Shorewall-1.4.6 Beta 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@628 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-15 12:14:32 +01:00 · 2003-07-04 16:41:22 +00:00 · 2003-07-04 16:41:22 +00:00 · 5e73f39c5a
commit 5e73f39c5a
parent e4fe73b53a
22 changed files with 14258 additions and 13921 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -23,6 +23,7 @@
                                                               <tr>
                                                                <td
 width="100%">                                                          
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                                                                </td>
                                                              </tr>
@ -38,9 +39,9 @@
           </h1>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
-                             port</b> 7777 to my my personal PC with IP address 
+                              port</b> 7777 to my my personal PC with IP
-      192.168.1.5.             I've     looked     everywhere and can't find 
+address        192.168.1.5.             I've     looked     everywhere and
-   <b>how   to do it</b>.</a></p>
+can't find     <b>how   to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
                              but it doesn't work.<br>
@ -49,9 +50,9 @@
 <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
                         port forwarding</a></p>
-<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
+<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect
-<b>connect to port 1022</b> on my firewall and have the <b>firewall forward
+to port 1022</b> on my firewall and have the <b>firewall forward the connection
-the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
+to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
           </p>
 <h1><b>DNS and PORT FORWARDING/NAT<br>
@ -65,10 +66,10 @@ the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
                              subnet and I use <b>static NAT</b> to assign
-non-RFC1918            addresses          to   hosts   in  Z. Hosts in Z cannot
+ non-RFC1918            addresses          to   hosts   in  Z. Hosts in Z
-communicate       with     each other  using      their    external    (non-RFC1918
+cannot communicate       with     each other  using      their    external
-addresses)       so  they   <b>can't access each     other using   their
+   (non-RFC1918 addresses)       so  they   <b>can't access each     other
-DNS   names.</b></a></p>
+using   their DNS   names.</b></a></p>
 <h1><b>NETMEETING/MSN<br>
           </b></h1>
@ -85,8 +86,8 @@ DNS   names.</b></a></p>
    as   'closed'         rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
-                             of my firewall and it showed 100s of ports as 
+                              of my firewall and it showed 100s of ports
- open!!!!<br>
+as   open!!!!<br>
    </a></p>
    <b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter
 how  I change my rules. </a>             
@ -109,13 +110,14 @@ how  I change my rules.
 <p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
 href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
-             requests. Can i exclude these error messages for this port temporarily 
+              requests. Can i exclude these error messages for this port
-          from   logging in Shorewall?</a><br>
+temporarily            from   logging in Shorewall?</a><br>
                            </p>
 <p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
-             of these <b>DROP messages from port 53</b> <b>to some high numbered 
+              of these <b>DROP messages from port 53</b> <b>to some high
-       port</b>.       They get dropped, but what the heck are they?</a><br>
+numbered         port</b>.       They get dropped, but what the heck are
 they?</a><br>
                            </p>
 <p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
@ -136,8 +138,8 @@ how  I change my rules.
 <h1>STARTING AND STOPPING<br>
           </h1>
-<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 'shorewall
+<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
-stop', I can't connect to anything</b>. Why doesn't that command        
+'shorewall stop', I can't connect to anything</b>. Why doesn't that command
                          work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
@ -161,7 +163,8 @@ Shorewall    starts.</b> Which   file do   I  put them in?</a><br>
 <p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
                             it  work with?</a></p>
-<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it support?</a></p>
+<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
 support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
@ -177,9 +180,9 @@ use   such   <b>ugly    fonts</b>      on  your   <b>web site</b>?</a><br>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
                             and it has an internel  web server that allows
- me   to   configure/monitor                  it   but as expected if I enable 
+  me   to   configure/monitor                  it   but as expected if I
-   <b> rfc1918  blocking</b>  for    my   eth0     interface,       it also
+enable     <b> rfc1918  blocking</b>  for    my   eth0     interface,   
-   blocks the <b>cable  modems  web server</b></a>.</p>
+   it also    blocks the <b>cable  modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
                             IP  addresses, my ISP's DHCP server has an RFC
@ -198,21 +201,23 @@ external    interface,  <b>my      DHCP  client  cannot    renew   its lease</b>
 /etc/shorewall/tcrules</b>             but they <b>don't  </b>seem to <b>do 
    anything</b>.  Why?</a><br>
                                              <br>
-                                             <b>20. </b><a href="#faq20">I
+                                              <b>20. </b><a
- have   just   set    up   a   server.      <b>Do  I have to change Shorewall
+ href="#faq20">I  have   just   set    up   a   server.      <b>Do  I have
- to  allow access   to my   server    from   the  internet?</b></a><br>
+to change Shorewall  to  allow access   to my   server    from   the  internet?</b></a><br>
                                  <br>
                               <b>24. </b><a href="#faq24">How can I <b>allow 
  conections</b>        to  let's    say  the ssh port only<b> from specific 
  IP Addresses</b>    on   the internet?</a><br>
 <br>
-                 <br>
+                  <b>26. </b><a href="#faq26">When I try to use any of the
-                     <br>
+<b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation
 not permitted</b>". How can I use nmap with Shorewall?"</a><br>
 <hr>        
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
                             my my personal PC with IP address 192.168.1.5.
- I've     looked       everywhere           and    can't find how to do it.</h4>
+  I've     looked       everywhere           and    can't find how to do
 it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
@ -288,9 +293,9 @@ external    interface,  <b>my      DHCP  client  cannot    renew   its lease</b>
                                                            </blockquote>
 <div align="left">                      <font face="Courier">     </font>If
-                  you want to forward requests directed to a particular address 
+                   you want to forward requests directed to a particular
-      (  <i>&lt;external          IP&gt;</i> ) on your firewall to an internal 
+address        (  <i>&lt;external          IP&gt;</i> ) on your firewall
-     system:</div>
+to an internal       system:</div>
 <blockquote>                          
  <table border="1" cellpadding="2" cellspacing="0"
@ -334,12 +339,12 @@ in  the  PORT   column    specify  the range  as <i>low-port</i>:<i>high-port</i
 <ul>
                                                              <li>You are 
-trying    to  test   from   inside    your   firewall     (no,   that   
+trying    to  test   from   inside    your   firewall     (no,   that    won't
-won't    work  -- see      <a href="#faq2">FAQ   #2</a>).</li>
+   work  -- see      <a href="#faq2">FAQ   #2</a>).</li>
                                                              <li>You have
 a  more   basic    problem     with   your   local    system    such   as
- an    incorrect   default   gateway     configured    (it  should    be set
+  an    incorrect   default   gateway     configured    (it  should    be
-to    the IP   address     of your  firewall's    internal    interface).</li>
+set to    the IP   address     of your  firewall's    internal    interface).</li>
                <li>Your ISP is blocking that particular port inbound.<br>
             </li>
@ -372,18 +377,18 @@ the   redirected      port   from   an  external     host.</li>
 is  zero:</li>
  <ul>
-                                                     <li>the connection request 
+                                                      <li>the connection
-   is  not   reaching     your   server    (possibly      it  is being blocked 
+request     is  not   reaching     your   server    (possibly      it  is
-   by  your   ISP); or</li>
+being blocked     by  your   ISP); or</li>
-                                                     <li>you are trying to
+                                                      <li>you are trying
- connect    to  a  secondary      IP  address     on  your   firewall   and
+to  connect    to  a  secondary      IP  address     on  your   firewall
- your rule    is only  redirecting    the  primary  IP  address    (You 
+  and  your rule    is only  redirecting    the  primary  IP  address   
-need  to specify      the secondary  IP address     in the "ORIG.   DEST."
+(You  need  to specify      the secondary  IP address     in the "ORIG. 
-column     in  your     DNAT rule);  or</li>
+ DEST." column     in  your     DNAT rule);  or</li>
-                                                     <li>your DNAT rule doesn't 
+                                                      <li>your DNAT rule
-   match    the   connection      request     in  some   other   way. In that
+doesn't     match    the   connection      request     in  some   other 
-   case,  you  may   have to use  a  packet  sniffer     such  as tcpdump 
+ way. In that    case,  you  may   have to use  a  packet  sniffer     such
- or   ethereal   to further   diagnose  the  problem.<br>
+ as tcpdump   or   ethereal   to further   diagnose  the  problem.<br>
                                                      </li>
  </ul>
@ -391,8 +396,8 @@ column     in  your     DNAT rule);  or</li>
 </ul>
 <h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want
-    to connect to port 1022 on my firewall and have the firewall forward the
+     to connect to port 1022 on my firewall and have the firewall forward
-   connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
+the    connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
 <div align="left">        
 <blockquote>                          
@ -430,20 +435,20 @@ column     in  your     DNAT rule);  or</li>
                                                            </div>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
-                            (IP 130.151.100.69) to system 192.168.1.5 in my
+                             (IP 130.151.100.69) to system 192.168.1.5 in
-  local      network.         External         clients  can browse http://www.mydomain.com 
+my   local      network.         External         clients  can browse http://www.mydomain.com
         but internal         clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-                                                             <li>Having an
+                                                              <li>Having
- internet-accessible          server    in  your   local    network     
+an  internet-accessible          server    in  your   local    network  
-   is  like raising foxes     in   the  corner   of your  hen   house.  If
+      is  like raising foxes     in   the  corner   of your  hen   house.
- the server     is      compromised,        there's  nothing    between 
+ If  the server     is      compromised,        there's  nothing    between
-that  server  and  your other   internal           systems.  For the    cost
+ that  server  and  your other   internal           systems.  For the   
-of another  NIC and  a cross-over  cable,       you can   put       your
+cost of another  NIC and  a cross-over  cable,       you can   put      
-  server in a DMZ such  that it is isolated  from     your   local systems
+your   server in a DMZ such  that it is isolated  from     your   local systems 
   -      assuming that the  Server can be located     near the Firewall, 
  of course     :-)</li>
                                                              <li>The accessibility
@ -451,8 +456,8 @@ of another  NIC and  a cross-over  cable,       you can   put       your
 href="shorewall_setup_guide.htm#DNS">Bind  Version       9 "views"</a>  
 (or using a separate DNS server for local  clients)  such   that www.mydomain.com
              resolves to 130.141.100.69     externally  and 192.168.1.5
-internally.         That's    what I do here at     shorewall.net  for my 
+  internally.         That's    what I do here at     shorewall.net  for
-local systems     that    use static   NAT.</li>
+my  local systems     that    use static   NAT.</li>
 </ul>
@ -464,8 +469,8 @@ local systems     that    use static   NAT.</li>
       </p>
 <p align="left">If you are running Shorewall 1.4.0 or earlier see <a
- href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions   suitable for those
+ href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions   suitable for
-releases.<br>
+those releases.<br>
      </p>
 <p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
@ -613,21 +618,22 @@ releases.<br>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
                             subnet and I use static NAT to assign non-RFC1918
     addresses          to   hosts      in   Z.  Hosts in Z cannot communicate
-    with each other      using    their  external      (non-RFC1918     addresses) 
+     with each other      using    their  external      (non-RFC1918    
-    so they can't    access  each    other  using their    DNS  names.</h4>
+addresses)      so they can't    access  each    other  using their    DNS
 names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved
-                            using Bind Version 9 "views". It allows both external
+                             using Bind Version 9 "views". It allows both
-        and    internal         clients       to access a NATed host using
+external         and    internal         clients       to access a NATed
- the    host's    DNS   name.</p>
+host using  the    host's    DNS   name.</p>
 <p align="left">Another good way to approach this problem is to switch from
                              static NAT to Proxy ARP. That way, the hosts
 in   Z  have     non-RFC1918            addresses      and can be accessed
 externally     and    internally using     the    same   address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all
+<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
-Z-&gt;Z traffic through your firewall then:</p>
+traffic through your firewall then:</p>
 <p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
                                                            b) Masquerade 
@ -722,10 +728,11 @@ Z  to  itself.<br>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
                             tracking/NAT module</a> that may help with Netmeeting.
-         Look    <a href="http://linux-igd.sourceforge.net">here</a> for a
+          Look    <a href="http://linux-igd.sourceforge.net">here</a> for
- solution        for MSN   IM but be aware that there are significant security 
+a  solution        for MSN   IM but be aware that there are significant security
- risks  involved      with this  solution. Also check the Netfilter      mailing
+  risks  involved      with this  solution. Also check the Netfilter    
-        list    archives    at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
+ mailing         list    archives    at <a
 href="http://www.netfilter.org">http://www.netfilter.org</a>.          
           </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -733,8 +740,8 @@ Z  to  itself.<br>
   as   'closed'         rather       than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
-                            always    rejects connection requests on TCP port
+                             always    rejects connection requests on TCP
-    113    rather       than     dropping        them. This is    necessary
+port     113    rather       than     dropping        them. This is    necessary 
   to  prevent    outgoing     connection       problems to   services   
 that   use  the    'Auth'  mechanism     for identifying       requesting 
 users.    Shorewall       also  rejects TCP      ports 135, 137 and    139 
@ -762,13 +769,14 @@ open,      temporarily      change    your net-&gt;all     policy    to REJECT,
 <h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how
  I change my rules. </h4>
    I had a rule that allowed telnet from my local network to my firewall;
-I  removed that rule and restarted Shorewall but my telnet session still works!!!<br>
+ I  removed that rule and restarted Shorewall but my telnet session still
 works!!!<br>
    <br>
    <b>Answer: </b> Rules only govern the establishment of new connections. 
- Once a connection is established through the firewall it will be usable
+ Once a connection is established through the firewall it will be usable until
-until  disconnected (tcp) or until it times out (other protocols).  If you
+ disconnected (tcp) or until it times out (other protocols).  If you stop
-stop telnet and try to establish a new session your firerwall will block
+telnet and try to establish a new session your firerwall will block that
-that attempt.<br>
+attempt.<br>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
                             can't ping through the firewall</h4>
@ -794,11 +802,11 @@ that attempt.<br>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
                              and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
+(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-facility (see "man openlog") and you get to choose the log level (again,
+(see "man openlog") and you get to choose the log level (again, see "man
-see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
+syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged 
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
                           When you have changed /etc/syslog.conf, be sure 
 to   restart        syslogd        (on    a  RedHat system, "service syslog 
@ -840,8 +848,8 @@ to   log    all messages,  set: </p>
 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
              are <b>flooding the logs</b> with their connect requests. Can
- i  exclude        these  error messages for this port temporarily from logging 
+  i  exclude        these  error messages for this port temporarily from
-   in Shorewall?</h4>
+logging     in Shorewall?</h4>
                            Temporarily add the following rule:<br>
 <pre>	DROP    net    fw    udp    10619</pre>
@ -901,10 +909,10 @@ the   <b>logunclean</b>         option   (<a
    that     command        work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into
-                            a safe state whereby only those hosts listed in
+                             a safe state whereby only those hosts listed
-  /etc/shorewall/routestopped'              are    activated.         If
+in   /etc/shorewall/routestopped'              are    activated.        
-you   want to totally open up your  firewall,          you  must    use the
+If you   want to totally open up your  firewall,          you  must    use
-'shorewall           clear' command.  </p>
+the 'shorewall           clear' command.  </p>
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
                 I get messages about insmod failing -- what's wrong?</h4>
@ -948,9 +956,9 @@ you   want to totally open up your  firewall,          you  must    use the
                                                           </div>
 <div align="left">        
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
-Net    zone is defined as all hosts that are connected through eth0 and the
+   zone is defined as all hosts that are connected through eth0 and the local
-local    zone is defined as all hosts connected through eth1</p>
+   zone is defined as all hosts connected through eth1</p>
                                                           </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -981,18 +989,17 @@ local    zone is defined as all hosts connected through eth1</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
                             and it has an  internal web server that allows
- me   to   configure/monitor                  it   but as expected if I  enable
+  me   to   configure/monitor                  it   but as expected if I
-    rfc1918   blocking for my  eth0     interface          (the  internet 
+ enable     rfc1918   blocking for my  eth0     interface          (the 
-one),    it also   blocks  the cable  modems    web server.</h4>
+internet  one),    it also   blocks  the cable  modems    web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking
                             that will let all traffic to and from the 192.168.100.1
-          address         of   the    modem  in/out but still block all other 
+           address         of   the    modem  in/out but still block all
-    rfc1918      addresses?</p>
+other      rfc1918      addresses?</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
-earlier than      1.3.1, create /etc/shorewall/start and in it, place the
+than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 following:</p>
 <div align="left">        
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -1029,9 +1036,9 @@ following:</p>
                                                         </p>
 <p align="left">Note: If you add a second IP address to your external firewall
-                           interface to correspond to the modem address, you
+                            interface to correspond to the modem address,
-   must     also     make     an   entry      in /etc/shorewall/rfc1918 for
+you    must     also     make     an   entry      in /etc/shorewall/rfc1918
-  that address.     For    example,    if you   configure      the address
+for   that address.     For    example,    if you   configure      the address 
  192.168.100.2 on   your  firewall,    then   you would   add two entries 
      to /etc/shorewall/rfc1918:      <br>
                                                         </p>
@ -1070,10 +1077,10 @@ following:</p>
                                                           </div>
 <div align="left">        
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
-IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
+   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-RFC 1918    filtering on my external interface, my DHCP client cannot renew
+1918    filtering on my external interface, my DHCP client cannot renew its
-its lease.</h4>
+lease.</h4>
                                                            </div>
 <div align="left">        
@ -1085,10 +1092,10 @@ its lease.</h4>
                             the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
-                            the net", I wonder  where the poster bought computers 
+                             the net", I wonder  where the poster bought
-        with     eyes     and    what     those computers will "see"  when 
+computers          with     eyes     and    what     those computers will
- things       are working     properly.      That   aside,     the most common 
+"see"  when   things       are working     properly.      That   aside, 
- causes     of  this  problem    are:</p>
+   the most common   causes     of  this  problem    are:</p>
 <ol>
                                                              <li>      
@ -1115,12 +1122,12 @@ its lease.</h4>
                             all  over my console making it unusable!</h4>
 <p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4 
-or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
+or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see the
-the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command 
+'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command  
                           to your startup    scripts or place it in /etc/shorewall/start.
                   Under      RedHat,    the max log level    that is sent
-to   the    console        is   specified     in /etc/sysconfig/init    in 
+ to   the    console        is   specified     in /etc/sysconfig/init   
-the      LOGLEVEL    variable.<br>
+in  the      LOGLEVEL    variable.<br>
                                                       </p>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
@ -1140,18 +1147,19 @@ the      LOGLEVEL    variable.<br>
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                                        <li><b>all2&lt;zone&gt;</b>,
          <b>&lt;zone&gt;2all</b>             or      <b>all2all        
-   </b>-       You have a<a href="Documentation.htm#Policy"> policy</a> that
+     </b>-       You have a<a href="Documentation.htm#Policy"> policy</a>
-    specifies      a  log level              and this packet is being logged
+that     specifies      a  log level              and this packet is being
-under that policy.         If you  intend        to   ACCEPT this traffic
+logged under that policy.         If you  intend        to   ACCEPT this
-then you need a  <a href="Documentation.htm#Rules">rule</a>   to that effect.<br>
+traffic then you need a  <a href="Documentation.htm#Rules">rule</a>   to
 that effect.<br>
                                                        </li>
                                                         <li><b>&lt;zone1&gt;2&lt;zone2&gt;
             </b>-    Either    you   have   a<a
 href="Documentation.htm#Policy">  policy</a> for       <b>&lt;zone1&gt;
        </b>to       <b>&lt;zone2&gt;</b>  that specifies   a log level and
    this     packet is being         logged under that policy   or this packet
-      matches    a     <a href="Documentation.htm#Rules">rule</a>   that includes
+       matches    a     <a href="Documentation.htm#Rules">rule</a>   that
-      a log level.</li>
+includes       a log level.</li>
                                                  <li><b>&lt;interface&gt;_mac</b>
     -  The   packet    is  being    logged    under    the      <b>maclist</b>
         <a href="Documentation.htm#Interfaces">interface     option</a>.<br>
@ -1174,14 +1182,13 @@ then you need a  <a href="Documentation.htm#Rules">rule</a>   to that effect.<br
 it   is not a  syn   packet.    Options   affecting  the logging    of such 
 packets   include          <b>NEWNOTSYN          </b>and        <b>LOGNEWNOTSYN 
       </b>in           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                                                       <li><b>INPUT</b> or
+                                                        <li><b>INPUT</b>
-     <b>FORWARD</b>        -  The   packet    has   a  source    IP  address
+or      <b>FORWARD</b>        -  The   packet    has   a  source    IP  address 
    that isn't in any    of   your  defined   zones    ("shorewall    check" 
-    and  look at the    printed   zone  definitions)   or   the chain is
+    and  look at the    printed   zone  definitions)   or   the chain is FORWARD
-FORWARD    and   the destination     IP   isn't  in any of your   defined
+   and   the destination     IP   isn't  in any of your   defined    zones.</li>
-   zones.</li>
+                                               <li><b>logflags </b>- The
-                                              <li><b>logflags </b>- The packet
+packet    is  being    logged    because     it  failed    the   checks implemented 
   is  being    logged    because     it  failed    the   checks implemented
   by the     <b>tcpflags        </b><a
 href="Documentation.htm#Interfaces">interface   option</a>.<br>
                                               </li>
@ -1205,9 +1212,9 @@ the    tcrules   file are simply being ignored.<br>
   the    internet?</b><br>
                                              </h4>
                                              Yes. Consult the <a
- href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that you
+ href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that
-used during your initial setup for information about      how to set  up
+you used during your initial setup for information about      how to set
-rules for your server.<br>
+ up rules for your server.<br>
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
                      what are they?<br>
@ -1221,11 +1228,11 @@ rules for your server.<br>
                                            <br>
                                            <b>Answer: </b>While most people
  associate      the   Internet     Control     Message     Protocol (ICMP)
- with 'ping',    ICMP  is   a key piece    of  the internet.     ICMP   is 
+  with 'ping',    ICMP  is   a key piece    of  the internet.     ICMP  
-  used to report    problems  back  to the sender    of a packet; this   is
+is    used to report    problems  back  to the sender    of a packet; this
-  what  is happening     here. Unfortunately,  where NAT   is involved (including
+  is   what  is happening     here. Unfortunately,  where NAT   is involved
-     SNAT,  DNAT    and Masquerade),  there  are a lot  of broken implementations.
+(including      SNAT,  DNAT    and Masquerade),  there  are a lot  of broken
-    That is    what you are seeing with   these messages.<br>
+implementations.     That is    what you are seeing with   these messages.<br>
                                            <br>
                                           Here is my interpretation of what
  is  happening     --  to  confirm     this   analysis,    one would have
@ -1234,36 +1241,36 @@ to have  packet sniffers     placed  a both    ends of   the connection.<br>
                                           Host 172.16.1.10 behind NAT gateway
   206.124.146.179         sent   a  UDP   DNS   query    to 192.0.2.3 and
 your  DNS server tried     to   send a  response   (the response   information
-  is in the brackets   --  note   source  port 53 which   marks this as  a
+   is in the brackets   --  note   source  port 53 which   marks this as
- DNS reply).  When the   response   was  returned  to to 206.124.146.179, 
+ a  DNS reply).  When the   response   was  returned  to to 206.124.146.179,
-   it rewrote  the destination    IP  TO 172.16.1.10   and forwarded the packet
+    it rewrote  the destination    IP  TO 172.16.1.10   and forwarded the
- to  172.16.1.10  who no longer    had  a connection   on UDP port 2857.
+packet  to  172.16.1.10  who no longer    had  a connection   on UDP port
-This causes    a port unreachable    (type 3, code  3) to   be generated back
+2857. This causes    a port unreachable    (type 3, code  3) to   be generated
-to 192.0.2.3.   As this packet  is sent  back through  206.124.146.179, 
+back to 192.0.2.3.   As this packet  is sent  back through  206.124.146.179,
   that box correctly   changes the  source address  in the packet  to 206.124.146.179
      but doesn't   reset the DST IP in the original   DNS response  similarly.
      When the ICMP reaches your firewall (192.0.2.3),   your firewall  has
-  no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't 
+   no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP
-      appear to be related   to anything that was sent. The final   result 
+doesn't        appear to be related   to anything that was sent. The final
- is   that the packet gets logged   and dropped in the all2all chain. I  have
+  result   is   that the packet gets logged   and dropped in the all2all
-  also  seen cases where the source   IP in the ICMP itself isn't set back
+chain. I  have   also  seen cases where the source   IP in the ICMP itself
-  to the  external IP of the remote NAT   gateway; that causes your firewall
+isn't set back   to the  external IP of the remote NAT   gateway; that causes
-  to  log  and drop the packet out of the   rfc1918 chain because the source
+your firewall   to  log  and drop the packet out of the   rfc1918 chain because
-  IP is  reserved by RFC 1918.<br>
+the source   IP is  reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
-                 I want to <b>run when Shorewall starts.</b> Which file do 
+                  I want to <b>run when Shorewall starts.</b> Which file
- I  put    them     in?</h4>
+do   I  put    them     in?</h4>
-                                           You can place these commands in
+                                            You can place these commands
- one   of  the   <a href="shorewall_extension_scripts.htm">Shorewall Extension
+in  one   of  the   <a href="shorewall_extension_scripts.htm">Shorewall Extension 
 Scripts</a>.     Be sure that you look at the contents of the chain(s) that 
 you will be  modifying              with your commands to be sure that the 
 commands will  do what they     are    intended.    Many iptables commands 
 published in HOWTOs and other    instructional    material    use the -A 
 command which adds the rules to  the  end of the chain.    Most chains   
- that Shorewall constructs end with  an  unconditional DROP,   ACCEPT or
+that Shorewall constructs end with  an  unconditional DROP,   ACCEPT or REJECT
-REJECT    rule and any rules that you  add  after that will be ignored. 
+   rule and any rules that you  add  after that will be ignored.   Check
- Check "man iptables"   and look at the  -I (--insert)  command.<br>
+"man iptables"   and look at the  -I (--insert)  command.<br>
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
                 web site?</h4>
@ -1273,7 +1280,8 @@ so   the fonts you  see   are largely   the   default fonts configured  in
 your   browser.  If you  don't   like them then  reconfigure   your browser.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
-              the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
+               the ssh port only<b> from specific IP Addresses</b> on the
 internet?</h4>
                               In the SOURCE column of the rule, follow "net" 
  by  a  colon    and   a  list   of  the host/subnet addresses as a comma-separated
     list.<br>
@ -1291,11 +1299,18 @@ your   browser.  If you  don't   like them then  reconfigure   your browser.<br>
                  At the shell prompt, type:<br>
                  <br>
                  <font color="#009900"><b>    /sbin/shorewall version</b></font><br>
 <h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN options
 in nmap on or behind the firewall, I get "operation not permitted". How can
 I use nmap with Shorewall?"</h4>
 Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes"
 then restart Shorewall.<br>
 <br>
-                 <font size="2">Last updated 5/29/2003 - <a
+                  <font size="2">Last updated 6/29/2003 - <a
 href="support.htm">Tom     Eastep</a></font>         
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -37,18 +37,18 @@
 <ol>
             <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
-this option is specified, all traffic arriving on the interface is subjet
+option is specified, all traffic arriving on the interface is subjet to MAC
-to MAC verification.</li>
+verification.</li>
             <li>The <b>maclist </b>option in <a
 href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option 
-  is specified for a subnet, all traffic from that subnet  is subject to
+  is specified for a subnet, all traffic from that subnet  is subject to MAC
-MAC   verification.</li>
+  verification.</li>
             <li>The /etc/shorewall/maclist file. This file is used to associate 
   MAC  addresses with interfaces and to optionally associate IP addresses 
 with  MAC  addresses.</li>
-            <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
+             <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
-     in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
+    </b>variables      in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> 
  The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT 
 and  determines   the disposition of connection requests that fail MAC verification. 
  The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection 
@ -64,35 +64,37 @@ not logged.<br>
             <li>INTERFACE - The name of an ethernet interface on the Shorewall 
   system.</li>
             <li>MAC - The MAC address of a device on the ethernet segment
-connected     by INTERFACE. It is not necessary to use the Shorewall MAC format
+ connected     by INTERFACE. It is not necessary to use the Shorewall MAC
-in this     column although you may use that format if you so choose.</li>
+format in this     column although you may use that format if you so choose.</li>
             <li>IP Address - An optional comma-separated list of IP addresses 
  for   the device whose MAC is listed in the MAC column.</li>
 </ul>
-<h3>Example 1: Here are my files:</h3>
+<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
 details about my setup):</h3>
           <b>/etc/shorewall/shorewall.conf:<br>
           </b>   
 <pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
           <b>/etc/shorewall/interfaces:</b><br>
 <blockquote>      
-  <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS<br>net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc     eth2            192.168.1.255   dhcp<br>dmz     eth1            192.168.2.255<br>wap     eth3            192.168.3.255   dhcp,maclist<br>-       texas           192.168.9.255</pre>
+  <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS<br>net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc     eth2            192.168.1.255   dhcp<br>dmz     eth1            192.168.2.255<br>WiFi    eth3            192.168.3.255   dhcp,maclist<br>-       texas           192.168.9.255</pre>
  </blockquote>
           <b>/etc/shorewall/maclist:</b><br>
 <blockquote>      
-  <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)<br>eth3                    00:A0:CC:A2:0C:A0       192.168.3.7     #Work Laptop<br>eth3                    00:04:5a:fe:85:b9       192.168.3.250   #WAP11<br>eth3                    00:06:25:56:33:3c                       #WET11<br>eth3                    00:0b:cd:C4:cc:97       192.168.3.8     #TIPPER</pre>
+  <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)<br>eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop<br>eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11<br>eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11<br>eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</pre>
  </blockquote>
  As shown above, I use MAC Verification on my wireless zone.<br>
 <br>
-<b>Note: </b>The WET11 is a somewhat curious device; when forwarding DHCP
+ <b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
-traffic, it uses the MAC address of the host (TIPPER) but for other forwarded
+a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
-traffic it uses it's own MAC address. Consequently, I don't assign the WET11
+the MAC address of the host (TIPPER) but for other forwarded traffic it uses
-a fixed IP address in /etc/shorewall/maclist.<br>
+it's own MAC address. Consequently, I list the IP addresses of both devices
 in /etc/shorewall/maclist.<br>
-<h3>Example 2: Router in Local Zone</h3>
+<h3>Example 2: Router in Wireless Zone</h3>
           Suppose now that I add a second wireless segment to my wireless
 zone and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15 
 and   IP address  192.168.3.253. Hosts in the second segment have IP addresses 
@ -101,12 +103,12 @@ zone and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15
 <pre>     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24<br></pre>
           This entry accomodates traffic from the router itself (192.168.3.253) 
-   and  from the second wireless segment (192.168.4.0/24). Remember that
+   and  from the second wireless segment (192.168.4.0/24). Remember that all
-all traffic    being  sent to my firewall from the 192.168.4.0/24 segment
+traffic    being  sent to my firewall from the 192.168.4.0/24 segment will
-will be forwarded    by the router so that traffic's MAC address will be
+be forwarded    by the router so that traffic's MAC address will be that
-that of the router (00:06:43:45:C6:15)    and not that of the host sending
+of the router (00:06:43:45:C6:15)    and not that of the host sending the
-the traffic.   
+traffic.    
-<p><font size="2">   Updated 6/10/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 6/30/2002 - <a href="support.htm">Tom  Eastep</a> 
        </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         &copy; 
@ -116,5 +118,6 @@ the traffic.
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@ -56,8 +56,8 @@ to  run   as  a transparent proxy  as described at <a
          <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
           </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
-or  in  the  local zone, that zone must be defined ONLY by its interface --
+ or  in  the  local zone, that zone must be defined ONLY by its interface
-no  /etc/shorewall/hosts   file entries. That is because the packets being 
+-- no  /etc/shorewall/hosts   file entries. That is because the packets being
 routed  to the Squid server   still have their original destination IP addresses.<br>
          <br>
          <b><img src="images/BD21298_3.gif" alt="" width="13"
@ -67,10 +67,12 @@ Squid    server.<br>
          <br>
          <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
-          </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in
+           </b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
-your   /etc/shorewall/conf   file<br>
+than 1.4.6, you must have NAT and MANGLE enabled in your   /etc/shorewall/conf
  file<br>
          <br>
-         &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
+          &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
 NAT_ENABLED=Yes<br>
        </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
 color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
          <br>
@ -79,8 +81,8 @@ your   /etc/shorewall/conf   file<br>
 <ol>
            <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running 
 on  the  Firewall.</a></li>
-           <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
+            <li><a href="Shorewall_Squid_Usage.html#Local">Squid running
- the  local  network</a></li>
+in  the  local  network</a></li>
            <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in 
 the  DMZ</a></li>
@ -90,9 +92,9 @@ the  DMZ</a></li>
             You want to redirect all local www connection requests EXCEPT
                                                     those to your     own 
    http server                                                  (206.124.146.177)
-             to a Squid                                                  transparent
+              to a Squid                                                
-           proxy  running on the firewall and listening on port 3128. Squid
+ transparent            proxy  running on the firewall and listening on port
-     will     of course  require access to remote web servers.<br>
+3128. Squid      will     of course  require access to remote web servers.<br>
            <br>
            In /etc/shorewall/rules:<br>
            <br>
@ -142,22 +144,25 @@ the  DMZ</a></li>
 or networks from being redirected. For example, you might also want requests 
 destined for 130.252.100.0/24 to not be routed to Squid. In that case, you 
 must add a manual rule in /etc/shorewall/start:<br>
 <blockquote>   
  <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
 </blockquote>
 &nbsp;To exclude additional hosts or networks, just add additional similar 
 rules.<br>
 <h2><a name="Local"></a>Squid Running in the local network</h2>
             You want to redirect all local www connection requests  to a 
 Squid                                                    transparent     
 proxy   running   in your local zone at 192.168.1.3 and listening on port 
 3128.    Your local  interface is eth1. There may also be a web server running
-on   192.168.1.3. It is assumed that web access is already enabled from the 
+ on   192.168.1.3. It is assumed that web access is already enabled from
-local   zone to the internet.<br>
+the  local   zone to the internet.<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
-     other aspects of your gateway including but not limited to traffic shaping 
+      other aspects of your gateway including but not limited to traffic
-     and route redirection. For that reason, <b>I don't recommend it</b>.<br>
+shaping       and route redirection. For that reason, <b>I don't recommend
 it</b>.<br>
              </p>
 <ul>
@ -294,8 +299,8 @@ following policy in place of the above rule:<br>
           </blockquote>
 <ul>
-            <li>On 192.168.1.3, arrange for the following command to be executed 
+             <li>On 192.168.1.3, arrange for the following command to be
-   after   networking has come up<br>
+executed     after   networking has come up<br>
    <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
               </li>
@ -317,8 +322,8 @@ following policy in place of the above rule:<br>
 <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
            You have a single Linux system in your DMZ with IP address 192.0.2.177.
-    You want to run both a web server and Squid on that system. Your DMZ interface
+     You want to run both a web server and Squid on that system. Your DMZ
-    is eth1 and your local interface is eth2.<br>
+interface     is eth1 and your local interface is eth2.<br>
 <ul>
              <li>On your firewall system, issue the following command<br>
@ -520,12 +525,10 @@ following     command to be executed after  networking has come up<br>
 <blockquote>  </blockquote>
-<p><font size="-1">   Updated 5/29/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="-1">   Updated 6/27/2003 - <a href="support.htm">Tom  Eastep</a>
               </font></p>
    <a href="copyright.htm"><font size="2">Copyright</font>           &copy; 
 <font size="2">2003 Thomas M. Eastep.</font></a><br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
+++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
@ -34,12 +34,12 @@ ifconfig   treats them more or less like real interfaces.<br>
       Example:<br>
 <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55<br>          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0<br>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>          Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
-     The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
+      The ifconfig utility is being gradually phased out in favor of the
-   utility which is part of the <i>iproute </i>package. The ip utility does
+<i>ip</i>    utility which is part of the <i>iproute </i>package. The ip
-  not use the concept of aliases or virtual interfaces but rather treats
+utility does   not use the concept of aliases or virtual interfaces but rather
-additional    addresses on an interface as objects. The ip utility does provide
+treats additional    addresses on an interface as objects. The ip utility
-for interaction   with ifconfig in that it allows addresses to be <i>labeled
+does provide for interaction   with ifconfig in that it allows addresses
-</i>and labels  may take the form of ipconfig virtual interfaces.<br>
+to be <i>labeled </i>and labels  may take the form of ipconfig virtual interfaces.<br>
       <br>
       Example:<br>
       <br>
@ -49,9 +49,9 @@ for interaction   with ifconfig in that it allows addresses to be <i>labeled
 "eth0:0"  is a label for a particular address rather than a device name.<br>
 <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
-      The iptables program doesn't support virtual interfaces in either it's
+       The iptables program doesn't support virtual interfaces in either
-  "-i"  or "-o" command options; as a consequence, Shorewall does not allow
+it's   "-i"  or "-o" command options; as a consequence, Shorewall does not
-  them to be used in the /etc/shorewall/interfaces file.<br>
+allow   them to be used in the /etc/shorewall/interfaces file.<br>
       <br>
 <h2>So how do I handle more than one address on an interface?</h2>
@ -59,9 +59,9 @@ for interaction   with ifconfig in that it allows addresses to be <i>labeled
 In the sub-sections   that follow, we'll take a look at common scenarios.<br>
 <h3>Separate Rules</h3>
-     If you need to make a rule for traffic to/from the firewall itself that
+      If you need to make a rule for traffic to/from the firewall itself
- only  applies to a particular IP address, simply qualify the $FW zone with
+that  only  applies to a particular IP address, simply qualify the $FW zone
- the IP  address.<br>
+with  the IP  address.<br>
      <br>
      Example (allow SSH from net to eth0:0 above):<br>
      <br>
@ -213,12 +213,45 @@ the INTERFACE   column as follows:<br>
    </tbody>         
  </table>
         <br>
          </blockquote>
 Shorewall can also set up SNAT to round-robin over a range of IP addresses.
 Do do that, you specify a range of IP addresses in the ADDRESS column. If
 you specify a label in the INTERFACE column, Shorewall will use that label
 for the first address of the range and will increment the label by one for
 each subsequent label.<br>
 <br>
 <blockquote>         
  <table cellpadding="2" cellspacing="0" border="1">
            <tbody>
              <tr>
                <td valign="top"><b>INTERFACE<br>
                </b></td>
                <td valign="top"><b>SUBNET<br>
                </b></td>
                <td valign="top"><b>ADDRESS<br>
                </b></td>
              </tr>
              <tr>
                <td valign="top">eth0:0<br>
                </td>
                <td valign="top">eth1<br>
                </td>
                <td valign="top">206.124.146.178-206.124.146.180<br>
                </td>
              </tr>
    </tbody>         
  </table>
          </blockquote>
 The above would create three IP addresses:<br>
 <br>
 &nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
 &nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
 &nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
 <h3>STATIC NAT</h3>
-      If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
+       If you wanted to use static NAT to link eth0:0 with local address
-   you would have the following in /etc/shorewall/nat:<br>
+192.168.1.3,    you would have the following in /etc/shorewall/nat:<br>
       <br>
 <blockquote>         
@ -257,8 +290,8 @@ the INTERFACE   column as follows:<br>
 set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning with 
 Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual interface) 
 so   that you can see the  created address using ifconfig. In addition to 
-setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface name in
+setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface name in the
-the INTERFACE   column as follows:<br>
+INTERFACE   column as follows:<br>
       <br>
 <blockquote>         
@ -607,17 +640,11 @@ privileges).<br>
 that   you want to permit.<br>
       <br>
-<p align="left"><font size="2">Last Updated 5/8/2003 A - <a
+<p align="left"><font size="2">Last Updated 6/22/2003 A - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         &copy; 
   <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
      <br>
 </p>
         <br>
      <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -43,19 +43,17 @@
                                                        <li> <a
 href="download.htm">Download</a><br>
                                                </li>
-                                             <li> <a href="Install.htm">Installation/Upgrade/</a><br>
+                                                <li> <a
 href="Install.htm">Installation/Upgrade/</a><br>
                                                  <a href="Install.htm">Configuration</a><br>
                                                </li>
                                                <li> <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                                                 </li>
                                                                        <li>
-          <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation 
+            <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
-Index</a></b></li>
+                                                                        
-                                                     <li> <a
+                                     <li> <a href="FAQ.htm">FAQs</a></li>
 href="Documentation.htm">Reference      Manual</a></li>
                                                     <li> <a
 href="FAQ.htm">FAQs</a></li>
                                                         <li><a
 href="useful_links.html">Useful     Links</a><br>
                                                         </li>
@ -73,11 +71,12 @@ Index</a></b></li>
                                             <li><a href="1.3"
 target="_top">Shorewall       1.3 Site</a></li>
                                             <li><a
- href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall  1.2
+ href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 
-Site</a></li>
+1.2 Site</a></li>
                     <li><a href="shorewall_mirrors.htm">Mirrors</a>    
          <ul>
                                                          <li><a
 target="_top" href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -91,13 +90,15 @@ Site</a></li>
                      <li><a href="http://shorewall.syachile.cl"
 target="_top">Chile</a></li>
                     <li><a href="http://shorewall.greshko.com"
- target="_top">Taiwan</a><br>
+ target="_top">Taiwan</a></li>
             <li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
             </li>
                                              <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
                                              </li>
          </ul>
                                                        </li>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -43,19 +43,17 @@
                                                       <li> <a
 href="download.htm">Download</a><br>
                                               </li>
-                                            <li> <a href="Install.htm">Installation/Upgrade/</a><br>
+                                               <li> <a
 href="Install.htm">Installation/Upgrade/</a><br>
                                                 <a href="Install.htm">Configuration</a><br>
                                               </li>
                                               <li> <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                                                </li>
                                                                       <li> 
-          <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
+           <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
-Index</a></b></li>
+                                                                        
-                                                    <li> <a
+                                   <li> <a href="FAQ.htm">FAQs</a></li>
 href="Documentation.htm">Reference      Manual</a></li>
                                                    <li> <a
 href="FAQ.htm">FAQs</a></li>
                                                        <li><a
 href="useful_links.html">Useful     Links</a><br>
                                                        </li>
@ -73,8 +71,8 @@ Index</a></b></li>
           </li>
                  <li><a href="1.3" target="_top">Shorewall   1.3 Site</a></li>
                                            <li><a
- href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 
+ href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall  1.2
-1.2 Site</a></li>
+Site</a></li>
                    <li><a href="shorewall_mirrors.htm">Mirrors</a>     
@ -91,13 +89,15 @@ Index</a></b></li>
                     <li><a href="http://shorewall.syachile.cl"
 target="_top">Chile</a></li>
                    <li><a href="http://shorewall.greshko.com"
- target="_top">Taiwan</a><br>
+ target="_top">Taiwan</a></li>
             <li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
             </li>
                                             <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
                                             </li>
          </ul>
                                                       </li>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -40,8 +40,8 @@ files on a system running Microsoft Windows, you <u>must</u>
 <ul>
                            <li>/etc/shorewall/shorewall.conf - used to set
 several     firewall             parameters.</li>
-                           <li>/etc/shorewall/params - use this file to set 
+                            <li>/etc/shorewall/params - use this file to
- shell    variables     that you will     expand in other files.</li>
+set   shell    variables     that you will     expand in other files.</li>
                            <li>/etc/shorewall/zones - partition the firewall's
   view   of  the   world         into <i>zones.</i></li>
                            <li>/etc/shorewall/policy - establishes firewall
@ -59,12 +59,13 @@ where    to  use   many-to-one            (dynamic) Network Address Translation
                            <li>/etc/shorewall/rules - defines rules that 
 are  exceptions      to  the         overall policies established in /etc/shorewall/policy.</li>
                            <li>/etc/shorewall/nat - defines static NAT rules.</li>
-                           <li>/etc/shorewall/proxyarp - defines use of Proxy 
+                            <li>/etc/shorewall/proxyarp - defines use of
-  ARP.</li>
+Proxy    ARP.</li>
                            <li>/etc/shorewall/routestopped (Shorewall 1.3.4
  and   later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
-                           <li>/etc/shorewall/tcrules - defines marking of 
+                            <li>/etc/shorewall/tcrules - defines marking
-packets     for   later   use by     traffic control/shaping or policy routing.</li>
+of  packets     for   later   use by     traffic control/shaping or policy
 routing.</li>
                            <li>/etc/shorewall/tos - defines rules for setting
   the   TOS   field   in packet         headers.</li>
                            <li>/etc/shorewall/tunnels - defines IPSEC, GRE
@ -73,8 +74,8 @@ and   IPIP   tunnels    with end-points on         the firewall system.</li>
  IP/subnet/MAC        addresses.</li>
         <li>/etc/shorewall/init - commands that you wish to execute at the
 beginning   of a "shorewall start" or "shorewall restart".</li>
-        <li>/etc/shorewall/start - commands that you wish to execute at the 
+         <li>/etc/shorewall/start - commands that you wish to execute at
- completion  of a "shorewall start" or "shorewall restart"</li>
+the   completion  of a "shorewall start" or "shorewall restart"</li>
         <li>/etc/shorewall/stop - commands that you wish to execute at the
 beginning   of a "shorewall stop".</li>
         <li>/etc/shorewall/stopped - commands that you wish to execute at
@ -88,9 +89,9 @@ the   completion of a "shorewall stop".</li>
 <h2><a name="Comments"></a>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-               character a pound sign ("#"). You may also place comments at
+                character a pound sign ("#"). You may also place comments
-  the    end  of any line, again by       delimiting the comment from the
+at   the    end  of any line, again by       delimiting the comment from
-rest  of   the line  with a pound sign.</p>
+the rest  of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -177,6 +178,7 @@ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
 <blockquote>         ----- end rules -----<br>
  </blockquote>
 <h2><a name="dnsnames"></a>Using DNS Names</h2>
 <p align="left">     </p>
@ -184,14 +186,14 @@ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
          using DNS names in Shorewall configuration files. If you use DNS
 names      and   you are called out of bed at 2:00AM because Shorewall won't
-start    as  a result  of DNS problems then don't say that you were not forewarned. 
+ start    as  a result  of DNS problems then don't say that you were not
-    <br>
+forewarned.      <br>
                    </b></p>
 <p align="left"><b>    -Tom<br>
                    </b></p>
-<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall 
+<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
         configuration files may be specified as either IP addresses or DNS
    Names.<br>
                    <br>
@ -223,8 +225,8 @@ starting     your   firewall.<br>
 </ul>
 <p align="left"> Each DNS name much be fully qualified and include a minumum
-        of two periods (although one may be trailing). This restriction is 
+         of two periods (although one may be trailing). This restriction
- imposed       by Shorewall to insure backward compatibility with existing 
+is   imposed       by Shorewall to insure backward compatibility with existing
  configuration       files.<br>
                    <br>
                    Examples of valid DNS names:<br>
@ -269,7 +271,8 @@ following the "!".</p>
 <ul>
                            <li>Must not have any embedded white space.<br>
                            Valid: routefilter,dhcp,norfc1918<br>
-                           Invalid: routefilter,     dhcp,              norfc1818</li>
+                            Invalid: routefilter,     dhcp,             
 norfc1818</li>
                            <li>If you use line continuation to break a comma-separated
       list,   the          continuation line(s) must begin in column 1 (or
  there     would  be embedded          white space)</li>
@ -286,9 +289,9 @@ an integer or a service name from /etc/services. </p>
 <h2><a name="Ranges"></a>Port Ranges</h2>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
-               port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
+                port number</i>&gt;:&lt;<i>high port number</i>&gt;. For
-       if you want to forward the range of tcp ports 4000 through 4100 to 
+example,         if you want to forward the range of tcp ports 4000 through
-local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+4100 to  local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
                 </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
@ -325,6 +328,7 @@ that you can then use in some of the other    configuration files.</p>
  <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
                         </blockquote>
                                                               </font>  
 <p>Variables may be used anywhere in the              other configuration
         files.</p>
@ -369,12 +373,12 @@ the  MAC address    in  the example above would be        written "~02-00-08-E3-
 <h2><a name="Levels"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall.
-        The <a href="starting_and_stopping_shorewall.htm">shorewall start 
+         The <a href="starting_and_stopping_shorewall.htm">shorewall check,
-and    restart</a>       commands allow you to specify an alternate configuration 
+start  and    restart</a>       commands allow you to specify an alternate
-    directory and    Shorewall will use the files in the alternate directory 
+configuration      directory and    Shorewall will use the files in the alternate
-   rather than the  corresponding  files in /etc/shorewall. The alternate 
+directory     rather than the  corresponding  files in /etc/shorewall. The
-directory    need not contain a complete  configuration; those files not
+alternate  directory    need not contain a complete  configuration; those
-in the alternate    directory  will be read from  /etc/shorewall.</p>
+files not in the alternate    directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration
          by:</p>
@ -384,24 +388,20 @@ in the alternate    directory  will be read from  /etc/shorewall.</p>
 from   /etc/shorewall       to a separate      directory;</li>
                            <li>  modify those files in the separate directory;
   and</li>
-                           <li>  specifying the separate directory in a shorewall 
+                            <li>  specifying the separate directory in a
-    start    or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
+shorewall      start    or  shorewall     restart command (e.g., <i><b>shorewall
-       restart</b></i>  )</li>
+-c /etc/testconfig        restart</b></i>  )</li>
 </ol>
 The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
 allows you to attempt to restart using an alternate configuration and if
 an error occurs to automatically restart the standard configuration.<br>
-<p><font size="2">   Updated 4/18/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 6/29/2003 - <a href="support.htm">Tom  Eastep</a>
             </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
            © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -38,7 +38,8 @@ for the configuration that most closely matches your own.<br>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                   <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
+                  <a
 href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
       </p>
 <p>The documentation in HTML format is included   in the .rpm and in the
@ -57,12 +58,12 @@ for the configuration that most closely matches your own.<br>
 href="mailto:teastep@shorewall.net">     me</a>                know so that
         I can mention them here. See the   <a href="Install.htm">Installation
     Instructions</a>    if you have problems    installing the RPM.</li>
-                         <li>If you are running LRP, download the .lrp file 
+                           <li>If you are running LRP, download the .lrp
- (you   might    also   want  to     download the .tgz so you will have a 
+file   (you   might    also   want  to     download the .tgz so you will
-copy of   the documentation).</li>
+have a  copy of   the documentation).</li>
-                         <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
+                           <li>If you run <a
-        and   would      like a .deb package, Shorewall is included in both
+ href="http://www.debian.org"><b>Debian</b></a>          and   would    
-  the     <a
+ like a .deb package, Shorewall is included in both    the     <a
 href="http://packages.debian.org/testing/net/shorewall.html">Debian    
     Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian  Unstable 
@ -156,6 +157,17 @@ which   can be obtained using the following command:<br>
 href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
           </td>
         </tr>
         <tr>
        <td valign="top">Argentina<br>
        </td>
        <td valign="top">Shorewall.net<br>
        </td>
        <td valign="top"><a
 href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
        </td>
        <td valign="top">N/A<br>
        </td>
      </tr>
      <tr>
                               <td>Washington State, USA</td>
                               <td>Shorewall.net</td>
@ -174,13 +186,25 @@ which   can be obtained using the following command:<br>
 <blockquote>                  
  <p align="left">The <a target="_top"
 href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository
-   at        cvs.shorewall.net</a> contains the latest snapshots of the each
+    at        cvs.shorewall.net</a> contains the latest snapshots of the
-    Shorewall        component. There's no guarantee that what you find there
+each      Shorewall        component. There's no guarantee that what you
-   will work at    all.<br>
+find there     will work at    all.<br>
   </p>
 </blockquote>
-<p align="left"><font size="2">Last Updated 3/24/2003 - <a
+<p align="left"><b>Shapshots:<br>
 </b></p>
 <blockquote>   
  <p align="left">Periodic snapshots from CVS may be found at <a
 href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a> 
 (<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>). 
 These snapshots have undergone initial testing and will have been installed 
 and run at shorewall.net.<br>
                   </p>
 </blockquote>
 <p align="left"><font size="2">Last Updated 6/19/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -190,5 +214,7 @@ which   can be obtained using the following command:<br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@ -26,16 +26,22 @@
  </tbody> 
 </table>
-
+  <font size="3">"I have fought with IPtables for untold hours. First I tried
 the SuSE firewall, which worked for 80% of what I needed. Then gShield, which
 also worked for 80%. Then I set out to write my own IPtables parser in shell
 and awk, which was a lot of fun but never got me past the "hey, cool" stage.
 Then I discovered Shorewall. After about an hour, everything just worked.
 I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
 <p>"The configuration is intuitive and flexible, and much easier than any 
 of the other iptables-based firewall programs out there. After sifting through 
 many other scripts, it is obvious that yours is the most well thought-out 
 and complete one available." -- BC, USA</p>
 <p>"I just installed Shorewall after weeks of messing with       ipchains/iptables 
 and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
   </p>
-  "My case was almost like [the one above]. Well. instead of 'weeks' it was
+   "My case was almost like [the one above]. Well. instead of 'weeks' it
- 'months' for me, and I think I needed two minutes more:<br>
+was  'months' for me, and I think I needed two minutes more:<br>
 <ul>
     <li>One to see that I had no Internet access from the firewall itself.</li>
@ -48,8 +54,8 @@ enough  to uncomment a line in /etc/shorewall/policy.<br>
 and well documented thing for something as huge as iptables." -- JV, Spain. 
 <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without 
- any problems. Your documentation is great and I really appreciate
+ any problems. Your documentation is great and I really appreciate your 
-your  network configuration info. That really helped me out alot.       THANKS!!!"
+network configuration info. That really helped me out alot.       THANKS!!!" 
 -- MM.           </p>
 <p>"[Shorewall is a] great, great project. I've used/tested may       firewall 
@ -58,14 +64,14 @@ your  network configuration info. That really helped me out alot.       THANKS!!
 <p>"Never in my +12 year career as a sys admin have I witnessed       someone 
 so relentless in developing a secure, state of the art, safe and       useful 
- product as the Shorewall firewall package for no cost or obligation
+ product as the Shorewall firewall package for no cost or obligation   involved."
-  involved." -- Mario Kerecki, Toronto           </p>
+-- Mario Kerecki, Toronto           </p>
-<p>"one time more to report, that your great shorewall in the latest
+<p>"one time more to report, that your great shorewall in the latest    release
-   release       1.2.9 is working fine for me with SuSE Linux 7.3! I now
+      1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines
-have 7 machines up       and running with shorewall on several versions -
+up       and running with shorewall on several versions - starting with 1.2.2
-starting with 1.2.2 up to       the new 1.2.9 and I never have encountered
+up to       the new 1.2.9 and I never have encountered any problems!" --
-any problems!" -- SM, Germany</p>
+SM, Germany</p>
 <p>"You have the best support of any other package I've ever       used." 
 -- SE, US           </p>
@ -86,8 +92,8 @@ by request,  Europe</p>
  Shorewall won hands down." -- RG, Toronto</p>
 <p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it 
- is a  wonderful piece of software. I've just sent out an email to about
+ is a  wonderful piece of software. I've just sent out an email to about 30
-30  people  recommending it. :-)<br>
+ people  recommending it. :-)<br>
    While I had previously taken the time (maybe 40 hours) to really understand 
  ipchains, then spent at least an hour per server customizing and carefully 
  scrutinizing firewall rules, I've got shorewall running on my home firewall, 
@ -96,7 +102,7 @@ by request,  Europe</p>
    <br>
     </p>
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003 
 - <a href="support.htm">Tom Eastep</a>      </font>                    
    </p>
@ -105,5 +111,6 @@ by request,  Europe</p>
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -3,6 +3,7 @@
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
@ -12,6 +13,7 @@
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -29,10 +31,12 @@
      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
              </td>
              <td valign="middle">                                      
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><img border="0" src="images/shorewall.jpg" width="119"
 height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
@ -45,6 +49,7 @@
  </tbody>                                   
 </table>
 <div align="center">                                      
 <center>                                      
 <table border="0" cellpadding="0" cellspacing="0"
@ -58,11 +63,13 @@
      <h2 align="left">What is it?</h2>
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
@ -71,6 +78,7 @@
      <p>This program is free software; you can redistribute it and/or modify 
                                                                         it
         under      the    terms      of         <a
@ -98,6 +106,7 @@ the       GNU     General          Public         License
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -107,11 +116,12 @@ the       GNU     General          Public         License
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-              If so, almost <b>NOTHING </b>on this site will apply directly 
+                  If so, the documentation<b> </b>on this site will not apply 
- to  your   setup.  If you want to use the documentation that you find here,
+ directly   to  your   setup.  If you want to use the documentation that you
-  it  is best   if you  uninstall what you have and install a setup that
+ find here, you will want to consider uninstalling what you have and installing
-matches    the documentation    on this site. See the <a
+ a setup that matches    the documentation    on this site. See the <a
 href="two-interface.htm">Two-interface    QuickStart    Guide</a> for details.<br>
@ -127,41 +137,147 @@ matches    the documentation    on this site. See the <a
-      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>       </b><b><img
+    
      <p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
       <br>
       </b></p>
      <blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
         <a href="ftp://shorewall.net/pub/shorewall/testing"
 target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
       </blockquote>
      <p><b>Problems Corrected:</b><br>
   </p>
      <ol>
          <li>A problem seen on RH7.3 systems where Shorewall encountered 
 start errors when started using the "service" mechanism has been worked around.<br>
       <br>
     </li>
          <li>Previously, where a list of IP addresses appears in the DEST
 column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
 in the nat table (one for each element in the list). Shorewall now correctly
 creates a single DNAT rule with multiple "--to-destination" clauses.<br>
     </li>
      </ol>
      <p><b>New Features:</b><br>
   </p>
      <ol>
          <li>A 'newnotsyn' interface option has been added. This option
 may  be specified in /etc/shorewall/interfaces and overrides the setting
 NEWNOTSYN=No  for packets arriving on the associated interface.<br>
       <br>
     </li>
          <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
 to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
 ranges.<br>
       <br>
     </li>
          <li>Shorewall can now add IP addresses to subnets other than the
 first one on an interface.<br>
       <br>
     </li>
          <li>DNAT[-] rules may now be used to load balance (round-robin) 
 over a set of servers. Up to 256 servers may be specified in a range of addresses
 given as &lt;first address&gt;-&lt;last address&gt;.<br>
       <br>
   Example:<br>
       <br>
       DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
       <br>
   Note that this capability has previously been available using a combination 
 of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable 
 for load-balancing over a large number of servers (&gt; 16) since specifying 
 a range in the DNAT rule causes one filter table ACCEPT rule to be generated 
 for each IP address in the range.<br>
       <br>
     </li>
          <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration 
 options have been removed and have been replaced by code that detects whether 
 these capabilities are present in the current kernel. The output of the start,
 restart and check commands have been enhanced to report the outcome:<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
      Packet Mangling: Available<br>
      Multi-port Match: Available<br>
   Verifying Configuration...<br>
       <br>
     </li>
          <li>Support for the Connection Tracking Match Extension has been
 added. This extension is available in recent kernel/iptables releases and
 allows for rules which match against elements in netfilter's connection
 tracking  table. Shorewall automatically detects the availability of this
 extension  and reports its availability in the output of the start, restart
 and check  commands.<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
      Packet Mangling: Available<br>
      Multi-port Match: Available<br>
      Connection Tracking Match: Available<br>
      Verifying Configuration...<br>
       <br>
   If this extension is available, the ruleset generated by Shorewall is
 changed  in the following ways:</li>
        <ul>
            <li>To handle 'norfc1918' filtering, Shorewall will not create
 chains in the mangle table but will rather do all 'norfc1918' filtering
 in  the filter table (rfc1918 chain).</li>
            <li>Recall that Shorewall DNAT rules generate two netfilter rules;
 one in the nat table and one in the filter table. If the Connection Tracking 
 Match Extension is available, the rule in the filter table is extended to 
 check that the original destination address was the same as specified (or 
 defaulted to) in the DNAT rule.<br>
         <br>
       </li>
        </ul>
          <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) 
 may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li>
      </ol>
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
     </p>
      <ol>
            <li>The command "shorewall debug try &lt;directory&gt;" now correctly
  traces the attempt.</li>
-        <li>The INCLUDE directive now works properly in the zones file; previously,
+            <li>The INCLUDE directive now works properly in the zones file; 
-INCLUDE in that file was ignored.</li>
+ previously, INCLUDE in that file was ignored.</li>
-        <li>/etc/shorewall/routestopped records with an empty second column
+            <li>/etc/shorewall/routestopped records with an empty second
-are no longer ignored.<br>
+column   are no longer ignored.<br>
       </li>
      </ol>
      <p>New Features:<br>
     </p>
      <ol>
-        <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
+            <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule 
-now contain a list of addresses. If the list begins with "!' then the rule
+may  now contain a list of addresses. If the list begins with "!' then the 
-will take effect only if the original destination address in the connection
+rule  will take effect only if the original destination address in the connection
  request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
      </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
                         </b></p>
      <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel 
  and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
- have been encountered with this set of software. The Shorewall version is
+   have been encountered with this set of software. The Shorewall version
- 1.4.4b plus the accumulated changes for 1.4.5.<br>
+is   1.4.4b plus the accumulated changes for 1.4.5.<br>
      </p>
      <p><b>6/8/2003 - Updated Samples</b><b>                      </b></p>
@ -169,185 +285,12 @@ and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
   version 1.4.4.</p>
-      <p><b>5/29/2003 - Shorewall-1.4.4b</b><b>                      </b></p>
+      <p><b></b></p>
      <p>Groan -- This version corrects a problem whereby the --log-level 
  was not being set when logging via syslog. The most commonly reported symptom 
  was that Shorewall messages were being written to the console even though 
  console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ 
 16</a>.<br>
      </p>
      <p><b>5/27/2003 - Shorewall-1.4.4a</b><b>                      </b></p>
        The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
  out   that the code in 1.4.4 restricts the length of short zone names to
 4 characters.   I've produced version 1.4.4a that restores the previous
 5-character   limit   by conditionally omitting the log rule number when
 the LOGFORMAT  doesn't  contain '%d'.                                   
      <p><b>5/23/2003 - Shorewall-1.4.4</b><b>                      </b><b> 
           </b></p>
         I apologize for the rapid-fire releases but since there is a potential 
   configuration  change required to go from 1.4.3a to 1.4.4, I decided to 
 make  it a full release  rather than just a bug-fix release. <br>
          <br>
          <b>    Problems corrected:</b><br>
      <blockquote>None.<br>
          </blockquote>
          <b>    New Features:<br>
          </b>                                                          
      <ol>
                 <li>A REDIRECT- rule target has been added. This target
 behaves     for REDIRECT in the same way as DNAT- does for DNAT in that the
 Netfilter     nat table REDIRECT rule is added but not the companion filter
 table ACCEPT     rule.<br>
              <br>
            </li>
                 <li>The LOGMARKER variable has been renamed LOGFORMAT and
 has   been  changed to a 'printf' formatting template which accepts three
 arguments   (the  chain name, logging rule number and the disposition).
 To  use LOGFORMAT   with  fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), 
    set it as:<br>
           <br>
                 LOGFORMAT="fp=%s:%d a=%s "<br>
           <br>
              <b>CAUTION: </b>/sbin/shorewall uses the leading part of the
 LOGFORMAT     string (up to but not including the first '%') to find log
 messages in  the   'show log', 'status' and 'hits' commands. This part should
 not be omitted     (the LOGFORMAT should not begin with "%") and the leading
 part should be   sufficiently unique for /sbin/shorewall to identify Shorewall
 messages.<br>
              <br>
            </li>
                 <li>When logging is specified on a DNAT[-] or REDIRECT[-]
 rule,    the logging now takes place in the nat table rather than in the
 filter table.   This way, only those connections that actually undergo DNAT
 or redirection    will be logged.<br>
            </li>
      </ol>
      <p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
                 </p>
           This version primarily corrects the documentation included in
 the   .tgz   and  in the .rpm. In addition: <br>
      <ol>
                   <li>(This change is in 1.4.3 but is not documented) If 
 you   are   running  iptables 1.2.7a and kernel 2.4.20, then Shorewall will 
 return   reject   replies  as follows:<br>
              a) tcp - RST<br>
              b) udp - ICMP port unreachable<br>
              c) icmp - ICMP host unreachable<br>
              d) Otherwise - ICMP host prohibited<br>
           If you are running earlier software, Shorewall will follow it's
 traditional     convention:<br>
              a) tcp - RST<br>
              b) Otherwise - ICMP port unreachable</li>
                   <li>UDP port 135 is now silently dropped in the common.def 
  chain.    Remember that this chain is traversed just before a DROP or REJECT 
  policy    is enforced.<br>
                   </li>
      </ol>
      <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
                    </p>
                  <b>Problems Corrected:<br>
               </b>                                                     
      <ol>
                     <li>There were several cases where Shorewall would fail
  to  remove    a temporary directory from /tmp. These cases have been corrected.</li>
                     <li>The rules for allowing all traffic via the loopback
  interface      have been moved to before the rule that drops status=INVALID
  packets.  This    insures that all loopback traffic is allowed even if
 Netfilter   connection      tracking is confused.</li>
      </ol>
                   <b>New Features:<br>
               </b>                                                     
      <ol>
                     <li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> 
  now   supported  in the /etc/shorewall/tunnels  file.</li>
                  <li>You may now change the leading portion of the --log-prefix
    used  by Shorewall using the LOGMARKER variable in shorewall.conf. By
 default,    "Shorewall:" is used.<br>
                  </li>
      </ol>
      <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b>          </b><br>
                       </p>
                  Ed Greshko has established a mirror in Taiwan -- Thanks 
 Ed!                                                                      
      <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>      </b></p>
      <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
                        </p>
      <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>           </b></p>
      <p>The list server will be down this morning for upgrade to RH9.0.<br>
                        </p>
      <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
                                           </b></p>
      <p>Thanks to Francesca Smith, the sample configurations are now upgraded 
            to Shorewall version 1.4.2.</p>
      <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
                                           </b></p>
      <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a 
             Shorewall presentation to GSLUG</a>.         The presentation 
 is   in   HTML     format but was generated from Microsoft PowerPoint and 
 is best   viewed   using    Internet Explorer (although Konqueror also seems 
  to work   reasonably   well   as does Opera 7.1.0).  Neither Opera 6 nor 
 Netscape work  well to view  the   presentation.<br>
                                  </blockquote>
      <blockquote>                                                       
      <ol>
      </ol>
                               </blockquote>
      <p><a href="News.htm">More News</a></p>
@ -355,23 +298,25 @@ Ed!
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
                    </a>Jacques        Nilo       and     Eric     Wolzak 
-   have       a   LEAF  (router/firewall/gateway                        on
+      have       a   LEAF  (router/firewall/gateway                      
-  a  floppy,       CD    or compact     flash)  distribution            
+ on   a  floppy,       CD    or compact     flash)  distribution        
       called                 <i>Bering</i>          that          features 
-             Shorewall-1.3.14         and    Kernel-2.4.20.          You
+               Shorewall-1.4.2         and    Kernel-2.4.20.          You
     can     find         their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                  </a></p>
-                   <b>Congratulations to Jacques and Eric on the recent release 
+                       <b>Congratulations to Jacques and Eric on the recent 
-   of  Bering    1.2!!! </b><br>
+ release     of  Bering    1.2!!! </b><br>
      <h2><a name="Donations"></a>Donations</h2>
@ -391,6 +336,7 @@ Ed!
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
                                                                 <font
 face="Arial" size="-1">        <input type="text" name="words"
@ -414,6 +360,7 @@ Ed!
                     </tr>
  </tbody>                                      
 </table>
@ -421,6 +368,7 @@ Ed!
         </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -443,9 +391,10 @@ Ed!
      <p align="center"><font size="4" color="#ffffff"><br>
-         <font size="+2"> Shorewall is free but if       you try it and find 
+             <font size="+2"> Shorewall is free but if       you try it and 
- it useful, please consider making a donation                            
+ find   it useful, please consider making a donation                     
                                                to             <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight    Children's 
           Foundation.</font></a> Thanks!</font></font></p>
@ -455,11 +404,16 @@ Ed!
              </tr>
  </tbody>                                      
 </table>
-<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font> 
+    
 <p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                                                  <br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_extension_scripts.htm
+++ b/Shorewall-docs/shorewall_extension_scripts.htm
@ -14,31 +14,37 @@
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
                <tbody>
       <tr>
                  <td width="100%">               
      <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
                  </td>
                </tr>
  </tbody>  
 </table>
 <p>  Extension scripts are   user-provided  scripts that are invoked at various
 points during firewall   start, restart,  stop and clear. The scripts are
 placed in /etc/shorewall and   are processed  using the Bourne shell "source"
-mechanism. The   following scripts can be  supplied:</p>
+ mechanism.<br>
 </p>
 <p><font color="#ff0000"><b>Caution: <br>
 </b></font></p>
 <ol>
  <li><font color="#ff0000"><b>Be sure that you actually need to use an extension 
 script to do what you want. Shorewall has a wide range of features that cover 
 most requirements.</b></font></li>
  <li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
 THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK 
 SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING
 WITH RESPECT TO iptables/Netfilter</b></font></li>
 </ol>
 <p>The   following scripts can be  supplied:</p>
 <ul>
       <li>init -- invoked early in "shorewall start" and       "shorewall
@ -54,9 +60,6 @@ chain     has been created but before any rules have been added to it.</li>
 </ul>
 <p><u><b>If your version of Shorewall doesn't have the file that you want
 to use from the above list, you can simply create the file yourself.</b></u></p>
@ -65,62 +68,47 @@ to use from the above list, you can simply create the file yourself.</b></u></p>
   file has been processed but before the   /etc/shorewall/policy file has
 been  processed.</p>
 <p>The /etc/shorewall/common file receives special treatment. If this file
 is present, the rules that it       defines will totally replace the default
-rules in the common chain. These         default rules are contained in the
+ rules in the common chain. These         default rules are contained in
-file /etc/shorewall/common.def which        may be used as a starting point
+the  file /etc/shorewall/common.def which        may be used as a starting
-for making your own customized file.</p>
+point  for making your own customized file.</p>
 <p>   Rather than running iptables directly, you should run it using the
- function  run_iptables. Similarly, rather than running "ip" directly,
+ function  run_iptables. Similarly, rather than running "ip" directly, you 
-you should use run_ip. These functions accept the same arguments as the
+should use run_ip. These functions accept the same arguments as the  underlying 
- underlying command but cause the firewall to be stopped if an error occurs
+command but cause the firewall to be stopped if an error occurs   during processing
-  during processing of the command.</p>
+of the command.</p>
 <p>   If you decide to create /etc/shorewall/common it is a good idea to use
 the    following technique</p>
 <p>   /etc/shorewall/common:</p>
 <blockquote>       
  <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
     </blockquote>
 <p>If you need to supercede a rule in the released common.def file, you can
-add   the superceding rule before the '.' command. Using this technique allows
+ add   the superceding rule before the '.' command. Using this technique
-  you to add new rules while still getting the benefit of the latest common.def
+allows    you to add new rules while still getting the benefit of the latest
-  file.</p>
+common.def    file.</p>
 <p>Remember that /etc/shorewall/common defines rules   that are only applied
 if the applicable policy is DROP or REJECT. These rules   are NOT applied
-if the policy is ACCEPT or CONTINUE.</p>
+ if the policy is ACCEPT or CONTINUE<br>
 </p>
 <p> </p>
-
+<p align="left"><font size="2">Last updated 6/30/2003 - <a
 <p align="left"><font size="2">Last updated 2/18/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
 Thomas M. Eastep</font></a></p>
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@ -49,7 +49,9 @@
      <li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
      </a>(Santiago Chile)</li>
    <li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
-(Taipei, Taiwan)<br>
+ (Taipei, Taiwan)</li>
  <li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
 (Argentina)<br>
  </li>
          <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> 
   (Washington State, USA)<br>
@ -72,8 +74,8 @@
                   <li>   <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
      (Paris, France)</li>
-   <li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a> 
+    <li><a href="ftp://shorewall.greshko.com/pub/shorewall"
-(Taipei, Taiwan)</li>
+ target="_top">ftp://shorewall.greshko.com</a>  (Taipei, Taiwan)</li>
    <li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
     </a>(Washington State, USA)<br>
    </li>
@ -82,7 +84,7 @@
      Search results and the mailing list archives are always fetched from
 the  site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 6/5/2003 - <a
+<p align="left"><font size="2">Last Updated 6/19/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -95,5 +97,6 @@ the  site in Washington State.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -31,11 +31,11 @@
 <ul>
         <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
-With current releases of Shorewall, Traffic Shaping/Control requires at least
+ With current releases of Shorewall, Traffic Shaping/Control requires at
-2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
+least  2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
       information.</a>       If you are looking for a firewall for use with
-2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle Firewall
+ 2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle
- site</a>     .</li>
+Firewall   site</a>     .</li>
         <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
 href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
   buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
@ -43,21 +43,31 @@ With current releases of Shorewall, Traffic Shaping/Control requires at least
  is available   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
     and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
-       <li>Iproute ("ip" utility). The iproute package  is     included with
+         <li>Iproute ("ip" utility). The iproute package  is     included 
-most distributions but may not be installed by default.  The     official
+with most distributions but may not be installed by default.  The     official
 download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
 target="_blank">   <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
     </li>
-       <li>A Bourne shell or derivative such as bash or ash. This shell must
+         <li>A Bourne shell or derivative such as bash or ash. This shell 
- have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
+must  have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
      },        ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
       } and       ${<i>variable</i>##<i>pattern</i>}.</li>
  <li>Must produce a sensible result when a number n (128 &lt;= n &lt;= 255) 
 is left shifted by 24 bits. You can check this at a shell prompt by:</li>
  <ul>
     <li>echo $((128 &lt;&lt; 24))<br>
    </li>
     <li>The result must be either 2147483648 or -2147483648.<br>
    </li>
  </ul>
         <li>The firewall monitoring display is greatly improved if you have
  awk        (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 3/19/2003 - <a
+<p align="left"><font size="2">Last updated 7/4/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -67,5 +77,7 @@ download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -55,8 +55,8 @@ Firewall</a></p>
 <h2><a name="Introduction"></a>1.0 Introduction</h2>
 <p>This guide is intended for users who are setting up Shorewall in an  environment
-     where a set of public IP addresses must be managed or who want to  know 
+      where a set of public IP addresses must be managed or who want to 
-   more  about Shorewall than is contained in the  <a
+know     more  about Shorewall than is contained in the  <a
 href="shorewall_quickstart_guide.htm">single-address  guides</a>. Because
      the  range of possible applications is so broad, the Guide will give 
 you    general  guidelines and will point you to other resources as necessary.</p>
@ -68,16 +68,16 @@ Shorewall   lrp  from the  shorewall.net site before you proceed.</p>
 <p>Shorewall requires that the iproute/iproute2 package be installed    (on
    RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell  if
- this  package is installed by the presence of an <b>ip</b> program on  your 
+  this  package is installed by the presence of an <b>ip</b> program on 
-  firewall  system. As root, you can use the 'which' command to check  for 
+your    firewall  system. As root, you can use the 'which' command to check
- this  program:</p>
+ for   this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself
      with what's involved then go back through it again  making your configuration
-     changes. Points at which configuration changes are  recommended are flagged
+      changes. Points at which configuration changes are  recommended are
-     with <img border="0" src="images/BD21298_.gif" width="13"
+flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
             .</p>
@ -85,9 +85,9 @@ Shorewall   lrp  from the  shorewall.net site before you proceed.</p>
                  If you edit your configuration files on a Windows system, 
 you  must   save them as  Unix files if your editor supports that option 
 or you  must  run them through  dos2unix before trying to use them with Shorewall.
-  Similarly,   if you copy a configuration file  from your Windows hard drive 
+   Similarly,   if you copy a configuration file  from your Windows hard
-  to a floppy   disk, you must run dos2unix against the  copy before using 
+drive    to a floppy   disk, you must run dos2unix against the  copy before
- it with Shorewall.</p>
+using   it with Shorewall.</p>
 <ul>
                <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
@ -140,8 +140,8 @@ of    dos2unix</a></li>
      file.</p>
 <p>Shorewall also recognizes the firewall system as its own zone - by default,
-      the firewall itself is known as <b>fw</b> but that may be changed in 
+       the firewall itself is known as <b>fw</b> but that may be changed
- the    <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a> 
+in   the    <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
    file.   In  this guide, the default name (<b>fw</b>) will be used.</p>
 <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
@ -157,9 +157,9 @@ necessary.</p>
      in  terms of zones.</p>
 <ul>
-               <li>You express your default policy for connections from one 
+                <li>You express your default policy for connections from
- zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+one   zone   to  another    zone in the<a
-         </a>file.</li>
+ href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                <li>You define exceptions to those default policies in the
     <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -169,9 +169,9 @@ necessary.</p>
      kernel facility. Netfilter   implements a   <a
 href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
      tracking function</a> that allows what is often referred to   as <i>stateful
-     inspection</i> of packets. This stateful property allows   firewall rules
+      inspection</i> of packets. This stateful property allows   firewall
-     to be defined in terms of <i>connections</i> rather than   in terms
+rules      to be defined in terms of <i>connections</i> rather than   in
-of    packets.  With Shorewall, you:</p>
+terms of    packets.  With Shorewall, you:</p>
 <ol>
                      <li>  Identify the source zone.</li>
@ -179,14 +179,14 @@ of    packets.  With Shorewall, you:</p>
                      <li>  If the POLICY from the client's zone to the server's
    zone   is what you       want for this client/server pair, you need do
 nothing   further.</li>
-                     <li>  If the POLICY is not what you want, then you must 
+                      <li>  If the POLICY is not what you want, then you
- add   a  rule.  That rule       is expressed in terms of the client's zone 
+must   add   a  rule.  That rule       is expressed in terms of the client's
- and  the  server's  zone.</li>
+zone   and  the  server's  zone.</li>
 </ol>
-<p>  Just because connections of a particular type are allowed from zone
+<p>  Just because connections of a particular type are allowed from zone A
-A to the   firewall and are also allowed from the firewall to zone B <font
+to the   firewall and are also allowed from the firewall to zone B <font
 color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed
      from zone A to zone  B</u></b></font>.   It rather means that you can
  have    a proxy running on the firewall that accepts   a connection from 
@ -194,8 +194,8 @@ A to the   firewall and are also allowed from the firewall to zone B <font
 to zone B.</p>
 <p>For each connection request entering the firewall, the request is first
-      checked against the /etc/shorewall/rules file. If no rule in that file 
+       checked against the /etc/shorewall/rules file. If no rule in that
-   matches   the connection request then the first policy in /etc/shorewall/policy 
+file     matches   the connection request then the first policy in /etc/shorewall/policy
    that   matches the request is applied. If that policy is REJECT or DROP 
   the  request  is first checked against the rules in /etc/shorewall/common.def.</p>
@ -245,8 +245,8 @@ A to the   firewall and are also allowed from the firewall to zone B <font
 to  the   internet</li>
                <li>drop (ignore) all connection requests from the internet 
 to  your   firewall     or local network and log a message at the <i>info</i>
-  level  (<a href="shorewall_logging.html">here</a> is a description of log 
+   level  (<a href="shorewall_logging.html">here</a> is a description of
-  levels).</li>
+log    levels).</li>
                <li>reject all other connection requests and log a message
 at  the       <i>info</i>      level. When a request is rejected, the firewall
  will   return an RST (if   the    protocol is TCP) or an ICMP port-unreachable
@ -255,8 +255,8 @@ at  the       <i>info</i>      level. When a request is rejected, the firewall
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-                At this point, edit your /etc/shorewall/policy and make any 
+                 At this point, edit your /etc/shorewall/policy and make
- changes     that you  wish.</p>
+any   changes     that you  wish.</p>
 <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -288,9 +288,9 @@ Zone.      </li>
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>      file.</p>
 <p align="left">The firewall illustrated above has three network interfaces.
-      Where Internet connectivity is through a cable or DSL "Modem", the <i>External
+       Where Internet connectivity is through a cable or DSL "Modem", the
-      Interface</i> will be the Ethernet adapter that is connected to that
+<i>External       Interface</i> will be the Ethernet adapter that is connected
- "Modem"     (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
+to that  "Modem"     (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
      <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
      <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
   Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
@ -304,10 +304,10 @@ Zone.      </li>
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
-      eth1 or eth2) and will be connected to a hub or switch. Your local computers
+       eth1 or eth2) and will be connected to a hub or switch. Your local
-      will be connected to the same switch (note: If you have only a single
+computers       will be connected to the same switch (note: If you have only
-  local   system,  you can connect the firewall directly to the computer
+a single   local   system,  you can connect the firewall directly to the
-using   a <i>cross-over   </i> cable).</p>
+computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
      (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your 
@ -317,8 +317,8 @@ using   a <i>cross-over   </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-            </b></u>Do not connect more than one interface  to the same hub 
+             </b></u>Do not connect more than one interface  to the same
- or  switch    (even for testing). It won't work the way that you  expect 
+hub   or  switch    (even for testing). It won't work the way that you  expect
 it to  and you   will end up confused and believing that Linux networking
 doesn't  work at  all.</p>
@ -376,11 +376,11 @@ doesn't  work at  all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-                 Edit the /etc/shorewall/interfaces file and define the network 
+                  Edit the /etc/shorewall/interfaces file and define the
-   interfaces   on  your firewall and associate each interface with a zone. 
+network     interfaces   on  your firewall and associate each interface with
-  If you have a  zone that  is interfaced through more than one interface, 
+a zone.    If you have a  zone that  is interfaced through more than one
- simply include  one entry for each  interface and repeat the zone name as 
+interface,   simply include  one entry for each  interface and repeat the
- many times as necessary.</p>
+zone name as   many times as necessary.</p>
 <p align="left">Example:</p>
@ -456,26 +456,26 @@ doesn't  work at  all.</p>
 <h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
 <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
-     IP addresses. You will configure your firewall's external interface to
+      IP addresses. You will configure your firewall's external interface
-  use    one of those addresses permanently and you will then have to decide
+to   use    one of those addresses permanently and you will then have to
-  how  you are  going to use the rest of your addresses. Before we tackle
+decide   how  you are  going to use the rest of your addresses. Before we
-that  question   though, some  background is in order.</p>
+tackle that  question   though, some  background is in order.</p>
 <p align="left">If you are thoroughly familiar with IP addressing and routing,
       you may <a href="#Options">go to the next section</a>.</p>
-<p align="left">The following discussion barely scratches the surface of
+<p align="left">The following discussion barely scratches the surface of addressing
-addressing and routing. If you are interested in learning more about  this
+and routing. If you are interested in learning more about  this subject,
-subject, I highly recommend <i>"IP Fundamentals: What Everyone  Needs to
+I highly recommend <i>"IP Fundamentals: What Everyone  Needs to Know about
-Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
+Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,  1999, ISBN
- 1999, ISBN 0-13-975483-0.</p>
+0-13-975483-0.</p>
 <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
 <p align="left">IP version 4 (<i>IPv4) </i>addresses  are 32-bit numbers.
-     The notation w.x.y.z refers to an address where the high-order byte has
+      The notation w.x.y.z refers to an address where the high-order byte
-   value  "w", the next  byte has value "x", etc. If we take the address 192.0.2.14
+has    value  "w", the next  byte has value "x", etc. If we take the address
-     and express it in  hexadecimal,  we get:</p>
+192.0.2.14      and express it in  hexadecimal,  we get:</p>
 <blockquote>            
  <p align="left">C0.00.02.0E</p>
@ -490,9 +490,9 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
 <h3 align="left"><a name="Subnets"></a>4.2 Subnets</h3>
 <p align="left">You will still hear the terms "Class A network", "Class B
-      network" and "Class C network". In the early days of IP,  networks only
+       network" and "Class C network". In the early days of IP,  networks
-    came  in three sizes (there were also Class D networks but they were
+only     came  in three sizes (there were also Class D networks but they
-used     differently):</p>
+were used     differently):</p>
 <blockquote>            
  <p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
@ -545,13 +545,13 @@ used     differently):</p>
      <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that
  can    be assigned to    hosts). The first and last address in the subnet
  are used   for the subnet    address and subnet broadcast address respectively.
-  Consequently,   small    subnetworks are more wasteful of IP addresses than
+   Consequently,   small    subnetworks are more wasteful of IP addresses
-  are large ones.   </p>
+than   are large ones.   </p>
 <p align="left">Since <b>n</b> is a power of two, we can easily calculate
      the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more
-  common   subnet sizes, the size and its natural logarithm are given in the
+   common   subnet sizes, the size and its natural logarithm are given in
-     following   table:</p>
+the      following   table:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -638,9 +638,9 @@ used     differently):</p>
              </blockquote>
 <p align="left">You will notice that the above table also contains a column
-        for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet 
+         for (32 - log2 <b>n</b>). That number is the <i>Variable Length
-     Mask</i> for a network of size <b>n</b>.    From the above table, we
+Subnet       Mask</i> for a network of size <b>n</b>.    From the above table,
- can    derive the following one which is a little easier to use.</p>
+we  can    derive the following one which is a little easier to use.</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -732,13 +732,13 @@ used     differently):</p>
              </blockquote>
 <p align="left">Notice that the VLSM is written with a slash ("/") -- you
-     will    often hear a subnet of size 64 referred to as a "slash 26" subnet 
+      will    often hear a subnet of size 64 referred to as a "slash 26"
-     and one of    size 8 referred to as a "slash 29".</p>
+subnet       and one of    size 8 referred to as a "slash 29".</p>
 <p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
-     simply a 32-bit number with the first "VLSM"    bits set to one and the
+      simply a 32-bit number with the first "VLSM"    bits set to one and
-   remaining  bits set to zero. For example, for a subnet    of size 64,
+the    remaining  bits set to zero. For example, for a subnet    of size
-the    subnet mask  has 26 leading one bits:</p>
+64, the    subnet mask  has 26 leading one bits:</p>
 <blockquote>            
  <p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -746,11 +746,11 @@ the    subnet mask  has 26 leading one bits:</p>
              </blockquote>
 <p align="left">The subnet mask has the property that if you logically AND
-     the    subnet mask with an address in the subnet, the result is the subnet
+      the    subnet mask with an address in the subnet, the result is the
-     address.    Just as important, if you logically AND the subnet mask
+subnet      address.    Just as important, if you logically AND the subnet
-with     an address    outside the subnet, the result is NOT the subnet address.
+mask with     an address    outside the subnet, the result is NOT the subnet
-  As  we will see    below, this property of subnet masks is very useful
+address.   As  we will see    below, this property of subnet masks is very
-in   routing.</p>
+useful in   routing.</p>
 <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
         Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork
@ -821,8 +821,8 @@ in   routing.</p>
      and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
 <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
-      used to describe the ip configuration of a network interface (the 'ip' 
+       used to describe the ip configuration of a network interface (the
-   utility   also uses this syntax). This simply means that the interface
+'ip'     utility   also uses this syntax). This simply means that the interface 
 is   configured  with  ip address <b>a.b.c.d</b> and with the netmask that 
 corresponds   to VLSM <b>/v</b>.</p>
@ -853,13 +853,13 @@ in   routing.</p>
 route</i> and  the gateway mentioned in that route is called the <i>default
  gateway</i>.</p>
-<p align="left">When the kernel is trying to send a packet to IP address
+<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
-<b>A</b>,  it starts at the top of the routing table and:</p>
+ it starts at the top of the routing table and:</p>
 <ul>
                <li>                    
-    <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
+    <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in
-in the  table entry.</p>
+the  table entry.</p>
                </li>
                <li>                    
    <p align="left">The result is compared with the 'Destination' value in
@ -888,14 +888,14 @@ in the  table entry.</p>
 </ul>
-<p align="left">Since the default route matches any IP address (<b>A</b>
+<p align="left">Since the default route matches any IP address (<b>A</b> land
-land  0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
+ 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
-table  entries are sent to the <i>default gateway</i> which is usually a
+ entries are sent to the <i>default gateway</i> which is usually a router
-router at your  ISP.</p>
+at your  ISP.</p>
 <p align="left">Lets take an example. Suppose that we want to route a packet
-     to  192.168.1.5. That address clearly doesn't match any of the host routes
+      to  192.168.1.5. That address clearly doesn't match any of the host
-     in the  table but if we logically and that address with 255.255.255.0, 
+routes      in the  table but if we logically and that address with 255.255.255.0,
   the   result is  192.168.1.0 which matches this routing table entry:</p>
 <div align="left">    
@ -903,26 +903,25 @@ router at your  ISP.</p>
  <pre>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2</pre>
                </blockquote>
-<p>So to route a packet to 192.168.1.5, the packet is sent directly over
+<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p>
 eth2.</p>
             </div>
 <p align="left">One more thing needs to be emphasized -- all outgoing packet
      are  sent using the routing table and reply packets are not a special
  case.    There  seems to be a common mis-conception whereby people think 
 that request    packets  are like salmon and contain a genetic code that 
-is magically transferred    to  reply packets so that the replies follow
+is magically transferred    to  reply packets so that the replies follow the
-the reverse route taken by  the  request.  That isn't the case; the replies
+reverse route taken by  the  request.  That isn't the case; the replies may
-may take a totally different  route  back to the  client than was taken by
+take a totally different  route  back to the  client than was taken by the
-the requests -- they are totally  independent.</p>
+requests -- they are totally  independent.</p>
 <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol (ARP)</h3>
 <p align="left">When sending packets over Ethernet, IP addresses aren't used.
-      Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
+       Rather Ethernet addressing is based on <i>Media Access Control</i>
-      addresses. Each Ethernet device has it's own unique  MAC address which
+(MAC)       addresses. Each Ethernet device has it's own unique  MAC address
-   is   burned into a PROM on the device during manufacture. You can obtain
+which    is   burned into a PROM on the device during manufacture. You can
-  the MAC of  an Ethernet device using the 'ip' utility:</p>
+obtain   the MAC of  an Ethernet device using the 'ip' utility:</p>
 <blockquote>            
  <div align="left">            
@ -931,9 +930,9 @@ the requests -- they are totally  independent.</p>
              </blockquote>
 <div align="left">    
-<p align="left">As you can see from the above output, the MAC is 6 bytes
+<p align="left">As you can see from the above output, the MAC is 6 bytes (48
-(48    bits) wide. A card's MAC is usually also printed on a label attached
+   bits) wide. A card's MAC is usually also printed on a label attached to
-to the card    itself. </p>
+the card    itself. </p>
             </div>
 <div align="left">    
@ -969,27 +968,27 @@ to the card    itself. </p>
 <p align="left">The leading question marks are a result of my having specified
       the 'n' option (Windows 'arp' doesn't allow that option) which causes
-  the   'arp'  program to forego IP-&gt;DNS name translation. Had I not given 
+   the   'arp'  program to forego IP-&gt;DNS name translation. Had I not
-  that   option, the  question marks would have been replaced with the FQDN 
+given    that   option, the  question marks would have been replaced with
-  corresponding   to each IP  address. Notice that the last entry in the table
+the FQDN    corresponding   to each IP  address. Notice that the last entry
-  records the  information we saw  using tcpdump above.</p>
+in the table   records the  information we saw  using tcpdump above.</p>
 <h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
 <p align="left">IP addresses are allocated by the <i> <a
 href="http://www.iana.org">Internet Assigned Number Authority</a> </i>(IANA)
       who delegates allocations on a geographic basis to <i>Regional Internet
-     Registries</i> (RIRs). For example, allocation for the Americas and for
+      Registries</i> (RIRs). For example, allocation for the Americas and
-    sub-Sahara Africa is delegated to the <i><a
+for     sub-Sahara Africa is delegated to the <i><a
 href="http://www.arin.net">American      Registry for Internet Numbers</a>
- </i>(ARIN). These RIRs may in turn delegate    to  national registries. Most
+  </i>(ARIN). These RIRs may in turn delegate    to  national registries.
- of us don't deal with these registrars but   rather get  our IP addresses 
+Most  of us don't deal with these registrars but   rather get  our IP addresses
  from our ISP.</p>
-<p align="left">It's a fact of life that most of us can't afford as many
+<p align="left">It's a fact of life that most of us can't afford as many Public
-Public  IP addresses as we have devices to assign them to so we end up making
+ IP addresses as we have devices to assign them to so we end up making use
-use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
+of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges
-ranges for this  purpose:</p>
+for this  purpose:</p>
 <div align="left">    
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -997,10 +996,10 @@ ranges for this  purpose:</p>
 <div align="left">    
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-     to    as <i>non-routable</i> because the Internet backbone routers don't 
+      to    as <i>non-routable</i> because the Internet backbone routers
-    forward    packets which have an RFC-1918 destination address. This is 
+don't      forward    packets which have an RFC-1918 destination address.
- understandable       given that anyone can select any of these addresses
+This is   understandable       given that anyone can select any of these
- for their private   use.</p>
+addresses  for their private   use.</p>
             </div>
 <div align="left">    
@ -1011,8 +1010,8 @@ ranges for this  purpose:</p>
 <div align="left">    
 <ul>
                  <li>                    
-    <p align="left">As the IPv4 address space becomes depleted, more and
+    <p align="left">As the IPv4 address space becomes depleted, more and more
-more      organizations (including ISPs) are beginning to use RFC 1918 addresses 
+     organizations (including ISPs) are beginning to use RFC 1918 addresses
      in      their infrastructure.     </p>
               </li>
               <li>                    
@ -1026,8 +1025,8 @@ more      organizations (including ISPs) are beginning to use RFC 1918 addresses
 <div align="left">    
 <p align="left">So it's a good idea to check with your ISP to see if they
-     are    using (or are planning to use) private addresses before you decide 
+      are    using (or are planning to use) private addresses before you
-     the    addresses that you are going to use.</p>
+decide       the    addresses that you are going to use.</p>
             </div>
 <div align="left">    
@ -1047,9 +1046,9 @@ ways:</p>
                  <li>                    
    <p align="left"><b>Routed - </b>Traffic to any of your addresses will
      be    routed through a single <i>gateway address</i>. This will generally
-     only be    done if your ISP has assigned you a complete subnet (/29 or
+      only be    done if your ISP has assigned you a complete subnet (/29
-  larger).   In this    case, you will assign the gateway address as the IP
+or   larger).   In this    case, you will assign the gateway address as the
-  address of   your    firewall/router's external interface.     </p>
+IP   address of   your    firewall/router's external interface.     </p>
               </li>
               <li>                    
    <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
@ -1074,7 +1073,7 @@ ways:</p>
             </p>
 <ul>
-            <li>NAT_ENABLED=Yes</li>
+             <li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
             <li>IP_FORWARDING=On<br>
              </li>
@ -1087,12 +1086,12 @@ ways:</p>
 <div align="left">    
 <p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28 
- routed through 192.0.2.65. That means that you have IP addresses       
+ routed through 192.0.2.65. That means that you have IP addresses        192.0.2.64
-192.0.2.64  - 192.0.2.79 and that your firewall's external IP address   is
+ - 192.0.2.79 and that your firewall's external IP address   is     192.0.2.65.
-    192.0.2.65.  Your ISP has also told you that you should use a netmask
+ Your ISP has also told you that you should use a netmask   of     255.255.255.0
-  of     255.255.255.0  (so your /28 is part of a larger /24). With this
+ (so your /28 is part of a larger /24). With this many   IP     addresses,
-many   IP     addresses,  you are able to subnet your /28 into two /29's
+ you are able to subnet your /28 into two /29's and set  up your     network
-and set  up your     network  as shown in the following diagram.</p>
+ as shown in the following diagram.</p>
             </div>
 <div align="left">    
@ -1102,10 +1101,10 @@ and set  up your     network  as shown in the following diagram.</p>
             </div>
 <div align="left">    
-<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
+<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
-Local    network is 192.0.2.72/29. The default gateway for hosts in the DMZ
+   network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
-would be    configured to 192.0.2.66 and the default gateway for hosts in
+be    configured to 192.0.2.66 and the default gateway for hosts in the local
-the local    network would be 192.0.2.73.</p>
+   network would be 192.0.2.73.</p>
             </div>
 <div align="left">    
@ -1121,8 +1120,8 @@ the local    network would be 192.0.2.73.</p>
 <div align="left">    
 <p align="left">The astute reader may have noticed that the Firewall/Router's
         external interface is actually part of the DMZ subnet (192.0.2.64/29).
-     What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
+      What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65?
-   routing  table on    DMZ 1 will look like this:</p>
+The    routing  table on    DMZ 1 will look like this:</p>
             </div>
 <div align="left">    
@ -1134,18 +1133,18 @@ the local    network would be 192.0.2.73.</p>
 <div align="left">    
 <p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
         request and no device on the DMZ Ethernet segment has that IP address.
-     Oddly    enough, the firewall will respond to the request with the MAC 
+      Oddly    enough, the firewall will respond to the request with the
-  address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames
+MAC    address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet
-  addressed   to that    MAC address and the frames will be received (correctly)
+frames   addressed   to that    MAC address and the frames will be received
-  by the   firewall/router.</p>
+(correctly)   by the   firewall/router.</p>
             </div>
 <div align="left">    
-<p align="left">It is this rather unexpected ARP behavior on the part of
+<p align="left">It is this rather unexpected ARP behavior on the part of the
-the    Linux Kernel that prompts the warning earlier in this guide regarding
+   Linux Kernel that prompts the warning earlier in this guide regarding the
-the    connecting of multiple firewall/router interfaces to the same hub
+   connecting of multiple firewall/router interfaces to the same hub or switch.
-or switch.    When an ARP request for one of the firewall/router's IP addresses
+   When an ARP request for one of the firewall/router's IP addresses is sent
-is sent by    another system connected to the hub/switch, all    of the firewall's 
+by    another system connected to the hub/switch, all    of the firewall's
      interfaces that connect to the hub/switch can respond! It    is then 
 a  race   as to which "here-is" response reaches the sender first.</p>
             </div>
@ -1155,16 +1154,16 @@ is sent by    another system connected to the hub/switch, all    of the firewall
              </div>
 <div align="left">    
-<p align="left">If you have the above situation but it is    non-routed,
+<p align="left">If you have the above situation but it is    non-routed, you
-you can configure your network exactly as described above with one    additional 
+can configure your network exactly as described above with one    additional
      twist; simply specify the "proxyarp" option on all three firewall 
  interfaces     in the /etc/shorewall/interfaces file.</p>
             </div>
 <div align="left">    
-<p align="left">Most of us don't have the luxury of having enough public
+<p align="left">Most of us don't have the luxury of having enough public IP
-IP    addresses to set up our networks as shown in the preceding example
+   addresses to set up our networks as shown in the preceding example (even
-(even if    the setup is routed). </p>
+if    the setup is routed). </p>
             </div>
 <div align="left">    
@ -1202,8 +1201,8 @@ IP    addresses to set up our networks as shown in the preceding example
              </div>
 <div align="left">    
-<p align="left">Often a combination of these techniques is used. Each of
+<p align="left">Often a combination of these techniques is used. Each of these
-these    will be discussed in the sections that follow.</p>
+   will be discussed in the sections that follow.</p>
             </div>
 <div align="left">    
@ -1216,9 +1215,9 @@ these    will be discussed in the sections that follow.</p>
      a    connection to host <b>B</b> on the internet, the firewall/router
  rewrites    the    IP header in the request to use one of your public IP 
 addresses as   the source    address. When <b>B</b> responds and the response 
- is received    by the firewall,    the firewall changes the destination
+ is received    by the firewall,    the firewall changes the destination address
-address  back to   the RFC 1918 address of   <b>A</b> and forwards the response
+ back to   the RFC 1918 address of   <b>A</b> and forwards the response back
-back  to <b>A.</b></p>
+ to <b>A.</b></p>
             </div>
 <div align="left">    
@ -1277,8 +1276,8 @@ a  default     gateway of 192.168.201.1    (the IP address of the firewall's
 <p align="left">This example used the normal technique of assigning the same
         public IP address for the firewall external interface and for SNAT.
   If   you    wanted to use a different IP address, you would either have 
- to  use   your    distributions network configuration tools to add that
+ to  use   your    distributions network configuration tools to add that IP
-IP  address    to the    external interface or you could set ADD_SNAT_ALIASES=Yes
+ address    to the    external interface or you could set ADD_SNAT_ALIASES=Yes 
 in    /etc/shorewall/shorewall.conf and Shorewall will add the address for 
 you.</p>
             </div>
@ -1343,9 +1342,9 @@ to her   server by  adding the following    entry in <a
             </div>
 <div align="left">    
-<p align="left">This example used the firewall's external IP address for
+<p align="left">This example used the firewall's external IP address for DNAT.
-DNAT.    You can use another of your public IP addresses but Shorewall will
+   You can use another of your public IP addresses but Shorewall will not
-not add    that address to the firewall's external interface for you.</p>
+add    that address to the firewall's external interface for you.</p>
             </div>
 <div align="left">    
@ -1359,8 +1358,8 @@ not add    that address to the firewall's external interface for you.</p>
 <div align="left">    
 <ul>
                  <li>                    
-    <p align="left">A host <b>H </b>behind your firewall is assigned one
+    <p align="left">A host <b>H </b>behind your firewall is assigned one of
-of your    public IP addresses (<b>A)</b> and is assigned the same netmask
+your    public IP addresses (<b>A)</b> and is assigned the same netmask 
   <b>(M) </b>as    the firewall's external interface.     </p>
               </li>
               <li>                    
@ -1368,9 +1367,9 @@ of your    public IP addresses (<b>A)</b> and is assigned the same netmask
           </p>
               </li>
               <li>                    
-    <p align="left">When <b>H</b> issues an ARP "who has" request for an
+    <p align="left">When <b>H</b> issues an ARP "who has" request for an address
-address    in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
+   in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will
-will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
+respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
               </li>
 </ul>
@ -1398,7 +1397,8 @@ will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
                 The Shorewall    configuration of Proxy ARP is done using
-the     <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div>
+ the     <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a>
 file.</div>
 <div align="left">    
 <blockquote>            
@ -1456,10 +1456,10 @@ the     <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</
 <div align="left">    
 <div align="left">    
 <p align="left">A word of warning is in order here. ISPs typically configure
-       their routers with a long ARP cache timeout. If you move a system from
+        their routers with a long ARP cache timeout. If you move a system
-       parallel to your firewall to behind your firewall with Proxy ARP,
+from        parallel to your firewall to behind your firewall with Proxy
-it   will     probably be HOURS before that system can communicate with the
+ARP, it   will     probably be HOURS before that system can communicate with
-internet.     There are a couple of things that you can try:<br>
+the internet.     There are a couple of things that you can try:<br>
           </p>
 <ol>
@ -1472,13 +1472,15 @@ the   MAC  address for its own IP; in addition to ensuring that the IP address
   isn't  a duplicate,...<br>
               <br>
           "if the host sending the gratuitous ARP has just changed its hardware
-   address...,  this packet causes any other host...that has an entry in its
+    address...,  this packet causes any other host...that has an entry in
-   cache for the  old hardware address to update its ARP cache entry accordingly."<br>
+its    cache for the  old hardware address to update its ARP cache entry
 accordingly."<br>
               <br>
           Which is, of course, exactly what you want to do when you switch 
 a host   from being exposed to the Internet to behind Shorewall using proxy
- ARP  (or  static NAT for that matter). Happily enough, recent versions of 
+  ARP  (or  static NAT for that matter). Happily enough, recent versions
- Redhat's  iputils package include "arping", whose "-U" flag does just that:<br>
+of   Redhat's  iputils package include "arping", whose "-U" flag does just
 that:<br>
               <br>
               <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
  proxied   IP&gt;</b></font><br>
@ -1490,14 +1492,14 @@ the   MAC  address for its own IP; in addition to ensuring that the IP address
 idea  that it works   most of the time.<br>
               <br>
             </li>
-           <li>You    can call your ISP and ask them to purge the stale ARP 
+            <li>You    can call your ISP and ask them to purge the stale
- cache    entry but many    either can't or won't purge individual entries.</li>
+ARP   cache    entry but many    either can't or won't purge individual entries.</li>
 </ol>
-          You can determine if your    ISP's gateway ARP cache is stale using 
+           You can determine if your    ISP's gateway ARP cache is stale
-  ping   and tcpdump. Suppose that we    suspect that the gateway router has
+using    ping   and tcpdump. Suppose that we    suspect that the gateway
-  a stale   ARP cache entry for 192.0.2.177.    On the firewall, run tcpdump
+router has   a stale   ARP cache entry for 192.0.2.177.    On the firewall,
-  as follows:</div>
+run tcpdump   as follows:</div>
 <div align="left">    
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1524,10 +1526,10 @@ idea  that it works   most of the time.<br>
 <div align="left">    
 <p align="left">Notice that the source MAC address in the echo request is
         different from the destination MAC address in the echo reply!! In 
- this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
+ this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
-while  0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other words,
+ 0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other words, the
-the  gateway's ARP cache     still    associates 192.0.2.177 with the NIC
+ gateway's ARP cache     still    associates 192.0.2.177 with the NIC in
-in DMZ  1 rather than with the   firewall's    eth0.</p>
+DMZ  1 rather than with the   firewall's    eth0.</p>
             </div>
 <div align="left">    
@ -1536,9 +1538,9 @@ in DMZ  1 rather than with the   firewall's    eth0.</p>
 <div align="left">    
 <p align="left">With static NAT, you assign local systems RFC 1918 addresses
-        then establish a one-to-one mapping between those addresses and public 
+         then establish a one-to-one mapping between those addresses and
-     IP    addresses. For outgoing connections SNAT (Source Network Address 
+public       IP    addresses. For outgoing connections SNAT (Source Network
-   Translation) occurs and on incoming connections      DNAT (Destination 
+Address     Translation) occurs and on incoming connections      DNAT (Destination
 Network   Address Translation) occurs. Let's go back to our earlier example
 involving   your daughter's   web    server running on system Local 3.</p>
             </div>
@ -1657,10 +1659,10 @@ involving   your daughter's   web    server running on system Local 3.</p>
 <div align="left">    
 <div align="left">    
 <p align="left">A word of warning is in order here. ISPs typically configure
-       their routers with a long ARP cache timeout. If you move a system from
+        their routers with a long ARP cache timeout. If you move a system
-       parallel to your firewall to behind your firewall with static NAT,
+from        parallel to your firewall to behind your firewall with static
-it   will     probably be HOURS before that system can communicate with the
+NAT, it   will     probably be HOURS before that system can communicate with
-internet.     There are a couple of things that you can try:<br>
+the internet.     There are a couple of things that you can try:<br>
           </p>
 <ol>
@ -1673,13 +1675,15 @@ the   MAC  address for its own IP; in addition to ensuring that the IP address
   isn't  a duplicate,...<br>
               <br>
           "if the host sending the gratuitous ARP has just changed its hardware
-   address...,  this packet causes any other host...that has an entry in its
+    address...,  this packet causes any other host...that has an entry in
-   cache for the  old hardware address to update its ARP cache entry accordingly."<br>
+its    cache for the  old hardware address to update its ARP cache entry
 accordingly."<br>
               <br>
           Which is, of course, exactly what you want to do when you switch 
 a host   from being exposed to the Internet to behind Shorewall using proxy
- ARP  (or  static NAT for that matter). Happily enough, recent versions of 
+  ARP  (or  static NAT for that matter). Happily enough, recent versions
- Redhat's  iputils package include "arping", whose "-U" flag does just that:<br>
+of   Redhat's  iputils package include "arping", whose "-U" flag does just
 that:<br>
               <br>
               <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
  proxied   IP&gt;</b></font><br>
@ -1693,11 +1697,12 @@ idea  that it works   most of the time.<br>
             </li>
   <li>You    can call your ISP and ask them to purge the stale ARP  cache 
   entry but many    either can't or won't purge individual entries.</li>
 </ol>
-          You can determine if your    ISP's gateway ARP cache is stale using 
+           You can determine if your    ISP's gateway ARP cache is stale
-  ping   and tcpdump. Suppose that we    suspect that the gateway router has
+using    ping   and tcpdump. Suppose that we    suspect that the gateway
-  a stale   ARP cache entry for 209.0.2.179.    On the firewall, run tcpdump
+router has   a stale   ARP cache entry for 209.0.2.179.    On the firewall,
-  as follows:</div>
+run tcpdump   as follows:</div>
 <div align="left">    
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1724,10 +1729,10 @@ we     will    assume is 192.0.2.254):</p>
 <div align="left">    
 <p align="left">Notice that the source MAC address in the echo request is
         different from the destination MAC address in the echo reply!! In 
- this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
+ this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
-while  0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other words,
+ 0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other words, the
-the  gateway's ARP cache     still    associates 192.0.2.179 with the NIC
+ gateway's ARP cache     still    associates 192.0.2.179 with the NIC in
-in the local zone rather than with the   firewall's    eth0.</p>
+the local zone rather than with the   firewall's    eth0.</p>
             </div>
 <h3 align="left"><a name="Rules"></a>5.3 Rules</h3>
@ -1736,13 +1741,13 @@ in the local zone rather than with the   firewall's    eth0.</p>
 <div align="left">    
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-                   With the default policies, your local systems (Local 1-3) 
+                    With the default policies, your local systems (Local
- can   access   any    servers on the internet and the DMZ can't access any 
+1-3)   can   access   any    servers on the internet and the DMZ can't access
- other   host (including   the    firewall). With the exception of <a
+any   other   host (including   the    firewall). With the exception of <a
 href="#DNAT">DNAT rules</a> which   cause    address translation and allow
    the translated connection request  to pass    through the firewall, the
- way  to allow connection requests through   your    firewall is to use ACCEPT 
+  way  to allow connection requests through   your    firewall is to use
-  rules.</p>
+ACCEPT    rules.</p>
             </div>
 <div align="left">    
@ -1897,8 +1902,8 @@ in the local zone rather than with the   firewall's    eth0.</p>
              </div>
 <div align="left">    
-<p align="left">If you run a public DNS server on 192.0.2.177, you would
+<p align="left">If you run a public DNS server on 192.0.2.177, you would need
-need    to add the following rules:</p>
+   to add the following rules:</p>
             </div>
 <div align="left">    
@ -1986,8 +1991,9 @@ need    to add the following rules:</p>
 <div align="left">    
 <p align="left">You probably want some way to communicate with your firewall
-        and DMZ systems from the local network -- I recommend SSH which through 
+         and DMZ systems from the local network -- I recommend SSH which
-     its    scp utility can also do publishing and software update distribution.</p>
+through       its    scp utility can also do publishing and software update
 distribution.</p>
             </div>
 <div align="left">    
@ -2030,10 +2036,10 @@ need    to add the following rules:</p>
              </div>
 <div align="left">    
-<p align="left">The above discussion reflects my personal preference for
+<p align="left">The above discussion reflects my personal preference for using
-using    Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
+   Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
-I prefer    to use NAT only in cases where a system that is part of an RFC
+prefer    to use NAT only in cases where a system that is part of an RFC 1918
-1918 subnet    needs to have it's own public IP. </p>
+subnet    needs to have it's own public IP. </p>
             </div>
 <div align="left">    
@ -2048,14 +2054,13 @@ Shorewall can  do.</p>
             </div>
 <div align="left">    
-<p align="left">In case you haven't been keeping score, here's the final
+<p align="left">In case you haven't been keeping score, here's the final set
-set    of configuration files for our sample network. Only those that were
+   of configuration files for our sample network. Only those that were modified
-modified    from the original installation are shown.</p>
+   from the original installation are shown.</p>
             </div>
 <div align="left">    
-<p align="left">/etc/shorewall/interfaces (The "options" will be very   
+<p align="left">/etc/shorewall/interfaces (The "options" will be very    site-specific).</p>
 site-specific).</p>
             </div>
 <div align="left">    
@ -2097,8 +2102,8 @@ site-specific).</p>
 <p align="left">The setup described here requires that your network interfaces
         be brought up before Shorewall can start. This opens a short window
   during      which you have no firewall protection. If you replace 'detect'
-  with the   actual    broadcast addresses in the entries above, you can bring
+   with the   actual    broadcast addresses in the entries above, you can
-  up Shorewall   before    you bring up your network interfaces.</p>
+bring   up Shorewall   before    you bring up your network interfaces.</p>
             </div>
 <div align="left">    
@ -2435,10 +2440,10 @@ site-specific).</p>
              </div>
 <div align="left">    
-<p align="left">Given the collection of RFC 1918 and public addresses in
+<p align="left">Given the collection of RFC 1918 and public addresses in this
-this    setup, it only makes sense to have separate internal and external
+   setup, it only makes sense to have separate internal and external DNS
-DNS servers.    You can  combine the two into a single BIND 9 server using
+servers.    You can  combine the two into a single BIND 9 server using <i>Views.
-<i>Views.   </i>   If you are not interested in Bind 9 views, you can   <a
+  </i>   If you are not interested in Bind 9 views, you can   <a
 href="#StartingAndStopping">go to the next section</a>.</p>
             </div>
@ -2578,9 +2583,9 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
         and stopped using "shorewall stop". When the firewall is stopped, 
 routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
-        running firewall may be restarted using the "shorewall restart" command. 
+         running firewall may be restarted using the "shorewall restart"
-     If    you want to totally remove any trace of Shorewall from your Netfilter 
+command.       If    you want to totally remove any trace of Shorewall from
-        configuration, use "shorewall clear".</p>
+your Netfilter          configuration, use "shorewall clear".</p>
             </div>
 <div align="left">    
@ -2593,21 +2598,20 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
 <div align="left">    
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-     the    internet, do not issue a "shorewall stop" command unless you have
+      the    internet, do not issue a "shorewall stop" command unless you
-    added an    entry for the IP address that you are connected from to 
+have     added an    entry for the IP address that you are connected from
- <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
    Also, I don't recommend using "shorewall restart"; it is better to create
      an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
      and    test it using the <a href="Documentation.htm#Starting">"shorewall
     try" command</a>.</p>
             </div>
-<p align="left"><font size="2">Last updated 6/7/2003 - <a
+<p align="left"><font size="2">Last updated 6/27/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
     Thomas  M. Easte</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -3,15 +3,17 @@
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
-  <title>Shoreline Firewall (Shorewall) 1.3</title>
+  <title>Shoreline Firewall (Shorewall) 1.4</title>
                                  <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -29,10 +31,12 @@
      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
              </td>
              <td valign="middle">                                      
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><br>
                                                                  </a></h1>
@ -44,6 +48,7 @@
  </tbody>                                  
 </table>
 <div align="center">                                       
 <center>                                       
 <table border="0" cellpadding="0" cellspacing="0"
@ -57,23 +62,27 @@
      <h2 align="left">What is it?</h2>
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
-                             a       <a href="http://www.netfilter.org">Netfilter</a>
+                               a       <a
-            (iptables)           based      firewall        that can be used
+ href="http://www.netfilter.org">Netfilter</a>               (iptables) 
-   on   a  dedicated    firewall     system,      a multi-function      
+         based      firewall        that can be used     on   a  dedicated
-      gateway/router/server         or on a  standalone    GNU/Linux    system.</p>
+   firewall     system,      a multi-function             gateway/router/server
        or on a  standalone    GNU/Linux    system.</p>
      <p>This program is free software; you can redistribute it and/or modify
-                                                                        it
+                                                                        
-        under      the    terms      of         <a
+ it          under      the    terms      of         <a
 href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
 GNU General Public License</a> as published by the Free   Software      
     Foundation.<br>
@ -89,11 +98,12 @@ FOR   A  PARTICULAR          PURPOSE.        See the     GNU  General
                         <br>
-          You     should       have     received        a   copy     of 
+              You     should       have     received        a   copy    
- the       GNU     General          Public         License              
+of    the       GNU     General          Public         License         
-  along       with    this   program;            if   not,    write  to 
+       along       with    this   program;            if   not,    write
-  the    Free   Software              Foundation,                   Inc., 
+ to    the    Free   Software              Foundation,                  
- 675     Mass   Ave,  Cambridge,      MA    02139,       USA</p>
+Inc.,    675     Mass   Ave,  Cambridge,      MA    02139,       USA</p>
@ -105,11 +115,12 @@ FOR   A  PARTICULAR          PURPOSE.        See the     GNU  General
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-             If so, almost <b>NOTHING </b>on this site will apply directly
+                  If so, the documentation<b> </b>on this site will not apply
- to  your   setup.  If you want to use the documentation that you find here, 
+  directly   to  your   setup.  If you want to use the documentation that
- it  is best   if you  uninstall what you have and install a setup that matches 
+you  find here, you will want to consider uninstalling what you have and
-  the documentation    on this site. See the <a href="two-interface.htm">Two-interface
+installing  a setup that matches    the documentation    on this site. See
-   QuickStart    Guide</a> for details.<br>
+the <a href="two-interface.htm">Two-interface    QuickStart    Guide</a>
 for details.<br>
      <h2>Getting Started with Shorewall</h2>
@ -124,205 +135,161 @@ FOR   A  PARTICULAR          PURPOSE.        See the     GNU  General
-      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>       </b><b><img
+                   
      <p><b>7/4/2003 - Shorewall-1.4.6 Beta 1</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
       <br>
       </b></p>
      <blockquote><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
    <a href="ftp://shorewall.net/pub/shorewall/testing" target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
  </blockquote>
      <p><b>Problems Corrected:</b><br>
   </p>
      <ol>
          <li>A problem seen on RH7.3 systems where Shorewall encountered 
 start errors when started using the "service" mechanism has been worked around.<br>
       <br>
     </li>
          <li>Previously, where a list of IP addresses appears in the DEST
 column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
 in the nat table (one for each element in the list). Shorewall now correctly
 creates a single DNAT rule with multiple "--to-destination" clauses.<br>
     </li>
      </ol>
      <p><b>New Features:</b><br>
   </p>
      <ol>
          <li>A 'newnotsyn' interface option has been added. This option
 may  be specified in /etc/shorewall/interfaces and overrides the setting
 NEWNOTSYN=No  for packets arriving on the associated interface.<br>
       <br>
     </li>
          <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
 to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
 ranges.<br>
       <br>
     </li>
          <li>Shorewall can now add IP addresses to subnets other than the
 first one on an interface.<br>
       <br>
     </li>
          <li>DNAT[-] rules may now be used to load balance (round-robin) 
 over a set of servers. Up to 256 servers may be specified in a range of addresses
 given as &lt;first address&gt;-&lt;last address&gt;.<br>
       <br>
   Example:<br>
       <br>
       DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
       <br>
   Note that this capability has previously been available using a combination 
 of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable 
 for load-balancing over a large number of servers (&gt; 16) since specifying 
 a range in the DNAT rule causes one filter table ACCEPT rule to be generated 
 for each IP address in the range.<br>
       <br>
     </li>
          <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration 
 options have been removed and have been replaced by code that detects whether 
 these capabilities are present in the current kernel. The output of the start,
 restart and check commands have been enhanced to report the outcome:<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
      Packet Mangling: Available<br>
      Multi-port Match: Available<br>
   Verifying Configuration...<br>
       <br>
     </li>
          <li>Support for the Connection Tracking Match Extension has been
 added. This extension is available in recent kernel/iptables releases and
 allows for rules which match against elements in netfilter's connection
 tracking  table. Shorewall automatically detects the availability of this
 extension  and reports its availability in the output of the start, restart
 and check  commands.<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
      Packet Mangling: Available<br>
      Multi-port Match: Available<br>
      Connection Tracking Match: Available<br>
      Verifying Configuration...<br>
       <br>
   If this extension is available, the ruleset generated by Shorewall is
 changed  in the following ways:</li>
        <ul>
            <li>To handle 'norfc1918' filtering, Shorewall will not create
 chains in the mangle table but will rather do all 'norfc1918' filtering
 in  the filter table (rfc1918 chain).</li>
            <li>Recall that Shorewall DNAT rules generate two netfilter rules;
 one in the nat table and one in the filter table. If the Connection Tracking 
 Match Extension is available, the rule in the filter table is extended to 
 check that the original destination address was the same as specified (or 
 defaulted to) in the DNAT rule.<br>
         <br>
       </li>
        </ul>
          <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) 
 may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.</li>
      </ol>
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
     </p>
      <ol>
            <li>The command "shorewall debug try &lt;directory&gt;" now correctly
  traces the attempt.</li>
-        <li>The INCLUDE directive now works properly in the zones file; previously,
+            <li>The INCLUDE directive now works properly in the zones file; 
-INCLUDE in that file was ignored.</li>
+ previously, INCLUDE in that file was ignored.</li>
-        <li>/etc/shorewall/routestopped records with an empty second column
+            <li>/etc/shorewall/routestopped records with an empty second
-are no longer ignored.<br>
+column   are no longer ignored.<br>
       </li>
      </ol>
      <p>New Features:<br>
     </p>
      <ol>
-        <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
+            <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule 
-now contain a list of addresses. If the list begins with "!' then the rule
+may  now contain a list of addresses. If the list begins with "!' then the 
-will take effect only if the original destination address in the connection
+rule  will take effect only if the original destination address in the connection
  request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
      </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
                       </b></p>
   The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
 iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
 have been encountered with this set of software. The Shorewall version is
 1.4.4b plus the accumulated changes for 1.4.5.       
      <p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                         </b></p>
       The firewall at shorewall.net has been upgraded to the 2.4.21 kernel 
 and  iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
   have been encountered with this set of software. The Shorewall version
 is   1.4.4b plus the accumulated changes for 1.4.5.                     
      <p><b>6/8/2003 - Updated Samples</b><b>                         </b></p>
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
   version 1.4.4.</p>
-      <p><b>5/29/2003 - Shorewall-1.4.4b</b><b>                     </b></p>
+      <p><b></b></p>
      <p>Groan -- This version corrects a problem whereby the --log-level
  was not being set when logging via syslog. The most commonly reported symptom
  was that Shorewall messages were being written to the console even though
  console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
 16</a>.<br>
     </p>
      <p><b>5/27/2003 - Shorewall-1.4.4a</b><b>                     </b></p>
        The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
  out  that the code in 1.4.4 restricts the length of short zone names to
 4  characters.  I've produced version 1.4.4a that restores the previous 5-character
  limit  by conditionally omitting the log rule number when the LOGFORMAT
 doesn't  contain '%d'.                                                 
      <p><b>5/23/2003 - Shorewall-1.4.4</b><b>                     </b><b> 
           </b></p>
         I apologize for the rapid-fire releases but since there is a potential 
   configuration change required to go from 1.4.3a to 1.4.4, I decided to 
 make   it a full release rather than just a bug-fix release. <br>
          <br>
          <b>    Problems corrected:</b><br>
      <blockquote>None.<br>
         </blockquote>
          <b>    New Features:<br>
         </b>                                                         
      <ol>
                <li>A REDIRECT- rule target has been added. This target behaves 
   for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter 
   nat table REDIRECT rule is added but not the companion filter table ACCEPT 
   rule.<br>
             <br>
           </li>
                <li>The LOGMARKER variable has been renamed LOGFORMAT and 
 has   been  changed to a 'printf' formatting template which accepts three 
 arguments   (the  chain name, logging rule number and the disposition). To 
 use LOGFORMAT   with  fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
    set it as:<br>
          <br>
                LOGFORMAT="fp=%s:%d a=%s "<br>
          <br>
             <b>CAUTION: </b>/sbin/shorewall uses the leading part of the 
 LOGFORMAT     string (up to but not including the first '%') to find log messages
 in  the   'show log', 'status' and 'hits' commands. This part should not
 be omitted     (the LOGFORMAT should not begin with "%") and the leading part
 should be   sufficiently unique for /sbin/shorewall to identify Shorewall 
 messages.<br>
             <br>
           </li>
                <li>When logging is specified on a DNAT[-] or REDIRECT[-] 
 rule,    the logging now takes place in the nat table rather than in the filter
 table.   This way, only those connections that actually undergo DNAT or redirection
   will be logged.</li>
      </ol>
      <p><b>5/20/2003 - Shorewall-1.4.3a</b><b>              </b><b>    
       </b><br>
           </p>
          This version primarily corrects the documentation included in the 
 .tgz   and  in the .rpm. In addition: <br>
      <ol>
                  <li>(This change is in 1.4.3 but is not documented) If
 you   are   running  iptables 1.2.7a and kernel 2.4.20, then Shorewall will
 return   reject   replies  as follows:<br>
              a) tcp - RST<br>
              b) udp - ICMP port unreachable<br>
              c) icmp - ICMP host unreachable<br>
              d) Otherwise - ICMP host prohibited<br>
           If you are running earlier software, Shorewall will follow it's
 traditional     convention:<br>
              a) tcp - RST<br>
              b) Otherwise - ICMP port unreachable</li>
                  <li>UDP port 135 is now silently dropped in the common.def
  chain.    Remember that this chain is traversed just before a DROP or REJECT
  policy    is enforced.<br>
             </li>
      </ol>
-      <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
+      <p><b></b></p>
                   </p>
                  <b>Problems Corrected:<br>
              </b>                                                      
      <ol>
                    <li>There were several cases where Shorewall would fail 
 to  remove    a temporary directory from /tmp. These cases have been corrected.</li>
                    <li>The rules for allowing all traffic via the loopback 
 interface      have been moved to before the rule that drops status=INVALID 
 packets.  This    insures that all loopback traffic is allowed even if Netfilter 
 connection      tracking is confused.</li>
      </ol>
                   <b>New Features:<br>
              </b>                                                      
      <ol>
                    <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
  (6to4)    tunnels </a>are now supported in the /etc/shorewall/tunnels 
 file.</li>
                    <li value="2">You may now change the leading portion
 of  the   --log-prefix  used by Shorewall using the LOGMARKER variable in
 shorewall.conf.    By default,  "Shorewall:" is used.<br>
            </li>
      </ol>
      <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b>          </b><br>
                 </p>
                  Ed Greshko has established a mirror in Taiwan -- Thanks 
 Ed!                                                                      
      <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>      </b></p>
      <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
                  </p>
      <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>         </b></p>
      <p>The list server will be down this morning for upgrade to RH9.0.<br>
                          </p>
      <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> 
                                        </b></p>
      <p>Thanks to Francesca Smith, the sample configurations are now upgraded
           to Shorewall version 1.4.2.</p>
      <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> 
                                         </b></p>
      <blockquote> This morning, I gave <a href="GSLUG.htm"
 target="_top">a Shorewall presentation to GSLUG</a>.         The presentation
            is in HTML format but was generated from Microsoft PowerPoint
 and    is   best     viewed using Internet Explorer (although Konqueror also
 seems    to   work reasonably    well as does Opera 7.1.0). Neither Opera
 6 nor Netscape      work well to view  the presentation.</blockquote>
@ -331,11 +298,13 @@ seems    to   work reasonably    well as does Opera 7.1.0). Neither Opera
      <blockquote>                                                      
        <ol>
        </ol>
                                 </blockquote>
@ -347,16 +316,19 @@ seems    to   work reasonably    well as does Opera 7.1.0). Neither Opera
      <p><b><a href="News.htm">More News</a></b></p>
                                                   <b>      </b>        
      <h2><b> </b></h2>
                                             <b>      </b>              
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
@ -365,7 +337,7 @@ seems    to   work reasonably    well as does Opera 7.1.0). Neither Opera
       have       a   LEAF  (router/firewall/gateway                    
   on   a  floppy,       CD    or compact     flash)  distribution      
         called                 <i>Bering</i>          that          features
-              Shorewall-1.3.14         and    Kernel-2.4.20.          You 
+                Shorewall-1.4.2         and    Kernel-2.4.20.          You 
     can     find         their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
@ -383,28 +355,32 @@ on   a  floppy,       CD    or compact     flash)  distribution
      <h4><b>       </b></h4>
                                             <b>      </b>              
      <h2><b>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </b></h2>
                                             <b>      </b>              
      <h2><b><a name="Donations"></a>Donations</b></h2>
                                        <b>                        </b></td>
-                        <td width="88" bgcolor="#4b017c" valign="top"
+                            <td width="88" bgcolor="#4b017c"
- align="center">                                                         
+ valign="top" align="center">                                           
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch">                  
        <p><strong><br>
                                <font color="#ffffff"><b>Note: </b></font></strong> 
                       <font color="#ffffff">Search is unavailable Daily 0200-0330
@ -413,6 +389,7 @@ on   a  floppy,       CD    or compact     flash)  distribution
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
                                <font face="Arial" size="-1">           <input
 type="text" name="words" size="15"></font><font size="-1">           </font><font
@ -426,6 +403,7 @@ on   a  floppy,       CD    or compact     flash)  distribution
   </form>
      <p><font color="#ffffff"><b>         <a
 href="http://lists.shorewall.net/htdig/search.html">         <font
 color="#ffffff">Extended Search</font></a></b></font></p>
@ -438,6 +416,7 @@ on   a  floppy,       CD    or compact     flash)  distribution
                      </tr>
  </tbody>                                       
 </table>
@ -445,6 +424,7 @@ on   a  floppy,       CD    or compact     flash)  distribution
          </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -467,9 +447,10 @@ on   a  floppy,       CD    or compact     flash)  distribution
      <p align="center"><font size="4" color="#ffffff"><br>
-         <font size="+2">Shorewall is free but if       you try it and find 
+             <font size="+2">Shorewall is free but if       you try it and
- it useful, please consider making a donation                            
+ find   it useful, please consider making a donation                    
                                                  to             <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight     Children's 
           Foundation.</font></a> Thanks!</font></font></p>
@ -479,11 +460,16 @@ on   a  floppy,       CD    or compact     flash)  distribution
               </tr>
  </tbody>                                       
 </table>
-<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
+      
 <p><font size="2">Updated 7/4/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                                   <br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -30,8 +30,8 @@
 <h2>Before Reporting a Problem or Asking a Question<br>
                 </h2>
                                                                       There
- are   a  number    of  sources of Shorewall information. Please     try these
+  are   a  number    of  sources of Shorewall information. Please     try
- before   you   post.               
+these  before   you   post.                
 <ul>
                                                 <li>Shorewall versions earlier 
  that 1.3.0 are no longer supported.<br>
@ -46,11 +46,11 @@
  solutions    to  more than 20 common      problems.                 </li>
                                 <li>                                   The 
         <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> 
-    Information           contains                a    number of tips to
+    Information           contains                a    number of tips to help
-help    you solve common  problems.        </li>
+   you solve common  problems.        </li>
                                <li>                                   The
-        <a href="http://www.shorewall.net/errata.htm">   Errata</a> has links 
+         <a href="http://www.shorewall.net/errata.htm">   Errata</a> has
-   to  download        updated     components.         </li>
+links     to  download        updated     components.         </li>
                                 <li>                                   The 
 Site   and   Mailing        List   Archives     search facility can locate 
 documents   and  posts    about         similar   problems:         </li>
@ -63,6 +63,7 @@ help    you solve common  problems.        </li>
  <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
    <select name="method">
    <option value="and">All </option>
    <option value="or">Any </option>
@ -116,9 +117,9 @@ what   is  posted    in  your   message.      Do  not  leave out any information
 Any help  we  offer   is an act of generosity, not    an   obligation.  
 Try  to make   it easy  for us to help you. Follow good,    courteous  
 practices    in  writing and formatting your e-mail. Provide   details that 
-  we need if  you  expect good  answers. <em>Exact quoting     </em>  of
+  we need if  you  expect good  answers. <em>Exact quoting     </em>  of error
-error messages,  log  entries,  command output, and other output  is better
+messages,  log  entries,  command output, and other output  is better   than
-  than a paraphrase   or  summary.<br>
+a paraphrase   or  summary.<br>
                                            <br>
                                          </li>
                                          <li>                          
@ -147,8 +148,8 @@ your   job for you.<br>
  </ul>
  <ul>
-                                           <li>the exact kernel version you 
+                                            <li>the exact kernel version
- are   running<br>
+you   are   running<br>
                                              <br>
                                              <font color="#009900"><b>uname
  -a<br>
@ -197,12 +198,13 @@ route    show<br>
                  <li><font color="#ff0000"><u><i><big><b>If you are having 
 connection       problems of        any kind then:</b></big></i></u></font><br>
                                 <br>
-                            1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
+                             1. <b><font color="#009900">/sbin/shorewall
 reset</font></b><br>
                                 <br>
                             2. Try the connection that is failing.<br>
                                 <br>
-                            3.<b><font color="#009900"> /sbin/shorewall status
+                             3.<b><font color="#009900"> /sbin/shorewall
-   &gt;   /tmp/status.txt</font></b><br>
+status    &gt;   /tmp/status.txt</font></b><br>
                                 <br>
                             4. Post the /tmp/status.txt file as an attachment.<br>
                   <br>
@ -226,15 +228,15 @@ route    show<br>
      information</strong>        in   an attempt to conceal your IP address, 
  netmask,      nameserver    addresses,     domain name, etc. These aren't 
  secrets,  and concealing   them often   misleads  us (and 80% of the time, 
-  a hacker  could derive them       anyway   from information  contained
+  a hacker  could derive them       anyway   from information  contained in
-in   the SMTP headers  of your post).<br>
+  the SMTP headers  of your post).<br>
                           <br>
                           <strong></strong></li>
-                        <li>Do you see  any   "Shorewall"      messages ("<b><font
+                         <li>Do you see  any   "Shorewall"      messages
- color="#009900">/sbin/shorewall  show   log</font></b>")            when 
+("<b><font color="#009900">/sbin/shorewall  show   log</font></b>")     
-            you exercise the function that is giving   you problems? If  
+      when              you exercise the function that is giving   you problems?
-so,    include    the message(s) in your post along with a  copy of your /etc/shorewall/interfaces
+If   so,    include    the message(s) in your post along with a  copy of
-              file.<br>
+your /etc/shorewall/interfaces               file.<br>
                           <br>
                         </li>
                         <li>Please include any of the Shorewall configuration
@ -245,15 +247,16 @@ so,    include    the message(s) in your post along with a  copy of your /etc/sh
  one also knows the policies).<br>
                           <br>
                         </li>
-                        <li>If an error occurs    when   you   try   to "<font
+                         <li>If an error occurs    when   you   try   to
- color="#009900"><b>shorewall  start</b></font>",        include     a  trace
+"<font color="#009900"><b>shorewall  start</b></font>",        include  
-      (See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> 
+  a  trace       (See the <a
 href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>   
   section  for    instructions).<br>
                           <br>
                         </li>
-                        <li><b>The list server limits posts to 120kb so don't 
+                         <li><b>The list server limits posts to 120kb so
-   post    GIFs     of               your             network layout, etc. 
+don't     post    GIFs     of               your             network layout,
- to the Mailing   List    --   your      post      will  be rejected.</b></li>
+etc.   to the Mailing   List    --   your      post      will  be rejected.</b></li>
 </ul>
@ -265,29 +268,29 @@ one also knows the policies).<br>
 <h2>When using the mailing list, please post in plain text</h2>
-<blockquote>      A growing  number of MTAs serving list subscribers are
+<blockquote>      A growing  number of MTAs serving list subscribers are rejecting
-rejecting   all    HTML  traffic.  At least one MTA has gone so far as to
+  all    HTML  traffic.  At least one MTA has gone so far as to blacklist
-blacklist   shorewall.net      "for  continuous abuse" because it has been
+  shorewall.net      "for  continuous abuse" because it has been my policy
-my policy   to  allow HTML in  list    posts!!<br>
+  to  allow HTML in  list    posts!!<br>
                    <br>
                                             I think that blocking all HTML 
 is  a  Draconian      way   to  control     spam    and  that the ultimate 
 losers   here are not    the spammers    but the   list  subscribers    
-  whose MTAs   are bouncing    all shorewall.net    mail. As   one list 
+ whose MTAs   are bouncing    all shorewall.net    mail. As   one list  subscriber
-subscriber    wrote    to me privately      "These e-mail admin's   need
+   wrote    to me privately      "These e-mail admin's   need  to get a <i>(expletive
- to get a <i>(expletive      deleted)</i>  life     instead of trying to
+     deleted)</i>  life     instead of trying to rid   the planet of HTML
-rid   the planet of HTML based   e-mail".   Nevertheless,       to allow
+based   e-mail".   Nevertheless,       to allow subscribers  to  receive
-subscribers  to  receive list posts   as must as possible,   I  have   now
+list posts   as must as possible,   I  have   now   configured the  list
-  configured the  list  server at shorewall.net   to strip all HTML    from
+ server at shorewall.net   to strip all HTML    from  outgoing  posts.<br>
 outgoing  posts.<br>
   <br>
   <big><font color="#cc0000"><b>If you run your own outgoing mail server 
 and it doesn't have a valid DNS PTR record, your email won't reach the lists
-unless/until the postmaster notices that your posts are being rejected. To 
+ unless/until the postmaster notices that your posts are being rejected.
-avoid this problem, you should configure your MTA to forward posts to shorewall.net 
+To  avoid this problem, you should configure your MTA to forward posts to
-through an MTA that <u>does</u> have a valid PTR record (such as the one
+shorewall.net  through an MTA that <u>does</u> have a valid PTR record (such
-at your ISP). </b></font></big><br>
+as the one at your ISP). </b></font></big><br>
 </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
 <blockquote>                               
@ -301,14 +304,9 @@ MandrakeSoft       Multi    Network     Firewall     (MNF)   and you have
 not purchased  an   MNF  license    from MandrakeSoft     then    you can
  post non MNF-specific     Shorewall  questions   to the </b><a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall   users mailing
-            list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
+             list</a>. <b>Do not expect to get free MNF support on the list</b> 
-  <p>If you have a question, you may post it on the <a
+  <p>Otherwise, please post your question or problem to the <a
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Forum</a>: 
  <font color="#ff6666"><b>DO NOT USE THE FORUM FOR REPORTING PROBLEMS OR 
 ASKING FOR HELP WITH PROBLEMS.<br>
   </b></font><br>
 Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
                list</a> .</p>
@ -322,10 +320,11 @@ ASKING FOR HELP WITH PROBLEMS.<br>
 href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
                         </p>
-<p align="left"><font size="2">Last Updated 6/14/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 6/24/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -55,36 +55,36 @@ Relay,    dial-up,     ...</li>
 <p>Shorewall requires that you have the iproute/iproute2 package installed
         (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
- tell     if  this  package is installed by the presence of an <b>ip</b> program
+  tell     if  this  package is installed by the presence of an <b>ip</b>
-   on   your  firewall  system. As root, you can use the 'which' command
+program    on   your  firewall  system. As root, you can use the 'which'
-to   check   for this  program:</p>
+command to   check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the guide    to familiarize yourself
-        with what's involved then go back through it again  making your configuration 
+         with what's involved then go back through it again  making your
-        changes. Points at which configuration changes are  recommended are 
+configuration          changes. Points at which configuration changes are
-  flagged      with <img border="0" src="images/BD21298_.gif" width="13"
+ recommended are    flagged      with <img border="0"
- height="13">
+ src="images/BD21298_.gif" width="13" height="13">
      . Configuration notes that are unique to LEAF/Bering are marked with <img
 src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
                   </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-                      If you edit your configuration files on a Windows system, 
+                       If you edit your configuration files on a Windows
-   you   must   save them as  Unix files if your editor supports that option 
+system,     you   must   save them as  Unix files if your editor supports
-   or you   must  run them through  dos2unix before trying to use them. Similarly, 
+that option     or you   must  run them through  dos2unix before trying to
-   if   you copy  a configuration file  from your Windows hard drive to a 
+use them. Similarly,     if   you copy  a configuration file  from your Windows
-floppy    disk, you must run dos2unix against the  copy before using it with 
+hard drive to a  floppy    disk, you must run dos2unix against the  copy
-Shorewall.</p>
+before using it with  Shorewall.</p>
 <ul>
                     <li><a
 href="http://www.simtel.net/pub/pd/51438.html">Windows     Version     of 
   dos2unix</a></li>
                     <li><a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version of
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
-   dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
@ -92,10 +92,10 @@ Shorewall.</p>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
-             The configuration files for Shorewall are contained in the directory 
+              The configuration files for Shorewall are contained in the
-     /etc/shorewall -- for simple setups, you will only need to deal with 
+directory       /etc/shorewall -- for simple setups, you will only need to
-a  few  of  these as described in this guide.  After you have <a
+deal with  a  few  of  these as described in this guide.  After you have
- href="Install.htm">installed Shorewall</a>,  <b>download the <a
+<a href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface  
      sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy
    the    files to /etc/shorewall  (the files will replace files with the
@ -141,19 +141,19 @@ instructions        and default entries.</p>
         in  terms of zones.</p>
 <ul>
-                    <li>You express your default policy for connections from 
+                     <li>You express your default policy for connections
- one   zone   to  another    zone in the<a
+from   one   zone   to  another    zone in the<a
 href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
-                    <li>You define exceptions to those default policies in
+                     <li>You define exceptions to those default policies
- the        <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+in  the        <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first
         checked against the  /etc/shorewall/rules file. If no rule in that
  file     matches  the connection  request then the first policy in /etc/shorewall/policy
-      that  matches the    request is applied. If that policy is REJECT or 
+       that  matches the    request is applied. If that policy is REJECT
- DROP      the request is first  checked against the rules in /etc/shorewall/common 
+or   DROP      the request is first  checked against the rules in /etc/shorewall/common
      (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample
@ -247,9 +247,9 @@ and   make   any   changes  that you  wish.</p>
                  </p>
 <p align="left">The firewall has three network interfaces. Where Internet
-         connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+          connectivity is through a cable or DSL "Modem", the <i>External
-         will be the ethernet adapter that is connected to that "Modem" (e.g.,
+Interface</i>          will be the ethernet adapter that is connected to
-     <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
+that "Modem" (e.g.,      <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
      <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
      <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External
     Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
@ -265,30 +265,30 @@ and   make   any   changes  that you  wish.</p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
          eth1 or eth2) and will be connected to a hub or switch. Your local
   computers       will be connected to the same switch (note: If you have
-only  a single   local   system,  you can connect the firewall directly to 
+ only  a single   local   system,  you can connect the firewall directly
-the computer using   a <i>cross-over   </i> cable).</p>
+to  the computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
-        (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your 
+         (eth0,  eth1 or eth2) and will be connected to a hub or switch.
-   DMZ    computers will  be connected to the same switch (note: If you have 
+Your     DMZ    computers will  be connected to the same switch (note: If
-   only  a  single DMZ system,  you can connect the firewall directly to the
+you have     only  a  single DMZ system,  you can connect the firewall directly
-   computer    using a <i>cross-over </i> cable).</p>
+to the    computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-                 </b></u>Do not connect more than one interface  to the same 
+                  </b></u>Do not connect more than one interface  to the
- hub   or  switch    (even for testing). It won't work the way that you  expect
+same   hub   or  switch    (even for testing). It won't work the way that
-  it to  and you   will end up confused and  believing that Shorewall doesn't
+you  expect   it to  and you   will end up confused and  believing that Shorewall
-    work  at all.</p>
+doesn't     work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-                     The Shorewall three-interface sample configuration assumes 
+                      The Shorewall three-interface sample configuration
-   that    the   external interface is <b>eth0, </b>the local interface is 
+assumes     that    the   external interface is <b>eth0, </b>the local interface
- <b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration 
+is   <b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration
  is different,    you will have to modify the sample  /etc/shorewall/interfaces
-  file accordingly.     While you are there, you may wish to  review the list
+   file accordingly.     While you are there, you may wish to  review the
-  of options that are    specified for the interfaces. Some hints:</p>
+list   of options that are    specified for the interfaces. Some hints:</p>
 <ul>
                     <li>                     
@ -307,17 +307,18 @@ the    option    list. </p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet
-         Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
+          Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
-  a  single    <i> Public</i> IP address. This address may be assigned via 
+you    a  single    <i> Public</i> IP address. This address may be assigned
- the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of 
+via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part
-establishing  your  connection   when you dial in (standard modem) or establish 
+of  establishing  your  connection   when you dial in (standard modem) or
-your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i> 
+establish  your PPP  connection.  In rare   cases, your ISP may assign you
-IP address; that  means that  you  configure your firewall's external interface 
+a<i> static</i>  IP address; that  means that  you  configure your firewall's
-   to use that  address permanently.<i>  </i>Regardless of how the address 
+external interface     to use that  address permanently.<i>  </i>Regardless
- is  assigned, it  will be shared by all of your  systems when you access 
+of how the address   is  assigned, it  will be shared by all of your  systems
-the Internet. You will have to assign your  own addresses  for your internal 
+when you access  the Internet. You will have to assign your  own addresses
-network (the local and DMZ Interfaces on  your firewall plus your other computers).
+ for your internal  network (the local and DMZ Interfaces on  your firewall
- RFC 1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
+plus your other computers).  RFC 1918 reserves several <i>Private  </i>IP
 address ranges for this  purpose:</p>
 <div align="left">    
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -327,23 +328,23 @@ network (the local and DMZ Interfaces on  your firewall plus your other computer
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                         Before starting Shorewall, you should look at the
-IP  address     of  your  external    interface and if it is one of the above 
+ IP  address     of  your  external    interface and if it is one of the
- ranges, you    should  remove  the    'norfc1918' option from the external 
+above   ranges, you    should  remove  the    'norfc1918' option from the
- interface's   entry  in    /etc/shorewall/interfaces.</p>
+external   interface's   entry  in    /etc/shorewall/interfaces.</p>
                  </div>
 <div align="left">    
 <p align="left">You will want to assign your local addresses from one <i>
           sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-     subnet.  For our purposes, we can consider a subnet    to consists of 
+      subnet.  For our purposes, we can consider a subnet    to consists
- a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a
+of   a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have
- <i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved
+a  <i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved 
 as    the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet
  Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
    </i>(CIDR)</a>   notation with consists of the subnet address  followed
-    by "/24". The "24"  refers to the number of    consecutive "1"  bits from
+     by "/24". The "24"  refers to the number of    consecutive "1"  bits
-   the left of the subnet  mask. </p>
+from    the left of the subnet  mask. </p>
                  </div>
 <div align="left">    
@ -394,17 +395,18 @@ IP  address     of  your  external    interface and if it is one of the above
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                      Your local  computers    (Local Computers 1 &amp; 2)
-should    be  configured    with their<i>    default gateway</i> set to the 
+ should    be  configured    with their<i>    default gateway</i> set to
-IP address     of the firewall's    internal interface    and your DMZ computers 
+the  IP address     of the firewall's    internal interface    and your DMZ
-( DMZ   Computers   1 &amp; 2)  should  be configured with their    default 
+computers  ( DMZ   Computers   1 &amp; 2)  should  be configured with their
-gateway   set to the   IP address  of the firewall's DMZ interface.   </p>
+   default  gateway   set to the   IP address  of the firewall's DMZ interface.  
 </p>
                  </div>
 <p align="left">The foregoing short discussion barely scratches the surface
          regarding subnetting and routing. If you are interested in learning
-   more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
+    more     about  IP addressing and routing, I highly recommend <i>"IP
-        What Everyone  Needs to Know about Addressing &amp; Routing",</i> 
+Fundamentals:          What Everyone  Needs to Know about Addressing &amp;
-Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
          your network as shown here:</p>
@ -429,24 +431,24 @@ then you will need  to select a different RFC 1918 subnet for your DMZ.</b><br>
 <p align="left">IP Masquerading (SNAT)</p>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-        to as <i>non-routable</i> because the Internet backbone routers don't 
+         to as <i>non-routable</i> because the Internet backbone routers
-    forward    packets  which have an RFC-1918 destination address. When one
+don't      forward    packets  which have an RFC-1918 destination address.
-   of your local    systems  (let's assume local computer 1) sends a connection
+When one    of your local    systems  (let's assume local computer 1) sends
-    request to an   internet host, the  firewall must perform <i>Network
+a connection     request to an   internet host, the  firewall must perform
-Address     Translation   </i>(NAT). The firewall  rewrites the source address
+<i>Network Address     Translation   </i>(NAT). The firewall  rewrites the
-in the    packet to be  the address of the firewall's  external interface;
+source address in the    packet to be  the address of the firewall's  external
-in other    words, the firewall   makes it look as if the firewall  itself
+interface; in other    words, the firewall   makes it look as if the firewall
-is initiating    the connection.  This  is necessary so that the  destination
+ itself is initiating    the connection.  This  is necessary so that the
-host will be   able to route return packets   back to the firewall  (remember
+ destination host will be   able to route return packets   back to the firewall
-that packets   whose destination address is   reserved by RFC 1918 can't
+ (remember that packets   whose destination address is   reserved by RFC
- be routed accross   the internet). When the firewall   receives a return
+1918 can't  be routed accross   the internet). When the firewall   receives
-packet, it  rewrites   the destination address back to 10.10.10.1   and forwards
+a return packet, it  rewrites   the destination address back to 10.10.10.1
-the packet on  to local computer 1. </p>
+  and forwards the packet on  to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> and you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
                     <li>                     
@ -489,7 +491,7 @@ change    them appropriately:<br>
           </p>
 <ul>
-          <li>NAT_ENABLED=Yes</li>
+           <li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
           <li>IP_FORWARDING=On<br>
            </li>
@ -498,13 +500,13 @@ change    them appropriately:<br>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your
-        DMZ computers. Because these computers have RFC-1918 addresses, it 
+         DMZ computers. Because these computers have RFC-1918 addresses,
- is   not     possible for clients on the internet to connect directly to 
+it   is   not     possible for clients on the internet to connect directly
-them.   It is   rather  necessary for those clients to address their connection 
+to  them.   It is   rather  necessary for those clients to address their
-  requests    to your firewall  who rewrites the destination address to the 
+connection    requests    to your firewall  who rewrites the destination
-  address of   your server and forwards  the packet to that server. When your
+address to the    address of   your server and forwards  the packet to that
-  server responds,     the firewall automatically  performs SNAT to rewrite
+server. When your   server responds,     the firewall automatically  performs
-  the source address   in  the response.</p>
+SNAT to rewrite   the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
         Destination Network Address Translation</i> (DNAT). You configure 
@ -541,8 +543,8 @@ them.   It is   rather  necessary for those clients to address their connection
  </table>
                   </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
-the same  as <i>&lt;port&gt;</i>.</p>
+be the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
          TCP port 80 to that system:</p>
@ -588,10 +590,10 @@ the same  as <i>&lt;port&gt;</i>.</p>
 <ul>
                     <li>When you are connecting to your server from your 
 local   systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
-                    <li>Many ISPs block incoming connection requests to port 
+                     <li>Many ISPs block incoming connection requests to
- 80.   If  you   have     problems connecting to your web server, try the
+port   80.   If  you   have     problems connecting to your web server, try
- following   rule and  try     connecting to port 5000 (e.g., connect to
+the  following   rule and  try     connecting to port 5000 (e.g., connect
-    <a href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z
+to     <a href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z 
 is your         external IP).</li>
 </ul>
@ -705,44 +707,45 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting
-        an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
+         an IP  address your firewall's <i>Domain Name Service </i>(DNS)
-       will be  automatically configured (e.g., the /etc/resolv.conf file 
+resolver         will be  automatically configured (e.g., the /etc/resolv.conf
-will     be  written).  Alternatively, your ISP may have given you the IP 
+file  will     be  written).  Alternatively, your ISP may have given you
-address    of a  pair of DNS <i> name servers</i> for you to manually configure 
+the IP  address    of a  pair of DNS <i> name servers</i> for you to manually
-as  your    primary  and secondary  name servers. It is <u>your</u> responsibility 
+configure  as  your    primary  and secondary  name servers. It is <u>your</u>
-   to   configure  the resolver in your  internal systems. You can take one 
+responsibility     to   configure  the resolver in your  internal systems.
-  of two   approaches:</p>
+You can take one    of two   approaches:</p>
 <ul>
                     <li>                     
    <p align="left">You can configure your internal systems to use your ISP's
         name    servers. If you ISP gave you the addresses of their servers
-  or   if   those    addresses are available on their web site, you can configure 
+   or   if   those    addresses are available on their web site, you can
-     your   internal    systems to use those addresses. If that information 
+configure       your   internal    systems to use those addresses. If that
-  isn't   available,   look in    /etc/resolv.conf on your firewall system 
+information    isn't   available,   look in    /etc/resolv.conf on your firewall
- -- the name  servers are  given in    "nameserver" records in that file. 
+system   -- the name  servers are  given in    "nameserver" records in that
-  </p>
+file.    </p>
                    </li>
                    <li>                     
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
                      You can configure a<i> Caching Name Server </i>on your
     firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching
-name  server (which     also     requires the 'bind' RPM) and for Bering users,
+ name  server (which     also     requires the 'bind' RPM) and for Bering
- there is dnscache.lrp.     If you    take this approach, you configure your
+users,  there is dnscache.lrp.     If you    take this approach, you configure
- internal systems to use    the caching    name server as their primary (and
+your  internal systems to use    the caching    name server as their primary
- only) name server. You  use  the internal IP    address of the firewall (10.10.10.254
+(and  only) name server. You  use  the internal IP    address of the firewall
- in the example  above)    for the name    server address if you choose to
+(10.10.10.254  in the example  above)    for the name    server address if
- run the name server  on your   firewall. To allow your local systems to
+you choose to  run the name server  on your   firewall. To allow your local
-talk  to your caching name      server,   you must open port 53 (both UDP
+systems to talk  to your caching name      server,   you must open port 53
-and TCP)  from the local network   to the    server; you do that by adding
+(both UDP and TCP)  from the local network   to the    server; you do that
-the rules  in /etc/shorewall/rules.       </p>
+by adding the rules  in /etc/shorewall/rules.       </p>
                    </li>
 </ul>
 <blockquote>            
  <p align="left">If you run the name server on the firewall:           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
@ -1045,8 +1048,8 @@ allowing        all    connections from the firewall to the internet.</p>
 <div align="left">    
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-           the internet because it uses clear text (even for login!). If you
+            the internet because it uses clear text (even for login!). If
-   want     shell    access to your firewall from the internet, use SSH:</p>
+you    want     shell    access to your firewall from the internet, use SSH:</p>
                  </div>
 <div align="left">    
@ -1146,8 +1149,8 @@ other   connections      as required.</p>
                    The <a href="Install.htm">installation procedure </a> 
  configures       your system to start Shorewall at system boot  but beginning 
 with Shorewall      version 1.3.9 startup is disabled so that your system 
- won't try to start     Shorewall before configuration is complete. Once
+ won't try to start     Shorewall before configuration is complete. Once you
-you  have completed configuration     of your firewall, you can enable Shorewall
+ have completed configuration     of your firewall, you can enable Shorewall 
 startup by removing the file   /etc/shorewall/startup_disabled.<br>
                  </p>
@ -1163,8 +1166,8 @@ you  have completed configuration     of your firewall, you can enable Shorewall
    routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
            running firewall may be restarted using the "shorewall restart"
- command.       If    you want to totally remove any trace of Shorewall from 
+  command.       If    you want to totally remove any trace of Shorewall
- your Netfilter          configuration, use "shorewall clear".</p>
+from   your Netfilter          configuration, use "shorewall clear".</p>
                  </div>
 <div align="left">    
@ -1179,16 +1182,16 @@ different  set   of hosts, modify /etc/shorewall/routestopped       accordingly.
 <div align="left">    
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-        the    internet, do not issue a "shorewall stop" command unless you 
+         the    internet, do not issue a "shorewall stop" command unless
-  have     added an    entry for the IP address that you are connected from 
+you    have     added an    entry for the IP address that you are connected
-  to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-      Also, I don't recommend using "shorewall restart"; it is better to create
+       Also, I don't recommend using "shorewall restart"; it is better to
-        an   <i><a href="configuration_file_basics.htm#Configs">alternate 
+create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i>        and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
                  </div>
-<p align="left"><font size="2">Last updated 5/19/2003 - <a
+<p align="left"><font size="2">Last updated 6/27/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -30,19 +30,19 @@
 </table>
 <p align="left">Setting up a Linux system as a firewall for a small network
-         is a  fairly straight-forward task if you understand the basics and
+          is a  fairly straight-forward task if you understand the basics
-   follow      the  documentation.</p>
+and    follow      the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of
-          Shorewall. It rather focuses on what is required to configure Shorewall 
+           Shorewall. It rather focuses on what is required to configure
-        in its  most common configuration:</p>
+Shorewall          in its  most common configuration:</p>
 <ul>
                       <li>Linux system used as a firewall/router for a small
  local    network.</li>
                       <li>Single public IP address.</li>
-                      <li>Internet connection through cable modem, DSL, ISDN, 
+                       <li>Internet connection through cable modem, DSL,
-  Frame    Relay,    dial-up    ...</li>
+ISDN,    Frame    Relay,    dial-up    ...</li>
 </ul>
@ -53,14 +53,14 @@
                    </p>
 <p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
-      configure the above setup using the Mandrake "Internet Connection Sharing" 
+       configure the above setup using the Mandrake "Internet Connection
-      applet. From the Mandrake Control Center, select "Network &amp; Internet" 
+Sharing"        applet. From the Mandrake Control Center, select "Network
-      then "Connection Sharing".<br>
+&amp; Internet"        then "Connection Sharing".<br>
     </b></p>
 <p><b>Note however, that the Shorewall configuration produced by Mandrake
- Internet Connection Sharing is strange and is apt to confuse you if you use
+  Internet Connection Sharing is strange and is apt to confuse you if you
- the rest of this documentation (it has two local zones; "loc" and "masq"
+use  the rest of this documentation (it has two local zones; "loc" and "masq" 
 where "loc" is empty; this conflicts with this documentation which assumes 
 a single local zone "loc"). We therefore recommend that once you have set 
 up this sharing that you uninstall the Mandrake Shorewall RPM and install 
@ -69,38 +69,38 @@
      </p>
 <p>Shorewall requires that you have the iproute/iproute2 package installed
-         (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can 
+          (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You
-  tell     if  this  package is installed by the presence of an <b>ip</b> 
+can    tell     if  this  package is installed by the presence of an <b>ip</b>
-program    on   your  firewall  system. As root, you can use the 'which' command
+ program    on   your  firewall  system. As root, you can use the 'which'
-to   check   for this  program:</p>
+command to   check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself
-         with what's involved then go back through it again  making your configuration
+          with what's involved then go back through it again  making your
-         changes. Points at which configuration changes are  recommended
+configuration          changes. Points at which configuration changes are
-are    flagged      with <img border="0" src="images/BD21298_.gif"
+ recommended are    flagged      with <img border="0"
- width="13" height="13">
+ src="images/BD21298_.gif" width="13" height="13">
-                   . Configuration notes that are unique to LEAF/Bering are 
+                    . Configuration notes that are unique to LEAF/Bering
- marked  with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
+are   marked  with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
       </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                         If you edit your configuration files on a Windows
 system,     you   must   save them as  Unix files if your editor supports
-that option     or you   must  run them through  dos2unix before trying to 
+ that option     or you   must  run them through  dos2unix before trying
-use them. Similarly,     if   you copy  a configuration file  from your Windows 
+to  use them. Similarly,     if   you copy  a configuration file  from your
-hard drive to a  floppy    disk, you must run dos2unix against the  copy before
+Windows  hard drive to a  floppy    disk, you must run dos2unix against the
-using it with  Shorewall.</p>
+ copy before using it with  Shorewall.</p>
 <ul>
                       <li><a
 href="http://www.simtel.net/pub/pd/51438.html">Windows     Version     of 
    dos2unix</a></li>
                       <li><a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version of
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
-   dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
@ -110,11 +110,12 @@ using it with  Shorewall.</p>
 alt="">
                 The configuration files for Shorewall are contained in the 
 directory      /etc/shorewall -- for simple setups, you will only need to 
- deal with a  few  of  these as described in this guide.  After you have
+ deal with a  few  of  these as described in this guide.  After you have <a
-<a href="Install.htm">installed Shorewall</a>,  <b>download the <a
+ href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
-        un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to 
+         un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
- /etc/shorewall        (these files will replace files with the same name).</b></p>
+to   /etc/shorewall        (these files will replace files with the same
 name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual
          file on your system -- each file contains detailed  configuration
@ -164,12 +165,12 @@ in  the         <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.
 <p>For each connection request entering the firewall, the request is first
          checked against the  /etc/shorewall/rules file. If no rule in that
   file     matches  the connection  request then the first policy in /etc/shorewall/policy
-       that  matches the    request is applied. If that policy is REJECT or
+        that  matches the    request is applied. If that policy is REJECT
-  DROP      the request is first  checked against the rules in /etc/shorewall/common 
+or   DROP      the request is first  checked against the rules in /etc/shorewall/common
       (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample has
+<p>The /etc/shorewall/policy file included with the two-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -238,8 +239,8 @@ the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-                      <li>allow all connection requests from your local network 
+                       <li>allow all connection requests from your local
-   to  the   internet</li>
+network     to  the   internet</li>
                       <li>drop (ignore) all connection requests from the 
 internet     to  your   firewall     or local network</li>
                       <li>optionally accept all connection requests from 
@ -258,9 +259,9 @@ make   any   changes     that you  wish.</p>
 height="635">
                    </p>
-<p align="left">The firewall has two network interfaces. Where Internet 
+<p align="left">The firewall has two network interfaces. Where Internet  connectivity
-connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+is through a cable or DSL "Modem", the <i>External Interface</i>  will be
- will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
          <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
           over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
     <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
@ -270,31 +271,32 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-                       If your external interface is <b>ppp0</b>  or<b> ippp0</b>  
+                        If your external interface is <b>ppp0</b>  or<b>
-    then   you   will want to  set CLAMPMSS=yes in <a
+ippp0</b>       then   you   will want to  set CLAMPMSS=yes in <a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
-         (eth1  or eth0) and will be connected to a hub or switch. Your other 
+          (eth1  or eth0) and will be connected to a hub or switch. Your
-    computers     will be  connected to the same hub/switch (note: If you 
+other      computers     will be  connected to the same hub/switch (note:
-have    only a single     internal system,  you can connect the firewall directly
+If you  have    only a single     internal system,  you can connect the firewall
-   to the computer   using  a <i>cross-over </i> cable).</p>
+directly    to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
                    </b></u>Do not connect the internal and external interface
-   to  the   same   hub or switch (even for testing). It won't work the way 
+    to  the   same   hub or switch (even for testing). It won't work the
-  that  you think  that   it will and you will end up confused and  believing 
+way    that  you think  that   it will and you will end up confused and 
-  that  Shorewall   doesn't   work at all.</p>
+believing    that  Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-                       The Shorewall two-interface sample configuration assumes 
+                        The Shorewall two-interface sample configuration
-   that    the   external  interface is <b>eth0</b> and the internal interface 
+assumes     that    the   external  interface is <b>eth0</b> and the internal
-   is <b>eth1</b>.     If your  configuration is different, you will have 
+interface     is <b>eth1</b>.     If your  configuration is different, you
-to   modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
+will have  to   modify the sample    <a
-   file    accordingly.  While you are there, you may wish to  review the
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>     file
- list   of options   that are  specified for the interfaces. Some hints:</p>
+   accordingly.  While you are there, you may wish to  review the  list 
 of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
                       <li>                     
@ -313,17 +315,18 @@ to   modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet
-          Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
+           Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
-   a  single    <i> Public</i> IP address. This address may be assigned via
+you    a  single    <i> Public</i> IP address. This address may be assigned
-  the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
+via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part
- establishing  your  connection   when you dial in (standard modem) or establish
+of  establishing  your  connection   when you dial in (standard modem) or
- your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
+establish  your PPP  connection.  In rare   cases, your ISP may assign you
- IP address; that  means that  you  configure your firewall's external interface
+a<i> static</i>  IP address; that  means that  you  configure your firewall's
-    to use that  address permanently.<i>  </i>However your external address
+external interface     to use that  address permanently.<i>  </i>However
-  is  assigned, it  will be shared by all of your systems when you access
+your external address   is  assigned, it  will be shared by all of your systems
-the   Internet. You will have to assign your  own addresses in your  internal
+when you access the   Internet. You will have to assign your  own addresses
- network (the Internal  Interface on your firewall  plus your other  computers).
+in your  internal  network (the Internal  Interface on your firewall  plus
- RFC 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
+your other  computers).  RFC 1918 reserves  several <i>Private </i>IP address
 ranges for this  purpose:</p>
 <div align="left">    
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -332,19 +335,19 @@ the   Internet. You will have to assign your  own addresses in your  internal
 <div align="left">    
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                          Before starting Shorewall, you should look at the 
+                           Before starting Shorewall, you should look at
- IP  address     of  your  external    interface and if it is one of the above
+the   IP  address     of  your  external    interface and if it is one of
-  ranges, you    should  remove  the    'norfc1918' option from the external
+the above   ranges, you    should  remove  the    'norfc1918' option from
-  interface's   entry  in    /etc/shorewall/interfaces.</p>
+the external   interface's   entry  in    /etc/shorewall/interfaces.</p>
                    </div>
 <div align="left">    
 <p align="left">You will want to assign your addresses from the same <i>
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
             to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
-a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address 
+ a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The
-  x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is
+address    x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255
-  reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, 
+is   reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
   a subnet  is  described  using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
    </i>(CIDR)  notation</a> with consists of the subnet  address followed
@ -399,17 +402,17 @@ a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
 <div align="left">    
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-                       Your local computers (computer    1 and computer 2 
+                        Your local computers (computer    1 and computer
-in  the   above    diagram)   should be configured with their<i>    default 
+2  in  the   above    diagram)   should be configured with their<i>    default
 gateway</i>    to  be  the IP address   of the firewall's internal    interface.<i>     
    </i>  </p>
                    </div>
 <p align="left">The foregoing short discussion barely scratches the surface
           regarding subnetting and routing. If you are interested in learning
-    more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
+     more     about  IP addressing and routing, I highly recommend <i>"IP
-         What Everyone  Needs to Know about Addressing &amp; Routing",</i>
+Fundamentals:          What Everyone  Needs to Know about Addressing &amp;
- Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
           your network as shown here:</p>
@ -432,43 +435,44 @@ in the 10.10.10.0/24   subnet then you will need to select a DIFFERENT RFC
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-         to as <i>non-routable</i> because the Internet backbone routers don't
+          to as <i>non-routable</i> because the Internet backbone routers
-     forward    packets  which have an RFC-1918 destination address. When
+don't      forward    packets  which have an RFC-1918 destination address.
-one    of your local    systems  (let's assume computer 1) sends a connection 
+When one    of your local    systems  (let's assume computer 1) sends a connection
  request    to an internet    host, the  firewall must perform <i>Network
-Address Translation     </i>(NAT).    The firewall  rewrites the source address 
+ Address Translation     </i>(NAT).    The firewall  rewrites the source
-in the packet to   be the address    of the firewall's  external interface; 
+address  in the packet to   be the address    of the firewall's  external
-in other words,   the firewall makes    it look as if the firewall  itself 
+interface;  in other words,   the firewall makes    it look as if the firewall
-is initiating the   connection.  This is   necessary so that the  destination 
+ itself  is initiating the   connection.  This is   necessary so that the
-  host will be able   to route return packets   back to the firewall  (remember 
+ destination    host will be able   to route return packets   back to the
-  that packets whose   destination address is   reserved by RFC 1918 can't 
+firewall  (remember    that packets whose   destination address is   reserved
-  be routed across the   internet so the remote host  can't address its response 
+by RFC 1918 can't    be routed across the   internet so the remote host 
-  to  computer 1).  When the firewall receives a return packet, it  rewrites 
+can't address its response    to  computer 1).  When the firewall receives
-  the destination address  back to 10.10.10.1  and  forwards the packet on 
+a return packet, it  rewrites    the destination address  back to 10.10.10.1
- to computer 1. </p>
+ and  forwards the packet on   to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> but you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
                       <li>                     
    <p align="left"><i>Masquerade</i> describes the case where you let your
-            firewall system automatically detect the external interface address. 
+             firewall system automatically detect the external interface
-             </p>
+address.               </p>
                      </li>
                      <li>                     
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
-         the    source address that you want outbound packets from your local 
+          the    source address that you want outbound packets from your
-    network     to use.    </p>
+local      network     to use.    </p>
                      </li>
 </ul>
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with
-          entries in the /etc/shorewall/masq file. You will normally use Masquerading
+           entries in the /etc/shorewall/masq file. You will normally use
-         if  your external IP is dynamic and SNAT if the IP is static.</p>
+Masquerading          if  your external IP is dynamic and SNAT if the IP
 is static.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
@ -480,11 +484,11 @@ is initiating the   connection.
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                       If your external IP is  static, you can enter it in
+                        If your external IP is  static, you can enter it
- the  third    column    in the /etc/shorewall/masq entry if  you like although 
+in  the  third    column    in the /etc/shorewall/masq entry if  you like
-  your firewall    will    work fine if you leave that column empty.  Entering 
+although    your firewall    will    work fine if you leave that column empty.
-  your static  IP  in column    3 makes processing outgoing packets a little 
+ Entering    your static  IP  in column    3 makes processing outgoing packets
-   more efficient.<br>
+a little     more efficient.<br>
            <br>
            <img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
@ -494,7 +498,7 @@ is initiating the   connection.
            </p>
 <ul>
-             <li>NAT_ENABLED=Yes</li>
+              <li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
              <li>IP_FORWARDING=On<br>
              </li>
@ -505,11 +509,11 @@ is initiating the   connection.
 <p align="left">One of your goals may be to run one or more servers on your
           local computers. Because these computers have RFC-1918 addresses,
   it   is   not  possible for clients on the internet to connect directly
-to  them.   It   is rather  necessary for those clients to address their connection
+ to  them.   It   is rather  necessary for those clients to address their
-  requests     to the firewall  who rewrites the destination address to the
+connection   requests     to the firewall  who rewrites the destination address
-  address of   your   server and forwards  the packet to that server. When
+to the   address of   your   server and forwards  the packet to that server.
- your server responds,     the firewall automatically  performs SNAT to rewrite
+When  your server responds,     the firewall automatically  performs SNAT
-  the source address   in  the response.</p>
+to rewrite   the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
          Destination Network Address Translation</i> (DNAT). You configure
@ -580,13 +584,13 @@ to  them.   It   is rather  necessary for those clients to address their connect
 <ul>
                       <li>You must test the above rule from a client outside
- of  your   local    network    (i.e., don't test from a browser running on
+  of  your   local    network    (i.e., don't test from a browser running
- computers     1 or 2  or  on the    firewall). If you want to be able to
+on  computers     1 or 2  or  on the    firewall). If you want to be able
-access your  web   server  using  the IP    address of your external interface,
+to access your  web   server  using  the IP    address of your external interface, 
 see     <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
                       <li>Many ISPs block incoming connection requests to
-port   80.   If  you   have     problems connecting to your web server, try 
+ port   80.   If  you   have     problems connecting to your web server,
-the  following   rule and  try     connecting to port 5000.</li>
+try  the  following   rule and  try     connecting to port 5000.</li>
 </ul>
@ -624,24 +628,24 @@ any   DNAT   rules    that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting
-         an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
+          an IP  address your firewall's <i>Domain Name Service </i>(DNS)
-        will be  automatically configured (e.g., the /etc/resolv.conf file
+resolver         will be  automatically configured (e.g., the /etc/resolv.conf
- will     be  written).  Alternatively, your ISP may have given you the IP
+file  will     be  written).  Alternatively, your ISP may have given you
- address    of a  pair of DNS <i> name servers</i> for you to manually configure
+the IP  address    of a  pair of DNS <i> name servers</i> for you to manually
- as  your    primary  and secondary  name servers. Regardless of how DNS
+configure  as  your    primary  and secondary  name servers. Regardless of
-gets   configured    on your  firewall, it is <u>your</u> responsibility to
+how DNS gets   configured    on your  firewall, it is <u>your</u> responsibility
-configure   the resolver    in your   internal systems. You can take one of
+to configure   the resolver    in your   internal systems. You can take one
-two approaches:</p>
+of two approaches:</p>
 <ul>
                       <li>                     
    <p align="left">You can configure your internal systems to use your ISP's
          name    servers. If you ISP gave you the addresses of their servers
-   or   if   those    addresses are available on their web site, you can configure
+    or   if   those    addresses are available on their web site, you can
-      your   internal    systems to use those addresses. If that information
+configure       your   internal    systems to use those addresses. If that
-   isn't   available,   look in    /etc/resolv.conf on your firewall system
+information    isn't   available,   look in    /etc/resolv.conf on your firewall
-  -- the name  servers are  given in    "nameserver" records in that file.
+system   -- the name  servers are  given in    "nameserver" records in that
-   </p>
+file.    </p>
                      </li>
                      <li>                     
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -654,8 +658,8 @@ internal   systems to use  the firewall    itself as their primary (and only)
 name  server.  You use the  internal IP     address of the firewall (10.10.10.254 
 in the  example above)  for the name       server address. To allow your 
 local systems  to talk to  your caching name      server, you must open port 
-53 (both UDP  and TCP) from  the local network   to the    firewall; you
+53 (both UDP  and TCP) from  the local network   to the    firewall; you do
-do that by adding  the following  rules in /etc/shorewall/rules.       </p>
+that by adding  the following  rules in /etc/shorewall/rules.       </p>
                      </li>
 </ul>
@ -744,8 +748,8 @@ do that by adding  the following  rules in /etc/shorewall/rules.       </p>
 <div align="left">    
 <p align="left">Those rules allow DNS access from your firewall and may be
-            removed if you uncommented the line in /etc/shorewall/policy allowing
+             removed if you uncommented the line in /etc/shorewall/policy
-         all    connections from the firewall to the internet.</p>
+allowing          all    connections from the firewall to the internet.</p>
                    </div>
 <div align="left">    
@ -821,8 +825,7 @@ do that by adding  the following  rules in /etc/shorewall/rules.       </p>
                     </div>
 <div align="left">    
-<p align="left">Example - You want to run a Web Server on your firewall 
+<p align="left">Example - You want to run a Web Server on your firewall  system:</p>
 system:</p>
                    </div>
 <div align="left">    
@ -865,8 +868,8 @@ system:</p>
 <div align="left">    
 <p align="left">Those two rules would of course be in addition to the rules
-            listed above under "You can configure a Caching Name Server on 
+             listed above under "You can configure a Caching Name Server
- your     firewall"</p>
+on   your     firewall"</p>
                    </div>
 <div align="left">    
@ -877,7 +880,8 @@ system:</p>
 <div align="left">    
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
             the internet because it uses clear text (even for login!). If
-you    want     shell    access to your firewall from the internet, use SSH:</p>
+ you    want     shell    access to your firewall from the internet, use
 SSH:</p>
                    </div>
 <div align="left">    
@ -991,8 +995,8 @@ you  have completed configuration     of your firewall, you can enable Shorewall
     routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
             running firewall may be restarted using the "shorewall restart"
-  command.       If    you want to totally remove any trace of Shorewall from
+   command.       If    you want to totally remove any trace of Shorewall
-  your Netfilter          configuration, use "shorewall clear".</p>
+from   your Netfilter          configuration, use "shorewall clear".</p>
                    </div>
 <div align="left">    
@ -1007,20 +1011,21 @@ if you  wish to  enable       access to/from other hosts, change /etc/shorewall/
 <div align="left">    
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-         the    internet, do not issue a "shorewall stop" command unless you
+          the    internet, do not issue a "shorewall stop" command unless
-   have     added an    entry for the IP address that you are connected from
+you    have     added an    entry for the IP address that you are connected
-   to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
        Also, I don't recommend using "shorewall restart"; it is better to
 create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
  configuration</a></i>        and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
                    </div>
-<p align="left"><font size="2">Last updated 2/21/2003 - <a
+<p align="left"><font size="2">Last updated 6/27/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
    Thomas      M. Eastep</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@ -55,12 +55,16 @@ are    currently running.<br>
 <h3> </h3>
 <h3>Version &gt;= 1.4.6</h3>
 The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed from
 shorewall.conf. These capabilities are now automatically detected by Shorewall.<br>
 <h3>Version &gt;= 1.4.4</h3>
   If you are upgrading from 1.4.3 and have set the LOGMARKER variable in 
-<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
+<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then you
-you  must set the new LOGFORMAT variable appropriately and remove your setting
+ must set the new LOGFORMAT variable appropriately and remove your setting 
 of LOGMARKER<br>
  <br>
 <h3>Version 1.4.4<br>
 </h3>
 If you have zone names that are 5 characters long, you may experience problems
@ -85,14 +89,14 @@ Upgrade to Version 1.4.4a to fix this problem..<br>
 <ul>
           <li>Beginning with Version 1.4.1, traffic between groups in the
-same   zone is accepted by default.  Previously, traffic from a zone to itself
+ same   zone is accepted by default.  Previously, traffic from a zone to
- was  treated just like any other  traffic; any matching rules were applied
+itself  was  treated just like any other  traffic; any matching rules were
- followed  by enforcement of the appropriate  policy. With 1.4.1 and later
+applied  followed  by enforcement of the appropriate  policy. With 1.4.1
- versions,  unless you have explicit rules for  traffic from Z to Z or you
+and later  versions,  unless you have explicit rules for  traffic from Z
- have an explicit  Z to Z policy (where "Z" is some  zone) then traffic between
+to Z or you  have an explicit  Z to Z policy (where "Z" is some  zone) then
- the groups in  zone Z will be accepted. If you do have one or more explicit
+traffic between  the groups in  zone Z will be accepted. If you do have one
- rules for Z to Z or if you have an explicit Z to Z policy then the behavior
+or more explicit  rules for Z to Z or if you have an explicit Z to Z policy
- is as it was in prior versions.</li>
+then the behavior  is as it was in prior versions.</li>
 </ul>
@ -101,8 +105,8 @@ same   zone is accepted by default.  Previously, traffic from a zone to itself
             <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
  between   two interfaces to the same zone, that policy can be removed and
  traffic between  the interfaces will traverse fewer rules than previously.</li>
-            <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
+             <li>If you have a Z Z DROP or Z Z REJECT policy or you have
-   rules then your configuration should not require any change.</li>
+Z-&gt;Z    rules then your configuration should not require any change.</li>
            <li>If you are currently relying on a implicit policy (one that 
 has   "all" in either the SOURCE or DESTINATION column) to prevent traffic 
 between   two interfaces to a zone Z and you have no rules for Z-&gt;Z then 
@ -124,16 +128,16 @@ between  them. </li>
  <blockquote>                             
    <pre>/etc/shorewall/zones<br><br>z1	Zone1	The first Zone<br>z2	Zone2	The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2	eth1	192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1	eth1:192.168.1.3<br></pre>
         </blockquote>
-       Here, zone z1 is nested in zone z2 and the firewall is not going to
+        Here, zone z1 is nested in zone z2 and the firewall is not going
- be  involved in any traffic between these two zones. Beginning with Shorewall 
+to  be  involved in any traffic between these two zones. Beginning with Shorewall
-  1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
+   1.4.1, you can prevent Shorewall from setting up any infrastructure to
-  traffic between z1 and z2 by using the new NONE policy:<br>
+handle   traffic between z1 and z2 by using the new NONE policy:<br>
  <blockquote>                             
    <pre>/etc/shorewall/policy<br><pre>z1	z2	NONE<br>z2	z1	NONE</pre></pre>
        </blockquote>
-       Note that NONE policies are generally used in pairs unless there is
+        Note that NONE policies are generally used in pairs unless there
- asymetric   routing where only the traffic on one direction flows through
+is  asymetric   routing where only the traffic on one direction flows through 
 the firewall   and you are using a NONE polciy in the other direction. </blockquote>
 <h3>Version 1.4.1<br>
@ -142,9 +146,9 @@ between  them. </li>
 <ul>
           <li>In Version 1.4.1, Shorewall will never create rules  to  deal
  with traffic from a given group back to itself.  The <i>multi</i>  interface
- option is no longer available so if you want to route traffic between  two 
+  option is no longer available so if you want to route traffic between 
- subnetworks on the same interface then I recommend that you upgrade to Version 
+two   subnetworks on the same interface then I recommend that you upgrade
- 1.4.2 and use the 'routeback' interface or host option. </li>
+to Version   1.4.2 and use the 'routeback' interface or host option. </li>
 </ul>
@ -158,31 +162,31 @@ iproute2    which will cause the upgrade of Shorewall to fail with the diagnosti
                error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
        <br>
             <br>
-          This may be worked around by using the --nodeps option of rpm (rpm
+           This may be worked around by using the --nodeps option of rpm
-  -Uvh   --nodeps &lt;shorewall rpm&gt;).<br>
+(rpm   -Uvh   --nodeps &lt;shorewall rpm&gt;).<br>
             <br>
             If you are upgrading from a version &lt; 1.4.0, then:<br>
 <ul>
-                 <li>The <b>noping </b>and <b>forwardping</b> interface options
+                  <li>The <b>noping </b>and <b>forwardping</b> interface
-   are   no  longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
+options    are   no  longer supported nor is the <b>FORWARDPING </b>option
-      ICMP echo-request (ping) packets are treated just like any other connection
+in shorewall.conf.       ICMP echo-request (ping) packets are treated just
-      request and are subject to rules and policies.</li>
+like any other connection       request and are subject to rules and policies.</li>
                  <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
   in   /etc/shorewall/interfaces   now generate a Shorewall error at startup 
   (they   always have produced warnings   in iptables).</li>
                  <li>The MERGE_HOSTS variable has been removed from shorewall.conf. 
     Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
-  contents   are  determined by BOTH the interfaces and hosts files when there
+   contents   are  determined by BOTH the interfaces and hosts files when
-  are entries   for the zone in both files.</li>
+there   are entries   for the zone in both files.</li>
                  <li>The <b>routestopped</b> option in the interfaces and
 hosts   file   has  been eliminated; use entries in the routestopped file
 instead.</li>
                  <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
 is  no  longer     accepted; you must convert to using the new syntax.</li>
                  <li value="6">The ALLOWRELATED variable in shorewall.conf 
- is  no  longer    supported.  Shorewall 1.4 behavior is the same as 1.3
+ is  no  longer    supported.  Shorewall 1.4 behavior is the same as 1.3 with
-with  ALLOWRELATED=Yes.</li>
+ ALLOWRELATED=Yes.</li>
                  <li value="6">Late-arriving DNS replies are now dropped 
 by  default;     there  is no need for your own /etc/shorewall/common file 
 simply  to avoid     logging  these packets.</li>
@ -247,9 +251,9 @@ and would    masquerade   traffic  from that subnet. Any other subnets that
 routed through    eth1 needed   their  own entry in /etc/shorewall/masq to 
 be masqueraded   or  to have SNAT   applied.</li>
                    <li>Beginning with Shorewall 1.3.14, Shorewall uses the 
- firewall's      routing   table to determine ALL subnets routed through
+ firewall's      routing   table to determine ALL subnets routed through the
-the  named interface.      Traffic   originating in ANY of those subnets
+ named interface.      Traffic   originating in ANY of those subnets is masqueraded
-is masqueraded  or has SNAT     applied.</li>
+ or has SNAT     applied.</li>
 </ul>
                  You will need to make a change to your configuration if:<br>
@ -285,10 +289,10 @@ like   this?<br>
 height="13">
                     Version 1.3.14 also introduced simplified ICMP echo-request 
   (ping)    handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
-       is used  to specify that the old (pre-1.3.14) ping handling is to
+       is used  to specify that the old (pre-1.3.14) ping handling is to be
-be   used     (If the option is not set in your /etc/shorewall/shorewall.conf
+  used     (If the option is not set in your /etc/shorewall/shorewall.conf 
- then OLD_PING_HANDLING=Yes      is assumed). I don't plan on supporting
+ then OLD_PING_HANDLING=Yes      is assumed). I don't plan on supporting the
-the  old handling indefinitely  so   I urge current users to migrate to using
+ old handling indefinitely  so   I urge current users to migrate to using 
 the new handling as soon as  possible.    See the <a href="ping.html">'Ping' 
 handling documentation</a>  for details.<br>
@ -343,8 +347,8 @@ floppy     with the    later one.  If you did
  instructions   below.</li>
                                                        <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                            file and remove the /var/lib/shorewall 
-         entry  if                                  present. Then do not
+         entry  if                                  present. Then do not forget
-forget       to   backup  root.lrp !</li>
+      to   backup  root.lrp !</li>
 </ol>
@ -362,19 +366,20 @@ forget       to   backup  root.lrp !</li>
 <p align="left">If you have a pair of firewall systems configured for   
     failover or if you have asymmetric routing, you will need to modify
-                  your firewall setup slightly under Shorewall versions 1.3.6
+                   your firewall setup slightly under Shorewall versions
-      and   1.3.7</p>
+1.3.6       and   1.3.7</p>
 <ol>
                                    <li>                                
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
                      the following rule<br>
                                  <br>
                                  <font face="Courier">run_iptables -A newnotsyn 
   -j  RETURN    #  So  that the            connection tracking table can 
 be   rebuilt<br>
-                                                                      # from
+                                                                       #
-  non-SYN     packets     after  takeover.<br>
+from   non-SYN     packets     after  takeover.<br>
                         </font>  </p>
                         </li>
                         <li>                                    
@ -428,14 +433,15 @@ Acks  to rebuild   connection<br>
 <p align="left">The functions and versions files together with the      'firewall'
   symbolic link have moved from /etc/shorewall to /var/lib/shorewall.  
-               If you have applications that access these files, those  applications
+                 If you have applications that access these files, those
-                   should be modified accordingly.</p>
+ applications                    should be modified accordingly.</p>
-<p><font size="2">  Last updated 5/27/2003 -   <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">  Last updated 6/29/2003 -   <a href="support.htm">Tom
-</p>
+Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
             © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
 </body>
 </html>