Version 1.3.9b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@290 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-07 05:58:49 +01:00 · 2002-10-09 15:47:48 +00:00 · 2002-10-09 15:47:48 +00:00 · 53d582d396
commit 53d582d396
parent ad21569d2a
16 changed files with 3710 additions and 3479 deletions
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -29,7 +29,7 @@
  </tbody>   
 </table>
-<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
+<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
  port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked 
  everywhere and can't find <b>how to do it</b>.</a></p>
@ -51,8 +51,8 @@ in  Z. Hosts in Z cannot communicate with each other using their external
 Messenger </b>with  Shorewall. What do I do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
-to  check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
+ to  check my firewall and it shows <b>some ports as 'closed' rather than 
- Why?</a></p>
+'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
  of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -61,7 +61,7 @@ to  check my firewall and it shows <b>some ports as 'closed' rather than 'blocke
 I <b> can't ping</b> through the firewall</a></p>
 <p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
- written and  how do I <b>change the destination</b>?</a></p>
+  written and  how do I <b>change the destination</b>?</a></p>
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
  that work with Shorewall?</a></p>
@ -92,9 +92,9 @@ but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
 it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
-IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+ IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable 
-1918  filtering on my external interface, <b>my DHCP client cannot renew its
+RFC 1918  filtering on my external interface, <b>my DHCP client cannot renew 
-lease</b>.</a></p>
+its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
 out to  the net</b></a></p>
@ -111,7 +111,8 @@ can't find how to do it.</h4>
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to 
 do port forwarding under Shorewall. Assuming that you have a dynamic external 
-IP address, the format of a port-forwarding rule to a local system is as follows:</p>
+ IP address, the format of a port-forwarding rule to a local system is as 
 follows:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -132,8 +133,10 @@ IP address, the format of a port-forwarding rule to a local system is as follows
          <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
          <td><i>&lt;protocol&gt;</i></td>
          <td><i>&lt;port #&gt;</i></td>
-        <td> </td>
+          <td> <br>
-        <td> </td>
+        </td>
          <td> <br>
        </td>
        </tr>
    </tbody>         
@ -162,8 +165,10 @@ the rule is:</p>
          <td>loc:192.168.1.5</td>
          <td>udp</td>
          <td>7777</td>
-        <td> </td>
+          <td> <br>
-        <td> </td>
+        </td>
          <td> <br>
        </td>
        </tr>
    </tbody>         
@ -225,12 +230,13 @@ can browse http://www.mydomain.com but internal clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-    <li>Having an internet-accessible server in your local network     is 
+      <li>Having an internet-accessible server in your local network    
-like raising foxes in the corner of your hen house. If the server is     compromised,
+is  like raising foxes in the corner of your hen house. If the server is
-there's nothing between that server and your other internal     systems.
+    compromised, there's nothing between that server and your other internal 
-For the cost of another NIC and a cross-over cable, you can put      your
+    systems. For the cost of another NIC and a cross-over cable, you can put
-server in a DMZ such that it is isolated from your local systems -     assuming
+     your server in a DMZ such that it is isolated from your local systems 
-that the Server can be located near the Firewall, of course :-)</li>
+-     assuming that the Server can be located near the Firewall, of course 
 :-)</li>
      <li>The accessibility problem is best solved using    <a
 href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
 a separate DNS server for local clients) such that www.mydomain.com resolves
@ -281,13 +287,13 @@ with subnet 192.168.1.0/24, do the following:</p>
    </div>
 <div align="left">    
-<pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
+<pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
    </div>
 <div align="left">    
 <p align="left">That rule only works of course if you have a static external 
-IP  address. If you  have a dynamic IP address and are running Shorewall 1.3.4
+ IP  address. If you  have a dynamic IP address and are running Shorewall 
-or later then include this in  /etc/shorewall/params:</p>
+1.3.4 or later then include this in  /etc/shorewall/params:</p>
   </div>
 <div align="left">    
@ -344,7 +350,7 @@ to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
  static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses 
-and can be accessed externally and internally using the same address. </p>
+ and can be accessed externally and internally using the same address. </p>
 <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
 traffic through your firewall then:</p>
@ -398,7 +404,8 @@ traffic through your firewall then:</p>
          <td>dmz</td>
          <td>dmz</td>
          <td>ACCEPT</td>
-        <td> </td>
+          <td> <br>
        </td>
        </tr>
    </tbody>         
@ -406,7 +413,7 @@ traffic through your firewall then:</p>
    </blockquote>
 <div align="left">    
-<pre align="left">     dmz    dmz    ACCEPT</pre>
+<pre align="left">     dmz    dmz    ACCEPT</pre>
    </div>
 <p align="left">In /etc/shorewall/masq:</p>
@ -423,7 +430,8 @@ traffic through your firewall then:</p>
        <tr>
          <td width="93">eth2</td>
          <td width="31">192.168.2.0/24</td>
-        <td width="120"> </td>
+          <td width="120"> <br>
        </td>
        </tr>
    </tbody>         
@ -447,11 +455,11 @@ to    check my firewall and it shows some ports as 'closed' rather than 'blocked
 always    rejects connection requests on TCP port 113 rather than dropping 
 them. This is    necessary to prevent outgoing connection problems to services 
 that use the    'Auth' mechanism for identifying requesting users. Shorewall 
-also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. These
+ also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. 
-are ports that are    used by Windows (Windows <u>can</u> be configured to
+These are ports that are    used by Windows (Windows <u>can</u> be configured 
-use the DCE cell locator    on port 135). Rejecting these connection requests 
+to use the DCE cell locator    on port 135). Rejecting these connection requests 
-rather than dropping them    cuts down slightly on the amount of Windows chatter
+ rather than dropping them    cuts down slightly on the amount of Windows 
-on LAN segments connected    to the Firewall. </p>
+chatter on LAN segments connected    to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
 your    ISP preventing you from running a web server in violation of your 
@ -482,15 +490,15 @@ for "ping": </p>
    </blockquote>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
- and  how do I change the destination?</h4>
+  and  how do I change the destination?</h4>
 <p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
 (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
 (see "man openlog") and you get to choose the log level (again, see "man
 syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- href="Documentation.htm#Rules">rules</a>. The destination for messaged  logged
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged 
-by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
+logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
-you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
+When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
 system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages 
@ -543,10 +551,11 @@ this:</p>
 for  problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
   </div>
-<h4 align="left">     
+<h4 align="left">      </h4>
 <h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces
 properly?</h4>
-      </h4>
+          
 <p align="left">I just installed Shorewall and when I issue the start command, 
    I see the following:</p>
@ -589,10 +598,10 @@ them when the authors      feel that they are ready. </p>
 (<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
 and "Fire<u>wall</u>".</p>
-<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
+<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
 and it has an  internal web server that allows me to configure/monitor it 
-but as expected if I  enable rfc1918 blocking for my eth0 interface (the internet
+ but as expected if I  enable rfc1918 blocking for my eth0 interface (the 
-one), it also blocks  the cable modems web server.</h4>
+internet one), it also blocks  the cable modems web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
 that will let all traffic to and from the 192.168.100.1 address  of the modem
@ -630,7 +639,41 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
    </div>
 <div align="left">      
-<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.</p>
+<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
 </p>
 <p align="left">Note: If you add a second IP address to your external firewall 
 interface to correspond to the modem address, you must also make an entry 
 in /etc/shorewall/rfc1918 for that address. For example, if you configure 
 the address 192.168.100.2 on your firewall, then you would add two entries 
 to /etc/shorewall/rfc1918:  <br>
 </p>
 <blockquote>   
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
     <tbody>
       <tr>
         <td valign="top"><u><b>SUBNET</b></u><br>
         </td>
         <td valign="top"><u><b>TARGET</b></u><br>
         </td>
       </tr>
       <tr>
         <td valign="top">192.168.100.1<br>
         </td>
         <td valign="top">RETURN<br>
         </td>
       </tr>
       <tr>
         <td valign="top">192.168.100.2<br>
         </td>
         <td valign="top">RETURN<br>
         </td>
       </tr>
    </tbody>   
  </table>
 </blockquote>
   </div>
 <div align="left">      
@ -649,9 +692,9 @@ lease.</h4>
 the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
-the net", I wonder  where the poster bought computers with eyes and what those
+ the net", I wonder  where the poster bought computers with eyes and what 
-computers will "see"  when things are working properly. That aside, the most
+those computers will "see"  when things are working properly. That aside, 
-common causes of this  problem are:</p>
+the most common causes of this  problem are:</p>
 <ol>
      <li>               
@ -678,16 +721,14 @@ to your startup    scripts or place it in /etc/shorewall/start. Under RedHat,
 the max log level    that is sent to the console is specified in /etc/sysconfig/init 
 in the    LOGLEVEL variable.</p>
-<div align="left">
+<div align="left">     </div>
 <p align="left"></p>
 </div>
-<p align="left"><font size="2">Last updated 9/23/2002 - <a
+<p align="left"><font size="2">Last updated 10/8/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-   <br>
+ </p>
- <br>
+ 
 </body>
 </html>
--- a/STABLE/documentation/Install.htm
+++ b/STABLE/documentation/Install.htm
@ -1,147 +1,176 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Installation</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Installation and
 Upgrade</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<p align="center"><b>Before upgrading, be sure to review the
+<p align="center"><b>Before upgrading, be sure to review the <a
-<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
+ href="upgrade_issues.htm">Upgrade Issues</a></b></p>
 <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
-<a href="#Install_Tarball">Install
+ <a href="#Install_Tarball">Install using tarball</a><br>
 using tarball</a><br>
 <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
-<a href="#Upgrade_Tarball">Upgrade
+ <a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
 using tarball</a><br>
 <a href="#Config_Files">Configuring Shorewall</a><br>
 <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
 <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
-<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell 
+ 
-prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4 
+<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
-either from the
+shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
-<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update 
+1.2.4  either from the <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
 site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
 attempting to start Shorewall.</b></p>
 <ul>
   <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
   <br>
-  <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a 
+   <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
-  conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this 
+a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
-  happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall 
+If this    happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
-  rpm&gt;).</li>
+&lt;shorewall    rpm&gt;).</li>
-  <li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM 
+   <li>Edit the <a href="#Config_Files"> configuration files</a> to match
-AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE 
+your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
-FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO 
+SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
-START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, 
+IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
-ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
+AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
-  <li>Start the firewall by typing &quot;shorewall start&quot;</li>
+TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
 CONNECTIVITY.</b></font></li>
   <li>Start the firewall by typing "shorewall start"</li>
 </ul>
-    <p><a name="Install_Tarball"></a>To
+     
-    install Shorewall using the tarball and install
+<p><a name="Install_Tarball"></a>To     install Shorewall using the tarball
-    script: </p>
+and install     script: </p>
 <ul>
   <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
   <li>cd to the shorewall directory (the version is encoded in the     
-            directory name as in &quot;shorewall-1.1.10&quot;).</li>
+       directory name as in "shorewall-1.1.10").</li>
   <li>If you are using <a
-            href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
+ href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
-          <a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
+ href="http://www.redhat.com">RedHat</a>,           <a
-          <a href="http://www.slackware.com/">Slackware</a> or
+ href="http://www.linux-mandrake.com">Mandrake</a>, <a
-          <a href="http://www.debian.org">Debian</a>
+ href="http://www.corel.com">Corel</a>,           <a
-            then type &quot;./install.sh&quot;</li>
+ href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
   <li>If you are using <a href="http://www.suse.com">SuSe</a> then type 
-    &quot;./install.sh /etc/init.d&quot;</li>
+   "./install.sh /etc/init.d"</li>
-  <li>If your distribution has directory
+   <li>If your distribution has directory             /etc/rc.d/init.d or
-            /etc/rc.d/init.d or /etc/init.d then type
+/etc/init.d then type             "./install.sh"</li>
-            &quot;./install.sh&quot;</li>
+   <li>For other distributions, determine where your             distribution
-  <li>For other distributions, determine where your
+installs init scripts and type             "./install.sh &lt;init script
-            distribution installs init scripts and type
+directory&gt;</li>
-            &quot;./install.sh &lt;init script directory&gt;</li>
+   <li>Edit the <a href="#Config_Files"> configuration files</a> to match
-  <li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
+your configuration.</li>
-  <li>Start the firewall by typing &quot;shorewall
+   <li>Start the firewall by typing "shorewall             start"</li>
-            start&quot;</li>
+   <li>If the install script was unable to configure Shorewall to be started
-  <li>If the install script was unable to configure Shorewall to be started automatically at boot,
+automatically at boot,             see <a
-            see <a href="Documentation.htm#Starting">these
+ href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
-            instructions</a>.</li>
+ 
 </ul>
-<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
+ 
-version:</p>
+<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you 
+and are upgrading to a new version:</p>
-have entries in the /etc/shorewall/hosts file then please check your 
+ 
-/etc/shorewall/interfaces file to be sure that it contains an entry for each 
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-interface mentioned in the hosts file. Also, there are certain 1.2 rule forms 
+and you  have entries in the /etc/shorewall/hosts file then please check
-that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and 
+for each  interface mentioned in the hosts file. Also, there are certain
-host file for 1.3 compatibility using the &quot;shorewall check&quot; command after 
+1.2 rule forms  that are no longer supported under 1.3 (you must use the
-installing the latest version of 1.3.</p>
+new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
 details. You can check your rules and  host file for 1.3 compatibility using
 the "shorewall check" command after  installing the latest version of 1.3.</p>
 <ul>
-  <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
+   <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
-    are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
+you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
-    you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
+installed,     you must use the "--oldpackage" option to rpm (e.g., "rpm 
-    -Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
+   -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").   
-  <p>
+    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
-  <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a 
+rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-  conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this 
+is installed. If this    happens, simply use the --nodeps option to rpm (rpm
-  happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall 
+-Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
-  rpm&gt;).<br>
+     </p>
-&nbsp;</li>
+  </li>
-  <li>See if there are any incompatibilities between your configuration and the 
+  <li>See if there are any incompatibilities between your configuration and
-  new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
+the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
   <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
+ 
-using the tarball:</p>
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you 
+and are upgrading to a new version using the tarball:</p>
-have entries in the /etc/shorewall/hosts file then please check your 
+ 
-/etc/shorewall/interfaces file to be sure that it contains an entry for each 
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule 
+and you  have entries in the /etc/shorewall/hosts file then please check
-forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). 
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules 
+for each  interface mentioned in the hosts file.  Also, there are certain
-and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after 
+1.2 rule  forms that are no longer supported under 1.3 (you must use the
-installing the latest version of 1.3.</p>
+new 1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
 for details. You can check your rules  and host file for 1.3 compatibility
 using the "shorewall check" command after  installing the latest version
 of 1.3.</p>
 <ul>
   <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
   <li>cd to the shorewall directory (the version is encoded in the     
-            directory name as in &quot;shorewall-3.0.1&quot;).</li>
+       directory name as in "shorewall-3.0.1").</li>
   <li>If you are using <a
-            href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
+ href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
-          <a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
+ href="http://www.redhat.com">RedHat</a>,           <a
-          <a href="http://www.slackware.com/">Slackware</a> or
+ href="http://www.linux-mandrake.com">Mandrake</a>, <a
-          <a href="http://www.debian.org">Debian</a>
+ href="http://www.corel.com">Corel</a>,           <a
-            then type &quot;./install.sh&quot;</li>
+ href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
   <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type 
-    &quot;./install.sh /etc/init.d&quot;</li>
+   "./install.sh /etc/init.d"</li>
-  <li>If your distribution has directory
+   <li>If your distribution has directory             /etc/rc.d/init.d or
-            /etc/rc.d/init.d or /etc/init.d then type
+/etc/init.d then type             "./install.sh"</li>
-            &quot;./install.sh&quot;</li>
+   <li>For other distributions, determine where your             distribution
-  <li>For other distributions, determine where your
+installs init scripts and type             "./install.sh &lt;init script
-            distribution installs init scripts and type
+directory&gt;</li>
-            &quot;./install.sh &lt;init script directory&gt;</li>
+   <li>See if there are any incompatibilities between your configuration
-  <li>See if there are any incompatibilities between your configuration and the 
+and the    new Shorewall version (type "shorewall check") and correct as
-  new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
+necessary.</li>
-  <li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
+   <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
-<p>You will need to edit some or all of these configuration files to match your 
+ 
-setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
+<p>You will need to edit some or all of these configuration files to match
 your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
 QuickStart Guides</a> contain all of the information you need.</p>
 <ul>
   <li>/etc/shorewall/shorewall.conf - used to set several firewall     
   parameters.</li>
-  <li>/etc/shorewall/params - use this file to set shell variables that you will
+   <li>/etc/shorewall/params - use this file to set shell variables that
-    expand in other files.</li>
+you will     expand in other files.</li>
   <li>/etc/shorewall/zones - partition the firewall's view of the world 
       into <i>zones.</i></li>
   <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
@ -156,19 +185,23 @@ QuickStart Guides</a> contain all of the information you need.</p>
      overall policies established in /etc/shorewall/policy.</li>
   <li>/etc/shorewall/nat - defines static NAT rules.</li>
   <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
-  <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts 
+   <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
-  accessible when Shorewall is stopped.</li>
+hosts    accessible when Shorewall is stopped.</li>
-  <li>/etc/shorewall/tcrules - defines marking of packets for later use by
+   <li>/etc/shorewall/tcrules - defines marking of packets for later use
-    traffic control/shaping.</li>
+by     traffic control/shaping.</li>
   <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet 
        headers.</li>
   <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on 
       the firewall system.</li>
   <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
 </ul>
-<p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
+ 
-Eastep</a> </font></p>
+<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
-</body></html>
+</body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall News</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -26,8 +27,16 @@
  </tbody>           
 </table>
-<p><b>9/30/2002 - Shorewall 1.3.9a</b></p>
+<p><b>10/9/2002 - Shorewall 1.3.9b</b></p>
 This release rolls up fixes to the installer and to the firewall script.<br>
 <p><b>10/6/2002 - Shorewall.net now running on RH8.0<br>
  </b><br>
  The firewall and server here at shorewall.net are now running RedHat release 
 8.0.<br>
                <b><br>
 9/30/2002 - Shorewall 1.3.9a</b></p>
  Roles up the fix for broken tunnels.<br>
 <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b></p>
  There is an updated firewall script at <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
@ -43,13 +52,14 @@ There is an updated firewall script at <a
         <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a> 
 are   now allowed in Shorewall config files (although I recommend against 
 using  them).</li>
-       <li>The connection SOURCE may now be qualified by both interface and 
+         <li>The connection SOURCE may now be qualified by both interface 
- IP  address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
+and   IP  address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
-       <li>Shorewall startup is now disabled after initial installation until 
+         <li>Shorewall startup is now disabled after initial installation 
-  the file /etc/shorewall/startup_disabled is removed. This avoids nasty surprises
+until    the file /etc/shorewall/startup_disabled is removed. This avoids 
- during reboot for users who install Shorewall but don't configure it.</li>
+nasty surprises  during reboot for users who install Shorewall but don't configure
-    <li>The 'functions' and 'version' files and the 'firewall' symbolic link
+it.</li>
- have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease
+      <li>The 'functions' and 'version' files and the 'firewall' symbolic 
 link  have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease
  the LFS police at Debian.<br>
      </li>
@ -75,8 +85,8 @@ using  them).</li>
 <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
    Restored<br>
        </b></p>
-      A couple of recent configuration changes at www.shorewall.net had the 
+        A couple of recent configuration changes at www.shorewall.net had 
- negative  effect of breaking the Search facility:<br>
+the   negative  effect of breaking the Search facility:<br>
 <ol>
          <li>Mailing List Archive Search was not available.</li>
@ -98,10 +108,10 @@ using  them).</li>
           </p>
 <ul>
-           <li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option has
+             <li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option
- been   added  to shorewall.conf. This option determines whether Shorewall
+has   been   added  to shorewall.conf. This option determines whether Shorewall
- accepts   TCP packets  which are not part of an established connection and
+  accepts   TCP packets  which are not part of an established connection
- that are   not 'SYN' packets  (SYN flag on and ACK flag off).</li>
+and   that are   not 'SYN' packets  (SYN flag on and ACK flag off).</li>
             <li>The need for the 'multi' option to communicate between zones 
  za  and  zb on the same interface is removed in the case where the chain 
 'za2zb'   and/or  'zb2za' exists. 'za2zb' will exist if:</li>
@ -207,7 +217,8 @@ the   Frontpage files have been removed.</p>
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
 <p>This branch will only be updated after I release a new version of Shorewall 
-      so you can always update from this branch to get the latest stable tree.</p>
+       so you can always update from this branch to get the latest stable 
 tree.</p>
 <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
  to the <a href="errata.htm">Errata Page</a></b></p>
@ -221,15 +232,15 @@ the   Frontpage files have been removed.</p>
 <ul>
               <li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart 
-   Guides      </a>    including the <a href="shorewall_setup_guide.htm">Shorewall 
+    Guides      </a>    including the <a
-   Setup  Guide.</a></li>
+ href="shorewall_setup_guide.htm">Shorewall     Setup  Guide.</a></li>
-             <li>Shorewall will now DROP TCP packets that are not part of 
+               <li>Shorewall will now DROP TCP packets that are not part
-or      related to an existing connection and that are not SYN packets. These 
+of  or      related to an existing connection and that are not SYN packets. 
-  "New      not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN
+These    "New      not SYN" packets may be optionally logged by setting the 
-    option     in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+LOGNEWNOTSYN     option     in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
               <li>The processing of "New not SYN" packets may be extended
-by  commands    in     the new <a href="shorewall_extension_scripts.htm">newnotsyn 
+ by  commands    in     the new <a
- extension    script</a>.</li>
+ href="shorewall_extension_scripts.htm">newnotsyn   extension    script</a>.</li>
 </ul>
@ -238,10 +249,10 @@ by  commands    in     the new <a href="shorewall_extension_scripts.htm">newnots
 <p>This interim release:</p>
 <ul>
-             <li>Causes the firewall script to remove the lock file if it 
+               <li>Causes the firewall script to remove the lock file if
-is  killed.</li>
+it  is  killed.</li>
-             <li>Once again allows lists in the second column of the    <a
+               <li>Once again allows lists in the second column of the  
- href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
+     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
               <li>Includes the latest <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides</a>.</li>
@ -289,8 +300,8 @@ prevent   a successful restart.</li>
  This     option facilitates Proxy ARP sub-netting as described in the Proxy
  ARP        subnetting mini-HOWTO (<a
 href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>). 
-        Specifying the proxyarp option for an interface causes Shorewall to
+         Specifying the proxyarp option for an interface causes Shorewall 
-  set      /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
+to   set      /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
               <li>The Samples have been updated to reflect the new capabilities
    in  this     release. </li>
@ -307,21 +318,21 @@ prevent   a successful restart.</li>
 <ul>
               <li>A new <a href="Documentation.htm#Routestopped">    /etc/shorewall/routestopped</a> 
-    file has been added. This file is intended to     eventually replace the
+     file has been added. This file is intended to     eventually replace 
-       <b>routestopped</b> option in the     /etc/shorewall/interface and
+the        <b>routestopped</b> option in the     /etc/shorewall/interface 
-/etc/shorewall/hosts    files. This new file makes     remote firewall administration
+and /etc/shorewall/hosts    files. This new file makes     remote firewall 
-easier by  allowing  any IP or subnet to be     enabled while Shorewall is
+administration easier by  allowing  any IP or subnet to be     enabled while 
-stopped.</li>
+Shorewall is stopped.</li>
               <li>An /etc/shorewall/stopped <a
 href="Documentation.htm#Scripts">extension       script</a> has been added. 
   This script is invoked after Shorewall has       stopped.</li>
-             <li>A <b>DETECT_DNAT_ADDRS </b>option has been added to    <a
+               <li>A <b>DETECT_DNAT_ADDRS </b>option has been added to  
- href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this 
+     <a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When 
-        option is selected, DNAT rules only apply when the destination address 
+this          option is selected, DNAT rules only apply when the destination 
-    is the     external interface's primary IP address.</li>
+address      is the     external interface's primary IP address.</li>
               <li>The <a href="shorewall_quickstart_guide.htm">QuickStart
-Guide</a>     has     been broken into three guides and has been almost entirely
+ Guide</a>     has     been broken into three guides and has been almost
-rewritten.</li>
+entirely  rewritten.</li>
               <li>The Samples have been updated to reflect the new capabilities
    in  this     release. </li>
@ -346,9 +357,9 @@ from   those      generated by the 'rfc1918' chain in the filter table.</li>
    against  the     interfaces file.</li>
               <li>The TARGET column in the rfc1918 file is now checked for 
 correctness.</li>
-             <li>The chain structure in the nat table has been changed to 
+               <li>The chain structure in the nat table has been changed
-reduce    the     number of rules that a packet must traverse and to correct 
+to  reduce    the     number of rules that a packet must traverse and to
-problems    with     NAT_BEFORE_RULES=No</li>
+correct  problems    with     NAT_BEFORE_RULES=No</li>
               <li>The "hits" command has been enhanced.</li>
 </ul>
@ -376,8 +387,8 @@ problems    with     NAT_BEFORE_RULES=No</li>
 <ul>
               <li>A <a href="Documentation.htm#Starting">logwatch command</a>
   has   been     added to /sbin/shorewall.</li>
-             <li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a> 
+               <li>A <a href="blacklisting_support.htm">dynamic blacklist 
-    has     been added.</li>
+facility</a>      has     been added.</li>
               <li>Support for the <a href="Documentation.htm#Conf">Netfilter 
  multiport        match function</a> has been added.</li>
               <li>The files <b>firewall, functions </b>and <b>version</b>
@ -455,8 +466,8 @@ away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it with the "all2all
 incorporates the following:</p>
 <ul>
-             <li>Support for the /etc/shorewall/whitelist file has been withdrawn. 
+               <li>Support for the /etc/shorewall/whitelist file has been 
-    If you     need whitelisting, see <a
+withdrawn.      If you     need whitelisting, see <a
 href="/1.3/whitelisting_under_shorewall.htm">these     instructions</a>.</li>
 </ul>
@ -471,8 +482,8 @@ away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it with the "all2all
 is  now   an INPUT     and a FORWARD chain for each interface; this reduces
  the  number   of rules that     a packet must traverse, especially in complicated
   setups.</li>
-             <li><a href="Documentation.htm#Exclude">Sub-zones may now be 
+               <li><a href="Documentation.htm#Exclude">Sub-zones may now
-excluded     from     DNAT and REDIRECT rules.</a></li>
+be  excluded     from     DNAT and REDIRECT rules.</a></li>
               <li>The names of the columns in a number of the configuration
  files    have been     changed to be more consistent and self-explanatory
  and the   documentation has     been updated accordingly.</li>
@ -486,15 +497,15 @@ excluded     from     DNAT and REDIRECT rules.</a></li>
       features:</p>
 <ul>
-             <li>Simplified rule syntax which makes the intent of each rule 
+               <li>Simplified rule syntax which makes the intent of each
- clearer    and     hopefully makes Shorewall easier to learn.</li>
+rule   clearer    and     hopefully makes Shorewall easier to learn.</li>
-             <li>Upward compatibility with 1.2 configuration files has been 
+               <li>Upward compatibility with 1.2 configuration files has
- maintained    so     that current users can migrate to the new syntax at 
+been   maintained    so     that current users can migrate to the new syntax
-their convenience.</li>
+at  their convenience.</li>
-             <li><b><font color="#cc6666">WARNING:  Compatibility with the
+               <li><b><font color="#cc6666">WARNING:  Compatibility with
- old       parameterized sample configurations has NOT been maintained. Users
+the   old       parameterized sample configurations has NOT been maintained.
- still        running those configurations should migrate to the new sample
+Users   still        running those configurations should migrate to the new
- configurations        before upgrading to 1.3 Beta 1.</font></b></li>
+sample   configurations        before upgrading to 1.3 Beta 1.</font></b></li>
 </ul>
@ -512,8 +523,8 @@ is  supported.</li>
 now inherit the VLSM and Broadcast Address   of  the     interface's primary 
 IP address.</li>
               <li>The order in which port forwarding DNAT and Static DNAT
-       <a href="Documentation.htm#Conf">can now be reversed</a> so that port 
+        <a href="Documentation.htm#Conf">can now be reversed</a> so that
-     forwarding    rules can override the contents of <a
+port       forwarding    rules can override the contents of <a
 href="Documentation.htm#NAT">    /etc/shorewall/nat</a>.     </li>
 </ul>
@ -562,17 +573,17 @@ Unstable Branch</a></li>
 <p>In this version:</p>
 <ul>
-             <li>The 'try' command now accepts an optional timeout. If the
+               <li>The 'try' command now accepts an optional timeout. If
- timeout    is     given in the command, the standard configuration will
+the   timeout    is     given in the command, the standard configuration
-automatically     be     restarted after the new configuration has been running
+will automatically     be     restarted after the new configuration has been
-for that  length   of     time. This prevents a remote admin from being locked
+running for that  length   of     time. This prevents a remote admin from
-out of the firewall   in     the case where the new configuration starts
+being locked out of the firewall   in     the case where the new configuration
-but prevents access.</li>
+starts but prevents access.</li>
               <li>Kernel route filtering may now be enabled globally using 
 the   new       ROUTE_FILTER parameter in <a
 href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
-             <li>Individual IP source addresses and/or subnets may now be 
+               <li>Individual IP source addresses and/or subnets may now
-excluded     from     masquerading/SNAT.</li>
+be  excluded     from     masquerading/SNAT.</li>
               <li>Simple "Yes/No" and "On/Off" values are now case-insensitive 
   in      /etc/shorewall/shorewall.conf.</li>
@ -600,9 +611,9 @@ excluded     from     masquerading/SNAT.</li>
 <p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
 <p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart 
-    Guide</a>   is now available. This Guide and its accompanying sample configurations
+     Guide</a>   is now available. This Guide and its accompanying sample 
-    are   expected to provide a replacement for the recently withdrawn parameterized
+configurations     are   expected to provide a replacement for the recently 
-      samples. </p>
+withdrawn parameterized       samples. </p>
 <p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
@ -718,8 +729,9 @@ dropped     in the    <i>common</i> chain</li>
               <li>RFC 1918 checking in the mangle table has been streamlined 
  to  no  longer     require packet marking. RFC 1918 checking in the filter 
  table   has been     changed to require half as many rules as previously.</li>
-             <li>A 'shorewall check' command has been added that does a cursory 
+               <li>A 'shorewall check' command has been added that does a 
-   validation      of the zones, interfaces, hosts, rules and policy files.</li>
+cursory     validation      of the zones, interfaces, hosts, rules and policy 
 files.</li>
 </ul>
@ -734,12 +746,12 @@ dropped     in the    <i>common</i> chain</li>
 <ul>
               <li>$-variables may now be used anywhere in the configuration
  files    except     /etc/shorewall/zones.</li>
-             <li>The interfaces and hosts files now have their contents validated 
+               <li>The interfaces and hosts files now have their contents 
-    before     any changes are made to the existing Netfilter configuration. 
+validated      before     any changes are made to the existing Netfilter configuration.
    The appearance     of a zone name that isn't defined in /etc/shorewall/zones
-   causes "shorewall     start" and "shorewall restart" to abort without changing
+    causes "shorewall     start" and "shorewall restart" to abort without
-   the Shorewall state.     Unknown options in either file cause a warning
+changing    the Shorewall state.     Unknown options in either file cause
- to  be issued.</li>
+a warning  to  be issued.</li>
               <li>A problem occurring when BLACKLIST_LOGLEVEL was not set
 has   been       corrected.</li>
@ -769,8 +781,8 @@ GNU/Linux    File Hierarchy Standard, Version 2.2.</li>
 <p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
 <ul>
-            <li>The "fw" zone <a href="Documentation.htm#FW">may now be given 
+              <li>The "fw" zone <a href="Documentation.htm#FW">may now be 
-  a      different name</a>.</li>
+given    a      different name</a>.</li>
              <li>You may now place end-of-line comments (preceded by '#')
 in  any   of  the     configuration files</li>
              <li>There is now protection against against two state changing
@ -840,12 +852,12 @@ chain</li>
              <li>Support for IP blacklisting has been added            
    <ul>
-              <li>You specify whether you want packets from blacklisted hosts 
+                <li>You specify whether you want packets from blacklisted 
-  dropped   or         rejected using the <a
+hosts    dropped   or         rejected using the <a
 href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION           </a>setting 
   in /etc/shorewall/shorewall.conf</li>
-              <li>You specify whether you want packets from blacklisted hosts 
+                <li>You specify whether you want packets from blacklisted 
-  logged   and         at what syslog level using the <a
+hosts    logged   and         at what syslog level using the <a
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>         setting 
     in /etc/shorewall/shorewall.conf</li>
                <li>You list the IP addresses/subnets that you wish to blacklist
@ -862,16 +874,17 @@ blacklist             using the new "<a
              <li>Use of TCP RST replies has been expanded              
    <ul>
-              <li>TCP connection requests rejected because of a REJECT policy 
+                <li>TCP connection requests rejected because of a REJECT
-  are   now         replied with a TCP RST packet.</li>
+policy    are   now         replied with a TCP RST packet.</li>
                <li>TCP connection requests rejected because of a protocol=all
-  rule   in         /etc/shorewall/rules are now replied with a TCP RST packet.</li>
+   rule   in         /etc/shorewall/rules are now replied with a TCP RST
 packet.</li>
    </ul>
              </li>
              <li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification 
-   has  been     added to /etc/shorewall/shorewall.conf. LOGFILE is used to
+    has  been     added to /etc/shorewall/shorewall.conf. LOGFILE is used 
-  tell the     /sbin/shorewall program where to look for Shorewall messages.</li>
+to   tell the     /sbin/shorewall program where to look for Shorewall messages.</li>
 </ul>
@ -904,8 +917,8 @@ than   DROPPED.   This     speeds up connection establishment to some servers.</
 <p>In version 1.2.1:</p>
 <ul>
-            <li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
+              <li><a href="Documentation.htm#LogUncleanOption">Logging of 
-         Packets</a> is added. </li>
+Mangled/Invalid          Packets</a> is added. </li>
              <li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
              <li>'shorewall show tc' now correctly handles tunnels.</li>
@ -936,8 +949,8 @@ forced    into a  quick upgrade to 1.2.0 just to have access to bug fixes.</p>
             </blockquote>
 <p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
-     Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site
+      Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web
-   is  mirrored at <a href="http://www.infohiiway.com/shorewall"
+site     is  mirrored at <a href="http://www.infohiiway.com/shorewall"
 target="_top">http://www.infohiiway.com/shorewall</a>  and the ftp site
 is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
@ -1006,13 +1019,13 @@ to  properly        display the NAT entry in that file.</li>
              <li>A new "shorewall show connections" command has been added.</li>
              <li>In the "shorewall monitor" output, the currently tracked
       connections  are now shown on a separate page.</li>
-            <li>Prior to this release, Shorewall unconditionally added the
+              <li>Prior to this release, Shorewall unconditionally added
- external    IP     adddress(es) specified in /etc/shorewall/nat. Beginning
+the   external    IP     adddress(es) specified in /etc/shorewall/nat. Beginning
  with version           1.1.16, a new parameter (<a
 href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)           may be set
  to "no" (or "No") to inhibit this behavior.       This   allows IP aliases
- created using your distribution's network       configuration    tools to
+  created using your distribution's network       configuration    tools
- be used in static NAT. </li>
+to   be used in static NAT. </li>
 </ul>
@ -1037,8 +1050,8 @@ to  properly        display the NAT entry in that file.</li>
 will first     look for configuration files in the alternate directory then 
 in     /etc/shorewall.    To create an alternate configuration simply:<br>
                1. Create a New Directory<br>
-              2. Copy to that directory any of your configuration files that
+                2. Copy to that directory any of your configuration files 
-  you   want to     change.<br>
+that   you   want to     change.<br>
                3. Modify the copied files as needed.<br>
                4. Restart Shorewall specifying the new directory.</li>
              <li>The rules for allowing/disallowing icmp echo-requests (pings) 
@ -1047,8 +1060,8 @@ This  allows   you to     add rules that selectively allow/deny ping based
 on source  or  destination     address.</li>
              <li>Rules that specify multiple client ip addresses or subnets
  no  longer   cause     startup failures.</li>
-            <li>Zone names in the policy file are now validated against the 
+              <li>Zone names in the policy file are now validated against 
- zones    file.</li>
+the   zones    file.</li>
              <li>If you have <a href="Documentation.htm#MangleEnabled">packet
   mangling</a>        support enabled, the "<a
 href="Documentation.htm#Interfaces">norfc1918</a>"        interface option
@ -1094,12 +1107,14 @@ the       <a href="Documentation.htm#Interfaces">documentation     for the
     refreshing   the rules associated with the broadcast address on a dynamic 
       interface.   This command should be used in place of "shorewall   
 restart"  when the  internet interface's IP address changes.</li>
-            <li>The /etc/shorewall/start file (if any) is now processed after 
+              <li>The /etc/shorewall/start file (if any) is now processed 
-  all      temporary rules have been deleted. This change prevents the accidental
+after    all      temporary rules have been deleted. This change prevents 
-         removal of rules added during the processing of that file.</li>
+the accidental          removal of rules added during the processing of that 
 file.</li>
              <li>The "dhcp" interface option is now applicable to firewall 
     interfaces   used by a DHCP server running on the firewall.</li>
-            <li>The RPM can now be built from the .tgz file using "rpm -tb" </li>
+              <li>The RPM can now be built from the .tgz file using "rpm
 -tb" </li>
 </ul>
@ -1109,10 +1124,10 @@ restart"  when the  internet interface's IP address changes.</li>
              <li>Shorewall now enables Ipv4 Packet Forwarding by default.
 Packet    forwarding      may be disabled by specifying IP_FORWARD=Off in
     /etc/shorewall/shorewall.conf.     If you don't want Shorewall to enable
-or     disable packet forwarding,   add  IP_FORWARDING=Keep to your     /etc/shorewall/shorewall.conf
+ or     disable packet forwarding,   add  IP_FORWARDING=Keep to your    
-file.</li>
+/etc/shorewall/shorewall.conf  file.</li>
-            <li>The "shorewall hits" command no longer lists extraneous service 
+              <li>The "shorewall hits" command no longer lists extraneous 
-       names in its last report.</li>
+service         names in its last report.</li>
              <li>Erroneous instructions in the comments at the head of the 
 firewall     script     have been corrected.</li>
@ -1123,16 +1138,16 @@ firewall     script     have been corrected.</li>
 <ul>
              <li>The "tunnels" file <u>really</u> is in the RPM now.</li>
              <li>SNAT can now be applied to port-forwarded connections.</li>
-            <li>A bug which would cause firewall start failures in some dhcp
+              <li>A bug which would cause firewall start failures in some 
-  configurations        has been fixed.</li>
+dhcp   configurations        has been fixed.</li>
              <li>The firewall script now issues a message if you have the
 name   of  an      interface in the second column in an entry in /etc/shorewall/masq
     and that     interface is not up.</li>
              <li>You can now configure Shorewall so that it<a
 href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or     mangle
 netfilter modules</a>.</li>
-            <li>Thanks to Alex  Polishchuk, the "hits" command     from seawall 
+              <li>Thanks to Alex  Polishchuk, the "hits" command     from 
-   is  now in shorewall.</li>
+seawall     is  now in shorewall.</li>
              <li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been
 added.</li>
@ -1168,22 +1183,22 @@ been   formatted         to 80 columns for ease of editing on a VGA console.</li
 <ul>
              <li><a href="Documentation.htm#lograte">You may now rate-limit
  the   packet  log.</a></li>
-            <li><font face="Century Gothic, Arial, Helvetica"> Previous versions
+              <li><font face="Century Gothic, Arial, Helvetica"> Previous 
-    of      Shorewall have an implementation of Static NAT which violates
+versions     of      Shorewall have an implementation of Static NAT which 
-the    principle      of least surprise.  NAT only occurs for packets arriving
+violates the    principle      of least surprise.  NAT only occurs for packets 
-  at  (DNAT) or      send from (SNAT) the interface named in the INTERFACE
+arriving   at  (DNAT) or      send from (SNAT) the interface named in the 
- column  of     /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
+INTERFACE  column  of     /etc/shorewall/nat. Beginning with version 1.1.6, 
- regardless      of which interface packets come from or are destined to.
+NAT effective  regardless      of which interface packets come from or are 
-To get     compatibility  with prior versions, I have added a new "ALL <a
+destined to. To get     compatibility  with prior versions, I have added a
- href="NAT.htm#AllInterFaces">"ALL     INTERFACES"  column to /etc/shorewall/nat</a>.
+new "ALL <a href="NAT.htm#AllInterFaces">"ALL     INTERFACES"  column to /etc/shorewall/nat</a>.
    By placing     "no" or "No" in the new column, the NAT behavior of  
  prior   versions may be retained. </font></li>
-            <li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels
+              <li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC
-   where  the remote     gateway is a standalone system has been improved</a>.
+Tunnels     where  the remote     gateway is a standalone system has been
-   Previously,  it was     necessary to include an additional rule allowing
+improved</a>.     Previously,  it was     necessary to include an additional
-  UDP port 500 traffic to     pass through the tunnel. Shorewall will now
+rule allowing    UDP port 500 traffic to     pass through the tunnel. Shorewall
-create   this rule automatically     when you place the name of the remote
+will now  create   this rule automatically     when you place the name of
-peer's  zone in a new GATEWAY ZONE     column in /etc/shorewall/tunnels. </li>
+the remote  peer's  zone in a new GATEWAY ZONE     column in /etc/shorewall/tunnels. </li>
 </ul>
@ -1223,21 +1238,21 @@ been         corrected (Thanks to Mark Pavlidis).
              <li>/tmp/shorewallpolicy-$$ is now removed if there is an error 
  while      starting the firewall.</li>
              <li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are 
-now   used     to define the icmpdef and common chains unless overridden by
+ now   used     to define the icmpdef and common chains unless overridden 
-the     presence   of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
+by the     presence   of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
-            <li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been 
+              <li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has
-   corrected.   An extra space after "/etc/shorwall/policy" has been   removed 
+been     corrected.   An extra space after "/etc/shorwall/policy" has been
-  and "/etc/shorwall/rules"   has been added.</li>
+  removed    and "/etc/shorwall/rules"   has been added.</li>
              <li>When a sub-shell encounters a fatal error and has stopped 
 the     firewall,  it now kills the main shell so that the main shell will 
   not    continue.</li>
-            <li>A problem has been corrected where a sub-shell stopped the
+              <li>A problem has been corrected where a sub-shell stopped
- firewall      and main shell continued resulting in a perplexing error message
+the   firewall      and main shell continued resulting in a perplexing error
-       referring to "common.so" resulted.</li>
+message         referring to "common.so" resulted.</li>
              <li>Previously, placing "-" in the PORT(S) column in   /etc/shorewall/rules 
     resulted in an error message during start. This   has been corrected.</li>
-            <li>The first line of "install.sh" has been corrected -- I had
+              <li>The first line of "install.sh" has been corrected -- I
-   inadvertently   deleted the initial "#".</li>
+had     inadvertently   deleted the initial "#".</li>
 </ul>
@ -1247,9 +1262,9 @@ the     firewall,  it now kills the main shell so that the main shell will
              <li>Port redirection now works again.</li>
              <li>The icmpdef and common chains <a
 href="Documentation.htm#Icmpdef">may        now be user-defined</a>.</li>
-            <li>The firewall no longer fails to start if "routefilter" is 
+              <li>The firewall no longer fails to start if "routefilter"
-      specified  for an interface that isn't started. A warning message is 
+is        specified  for an interface that isn't started. A warning message 
- now         issued  in this case.</li>
+is   now         issued  in this case.</li>
              <li>The LRP Version is renamed "shorwall" for 8,3 MSDOS file
       system  compatibility.</li>
              <li>A couple of LRP-specific problems were corrected.</li>
@ -1268,9 +1283,9 @@ the     firewall,  it now kills the main shell so that the main shell will
              <li>The common chain is traversed from INPUT, OUTPUT and FORWARD
   before          logging occurs</li>
              <li>The source has been cleaned up dramatically</li>
-            <li>DHCP DISCOVER packets with RFC1918 source addresses no longer 
+              <li>DHCP DISCOVER packets with RFC1918 source addresses no
-        generate log messages. Linux DHCP clients generate such packets and
+longer          generate log messages. Linux DHCP clients generate such packets 
-   it's         annoying to see them logged. </li>
+and    it's         annoying to see them logged. </li>
 </ul>
@ -1279,8 +1294,8 @@ the     firewall,  it now kills the main shell so that the main shell will
 <ul>
              <li>Log messages now indicate the packet disposition.</li>
              <li>Error messages have been improved.</li>
-            <li>The ability to define zones consisting of an enumerated set 
+              <li>The ability to define zones consisting of an enumerated 
- of  hosts         and/or subnetworks has been added.</li>
+set   of  hosts         and/or subnetworks has been added.</li>
              <li>The zone-to-zone chain matrix is now sparse so that only
 those    chains         that contain meaningful rules are defined.</li>
              <li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source
@ -1290,8 +1305,8 @@ interface            option.</li>
  when   a        chain is defined, when the firewall is initialized, when 
 the firewall    is       started, when the firewall is stopped and when the
 firewall is  cleared.</li>
-            <li>The Linux kernel's route filtering facility can now be specified
+              <li>The Linux kernel's route filtering facility can now be
-          selectively on network interfaces.</li>
+specified            selectively on network interfaces.</li>
 </ul>
@ -1319,8 +1334,8 @@ packets     are        sent through the chain.</li>
 <ul>
              <li>The PATH variable in the firewall script now includes /usr/local/bin
            and /usr/local/sbin.</li>
-            <li>DMZ-related chains are now correctly deleted if the DMZ is
+              <li>DMZ-related chains are now correctly deleted if the DMZ 
- deleted.</li>
+is  deleted.</li>
              <li>The interface OPTIONS for "gw" interfaces are no longer 
      ignored.</li>
@ -1331,7 +1346,7 @@ packets     are        sent through the chain.</li>
  tunnels    with end-points on the firewall. There is also a .lrp available
 now.</b></p>
-<p><font size="2">Updated 9/23/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a> 
     </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">     Copyright</font>
@ -1346,5 +1361,7 @@ now.</b></p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -37,7 +37,8 @@
              <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
              <li> <a href="Install.htm">Installation/Upgrade/</a><br>
        <a href="Install.htm">Configuration</a></li>
-            <li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
+              <li> <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
              <li> <a href="Documentation.htm">Reference Manual</a></li>
              <li> <a href="FAQ.htm">FAQs</a></li>
               <li><a href="useful_links.html">Useful Links</a><br>
@ -50,8 +51,8 @@
              <li> <a href="shorewall_mirrors.htm">Mirrors</a>          
          <ul>
-              <li><a target="_top" href="http://slovakia.shorewall.net">Slovak 
+                <li><a target="_top"
-  Republic</a></li>
+ href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                <li><a target="_top"
 href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
@ -59,6 +60,7 @@
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                <li><a target="_top" href="http://france.shorewall.net">France</a></li>
          </ul>
              </li>
@ -80,7 +82,7 @@
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
                  <strong><br>
-  <b>Note: </b></strong>Search is unavailable Daily 0100-0200 GMT.<br>
+    <b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
    <strong></strong>      
  <p><strong>Quick Search</strong><br>
          <font face="Arial" size="-1">     <input type="text"
@ -106,5 +108,7 @@
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/blacklisting_support.htm
+++ b/STABLE/documentation/blacklisting_support.htm
@ -31,8 +31,7 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration
+<p>Shorewall static blacklisting support has the following configuration parameters:</p>
 parameters:</p>
 <ul>
    <li>You specify whether you want packets from blacklisted hosts dropped 
@ -50,8 +49,8 @@ names in the blacklist file.<br>
    <li>You specify the interfaces whose incoming packets you want checked 
 against     the blacklist using the "<a
 href="Documentation.htm#Interfaces">blacklist</a>"     option in /etc/shorewall/interfaces.</li>
-   <li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
+    <li>The black list is refreshed from /etc/shorewall/blacklist by the
- href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
+"<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
 </ul>
@ -62,7 +61,7 @@ against     the blacklist using the "<a
 /sbin/shorewall commands:</p>
 <ul>
-   <li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
+    <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed 
 IP    addresses to be silently dropped by the firewall.</li>
    <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed 
 IP    addresses to be rejected by the firewall.</li>
@ -76,7 +75,7 @@ be    automatically restored the next time that the firewall is restarted.</li>
 <p>Example 1:</p>
-<pre>     shorewall deny 192.0.2.124 192.0.2.125</pre>
+<pre>     shorewall drop 192.0.2.124 192.0.2.125</pre>
 <p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
@ -86,10 +85,11 @@ be    automatically restored the next time that the firewall is restarted.</li>
 <p>    Reenables access from 192.0.2.125.</p>
-<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -20,6 +20,7 @@
          <tbody>
          <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
            </td>
          </tr>
@ -38,9 +39,9 @@
   it to your Linux system.</b></p>
                       </li>
          <li>                                             
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory 
+untar the archive, replace the        'firewall' script in the untarred directory
   with the one you downloaded        below, and then run install.sh.</b></p>
                       </li>
          <li>                                             
@ -50,17 +51,22 @@ or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
  the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
         or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
         and /var/lib/shorewall/firewall  are symbolic links that point 
-   to the 'shorewall' file used by your  system initialization scripts to 
+      to the 'shorewall' file used by your  system initialization scripts
-       start Shorewall during boot. It is  that file that must be overwritten 
+to         start Shorewall during boot. It is  that file that must be overwritten
         with the corrected script.</b></p>
  </li>
-        
+  <li>
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
 ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
 do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
              </p>
  </li>
 </ol>
 <ul>
          <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-       <li>                            <b><a href="#V1.3">Problems in Version 
+          <li>                            <b><a href="#V1.3">Problems in
- 1.3</a></b></li>
+Version    1.3</a></b></li>
          <li>                            <b><a href="errata_2.htm">Problems
  in  Version 1.2</a></b></li>
          <li>                            <b><font color="#660066">  <a
@ -70,24 +76,55 @@ in  Version 1.2</a></b></li>
          <li>                            <b><a href="#Debug">Problems with 
 kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
          <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
-       <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and 
+          <li><b><a href="#Multiport">Problems with iptables version 1.2.7
-     MULTIPORT=Yes</a></b></li>
+ and       MULTIPORT=Yes</a></b></li>
    <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
    </li>
 </ul>
 <hr>                              
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.9a</h3>
 <ul>
  <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
 the following message appears during "shorewall [re]start":</li>
 </ul>
 <pre>          recalculate_interfacess: command not found<br></pre>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
 corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described 
 above.<br>
 </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
 single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
 to 'recalculate_interface'. <br>
 </blockquote>
 <ul>
  <li>The installer (install.sh) issues a misleading message "Common functions
 installed in /var/lib/shorewall/functions" whereas the file is installed
 in /usr/lib/shorewall/functions. The installer also performs incorrectly
 when updating old configurations that had the file /etc/shorewall/functions.
    <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
 is an updated version that corrects these problems.<br>
    </a></li>
 </ul>
 <h3>Version 1.3.9</h3>
-<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script at
+   <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
-<a href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
+at  <a
- target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
+ href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
-</a>-- copy that file to /usr/lib/shorewall/firewall as descripbed above.<br>
+ target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
 -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
    <br>
   Version 1.3.8      
 <ul>
-    <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
+       <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
- policy file doesn't work.</li>
+ the  policy file doesn't work.</li>
       <li>A DNAT rule with the same original and new IP addresses but with 
 different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 
 25 - 10.1.1.1")<br>
@ -135,8 +172,8 @@ server,                                   the client won't be able to obtain
  an IP  address                                  lease from that server.</li>
                                       <li>With this order of checking, the 
 "dhcp"                                   option cannot be used as a noise-reduction
-                                  measure where there are both dynamic and 
+                                    measure where there are both dynamic
- static                                  clients on a LAN segment.</li>
+and    static                                  clients on a LAN segment.</li>
 </ol>
@ -165,9 +202,10 @@ an IP  address                                  lease from that server.</li>
 <ul>
                   <li>                                                 
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
- an error occurs when the firewall            script attempts to add an SNAT 
+   an error occurs when the firewall            script attempts to add an
- alias.  </p>
+SNAT   alias.  </p>
        </li>
        <li>                                                          
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
@ -235,10 +273,10 @@ an IP  address                                  lease from that server.</li>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
-        to not verify that the zones named in the /etc/shorewall/policy file
+         to not verify that the zones named in the /etc/shorewall/policy
-           have been previously defined in the /etc/shorewall/zones file.
+file            have been previously defined in the /etc/shorewall/zones
-The            "shorewall check" command does perform this verification so
+file. The            "shorewall check" command does perform this verification
-it's a            good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
              changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -248,22 +286,22 @@ it's a            good idea to run that command after you have made configuratio
   by that name" then you probably have an entry in            /etc/shorewall/hosts
   that specifies an interface that you didn't            include in /etc/shorewall/interfaces.
   To correct this problem, you            must add an entry to /etc/shorewall/interfaces.
- Shorewall 1.3.3 and            later versions produce a clearer error message 
+   Shorewall 1.3.3 and            later versions produce a clearer error
- in this case.</p>
+message    in this case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version
+           file can be identified by its size (56284 bytes). The correct
-           has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
 <ul>
                   <li>The code to detect a duplicate interface entry in
           /etc/shorewall/interfaces contained a typo that prevented it from
             working correctly. </li>
-                <li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
+                   <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
- "NAT_BEFORE_RULES=Yes".</li>
+like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -274,6 +312,7 @@ it's a            good idea to run that command after you have made configuratio
 <ul>
                   <li>                                                 
    <p align="left">The IANA have just announced the allocation of subnet
              221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
@ -290,9 +329,10 @@ it's a            good idea to run that command after you have made configuratio
          packet is sent through the limit chain twice).</li>
                   <li>An unnecessary jump to the policy chain is sometimes 
            generated for a CONTINUE policy.</li>
-                <li>When an option is given for more than one interface in
+                   <li>When an option is given for more than one interface
-              /etc/shorewall/interfaces then depending on the option, Shorewall 
+ in               /etc/shorewall/interfaces then depending on the option,
-              may ignore all but the first appearence of the option. For example:<br>
+Shorewall                may ignore all but the first appearence of the option.
 For example:<br>
                   <br>
                   net    eth0    dhcp<br>
                   loc    eth1    dhcp<br>
@ -300,12 +340,13 @@ it's a            good idea to run that command after you have made configuratio
                   Shorewall will ignore the 'dhcp' on eth1.</li>
                   <li>Update 17 June 2002 - The bug described in the prior 
 bullet               affects the following options: dhcp, dropunclean, logunclean,
-              norfc1918, routefilter, multi, filterping and noping. An additional 
+                norfc1918, routefilter, multi, filterping and noping. An
-              bug has been found that affects only the 'routestopped' option.<br>
+additional                 bug has been found that affects only the 'routestopped'
 option.<br>
                   <br>
-                Users who downloaded the corrected script prior to 1850 GMT 
+                   Users who downloaded the corrected script prior to 1850
- today              should download and install the corrected script again 
+ GMT   today              should download and install the corrected script
- to ensure              that this second problem is corrected.</li>
+ again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -396,6 +437,7 @@ from<font color="#ff6633">   <a
       "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
        </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
   RPM on SuSE</h3>
@ -429,7 +471,22 @@ from<font color="#ff6633">   <a
 </ul>
-<p><font size="2">  Last updated 9/28/2002 -                             
+<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
     </h3>
  /etc/shorewall/nat entries of the following form will result in Shorewall
 being unable to start:<br>
  <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
  Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
  The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
 has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
 contains corrected support under a new kernel configuraiton option; see
 <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
 <p><font size="2">  Last updated 10/9/2002 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -438,5 +495,8 @@ from<font color="#ff6633">   <a
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list_problems.htm
+++ b/STABLE/documentation/mailing_list_problems.htm
@ -1,21 +1,30 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Mailing List Problems</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
+      <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <h2 align="left">Shorewall.net is currently experiencing mail delivery problems
@ -23,37 +32,18 @@ to at least one address in each of the following domains:</h2>
 <blockquote>      
  <div align="left">        
-    <pre>2020ca - delivery to this domain has been disabled (cause unknown)
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>familie-fleischhacker.de - (connection timed out)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
 excite.com - delivery to this domain has been disabled (cause unknown)
 epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
 familie-fleischhacker.de - (connection timed out)
 gmx.net - delivery to this domain has been disabled (cause unknown)
 hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
 intercom.net - delivery to this domain has been disabled (cause unknown)
 initialcs.com - delivery to this domain has been disabled (cause unknown)
 intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
 khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
 kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
 littleblue.de - (connection timed out)
 opermail.net - delivery to this domain has been disabled (cause unknown)
 penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
 scip-online.de - delivery to this domain has been disabled (cause unknown)
 spctnet.com - connection timed out - delivery to this domain has been disabled
 telusplanet.net - delivery to this domain has been disabled (cause unknown)
 yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
    </div>
  </blockquote>
-<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
+<p align="left"><font size="2">Last updated 10/6/2002 20:30 GMT - <a
-<a href="support.htm">Tom
+ href="support.htm">Tom Eastep</a></font></p>
 Eastep</a></font></p>
-<p align="left"><a href="copyright.htm">
+<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
-<font face="Trebuchet MS">
+ size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
 <font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
 <p align="left">&nbsp;</p>
 <p align="left"> </p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
@ -43,8 +43,8 @@ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1
  <ul>
      <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
 and external address 206.124.146.178.</li>
-     <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses: 
+      <li>Proxy ARP for wookie (my Linux System). This system has two IP
-192.168.1.3/24 and 206.124.146.179/24.</li>
+addresses:  192.168.1.3/24 and 206.124.146.179/24.</li>
      <li>SNAT through the primary gateway address (206.124.146.176) for  
 my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
@ -93,8 +93,8 @@ of                           the entry in /etc/shorewall/proxyarp (see below).</
           interfaces to my laptop (206.124.146.180).</p>
  <p><font color="#ff0000" size="5">                           Note: My files
- use features not available before                            Shorewall version 
+  use features not available before                            Shorewall
-1.3.4.</font></p>
+version  1.3.4.</font></p>
    </blockquote>
 <h3>Shorewall.conf</h3>
@ -108,8 +108,8 @@ of                           the entry in /etc/shorewall/proxyarp (see below).</
 <h3>Interfaces File: </h3>
 <blockquote>                                      
-  <p> This is set up so that I can start the firewall before bringing up my
+  <p> This is set up so that I can start the firewall before bringing up
-Ethernet  interfaces. </p>
+my Ethernet  interfaces. </p>
       </blockquote>
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp<br>	dmz	eth1 		206.124.146.255	-<br>	net	eth3		206.124.146.255 norfc1918<br>	-	texas 		-<br>	loc	ppp+<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -140,10 +140,11 @@ Ethernet  interfaces. </p>
 <blockquote>                                                
  <p> Although most of our internal systems use static NAT, my wife's system
- (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
+  (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
 laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
    </blockquote>
-<pre><font size="2" face="Courier">	#INTERFACE 	SUBNET		ADDRESS<br>	eth0 		192.168.1.0/24	206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
+<pre><font size="2" face="Courier">	#INTERFACE 	SUBNET		ADDRESS<br>	eth0 		192.168.1.0/24	206.124.146.176<br>        texas           206.124.146.179 192.168.1.254<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
 <h3>NAT File: </h3>
@ -151,18 +152,21 @@ Ethernet  interfaces. </p>
 <h3>Proxy ARP File:</h3>
-<pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
+<pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROU</font><font
 face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br>        206.124.146.179 eth2            eth0            No<br></font><font
 face="Courier" size="2">	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
 <h3>Rules File (The shell variables                                     
      are set in /etc/shorewall/params):</h3>
 <pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	ACCEPT		net		fw			tcp	1723<br>	ACCEPT		net		fw			gre<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-<p><font size="2"> Last updated 9/19/2002  - </font><font size="2">      
+<p><font size="2"> Last updated 10/1/2002  - </font><font size="2">     
                                       <a href="support.htm">Tom Eastep</a></font> 
   </p>
     <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/quotes.htm
+++ b/STABLE/documentation/quotes.htm
@ -32,14 +32,16 @@ and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
 </p>
 "My case was almost like [the one above]. Well. instead of 'weeks' it was 
 'months' for me, and I think I needed two minutes more:<br>
 <ul>
   <li>One to see that I had no Internet access from the firewall itself.</li>
   <li>Other to see that this was the default configuration, and it was enough 
 to uncomment a line in /etc/shorewall/policy.<br>
   </li>
 </ul>
-Minutes instead of months! Congratulations and thanks for such a simple and
+ Minutes instead of months! Congratulations and thanks for such a simple
-well documented thing for something as huge as iptables." -- JV, Spain. 
+and well documented thing for something as huge as iptables." -- JV, Spain.
 <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without 
 any problems. Your documentation is great and I really appreciate       your 
@ -51,15 +53,15 @@ scripts but this one is till now the best." -- B.R,       Netherlands
      </p>
 <p>"Never in my +12 year career as a sys admin have I witnessed       someone 
-so relentless in developing a secure, state of the art, save and       useful
+so relentless in developing a secure, state of the art, safe and       useful 
 product as the Shorewall firewall package for no cost or obligation      
- involved." -- Mario Kericki, Toronto           </p>
+involved." -- Mario Kerecki, Toronto           </p>
 <p>"one time more to report, that your great shorewall in the latest     
-   release       1.2.9 is working fine for me with SuSE Linux 7.3! I now
+  release       1.2.9 is working fine for me with SuSE Linux 7.3! I now have
-have 7 machines up       and running with shorewall on several versions -
+7 machines up       and running with shorewall on several versions - starting
-starting with 1.2.2 up to       the new 1.2.9 and I never have encountered
+with 1.2.2 up to       the new 1.2.9 and I never have encountered any problems!"
-any problems!" -- SM, Germany</p>
+-- SM, Germany</p>
 <p>"You have the best support of any other package I've ever       used." 
 -- SE, US           </p>
@ -68,8 +70,8 @@ any problems!" -- SM, Germany</p>
 national government as secret, our security doesn't stop by putting a fence 
 around our company. Information security is a hot issue. We also make use 
 of  checkpoint firewalls, but not all of the internet servers are guarded 
-by  checkpoint, some of them are running....Shorewall." -- Name withheld
+by  checkpoint, some of them are running....Shorewall." -- Name withheld by
-by request,  Europe</p>
+request,  Europe</p>
 <p>"thanx for all your efforts you put into shorewall - this product stands 
 out  against a lot of commercial stuff i´ve been working with in terms of 
@ -90,12 +92,13 @@ people  recommending it. :-)<br>
  <br>
   </p>
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002 
 - <a href="support.htm">Tom Eastep</a>      </font>                      
                      </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -20,12 +20,13 @@
                                    <td width="100%" height="90">       
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                        </a></i></font><font color="#ffffff">Shorewall 1.3
+                               </a></i></font><font color="#ffffff">Shorewall 
- -        <font size="4">"<i>iptables made easy"</i></font></font></h1>
+  1.3   -        <font size="4">"<i>iptables made easy"</i></font></font></h1>
      <div align="center"><a href="1.2" target="_top"><font
@ -49,31 +50,36 @@
                                      <td width="90%">                  
      <h2 align="left">What is it?</h2>
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                           
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
      <p>This program is free software; you can redistribute it and/or modify 
            it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                                   <br>
-                             This program is distributed in the hope that 
+                                    This program is distributed in the hope 
-it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the
+ that   it  will   be  useful,    but        WITHOUT ANY WARRANTY; without 
- implied   warranty  of MERCHANTABILITY           or FITNESS FOR A PARTICULAR
+ even the  implied   warranty  of MERCHANTABILITY           or FITNESS FOR 
- PURPOSE.   See the  GNU General Public License          for more details.<br>
+ A PARTICULAR    PURPOSE.   See the  GNU General Public License          for
 more details.<br>
                                   <br>
-                             You should have received a copy of the GNU General 
+                                    You should have received a copy of the
-   Public    License          along with this program; if not, write to the 
+ GNU   General     Public    License          along with this program; if
-  Free Software    Foundation,          Inc., 675 Mass Ave, Cambridge, MA 
+not, write  to the    Free Software    Foundation,          Inc., 675 Mass
-02139,   USA</p>
+Ave, Cambridge,  MA  02139,   USA</p>
@ -81,12 +87,14 @@ it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                        </a>Jacques        Nilo and Eric Wolzak have a LEAF 
+                               </a>Jacques        Nilo and Eric Wolzak have 
- distribution       called        <i>Bering</i> that        features Shorewall-1.3.3 
+ a  LEAF   distribution       called        <i>Bering</i> that        features 
- and  Kernel-2.4.18.      You can find their work at:   <a
+  Shorewall-1.3.3   and  Kernel-2.4.18.      You can find their work at: 
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+       <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
@ -94,51 +102,79 @@ it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the
-      <p><b>9/30/2002 - Shorewall 1.3.9a </b><b><img border="0"
+             
      <h2></h2>
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                          </b></p>
 This release rolls up fixes to the installer and to the firewall script.<br>
 <b><br>
 10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                          </b><br>
      <br>
  The firewall and server here at shorewall.net are now running RedHat release
 8.0.<br>
      <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>                         
      </b></p>
        Roles up the fix for broken tunnels.<br>
-      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!! </b><b><img
+      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>               
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
            <img src="images/j0233056.gif" alt="Brown Paper Bag"
 width="50" height="86" align="left">
       There is an updated firewall script at <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
   -- copy that file to /usr/lib/shorewall/firewall.<br>
-      <p><b>9/28/2002 - Shorewall 1.3.9 </b><b><img border="0"
+                                                       
- src="images/new10.gif" width="28" height="12" alt="(New)">
+      <p><b><br>
            </b></p>
      <p><b><br>
            </b></p>
      <p><b><br>
      9/28/2002 - Shorewall 1.3.9 </b><b>                          </b></p>
      <p>In this version:<br>
             </p>
      <ul>
-             <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a> 
+                    <li><a href="configuration_file_basics.htm#dnsnames">DNS
-  are now allowed in Shorewall config files (although I recommend against 
+  Names</a>     are now allowed in Shorewall config files (although I recommend
-using  them).</li>
+  against   using  them).</li>
-             <li>The connection SOURCE may now be qualified by both interface 
+                    <li>The connection SOURCE may now be qualified by both
-  and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
+ interface      and IP address in a <a href="Documentation.htm#Rules">Shorewall
 rule</a>.</li>
                    <li>Shorewall startup is now disabled after initial installation
-  until the file /etc/shorewall/startup_disabled is removed. This avoids nasty
+      until the file /etc/shorewall/startup_disabled is removed. This avoids
-  surprises at reboot for users who install Shorewall but don't configure 
+   nasty   surprises at reboot for users who install Shorewall but don't
-it.</li>
+configure     it.</li>
-            <li>The 'functions' and 'version' files and the 'firewall' symbolic
+                   <li>The 'functions' and 'version' files and the 'firewall' 
- link have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease
+  symbolic   link have been  moved from /var/lib/shorewall to /usr/lib/shorewall 
- the LFS police at Debian.<br>
+  to appease   the LFS police at Debian.<br>
                   </li>
      </ul>
      <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
       Restored</b><b>                   </b><br>
                     </p>
                   <img src="images/j0233056.gif" alt="Brown Paper Bag"
 width="50" height="86" align="left">
-        A couple of recent configuration changes at www.shorewall.net broke 
+               A couple of recent configuration changes at www.shorewall.net
- the  Search facility:<br>
+  broke    the  Search facility:<br>
      <blockquote>                                                       
        <ol>
                       <li>Mailing List Archive Search was not available.</li>
                       <li>The Site Search index was incomplete</li>
@ -149,38 +185,45 @@ it.</li>
                   </blockquote>
                Hopefully these problems are now corrected.             
      <p><b>9/18/2002 -  Debian 1.3.8 Packages Available </b><b>         
         </b><br>
                          </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
                      <b> </b>                                          
      <p><b>9/16/2002 - Shorewall 1.3.8</b><b>                   </b></p>
      <p>In this version:<br>
                          </p>
      <ul>
-                          <li>A NEWNOTSYN option has been added to shorewall.conf.
+                                 <li>A NEWNOTSYN option has been added to 
-     This   option  determines whether Shorewall accepts TCP packets which
+shorewall.conf.         This   option  determines whether Shorewall accepts 
- are    not part   of an  established connection and that are not 'SYN' packets
+TCP packets which     are    not part   of an  established connection and 
-   (SYN  flag on   and ACK  flag off).</li>
+that are not 'SYN'  packets     (SYN  flag on   and ACK  flag off).</li>
                                 <li>The need for the 'multi' option to communicate 
     between     zones    za and zb on the same interface is removed in the 
-case   where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will exist
+  case   where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will 
-if:                                                                     
+exist  if:                                                               
          <ul>
                                    <li>There is a policy for za to zb; or</li>
-                             <li>There is at least one rule for za to zb. 
+                                    <li>There is at least one rule for za 
-                                    </li>
+to  zb.                                       </li>
@ -188,72 +231,88 @@ if:
                                </li>
      </ul>
      <ul>
-                          <li>The /etc/shorewall/blacklist file now contains
+                                 <li>The /etc/shorewall/blacklist file now
-  three    columns.     In addition to the SUBNET/ADDRESS column, there are
+ contains     three    columns.     In addition to the SUBNET/ADDRESS column,
-  optional    PROTOCOL and    PORT columns to block only certain applications
+ there are    optional    PROTOCOL and    PORT columns to block only certain
-  from the   blacklisted addresses.<br>
+ applications     from the   blacklisted addresses.<br>
                            </li>
      </ul>
      <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
      <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
      <p>This is a role up of a fix for "DNAT" rules where the source zone 
            is $FW   (fw).</p>
      <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
      <p>This is a role up of the "shorewall refresh" bug fix and the change 
            which   reverses the order of "dhcp" and "norfc1918" checking.</p>
      <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
      <p><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
            is now available.</p>
      <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
      <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now 
            mirrored   at <a target="_top"
 href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
      <p><a href="News.htm">More News</a></p>
      <h2><a name="Donations"></a>Donations</h2>
      </td>
                                      <td width="88" bgcolor="#4b017c"
 valign="top" align="center">             <a
@ -266,6 +325,7 @@ if:
                                  </center>
                                </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -274,6 +334,7 @@ if:
                               <td width="100%" style="margin-top: 1px;"> 
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
@ -281,8 +342,8 @@ if:
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-but if       you try it and find it useful, please consider making a donation
+if       you try it and find it useful, please consider making a donation 
            to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                               </td>
@ -292,9 +353,11 @@ but if       you try it and find it useful, please consider making a donation
  </tbody>                         
 </table>
-<p><font size="2">Updated       9/30/2002 - <a href="support.htm">Tom Eastep</a></font> 
+       
 <p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a></font>
      <br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -67,18 +67,19 @@ Shorewall. </p>
 <ul>
        <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs 
-and LNE100TX      (Tulip) NIC - My personal Windows system.</li>
+ and LNE100TX      (Tulip) NIC - My personal Windows system. Also has SuSE
-     <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
+ 8.0 installed.</li>
-My      personal Linux System which runs Samba configured as a WINS server.
+        <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC 
 -  My      personal Linux System which runs Samba configured as a WINS server. 
 This      system also has <a href="http://www.vmware.com/">VMware</a> installed 
 and      can run both <a href="http://www.debian.org">Debian</a> and    
    <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
-     <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
+        <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
-&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server      (Bind).</li>
+(Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
-     <li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
+     (Bind).</li>
- 3      LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
+        <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
-1.3.9 (Yep -- I run them before I release them) and a DHCP     server.  Also
+(Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.9a  and a DHCP
- runs PoPToP for     road warrior access.</li>
+    server.  Also   runs PoPToP for     road warrior access.</li>
        <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
     personal system.</li>
        <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 
@ -103,9 +104,12 @@ and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
 src="images/apache_pb1.gif" hspace="2" width="170" height="20">
   </a>  </font></p>
-<p><font size="2">Last updated 9/19/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 10/6/2002 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
      <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -30,8 +30,8 @@
  </tbody>  
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.</p>
+we must  all first walk before we can run.</p>
 <h2>The Guides</h2>
@ -54,8 +54,8 @@ as a    firewall/router for a small local network and a DMZ.</li>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
  the steps necessary to set up a firewall where there are multiple public
-IP  addresses involved or if you want to learn more about Shorewall than is
+ IP  addresses involved or if you want to learn more about Shorewall than
- explained in the single-address guides above.</p>
+is  explained in the single-address guides above.</p>
 <ul>
     <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -77,8 +77,8 @@ Protocol</a></li>
    </ul>
     </li>
-    <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a> 
+     <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
-    
+Network</a>           
    <ul>
       <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -110,7 +110,8 @@ and    Stopping the Firewall</a></li>
 <p>The following documentation covers a variety of topics and supplements
 the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
-above.</p>
+ above. Please review the appropriate guide before trying to use this documentation
 directly.</p>
 <ul>
     <li><a href="blacklisting_support.htm">Blacklisting</a>          
@ -199,11 +200,12 @@ to a      remote network.</li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 9/16/2002 - <a
+<p><font size="2">Last modified 10/5/2002 - <a
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -52,10 +52,10 @@ in its  most common configuration:</p>
    </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
- (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
- this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on
- firewall  system. As root, you can use the 'which' command to check for
+your  firewall  system. As root, you can use the 'which' command to check
-this  program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -69,8 +69,8 @@ this  program:</p>
         If you edit your configuration files on a Windows system, you must 
 save them as  Unix files if your editor supports that option or you must 
 run them through  dos2unix before trying to use them. Similarly, if you copy 
-a configuration file  from your Windows hard drive to a floppy disk, you
+a configuration file  from your Windows hard drive to a floppy disk, you must
-must run dos2unix against the  copy before using it with Shorewall.</p>
+run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -82,10 +82,10 @@ Version  of    dos2unix</a></li>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
-/etc/shorewall -- for simple setups, you will only need to deal with a few
+-- for simple setups, you will only need to deal with a few of  these as
-of  these as described in this guide.  After you have <a
+described in this guide.  After you have <a href="Install.htm">installed
- href="Install.htm">installed Shorewall</a>,  download the <a
+Shorewall</a>,  download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
  un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
   (these files will replace files with the same name).</p>
@ -127,8 +127,8 @@ of  these as described in this guide.  After you have <a
  in  terms of zones.</p>
 <ul>
-      <li>You express your default policy for connections from one zone to
+       <li>You express your default policy for connections from one zone
- another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -136,14 +136,14 @@ of  these as described in this guide.  After you have <a
 </ul>
 <p>For each connection request entering the firewall, the request is first
- checked against the  /etc/shorewall/rules file. If no rule in that file matches
+  checked against the  /etc/shorewall/rules file. If no rule in that file
- the connection  request then the first policy in /etc/shorewall/policy that
+matches  the connection  request then the first policy in /etc/shorewall/policy
- matches the    request is applied. If that policy is REJECT or DROP  the
+that  matches the    request is applied. If that policy is REJECT or DROP 
-request is first  checked against the rules in /etc/shorewall/common (the
+the request is first  checked against the rules in /etc/shorewall/common
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample has
+<p>The /etc/shorewall/policy file included with the two-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -231,9 +231,9 @@ the     internet (if you uncomment the additional policy)</li>
 height="635">
    </p>
-<p align="left">The firewall has two network interfaces. Where Internet 
+<p align="left">The firewall has two network interfaces. Where Internet  connectivity
-connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+is through a cable or DSL "Modem", the <i>External Interface</i>  will be
- will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling 
  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be 
@ -243,14 +243,15 @@ your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-       If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then you 
+        If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then
- will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
 /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
  (eth1  or eth0) and will be connected to a hub or switch. Your other computers
  will be  connected to the same hub/switch (note: If you have only a single
- internal system,  you can connect the firewall directly to the computer using
+  internal system,  you can connect the firewall directly to the computer
- a <i>cross-over </i> cable).</p>
+using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
@ -286,15 +287,15 @@ that are  specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet
   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
  <i> Public</i> IP address. This address may be assigned via the<i> Dynamic
- Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
+  Host  Configuration Protocol</i> (DHCP) or as part of establishing your
-  when you dial in (standard modem) or establish your PPP connection. In
+connection   when you dial in (standard modem) or establish your PPP connection.
-rare   cases, your ISP may assign you a<i> static</i> IP address; that means
+In rare   cases, your ISP may assign you a<i> static</i> IP address; that
-that  you  configure your firewall's external interface to use that address
+means that  you  configure your firewall's external interface to use that
-permanently.<i>  </i>However your external address is assigned, it will be
+address permanently.<i>  </i>However your external address is assigned, it
-shared by all of your systems when you access the  Internet. You will have
+will be shared by all of your systems when you access the  Internet. You
-to assign your  own addresses in your  internal network (the Internal Interface
+will have to assign your  own addresses in your  internal network (the Internal
-on your firewall  plus your other  computers). RFC 1918 reserves several
+Interface on your firewall  plus your other  computers). RFC 1918 reserves
-<i>Private </i>IP address ranges for this  purpose:</p>
+several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">       
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -313,13 +314,13 @@ remove  the    'norfc1918' option from the external interface's entry in
 <p align="left">You will want to assign your addresses from the same <i> 
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
     to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
- will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
+  will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
- reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as the
+is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as
- <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
+the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
- using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
+described  using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
- notation</a> with consists of the subnet address followed    by "/24". The
+</i>(CIDR)  notation</a> with consists of the subnet address followed   
- "24" refers to the number of    consecutive leading "1" bits from the left
+by "/24". The  "24" refers to the number of    consecutive leading "1" bits
- of the subnet mask. </p>
+from the left  of the subnet mask. </p>
    </div>
 <div align="left">       
@ -362,16 +363,16 @@ remove  the    'norfc1918' option from the external interface's entry in
 <div align="left">       
 <p align="left">One of the purposes of subnetting is to allow all computers
  in the    subnet to understand which other computers can be communicated
-with directly.    To communicate with systems outside of the subnetwork, systems
+ with directly.    To communicate with systems outside of the subnetwork,
-send packets    through a<i>  gateway</i>  (router).</p>
+systems send packets    through a<i>  gateway</i>  (router).</p>
    </div>
 <div align="left">       
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
        Your local computers (computer    1 and computer 2 in the above diagram)
- should be configured with their<i>    default gateway</i> to be the IP address 
+  should be configured with their<i>    default gateway</i> to be the IP
- of the firewall's internal    interface.<i>      </i> </p>
+address   of the firewall's internal    interface.<i>      </i> </p>
    </div>
 <p align="left">The foregoing short discussion barely scratches the surface
@ -398,18 +399,18 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
  host, the  firewall must perform <i>Network Address Translation </i>(NAT).
  The firewall  rewrites the source address in the packet to be the address
  of the firewall's  external interface; in other words, the firewall makes
- it look as if the firewall  itself is initiating the connection.  This is 
+  it look as if the firewall  itself is initiating the connection.  This
- necessary so that the  destination host will be able to route return packets 
+is   necessary so that the  destination host will be able to route return
- back to the firewall  (remember that packets whose destination address is 
+packets   back to the firewall  (remember that packets whose destination
- reserved by RFC 1918 can't  be routed across the internet so the remote host
+address is   reserved by RFC 1918 can't  be routed across the internet so
- can't address its response to  computer 1). When the firewall receives a
+the remote host  can't address its response to  computer 1). When the firewall
-return packet, it  rewrites the destination address  back to 10.10.10.1 and
+receives a return packet, it  rewrites the destination address  back to 10.10.10.1
- forwards the packet on to computer 1. </p>
+and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> but you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
       <li>                       
@ -433,8 +434,8 @@ return packet, it  rewrites the destination address  back to 10.10.10.1 and
 height="13">
        If your external firewall interface is <b>eth0</b>, you do not  need
  to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq
- and change the first column to the name of your external  interface and the
+  and change the first column to the name of your external  interface and
- second column to the name of your internal interface.</p>
+the  second column to the name of your internal interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
@ -449,10 +450,10 @@ return packet, it  rewrites the destination address  back to 10.10.10.1 and
   local computers. Because these computers have RFC-1918 addresses, it is
 not  possible for clients on the internet to connect directly to them. It
 is rather  necessary for those clients to address their connection requests
-to the firewall  who rewrites the destination address to the address of your 
+ to the firewall  who rewrites the destination address to the address of
- server and forwards  the packet to that server. When your server responds, 
+your   server and forwards  the packet to that server. When your server responds,
- the firewall automatically  performs SNAT to rewrite the source address in
+  the firewall automatically  performs SNAT to rewrite the source address
- the response.</p>
+in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
  Destination Network Address Translation</i> (DNAT). You configure port 
@ -523,13 +524,13 @@ port&gt;</i>]</td>
 <ul>
       <li>You must test the above rule from a client outside of your local 
- network    (i.e., don't test from a browser running on computers 1 or 2
+ network    (i.e., don't test from a browser running on computers 1 or 2 or
-or  on the    firewall). If you want to be able to access your web server
+ on the    firewall). If you want to be able to access your web server using
-using  the IP    address of your external interface, see <a
+ the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
       <li>Many ISPs block incoming connection requests to port 80. If you
-have     problems connecting to your web server, try the following rule and 
+ have     problems connecting to your web server, try the following rule
-try     connecting to port 5000.</li>
+and  try     connecting to port 5000.</li>
 </ul>
@ -568,35 +569,35 @@ that  you require.</p>
 <p align="left">Normally, when you connect to your ISP, as part of getting
  an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
-will be  automatically configured (e.g., the /etc/resolv.conf file will be 
+ will be  automatically configured (e.g., the /etc/resolv.conf file will
-written).  Alternatively, your ISP may have given you the IP address of a 
+be  written).  Alternatively, your ISP may have given you the IP address
-pair of DNS <i> name servers</i> for you to manually configure as your primary 
+of a  pair of DNS <i> name servers</i> for you to manually configure as your
-and secondary  name servers. Regardless of how DNS gets configured on your 
+primary  and secondary  name servers. Regardless of how DNS gets configured
-firewall, it is <u>your</u> responsibility to configure the resolver in your 
+on your  firewall, it is <u>your</u> responsibility to configure the resolver
- internal systems. You can take one of two approaches:</p>
+in your   internal systems. You can take one of two approaches:</p>
 <ul>
       <li>                       
    <p align="left">You can configure your internal systems to use your ISP's
- name    servers. If you ISP gave you the addresses of their servers or if 
+  name    servers. If you ISP gave you the addresses of their servers or
- those    addresses are available on their web site, you can configure your 
+if   those    addresses are available on their web site, you can configure
- internal    systems to use those addresses. If that information isn't available, 
+your   internal    systems to use those addresses. If that information isn't
- look in    /etc/resolv.conf on your firewall system -- the name servers are
+available,   look in    /etc/resolv.conf on your firewall system -- the name
- given in    "nameserver" records in that file.   </p>
+servers are  given in    "nameserver" records in that file.   </p>
      </li>
      <li>                       
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
        You can configure a<i> Caching Name Server </i>on your    firewall.<i>
      </i>Red Hat has an RPM for a caching name server (the RPM also    requires
- the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take 
+  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you   
- this approach, you configure your internal systems to use the firewall  
+take   this approach, you configure your internal systems to use the firewall
   itself as their primary (and only) name server. You use the internal IP
   address of the firewall (10.10.10.254 in the example above) for the name
-    server address. To allow your local systems to talk to your caching name 
+     server address. To allow your local systems to talk to your caching
-    server, you must open port 53 (both UDP and TCP) from the local network 
+name      server, you must open port 53 (both UDP and TCP) from the local
- to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
+network   to the    firewall; you do that by adding the following rules in
-      </p>
+/etc/shorewall/rules.       </p>
      </li>
 </ul>
@ -685,7 +686,7 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
 <div align="left">       
 <p align="left">Those rules allow DNS access from your firewall and may be
-    removed if you commented out the line in /etc/shorewall/policy allowing 
+     removed if you uncommented the line in /etc/shorewall/policy allowing
  all    connections from the firewall to the internet.</p>
    </div>
@ -806,12 +807,13 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
 <div align="left">       
 <p align="left">Those two rules would of course be in addition to the rules
-    listed above under "You can configure a Caching Name Server on your firewall"</p>
+     listed above under "You can configure a Caching Name Server on your
 firewall"</p>
    </div>
 <div align="left">       
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
    </div>
 <div align="left">       
@ -865,9 +867,9 @@ connections  as required.</p>
 width="13" height="13" alt="Arrow">
       The <a href="Install.htm">installation procedure </a>   configures 
 your system to start Shorewall at system boot  but beginning with Shorewall 
-version 1.3.9 startup is disabled so that your system won't try to start
+version 1.3.9 startup is disabled so that your system won't try to start Shorewall
-Shorewall before configuration is complete. Once you have completed configuration
+before configuration is complete. Once you have completed configuration of
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
    </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -906,7 +908,7 @@ added an    entry for the IP address that you are connected from to   <a
 try" command</a>.</p>
    </div>
-<p align="left"><font size="2">Last updated 9/26/2002 - <a
+<p align="left"><font size="2">Last updated 10/9/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
@ -915,5 +917,6 @@ try" command</a>.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.9a
+VERSION=1.3.9b
 usage() # $1 = exit status
 {
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.9a
+VERSION=1.3.9b
 usage() # $1 = exit status
 {
@ -167,6 +167,8 @@ while [ $# -gt 0 ] ; do
    ARGS="yes"
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
@ -282,13 +284,18 @@ fi
 # Install the functions file
 #
 if [ -f ${PREFIX}/etc/shorewall/functions ]; then
    backup_file ${PREFIX}/etc/shorewall/functions
    rm -f  ${PREFIX}/etc/shorewall/functions
 fi
 if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
    backup_file ${PREFIX}/var/lib/shorewall/functions
    rm -f  ${PREFIX}/var/lib/shorewall/functions
 fi
 install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
-echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions"
+echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions"
 #
 # Install the common.def file
 #
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.9a
+VERSION=1.3.9b
 usage() # $1 = exit status
 {