'check' is back in

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@476 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-16 11:20:53 +01:00 · 2003-02-28 02:12:52 +00:00 · 2003-02-28 02:12:52 +00:00 · 4b5254bed5
commit 4b5254bed5
parent 2894700fcf
6 changed files with 1086 additions and 836 deletions
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@ -51,16 +51,16 @@
       <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
       <br>
       <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
-reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
+ reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
- If this    happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
+installed.  If this    happens, simply use the --nodeps option to rpm (rpm
- &lt;shorewall    rpm&gt;).</li>
+-ivh --nodeps  &lt;shorewall    rpm&gt;).</li>
       <li>Edit the <a href="#Config_Files"> configuration files</a> to match
  your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
  SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
  IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
- AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
+  AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
- TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE
+NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO
-NETWORK  CONNECTIVITY.</b></font></li>
+RESTORE NETWORK  CONNECTIVITY.</b></font></li>
       <li>Start the firewall by typing "shorewall start"</li>
 </ul>
@ -82,33 +82,34 @@ NETWORK  CONNECTIVITY.</b></font></li>
       <li>If you are using <a href="http://www.suse.com">SuSe</a> then type 
     "./install.sh /etc/init.d"</li>
       <li>If your distribution has directory             /etc/rc.d/init.d
-or  /etc/init.d then type             "./install.sh"</li>
+ or  /etc/init.d then type             "./install.sh"</li>
       <li>For other distributions, determine where your             distribution
  installs init scripts and type             "./install.sh &lt;init script
-directory&gt;</li>
+ directory&gt;</li>
       <li>Edit the <a href="#Config_Files"> configuration files</a> to match
  your configuration.</li>
       <li>Start the firewall by typing "shorewall             start"</li>
-      <li>If the install script was unable to configure Shorewall to be started 
+       <li>If the install script was unable to configure Shorewall to be
- automatically at boot,             see <a
+started   automatically at boot,             see <a
 href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
 </ul>
 <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
-disk, simply replace the "shorwall.lrp" file on the image with the file that 
+ disk, simply replace the "shorwall.lrp" file on the image with the file
-you downloaded. See the <a href="two-interface.htm">two-interface QuickStart 
+that  you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
-Guide</a> for information about further steps required.</p>
+ Guide</a> for information about further steps required.</p>
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
  and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
-or and you  have entries in the /etc/shorewall/hosts file then please check 
+and you  have entries in the /etc/shorewall/hosts file then please check
-your  /etc/shorewall/interfaces file to be sure that it contains an entry 
+ your  /etc/shorewall/interfaces file to be sure that it contains an entry
-for each  interface mentioned in the hosts file. Also, there are certain 1.2
+ for each  interface mentioned in the hosts file. Also, there are certain
-rule forms  that are no longer supported under 1.4 (you must use the new
+1.2 rule forms  that are no longer supported under 1.4 (you must use the
-1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
+new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
 details.</p>
 <ul>
       <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: 
@ -118,26 +119,27 @@ Beta RPMs installed,     you must use the "--oldpackage" option to rpm (e.g.,
    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
  rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-is installed. If this    happens, simply use the --nodeps option to rpm (rpm 
+ is installed. If this    happens, simply use the --nodeps option to rpm
- -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
+(rpm   -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
         </p>
      </li>
      <li>See if there are any incompatibilities between your configuration 
- and the    new Shorewall version and correct as necessary.</li>
+and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
       <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
-are upgrading to a new version using the tarball:</p>
+and are upgrading to a new version using the tarball:</p>
 <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
 and you  have entries in the /etc/shorewall/hosts file then please check
 your  /etc/shorewall/interfaces file to be sure that it contains an entry
 for each  interface mentioned in the hosts file.  Also, there are certain
 1.2 rule  forms that are no longer supported under 1.4 (you must use the
 new 1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
 for details. </p>
 <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
 you  have entries in the /etc/shorewall/hosts file then please check your
 /etc/shorewall/interfaces file to be sure that it contains an entry for
 each  interface mentioned in the hosts file.  Also, there are certain 1.2
 rule  forms that are no longer supported under 1.4 (you must use the new
 1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
 details. </p>
 <ul>
   <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
       <li>cd to the shorewall directory (the version is encoded in the 
@ -152,13 +154,12 @@ details. </p>
       <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type 
     "./install.sh /etc/init.d"</li>
       <li>If your distribution has directory             /etc/rc.d/init.d
-or  /etc/init.d then type             "./install.sh"</li>
+ or  /etc/init.d then type             "./install.sh"</li>
       <li>For other distributions, determine where your             distribution
  installs init scripts and type             "./install.sh &lt;init script
-directory&gt;</li>
+ directory&gt;</li>
-      <li>Check your configuration for incompatibility with 1.4 as described
+       <li>See if there are any incompatibilities between your configuration 
-above.<br>
+and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
  </li>
       <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
@ -170,13 +171,15 @@ installation and wish to upgrade to a later version of Shorewall:<br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
 <p>You will need to edit some or all of the configuration files to match
-your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
+ your  setup. In most cases, the <a
-  QuickStart Guides</a> contain all of the information you need.</p>
+ href="shorewall_quickstart_guide.htm">Shorewall   QuickStart Guides</a>
 contain all of the information you need.</p>
 <ul>
 </ul>
-<p><font size="2">Updated 1/24/2003 - <a href="support.htm">Tom Eastep</a> 
+ 
 <p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
  </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>   © <font
@ -185,5 +188,6 @@ your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@ -29,8 +29,8 @@
 <p>Proxy ARP allows you to insert a firewall in front of a set of servers 
     without changing their IP addresses and without having to re-subnet. 
-Before you try to use this technique, I strongly recommend that you read
+Before you try to use this technique, I strongly recommend that you read the
-the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
+<a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
 <p>The following figure represents a Proxy ARP     environment.</p>
@ -75,8 +75,8 @@ in      /etc/shorewall/proxyarp:</p>
  </blockquote>
 <p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19  
-     in the above example) are not included in any specification in     
+    in the above example) are not included in any specification in      /etc/shorewall/masq
-/etc/shorewall/masq or /etc/shorewall/nat.</p>
+or /etc/shorewall/nat.</p>
 <p>Note that I've used an RFC1918 IP address for eth1 - that IP address is 
     irrelevant. </p>
@ -91,38 +91,52 @@ the      Firewall system's eth0 is configured.</p>
   parallel to your firewall to behind your firewall with Proxy ARP, it will 
   probably be HOURS before that system can communicate with the internet. 
 There are a couple of things that you can try:<br>
-</p>
+ </p>
 <ol>
   <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, 
 Vol 1</i> reveals that a <br>
     <br>
-"gratuitous" ARP packet should cause the ISP's router to refresh their ARP
+ "gratuitous" ARP packet should cause the ISP's router to refresh their ARP 
 cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC 
 address for its own IP; in addition to ensuring that the IP address isn't 
 a duplicate...<br>
     <br>
-"if the host sending the gratuitous ARP has just changed its hardware address...,
+ "if the host sending the gratuitous ARP has just changed its hardware address..., 
 this packet causes any other host...that has an entry in its cache for the 
 old hardware address to update its ARP cache entry accordingly."<br>
     <br>
-Which is, of course, exactly what you want to do when you switch a host from
+ Which is, of course, exactly what you want to do when you switch a host
-being exposed to the Internet to behind Shorewall using proxy ARP (or static
+from being exposed to the Internet to behind Shorewall using proxy ARP (or
-NAT for that matter). Happily enough, recent versions of Redhat's iputils
+static NAT for that matter). Happily enough, recent versions of Redhat's
-package include "arping", whose "-U" flag does just that:<br>
+iputils package include "arping", whose "-U" flag does just that:<br>
     <br>
-    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied
+     <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied 
 IP&gt;</i></b></font><br>
-    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
+     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
     <br>
-Stevens goes on to mention that not all systems respond correctly to gratuitous
+ Stevens goes on to mention that not all systems respond correctly to gratuitous 
 ARPs, but googling for "arping -U" seems to support the idea that it works 
 most of the time.<br>
    <br>
 To use arping with Proxy ARP in the above example, you would have to:<br>
    <br>
    <font color="#009900"><b>    shorewall clear<br>
    </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 dev
 eth0<br>
     ip addr add 130.252.100.19 dev eth0</b></font><br>
     <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
     <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
     <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
     ip addr del 130.252.100.19 dev eth0<br>
     shorewall start</font></b><br>
    <br>
  </li>
   <li>You    can call your ISP and ask them to purge the stale ARP cache 
 entry but many    either can't or won't purge individual entries.</li>
 </ol>
-You can determine if your    ISP's gateway ARP cache is stale using ping
+ You can determine if your    ISP's gateway ARP cache is stale using ping 
 and tcpdump. Suppose that we    suspect that the gateway router has a stale 
 ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
@ -133,7 +147,7 @@ ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:<
 <div align="left">    
 <p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we 
 will    assume is 130.252.100.254):</p>
-</div>
+ </div>
 <div align="left">    
 <pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
@ -141,7 +155,7 @@ will    assume is 130.252.100.254):</p>
 <div align="left">    
 <p align="left">We can now observe the tcpdump output:</p>
-</div>
+ </div>
 <div align="left">    
 <pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
@ -154,11 +168,12 @@ case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:
   was the MAC address of the system on the lower left. In other words, the 
 gateway's ARP cache still    associates 130.252.100.19 with the NIC in that 
 system rather than with the firewall's    eth0.</p>
-</div>
+ </div>
-<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 1/26/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
  <a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -29,7 +29,7 @@
 <p>In addition to those applications described in <a
 href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
  are some other services/applications that you may need to configure your
-firewall to accommodate.</p>
+ firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
@ -52,8 +52,8 @@ firewall to accommodate.</p>
 <p>DNS</p>
 <blockquote>               
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-to   open TCP Port 53 as well.<br>
+want to   open TCP Port 53 as well.<br>
       If you are configuring a server, only open TCP Port 53 if you will 
 return  long   replies to queries or if you need to enable ZONE transfers. In 
 the  latter   case, be sure that your server is properly configured.</p>
@ -144,8 +144,8 @@ the  latter   case, be sure that your server is properly configured.</p>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
 have problems accessing regular FTP servers.</p>
-  <p>If there is a possibility that these modules might be loaded before Shorewall
+  <p>If there is a possibility that these modules might be loaded before
-starts, then you should include the port list in /etc/modules.conf:<br>
+Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
      </p>
  <blockquote>                    
@ -173,13 +173,15 @@ starts, then you should include the port list in /etc/modules.conf:<br>
     </blockquote>
 <p>NFS<br>
-</p>
+ </p>
 <blockquote>   
  <p>I personally use the following rules for opening access from zone z1 
 to a server with IP address a.b.c.d in zone z2:<br>
   </p>
-  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
+   
-</blockquote>
+  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	tcp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
 </blockquote>
 <blockquote>               
  <p>Note that my rules only cover NFS using UDP (the normal case). There 
@ -187,18 +189,19 @@ is lots of additional information at
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
     </blockquote>
-<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
+<p>Didn't find what you are looking for -- have you looked in your own  
-file? </p>
+/etc/services file? </p>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 2/7/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
     <a href="copyright.htm"><font size="2">Copyright</font>   © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -2,12 +2,16 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall QuickStart Guide</title>
@ -31,11 +35,12 @@
                        </td>
                      </tr>
  </tbody>                   
 </table>
-<p align="center">With thanks to Richard who reminded me once again that
+<p align="center">With thanks to Richard who reminded me once again that we
-we must  all first walk before we can run.<br>
+must  all first walk before we can run.<br>
   The French Translations are courtesy of Patrice Vetsel<br>
   </p>
@ -63,22 +68,22 @@ we must  all first walk before we can run.<br>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines 
          the steps necessary to set up a firewall where <b>there are multiple 
-     public    IP  addresses involved or if you want to learn more about
+     public    IP  addresses involved or if you want to learn more about Shorewall
-Shorewall      than   is  explained in the single-address guides above.</b></p>
+     than   is  explained in the single-address guides above.</b></p>
 <ul>
                      <li><a
 href="shorewall_setup_guide.htm#Introduction">1.0   Introduction</a></li>
                      <li><a href="shorewall_setup_guide.htm#Concepts">2.0
-Shorewall      Concepts</a></li>
+ Shorewall      Concepts</a></li>
                      <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
  Network     Interfaces</a></li>
                      <li><a href="shorewall_setup_guide.htm#Addressing">4.0
  Addressing,       Subnets  and Routing</a>                            
    <ul>
-                       <li><a href="shorewall_setup_guide.htm#Addresses">4.1
+                        <li><a
-  IP  Addresses</a></li>
+ href="shorewall_setup_guide.htm#Addresses">4.1   IP  Addresses</a></li>
                                    <li><a
 href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
                        <li><a href="shorewall_setup_guide.htm#Routing">4.3 
@ -102,15 +107,16 @@ Setting     up  your   Network</a>
    <ul>
                        <li><a href="shorewall_setup_guide.htm#Routed">5.1
-Routed</a></li>
+ Routed</a></li>
    </ul>
    <ul>
-                       <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
+                        <li><a
-  Non-routed</a>                                                        
+ href="shorewall_setup_guide.htm#NonRouted">5.2   Non-routed</a>        
        <ul>
@ -160,8 +166,8 @@ Rules</a></li>
    </ul>
                      </li>
-                     <li><a href="configuration_file_basics.htm">Common configuration 
+                      <li><a href="configuration_file_basics.htm">Common
-      file   features</a>                                                
+configuration        file   features</a>                                
    <ul>
                        <li><a
@ -169,8 +175,8 @@ Rules</a></li>
 files</a></li>
                        <li><a
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
-                       <li><a href="configuration_file_basics.htm#Ports">Port 
+                        <li><a
-  Numbers/Service Names</a></li>
+ href="configuration_file_basics.htm#Ports">Port    Numbers/Service Names</a></li>
                        <li><a
 href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
                        <li><a
@ -182,16 +188,16 @@ Rules</a></li>
 href="configuration_file_basics.htm#Compliment">Complementing an IP address 
  or Subnet</a></li>
                        <li><a
- href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
+ href="configuration_file_basics.htm#Configs">Shorewall   Configurations
-a test configuration)</a></li>
+(making a test configuration)</a></li>
                        <li><a href="configuration_file_basics.htm#MAC">Using 
  MAC Addresses in Shorewall</a></li>
    </ul>
                      </li>
-                     <li><a href="Documentation.htm">Configuration File Reference 
+                      <li><a href="Documentation.htm">Configuration File
-    Manual</a>                                                           
+Reference      Manual</a>                                               
    <ul>
                        <li>   <a href="Documentation.htm#Variables">params</a></li>
@ -228,8 +234,8 @@ a test configuration)</a></li>
                      </li>
                      <li><a href="dhcp.htm">DHCP</a></li>
                      <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
-to extend Shorewall without modifying Shorewall  code)</li>
+(How to extend Shorewall without modifying Shorewall  code)</li>
                      <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                      <li><a href="shorewall_firewall_structure.htm">Firewall 
  Structure</a></li>
@ -238,11 +244,15 @@ to extend Shorewall without modifying Shorewall  code)</li>
         <li><a href="shorewall_logging.html">Logging</a><br>
         </li>
                      <li><a href="MAC_Validation.html">MAC Verification</a><br>
        </li>
                             <li><a href="myfiles.htm">My Shorewall Configuration
 (How I personally use Shorewall)</a><br>
  </li>
  <li><a href="ping.html">'Ping' Management</a><br>
          </li>
          <li><a href="ports.htm">Port Information</a>                  
    <ul>
                        <li>Which applications use which ports</li>
                        <li>Ports used by Trojans</li>
@ -261,7 +271,8 @@ to extend Shorewall without modifying Shorewall  code)</li>
                </li>
  </ul>
-                     <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
+                      <li><font color="#000099"><a href="NAT.htm">Static
 NAT</a></font></li>
      <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy 
 with Shorewall</a><br>
      </li>
@ -275,20 +286,20 @@ to extend Shorewall without modifying Shorewall  code)</li>
        </li>
                        <li><a href="PPTP.htm">PPTP</a></li>
                        <li><a href="VPN.htm">IPSEC/PPTP</a> from a system
-behind    your   firewall   to a      remote network.</li>
+ behind    your   firewall   to a      remote network.</li>
    </ul>
                      </li>
                      <li><a href="whitelisting_under_shorewall.htm">White
-List   Creation</a></li>
+ List   Creation</a></li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 2/4/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 2/26/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M.
  Eastep</font></a><br>
@ -298,5 +309,6 @@ List   Creation</a></li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -41,13 +41,13 @@
 <p>   If you have a permanent internet connection such as DSL     or Cable, 
-     I  recommend that you start the firewall     automatically at boot.
+     I  recommend that you start the firewall     automatically at boot. Once
-Once     you  have installed      "firewall" in your init.d directory, simply
+    you  have installed      "firewall" in your init.d directory, simply type
-type         "chkconfig --add firewall". This will start the     firewall
+        "chkconfig --add firewall". This will start the     firewall in run
-in run   levels   2-5 and stop it in run levels 1 and 6.     If you want
+  levels   2-5 and stop it in run levels 1 and 6.     If you want to configure
-to configure   your  firewall differently from this     default, you can
+  your  firewall differently from this     default, you can use the "--level"
-use the "--level"   option  in     chkconfig (see "man chkconfig") or using
+  option  in     chkconfig (see "man chkconfig") or using your     favorite
-your     favorite   graphical  run-level editor.</p>
+  graphical  run-level editor.</p>
@ -60,14 +60,14 @@ your     favorite   graphical  run-level editor.</p>
           </p>
 <ol>
-            <li>Shorewall startup is disabled by default. Once you have configured
+             <li>Shorewall startup is disabled by default. Once you have
-     your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
+configured      your firewall, you can enable startup by removing the file
-     Note: Users of the .deb package must edit /etc/default/shorewall and
+/etc/shorewall/startup_disabled.      Note: Users of the .deb package must
-set    'startup=1'.<br>
+edit /etc/default/shorewall and set    'startup=1'.<br>
             </li>
             <li>If you use dialup, you may want to start the firewall  
- in  your   /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall 
+  in  your   /etc/ppp/ip-up.local   script. I recommend just placing    
-  restart"   in that script.</li>
+"shorewall    restart"   in that script.</li>
 </ol>
@ -98,15 +98,15 @@ set    'startup=1'.<br>
 </ul>
       If you include the keyword <i>debug</i> as the first argument, then
-a  shell  trace of the command is produced as in:<br>
+ a  shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
-<p>The above command would trace the 'start' command and place the trace
+<p>The above command would trace the 'start' command and place the trace information
-information in the file /tmp/trace<br>
+in the file /tmp/trace<br>
      </p>
 <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
@ -117,14 +117,14 @@ information in the file /tmp/trace<br>
 <ul>
-              <li>shorewall status - produce a verbose report about the firewall
+               <li>shorewall status - produce a verbose report about the
-              (iptables -L -n -v)</li>
+firewall               (iptables -L -n -v)</li>
               <li>shorewall show <i>chain</i> - produce a verbose report 
 about        <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
               <li>shorewall show nat - produce a verbose report about the
-nat   table             (iptables -t nat -L -n -v)</li>
+ nat   table             (iptables -t nat -L -n -v)</li>
               <li>shorewall show tos - produce a verbose report about the
-mangle    table          (iptables -t mangle -L -n -v)</li>
+ mangle    table          (iptables -t mangle -L -n -v)</li>
               <li>shorewall show log - display the last 20 packet log entries.</li>
               <li>shorewall show connections - displays the IP connections 
 currently     being     tracked by the firewall.</li>
@ -133,17 +133,28 @@ mangle    table          (iptables -t mangle -L -n -v)</li>
                                                        tc     - displays 
 information      about the traffic control/shaping configuration.</li>
               <li>shorewall monitor [ delay ] - Continuously display the 
-firewall               status, last 20 log entries and nat. When the log
+firewall               status, last 20 log entries and nat. When the log entry
-entry display                changes, an audible alarm is sounded.</li>
+display                changes, an audible alarm is sounded.</li>
               <li>shorewall hits - Produces several reports about the Shorewall
    packet  log          messages in the current /var/log/messages file.</li>
               <li>shorewall version -  Displays the installed     version
-number.</li>
+ number.</li>
  <li>shorewall check -  Performs a <u>cursory</u> validation     of  the
 zones, interfaces, hosts, rules and policy files.<br>
    <br>
    <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
 and does not parse and     validate   the   generated iptables commands.
 Even though the "check" command     completes   successfully, the configuration
 may fail to start. Problem reports that complain about errors that the 'check'
 command does not detect will not be accepted.<br>
    <br>
 See the     recommended   way to make configuration changes described below.</b></font><br>
  </li>
               <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
-   ]  -  Restart shorewall using the     specified configuration and if an 
+    ]  -  Restart shorewall using the     specified configuration and if
- error   occurs or if the<i> timeout </i>    option is given and the new configuration
+an   error   occurs or if the<i> timeout </i>    option is given and the
-    has been up for that many seconds     then shorewall is restarted using
+new configuration     has been up for that many seconds     then shorewall
-  the  standard configuration.</li>
+is restarted using   the  standard configuration.</li>
               <li>shorewall deny, shorewall reject, shorewall accept and 
 shorewall      save     implement <a href="blacklisting_support.htm">dynamic 
 blacklisting</a>.</li>
@ -153,7 +164,7 @@ new   Shorewall       messages are logged.</li>
 </ul>
         Finally, the "shorewall" program may be used to dynamically alter
-the   contents  of a zone.<br>
+ the   contents  of a zone.<br>
 <ul>
           <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- 
@ -168,14 +179,15 @@ Adds   the  specified interface (and host if included) to the specified zone.</l
  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> 
   -- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
-          <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
+           <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24
-   -- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
+vpn1</b></font>    -- deletes the address 192.0.2.24  from interface ipsec0
 from zone vpn1<br>
           </blockquote>
         </blockquote>
-<p>  The <b>shorewall start</b>, <b>shorewall restart, </b>and       <b>shorewall
+<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
-try </b>commands allow you to specify which <a
+      <b>shorewall try </b>commands allow you to specify which <a
 href="configuration_file_basics.htm#Configs">   Shorewall configuration</a>
       to use:</p>
@ -183,15 +195,16 @@ try </b>commands allow you to specify which <a
 <blockquote>                                                             
-  <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart}<br>
+  <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
             shorewall try <i>configuration-directory</i></p>
             </blockquote>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
-      is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
+       is going to use a file in /etc/shorewall it will first look in the
-       . If the file is present in the <i>configuration-directory</i>, that
+<i>configuration-directory</i>        . If the file is present in the <i>configuration-directory</i>,
-  file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
+that   file    will be used; otherwise, the file in /etc/shorewall will be
 used.</p>
@ -209,7 +222,9 @@ try </b>commands allow you to specify which <a
                       <li><font color="#009900"><b>cd /etc/test</b></font></li>
                       <li>&lt;copy any files that you need to change from
-/etc/shorewall     to . and change them here&gt;</li>
+ /etc/shorewall     to . and change them here&gt;</li>
  <li><font color="#009900"><b>shorewall -c . check</b></font></li>
  <li>&lt;correct any errors found by check and check again&gt;</li>
                                             <li><font color="#009900"><b>/sbin/shorewall 
@ -253,10 +268,11 @@ try .</b></font></li>
 <p>    <br>
       </p>
-       You will note that the commands that result in state transitions use 
+        You will note that the commands that result in state transitions
- the  word "firewall" rather than "shorewall". That is because the actual 
+use   the  word "firewall" rather than "shorewall". That is because the actual
-transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall 
+ transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
-on  Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
+ on  Debian); /sbin/shorewall runs 'firewall" according to the following
 table:<br>
      <br>
 <table cellpadding="2" cellspacing="2" border="1">
@ -310,25 +326,13 @@ on  Debian); /sbin/shorewall runs 'firewall" according to the following table:<b
 </table>
      <br>
-<p><font size="2">   Updated 2/10/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 2/27/2003 - <a href="support.htm">Tom  Eastep</a>
         </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-        © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+        © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-                                                                        
+</p>
                                     <br>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>