Some documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@463 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-25 12:13:29 +02:00 · 2003-02-22 20:15:15 +00:00 · 2003-02-22 20:15:15 +00:00 · 5f9ff7336a
commit 5f9ff7336a
parent 9b98ecbff5
3 changed files with 1507 additions and 1477 deletions
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -23,6 +23,7 @@
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -80,8 +81,8 @@ do   I  do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
-                    to  check my firewall and it shows <b>some ports as 'closed'
+                     to  check my firewall and it shows <b>some ports as
-       rather       than     'blocked'.</b>  Why?</a></p>
+'closed'         rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
@ -96,6 +97,7 @@ do   I  do?</a></p>
                      written and  how do I <b>change the destination</b>?</a></p>
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
                      that work with Shorewall?</a></p>
@ -106,7 +108,7 @@ do   I  do?</a></p>
           </p>
 <p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow 
-    of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.  
+     of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.
      They get dropped, but what the heck are they?</a><br>
           </p>
@ -151,9 +153,9 @@ modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
-                    IP  addresses, my ISP's DHCP server has an RFC 1918 address.
+                     IP  addresses, my ISP's DHCP server has an RFC 1918
-       If   I  enable       RFC 1918  filtering on my external interface,
+address.         If   I  enable       RFC 1918  filtering on my external
-<b>my      DHCP  client  cannot    renew   its lease</b>.</a></p>
+interface,  <b>my      DHCP  client  cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
@ -175,9 +177,9 @@ maintain   separate    rulesets for    different   IPs?</a><br>
    to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do
    anything</b>.  Why?</a><br>
                             <br>
-                           <b>20. </b><a href="#faq20">I have just set  up
+                             <b>20. </b><a href="#faq20">I have just set
-  a   server.      <b>Do  I have to change Shorewall to allow access to my 
+ up   a   server.      <b>Do  I have to change Shorewall to allow access
- server    from   the  internet?<br>
+to my   server    from   the  internet?<br>
                   <br>
                   </b></a><b>21. </b><a href="#faq21">I see these <b>strange 
  log   entries      </b>occasionally;    what are they?<br>
@ -186,25 +188,28 @@ maintain   separate    rulesets for    different   IPs?</a><br>
   </b>that     I  want to <b>run when Shorewall starts.</b> Which file do 
 I  put them in?</a><br>
                 <br>
-               <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b>
+                 <b>23. </b><a href="#faq23">Why do you use such <b>ugly
-    on  your   <b>web site</b>?</a><br>
+fonts</b>      on  your   <b>web site</b>?</a><br>
              <br>
              <b>24. </b><a href="#faq24">How can I <b>allow conections</b> 
-to  let's    say  the ssh port only<b> from specific IP Addresses</b> on the
+ to  let's    say  the ssh port only<b> from specific IP Addresses</b> on 
-internet?</a><br>
+the internet?</a><br>
 <br>
 <b>25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b> 
 I am <b>running</b>?</a><br>
     <br>
 <hr>                                           
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
-                    my my personal PC with IP address 192.168.1.5. I've looked
+                     my my personal PC with IP address 192.168.1.5. I've
-     everywhere           and    can't find how to do it.</h4>
+looked       everywhere           and    can't find how to do it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to
-                    do port forwarding under Shorewall. The format of a port-forwarding
+                     do port forwarding under Shorewall. The format of a
-              rule to a local system is as   follows:</p>
+port-forwarding                rule to a local system is as   follows:</p>
 <blockquote>                                                             
@ -224,8 +229,8 @@ internet?</a><br>
                                               <tr>
                                                 <td>DNAT</td>
                                                 <td>net</td>
-                                               <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
+                                                 <td>loc:<i>&lt;local IP
-              port</i>&gt;]</td>
+address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
                                                 <td><i>&lt;protocol&gt;</i></td>
                                                 <td><i>&lt;port #&gt;</i></td>
                                                 <td> <br>
@ -283,8 +288,8 @@ internet?</a><br>
 <div align="left">                      <font face="Courier">     </font>If 
-         you want to forward requests directed to a particular address ( <i>&lt;external
+          you want to forward requests directed to a particular address ( 
-         IP&gt;</i> ) on your firewall to an internal system:</div>
+<i>&lt;external          IP&gt;</i> ) on your firewall to an internal system:</div>
 <blockquote>                                                             
@ -304,8 +309,8 @@ internet?</a><br>
                                               <tr>
                                                 <td>DNAT</td>
                                                 <td>net</td>
-                                               <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
+                                                 <td>loc:<i>&lt;local IP
-              port</i>&gt;]</td>
+address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
                                                 <td><i>&lt;protocol&gt;</i></td>
                                                 <td><i>&lt;port #&gt;</i></td>
                                                 <td>-</td>
@ -336,8 +341,8 @@ specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
 href="#faq2">FAQ   #2</a>).</li>
                                             <li>You have a more basic problem
   with   your   local    system    such   as  an   incorrect default gateway
-  configured    (it  should    be set to   the IP   address    of your  firewall's
+   configured    (it  should    be set to   the IP   address    of your 
-  internal    interface).</li>
+firewall's    internal    interface).</li>
 </ul>
@ -345,7 +350,8 @@ specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
 <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port 
                forwarding</h4>
-                               <b>Answer: </b>To further diagnose this problem:<br>
+                                 <b>Answer: </b>To further diagnose this
 problem:<br>
 <ul>
                                   <li>As root, type "iptables -t nat -Z".
@ -353,9 +359,9 @@ This   clears    the   NetFilter      counters   in the nat table.</li>
                                   <li>Try to connect to the redirected port
  from   an  external     host.</li>
                                   <li>As root type "shorewall show nat"</li>
-                                 <li>Locate the appropriate DNAT rule. It 
+                                   <li>Locate the appropriate DNAT rule.
-will   be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat'
+It  will   be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat 
-   in the above   examples).</li>
+('net_dnat'    in the above   examples).</li>
                                   <li>Is the packet count in the first column
   non-zero?      If  so,   the   connection    request is reaching the firewall
   and is  being    redirected    to   the server.  In  this case, the problem
@ -372,10 +378,10 @@ the  server (the   server's  default  gateway  should    be the IP address
    IP  address     on  your   firewall   and your rule is only redirecting 
  the  primary  IP  address    (You  need to specify   the secondary IP address
    in the "ORIG.   DEST." column    in  your DNAT rule);  or</li>
-                                   <li>your DNAT rule doesn't match the connection
+                                     <li>your DNAT rule doesn't match the 
-     request     in  some   other   way. In that case, you may have to use
+connection      request     in  some   other   way. In that case, you may 
- a  packet  sniffer     such  as tcpdump  or  ethereal to further diagnose
+have to use  a  packet  sniffer     such  as tcpdump  or  ethereal to further 
- the  problem.<br>
+diagnose  the  problem.<br>
                                     </li>
@ -463,7 +469,8 @@ is eth1  and    that    eth1 has IP   address      192.168.1.254  with subnet
 <div align="left">                                           
 <p align="left">That rule only works of course if you have a static external
                     IP  address. If you  have a dynamic IP address and are
- running        Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
+  running        Shorewall          1.3.4 or later then include this in 
 /etc/shorewall/params:</p>
                                          </div>
@ -615,6 +622,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                                           </blockquote>
 <p align="left">In /etc/shorewall/masq:</p>
@ -667,10 +675,10 @@ archives    at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
                     always    rejects connection requests on TCP port 113
 rather       than     dropping        them. This is    necessary to prevent
-outgoing     connection       problems to   services    that use the    'Auth'
+ outgoing     connection       problems to   services    that use the   
-mechanism     for identifying       requesting  users.  Shorewall    also
+'Auth'  mechanism     for identifying       requesting  users.  Shorewall
-rejects TCP      ports 135, 137 and    139  as well as  UDP ports  137-139.
+   also  rejects TCP      ports 135, 137 and    139  as well as  UDP ports
-  These are   ports that are    used  by  Windows  (Windows  <u>can</u> 
+ 137-139.    These are   ports that are    used  by  Windows  (Windows  <u>can</u>
 be configured    to use the DCE cell locator       on port  135). Rejecting
 these  connection   requests   rather than dropping    them    cuts down
 slightly on the amount   of Windows  chatter on LAN segments    connected
@ -766,22 +774,22 @@ all messages,  set: </p>
          <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
                          </p>
                        </blockquote>
-                      I personnaly use Logwatch. It emails me a report each 
+                        I personnaly use Logwatch. It emails me a report
- day   from   my  various    systems with each report summarizing the logged 
+each   day   from   my  various    systems with each report summarizing the
- activity   on  the  corresponding    system.                            
+logged   activity   on  the  corresponding    system.                   
 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 
     are <b>flooding the logs</b> with their connect requests. Can i exclude 
   these  error messages for this port temporarily from logging in Shorewall?</h4>
           Temporarily add the following rule:<br>
-<pre>	DROP    net    fw    udp    10619</pre>
+<pre>	DROP    net    fw    udp    10619</pre>
 <h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow 
-    of these DROP messages from port 53 to some high numbered port.  They 
+     of these DROP messages from port 53 to some high numbered port.  They 
 get    dropped, but what the heck are they?</h4>
-<pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
+<pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
           <b>Answer: </b>There are two possibilities:<br>
 <ol>
@ -826,8 +834,8 @@ is actually the Ethernet frame header. In contains:<br>
 </ul>
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
-                    stop', I can't connect to anything. Why doesn't that command
+                     stop', I can't connect to anything. Why doesn't that 
-       work?</h4>
+command        work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into
@ -920,9 +928,9 @@ prerequisites</a>.</p>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
                     (<a href="http://www.cityofshoreline.com">the      city
-  where      I  live</a>)          and "Fire<u>wall</u>". The full name of
+   where      I  live</a>)          and "Fire<u>wall</u>". The full name
- the product      is actually "Shoreline Firewall" but "Shorewall" is must
+of   the product      is actually "Shoreline Firewall" but "Shorewall" is
- more commonly   used.</p>
+must   more commonly   used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
@ -950,7 +958,8 @@ following:</p>
 <div align="left">                                             
 <p align="left">If you are running version 1.3.1 or later, simply add the
-                       following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
+                        following to<a href="Documentation.htm#rfc1918">
 /etc/shorewall/rfc1918</a>:</p>
                                          </div>
@ -987,8 +996,8 @@ following:</p>
 <p align="left">Note: If you add a second IP address to your external firewall
                    interface to correspond to the modem address, you must
 also     make     an   entry      in /etc/shorewall/rfc1918 for that address.
-For    example,    if you   configure      the address 192.168.100.2 on your
+ For    example,    if you   configure      the address 192.168.100.2 on
-firewall,    then   you would   add two entries      to /etc/shorewall/rfc1918:
+your  firewall,    then   you would   add two entries      to /etc/shorewall/rfc1918:
  <br>
                                        </p>
@ -1047,8 +1056,8 @@ its lease.</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
                     the net", I wonder  where the poster bought computers
 with     eyes     and    what     those computers will "see"  when things
-are working     properly.      That   aside,     the most common causes of
+ are working     properly.      That   aside,     the most common causes
-this  problem    are:</p>
+of  this  problem    are:</p>
 <ol>
@ -1071,9 +1080,9 @@ this  problem    are:</p>
    <p align="left">The DNS settings on the local systems are wrong or the
-                       user is running a DNS server on the firewall and hasn't
+                        user is running a DNS server on the firewall and
-     enabled        UDP    and   TCP    port 53 from the firewall to the
+hasn't       enabled        UDP    and   TCP    port 53 from the firewall
-internet.</p>
+to the internet.</p>
                                              </li>
@ -1091,10 +1100,13 @@ console        is   specified     in /etc/sysconfig/init    in the    LOGLEVEL
 variable.<br>
                                      </p>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
         logged?</h4>
                                      <b>Answer: </b>Logging occurs out of
-a  number    of  chains    (as   indicated      in  the log message) in Shorewall:<br>
+ a  number    of  chains    (as   indicated      in  the log message) in
 Shorewall:<br>
 <ol>
                                        <li><b>man1918 - </b>The destination
@ -1106,8 +1118,8 @@ a  number    of  chains    (as   indicated      in  the log message) in Shorewal
                                       <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> 
         or      <b>all2all          </b>-  You have a<a
 href="Documentation.htm#Policy"> policy</a> that     specifies a  log level
-          and this packet is being logged under that policy.     If you intend
+           and this packet is being logged under that policy.     If you
-      to   ACCEPT this traffic then you need a  <a
+intend        to   ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                                       </li>
                                        <li><b>&lt;zone1&gt;2&lt;zone2&gt;
@ -1120,44 +1132,46 @@ under that policy   or this packet matches    a     <a
   is  being    logged    under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
                                 </li>
-                                      <li><b>logpkt</b> - The packet is being 
+                                        <li><b>logpkt</b> - The packet is 
-  logged    under    the       <b>logunclean</b>            <a
+being    logged    under    the       <b>logunclean</b>            <a
 href="Documentation.htm#Interfaces">interface   option</a>.</li>
-                                      <li><b>badpkt </b>- The packet is being 
+                                        <li><b>badpkt </b>- The packet is 
-  logged    under    the       <b>dropunclean</b>            <a
+being    logged    under    the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified 
     in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-                                      <li><b>blacklst</b> - The packet is 
+                                        <li><b>blacklst</b> - The packet
-being    logged    because     the   source    IP  is blacklisted in the<a
+is  being    logged    because     the   source    IP  is blacklisted in
- href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
+the<a href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist     
-                                      <li><b>newnotsyn </b>- The packet is
+    </a>file.</li>
- being    logged    because     it  is  a  TCP   packet that is not part
+                                        <li><b>newnotsyn </b>- The packet 
 is  being    logged    because     it  is  a  TCP   packet that is not part
 of  any current    connection    yet  it   is not a syn  packet.   Options
 affecting  the logging    of such  packets   include       <b>NEWNOTSYN
      </b>and        <b>LOGNEWNOTSYN        </b>in         <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                                     <li><b>INPUT</b> or <b>FORWARD</b> - 
+                                       <li><b>INPUT</b> or <b>FORWARD</b> 
-The   packet    has   a  source    IP  address    that isn't in any of your 
+-  The   packet    has   a  source    IP  address    that isn't in any of 
-defined   zones    ("shorewall    check"    and  look at the   printed zone 
+your  defined   zones    ("shorewall    check"    and  look at the   printed 
-definitions)   or   the chain is FORWARD   and   the destination  IP  isn't 
+zone  definitions)   or   the chain is FORWARD   and   the destination  IP 
-in any of your   defined    zones.</li>
+ isn't  in any of your   defined    zones.</li>
                              <li><b>logflags </b>- The packet is being logged
-  because     it  failed    the   checks implemented by the <b>tcpflags </b><a
+   because     it  failed    the   checks implemented by the <b>tcpflags
- href="Documentation.htm#Interfaces">interface option</a>.<br>
+    </b><a href="Documentation.htm#Interfaces">interface option</a>.<br>
                              </li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
                 with Shorewall, and maintain separate rulesets for different
    IPs?</h4>
-                                <b>Answer: </b>Yes. You simply use the IP 
+                                  <b>Answer: </b>Yes. You simply use the
-address     in  your   rules    (or   if  you  use NAT, use the local IP address
+IP  address     in  your   rules    (or   if  you  use NAT, use the local
-in   your  rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0)
+IP address in   your  rules).   <b>Note:</b>    The  ":n"  notation  (e.g., 
-is deprecated     and will   disappear eventually.      Neither   iproute
+eth0:0) is deprecated     and will   disappear eventually.      Neither  
- (ip and tc) nor    iptables supports   that notation so  neither    does
+iproute  (ip and tc) nor    iptables supports   that notation so  neither 
-  Shorewall.  <br>
+   does   Shorewall.  <br>
                                  <br>
                                  <b>Example 1:</b><br>
                                  <br>
@ -1184,8 +1198,9 @@ is deprecated     and will   disappear eventually.      Neither   iproute
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
               but they don't seem to do anything. Why?</h4>
-                            You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
+                              You probably haven't set TC_ENABLED=Yes in
-              so the contents of the tcrules file are simply being ignored.<br>
+/etc/shorewall/shorewall.conf                so the contents of the tcrules
 file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have 
              to change Shorewall to allow access to my server from the internet?</b><br>
@ -1206,16 +1221,16 @@ rules for your server.<br>
                           192.0.2.3 is external on my firewall... 172.16.0.0/24
    is  my  internal     LAN<br>
                           <br>
-                         <b>Answer: </b>While most people associate the Internet
+                           <b>Answer: </b>While most people associate the 
-    Control     Message     Protocol (ICMP) with 'ping', ICMP is a key piece
+Internet     Control     Message     Protocol (ICMP) with 'ping', ICMP is 
-   of  the internet.     ICMP   is  used to report problems back to the sender
+a key piece    of  the internet.     ICMP   is  used to report problems back 
-   of a packet; this   is  what  is happening  here. Unfortunately, where
+to the sender    of a packet; this   is  what  is happening  here. Unfortunately, 
-NAT   is involved (including     SNAT,  DNAT and Masquerade),  there are
+where NAT   is involved (including     SNAT,  DNAT and Masquerade),  there 
-a lot  of broken implementations.    That is  what you are seeing with  these
+are a lot  of broken implementations.    That is  what you are seeing with 
-messages.<br>
+ these messages.<br>
                           <br>
-                        Here is my interpretation of what is happening -- 
+                          Here is my interpretation of what is happening
-to  confirm     this   analysis,    one would have to have packet sniffers 
+--  to  confirm     this   analysis,    one would have to have packet sniffers 
 placed  a both    ends of   the connection.<br>
                          <br>
                          Host 172.16.1.10 behind NAT gateway 206.124.146.179 
@ -1244,11 +1259,12 @@ because the source IP is  reserved by RFC 1918.<br>
 href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
 sure that you look at the contents of the chain(s) that you will be modifying 
         with your commands to be sure that the commands will do what they 
-are    intended.    Many iptables commands published in HOWTOs and other instructional
+ are    intended.    Many iptables commands published in HOWTOs and other 
-   material    use the -A command which adds the rules to the end of the
+instructional    material    use the -A command which adds the rules to the 
-chain.    Most chains    that Shorewall constructs end with an unconditional
+end of the chain.    Most chains    that Shorewall constructs end with an 
-DROP,   ACCEPT or REJECT    rule and any rules that you add after that will
+unconditional DROP,   ACCEPT or REJECT    rule and any rules that you add 
-be ignored.   Check "man iptables"   and look at the -I (--insert) command.<br>
+after that will be ignored.   Check "man iptables"   and look at the -I (--insert) 
 command.<br>
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your 
        web site?</h4>
@ -1262,17 +1278,22 @@ like them then  reconfigure   your browser.<br>
              In the SOURCE column of the rule, follow "net" by a colon and 
 a  list   of  the host/subnet addresses as a comma-separated list.<br>
-<pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
+<pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
              Example:<br>
 <pre>    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22<br></pre>
 <h4></h4>
 <div align="left">     </div>
-                             <font size="2">Last updated 2/18/2003 - <a
+                                
- href="support.htm">Tom   Eastep</a></font>                             
+<h4><b><a name="faq25"></a>25. </b>How to I tell <b>which version of Shorewall</b> 
 I am <b>running</b>?<br>
  </h4>
 At the shell prompt, type:<br>
 <br>
 <font color="#009900"><b>    /sbin/shorewall version</b></font><br>
 <br>
 <font size="2">Last updated 2/22/2003 - <a href="support.htm">Tom   Eastep</a></font> 
 <p><a href="copyright.htm"><font size="2">Copyright</font>               ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -1280,5 +1301,7 @@ a  list   of  the host/subnet addresses as a comma-separated list.<br>
     <br>
    <br>
   <br>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@ -41,8 +41,8 @@
      &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
      <br>
      <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-     &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run 
+      &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to
- as  a transparent proxy  as described at <a
+run   as  a transparent proxy  as described at <a
 href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
      <b><br>
      </b><b><img src="images/BD21298_3.gif" alt="" width="13"
@ -82,9 +82,9 @@ DMZ</a></li>
 </ol>
 <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
-        You want to redirect all local www connection requests          EXCEPT
+         You want to redirect all local www connection requests         
-                                                    those to your     own
+EXCEPT                                                     those to your
-   http server                                                  (206.124.146.177)
+    own    http server                                                  (206.124.146.177) 
            to a Squid                                                  transparent 
          proxy  running on the firewall and listening on port 3128. Squid 
    will     of course  require access to remote web servers.<br>
@ -320,7 +320,7 @@ zone to the internet.<br>
 </ul>
 <blockquote>                     
-  <pre><b><font color="#009900">	iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
+  <pre><b><font color="#009900">	iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
   </blockquote>
 <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf 
@ -476,7 +476,7 @@ zone to the internet.<br>
 <blockquote>  </blockquote>
-<p><font size="-1">   Updated 2/21/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="-1">   Updated 2/22/2003 - <a href="support.htm">Tom  Eastep</a>
             </font></p>
@ -490,5 +490,6 @@ zone to the internet.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -23,6 +23,7 @@
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
@ -43,6 +44,7 @@
  </tbody>                                    
 </table>
 <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions 
  emailed directly to me, I try to spend some time each day answering questions 
  on the Shorewall Users Mailing List.</font></big><span
@ -148,9 +150,10 @@ problems:         </li>
    Can anyone tell  you  what that strange smell is?<br>
                 <br>
                 Now, all of us could do some wonderful guessing as to the
-smell    and   even   what's causing it.  You would be absolutely amazed at
+ smell    and   even   what's causing it.  You would be absolutely amazed
-the range   and   variety   of smells we could come up with.  Even more amazing
+at the range   and   variety   of smells we could come up with.  Even more
-is that   all   of the explanations   for the smells would be completely plausible."<br>
+amazing is that   all   of the explanations   for the smells would be completely
 plausible."<br>
                 </i><br>
 <div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
@ -164,8 +167,8 @@ is that   all   of the explanations   for the smells would be completely plausib
             <li>Please remember we only know what is posted in your message. 
   Do  not  leave out any information that appears to be correct,  or was 
 mentioned    in  a previous post. There have been countless  posts by people 
-who were   sure  that some part of their  configuration was correct when
+who were   sure  that some part of their  configuration was correct when it
-it actually   contained  a small error.  We tend to be skeptics where detail
+actually   contained  a small error.  We tend to be skeptics where detail 
 is lacking.<br>
               <br>
             </li>
@ -180,8 +183,8 @@ or  summary.<br>
             </li>
             <li>                                   Please don't describe 
 your   environment   and then  ask  us  to  send   you             custom 
-configuration   files.   We're here  to answer   your  questions     but
+configuration   files.   We're here  to answer   your  questions     but we
-we           can't   do your   job for you.<br>
+          can't   do your   job for you.<br>
               <br>
                    </li>
             <li>When reporting a problem, <strong>ALWAYS</strong> include
@ -252,16 +255,17 @@ please  indicate which one. <br>
 <ul>
             <li><b>NEVER </b>include the output of "<b><font
- color="#009900">iptables    -L</font></b>". Instead, <b>if you are having
+ color="#009900">iptables    -L</font></b>". Instead,<font
-connection  problems of any kind</b>, post the exact output of<br>
+ color="#ff0000"><u><i><big> <b>if you are having connection  problems of
 any kind then:</b></big></i></u></font><br>
    <br>
-              <b><font color="#009900">/sbin/shorewall status<br>
+1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
    <br>
-              </font></b>Since that command generates a lot of output, we 
+2. Try the connection that is failing.<br>
 suggest     that you redirect the output to a file and attach the file to 
 your post<br>
    <br>
-              <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
+3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
    <br>
 4. Post the /tmp/status.txt file as an attachment.<br>
               <br>
             </li>
             <li>As a general matter, please <strong>do not edit the diagnostic 
@ -295,8 +299,8 @@ copy of your /etc/shorewall/interfaces      file.<br>
             <li>Please include any of the Shorewall configuration  files 
   (especially             the    /etc/shorewall/hosts file if you have modified
   that   file)      that  you    think are    relevant. If you include /etc/shorewall/rules, 
-     please include /etc/shorewall/policy as well (rules are meaningless
+     please include /etc/shorewall/policy as well (rules are meaningless unless
-unless      one also knows the policies).                      </li>
+     one also knows the policies).                      </li>
 </ul>
@ -336,18 +340,18 @@ when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>",
 <blockquote>            </blockquote>
             A growing number of MTAs serving list subscribers are rejecting
- all    HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net
+  all    HTML  traffic. At least one MTA has gone so far as to blacklist
-     "for continuous abuse" because it has been my policy to allow HTML in
+shorewall.net      "for continuous abuse" because it has been my policy to
- list    posts!!<br>
+allow HTML in  list    posts!!<br>
               <br>
                I think that blocking all HTML is a Draconian way to control
- spam    and  that the ultimate losers here are not the spammers but the list
+  spam    and  that the ultimate losers here are not the spammers but the
- subscribers      whose MTAs are bouncing all shorewall.net mail. As one
+list  subscribers      whose MTAs are bouncing all shorewall.net mail. As
-list  subscriber   wrote  to me privately "These e-mail admin's need to get
+one list  subscriber   wrote  to me privately "These e-mail admin's need
-a <i>(expletive   deleted)</i>  life instead of trying to rid the planet
+to get a <i>(expletive   deleted)</i>  life instead of trying to rid the
-of HTML based e-mail".   Nevertheless,  to allow subscribers to receive list
+planet of HTML based e-mail".   Nevertheless,  to allow subscribers to receive
-posts as must as possible,   I have now   configured the list server at shorewall.net
+list posts as must as possible,   I have now   configured the list server
-to strip all HTML   from outgoing  posts.<br>
+at shorewall.net to strip all HTML   from outgoing  posts.<br>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -356,9 +360,9 @@ to strip all HTML   from outgoing  posts.<br>
 style="font-weight: 400;">please           post your question or problem
         to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
  mailing       list</a>.</span></h4>
-               <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
+                <b>If you run Shorewall under MandrakeSoft Multi Network
-    (MNF)   and you have not purchased an MNF license from MandrakeSoft then
+Firewall     (MNF)   and you have not purchased an MNF license from MandrakeSoft
-   you can  post non MNF-specific Shorewall questions to the </b><a
+then    you can  post non MNF-specific Shorewall questions to the </b><a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
  list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
@ -375,7 +379,8 @@ to strip all HTML   from outgoing  posts.<br>
                      .</p>
-<p align="left"><font size="2">Last Updated 2/9/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -386,5 +391,6 @@ to strip all HTML   from outgoing  posts.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>