Release changes for 1.3.12

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@385 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-21 10:18:58 +02:00 · 2002-12-28 15:38:03 +00:00 · 2002-12-28 15:38:03 +00:00 · 36aa2c8e88
commit 36aa2c8e88
parent 89efe0c6f6
100 changed files with 26957 additions and 22978 deletions
--- a/Lrp/etc/init.d/shorewall
+++ b/Lrp/etc/init.d/shorewall
--- a/Lrp/etc/shorewall/init
+++ b/Lrp/etc/shorewall/init
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
 #
--- a/Lrp/etc/shorewall/interfaces
+++ b/Lrp/etc/shorewall/interfaces
@ -20,6 +20,8 @@
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
 #			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
 #			column is left black.If the interface has multiple
@ -89,6 +91,14 @@
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #			tcpflags     - Packets arriving on this interface are
 #				       checked for certain illegal combinations
 #				       of TCP flags. Packets found to have
 #				       such a combination of flags are handled
 #				       according to the setting of
 #				       TCP_FLAGS_DISPOSITION after having been
 #				       logged according to the setting of
 #				       TCP_FLAGS_LOG_LEVEL.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
--- a/Lrp/etc/shorewall/policy
+++ b/Lrp/etc/shorewall/policy
@ -17,6 +17,10 @@
 #	DEST		Destination zone. Must be the name of a zone defined
 #			in /etc/shorewall/zones, $FW or "all"
 #
 #		WARNING: Firewall->Firewall policies are not allowed; if
 #			 you have a policy where both SOURCE and DEST are $FW,
 #			 Shorewall will not start!
 #
 #	POLICY		Policy if no match from the rules file is found. Must
 #			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #
@ -25,6 +29,12 @@
 #			log message is generated. See syslog.conf(5) for a
 #			description of log levels.
 #
 #			Beginning with Shorewall version 1.3.12, you may
 #			also specify ULOG (must be in upper case). This will
 #			log to the ULOG target and sent to a separate log
 #			through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			If you don't want to log but need to specify the
 #			following column, place "_" here.
 #
--- a/Lrp/etc/shorewall/rfc1918
+++ b/Lrp/etc/shorewall/rfc1918
@ -47,7 +47,7 @@
 60.0.0.0/8		logdrop		# Reserved
 70.0.0.0/7		logdrop		# Reserved
 72.0.0.0/5		logdrop		# Reserved
-82.0.0.0/7		logdrop		# Reserved
+83.0.0.0/8		logdrop		# Reserved
 84.0.0.0/6		logdrop		# Reserved
 88.0.0.0/5		logdrop		# Reserved
 96.0.0.0/3		logdrop		# Reserved
--- a/Lrp/etc/shorewall/rules
+++ b/Lrp/etc/shorewall/rules
@ -31,18 +31,26 @@
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
-#	SOURCE		Source hosts to which the rule applies. May be a zone
+#			Beginning with Shorewall version 1.3.12, you may
-#                       defined in /etc/shorewall/zones or $FW to indicate the
+#			also specify ULOG (must be in upper case) as a log level.\
-#			firewall itself. If the ACTION is DNAT or REDIRECT,
+#			This will log to the ULOG target and sent to a separate log
-#			sub-zones of the specified zone may be excluded from
+#			through use of ulogd
-#			the rule by following the zone name with "!' and a
+#			(http://www.gnumonks.org/projects/ulogd).
 #			comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a list of subnets
+#
-#			and/or hosts by appending ":" and a comma-separated
+#	SOURCE		Source hosts to which the rule applies. May be a zone
-#			list of subnets and/or hosts. Hosts may be specified
+#                       defined in /etc/shorewall/zones, $FW to indicate the
-#			by IP or MAC address; mac addresses must begin with
+#			firewall itself, or "all" If the ACTION is DNAT or
-#			"~" and must use "-" as a separator.
+#			REDIRECT, sub-zones of the specified zone may be
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
 #			Except when "all" is specified, clients may be further
 #			restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@ -64,12 +72,13 @@
 #			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or $FW to indicate the firewall
+#			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself.
+#			itself or "all"
 #
-#			The server may be further restricted to a particular
+#			Except when "all" is specified, the server may be
-#			subnet, host or interface by appending ":" and the
+#			further restricted to a particular subnet, host or
-#			subnet, host or interface. See above.
+#			interface by appending ":" and the subnet, host or
 #			interface. See above.
 #
 #				Restrictions:
 #
--- a/Lrp/etc/shorewall/shorewall.conf
+++ b/Lrp/etc/shorewall/shorewall.conf
@ -9,6 +9,35 @@
 #  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
 # General note about log levels. Log levels are a method of describing 
 # to syslog (8) the importance of a message and a number of parameters
 # in this file have log levels as their value.
 #
 # Valid levels are:
 #
 #	7	debug
 #	6	info
 #	5	notice
 #	4	warning
 #	3	err
 #	2	crit
 #	1	alert
 #	0	emerg
 #
 # For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
 # log messages are generated by NetFilter and are logged using facility 
 # 'kern' and the level that you specifify. If you are unsure of the level
 # to choose, 6 (info) is a safe bet. You may specify levels by name or by
 # number.
 #
 # If you have build your kernel with ULOG target support, you may also 
 # specify a log level of ULOG (must be all caps). Rather than log its
 # messages to syslogd, Shorewall will direct netfilter to log the messages
 # via the ULOG target which will send them to a process called 'ulogd'.
 # ulogd is available from http://www.gnumonks.org/projects/ulogd and can be 
 # configured to log all Shorewall message to their own log file
 ################################################################################
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.	
 #
@ -97,6 +126,8 @@ LOGBURST=
 # packets are logged under the 'logunclean' interface option. If the variable
 # is empty, these packets will still be logged at the 'info' level.
 #
 # See the comment at the top of this file for a description of log levels
 #
 LOGUNCLEAN=info
@ -192,6 +223,8 @@ BLACKLIST_DISPOSITION=DROP
 # (beward of DOS attacks resulting from such logging). If not set, no logging
 # of blacklist packets occurs.
 #
 # See the comment at the top of this file for a description of log levels
 #
 BLACKLIST_LOGLEVEL=
 #
@ -354,6 +387,8 @@ MUTEX_TIMEOUT=60
 # it will be rejected by the firewall. If you want these rejects logged, 
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this file for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
@ -402,7 +437,63 @@ MACLIST_DISPOSITION=REJECT
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Disposition
 #
 # This variable determins the disposition of packets having an invalid 
 # combination of TCP flags that are received on interfaces having the
 # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
 # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
 TCP_FLAGS_DISPOSITION=DROP
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this file for a description of log levels
 # 
 RFC1918_LOG_LEVEL=info
 #
 # Mark Packets in the forward chain
 #
 # When processing the tcrules file, Shorewall normally marks packets in the
 # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
 # this to "Yes". If not specified or if set to the empty value (e.g., 
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for 
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #LAST LINE -- DO NOT REMOVE
--- a/Lrp/etc/shorewall/start
+++ b/Lrp/etc/shorewall/start
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has 
 # been started or restarted.
 #
--- a/Lrp/etc/shorewall/stop
+++ b/Lrp/etc/shorewall/stop
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
 #
--- a/Lrp/etc/shorewall/stopped
+++ b/Lrp/etc/shorewall/stopped
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
 #
--- a/Lrp/etc/shorewall/tcrules
+++ b/Lrp/etc/shorewall/tcrules
@ -6,6 +6,11 @@
 #	Entries in this file cause packets to be marked as a means of
 #	classifying them for traffic control or policy routing.
 #
 #                              I M P O R T A N T ! ! ! !
 #
 #		FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
 #		TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
 #
 # Columns are:
 #
 #
--- a/Lrp/sbin/shorewall
+++ b/Lrp/sbin/shorewall
@ -58,6 +58,7 @@
 #	   shorewall show nat			   Display the rules in the nat table
 #	   shorewall show {mangle|tos}		   Display the rules in the mangle table
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
 #	   shorewall version			   Display the installed version id
 #	   shorewall check			   Verify the more heavily-used
 #						   configuration files.
@ -150,8 +151,10 @@ display_chains()
 	iptables -L -n -v > /tmp/chains-$$
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "Standard Chains\\n"
+	echo
 	echo "Standard Chains"
 	echo
 	firstchain="Yes"
 	showchain INPUT
 	showchain OUTPUT
@ -160,9 +163,11 @@ display_chains()
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo -e "Input Chains\\n"
+	echo "Input Chains"
 	echo
 	chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -176,10 +181,12 @@ display_chains()
 	    if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
 		clear
-		echo -e "$banner `date`\\n"
+		echo "$banner `date`"
 		echo
 		firstchain=Yes
 		eval display=\$${zone}_display
-		echo -e "$display Chains\\n"
+		echo "$display Chains"
 		echo
 		for zone1 in $FW $zones; do
 		    showchain ${zone}2$zone1
 		    showchain @${zone}2$zone1
@ -193,9 +200,11 @@ display_chains()
 	done
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo -e "Policy Chains\\n"
+	echo "Policy Chains"
 	echo
 	showchain common
 	showchain badpkt
 	showchain icmpdef
@ -212,9 +221,11 @@ display_chains()
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo -e "Dynamic Chain\\n"
+	echo "Dynamic Chain"
 	echo
 	showchain dynamic
 	timed_read
@ -248,7 +259,8 @@ packet_log() # $1 = number of messages
    [ -n "$realtail" ] && options="-n$1"
    grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
-	 sed s/" $host kernel: Shorewall:"/" "/ | \
+	 sed s/" kernel:"// | \
 	 sed s/" $host Shorewall:"/" "/ | \
 	 sed s/" $host kernel: ipt_unclean: "/" "/ | \
 	 sed 's/MAC=.*SRC=/SRC=/' | \
 	 tail $options
@ -284,6 +296,34 @@ show_tc() {
 }
 #
 # Show classifier information
 #
 show_classifiers() {
    show_one_classifier() {
 	local device=${1%@*}
 	qdisc=`tc qdisc list dev $device`
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
 	    tc -s filter ls dev $device
 	    echo
 	fi
    }
    ip link list | \
    while read inx interface details; do
 	case $inx in
 	[0-9]*)
 	    show_one_classifier ${interface%:}
 	    ;;
 	*)
 	    ;;
 	esac
    done
 }
 #
 # Monitor the Firewall
 #
@ -309,9 +349,11 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	display_chains
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
-	echo -e "Dropped/Rejected Packet Log\\n"
+	echo "Dropped/Rejected Packet Log"
 	echo
 	show_reset
@ -319,11 +361,14 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
-	    echo -e '\a'
+	    
 	    $RING_BELL
 	    packet_log 20
 	    if [ "$pause" = "Yes" ]; then
-		echo -en '\nEnter any character to continue: '
+		echo
 		echo $ECHO_N 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@ -335,28 +380,48 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	fi
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "NAT Status\\n"
+	echo
 	echo "NAT Status"
 	echo
 	iptables -t nat -L -n -v
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "\\nTOS/MARK Status\\n"
+	echo
 	echo
 	echo "TOS/MARK Status"
 	echo
 	iptables -t mangle -L -n -v
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "\\nTracked Connections\\n"
+	echo
 	echo
 	echo "Tracked Connections"
 	echo
 	cat /proc/net/ip_conntrack
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "\\nTraffic Shaping/Control\\n"
+	echo
 	echo
 	echo "Traffic Shaping/Control"
 	echo
 	show_tc
 	timed_read
 	clear
 	echo "$banner `date`"
 	echo
 	echo
 	echo "Packet Classifiers"
 	echo
 	show_classifiers
 	timed_read
    done
 }
@ -383,9 +448,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    while true; do
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
-	echo -e "Dropped/Rejected Packet Log\\n"
+	echo "Dropped/Rejected Packet Log"
 	echo
 	show_reset
@ -393,11 +460,14 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
-	    echo -e '\a'
+
 	    $RING_BELL
 	    packet_log 40
 	    if [ "$pause" = "Yes" ]; then
-		echo -en '\nEnter any character to continue: '
+		echo
 		echo $ECHO_N 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@ -419,7 +489,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host>] <zone>"
    echo "   delete <interface>[:<host>] <zone>"
-    echo "   show [<chain>|connections|log|nat|tc|tos]"
+    echo "   show [<chain>|classifiers|connections|log|nat|tc|tos]"
    echo "   start"
    echo "   stop"
    echo "   reset"
@ -445,7 +515,8 @@ usage() # $1 = exit status
 #
 show_reset() {
    [ -f $STATEDIR/restarted ] && \
-	echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
+	echo "Counters reset `cat $STATEDIR/restarted`" && \
 	echo
 }
 #
@ -537,6 +608,24 @@ banner="Shorewall-$version Status at $HOSTNAME -"
 get_statedir
 case `echo -e` in
    -e*)
 	RING_BELL="echo \'\a\'"
 	;;
    *)
 	RING_BELL="echo -e \'\a\'"
 	;;
 esac
 case `echo -n "Testing"` in
    -n*)
 	ECHO_N=
 	;;
    *)
 	ECHO_N=-n
 	;;
 esac
 case "$1" in
    start|stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
@ -550,32 +639,43 @@ case "$1" in
 	[ $# -gt 2 ] && usage 1
 	case "$2" in
 	connections)
-	    echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Connections at $HOSTNAME - `date`"
 	    echo
 	    cat /proc/net/ip_conntrack
 	    ;;
 	nat)
-	    echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version NAT at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    iptables -t nat -L -n -v
 	    ;;
 	tos|mangle)
-	    echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version TOS at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    iptables -t mangle -L -n -v
 	    ;;
 	log)
 	    get_config
-	    echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Log at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    host=`echo $HOSTNAME | sed 's/\..*$//'`
 	    packet_log 20
 	    ;;
 	tc)
-	    echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
 	    echo
 	    show_tc
 	    ;;
 	classifiers)
 	    echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
 	    echo
 	    show_classifiers
 	    ;;
 	*)
-	    echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    iptables -L $2 -n -v
 	    ;;
@ -594,15 +694,20 @@ case "$1" in
 	[ $# -eq 1 ] || usage 1
 	get_config
 	clear
-	echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
+	echo "Shorewall-$version Status at $HOSTNAME - `date`"
 	echo
 	show_reset
 	host=`echo $HOSTNAME | sed 's/\..*$//'`
 	iptables -L -n -v
 	echo
 	packet_log 20
 	echo
 	echo "NAT Table"
 	echo
 	iptables -t nat -L -n -v
 	echo
 	echo "Mangle Table"
 	echo
 	iptables -t mangle -L -n -v
 	echo
 	cat /proc/net/ip_conntrack
@ -611,7 +716,9 @@ case "$1" in
 	[ $# -eq 1 ] || usage 1
 	get_config
 	clear
-	echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
+	echo "Shorewall-$version Hits at $HOSTNAME - `date`"
 	echo
 	timeout=30
 	if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
--- a/Lrp/usr/lib/shorewall/functions
+++ b/Lrp/usr/lib/shorewall/functions
@ -25,9 +25,22 @@ find_file()
 #
 # Replace commas with spaces and echo the result
 #
-separate_list()
+separate_list() { 
-{
+    local list
-    echo $1 | sed 's/,/ /g'
+    local part
    local newlist
    list="$@"
    part="${list%%,*}"
    newlist="$part"
    while [ "x$part" != "x$list" ]; do
 	list="${list#*,}";
 	part="${list%%,*}";
 	newlist="$newlist $part";
    done
    echo "$newlist"
 }
 #
--- a/Lrp/var/lib/lrpkg/shorwall.conf
+++ b/Lrp/var/lib/lrpkg/shorwall.conf
@ -16,3 +16,7 @@
 /etc/shorewall/tos		TOS       Type of Service policy
 /etc/shorewall/blacklist	Blacklist Blacklisted hosts
 /etc/shorewall/rfc1918		RFC1918   Defines 'norfc1918' interface option
 /etc/shorewall/init		Init      Commands executed before [re]start
 /etc/shorewall/start		Start     Commands executed after [re]start
 /etc/shorewall/stop		Stop      Commands executed before stop
 /etc/shorewall/stopped		Stopped   Commands executed after stop
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@ -1 +1 @@
-1.3.10
+1.3.12
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -1,17 +1,43 @@
-Changes since 1.3.10
+Changes since 1.3.11
-1. Added TCP flags checking.
+1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
-2. Accomodate bash clones like dash and ash
+2. "shorewall refresh" now refreshes the traffic shaping rules
-3. Added some comments in the policy chain creation/population logic.
+3. Turned off debugging after error.
-4. Check for fw->fw rules.
+4. Removed drop of INVALID state output ICMP packets. 
-5. Allow 'all' in rules.
+5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
-6. Add reverse GRE rules for PPTP server and clients.
+6. Replaced 'wc' invocation in list_count() by shell code (speedup)
-7. Add warning to tcrules file.
+7. Replaced 'sed' invocation in run_iptables() by shell code and
   optomized (speedup)
-8. Add warning to policy file that fw->fw policies aren't allowed.
+8. Only read the interfaces file once (speedup)
 9. Only read the policy file once (speedup)
 10. Removed redundant function input_chains() (duplicate of first_chains()) 
 11. Generated an error if 'lo' is defined in the interfaces file.
 12. Clarified error message where ORIGINAL DEST is specified on an
    ACCEPT, DROP or REJECT rule.
 13. Added "shorewall show classifiers" command and added packet
    classification filter display to "shorewall monitor"
 14. Added an error message when the destination in a rule contained a
    MAC address.
 15. Added ULOG target support.
 16. Add MARK_IN_FORWARD option.
 17. General Cleanup for Release
 18. Release changes and add init, start, stop and stopped files.
 19. Add headings to NAT and Mangle tables in "shorewall status" output
--- a/STABLE/documentation/Documentation.htm
+++ b/STABLE/documentation/Documentation.htm
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -2,17 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -29,6 +34,7 @@
                             </td>
                           </tr>
  </tbody>                        
 </table>
@ -44,22 +50,22 @@ I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
       port forwarding</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
-        to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
+            to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
-  local      network. <b>External clients can browse</b> http://www.mydomain.com 
+in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com
      but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
             subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
      to   hosts   in  Z. Hosts in Z cannot communicate with each other using
-their    external    (non-RFC1918 addresses) so they <b>can't access each 
+    their    external    (non-RFC1918 addresses) so they <b>can't access
-other using   their DNS   names.</b></a></p>
+each     other using   their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
            Messenger </b>with  Shorewall. What do I do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
-        to  check my firewall and it shows <b>some ports as 'closed' rather 
+            to  check my firewall and it shows <b>some ports as 'closed'
-  than     'blocked'.</b>  Why?</a></p>
+rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
             of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -78,7 +84,8 @@ other using   their DNS   names.</b></a></p>
             work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
-        on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
+            on RedHat</b> I get messages about insmod failing -- what's 
 wrong?</a></p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
            my  interfaces </b>properly?</a></p>
@ -95,13 +102,13 @@ support?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
            and it has an internel  web server that allows me to configure/monitor
-     it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 
+         it   but as expected if I enable <b> rfc1918 blocking</b> for my
- interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
+eth0     interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
-        IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I 
+            IP  addresses, my ISP's DHCP server has an RFC 1918 address.
-enable       RFC 1918  filtering on my external interface, <b>my DHCP client 
+If   I  enable       RFC 1918  filtering on my external interface, <b>my
-cannot    renew   its lease</b>.</a></p>
+DHCP  client  cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
            out to  the net</b></a></p>
@ -109,23 +116,24 @@ cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
             all over my console</b> making it unusable!<br>
                    </a></p>
-                          <b>17</b>. <a href="#faq17">How do I find out <b>why
+                                 <b>17</b>. <a href="#faq17">How do I find
-   this   is</b> getting  <b>logged?</b></a><br>
+ out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
                <br>
-         <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
+                <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
- addresses</b>    with Shorewall, and maintain separate rulesets for different
+   ip  addresses</b>    with Shorewall, and maintain separate rulesets for
- IPs?</a><br>
+ different   IPs?</a><br>
            <br>
            <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b> 
     but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
           <br>
-    <b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a 
+           <b>20. </b><a href="#faq20">I have just set  up  a  server.  <b>Do 
-server.  <b>Do I have to change Shorewall to allow access to my server from 
+I have to change Shorewall to allow access to my server   from  the internet?<br>
-the internet?<br>
+ <br>
-  </b><br>
+ </b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries 
-  </a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
+</b>occasionally;    what are they?<br>
 what are they?<br>
         </a><br>
 <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
 want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
 <hr>                         
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
@ -139,6 +147,7 @@ the internet?<br>
      rule to a local system is as   follows:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -165,7 +174,9 @@ the internet?<br>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -173,6 +184,7 @@ the internet?<br>
            the rule is:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -198,18 +210,18 @@ the internet?<br>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
-<div align="left">                  
+<div align="left">                      <font face="Courier">     </font>If 
-<pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
+ you want to forward requests directed to a particular address ( <i>&lt;external 
-                  </div>
+ IP&gt;</i> ) on your firewall to an internal system:</div>
 <p align="left">If you want to forward requests directed to a particular
 address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -234,7 +246,9 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -246,9 +260,9 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
 <ul>
                           <li>You are trying to test from inside your firewall 
   (no,   that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
-                    <li>You have a more basic problem with your local system
+                           <li>You have a more basic problem with your local
-  such   as  an   incorrect default gateway configured (it should be set
+  system    such   as  an   incorrect default gateway configured (it should
-to   the IP   address    of your  firewall's internal interface).</li>
+  be set to   the IP   address    of your  firewall's internal interface).</li>
 </ul>
@ -257,30 +271,31 @@ to   the IP   address    of your  firewall's internal interface).</li>
               <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
-          <li>As root, type "iptables -t nat -Z". This clears the NetFilter 
+                 <li>As root, type "iptables -t nat -Z". This clears the
- counters   in the nat table.</li>
+NetFilter      counters   in the nat table.</li>
-          <li>Try to connect to the redirected port from an external host.</li>
+                 <li>Try to connect to the redirected port from an external 
 host.</li>
                 <li>As root type "shorewall show nat"</li>
-          <li>Locate the appropriate DNAT rule. It will be in a chain called
+                 <li>Locate the appropriate DNAT rule. It will be in a chain
-      <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the 
+  called        <i>zone</i>_dnat   where <i>zone</i> is the zone that includes
- ('net' in the above   examples).</li>
+  the    ('net' in the above   examples).</li>
-          <li>Is the packet count in the first column non-zero? If so, the
+                 <li>Is the packet count in the first column non-zero? If 
- connection    request is reaching the firewall and is being redirected to
+so,   the   connection    request is reaching the firewall and is being redirected 
- the server.  In  this case, the problem is usually a missing or incorrect
+  to   the server.  In  this case, the problem is usually a missing or incorrect 
- default gateway   setting on the server (the server's default gateway should
+    default gateway   setting on the server (the server's default gateway 
- be the IP address   of the firewall's interface to the server).</li>
+should    be the IP address   of the firewall's interface to the server).</li>
                 <li>If the packet count is zero:</li>
  <ul>
-            <li>the connection request is not reaching your server (possibly
+                   <li>the connection request is not reaching your server 
-  it  is being blocked by your ISP); or</li>
+(possibly      it  is being blocked by your ISP); or</li>
-            <li>you are trying to connect to a secondary IP address on your 
+                   <li>you are trying to connect to a secondary IP address
- firewall   and your rule is only redirecting the primary IP address (You 
+ on  your   firewall   and your rule is only redirecting the primary IP address 
-need to specify   the secondary IP address in the "ORIG. DEST." column in 
+  (You  need to specify   the secondary IP address in the "ORIG. DEST." column 
-your DNAT rule);  or</li>
+  in  your DNAT rule);  or</li>
-            <li>your DNAT rule doesn't match the connection request in some 
+                   <li>your DNAT rule doesn't match the connection request
- other   way. In that case, you may have to use a packet sniffer such as tcpdump
+ in  some   other   way. In that case, you may have to use a packet sniffer
- or  ethereal to further diagnose the problem.<br>
+ such  as tcpdump  or  ethereal to further diagnose the problem.<br>
                   </li>
  </ul>
@ -288,31 +303,34 @@ your DNAT rule);  or</li>
 </ul>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
-        (IP 130.151.100.69) to system 192.168.1.5 in my local network. External 
+            (IP 130.151.100.69) to system 192.168.1.5 in my local network.
-      clients  can browse http://www.mydomain.com but internal clients can't.</h4>
+ External         clients  can browse http://www.mydomain.com but internal
 clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-                    <li>Having an internet-accessible server in your local
+                           <li>Having an internet-accessible server in your 
- network         is  like raising foxes in the corner of your hen house.
+ local    network         is  like raising foxes in the corner of your hen 
-If  the server     is      compromised, there's nothing between that server
+ house.  If  the server     is      compromised, there's nothing between that
-and  your other   internal        systems. For the cost of another NIC and
+ server  and  your other   internal        systems. For the cost of another
-a cross-over  cable,   you can   put      your server in a DMZ such that
+ NIC and  a cross-over  cable,   you can   put      your server in a DMZ
-it is isolated  from your   local systems    -     assuming that the Server
+such  that it is isolated  from your   local systems    -     assuming that
-can be located  near the Firewall,   of course    :-)</li>
+the  Server can be located  near the Firewall,   of course    :-)</li>
                           <li>The accessibility problem is best solved using 
         <a href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a>
    (or using a separate DNS server for local clients) such that www.mydomain.com
-resolves to 130.141.100.69     externally and 192.168.1.5 internally. That's 
+    resolves to 130.141.100.69     externally and 192.168.1.5 internally.
-what I do here at     shorewall.net for my local systems that use static NAT.</li>
+That's    what I do here at     shorewall.net for my local systems that use
 static   NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem
-         rather than a DNS solution, then assuming that your external interface 
+             rather than a DNS solution, then assuming that your external
-      is  eth0  and your internal interface is eth1  and that eth1 has IP 
+interface          is  eth0  and your internal interface is eth1  and that
-address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
+eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, do
 the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
             for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -323,6 +341,7 @@ address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
 <div align="left">                         
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -346,19 +365,18 @@ address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
                         </div>
 <div align="left">                  
 <pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
                  </div>
 <div align="left">                         
 <p align="left">That rule only works of course if you have a static external
-        IP  address. If you  have a dynamic IP address and are running Shorewall 
+            IP  address. If you  have a dynamic IP address and are running
-       1.3.4 or later then include this in  /etc/shorewall/params:</p>
+ Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
                        </div>
 <div align="left">                         
@ -371,6 +389,7 @@ address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
 <div align="left">                         
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -394,22 +413,24 @@ address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
                         </div>
 <div align="left">                         
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
-         client to automatically restart Shorewall each time that you get 
+             client to automatically restart Shorewall each time that you
-a  new    IP   address.</p>
+get    a  new    IP   address.</p>
                        </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
-        subnet and I use static NAT to assign non-RFC1918 addresses to hosts 
+            subnet and I use static NAT to assign non-RFC1918 addresses to
-   in   Z.  Hosts in Z cannot communicate with each other using their external 
+ hosts      in   Z.  Hosts in Z cannot communicate with each other using
-   (non-RFC1918     addresses) so they can't access each other using their 
+their  external      (non-RFC1918     addresses) so they can't access each
- DNS  names.</h4>
+other  using their    DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved
            using Bind Version 9 "views". It allows both external and internal
@ -420,8 +441,8 @@ a  new    IP   address.</p>
     addresses      and can be accessed externally and internally using the 
  same   address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
+<p align="left">If you don't like those solutions and prefer routing all
-traffic through your firewall then:</p>
+Z-&gt;Z traffic through your firewall then:</p>
 <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces 
       (If you are running a Shorewall version earlier than 1.3.9).<br>
@ -437,6 +458,7 @@ traffic through your firewall then:</p>
 <p align="left">In /etc/shorewall/interfaces:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber2">
                             <tbody>
@ -454,13 +476,16 @@ traffic through your firewall then:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
 <p align="left">In /etc/shorewall/policy:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                             <tbody>
@ -479,7 +504,9 @@ traffic through your firewall then:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -490,6 +517,7 @@ traffic through your firewall then:</p>
 <p align="left">In /etc/shorewall/masq:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3" width="369">
                             <tbody>
@ -506,7 +534,9 @@ traffic through your firewall then:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -515,8 +545,8 @@ traffic through your firewall then:</p>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
-        tracking/NAT module</a> that may help. Also check the Netfilter mailing 
+            tracking/NAT module</a> that may help. Also check the Netfilter
-      list  archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
+  mailing        list  archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
            </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -524,15 +554,15 @@ traffic through your firewall then:</p>
     than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
-        always    rejects connection requests on TCP port 113 rather than 
+            always    rejects connection requests on TCP port 113 rather
-dropping        them. This is    necessary to prevent outgoing connection 
+than     dropping        them. This is    necessary to prevent outgoing connection
    problems to   services    that use the    'Auth' mechanism for identifying
-requesting  users.  Shorewall    also rejects TCP    ports 135, 137 and 139 
+    requesting  users.  Shorewall    also rejects TCP    ports 135, 137 and
-as well as  UDP ports  137-139.   These are ports that are    used by Windows 
+  139  as well as  UDP ports  137-139.   These are ports that are    used
-(Windows  <u>can</u>  be configured   to use the DCE cell locator    on port 
+by  Windows  (Windows  <u>can</u>  be configured   to use the DCE cell locator
-135). Rejecting these  connection requests   rather than dropping them   
+     on port  135). Rejecting these  connection requests   rather than dropping
-cuts down slightly on the amount of Windows  chatter on LAN segments connected 
+  them    cuts down slightly on the amount of Windows  chatter on LAN segments
-    to the Firewall. </p>
+  connected      to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably
            your    ISP preventing you from running a web server in violation
@ -542,10 +572,11 @@ of   your     Service    Agreement.</p>
               firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
-        section about    UDP scans. If nmap gets <b>nothing</b> back from 
+            section about    UDP scans. If nmap gets <b>nothing</b> back
-your     firewall   then it reports    the port as open. If you want to see 
+from     your     firewall   then it reports    the port as open. If you
-which    UDP ports are  really open,    temporarily change your net-&gt;all 
+want to   see  which    UDP ports are  really open,    temporarily change
-policy    to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
+your net-&gt;all     policy    to REJECT, restart  Shorewall and do    the
 nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
            can't ping through the firewall</h4>
@ -555,21 +586,26 @@ policy    to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
 <p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
                         b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
-                  c) Add the following to /etc/shorewall/icmpdef: </p>
+                         c) Add the following to /etc/shorewall/icmpdef:
 </p>
 <blockquote>                                                            
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-        -j ACCEPT </p>
+            -j ACCEPT<br>
    </p>
  </blockquote>
  For a complete description of Shorewall 'ping' management, see <a
 href="ping.html">this page</a>.                                        
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
            and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
+syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
-(see "man openlog") and you get to choose the log level (again, see "man
+facility (see "man openlog") and you get to choose the log level (again,
-syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
+see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
- href="Documentation.htm#Rules">rules</a>. The destination for messaged 
+ and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
           When you have changed /etc/syslog.conf, be sure to restart syslogd
    (on    a  RedHat system, "service syslog restart"). </p>
@ -579,7 +615,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
            -- If you want to log all messages, set: </p>
 <div align="left">                         
-<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""</pre>
+<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
 href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
                         </div>
 <h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work 
@ -589,6 +626,7 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
            </p>
 <blockquote>                                                            
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                         <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
@ -598,18 +636,19 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
              http://www.logwatch.org</a><br>
        </p>
      </blockquote>
-                                   
+      I personnaly use Logwatch. It emails me a report each day from my various
   systems with each report summarizing the logged activity on the corresponding
   system.                                                               
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
            stop', I can't connect to anything. Why doesn't that command work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into
-        a safe state whereby only those interfaces/hosts having the 'routestopped' 
+            a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
-        option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
+are    activated.         If you want to totally open up your firewall, you
-        If you want to totally open up your firewall, you must use the 'shorewall
+must    use the 'shorewall         clear' command. </p>
        clear' command. </p>
-<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
+<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
-         7.x, I get messages about insmod failing -- what's wrong?</h4>
+I get messages about insmod failing -- what's wrong?</h4>
 <p align="left"><b>Answer: </b>The output you will see looks something like
            this:</p>
@ -646,9 +685,9 @@ with     RH7.2.</p>
                        </div>
 <div align="left">                           
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The
-   zone is defined as all hosts that are connected through eth0 and the local
+Net    zone is defined as all hosts that are connected through eth0 and the
-   zone is defined as all hosts connected through eth1</p>
+local    zone is defined as all hosts connected through eth1</p>
                        </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -664,17 +703,18 @@ with     RH7.2.</p>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I
-myself doing      other things. I guess I just don't care enough if Shorewall
+find myself doing      other things. I guess I just don't care enough if
-has a GUI to      invest the effort to create one myself. There are several
+Shorewall has a GUI to      invest the effort to create one myself. There
-Shorewall GUI      projects underway however and I will publish links to
+are several Shorewall GUI      projects underway however and I will publish
-them when the authors      feel that they are ready. </p>
+links to them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
-        (<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
+            (<a href="http://www.cityofshoreline.com">the      city where
-        and "Fire<u>wall</u>".</p>
+I  live</a>)          and "Fire<u>wall</u>". The full name of the product
 is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
            and it has an  internal web server that allows me to configure/monitor
@ -682,11 +722,12 @@ them when the authors      feel that they are ready. </p>
        (the  internet one), it also blocks  the cable modems web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking
-        that will let all traffic to and from the 192.168.100.1 address  of
+            that will let all traffic to and from the 192.168.100.1 address
-  the    modem  in/out but still block all other rfc1918 addresses.</p>
+   of   the    modem  in/out but still block all other rfc1918 addresses?</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall
-than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
+earlier than      1.3.1, create /etc/shorewall/start and in it, place the
 following:</p>
 <div align="left">                           
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -699,6 +740,7 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 <div align="left">                           
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                               <tbody>
@ -712,7 +754,9 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                               </tr>
    </tbody>                                                            
  </table>
                           </blockquote>
                         </div>
@ -722,13 +766,14 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                      </p>
 <p align="left">Note: If you add a second IP address to your external firewall
-       interface to correspond to the modem address, you must also make an 
+           interface to correspond to the modem address, you must also make
- entry      in /etc/shorewall/rfc1918 for that address. For example, if you 
+  an   entry      in /etc/shorewall/rfc1918 for that address. For example,
- configure      the address 192.168.100.2 on your firewall, then you would 
+ if you   configure      the address 192.168.100.2 on your firewall, then
- add two entries      to /etc/shorewall/rfc1918:  <br>
+you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                      </p>
 <blockquote>                                                            
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
                          <tbody>
                            <tr>
@ -752,15 +797,16 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
    </tbody>                                                            
  </table>
                      </blockquote>
                        </div>
 <div align="left">                           
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
-   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
-1918    filtering on my external interface, my DHCP client cannot renew its
+RFC 1918    filtering on my external interface, my DHCP client cannot renew
-lease.</h4>
+its lease.</h4>
                         </div>
 <div align="left">                           
@ -772,23 +818,26 @@ lease.</h4>
            the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
-        the net", I wonder  where the poster bought computers with eyes and 
+            the net", I wonder  where the poster bought computers with eyes
-  what     those computers will "see"  when things are working properly. That
+  and    what     those computers will "see"  when things are working properly.
-  aside,     the most common causes of this  problem are:</p>
+   That   aside,     the most common causes of this  problem are:</p>
 <ol>
                           <li>                                         
    <p align="left">The default gateway on each local system isn't set to
            the    IP address of the local firewall interface.</p>
                            </li>
                           <li>                                         
    <p align="left">The entry for the local network in the /etc/shorewall/masq
               file is wrong or missing.</p>
                            </li>
                           <li>                                         
    <p align="left">The DNS settings on the local systems are wrong or the
               user is running a DNS server on the firewall and hasn't enabled
     UDP    and   TCP    port 53 from the firewall to the internet.</p>
@ -800,57 +849,61 @@ lease.</h4>
            all  over my console making it unusable!</h4>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
-        to your startup    scripts or place it in /etc/shorewall/start. Under 
+            to your startup    scripts or place it in /etc/shorewall/start.
-    RedHat,    the max log level    that is sent to the console is specified 
+  Under      RedHat,    the max log level    that is sent to the console
-   in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
+is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
                    </p>
-<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
+<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
-             <b>Answer: </b>Logging occurs out of a number of chains (as
+logged?</h4>
-indicated      in  the log message) in Shorewall:<br>
+                    <b>Answer: </b>Logging occurs out of a number of chains 
 (as   indicated      in  the log message) in Shorewall:<br>
 <ol>
-               <li><b>man1918 - </b>The destination address is listed in
+                      <li><b>man1918 - </b>The destination address is listed
-/etc/shorewall/rfc1918       with a <b>logdrop </b>target -- see <a
+  in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-               <li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918 
+                      <li><b>rfc1918</b> - The source address is listed in
-      with a <b>logdrop </b>target -- see <a
+ /etc/shorewall/rfc1918          with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-              <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
+                     <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> 
-        </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that
+or      <b>all2all          </b>-  You have a<a
-   specifies a  log level and this packet is being logged under that policy.
+ href="Documentation.htm#Policy"> policy</a> that     specifies a  log level
-   If you intend  to ACCEPT this traffic then you need a  <a
+  and this packet is being logged under that policy.     If you intend  to
- href="Documentation.htm#Rules">rule</a> to that effect.<br>
+ ACCEPT this traffic then you need a  <a href="Documentation.htm#Rules">rule</a>
 to that effect.<br>
                     </li>
-               <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
+                      <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you 
- href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to 
+have   a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; 
-   <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being 
+    </b>to       <b>&lt;zone2&gt;</b> that specifies a log level and this 
-     logged under that policy or this packet matches  a <a
+packet is being         logged under that policy or this packet matches  a
- href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
+    <a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
-        <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under 
+               <li><b>&lt;interface&gt;_mac</b> - The packet is being logged
- the      <b>maclist</b> <a href="Documentation.htm#Interfaces">interface 
+  under    the      <b>maclist</b> <a
-option</a>.<br>
+ href="Documentation.htm#Interfaces">interface     option</a>.<br>
               </li>
-               <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b> 
+                      <li><b>logpkt</b> - The packet is being logged under
-          <a href="Documentation.htm#Interfaces">interface option</a>.</li>
+ the       <b>logunclean</b>            <a
-               <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b> 
+ href="Documentation.htm#Interfaces">interface   option</a>.</li>
-          <a href="Documentation.htm#Interfaces">interface option</a> as specified
+                      <li><b>badpkt </b>- The packet is being logged under
 the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified 
     in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-               <li><b>blacklst</b> - The packet is being logged because the 
+                      <li><b>blacklst</b> - The packet is being logged because
- source    IP  is blacklisted in the<a
+   the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
                      <li><b>newnotsyn </b>- The packet is being logged because 
-it  is  a  TCP   packet that is not part of any current connection yet it
+   it  is  a  TCP   packet that is not part of any current connection yet 
-is not a syn  packet.   Options affecting the logging of such packets include 
+it   is not a syn  packet.   Options affecting the logging of such packets 
-    <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN </b>in     <a
+include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN </b>in    
- href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-              <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
+                     <li><b>INPUT</b> or <b>FORWARD</b> - The packet has
- IP  address    that isn't in any of your defined zones ("shorewall check"
+a  source    IP  address    that isn't in any of your defined zones ("shorewall
- and  look at the   printed zone definitions) or the chain is FORWARD and
+ check"    and  look at the   printed zone definitions) or the chain is FORWARD
-the destination  IP  isn't in any of your defined zones.</li>
+ and   the destination  IP  isn't in any of your defined zones.</li>
-     <li><b>logflags </b>- The packet is being logged because it failed the 
+            <li><b>logflags </b>- The packet is being logged because it failed
- checks implemented by the <b>tcpflags </b><a
+   the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
            </li>
@ -858,11 +911,11 @@ the destination  IP  isn't in any of your defined zones.</li>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
        with Shorewall, and maintain separate rulesets for different IPs?</h4>
-         <b>Answer: </b>Yes. You simply use the IP address in your rules
+                <b>Answer: </b>Yes. You simply use the IP address in your 
-(or   if  you  use NAT, use the local IP address in your rules). <b>Note:</b>
+rules    (or   if  you  use NAT, use the local IP address in your rules). 
-The  ":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
+<b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated and will 
-  Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
+disappear eventually.      Neither   iproute  (ip and tc) nor iptables supports 
-  does   Shorewall.  <br>
+that notation so  neither    does   Shorewall.  <br>
                <br>
                <b>Example 1:</b><br>
                <br>
@ -903,41 +956,64 @@ how to set  up rules for your server.<br>
 <blockquote>                           
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
         </blockquote>
-  192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
+         192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal 
  LAN<br>
         <br>
-  <b>Answer: </b>While most people associate the Internet Control Message 
+         <b>Answer: </b>While most people associate the Internet Control
-Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. ICMP is 
+Message     Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet.
-used to report problems back to the sender of a packet; this is what is happening 
+ICMP   is  used to report problems back to the sender of a packet; this is
-here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), 
+what  is happening  here. Unfortunately, where NAT is involved (including
-there are a lot of broken implementations. That is what you are seeing with 
+SNAT,  DNAT and Masquerade),  there are a lot of broken implementations.
-these messages.<br>
+That is  what you are seeing with  these messages.<br>
         <br>
- Here is my interpretation of what is happening -- to confirm this analysis, 
+        Here is my interpretation of what is happening -- to confirm this 
-one out have to have packet sniffers placed a both ends of the connection.<br>
+analysis,    one would have to have packet sniffers placed a both ends of 
 the connection.<br>
        <br>
- Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query 
+        Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
-to 192.0.2.3 and your DNS server tried to send a response (the response information 
+ query    to 192.0.2.3 and your DNS server tried to send a response (the
-is in the brackets -- note source port 53 which marks this as a DNS reply). 
+response   information  is in the brackets -- note source port 53 which marks
-When the response was returned to to 206.124.146.179, it rewrote the destination 
+this as  a DNS reply).  When the response was returned to to 206.124.146.179,
-IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had 
+it rewrote  the destination  IP TO 172.16.1.10 and forwarded the packet to
-a connection on UDP port 2857. This causes a port unreachable (type 3, code 
+172.16.1.10  who no longer had  a connection on UDP port 2857. This causes
-3) to be generated back to 192.0.2.3. As this packet is sent back through 
+a port unreachable  (type 3, code  3) to be generated back to 192.0.2.3.
-206.124.146.179, that box correctly changes the source address in the packet 
+As this packet is sent  back through  206.124.146.179, that box correctly
-to 206.124.146.179 but doesn't reset the DST IP in the original DNS response 
+changes the source address  in the packet  to 206.124.146.179 but doesn't
-similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall 
+reset the DST IP in the original   DNS response  similarly. When the ICMP
-has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't 
+reaches your firewall (192.0.2.3),   your firewall  has no record of having
-appear to be related to anything that was sent. The final result is that the
+sent a DNS reply to 172.16.1.10 so   this ICMP doesn't  appear to be related
-packet gets logged and dropped in the all2all chain. I have also seen cases
+to anything that was sent. The final   result is that the packet gets logged
-where the source IP in the ICMP itself isn't set back to the external IP
+and dropped in the all2all chain. I  have also seen cases where the source
-of the remote NAT gateway; that causes your firewall to log and drop the packet
+IP in the ICMP itself isn't set back  to the external IP of the remote NAT
-out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
+gateway; that causes your firewall to  log and drop the packet out of the
 rfc1918 chain because the source IP is  reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
 I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
         You can place these commands in one of the <a
 href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
 sure that you look at the contents of the chain(s) that you will be modifying 
 with your commands to be sure that the commands will do what they are intended. 
 Many iptables commands published in HOWTOs and other instructional material 
 use the -A command which adds the rules to the end of the chain. Most chains 
 that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT 
 rule and any rules that you add after that will be ignored. Check "man iptables" 
 and look at the -I (--insert) command.<br>
 <br>
 <div align="left">     </div>
-      <font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
+             <font size="2">Last updated 12/13/2002 - <a
-Eastep</a></font>                                 
+ href="support.htm">Tom   Eastep</a></font>                             
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
             © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
       </p>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/MAC_Validation.html
+++ b/STABLE/documentation/MAC_Validation.html
@ -29,13 +29,17 @@
    Beginning with Shorewall version 1.3.10, all traffic from an interface
 or  from a subnet on an interface can be verified to originate from a defined
  set of MAC addresses. Furthermore, each MAC address may be optionally associated
- with one or more IP addresses. There are four components to this facility.<br>
+  with one or more IP addresses. <br>
 <br>
 <b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
 <br>
 There are four components to this facility.<br>
 <ol>
      <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
-option is specified, all traffic arriving on the interface is subjet to MAC
+this option is specified, all traffic arriving on the interface is subjet
-verification.</li>
+to MAC verification.</li>
      <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
  When this option is specified for a subnet, all traffic from that subnet
 is subject to MAC verification.</li>
@ -43,19 +47,20 @@ is subject to MAC verification.</li>
 MAC  addresses with interfaces and to optionally associate IP addresses with
 MAC  addresses.</li>
      <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
- in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The 
+  in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
- MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines 
+The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
- the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL 
+determines   the disposition of connection requests that fail MAC verification.
- variable gives the syslogd level at which connection requests that fail verification
+The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
- are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") 
+requests that fail verification  are to be logged. If set the the empty value
- then failing connection requests are not logged.<br>
+(e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
      </li>
 </ol>
    The columns in /etc/shorewall/maclist are:<br>
 <ul>
-     <li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
+      <li>INTERFACE - The name of an ethernet interface on the Shorewall
 system.</li>
      <li>MAC - The MAC address of a device on the ethernet segment connected
  by INTERFACE. It is not necessary to use the Shorewall MAC format in this
  column although you may use that format if you so choose.</li>
@ -80,8 +85,8 @@ MAC  addresses.</li>
 <h3>Example 2: Router in Local Zone</h3>
    Suppose now that I add a second ethernet segment to my local zone and 
 gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and 
-IP address  192.168.1.253. Hosts in the second segment have IP addresses
+IP address  192.168.1.253. Hosts in the second segment have IP addresses in
-in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist 
+the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
  file:<br>
 <pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
@ -90,7 +95,7 @@ and  from the second LAN segment (192.168.2.0/24). Remember that all traffic
 being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded
 by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
  and not that of the host sending the traffic.    
-<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 12/22/2002 - <a href="support.htm">Tom  Eastep</a> 
     </font></p>
@ -102,5 +107,6 @@ by the router so that traffic's MAC address will be that of the router (00:06:43
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/Shorewall_CA_html.html
+++ b/STABLE/documentation/Shorewall_CA_html.html
@ -0,0 +1,92 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>Shorewall Certificate Authority</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
         <tbody>
          <tr>
           <td width="100%">                                            
      <h1 align="center"><font color="#ffffff">Shorewall Certificate Authority 
 (CA) Certificate</font></h1>
           </td>
         </tr>
  </tbody>      
 </table>
 <br>
 Given that I develop and support Shorewall without asking for any renumeration, 
 I can hardly justify paying $200US+ a year to a Certificate Authority such 
 as Thawte (A Division of VeriSign) for an X.509 certificate to prove that 
 I am who I am. I have therefore established my own Certificate Authority (CA)
 and sign my own X.509 certificates. I use these certificates on my web server
 (<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
 as on my mail server (mail.shorewall.net).<br>
 <br>
 X.509 certificates are the basis for the Secure Socket Layer (SSL). As part 
 of establishing an SSL session (URL https://...), your browser verifies the 
 X.509 certificate supplied by the HTTPS server against the set of Certificate 
 Authority Certificates that were shipped with your browser. It is expected 
 that the server's certificate was issued by one of the authorities whose identities
 are known to your browser. <br>
 <br>
 This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar 
 you are REALLY connecting to www.foo.bar, means that the CAs literally have 
 a license to print money -- they are selling a string of bits (an X.509 certificate) 
 for $200US+ per year!!!I <br>
 <br>
 I wish that I had decided to become a CA rather that designing and writing 
 Shorewall.<br>
 <br>
 What does this mean to you? It means that the X.509 certificate that my
 server will present to your browser will not have been signed by one of the
 authorities known to your browser. If you try to connect to my server using
 SSL, your browser will frown and give you a dialog box asking if you want
 to accept the sleezy X.509 certificate being presented by my server. <br>
 <br>
 There are two things that you can do:<br>
 <ol>
   <li>You can accept the www.shorewall.net certificate when your browser 
 asks -- your acceptence of the certificate can be temporary (for that access 
 only) or perminent.</li>
   <li>You can download and install <a href="ca.crt">my (self-signed) CA
 certificate.</a> This will make my Certificate Authority known to your browser
 so that it will accept any certificate signed by me. <br>
   </li>
 </ol>
 What are the risks?<br>
 <ol>
   <li>If you install my CA certificate then you assume that I am trustworthy 
 and that Shorewall running on your firewall won't redirect HTTPS requests 
 intented to go to your bank's server to one of my systems that will present
 your browser with a bogus certificate claiming that my server is that of
 your bank.</li>
   <li>If you only accept my server's certificate when prompted then the
 most that you have to loose is that when you connect to https://www.shorewall.net, 
 the server you are connecting to might not be mine.</li>
 </ol>
 I have my CA certificate loaded into all of my browsers but I certainly
 won't be offended if you decline to load it into yours... :-)<br>
 <p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -49,8 +49,8 @@
                   <li> <a href="shorewall_quickstart_guide.htm">QuickStart 
 Guides   (HOWTOs)</a><br>
                    </li>
-                                          <li> <a
+                                           <li> <b><a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                           <li> <a href="Documentation.htm">Reference Manual</a></li>
                           <li> <a href="FAQ.htm">FAQs</a></li>
                            <li><a href="useful_links.html">Useful Links</a><br>
@ -139,5 +139,6 @@
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_sfindex_frame.htm
+++ b/STABLE/documentation/Shorewall_sfindex_frame.htm
@ -0,0 +1,145 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
             <base target="main">                                       
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#4b017c" height="90">
                        <tbody>
                         <tr>
                          <td width="100%" height="90">                 
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                          </td>
                        </tr>
                        <tr>
                          <td width="100%" bgcolor="#ffffff">           
      <ul>
                            <li> <a href="seattlefirewall_index.htm">Home</a></li>
                                    <li> <a
 href="shorewall_features.htm">Features</a></li>
                            <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
                            <li> <a href="download.htm">Download</a><br>
                    </li>
                    <li> <a href="Install.htm">Installation/Upgrade/</a><br>
                      <a href="Install.htm">Configuration</a><br>
                    </li>
                    <li> <a href="shorewall_quickstart_guide.htm">QuickStart
  Guides   (HOWTOs)</a><br>
                     </li>
                                            <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                            <li> <a href="Documentation.htm">Reference Manual</a></li>
                            <li> <a href="FAQ.htm">FAQs</a></li>
                             <li><a href="useful_links.html">Useful Links</a><br>
                             </li>
                            <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                            <li> <a href="errata.htm">Errata</a></li>
                            <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
                            <li> <a href="support.htm">Support</a></li>
                            <li> <a href="mailing_list.htm">Mailing Lists</a></li>
                            <li> <a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
                              <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                              <li><a target="_top"
 href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                              <li><a target="_top"
 href="http://germany.shorewall.net">Germany</a></li>
                              <li><a target="_top"
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                              <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
                  <li><a href="http://www.shorewall.net" target="_top">Washington
  State, USA</a><br>
                  </li>
          </ul>
                            </li>
      </ul>
      <ul>
                            <li>   <a href="News.htm">News Archive</a></li>
                            <li> <a href="Shorewall_CVS_Access.html">CVS
 Repository</a></li>
                            <li> <a href="quotes.htm">Quotes from Users</a></li>
                            <li> <a href="shoreline.htm">About the Author</a></li>
                            <li> <a
 href="sourceforge_index.htm#Donations">Donations</a></li>
      </ul>
                          </td>
                        </tr>
  </tbody>                     
 </table>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
                  <strong><br>
                  <b>Note: </b></strong>Search is unavailable Daily 0200-0330 
  GMT.<br>
                  <strong></strong>                                     
  <p><strong>Quick Search</strong><br>
                        <font face="Arial" size="-1">     <input
 type="text" name="words" size="15"></font><font size="-1"> </font>   <font
 face="Arial" size="-1">     <input type="hidden" name="format"
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
                        <font face="Arial">   <input type="hidden"
 name="exclude" value="[http://www.shorewall.net/pipermail/*]">   </font>
    </form>
 <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> </a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/VPN.htm
+++ b/STABLE/documentation/VPN.htm
@ -1,40 +1,60 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>VPN</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">VPN</font></h1>
+      <h1 align="center"><font color="#ffffff">VPN</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<p>It is often the case that a system behind the firewall needs to be able to 
+ 
-access a remote network through Virtual Private Networking (VPN). The two most 
+<p>It is often the case that a system behind the firewall needs to be able
-common means for doing this are IPSEC and PPTP. The basic setup is shown in the 
+to  access a remote network through Virtual Private Networking (VPN). The
-following diagram:</p>
+two most  common means for doing this are IPSEC and PPTP. The basic setup
-<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
+is shown in the  following diagram:</p>
 <p align="center"><img border="0" src="images/VPN.png" width="568"
 height="796">
 </p>
 <p align="left">A system with an RFC 1918 address needs to access a remote
-network through a remote gateway. For this example, we will assume that the 
+ network through a remote gateway. For this example, we will assume that
-local system has IP address 192.168.1.12 and that the remote gateway has IP 
+the  local system has IP address 192.168.1.12 and that the remote gateway
-address 192.0.2.224.</p>
+has IP  address 192.0.2.224.</p>
-<p align="left">If PPTP is being used, there are no firewall requirements beyond 
+ 
-the default loc-&gt;net ACCEPT policy. There is one restriction however: Only one 
+<p align="left">If PPTP is being used, there are no firewall requirements
-local system at a time can be connected to a single remote gateway unless you 
+beyond  the default loc-&gt;net ACCEPT policy. There is one restriction however:
-patch your kernel from the 'Patch-o-matic' patches available at
+Only one  local system at a time can be connected to a single remote gateway
-<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
+unless you  patch your kernel from the 'Patch-o-matic' patches available
-<p align="left">If IPSEC is being used then there are firewall configuration 
+at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
-requirements as follows:</p>
+ 
 <p align="left">If IPSEC is being used then only one system may connect to
 the remote gateway and there are firewall configuration  requirements as
 follows:</p>
 <blockquote>   
-  <table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 bordercolor="#111111" id="AutoNumber2" height="98">
     <tbody>
      <tr>
       <td height="38"><u><b>ACTION</b></u></td>
       <td height="38"><u><b>SOURCE</b></u></td>
@ -51,9 +71,9 @@ requirements as follows:</p>
       <td height="19">net:192.0.2.224</td>
       <td height="19">loc:192.168.1.12</td>
       <td height="19">50</td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
     </tr>
     <tr>
       <td height="19">DNAT</td>
@ -61,21 +81,24 @@ requirements as follows:</p>
       <td height="19">loc:192.168.1.12</td>
       <td height="19">udp</td>
       <td height="19">500</td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
     </tr>
    </tbody>
  </table>
 </blockquote>
 <p>If you want to be able to give access to all of your local systems to the 
 remote network, you should consider running a VPN client on your firewall. As 
 starting points, see
 <a href="http://www.shorewall.net/Documentation.htm#Tunnels">
 http://www.shorewall.net/Documentation.htm#Tunnels</a> or
 <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
 <p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
 Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
 <font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p>&nbsp;</p>
 <p>If you want to be able to give access to all of your local systems to
 the  remote network, you should consider running a VPN client on your firewall.
 As  starting points, see <a
 href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
 or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
 <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
 <p> </p>
  <br>
 </body>
 </html>
--- a/STABLE/documentation/configuration_file_basics.htm
+++ b/STABLE/documentation/configuration_file_basics.htm
@ -20,6 +20,7 @@
                <tbody>
                 <tr>
                  <td width="100%">                                     
      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
                  </td>
                </tr>
@ -38,46 +39,56 @@
 <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
 <ul>
-              <li>/etc/shorewall/shorewall.conf - used to set several firewall
+                      <li>/etc/shorewall/shorewall.conf - used to set several 
-           parameters.</li>
+  firewall             parameters.</li>
-              <li>/etc/shorewall/params - use this file to set shell variables 
+                      <li>/etc/shorewall/params - use this file to set shell
-  that you will     expand in other files.</li>
+  variables     that you will     expand in other files.</li>
-              <li>/etc/shorewall/zones - partition the firewall's view of 
+                      <li>/etc/shorewall/zones - partition the firewall's 
-the   world         into <i>zones.</i></li>
+view   of  the   world         into <i>zones.</i></li>
                      <li>/etc/shorewall/policy - establishes firewall high-level 
    policy.</li>
-              <li>/etc/shorewall/interfaces - describes the interfaces on 
+                      <li>/etc/shorewall/interfaces - describes the interfaces
-the          firewall system.</li>
+   on  the          firewall system.</li>
-              <li>/etc/shorewall/hosts - allows defining zones in terms of
+                      <li>/etc/shorewall/hosts - allows defining zones in 
- individual           hosts and subnetworks.</li>
+terms    of  individual           hosts and subnetworks.</li>
-              <li>/etc/shorewall/masq - directs the firewall where to use 
+                      <li>/etc/shorewall/masq - directs the firewall where
-many-to-one            (dynamic) Network Address Translation (a.k.a. Masquerading) 
+ to  use   many-to-one            (dynamic) Network Address Translation (a.k.a. 
-and  Source          Network Address Translation (SNAT).</li>
+  Masquerading)   and  Source          Network Address Translation (SNAT).</li>
-              <li>/etc/shorewall/modules - directs the firewall to load kernel 
+                      <li>/etc/shorewall/modules - directs the firewall to
-  modules.</li>
+ load   kernel    modules.</li>
                      <li>/etc/shorewall/rules - defines rules that are exceptions
     to  the         overall policies established in /etc/shorewall/policy.</li>
                      <li>/etc/shorewall/nat - defines static NAT rules.</li>
-              <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
+                      <li>/etc/shorewall/proxyarp - defines use of Proxy
-              <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) 
+ARP.</li>
-  defines  hosts    accessible when Shorewall is stopped.</li>
+                      <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
-              <li>/etc/shorewall/tcrules - defines marking of packets for 
+ later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
-later   use by     traffic control/shaping or policy routing.</li>
+                      <li>/etc/shorewall/tcrules - defines marking of packets 
-              <li>/etc/shorewall/tos - defines rules for setting the TOS
+  for   later   use by     traffic control/shaping or policy routing.</li>
-field   in packet         headers.</li>
+                      <li>/etc/shorewall/tos - defines rules for setting
-              <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels 
+the   TOS   field   in packet         headers.</li>
-  with end-points on         the firewall system.</li>
+                      <li>/etc/shorewall/tunnels - defines IPSEC, GRE and 
 IPIP   tunnels    with end-points on         the firewall system.</li>
                      <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
      addresses.</li>
   <li>/etc/shorewall/init - commands that you wish to execute at the beginning 
 of a "shorewall start" or "shorewall restart".</li>
   <li>/etc/shorewall/start - commands that you wish to execute at the completion 
 of a "shorewall start" or "shorewall restart"</li>
   <li>/etc/shorewall/stop - commands that you wish to execute at the beginning 
 of a "shorewall stop".</li>
   <li>/etc/shorewall/stopped - commands that you wish to execute at the
 completion of a "shorewall stop".<br>
   </li>
 </ul>
 <h2>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-         character a pound sign ("#"). You may also place comments at the
+             character a pound sign ("#"). You may also place comments at
-end  of any line, again by       delimiting the comment from the rest of
+the    end  of any line, again by       delimiting the comment from the rest
-the line  with a pound sign.</p>
+of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -100,38 +111,41 @@ the line  with a pound sign.</p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
       using DNS names in Shorewall configuration files. If you use DNS names
-and   you are called out of bed at 2:00AM because Shorewall won't start as
+    and   you are called out of bed at 2:00AM because Shorewall won't start
-a result  of DNS problems then don't say that you were not forewarned. <br>
+  as  a result  of DNS problems then don't say that you were not forewarned.
  <br>
              </b></p>
 <p align="left"><b>    -Tom<br>
              </b></p>
 <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall 
-  configuration files may be specified either as IP addresses or as DNS Names.<br>
+      configuration files may be specified as either IP addresses or DNS 
 Names.<br>
              <br>
-     DNS names in iptables rules  aren't nearly as useful as they first appear. 
+             DNS names in iptables rules  aren't nearly as useful as they 
-  When a DNS name appears in a rule,  the iptables utility resolves the name 
+first    appear.    When a DNS name appears in a rule,  the iptables utility 
-  to one or more IP addresses and inserts  those addresses into the rule. 
+resolves    the name    to one or more IP addresses and inserts  those addresses 
-So  change in the DNS-&gt;IP address relationship  that occur after the firewall 
+into    the rule.  So  changes in the DNS-&gt;IP address relationship  that 
-  has started have absolutely no effect on the  firewall's ruleset.    </p>
+occur   after the firewall    has started have absolutely no effect on the 
 firewall's   ruleset.    </p>
 <p align="left">     If your firewall rules include DNS names then:</p>
 <ul>
               <li>If your /etc/resolv.conf is wrong then your firewall won't 
      start.</li>
-       <li>If your /etc/nsswitch.conf is wrong then your firewall won't 
+               <li>If your /etc/nsswitch.conf is wrong then your firewall 
-   start.</li>
+won't        start.</li>
-       <li>If your Name Server(s) is(are) down then your firewall won't 
+               <li>If your Name Server(s) is(are) down then your firewall 
-   start.</li>
+won't        start.</li>
-       <li>If your startup scripts try to start your firewall before starting 
+               <li>If your startup scripts try to start your firewall before
-  your DNS server then your firewall won't start.<br>
+  starting     your DNS server then your firewall won't start.<br>
              </li>
-       <li>Factors totally outside your control (your ISP's router is   
+               <li>Factors totally outside your control (your ISP's router
- down   for example), can prevent your firewall from starting.</li>
+ is      down   for example), can prevent your firewall from starting.</li>
-      <li>You must bring up your network interfaces prior to starting your
+              <li>You must bring up your network interfaces prior to starting 
- firewall.<br>
+  your   firewall.<br>
              </li>
 </ul>
@ -146,7 +160,7 @@ So  change in the DNS-&gt;IP address relationship  that occur after the firewall
 <ul>
               <li>mail.shorewall.net</li>
-       <li>shorewall.net.</li>
+               <li>shorewall.net. (note the trailing period).</li>
 </ul>
              Examples of invalid DNS names:<br>
@ -159,14 +173,14 @@ So  change in the DNS-&gt;IP address relationship  that occur after the firewall
              DNS names may not be used as:<br>
 <ul>
-       <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
+               <li>The server address in a DNAT rule (/etc/shorewall/rules
 file)</li>
               <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
               <li>In the /etc/shorewall/nat file.</li>
 </ul>
-      These are iptables restrictions and are not simply imposed for your 
+              These restrictions are not imposed by Shorewall simply for
-inconvenience   by Shorewall. <br>
+your inconvenience but are rather limitations of iptables.<br>
      <br>
 <h2>Complementing an Address or Subnet</h2>
@ -187,7 +201,8 @@ no white space following the "!".</p>
                      <li>If you use line continuation to break a comma-separated 
    list,   the          continuation line(s) must begin in column 1 (or there
    would  be embedded          white space)</li>
-              <li>Entries in a comma-separated list may appear in any order.</li>
+                      <li>Entries in a comma-separated list may appear in 
 any   order.</li>
 </ul>
@ -218,6 +233,7 @@ would  be embedded          white space)</li>
 <p>Example:</p>
 <blockquote>                                                             
  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
                   </blockquote>
@ -225,7 +241,9 @@ would  be embedded          white space)</li>
                   Example (/etc/shorewall/interfaces record):</p>
                                        <font
 face="Century Gothic, Arial, Helvetica">                                
 <blockquote>                                                             
  <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
                   </blockquote>
                                                     </font>            
@ -233,7 +251,9 @@ would  be embedded          white space)</li>
 <p>The result will be the same as if the record had been written</p>
                                            <font
 face="Century Gothic, Arial, Helvetica">                                
 <blockquote>                                                             
  <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
                   </blockquote>
                                                         </font>        
@ -251,50 +271,150 @@ would  be embedded          white space)</li>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
  unique MAC address.<br>
                    <br>
-            In GNU/Linux, MAC addresses are usually written as a series of
+                    In GNU/Linux, MAC addresses are usually written as a
- 6  hex numbers        separated by colons. Example:<br>
+series    of  6  hex numbers        separated by colons. Example:<br>
                    <br>
                   [root@gateway root]# ifconfig eth0<br>
                   eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
-           inet addr:206.124.146.176 Bcast:206.124.146.255        Mask:255.255.255.0<br>
+                   inet addr:206.124.146.176 Bcast:206.124.146.255      
 Mask:255.255.255.0<br>
                   UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
-           RX packets:2398102 errors:0 dropped:0 overruns:0        frame:0<br>
+                   RX packets:2398102 errors:0 dropped:0 overruns:0     
-           TX packets:3044698 errors:0 dropped:0 overruns:0        carrier:0<br>
+  frame:0<br>
                   TX packets:3044698 errors:0 dropped:0 overruns:0     
  carrier:0<br>
                   collisions:30394 txqueuelen:100<br>
-           RX bytes:419871805 (400.4 Mb) TX bytes:1659782221        (1582.8 
+                   RX bytes:419871805 (400.4 Mb) TX bytes:1659782221    
- Mb)<br>
+   (1582.8     Mb)<br>
                   Interrupt:11 Base address:0x1800<br>
                    <br>
-            Because Shorewall uses colons as a separator for address fields,
+                    Because Shorewall uses colons as a separator for address
-  Shorewall requires        MAC addresses to be written in another way. In
+  fields,     Shorewall requires        MAC addresses to be written in another
- Shorewall, MAC addresses        begin with a tilde ("~") and consist of
+  way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
-6  hex numbers separated by        hyphens. In Shorewall, the MAC address
+consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
-in  the example above would be        written "~02-00-08-E3-FA-55".<br>
+MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
         </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
    in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
         </p>
 <h2><a name="Levels"></a>Logging</h2>
     By default, Shorewall directs NetFilter to log using syslog (8). Syslog
  classifies log messages by a <i>facility</i> and a <i>priority</i> (using 
 the notation <i>facility.priority</i>). <br>
   <br>
   The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
 kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through 
 <i>local7</i>.<br>
   <br>
   Throughout the Shorewall documentation, I will use the term <i>level</i> 
 rather than <i>priority</i> since <i>level</i> is the term used by NetFilter. 
 The syslog documentation uses the term <i>priority</i>.<br>
 <h3>Syslog Levels<br>
     </h3>
     Syslog levels are a method of describing to syslog (8) the importance
  of  a message and a number of Shorewall parameters have a syslog level
 as   their  value.<br>
       <br>
       Valid levels are:<br>
       <br>
              7       debug<br>
              6       info<br>
              5       notice<br>
              4       warning<br>
              3       err<br>
              2       crit<br>
              1       alert<br>
              0       emerg<br>
       <br>
       For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall 
   log messages are generated by NetFilter and are logged using the <i>kern</i>
  facility  and the level that you specify. If you are unsure of the level
  to choose,  6 (info) is a safe bet. You may specify levels by name or by
 number.<br>
     <br>
     Syslogd writes log messages to files (typically in /var/log/*) based 
 on  their facility and level. The mapping of these facility/level pairs to 
 log  files is done in /etc/syslog.conf (5). If you make changes to this file,
 you must restart syslogd before the changes can take effect.<br>
 <h3>Configuring a Separate Log for Shorewall Messages</h3>
     There are a couple of limitations to syslogd-based logging:<br>
 <ol>
       <li>If you give, for example, kern.info it's own log destination then 
  that destination will also receive all kernel messages of levels 5 (notice) 
  through 0 (emerg).</li>
       <li>All kernel.info messages will go to that destination and not just
  those from NetFilter.<br>
       </li>
 </ol>
     Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
  support (and most vendor-supplied kernels do), you may also specify a log 
 level of ULOG (must be all caps). When  ULOG is used, Shorewall will direct 
 netfilter to log the related messages  via the ULOG target which will send 
 them to a process called 'ulogd'. The  ulogd program is available from http://www.gnumonks.org/projects/ulogd 
 and  can be configured to log all Shorewall message to their own log file.<br>
 <br>
 Download the ulod tar file and:<br>
 <ol>
   <li>cd /usr/local/src (or wherever you do your builds)</li>
   <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
   <li>cd ulogd-<i>version</i><br>
   </li>
   <li>./configure</li>
   <li>make</li>
   <li>make install<br>
   </li>
 </ol>
 If you are like me and don't have a development environment on your firewall, 
 you can do the first five steps on another system then either NFS mount your 
 /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> 
 directory and move it to your firewall system.<br>
 <br>
 Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
 <ol>
   <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
   <li>syslogsync 1</li>
 </ol>
 I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to 
 /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" 
 to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig 
 --level 3 ulogd on" starts ulogd during boot up. Your init system may need 
 something else done to activate the script.<br>
 <br>
 Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that 
 you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
 look for the log when processing its "show log", "logwatch" and "monitor" 
 commands.<br>
 <h2><a name="Configs"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-  The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
+      The <a href="starting_and_stopping_shorewall.htm">shorewall start and 
-      commands allow you to specify an alternate configuration directory
+  restart</a>       commands allow you to specify an alternate configuration 
-and    Shorewall will use the files in the alternate directory rather than
+  directory and    Shorewall will use the files in the alternate directory 
-the  corresponding  files in /etc/shorewall. The alternate directory need
+ rather than the  corresponding  files in /etc/shorewall. The alternate directory 
-not contain a complete  configuration; those files not in the alternate directory 
+  need not contain a complete  configuration; those files not in the alternate 
-will be read from  /etc/shorewall.</p>
+  directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
       by:</p>
 <ol>
-              <li>  copying the files that need modification from /etc/shorewall 
+                      <li>  copying the files that need modification from 
-  to a separate      directory;</li>
+/etc/shorewall       to a separate      directory;</li>
-              <li>  modify those files in the separate directory; and</li>
+                      <li>  modify those files in the separate directory; 
-              <li>  specifying the separate directory in a shorewall start
+and</li>
- or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
+                      <li>  specifying the separate directory in a shorewall
  start    or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
     restart</b></i>  ).</li>
 </ol>
@ -302,19 +422,14 @@ will be read from  /etc/shorewall.</p>
-<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 12/20/2002 - <a href="support.htm">Tom  Eastep</a>
          </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+         © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-                                                                        
+  </p>
                                <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -33,35 +33,38 @@
   for the configuration that most closely matches your own.<br>
    </b></p>
-<p>The entire set of Shorewall documentation is also available in PDF format
+<p>The entire set of Shorewall documentation is available in PDF format  at:</p>
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
        <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
+       <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
- <br>
+  </p>
- Once you've done that, download <u>     one</u> of the modules:</p>
+ 
 <p>The documentation in HTML format is included   in the .rpm and in the .tgz
 packages below.</p>
 <p>  Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
                <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
             Linux PPC</b> or     <b> TurboLinux</b> distribution     with 
 a  2.4   kernel,   you can use the  RPM version (note: the             RPM 
-should   also work  with other distributions that             store init scripts
+ should   also work  with other distributions that             store init 
-in  /etc/init.d  and that             include chkconfig or insserv). If you
+scripts in  /etc/init.d  and that             include chkconfig or insserv). 
-find  that it works   in other cases, let <a
+If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
   I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
   if you have problems    installing the RPM.</li>
                <li>If you are running LRP, download the .lrp file (you might 
  also   want  to     download the .tgz so you will have a copy of the documentation).</li>
                <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
-   and   would      like a .deb package, Shorewall is in both the    <a
+    and   would      like a .deb package, Shorewall is included in both the 
- href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
+   <a href="http://packages.debian.org/testing/net/shorewall.html">Debian 
-Branch</a> and the    <a
+    Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
 Unstable Branch</a>.</li>
-              <li>Otherwise, download the <i>shorewall</i>             module 
+                <li>Otherwise, download the <i>shorewall</i>            
-  (.tgz)</li>
+module    (.tgz)</li>
 </ul>
@ -76,8 +79,8 @@ Unstable Branch</a>.</li>
                <li>RPM - "rpm -qip LATEST.rpm"</li>
                <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name
 will   contain    the version)</li>
-              <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf 
+                <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar   
- &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
+-zxf   &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
 </ul>
@ -92,8 +95,9 @@ will   contain    the version)</li>
 configuration    of your firewall, you can enable startup by removing the 
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
+<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
-  to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
+   to the    mirrors  occur 1-12 hours after an update to the Washington
 State site.</b></p>
 <blockquote>                                          
  <table border="2" cellspacing="3" cellpadding="3"
@ -231,10 +235,10 @@ file /etc/shorewall/startup_disabled.</b></font></p>
                    <td>Shorewall.net</td>
                    <td><a
 href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
-                    <a href="http://france.shorewall.net/pub/LATEST.tgz">Download 
+                      <a
-            .tgz</a> <br>
+ href="http://france.shorewall.net/pub/LATEST.tgz">Download              .tgz</a> <br>
-                    <a href="http://france.shorewall.net/pub/LATEST.lrp">Download 
+                      <a
-            .lrp</a><br>
+ href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
                    <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
  .md5sums</a></td>
@ -283,28 +287,11 @@ file /etc/shorewall/startup_disabled.</b></font></p>
               </td>
              </tr>
    </tbody>                                       
  </table>
              </blockquote>
 <p align="left"><b>Documentation in PDF format:</b><br>
    </p>
 <blockquote>            
  <p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing 
 the Shorewall 1.3.10 documenation (the documentation in HTML format is included 
 in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
    </blockquote>
 <blockquote>            
  <blockquote><a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
    http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
      </blockquote>
    </blockquote>
 <p><b>Browse Download Sites:</b></p>
 <blockquote>                                          
@ -367,11 +354,13 @@ file /etc/shorewall/startup_disabled.</b></font></p>
                   <tr>
                    <td>Washington State, USA</td>
                    <td>Shorewall.net</td>
-                  <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
+                    <td><a
 href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
                    <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
 target="_blank">Browse</a></td>
                   </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -387,22 +376,12 @@ file /etc/shorewall/startup_disabled.</b></font></p>
        </p>
      </blockquote>
-<p align="left"><font size="2">Last Updated 12/3/2002 - <a
+<p align="left"><font size="2">Last Updated 12/12/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-             <br>
+ </p>
           <br>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -42,22 +42,23 @@
                             </li>
                <li>                                                    
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory 
+untar the archive, replace the        'firewall' script in the untarred directory
      with the one you downloaded        below, and then run install.sh.</b></p>
                             </li>
                <li>                                                    
    <p align="left">          <b>When the instructions say to install a corrected
      firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
-    or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
+     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
-    the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
+overwrite      the        existing file. DO  NOT REMOVE OR RENAME THE OLD
-           or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall 
+/etc/shorewall/firewall             or /var/lib/shorewall/firewall  before
-           and /var/lib/shorewall/firewall  are symbolic links that point 
+you do that. /etc/shorewall/firewall             and /var/lib/shorewall/firewall
-       to the 'shorewall' file used by your  system initialization scripts 
+ are symbolic links that point         to the 'shorewall' file used by your
- to         start Shorewall during boot. It is  that file that must be overwritten 
+ system initialization scripts   to         start Shorewall during boot.
-           with the corrected script.</b></p>
+It is  that file that must be overwritten             with the corrected
 script.</b></p>
        </li>
        <li>                              
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
@ -72,16 +73,16 @@ example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
                <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
                <li>                            <b><a href="#V1.3">Problems 
 in  Version    1.3</a></b></li>
-               <li>                            <b><a href="errata_2.htm">Problems 
+                <li>                            <b><a
-    in  Version 1.2</a></b></li>
+ href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
                <li>                            <b><font color="#660066"> 
     <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
                <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
                <li>                            <b><a href="#Debug">Problems
  with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
-               <li><b><a href="#SuSE">Problems installing/upgrading RPM on
+                <li><b><a href="#SuSE">Problems installing/upgrading RPM
- SuSE</a></b></li>
+on  SuSE</a></b></li>
                <li><b><a href="#Multiport">Problems with iptables version
 1.2.7    and       MULTIPORT=Yes</a></b></li>
          <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
@ -92,6 +93,13 @@ example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
 <hr>                                    
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.11a</h3>
 <ul>
  <li><a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
 copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
  </li>
 </ul>
 <h3>Version 1.3.11</h3>
 <ul>
@ -101,12 +109,12 @@ example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
        user teastep does not exist - using root<br>
        group teastep does not exist - using root<br>
       <br>
-  These warnings are harmless and may be ignored. Users downloading the .rpm
+   These warnings are harmless and may be ignored. Users downloading the
- from shorewall.net or mirrors should no longer see these warnings as the
+.rpm  from shorewall.net or mirrors should no longer see these warnings as
-.rpm you will get from there has been corrected.</li>
+the .rpm you will get from there has been corrected.</li>
-   <li>DNAT rules that exclude a source subzone (SOURCE column contains ! 
+    <li>DNAT rules that exclude a source subzone (SOURCE column contains
-followed by a sub-zone list) result in an error message and Shorewall fails 
+!  followed by a sub-zone list) result in an error message and Shorewall
-to start.<br>
+fails  to start.<br>
      <br>
  Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
@ -158,9 +166,9 @@ on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
 <ul>
        <li>The installer (install.sh) issues a misleading message "Common
-functions   installed in /var/lib/shorewall/functions" whereas the file is 
+ functions   installed in /var/lib/shorewall/functions" whereas the file
-installed  in /usr/lib/shorewall/functions. The installer also performs incorrectly 
+is  installed  in /usr/lib/shorewall/functions. The installer also performs
-when updating old configurations that had the file /etc/shorewall/functions. 
+incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
     <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
   is an updated version that corrects these problems.<br>
@ -179,8 +187,8 @@ when updating old configurations that had the file /etc/shorewall/functions.
 <ul>
             <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
  of  the  policy file doesn't work.</li>
-            <li>A DNAT rule with the same original and new IP addresses but 
+             <li>A DNAT rule with the same original and new IP addresses
- with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 
+but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
  tcp   25 - 10.1.1.1")<br>
             </li>
@ -222,14 +230,14 @@ when updating old configurations that had the file /etc/shorewall/functions.
 <ol>
                                             <li>If the firewall is running 
- a  DHCP   server,                                   the client won't be
+ a  DHCP   server,                                   the client won't be able
-able   to obtain   an IP  address                                  lease
+  to obtain   an IP  address                                  lease from
-from that   server.</li>
+that   server.</li>
                                             <li>With this order of checking, 
  the   "dhcp"                                   option cannot be used as 
 a  noise-reduction                                     measure where there 
-are  both dynamic and    static                                  clients
+are  both dynamic and    static                                  clients on
-on a LAN segment.</li>
+a LAN segment.</li>
 </ol>
@ -260,8 +268,8 @@ on a LAN segment.</li>
                         <li>                                           
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-     an error occurs when the firewall            script attempts to add an
+      an error occurs when the firewall            script attempts to add
-  SNAT   alias.  </p>
+an   SNAT   alias.  </p>
              </li>
              <li>                                                      
@ -308,8 +316,8 @@ on a LAN segment.</li>
 <div align="left">                
 <p align="left">That capability was lost in version 1.3.4 so that it is only
-         possible to  include a single host specification on each line. This 
+          possible to  include a single host specification on each line.
-       problem is corrected by    <a
+This         problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
          modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
          as instructed above.</p>
@ -331,10 +339,10 @@ on a LAN segment.</li>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
-        to not verify that the zones named in the /etc/shorewall/policy file
+         to not verify that the zones named in the /etc/shorewall/policy
-           have been previously defined in the /etc/shorewall/zones file.
+file            have been previously defined in the /etc/shorewall/zones
-The            "shorewall check" command does perform this verification so
+file. The            "shorewall check" command does perform this verification
-it's a            good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
                 changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -351,8 +359,8 @@ it's a            good idea to run that command after you have made configuratio
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version
+           file can be identified by its size (56284 bytes). The correct
-           has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
 <ul>
                         <li>The code to detect a duplicate interface entry 
@ -383,8 +391,8 @@ just   like   "NAT_BEFORE_RULES=Yes".</li>
 <ul>
                         <li>TCP SYN packets may be double counted when 
-         LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e., each
+          LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e.,
-             packet is sent through the limit chain twice).</li>
+each              packet is sent through the limit chain twice).</li>
                         <li>An unnecessary jump to the policy chain is sometimes 
               generated for a CONTINUE policy.</li>
                         <li>When an option is given for more than one interface
@ -402,8 +410,8 @@ option.  For example:<br>
 noping. An additional                 bug has been found that affects only 
 the 'routestopped' option.<br>
                         <br>
-                        Users who downloaded the corrected script prior to
+                         Users who downloaded the corrected script prior
- 1850   GMT   today              should download and install the corrected
+to  1850   GMT   today              should download and install the corrected 
 script   again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -553,5 +561,6 @@ option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentati
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/images/MDKlinux.jpg
+++ b/STABLE/documentation/images/MDKlinux.jpg
--- a/STABLE/documentation/images/Vexira_Antivirus_Logo.gif
+++ b/STABLE/documentation/images/Vexira_Antivirus_Logo.gif
--- a/STABLE/documentation/images/courier-imap.png
+++ b/STABLE/documentation/images/courier-imap.png
--- a/STABLE/documentation/images/debian.jpg
+++ b/STABLE/documentation/images/debian.jpg
--- a/STABLE/documentation/images/logo2.png
+++ b/STABLE/documentation/images/logo2.png
--- a/STABLE/documentation/images/medbutton.png
+++ b/STABLE/documentation/images/medbutton.png
--- a/STABLE/documentation/images/obrasinf.gif
+++ b/STABLE/documentation/images/obrasinf.gif
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -33,10 +33,18 @@
                </a><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45">
-            </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
+                </a><font color="#ffffff">Shorewall Mailing Lists<a
 href="http://www.inter7.com/courierimap/"><img
 src="images/courier-imap.png" alt="Courier-Imap" width="100"
 height="38" align="right">
        </a></font></h1>
      <p align="right"><font color="#ffffff"><b><br>
-Powered by Postfix          </b></font>     </p>
+        </b></font></p>
      <p align="right"><font color="#ffffff"><b><br>
  Powered by Postfix         </b></font>     </p>
                </td>
             </tr>
@ -71,10 +79,27 @@ Powered by Postfix
        <li>to ensure that the sender address is fully qualified.</li>
        <li>to verify that the sender's domain has an A or MX record in DNS.</li>
        <li>to ensure that the host name in the HELO/EHLO command is a valid
-fully-qualified  DNS name.<br>
+  fully-qualified  DNS name.</li>
    </li>
 </ol>
 <h2>Please post in plain text</h2>
 While the list server here at shorewall.net accepts and distributes HTML
 posts, a growing number of MTAs serving list subscribers are rejecting this
 HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
 "for continuous abuse"!!<br>
 <br>
 I think that blocking all HTML is a rather draconian way to control spam
 and that the unltimate loser here is not the spammers but the list subscribers
 whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
 can help by restricting your list posts to plain text.<br>
 <br>
 And as a bonus, subscribers who use email clients like pine and mutt will
 be able to read your plain text posts whereas they are most likely simply
 ignoring your HTML posts.<br>
 <br>
 A final bonus for the use of HTML is that it cuts down the size of messages
 by a large percentage -- that is important when the same message must be
 sent 500 times over the slow DSL line connecting the list server to the internet.<br>
 <h2></h2>
@ -110,14 +135,19 @@ fully-qualified  DNS name.<br>
 type="submit" value="Search"> </p>
          </form>
 <h2 align="left"><font color="#ff0000">Please do not try to download the entire
 Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
 stand the traffic. If I catch you, you'll be blacklisted.<br>
   </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
        If you want to trust X.509 certificates issued by Shoreline Firewall
  (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a>
-  in your browser. If you don't wish to trust my certificates then you can
+    in your browser. If you don't wish to trust my certificates then you
- either use unencrypted access when subscribing to Shorewall mailing lists
+can    either use unencrypted access when subscribing to Shorewall mailing
- or you can use secure access (SSL) and accept the server's certificate when
+lists    or you can use secure access (SSL) and accept the server's certificate
- prompted by your browser.<br>
+when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
@ -187,10 +217,10 @@ list may be found at <a
             </li>
             <li>                                                   
    <p align="left">Down at the bottom of that page is the following text:
-   "To  change your subscription (set options like digest and delivery modes,
+     "To  change your subscription (set options like digest and delivery
-   get a  reminder of your password, <b>or unsubscribe</b> from &lt;name
+modes,      get a  reminder of your password, <b>or unsubscribe</b> from
-of   list&gt;), enter  your subscription email address:". Enter your email
+&lt;name  of   list&gt;), enter  your subscription email address:". Enter
-address   in the box and click  on the "Edit Options" button.</p>
+your email  address   in the box and click  on the "Edit Options" button.</p>
             </li>
             <li>                                                   
    <p align="left">There will now be a box where you can enter your password
@ -205,17 +235,12 @@ address   in the box and click  on the "Edit Options" button.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 11/22/2002 - <a
+<p align="left"><font size="2">Last updated 12/27/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-        <br>
+ </p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list_problems.htm
+++ b/STABLE/documentation/mailing_list_problems.htm
@ -33,11 +33,11 @@
 <blockquote>                                    
  <div align="left">                                      
-  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled  (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
              </div>
            </blockquote>
-<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
+<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -53,5 +53,8 @@
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ping.html
+++ b/STABLE/documentation/ping.html
@ -0,0 +1,90 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>ICMP Echo-request (Ping)</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
      <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <br>
 Shorewall 'Ping' management has evolved over time in a less than consistant
 way. This page describes how it now works.<br>
 <br>
 There are several aspects to Shorewall Ping management:<br>
 <ol>
  <li>The <b>noping</b> and <b>filterping </b>interface options in <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
  <li>The <b>FORWARDPING</b> option in<a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
  <li>Explicit rules in <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ol>
 There are two cases to consider:<br>
 <ol>
  <li>Ping requests addressed to the firewall itself; and</li>
  <li>Ping requests being forwarded to another system. Included here are
 all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
 routing.</li>
 </ol>
 These cases will be covered separately.<br>
 <h2>Ping Requests Addressed to the Firewall Itself</h2>
 For ping requests addressed to the firewall, the sequence is as follows:<br>
 <ol>
  <li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
 interface that receives the ping request then the request will be responded
 to with an ICMP echo-reply.</li>
  <li>If <b>noping</b> is specified for the interface that receives the ping
 request then the request is ignored.</li>
  <li>If <b>filterping </b>is specified for the interface then the request
 is passed to the rules/policy evaluation.</li>
 </ol>
 <h2>Ping Requests Forwarded by the Firewall</h2>
 These requests are <b>always</b> passed to rules/policy evaluation.<br>
 <h2>Rules Evaluation</h2>
 Ping requests are ICMP type 8. So the general rule format is:<br>
 <br>
 &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
 </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 <br>
 Example 1. Accept pings from the net to the dmz (pings are responded to with
 an ICMP echo-reply):<br>
 <br>
 &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 <br>
 Example 2. Drop pings from the net to the firewall<br>
 <br>
 &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 <h2>Policy Evaluation</h2>
 If no applicable rule is found, then the policy for the source to the destination
 is applied.<br>
 <ol>
  <li>If the relevant policy is ACCEPT then the request is responded to with
 an ICMP echo-reply.</li>
  <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
 then the request is responded to with an ICMP echo-reply.</li>
  <li>Otherwise, the relevant REJECT or DROP policy is used and the request
 is either rejected or simply ignored.</li>
 </ol>
 <p><font size="2">Updated 12/13/2002 - <a
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -11,6 +11,7 @@
  <base target="_self">
 </head>
  <body>
@ -20,10 +21,13 @@
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
      <tbody>
                                                                        <tr>
-                                                                   <td
+                                                                        
- width="100%" height="90">                                              
+            <td width="100%" height="90">                               
@ -33,9 +37,10 @@
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                                                              </a></i></font><font
+                                                                        
- color="#ffffff">Shorewall      1.3   -        <font size="4">"<i>iptables 
+       </a></i></font><font color="#ffffff">Shorewall      1.3   -      
-            made easy"</i></font></font></h1>
+       <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
@ -47,13 +52,16 @@
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
                                                                   </div>
                                                                   <br>
            </td>
        </tr>
  </tbody>                                                              
 </table>
@ -61,12 +69,15 @@
 <div align="center">                                                     
 <center>                                                                 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
        <tbody>
                                                                        <tr>
-                                                                     <td
+                                                                        
- width="90%">                                                            
+              <td width="90%">                                          
@ -81,6 +92,8 @@
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
@ -92,22 +105,29 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify
                                  it        under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
 General Public License</a> as published by the Free Software        Foundation.<br>
           <br>
-                                                                   This program 
+                                                                        
-   is  distributed       in  the   hope   that   it  will   be  useful,  
+      This   program     is  distributed       in  the   hope   that   it 
- but         WITHOUT  ANY    WARRANTY;   without   even the  implied   warranty
+ will     be  useful,    but         WITHOUT  ANY    WARRANTY;   without 
-     of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR    PURPOSE.
+ even the   implied    warranty      of MERCHANTABILITY             or FITNESS
-       See the  GNU General     Public License          for  more details.<br>
+  FOR   A PARTICULAR      PURPOSE.        See the  GNU General     Public
 License           for  more details.<br>
           <br>
-                                                                   You should 
+                                                                        
-  have   received     a  copy   of  the   GNU   General     Public    License 
+      You   should    have   received     a  copy   of  the   GNU   General 
-           along  with   this program;    if  not, write  to the    Free Software
+     Public      License             along  with   this program;    if  not,
-       Foundation,            Inc., 675    Mass  Ave, Cambridge,  MA  02139,
+   write  to  the    Free Software        Foundation,            Inc., 675
-     USA</p>
+    Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -124,20 +144,23 @@ General Public License</a> as published by the Free Software        Foundation.<
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                                              </a>Jacques 
+                                                                        
-       Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway 
+       </a>Jacques              Nilo   and   Eric   Wolzak    have   a  LEAF 
-  on  a floppy,   CD  or compact  flash) distribution       called       
+(router/firewall/gateway         on  a floppy,   CD  or compact  flash) distribution 
-      <i>Bering</i>    that          features     Shorewall-1.3.10 and  Kernel-2.4.18.
+      called              <i>Bering</i>    that          features     Shorewall-1.3.10 
-      You    can  find    their   work at:          <a
+and    Kernel-2.4.18.       You    can  find    their   work at:         
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+      <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                      </a></p>
      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.0 Final!!! </b><br>
                 </p>
      <h2>This is a mirror of the main Shorewall web site at SourceForge
 (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -150,6 +173,7 @@ Bering 1.0 Final!!! </b><br>
      <h2>News</h2>
@ -158,283 +182,187 @@ Bering 1.0 Final!!! </b><br>
      <h2></h2>
-      <p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
+                                                                        
- src="images/new10.gif" width="28" height="12" alt="(New)">
+   
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                                              </b></p>
-      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
+      <p>     Features include:<br>
 with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
 don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                              </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
  documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
          <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
          </p>
-      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
+      <ol>
-                 </b></p>
+        <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules 
  and tcstart).</li>
        <li>"shorewall debug [re]start" now turns off debugging after an
 error   occurs. This places the point of the failure near the end of the
 trace rather   than up in the middle of it.</li>
        <li>"shorewall [re]start" has been speeded up by more than 40% with
 my  configuration. Your milage may vary.</li>
        <li>A "shorewall show classifiers" command has been added which shows
  the current packet classification filters. The output from this command
 is  also added as a separate page in "shorewall monitor"</li>
        <li>ULOG (must be all caps) is now accepted as a valid syslog level
 and  causes the subject packets to be logged using the ULOG target rather
 than  the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
        <li>If you are running a kernel that has a FORWARD chain in the mangle 
  table ("shorewall show mangle" will show you the chains in the mangle table), 
  you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
 input packets based on their destination even when you are using  Masquerading
 or SNAT.</li>
        <li>I have cluttered up the /etc/shorewall directory with empty 'init', 
  'start', 'stop' and 'stopped' files. If you already have a file with one 
 of these names, don't worry -- the upgrade process won't overwrite your file.</li>
        <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
 the syslog level at which packets are logged as a result of entries in the
 /etc/shorewall/rfc1918 file. Previously, these packets were always logged
 at the 'info' level.<br>
   </li>
      </ol>
-      <p>In this version:</p>
+      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
       </p>
 This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL 
 was set to anything but ULOG, the firewall would fail to start and "shorewall 
 refresh" would also fail.<br>
-      <ul>
+      <p>     You may download the Beta from:<br>
           <li>A 'tcpflags' option has been added to entries in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
 option causes Shorewall to make a set of sanity check on TCP packet header
 flags.</li>
           <li>It is now allowed to use 'all' in the SOURCE or DEST column
 in a <a href="Documentation.htm#Rules">rule</a>.  When used, 'all' must
 appear  by itself (in may not be qualified) and it does  not enable intra-zone
 traffic.  For example, the rule <br>
        <br>
        ACCEPT loc all tcp 80<br>
        <br>
    does not enable http traffic from 'loc' to 'loc'.</li>
           <li>Shorewall's use of the 'echo' command is now compatible with 
 bash clones such as ash and dash.</li>
           <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw 
 rules  generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
                          </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 
  documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
          <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                                  </p>
-      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>         
+      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                     </b></p>
+        <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
-                                                                        
+ target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
      <p>The main Shorewall web site is now back at SourceForge at <a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
              </p>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b>                         
 </b></p>
      <p>In this version:</p>
      <ul>
                       <li>You may now <a href="IPSEC.htm#Dynamic">define 
 the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
        delete" commands</a>. These commands are expected to be used primarily 
     within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
     updown   scripts.</li>
                       <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments. 
 You can specify the set  of allowed   MAC addresses   on   the segment and 
 you can optionally tie each MAC address   to one or more   IP  addresses.</li>
                       <li>PPTP Servers and Clients running on the firewall 
 system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
     file.</li>
                       <li>A new 'ipsecnat' tunnel type is supported for
 use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint is
 behind   a NAT   gateway</a>.</li>
                       <li>The PATH used by Shorewall may now be specified
 in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                       <li>The main firewall script is now /usr/lib/shorewall/firewall. 
        The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
        to do the real work. This change makes custom distributions such as
  for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
      that tends  to have distribution-dependent code.</li>
      </ul>
              If you have installed the 1.3.10 Beta 1 RPM and are now upgrading 
   to  version   1.3.10, you will need to use the '--force' option:<br>
      <blockquote>                                                      
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
      </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                            </b></p>
     The first public Beta version of Shorewall 1.3.12 is now available (Beta
 1 was made available to a limited audience). <br>
      <br>
      Features include:<br>
      <br>
-      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
+      <ol>
- href="http://www.gentoo.org"><br>
+             <li>"shorewall refresh" now reloads the traffic shaping rules
-                            </a></p>
+ (tcrules  and tcstart).</li>
-                      Alexandru Hartmann reports that his Shorewall package 
+             <li>"shorewall debug [re]start" now turns off debugging after
- is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo 
+ an  error occurs. This places the point of the failure near the end of the
-Linux  distribution</a>.       Thanks Alex!<br>
+ trace  rather than up in the middle of it.</li>
             <li>"shorewall [re]start" has been speeded up by more than 40% 
 with  my configuration. Your milage may vary.</li>
             <li>A "shorewall show classifiers" command has been added which
  shows the current packet classification filters. The output from this command
  is also added as a separate page in "shorewall monitor"</li>
             <li>ULOG (must be all caps) is now accepted as a valid syslog
 level  and causes the subject packets to be logged using the ULOG target
 rather than the LOG target. This allows you to run ulogd (available from
          <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
             <li>If you are running a kernel that has a FORWARD chain in
 the   mangle table ("shorewall show mangle" will show you the chains in the
 mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
 This allows  for  marking input packets based on their destination even when
 you are using  Masquerading or SNAT.</li>
             <li>I have cluttered up the /etc/shorewall directory with empty
  'init', 'start', 'stop' and 'stopped' files. If you already have a file
 with  one of these names, don't worry -- the upgrade process won't overwrite
 your  file.</li>
-                                                                        
+      </ol>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
                        In this version:<br>
      <ul>
                                <li>You may now <a
 href="IPSEC.htm#Dynamic">define     the   contents      of a zone dynamically</a>
 with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
 "shorewall            delete" commands</a>. These commands are expected
 to  be used primarily         within             <a
 href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>         updown  
 scripts.</li>
                                <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments.
      You can specify the set of  allowed   MAC addresses on   the segment
 and    you can optionally tie each MAC address   to one or more IP  addresses.</li>
                                <li>PPTP Servers and Clients running on the 
 firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
         file.</li>
                                <li>A new 'ipsecnat' tunnel type is supported 
  for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
  is   behind   a NAT   gateway</a>.</li>
                                <li>The PATH used by Shorewall may now be 
 specified      in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                <li>The main firewall script is now /usr/lib/shorewall/firewall.
            The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
            to do the real work. This change makes custom distributions such
   as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
          that tends  to have distribution-dependent code.</li>
      </ul>
      You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
        <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
      </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
        </a></b></p>
       Shorewall is at the center of MandrakeSoft's recently-announced <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
   Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
   release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
-      <ul>
+      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-                               <li><a
+     delivered. I have installed 9.0 on one of my systems and I am now in
- href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
+a  position   to support Shorewall users who run Mandrake 9.0.</p>
                               <li><a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                               </li>
-                                     
+      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>      
                          </b><br>
                 </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
-                                                                        
+      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                         </b></p>
                               This release rolls up fixes to the installer 
 and   to  the   firewall     script.<br>
                                <b><br>
                               10/6/2002 - Shorewall.net now running on RH8.0 
        </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
                                                         </b><br>
                                     <br>
                                 The firewall and server here at shorewall.net
   are   now   running     RedHat    release   8.0.<br>
      <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>                          
     </b></p>
                                       Roles up the fix for broken tunnels.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>                
         </b></p>
                                           <img
 src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
 align="left">
                                      There is an updated firewall script 
 at        <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
                   -- copy that file to /usr/lib/shorewall/firewall.<br>
      <p><b><br>
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
      with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
   who   don't need rules of this type need not upgrade to 1.3.11.</p>
-   
+      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
      <p><b><br>
                                    </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
        documenation. the PDF may be downloaded from</p>
-   
+      <p>    <a
-      <p><b><br>
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                                     9/28/2002 - Shorewall 1.3.9 </b><b>
+                      <a
-                               </b></p>
+ href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
      <p>In this version:<br>
                  </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
                 </b></p>
      <p>In this version:</p>
      <ul>
-                                                   <li><a
+                       <li>A 'tcpflags' option has been added to entries
- href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now
+in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
-               allowed in Shorewall config files (although I recommend  
+ This option causes Shorewall to make a set of sanity check on TCP packet 
-against          using       them).</li>
+header flags.</li>
-                                                   <li>The connection SOURCE
+                       <li>It is now allowed to use 'all' in the SOURCE or
-  may   now   be  qualified      by  both   interface      and IP address
+ DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.  When
-in  a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+used,  'all'   must  appear  by itself (in may not be qualified) and it does
-                                                   <li>Shorewall startup
+ not  enable   intra-zone  traffic.  For example, the rule <br>
-is  now   disabled     after    initial     installation       until the
+                    <br>
-file  /etc/shorewall/startup_disabled          is removed.     This avoids
+                    ACCEPT loc all tcp 80<br>
-   nasty    surprises at reboot for users     who    install Shorewall  
+                    <br>
-  but don't  configure     it.</li>
+                does not enable http traffic from 'loc' to 'loc'.</li>
-                                                  <li>The 'functions' and 
+                       <li>Shorewall's use of the 'echo' command is now compatible
-'version'      files    and   the   'firewall'      symbolic   link have been
+     with   bash clones such as ash and dash.</li>
- moved  from    /var/lib/shorewall       to /usr/lib/shorewall      to appease
+                       <li>fw-&gt;fw policies now generate a startup error. 
-  the LFS   police at Debian.<br>
+ fw-&gt;fw      rules  generate a warning and are ignored</li>
                                                  </li>
      </ul>
@ -442,16 +370,12 @@ file  /etc/shorewall/startup_disabled          is removed.     This avoids
      <p><b></b><a href="News.htm">More News</a></p>
      <p><a href="News.htm">More News</a></p>
@ -459,17 +383,21 @@ file  /etc/shorewall/startup_disabled          is removed.     This avoids
      <h2><a name="Donations"></a>Donations</h2>
                                                 </td>
-                                                                     <td
+                                                                        
- width="88" bgcolor="#4b017c" valign="top" align="center">             <a
+              <td width="88" bgcolor="#4b017c" valign="top"
- href="http://sourceforge.net">M</a></td>
+ align="center">              <a href="http://sourceforge.net">M</a></td>
          </tr>
  </tbody>                                                              
 </table>
    </center>
  </div>
@ -479,8 +407,10 @@ file  /etc/shorewall/startup_disabled          is removed.     This avoids
 bgcolor="#4b017c">
                                                                        <tbody>
                                                                        <tr>
-                                                              <td
+                                                                        
- width="100%" style="margin-top: 1px;">                                  
+       <td width="100%" style="margin-top: 1px;">                       
@ -489,7 +419,9 @@ file  /etc/shorewall/startup_disabled          is removed.     This avoids
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                                                               </a></p>
+                                                                        
        </a></p>
@ -499,8 +431,10 @@ file  /etc/shorewall/startup_disabled          is removed.     This avoids
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
-                            to       <a href="http://www.starlight.org"><font
+                                  to       <a
- color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
 Children's Foundation.</font></a> Thanks!</font></p>
       </td>
                                                                        </tr>
@ -508,12 +442,15 @@ but if       you try it and find it useful, please consider making a donation
  </tbody>                                                              
 </table>
-<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font> 
+                    
 <p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font> 
                          <br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/sfindex.htm
+++ b/STABLE/documentation/sfindex.htm
@ -0,0 +1,22 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Shoreline Firewall</title>
 <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
 <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <frameset cols="242,*">
  <frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
  <frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
  <noframes>
  <body>
  <p>This page uses frames, but your browser doesn't support them.</p>
  </body>
  </noframes>
 </frameset>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -41,12 +41,13 @@
 href="http://www.experiencewashington.com">Washington     State</a> .</li>
              <li>BA Mathematics from <a href="http://www.wsu.edu">Washington 
  State    University</a>  1967</li>
-           <li>MA Mathematics from <a href="http://www.washington.edu">University 
+              <li>MA Mathematics from <a
-   of Washington</a> 1969</li>
+ href="http://www.washington.edu">University      of Washington</a> 1969</li>
              <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
              <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
-    (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
+      (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
 present</li>
              <li>Married 1969 - no children.</li>
 </ul>
@ -67,25 +68,26 @@
 <p>Our current home network consists of: </p>
 <ul>
-           <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
+              <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB 
- HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also has 
+IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also 
-RedHat  8.0 installed.</li>
+has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
              <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
 NIC   -  My      personal Linux System which runs Samba configured as a WINS
 server.    This      system also has <a href="http://www.vmware.com/">VMware</a>
 installed    and      can run both <a href="http://www.debian.org">Debian
 Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual
 machines.</li>
-           <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail 
+              <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
- (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server 
+Email   (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS 
-      (Bind).</li>
+server        (Bind).</li>
              <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
   (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.11  and a DHCP
       server.  Also   runs PoPToP for     road warrior access.</li>
-           <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's 
+              <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My 
-      personal system.</li>
+wife's        personal system.</li>
-           <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
+              <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
-   and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
+EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main
 work system.</li>
 </ul>
@ -102,19 +104,21 @@ machines.</li>
 src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
         </a><a href="http://www.pureftpd.org"><img border="0"
 src="images/pure.jpg" width="88" height="31">
-      </a><font size="4"><a href="http://www.apache.org"><img border="0"
+         </a><font size="4"><a href="http://www.apache.org"><img
- src="images/apache_pb1.gif" hspace="2" width="170" height="20">
+ border="0" src="images/apache_pb1.gif" hspace="2" width="170"
-      </a>  </font></p>
+ height="20">
  </a><a href="http://www.mandrakelinux.com"><img
 src="images/medbutton.png" alt="Powered by Mandrake" width="90"
 height="32">
 </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
 width="125" height="40" hspace="4">
           </font></p>
-<p><font size="2">Last updated 11/24/2002 - </font><font size="2">      
+<p><font size="2">Last updated 12/7/2002 - </font><font size="2">       <a
-<a href="support.htm">Tom Eastep</a></font>  </p>
+ href="support.htm">Tom Eastep</a></font>  </p>
            <font face="Trebuchet MS"><a href="copyright.htm"><font
 size="2">Copyright</font>       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
         <br>
 <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_extension_scripts.htm
+++ b/STABLE/documentation/shorewall_extension_scripts.htm
@ -1,113 +1,133 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Extension Scripts</title>
 </head>
  <body>
-                                                                                  <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+           
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
            <tbody>
    <tr>
              <td width="100%">                                         
-                                                                                      <h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
+                                             
      <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
              </td>
            </tr>
  </tbody>
 </table>
-                                                                                  <p>
+                                                 
- Extension scripts are   user-provided
+<p>  Extension scripts are   user-provided  scripts that are invoked at various
- scripts that are invoked at various points during firewall   start, restart,
+points during firewall   start, restart,  stop and clear. The scripts are
- stop and clear. The scripts are placed in /etc/shorewall and   are processed
+placed in /etc/shorewall and   are processed  using the Bourne shell "source"
- using the Bourne shell "source" mechanism. The   following scripts can be
+mechanism. The   following scripts can be  supplied:</p>
- supplied:</p>
+  
 <ul>
    <li>init -- invoked early in "shorewall start" and       "shorewall restart"</li>
    <li>start -- invoked after the firewall has been started or restarted.</li>
    <li>stop -- invoked as a first step when the firewall is being stopped.</li>
    <li>stopped -- invoked after the firewall has been stopped.</li>
    <li>clear -- invoked after the firewall has been cleared.</li>
-   <li>refresh -- invoked while the firewall is being refreshed but before the 
+    <li>refresh -- invoked while the firewall is being refreshed but before
-   common and/or blacklst chains have been rebuilt.</li>
+the     common and/or blacklst chains have been rebuilt.</li>
-   <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain 
+    <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
-   has been created but before any rules have been added to it.</li>
+chain     has been created but before any rules have been added to it.</li>
 </ul>
-                                                                                  <p>
+                                    
-  You can also supply a script with the same name as any of the filter  
+<p><u><b>If your version of Shorewall doesn't have the file that you want
 to use from the above list, you can simply create the file yourself.</b></u></p>
 <p>   You can also supply a script with the same name as any of the filter
  chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules 
- file has been processed but before the   /etc/shorewall/policy file has
+ file has been processed but before the   /etc/shorewall/policy file has been
-been  processed.</p>
+ processed.</p>
-                                                                                  <p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it   
+                                    
-   defines will totally replace the default rules in the common chain. These 
+<p>The /etc/shorewall/common file receives special treatment. If this file
-       default rules are contained in the file /etc/shorewall/common.def which
+is present, the rules that it       defines will totally replace the default
-       may be used as a starting point for making your own customized file.</p>
+rules in the common chain. These         default rules are contained in the
 file /etc/shorewall/common.def which        may be used as a starting point
 for making your own customized file.</p>
-                                                                                  <p>
+                                    
-  Rather than running iptables directly, you should run it using the   function
+<p>   Rather than running iptables directly, you should run it using the
- run_iptables. Similarly, rather than running "ip" directly,   you should
+  function  run_iptables. Similarly, rather than running "ip" directly, 
-use run_ip. These functions accept the same arguments as the   underlying
+ you should use run_ip. These functions accept the same arguments as the
-command but cause the firewall to be stopped if an error occurs   during
+  underlying command but cause the firewall to be stopped if an error occurs
-processing of the command.</p>
+  during processing of the command.</p>
-                                                                                  <p>
+                                   
-  If you decide to create /etc/shorewall/common it is a good idea to use the 
+<p>   If you decide to create /etc/shorewall/common it is a good idea to
-  following technique</p>
+use the    following technique</p>
-                                                                                  <p>
+                                   
-  /etc/shorewall/common:</p>
+<p>   /etc/shorewall/common:</p>
 <blockquote>                                                            
-                                                                                    <pre>. /etc/shorewall/common.def
+                        
-&lt;add your rules here&gt;</pre>
+  <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
  </blockquote>
- <p>If you need to supercede a rule in the released common.def file, you can add 
+  
- the superceding rule before the '.' command. Using this technique allows 
+<p>If you need to supercede a rule in the released common.def file, you can
 add   the superceding rule before the '.' command. Using this technique allows
  you to add new rules while still getting the benefit of the latest common.def
  file.</p>
- <p>Remember that /etc/shorewall/common defines rules 
+<p>Remember that /etc/shorewall/common defines rules   that are only applied
- that are only applied if the applicable policy is DROP or REJECT. These rules 
+if the applicable policy is DROP or REJECT. These rules   are NOT applied
- are NOT applied if the policy is ACCEPT or CONTINUE.</p>
+if the policy is ACCEPT or CONTINUE.</p>
- <p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be 
+<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
- rejected by the firewall. It is recommended with this setting that you create 
+be   rejected by the firewall. It is recommended with this setting that you
- the file /etc/shorewall/icmpdef and in it place the following commands:</p>
+create   the file /etc/shorewall/icmpdef and in it place the following commands:</p>
                                                                                  <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
 </pre>
                                                                                  <p align="left"><font size="2">Last updated 
 8/22/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
+<pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
 <p align="left"><font size="2">Last updated 12/22/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
 M. Eastep</font></a></p>
  <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -12,6 +12,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall QuickStart Guide</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -45,8 +46,9 @@ we must  all first walk before we can run.</p>
               <li><a href="standalone.htm">Standalone</a> Linux System</li>
               <li><a href="two-interface.htm">Two-interface</a> Linux System 
  acting    as a    firewall/router for a small local network</li>
-           <li><a href="three-interface.htm">Three-interface</a> Linux System 
+               <li><a href="three-interface.htm">Three-interface</a> Linux
-  acting  as a    firewall/router for a small local network and a DMZ.</li>
+ System    acting  as a    firewall/router for a small local network and
 a  DMZ.</li>
 </ul>
@ -66,29 +68,37 @@ Concepts</a></li>
  Interfaces</a></li>
               <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, 
    Subnets  and Routing</a>                                             
    <ul>
-             <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
+                 <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP 
-           <li><br>
+Addresses</a></li>
-           </li>
+                             <li><a
-             <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
+ href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
                 <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
-             <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution 
+                 <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
-   Protocol</a></li>
+Resolution      Protocol</a></li>
    </ul>
    <ul>
-             <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
+                 <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
 1918</a></li>
    </ul>
               </li>
-           <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up 
+               <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
-your   Network</a>                                         
+ up  your   Network</a>                                                 
    <ul>
                 <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
    </ul>
    <ul>
                 <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
@ -96,31 +106,34 @@ your   Network</a>
        <ul>
                   <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
                   <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
-               <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy 
+                   <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 
- ARP</a></li>
+Proxy    ARP</a></li>
-               <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
+                   <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static 
 NAT</a></li>
        </ul>
                 </li>
                 <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-             <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds 
+                 <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
-and   Ends</a></li>
+Odds   and   Ends</a></li>
    </ul>
               </li>
               <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
-           <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
+               <li><a
- Starting    and    Stopping the Firewall</a></li>
+ href="shorewall_setup_guide.htm#StartingAndStopping">7.0   Starting    and 
   Stopping the Firewall</a></li>
 </ul>
 <h2><a name="Documentation"></a>Documentation Index</h2>
 <p>The following documentation covers a variety of topics and <b>supplements
-    the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
+      the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
-    above</b>. Please review the appropriate guide before trying to use this 
+described      above</b>. Please review the appropriate guide before trying
-  documentation directly.</p>
+to use this    documentation directly.</p>
 <ul>
               <li><a href="blacklisting_support.htm">Blacklisting</a>  
@ -129,10 +142,12 @@ and   Ends</a></li>
                 <li>Static Blacklisting using /etc/shorewall/blacklist</li>
                 <li>Dynamic Blacklisting using /sbin/shorewall</li>
    </ul>
               </li>
               <li><a href="configuration_file_basics.htm">Common configuration 
   file   features</a>                                                  
    <ul>
                 <li>Comments in configuration files</li>
                 <li>Line Continuation</li>
@ -144,35 +159,46 @@ and   Ends</a></li>
                 <li>Complementing an IP address or Subnet</li>
                 <li>Shorewall Configurations (making a test configuration)</li>
                 <li>Using MAC Addresses in Shorewall</li>
      <li>Logging<br>
      </li>
    </ul>
               </li>
-           <li><a href="Documentation.htm">Configuration File Reference Manual</a>
+               <li><a href="Documentation.htm">Configuration File Reference 
 Manual</a>                                                             
    <ul>
                 <li>   <a href="Documentation.htm#Variables">params</a></li>
-             <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Zones">zones</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#Interfaces">interfaces</a></font></li>
-             <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Hosts">hosts</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#Policy">policy</a></font></li>
-             <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Rules">rules</a></font></li>
                 <li><a href="Documentation.htm#Common">common</a></li>
-             <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Masq">masq</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
-             <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#NAT">nat</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#Tunnels">tunnels</a></font></li>
                 <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
-             <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Conf">shorewall.conf</a></font></li>
                 <li><a href="Documentation.htm#modules">modules</a></li>
                 <li><a href="Documentation.htm#TOS">tos</a> </li>
                 <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
                 <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
                 <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
    </ul>
               </li>
               <li><a href="dhcp.htm">DHCP</a></li>
@ -182,14 +208,19 @@ to extend Shorewall without modifying Shorewall  code)</li>
               <li><a href="fallback.htm">Fallback/Uninstall</a></li>
               <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
               <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
-           <li><a href="myfiles.htm">My  Configuration Files</a> (How I personally
+  <li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
-    use Shorewall)</li>
+  </li>
               <li><a href="myfiles.htm">My  Configuration Files</a> (How 
 I  personally     use Shorewall)</li>
               <li><a href="ping.html">'Ping' Management</a><br>
   </li>
   <li><a href="ports.htm">Port Information</a>                         
    <ul>
                 <li>Which applications use which ports</li>
                 <li>Ports used by Trojans</li>
    </ul>
               </li>
               <li><a href="ProxyARP.htm">Proxy ARP</a></li>
@ -206,26 +237,33 @@ to extend Shorewall without modifying Shorewall  code)</li>
               <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
               <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
               <li>VPN                                                  
    <ul>
                 <li><a href="IPSEC.htm">IPSEC</a></li>
                 <li><a href="IPIP.htm">GRE and IPIP</a></li>
                 <li><a href="PPTP.htm">PPTP</a></li>
-             <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your 
+                 <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
- firewall   to a      remote network.</li>
+ your   firewall   to a      remote network.</li>
    </ul>
               </li>
-           <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
+               <li><a href="whitelisting_under_shorewall.htm">White List
 Creation</a></li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_setup_guide.htm
+++ b/STABLE/documentation/shorewall_setup_guide.htm
@ -54,24 +54,25 @@
 <h2><a name="Introduction"></a>1.0 Introduction</h2>
 <p>This guide is intended for users who are setting up Shorewall in an  environment
-where a set of public IP addresses must be managed or who want to  know more
+ where a set of public IP addresses must be managed or who want to  know
-about Shorewall than is contained in the  <a
+more  about Shorewall than is contained in the  <a
 href="shorewall_quickstart_guide.htm">single-address  guides</a>. Because
 the  range of possible applications is so broad, the Guide will give you
 general  guidelines and will point you to other resources as necessary.</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you run LEAF Bering, your Shorewall configuration is NOT what I release
+       If you run LEAF Bering, your Shorewall configuration is NOT what I 
-- I  suggest that you consider installing a stock Shorewall lrp from the
+release -- I  suggest that you consider installing a stock Shorewall lrp from
- shorewall.net site before you proceed.</p>
+the  shorewall.net site before you proceed.</p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
-(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+ (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on
-firewall  system. As root, you can use the 'which' command to check for this
+your  firewall  system. As root, you can use the 'which' command to check
-program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself
 with what's involved then go back through it again  making your configuration
 changes. Points at which configuration changes are  recommended are flagged
@ -79,17 +80,17 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
  .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you edit your configuration files on a Windows system, you must save
+       If you edit your configuration files on a Windows system, you must 
-them as  Unix files if your editor supports that option or you must run them
+save them as  Unix files if your editor supports that option or you must run
-through  dos2unix before trying to use them with Shorewall. Similarly, if
+them through  dos2unix before trying to use them with Shorewall. Similarly, 
-you copy a configuration file  from your Windows hard drive to a floppy disk,
+if you copy a configuration file  from your Windows hard drive to a floppy 
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
     <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
 of    dos2unix</a></li>
-   <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
+     <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
@ -151,8 +152,9 @@ the internet zone"  or "because that is the DMZ".</p>
 in  terms of zones.</p>
 <ul>
-   <li>You express your default policy for connections from one zone to another
+     <li>You express your default policy for connections from one zone to 
-   zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
+another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
    </a>file.</li>
     <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -163,17 +165,18 @@ kernel facility. Netfilter   implements a   <a
 href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
 tracking function</a> that allows what is often referred to   as <i>stateful
 inspection</i> of packets. This stateful property allows   firewall rules
-to be defined in terms of <i>connections</i> rather than   in terms of  packets.
+ to be defined in terms of <i>connections</i> rather than   in terms of 
-With Shorewall, you:</p>
+packets.  With Shorewall, you:</p>
 <ol>
           <li>  Identify the source zone.</li>
           <li>  Identify the destination zone.</li>
           <li>  If the POLICY from the client's zone to the server's zone
-is what you       want for this client/server pair, you need do nothing further.</li>
+ is what you       want for this client/server pair, you need do nothing
-         <li>  If the POLICY is not what you want, then you must add a rule.
+further.</li>
-That rule       is expressed in terms of the client's zone and the server's
+           <li>  If the POLICY is not what you want, then you must add a
-zone.</li>
+rule.  That rule       is expressed in terms of the client's zone and the
 server's  zone.</li>
 </ol>
@ -181,15 +184,15 @@ zone.</li>
 A to the   firewall and are also allowed from the firewall to zone B <font
 color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed
 from zone A to zone  B</u></b></font>.   It rather means that you can have
-a proxy running on the firewall that accepts   a connection from zone A and
+ a proxy running on the firewall that accepts   a connection from zone A
-then establishes its own separate connection from   the firewall to zone
+and  then establishes its own separate connection from   the firewall to
-B.</p>
+zone B.</p>
 <p>For each connection request entering the firewall, the request is first
- checked against the /etc/shorewall/rules file. If no rule in that file matches
+  checked against the /etc/shorewall/rules file. If no rule in that file
- the connection request then the first policy in /etc/shorewall/policy that
+matches   the connection request then the first policy in /etc/shorewall/policy
- matches the request is applied. If that policy is REJECT or DROP  the  request
+that   matches the request is applied. If that policy is REJECT or DROP 
-is first checked against the rules in /etc/shorewall/common.def.</p>
+the  request  is first checked against the rules in /etc/shorewall/common.def.</p>
 <p>The default /etc/shorewall/policy file  has the  following policies:</p>
@ -234,9 +237,10 @@ is first checked against the rules in /etc/shorewall/common.def.</p>
 <ol>
     <li>allow all connection requests from your local network to the internet</li>
-   <li>drop (ignore) all connection requests from the internet to your firewall
+     <li>drop (ignore) all connection requests from the internet to your
-   or local network and log a message at the <i>info</i> level (see "man
+firewall     or local network and log a message at the <i>info</i> level
-syslog").</li>
+(<a href="configuration_file_basics.htm#Levels">here</a> is a description
 of log levels).</li>
     <li>reject all other connection requests and log a message at the <i>info</i>
    level. When a request is rejected, the firewall will return an RST (if
 the    protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li>
@ -244,8 +248,8 @@ the    protocol is TCP) or an ICMP port-unreachable packet for other protocols.<
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-    At this point, edit your /etc/shorewall/policy and make any changes that
+      At this point, edit your /etc/shorewall/policy and make any changes 
-you  wish.</p>
+that you  wish.</p>
 <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -256,11 +260,12 @@ you  wish.</p>
 <p align="left">In this diagram:</p>
 <ul>
-   <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to
+     <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
-isolate your  internet-accessible servers from your local systems so that
+to  isolate your  internet-accessible servers from your local systems so
-if one of those  servers is compromised, you still have the firewall between
+that  if one of those  servers is compromised, you still have the firewall
-the compromised  system and your local systems. </li>
+between  the compromised  system and your local systems. </li>
-   <li>The Local Zone consists of systems Local 1, Local 2 and Local 3. </li>
+     <li>The Local Zone consists of systems Local 1, Local 2 and Local 3. 
  </li>
     <li>All systems from the ISP outward comprise the Internet Zone. </li>
 </ul>
@ -286,8 +291,8 @@ using ISDN, you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-    If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then you will
+      If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then you 
-want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
  eth1 or eth2) and will be connected to a hub or switch. Your local computers
@ -363,8 +368,8 @@ file, that file would might contain:</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
       Edit the /etc/shorewall/interfaces file and define the network interfaces
-on  your firewall and associate each interface with a zone. If you have a
+ on  your firewall and associate each interface with a zone. If you have
-zone that  is interfaced through more than one interface, simply include
+a  zone that  is interfaced through more than one interface, simply include
 one entry for each  interface and repeat the zone name as many times as necessary.</p>
 <p align="left">Example:</p>
@ -458,8 +463,8 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
 <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
 <p align="left">IP version 4 (<i>IPv4) </i>addresses  are 32-bit numbers.
-The notation w.x.y.z refers to an address where the high-order byte has value
+ The notation w.x.y.z refers to an address where the high-order byte has
-"w", the next  byte has value "x", etc. If we take the address 192.0.2.14
+value  "w", the next  byte has value "x", etc. If we take the address 192.0.2.14
 and express it in  hexadecimal,  we get:</p>
 <blockquote>         
@ -721,9 +726,9 @@ will    often hear a subnet of size 64 referred to as a "slash 26" subnet
 and one of    size 8 referred to as a "slash 29".</p>
 <p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
-simply a 32-bit number with the first "VLSM"    bits set to one and the remaining
+ simply a 32-bit number with the first "VLSM"    bits set to one and the
-bits set to zero. For example, for a subnet    of size 64, the subnet mask
+remaining  bits set to zero. For example, for a subnet    of size 64, the
-has 26 leading one bits:</p>
+subnet mask  has 26 leading one bits:</p>
 <blockquote>         
  <p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -805,10 +810,10 @@ the  subnet with one member and the subnet with 2 ** 32 members.</p>
 and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
 <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
- used to describe the ip configuration of a network interface (the 'ip' utility
+  used to describe the ip configuration of a network interface (the 'ip'
- also uses this syntax). This simply means that the interface is configured
+utility   also uses this syntax). This simply means that the interface is
-with  ip address <b>a.b.c.d</b> and with the netmask that corresponds to
+configured  with  ip address <b>a.b.c.d</b> and with the netmask that corresponds
-VLSM <b>/v</b>.</p>
+to VLSM <b>/v</b>.</p>
 <p align="left">Example: 192.0.2.65/29</p>
@ -829,12 +834,12 @@ and netmask 255.255.255.248.</p>
 <p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in
 the  Dallas, Texas area.<br>
   <br>
- The first three routes are <i>host routes</i> since they indicate how to
+   The first three routes are <i>host routes</i> since they indicate how
-get to  a single host. In the 'netstat' output this can be seen by the "Genmask"
+to  get to  a single host. In the 'netstat' output this can be seen by the
-(Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder
+"Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column.
-are 'net' routes since they tell the  kernel how to route packets to a subnetwork.
+The remainder  are 'net' routes since they tell the  kernel how to route
-The last route is the <i>default  route</i> and the gateway mentioned in
+packets to a subnetwork.  The last route is the <i>default  route</i> and
-that route is called the <i>default  gateway</i>.</p>
+the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
 <p align="left">When the kernel is trying to send a packet to IP address
 <b>A</b>,  it starts at the top of the routing table and:</p>
@ -894,17 +899,18 @@ eth2.</p>
 are  sent using the routing table and reply packets are not a special case.
 There  seems to be a common mis-conception whereby people think that request
 packets  are like salmon and contain a genetic code that is magically transferred
-to  reply packets so that the replies follow the reverse route taken by the
+ to  reply packets so that the replies follow the reverse route taken by
-request.  That isn't the case; the replies may take a totally different route
+the  request.  That isn't the case; the replies may take a totally different
-back to the  client than was taken by the requests -- they are totally independent.</p>
+route  back to the  client than was taken by the requests -- they are totally
 independent.</p>
 <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
 <p align="left">When sending packets over Ethernet, IP addresses aren't used.
  Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
- addresses. Each Ethernet device has it's own unique  MAC address which is
+  addresses. Each Ethernet device has it's own unique  MAC address which
- burned into a PROM on the device during manufacture. You can obtain the
+is   burned into a PROM on the device during manufacture. You can obtain
-MAC of  an Ethernet device using the 'ip' utility:</p>
+the MAC of  an Ethernet device using the 'ip' utility:</p>
 <blockquote>         
  <div align="left">           
@ -921,8 +927,8 @@ to the card    itself. </p>
 <div align="left">     
 <p align="left">Because IP uses IP addresses and Ethernet uses MAC addresses,
    a mechanism is required to translate an IP address into a MAC address;
-that is    the purpose of the <i>Address Resolution Protocol</i> (ARP). Here
+ that is    the purpose of the <i>Address Resolution Protocol</i> (ARP).
-is ARP in    action:</p>
+Here  is ARP in    action:</p>
  </div>
 <div align="left">     
@ -934,9 +940,9 @@ is ARP in    action:</p>
   </div>
 <p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
-to  know the MAC of the device with IP address 192.168.1.19. The system having
+ to  know the MAC of the device with IP address 192.168.1.19. The system
-that  IP address is responding that the MAC address of the device with IP
+having  that  IP address is responding that the MAC address of the device
-address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
+with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
 <p align="left">In order to avoid having to exchange ARP information each
 time  that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
@ -1001,6 +1007,7 @@ in      their infrastructure.     </p>
      your ISP or by another organization with whom you want to establish
 a VPN      relationship.    </p>
    </li>
 </ul>
   </div>
@ -1017,8 +1024,8 @@ the    addresses that you are going to use.</p>
 <div align="left">     
 <p align="left">The choice of how to set up your network depends primarily
 on    how many Public IP addresses you have vs. how many addressable entities
-you    have in your network. Regardless of how many addresses you have, your
+ you    have in your network. Regardless of how many addresses you have,
-ISP will    handle that set of addresses in one of two ways:</p>
+your  ISP will    handle that set of addresses in one of two ways:</p>
  </div>
 <div align="left">     
@ -1034,12 +1041,26 @@ your    firewall/router's external interface.     </p>
    <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
 of your    addresses directly.   </p>
    </li>
 </ol>
   </div>
 <div align="left">     
 <p align="left">In the subsections that follow, we'll look at each of these
-   separately.</p>
+    separately.<br>
 </p>
 <p align="left">Before we begin, there is one thing for you to check:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
     If you are using the Debian package, please check your shorewall.conf 
 file to ensure that the following are set correctly; if they are not, change 
 them appropriately:<br>
  </p>
 <ul>
  <li>NAT_ENABLED=Yes</li>
  <li>IP_FORWARDING=On<br>
   </li>
 </ul>
  </div>
 <div align="left">     
@ -1049,11 +1070,11 @@ of your    addresses directly.   </p>
 <div align="left">     
 <p align="left">Let's assume that your ISP has assigned you the subnet  
 192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
-   192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
+    192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
-   192.0.2.65. Your ISP has also told you that you should use a netmask of
+is     192.0.2.65. Your ISP has also told you that you should use a netmask
-   255.255.255.0 (so your /28 is part of a larger /24). With this many IP
+of     255.255.255.0 (so your /28 is part of a larger /24). With this many
-   addresses, you are able to subnet your /28 into two /29's and set up your
+IP     addresses, you are able to subnet your /28 into two /29's and set
-   network as shown in the following diagram.</p>
+up your     network as shown in the following diagram.</p>
  </div>
 <div align="left">     
@ -1082,8 +1103,8 @@ because    of the simplicity of the setup.</p>
 <div align="left">     
 <p align="left">The astute reader may have noticed that the Firewall/Router's
    external interface is actually part of the DMZ subnet (192.0.2.64/29).
-What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing
+ What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
-table on    DMZ 1 will look like this:</p>
+routing  table on    DMZ 1 will look like this:</p>
  </div>
 <div align="left">     
@ -1136,8 +1157,9 @@ netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
 <div align="left">     
 <p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
-   and there aren't enough addresses for all of the network interfaces. There
+    and there aren't enough addresses for all of the network interfaces.
-are    four different techniques that can be used to work around this problem.</p>
+There  are    four different techniques that can be used to work around this
 problem.</p>
  </div>
 <div align="left">     
@ -1157,6 +1179,7 @@ also    known as <i>Port Forwarding.</i>     </p>
    <p align="left"><i>Network Address Translation</i> (NAT) also referred
 to as   <i>Static NAT</i>.   </p>
    </li>
 </ul>
   </div>
@ -1199,8 +1222,8 @@ zone.</p>
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-    The systems in    the local zone would be configured with a default gateway
+      The systems in    the local zone would be configured with a default 
-of 192.168.201.1    (the IP address of the firewall's local interface).</div>
+gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
 <div align="left">    </div>
@ -1254,8 +1277,8 @@ do    not have a public IP address. DNAT provides a way to allow selected
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
          Suppose that your daughter wants to run a web server on her system
-"Local 3". You    could allow connections to the internet to her server by
+ "Local 3". You    could allow connections to the internet to her server
-adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
+by  adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
  </div>
 <div align="left">     
@ -1291,10 +1314,10 @@ adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewal
 <p align="left">If one of your daughter's friends at address <b>A</b> wants
 to    access your daughter's server, she can connect to <a
 href="http://192.0.2.176">   http://192.0.2.176</a> (the firewall's external
-IP address) and the firewall    will rewrite the destination IP address to
+ IP address) and the firewall    will rewrite the destination IP address
-192.168.201.4 (your daughter's system)    and forward the request. When your
+to  192.168.201.4 (your daughter's system)    and forward the request. When
-daughter's server responds, the firewall will    rewrite the source address
+your  daughter's server responds, the firewall will    rewrite the source
-back to 192.0.2.176 and send the response back to   <b>A.</b></p>
+address  back to 192.0.2.176 and send the response back to   <b>A.</b></p>
  </div>
 <div align="left">     
@ -1327,6 +1350,7 @@ of your    public IP addresses (<b>A)</b> and is assigned the same netmask
 address    in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
 will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
    </li>
 </ul>
   </div>
@ -1391,8 +1415,8 @@ add    host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</p>
 <div align="left">     
 <p align="left">A word of warning is in order here. ISPs typically configure
    their routers with a long ARP cache timeout. If you move a system from
-   parallel to your firewall to behind your firewall with Proxy ARP, it will
+    parallel to your firewall to behind your firewall with Proxy ARP, it
-   probably be HOURS before that system can communicate with the internet.
+will     probably be HOURS before that system can communicate with the internet.
 You    can call your ISP and ask them to purge the stale ARP cache entry
 but many    either can't or won't purge individual entries. You can determine
 if your    ISP's gateway ARP cache is stale using ping and tcpdump. Suppose
@ -1478,9 +1502,9 @@ and    is sharing the firewall external IP (192.0.2.176) for outbound connection
 <div align="left">     
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-       Suppose now that you have decided to give your daughter her own IP
+         Suppose now that you have decided to give your daughter her own
-address    (192.0.2.179) for both inbound and outbound connections. You would
+IP  address    (192.0.2.179) for both inbound and outbound connections. You
-do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
+would  do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
  </div>
 <div align="left">     
@ -1517,9 +1541,9 @@ do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
         Once the relationship between 192.0.2.179 and 192.168.201.4 is established
-by    the nat file entry above, it is no longer    appropriate to use a DNAT
+ by    the nat file entry above, it is no longer    appropriate to use a
-rule for you daughter's web server -- you would    rather just use an ACCEPT
+DNAT  rule for you daughter's web server -- you would    rather just use
-rule:</p>
+an ACCEPT  rule:</p>
  </div>
 <div align="left">     
@ -2266,9 +2290,9 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
 <p align="left">Suppose that your domain is foobar.net and you want the two
    DMZ systems named www.foobar.net and mail.foobar.net and you want the
 three    local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
-   You want your firewall to be known as firewall.foobar.net externally and
+    You want your firewall to be known as firewall.foobar.net externally
-it's    interface to the local network to be know as gateway.foobar.net and
+and  it's    interface to the local network to be know as gateway.foobar.net
-its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
+and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
 on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
  </div>
@ -2291,8 +2315,10 @@ on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
 <div align="left">     
 <p align="left">Here are the files in /var/named (those not shown are usually
    included in your bind disbribution).</p>
 <p align="left">db.192.0.2.176 - This is    the reverse zone for the firewall's
 external interface</p>
 <blockquote>           
  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32<br>; Filename: db.192.0.2.176<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.<br></pre>
     </blockquote>
@ -2419,11 +2445,13 @@ and    test it using the <a href="Documentation.htm#Starting">"shorewall
 try" command</a>.</p>
  </div>
-<p align="left"><font size="2">Last updated 9/19/2002 - <a
+<p align="left"><font size="2">Last updated 12/13/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
 M. Eastep</font></a></p>
        <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@ -0,0 +1,454 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
                              <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
             <tbody>
          <tr>
                   <td width="100%" height="90">                        
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
              </a></i></font><font color="#ffffff">Shorewall      1.3   - 
             <font size="4">"<i>iptables                   made easy"</i></font></font><a
 href="http://www.sf.net">            </a></h1>
      <div align="center"><a href="/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a></div>
                                                    </td>
                                   </tr>
  </tbody>                                                               
 </table>
 <div align="center">                                                    
 <center>                                                                
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
               <tbody>
          <tr>
                     <td width="90%">                                   
      <h2 align="left">What is it?</h2>
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
      <p>This program is free software; you can redistribute it and/or modify 
                                     it        under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
 Public License</a> as published by the Free Software        Foundation.<br>
                  <br>
             This   program     is  distributed       in  the   hope   that 
   it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;   without
     even the   implied    warranty      of MERCHANTABILITY             or
 FITNESS    FOR   A PARTICULAR      PURPOSE.        See the  GNU General
    Public  License           for  more details.<br>
                  <br>
             You   should    have   received     a  copy   of  the   GNU
  General         Public      License             along  with   this program;
    if  not,    write  to  the    Free Software        Foundation,      
     Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
              </a>Jacques              Nilo   and   Eric   Wolzak    have 
  a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or compact 
  flash)  distribution        called              <i>Bering</i>    that  
       features      Shorewall-1.3.10  and    Kernel-2.4.18.       You  
 can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                      <b>Congratulations to Jacques and Eric on the recent
 release     of  Bering  1.0 Final!!! <br>
                      </b>                                              
      <h2>News</h2>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                                             </b><br>
 </p>
 This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
 was set to anything but ULOG, the firewall would fail to start and "shorewall
 refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                 </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
     </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                                             </b></p>
    The first public Beta version of Shorewall 1.3.12 is now available (Beta 
 1 was made available only to a limited audience). <br>
     <br>
     Features include:<br>
     <br>
      <ol>
            <li>"shorewall refresh" now reloads the traffic shaping rules 
 (tcrules  and tcstart).</li>
            <li>"shorewall debug [re]start" now turns off debugging after 
 an  error occurs. This places the point of the failure near the end of the 
 trace  rather than up in the middle of it.</li>
            <li>"shorewall [re]start" has been speeded up by more than 40%
 with  my configuration. Your milage may vary.</li>
            <li>A "shorewall show classifiers" command has been added which 
 shows the current packet classification filters. The output from this command 
 is also added as a separate page in "shorewall monitor"</li>
            <li>ULOG (must be all caps) is now accepted as a valid syslog 
 level  and causes the subject packets to be logged using the ULOG target rather
 than the LOG target. This allows you to run ulogd (available from       
   <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
  and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
            <li>If you are running a kernel that has a FORWARD chain in the 
 mangle table ("shorewall show mangle" will show you the chains in the mangle 
 table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows 
 for  marking input packets based on their destination even when you are using 
 Masquerading or SNAT.</li>
            <li>I have cluttered up the /etc/shorewall directory with empty 
 'init', 'start', 'stop' and 'stopped' files. If you already have a file with
 one of these names, don't worry -- the upgrade process won't overwrite your
 file.</li>
      </ol>
     You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
     </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
       </a></b></p>
      Shorewall is at the center of MandrakeSofts's recently-announced <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
   Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
   release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>        
                                   </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally 
    delivered. I have installed 9.0 on one of my systems and I am now in a
 position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
                </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                         
                  </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT 
     with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users 
  who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> 
                                   </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
        documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                      <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                  </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b>                         
         </b></p>
      <p>In this version:</p>
      <ul>
                       <li>A 'tcpflags' option has been added to entries
 in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
 This option causes Shorewall to make a set of sanity check on TCP packet 
 header flags.</li>
                       <li>It is now allowed to use 'all' in the SOURCE or
 DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.  When
 used,  'all'   must  appear  by itself (in may not be qualified) and it does
 not  enable   intra-zone  traffic.  For example, the rule <br>
                    <br>
                    ACCEPT loc all tcp 80<br>
                    <br>
                does not enable http traffic from 'loc' to 'loc'.</li>
                       <li>Shorewall's use of the 'echo' command is now compatible
     with   bash clones such as ash and dash.</li>
                       <li>fw-&gt;fw policies now generate a startup error. 
 fw-&gt;fw      rules  generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>   
                              </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 
        documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                      <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                  </p>
      <p><b></b></p>
      <ul>
      </ul>
      <p><b></b><a href="News.htm">More News</a></p>
      <h2> </h2>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
                                    </a></h1>
      <h4>       </h4>
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
      <h2><a name="Donations"></a>Donations</h2>
                                                        </td>
                     <td width="88" bgcolor="#4b017c" valign="top"
 align="center">              <br>
                                      </td>
                 </tr>
  </tbody>                                                               
 </table>
           </center>
         </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
        <tbody>
          <tr>
              <td width="100%" style="margin-top: 1px;">                
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
               </a></p>
      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                                     to       <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
 Foundation.</font></a> Thanks!</font></p>
              </td>
          </tr>
  </tbody>                                                               
 </table>
 <p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
                               <br>
 </p>
 </body>
 </html>
--- a/STABLE/documentation/standalone.htm
+++ b/STABLE/documentation/standalone.htm
@ -44,10 +44,10 @@ in one  of its  most common configurations:</p>
 </ul>
 <p>This guide assumes that you have the iproute/iproute2 package installed
- (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
- this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on
- firewall  system. As root, you can use the 'which' command to check for
+your  firewall  system. As root, you can use the 'which' command to check
-this  program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -61,8 +61,8 @@ this  program:</p>
         If you edit your configuration files on a Windows system, you must 
 save them as  Unix files if your editor supports that option or you must 
 run them through  dos2unix before trying to use them. Similarly, if you copy 
-a configuration file  from your Windows hard drive to a floppy disk, you
+a configuration file  from your Windows hard drive to a floppy disk, you must
-must run dos2unix against the  copy before using it with Shorewall.</p>
+run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -74,14 +74,16 @@ Version  of    dos2unix</a></li>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
     The configuration files for Shorewall are contained in the directory
 /etc/shorewall -- for simple setups, you  only need to deal with a few of 
 these as described in this guide.  After you have <a href="Install.htm">installed 
-Shorewall</a>,  download the <a
+Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, 
 un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
 (they will replace files with the same names that were placed in /etc/shorewall 
- during Shorewall installation).</p>
+ during Shorewall installation)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
  file on your system -- each file contains detailed  configuration instructions
@ -115,8 +117,8 @@ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
  in  terms of zones.</p>
 <ul>
-      <li>You express your default policy for connections from one zone to
+       <li>You express your default policy for connections from one zone
- another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,14 +126,14 @@ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
 </ul>
 <p>For each connection request entering the firewall, the request is first
- checked against the  /etc/shorewall/rules file. If no rule in that file matches
+  checked against the  /etc/shorewall/rules file. If no rule in that file
- the connection  request then the first policy in /etc/shorewall/policy that
+matches  the connection  request then the first policy in /etc/shorewall/policy
- matches the    request is applied. If that policy is REJECT or DROP  the
+that  matches the    request is applied. If that policy is REJECT or DROP 
-request is first  checked against the rules in /etc/shorewall/common (the
+the request is first  checked against the rules in /etc/shorewall/common
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample has
+<p>The /etc/shorewall/policy file included with the one-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -178,8 +180,8 @@ the  following policies:</p>
       <li>allow all connection requests from the firewall to the internet</li>
       <li>drop (ignore) all connection requests from the internet to your
 firewall</li>
-      <li>reject all other connection requests (Shorewall requires this catchall 
+       <li>reject all other connection requests (Shorewall requires this
-    policy).</li>
+catchall      policy).</li>
 </ol>
@ -201,8 +203,8 @@ a <b>ppp0</b>. If you connect via a regular modem, your External  Interface
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
        The Shorewall one-interface sample configuration assumes that  the
-external  interface is <b>eth0</b>.  If your configuration is different, you
+ external  interface is <b>eth0</b>.  If your configuration is different,
-will have  to modify the sample  /etc/shorewall/interfaces file accordingly. 
+you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
 While you  are there, you may wish to  review the list of options that are
 specified  for the interface. Some hints:</p>
@ -239,9 +241,9 @@ specified  for the interface. Some hints:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-           Before starting Shorewall, you should look at the IP address of
+            Before starting Shorewall, you should look at the IP address
- your external    interface and if it is one of the above ranges, you should
+of  your external    interface and if it is one of the above ranges, you
- remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+should  remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
    </div>
 <div align="left">       
@ -283,8 +285,8 @@ specified  for the interface. Some hints:</p>
     </div>
 <div align="left">       
-<p align="left">Example - You want to run a Web Server and a POP3 Server on
+<p align="left">Example - You want to run a Web Server and a POP3 Server
-your firewall    system:</p>
+on your firewall    system:</p>
    </div>
 <div align="left">       
@ -326,8 +328,8 @@ your firewall    system:</p>
     </div>
 <div align="left">       
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, see <a href="ports.htm">here</a>.</p>
+application uses, see <a href="ports.htm">here</a>.</p>
    </div>
 <div align="left">       
@ -416,7 +418,7 @@ added an    entry for the IP address that you are connected from to   <a
 try" command</a>.</p>
    </div>
-<p align="left"><font size="2">Last updated 11/21/2002 - <a
+<p align="left"><font size="2">Last updated 12/9/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
@ -425,5 +427,6 @@ try" command</a>.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -2,16 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Support</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -23,63 +29,94 @@
                         <tr>
                          <td width="100%">                             
-      <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
+                                                 
      <h1 align="center"><font color="#ffffff">Shorewall Support<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
           </font></h1>
                          </td>
                        </tr>
  </tbody>                     
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
+<p> <br>
-is easier to post a problem than to use your own brain" </font>-- </i> <font
+   <span style="font-weight: 400;"></span></p>
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you
+<h2><big><font color="#ff0000"><b>I  don't look at problems sent to me directly 
-just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+ but I try  to spend some amount          of time each day responding to problems
 posted  on the Shorewall mailing list.</b></font></big></h2>
-<blockquote> </blockquote>
+<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
-<p><span style="font-weight: 400;"><i>"It irks me when people believe that
+<h2>Before Reporting a Problem</h2>
    free software        comes at no cost. The cost is incredibly high."</i>
   - <font size="2">       Wietse Venem<br>
  </font></span></p>
-<h3 align="left">Before Reporting a Problem</h3>
+<h3>T<b>here are a number of sources for problem solution information. Please
-  <b><i>"Reading the documentation fully is a prerequisite to getting help
+  try these before you post.</b></h3>
 for your particular situation. I know it's harsh but you will have to get
 so far on your own before you can get reasonable help from a list full of
 busy people. A mailing list is not a tool to speed up your day by being
 spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
-<p>There are also a number of sources for problem solution information.</p>
+<h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-           <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
+     <li>               
-           <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information 
+    <h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to  more than 20 common 
-  contains  a    number of tips to help you solve common problems.</li>
+   problems.</b></h3>
-           <li>The <a href="errata.htm">   Errata</a> has links to download 
+     </li>
 updated      components.</li>
           <li>The Mailing List Archives search facility can locate posts 
 about         similar problems:</li>
 </ul>
-<h4>Mailing List Archive Search</h4>
+<h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The <a href="troubleshoot.htm">Troubleshooting</a>  Information 
       contains  a    number of tips to help you solve common problems.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The <a href="errata.htm">   Errata</a> has links  to  download 
     updated      components.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The Mailing List Archives search facility can locate   posts  
 about         similar problems:</b></h3>
     </li>
 </ul>
 <h2>                                     </h2>
 <h2>Mailing List Archive Search</h2>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
  <p> <font size="-1"> Match:                                           
  <select name="method">
  <option value="and">All </option>
  <option value="or">Any </option>
  <option value="boolean">Boolean </option>
  </select>
                   Format:                                              
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
                   Sort by:                                             
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -88,82 +125,163 @@ about         similar problems:</li>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-      </font> <input type="hidden" name="config" value="htdig"> <input
+                   </font> <input type="hidden" name="config"
- type="hidden" name="restrict"
+ value="htdig">    <input type="hidden" name="restrict"
 value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-      Search: <input type="text" size="30" name="words" value=""> <input
+                   Search: <input type="text" size="30" name="words"
- type="submit" value="Search"> </p>
+ value="">    <input type="submit" value="Search"> </p>
                   </form>
-<h3 align="left">Problem Reporting Guideline</h3>
+<h2>Problem Reporting Guidelines</h2>
  <i>"Let me see if I can translate your message into a real-world example. 
 It would be like saying that you have three rooms at home, and when you
 walk  into one of the rooms, you detect this strange smell.  Can anyone tell
 you  what that strange smell is?<br>
  <br>
  Now, all of us could do some wonderful guessing as to the smell and even
 what's causing it.  You would be absolutely amazed at the range and variety
 of smells we could come up with.  Even more amazing is that all of the explanations
 for the smells would be completely plausible."<br>
  </i><br>
 <div align="center">   - Russell Mosemann<br>
  </div>
  <br>
 <h3>                     </h3>
 <ul>
-           <li>When reporting a problem, give as much information as you
+     <li>               
-can.   Reports   that say "I tried XYZ and it didn't work" are not at all
+    <h3><b>When reporting a problem, give as much information  as  you   can.
-helpful.</li>
+  Reports   that say "I tried XYZ and it didn't work" are not at all   helpful.</b></h3>
-           <li>Please don't describe your environment and then ask us to
+     </li>
 send   you             custom configuration files. We're here to answer your
 questions     but we           can't do your job for you.</li>
           <li>Do you see any "Shorewall" messages in     /var/log/messages 
 when   you exercise the function that is giving you problems?</li>
           <li>Have you looked at the packet flow with a tool like tcpdump
     to  try to understand what is going on?</li>
           <li>Have you tried using the diagnostic capabilities of the  
  application    that isn't working? For example, if "ssh" isn't able   
 to connect, using    the "-v" option gives you a lot of valuable     diagnostic
 information.</li>
           <li>Please include any of the Shorewall configuration files (especially
    the    /etc/shorewall/hosts file if you have modified that file) that
 you    think are    relevant. If an error occurs when you try to "shorewall
 start",    include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
    section for    instructions).</li>
           <li>The list server limits posts to 120kb so don't post GIFs of
 your             network layout, etc to the Mailing List -- your post will
 be rejected.</li>
 </ul>
-<h3>Where to Send your Problem Report or to Ask for Help</h3>
+<h3>                     </h3>
             <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem 
 reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set 
 on October 3, 2002; MandrakeSoft issued a charge against my credit card on
 October 4, 2002 (they are very effecient at that part of the order process)
 and I haven't heard a word from them since (although their news letters
 boast  that 9.0 boxed sets have been shipping for the last two weeks). If
 they can't  fill my 9.0 order within <u>6 weeks after they have billed my
 credit card</u>  then I refuse to spend my free time supporting their product
 for them.<br>
 <br>
 <b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
 order is part of a batch of which was not correctly sent to our shipping
 handler, and so unfortunately was not processed". They further assure me
 that these mishandled orders will begin shipping on 12/2/2002.<br>
-<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
+<ul>
-     post your question or problem to the <a
+     <li>               
- href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
+    <h3><b>Please don't describe your environment and then  ask  us  to  send
  you             custom configuration files. We're here  to answer   your
 questions     but we           can't do your job for you.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Do you see any "Shorewall" messages in     /var/log/messages  
    when   you exercise the function that is giving you problems?</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Have you looked at the packet flow with a tool  like  tcpdump 
       to  try to understand what is going on?</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Have you tried using the diagnostic capabilities  of  the     
 application    that isn't working? For example, if "ssh" isn't  able   
 to connect, using    the "-v" option gives you a lot of valuable      diagnostic 
    information.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Please include any of the Shorewall configuration  files    (especially 
      the    /etc/shorewall/hosts file if you have modified  that   file) 
 that  you    think are    relevant.</b></h3>
   </li>
   <li>     
    <h3><b>If an error occurs when you try   to "shorewall  start",    include 
 a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>      section 
 for    instructions).</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
  your             network layout, etc to the Mailing List  -- your  post 
  will  be rejected.</b></h3>
     </li>
 </ul>
 <h3>                                     </h3>
 <h2>Please post in plain text</h2>
 <blockquote>
  <h3><b> While the list server here at shorewall.net accepts and distributes
 HTML posts, a growing number of MTAs serving list subscribers are rejecting
 this HTML list traffic. At least one MTA has gone so far as to blacklist
 shorewall.net "for continuous abuse"!!</b></h3>
  <h3><b> I think that blocking all HTML is a rather draconian way to control
 spam and that the unltimate loser here is not the spammers but the list subscribers 
 whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
 help by restricting your list posts to plain text.</b></h3>
  <h3><b> And as a bonus, subscribers who use email clients like pine and
 mutt will be able to read your plain text posts whereas they are most likely
 simply ignoring your HTML posts.</b></h3>
  <h3><b> A final bonus for the use of HTML is that it cuts down the size
 of messages by a large percentage -- that is important when the same message
 must be sent 500 times over the slow DSL line connecting the list server
 to the internet.</b>   </h3>
 </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
 <h3></h3>
 <blockquote>         
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem 
 to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing 
 list</a>.</span></h4>
  <p>Otherwise, please post your question or problem to the <a
- href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
+ href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
-     there are lots of folks there who are willing to help you. Your question/problem
+   </blockquote>
     description and their responses will be placed in the mailing list archives
    to  help people who have a similar question or problem in the future.</p>
 <p>I don't look at problems sent to me directly but I try to spend some amount
     of time each day responding to problems posted on the mailing list.</p>
-<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
+                   
 <p align="center"><big><font color="#ff0000"><b></b></font></big></p>
 <p>To Subscribe to the  mailing list go to <a
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
               .</p>
-<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
+ 
 <p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
   </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/three-interface.htm
+++ b/STABLE/documentation/three-interface.htm
@ -39,11 +39,12 @@
    in one  of its more popular configurations:</p>
 <ul>
-          <li>Linux system used as a firewall/router for a small local network.</li>
+             <li>Linux system used as a firewall/router for a small local 
 network.</li>
             <li>Single public IP address.</li>
             <li>DMZ connected to a separate ethernet interface.</li>
-          <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
+             <li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
-   ...</li>
+dial-up,     ...</li>
 </ul>
@ -55,43 +56,47 @@
 <p>This guide assumes that you have the iproute/iproute2 package installed
     (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
- if  this  package is installed by the presence of an <b>ip</b> program on 
+   if  this  package is installed by the presence of an <b>ip</b> program
- your  firewall  system. As root, you can use the 'which' command to check 
+on   your  firewall  system. As root, you can use the 'which' command to
- for this  program:</p>
+check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the guide    to familiarize yourself
     with what's involved then go back through it again  making your configuration
-   changes. Points at which configuration changes are  recommended are flagged 
+     changes. Points at which configuration changes are  recommended are
-   with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
          </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-            If you edit your configuration files on a Windows system, you 
+               If you edit your configuration files on a Windows system,
-must   save them as  Unix files if your editor supports that option or you 
+you   must   save them as  Unix files if your editor supports that option
-must  run them through  dos2unix before trying to use them. Similarly, if 
+or you   must  run them through  dos2unix before trying to use them. Similarly,
-you copy  a configuration file  from your Windows hard drive to a floppy disk,
+if   you copy  a configuration file  from your Windows hard drive to a floppy
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+ disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
-          <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
+             <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
   of    dos2unix</a></li>
          <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
 Version     of    dos2unix</a></li>
             <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version 
 of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
-/etc/shorewall -- for simple setups, you will only need to deal with a few
+ alt="">
-of  these as described in this guide.  After you have <a
+      The configuration files for Shorewall are contained in the directory
- href="Install.htm">installed Shorewall</a>,  download the <a
+  /etc/shorewall -- for simple setups, you will only need to deal with a
 few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
-   sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy the 
+     sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy
-  files to /etc/shorewall  (the files will replace files with the same names 
+the    files to /etc/shorewall  (the files will replace files with the same
-  that were placed in  /etc/shorewall when Shorewall was installed).</p>
+names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
     file on your system -- each file contains detailed  configuration instructions
@ -133,11 +138,11 @@ following   zone names are used:</p>
     in  terms of zones.</p>
 <ul>
-          <li>You express your default policy for connections from one zone 
+             <li>You express your default policy for connections from one 
- to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
        </a>file.</li>
-          <li>You define exceptions to those default policies in the   <a
+             <li>You define exceptions to those default policies in the 
- href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+     <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -190,8 +195,8 @@ following   zone names are used:</p>
 <blockquote>                               
  <p>In the three-interface sample, the line below is included but commented
-   out. If  you want your firewall system to have full access to servers on
+     out. If  you want your firewall system to have full access to servers
-  the internet,  uncomment that line.</p>
+ on   the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -218,10 +223,10 @@ following   zone names are used:</p>
 <p>The above policy will:</p>
 <ol>
-          <li>allow all connection requests from your local network to the
+             <li>allow all connection requests from your local network to 
- internet</li>
+the   internet</li>
-          <li>drop (ignore) all connection requests from the internet to
+             <li>drop (ignore) all connection requests from the internet
-your   firewall     or local network</li>
+to  your   firewall     or local network</li>
             <li>optionally accept all connection requests from the firewall
  to  the     internet (if you uncomment the additional policy)</li>
             <li>reject all other connection requests.</li>
@ -243,10 +248,10 @@ any   changes  that you  wish.</p>
      will be the ethernet adapter that is connected to that "Modem" (e.g.,
  <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
  <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-<u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External Interface
+  <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External
-will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular
+ Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
-modem, your External  Interface will also be <b>ppp0</b>. If you connect
+ a regular modem, your External  Interface will also be <b>ppp0</b>. If you
-using ISDN,   you external  interface will be <b>ippp0.</b></p>
+ connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -255,32 +260,32 @@ using ISDN,   you external  interface will be <b>ippp0.</b></p>
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
-    eth1 or eth2) and will be connected to a hub or switch. Your local computers 
+      eth1 or eth2) and will be connected to a hub or switch. Your local
-    will be connected to the same switch (note: If you have only a single 
+computers       will be connected to the same switch (note: If you have only
-local   system,  you can connect the firewall directly to the computer using 
+a single   local   system,  you can connect the firewall directly to the
-a <i>cross-over   </i> cable).</p>
+computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
-   (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
+     (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your
-  computers will  be connected to the same switch (note: If you have only 
+DMZ    computers will  be connected to the same switch (note: If you have
-a  single DMZ system,  you can connect the firewall directly to the computer 
+only  a  single DMZ system,  you can connect the firewall directly to the
-  using a <i>cross-over </i> cable).</p>
+computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-       </b></u>Do not connect more than one interface  to the same hub or 
+          </b></u>Do not connect more than one interface  to the same hub 
-switch    (even for testing). It won't work the way that you  expect it to 
+or  switch    (even for testing). It won't work the way that you  expect it
-and you   will end up confused and  believing that Shorewall doesn't work 
+to  and you   will end up confused and  believing that Shorewall doesn't
-at all.</p>
+ work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-           The Shorewall three-interface sample configuration assumes that
+              The Shorewall three-interface sample configuration assumes
-  the   external interface is <b>eth0, </b>the local interface is <b>eth1
+that    the   external interface is <b>eth0, </b>the local interface is <b>eth1 
 </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is different,
   you will have to modify the sample  /etc/shorewall/interfaces file accordingly.
-   While you are there, you may wish to  review the list of options that are
+    While you are there, you may wish to  review the list of options that
-   specified for the interfaces. Some hints:</p>
+are    specified for the interfaces. Some hints:</p>
 <ul>
             <li>                                                     
@ -289,8 +294,8 @@ at all.</p>
            </li>
            <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
-   or if you have a static IP    address, you can remove "dhcp" from the option
+     or if you have a static IP    address, you can remove "dhcp" from the
-   list. </p>
+ option    list. </p>
            </li>
 </ul>
@ -298,17 +303,18 @@ at all.</p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet
-    Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
+      Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
-   <i> Public</i> IP address. This address may be assigned via the<i> Dynamic
+a  single    <i> Public</i> IP address. This address may be assigned via
-   Host  Configuration Protocol</i> (DHCP) or as part of establishing your
+the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
- connection   when you dial in (standard modem) or establish your PPP connection.
+establishing  your  connection   when you dial in (standard modem) or establish
- In rare   cases, your ISP may assign you a<i> static</i> IP address; that
+your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
- means that  you  configure your firewall's external interface to use that
+IP address; that  means that  you  configure your firewall's external interface
- address permanently.<i>  </i>Regardless of how the address is assigned,
+to use that  address permanently.<i>  </i>Regardless of how the address is
-it  will be shared by all of your  systems when you access the Internet.
+assigned, it  will be shared by all of your  systems when you access the
-You will have to assign your  own addresses  for your internal network (the
+Internet. You will have to assign your  own addresses  for your internal
-local and DMZ Interfaces on  your firewall plus your other  computers). RFC
+network (the local and DMZ Interfaces on  your firewall plus your other 
-1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
+computers). RFC 1918 reserves several <i>Private  </i>IP address ranges for
 this  purpose:</p>
 <div align="left">             
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -331,10 +337,10 @@ range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
  Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet
    Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>
  <i>Address</i>.  In Shorewall,  a subnet is described using <a
- href="subnet_masks.htm"><i>Classless  InterDomain Routing </i>(CIDR)</a> 
+ href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
-notation with consists of the subnet address  followed    by "/24". The "24" 
+</i>(CIDR)</a>   notation with consists of the subnet address  followed 
-refers to the number of    consecutive "1"  bits from the left of the subnet 
+  by "/24". The "24"  refers to the number of    consecutive "1"  bits from
-mask. </p>
+the left of the subnet  mask. </p>
          </div>
 <div align="left">             
@ -384,16 +390,16 @@ mask. </p>
 <div align="left">             
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-           Your local  computers    (Local Computers 1 &amp; 2) should be 
+              Your local  computers    (Local Computers 1 &amp; 2) should 
-configured    with their<i>    default gateway</i> set to the IP address of
+be  configured    with their<i>    default gateway</i> set to the IP address
-the firewall's    internal interface    and your DMZ computers ( DMZ Computers 
+ of the firewall's    internal interface    and your DMZ computers ( DMZ
-1 &amp; 2)  should  be configured with their    default gateway set to the 
+Computers   1 &amp; 2)  should  be configured with their    default gateway
-IP address  of the firewall's DMZ interface.   </p>
+set to the   IP address  of the firewall's DMZ interface.   </p>
          </div>
 <p align="left">The foregoing short discussion barely scratches the surface
-    regarding subnetting and routing. If you are interested in learning more 
+      regarding subnetting and routing. If you are interested in learning
-   about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
+more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
     What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
    A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
@ -410,24 +416,24 @@ IP address  of the firewall's DMZ interface.
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-   to as <i>non-routable</i> because the Internet backbone routers don't forward
+     to as <i>non-routable</i> because the Internet backbone routers don't
-   packets  which have an RFC-1918 destination address. When one of your
+ forward    packets  which have an RFC-1918 destination address. When one
-local    systems  (let's assume local computer 1) sends a connection request
+of your local    systems  (let's assume local computer 1) sends a connection
-to an   internet host, the  firewall must perform <i>Network Address Translation
+ request to an   internet host, the  firewall must perform <i>Network Address
-  </i>(NAT). The firewall  rewrites the source address in the packet to be
+ Translation   </i>(NAT). The firewall  rewrites the source address in the
- the address of the firewall's  external interface; in other words, the firewall
+ packet to be  the address of the firewall's  external interface; in other
-  makes it look as if the firewall  itself is initiating the connection. 
+ words, the firewall   makes it look as if the firewall  itself is initiating
-This  is necessary so that the  destination host will be able to route return
+ the connection.  This  is necessary so that the  destination host will be
-packets   back to the firewall  (remember that packets whose destination
+ able to route return packets   back to the firewall  (remember that packets
-address is   reserved by RFC 1918 can't  be routed accross the internet).
+ whose destination address is   reserved by RFC 1918 can't  be routed accross
-When the firewall   receives a return packet, it  rewrites the destination
+ the internet). When the firewall   receives a return packet, it  rewrites
-address back to 10.10.10.1   and  forwards the packet on to local computer
+ the destination address back to 10.10.10.1   and  forwards the packet on
-1. </p>
+to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> and you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
             <li>                                                     
@ -437,8 +443,8 @@ address back to 10.10.10.1   and  forwards the packet on to local computer
            </li>
            <li>                                                     
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
-   the    source address that you want outbound packets from your local network 
+     the    source address that you want outbound packets from your local
-   to use.    </p>
+network     to use.    </p>
            </li>
 </ul>
@ -449,8 +455,8 @@ address back to 10.10.10.1   and  forwards the packet on to local computer
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
              If your external firewall interface is <b>eth0</b>, your local
- interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
+   interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
- not  need to  modify the file provided with the sample. Otherwise, edit
+do  not  need to  modify the file provided with the sample. Otherwise, edit 
  /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -458,19 +464,34 @@ address back to 10.10.10.1   and  forwards the packet on to local computer
              If your external IP  is static, you can enter it in the third 
 column    in the /etc/shorewall/masq entry  if you like although your firewall 
 will    work fine if you leave that column  empty. Entering your static IP
-in column    3 makes processing outgoing packets a  little more efficient.
+ in column    3 makes <br>
 processing outgoing packets a  little more efficient.<br>
 </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
      If you are using the Debian package, please check your shorewall.conf
 file to ensure that the following are set correctly; if they are not, change
 them appropriately:<br>
   </p>
 <ul>
   <li>NAT_ENABLED=Yes</li>
   <li>IP_FORWARDING=On<br>
    </li>
 </ul>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your
-   DMZ computers. Because these computers have RFC-1918 addresses, it is not
+     DMZ computers. Because these computers have RFC-1918 addresses, it is
-    possible for clients on the internet to connect directly to them. It
+ not     possible for clients on the internet to connect directly to them.
-is   rather  necessary for those clients to address their connection requests 
+ It is   rather  necessary for those clients to address their connection
- to your firewall  who rewrites the destination address to the address of 
+requests    to your firewall  who rewrites the destination address to the
-your server and forwards  the packet to that server. When your server responds, 
+address of   your server and forwards  the packet to that server. When your
-  the firewall automatically  performs SNAT to rewrite the source address 
+server responds,     the firewall automatically  performs SNAT to rewrite
-in  the response.</p>
+the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
     Destination Network Address Translation</i> (DNAT). You configure port 
@ -507,8 +528,8 @@ in  the response.</p>
  </table>
           </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
-the same  as <i>&lt;port&gt;</i>.</p>
+be the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
      TCP port 80 to that system:</p>
@ -554,9 +575,9 @@ the same  as <i>&lt;port&gt;</i>.</p>
 <ul>
             <li>When you are connecting to your server from your local systems,
    you  must    use the server's internal IP address (10.10.11.2).</li>
-          <li>Many ISPs block incoming connection requests to port 80. If 
+             <li>Many ISPs block incoming connection requests to port 80. 
-you   have     problems connecting to your web server, try the following rule
+If  you   have     problems connecting to your web server, try the following
-and  try     connecting to port 5000 (e.g., connect to <a
+ rule and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your
     external IP).</li>
@ -590,8 +611,8 @@ and  try     connecting to port 5000 (e.g., connect to <a
           </blockquote>
 <p>If you want to be able  to access your server from the local network using
-   your external address, then  if you have a static external IP you can replace
+     your external address, then  if you have a static external IP you can
-   the loc-&gt;dmz rule above with:</p>
+ replace    the loc-&gt;dmz rule above with:</p>
 <blockquote>                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -621,8 +642,8 @@ and  try     connecting to port 5000 (e.g., connect to <a
           </blockquote>
 <p>If you have a dynamic ip then you must ensure that your external interface
-   is  up before starting Shorewall and you must take steps as follows (assume 
+     is  up before starting Shorewall and you must take steps as follows
-   that  your external interface is <b>eth0</b>):</p>
+(assume      that  your external interface is <b>eth0</b>):</p>
 <ol>
             <li>Include the following in /etc/shorewall/params:<br>
@ -673,35 +694,36 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p align="left">Normally, when you connect to your ISP, as part of getting
     an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
    will be  automatically configured (e.g., the /etc/resolv.conf file will
-be  written).  Alternatively, your ISP may have given you the IP address of
+  be  written).  Alternatively, your ISP may have given you the IP address
-a  pair of DNS <i> name servers</i> for you to manually configure as your 
+ of a  pair of DNS <i> name servers</i> for you to manually configure as
- primary  and secondary  name servers. It is <u>your</u> responsibility to 
+your    primary  and secondary  name servers. It is <u>your</u> responsibility
- configure  the resolver in your  internal systems. You can take one of two 
+to   configure  the resolver in your  internal systems. You can take one
- approaches:</p>
+of two   approaches:</p>
 <ul>
             <li>                                                     
    <p align="left">You can configure your internal systems to use your ISP's
-   name    servers. If you ISP gave you the addresses of their servers or 
+     name    servers. If you ISP gave you the addresses of their servers
-if   those    addresses are available on their web site, you can configure 
+or   if   those    addresses are available on their web site, you can configure
-your   internal    systems to use those addresses. If that information isn't 
+  your   internal    systems to use those addresses. If that information
-available,   look in    /etc/resolv.conf on your firewall system -- the name 
+isn't   available,   look in    /etc/resolv.conf on your firewall system
-servers are  given in    "nameserver" records in that file.   </p>
+-- the name  servers are  given in    "nameserver" records in that file.
  </p>
            </li>
            <li>                                                     
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
              You can configure a<i> Caching Name Server </i>on your    firewall
-  or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
+    or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
-  also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
+(which     also     requires the 'bind' RPM) and for Bering users, there
-  If you    take this approach, you configure your internal systems to use 
+is dnscache.lrp.     If you    take this approach, you configure your internal
- the caching    name server as their primary (and only) name server. You use
+systems to use    the caching    name server as their primary (and only)
- the internal IP    address of the firewall (10.10.10.254 in the example above)
+name server. You  use  the internal IP    address of the firewall (10.10.10.254
-   for the name    server address if you choose to run the name server on
+in the example  above)    for the name    server address if you choose to
-your   firewall. To allow your local systems to talk to your caching name 
+run the name server  on your   firewall. To allow your local systems to talk
-   server,   you must open port 53 (both UDP and TCP) from the local network 
+to your caching name      server,   you must open port 53 (both UDP and TCP)
-to the    server; you do that by adding the rules in /etc/shorewall/rules. 
+from the local network   to the    server; you do that by adding the rules
-    </p>
+in /etc/shorewall/rules.       </p>
            </li>
 </ul>
@ -917,8 +939,8 @@ to the    server; you do that by adding the rules in /etc/shorewall/rules.
 <div align="left">             
 <p align="left">That rule allows you to run an SSH server on your firewall
-   and    in each of your DMZ systems and    to connect to those servers from
+     and    in each of your DMZ systems and    to connect to those servers
-   your local systems.</p>
+ from    your local systems.</p>
          </div>
 <div align="left">             
@ -1004,14 +1026,14 @@ to the    server; you do that by adding the rules in /etc/shorewall/rules.
          </div>
 <div align="left">             
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
          </div>
 <div align="left">             
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-      the internet because it uses clear text (even for login!). If you want 
+        the internet because it uses clear text (even for login!). If you
-   shell    access to your firewall from the internet, use SSH:</p>
+want     shell    access to your firewall from the internet, use SSH:</p>
          </div>
 <div align="left">             
@ -1073,8 +1095,8 @@ uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">             
 <p align="left">The firewall is started using the "shorewall start" command
-      and stopped using "shorewall stop". When the firewall is stopped, routing 
+        and stopped using "shorewall stop". When the firewall is stopped,
-   is    enabled on those hosts that have an entry in   <a
+routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
        running firewall may be restarted using the "shorewall restart" command.
     If    you want to totally remove any trace of Shorewall from your Netfilter
@ -1093,16 +1115,16 @@ of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
 <div align="left">             
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-   the    internet, do not issue a "shorewall stop" command unless you have 
+     the    internet, do not issue a "shorewall stop" command unless you
-  added an    entry for the IP address that you are connected from to   <a
+have     added an    entry for the IP address that you are connected from
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
   Also, I don't recommend using "shorewall restart"; it is better to create
     an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
     and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
          </div>
-<p align="left"><font size="2">Last updated 11/21/2002 - <a
+<p align="left"><font size="2">Last updated 12/20/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
@ -1115,5 +1137,8 @@ of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/traffic_shaping.htm
+++ b/STABLE/documentation/traffic_shaping.htm
@ -20,6 +20,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
            </td>
          </tr>
@ -37,12 +38,12 @@ to provide the "ip" and "tc" utilities.</p>
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
 <ul>
-    <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic     Shaping 
+          <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
-also requires that you enable packet mangling.<br>
+    Shaping  also requires that you enable packet mangling.<br>
          </li>
          <li>/etc/shorewall/tcrules - A file where you can specify     firewall 
-marking of packets. The firewall mark value may be used to classify     packets 
+   marking of packets. The firewall mark value may be used to classify   
-for traffic shaping/control.<br>
+ packets  for traffic shaping/control.<br>
          </li>
          <li>/etc/shorewall/tcstart - A user-supplied file that is     sourced 
   by Shorewall during "shorewall start" and which you can     use to define 
@ -52,13 +53,24 @@ your traffic shaping disciplines and classes. I have provided     a <a
   the     HOWTO mentioned above, you can probably code your own faster than 
   you can     learn how to use my sample. I personally use <a
 href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see below). HTB
-     support may eventually become an integral part of Shorewall since HTB 
+        support may eventually become an integral part of Shorewall since
-is a     lot simpler and better-documented than CBQ. HTB is currently not 
+HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
-a standard     part of either the kernel or iproute2 so both must be patched 
+HTB is a standard     part of the kernel but iproute2 must be patched  in
-in order to     use it.<br>
+order  to     use it.<br>
            <br>
-      In tcstart, when you want to run the 'tc' utility, use the run_tc function
+            In tcstart, when you want to run the 'tc' utility, use the run_tc 
-     supplied by shorewall. <br>
+  function      supplied by shorewall if you want tc errors to stop the firewall.<br>
      <br>
  You can generally use off-the-shelf traffic shaping scripts by simply copying
 them to /etc/shorewall/tcstart. I use <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
 that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
 modified  it according to the Wonder Shaper README). <b>WARNING: </b>If you
 use use Masquerading or SNAT (i.e., you only have one external IP address)
 then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
 script won't work. Traffic shaping occurs after SNAT has already been applied
 so when traffic shaping happens, all outbound traffic will have as a source 
 address the IP addresss of your firewall's external interface.<br>
    </li>
          <li>/etc/shorewall/tcclear - A user-supplied file that is     sourced 
   by Shorewall when it is clearing traffic shaping. This file is     normally 
@ -78,8 +90,16 @@ is pretty general.</li>
 <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
 <p align="left">The fwmark classifier provides a convenient way to classify
- packets for traffic shaping. The /etc/shorewall/tcrules file provides a
+    packets for traffic shaping. The /etc/shorewall/tcrules file provides
-means  for specifying these marks in a tabular fashion.</p>
+a  means  for specifying these marks in a tabular fashion.<br>
 </p>
 <p align="left">Normally, packet marking occurs in the PREROUTING chain before
 any address rewriting takes place. This makes it impossible to mark inbound
 packets based on their destination address when SNAT or Masquerading are
 being used. Beginning with Shorewall 1.3.12, you can cause packet marking
 to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
 <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
 </p>
 <p align="left">Columns in the file are as follows:</p>
@ -89,35 +109,35 @@ a match. This is an integer in the range 1-255.<br>
            <br>
            Example - 5<br>
          </li>
-    <li>SOURCE - The source of the packet. If the packet originates     on 
+          <li>SOURCE - The source of the packet. If the packet originates 
-the firewall, place "fw" in this column. Otherwise, this is a     comma-separated 
+    on  the firewall, place "fw" in this column. Otherwise, this is a    
-list of interface names, IP addresses, MAC addresses in   <a
+comma-separated   list of interface names, IP addresses, MAC addresses in
- href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
+   <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
            <br>
            Examples<br>
                eth0<br>
                192.168.2.4,192.168.1.0/24<br>
          </li>
-    <li>DEST -- Destination of the packet. Comma-separated list of     IP 
+          <li>DEST -- Destination of the packet. Comma-separated list of
-addresses and/or subnets.<br>
+    IP  addresses and/or subnets.<br>
          </li>
-    <li>PROTO - Protocol - Must be the name of a protocol from     /etc/protocol, 
+          <li>PROTO - Protocol - Must be the name of a protocol from    
-a number or "all"<br>
+/etc/protocol,    a number or "all"<br>
          </li>
-    <li>PORT(S) - Destination Ports. A comma-separated list of Port     names 
+          <li>PORT(S) - Destination Ports. A comma-separated list of Port 
-(from /etc/services), port numbers or port ranges (e.g., 21:22); if     the 
+    names  (from /etc/services), port numbers or port ranges (e.g., 21:22);
-protocol is "icmp", this column is interpreted as the     destination icmp 
+  if     the  protocol is "icmp", this column is interpreted as the     destination 
-type(s).<br>
+  icmp  type(s).<br>
          </li>
-    <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If     omitted, 
+          <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
-any source port is acceptable. Specified as a comma-separate list     of port
+    omitted,  any source port is acceptable. Specified as a comma-separate
-names, port numbers or port ranges.</li>
+ list      of port names, port numbers or port ranges.</li>
 </ul>
 <p align="left">Example 1 - All packets arriving on eth1 should be marked 
-with 1. All packets arriving on eth2 should be marked with 2. All packets 
+   with 1. All packets arriving on eth2 and eth3 should be marked with 2. 
-originating on the firewall itself should be marked with 3.</p>
+All packets   originating on the firewall itself should be marked with 3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
          <tbody>
@ -145,6 +165,20 @@ originating on the firewall itself should be marked with 3.</p>
            <td> </td>
            <td> </td>
          </tr>
          <tr>
         <td valign="top">2<br>
         </td>
         <td valign="top">eth3<br>
         </td>
         <td valign="top">0.0.0.0/0<br>
         </td>
         <td valign="top">all<br>
         </td>
         <td valign="top"><br>
         </td>
         <td valign="top"><br>
         </td>
       </tr>
       <tr>
            <td>3</td>
            <td>fw</td>
@ -158,7 +192,8 @@ originating on the firewall itself should be marked with 3.</p>
 </table>
 <p align="left">Example 2 - All GRE (protocol 47) packets not originating 
-on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
+   on the firewall and destined for 155.186.235.151 should be marked with 
 12.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
          <tbody>
@ -207,51 +242,52 @@ and destined for 155.186.235.151 should be marked with 22.</p>
  </tbody>       
 </table>
-<h3>Hierarchical Token Bucket</h3>
+<h3>My Setup<br>
  </h3>
-<p>I personally use HTB. I have found a couple of things that may be of use 
+<p>While I am currently using the HTB version of <a
-to others.</p>
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
-   
+wshaper.htb  to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
-<ul>
+README),  I have also run with the following set of hand-crafted rules in
-    <li>The gzipped tc binary at the <a
+my tcstart  file:<br>
- href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB     website</a> didn't work
+  </p>
 for me -- I had to download the lastest version of     the <a
 href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch    
 them for HTB.</li>
    <li>I'm currently      running with this set of shaping rules in my tcstart
 file. I recently changed from using a ceiling of 10Mbit (interface speed)
 to 384kbit (DSP Uplink speed).<br>
    <br>
  </li>
 </ul>
 <blockquote>      
-  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
+  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
-  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
+  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
-  <pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
+  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
-  <pre>echo "   Enabled SFQ on Second Level Classes"</pre>
+  <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
-  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
+  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
  <pre>echo "   Defined fwmark filters"<br></pre>
  <p>My tcrules file is shown in Example 1 above. You can look at my <a
 href="myfiles.htm">network   configuration</a> to get an idea of why I want 
 these particular rules.<font face="Courier" size="2"><br>
    </font></p>
                  </blockquote>
-<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p>My tcrules file that went with this tcstart file is shown in Example 1
 above. You can look at my <a href="myfiles.htm">network   configuration</a>
 to get an idea of why I wanted   these particular rules.<br>
   </p>
 <ol>
     <li>I wanted to allow up to 140kbits/second for traffic outbound from
 my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
 can  use all available bandwidth if there is no traffic from the local systems 
 or from my laptop or firewall).</li>
     <li>My laptop and local systems could use up to 224kbits/second.</li>
     <li>My firewall could use up to 20kbits/second.<br>
     </li>
 </ol>
 <p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-   <br>
+</p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/troubleshoot.htm
+++ b/STABLE/documentation/troubleshoot.htm
@ -18,6 +18,7 @@
               <tbody>
          <tr>
                 <td width="100%">                                      
      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
 src="images/obrasinf.gif" alt="Beating head on table" width="90"
 height="90" align="middle">
@ -44,13 +45,30 @@ of  the   firewall.</p>
 firewall  and you can't determine the cause, then do the following:     
 <ul>
           <li>Make a note of the error message that you see.<br>
  </li>
  <li>shorewall debug start 2&gt; /tmp/trace</li>
-         <li>Look at the /tmp/trace file and see if that helps you     determine
+           <li>Look at the /tmp/trace file and see if that helps you    
-  what the problem is.</li>
+determine    what the problem is. Be sure you find the place in the log where
-         <li>If you still can't determine what's wrong then see the     <a
+the error message you saw is generated -- in 99.9% of the cases, it will
- href="support.htm">support page</a>.</li>
+not be near the end of the log because after startup errors, Shorewall goes
 through a "shorewall stop" phase which will also be traced.</li>
           <li>If you still can't determine what's wrong then see the   
     <a href="support.htm">support page</a>.</li>
 </ul>
 Here's an example. During startup, a user sees the following:<br>
 <blockquote>
  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
 </blockquote>
 A search through the trace for "No chain/target/match by that name" turned
 up the following: 
 <blockquote>
  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
 </blockquote>
 The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
 tcp-reset". In this case, the user had compiled his own kernel and had forgotten
 to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) 
 <h3>Your network environment</h3>
@ -100,6 +118,7 @@ one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">Example:</p>
            <font face="Century Gothic, Arial, Helvetica">              
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
   LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53
@ -133,8 +152,8 @@ chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT policy
 <h3 align="left">Other Gotchas</h3>
 <ul>
-         <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
+           <li>Seeing rejected/dropped packets logged out of the INPUT or 
-       chains? This means that:                    
+FORWARD        chains? This means that:                              
    <ol>
             <li>your zone definitions are screwed up and the host that is
 sending   the        packets or the destination host isn't in any zone (using
@ -153,15 +172,15 @@ to be  allowed between zones, you need a rule of the form:<br>
                ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
   icmp        echo-request<br>
            <br>
-          The ramifications of this can be subtle. For example, if you have 
+            The ramifications of this can be subtle. For example, if you
- the      following in /etc/shorewall/nat:<br>
+have   the      following in /etc/shorewall/nat:<br>
            <br>
                10.1.1.2    eth0        130.252.100.18<br>
            <br>
            and you ping 130.252.100.18, unless you have allowed icmp type
-8  between  the     zone containing the system you are pinging from and the
+ 8  between  the     zone containing the system you are pinging from and
-zone containing       10.1.1.2, the ping requests will be dropped. This is
+the  zone containing       10.1.1.2, the ping requests will be dropped. This
-true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
+is  true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
           <li>If you specify "routefilter" for an interface,     that interface
   must be up prior to starting the firewall.</li>
           <li>Is your routing correct? For example, internal systems usually 
@ -186,8 +205,8 @@ by     default). You may also download the latest source tarball from <a
           <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
   then the zone must be entirely   defined in /etc/shorewall/hosts unless
 you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
- For example, if a zone has two interfaces but   only one interface has an
+  For example, if a zone has two interfaces but   only one interface has
- entry in /etc/shorewall/hosts then hosts attached to   the other interface
+an   entry in /etc/shorewall/hosts then hosts attached to   the other interface
  will     <u>not</u> be considered part of the zone.</li>
           <li>Problems with NAT? Be sure that you let Shorewall add all
    external  addresses to be use with NAT unless you have set <a
@ -199,14 +218,17 @@ you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
 <p>See the<a href="support.htm"> support page.</a></p>
              <font face="Century Gothic, Arial, Helvetica">            
 <blockquote> </blockquote>
               </font>                  
-<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -22,6 +22,7 @@
            <tbody>
             <tr>
              <td width="100%">                                         
      <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
              </td>
            </tr>
@ -38,10 +39,11 @@
   in its  most common configuration:</p>
 <ul>
-        <li>Linux system used as a firewall/router for a small local network.</li>
+            <li>Linux system used as a firewall/router for a small local
 network.</li>
            <li>Single public IP address.</li>
-        <li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
+            <li>Internet connection through cable modem, DSL, ISDN, Frame 
-  dial-up    ...</li>
+Relay,    dial-up    ...</li>
 </ul>
@ -51,6 +53,12 @@
 height="635">
         </p>
 <p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily 
 configure the above setup using the Mandrake "Internet Connection Sharing" 
 applet. From the Mandrake Control Center, select "Network &amp; Internet" 
 then "Connection Sharing". You should not need to refer to this guide.</b><br>
   </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
    (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
  if  this  package is installed by the presence of an <b>ip</b> program on
@ -62,33 +70,37 @@ for this  program:</p>
 <p>I recommend that you first read through the  guide to familiarize yourself 
    with what's involved then go back through it again  making your configuration 
    changes. Points at which configuration changes are  recommended are flagged 
-  with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+    with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-          If you edit your configuration files on a Windows system, you must
+              If you edit your configuration files on a Windows system, you 
-  save them as  Unix files if your editor supports that option or you must
+ must   save them as  Unix files if your editor supports that option or you 
- run them through  dos2unix before trying to use them. Similarly, if you
+ must  run them through  dos2unix before trying to use them. Similarly, if 
-copy  a configuration file  from your Windows hard drive to a floppy disk,
+ you copy  a configuration file  from your Windows hard drive to a floppy 
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
-        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
+            <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
  of    dos2unix</a></li>
        <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
 Version     of    dos2unix</a></li>
            <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
 of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
-/etc/shorewall -- for simple setups, you will only need to deal with a few
+ alt="">
-of  these as described in this guide.  After you have <a
+      The configuration files for Shorewall are contained in the directory
- href="Install.htm">installed Shorewall</a>,  download the <a
+  /etc/shorewall -- for simple setups, you will only need to deal with a
 few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
    un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall 
-   (these files will replace files with the same name).</p>
+     (these files will replace files with the same name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual 
    file on your system -- each file contains detailed  configuration instructions 
@ -127,11 +139,11 @@ of  these as described in this guide.  After you have <a
    in  terms of zones.</p>
 <ul>
-        <li>You express your default policy for connections from one zone 
+            <li>You express your default policy for connections from one
-to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
        </a>file.</li>
-        <li>You define exceptions to those default policies in the   <a
+            <li>You define exceptions to those default policies in the  
- href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+    <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -139,8 +151,8 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
    checked against the  /etc/shorewall/rules file. If no rule in that file 
  matches  the connection  request then the first policy in /etc/shorewall/policy 
  that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common (the
+  the request is first  checked against the rules in /etc/shorewall/common 
-samples provide that  file for you).</p>
+ (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the two-interface sample has
 the  following policies:</p>
@ -184,8 +196,8 @@ the  following policies:</p>
 <blockquote>                            
  <p>In the two-interface sample, the line below is included but commented 
-  out. If  you want your firewall system to have full access to servers on 
+    out. If  you want your firewall system to have full access to servers 
- the internet,  uncomment that line.</p>
+on   the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -212,19 +224,19 @@ the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-        <li>allow all connection requests from your local network to the
+            <li>allow all connection requests from your local network to
-internet</li>
+the   internet</li>
-        <li>drop (ignore) all connection requests from the internet to your 
+            <li>drop (ignore) all connection requests from the internet to
- firewall     or local network</li>
+ your   firewall     or local network</li>
-        <li>optionally accept all connection requests from the firewall to
+            <li>optionally accept all connection requests from the firewall 
- the     internet (if you uncomment the additional policy)</li>
+ to  the     internet (if you uncomment the additional policy)</li>
            <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-         At this point, edit your /etc/shorewall/policy and make any changes
+             At this point, edit your /etc/shorewall/policy and make any
-  that you  wish.</p>
+changes     that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -237,16 +249,16 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
 will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
     over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-   <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
+    <u>P</u>rotocol </i>(PPTP) in which case the External Interface will
- a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
+be   a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
  your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
  your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-         If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then 
+             If your external interface is <b>ppp0</b>  or<b> ippp0</b> 
-you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> 
+then   you   will want to  set CLAMPMSS=yes in <a
-/etc/shorewall/shorewall.conf.</a></p>
+ href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter 
    (eth1  or eth0) and will be connected to a hub or switch. Your other computers
@ -256,19 +268,19 @@ using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-     </b></u>Do not connect the internal and external interface  to the same
+         </b></u>Do not connect the internal and external interface  to the 
-  hub or switch (even for testing). It won't work the way that you think
+ same   hub or switch (even for testing). It won't work the way that you think
 that   it will and you will end up confused and  believing that Shorewall
  doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-         The Shorewall two-interface sample configuration assumes that  the 
+             The Shorewall two-interface sample configuration assumes that
- external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>. 
+  the   external  interface is <b>eth0</b> and the internal interface is
-  If your  configuration is different, you will have to modify the sample 
+<b>eth1</b>.     If your  configuration is different, you will have to modify
- <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file 
+the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
- accordingly.  While you are there, you may wish to  review the list of options 
+file    accordingly.  While you are there, you may wish to  review the list
- that are  specified for the interfaces. Some hints:</p>
+of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
            <li>                                                
@ -277,8 +289,8 @@ doesn't   work at all.</p>
           </li>
           <li>                                                
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-  or if you have a static IP    address, you can remove "dhcp" from the option 
+    or if you have a static IP    address, you can remove "dhcp" from the 
-  list. </p>
+option    list. </p>
           </li>
 </ul>
@ -286,17 +298,17 @@ doesn't   work at all.</p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet 
-   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
+     Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a 
-  <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
+single    <i> Public</i> IP address. This address may be assigned via the<i> 
-  Host  Configuration Protocol</i> (DHCP) or as part of establishing your 
+Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing 
-connection   when you dial in (standard modem) or establish your PPP connection. 
+your  connection   when you dial in (standard modem) or establish your PPP 
-In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
+connection.  In rare   cases, your ISP may assign you a<i> static</i> IP address;
-means that  you  configure your firewall's external interface to use that 
+that  means that  you  configure your firewall's external interface to use
-address permanently.<i>  </i>However your external address is assigned, it 
+that  address permanently.<i>  </i>However your external address is assigned,
-will be shared by all of your systems when you access the  Internet. You will
+it  will be shared by all of your systems when you access the  Internet.
-have to assign your  own addresses in your  internal network (the Internal 
+You will have to assign your  own addresses in your  internal network (the
-Interface on your firewall  plus your other  computers). RFC 1918 reserves 
+Internal  Interface on your firewall  plus your other  computers). RFC 1918
-several <i>Private </i>IP address ranges for this  purpose:</p>
+reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">            
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -307,8 +319,8 @@ several <i>Private </i>IP address ranges for this  purpose:</p>
 height="13">
                Before starting Shorewall, you should look at the IP address
  of  your  external    interface and if it is one of the above ranges, you
-should  remove  the    'norfc1918' option from the external interface's entry
+  should  remove  the    'norfc1918' option from the external interface's
-in    /etc/shorewall/interfaces.</p>
+entry  in    /etc/shorewall/interfaces.</p>
         </div>
 <div align="left">            
@ -317,11 +329,11 @@ in    /etc/shorewall/interfaces.</p>
       to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet 
    will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 
  is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as
-the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
+  the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
- using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
+ described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
- notation</a> with consists of the subnet address followed    by "/24". The
+InterDomain Routing  </i>(CIDR)  notation</a> with consists of the subnet
- "24" refers to the number of    consecutive leading "1" bits from the left
+address followed    by "/24". The  "24" refers to the number of    consecutive
- of the subnet mask. </p>
+leading "1" bits from the left  of the subnet mask. </p>
         </div>
 <div align="left">            
@ -372,8 +384,9 @@ systems send packets    through a<i>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
             Your local computers (computer    1 and computer 2 in the above
-diagram)   should be configured with their<i>    default gateway</i> to be
+  diagram)   should be configured with their<i>    default gateway</i> to
-the IP address   of the firewall's internal    interface.<i>      </i> </p>
+be  the IP address   of the firewall's internal    interface.<i>      </i>
 </p>
         </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -394,18 +407,18 @@ the IP address   of the firewall's internal    interface.<i>
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
-  to as <i>non-routable</i> because the Internet backbone routers don't forward 
+    to as <i>non-routable</i> because the Internet backbone routers don't 
-  packets  which have an RFC-1918 destination address. When one of your local 
+forward    packets  which have an RFC-1918 destination address. When one of
-  systems  (let's assume computer 1) sends a connection request to an internet 
+your local    systems  (let's assume computer 1) sends a connection request 
-  host, the  firewall must perform <i>Network Address Translation </i>(NAT). 
+to an internet    host, the  firewall must perform <i>Network Address Translation 
-  The firewall  rewrites the source address in the packet to be the address 
+ </i>(NAT).    The firewall  rewrites the source address in the packet to 
-  of the firewall's  external interface; in other words, the firewall makes 
+be the address    of the firewall's  external interface; in other words, the
-  it look as if the firewall  itself is initiating the connection.  This is
+firewall makes    it look as if the firewall  itself is initiating the connection. 
-  necessary so that the  destination host will be able to route return packets
+This is   necessary so that the  destination host will be able to route return
-  back to the firewall  (remember that packets whose destination address
+packets   back to the firewall  (remember that packets whose destination
-is   reserved by RFC 1918 can't  be routed across the internet so the remote
+address is   reserved by RFC 1918 can't  be routed across the internet so
-host  can't address its response to  computer 1). When the firewall receives
+the remote host  can't address its response to  computer 1). When the firewall
-a return packet, it  rewrites the destination address  back to 10.10.10.1 
+receives a return packet, it  rewrites the destination address  back to 10.10.10.1
 and  forwards the packet on to computer 1. </p>
 <p align="left">On Linux systems, the above process is often referred to as<i>
@ -440,19 +453,32 @@ the  second column to the name of your internal interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-         If your external IP is  static, you can enter it in the third column 
+             If your external IP is  static, you can enter it in the third
-  in the /etc/shorewall/masq entry if  you like although your firewall will 
+ column    in the /etc/shorewall/masq entry if  you like although your firewall
-  work fine if you leave that column empty.  Entering your static IP in column 
+ will    work fine if you leave that column empty.  Entering your static
-  3 makes processing outgoing packets a little  more efficient. </p>
+IP  in column    3 makes processing outgoing packets a little  more efficient.<br>
 <br>
 <img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
     If you are using the Debian package, please check your shorewall.conf 
 file to ensure that the following are set correctly; if they are not, change 
 them appropriately:<br>
 </p>
 <ul>
   <li>NAT_ENABLED=Yes</li>
   <li>IP_FORWARDING=On<br>
   </li>
 </ul>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals may be to run one or more servers on your 
-   local computers. Because these computers have RFC-1918 addresses, it is 
+     local computers. Because these computers have RFC-1918 addresses, it 
- not  possible for clients on the internet to connect directly to them. It 
+is   not  possible for clients on the internet to connect directly to them. 
- is rather  necessary for those clients to address their connection requests 
+It   is rather  necessary for those clients to address their connection requests 
- to the firewall  who rewrites the destination address to the address of your
+   to the firewall  who rewrites the destination address to the address of 
-  server and forwards  the packet to that server. When your server responds, 
+ your   server and forwards  the packet to that server. When your server responds,
    the firewall automatically  performs SNAT to rewrite the source address
  in  the response.</p>
@ -524,14 +550,14 @@ in  the response.</p>
 <p>A couple of important points  to keep in mind:</p>
 <ul>
-        <li>You must test the above rule from a client outside of your local
+            <li>You must test the above rule from a client outside of your
-  network    (i.e., don't test from a browser running on computers 1 or 2
+ local    network    (i.e., don't test from a browser running on computers
-or  on the    firewall). If you want to be able to access your web server
+ 1 or 2  or  on the    firewall). If you want to be able to access your web
-using  the IP    address of your external interface, see <a
+ server  using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-        <li>Many ISPs block incoming connection requests to port 80. If you 
+            <li>Many ISPs block incoming connection requests to port 80.
- have     problems connecting to your web server, try the following rule and
+If  you   have     problems connecting to your web server, try the following 
- try     connecting to port 5000.</li>
+rule and  try     connecting to port 5000.</li>
 </ul>
@ -563,16 +589,16 @@ using  the IP    address of your external interface, see <a
          </blockquote>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
-         At this point, modify  /etc/shorewall/rules to add any DNAT rules
+             At this point, modify  /etc/shorewall/rules to add any DNAT
- that  you require.</p>
+rules    that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
    an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
- will be  automatically configured (e.g., the /etc/resolv.conf file will be
+   will be  automatically configured (e.g., the /etc/resolv.conf file will 
- written).  Alternatively, your ISP may have given you the IP address of
+ be  written).  Alternatively, your ISP may have given you the IP address 
-a  pair of DNS <i> name servers</i> for you to manually configure as your 
+of a  pair of DNS <i> name servers</i> for you to manually configure as your 
  primary  and secondary  name servers. Regardless of how DNS gets configured 
  on your  firewall, it is <u>your</u> responsibility to configure the resolver 
  in your   internal systems. You can take one of two approaches:</p>
@ -580,25 +606,25 @@ in your   internal systems. You can take one of two approaches:</p>
 <ul>
            <li>                                                
    <p align="left">You can configure your internal systems to use your ISP's 
-  name    servers. If you ISP gave you the addresses of their servers or if
+    name    servers. If you ISP gave you the addresses of their servers or 
-  those    addresses are available on their web site, you can configure your
+ if   those    addresses are available on their web site, you can configure 
-  internal    systems to use those addresses. If that information isn't available,
+ your   internal    systems to use those addresses. If that information isn't 
-  look in    /etc/resolv.conf on your firewall system -- the name servers
+ available,   look in    /etc/resolv.conf on your firewall system -- the name
-are  given in    "nameserver" records in that file.   </p>
+ servers are  given in    "nameserver" records in that file.   </p>
           </li>
           <li>                                                
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
             You can configure a<i> Caching Name Server </i>on your    firewall.<i> 
-      </i>Red Hat has an RPM for a caching name server (the RPM also    requires 
+        </i>Red Hat has an RPM for a caching name server (the RPM also   
-  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take
+requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
-  this approach, you configure your internal systems to use the firewall 
+you    take   this approach, you configure your internal systems to use the
-  itself as their primary (and only) name server. You use the internal IP 
+firewall    itself as their primary (and only) name server. You use the internal
-   address of the firewall (10.10.10.254 in the example above) for the name 
+IP     address of the firewall (10.10.10.254 in the example above) for the
-     server address. To allow your local systems to talk to your caching name
+name       server address. To allow your local systems to talk to your caching
-     server, you must open port 53 (both UDP and TCP) from the local network
+name      server, you must open port 53 (both UDP and TCP) from the local
-  to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
+network   to the    firewall; you do that by adding the following rules in
-      </p>
+/etc/shorewall/rules.       </p>
           </li>
 </ul>
@ -808,7 +834,8 @@ are  given in    "nameserver" records in that file.   </p>
 <div align="left">            
 <p align="left">Those two rules would of course be in addition to the rules 
-     listed above under "You can configure a Caching Name Server on your firewall"</p>
+       listed above under "You can configure a Caching Name Server on your 
 firewall"</p>
         </div>
 <div align="left">            
@ -854,8 +881,8 @@ uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-         Now edit your    /etc/shorewall/rules file to add or delete other
+             Now edit your    /etc/shorewall/rules file to add or delete
- connections  as required.</p>
+other    connections  as required.</p>
         </div>
 <div align="left">            
@ -869,7 +896,8 @@ uses, look <a href="ports.htm">here</a>.</p>
    your system to start Shorewall at system boot  but beginning with Shorewall
   version 1.3.9 startup is disabled so that your system won't try to start
  Shorewall before configuration is complete. Once you have completed configuration
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+  of your firewall, you can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
         </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -891,10 +919,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-         The two-interface sample assumes that you want to enable    routing
+             The two-interface sample assumes that you want to enable   
-  to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If 
+routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
-  your local network isn't connected to <b>eth1</b> or if you wish to enable
+If    your local network isn't connected to <b>eth1</b> or if you wish to
-    access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
+enable       access to/from other hosts, change /etc/shorewall/routestopped
 accordingly.</p>
         </div>
 <div align="left">            
@ -904,11 +933,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
    an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-  and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
+    and    test it using the <a
- try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
         </div>
-<p align="left"><font size="2">Last updated 11/21/2002 - <a
+<p align="left"><font size="2">Last updated 12/20/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -919,5 +948,9 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.11a
+VERSION=1.3.12
 usage() # $1 = exit status
 {
@ -119,6 +119,14 @@ restore_file /etc/shorewall/whitelist
 restore_file /etc/shorewall/rfc1918
 restore_file /etc/shorewall/init
 restore_file /etc/shorewall/start
 restore_file /etc/shorewall/stop
 restore_file /etc/shorewall/stopped
 if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
    restore_file /usr/lib/shorewall/version
    oldversion="`cat /usr/lib/shorewall/version`"
--- a/STABLE/firewall
+++ b/STABLE/firewall
--- a/STABLE/functions
+++ b/STABLE/functions
@ -25,9 +25,22 @@ find_file()
 #
 # Replace commas with spaces and echo the result
 #
-separate_list()
+separate_list() { 
-{
+    local list
-    echo $1 | sed 's/,/ /g'
+    local part
    local newlist
    list="$@"
    part="${list%%,*}"
    newlist="$part"
    while [ "x$part" != "x$list" ]; do
 	list="${list#*,}";
 	part="${list%%,*}";
 	newlist="$newlist $part";
    done
    echo "$newlist"
 }
 #
--- a/STABLE/init
+++ b/STABLE/init
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
 #
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.11a
+VERSION=1.3.12
 usage() # $1 = exit status
 {
@ -488,6 +488,46 @@ else
    echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
 fi
 #
 # Install the init file
 #
 if [ -f ${PREFIX}/etc/shorewall/init ]; then
    backup_file /etc/shorewall/init
 else
    run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
    echo
    echo "Init file installed as ${PREFIX}/etc/shorewall/init"
 fi
 #
 # Install the start file
 #
 if [ -f ${PREFIX}/etc/shorewall/start ]; then
    backup_file /etc/shorewall/start
 else
    run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
    echo
    echo "Start file installed as ${PREFIX}/etc/shorewall/start"
 fi
 #
 # Install the stop file
 #
 if [ -f ${PREFIX}/etc/shorewall/stop ]; then
    backup_file /etc/shorewall/stop
 else
    run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
    echo
    echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
 fi
 #
 # Install the stopped file
 #
 if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
    backup_file /etc/shorewall/stopped
 else
    run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
    echo
    echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
 fi
 #
 # Backup the version file
 #
 if [ -z "$PREFIX" ]; then
--- a/STABLE/policy
+++ b/STABLE/policy
@ -29,6 +29,12 @@
 #			log message is generated. See syslog.conf(5) for a
 #			description of log levels.
 #
 #			Beginning with Shorewall version 1.3.12, you may
 #			also specify ULOG (must be in upper case). This will
 #			log to the ULOG target and sent to a separate log
 #			through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			If you don't want to log but need to specify the
 #			following column, place "_" here.
 #
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -2,22 +2,39 @@ This is a minor release of Shorewall that has a couple of new features.
 New features include:
-1) A 'tcpflags' option has been added to entries in
+1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
-   /etc/shorewall/interfaces. This option causes Shorewall to make a
+   and tcstart).
   set of sanity check on TCP packet header flags.
-2) It is now allowed to use 'all' in the SOURCE or DEST column in a
+2) "shorewall debug [re]start" now turns off debugging after an error
-   rule. When used, 'all' must appear by itself (in may not be
+   occurs. This places the point of the failure near the end of the
-   qualified) and it does not enable intra-zone traffic (e.g., the rule
+   trace rather than up in the middle of it.
   "ACCEPT loc	  all	  tcp 80" does not enable http traffic from
   'loc' to 'loc').
-3) Shorewall's use of the 'echo' command is now compatible with bash
+3) "shorewall [re]start" has been speeded up by more than 40% with
-   clones such as ash and dash.
+   my configuration. Your milage may vary. 
-4) fw->fw policies now generate a startup error. fw->fw rules generate
+4) A "shorewall show classifiers" command has been added which shows
-   a warning and are ignored.
+   the current packet classification filters. The output from this
   command is also added as a separate page in "shorewall monitor"
 5) ULOG (must be all caps) is now accepted as a valid syslog level and
   causes the subject packets to be logged using the ULOG target rather
   than the LOG target. This allows you to run ulogd (available from
   www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
   a separate log file.
 6) If you are running a kernel that has a FORWARD chain in the mangle
   table ("shorewall show mangle" will show you the chains in the
   mangle table), you can set MARK_IN_FORWARD=Yes in
   shorewall.conf. This allows for marking inbound packets based on
   their destination even when you are using Masquerading or SNAT.
 7) I have cluttered up the /etc/shorewall directory with empty 'init',
   'start', 'stop' and 'stopped' files. If you already have a file with
   one of these names, don't worry -- the upgrade process won't
   overwrite your file.
 8) I have added a new RFC1918_LOG_LEVEL variable to
   shorewall.conf. This variable specifies the syslog level at which
   packets are logged as a result of entries in the
   /etc/shorewall/rfc1918 file. Previously, these packets were always
   logged at the 'info' level.
--- a/STABLE/rules
+++ b/STABLE/rules
@ -31,6 +31,13 @@
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
 #			Beginning with Shorewall version 1.3.12, you may
 #			also specify ULOG (must be in upper case) as a log level.\
 #			This will log to the ULOG target and sent to a separate log
 #			through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #                       defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, or "all" If the ACTION is DNAT or
--- a/STABLE/shorewall
+++ b/STABLE/shorewall
@ -58,6 +58,7 @@
 #	   shorewall show nat			   Display the rules in the nat table
 #	   shorewall show {mangle|tos}		   Display the rules in the mangle table
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
 #	   shorewall version			   Display the installed version id
 #	   shorewall check			   Verify the more heavily-used
 #						   configuration files.
@ -258,7 +259,8 @@ packet_log() # $1 = number of messages
    [ -n "$realtail" ] && options="-n$1"
    grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
-	 sed s/" $host kernel: Shorewall:"/" "/ | \
+	 sed s/" kernel:"// | \
 	 sed s/" $host Shorewall:"/" "/ | \
 	 sed s/" $host kernel: ipt_unclean: "/" "/ | \
 	 sed 's/MAC=.*SRC=/SRC=/' | \
 	 tail $options
@ -294,6 +296,34 @@ show_tc() {
 }
 #
 # Show classifier information
 #
 show_classifiers() {
    show_one_classifier() {
 	local device=${1%@*}
 	qdisc=`tc qdisc list dev $device`
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
 	    tc -s filter ls dev $device
 	    echo
 	fi
    }
    ip link list | \
    while read inx interface details; do
 	case $inx in
 	[0-9]*)
 	    show_one_classifier ${interface%:}
 	    ;;
 	*)
 	    ;;
 	esac
    done
 }
 #
 # Monitor the Firewall
 #
@ -383,6 +413,15 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	echo
 	show_tc
 	timed_read
 	clear
 	echo "$banner `date`"
 	echo
 	echo
 	echo "Packet Classifiers"
 	echo
 	show_classifiers
 	timed_read
    done
 }
@ -450,7 +489,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host>] <zone>"
    echo "   delete <interface>[:<host>] <zone>"
-    echo "   show [<chain>|connections|log|nat|tc|tos]"
+    echo "   show [<chain>|classifiers|connections|log|nat|tc|tos]"
    echo "   start"
    echo "   stop"
    echo "   reset"
@ -629,6 +668,11 @@ case "$1" in
 	    echo
 	    show_tc
 	    ;;
 	classifiers)
 	    echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
 	    echo
 	    show_classifiers
 	    ;;
 	*)
 	    echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
 	    echo
@ -658,8 +702,12 @@ case "$1" in
 	echo
 	packet_log 20
 	echo
 	echo "NAT Table"
 	echo
 	iptables -t nat -L -n -v
 	echo
 	echo "Mangle Table"
 	echo
 	iptables -t mangle -L -n -v
 	echo
 	cat /proc/net/ip_conntrack
--- a/STABLE/shorewall.conf
+++ b/STABLE/shorewall.conf
@ -9,6 +9,35 @@
 #  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
 # General note about log levels. Log levels are a method of describing 
 # to syslog (8) the importance of a message and a number of parameters
 # in this file have log levels as their value.
 #
 # Valid levels are:
 #
 #	7	debug
 #	6	info
 #	5	notice
 #	4	warning
 #	3	err
 #	2	crit
 #	1	alert
 #	0	emerg
 #
 # For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
 # log messages are generated by NetFilter and are logged using facility 
 # 'kern' and the level that you specifify. If you are unsure of the level
 # to choose, 6 (info) is a safe bet. You may specify levels by name or by
 # number.
 #
 # If you have build your kernel with ULOG target support, you may also 
 # specify a log level of ULOG (must be all caps). Rather than log its
 # messages to syslogd, Shorewall will direct netfilter to log the messages
 # via the ULOG target which will send them to a process called 'ulogd'.
 # ulogd is available from http://www.gnumonks.org/projects/ulogd and can be 
 # configured to log all Shorewall message to their own log file
 ################################################################################
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.	
 #
@ -96,6 +125,8 @@ LOGBURST=
 # packets are logged under the 'logunclean' interface option. If the variable
 # is empty, these packets will still be logged at the 'info' level.
 #
 # See the comment at the top of this file for a description of log levels
 #
 LOGUNCLEAN=info
@ -191,6 +222,8 @@ BLACKLIST_DISPOSITION=DROP
 # (beward of DOS attacks resulting from such logging). If not set, no logging
 # of blacklist packets occurs.
 #
 # See the comment at the top of this file for a description of log levels
 #
 BLACKLIST_LOGLEVEL=
 #
@ -353,6 +386,8 @@ MUTEX_TIMEOUT=60
 # it will be rejected by the firewall. If you want these rejects logged, 
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this file for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
@ -401,6 +436,8 @@ MACLIST_DISPOSITION=REJECT
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 MACLIST_LOG_LEVEL=info
@ -421,7 +458,41 @@ TCP_FLAGS_DISPOSITION=DROP
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this file for a description of log levels
 # 
 RFC1918_LOG_LEVEL=info
 #
 # Mark Packets in the forward chain
 #
 # When processing the tcrules file, Shorewall normally marks packets in the
 # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
 # this to "Yes". If not specified or if set to the empty value (e.g., 
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for 
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #LAST LINE -- DO NOT REMOVE
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.11a
+%define version 1.3.12
 %define release 1
 %define prefix /usr
@ -94,6 +94,10 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/init
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/start
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/lib/shorewall/functions
 %attr(0544,root,root) /usr/lib/shorewall/firewall
@ -101,6 +105,15 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12
 * Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta3
 * Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta2
 * Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta1
 - Add init, start, stop and stopped files.
 * Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11a
 * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/start
+++ b/STABLE/start
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has 
 # been started or restarted.
 #
--- a/STABLE/stop
+++ b/STABLE/stop
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
 #
--- a/STABLE/stopped
+++ b/STABLE/stopped
@ -0,0 +1,6 @@
 ############################################################################
 # Shorewall 1.3 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
 #
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.11a
+VERSION=1.3.12
 usage() # $1 = exit status
 {
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -2,17 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -24,16 +29,18 @@
                            <tr>
                             <td width="100%">                          
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                             </td>
                           </tr>
  </tbody>                        
 </table>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b> 
-       port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
+            port</b> 7777 to my my personal PC with IP address 192.168.1.5. 
-  looked     everywhere and can't find <b>how to do it</b>.</a></p>
+  I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
             but it doesn't work.<br>
@ -43,22 +50,22 @@
       port forwarding</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
-      to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my 
+            to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
-local      network. <b>External clients can browse</b> http://www.mydomain.com 
+in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com
      but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
             subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
-to   hosts   in  Z. Hosts in Z cannot communicate with each other using their 
+      to   hosts   in  Z. Hosts in Z cannot communicate with each other using
-  external    (non-RFC1918 addresses) so they <b>can't access each other using
+    their    external    (non-RFC1918 addresses) so they <b>can't access
-  their DNS   names.</b></a></p>
+each     other using   their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
            Messenger </b>with  Shorewall. What do I do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
-      to  check my firewall and it shows <b>some ports as 'closed' rather 
+            to  check my firewall and it shows <b>some ports as 'closed'
-than     'blocked'.</b>  Why?</a></p>
+rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
             of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -77,7 +84,8 @@ than     'blocked'.</b>  Why?</a></p>
             work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
-      on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
+            on RedHat</b> I get messages about insmod failing -- what's 
 wrong?</a></p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
            my  interfaces </b>properly?</a></p>
@ -94,13 +102,13 @@ support?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
            and it has an internel  web server that allows me to configure/monitor
-   it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
+         it   but as expected if I enable <b> rfc1918 blocking</b> for my
-      it also blocks the <b>cable modems  web server</b></a>.</p>
+eth0     interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
-      IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable 
+            IP  addresses, my ISP's DHCP server has an RFC 1918 address.
-     RFC 1918  filtering on my external interface, <b>my DHCP client cannot 
+If   I  enable       RFC 1918  filtering on my external interface, <b>my
-  renew   its lease</b>.</a></p>
+DHCP  client  cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
            out to  the net</b></a></p>
@ -108,18 +116,25 @@ support?</a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
             all over my console</b> making it unusable!<br>
                    </a></p>
-                      <b>17</b>. <a href="#faq17">How do I find out <b>why
+                                 <b>17</b>. <a href="#faq17">How do I find
- this   is</b> getting  <b>logged?</b></a><br>
+ out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
                <br>
-     <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b> 
+                <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
-  with Shorewall, and maintain separate rulesets for different IPs?</a><br>
+   ip  addresses</b>    with Shorewall, and maintain separate rulesets for
 different   IPs?</a><br>
            <br>
            <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b> 
     but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
           <br>
-<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
+           <b>20. </b><a href="#faq20">I have just set  up  a  server.  <b>Do 
-<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
+I have to change Shorewall to allow access to my server   from  the internet?<br>
-</a> 
+ <br>
 </b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries 
 </b>occasionally;    what are they?<br>
         </a><br>
 <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
 want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
 <hr>                         
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
            my my personal PC with IP address 192.168.1.5. I've looked everywhere
@ -132,6 +147,7 @@ but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
      rule to a local system is as   follows:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -158,7 +174,9 @@ port</i>&gt;]</td>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -166,6 +184,7 @@ port</i>&gt;]</td>
            the rule is:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -191,18 +210,18 @@ port</i>&gt;]</td>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
-<div align="left">              
+<div align="left">                      <font face="Courier">     </font>If 
-<pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
+ you want to forward requests directed to a particular address ( <i>&lt;external 
-              </div>
+ IP&gt;</i> ) on your firewall to an internal system:</div>
 <p align="left">If you want to forward requests directed to a particular
 address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -227,7 +246,9 @@ port</i>&gt;]</td>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -237,11 +258,11 @@ port</i>&gt;]</td>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-                <li>You are trying to test from inside your firewall (no, 
+                           <li>You are trying to test from inside your firewall 
-that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
+   (no,   that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
-                <li>You have a more basic problem with your local system
+                           <li>You have a more basic problem with your local
-such   as  an   incorrect default gateway configured (it should be set to
+  system    such   as  an   incorrect default gateway configured (it should
-the IP   address    of your  firewall's internal interface).</li>
+  be set to   the IP   address    of your  firewall's internal interface).</li>
 </ul>
@ -250,30 +271,31 @@ the IP   address    of your  firewall's internal interface).</li>
               <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
-      <li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
+                 <li>As root, type "iptables -t nat -Z". This clears the
-  in the nat table.</li>
+NetFilter      counters   in the nat table.</li>
-      <li>Try to connect to the redirected port from an external host.</li>
+                 <li>Try to connect to the redirected port from an external 
 host.</li>
                 <li>As root type "shorewall show nat"</li>
-      <li>Locate the appropriate DNAT rule. It will be in a chain called
+                 <li>Locate the appropriate DNAT rule. It will be in a chain
-    <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the server
+  called        <i>zone</i>_dnat   where <i>zone</i> is the zone that includes
-('loc' in the above   examples).</li>
+  the    ('net' in the above   examples).</li>
-      <li>Is the packet count in the first column non-zero? If so, the connection
+                 <li>Is the packet count in the first column non-zero? If 
-  request is reaching the firewall and is being redirected to the server.
+so,   the   connection    request is reaching the firewall and is being redirected 
-In  this case, the problem is usually a missing or incorrect default gateway
+  to   the server.  In  this case, the problem is usually a missing or incorrect 
- setting on the server (the server's default gateway should be the IP address
+    default gateway   setting on the server (the server's default gateway 
- of the firewall's interface to the server).</li>
+should    be the IP address   of the firewall's interface to the server).</li>
                 <li>If the packet count is zero:</li>
  <ul>
-        <li>the connection request is not reaching your server (possibly
+                   <li>the connection request is not reaching your server 
-it  is being blocked by your ISP); or</li>
+(possibly      it  is being blocked by your ISP); or</li>
-        <li>you are trying to connect to a secondary IP address on your firewall
+                   <li>you are trying to connect to a secondary IP address
-  and your rule is only redirecting the primary IP address (You need to specify
+ on  your   firewall   and your rule is only redirecting the primary IP address 
-  the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
+  (You  need to specify   the secondary IP address in the "ORIG. DEST." column 
- or</li>
+  in  your DNAT rule);  or</li>
-        <li>your DNAT rule doesn't match the connection request in some other
+                   <li>your DNAT rule doesn't match the connection request
-  way. In that case, you may have to use a packet sniffer such as tcpdump
+ in  some   other   way. In that case, you may have to use a packet sniffer
-or  ethereal to further diagnose the problem.<br>
+ such  as tcpdump  or  ethereal to further diagnose the problem.<br>
                   </li>
  </ul>
@ -281,31 +303,34 @@ or  ethereal to further diagnose the problem.<br>
 </ul>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
-      (IP 130.151.100.69) to system 192.168.1.5 in my local network. External 
+            (IP 130.151.100.69) to system 192.168.1.5 in my local network.
-    clients  can browse http://www.mydomain.com but internal clients can't.</h4>
+ External         clients  can browse http://www.mydomain.com but internal
 clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-                <li>Having an internet-accessible server in your local network
+                           <li>Having an internet-accessible server in your 
-       is  like raising foxes in the corner of your hen house. If the server 
+ local    network         is  like raising foxes in the corner of your hen 
-   is      compromised, there's nothing between that server and your other 
+ house.  If  the server     is      compromised, there's nothing between that
- internal        systems. For the cost of another NIC and a cross-over cable, 
+ server  and  your other   internal        systems. For the cost of another
- you can   put      your server in a DMZ such that it is isolated from your 
+ NIC and  a cross-over  cable,   you can   put      your server in a DMZ
- local systems    -     assuming that the Server can be located near the Firewall,
+such  that it is isolated  from your   local systems    -     assuming that
-  of course    :-)</li>
+the  Server can be located  near the Firewall,   of course    :-)</li>
-                <li>The accessibility problem is best solved using    <a
+                           <li>The accessibility problem is best solved using 
- href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
+         <a href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a>
-a separate DNS server for local clients) such that www.mydomain.com resolves
+    (or using a separate DNS server for local clients) such that www.mydomain.com
-to 130.141.100.69     externally and 192.168.1.5 internally. That's what
+    resolves to 130.141.100.69     externally and 192.168.1.5 internally.
-I do here at     shorewall.net for my local systems that use static NAT.</li>
+That's    what I do here at     shorewall.net for my local systems that use
 static   NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem
-       rather than a DNS solution, then assuming that your external interface 
+             rather than a DNS solution, then assuming that your external
-    is  eth0  and your internal interface is eth1  and that eth1 has IP address 
+interface          is  eth0  and your internal interface is eth1  and that
-    192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
+eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, do
 the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
             for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -316,6 +341,7 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <div align="left">                         
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -339,19 +365,18 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
                         </div>
 <div align="left">              
 <pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
              </div>
 <div align="left">                         
 <p align="left">That rule only works of course if you have a static external
-      IP  address. If you  have a dynamic IP address and are running Shorewall 
+            IP  address. If you  have a dynamic IP address and are running
-     1.3.4 or later then include this in  /etc/shorewall/params:</p>
+ Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
                        </div>
 <div align="left">                         
@ -364,6 +389,7 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <div align="left">                         
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                             <tbody>
@ -387,34 +413,36 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
                         </div>
 <div align="left">                         
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
-       client to automatically restart Shorewall each time that you get a 
+             client to automatically restart Shorewall each time that you
-new    IP   address.</p>
+get    a  new    IP   address.</p>
                        </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
-      subnet and I use static NAT to assign non-RFC1918 addresses to hosts 
+            subnet and I use static NAT to assign non-RFC1918 addresses to
- in   Z.  Hosts in Z cannot communicate with each other using their external 
+ hosts      in   Z.  Hosts in Z cannot communicate with each other using
- (non-RFC1918     addresses) so they can't access each other using their DNS
+their  external      (non-RFC1918     addresses) so they can't access each
- names.</h4>
+other  using their    DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved
-      using Bind Version 9 "views". It allows both external and internal clients
+            using Bind Version 9 "views". It allows both external and internal
-      to access a NATed host using the host's DNS name.</p>
+     clients       to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from 
            static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 
-addresses      and can be accessed externally and internally using the same
+     addresses      and can be accessed externally and internally using the 
-address.  </p>
+  same   address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
+<p align="left">If you don't like those solutions and prefer routing all
-traffic through your firewall then:</p>
+Z-&gt;Z traffic through your firewall then:</p>
 <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces 
       (If you are running a Shorewall version earlier than 1.3.9).<br>
@ -430,6 +458,7 @@ traffic through your firewall then:</p>
 <p align="left">In /etc/shorewall/interfaces:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber2">
                             <tbody>
@ -447,13 +476,16 @@ traffic through your firewall then:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
 <p align="left">In /etc/shorewall/policy:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                             <tbody>
@ -472,7 +504,9 @@ traffic through your firewall then:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -483,6 +517,7 @@ traffic through your firewall then:</p>
 <p align="left">In /etc/shorewall/masq:</p>
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3" width="369">
                             <tbody>
@ -499,7 +534,9 @@ traffic through your firewall then:</p>
                             </tr>
    </tbody>                                                            
  </table>
                         </blockquote>
@ -508,37 +545,38 @@ traffic through your firewall then:</p>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
-      tracking/NAT module</a> that may help. Also check the Netfilter mailing 
+            tracking/NAT module</a> that may help. Also check the Netfilter
-    list  archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
+  mailing        list  archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
            </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
-      to    check my firewall and it shows some ports as 'closed' rather than
+            to    check my firewall and it shows some ports as 'closed' rather
-    'blocked'.     Why?</h4>
+     than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
-      always    rejects connection requests on TCP port 113 rather than dropping 
+            always    rejects connection requests on TCP port 113 rather
-      them. This is    necessary to prevent outgoing connection problems to
+than     dropping        them. This is    necessary to prevent outgoing connection
-  services    that use the    'Auth' mechanism for identifying requesting 
+    problems to   services    that use the    'Auth' mechanism for identifying
-users.  Shorewall    also rejects TCP    ports 135, 137 and 139 as well as 
+    requesting  users.  Shorewall    also rejects TCP    ports 135, 137 and
-UDP ports  137-139.   These are ports that are    used by Windows (Windows 
+  139  as well as  UDP ports  137-139.   These are ports that are    used
-<u>can</u>  be configured   to use the DCE cell locator    on port 135). Rejecting
+by  Windows  (Windows  <u>can</u>  be configured   to use the DCE cell locator
-these  connection requests   rather than dropping them    cuts down slightly
+     on port  135). Rejecting these  connection requests   rather than dropping
-on the amount of Windows  chatter on LAN segments connected    to the Firewall.
+  them    cuts down slightly on the amount of Windows  chatter on LAN segments
-</p>
+  connected      to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably
-      your    ISP preventing you from running a web server in violation of 
+            your    ISP preventing you from running a web server in violation
- your     Service    Agreement.</p>
+    of   your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
               firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
-      section about    UDP scans. If nmap gets <b>nothing</b> back from your 
+            section about    UDP scans. If nmap gets <b>nothing</b> back
-   firewall   then it reports    the port as open. If you want to see which 
+from     your     firewall   then it reports    the port as open. If you
-  UDP ports are  really open,    temporarily change your net-&gt;all policy 
+want to   see  which    UDP ports are  really open,    temporarily change
-  to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
+your net-&gt;all     policy    to REJECT, restart  Shorewall and do    the
 nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
            can't ping through the firewall</h4>
@ -548,31 +586,37 @@ on the amount of Windows  chatter on LAN segments connected    to the Firewall.
 <p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
                         b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
-              c) Add the following to /etc/shorewall/icmpdef: </p>
+                         c) Add the following to /etc/shorewall/icmpdef:
 </p>
 <blockquote>                                                            
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-      -j ACCEPT </p>
+            -j ACCEPT<br>
    </p>
  </blockquote>
  For a complete description of Shorewall 'ping' management, see <a
 href="ping.html">this page</a>.                                        
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
            and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
+syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
-(see "man openlog") and you get to choose the log level (again, see "man
+facility (see "man openlog") and you get to choose the log level (again,
-syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
+see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
- href="Documentation.htm#Rules">rules</a>. The destination for messaged 
+ and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
-     When you have changed /etc/syslog.conf, be sure to restart syslogd (on 
+           When you have changed /etc/syslog.conf, be sure to restart syslogd
-  a  RedHat system, "service syslog restart"). </p>
+    (on    a  RedHat system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages
            through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
            -- If you want to log all messages, set: </p>
 <div align="left">                         
-<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""</pre>
+<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
 href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
                         </div>
 <h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work 
@ -582,26 +626,29 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
            </p>
 <blockquote>                                                            
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                         <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
-              <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
+                         <a
 href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
              http://www.logwatch.org</a><br>
        </p>
      </blockquote>
-                           
+      I personnaly use Logwatch. It emails me a report each day from my various
   systems with each report summarizing the logged activity on the corresponding
   system.                                                               
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
            stop', I can't connect to anything. Why doesn't that command work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into
-      a safe state whereby only those interfaces/hosts having the 'routestopped' 
+            a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
-      option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. 
+are    activated.         If you want to totally open up your firewall, you
-      If you want to totally open up your firewall, you must use the 'shorewall 
+must    use the 'shorewall         clear' command. </p>
      clear' command. </p>
-<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
+<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
-       7.x, I get messages about insmod failing -- what's wrong?</h4>
+I get messages about insmod failing -- what's wrong?</h4>
 <p align="left"><b>Answer: </b>The output you will see looks something like
            this:</p>
@ -617,8 +664,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <div align="left">                         
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
-      for  problems concerning the version of iptables (v1.2.3) shipped with 
+            for  problems concerning the version of iptables (v1.2.3) shipped
-   RH7.2.</p>
+    with     RH7.2.</p>
                        </div>
 <h4 align="left">      </h4>
@ -638,9 +685,9 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
                        </div>
 <div align="left">                           
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The
-   zone is defined as all hosts that are connected through eth0 and the local
+Net    zone is defined as all hosts that are connected through eth0 and the
-   zone is defined as all hosts connected through eth1</p>
+local    zone is defined as all hosts connected through eth1</p>
                        </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -656,17 +703,18 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I
-myself doing      other things. I guess I just don't care enough if Shorewall
+find myself doing      other things. I guess I just don't care enough if
-has a GUI to      invest the effort to create one myself. There are several
+Shorewall has a GUI to      invest the effort to create one myself. There
-Shorewall GUI      projects underway however and I will publish links to
+are several Shorewall GUI      projects underway however and I will publish
-them when the authors      feel that they are ready. </p>
+links to them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
-      (<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
+            (<a href="http://www.cityofshoreline.com">the      city where
-      and "Fire<u>wall</u>".</p>
+I  live</a>)          and "Fire<u>wall</u>". The full name of the product
 is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
            and it has an  internal web server that allows me to configure/monitor
@ -674,11 +722,12 @@ them when the authors      feel that they are ready. </p>
        (the  internet one), it also blocks  the cable modems web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking
-      that will let all traffic to and from the 192.168.100.1 address  of 
+            that will let all traffic to and from the 192.168.100.1 address
-the    modem  in/out but still block all other rfc1918 addresses.</p>
+   of   the    modem  in/out but still block all other rfc1918 addresses?</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall
-than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
+earlier than      1.3.1, create /etc/shorewall/start and in it, place the
 following:</p>
 <div align="left">                           
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -691,6 +740,7 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 <div align="left">                           
 <blockquote>                                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                               <tbody>
@ -704,7 +754,9 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                               </tr>
    </tbody>                                                            
  </table>
                           </blockquote>
                         </div>
@ -714,13 +766,14 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                      </p>
 <p align="left">Note: If you add a second IP address to your external firewall
-     interface to correspond to the modem address, you must also make an entry
+           interface to correspond to the modem address, you must also make
-     in /etc/shorewall/rfc1918 for that address. For example, if you configure
+  an   entry      in /etc/shorewall/rfc1918 for that address. For example,
-     the address 192.168.100.2 on your firewall, then you would add two entries
+ if you   configure      the address 192.168.100.2 on your firewall, then
-     to /etc/shorewall/rfc1918:  <br>
+you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                      </p>
 <blockquote>                                                            
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
                          <tbody>
                            <tr>
@ -742,16 +795,18 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                              </td>
                            </tr>
    </tbody>                                                            
  </table>
                      </blockquote>
                        </div>
 <div align="left">                           
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
-   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
-1918    filtering on my external interface, my DHCP client cannot renew its
+RFC 1918    filtering on my external interface, my DHCP client cannot renew
-lease.</h4>
+its lease.</h4>
                         </div>
 <div align="left">                           
@ -763,26 +818,29 @@ lease.</h4>
            the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
-      the net", I wonder  where the poster bought computers with eyes and 
+            the net", I wonder  where the poster bought computers with eyes
-what     those computers will "see"  when things are working properly. That 
+  and    what     those computers will "see"  when things are working properly.
-aside,     the most common causes of this  problem are:</p>
+   That   aside,     the most common causes of this  problem are:</p>
 <ol>
                           <li>                                         
    <p align="left">The default gateway on each local system isn't set to
            the    IP address of the local firewall interface.</p>
                            </li>
                           <li>                                         
    <p align="left">The entry for the local network in the /etc/shorewall/masq
               file is wrong or missing.</p>
                            </li>
                           <li>                                         
    <p align="left">The DNS settings on the local systems are wrong or the
-         user is running a DNS server on the firewall and hasn't enabled UDP
+               user is running a DNS server on the firewall and hasn't enabled
-   and   TCP    port 53 from the firewall to the internet.</p>
+     UDP    and   TCP    port 53 from the firewall to the internet.</p>
                            </li>
 </ol>
@ -791,63 +849,73 @@ aside,     the most common causes of this  problem are:</p>
            all  over my console making it unusable!</h4>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
-      to your startup    scripts or place it in /etc/shorewall/start. Under 
+            to your startup    scripts or place it in /etc/shorewall/start.
-  RedHat,    the max log level    that is sent to the console is specified 
+  Under      RedHat,    the max log level    that is sent to the console
- in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
+is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
                    </p>
-<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
+<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
-         <b>Answer: </b>Logging occurs out of a number of chains (as indicated
+logged?</h4>
-   in  the log message) in Shorewall:<br>
+                    <b>Answer: </b>Logging occurs out of a number of chains 
 (as   indicated      in  the log message) in Shorewall:<br>
 <ol>
-           <li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918 
+                      <li><b>man1918 - </b>The destination address is listed
-    with a <b>logdrop </b>target -- see <a
+  in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-           <li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918 
+                      <li><b>rfc1918</b> - The source address is listed in
-    with a <b>logdrop </b>target -- see <a
+ /etc/shorewall/rfc1918          with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-          <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
+                     <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> 
-      </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that
+or      <b>all2all          </b>-  You have a<a
- specifies a  log level and this packet is being logged under that policy.
+ href="Documentation.htm#Policy"> policy</a> that     specifies a  log level
- If you intend  to ACCEPT this traffic then you need a  <a
+  and this packet is being logged under that policy.     If you intend  to
- href="Documentation.htm#Rules">rule</a> to that effect.<br>
+ ACCEPT this traffic then you need a  <a href="Documentation.htm#Rules">rule</a>
 to that effect.<br>
                     </li>
-           <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
+                      <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you 
- href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to 
+have   a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; 
-   <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being 
+    </b>to       <b>&lt;zone2&gt;</b> that specifies a log level and this 
-   logged under that policy or this packet matches  a <a
+packet is being         logged under that policy or this packet matches  a
- href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
+    <a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
-    <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
+               <li><b>&lt;interface&gt;_mac</b> - The packet is being logged
-     <b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
+  under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
               </li>
                      <li><b>logpkt</b> - The packet is being logged under
 the       <b>logunclean</b>            <a
 href="Documentation.htm#Interfaces">interface   option</a>.</li>
                      <li><b>badpkt </b>- The packet is being logged under
 the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified 
     in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
                      <li><b>blacklst</b> - The packet is being logged because
   the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
                      <li><b>newnotsyn </b>- The packet is being logged because 
   it  is  a  TCP   packet that is not part of any current connection yet 
 it   is not a syn  packet.   Options affecting the logging of such packets 
 include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN </b>in    
    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                     <li><b>INPUT</b> or <b>FORWARD</b> - The packet has
 a  source    IP  address    that isn't in any of your defined zones ("shorewall
 check"    and  look at the   printed zone definitions) or the chain is FORWARD
 and   the destination  IP  isn't in any of your defined zones.</li>
            <li><b>logflags </b>- The packet is being logged because it failed
   the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
            </li>
           <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b> 
        <a href="Documentation.htm#Interfaces">interface option</a>.</li>
           <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b> 
        <a href="Documentation.htm#Interfaces">interface option</a> as specified 
    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
           <li><b>blacklst</b> - The packet is being logged because the source
   IP  is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist 
        </a>file.</li>
           <li><b>newnotsyn </b>- The packet is being logged because it is
 a  TCP   packet that is not part of any current connection yet it is not
 a syn  packet.   Options affecting the logging of such packets include <b>NEWNOTSYN
      </b>and       <b>LOGNEWNOTSYN </b>in     <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
          <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP 
 address    that isn't in any of your defined zones ("shorewall check" and 
 look at the   printed zone definitions) or the chain is FORWARD and the destination
 IP  isn't in any of your defined zones.</li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
        with Shorewall, and maintain separate rulesets for different IPs?</h4>
-     <b>Answer: </b>Yes. You simply use the IP address in your rules (or
+                <b>Answer: </b>Yes. You simply use the IP address in your 
-if  you  use NAT, use the local IP address in your rules). <b>Note:</b> The 
+rules    (or   if  you  use NAT, use the local IP address in your rules). 
-":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
+<b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated and will 
-Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
+disappear eventually.      Neither   iproute  (ip and tc) nor iptables supports 
-does   Shorewall.  <br>
+that notation so  neither    does   Shorewall.  <br>
                <br>
                <b>Example 1:</b><br>
                <br>
@ -873,24 +941,79 @@ does   Shorewall.  <br>
      but they don't seem to do anything. Why?</h4>
            You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
      so the contents of the tcrules file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have 
     to change Shorewall to allow access to my server from the internet?</b><br>
           </h4>
-Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
+           Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart 
-that you used during your initial setup for information about how to set
+   guide</a>   that you used during your initial setup for information about 
-up rules for your server.<br>
+   how to set  up rules for your server.<br>
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; 
    what are they?<br>
         </h4>
 <blockquote>                           
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
         </blockquote>
         192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal 
  LAN<br>
         <br>
         <b>Answer: </b>While most people associate the Internet Control
 Message     Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet.
 ICMP   is  used to report problems back to the sender of a packet; this is
 what  is happening  here. Unfortunately, where NAT is involved (including
 SNAT,  DNAT and Masquerade),  there are a lot of broken implementations.
 That is  what you are seeing with  these messages.<br>
         <br>
        Here is my interpretation of what is happening -- to confirm this 
 analysis,    one would have to have packet sniffers placed a both ends of 
 the connection.<br>
        <br>
        Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
 query    to 192.0.2.3 and your DNS server tried to send a response (the
 response   information  is in the brackets -- note source port 53 which marks
 this as  a DNS reply).  When the response was returned to to 206.124.146.179,
 it rewrote  the destination  IP TO 172.16.1.10 and forwarded the packet to
 172.16.1.10  who no longer had  a connection on UDP port 2857. This causes
 a port unreachable  (type 3, code  3) to be generated back to 192.0.2.3.
 As this packet is sent  back through  206.124.146.179, that box correctly
 changes the source address  in the packet  to 206.124.146.179 but doesn't
 reset the DST IP in the original   DNS response  similarly. When the ICMP
 reaches your firewall (192.0.2.3),   your firewall  has no record of having
 sent a DNS reply to 172.16.1.10 so   this ICMP doesn't  appear to be related
 to anything that was sent. The final   result is that the packet gets logged
 and dropped in the all2all chain. I  have also seen cases where the source
 IP in the ICMP itself isn't set back  to the external IP of the remote NAT
 gateway; that causes your firewall to  log and drop the packet out of the
 rfc1918 chain because the source IP is  reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
 I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
         You can place these commands in one of the <a
 href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
 sure that you look at the contents of the chain(s) that you will be modifying 
 with your commands to be sure that the commands will do what they are intended. 
 Many iptables commands published in HOWTOs and other instructional material 
 use the -A command which adds the rules to the end of the chain. Most chains 
 that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT 
 rule and any rules that you add after that will be ignored. Check "man iptables" 
 and look at the -I (--insert) command.<br>
 <br>
 <div align="left">     </div>
-  <font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
+             <font size="2">Last updated 12/13/2002 - <a
 href="support.htm">Tom   Eastep</a></font>                             
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
             © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
     <br>
       </p>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -29,13 +29,17 @@
    Beginning with Shorewall version 1.3.10, all traffic from an interface
 or  from a subnet on an interface can be verified to originate from a defined
  set of MAC addresses. Furthermore, each MAC address may be optionally associated
- with one or more IP addresses. There are four components to this facility.<br>
+  with one or more IP addresses. <br>
 <br>
 <b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
 <br>
 There are four components to this facility.<br>
 <ol>
      <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
-option is specified, all traffic arriving on the interface is subjet to MAC
+this option is specified, all traffic arriving on the interface is subjet
-verification.</li>
+to MAC verification.</li>
      <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
  When this option is specified for a subnet, all traffic from that subnet
 is subject to MAC verification.</li>
@ -43,19 +47,20 @@ is subject to MAC verification.</li>
 MAC  addresses with interfaces and to optionally associate IP addresses with
 MAC  addresses.</li>
      <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
- in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The 
+  in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
- MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines 
+The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
- the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL 
+determines   the disposition of connection requests that fail MAC verification.
- variable gives the syslogd level at which connection requests that fail verification
+The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
- are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") 
+requests that fail verification  are to be logged. If set the the empty value
- then failing connection requests are not logged.<br>
+(e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
      </li>
 </ol>
    The columns in /etc/shorewall/maclist are:<br>
 <ul>
-     <li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
+      <li>INTERFACE - The name of an ethernet interface on the Shorewall
 system.</li>
      <li>MAC - The MAC address of a device on the ethernet segment connected
  by INTERFACE. It is not necessary to use the Shorewall MAC format in this
  column although you may use that format if you so choose.</li>
@ -80,8 +85,8 @@ MAC  addresses.</li>
 <h3>Example 2: Router in Local Zone</h3>
    Suppose now that I add a second ethernet segment to my local zone and 
 gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and 
-IP address  192.168.1.253. Hosts in the second segment have IP addresses
+IP address  192.168.1.253. Hosts in the second segment have IP addresses in
-in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist 
+the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
  file:<br>
 <pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
@ -90,7 +95,7 @@ and  from the second LAN segment (192.168.2.0/24). Remember that all traffic
 being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded
 by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
  and not that of the host sending the traffic.    
-<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 12/22/2002 - <a href="support.htm">Tom  Eastep</a> 
     </font></p>
@ -102,5 +107,6 @@ by the router so that traffic's MAC address will be that of the router (00:06:43
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -49,8 +49,8 @@
                   <li> <a href="shorewall_quickstart_guide.htm">QuickStart 
 Guides   (HOWTOs)</a><br>
                    </li>
-                                          <li> <a
+                                           <li> <b><a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                           <li> <a href="Documentation.htm">Reference Manual</a></li>
                           <li> <a href="FAQ.htm">FAQs</a></li>
                            <li><a href="useful_links.html">Useful Links</a><br>
@ -139,5 +139,6 @@
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -2,13 +2,17 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
@ -35,7 +39,8 @@
      <ul>
                            <li> <a href="seattlefirewall_index.htm">Home</a></li>
-                                 <li> <a href="shorewall_features.htm">Features</a></li>
+                                    <li> <a
 href="shorewall_features.htm">Features</a></li>
                            <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
                            <li> <a href="download.htm">Download</a><br>
                    </li>
@ -45,8 +50,8 @@
                    <li> <a href="shorewall_quickstart_guide.htm">QuickStart
  Guides   (HOWTOs)</a><br>
                     </li>
-                                         <li> <a
+                                            <li> <b><a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                            <li> <a href="Documentation.htm">Reference Manual</a></li>
                            <li> <a href="FAQ.htm">FAQs</a></li>
                             <li><a href="useful_links.html">Useful Links</a><br>
@ -60,6 +65,7 @@ Guides   (HOWTOs)</a><br>
          <ul>
                              <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -89,11 +95,12 @@ State, USA</a><br>
      <ul>
                            <li>   <a href="News.htm">News Archive</a></li>
-                         <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
+                            <li> <a href="Shorewall_CVS_Access.html">CVS
 Repository</a></li>
                            <li> <a href="quotes.htm">Quotes from Users</a></li>
                            <li> <a href="shoreline.htm">About the Author</a></li>
                            <li> <a
- href="seattlefirewall_index.htm#Donations">Donations</a></li>
+ href="sourceforge_index.htm#Donations">Donations</a></li>
@ -101,6 +108,7 @@ State, USA</a><br>
                          </td>
                        </tr>
  </tbody>                     
 </table>
@ -109,6 +117,7 @@ State, USA</a><br>
                  <b>Note: </b></strong>Search is unavailable Daily 0200-0330 
  GMT.<br>
                  <strong></strong>                                     
  <p><strong>Quick Search</strong><br>
                        <font face="Arial" size="-1">     <input
 type="text" name="words" size="15"></font><font size="-1"> </font>   <font
@ -125,12 +134,12 @@ State, USA</a><br>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
-<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
+<p><a href="http://www.shorewall.net" target="_top"> </a><br>
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
     </a><br>
  <br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/VPN.htm
+++ b/Shorewall-docs/VPN.htm
@ -1,40 +1,60 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>VPN</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">VPN</font></h1>
+      <h1 align="center"><font color="#ffffff">VPN</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<p>It is often the case that a system behind the firewall needs to be able to 
+ 
-access a remote network through Virtual Private Networking (VPN). The two most 
+<p>It is often the case that a system behind the firewall needs to be able
-common means for doing this are IPSEC and PPTP. The basic setup is shown in the 
+to  access a remote network through Virtual Private Networking (VPN). The
-following diagram:</p>
+two most  common means for doing this are IPSEC and PPTP. The basic setup
-<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
+is shown in the  following diagram:</p>
 <p align="center"><img border="0" src="images/VPN.png" width="568"
 height="796">
 </p>
 <p align="left">A system with an RFC 1918 address needs to access a remote
-network through a remote gateway. For this example, we will assume that the 
+ network through a remote gateway. For this example, we will assume that
-local system has IP address 192.168.1.12 and that the remote gateway has IP 
+the  local system has IP address 192.168.1.12 and that the remote gateway
-address 192.0.2.224.</p>
+has IP  address 192.0.2.224.</p>
-<p align="left">If PPTP is being used, there are no firewall requirements beyond 
+ 
-the default loc-&gt;net ACCEPT policy. There is one restriction however: Only one 
+<p align="left">If PPTP is being used, there are no firewall requirements
-local system at a time can be connected to a single remote gateway unless you 
+beyond  the default loc-&gt;net ACCEPT policy. There is one restriction however:
-patch your kernel from the 'Patch-o-matic' patches available at
+Only one  local system at a time can be connected to a single remote gateway
-<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
+unless you  patch your kernel from the 'Patch-o-matic' patches available
-<p align="left">If IPSEC is being used then there are firewall configuration 
+at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
-requirements as follows:</p>
+ 
 <p align="left">If IPSEC is being used then only one system may connect to
 the remote gateway and there are firewall configuration  requirements as
 follows:</p>
 <blockquote>   
-  <table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 bordercolor="#111111" id="AutoNumber2" height="98">
     <tbody>
      <tr>
       <td height="38"><u><b>ACTION</b></u></td>
       <td height="38"><u><b>SOURCE</b></u></td>
@ -51,9 +71,9 @@ requirements as follows:</p>
       <td height="19">net:192.0.2.224</td>
       <td height="19">loc:192.168.1.12</td>
       <td height="19">50</td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
     </tr>
     <tr>
       <td height="19">DNAT</td>
@ -61,21 +81,24 @@ requirements as follows:</p>
       <td height="19">loc:192.168.1.12</td>
       <td height="19">udp</td>
       <td height="19">500</td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
-      <td height="19">&nbsp;</td>
+       <td height="19"> </td>
     </tr>
    </tbody>
  </table>
 </blockquote>
 <p>If you want to be able to give access to all of your local systems to the 
 remote network, you should consider running a VPN client on your firewall. As 
 starting points, see
 <a href="http://www.shorewall.net/Documentation.htm#Tunnels">
 http://www.shorewall.net/Documentation.htm#Tunnels</a> or
 <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
 <p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
 Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
 <font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><p>&nbsp;</p>
 <p>If you want to be able to give access to all of your local systems to
 the  remote network, you should consider running a VPN client on your firewall.
 As  starting points, see <a
 href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
 or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
 <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
 <p> </p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -20,6 +20,7 @@
                <tbody>
                 <tr>
                  <td width="100%">                                     
      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
                  </td>
                </tr>
@ -38,46 +39,56 @@
 <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
 <ul>
-              <li>/etc/shorewall/shorewall.conf - used to set several firewall
+                      <li>/etc/shorewall/shorewall.conf - used to set several 
-           parameters.</li>
+  firewall             parameters.</li>
-              <li>/etc/shorewall/params - use this file to set shell variables 
+                      <li>/etc/shorewall/params - use this file to set shell
-  that you will     expand in other files.</li>
+  variables     that you will     expand in other files.</li>
-              <li>/etc/shorewall/zones - partition the firewall's view of 
+                      <li>/etc/shorewall/zones - partition the firewall's 
-the   world         into <i>zones.</i></li>
+view   of  the   world         into <i>zones.</i></li>
                      <li>/etc/shorewall/policy - establishes firewall high-level 
    policy.</li>
-              <li>/etc/shorewall/interfaces - describes the interfaces on 
+                      <li>/etc/shorewall/interfaces - describes the interfaces
-the          firewall system.</li>
+   on  the          firewall system.</li>
-              <li>/etc/shorewall/hosts - allows defining zones in terms of
+                      <li>/etc/shorewall/hosts - allows defining zones in 
- individual           hosts and subnetworks.</li>
+terms    of  individual           hosts and subnetworks.</li>
-              <li>/etc/shorewall/masq - directs the firewall where to use 
+                      <li>/etc/shorewall/masq - directs the firewall where
-many-to-one            (dynamic) Network Address Translation (a.k.a. Masquerading) 
+ to  use   many-to-one            (dynamic) Network Address Translation (a.k.a. 
-and  Source          Network Address Translation (SNAT).</li>
+  Masquerading)   and  Source          Network Address Translation (SNAT).</li>
-              <li>/etc/shorewall/modules - directs the firewall to load kernel 
+                      <li>/etc/shorewall/modules - directs the firewall to
-  modules.</li>
+ load   kernel    modules.</li>
                      <li>/etc/shorewall/rules - defines rules that are exceptions
     to  the         overall policies established in /etc/shorewall/policy.</li>
                      <li>/etc/shorewall/nat - defines static NAT rules.</li>
-              <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
+                      <li>/etc/shorewall/proxyarp - defines use of Proxy
-              <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) 
+ARP.</li>
-  defines  hosts    accessible when Shorewall is stopped.</li>
+                      <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
-              <li>/etc/shorewall/tcrules - defines marking of packets for 
+ later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
-later   use by     traffic control/shaping or policy routing.</li>
+                      <li>/etc/shorewall/tcrules - defines marking of packets 
-              <li>/etc/shorewall/tos - defines rules for setting the TOS
+  for   later   use by     traffic control/shaping or policy routing.</li>
-field   in packet         headers.</li>
+                      <li>/etc/shorewall/tos - defines rules for setting
-              <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels 
+the   TOS   field   in packet         headers.</li>
-  with end-points on         the firewall system.</li>
+                      <li>/etc/shorewall/tunnels - defines IPSEC, GRE and 
 IPIP   tunnels    with end-points on         the firewall system.</li>
                      <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
      addresses.</li>
   <li>/etc/shorewall/init - commands that you wish to execute at the beginning 
 of a "shorewall start" or "shorewall restart".</li>
   <li>/etc/shorewall/start - commands that you wish to execute at the completion 
 of a "shorewall start" or "shorewall restart"</li>
   <li>/etc/shorewall/stop - commands that you wish to execute at the beginning 
 of a "shorewall stop".</li>
   <li>/etc/shorewall/stopped - commands that you wish to execute at the
 completion of a "shorewall stop".<br>
   </li>
 </ul>
 <h2>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-         character a pound sign ("#"). You may also place comments at the
+             character a pound sign ("#"). You may also place comments at
-end  of any line, again by       delimiting the comment from the rest of
+the    end  of any line, again by       delimiting the comment from the rest
-the line  with a pound sign.</p>
+of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -100,38 +111,41 @@ the line  with a pound sign.</p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
       using DNS names in Shorewall configuration files. If you use DNS names
-and   you are called out of bed at 2:00AM because Shorewall won't start as
+    and   you are called out of bed at 2:00AM because Shorewall won't start
-a result  of DNS problems then don't say that you were not forewarned. <br>
+  as  a result  of DNS problems then don't say that you were not forewarned.
  <br>
              </b></p>
 <p align="left"><b>    -Tom<br>
              </b></p>
 <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall 
-  configuration files may be specified either as IP addresses or as DNS Names.<br>
+      configuration files may be specified as either IP addresses or DNS 
 Names.<br>
              <br>
-     DNS names in iptables rules  aren't nearly as useful as they first appear. 
+             DNS names in iptables rules  aren't nearly as useful as they 
-  When a DNS name appears in a rule,  the iptables utility resolves the name 
+first    appear.    When a DNS name appears in a rule,  the iptables utility 
-  to one or more IP addresses and inserts  those addresses into the rule. 
+resolves    the name    to one or more IP addresses and inserts  those addresses 
-So  change in the DNS-&gt;IP address relationship  that occur after the firewall 
+into    the rule.  So  changes in the DNS-&gt;IP address relationship  that 
-  has started have absolutely no effect on the  firewall's ruleset.    </p>
+occur   after the firewall    has started have absolutely no effect on the 
 firewall's   ruleset.    </p>
 <p align="left">     If your firewall rules include DNS names then:</p>
 <ul>
               <li>If your /etc/resolv.conf is wrong then your firewall won't 
      start.</li>
-       <li>If your /etc/nsswitch.conf is wrong then your firewall won't 
+               <li>If your /etc/nsswitch.conf is wrong then your firewall 
-   start.</li>
+won't        start.</li>
-       <li>If your Name Server(s) is(are) down then your firewall won't 
+               <li>If your Name Server(s) is(are) down then your firewall 
-   start.</li>
+won't        start.</li>
-       <li>If your startup scripts try to start your firewall before starting 
+               <li>If your startup scripts try to start your firewall before
-  your DNS server then your firewall won't start.<br>
+  starting     your DNS server then your firewall won't start.<br>
              </li>
-       <li>Factors totally outside your control (your ISP's router is   
+               <li>Factors totally outside your control (your ISP's router
- down   for example), can prevent your firewall from starting.</li>
+ is      down   for example), can prevent your firewall from starting.</li>
-      <li>You must bring up your network interfaces prior to starting your
+              <li>You must bring up your network interfaces prior to starting 
- firewall.<br>
+  your   firewall.<br>
              </li>
 </ul>
@ -146,7 +160,7 @@ So  change in the DNS-&gt;IP address relationship  that occur after the firewall
 <ul>
               <li>mail.shorewall.net</li>
-       <li>shorewall.net.</li>
+               <li>shorewall.net. (note the trailing period).</li>
 </ul>
              Examples of invalid DNS names:<br>
@ -159,14 +173,14 @@ So  change in the DNS-&gt;IP address relationship  that occur after the firewall
              DNS names may not be used as:<br>
 <ul>
-       <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
+               <li>The server address in a DNAT rule (/etc/shorewall/rules
 file)</li>
               <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
               <li>In the /etc/shorewall/nat file.</li>
 </ul>
-      These are iptables restrictions and are not simply imposed for your 
+              These restrictions are not imposed by Shorewall simply for
-inconvenience   by Shorewall. <br>
+your inconvenience but are rather limitations of iptables.<br>
      <br>
 <h2>Complementing an Address or Subnet</h2>
@ -187,7 +201,8 @@ no white space following the "!".</p>
                      <li>If you use line continuation to break a comma-separated 
    list,   the          continuation line(s) must begin in column 1 (or there
    would  be embedded          white space)</li>
-              <li>Entries in a comma-separated list may appear in any order.</li>
+                      <li>Entries in a comma-separated list may appear in 
 any   order.</li>
 </ul>
@ -218,6 +233,7 @@ would  be embedded          white space)</li>
 <p>Example:</p>
 <blockquote>                                                             
  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
                   </blockquote>
@ -225,7 +241,9 @@ would  be embedded          white space)</li>
                   Example (/etc/shorewall/interfaces record):</p>
                                        <font
 face="Century Gothic, Arial, Helvetica">                                
 <blockquote>                                                             
  <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
                   </blockquote>
                                                     </font>            
@ -233,7 +251,9 @@ would  be embedded          white space)</li>
 <p>The result will be the same as if the record had been written</p>
                                            <font
 face="Century Gothic, Arial, Helvetica">                                
 <blockquote>                                                             
  <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
                   </blockquote>
                                                         </font>        
@ -251,50 +271,150 @@ would  be embedded          white space)</li>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
  unique MAC address.<br>
                    <br>
-            In GNU/Linux, MAC addresses are usually written as a series of
+                    In GNU/Linux, MAC addresses are usually written as a
- 6  hex numbers        separated by colons. Example:<br>
+series    of  6  hex numbers        separated by colons. Example:<br>
                    <br>
                   [root@gateway root]# ifconfig eth0<br>
                   eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
-           inet addr:206.124.146.176 Bcast:206.124.146.255        Mask:255.255.255.0<br>
+                   inet addr:206.124.146.176 Bcast:206.124.146.255      
 Mask:255.255.255.0<br>
                   UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
-           RX packets:2398102 errors:0 dropped:0 overruns:0        frame:0<br>
+                   RX packets:2398102 errors:0 dropped:0 overruns:0     
-           TX packets:3044698 errors:0 dropped:0 overruns:0        carrier:0<br>
+  frame:0<br>
                   TX packets:3044698 errors:0 dropped:0 overruns:0     
  carrier:0<br>
                   collisions:30394 txqueuelen:100<br>
-           RX bytes:419871805 (400.4 Mb) TX bytes:1659782221        (1582.8 
+                   RX bytes:419871805 (400.4 Mb) TX bytes:1659782221    
- Mb)<br>
+   (1582.8     Mb)<br>
                   Interrupt:11 Base address:0x1800<br>
                    <br>
-            Because Shorewall uses colons as a separator for address fields,
+                    Because Shorewall uses colons as a separator for address
-  Shorewall requires        MAC addresses to be written in another way. In
+  fields,     Shorewall requires        MAC addresses to be written in another
- Shorewall, MAC addresses        begin with a tilde ("~") and consist of
+  way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
-6  hex numbers separated by        hyphens. In Shorewall, the MAC address
+consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
-in  the example above would be        written "~02-00-08-E3-FA-55".<br>
+MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
         </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
    in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
         </p>
 <h2><a name="Levels"></a>Logging</h2>
     By default, Shorewall directs NetFilter to log using syslog (8). Syslog
  classifies log messages by a <i>facility</i> and a <i>priority</i> (using 
 the notation <i>facility.priority</i>). <br>
   <br>
   The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
 kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through 
 <i>local7</i>.<br>
   <br>
   Throughout the Shorewall documentation, I will use the term <i>level</i> 
 rather than <i>priority</i> since <i>level</i> is the term used by NetFilter. 
 The syslog documentation uses the term <i>priority</i>.<br>
 <h3>Syslog Levels<br>
     </h3>
     Syslog levels are a method of describing to syslog (8) the importance
  of  a message and a number of Shorewall parameters have a syslog level
 as   their  value.<br>
       <br>
       Valid levels are:<br>
       <br>
              7       debug<br>
              6       info<br>
              5       notice<br>
              4       warning<br>
              3       err<br>
              2       crit<br>
              1       alert<br>
              0       emerg<br>
       <br>
       For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall 
   log messages are generated by NetFilter and are logged using the <i>kern</i>
  facility  and the level that you specify. If you are unsure of the level
  to choose,  6 (info) is a safe bet. You may specify levels by name or by
 number.<br>
     <br>
     Syslogd writes log messages to files (typically in /var/log/*) based 
 on  their facility and level. The mapping of these facility/level pairs to 
 log  files is done in /etc/syslog.conf (5). If you make changes to this file,
 you must restart syslogd before the changes can take effect.<br>
 <h3>Configuring a Separate Log for Shorewall Messages</h3>
     There are a couple of limitations to syslogd-based logging:<br>
 <ol>
       <li>If you give, for example, kern.info it's own log destination then 
  that destination will also receive all kernel messages of levels 5 (notice) 
  through 0 (emerg).</li>
       <li>All kernel.info messages will go to that destination and not just
  those from NetFilter.<br>
       </li>
 </ol>
     Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
  support (and most vendor-supplied kernels do), you may also specify a log 
 level of ULOG (must be all caps). When  ULOG is used, Shorewall will direct 
 netfilter to log the related messages  via the ULOG target which will send 
 them to a process called 'ulogd'. The  ulogd program is available from http://www.gnumonks.org/projects/ulogd 
 and  can be configured to log all Shorewall message to their own log file.<br>
 <br>
 Download the ulod tar file and:<br>
 <ol>
   <li>cd /usr/local/src (or wherever you do your builds)</li>
   <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
   <li>cd ulogd-<i>version</i><br>
   </li>
   <li>./configure</li>
   <li>make</li>
   <li>make install<br>
   </li>
 </ol>
 If you are like me and don't have a development environment on your firewall, 
 you can do the first five steps on another system then either NFS mount your 
 /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> 
 directory and move it to your firewall system.<br>
 <br>
 Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
 <ol>
   <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
   <li>syslogsync 1</li>
 </ol>
 I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to 
 /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" 
 to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig 
 --level 3 ulogd on" starts ulogd during boot up. Your init system may need 
 something else done to activate the script.<br>
 <br>
 Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that 
 you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
 look for the log when processing its "show log", "logwatch" and "monitor" 
 commands.<br>
 <h2><a name="Configs"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-  The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
+      The <a href="starting_and_stopping_shorewall.htm">shorewall start and 
-      commands allow you to specify an alternate configuration directory
+  restart</a>       commands allow you to specify an alternate configuration 
-and    Shorewall will use the files in the alternate directory rather than
+  directory and    Shorewall will use the files in the alternate directory 
-the  corresponding  files in /etc/shorewall. The alternate directory need
+ rather than the  corresponding  files in /etc/shorewall. The alternate directory 
-not contain a complete  configuration; those files not in the alternate directory 
+  need not contain a complete  configuration; those files not in the alternate 
-will be read from  /etc/shorewall.</p>
+  directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
       by:</p>
 <ol>
-              <li>  copying the files that need modification from /etc/shorewall 
+                      <li>  copying the files that need modification from 
-  to a separate      directory;</li>
+/etc/shorewall       to a separate      directory;</li>
-              <li>  modify those files in the separate directory; and</li>
+                      <li>  modify those files in the separate directory; 
-              <li>  specifying the separate directory in a shorewall start
+and</li>
- or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
+                      <li>  specifying the separate directory in a shorewall
  start    or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
     restart</b></i>  ).</li>
 </ol>
@ -302,19 +422,14 @@ will be read from  /etc/shorewall.</p>
-<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 12/20/2002 - <a href="support.htm">Tom  Eastep</a>
          </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+         © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-                                                                        
+  </p>
                                <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -30,30 +30,41 @@
 <p><b>I strongly urge you to read and print a copy of the       <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>    
-    for the configuration that most closely matches your own.</b></p>
+   for the configuration that most closely matches your own.<br>
    </b></p>
 <p>The entire set of Shorewall documentation is available in PDF format  at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
        <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
       <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
  </p>
 <p>The documentation in HTML format is included   in the .rpm and in the .tgz
 packages below.</p>
 <p>  Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
                <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
-         Linux PPC</b> or     <b> TurboLinux</b> distribution     with a
+             Linux PPC</b> or     <b> TurboLinux</b> distribution     with 
-2.4   kernel,   you can use the  RPM version (note: the             RPM should
+ a  2.4   kernel,   you can use the  RPM version (note: the             RPM 
- also work  with other distributions that             store init scripts
+ should   also work  with other distributions that             store init 
-in  /etc/init.d  and that             include chkconfig or insserv). If you
+scripts in  /etc/init.d  and that             include chkconfig or insserv). 
-find  that it works   in other cases, let <a
+If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
   I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
   if you have problems    installing the RPM.</li>
                <li>If you are running LRP, download the .lrp file (you might 
  also   want  to     download the .tgz so you will have a copy of the documentation).</li>
                <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
- and   would      like a .deb package, Shorewall is in both the    <a
+    and   would      like a .deb package, Shorewall is included in both the 
- href="http://packages.debian.org/testing/net/shorewall.html">Debian    
+   <a href="http://packages.debian.org/testing/net/shorewall.html">Debian 
    Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
 Unstable Branch</a>.</li>
-           <li>Otherwise, download the <i>shorewall</i>             module
+                <li>Otherwise, download the <i>shorewall</i>            
- (.tgz)</li>
+module    (.tgz)</li>
 </ul>
@ -66,10 +77,10 @@ Testing Branch</a> and the    <a
 <ul>
                <li>RPM - "rpm -qip LATEST.rpm"</li>
-           <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will
+                <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name
- contain    the version)</li>
+ will   contain    the version)</li>
-           <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf
+                <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar   
-&lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
+-zxf   &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
 </ul>
@ -84,8 +95,9 @@ Testing Branch</a> and the    <a
 configuration    of your firewall, you can enable startup by removing the 
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates 
+<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
-to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
+   to the    mirrors  occur 1-12 hours after an update to the Washington
 State site.</b></p>
 <blockquote>                                          
  <table border="2" cellspacing="3" cellpadding="3"
@ -221,13 +233,14 @@ to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
                  <tr>
                    <td>Paris, France</td>
                    <td>Shorewall.net</td>
-               <td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
+                    <td><a
-    .rpm</a><br>
+ href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
-                 <a href="http://france.shorewall.net/pub/LATEST.tgz">Download
+                      <a
-           .tgz</a> <br>
+ href="http://france.shorewall.net/pub/LATEST.tgz">Download              .tgz</a> <br>
-                 <a href="http://france.shorewall.net/pub/LATEST.lrp">Download
+                      <a
-           .lrp</a><br>
+ href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
-               <a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
+                    <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
  .md5sums</a></td>
                    <td>       <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download 
@ -274,28 +287,11 @@ to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
               </td>
              </tr>
    </tbody>                                       
  </table>
              </blockquote>
 <p align="left"><b>Documentation in PDF format:</b><br>
 </p>
 <blockquote>   
  <p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
 the Shorewall 1.3.10 documenation (the documentation in HTML format is included
 in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
 </blockquote>
 <blockquote>   
  <blockquote><a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
 http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
   </blockquote>
 </blockquote>
 <p><b>Browse Download Sites:</b></p>
 <blockquote>                                          
@ -334,7 +330,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
                  <tr>
                    <td>Hamburg, Germany</td>
                    <td>Shorewall.net</td>
-               <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
+                    <td><a
 href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
                    <td><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
                  </tr>
@ -357,11 +354,13 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
                   <tr>
                    <td>Washington State, USA</td>
                    <td>Shorewall.net</td>
-               <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
+                    <td><a
 href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
                    <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
 target="_blank">Browse</a></td>
                   </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -377,19 +376,12 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
        </p>
      </blockquote>
-<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
+<p align="left"><font size="2">Last Updated 12/12/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-          <br>
+ </p>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -32,6 +33,7 @@
 <ol>
                <li>                                                    
    <p align="left">          <b><u>I</u>f you use a Windows system to download
      a corrected     script, be sure to run the script through <u>     
      <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -39,21 +41,24 @@
      it to your Linux system.</b></p>
                             </li>
                <li>                                                    
    <p align="left">          <b>If you are installing Shorewall for the
 first time and plan to use the        .tgz and install.sh script, you can
 untar the archive, replace the        'firewall' script in the untarred directory
      with the one you downloaded        below, and then run install.sh.</b></p>
                             </li>
                <li>                                                    
    <p align="left">          <b>When the instructions say to install a corrected
      firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
-   or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
+     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
-   the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
+overwrite      the        existing file. DO  NOT REMOVE OR RENAME THE OLD
-          or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
+/etc/shorewall/firewall             or /var/lib/shorewall/firewall  before
-          and /var/lib/shorewall/firewall  are symbolic links that point
+you do that. /etc/shorewall/firewall             and /var/lib/shorewall/firewall
-       to the 'shorewall' file used by your  system initialization scripts
+ are symbolic links that point         to the 'shorewall' file used by your
-to         start Shorewall during boot. It is  that file that must be overwritten
+ system initialization scripts   to         start Shorewall during boot.
-          with the corrected script.</b></p>
+It is  that file that must be overwritten             with the corrected
 script.</b></p>
        </li>
        <li>                              
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
@ -66,19 +71,20 @@ example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
 <ul>
                <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-            <li>                            <b><a href="#V1.3">Problems in
+                <li>                            <b><a href="#V1.3">Problems 
- Version    1.3</a></b></li>
+ in  Version    1.3</a></b></li>
-            <li>                            <b><a href="errata_2.htm">Problems
+                <li>                            <b><a
-   in  Version 1.2</a></b></li>
+ href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
-            <li>                            <b><font color="#660066">  <a
+                <li>                            <b><font color="#660066"> 
- href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
+     <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
                <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
                <li>                            <b><a href="#Debug">Problems
  with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
-            <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
+                <li><b><a href="#SuSE">Problems installing/upgrading RPM
-            <li><b><a href="#Multiport">Problems with iptables version 1.2.7
+on  SuSE</a></b></li>
-  and       MULTIPORT=Yes</a></b></li>
+                <li><b><a href="#Multiport">Problems with iptables version
 1.2.7    and       MULTIPORT=Yes</a></b></li>
          <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
          </li>
@ -87,11 +93,44 @@ with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
 <hr>                                    
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.11a</h3>
 <ul>
  <li><a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
 copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
  </li>
 </ul>
 <h3>Version 1.3.11</h3>
 <ul>
     <li>When installing/upgrading using the .rpm, you may receive the following 
 warnings:<br>
       <br>
        user teastep does not exist - using root<br>
        group teastep does not exist - using root<br>
       <br>
   These warnings are harmless and may be ignored. Users downloading the
 .rpm  from shorewall.net or mirrors should no longer see these warnings as
 the .rpm you will get from there has been corrected.</li>
    <li>DNAT rules that exclude a source subzone (SOURCE column contains
 !  followed by a sub-zone list) result in an error message and Shorewall
 fails  to start.<br>
      <br>
  Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
 corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. 
 Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
     <br>
 This problem is corrected in version 1.3.11a.<br>
    </li>
 </ul>
 <h3>Version 1.3.10</h3>
 <ul>
-   <li>If you experience problems connecting to a PPTP server running on
+       <li>If you experience problems connecting to a PPTP server running 
-your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
+on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
      <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
  version of the firewall script</a> may help. Please report any cases where
@ -106,8 +145,8 @@ is the real script now and not just a symbolic link to the real script.<br>
 <h3>Version 1.3.9a</h3>
 <ul>
-    <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
+        <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No 
- the following message appears during "shorewall [re]start":</li>
+ then  the following message appears during "shorewall [re]start":</li>
 </ul>
@ -116,8 +155,8 @@ is the real script now and not just a symbolic link to the real script.<br>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
- corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
+   corrects this problem.Copy the script to /usr/lib/shorewall/firewall as 
- above.<br>
+ described  above.<br>
      </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
@ -126,10 +165,10 @@ is the real script now and not just a symbolic link to the real script.<br>
      </blockquote>
 <ul>
-    <li>The installer (install.sh) issues a misleading message "Common functions
+        <li>The installer (install.sh) issues a misleading message "Common
- installed in /var/lib/shorewall/functions" whereas the file is installed
+ functions   installed in /var/lib/shorewall/functions" whereas the file
-in /usr/lib/shorewall/functions. The installer also performs incorrectly
+is  installed  in /usr/lib/shorewall/functions. The installer also performs
-when updating old configurations that had the file /etc/shorewall/functions.
+incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
     <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
   is an updated version that corrects these problems.<br>
@ -148,8 +187,8 @@ when updating old configurations that had the file /etc/shorewall/functions.
 <ul>
             <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
  of  the  policy file doesn't work.</li>
-         <li>A DNAT rule with the same original and new IP addresses but
+             <li>A DNAT rule with the same original and new IP addresses
-with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
+but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
  tcp   25 - 10.1.1.1")<br>
             </li>
@ -190,15 +229,15 @@ tcp   25 - 10.1.1.1")<br>
                                     has two problems:</p>
 <ol>
-                                         <li>If the firewall is running a 
+                                             <li>If the firewall is running 
-DHCP   server,                                   the client won't be able 
+ a  DHCP   server,                                   the client won't be able
-to obtain   an IP  address                                  lease from that 
+  to obtain   an IP  address                                  lease from
-server.</li>
+that   server.</li>
                                             <li>With this order of checking, 
-the   "dhcp"                                   option cannot be used as a 
+  the   "dhcp"                                   option cannot be used as 
-noise-reduction                                     measure where there are 
+a  noise-reduction                                     measure where there 
-both dynamic and    static                                  clients on a LAN
+are  both dynamic and    static                                  clients on
-segment.</li>
+a LAN segment.</li>
 </ol>
@ -229,8 +268,8 @@ segment.</li>
                         <li>                                           
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-    an error occurs when the firewall            script attempts to add an
+      an error occurs when the firewall            script attempts to add
- SNAT   alias.  </p>
+an   SNAT   alias.  </p>
              </li>
              <li>                                                      
@ -277,8 +316,8 @@ segment.</li>
 <div align="left">                
 <p align="left">That capability was lost in version 1.3.4 so that it is only
-        possible to  include a single host specification on each line. This
+          possible to  include a single host specification on each line.
-      problem is corrected by    <a
+This         problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
          modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
          as instructed above.</p>
@ -324,11 +363,11 @@ message    in this case.</p>
 version            has a size of 38126 bytes.</p>
 <ul>
-                     <li>The code to detect a duplicate interface entry in
+                         <li>The code to detect a duplicate interface entry 
-            /etc/shorewall/interfaces contained a typo that prevented it
+ in             /etc/shorewall/interfaces contained a typo that prevented 
-from               working correctly. </li>
+it from               working correctly. </li>
-                     <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
+                         <li>"NAT_BEFORE_RULES=No" was broken; it behaved 
- like   "NAT_BEFORE_RULES=Yes".</li>
+just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -352,8 +391,8 @@ from               working correctly. </li>
 <ul>
                         <li>TCP SYN packets may be double counted when 
-      LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e., each 
+          LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e.,
-           packet is sent through the limit chain twice).</li>
+each              packet is sent through the limit chain twice).</li>
                         <li>An unnecessary jump to the policy chain is sometimes 
               generated for a CONTINUE policy.</li>
                         <li>When an option is given for more than one interface
@ -365,15 +404,15 @@ option.  For example:<br>
                         loc    eth1    dhcp<br>
                         <br>
                         Shorewall will ignore the 'dhcp' on eth1.</li>
-                     <li>Update 17 June 2002 - The bug described in the prior 
+                         <li>Update 17 June 2002 - The bug described in the 
-  bullet               affects the following options: dhcp, dropunclean, logunclean,
+ prior    bullet               affects the following options: dhcp, dropunclean, 
-                norfc1918, routefilter, multi, filterping and noping. An
+ logunclean,                 norfc1918, routefilter, multi, filterping and 
-additional                 bug has been found that affects only the 'routestopped'
+ noping. An additional                 bug has been found that affects only 
-option.<br>
+ the 'routestopped' option.<br>
                         <br>
-                     Users who downloaded the corrected script prior to 1850
+                         Users who downloaded the corrected script prior
-  GMT   today              should download and install the corrected script
+to  1850   GMT   today              should download and install the corrected 
-  again   to ensure              that this second problem is corrected.</li>
+ script   again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -385,10 +424,10 @@ option.<br>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
-                     <li>Folks who downloaded 1.3.0 from the links on the 
+                         <li>Folks who downloaded 1.3.0 from the links on 
-download    page              before 23:40 GMT, 29 May 2002 may have downloaded 
+the   download    page              before 23:40 GMT, 29 May 2002 may have 
-1.2.13    rather than              1.3.0. The "shorewall version" command 
+downloaded   1.2.13    rather than              1.3.0. The "shorewall version" 
-will tell    you which version              that you have installed.</li>
+command   will tell    you which version              that you have installed.</li>
                         <li>The documentation NAT.htm file uses non-existent 
             wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
@ -408,8 +447,8 @@ will tell    you which version              that you have installed.</li>
 <blockquote>                                                          
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
-            prevent it from working with Shorewall. Regrettably,  RedHat released
+              prevent it from working with Shorewall. Regrettably,  RedHat 
-   this buggy iptables in RedHat   7.2. </p>
+ released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
@ -417,8 +456,8 @@ will tell    you which version              that you have installed.</li>
  built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently
-    running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
+      running RedHat 7.1, you can install either of these RPMs          
-      </b>you upgrade to RedHat 7.2.</p>
+   <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
      has   released an iptables-1.2.4 RPM of their own which you can download
@ -451,6 +490,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
      may     experience the following:</p>
  <blockquote>                                                           
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                </blockquote>
@ -459,9 +499,9 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
      the     Netfilter 'mangle' table. You can correct the problem by installing 
         <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
-       this iptables RPM</a>. If you are already running a 1.2.5 version of
+         this iptables RPM</a>. If you are already running a 1.2.5 version 
-      iptables, you will need to specify the --oldpackage option to rpm (e.g.,
+ of       iptables, you will need to specify the --oldpackage option to rpm 
-       "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+ (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
              </blockquote>
@ -508,22 +548,17 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
        Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-    The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
+        The solution is to put "no" in the LOCAL column. Kernel support for 
-  has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
+ LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. The 
-  contains corrected support under a new kernel configuraiton option; see
+2.4.19 kernel   contains corrected support under a new kernel configuraiton 
-<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 11/24/2002 -                            
+<p><font size="2">  Last updated 12/3/2002 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+        © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-          <br>
+   </p>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
--- a/Shorewall-docs/images/MDKlinux.jpg
+++ b/Shorewall-docs/images/MDKlinux.jpg
--- a/Shorewall-docs/images/courier-imap.png
+++ b/Shorewall-docs/images/courier-imap.png
--- a/Shorewall-docs/images/logo2.png
+++ b/Shorewall-docs/images/logo2.png
--- a/Shorewall-docs/images/medbutton.png
+++ b/Shorewall-docs/images/medbutton.png
--- a/Shorewall-docs/images/obrasinf.gif
+++ b/Shorewall-docs/images/obrasinf.gif
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -33,10 +33,18 @@
                </a><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45">
-            </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
+                </a><font color="#ffffff">Shorewall Mailing Lists<a
 href="http://www.inter7.com/courierimap/"><img
 src="images/courier-imap.png" alt="Courier-Imap" width="100"
 height="38" align="right">
        </a></font></h1>
      <p align="right"><font color="#ffffff"><b><br>
-Powered by Postfix          </b></font>     </p>
+        </b></font></p>
      <p align="right"><font color="#ffffff"><b><br>
  Powered by Postfix         </b></font>     </p>
                </td>
             </tr>
@ -71,10 +79,27 @@ Powered by Postfix
        <li>to ensure that the sender address is fully qualified.</li>
        <li>to verify that the sender's domain has an A or MX record in DNS.</li>
        <li>to ensure that the host name in the HELO/EHLO command is a valid
-fully-qualified  DNS name.<br>
+  fully-qualified  DNS name.</li>
    </li>
 </ol>
 <h2>Please post in plain text</h2>
 While the list server here at shorewall.net accepts and distributes HTML
 posts, a growing number of MTAs serving list subscribers are rejecting this
 HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
 "for continuous abuse"!!<br>
 <br>
 I think that blocking all HTML is a rather draconian way to control spam
 and that the unltimate loser here is not the spammers but the list subscribers
 whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
 can help by restricting your list posts to plain text.<br>
 <br>
 And as a bonus, subscribers who use email clients like pine and mutt will
 be able to read your plain text posts whereas they are most likely simply
 ignoring your HTML posts.<br>
 <br>
 A final bonus for the use of HTML is that it cuts down the size of messages
 by a large percentage -- that is important when the same message must be
 sent 500 times over the slow DSL line connecting the list server to the internet.<br>
 <h2></h2>
@ -110,14 +135,19 @@ fully-qualified  DNS name.<br>
 type="submit" value="Search"> </p>
          </form>
 <h2 align="left"><font color="#ff0000">Please do not try to download the entire
 Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
 stand the traffic. If I catch you, you'll be blacklisted.<br>
   </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
        If you want to trust X.509 certificates issued by Shoreline Firewall
  (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a>
-  in your browser. If you don't wish to trust my certificates then you can
+    in your browser. If you don't wish to trust my certificates then you
- either use unencrypted access when subscribing to Shorewall mailing lists
+can    either use unencrypted access when subscribing to Shorewall mailing
- or you can use secure access (SSL) and accept the server's certificate when
+lists    or you can use secure access (SSL) and accept the server's certificate
- prompted by your browser.<br>
+when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
@ -187,10 +217,10 @@ list may be found at <a
             </li>
             <li>                                                   
    <p align="left">Down at the bottom of that page is the following text:
-   "To  change your subscription (set options like digest and delivery modes,
+     "To  change your subscription (set options like digest and delivery
-   get a  reminder of your password, <b>or unsubscribe</b> from &lt;name
+modes,      get a  reminder of your password, <b>or unsubscribe</b> from
-of   list&gt;), enter  your subscription email address:". Enter your email
+&lt;name  of   list&gt;), enter  your subscription email address:". Enter
-address   in the box and click  on the "Edit Options" button.</p>
+your email  address   in the box and click  on the "Edit Options" button.</p>
             </li>
             <li>                                                   
    <p align="left">There will now be a box where you can enter your password
@ -205,17 +235,12 @@ address   in the box and click  on the "Edit Options" button.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 11/22/2002 - <a
+<p align="left"><font size="2">Last updated 12/27/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-        <br>
+ </p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list_problems.htm
+++ b/Shorewall-docs/mailing_list_problems.htm
@ -33,11 +33,11 @@
 <blockquote>                                    
  <div align="left">                                      
-  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled  (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
              </div>
            </blockquote>
-<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
+<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -53,5 +53,8 @@
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -0,0 +1,90 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>ICMP Echo-request (Ping)</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
      <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <br>
 Shorewall 'Ping' management has evolved over time in a less than consistant
 way. This page describes how it now works.<br>
 <br>
 There are several aspects to Shorewall Ping management:<br>
 <ol>
  <li>The <b>noping</b> and <b>filterping </b>interface options in <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
  <li>The <b>FORWARDPING</b> option in<a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
  <li>Explicit rules in <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ol>
 There are two cases to consider:<br>
 <ol>
  <li>Ping requests addressed to the firewall itself; and</li>
  <li>Ping requests being forwarded to another system. Included here are
 all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
 routing.</li>
 </ol>
 These cases will be covered separately.<br>
 <h2>Ping Requests Addressed to the Firewall Itself</h2>
 For ping requests addressed to the firewall, the sequence is as follows:<br>
 <ol>
  <li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
 interface that receives the ping request then the request will be responded
 to with an ICMP echo-reply.</li>
  <li>If <b>noping</b> is specified for the interface that receives the ping
 request then the request is ignored.</li>
  <li>If <b>filterping </b>is specified for the interface then the request
 is passed to the rules/policy evaluation.</li>
 </ol>
 <h2>Ping Requests Forwarded by the Firewall</h2>
 These requests are <b>always</b> passed to rules/policy evaluation.<br>
 <h2>Rules Evaluation</h2>
 Ping requests are ICMP type 8. So the general rule format is:<br>
 <br>
 &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
 </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 <br>
 Example 1. Accept pings from the net to the dmz (pings are responded to with
 an ICMP echo-reply):<br>
 <br>
 &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 <br>
 Example 2. Drop pings from the net to the firewall<br>
 <br>
 &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 <h2>Policy Evaluation</h2>
 If no applicable rule is found, then the policy for the source to the destination
 is applied.<br>
 <ol>
  <li>If the relevant policy is ACCEPT then the request is responded to with
 an ICMP echo-reply.</li>
  <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
 then the request is responded to with an ICMP echo-reply.</li>
  <li>Otherwise, the relevant REJECT or DROP policy is used and the request
 is either rejected or simply ignored.</li>
 </ol>
 <p><font size="2">Updated 12/13/2002 - <a
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -11,6 +11,7 @@
  <base target="_self">
 </head>
  <body>
@ -20,10 +21,13 @@
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
      <tbody>
                                                                        <tr>
-                                                                <td
+                                                                        
- width="100%" height="90">                                               
+            <td width="100%" height="90">                               
@ -33,9 +37,10 @@
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                                                           </a></i></font><font
+                                                                        
- color="#ffffff">Shorewall      1.3   -        <font size="4">"<i>iptables
+       </a></i></font><font color="#ffffff">Shorewall      1.3   -      
-           made easy"</i></font></font></h1>
+       <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
@ -47,12 +52,16 @@
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
                                                                   </div>
                                                                   <br>
            </td>
        </tr>
  </tbody>                                                              
 </table>
@ -60,12 +69,16 @@
 <div align="center">                                                     
 <center>                                                                 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
        <tbody>
                                                                        <tr>
-                                                                  <td
+                                                                        
- width="90%">                                                           
+              <td width="90%">                                          
@ -79,9 +92,11 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+                                                                        
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+     
-       that can be used on a dedicated firewall system, a multi-function 
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -90,22 +105,29 @@
      <p>This program is free software; you can redistribute it and/or modify
                                  it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
-Public License</a> as published by the Free Software        Foundation.<br>
+General Public License</a> as published by the Free Software        Foundation.<br>
           <br>
-                                                                This program
+                                                                        
-  is  distributed       in  the   hope   that   it  will   be  useful,  
+      This   program     is  distributed       in  the   hope   that   it 
- but         WITHOUT  ANY    WARRANTY;   without   even the  implied   warranty 
+ will     be  useful,    but         WITHOUT  ANY    WARRANTY;   without 
-   of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR    PURPOSE. 
+ even the   implied    warranty      of MERCHANTABILITY             or FITNESS
-     See the  GNU General     Public License          for  more details.<br>
+  FOR   A PARTICULAR      PURPOSE.        See the  GNU General     Public
 License           for  more details.<br>
           <br>
-                                                                You should
+                                                                        
- have   received     a  copy   of  the   GNU   General     Public    License
+      You   should    have   received     a  copy   of  the   GNU   General 
-          along  with   this program;    if  not, write  to the    Free Software 
+     Public      License             along  with   this program;    if  not,
-      Foundation,            Inc., 675    Mass  Ave, Cambridge,  MA  02139, 
+   write  to  the    Free Software        Foundation,            Inc., 675
-    USA</p>
+    Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -121,22 +143,28 @@ Public License</a> as published by the Free Software        Foundation.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                                           </a>Jacques  
+                                                                        
-     Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway
+       </a>Jacques              Nilo   and   Eric   Wolzak    have   a  LEAF 
- on  a floppy,   CD  or compact  flash) distribution       called       
+(router/firewall/gateway         on  a floppy,   CD  or compact  flash) distribution 
-      <i>Bering</i>    that          features     Shorewall-1.3.10 and  Kernel-2.4.18.
+      called              <i>Bering</i>    that          features     Shorewall-1.3.10 
-     You    can  find    their   work at:          <a
+and    Kernel-2.4.18.       You    can  find    their   work at:         
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+      <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                      </a></p>
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+                                                      
-1.0 Final!!! </b><br>
+      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.0 Final!!! </b><br>
                 </p>
-      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
+                                                      
- href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
 (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -154,256 +182,187 @@ Public License</a> as published by the Free Software        Foundation.<br>
      <h2></h2>
-      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
+                                                                        
- src="images/new10.gif" width="28" height="12" alt="(New)">
+   
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                                              </b></p>
-      <p>In this version:</p>
+      <p>     Features include:<br>
      <ul>
        <li>A 'tcpflags' option has been added to entries in <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
 This option causes Shorewall to make a set of sanity check on TCP packet
 header flags.</li>
        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
 a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
 When used, 'all' must appear by itself (in may not be qualified) and it does 
 not enable intra-zone traffic. For example, the rule <br>
     <br>
     ACCEPT loc all tcp 80<br>
     <br>
 does not enable http traffic from 'loc' to 'loc'.</li>
        <li>Shorewall's use of the 'echo' command is now compatible with
 bash clones such as ash and dash.</li>
        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
 generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>   
                           </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
       <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
          </p>
-      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>        
+      <ol>
-                      </b></p>
+        <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules 
  and tcstart).</li>
        <li>"shorewall debug [re]start" now turns off debugging after an
 error   occurs. This places the point of the failure near the end of the
 trace rather   than up in the middle of it.</li>
        <li>"shorewall [re]start" has been speeded up by more than 40% with
 my  configuration. Your milage may vary.</li>
        <li>A "shorewall show classifiers" command has been added which shows
  the current packet classification filters. The output from this command
 is  also added as a separate page in "shorewall monitor"</li>
        <li>ULOG (must be all caps) is now accepted as a valid syslog level
 and  causes the subject packets to be logged using the ULOG target rather
 than  the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
        <li>If you are running a kernel that has a FORWARD chain in the mangle 
  table ("shorewall show mangle" will show you the chains in the mangle table), 
  you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
 input packets based on their destination even when you are using  Masquerading
 or SNAT.</li>
        <li>I have cluttered up the /etc/shorewall directory with empty 'init', 
  'start', 'stop' and 'stopped' files. If you already have a file with one 
 of these names, don't worry -- the upgrade process won't overwrite your file.</li>
        <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
 the syslog level at which packets are logged as a result of entries in the
 /etc/shorewall/rfc1918 file. Previously, these packets were always logged
 at the 'info' level.<br>
   </li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
       </p>
 This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL 
 was set to anything but ULOG, the firewall would fail to start and "shorewall 
 refresh" would also fail.<br>
-      <p>The main Shorewall web site is now back at SourceForge at <a
+      <p>     You may download the Beta from:<br>
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
                                  </p>
-     
+      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-      <p><b>11/09/2002 - Shorewall 1.3.10</b><b>                        
+        <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
-  </b></p>
+ target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
      <p>In this version:</p>
      <ul>
                    <li>You may now <a href="IPSEC.htm#Dynamic">define the
 contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
       delete" commands</a>. These commands are expected to be used primarily
    within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
    updown   scripts.</li>
                    <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments.
 You can specify the set  of allowed   MAC addresses   on   the segment and
 you can optionally tie each MAC address   to one or more   IP  addresses.</li>
                    <li>PPTP Servers and Clients running on the firewall
 system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
   file.</li>
                    <li>A new 'ipsecnat' tunnel type is supported for use 
 when   the             <a href="IPSEC.htm">remote IPSEC endpoint is behind 
 a NAT   gateway</a>.</li>
                    <li>The PATH used by Shorewall may now be specified in
           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                    <li>The main firewall script is now /usr/lib/shorewall/firewall.
       The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
       to do the real work. This change makes custom distributions such as
 for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
     that tends  to have distribution-dependent code.</li>
      </ul>
           If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
  to  version   1.3.10, you will need to use the '--force' option:<br>
      <blockquote>                                                       
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
      </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                            </b></p>
     The first public Beta version of Shorewall 1.3.12 is now available (Beta
 1 was made available to a limited audience). <br>
      <br>
      Features include:<br>
      <br>
-      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
+      <ol>
- href="http://www.gentoo.org"><br>
+             <li>"shorewall refresh" now reloads the traffic shaping rules
-                         </a></p>
+ (tcrules  and tcstart).</li>
-                   Alexandru Hartmann reports that his Shorewall package
+             <li>"shorewall debug [re]start" now turns off debugging after
-is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo
+ an  error occurs. This places the point of the failure near the end of the
-Linux  distribution</a>.       Thanks Alex!<br>
+ trace  rather than up in the middle of it.</li>
             <li>"shorewall [re]start" has been speeded up by more than 40% 
 with  my configuration. Your milage may vary.</li>
             <li>A "shorewall show classifiers" command has been added which
  shows the current packet classification filters. The output from this command
  is also added as a separate page in "shorewall monitor"</li>
             <li>ULOG (must be all caps) is now accepted as a valid syslog
 level  and causes the subject packets to be logged using the ULOG target
 rather than the LOG target. This allows you to run ulogd (available from
          <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
             <li>If you are running a kernel that has a FORWARD chain in
 the   mangle table ("shorewall show mangle" will show you the chains in the
 mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
 This allows  for  marking input packets based on their destination even when
 you are using  Masquerading or SNAT.</li>
             <li>I have cluttered up the /etc/shorewall directory with empty
  'init', 'start', 'stop' and 'stopped' files. If you already have a file
 with  one of these names, don't worry -- the upgrade process won't overwrite
 your  file.</li>
-                                                                        
+      </ol>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
                     In this version:<br>
      <ul>
                             <li>You may now <a href="IPSEC.htm#Dynamic">define 
   the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
          delete" commands</a>. These commands are expected to be used primarily 
       within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
       updown   scripts.</li>
                             <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments. 
    You can specify the set of  allowed   MAC addresses on   the segment and
   you can optionally tie each MAC address   to one or more IP  addresses.</li>
                             <li>PPTP Servers and Clients running on the
 firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
        file.</li>
                             <li>A new 'ipsecnat' tunnel type is supported
 for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
 is   behind   a NAT   gateway</a>.</li>
                             <li>The PATH used by Shorewall may now be specified
    in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                             <li>The main firewall script is now /usr/lib/shorewall/firewall. 
          The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
          to do the real work. This change makes custom distributions such 
 as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
        that tends  to have distribution-dependent code.</li>
      </ul>
      You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
        <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
      </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
        </a></b></p>
       Shorewall is at the center of MandrakeSoft's recently-announced <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
   Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
   release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
-      <ul>
+      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-                            <li><a
+     delivered. I have installed 9.0 on one of my systems and I am now in
- href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
+a  position   to support Shorewall users who run Mandrake 9.0.</p>
                            <li><a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                            </li>
-             
+      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>       
                         </b><br>
                 </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
-                                                                      
+      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b></p>
                            This release rolls up fixes to the installer
 and   to  the   firewall     script.<br>
                             <b><br>
                            10/6/2002 - Shorewall.net now running on RH8.0
       </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
                                                      </b><br>
                                  <br>
                              The firewall and server here at shorewall.net 
 are   now   running     RedHat    release   8.0.<br>
      <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>                         
      </b></p>
                                    Roles up the fix for broken tunnels.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>               
          </b></p>
                                        <img src="images/j0233056.gif"
 alt="Brown Paper Bag" width="50" height="86" align="left">
                                   There is an updated firewall script at 
      <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
                 -- copy that file to /usr/lib/shorewall/firewall.<br>
      <p><b><br>
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
      with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
   who   don't need rules of this type need not upgrade to 1.3.11.</p>
-      <p><b><br>
+      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                                    </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
        documenation. the PDF may be downloaded from</p>
-      <p><b><br>
+      <p>    <a
-                                  9/28/2002 - Shorewall 1.3.9 </b><b>   
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                            </b></p>
+                      <a
-                                                                        
+ href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
      <p>In this version:<br>
                  </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
                 </b></p>
      <p>In this version:</p>
      <ul>
-                                                <li><a
+                       <li>A 'tcpflags' option has been added to entries
- href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now 
+in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
-             allowed in Shorewall config files (although I recommend   against 
+ This option causes Shorewall to make a set of sanity check on TCP packet 
-       using       them).</li>
+header flags.</li>
-                                                <li>The connection SOURCE 
+                       <li>It is now allowed to use 'all' in the SOURCE or
-may   now   be  qualified      by  both   interface      and IP address in 
+ DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.  When
-a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+used,  'all'   must  appear  by itself (in may not be qualified) and it does
-                                                <li>Shorewall startup is
+ not  enable   intra-zone  traffic.  For example, the rule <br>
-now   disabled     after    initial     installation       until the file
+                    <br>
-/etc/shorewall/startup_disabled          is removed.     This avoids    nasty
+                    ACCEPT loc all tcp 80<br>
-  surprises at reboot for users     who    install Shorewall     but don't
+                    <br>
-configure     it.</li>
+                does not enable http traffic from 'loc' to 'loc'.</li>
-                                               <li>The 'functions' and 'version'
+                       <li>Shorewall's use of the 'echo' command is now compatible
-    files    and   the   'firewall'      symbolic   link have been  moved
+     with   bash clones such as ash and dash.</li>
-from    /var/lib/shorewall       to /usr/lib/shorewall      to appease  
+                       <li>fw-&gt;fw policies now generate a startup error. 
-the LFS   police at Debian.<br>
+ fw-&gt;fw      rules  generate a warning and are ignored</li>
                                               </li>
      </ul>
@ -411,13 +370,11 @@ the LFS   police at Debian.<br>
      <p><b></b><a href="News.htm">More News</a></p>
      <p><a href="News.htm">More News</a></p>
@ -426,27 +383,34 @@ the LFS   police at Debian.<br>
      <h2><a name="Donations"></a>Donations</h2>
                                                 </td>
-                                                                  <td
+                                                                        
- width="88" bgcolor="#4b017c" valign="top" align="center">             <a
+              <td width="88" bgcolor="#4b017c" valign="top"
- href="http://sourceforge.net">M</a></td>
+ align="center">              <a href="http://sourceforge.net">M</a></td>
          </tr>
  </tbody>                                                              
 </table>
    </center>
  </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
                                                                        <tbody>
                                                                        <tr>
-                                                           <td
+                                                                        
- width="100%" style="margin-top: 1px;">                                 
+       <td width="100%" style="margin-top: 1px;">                       
@ -455,32 +419,38 @@ the LFS   police at Debian.<br>
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                                                            </a></p>
+                                                                        
        </a></p>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+                                                                        
-if       you try it and find it useful, please consider making a donation 
+                                      
-                          to       <a href="http://www.starlight.org"><font
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
- color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
+but if       you try it and find it useful, please consider making a donation
                                  to       <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight        
 Children's Foundation.</font></a> Thanks!</font></p>
       </td>
                                                                        </tr>
  </tbody>                                                              
 </table>
-<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
+                    
 <p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font> 
                          <br>
 </p>
 <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -37,16 +37,17 @@
     </p>
 <ul>
-          <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington 
+              <li>Born 1945 in <a
-   State</a> .</li>
+ href="http://www.experiencewashington.com">Washington     State</a> .</li>
              <li>BA Mathematics from <a href="http://www.wsu.edu">Washington 
  State    University</a>  1967</li>
-          <li>MA Mathematics from <a href="http://www.washington.edu">University
+              <li>MA Mathematics from <a
-   of Washington</a> 1969</li>
+ href="http://www.washington.edu">University      of Washington</a> 1969</li>
-          <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
+              <li>Burroughs Corporation (now <a
-   ) 1969 - 1980</li>
+ href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
              <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
-    (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
+      (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
 present</li>
              <li>Married 1969 - no children.</li>
 </ul>
@ -56,8 +57,8 @@ State    University</a>  1967</li>
 <p>I became interested in Internet Security when I established a home office 
    in 1999 and had DSL service installed in our       home. I investigated 
-ipchains  and developed the scripts which are now collectively known as <a
+  ipchains  and developed the scripts which are now collectively known as 
- href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
+<a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
    on what I learned from Seattle Firewall, I then       designed and wrote 
   Shorewall. </p>
@ -67,24 +68,26 @@ ipchains  and developed the scripts which are now collectively known as <a
 <p>Our current home network consists of: </p>
 <ul>
-          <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE 
+              <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB 
-HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also has
+IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also 
-RedHat  8.0 installed.</li>
+has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
-          <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC 
+              <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
- -  My      personal Linux System which runs Samba configured as a WINS server. 
+ NIC   -  My      personal Linux System which runs Samba configured as a WINS
-  This      system also has <a href="http://www.vmware.com/">VMware</a> installed 
+ server.    This      system also has <a href="http://www.vmware.com/">VMware</a>
-  and      can run both <a href="http://www.debian.org">Debian Woody</a>
+ installed    and      can run both <a href="http://www.debian.org">Debian
-and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
+ Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual
-          <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
+ machines.</li>
- (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
+              <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
-      (Bind).</li>
+Email   (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS 
 server        (Bind).</li>
              <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
- (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.9a  and a DHCP
+   (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.11  and a DHCP
       server.  Also   runs PoPToP for     road warrior access.</li>
-          <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
+              <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My 
-      personal system.</li>
+wife's        personal system.</li>
-          <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 
+              <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
-  and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
+EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main
 work system.</li>
 </ul>
@ -101,17 +104,20 @@ and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
 src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
         </a><a href="http://www.pureftpd.org"><img border="0"
 src="images/pure.jpg" width="88" height="31">
-     </a><font size="4"><a href="http://www.apache.org"><img border="0"
+         </a><font size="4"><a href="http://www.apache.org"><img
- src="images/apache_pb1.gif" hspace="2" width="170" height="20">
+ border="0" src="images/apache_pb1.gif" hspace="2" width="170"
-     </a>  </font></p>
+ height="20">
  </a><a href="http://www.mandrakelinux.com"><img
 src="images/medbutton.png" alt="Powered by Mandrake" width="90"
 height="32">
 </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
 width="125" height="40" hspace="4">
           </font></p>
-<p><font size="2">Last updated 10/28/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 12/7/2002 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
-        <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+            <font face="Trebuchet MS"><a href="copyright.htm"><font
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font>       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
     <br>
    <br>
   <br>
         <br>
 <br>
 </body>
--- a/Shorewall-docs/shorewall_extension_scripts.htm
+++ b/Shorewall-docs/shorewall_extension_scripts.htm
@ -1,113 +1,133 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Extension Scripts</title>
 </head>
  <body>
-                                                                                  <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+           
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
            <tbody>
    <tr>
              <td width="100%">                                         
-                                                                                      <h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
+                                             
      <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
              </td>
            </tr>
  </tbody>
 </table>
-                                                                                  <p>
+                                                 
- Extension scripts are   user-provided
+<p>  Extension scripts are   user-provided  scripts that are invoked at various
- scripts that are invoked at various points during firewall   start, restart,
+points during firewall   start, restart,  stop and clear. The scripts are
- stop and clear. The scripts are placed in /etc/shorewall and   are processed
+placed in /etc/shorewall and   are processed  using the Bourne shell "source"
- using the Bourne shell "source" mechanism. The   following scripts can be
+mechanism. The   following scripts can be  supplied:</p>
- supplied:</p>
+  
 <ul>
    <li>init -- invoked early in "shorewall start" and       "shorewall restart"</li>
    <li>start -- invoked after the firewall has been started or restarted.</li>
    <li>stop -- invoked as a first step when the firewall is being stopped.</li>
    <li>stopped -- invoked after the firewall has been stopped.</li>
    <li>clear -- invoked after the firewall has been cleared.</li>
-   <li>refresh -- invoked while the firewall is being refreshed but before the 
+    <li>refresh -- invoked while the firewall is being refreshed but before
-   common and/or blacklst chains have been rebuilt.</li>
+the     common and/or blacklst chains have been rebuilt.</li>
-   <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain 
+    <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
-   has been created but before any rules have been added to it.</li>
+chain     has been created but before any rules have been added to it.</li>
 </ul>
-                                                                                  <p>
+                                    
-  You can also supply a script with the same name as any of the filter  
+<p><u><b>If your version of Shorewall doesn't have the file that you want
 to use from the above list, you can simply create the file yourself.</b></u></p>
 <p>   You can also supply a script with the same name as any of the filter
  chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules 
- file has been processed but before the   /etc/shorewall/policy file has
+ file has been processed but before the   /etc/shorewall/policy file has been
-been  processed.</p>
+ processed.</p>
-                                                                                  <p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it   
+                                    
-   defines will totally replace the default rules in the common chain. These 
+<p>The /etc/shorewall/common file receives special treatment. If this file
-       default rules are contained in the file /etc/shorewall/common.def which
+is present, the rules that it       defines will totally replace the default
-       may be used as a starting point for making your own customized file.</p>
+rules in the common chain. These         default rules are contained in the
 file /etc/shorewall/common.def which        may be used as a starting point
 for making your own customized file.</p>
-                                                                                  <p>
+                                    
-  Rather than running iptables directly, you should run it using the   function
+<p>   Rather than running iptables directly, you should run it using the
- run_iptables. Similarly, rather than running "ip" directly,   you should
+  function  run_iptables. Similarly, rather than running "ip" directly, 
-use run_ip. These functions accept the same arguments as the   underlying
+ you should use run_ip. These functions accept the same arguments as the
-command but cause the firewall to be stopped if an error occurs   during
+  underlying command but cause the firewall to be stopped if an error occurs
-processing of the command.</p>
+  during processing of the command.</p>
-                                                                                  <p>
+                                   
-  If you decide to create /etc/shorewall/common it is a good idea to use the 
+<p>   If you decide to create /etc/shorewall/common it is a good idea to
-  following technique</p>
+use the    following technique</p>
-                                                                                  <p>
+                                   
-  /etc/shorewall/common:</p>
+<p>   /etc/shorewall/common:</p>
 <blockquote>                                                            
-                                                                                    <pre>. /etc/shorewall/common.def
+                        
-&lt;add your rules here&gt;</pre>
+  <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
  </blockquote>
- <p>If you need to supercede a rule in the released common.def file, you can add 
+  
- the superceding rule before the '.' command. Using this technique allows 
+<p>If you need to supercede a rule in the released common.def file, you can
 add   the superceding rule before the '.' command. Using this technique allows
  you to add new rules while still getting the benefit of the latest common.def
  file.</p>
- <p>Remember that /etc/shorewall/common defines rules 
+<p>Remember that /etc/shorewall/common defines rules   that are only applied
- that are only applied if the applicable policy is DROP or REJECT. These rules 
+if the applicable policy is DROP or REJECT. These rules   are NOT applied
- are NOT applied if the policy is ACCEPT or CONTINUE.</p>
+if the policy is ACCEPT or CONTINUE.</p>
- <p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be 
+<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
- rejected by the firewall. It is recommended with this setting that you create 
+be   rejected by the firewall. It is recommended with this setting that you
- the file /etc/shorewall/icmpdef and in it place the following commands:</p>
+create   the file /etc/shorewall/icmpdef and in it place the following commands:</p>
                                                                                  <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
 </pre>
                                                                                  <p align="left"><font size="2">Last updated 
 8/22/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
+<pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
 <p align="left"><font size="2">Last updated 12/22/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
 M. Eastep</font></a></p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -12,6 +12,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall QuickStart Guide</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -31,8 +32,8 @@
  </tbody>            
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.</p>
+we must  all first walk before we can run.</p>
 <h2>The Guides</h2>
@ -45,8 +46,9 @@ must  all first walk before we can run.</p>
               <li><a href="standalone.htm">Standalone</a> Linux System</li>
               <li><a href="two-interface.htm">Two-interface</a> Linux System 
  acting    as a    firewall/router for a small local network</li>
-          <li><a href="three-interface.htm">Three-interface</a> Linux System
+               <li><a href="three-interface.htm">Three-interface</a> Linux
-  acting  as a    firewall/router for a small local network and a DMZ.</li>
+ System    acting  as a    firewall/router for a small local network and
 a  DMZ.</li>
 </ul>
@ -54,9 +56,9 @@ acting    as a    firewall/router for a small local network</li>
       quickly in the three most common Shorewall configurations.</p>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
-    the steps necessary to set up a firewall where <b>there are multiple public
+       the steps necessary to set up a firewall where <b>there are multiple
-   IP  addresses involved or if you want to learn more about Shorewall than
+  public    IP  addresses involved or if you want to learn more about Shorewall
-  is  explained in the single-address guides above.</b></p>
+  than   is  explained in the single-address guides above.</b></p>
 <ul>
               <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -66,60 +68,72 @@ Concepts</a></li>
  Interfaces</a></li>
               <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, 
    Subnets  and Routing</a>                                             
    <ul>
-            <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
+                 <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP 
-          <li><br>
+Addresses</a></li>
-          </li>
+                             <li><a
-            <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
+ href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
                 <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
-            <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
+                 <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
-   Protocol</a></li>
+Resolution      Protocol</a></li>
    </ul>
    <ul>
-            <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
+                 <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
 1918</a></li>
    </ul>
               </li>
-          <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
+               <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
-your   Network</a>                                    
+ up  your   Network</a>                                                 
    <ul>
                 <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
    </ul>
    <ul>
                 <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
        <ul>
                   <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
                   <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
-              <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
+                   <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 
- ARP</a></li>
+Proxy    ARP</a></li>
-              <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
+                   <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static 
 NAT</a></li>
        </ul>
                 </li>
                 <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-            <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
+                 <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
-and   Ends</a></li>
+Odds   and   Ends</a></li>
    </ul>
               </li>
               <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
-          <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 
+               <li><a
-Starting    and    Stopping the Firewall</a></li>
+ href="shorewall_setup_guide.htm#StartingAndStopping">7.0   Starting    and 
   Stopping the Firewall</a></li>
 </ul>
 <h2><a name="Documentation"></a>Documentation Index</h2>
 <p>The following documentation covers a variety of topics and <b>supplements
-   the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described 
+      the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
-   above</b>. Please review the appropriate guide before trying to use this
+described      above</b>. Please review the appropriate guide before trying
-  documentation directly.</p>
+to use this    documentation directly.</p>
 <ul>
               <li><a href="blacklisting_support.htm">Blacklisting</a>  
@ -128,10 +142,12 @@ Starting    and    Stopping the Firewall</a></li>
                 <li>Static Blacklisting using /etc/shorewall/blacklist</li>
                 <li>Dynamic Blacklisting using /sbin/shorewall</li>
    </ul>
               </li>
               <li><a href="configuration_file_basics.htm">Common configuration 
   file   features</a>                                                  
    <ul>
                 <li>Comments in configuration files</li>
                 <li>Line Continuation</li>
@ -143,85 +159,111 @@ Starting    and    Stopping the Firewall</a></li>
                 <li>Complementing an IP address or Subnet</li>
                 <li>Shorewall Configurations (making a test configuration)</li>
                 <li>Using MAC Addresses in Shorewall</li>
      <li>Logging<br>
      </li>
    </ul>
               </li>
-          <li><a href="Documentation.htm">Configuration File Reference Manual</a> 
+               <li><a href="Documentation.htm">Configuration File Reference 
 Manual</a>                                                             
    <ul>
                 <li>   <a href="Documentation.htm#Variables">params</a></li>
-            <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Zones">zones</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#Interfaces">interfaces</a></font></li>
-            <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
+                 <li><font color="#000099"><a
-            <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
+ href="Documentation.htm#Hosts">hosts</a></font></li>
-            <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Policy">policy</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#Rules">rules</a></font></li>
                 <li><a href="Documentation.htm#Common">common</a></li>
-            <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Masq">masq</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
-            <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#NAT">nat</a></font></li>
                 <li><font color="#000099"><a
 href="Documentation.htm#Tunnels">tunnels</a></font></li>
                 <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
-            <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
+                 <li><font color="#000099"><a
 href="Documentation.htm#Conf">shorewall.conf</a></font></li>
                 <li><a href="Documentation.htm#modules">modules</a></li>
                 <li><a href="Documentation.htm#TOS">tos</a> </li>
                 <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
                 <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
                 <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
    </ul>
               </li>
               <li><a href="dhcp.htm">DHCP</a></li>
               <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-(How to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code)</li>
               <li><a href="fallback.htm">Fallback/Uninstall</a></li>
               <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
               <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
-          <li><a href="myfiles.htm">My  Configuration Files</a> (How I personally 
+  <li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
-   use Shorewall)</li>
+  </li>
               <li><a href="myfiles.htm">My  Configuration Files</a> (How 
 I  personally     use Shorewall)</li>
               <li><a href="ping.html">'Ping' Management</a><br>
   </li>
   <li><a href="ports.htm">Port Information</a>                         
    <ul>
                 <li>Which applications use which ports</li>
                 <li>Ports used by Trojans</li>
    </ul>
               </li>
               <li><a href="ProxyARP.htm">Proxy ARP</a></li>
               <li><a href="samba.htm">Samba</a></li>
               <li><font color="#000099"><a
 href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
  <ul>
         <li>Description of all /sbin/shorewall commands</li>
         <li>How to safely test a Shorewall configuration change<br>
         </li>
  </ul>
               <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
               <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
               <li>VPN                                                  
    <ul>
                 <li><a href="IPSEC.htm">IPSEC</a></li>
                 <li><a href="IPIP.htm">GRE and IPIP</a></li>
                 <li><a href="PPTP.htm">PPTP</a></li>
-            <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
+                 <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
- firewall   to a      remote network.</li>
+ your   firewall   to a      remote network.</li>
    </ul>
               </li>
-          <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
+               <li><a href="whitelisting_under_shorewall.htm">White List
 Creation</a></li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/19/2002 - <a
+<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -54,24 +54,25 @@
 <h2><a name="Introduction"></a>1.0 Introduction</h2>
 <p>This guide is intended for users who are setting up Shorewall in an  environment
-where a set of public IP addresses must be managed or who want to  know more
+ where a set of public IP addresses must be managed or who want to  know
-about Shorewall than is contained in the  <a
+more  about Shorewall than is contained in the  <a
 href="shorewall_quickstart_guide.htm">single-address  guides</a>. Because
 the  range of possible applications is so broad, the Guide will give you
 general  guidelines and will point you to other resources as necessary.</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you run LEAF Bering, your Shorewall configuration is NOT what I release
+       If you run LEAF Bering, your Shorewall configuration is NOT what I 
-- I  suggest that you consider installing a stock Shorewall lrp from the
+release -- I  suggest that you consider installing a stock Shorewall lrp from
- shorewall.net site before you proceed.</p>
+the  shorewall.net site before you proceed.</p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
-(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+ (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on
-firewall  system. As root, you can use the 'which' command to check for this
+your  firewall  system. As root, you can use the 'which' command to check
-program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself
 with what's involved then go back through it again  making your configuration
 changes. Points at which configuration changes are  recommended are flagged
@ -79,17 +80,17 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
  .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you edit your configuration files on a Windows system, you must save
+       If you edit your configuration files on a Windows system, you must 
-them as  Unix files if your editor supports that option or you must run them
+save them as  Unix files if your editor supports that option or you must run
-through  dos2unix before trying to use them with Shorewall. Similarly, if
+them through  dos2unix before trying to use them with Shorewall. Similarly, 
-you copy a configuration file  from your Windows hard drive to a floppy disk,
+if you copy a configuration file  from your Windows hard drive to a floppy 
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
     <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
 of    dos2unix</a></li>
-   <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
+     <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
@ -151,8 +152,9 @@ the internet zone"  or "because that is the DMZ".</p>
 in  terms of zones.</p>
 <ul>
-   <li>You express your default policy for connections from one zone to another
+     <li>You express your default policy for connections from one zone to 
-   zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
+another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
    </a>file.</li>
     <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -163,17 +165,18 @@ kernel facility. Netfilter   implements a   <a
 href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
 tracking function</a> that allows what is often referred to   as <i>stateful
 inspection</i> of packets. This stateful property allows   firewall rules
-to be defined in terms of <i>connections</i> rather than   in terms of  packets.
+ to be defined in terms of <i>connections</i> rather than   in terms of 
-With Shorewall, you:</p>
+packets.  With Shorewall, you:</p>
 <ol>
           <li>  Identify the source zone.</li>
           <li>  Identify the destination zone.</li>
           <li>  If the POLICY from the client's zone to the server's zone
-is what you       want for this client/server pair, you need do nothing further.</li>
+ is what you       want for this client/server pair, you need do nothing
-         <li>  If the POLICY is not what you want, then you must add a rule.
+further.</li>
-That rule       is expressed in terms of the client's zone and the server's
+           <li>  If the POLICY is not what you want, then you must add a
-zone.</li>
+rule.  That rule       is expressed in terms of the client's zone and the
 server's  zone.</li>
 </ol>
@ -181,15 +184,15 @@ zone.</li>
 A to the   firewall and are also allowed from the firewall to zone B <font
 color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed
 from zone A to zone  B</u></b></font>.   It rather means that you can have
-a proxy running on the firewall that accepts   a connection from zone A and
+ a proxy running on the firewall that accepts   a connection from zone A
-then establishes its own separate connection from   the firewall to zone
+and  then establishes its own separate connection from   the firewall to
-B.</p>
+zone B.</p>
 <p>For each connection request entering the firewall, the request is first
- checked against the /etc/shorewall/rules file. If no rule in that file matches
+  checked against the /etc/shorewall/rules file. If no rule in that file
- the connection request then the first policy in /etc/shorewall/policy that
+matches   the connection request then the first policy in /etc/shorewall/policy
- matches the request is applied. If that policy is REJECT or DROP  the  request
+that   matches the request is applied. If that policy is REJECT or DROP 
-is first checked against the rules in /etc/shorewall/common.def.</p>
+the  request  is first checked against the rules in /etc/shorewall/common.def.</p>
 <p>The default /etc/shorewall/policy file  has the  following policies:</p>
@ -234,9 +237,10 @@ is first checked against the rules in /etc/shorewall/common.def.</p>
 <ol>
     <li>allow all connection requests from your local network to the internet</li>
-   <li>drop (ignore) all connection requests from the internet to your firewall
+     <li>drop (ignore) all connection requests from the internet to your
-   or local network and log a message at the <i>info</i> level (see "man
+firewall     or local network and log a message at the <i>info</i> level
-syslog").</li>
+(<a href="configuration_file_basics.htm#Levels">here</a> is a description
 of log levels).</li>
     <li>reject all other connection requests and log a message at the <i>info</i>
    level. When a request is rejected, the firewall will return an RST (if
 the    protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li>
@ -244,8 +248,8 @@ the    protocol is TCP) or an ICMP port-unreachable packet for other protocols.<
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-    At this point, edit your /etc/shorewall/policy and make any changes that
+      At this point, edit your /etc/shorewall/policy and make any changes 
-you  wish.</p>
+that you  wish.</p>
 <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -256,11 +260,12 @@ you  wish.</p>
 <p align="left">In this diagram:</p>
 <ul>
-   <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to
+     <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
-isolate your  internet-accessible servers from your local systems so that
+to  isolate your  internet-accessible servers from your local systems so
-if one of those  servers is compromised, you still have the firewall between
+that  if one of those  servers is compromised, you still have the firewall
-the compromised  system and your local systems. </li>
+between  the compromised  system and your local systems. </li>
-   <li>The Local Zone consists of systems Local 1, Local 2 and Local 3. </li>
+     <li>The Local Zone consists of systems Local 1, Local 2 and Local 3. 
  </li>
     <li>All systems from the ISP outward comprise the Internet Zone. </li>
 </ul>
@ -286,8 +291,8 @@ using ISDN, you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-    If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then you will
+      If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then you 
-want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
  eth1 or eth2) and will be connected to a hub or switch. Your local computers
@ -363,8 +368,8 @@ file, that file would might contain:</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
       Edit the /etc/shorewall/interfaces file and define the network interfaces
-on  your firewall and associate each interface with a zone. If you have a
+ on  your firewall and associate each interface with a zone. If you have
-zone that  is interfaced through more than one interface, simply include
+a  zone that  is interfaced through more than one interface, simply include
 one entry for each  interface and repeat the zone name as many times as necessary.</p>
 <p align="left">Example:</p>
@ -458,8 +463,8 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
 <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
 <p align="left">IP version 4 (<i>IPv4) </i>addresses  are 32-bit numbers.
-The notation w.x.y.z refers to an address where the high-order byte has value
+ The notation w.x.y.z refers to an address where the high-order byte has
-"w", the next  byte has value "x", etc. If we take the address 192.0.2.14
+value  "w", the next  byte has value "x", etc. If we take the address 192.0.2.14
 and express it in  hexadecimal,  we get:</p>
 <blockquote>         
@ -721,9 +726,9 @@ will    often hear a subnet of size 64 referred to as a "slash 26" subnet
 and one of    size 8 referred to as a "slash 29".</p>
 <p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
-simply a 32-bit number with the first "VLSM"    bits set to one and the remaining
+ simply a 32-bit number with the first "VLSM"    bits set to one and the
-bits set to zero. For example, for a subnet    of size 64, the subnet mask
+remaining  bits set to zero. For example, for a subnet    of size 64, the
-has 26 leading one bits:</p>
+subnet mask  has 26 leading one bits:</p>
 <blockquote>         
  <p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -805,10 +810,10 @@ the  subnet with one member and the subnet with 2 ** 32 members.</p>
 and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
 <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
- used to describe the ip configuration of a network interface (the 'ip' utility
+  used to describe the ip configuration of a network interface (the 'ip'
- also uses this syntax). This simply means that the interface is configured
+utility   also uses this syntax). This simply means that the interface is
-with  ip address <b>a.b.c.d</b> and with the netmask that corresponds to
+configured  with  ip address <b>a.b.c.d</b> and with the netmask that corresponds
-VLSM <b>/v</b>.</p>
+to VLSM <b>/v</b>.</p>
 <p align="left">Example: 192.0.2.65/29</p>
@ -829,12 +834,12 @@ and netmask 255.255.255.248.</p>
 <p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in
 the  Dallas, Texas area.<br>
   <br>
- The first three routes are <i>host routes</i> since they indicate how to
+   The first three routes are <i>host routes</i> since they indicate how
-get to  a single host. In the 'netstat' output this can be seen by the "Genmask"
+to  get to  a single host. In the 'netstat' output this can be seen by the
-(Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder
+"Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column.
-are 'net' routes since they tell the  kernel how to route packets to a subnetwork.
+The remainder  are 'net' routes since they tell the  kernel how to route
-The last route is the <i>default  route</i> and the gateway mentioned in
+packets to a subnetwork.  The last route is the <i>default  route</i> and
-that route is called the <i>default  gateway</i>.</p>
+the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
 <p align="left">When the kernel is trying to send a packet to IP address
 <b>A</b>,  it starts at the top of the routing table and:</p>
@ -894,17 +899,18 @@ eth2.</p>
 are  sent using the routing table and reply packets are not a special case.
 There  seems to be a common mis-conception whereby people think that request
 packets  are like salmon and contain a genetic code that is magically transferred
-to  reply packets so that the replies follow the reverse route taken by the
+ to  reply packets so that the replies follow the reverse route taken by
-request.  That isn't the case; the replies may take a totally different route
+the  request.  That isn't the case; the replies may take a totally different
-back to the  client than was taken by the requests -- they are totally independent.</p>
+route  back to the  client than was taken by the requests -- they are totally
 independent.</p>
 <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
 <p align="left">When sending packets over Ethernet, IP addresses aren't used.
  Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
- addresses. Each Ethernet device has it's own unique  MAC address which is
+  addresses. Each Ethernet device has it's own unique  MAC address which
- burned into a PROM on the device during manufacture. You can obtain the
+is   burned into a PROM on the device during manufacture. You can obtain
-MAC of  an Ethernet device using the 'ip' utility:</p>
+the MAC of  an Ethernet device using the 'ip' utility:</p>
 <blockquote>         
  <div align="left">           
@ -921,8 +927,8 @@ to the card    itself. </p>
 <div align="left">     
 <p align="left">Because IP uses IP addresses and Ethernet uses MAC addresses,
    a mechanism is required to translate an IP address into a MAC address;
-that is    the purpose of the <i>Address Resolution Protocol</i> (ARP). Here
+ that is    the purpose of the <i>Address Resolution Protocol</i> (ARP).
-is ARP in    action:</p>
+Here  is ARP in    action:</p>
  </div>
 <div align="left">     
@ -934,9 +940,9 @@ is ARP in    action:</p>
   </div>
 <p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
-to  know the MAC of the device with IP address 192.168.1.19. The system having
+ to  know the MAC of the device with IP address 192.168.1.19. The system
-that  IP address is responding that the MAC address of the device with IP
+having  that  IP address is responding that the MAC address of the device
-address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
+with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
 <p align="left">In order to avoid having to exchange ARP information each
 time  that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
@ -1001,6 +1007,7 @@ in      their infrastructure.     </p>
      your ISP or by another organization with whom you want to establish
 a VPN      relationship.    </p>
    </li>
 </ul>
   </div>
@ -1017,8 +1024,8 @@ the    addresses that you are going to use.</p>
 <div align="left">     
 <p align="left">The choice of how to set up your network depends primarily
 on    how many Public IP addresses you have vs. how many addressable entities
-you    have in your network. Regardless of how many addresses you have, your
+ you    have in your network. Regardless of how many addresses you have,
-ISP will    handle that set of addresses in one of two ways:</p>
+your  ISP will    handle that set of addresses in one of two ways:</p>
  </div>
 <div align="left">     
@ -1034,12 +1041,26 @@ your    firewall/router's external interface.     </p>
    <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
 of your    addresses directly.   </p>
    </li>
 </ol>
   </div>
 <div align="left">     
 <p align="left">In the subsections that follow, we'll look at each of these
-   separately.</p>
+    separately.<br>
 </p>
 <p align="left">Before we begin, there is one thing for you to check:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
     If you are using the Debian package, please check your shorewall.conf 
 file to ensure that the following are set correctly; if they are not, change 
 them appropriately:<br>
  </p>
 <ul>
  <li>NAT_ENABLED=Yes</li>
  <li>IP_FORWARDING=On<br>
   </li>
 </ul>
  </div>
 <div align="left">     
@ -1049,11 +1070,11 @@ of your    addresses directly.   </p>
 <div align="left">     
 <p align="left">Let's assume that your ISP has assigned you the subnet  
 192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
-   192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
+    192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
-   192.0.2.65. Your ISP has also told you that you should use a netmask of
+is     192.0.2.65. Your ISP has also told you that you should use a netmask
-   255.255.255.0 (so your /28 is part of a larger /24). With this many IP
+of     255.255.255.0 (so your /28 is part of a larger /24). With this many
-   addresses, you are able to subnet your /28 into two /29's and set up your
+IP     addresses, you are able to subnet your /28 into two /29's and set
-   network as shown in the following diagram.</p>
+up your     network as shown in the following diagram.</p>
  </div>
 <div align="left">     
@ -1082,8 +1103,8 @@ because    of the simplicity of the setup.</p>
 <div align="left">     
 <p align="left">The astute reader may have noticed that the Firewall/Router's
    external interface is actually part of the DMZ subnet (192.0.2.64/29).
-What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing
+ What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
-table on    DMZ 1 will look like this:</p>
+routing  table on    DMZ 1 will look like this:</p>
  </div>
 <div align="left">     
@ -1136,8 +1157,9 @@ netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
 <div align="left">     
 <p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
-   and there aren't enough addresses for all of the network interfaces. There
+    and there aren't enough addresses for all of the network interfaces.
-are    four different techniques that can be used to work around this problem.</p>
+There  are    four different techniques that can be used to work around this
 problem.</p>
  </div>
 <div align="left">     
@ -1157,6 +1179,7 @@ also    known as <i>Port Forwarding.</i>     </p>
    <p align="left"><i>Network Address Translation</i> (NAT) also referred
 to as   <i>Static NAT</i>.   </p>
    </li>
 </ul>
   </div>
@ -1199,8 +1222,8 @@ zone.</p>
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-    The systems in    the local zone would be configured with a default gateway
+      The systems in    the local zone would be configured with a default 
-of 192.168.201.1    (the IP address of the firewall's local interface).</div>
+gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
 <div align="left">    </div>
@ -1254,8 +1277,8 @@ do    not have a public IP address. DNAT provides a way to allow selected
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
          Suppose that your daughter wants to run a web server on her system
-"Local 3". You    could allow connections to the internet to her server by
+ "Local 3". You    could allow connections to the internet to her server
-adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
+by  adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
  </div>
 <div align="left">     
@ -1291,10 +1314,10 @@ adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewal
 <p align="left">If one of your daughter's friends at address <b>A</b> wants
 to    access your daughter's server, she can connect to <a
 href="http://192.0.2.176">   http://192.0.2.176</a> (the firewall's external
-IP address) and the firewall    will rewrite the destination IP address to
+ IP address) and the firewall    will rewrite the destination IP address
-192.168.201.4 (your daughter's system)    and forward the request. When your
+to  192.168.201.4 (your daughter's system)    and forward the request. When
-daughter's server responds, the firewall will    rewrite the source address
+your  daughter's server responds, the firewall will    rewrite the source
-back to 192.0.2.176 and send the response back to   <b>A.</b></p>
+address  back to 192.0.2.176 and send the response back to   <b>A.</b></p>
  </div>
 <div align="left">     
@ -1327,6 +1350,7 @@ of your    public IP addresses (<b>A)</b> and is assigned the same netmask
 address    in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
 will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
    </li>
 </ul>
   </div>
@ -1391,8 +1415,8 @@ add    host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</p>
 <div align="left">     
 <p align="left">A word of warning is in order here. ISPs typically configure
    their routers with a long ARP cache timeout. If you move a system from
-   parallel to your firewall to behind your firewall with Proxy ARP, it will
+    parallel to your firewall to behind your firewall with Proxy ARP, it
-   probably be HOURS before that system can communicate with the internet.
+will     probably be HOURS before that system can communicate with the internet.
 You    can call your ISP and ask them to purge the stale ARP cache entry
 but many    either can't or won't purge individual entries. You can determine
 if your    ISP's gateway ARP cache is stale using ping and tcpdump. Suppose
@ -1478,9 +1502,9 @@ and    is sharing the firewall external IP (192.0.2.176) for outbound connection
 <div align="left">     
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-       Suppose now that you have decided to give your daughter her own IP
+         Suppose now that you have decided to give your daughter her own
-address    (192.0.2.179) for both inbound and outbound connections. You would
+IP  address    (192.0.2.179) for both inbound and outbound connections. You
-do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
+would  do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
  </div>
 <div align="left">     
@ -1517,9 +1541,9 @@ do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
         Once the relationship between 192.0.2.179 and 192.168.201.4 is established
-by    the nat file entry above, it is no longer    appropriate to use a DNAT
+ by    the nat file entry above, it is no longer    appropriate to use a
-rule for you daughter's web server -- you would    rather just use an ACCEPT
+DNAT  rule for you daughter's web server -- you would    rather just use
-rule:</p>
+an ACCEPT  rule:</p>
  </div>
 <div align="left">     
@ -2266,9 +2290,9 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
 <p align="left">Suppose that your domain is foobar.net and you want the two
    DMZ systems named www.foobar.net and mail.foobar.net and you want the
 three    local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
-   You want your firewall to be known as firewall.foobar.net externally and
+    You want your firewall to be known as firewall.foobar.net externally
-it's    interface to the local network to be know as gateway.foobar.net and
+and  it's    interface to the local network to be know as gateway.foobar.net
-its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
+and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
 on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
  </div>
@ -2291,8 +2315,10 @@ on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
 <div align="left">     
 <p align="left">Here are the files in /var/named (those not shown are usually
    included in your bind disbribution).</p>
 <p align="left">db.192.0.2.176 - This is    the reverse zone for the firewall's
 external interface</p>
 <blockquote>           
  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32<br>; Filename: db.192.0.2.176<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.<br></pre>
     </blockquote>
@ -2419,11 +2445,13 @@ and    test it using the <a href="Documentation.htm#Starting">"shorewall
 try" command</a>.</p>
  </div>
-<p align="left"><font size="2">Last updated 9/19/2002 - <a
+<p align="left"><font size="2">Last updated 12/13/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
 M. Eastep</font></a></p>
        <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -5,12 +5,14 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
                                      <base target="_self">
 </head>
  <body>
@ -20,10 +22,14 @@
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
               <tbody>
            <tr>
-                                                                       <td
+                                                                        
- width="100%" height="90">                                              
+                     <td width="100%" height="90">                      
@ -34,10 +40,12 @@
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                                                                  </a></i></font><font
+                                                                        
- color="#ffffff">Shorewall      1.3   -        <font size="4">"<i>iptables 
+                </a></i></font><font color="#ffffff">Shorewall      1.3 
-              made easy"</i></font></font><a href="http://www.sf.net">   
+ -               <font size="4">"<i>iptables                   made easy"</i></font></font><a
-       </a></h1>
+ href="http://www.sf.net">            </a></h1>
@ -50,7 +58,9 @@
                                     </tr>
  </tbody>                                                               
 </table>
@ -61,7 +71,9 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                 <tbody>
            <tr>
                       <td width="90%">                                 
@ -71,6 +83,8 @@
      <h2 align="left">What is it?</h2>
@ -80,9 +94,11 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                                                                        
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+    
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
@ -92,23 +108,29 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
                                      it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                    <br>
-                                                                       This 
+                                                                        
- program     is  distributed       in  the   hope   that   it  will   be 
+               This   program     is  distributed       in  the   hope  
-useful,    but         WITHOUT  ANY    WARRANTY;   without   even the  implied 
+that     it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;
-  warranty      of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR 
+  without      even the   implied    warranty      of MERCHANTABILITY   
-    PURPOSE.        See the  GNU General     Public License          for 
+         or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the 
-more details.<br>
+GNU General     Public  License           for  more details.<br>
                    <br>
-                                                                       You
+                                                                        
- should    have   received     a  copy   of  the   GNU   General     Public
+               You   should    have   received     a  copy   of  the   GNU
-    License             along  with   this program;    if  not, write  to
+   General         Public      License             along  with   this program;
-the    Free Software        Foundation,            Inc., 675    Mass  Ave,
+     if  not,    write  to  the    Free Software        Foundation,     
-Cambridge,  MA  02139,      USA</p>
+      Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -126,17 +148,22 @@ Cambridge,  MA  02139,      USA</p>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                                                  </a>Jacques 
+                                                                        
-         Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway 
+                </a>Jacques              Nilo   and   Eric   Wolzak    have 
-    on  a floppy,   CD  or compact  flash) distribution       called     
+   a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or compact 
-        <i>Bering</i>    that          features     Shorewall-1.3.10 and 
+   flash)  distribution        called              <i>Bering</i>    that 
-Kernel-2.4.18.       You    can  find    their   work at:          <a
+        features      Shorewall-1.3.10  and    Kernel-2.4.18.       You 
  can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-       <b>Congratulations to Jacques and Eric on the recent release of Bering 
+                        <b>Congratulations to Jacques and Eric on the recent
-1.0 Final!!! <br>
+  release     of  Bering  1.0 Final!!! <br>
                        </b>                                            
      <h2>News</h2>
@ -148,271 +175,213 @@ Kernel-2.4.18.       You    can  find    their   work at:          <a
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                               </b></p>
      <p>In this version:</p>
-      <ul>
+      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
        <li>A 'tcpflags' option has been added to entries in <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
 This option causes Shorewall to make a set of sanity check on TCP packet
 header flags.</li>
        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
 a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
 When used, 'all' must appear by itself (in may not be qualified) and it does 
 not enable intra-zone traffic. For example, the rule <br>
     <br>
     ACCEPT loc all tcp 80<br>
     <br>
 does not enable http traffic from 'loc' to 'loc'.</li>
        <li>Shorewall's use of the 'echo' command is now compatible with
 bash clones such as ash and dash.</li>
        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
 generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                                               </b></p>
-      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
+      <p>     Features include:<br>
 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
       <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
           </p>
-      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
+      <ol>
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+         <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
-                                  </b></p>
+   and tcstart).</li>
         <li>"shorewall debug [re]start" now turns off debugging after an 
 error   occurs. This places the point of the failure near the end of the trace
 rather   than up in the middle of it.</li>
         <li>"shorewall [re]start" has been speeded up by more than 40% with 
 my  configuration. Your milage may vary.</li>
         <li>A "shorewall show classifiers" command has been added which
 shows   the current packet classification filters. The output from this command 
 is  also added as a separate page in "shorewall monitor"</li>
         <li>ULOG (must be all caps) is now accepted as a valid syslog level 
 and  causes the subject packets to be logged using the ULOG target rather 
 than  the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
   and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
         <li>If you are running a kernel that has a FORWARD chain in the
 mangle    table ("shorewall show mangle" will show you the chains in the
 mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking 
 input packets based on their destination even when you are using  Masquerading 
 or SNAT.</li>
         <li>I have cluttered up the /etc/shorewall directory with empty
 'init',    'start', 'stop' and 'stopped' files. If you already have a file
 with one   of these names, don't worry -- the upgrade process won't overwrite
 your file.</li>
         <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies 
 the syslog level at which packets are logged as a result of entries in the 
 /etc/shorewall/rfc1918 file. Previously, these packets were always logged 
 at the 'info' level.</li>
      </ol>
-      <p>The main Shorewall web site is now at SourceForge at <a
+      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
- href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
+   </p>
   This version corrects a problem with Blacklist logging. In Beta 2, if
 BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would fail
 to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                   </p>
-                              
+      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-      <p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
+         <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
- src="images/new10.gif" width="28" height="12" alt="(New)">
+ target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                                  </b></p>
      <p>In this version:</p>
      <ul>
                           <li>You may now <a href="IPSEC.htm#Dynamic">define 
  the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
          delete" commands</a>. These commands are expected to be used primarily 
       within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
       updown   scripts.</li>
                           <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments. 
   You can specify the set  of allowed   MAC addresses   on   the segment 
 and   you can optionally tie each MAC address   to one or more   IP  addresses.</li>
                           <li>PPTP Servers and Clients running on the firewall 
   system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
       file.</li>
                           <li>A new 'ipsecnat' tunnel type is supported
 for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
 is   behind   a NAT   gateway</a>.</li>
                           <li>The PATH used by Shorewall may now be specified
   in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                           <li>The main firewall script is now /usr/lib/shorewall/firewall. 
          The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
          to do the real work. This change makes custom distributions such 
 as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
        that tends  to have distribution-dependent code.</li>
      </ul>
                  If you have installed the 1.3.10 Beta 1 RPM and are now 
 upgrading      to  version   1.3.10, you will need to use the '--force' option:<br>
      <blockquote>                                                      
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
       </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                             </b></p>
      The first public Beta version of Shorewall 1.3.12 is now available
 (Beta  1 was made available only to a limited audience). <br>
       <br>
       Features include:<br>
       <br>
      <ol>
              <li>"shorewall refresh" now reloads the traffic shaping rules 
 (tcrules  and tcstart).</li>
              <li>"shorewall debug [re]start" now turns off debugging after 
 an  error occurs. This places the point of the failure near the end of the 
 trace  rather than up in the middle of it.</li>
              <li>"shorewall [re]start" has been speeded up by more than
 40%   with  my configuration. Your milage may vary.</li>
              <li>A "shorewall show classifiers" command has been added which 
  shows the current packet classification filters. The output from this command 
  is also added as a separate page in "shorewall monitor"</li>
              <li>ULOG (must be all caps) is now accepted as a valid syslog 
 level  and causes the subject packets to be logged using the ULOG target 
 rather than the LOG target. This allows you to run ulogd (available from 
         <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
   and log all Shorewall messages <a
 href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
              <li>If you are running a kernel that has a FORWARD chain in 
 the   mangle table ("shorewall show mangle" will show you the chains in the 
 mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. 
 This allows  for  marking input packets based on their destination even when 
 you are using  Masquerading or SNAT.</li>
              <li>I have cluttered up the /etc/shorewall directory with empty 
  'init', 'start', 'stop' and 'stopped' files. If you already have a file 
 with  one of these names, don't worry -- the upgrade process won't overwrite 
 your  file.</li>
-      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
+      </ol>
 href="http://www.gentoo.org"><br>
                                </a></p>
                          Alexandru Hartmann reports that his Shorewall package 
   is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo 
  Linux  distribution</a>.       Thanks Alex!<br>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
                            In this version:<br>
      <ul>
                                    <li>You may now <a
 href="IPSEC.htm#Dynamic">define     the   contents      of a zone dynamically</a>
   with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
 and   "shorewall            delete" commands</a>. These commands are expected
 to  be used primarily         within             <a
 href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>         updown  
 scripts.</li>
                                    <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments.
        You can specify the set of  allowed   MAC addresses on   the segment
   and    you can optionally tie each MAC address   to one or more IP  addresses.</li>
                                    <li>PPTP Servers and Clients running
 on  the   firewall     system    may   now be defined in the<a
 href="PPTP.htm"> /etc/shorewall/tunnels</a>           file.</li>
                                    <li>A new 'ipsecnat' tunnel type is supported 
    for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
    is   behind   a NAT   gateway</a>.</li>
                                    <li>The PATH used by Shorewall may now
 be  specified      in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                    <li>The main firewall script is now /usr/lib/shorewall/firewall.
              The script in /etc/init.d/shorewall is very small and uses
 /sbin/shorewall               to do the real work. This change makes custom
 distributions such     as   for    Debian  and for Gentoo easier to manage
 since it is /etc/init.d/shorewall            that tends  to have distribution-dependent
 code.</li>
      </ul>
       You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
         <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
       </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
         </a></b></p>
        Shorewall is at the center of MandrakeSofts's recently-announced
      <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
    Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
    release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>        
                                   </b></p>
-      <ul>
+      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally 
-                                   <li><a
+     delivered. I have installed 9.0 on one of my systems and I am now in 
- href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
+a  position   to support Shorewall users who run Mandrake 9.0.</p>
                                   <li><a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                                   </li>
-                                                                     
+      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>      
                          </b><br>
                  </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
-                                                                        
+      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                         
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b></p>
                                   This release rolls up fixes to the installer 
   and   to  the   firewall     script.<br>
                                    <b><br>
                                   10/6/2002 - Shorewall.net now running
 on  RH8.0          </b><b><img border="0" src="images/new10.gif"
 width="28" height="12" alt="(New)">
                                                             </b><br>
                                         <br>
                                     The firewall and server here at shorewall.net
     are   now   running     RedHat    release   8.0.<br>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT 
      with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users 
   who   don't need rules of this type need not upgrade to 1.3.11.</p>
-                  
+      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> 
      <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>                          
     </b></p>
                                           Roles up the fix for broken tunnels.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>                
         </b></p>
                                               <img
 src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
 align="left">
                                          There is an updated firewall script 
  at        <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
                     -- copy that file to /usr/lib/shorewall/firewall.<br>
      <p><b><br>
                                    </b></p>
-                                                                        
+      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
-                                   
+         documenation. the PDF may be downloaded from</p>
      <p><b><br>
                                               </b></p>
-                                                                        
+      <p>    <a
-                                   
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-      <p><b><br>
+                        <a
-                                         9/28/2002 - Shorewall 1.3.9 </b><b>
+ href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                                 </b></p>
      <p>In this version:<br>
                    </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b>                         
         </b></p>
      <p>In this version:</p>
      <ul>
-                                                       <li><a
+                         <li>A 'tcpflags' option has been added to entries
- href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now
+ in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
-                 allowed in Shorewall config files (although I recommend
+  This option causes Shorewall to make a set of sanity check on TCP packet 
-  against          using       them).</li>
+ header flags.</li>
-                                                       <li>The connection 
+                         <li>It is now allowed to use 'all' in the SOURCE 
-SOURCE    may   now   be  qualified      by  both   interface      and IP 
+or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.  When
-address  in  a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+ used,  'all'   must  appear  by itself (in may not be qualified) and it
-                                                       <li>Shorewall startup
+does   not  enable   intra-zone  traffic.  For example, the rule <br>
-  is  now   disabled     after    initial     installation       until the
+                      <br>
- file  /etc/shorewall/startup_disabled          is removed.     This avoids
+                      ACCEPT loc all tcp 80<br>
-    nasty    surprises at reboot for users     who    install Shorewall 
+                      <br>
-   but don't  configure     it.</li>
+                  does not enable http traffic from 'loc' to 'loc'.</li>
-                                                      <li>The 'functions' 
+                         <li>Shorewall's use of the 'echo' command is now 
-and   'version'      files    and   the   'firewall'      symbolic   link 
+compatible      with   bash clones such as ash and dash.</li>
-have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall 
+                         <li>fw-&gt;fw policies now generate a startup error. 
-     to appease   the LFS   police at Debian.<br>
+  fw-&gt;fw      rules  generate a warning and are ignored</li>
                                                      </li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>   
                              </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 
         documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                        <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                    </p>
      <p><b></b></p>
      <ul>
@ -423,13 +392,11 @@ have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall
      <p><b></b><a href="News.htm">More News</a></p>
      <p><a href="News.htm">More News</a></p>
@ -439,33 +406,44 @@ have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall
      <h2> </h2>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
                                      </a></h1>
      <h4>       </h4>
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
      <h2><a name="Donations"></a>Donations</h2>
                                                          </td>
-      <td width="88" bgcolor="#4b017c" valign="top" align="center">     
+                       <td width="88" bgcolor="#4b017c" valign="top"
-       <br>
+ align="center">              <br>
                                        </td>
                   </tr>
  </tbody>                                                               
 </table>
             </center>
           </div>
@ -473,10 +451,14 @@ have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
          <tbody>
            <tr>
-                                                                  <td
+                                                                        
- width="100%" style="margin-top: 1px;">                                  
+                <td width="100%" style="margin-top: 1px;">              
@ -486,6 +468,7 @@ have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
                 </a></p>
@ -494,28 +477,33 @@ have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+                                                                        
-but if       you try it and find it useful, please consider making a donation
+                                     
      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                                      to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight        
+ href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Children's Foundation.</font></a> Thanks!</font></p>
+Foundation.</font></a> Thanks!</font></p>
                </td>
            </tr>
  </tbody>                                                               
 </table>
-<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
                                <br>
  </p>
  <br>
 <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -44,10 +44,10 @@ in one  of its  most common configurations:</p>
 </ul>
 <p>This guide assumes that you have the iproute/iproute2 package installed
- (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
- this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on
- firewall  system. As root, you can use the 'which' command to check for
+your  firewall  system. As root, you can use the 'which' command to check
-this  program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -61,8 +61,8 @@ this  program:</p>
         If you edit your configuration files on a Windows system, you must 
 save them as  Unix files if your editor supports that option or you must 
 run them through  dos2unix before trying to use them. Similarly, if you copy 
-a configuration file  from your Windows hard drive to a floppy disk, you
+a configuration file  from your Windows hard drive to a floppy disk, you must
-must run dos2unix against the  copy before using it with Shorewall.</p>
+run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -74,14 +74,16 @@ Version  of    dos2unix</a></li>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
     The configuration files for Shorewall are contained in the directory
 /etc/shorewall -- for simple setups, you  only need to deal with a few of 
 these as described in this guide.  After you have <a href="Install.htm">installed 
-Shorewall</a>,  download the <a
+Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, 
 un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
 (they will replace files with the same names that were placed in /etc/shorewall 
- during Shorewall installation).</p>
+ during Shorewall installation)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
  file on your system -- each file contains detailed  configuration instructions
@ -115,8 +117,8 @@ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
  in  terms of zones.</p>
 <ul>
-      <li>You express your default policy for connections from one zone to
+       <li>You express your default policy for connections from one zone
- another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,14 +126,14 @@ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
 </ul>
 <p>For each connection request entering the firewall, the request is first
- checked against the  /etc/shorewall/rules file. If no rule in that file matches
+  checked against the  /etc/shorewall/rules file. If no rule in that file
- the connection  request then the first policy in /etc/shorewall/policy that
+matches  the connection  request then the first policy in /etc/shorewall/policy
- matches the    request is applied. If that policy is REJECT or DROP  the
+that  matches the    request is applied. If that policy is REJECT or DROP 
-request is first  checked against the rules in /etc/shorewall/common (the
+the request is first  checked against the rules in /etc/shorewall/common
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample has
+<p>The /etc/shorewall/policy file included with the one-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -178,8 +180,8 @@ the  following policies:</p>
       <li>allow all connection requests from the firewall to the internet</li>
       <li>drop (ignore) all connection requests from the internet to your
 firewall</li>
-      <li>reject all other connection requests (Shorewall requires this catchall 
+       <li>reject all other connection requests (Shorewall requires this
-    policy).</li>
+catchall      policy).</li>
 </ol>
@ -201,8 +203,8 @@ a <b>ppp0</b>. If you connect via a regular modem, your External  Interface
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
        The Shorewall one-interface sample configuration assumes that  the
-external  interface is <b>eth0</b>.  If your configuration is different, you
+ external  interface is <b>eth0</b>.  If your configuration is different,
-will have  to modify the sample  /etc/shorewall/interfaces file accordingly. 
+you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
 While you  are there, you may wish to  review the list of options that are
 specified  for the interface. Some hints:</p>
@ -239,9 +241,9 @@ specified  for the interface. Some hints:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-           Before starting Shorewall, you should look at the IP address of
+            Before starting Shorewall, you should look at the IP address
- your external    interface and if it is one of the above ranges, you should
+of  your external    interface and if it is one of the above ranges, you
- remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+should  remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
    </div>
 <div align="left">       
@ -283,8 +285,8 @@ specified  for the interface. Some hints:</p>
     </div>
 <div align="left">       
-<p align="left">Example - You want to run a Web Server and a POP3 Server on
+<p align="left">Example - You want to run a Web Server and a POP3 Server
-your firewall    system:</p>
+on your firewall    system:</p>
    </div>
 <div align="left">       
@ -326,8 +328,8 @@ your firewall    system:</p>
     </div>
 <div align="left">       
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, see <a href="ports.htm">here</a>.</p>
+application uses, see <a href="ports.htm">here</a>.</p>
    </div>
 <div align="left">       
@ -416,7 +418,7 @@ added an    entry for the IP address that you are connected from to   <a
 try" command</a>.</p>
    </div>
-<p align="left"><font size="2">Last updated 11/21/2002 - <a
+<p align="left"><font size="2">Last updated 12/9/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
@ -425,5 +427,6 @@ try" command</a>.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/subnet_masks.htm
+++ b/Shorewall-docs/subnet_masks.htm
@ -1,78 +0,0 @@
 <html>
 <head>
 <meta http-equiv="Content-Language" content="en-us">
 <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
 <meta name="ProgId" content="FrontPage.Editor.Document">
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Subnet Masks</title>
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
  <tr>
    <td width="100%">
    <h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1>
    </td>
  </tr>
 </table>
 <p align="left">IP addresses and subnet masks are 32-bit numbers. The notation 
 w.x.y.z refers to an address where the high-order byte has value &quot;w&quot;, the next 
 byte has value &quot;x&quot;, etc. If we take 255.255.255.0 and express it in 
 hexadecimal, 
 we get:</p>
 <blockquote>
  <p align="left">FF.FF.FF.00</p>
 </blockquote>
 <p align="left">or looking at it as a 32-bit integer</p>
 <blockquote>
  <p align="left">FFFFFF00</p>
 </blockquote>
 <p align="left">Each &quot;F&quot; represents the bit pattern &quot;1111&quot; so if we look at the 
 number in binary, we have:</p>
 <blockquote>
  <p align="left">11111111111111111111111100000000</p>
 </blockquote>
 <p align="left">Counting the leading &quot;1&quot; bits, we see that there are 24 -- /24 
 in VLSM notation.</p>
 <p align="left">It is handy to remember that the size of the subnet can be 
 obtained by subtracting the number of consecutive leading &quot;1&quot; bits from 32 and 
 raising 2 to that power. In the above case, 32 - 24 = 8 and 2 ** 8 = 256 
 addresses. Remember that the number of usable addresses is two less than that 
 (254) because the first and last address in the subnet are reserved as the 
 sub-network and broadcast addresses respectively.</p>
 <p align="left">The size of a subnet can be any power of two so long as the 
 address of the subnet is a multiple of it's size. For example, if you want a 
 subnet of size 8, you could choose 192.168.12.8/29 (8 = 2 ** 3 and 32 - 3 = 29). 
 The subnet mask would be:</p>
 <blockquote>
  <p align="left">11111111111111111111111111111000 = FFFFFFF8 = 255.255.255.248.</p>
 </blockquote>
 <p align="left">This subnet would have 6 usable addresses: 192.168.12.9 - 
 192.168.12.14.</p>
 <p align="left">You will still hear the terms &quot;Class A network&quot;, &quot;Class B 
 network&quot; and &quot;Class C network&quot;. In the early days of IP, sub-networks only came 
 in three sizes:</p>
 <blockquote>
  <p align="left">Class A - Subnet mask 255.0.0.0, size = 2 ** 24</p>
  <p align="left">Class B - Subnet mask 255.255.0.0, size = 2 ** 16</p>
  <p align="left">Class C - Subnet mask 255.255.255.0, size = 256</p>
 </blockquote>
 <p align="left">The class of a network was determined by the value of the high 
 order byte of its address so you could look at an IP address and immediately 
 determine the associated subnet mask. </p>
 <p align="left">As the internet grew, it became clear that such a gross 
 partitioning of the 32-bit address space was going to be very limiting (early 
 on, large corporations and universities were assigned their own class A 
 network!). It was then that VLSM was devised -- today, any system that you are 
 likely to work with understands VLSM and Class-based subnetworking is largely a 
 thing of the past.</p>
 <p align="left"><font size="2">Last updated 
 7/15/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -2,16 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Support</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -23,63 +29,94 @@
                         <tr>
                          <td width="100%">                             
-      <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
+                                                 
      <h1 align="center"><font color="#ffffff">Shorewall Support<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
           </font></h1>
                          </td>
                        </tr>
  </tbody>                     
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
+<p> <br>
-easier to post a problem than to use your own brain" </font>-- </i> <font
+   <span style="font-weight: 400;"></span></p>
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you just
+<h2><big><font color="#ff0000"><b>I  don't look at problems sent to me directly 
- have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+ but I try  to spend some amount          of time each day responding to problems
 posted  on the Shorewall mailing list.</b></font></big></h2>
-<blockquote> </blockquote>
+<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
-<p><span style="font-weight: 400;"><i>"It irks me when people believe that 
+<h2>Before Reporting a Problem</h2>
   free software        comes at no cost. The cost is incredibly high."</i> 
  - <font size="2">       Wietse Venem<br>
 </font></span></p>
-<h3 align="left">Before Reporting a Problem</h3>
+<h3>T<b>here are a number of sources for problem solution information. Please
- <b><i>"Reading the documentation fully is a prerequisite to getting help 
+  try these before you post.</b></h3>
 for your particular situation. I know it's harsh but you will have to get 
 so far on your own before you can get reasonable help from a list full of 
 busy people. A mailing list is not a tool to speed up your day by being spoon
 fed</i></b><i><b>".</b> </i>-- Simon White<br>
-<p>There are also a number of sources for problem solution information.</p>
+<h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-          <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
+     <li>               
-          <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
+    <h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to  more than 20 common 
-  contains  a    number of tips to help you solve common problems.</li>
+   problems.</b></h3>
-          <li>The <a href="errata.htm">   Errata</a> has links to download
+     </li>
 updated      components.</li>
          <li>The Mailing List Archives search facility can locate posts
 about         similar problems:</li>
 </ul>
-<h4>Mailing List Archive Search</h4>
+<h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The <a href="troubleshoot.htm">Troubleshooting</a>  Information 
       contains  a    number of tips to help you solve common problems.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The <a href="errata.htm">   Errata</a> has links  to  download 
     updated      components.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The Mailing List Archives search facility can locate   posts  
 about         similar problems:</b></h3>
     </li>
 </ul>
 <h2>                                     </h2>
 <h2>Mailing List Archive Search</h2>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
  <p> <font size="-1"> Match:                                           
  <select name="method">
  <option value="and">All </option>
  <option value="or">Any </option>
  <option value="boolean">Boolean </option>
  </select>
                   Format:                                              
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
                   Sort by:                                             
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -88,76 +125,163 @@ about         similar problems:</li>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-     </font> <input type="hidden" name="config" value="htdig"> <input
+                   </font> <input type="hidden" name="config"
- type="hidden" name="restrict"
+ value="htdig">    <input type="hidden" name="restrict"
 value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-     Search: <input type="text" size="30" name="words" value=""> <input
+                   Search: <input type="text" size="30" name="words"
- type="submit" value="Search"> </p>
+ value="">    <input type="submit" value="Search"> </p>
                   </form>
-<h3 align="left">Problem Reporting Guideline</h3>
+<h2>Problem Reporting Guidelines</h2>
  <i>"Let me see if I can translate your message into a real-world example. 
 It would be like saying that you have three rooms at home, and when you
 walk  into one of the rooms, you detect this strange smell.  Can anyone tell
 you  what that strange smell is?<br>
  <br>
  Now, all of us could do some wonderful guessing as to the smell and even
 what's causing it.  You would be absolutely amazed at the range and variety
 of smells we could come up with.  Even more amazing is that all of the explanations
 for the smells would be completely plausible."<br>
  </i><br>
 <div align="center">   - Russell Mosemann<br>
  </div>
  <br>
 <h3>                     </h3>
 <ul>
-          <li>When reporting a problem, give as much information as you can.
+     <li>               
-  Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+    <h3><b>When reporting a problem, give as much information  as  you   can.
-          <li>Please don't describe your environment and then ask us to send
+  Reports   that say "I tried XYZ and it didn't work" are not at all   helpful.</b></h3>
-  you             custom configuration files. We're here to answer your questions 
+     </li>
   but we           can't do your job for you.</li>
          <li>Do you see any "Shorewall" messages in     /var/log/messages
 when   you exercise the function that is giving you problems?</li>
          <li>Have you looked at the packet flow with a tool like tcpdump 
    to  try to understand what is going on?</li>
          <li>Have you tried using the diagnostic capabilities of the   
 application    that isn't working? For example, if "ssh" isn't able    
 to connect, using    the "-v" option gives you a lot of valuable     diagnostic 
 information.</li>
          <li>Please include any of the Shorewall configuration files (especially 
   the    /etc/shorewall/hosts file if you have modified that file) that you
   think are    relevant. If an error occurs when you try to "shorewall start",
   include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
   section for    instructions).</li>
          <li>The list server limits posts to 120kb so don't post GIFs of 
 your             network layout, etc to the Mailing List -- your post will 
 be rejected.</li>
 </ul>
-<h3>Where to Send your Problem Report or to Ask for Help</h3>
+<h3>                     </h3>
            <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
 reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
 on October 3, 2002; MandrakeSoft issued a charge against my credit card
 on  October 4, 2002 (they are really effecient at that part of the order
 process)  and I haven't heard a word from them since (although their news
 letters boast  that 9.0 boxed sets have been shipping for the last two weeks).
 If they can't  fill my 9.0 order within <u>6 weeks after they have billed
 my credit card</u>  then I refuse to spend my free time supporting of their
 product for them.<br>
-<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please 
+<ul>
-    post your question or problem to the <a
+     <li>               
- href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
+    <h3><b>Please don't describe your environment and then  ask  us  to  send
  you             custom configuration files. We're here  to answer   your
 questions     but we           can't do your job for you.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Do you see any "Shorewall" messages in     /var/log/messages  
    when   you exercise the function that is giving you problems?</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Have you looked at the packet flow with a tool  like  tcpdump 
       to  try to understand what is going on?</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Have you tried using the diagnostic capabilities  of  the     
 application    that isn't working? For example, if "ssh" isn't  able   
 to connect, using    the "-v" option gives you a lot of valuable      diagnostic 
    information.</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>Please include any of the Shorewall configuration  files    (especially 
      the    /etc/shorewall/hosts file if you have modified  that   file) 
 that  you    think are    relevant.</b></h3>
   </li>
   <li>     
    <h3><b>If an error occurs when you try   to "shorewall  start",    include 
 a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>      section 
 for    instructions).</b></h3>
     </li>
 </ul>
 <h3>                     </h3>
 <ul>
     <li>               
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
  your             network layout, etc to the Mailing List  -- your  post 
  will  be rejected.</b></h3>
     </li>
 </ul>
 <h3>                                     </h3>
 <h2>Please post in plain text</h2>
 <blockquote>
  <h3><b> While the list server here at shorewall.net accepts and distributes
 HTML posts, a growing number of MTAs serving list subscribers are rejecting
 this HTML list traffic. At least one MTA has gone so far as to blacklist
 shorewall.net "for continuous abuse"!!</b></h3>
  <h3><b> I think that blocking all HTML is a rather draconian way to control
 spam and that the unltimate loser here is not the spammers but the list subscribers 
 whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
 help by restricting your list posts to plain text.</b></h3>
  <h3><b> And as a bonus, subscribers who use email clients like pine and
 mutt will be able to read your plain text posts whereas they are most likely
 simply ignoring your HTML posts.</b></h3>
  <h3><b> A final bonus for the use of HTML is that it cuts down the size
 of messages by a large percentage -- that is important when the same message
 must be sent 500 times over the slow DSL line connecting the list server
 to the internet.</b>   </h3>
 </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
 <h3></h3>
 <blockquote>         
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem 
 to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing 
 list</a>.</span></h4>
  <p>Otherwise, please post your question or problem to the <a
- href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; 
+ href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
-    there are lots of folks there who are willing to help you. Your question/problem 
+   </blockquote>
    description and their responses will be placed in the mailing list archives 
   to  help people who have a similar question or problem in the future.</p>
 <p>I don't look at problems sent to me directly but I try to spend some amount 
    of time each day responding to problems posted on the mailing list.</p>
-<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
+                   
 <p align="center"><big><font color="#ff0000"><b></b></font></big></p>
 <p>To Subscribe to the  mailing list go to <a
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
               .</p>
-<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
+ 
 <p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
   </p>
- 
+     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -39,11 +39,12 @@
    in one  of its more popular configurations:</p>
 <ul>
-          <li>Linux system used as a firewall/router for a small local network.</li>
+             <li>Linux system used as a firewall/router for a small local 
 network.</li>
             <li>Single public IP address.</li>
             <li>DMZ connected to a separate ethernet interface.</li>
-          <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
+             <li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
-   ...</li>
+dial-up,     ...</li>
 </ul>
@ -55,43 +56,47 @@
 <p>This guide assumes that you have the iproute/iproute2 package installed
     (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
- if  this  package is installed by the presence of an <b>ip</b> program on 
+   if  this  package is installed by the presence of an <b>ip</b> program
- your  firewall  system. As root, you can use the 'which' command to check 
+on   your  firewall  system. As root, you can use the 'which' command to
- for this  program:</p>
+check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the guide    to familiarize yourself
     with what's involved then go back through it again  making your configuration
-   changes. Points at which configuration changes are  recommended are flagged 
+     changes. Points at which configuration changes are  recommended are
-   with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
          </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-            If you edit your configuration files on a Windows system, you 
+               If you edit your configuration files on a Windows system,
-must   save them as  Unix files if your editor supports that option or you 
+you   must   save them as  Unix files if your editor supports that option
-must  run them through  dos2unix before trying to use them. Similarly, if 
+or you   must  run them through  dos2unix before trying to use them. Similarly,
-you copy  a configuration file  from your Windows hard drive to a floppy disk,
+if   you copy  a configuration file  from your Windows hard drive to a floppy
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+ disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
-          <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
+             <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
   of    dos2unix</a></li>
          <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
 Version     of    dos2unix</a></li>
             <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version 
 of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
-/etc/shorewall -- for simple setups, you will only need to deal with a few
+ alt="">
-of  these as described in this guide.  After you have <a
+      The configuration files for Shorewall are contained in the directory
- href="Install.htm">installed Shorewall</a>,  download the <a
+  /etc/shorewall -- for simple setups, you will only need to deal with a
 few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
-   sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy the 
+     sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy
-  files to /etc/shorewall  (the files will replace files with the same names 
+the    files to /etc/shorewall  (the files will replace files with the same
-  that were placed in  /etc/shorewall when Shorewall was installed).</p>
+names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
     file on your system -- each file contains detailed  configuration instructions
@ -133,11 +138,11 @@ following   zone names are used:</p>
     in  terms of zones.</p>
 <ul>
-          <li>You express your default policy for connections from one zone 
+             <li>You express your default policy for connections from one 
- to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
        </a>file.</li>
-          <li>You define exceptions to those default policies in the   <a
+             <li>You define exceptions to those default policies in the 
- href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+     <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -190,8 +195,8 @@ following   zone names are used:</p>
 <blockquote>                               
  <p>In the three-interface sample, the line below is included but commented
-   out. If  you want your firewall system to have full access to servers on
+     out. If  you want your firewall system to have full access to servers
-  the internet,  uncomment that line.</p>
+ on   the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -218,10 +223,10 @@ following   zone names are used:</p>
 <p>The above policy will:</p>
 <ol>
-          <li>allow all connection requests from your local network to the
+             <li>allow all connection requests from your local network to 
- internet</li>
+the   internet</li>
-          <li>drop (ignore) all connection requests from the internet to
+             <li>drop (ignore) all connection requests from the internet
-your   firewall     or local network</li>
+to  your   firewall     or local network</li>
             <li>optionally accept all connection requests from the firewall
  to  the     internet (if you uncomment the additional policy)</li>
             <li>reject all other connection requests.</li>
@ -243,10 +248,10 @@ any   changes  that you  wish.</p>
      will be the ethernet adapter that is connected to that "Modem" (e.g.,
  <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
  <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-<u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External Interface
+  <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External
-will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular
+ Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
-modem, your External  Interface will also be <b>ppp0</b>. If you connect
+ a regular modem, your External  Interface will also be <b>ppp0</b>. If you
-using ISDN,   you external  interface will be <b>ippp0.</b></p>
+ connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -255,32 +260,32 @@ using ISDN,   you external  interface will be <b>ippp0.</b></p>
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
-    eth1 or eth2) and will be connected to a hub or switch. Your local computers 
+      eth1 or eth2) and will be connected to a hub or switch. Your local
-    will be connected to the same switch (note: If you have only a single 
+computers       will be connected to the same switch (note: If you have only
-local   system,  you can connect the firewall directly to the computer using 
+a single   local   system,  you can connect the firewall directly to the
-a <i>cross-over   </i> cable).</p>
+computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
-   (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
+     (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your
-  computers will  be connected to the same switch (note: If you have only 
+DMZ    computers will  be connected to the same switch (note: If you have
-a  single DMZ system,  you can connect the firewall directly to the computer 
+only  a  single DMZ system,  you can connect the firewall directly to the
-  using a <i>cross-over </i> cable).</p>
+computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-       </b></u>Do not connect more than one interface  to the same hub or 
+          </b></u>Do not connect more than one interface  to the same hub 
-switch    (even for testing). It won't work the way that you  expect it to 
+or  switch    (even for testing). It won't work the way that you  expect it
-and you   will end up confused and  believing that Shorewall doesn't work 
+to  and you   will end up confused and  believing that Shorewall doesn't
-at all.</p>
+ work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-           The Shorewall three-interface sample configuration assumes that
+              The Shorewall three-interface sample configuration assumes
-  the   external interface is <b>eth0, </b>the local interface is <b>eth1
+that    the   external interface is <b>eth0, </b>the local interface is <b>eth1 
 </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is different,
   you will have to modify the sample  /etc/shorewall/interfaces file accordingly.
-   While you are there, you may wish to  review the list of options that are
+    While you are there, you may wish to  review the list of options that
-   specified for the interfaces. Some hints:</p>
+are    specified for the interfaces. Some hints:</p>
 <ul>
             <li>                                                     
@ -289,8 +294,8 @@ at all.</p>
            </li>
            <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
-   or if you have a static IP    address, you can remove "dhcp" from the option
+     or if you have a static IP    address, you can remove "dhcp" from the
-   list. </p>
+ option    list. </p>
            </li>
 </ul>
@ -298,17 +303,18 @@ at all.</p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet
-    Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
+      Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
-   <i> Public</i> IP address. This address may be assigned via the<i> Dynamic
+a  single    <i> Public</i> IP address. This address may be assigned via
-   Host  Configuration Protocol</i> (DHCP) or as part of establishing your
+the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
- connection   when you dial in (standard modem) or establish your PPP connection.
+establishing  your  connection   when you dial in (standard modem) or establish
- In rare   cases, your ISP may assign you a<i> static</i> IP address; that
+your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
- means that  you  configure your firewall's external interface to use that
+IP address; that  means that  you  configure your firewall's external interface
- address permanently.<i>  </i>Regardless of how the address is assigned,
+to use that  address permanently.<i>  </i>Regardless of how the address is
-it  will be shared by all of your  systems when you access the Internet.
+assigned, it  will be shared by all of your  systems when you access the
-You will have to assign your  own addresses  for your internal network (the
+Internet. You will have to assign your  own addresses  for your internal
-local and DMZ Interfaces on  your firewall plus your other  computers). RFC
+network (the local and DMZ Interfaces on  your firewall plus your other 
-1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
+computers). RFC 1918 reserves several <i>Private  </i>IP address ranges for
 this  purpose:</p>
 <div align="left">             
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -331,10 +337,10 @@ range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
  Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet
    Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>
  <i>Address</i>.  In Shorewall,  a subnet is described using <a
- href="subnet_masks.htm"><i>Classless  InterDomain Routing </i>(CIDR)</a> 
+ href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
-notation with consists of the subnet address  followed    by "/24". The "24" 
+</i>(CIDR)</a>   notation with consists of the subnet address  followed 
-refers to the number of    consecutive "1"  bits from the left of the subnet 
+  by "/24". The "24"  refers to the number of    consecutive "1"  bits from
-mask. </p>
+the left of the subnet  mask. </p>
          </div>
 <div align="left">             
@ -384,16 +390,16 @@ mask. </p>
 <div align="left">             
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-           Your local  computers    (Local Computers 1 &amp; 2) should be 
+              Your local  computers    (Local Computers 1 &amp; 2) should 
-configured    with their<i>    default gateway</i> set to the IP address of
+be  configured    with their<i>    default gateway</i> set to the IP address
-the firewall's    internal interface    and your DMZ computers ( DMZ Computers 
+ of the firewall's    internal interface    and your DMZ computers ( DMZ
-1 &amp; 2)  should  be configured with their    default gateway set to the 
+Computers   1 &amp; 2)  should  be configured with their    default gateway
-IP address  of the firewall's DMZ interface.   </p>
+set to the   IP address  of the firewall's DMZ interface.   </p>
          </div>
 <p align="left">The foregoing short discussion barely scratches the surface
-    regarding subnetting and routing. If you are interested in learning more 
+      regarding subnetting and routing. If you are interested in learning
-   about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
+more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
     What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
    A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
@ -410,24 +416,24 @@ IP address  of the firewall's DMZ interface.
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-   to as <i>non-routable</i> because the Internet backbone routers don't forward
+     to as <i>non-routable</i> because the Internet backbone routers don't
-   packets  which have an RFC-1918 destination address. When one of your
+ forward    packets  which have an RFC-1918 destination address. When one
-local    systems  (let's assume local computer 1) sends a connection request
+of your local    systems  (let's assume local computer 1) sends a connection
-to an   internet host, the  firewall must perform <i>Network Address Translation
+ request to an   internet host, the  firewall must perform <i>Network Address
-  </i>(NAT). The firewall  rewrites the source address in the packet to be
+ Translation   </i>(NAT). The firewall  rewrites the source address in the
- the address of the firewall's  external interface; in other words, the firewall
+ packet to be  the address of the firewall's  external interface; in other
-  makes it look as if the firewall  itself is initiating the connection. 
+ words, the firewall   makes it look as if the firewall  itself is initiating
-This  is necessary so that the  destination host will be able to route return
+ the connection.  This  is necessary so that the  destination host will be
-packets   back to the firewall  (remember that packets whose destination
+ able to route return packets   back to the firewall  (remember that packets
-address is   reserved by RFC 1918 can't  be routed accross the internet).
+ whose destination address is   reserved by RFC 1918 can't  be routed accross
-When the firewall   receives a return packet, it  rewrites the destination
+ the internet). When the firewall   receives a return packet, it  rewrites
-address back to 10.10.10.1   and  forwards the packet on to local computer
+ the destination address back to 10.10.10.1   and  forwards the packet on
-1. </p>
+to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> and you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
             <li>                                                     
@ -437,8 +443,8 @@ address back to 10.10.10.1   and  forwards the packet on to local computer
            </li>
            <li>                                                     
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
-   the    source address that you want outbound packets from your local network 
+     the    source address that you want outbound packets from your local
-   to use.    </p>
+network     to use.    </p>
            </li>
 </ul>
@ -449,8 +455,8 @@ address back to 10.10.10.1   and  forwards the packet on to local computer
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
              If your external firewall interface is <b>eth0</b>, your local
- interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
+   interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
- not  need to  modify the file provided with the sample. Otherwise, edit
+do  not  need to  modify the file provided with the sample. Otherwise, edit 
  /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -458,19 +464,34 @@ address back to 10.10.10.1   and  forwards the packet on to local computer
              If your external IP  is static, you can enter it in the third 
 column    in the /etc/shorewall/masq entry  if you like although your firewall 
 will    work fine if you leave that column  empty. Entering your static IP
-in column    3 makes processing outgoing packets a  little more efficient.
+ in column    3 makes <br>
 processing outgoing packets a  little more efficient.<br>
 </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
      If you are using the Debian package, please check your shorewall.conf
 file to ensure that the following are set correctly; if they are not, change
 them appropriately:<br>
   </p>
 <ul>
   <li>NAT_ENABLED=Yes</li>
   <li>IP_FORWARDING=On<br>
    </li>
 </ul>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your
-   DMZ computers. Because these computers have RFC-1918 addresses, it is not
+     DMZ computers. Because these computers have RFC-1918 addresses, it is
-    possible for clients on the internet to connect directly to them. It
+ not     possible for clients on the internet to connect directly to them.
-is   rather  necessary for those clients to address their connection requests 
+ It is   rather  necessary for those clients to address their connection
- to your firewall  who rewrites the destination address to the address of 
+requests    to your firewall  who rewrites the destination address to the
-your server and forwards  the packet to that server. When your server responds, 
+address of   your server and forwards  the packet to that server. When your
-  the firewall automatically  performs SNAT to rewrite the source address 
+server responds,     the firewall automatically  performs SNAT to rewrite
-in  the response.</p>
+the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
     Destination Network Address Translation</i> (DNAT). You configure port 
@ -507,8 +528,8 @@ in  the response.</p>
  </table>
           </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
-the same  as <i>&lt;port&gt;</i>.</p>
+be the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
      TCP port 80 to that system:</p>
@ -554,9 +575,9 @@ the same  as <i>&lt;port&gt;</i>.</p>
 <ul>
             <li>When you are connecting to your server from your local systems,
    you  must    use the server's internal IP address (10.10.11.2).</li>
-          <li>Many ISPs block incoming connection requests to port 80. If 
+             <li>Many ISPs block incoming connection requests to port 80. 
-you   have     problems connecting to your web server, try the following rule
+If  you   have     problems connecting to your web server, try the following
-and  try     connecting to port 5000 (e.g., connect to <a
+ rule and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your
     external IP).</li>
@ -590,8 +611,8 @@ and  try     connecting to port 5000 (e.g., connect to <a
           </blockquote>
 <p>If you want to be able  to access your server from the local network using
-   your external address, then  if you have a static external IP you can replace
+     your external address, then  if you have a static external IP you can
-   the loc-&gt;dmz rule above with:</p>
+ replace    the loc-&gt;dmz rule above with:</p>
 <blockquote>                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -621,8 +642,8 @@ and  try     connecting to port 5000 (e.g., connect to <a
           </blockquote>
 <p>If you have a dynamic ip then you must ensure that your external interface
-   is  up before starting Shorewall and you must take steps as follows (assume 
+     is  up before starting Shorewall and you must take steps as follows
-   that  your external interface is <b>eth0</b>):</p>
+(assume      that  your external interface is <b>eth0</b>):</p>
 <ol>
             <li>Include the following in /etc/shorewall/params:<br>
@ -673,35 +694,36 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p align="left">Normally, when you connect to your ISP, as part of getting
     an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
    will be  automatically configured (e.g., the /etc/resolv.conf file will
-be  written).  Alternatively, your ISP may have given you the IP address of
+  be  written).  Alternatively, your ISP may have given you the IP address
-a  pair of DNS <i> name servers</i> for you to manually configure as your 
+ of a  pair of DNS <i> name servers</i> for you to manually configure as
- primary  and secondary  name servers. It is <u>your</u> responsibility to 
+your    primary  and secondary  name servers. It is <u>your</u> responsibility
- configure  the resolver in your  internal systems. You can take one of two 
+to   configure  the resolver in your  internal systems. You can take one
- approaches:</p>
+of two   approaches:</p>
 <ul>
             <li>                                                     
    <p align="left">You can configure your internal systems to use your ISP's
-   name    servers. If you ISP gave you the addresses of their servers or 
+     name    servers. If you ISP gave you the addresses of their servers
-if   those    addresses are available on their web site, you can configure 
+or   if   those    addresses are available on their web site, you can configure
-your   internal    systems to use those addresses. If that information isn't 
+  your   internal    systems to use those addresses. If that information
-available,   look in    /etc/resolv.conf on your firewall system -- the name 
+isn't   available,   look in    /etc/resolv.conf on your firewall system
-servers are  given in    "nameserver" records in that file.   </p>
+-- the name  servers are  given in    "nameserver" records in that file.
  </p>
            </li>
            <li>                                                     
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
              You can configure a<i> Caching Name Server </i>on your    firewall
-  or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
+    or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
-  also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
+(which     also     requires the 'bind' RPM) and for Bering users, there
-  If you    take this approach, you configure your internal systems to use 
+is dnscache.lrp.     If you    take this approach, you configure your internal
- the caching    name server as their primary (and only) name server. You use
+systems to use    the caching    name server as their primary (and only)
- the internal IP    address of the firewall (10.10.10.254 in the example above)
+name server. You  use  the internal IP    address of the firewall (10.10.10.254
-   for the name    server address if you choose to run the name server on
+in the example  above)    for the name    server address if you choose to
-your   firewall. To allow your local systems to talk to your caching name 
+run the name server  on your   firewall. To allow your local systems to talk
-   server,   you must open port 53 (both UDP and TCP) from the local network 
+to your caching name      server,   you must open port 53 (both UDP and TCP)
-to the    server; you do that by adding the rules in /etc/shorewall/rules. 
+from the local network   to the    server; you do that by adding the rules
-    </p>
+in /etc/shorewall/rules.       </p>
            </li>
 </ul>
@ -917,8 +939,8 @@ to the    server; you do that by adding the rules in /etc/shorewall/rules.
 <div align="left">             
 <p align="left">That rule allows you to run an SSH server on your firewall
-   and    in each of your DMZ systems and    to connect to those servers from
+     and    in each of your DMZ systems and    to connect to those servers
-   your local systems.</p>
+ from    your local systems.</p>
          </div>
 <div align="left">             
@ -1004,14 +1026,14 @@ to the    server; you do that by adding the rules in /etc/shorewall/rules.
          </div>
 <div align="left">             
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
          </div>
 <div align="left">             
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-      the internet because it uses clear text (even for login!). If you want 
+        the internet because it uses clear text (even for login!). If you
-   shell    access to your firewall from the internet, use SSH:</p>
+want     shell    access to your firewall from the internet, use SSH:</p>
          </div>
 <div align="left">             
@ -1073,8 +1095,8 @@ uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">             
 <p align="left">The firewall is started using the "shorewall start" command
-      and stopped using "shorewall stop". When the firewall is stopped, routing 
+        and stopped using "shorewall stop". When the firewall is stopped,
-   is    enabled on those hosts that have an entry in   <a
+routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
        running firewall may be restarted using the "shorewall restart" command.
     If    you want to totally remove any trace of Shorewall from your Netfilter
@ -1093,16 +1115,16 @@ of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
 <div align="left">             
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-   the    internet, do not issue a "shorewall stop" command unless you have 
+     the    internet, do not issue a "shorewall stop" command unless you
-  added an    entry for the IP address that you are connected from to   <a
+have     added an    entry for the IP address that you are connected from
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
   Also, I don't recommend using "shorewall restart"; it is better to create
     an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
     and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
          </div>
-<p align="left"><font size="2">Last updated 11/21/2002 - <a
+<p align="left"><font size="2">Last updated 12/20/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
@ -1115,5 +1137,8 @@ of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@ -20,6 +20,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
            </td>
          </tr>
@ -37,12 +38,12 @@ to provide the "ip" and "tc" utilities.</p>
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
 <ul>
-    <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic     Shaping 
+          <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
-also requires that you enable packet mangling.<br>
+    Shaping  also requires that you enable packet mangling.<br>
          </li>
          <li>/etc/shorewall/tcrules - A file where you can specify     firewall 
-marking of packets. The firewall mark value may be used to classify     packets 
+   marking of packets. The firewall mark value may be used to classify   
-for traffic shaping/control.<br>
+ packets  for traffic shaping/control.<br>
          </li>
          <li>/etc/shorewall/tcstart - A user-supplied file that is     sourced 
   by Shorewall during "shorewall start" and which you can     use to define 
@ -52,13 +53,24 @@ your traffic shaping disciplines and classes. I have provided     a <a
   the     HOWTO mentioned above, you can probably code your own faster than 
   you can     learn how to use my sample. I personally use <a
 href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see below). HTB
-     support may eventually become an integral part of Shorewall since HTB 
+        support may eventually become an integral part of Shorewall since
-is a     lot simpler and better-documented than CBQ. HTB is currently not 
+HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
-a standard     part of either the kernel or iproute2 so both must be patched 
+HTB is a standard     part of the kernel but iproute2 must be patched  in
-in order to     use it.<br>
+order  to     use it.<br>
            <br>
-      In tcstart, when you want to run the 'tc' utility, use the run_tc function
+            In tcstart, when you want to run the 'tc' utility, use the run_tc 
-     supplied by shorewall. <br>
+  function      supplied by shorewall if you want tc errors to stop the firewall.<br>
      <br>
  You can generally use off-the-shelf traffic shaping scripts by simply copying
 them to /etc/shorewall/tcstart. I use <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
 that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
 modified  it according to the Wonder Shaper README). <b>WARNING: </b>If you
 use use Masquerading or SNAT (i.e., you only have one external IP address)
 then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
 script won't work. Traffic shaping occurs after SNAT has already been applied
 so when traffic shaping happens, all outbound traffic will have as a source 
 address the IP addresss of your firewall's external interface.<br>
    </li>
          <li>/etc/shorewall/tcclear - A user-supplied file that is     sourced 
   by Shorewall when it is clearing traffic shaping. This file is     normally 
@ -78,8 +90,16 @@ is pretty general.</li>
 <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
 <p align="left">The fwmark classifier provides a convenient way to classify
- packets for traffic shaping. The /etc/shorewall/tcrules file provides a
+    packets for traffic shaping. The /etc/shorewall/tcrules file provides
-means  for specifying these marks in a tabular fashion.</p>
+a  means  for specifying these marks in a tabular fashion.<br>
 </p>
 <p align="left">Normally, packet marking occurs in the PREROUTING chain before
 any address rewriting takes place. This makes it impossible to mark inbound
 packets based on their destination address when SNAT or Masquerading are
 being used. Beginning with Shorewall 1.3.12, you can cause packet marking
 to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
 <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
 </p>
 <p align="left">Columns in the file are as follows:</p>
@ -89,35 +109,35 @@ a match. This is an integer in the range 1-255.<br>
            <br>
            Example - 5<br>
          </li>
-    <li>SOURCE - The source of the packet. If the packet originates     on 
+          <li>SOURCE - The source of the packet. If the packet originates 
-the firewall, place "fw" in this column. Otherwise, this is a     comma-separated 
+    on  the firewall, place "fw" in this column. Otherwise, this is a    
-list of interface names, IP addresses, MAC addresses in   <a
+comma-separated   list of interface names, IP addresses, MAC addresses in
- href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
+   <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
            <br>
            Examples<br>
                eth0<br>
                192.168.2.4,192.168.1.0/24<br>
          </li>
-    <li>DEST -- Destination of the packet. Comma-separated list of     IP 
+          <li>DEST -- Destination of the packet. Comma-separated list of
-addresses and/or subnets.<br>
+    IP  addresses and/or subnets.<br>
          </li>
-    <li>PROTO - Protocol - Must be the name of a protocol from     /etc/protocol, 
+          <li>PROTO - Protocol - Must be the name of a protocol from    
-a number or "all"<br>
+/etc/protocol,    a number or "all"<br>
          </li>
-    <li>PORT(S) - Destination Ports. A comma-separated list of Port     names 
+          <li>PORT(S) - Destination Ports. A comma-separated list of Port 
-(from /etc/services), port numbers or port ranges (e.g., 21:22); if     the 
+    names  (from /etc/services), port numbers or port ranges (e.g., 21:22);
-protocol is "icmp", this column is interpreted as the     destination icmp 
+  if     the  protocol is "icmp", this column is interpreted as the     destination 
-type(s).<br>
+  icmp  type(s).<br>
          </li>
-    <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If     omitted, 
+          <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
-any source port is acceptable. Specified as a comma-separate list     of port
+    omitted,  any source port is acceptable. Specified as a comma-separate
-names, port numbers or port ranges.</li>
+ list      of port names, port numbers or port ranges.</li>
 </ul>
 <p align="left">Example 1 - All packets arriving on eth1 should be marked 
-with 1. All packets arriving on eth2 should be marked with 2. All packets 
+   with 1. All packets arriving on eth2 and eth3 should be marked with 2. 
-originating on the firewall itself should be marked with 3.</p>
+All packets   originating on the firewall itself should be marked with 3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
          <tbody>
@ -145,6 +165,20 @@ originating on the firewall itself should be marked with 3.</p>
            <td> </td>
            <td> </td>
          </tr>
          <tr>
         <td valign="top">2<br>
         </td>
         <td valign="top">eth3<br>
         </td>
         <td valign="top">0.0.0.0/0<br>
         </td>
         <td valign="top">all<br>
         </td>
         <td valign="top"><br>
         </td>
         <td valign="top"><br>
         </td>
       </tr>
       <tr>
            <td>3</td>
            <td>fw</td>
@ -158,7 +192,8 @@ originating on the firewall itself should be marked with 3.</p>
 </table>
 <p align="left">Example 2 - All GRE (protocol 47) packets not originating 
-on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
+   on the firewall and destined for 155.186.235.151 should be marked with 
 12.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
          <tbody>
@ -207,51 +242,52 @@ and destined for 155.186.235.151 should be marked with 22.</p>
  </tbody>       
 </table>
-<h3>Hierarchical Token Bucket</h3>
+<h3>My Setup<br>
  </h3>
-<p>I personally use HTB. I have found a couple of things that may be of use 
+<p>While I am currently using the HTB version of <a
-to others.</p>
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
-   
+wshaper.htb  to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
-<ul>
+README),  I have also run with the following set of hand-crafted rules in
-    <li>The gzipped tc binary at the <a
+my tcstart  file:<br>
- href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB     website</a> didn't work
+  </p>
 for me -- I had to download the lastest version of     the <a
 href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch    
 them for HTB.</li>
    <li>I'm currently      running with this set of shaping rules in my tcstart
 file. I recently changed from using a ceiling of 10Mbit (interface speed)
 to 384kbit (DSP Uplink speed).<br>
    <br>
  </li>
 </ul>
 <blockquote>      
-  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
+  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
-  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
+  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
-  <pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
+  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
-  <pre>echo "   Enabled SFQ on Second Level Classes"</pre>
+  <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
-  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
+  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
  <pre>echo "   Defined fwmark filters"<br></pre>
  <p>My tcrules file is shown in Example 1 above. You can look at my <a
 href="myfiles.htm">network   configuration</a> to get an idea of why I want 
 these particular rules.<font face="Courier" size="2"><br>
    </font></p>
                  </blockquote>
-<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p>My tcrules file that went with this tcstart file is shown in Example 1
 above. You can look at my <a href="myfiles.htm">network   configuration</a>
 to get an idea of why I wanted   these particular rules.<br>
   </p>
 <ol>
     <li>I wanted to allow up to 140kbits/second for traffic outbound from
 my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
 can  use all available bandwidth if there is no traffic from the local systems 
 or from my laptop or firewall).</li>
     <li>My laptop and local systems could use up to 224kbits/second.</li>
     <li>My firewall could use up to 20kbits/second.<br>
     </li>
 </ol>
 <p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-   <br>
+</p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@ -18,7 +18,11 @@
               <tbody>
          <tr>
                 <td width="100%">                                      
-      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
+              
      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
 src="images/obrasinf.gif" alt="Beating head on table" width="90"
 height="90" align="middle">
        </font></h1>
                 </td>
               </tr>
@ -37,16 +41,34 @@ of  the   firewall.</p>
   problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
-        If you receive an error message when starting or restarting the firewall
+            If you receive an error message when starting or restarting the 
- and you can't determine the cause, then do the following:     
+ firewall  and you can't determine the cause, then do the following:     
 <ul>
           <li>Make a note of the error message that you see.<br>
  </li>
  <li>shorewall debug start 2&gt; /tmp/trace</li>
-       <li>Look at the /tmp/trace file and see if that helps you     determine
+           <li>Look at the /tmp/trace file and see if that helps you    
- what the problem is.</li>
+determine    what the problem is. Be sure you find the place in the log where
-       <li>If you still can't determine what's wrong then see the     <a
+the error message you saw is generated -- in 99.9% of the cases, it will
- href="support.htm">support page</a>.</li>
+not be near the end of the log because after startup errors, Shorewall goes
 through a "shorewall stop" phase which will also be traced.</li>
           <li>If you still can't determine what's wrong then see the   
     <a href="support.htm">support page</a>.</li>
 </ul>
 Here's an example. During startup, a user sees the following:<br>
 <blockquote>
  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
 </blockquote>
 A search through the trace for "No chain/target/match by that name" turned
 up the following: 
 <blockquote>
  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
 </blockquote>
 The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
 tcp-reset". In this case, the user had compiled his own kernel and had forgotten
 to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) 
 <h3>Your network environment</h3>
@ -55,8 +77,8 @@ of  the   firewall.</p>
  </p>
 <ul>
-       <li>Port           Forwarding where client and server are in the same
+           <li>Port           Forwarding where client and server are in the 
- subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+ same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
           <li>Changing the IP address of a local system to be in the external
   subnet,      thinking that Shorewall will suddenly believe that the system
   is in the      'net' zone.</li>
@ -80,10 +102,10 @@ that you forget to remove them later.</p>
   will        generate when you try to connect in a way that isn't permitted
   by your        rule set.</p>
-<p align="left">Check your log. If you don't see Shorewall  messages, then
+<p align="left">Check your log ("/sbin/shorewall show log"). If you don't 
- your problem is probably NOT a Shorewall problem. If you DO see packet messages,
+ see Shorewall  messages, then  your problem is probably NOT a Shorewall problem.
- it may be an indication that you are missing one or more rules -- see <a
+ If you DO see packet messages,  it may be an indication that you are missing
- href="FAQ.htm#faq17">FAQ 17</a>.</p>
+ one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear 
         two variables in /etc/shorewall/shorewall.conf:</p>
@ -96,16 +118,18 @@ that you forget to remove them later.</p>
 <p align="left">Example:</p>
            <font face="Century Gothic, Arial, Helvetica">              
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
- LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
+   LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53
 LEN=47</font></p>
               </font>                
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
-       <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
+           <li>all2all:REJECT - This packet was REJECTed out of the all2all 
- -- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
+ chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT policy 
-     <a href="FAQ.htm#faq17">FAQ 17).</a></li>
+ (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
           <li>IN=eth2 - the packet entered the firewall via eth2</li>
           <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
           <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -128,42 +152,42 @@ about how to interpret the chain name appearing in a Shorewall log message.<br>
 <h3 align="left">Other Gotchas</h3>
 <ul>
-       <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
+           <li>Seeing rejected/dropped packets logged out of the INPUT or 
-      chains? This means that:          
+FORWARD        chains? This means that:                              
    <ol>
-         <li>your zone definitions are screwed up and the host that is sending
+             <li>your zone definitions are screwed up and the host that is
- the        packets or the destination host isn't in any zone (using an 
+ sending   the        packets or the destination host isn't in any zone (using
-     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
+ an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
-you?);         or</li>
+are you?);         or</li>
-         <li>the source and destination hosts are both connected to the same
+             <li>the source and destination hosts are both connected to the 
-        interface and that interface doesn't have the 'multi' option specified
+ same         interface and that interface doesn't have the 'multi' option 
- in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+ specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
           </li>
-       <li>Remember that Shorewall doesn't automatically allow ICMP     type
+           <li>Remember that Shorewall doesn't automatically allow ICMP 
- 8 ("ping") requests to be sent between zones. If you want     pings to be
+   type  8 ("ping") requests to be sent between zones. If you want     pings 
- allowed between zones, you need a rule of the form:<br>
+ to be  allowed between zones, you need a rule of the form:<br>
            <br>
                ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
   icmp        echo-request<br>
            <br>
-        The ramifications of this can be subtle. For example, if you have 
+            The ramifications of this can be subtle. For example, if you
-the      following in /etc/shorewall/nat:<br>
+have   the      following in /etc/shorewall/nat:<br>
            <br>
                10.1.1.2    eth0        130.252.100.18<br>
            <br>
-        and you ping 130.252.100.18, unless you have allowed icmp type 8
+            and you ping 130.252.100.18, unless you have allowed icmp type
-between  the     zone containing the system you are pinging from and the
+ 8  between  the     zone containing the system you are pinging from and
-zone containing       10.1.1.2, the ping requests will be dropped. This is
+the  zone containing       10.1.1.2, the ping requests will be dropped. This
-true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
+is  true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
           <li>If you specify "routefilter" for an interface,     that interface
   must be up prior to starting the firewall.</li>
           <li>Is your routing correct? For example, internal systems usually 
  need to      be configured with their default gateway set to the IP address 
-of their      nearest firewall interface. One often overlooked aspect of routing
+  of their      nearest firewall interface. One often overlooked aspect of 
-is that      in order for two hosts to communicate, the routing between them
+ routing is that      in order for two hosts to communicate, the routing between
-must be set      up <u>in both directions.</u> So when setting up routing
+ them must be set      up <u>in both directions.</u> So when setting up routing
  between <b>A</b>      and<b> B</b>, be sure to verify that the route from
      <b>B</b> back to <b>A</b>      is defined.</li>
           <li>Some versions of LRP (EigerStein2Beta for example) have a
@ -172,17 +196,17 @@ shell  with broken variable expansion. <a
   shell from the Shorewall Errata download site.</a>     </li>
           <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-       <li>Some features require the "ip" program. That     program is generally
+           <li>Some features require the "ip" program. That     program is
- included in the "iproute" package which should     be included with your
+ generally   included in the "iproute" package which should     be included
-distribution (though many distributions don't install     iproute by    
+ with your  distribution (though many distributions don't install     iproute
-default). You may also download the latest source tarball from <a
+ by     default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
   .</li>
           <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
   then the zone must be entirely   defined in /etc/shorewall/hosts unless
 you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
-For example, if a zone has two interfaces but   only one interface has an
+  For example, if a zone has two interfaces but   only one interface has
-entry in /etc/shorewall/hosts then hosts attached to   the other interface
+an   entry in /etc/shorewall/hosts then hosts attached to   the other interface
  will     <u>not</u> be considered part of the zone.</li>
           <li>Problems with NAT? Be sure that you let Shorewall add all
    external  addresses to be use with NAT unless you have set <a
@ -194,12 +218,17 @@ external  addresses to be use with NAT unless you have set <a
 <p>See the<a href="support.htm"> support page.</a></p>
              <font face="Century Gothic, Arial, Helvetica">            
 <blockquote> </blockquote>
               </font>                  
-<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -22,6 +22,7 @@
            <tbody>
             <tr>
              <td width="100%">                                         
      <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
              </td>
            </tr>
@ -38,10 +39,11 @@
   in its  most common configuration:</p>
 <ul>
-        <li>Linux system used as a firewall/router for a small local network.</li>
+            <li>Linux system used as a firewall/router for a small local
 network.</li>
            <li>Single public IP address.</li>
-        <li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
+            <li>Internet connection through cable modem, DSL, ISDN, Frame 
-  dial-up    ...</li>
+Relay,    dial-up    ...</li>
 </ul>
@ -51,6 +53,12 @@
 height="635">
         </p>
 <p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily 
 configure the above setup using the Mandrake "Internet Connection Sharing" 
 applet. From the Mandrake Control Center, select "Network &amp; Internet" 
 then "Connection Sharing". You should not need to refer to this guide.</b><br>
   </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
    (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
  if  this  package is installed by the presence of an <b>ip</b> program on
@ -62,33 +70,37 @@ for this  program:</p>
 <p>I recommend that you first read through the  guide to familiarize yourself 
    with what's involved then go back through it again  making your configuration 
    changes. Points at which configuration changes are  recommended are flagged 
-  with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+    with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-          If you edit your configuration files on a Windows system, you must
+              If you edit your configuration files on a Windows system, you 
-  save them as  Unix files if your editor supports that option or you must
+ must   save them as  Unix files if your editor supports that option or you 
- run them through  dos2unix before trying to use them. Similarly, if you
+ must  run them through  dos2unix before trying to use them. Similarly, if 
-copy  a configuration file  from your Windows hard drive to a floppy disk,
+ you copy  a configuration file  from your Windows hard drive to a floppy 
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
-        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
+            <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
  of    dos2unix</a></li>
        <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
 Version     of    dos2unix</a></li>
            <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
 of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
-/etc/shorewall -- for simple setups, you will only need to deal with a few
+ alt="">
-of  these as described in this guide.  After you have <a
+      The configuration files for Shorewall are contained in the directory
- href="Install.htm">installed Shorewall</a>,  download the <a
+  /etc/shorewall -- for simple setups, you will only need to deal with a
 few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
    un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall 
-   (these files will replace files with the same name).</p>
+     (these files will replace files with the same name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual 
    file on your system -- each file contains detailed  configuration instructions 
@ -127,11 +139,11 @@ of  these as described in this guide.  After you have <a
    in  terms of zones.</p>
 <ul>
-        <li>You express your default policy for connections from one zone 
+            <li>You express your default policy for connections from one
-to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
        </a>file.</li>
-        <li>You define exceptions to those default policies in the   <a
+            <li>You define exceptions to those default policies in the  
- href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+    <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -139,8 +151,8 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
    checked against the  /etc/shorewall/rules file. If no rule in that file 
  matches  the connection  request then the first policy in /etc/shorewall/policy 
  that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common (the
+  the request is first  checked against the rules in /etc/shorewall/common 
-samples provide that  file for you).</p>
+ (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the two-interface sample has
 the  following policies:</p>
@ -184,8 +196,8 @@ the  following policies:</p>
 <blockquote>                            
  <p>In the two-interface sample, the line below is included but commented 
-  out. If  you want your firewall system to have full access to servers on 
+    out. If  you want your firewall system to have full access to servers 
- the internet,  uncomment that line.</p>
+on   the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -212,19 +224,19 @@ the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-        <li>allow all connection requests from your local network to the
+            <li>allow all connection requests from your local network to
-internet</li>
+the   internet</li>
-        <li>drop (ignore) all connection requests from the internet to your 
+            <li>drop (ignore) all connection requests from the internet to
- firewall     or local network</li>
+ your   firewall     or local network</li>
-        <li>optionally accept all connection requests from the firewall to
+            <li>optionally accept all connection requests from the firewall 
- the     internet (if you uncomment the additional policy)</li>
+ to  the     internet (if you uncomment the additional policy)</li>
            <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-         At this point, edit your /etc/shorewall/policy and make any changes
+             At this point, edit your /etc/shorewall/policy and make any
-  that you  wish.</p>
+changes     that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -237,16 +249,16 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
 will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
     over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-   <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
+    <u>P</u>rotocol </i>(PPTP) in which case the External Interface will
- a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
+be   a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
  your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
  your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-         If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then 
+             If your external interface is <b>ppp0</b>  or<b> ippp0</b> 
-you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> 
+then   you   will want to  set CLAMPMSS=yes in <a
-/etc/shorewall/shorewall.conf.</a></p>
+ href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter 
    (eth1  or eth0) and will be connected to a hub or switch. Your other computers
@ -256,19 +268,19 @@ using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-     </b></u>Do not connect the internal and external interface  to the same
+         </b></u>Do not connect the internal and external interface  to the 
-  hub or switch (even for testing). It won't work the way that you think
+ same   hub or switch (even for testing). It won't work the way that you think
 that   it will and you will end up confused and  believing that Shorewall
  doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-         The Shorewall two-interface sample configuration assumes that  the 
+             The Shorewall two-interface sample configuration assumes that
- external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>. 
+  the   external  interface is <b>eth0</b> and the internal interface is
-  If your  configuration is different, you will have to modify the sample 
+<b>eth1</b>.     If your  configuration is different, you will have to modify
- <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file 
+the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
- accordingly.  While you are there, you may wish to  review the list of options 
+file    accordingly.  While you are there, you may wish to  review the list
- that are  specified for the interfaces. Some hints:</p>
+of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
            <li>                                                
@ -277,8 +289,8 @@ doesn't   work at all.</p>
           </li>
           <li>                                                
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-  or if you have a static IP    address, you can remove "dhcp" from the option 
+    or if you have a static IP    address, you can remove "dhcp" from the 
-  list. </p>
+option    list. </p>
           </li>
 </ul>
@ -286,17 +298,17 @@ doesn't   work at all.</p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet 
-   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
+     Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a 
-  <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
+single    <i> Public</i> IP address. This address may be assigned via the<i> 
-  Host  Configuration Protocol</i> (DHCP) or as part of establishing your 
+Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing 
-connection   when you dial in (standard modem) or establish your PPP connection. 
+your  connection   when you dial in (standard modem) or establish your PPP 
-In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
+connection.  In rare   cases, your ISP may assign you a<i> static</i> IP address;
-means that  you  configure your firewall's external interface to use that 
+that  means that  you  configure your firewall's external interface to use
-address permanently.<i>  </i>However your external address is assigned, it 
+that  address permanently.<i>  </i>However your external address is assigned,
-will be shared by all of your systems when you access the  Internet. You will
+it  will be shared by all of your systems when you access the  Internet.
-have to assign your  own addresses in your  internal network (the Internal 
+You will have to assign your  own addresses in your  internal network (the
-Interface on your firewall  plus your other  computers). RFC 1918 reserves 
+Internal  Interface on your firewall  plus your other  computers). RFC 1918
-several <i>Private </i>IP address ranges for this  purpose:</p>
+reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">            
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -307,8 +319,8 @@ several <i>Private </i>IP address ranges for this  purpose:</p>
 height="13">
                Before starting Shorewall, you should look at the IP address
  of  your  external    interface and if it is one of the above ranges, you
-should  remove  the    'norfc1918' option from the external interface's entry
+  should  remove  the    'norfc1918' option from the external interface's
-in    /etc/shorewall/interfaces.</p>
+entry  in    /etc/shorewall/interfaces.</p>
         </div>
 <div align="left">            
@ -317,11 +329,11 @@ in    /etc/shorewall/interfaces.</p>
       to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet 
    will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 
  is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as
-the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
+  the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
- using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
+ described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
- notation</a> with consists of the subnet address followed    by "/24". The
+InterDomain Routing  </i>(CIDR)  notation</a> with consists of the subnet
- "24" refers to the number of    consecutive leading "1" bits from the left
+address followed    by "/24". The  "24" refers to the number of    consecutive
- of the subnet mask. </p>
+leading "1" bits from the left  of the subnet mask. </p>
         </div>
 <div align="left">            
@ -372,8 +384,9 @@ systems send packets    through a<i>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
             Your local computers (computer    1 and computer 2 in the above
-diagram)   should be configured with their<i>    default gateway</i> to be
+  diagram)   should be configured with their<i>    default gateway</i> to
-the IP address   of the firewall's internal    interface.<i>      </i> </p>
+be  the IP address   of the firewall's internal    interface.<i>      </i>
 </p>
         </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -394,18 +407,18 @@ the IP address   of the firewall's internal    interface.<i>
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
-  to as <i>non-routable</i> because the Internet backbone routers don't forward 
+    to as <i>non-routable</i> because the Internet backbone routers don't 
-  packets  which have an RFC-1918 destination address. When one of your local 
+forward    packets  which have an RFC-1918 destination address. When one of
-  systems  (let's assume computer 1) sends a connection request to an internet 
+your local    systems  (let's assume computer 1) sends a connection request 
-  host, the  firewall must perform <i>Network Address Translation </i>(NAT). 
+to an internet    host, the  firewall must perform <i>Network Address Translation 
-  The firewall  rewrites the source address in the packet to be the address 
+ </i>(NAT).    The firewall  rewrites the source address in the packet to 
-  of the firewall's  external interface; in other words, the firewall makes 
+be the address    of the firewall's  external interface; in other words, the
-  it look as if the firewall  itself is initiating the connection.  This is
+firewall makes    it look as if the firewall  itself is initiating the connection. 
-  necessary so that the  destination host will be able to route return packets
+This is   necessary so that the  destination host will be able to route return
-  back to the firewall  (remember that packets whose destination address
+packets   back to the firewall  (remember that packets whose destination
-is   reserved by RFC 1918 can't  be routed across the internet so the remote
+address is   reserved by RFC 1918 can't  be routed across the internet so
-host  can't address its response to  computer 1). When the firewall receives
+the remote host  can't address its response to  computer 1). When the firewall
-a return packet, it  rewrites the destination address  back to 10.10.10.1 
+receives a return packet, it  rewrites the destination address  back to 10.10.10.1
 and  forwards the packet on to computer 1. </p>
 <p align="left">On Linux systems, the above process is often referred to as<i>
@ -440,19 +453,32 @@ the  second column to the name of your internal interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-         If your external IP is  static, you can enter it in the third column 
+             If your external IP is  static, you can enter it in the third
-  in the /etc/shorewall/masq entry if  you like although your firewall will 
+ column    in the /etc/shorewall/masq entry if  you like although your firewall
-  work fine if you leave that column empty.  Entering your static IP in column 
+ will    work fine if you leave that column empty.  Entering your static
-  3 makes processing outgoing packets a little  more efficient. </p>
+IP  in column    3 makes processing outgoing packets a little  more efficient.<br>
 <br>
 <img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
     If you are using the Debian package, please check your shorewall.conf 
 file to ensure that the following are set correctly; if they are not, change 
 them appropriately:<br>
 </p>
 <ul>
   <li>NAT_ENABLED=Yes</li>
   <li>IP_FORWARDING=On<br>
   </li>
 </ul>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals may be to run one or more servers on your 
-   local computers. Because these computers have RFC-1918 addresses, it is 
+     local computers. Because these computers have RFC-1918 addresses, it 
- not  possible for clients on the internet to connect directly to them. It 
+is   not  possible for clients on the internet to connect directly to them. 
- is rather  necessary for those clients to address their connection requests 
+It   is rather  necessary for those clients to address their connection requests 
- to the firewall  who rewrites the destination address to the address of your
+   to the firewall  who rewrites the destination address to the address of 
-  server and forwards  the packet to that server. When your server responds, 
+ your   server and forwards  the packet to that server. When your server responds,
    the firewall automatically  performs SNAT to rewrite the source address
  in  the response.</p>
@ -524,14 +550,14 @@ in  the response.</p>
 <p>A couple of important points  to keep in mind:</p>
 <ul>
-        <li>You must test the above rule from a client outside of your local
+            <li>You must test the above rule from a client outside of your
-  network    (i.e., don't test from a browser running on computers 1 or 2
+ local    network    (i.e., don't test from a browser running on computers
-or  on the    firewall). If you want to be able to access your web server
+ 1 or 2  or  on the    firewall). If you want to be able to access your web
-using  the IP    address of your external interface, see <a
+ server  using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-        <li>Many ISPs block incoming connection requests to port 80. If you 
+            <li>Many ISPs block incoming connection requests to port 80.
- have     problems connecting to your web server, try the following rule and
+If  you   have     problems connecting to your web server, try the following 
- try     connecting to port 5000.</li>
+rule and  try     connecting to port 5000.</li>
 </ul>
@ -563,16 +589,16 @@ using  the IP    address of your external interface, see <a
          </blockquote>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
-         At this point, modify  /etc/shorewall/rules to add any DNAT rules
+             At this point, modify  /etc/shorewall/rules to add any DNAT
- that  you require.</p>
+rules    that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
    an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
- will be  automatically configured (e.g., the /etc/resolv.conf file will be
+   will be  automatically configured (e.g., the /etc/resolv.conf file will 
- written).  Alternatively, your ISP may have given you the IP address of
+ be  written).  Alternatively, your ISP may have given you the IP address 
-a  pair of DNS <i> name servers</i> for you to manually configure as your 
+of a  pair of DNS <i> name servers</i> for you to manually configure as your 
  primary  and secondary  name servers. Regardless of how DNS gets configured 
  on your  firewall, it is <u>your</u> responsibility to configure the resolver 
  in your   internal systems. You can take one of two approaches:</p>
@ -580,25 +606,25 @@ in your   internal systems. You can take one of two approaches:</p>
 <ul>
            <li>                                                
    <p align="left">You can configure your internal systems to use your ISP's 
-  name    servers. If you ISP gave you the addresses of their servers or if
+    name    servers. If you ISP gave you the addresses of their servers or 
-  those    addresses are available on their web site, you can configure your
+ if   those    addresses are available on their web site, you can configure 
-  internal    systems to use those addresses. If that information isn't available,
+ your   internal    systems to use those addresses. If that information isn't 
-  look in    /etc/resolv.conf on your firewall system -- the name servers
+ available,   look in    /etc/resolv.conf on your firewall system -- the name
-are  given in    "nameserver" records in that file.   </p>
+ servers are  given in    "nameserver" records in that file.   </p>
           </li>
           <li>                                                
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
             You can configure a<i> Caching Name Server </i>on your    firewall.<i> 
-      </i>Red Hat has an RPM for a caching name server (the RPM also    requires 
+        </i>Red Hat has an RPM for a caching name server (the RPM also   
-  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take
+requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
-  this approach, you configure your internal systems to use the firewall 
+you    take   this approach, you configure your internal systems to use the
-  itself as their primary (and only) name server. You use the internal IP 
+firewall    itself as their primary (and only) name server. You use the internal
-   address of the firewall (10.10.10.254 in the example above) for the name 
+IP     address of the firewall (10.10.10.254 in the example above) for the
-     server address. To allow your local systems to talk to your caching name
+name       server address. To allow your local systems to talk to your caching
-     server, you must open port 53 (both UDP and TCP) from the local network
+name      server, you must open port 53 (both UDP and TCP) from the local
-  to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
+network   to the    firewall; you do that by adding the following rules in
-      </p>
+/etc/shorewall/rules.       </p>
           </li>
 </ul>
@ -808,7 +834,8 @@ are  given in    "nameserver" records in that file.   </p>
 <div align="left">            
 <p align="left">Those two rules would of course be in addition to the rules 
-     listed above under "You can configure a Caching Name Server on your firewall"</p>
+       listed above under "You can configure a Caching Name Server on your 
 firewall"</p>
         </div>
 <div align="left">            
@ -854,8 +881,8 @@ uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-         Now edit your    /etc/shorewall/rules file to add or delete other
+             Now edit your    /etc/shorewall/rules file to add or delete
- connections  as required.</p>
+other    connections  as required.</p>
         </div>
 <div align="left">            
@ -869,7 +896,8 @@ uses, look <a href="ports.htm">here</a>.</p>
    your system to start Shorewall at system boot  but beginning with Shorewall
   version 1.3.9 startup is disabled so that your system won't try to start
  Shorewall before configuration is complete. Once you have completed configuration
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+  of your firewall, you can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
         </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -891,10 +919,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-         The two-interface sample assumes that you want to enable    routing
+             The two-interface sample assumes that you want to enable   
-  to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If 
+routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
-  your local network isn't connected to <b>eth1</b> or if you wish to enable
+If    your local network isn't connected to <b>eth1</b> or if you wish to
-    access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
+enable       access to/from other hosts, change /etc/shorewall/routestopped
 accordingly.</p>
         </div>
 <div align="left">            
@ -904,11 +933,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
    an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-  and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
+    and    test it using the <a
- try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
         </div>
-<p align="left"><font size="2">Last updated 11/21/2002 - <a
+<p align="left"><font size="2">Last updated 12/20/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -919,5 +948,9 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.12-Beta3
+VERSION=1.3.12
 usage() # $1 = exit status
 {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.12-Beta3
+VERSION=1.3.12
 usage() # $1 = exit status
 {
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.3.12
-%define release 0Beta3
+%define release 1
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12
 * Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta3
 * Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.12-Beta3
+VERSION=1.3.12
 usage() # $1 = exit status
 {