Updates for 1.3.14 RC1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@431 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-14 05:36:55 +02:00 · 2003-02-04 17:25:01 +00:00 · 2003-02-04 17:25:01 +00:00 · 50b692b6be
commit 50b692b6be
parent 5b9a57d49e
3 changed files with 1040 additions and 1000 deletions
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -2,13 +2,17 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mailing Lists</title>
@ -20,47 +24,48 @@
 <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
 style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
 border="0">
-                     <tbody>
+                      <tbody>
-                      <tr>
+                       <tr>
-                       <td width="33%" valign="middle" align="left">    
+                        <td width="33%" valign="middle" align="left">   
      <h1 align="center"><a
 href="http://www.centralcommand.com/linux_products.html"><img
 src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
 height="79" align="left">
-                  </a></h1>
+                   </a></h1>
-                                           <a
+                                            <a
 href="http://www.gnu.org/software/mailman/mailman.html">         <img
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35" alt="">
-                        </a>                              
+                         </a>                                     
      <p align="right"><font color="#ffffff"><b>      </b></font>     </p>
-                        </td>
+                         </td>
-          <td valign="middle" width="34%" align="center">               
+           <td valign="middle" width="34%" align="center">              
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
-          </td>
+           </td>
-          <td valign="middle" width="33%">                     <a
+           <td valign="middle" width="33%">                     <a
 href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45" alt="(Postfix Logo)">
-                        </a><br>
+                         </a><br>
      <div align="left"><a href="http://www.spamassassin.org"><img
- src="file:///J:/Shorewall-docs/images/ninjalogo.png" alt="" width="110"
+ src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
- height="42" align="right" border="0">
+ border="0">
-       </a> </div>
+        </a> </div>
-       <br>
+        <br>
      <div align="right"><br>
-          <b><font color="#ffffff"><br>
+           <b><font color="#ffffff"><br>
- Powered by Postfix    </font></b><br>
+  Powered by Postfix    </font></b><br>
-          </div>
+           </div>
-          </td>
+           </td>
-                     </tr>
+                      </tr>
  </tbody>                   
 </table>
@ -69,7 +74,7 @@
 href="mailing_list_problems.htm">Check Here</a></h2>
 <p align="left">If you experience problems with any of these lists, please
-         let <a href="mailto:teastep@shorewall.net">me</a> know</p>
+          let <a href="mailto:teastep@shorewall.net">me</a> know</p>
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
@ -81,46 +86,46 @@
 <p>Before subscribing please read my <a href="spam_filters.htm">policy   
-    about list traffic that bounces.</a> Also please note that the mail server
+   about list traffic that bounces.</a> Also please note that the mail server 
                at shorewall.net checks incoming mail:<br>
-              </p>
+               </p>
 <ol>
-                <li>against <a href="http://spamassassin.org">Spamassassin</a>
+                 <li>against <a href="http://spamassassin.org">Spamassassin</a> 
   (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
-        </li>
+         </li>
-                <li>to ensure that the sender address is fully qualified.</li>
+                 <li>to ensure that the sender address is fully qualified.</li>
-                <li>to verify that the sender's domain has an A or MX record
+                 <li>to verify that the sender's domain has an A or MX record 
  in  DNS.</li>
-                <li>to ensure that the host name in the HELO/EHLO command 
+                 <li>to ensure that the host name in the HELO/EHLO command
-is  a  valid    fully-qualified  DNS name that resolves.</li>
+ is  a  valid    fully-qualified  DNS name that resolves.</li>
 </ol>
 <h2>Please post in plain text</h2>
-        A growing number of MTAs serving list subscribers are rejecting all 
+         A growing number of MTAs serving list subscribers are rejecting
- HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net 
+all   HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net
- "for  continuous abuse" because it has been my policy to allow HTML in list 
+  "for  continuous abuse" because it has been my policy to allow HTML in
- posts!!<br>
+list   posts!!<br>
-        <br>
+         <br>
-        I think that blocking all HTML is a Draconian way to control spam 
+         I think that blocking all HTML is a Draconian way to control spam
- and   that the ultimate losers here are not the spammers but the list subscribers
+  and   that the ultimate losers here are not the spammers but the list subscribers 
    whose MTAs are bouncing all shorewall.net mail. As one list subscriber 
 wrote  to me privately "These e-mail admin's need to get a <i>(explitive 
 deleted)</i>  life instead of trying to rid the planet of HTML based e-mail". 
 Nevertheless,  to allow subscribers to receive list posts as must as possible, 
 I have now  configured the list server at shorewall.net to strip all HTML 
-from outgoing  posts. This means that HTML-only posts will be bounced by
+from outgoing  posts. This means that HTML-only posts will be bounced by the
-the list server.<br>
+list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
-     </p>
+      </p>
 <h2>Other Mail Delivery Problems</h2>
-      If you find that you are missing an occasional list post, your e-mail 
+       If you find that you are missing an occasional list post, your e-mail
- admin  may be blocking mail whose <i>Received:</i> headers contain the names 
+  admin  may be blocking mail whose <i>Received:</i> headers contain the
- of certain ISPs. Again, I believe that such policies hurt more than they 
+names   of certain ISPs. Again, I believe that such policies hurt more than
-help but I'm not prepared to go so far as to start stripping <i>Received:</i>
+they  help but I'm not prepared to go so far as to start stripping <i>Received:</i> 
  headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -134,13 +139,13 @@ help but I'm not prepared to go so far as to start stripping <i>Received:</i>
  <option value="or">Any </option>
  <option value="boolean">Boolean </option>
  </select>
-                  Format:                                               
+                   Format:                                              
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
-                  Sort by:                                              
+                   Sort by:                                             
  <select name="sort">
  <option value="score">Score </option>
@ -150,46 +155,46 @@ help but I'm not prepared to go so far as to start stripping <i>Received:</i>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-                  </font> <input type="hidden" name="config"
+                   </font> <input type="hidden" name="config"
 value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-                  Search: <input type="text" size="30" name="words"
+                   Search: <input type="text" size="30" name="words"
 value="">    <input type="submit" value="Search"> </p>
-                  </form>
+                   </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the entire
+<h2 align="left"><font color="#ff0000">Please do not try to download the
-Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
+entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
-stand the traffic. If I catch you, you will be blacklisted.<br>
+won't stand the traffic. If I catch you, you will be blacklisted.<br>
-           </font></h2>
+            </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
-                If you want to trust X.509 certificates issued by Shoreline 
+                 If you want to trust X.509 certificates issued by Shoreline
- Firewall     (such   as the one used on my web site), you may <a
+  Firewall     (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a> 
-        in your browser. If you don't wish to trust my certificates then
+        in your browser. If you don't wish to trust my certificates then you
-you    can    either use unencrypted access when subscribing to Shorewall
+   can    either use unencrypted access when subscribing to Shorewall mailing
-mailing    lists    or you can use secure access (SSL) and accept the server's
+   lists    or you can use secure access (SSL) and accept the server's certificate
-certificate     when   prompted by your browser.<br>
+    when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users 
-         to get answers to questions and to report problems. Information
+         to get answers to questions and to report problems. Information of
-of   general       interest to the Shorewall user community is also posted
+  general       interest to the Shorewall user community is also posted to
-to  this list.</p>
+ this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see 
         the <a href="http://www.shorewall.net/support.htm">problem reporting 
 guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list:<br>
-  </p>
+   </p>
 <ul>
-    <li><b>Insecure: </b><a
+     <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
-    <li><b>SSL:</b> <a
+     <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -201,30 +206,30 @@ guidelines</a>.</b></p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
-at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
-list may be found at <a
+may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the
-         Shorewall community. To subscribe:<br>
+          Shorewall community. To subscribe:<br>
-  </p>
+   </p>
 <p align="left"></p>
 <ul>
-    <li><b>Insecure:</b> <a
+     <li><b>Insecure:</b> <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
-    <li><b>SSL</b>: <a
+     <li><b>SSL</b>: <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
 </ul>
 <p align="left"><br>
-                The list archives are at <a
+                 The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
@ -234,12 +239,12 @@ list may be found at <a
        ongoing Shorewall Development.</p>
 <p align="left">To subscribe to the mailing list:<br>
-   </p>
+    </p>
 <ul>
-    <li><b>Insecure: </b><a
+     <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
-    <li><b>SSL:</b> <a
+     <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -259,26 +264,26 @@ list may be found at <a
 make  this less confusing. To unsubscribe:</p>
 <ul>
-                     <li>                                               
+                      <li>                                              
    <p align="left">Follow the same link above that you used to subscribe 
         to the  list.</p>
-                     </li>
+                      </li>
-                     <li>                                               
+                      <li>                                              
    <p align="left">Down at the bottom of that page is the following text: 
         " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password 
   reminder,         or change your subscription options enter your subscription
-           email address:". Enter your email  address   in the box and click
+            email address:". Enter your email  address   in the box and click 
    on the "<b>Unsubscribe</b> or edit options" button.</p>
-                     </li>
+                      </li>
-                     <li>                                               
+                      <li>                                              
    <p align="left">There will now be a box where you can enter your password 
         and  click on "Unsubscribe"; if you have forgotten your password, 
 there      is  another  button that will cause your password to be emailed 
 to you.</p>
-                     </li>
+                      </li>
 </ul>
@ -290,17 +295,8 @@ list may be found at <a
 <p align="left"><font size="2">Last updated 2/3/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
-<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-         </p>
+</p>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -13,7 +13,7 @@
-                                                              <base
+                                                                      <base
 target="_self">
 </head>
  <body>
@ -24,11 +24,12 @@
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
-                     <tbody>
+                       <tbody>
-                  <tr>
+                    <tr>
                             <td width="100%" height="90">              
                           <td width="100%" height="90">                
@ -42,9 +43,9 @@
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                      </a></i></font><font color="#ffffff">Shorewall    
+                        </a></i></font><font color="#ffffff">Shorewall  
- 1.3     -               <font size="4">"<i>iptables                   made 
+   1.3     -               <font size="4">"<i>iptables                  
-easy"</i></font></font></h1>
+made  easy"</i></font></font></h1>
@ -58,13 +59,13 @@ easy"</i></font></font></h1>
 href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
-               </div>
+                 </div>
-               <br>
+                 <br>
-                           </td>
+                             </td>
-                       </tr>
+                         </tr>
@ -83,11 +84,11 @@ easy"</i></font></font></h1>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
-                       <tbody>
+                         <tbody>
-                  <tr>
+                    <tr>
-                             <td width="90%">                           
+                               <td width="90%">                         
@ -123,24 +124,24 @@ easy"</i></font></font></h1>
      <p>This program is free software; you can redistribute it and/or modify 
-                                         it        under the terms of <a
+                                          it        under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
 Public License</a> as published by the Free Software        Foundation.<br>
-                          <br>
+                            <br>
-                     This   program     is  distributed       in  the   hope
+                       This   program     is  distributed       in  the 
-    that     it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;
+ hope     that     it   will     be  useful,    but         WITHOUT  ANY
-     without      even the   implied    warranty      of MERCHANTABILITY
+   WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY
-            or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the
+             or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the
- GNU General     Public  License           for  more details.<br>
+  GNU General     Public  License           for  more details.<br>
-                          <br>
+                            <br>
-                     You   should    have   received     a  copy   of  the
+                       You   should    have   received     a  copy   of 
-   GNU     General         Public      License             along  with  
+the     GNU     General         Public      License             along  with
-this   program;       if  not,    write  to  the    Free Software       
+  this   program;       if  not,    write  to  the    Free Software     
-Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
+  Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
     USA</p>
@ -163,23 +164,24 @@ Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                      </a>Jacques              Nilo   and   Eric   Wolzak 
+                        </a>Jacques              Nilo   and   Eric   Wolzak 
-   have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD
+    have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD
-  or compact     flash)  distribution        called              <i>Bering</i>
+   or compact     flash)  distribution        called              <i>Bering</i>
-     that          features      Shorewall-1.3.10  and    Kernel-2.4.18.
+      that          features      Shorewall-1.3.10  and    Kernel-2.4.18.
      You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
-                                     </a></p>
+                                       </a></p>
      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
 1.0 Final!!! </b><br>
-                                </p>
+                                  </p>
@ -220,121 +222,122 @@ Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
      <p><b>2/4/2003 - Shorewall 1.3.14-RC1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-        </b></p>
+          </b></p>
      <p>Includes the Beta 2 content plus support for OpenVPN tunnels.</p>
-      <p> The beta may be downloaded from:<br>
+      <p> The release candidate may be downloaded from:<br>
-         </p>
+           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-           <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+             <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
-         </blockquote>
+ target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
           </blockquote>
      <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
-        </b></p>
+          </b></p>
      <p>Includes the Beta 1 content plus restores VLAN device names of the
- form $dev.$vid (e.g., eth0.1)</p>
+  form $dev.$vid (e.g., eth0.1)</p>
      <p> The beta may be downloaded from:<br>
-         </p>
+           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-           <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+             <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-         </blockquote>
+           </blockquote>
      <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-       </b><br>
+         </b><br>
-         </p>
+           </p>
      <p>The Beta includes the following changes:<br>
-    </p>
+      </p>
      <ol>
-           <li>An OLD_PING_HANDLING option has been added to shorewall.conf. 
+             <li>An OLD_PING_HANDLING option has been added to shorewall.conf. 
- When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
+  When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
-        <br>
+          <br>
-    When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
+      When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
-policies   just like any other connection request. The FORWARDPING=Yes option
+ policies   just like any other connection request. The FORWARDPING=Yes option
-in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
+ in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
-will   all generate an error.<br>
+ will   all generate an error.<br>
-        <br>
+          <br>
-      </li>
+        </li>
-           <li>It is now possible to direct Shorewall to create a "label" 
+             <li>It is now possible to direct Shorewall to create a "label" 
-such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes 
+ such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes 
-and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of 
+ and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
-just  the interface name:<br>
+ just  the interface name:<br>
-     <br>
+       <br>
-       a) In the INTERFACE column of /etc/shorewall/masq<br>
+         a) In the INTERFACE column of /etc/shorewall/masq<br>
-       b) In the INTERFACE column of /etc/shorewall/nat<br>
+         b) In the INTERFACE column of /etc/shorewall/nat<br>
-     </li>
+       </li>
-           <li>When an interface name is entered in the SUBNET column of
+             <li>When an interface name is entered in the SUBNET column of
-the  /etc/shorewall/masq file, Shorewall previously masqueraded traffic from 
+ the  /etc/shorewall/masq file, Shorewall previously masqueraded traffic
-only  the first subnet defined on that interface. It did not masquerade traffic 
+from  only  the first subnet defined on that interface. It did not masquerade 
- from:<br>
+traffic   from:<br>
-     <br>
+       <br>
-       a) The subnets associated with other addresses on the interface.<br>
+         a) The subnets associated with other addresses on the interface.<br>
-       b) Subnets accessed through local routers.<br>
+         b) Subnets accessed through local routers.<br>
-     <br>
+       <br>
-    Beginning with Shorewall 1.3.14, if you enter an interface name in the
+      Beginning with Shorewall 1.3.14, if you enter an interface name in
- SUBNET  column, shorewall will use the firewall's routing table to construct
+the   SUBNET  column, shorewall will use the firewall's routing table to
- the masquerading/SNAT rules.<br>
+construct   the masquerading/SNAT rules.<br>
-     <br>
+       <br>
-    Example 1 -- This is how it works in 1.3.14.<br>
+      Example 1 -- This is how it works in 1.3.14.<br>
-       <br>
+         <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos... <br></pre>
-    When upgrading to Shorewall 1.3.14, if you have multiple local subnets
+      When upgrading to Shorewall 1.3.14, if you have multiple local subnets
- connected  to an interface that is specified in the SUBNET column of an
+  connected  to an interface that is specified in the SUBNET column of an
 /etc/shorewall/masq   entry, your /etc/shorewall/masq file will need changing.
 In most cases, you  will simply be able to remove redundant entries. In some
 cases though, you  might want to change from using the interface name to
 listing specific subnetworks  if the change described above will cause masquerading
 to occur on subnetworks  that you don't wish to masquerade.<br>
-     <br>
+       <br>
-    Example 2 -- Suppose that your current config is as follows:<br>
+      Example 2 -- Suppose that your current config is as follows:<br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
-       In this case, the second entry in /etc/shorewall/masq is no longer 
+         In this case, the second entry in /etc/shorewall/masq is no longer 
-required.<br>
+ required.<br>
-     <br>
+       <br>
-    Example 3 -- What if your current configuration is like this?<br>
+      Example 3 -- What if your current configuration is like this?<br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
-       In this case, you would want to change the entry in  /etc/shorewall/masq 
+         In this case, you would want to change the entry in  /etc/shorewall/masq 
- to:<br>
+  to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-           </li>
+             </li>
      </ol>
-   The beta may be downloaded from:<br>
+     The beta may be downloaded from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-           <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+             <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-         </blockquote>
+           </blockquote>
      <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b>
-         </b></p>
+          </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 
-  documenation.          the PDF may be downloaded from</p>
+   documenation.          the PDF may be downloaded from</p>
-                                             <a
+                                               <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                            <a
+                              <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a> 
      <p><b>1/17/2003 - shorewall.net has MOVED</b><b></b></p>
@ -343,90 +346,94 @@ required.<br>
 href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
 ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
 big thanks to Alex for making this happen.<br>
-            </p>
+              </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><br>
-             </p>
+               </p>
      <p>Just includes a few things that I had on the burner:<br>
-        </p>
+          </p>
      <ol>
-               <li>A new 'DNAT-' action has been added for entries in the 
+                 <li>A new 'DNAT-' action has been added for entries in the 
-/etc/shorewall/rules    file. DNAT- is intended for advanced users who wish 
+ /etc/shorewall/rules    file. DNAT- is intended for advanced users who wish 
-to minimize the number    of rules that connection requests must traverse.<br>
+ to minimize the number    of rules that connection requests must traverse.<br>
-            <br>
+              <br>
-        A Shorewall DNAT rule actually generates two iptables rules: a header 
+          A Shorewall DNAT rule actually generates two iptables rules: a
-  rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table. 
+header    rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' 
-  A DNAT-  rule only generates the first of these rules. This is handy when 
+table.    A DNAT-  rule only generates the first of these rules. This is handy
-  you have  several DNAT rules that would generate the same ACCEPT rule.<br>
+when    you have  several DNAT rules that would generate the same ACCEPT rule.<br>
-            <br>
+              <br>
-           Here are three rules from my previous rules file:<br>
+             Here are three rules from my previous rules file:<br>
-            <br>
+              <br>
-                DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
+                  DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
-                DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
+                  DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
-                ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
+                  ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
-            <br>
+              <br>
-           These three rules ended up generating _three_ copies of<br>
+             These three rules ended up generating _three_ copies of<br>
-            <br>
+              <br>
-                 ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
+                   ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
-            <br>
+              <br>
-           By writing the rules this way, I end up with only one copy of
+             By writing the rules this way, I end up with only one copy of
-the   ACCEPT  rule.<br>
+ the   ACCEPT  rule.<br>
-            <br>
+              <br>
-                DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
+                  DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
-                DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
+                  DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
-                ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
+                  ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
-            <br>
+              <br>
-          </li>
+            </li>
-               <li>The 'shorewall check' command now prints out the applicable
+                 <li>The 'shorewall check' command now prints out the applicable
-   policy between each pair of zones.<br>
+    policy between each pair of zones.<br>
-            <br>
+              <br>
-          </li>
+            </li>
-               <li>A new CLEAR_TC option has been added to shorewall.conf.
+                 <li>A new CLEAR_TC option has been added to shorewall.conf.
- If  this  option is set to 'No' then Shorewall won't clear the current traffic 
+  If  this  option is set to 'No' then Shorewall won't clear the current
-  control  rules during [re]start. This setting is intended for use by people 
+traffic    control  rules during [re]start. This setting is intended for
-  that prefer  to configure traffic shaping when the network interfaces come 
+use by people    that prefer  to configure traffic shaping when the network
-  up rather than  when the firewall is started. If that is what you want to
+interfaces come    up rather than  when the firewall is started. If that
-  do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart 
+is what you want to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not
-  file. That way,  your traffic shaping rules can still use the 'fwmark' classifier
+supply an /etc/shorewall/tcstart    file. That way,  your traffic shaping
-  based on  packet marking defined in /etc/shorewall/tcrules.<br>
+rules can still use the 'fwmark' classifier   based on  packet marking defined
-            <br>
+in /etc/shorewall/tcrules.<br>
-          </li>
+              <br>
-               <li>A new SHARED_DIR variable has been added that allows distribution 
+            </li>
-   packagers to easily move the shared directory (default /usr/lib/shorewall). 
+                 <li>A new SHARED_DIR variable has been added that allows 
-   Users should never have a need to change the value of this shorewall.conf 
+distribution     packagers to easily move the shared directory (default /usr/lib/shorewall). 
-   setting.<br>
+    Users should never have a need to change the value of this shorewall.conf 
-          </li>
+    setting.<br>
            </li>
      </ol>
      <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
-                                                         </b></p>
+                                                          </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall 
-      Development or Shorewall Support</b></p>
+       Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
-                   </p>
+                     </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>    
                                                 </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
-       documenation.        the PDF may be downloaded from</p>
+        documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                                <a
+                                  <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                            </p>
+                              </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
@ -434,131 +441,131 @@ the   ACCEPT  rule.<br>
      <p>     Features include:<br>
-                         </p>
+                           </p>
      <ol>
-                       <li>"shorewall refresh" now reloads the traffic shaping
+                         <li>"shorewall refresh" now reloads the traffic
-   rules    (tcrules     and tcstart).</li>
+shaping     rules    (tcrules     and tcstart).</li>
-                       <li>"shorewall debug [re]start" now turns off debugging
+                         <li>"shorewall debug [re]start" now turns off debugging
-   after    an  error   occurs. This places the point of the failure near
+    after    an  error   occurs. This places the point of the failure near
-the   end of   the trace rather   than up in the middle of it.</li>
+ the   end of   the trace rather   than up in the middle of it.</li>
-                       <li>"shorewall [re]start" has been speeded up by more
+                         <li>"shorewall [re]start" has been speeded up by 
-  than   40%   with   my  configuration. Your milage may vary.</li>
+more   than   40%   with   my  configuration. Your milage may vary.</li>
-                       <li>A "shorewall show classifiers" command has been
+                         <li>A "shorewall show classifiers" command has been
- added    which    shows   the current packet classification filters. The
+  added    which    shows   the current packet classification filters. The
-output from   this  command  is  also added as a separate page in "shorewall
+ output from   this  command  is  also added as a separate page in "shorewall
-monitor"</li>
+ monitor"</li>
-                       <li>ULOG (must be all caps) is now accepted as a valid 
+                         <li>ULOG (must be all caps) is now accepted as a 
-  syslog    level   and  causes the subject packets to be logged using the 
+valid    syslog    level   and  causes the subject packets to be logged using 
- ULOG target    rather   than  the LOG target. This allows you to run ulogd 
+the   ULOG target    rather   than  the LOG target. This allows you to run 
- (available from             <a
+ulogd   (available from             <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
-          and log all Shorewall messages <a
+           and log all Shorewall messages <a
 href="shorewall_logging.html">to    a  separate  log file</a>.</li>
-                       <li>If you are running a kernel that has a FORWARD 
+                         <li>If you are running a kernel that has a FORWARD 
-chain    in  the   mangle    table ("shorewall show mangle" will show you 
+ chain    in  the   mangle    table ("shorewall show mangle" will show you 
-the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes 
+ the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes 
-in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
+ in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for 
-        input packets based on their destination even when you are using
+marking         input packets based on their destination even when you are 
- Masquerading        or SNAT.</li>
+using  Masquerading        or SNAT.</li>
-                       <li>I have cluttered up the /etc/shorewall directory 
+                         <li>I have cluttered up the /etc/shorewall directory 
- with   empty    'init',    'start', 'stop' and 'stopped' files. If you already
+  with   empty    'init',    'start', 'stop' and 'stopped' files. If you already
  have  a file    with one   of these names, don't worry -- the upgrade process
  won't  overwrite    your file.</li>
-                       <li>I have added a new RFC1918_LOG_LEVEL variable
+                         <li>I have added a new RFC1918_LOG_LEVEL variable
-to            <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable 
+ to            <a href="Documentation.htm#Conf">shorewall.conf</a>. This
- specifies       the syslog level at which packets are logged as a result 
+variable   specifies       the syslog level at which packets are logged as
-of entries in   the   /etc/shorewall/rfc1918 file. Previously, these packets 
+a result  of entries in   the   /etc/shorewall/rfc1918 file. Previously,
- were always   logged   at the 'info' level.<br>
+these packets   were always   logged   at the 'info' level.<br>
-                  </li>
+                    </li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
-                      </p>
+                        </p>
-                This version corrects a problem with Blacklist logging. In
+                  This version corrects a problem with Blacklist logging. 
- Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall 
+In  Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the 
- would   fail  to start and "shorewall  refresh" would also fail.<br>
+firewall   would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
-                                                 </p>
+                                                   </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                       <a
+                         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-                     </blockquote>
+                       </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                           </b></p>
-                    The first public Beta version of Shorewall 1.3.12 is
+                      The first public Beta version of Shorewall 1.3.12 is
-now   available      (Beta  1 was made available to a limited audience).
+ now   available      (Beta  1 was made available to a limited audience).
      <br>
-                     <br>
+                       <br>
-                     Features include:<br>
+                       Features include:<br>
-                     <br>
+                       <br>
      <ol>
-                            <li>"shorewall refresh" now reloads the traffic 
+                              <li>"shorewall refresh" now reloads the traffic 
- shaping     rules    (tcrules  and tcstart).</li>
+  shaping     rules    (tcrules  and tcstart).</li>
-                            <li>"shorewall debug [re]start" now turns off 
+                              <li>"shorewall debug [re]start" now turns off 
-debugging      after    an  error occurs. This places the point of the failure 
+ debugging      after    an  error occurs. This places the point of the failure 
-near the    end of the   trace  rather than up in the middle of it.</li>
+ near the    end of the   trace  rather than up in the middle of it.</li>
-                            <li>"shorewall [re]start" has been speeded up 
+                              <li>"shorewall [re]start" has been speeded
-by  more   than   40%   with  my configuration. Your milage may vary.</li>
+up  by  more   than   40%   with  my configuration. Your milage may vary.</li>
-                            <li>A "shorewall show classifiers" command has
+                              <li>A "shorewall show classifiers" command
- been   added    which    shows the current packet classification filters.
+has   been   added    which    shows the current packet classification filters.
- The output   from    this command    is also added as a separate page in
+  The output   from    this command    is also added as a separate page in
-"shorewall monitor"</li>
+ "shorewall monitor"</li>
-                            <li>ULOG (must be all caps) is now accepted as
+                              <li>ULOG (must be all caps) is now accepted 
- a  valid    syslog    level  and causes the subject packets to be logged
+as  a  valid    syslog    level  and causes the subject packets to be logged
-using  the ULOG   target   rather than the LOG target. This allows you to
+ using  the ULOG   target   rather than the LOG target. This allows you to
-run ulogd  (available   from            <a
+ run ulogd  (available   from            <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
-          and log all Shorewall messages <a
+           and log all Shorewall messages <a
 href="shorewall_logging.html">to    a  separate  log file</a>.</li>
-                            <li>If you are running a kernel that has a FORWARD
+                              <li>If you are running a kernel that has a
-   chain    in  the   mangle table ("shorewall show mangle" will show you
+FORWARD     chain    in  the   mangle table ("shorewall show mangle" will
-the   chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes
+show you  the   chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes
- in  shorewall.conf.     This allows  for  marking input packets based on
+  in  shorewall.conf.     This allows  for  marking input packets based on
-their  destination even   when  you are using  Masquerading or SNAT.</li>
+ their  destination even   when  you are using  Masquerading or SNAT.</li>
-                            <li>I have cluttered up the /etc/shorewall directory
+                              <li>I have cluttered up the /etc/shorewall
-    with   empty    'init', 'start', 'stop' and 'stopped' files. If you already
+directory      with   empty    'init', 'start', 'stop' and 'stopped' files.
-    have   a file  with  one of these names, don't worry -- the upgrade process
+If you already      have   a file  with  one of these names, don't worry
-    won't   overwrite  your  file.</li>
+-- the upgrade process      won't   overwrite  your  file.</li>
      </ol>
-                     You may download the Beta from:<br>
+                       You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                       <a
+                         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-                     </blockquote>
+                       </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
-                       </a></b></p>
+                         </a></b></p>
-                      Shorewall is at the center of MandrakeSoft's recently-announced 
+                        Shorewall is at the center of MandrakeSoft's recently-announced 
-            <a
+             <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
-           Network Firewall (MNF)</a> product. Here is the <a
+            Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
-           release</a>.<br>
+            release</a>.<br>
@ -568,13 +575,13 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally 
-            delivered. I have installed 9.0 on one of my systems and I am 
+             delivered. I have installed 9.0 on one of my systems and I am 
-now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
+ now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
-                                </p>
+                                  </p>
@ -590,29 +597,31 @@ now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT 
-             with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 
+              with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 
-    users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
+     users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> 
-                                           </b></p>
+                                            </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
-                documenation. the PDF may be downloaded from</p>
+                 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                                     <a
+                                       <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                                 </p>
+                                   </p>
@ -629,25 +638,26 @@ now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <ul>
-                                      <li>A 'tcpflags' option has been added
+                                        <li>A 'tcpflags' option has been
-  to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+added    to  entries     in            <a
-         This option causes Shorewall to make a set of sanity check on TCP
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.     
- packet       header flags.</li>
+     This option causes Shorewall to make a set of sanity check on TCP  
-                                      <li>It is now allowed to use 'all'
+packet       header flags.</li>
-in  the   SOURCE    or  DEST   column    in a <a
+                                        <li>It is now allowed to use 'all'
 in  the   SOURCE    or  DEST   column    in a <a
 href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must  appear
 by itself (in may not be qualified)  and it does   not  enable   intra-zone
 traffic.  For example, the rule           <br>
-                                   <br>
+                                     <br>
-                                   ACCEPT loc all tcp 80<br>
+                                     ACCEPT loc all tcp 80<br>
-                                   <br>
+                                     <br>
-                               does not enable http traffic from 'loc' to 
+                                 does not enable http traffic from 'loc'
-'loc'.</li>
+to  'loc'.</li>
-                                      <li>Shorewall's use of the 'echo' command 
+                                        <li>Shorewall's use of the 'echo' 
-   is  now   compatible      with   bash clones such as ash and dash.</li>
+command     is  now   compatible      with   bash clones such as ash and dash.</li>
-                                      <li>fw-&gt;fw policies now generate 
+                                        <li>fw-&gt;fw policies now generate 
-a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
+ a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
-ignored</li>
+ ignored</li>
@ -670,15 +680,16 @@ ignored</li>
      <h2><a name="Donations"></a>Donations</h2>
-                                                                </td>
+                                                                  </td>
-                             <td width="88" bgcolor="#4b017c"
+                               <td width="88" bgcolor="#4b017c"
 valign="top" align="center">              <a
 href="http://sourceforge.net">M</a></td>
-                         </tr>
+                           </tr>
@ -688,9 +699,9 @@ ignored</li>
 </table>
-                   </center>
+                     </center>
-                 </div>
+                   </div>
@ -698,11 +709,12 @@ ignored</li>
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
-                <tbody>
+                  <tbody>
-                  <tr>
+                    <tr>
                        <td width="100%" style="margin-top: 1px;">      
                      <td width="100%" style="margin-top: 1px;">        
@ -714,8 +726,8 @@ ignored</li>
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                                                                          
+                                                                        
-                      </a></p>
+                          </a></p>
@ -728,13 +740,13 @@ ignored</li>
      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
-                                         to       <a
+                                          to       <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
 Foundation.</font></a> Thanks!</font></p>
-                      </td>
+                        </td>
-                  </tr>
+                    </tr>
@ -748,8 +760,10 @@ Foundation.</font></a> Thanks!</font></p>
 <p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
-                                   <br>
+                                    <br>
-  </p>
+    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -15,7 +15,7 @@
-                 <base target="_self">
+                         <base target="_self">
 </head>
  <body>
@ -26,11 +26,11 @@
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
-                            <tbody>
+                              <tbody>
-                         <tr>
+                           <tr>
-                                  <td width="100%" height="90">         
+                                    <td width="100%" height="90">       
@ -45,9 +45,10 @@
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                             </a></i></font><font color="#ffffff">Shorewall 
+                               </a></i></font><font color="#ffffff">Shorewall 
-      1.3     -               <font size="4">"<i>iptables                
+       1.3     -               <font size="4">"<i>iptables               
-  made  easy"</i></font></font><a href="http://www.sf.net">            </a></h1>
+   made  easy"</i></font></font><a href="http://www.sf.net">            
     </a></h1>
@ -60,8 +61,8 @@
      <div align="center"><a href="/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a></div>
-                                                                   </td>
+                                                                     </td>
-                                                  </tr>
+                                                    </tr>
@ -80,11 +81,12 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
-                              <tbody>
+                                <tbody>
-                         <tr>
+                           <tr>
                                      <td width="90%">                  
                                    <td width="90%">                    
@ -107,9 +109,9 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
-  a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+   a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-  firewall        that can be used on a dedicated firewall system, a multi-function
+   firewall        that can be used on a dedicated firewall system, a multi-function
-         gateway/router/server or on a standalone GNU/Linux system.</p>
+          gateway/router/server or on a standalone GNU/Linux system.</p>
@ -122,27 +124,27 @@
      <p>This program is free software; you can redistribute it and/or modify
-                                             it        under the terms of
+                                              it        under the terms of
-      <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
+       <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
 the GNU General Public License</a> as published by the Free Software    
   Foundation.<br>
-                                 <br>
+                                   <br>
-                            This   program     is  distributed       in 
+                              This   program     is  distributed       in 
-the     hope     that     it   will     be  useful,    but         WITHOUT
+ the     hope     that     it   will     be  useful,    but         WITHOUT
- ANY      WARRANTY;      without      even the   implied    warranty    
+  ANY      WARRANTY;      without      even the   implied    warranty   
- of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR    
+  of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR   
- PURPOSE.        See the    GNU General     Public  License           for
+  PURPOSE.        See the    GNU General     Public  License           for
 more details.<br>
-                                 <br>
+                                   <br>
-                            You   should    have   received     a  copy 
+                              You   should    have   received     a  copy 
- of   the     GNU     General         Public      License             along 
+  of   the     GNU     General         Public      License             along 
- with    this   program;       if  not,    write  to  the    Free Software
+  with    this   program;       if  not,    write  to  the    Free Software
-        Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA
+         Foundation,              Inc.,  675     Mass  Ave,  Cambridge, 
-  02139,       USA</p>
+MA    02139,       USA</p>
@ -169,15 +171,15 @@ the     hope     that     it   will     be  useful,    but         WITHOUT
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                             </a>Jacques              Nilo   and   Eric 
+                               </a>Jacques              Nilo   and   Eric 
- Wolzak       have     a   LEAF  (router/firewall/gateway         on  a floppy, 
+  Wolzak       have     a   LEAF  (router/firewall/gateway         on  a floppy,
-  CD    or compact     flash)  distribution        called              <i>Bering</i> 
+   CD    or compact     flash)  distribution        called              <i>Bering</i>
-        that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
+         that          features      Shorewall-1.3.10  and    Kernel-2.4.18.
-        You    can  find    their    work at:                <a
+         You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                                     <b>Congratulations to Jacques and Eric 
+                                       <b>Congratulations to Jacques and
- on  the   recent    release     of  Bering  1.0 Final!!! <br>
+Eric   on  the   recent    release     of  Bering  1.0 Final!!! <br>
-                                     </b>                               
+                                       </b>                             
@ -195,112 +197,128 @@ the     hope     that     it   will     be  useful,    but         WITHOUT
      <p><b>2/4/2003 - Shorewall 1.3.14-RC1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
      <p>Includes the Beta 2 content plus support for OpenVPN tunnels.<br>
      </p>
      <p> The release candidate may be downloaded from:<br>
           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"><br>
 ftp://ftp.shorewall.net/pub/shorewall/Beta</a></blockquote>
      <p></p>
      <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
-       </b></p>
+         </b></p>
      <p>Includes the Beta 1 content plus restores VLAN device names of the 
-form $dev.$vid (e.g., eth0.1)</p>
+ form $dev.$vid (e.g., eth0.1)</p>
      <p> The beta may be downloaded from:<br>
-         </p>
+           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-          <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+            <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-        </blockquote>
+          </blockquote>
      <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-      </b><br>
+        </b><br>
-   </p>
+     </p>
      <p>The Beta includes the following changes:<br>
-   </p>
+     </p>
      <ol>
-          <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
+            <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
- When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
+  When set to Yes, Shorewall ping handling is as it has always been (see
-       <br>
+http://www.shorewall.net/ping.html).<br>
-   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies 
+         <br>
- just like any other connection request. The FORWARDPING=Yes option in shorewall.conf 
+     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
- and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will 
+policies   just like any other connection request. The FORWARDPING=Yes option 
- all generate an error.<br>
+in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-       <br>
+will   all generate an error.<br>
-     </li>
+         <br>
-          <li>It is now possible to direct Shorewall to create a "label"
+       </li>
-such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+            <li>It is now possible to direct Shorewall to create a "label"
-and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
+ such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
-just  the interface name:<br>
+ and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
-    <br>
+of  just  the interface name:<br>
-      a) In the INTERFACE column of /etc/shorewall/masq<br>
+      <br>
-      b) In the INTERFACE column of /etc/shorewall/nat<br>
+        a) In the INTERFACE column of /etc/shorewall/masq<br>
-    </li>
+        b) In the INTERFACE column of /etc/shorewall/nat<br>
-          <li>When an interface name is entered in the SUBNET column of the
+      </li>
- /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
+            <li>When an interface name is entered in the SUBNET column of 
-only  the first subnet defined on that interface. It did not masquerade traffic
+the  /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
- from:<br>
+ only  the first subnet defined on that interface. It did not masquerade
-    <br>
+traffic   from:<br>
-      a) The subnets associated with other addresses on the interface.<br>
+      <br>
-      b) Subnets accessed through local routers.<br>
+        a) The subnets associated with other addresses on the interface.<br>
-    <br>
+        b) Subnets accessed through local routers.<br>
-   Beginning with Shorewall 1.3.14, if you enter an interface name in the 
+      <br>
-SUBNET  column, shorewall will use the firewall's routing table to construct 
+     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
-the masquerading/SNAT rules.<br>
+ SUBNET  column, shorewall will use the firewall's routing table to construct 
-    <br>
+ the masquerading/SNAT rules.<br>
-   Example 1 -- This is how it works in 1.3.14.<br>
+      <br>
-      <br>
+     Example 1 -- This is how it works in 1.3.14.<br>
        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
-    <br>
+      <br>
-   When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
+     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
-connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq 
+ connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
- entry, your /etc/shorewall/masq file will need changing. In most cases, you
+  entry, your /etc/shorewall/masq file will need changing. In most cases,
- will simply be able to remove redundant entries. In some cases though, you
+you  will simply be able to remove redundant entries. In some cases though,
- might want to change from using the interface name to listing specific subnetworks
+you  might want to change from using the interface name to listing specific
- if the change described above will cause masquerading to occur on subnetworks
+subnetworks  if the change described above will cause masquerading to occur
- that you don't wish to masquerade.<br>
+on subnetworks  that you don't wish to masquerade.<br>
-    <br>
+      <br>
-   Example 2 -- Suppose that your current config is as follows:<br>
+     Example 2 -- Suppose that your current config is as follows:<br>
-      <br>
+        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
-      In this case, the second entry in /etc/shorewall/masq is no longer
+        In this case, the second entry in /etc/shorewall/masq is no longer
-required.<br>
+ required.<br>
-    <br>
+      <br>
-   Example 3 -- What if your current configuration is like this?<br>
+     Example 3 -- What if your current configuration is like this?<br>
-    <br>
+      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]# <br></pre>
-      In this case, you would want to change the entry in  /etc/shorewall/masq
+        In this case, you would want to change the entry in  /etc/shorewall/masq
- to:<br>
+  to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          </li>
+            </li>
      </ol>
-   The beta may be downloaded from:<br>
+     The beta may be downloaded from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-     <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-   </blockquote>
+     </blockquote>
      <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b> 
-        </b></p>
+         </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
-  documenation.          the PDF may be downloaded from</p>
+   documenation.          the PDF may be downloaded from</p>
-                                             <a
+                                               <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                            <a
+                              <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b>    </b></p>
@ -309,75 +327,76 @@ required.<br>
 href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and ftp.shorewall.net
 are now hosted on a system in Bellevue, Washington.  A big thanks to Alex
 for making this happen.<br>
-      </p>
+        </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
-                                                            </b><br>
+                                                              </b><br>
-       </p>
+         </p>
      <p>Just includes a few things that I had on the burner:<br>
-       </p>
+         </p>
      <ol>
-              <li>A new 'DNAT-' action has been added for entries in the
+                <li>A new 'DNAT-' action has been added for entries in the
-/etc/shorewall/rules    file. DNAT- is intended for advanced users who wish
+ /etc/shorewall/rules    file. DNAT- is intended for advanced users who wish
-to minimize the number    of rules that connection requests must traverse.<br>
+ to minimize the number    of rules that connection requests must traverse.<br>
-           <br>
+             <br>
-       A Shorewall DNAT rule actually generates two iptables rules: a header
+         A Shorewall DNAT rule actually generates two iptables rules: a header
-  rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
+   rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter'
-  A DNAT-  rule only generates the first of these rules. This is handy when
+table.    A DNAT-  rule only generates the first of these rules. This is
-  you have  several DNAT rules that would generate the same ACCEPT rule.<br>
+handy when    you have  several DNAT rules that would generate the same ACCEPT
-           <br>
+rule.<br>
-          Here are three rules from my previous rules file:<br>
+             <br>
-           <br>
+            Here are three rules from my previous rules file:<br>
-               DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
+             <br>
-               DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
+                 DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
-               ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
+                 DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
-           <br>
+                 ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
-          These three rules ended up generating _three_ copies of<br>
+             <br>
-           <br>
+            These three rules ended up generating _three_ copies of<br>
-                ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
+             <br>
-           <br>
+                  ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
-          By writing the rules this way, I end up with only one copy of the 
+             <br>
- ACCEPT  rule.<br>
+            By writing the rules this way, I end up with only one copy of 
-           <br>
+the   ACCEPT  rule.<br>
-               DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
+             <br>
-               DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
+                 DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
-               ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
+                 DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
-           <br>
+                 ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
-         </li>
+             <br>
-              <li>The 'shorewall check' command now prints out the applicable 
+           </li>
-  policy between each pair of zones.<br>
+                <li>The 'shorewall check' command now prints out the applicable 
-           <br>
+   policy between each pair of zones.<br>
-         </li>
+             <br>
-              <li>A new CLEAR_TC option has been added to shorewall.conf. 
+           </li>
-If  this  option is set to 'No' then Shorewall won't clear the current traffic
+                <li>A new CLEAR_TC option has been added to shorewall.conf. 
-  control  rules during [re]start. This setting is intended for use by people
+ If  this  option is set to 'No' then Shorewall won't clear the current traffic
-  that prefer  to configure traffic shaping when the network interfaces come
+   control  rules during [re]start. This setting is intended for use by people
-  up rather than  when the firewall is started. If that is what you want
+   that prefer  to configure traffic shaping when the network interfaces
-to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
+come    up rather than  when the firewall is started. If that is what you
-  file. That way,  your traffic shaping rules can still use the 'fwmark'
+want to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
   file. That way,  your traffic shaping rules can still use the 'fwmark'
 classifier   based on  packet marking defined in /etc/shorewall/tcrules.<br>
-           <br>
+             <br>
-         </li>
+           </li>
-              <li>A new SHARED_DIR variable has been added that allows distribution
+                <li>A new SHARED_DIR variable has been added that allows
-   packagers to easily move the shared directory (default /usr/lib/shorewall).
+distribution     packagers to easily move the shared directory (default /usr/lib/shorewall).
-   Users should never have a need to change the value of this shorewall.conf
+    Users should never have a need to change the value of this shorewall.conf
-   setting.</li>
+    setting.</li>
      </ol>
      <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
-                                                       </b></p>
+                                                        </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall 
-     Development or Shorewall Support</b></p>
+      Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
-            </p>
+              </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
@ -385,15 +404,15 @@ classifier   based on  packet marking defined in /etc/shorewall/tcrules.<br>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
-      documenation.        the PDF may be downloaded from</p>
+       documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                              <a
+                                <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                          </p>
+                            </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
@ -401,129 +420,130 @@ classifier   based on  packet marking defined in /etc/shorewall/tcrules.<br>
      <p>     Features include:<br>
-                        </p>
+                          </p>
      <ol>
-                      <li>"shorewall refresh" now reloads the traffic shaping 
+                        <li>"shorewall refresh" now reloads the traffic shaping 
-  rules    (tcrules     and tcstart).</li>
+   rules    (tcrules     and tcstart).</li>
-                      <li>"shorewall debug [re]start" now turns off debugging 
+                        <li>"shorewall debug [re]start" now turns off debugging 
-  after    an  error   occurs. This places the point of the failure near the
+   after    an  error   occurs. This places the point of the failure near 
-  end of   the trace rather   than up in the middle of it.</li>
+the   end of   the trace rather   than up in the middle of it.</li>
-                      <li>"shorewall [re]start" has been speeded up by more 
+                        <li>"shorewall [re]start" has been speeded up by
- than   40%   with   my  configuration. Your milage may vary.</li>
+more   than   40%   with   my  configuration. Your milage may vary.</li>
-                      <li>A "shorewall show classifiers" command has been 
+                        <li>A "shorewall show classifiers" command has been 
-added    which    shows   the current packet classification filters. The output
+ added    which    shows   the current packet classification filters. The 
-from   this  command  is  also added as a separate page in "shorewall monitor"</li>
+output from   this  command  is  also added as a separate page in "shorewall 
-                      <li>ULOG (must be all caps) is now accepted as a valid
+monitor"</li>
-  syslog    level   and  causes the subject packets to be logged using the
+                        <li>ULOG (must be all caps) is now accepted as a
- ULOG target    rather   than  the LOG target. This allows you to run ulogd
+valid    syslog    level   and  causes the subject packets to be logged using
- (available from             <a
+the   ULOG target    rather   than  the LOG target. This allows you to run
 ulogd   (available from             <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-         and log all Shorewall messages <a href="shorewall_logging.html">to 
+          and log all Shorewall messages <a
-  a  separate log file</a>.</li>
+ href="shorewall_logging.html">to    a  separate log file</a>.</li>
-                      <li>If you are running a kernel that has a FORWARD
+                        <li>If you are running a kernel that has a FORWARD
-chain    in  the   mangle    table ("shorewall show mangle" will show you
+ chain    in  the   mangle    table ("shorewall show mangle" will show you
-the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes
+ the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes
-in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for 
+ in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
-marking         input packets based on their destination even when you are
+ marking         input packets based on their destination even when you are
 using  Masquerading        or SNAT.</li>
-                      <li>I have cluttered up the /etc/shorewall directory
+                        <li>I have cluttered up the /etc/shorewall directory
- with   empty    'init',    'start', 'stop' and 'stopped' files. If you already 
+  with   empty    'init',    'start', 'stop' and 'stopped' files. If you
- have  a file    with one   of these names, don't worry -- the upgrade process 
+already   have  a file    with one   of these names, don't worry -- the upgrade
- won't  overwrite    your file.</li>
+process   won't  overwrite    your file.</li>
-                      <li>I have added a new RFC1918_LOG_LEVEL variable to
+                        <li>I have added a new RFC1918_LOG_LEVEL variable 
-           <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
+to            <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
- specifies       the syslog level at which packets are logged as a result
+  specifies       the syslog level at which packets are logged as a result
-of entries in   the   /etc/shorewall/rfc1918 file. Previously, these packets
+ of entries in   the   /etc/shorewall/rfc1918 file. Previously, these packets
- were always   logged   at the 'info' level.</li>
+  were always   logged   at the 'info' level.</li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
-                </p>
+                  </p>
-                This version corrects a problem with Blacklist logging. In
+                  This version corrects a problem with Blacklist logging. 
- Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall 
+In  Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the 
- would   fail  to start and "shorewall  refresh" would also fail.<br>
+firewall   would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
-                                                </p>
+                                                  </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                      <a
+                        <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-                    </blockquote>
+                      </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                            </b></p>
-                   The first public Beta version of Shorewall 1.3.12 is now 
+                     The first public Beta version of Shorewall 1.3.12 is 
- available      (Beta  1 was made available only to a limited audience). 
+now   available      (Beta  1 was made available only to a limited audience). 
-     <br>
+      <br>
-                    <br>
+                      <br>
-                    Features include:<br>
+                      Features include:<br>
-                    <br>
+                      <br>
      <ol>
-                           <li>"shorewall refresh" now reloads the traffic
+                             <li>"shorewall refresh" now reloads the traffic
- shaping     rules    (tcrules  and tcstart).</li>
+  shaping     rules    (tcrules  and tcstart).</li>
-                           <li>"shorewall debug [re]start" now turns off
+                             <li>"shorewall debug [re]start" now turns off
-debugging      after    an  error occurs. This places the point of the failure
+ debugging      after    an  error occurs. This places the point of the failure
-near the    end of the   trace  rather than up in the middle of it.</li>
+ near the    end of the   trace  rather than up in the middle of it.</li>
-                           <li>"shorewall [re]start" has been speeded up
+                             <li>"shorewall [re]start" has been speeded up
-by  more   than   40%   with  my configuration. Your milage may vary.</li>
+ by  more   than   40%   with  my configuration. Your milage may vary.</li>
-                           <li>A "shorewall show classifiers" command has 
+                             <li>A "shorewall show classifiers" command has 
-been   added    which    shows the current packet classification filters. 
+ been   added    which    shows the current packet classification filters. 
-The output   from    this command    is also added as a separate page in "shorewall
+ The output   from    this command    is also added as a separate page in 
-monitor"</li>
+"shorewall monitor"</li>
-                           <li>ULOG (must be all caps) is now accepted as 
+                             <li>ULOG (must be all caps) is now accepted
-a  valid    syslog    level  and causes the subject packets to be logged using
+as  a  valid    syslog    level  and causes the subject packets to be logged 
- the ULOG   target   rather than the LOG target. This allows you to run ulogd
+using  the ULOG   target   rather than the LOG target. This allows you to 
- (available   from            <a
+run ulogd  (available   from            <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-         and log all Shorewall messages <a href="shorewall_logging.html">to 
+          and log all Shorewall messages <a
-  a  separate log file</a>.</li>
+ href="shorewall_logging.html">to    a  separate log file</a>.</li>
-                           <li>If you are running a kernel that has a FORWARD 
+                             <li>If you are running a kernel that has a FORWARD 
-  chain    in  the   mangle table ("shorewall show mangle" will show you the
+   chain    in  the   mangle table ("shorewall show mangle" will show you 
-  chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes 
+the   chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes 
-in  shorewall.conf.     This allows  for  marking input packets based on their
+ in  shorewall.conf.     This allows  for  marking input packets based on 
- destination even   when  you are using  Masquerading or SNAT.</li>
+their  destination even   when  you are using  Masquerading or SNAT.</li>
-                           <li>I have cluttered up the /etc/shorewall directory 
+                             <li>I have cluttered up the /etc/shorewall directory 
-   with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
+    with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
-   have   a file  with  one of these names, don't worry -- the upgrade process 
+    have   a file  with  one of these names, don't worry -- the upgrade process 
-   won't   overwrite  your  file.</li>
+    won't   overwrite  your  file.</li>
      </ol>
-                    You may download the Beta from:<br>
+                      You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                      <a
+                        <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-                    </blockquote>
+                      </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
-                      </a></b></p>
+                        </a></b></p>
-                     Shorewall is at the center of MandrakeSofts's recently-announced 
+                       Shorewall is at the center of MandrakeSofts's recently-announced 
-            <a
+             <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
-          Network Firewall (MNF)</a> product. Here is the <a
+           Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
-          release</a>.<br>
+           release</a>.<br>
@ -533,13 +553,13 @@ in  shorewall.conf.     This allows  for  marking input packets based on their
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-            delivered. I have installed 9.0 on one of my systems and I am
+             delivered. I have installed 9.0 on one of my systems and I am
-now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
+ now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
-                               </p>
+                                 </p>
@ -549,34 +569,37 @@ now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
-             with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
+              with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
-    users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
+     users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
-                                           </b></p>
+                                            </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
-                documenation. the PDF may be downloaded from</p>
+                 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                                     <a
+                                       <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                                 </p>
+                                   </p>
@ -593,25 +616,26 @@ now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <ul>
-                                      <li>A 'tcpflags' option has been added
+                                        <li>A 'tcpflags' option has been
-  to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+added    to  entries     in            <a
-         This option causes Shorewall to make a set of sanity check on TCP
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.     
- packet       header flags.</li>
+     This option causes Shorewall to make a set of sanity check on TCP  
-                                      <li>It is now allowed to use 'all'
+packet       header flags.</li>
-in  the   SOURCE    or  DEST   column    in a <a
+                                        <li>It is now allowed to use 'all'
 in  the   SOURCE    or  DEST   column    in a <a
 href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must  appear
 by itself (in may not be qualified)  and it does   not  enable   intra-zone
 traffic.  For example, the rule           <br>
-                                   <br>
+                                     <br>
-                                   ACCEPT loc all tcp 80<br>
+                                     ACCEPT loc all tcp 80<br>
-                                   <br>
+                                     <br>
-                               does not enable http traffic from 'loc' to 
+                                 does not enable http traffic from 'loc'
-'loc'.</li>
+to  'loc'.</li>
-                                      <li>Shorewall's use of the 'echo' command 
+                                        <li>Shorewall's use of the 'echo' 
-   is  now   compatible      with   bash clones such as ash and dash.</li>
+command     is  now   compatible      with   bash clones such as ash and dash.</li>
-                                      <li>fw-&gt;fw policies now generate 
+                                        <li>fw-&gt;fw policies now generate 
-a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
+ a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
-ignored</li>
+ ignored</li>
@ -628,16 +652,16 @@ ignored</li>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
-                documenation. the PDF may be downloaded from</p>
+                 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                                     <a
+                                       <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                                 </p>
+                                   </p>
@ -683,7 +707,7 @@ ignored</li>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
-                                                   </a></h1>
+                                                     </a></h1>
@ -704,13 +728,14 @@ ignored</li>
      <h2><a name="Donations"></a>Donations</h2>
                                                                       </td>
-                                    <td width="88" bgcolor="#4b017c"
+      </td>
                                      <td width="88" bgcolor="#4b017c"
 valign="top" align="center">              <br>
-                                                     </td>
+                                                       </td>
-                                </tr>
+                                  </tr>
@ -721,9 +746,10 @@ ignored</li>
 </table>
-                          </center>
+                            </center>
                          </div>
                        </div>
@ -731,11 +757,11 @@ ignored</li>
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
-                       <tbody>
+                         <tbody>
-                         <tr>
+                           <tr>
-                             <td width="100%" style="margin-top: 1px;"> 
+                               <td width="100%" style="margin-top: 1px;"> 
@ -749,7 +775,8 @@ ignored</li>
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                              </a></p>
+                                </a></p>
@ -762,13 +789,14 @@ ignored</li>
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
-                                             to       <a
+                                              to       <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight        
 Children's Foundation.</font></a> Thanks!</font></p>
-                             </td>
+                               </td>
                           </tr>
                         </tr>
@ -780,10 +808,12 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 1/28/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font> 
-                                     <br>
+                                      <br>
- </p>
+   </p>
   <br>
  <br>
 <br>
 </body>
 </html>