Move 2.2.0+ to Lrp2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1940 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-02-02 21:13:44 +00:00
parent a32c5eb849
commit 627713e621
65 changed files with 2737 additions and 1083 deletions


@ -1,5 +1,5 @@
# #
# Shorewall version 2.0 - Accounting File # Shorewall version 2.2 - Accounting File
# #
# /etc/shorewall/accounting # /etc/shorewall/accounting
# #
@ -47,9 +47,12 @@
# Format the same as the SOURCE column. # Format the same as the SOURCE column.
# #
# PROTOCOL A protocol name (from /etc/protocols), a protocol # PROTOCOL A protocol name (from /etc/protocols), a protocol
# number. # number, or "ipp2p"
# #
# DEST PORT Destination Port number # DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
# #
# Service name from /etc/services or port number. May # Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6 # only be specified if the protocol is TCP or UDP (6
@ -61,13 +64,33 @@
# only be specified if the protocol is TCP or UDP (6 # only be specified if the protocol is TCP or UDP (6
# or 17). # or 17).
# #
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# In all of the above columns except ACTION and CHAIN, the values "-", # In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards # "any" and "all" may be used as wildcards
# #
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT # PORT PORT GROUP
# #
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
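Review bot: The new USER/GROUP description (L42-L45) says the rule applies only when the generating program runs under the given id, but it does not say how OUTPUT packets that have no owning process are treated, such as kernel-generated ICMP errors or TCP resets. With the iptables owner match those packets carry no uid/gid, so I would expect a non-empty column to never match them, and presumably a "!" entry does not match them either; that changes what the counters cover and is worth stating. Suggested line after the examples: `# Packets not generated by a local process (kernel-generated ICMP, RST, etc.) have no owner and do not match a non-empty USER/GROUP entry, even with "!".` Confirm against the owner match version you ship before committing the wording.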


@ -1,5 +1,5 @@
# #
# Shorewall 2.1 /etc/shorewall/actions # Shorewall 2.2 /etc/shorewall/actions
# #
# This file allows you to define new ACTIONS for use in rules # This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to # (/etc/shorewall/rules). You define the iptables rules to


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 -- Blacklist File # Shorewall 2.2 -- Blacklist File
# #
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #
@ -7,7 +7,9 @@
# #
# Columns are: # Columns are:
# #
# ADDRESS/SUBNET - Host address, subnetwork or MAC address # ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
# range (if your kernel and iptables contain iprange
# match support).
# #
# MAC addresses must be prefixed with "~" and use "-" # MAC addresses must be prefixed with "~" and use "-"
# as a separator. # as a separator.
@ -21,10 +23,10 @@
# is TCP (6) or UDP (17). A comma-separated list # is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services. # of port numbers or service names from /etc/services.
# #
# When a packet arrives on in interface that has the 'blacklist' option # When a packet arrives on an interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of # specified in /etc/shorewall/interfaces, its source IP address is checked
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in # against this file and disposed of according to the BLACKLIST_DISPOSITION and
# /etc/shorewall/shorewall.conf # BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
# #
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked. # the protocol (and one of the ports if PORTS supplied) are blocked.


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 - /etc/shorewall/ecn # Shorewall 2.2 - /etc/shorewall/ecn
# #
# Use this file to list the destinations for which you want to # Use this file to list the destinations for which you want to
# disable ECN. # disable ECN.
@ -12,7 +12,9 @@
# the firewall # the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet # HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
############################################################################## ##############################################################################
#INTERFACE HOST(S) #INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 - /etc/shorewall/hosts # Shorewall 2.2 - /etc/shorewall/hosts
# #
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN # THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -28,12 +28,15 @@
# a) The IP address of a host # a) The IP address of a host
# b) A subnetwork in the form # b) A subnetwork in the form
# <subnet-address>/<mask width> # <subnet-address>/<mask width>
# c) A physical port name; only allowed when the # c) An IP address range of the form <low address>-<high
# address>. Your kernel and iptables must have iprange
# match support.
# d) A physical port name; only allowed when the
# interface names a bridge created by the # interface names a bridge created by the
# brctl addbr command. This port must not # brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may # be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a # optionally followed by a colon (":") and a
# host or network IP. # host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details. # See http://www.shorewall.net/Bridge.html for details.
# #
# Examples: # Examples:
@ -43,6 +46,7 @@
# eth3:192.168.2.0/24,192.168.3.1 # eth3:192.168.2.0/24,192.168.3.1
# br0:eth4 # br0:eth4
# br0:eth0:192.168.1.16/28 # br0:eth0:192.168.1.16/28
# eth4:192.168.1.44-192.168.1.49
# #
# OPTIONS - A comma-separated list of options. Currently-defined # OPTIONS - A comma-separated list of options. Currently-defined
# options are: # options are:
@ -124,5 +128,12 @@
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here.
#
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
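Review bot: The new 'ipsec' option (L160-L165) tells the reader the zone is reached via a 2.6 kernel SA but omits the prerequisite that the new /etc/shorewall/ipsec file states explicitly, namely that both kernel and iptables must include policy match support. What happens on a build without that support is not documented here; since this option decides whether hosts are treated as protected by IPsec, the failure mode should not be left to guesswork. Suggest adding after L165: `# Requires a 2.6 kernel and policy match support in both kernel and iptables (see /etc/shorewall/ipsec).`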


@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 2.0 -- /etc/shorewall/init # Shorewall 2.2 -- /etc/shorewall/init
# #
# Add commands below that you want to be executed at the beginning of # Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command. # a "shorewall start" or "shorewall restart" command.


@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 2.0 -- /etc/shorewall/initdone # Shorewall 2.2 -- /etc/shorewall/initdone
# #
# Add commands below that you want to be executed during # Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where # "shorewall start" or "shorewall restart" commands at the point where


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 -- Interfaces File # Shorewall 2.2 -- Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #
@ -75,12 +75,23 @@
# option does not cover those ranges # option does not cover those ranges
# reserved by RFC 1918 -- see above). # reserved by RFC 1918 -- see above).
# #
# I PERSONALLY RECOMMEND AGAINST USING
# THE 'nobogons' OPTION.
#
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This # interface (anti-spoofing measure). This
# option can also be enabled globally in # option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file. # the /etc/shorewall/shorewall.conf file.
# #
# . . blacklist - Check packets arriving on this interface # logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist # against the /etc/shorewall/blacklist
# file. # file.
# #
@ -190,6 +201,7 @@
# net ppp0 - # net ppp0 -
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
#
net eth0 detect dhcp,routefilter,norfc1918 net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect loc eth1 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
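Review bot: The new logmartians text (L210-L212) advises that an interface with routefilter should also set logmartians, yet the sample entry on L225 sets routefilter on the external interface without it, so the shipped template contradicts its own advice; suggest `net eth0 detect dhcp,routefilter,logmartians,norfc1918`. Since LOG_MARTIANS in shorewall.conf is introduced with a default of No, the sample line is the only place this gets turned on for a copied configuration. Separately, the all-caps recommendation against nobogons (L200-L201) gives no reason; one clause would help the reader decide, e.g. `# (a static bogon list goes stale as address space is allocated and then blocks legitimate peers)` — hedged, as the rationale is not visible in this hunk.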

58
Lrp2/etc/shorewall/ipsec Normal file

@ -0,0 +1,58 @@
#
# Shorewall 2.2 - /etc/shorewall/ipsec
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file, you must be running a 2.6 kernel and
# both your kernel and iptables must include Policy Match Support.
#
# The columns are:
#
# ZONE The name of a zone defined in /etc/shorewall/zones. The
# $FW zone may not be listed.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY No -- Communication with some zone hosts is encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
###################################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
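Review bot: The IPSEC column (L246-L249) describes zone hosts as having "encrypted" communication, yet the proto option in the same file accepts `ah` and `ipcomp`, neither of which provides confidentiality: AH authenticates and IPCOMP compresses. A zone marked Yes with an AH-only SA will be policy-matched as protected while its payload travels in the clear, so the column text should say that "encrypted" here means "carried by an IPsec SA matching the OPTIONS", and that confidentiality requires `proto=esp`. Two wording fixes on new lines: L254 lacks the closing quote — `using the 'unique:<number>' option for the SPD level.` — and L275 ends with `strict..`.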


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 - MAC list file # Shorewall 2.2 - MAC list file
# #
# /etc/shorewall/maclist # /etc/shorewall/maclist
# #
@ -15,7 +15,9 @@
# #
# IP ADDRESSES Optional -- if specified, both the MAC and IP address # IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated # must match. This column can contain a comma-separated
# list of host and/or subnet addresses. # list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
############################################################################## ##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional) #INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 - Masquerade file # Shorewall 2.2 - Masquerade file
# #
# /etc/shorewall/masq # /etc/shorewall/masq
# #
@ -20,6 +20,24 @@
# This may be qualified by adding the character # This may be qualified by adding the character
# ":" followed by a destination host or subnet. # ":" followed by a destination host or subnet.
# #
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
# #
# SUBNET -- Subnet that you wish to masquerade. You can specify this as # SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an # a subnet or as an interface. If you give the name of an
@ -42,13 +60,6 @@
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256 # You may also specify a range of up to 256
# IP addresses if you want the SNAT address to # IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin # be assigned from that range in a round-robin
@ -62,6 +73,19 @@
# #
# This column may not contain DNS Names. # This column may not contain DNS Names.
# #
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# If you want to leave this column empty # If you want to leave this column empty
# but you need to specify the next column then # but you need to specify the next column then
# place a hyphen ("-") here. # place a hyphen ("-") here.
@ -82,6 +106,42 @@
# support and a maximum of 15 ports may be # support and a maximum of 15 ports may be
# listed. # listed.
# #
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
#
# next Separates rules; can only be used
# with strict..
# #
# Example 1: # Example 1:
# #
@ -136,6 +196,6 @@
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
# #
############################################################################### ###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1 eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
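Review bot: The hunk deletes the warning (L348-L353) that listing the external interface's primary address in ADDRESS with ADD_SNAT_ALIASES=Yes drops the default route, but nothing in this file replaces it; the new RETAIN_ALIASES setting in shorewall.conf describes exactly that failure and defaults to No, so the hazard is still present with shipped defaults. Suggest keeping a one-line pointer in the ADDRESS column text: `# With ADD_SNAT_ALIASES=Yes, do not list the interface's primary address here unless RETAIN_ALIASES=Yes in shorewall.conf; the address is deleted and re-added, which can remove the default route.` The new IPSEC column (L388-L390) also speaks of packets "that will be encrypted", which for `proto=ah` or `ipcomp` means authenticated or compressed rather than confidential, so the same caveat applies there.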


@ -1,5 +1,5 @@
############################################################################## ##############################################################################
# Shorewall 2.0 /etc/shorewall/modules # Shorewall 2.2 /etc/shorewall/modules
# #
# This file loads the modules needed by the firewall. # This file loads the modules needed by the firewall.
# #


@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 2.0 -- Network Address Translation Table # Shorewall 2.2 -- Network Address Translation Table
# #
# /etc/shorewall/nat # /etc/shorewall/nat
# #
@ -16,6 +16,7 @@
# EXTERNAL External IP Address - this should NOT be the primary # EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next # IP address of the interface named in the next
# column and must not be a DNS Name. # column and must not be a DNS Name.
#
# INTERFACE Interface that you want to EXTERNAL address to appear # INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may # on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to # follow the interface name with ":" and a digit to
@ -24,14 +25,21 @@
# see the alias with ifconfig. THAT IS THE ONLY THING # see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT # THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION. # ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
#
# If you want to override ADD_IP_ALIASES=Yes for a
# particular entry, follow the interface name with
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name). # INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. # ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective # If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE # only through the interface named in the INTERFACE
# column # column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall # LOCAL If Yes or yes, NAT will be effective from the firewall
# system # system
############################################################################## ##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL #EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES # INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/params # Shorewall 2.2 /etc/shorewall/params
# #
# Assign any variables that you need here. # Assign any variables that you need here.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 -- Policy File # Shorewall 2.2 -- Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
@ -82,8 +82,4 @@ net all DROP ULOG
# remove the comment from the following line. # remove the comment from the following line.
#fw net ACCEPT #fw net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
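Review bot: The hunk removes the `all all REJECT ULOG` catch-all together with its "THE FOLLOWING POLICY MUST BE LAST" comment and adds no replacement, so any zone pair not covered by an earlier line has no policy after this change; the only visible context above is `net all DROP ULOG`. Whether Shorewall then refuses to start or silently lacks a policy for those pairs is not visible here, but either way the sample loses the explicit default-deny that an administrator copying this template relies on. If the intent is that the Lrp2 policy file carries its own catch-all elsewhere, say so in a comment; otherwise restore `all all REJECT ULOG` as the last entry.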


@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 2.0 -- Proxy ARP # Shorewall 2.2 -- Proxy ARP
# #
# /etc/shorewall/proxyarp # /etc/shorewall/proxyarp
# #


@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped # Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
@ -12,6 +12,10 @@
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
# the firewall # the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet # HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of # OPTIONS - (Optional) A comma-separated list of


@ -1,5 +1,5 @@
# #
# Shorewall version 2.0 - Rules File # Shorewall version 2.2 - Rules File
# #
# /etc/shorewall/rules # /etc/shorewall/rules
# #
@ -72,6 +72,20 @@
# DNAT:debug). This causes the packet to be # DNAT:debug). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a # You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing # log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd # to a separate log through use of ulogd
@ -104,6 +118,10 @@
# address; mac addresses must begin with "~" and must use # address; mac addresses must begin with "~" and must use
# "-" as a separator. # "-" as a separator.
# #
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# #
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
@ -115,6 +133,10 @@
# loc:~00-A0-C9-15-39-78 Host in the local zone with # loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78. # MAC address 00:A0:C9:15:39:78.
# #
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the # by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a # interface name. For example, loc:eth1 specifies a
@ -145,7 +167,7 @@
# 3. You may not specify both an interface and # 3. You may not specify both an interface and
# an address. # an address.
# #
# Unlike in the SOURCE column, you may specify a range of # Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax # up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-, # <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the # the connections will be assigned to addresses in the
@ -223,14 +245,6 @@
# destination address in the connection request does not # destination address in the connection request does not
# match any of the addresses listed. # match any of the addresses listed.
# #
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this colume: # this colume:
# #
@ -281,9 +295,9 @@
# to local system 192.168.1.3 with a limit of 3 per second and # to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10 # a maximum burst of 10
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST # # PORT PORT(S) DEST LIMIT
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http # DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
# #
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
@ -310,7 +324,6 @@
#################################################################################################### ####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
ACCEPT fw net tcp 53 ACCEPT fw net tcp 53
@ -318,18 +331,19 @@ ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration # Accept SSH connections from the local network for administration
# #
ACCEPT loc fw tcp 22 ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall # Allow Ping To Firewall
# #
ACCEPT loc fw icmp 8 ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8 ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8 #
ACCEPT fw net icmp 8 # Allow all ICMP types (including ping) From Firewall
#
ACCEPT fw loc icmp
ACCEPT fw net icmp
# #
# Bering specific rules: # Bering specific rules:
# allow loc to fw udp/53 for local/caching DNS servers to work # allow loc to fw udp/53 for local/caching DNS servers to work
# allow loc to fw tcp/80 for weblet to work # allow loc to fw tcp/80 for weblet to work
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
ACCEPT loc fw udp 53 ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80 ACCEPT loc fw tcp 80
ACCEPT loc fw udp 67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
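Review bot: The reworded sentence at L590 ("Like in the SOURCE column, you may specify a range of up to 256 IP addresses") conflates two mechanisms: the SOURCE range added at L568-L570 is an iprange match that needs kernel/iptables support and has no stated size limit, whereas the DEST range with DNAT/DNAT- is the NAT target range with the 256-address limit. Suggested wording, hedged because DEST-range handling for non-DNAT actions is not visible in this hunk: `For DNAT/DNAT-, a DEST range of up to 256 addresses is a NAT destination range and does not need iprange match support; for other actions a DEST range is matched like a SOURCE range and does.` L551 also has a mismatched quote, `"!'`, which should read `"!"`. The new `ACCEPT fw loc icmp` / `ACCEPT fw net icmp` lines widen the firewall's outbound ICMP from echo-request to every type; that is reasonable for firewall-originated traffic, but the comment should state that it now also permits the firewall to send redirects and other non-echo types.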


@ -1,5 +1,4 @@
############################################################################## /shorewall/shorewall.conf V2.1 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
# match your setup # match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -7,6 +6,14 @@
# This file should be placed in /etc/shorewall # This file should be placed in /etc/shorewall
# #
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
STARTUP_ENABLED=No
############################################################################## ##############################################################################
# L O G G I N G # L O G G I N G
############################################################################## ##############################################################################
@ -80,6 +87,18 @@ LOGFILE=/var/log/shorewall.log
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
LOGTAGONLY=No
# #
# LOG RATE LIMITING # LOG RATE LIMITING
# #
@ -110,6 +129,18 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=
# #
# BLACKLIST LOG LEVEL # BLACKLIST LOG LEVEL
# #
@ -201,9 +232,29 @@ SMURF_LOG_LEVEL=ULOG
# #
BOGON_LOG_LEVEL=ULOG BOGON_LOG_LEVEL=ULOG
#
# MARTIAN LOGGING
#
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces.
#
LOG_MARTIANS=No
################################################################################ ################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################ ################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
# #
# PATH - Change this if you want to change the order in which Shorewall # PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files. # searches directories for executable files.
@ -320,14 +371,28 @@ ADD_IP_ALIASES=Yes
# #
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
#
# RETAIN EXISTING ALIASES/IP ADDRESSES
#
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
# will first delete the address then re-add it. This is to ensure that the
# address is added with the specified label. Unfortunately, this can cause
# problems if it results in the deletion of the last IP address on an
# interface because then all routes through the interface are automatically
# removed.
#
# You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes.
#
RETAIN_ALIASES=No
# #
# ENABLE TRAFFIC SHAPING # ENABLE TRAFFIC SHAPING
# #
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and # shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
# you must enable packet mangling above.
#
TC_ENABLED=No TC_ENABLED=No
# #
@ -393,6 +458,14 @@ MARK_IN_FORWARD_CHAIN=No
# #
# If left blank, or set to "No" or "no", the option is not enabled. # If left blank, or set to "No" or "no", the option is not enabled.
# #
# You may also set this option to a numeric value in which case Shorewall will
# set up a rule to modify the MSS value in SYN packets to the value that
# you specify.
#
# Example:
#
# CLAMPMSS=1400
#
CLAMPMSS=No CLAMPMSS=No
# #
@ -470,7 +543,7 @@ MUTEX_TIMEOUT=60
# A packet is said to be NEW if it is not part of or related to an already # A packet is said to be NEW if it is not part of or related to an already
# established connection. # established connection.
# #
# The NEWNOTSYN option determines the handling of non-SYN packets (those with # The NETNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already # SYN off or with ACK or RST on) that are not associated with an already
# established connection. # established connection.
# #
@ -551,6 +624,14 @@ ADMINISABSENTMINDED=Yes
# #
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
#
# Users with a large blacklist find that "shorwall [re]start" takes a long
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
DELAYBLACKLISTLOAD=No
# MODULE NAME SUFFIX # MODULE NAME SUFFIX
# #
# When loading a module named in /etc/shorewall/modules, Shorewall normally # When loading a module named in /etc/shorewall/modules, Shorewall normally
@ -610,16 +691,9 @@ DYNAMIC_ZONES=No
# USE PKTTYPE MATCH # USE PKTTYPE MATCH
# #
# Some users have reported problems with the PKTTYPE match extension not being # Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets. # able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
# # will use IP addresses to detect broadcasts rather than pkttype. If not given
# Other users have complained of the following message when # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
# starting Shorewall:
#
# modprobe: cant locate module ipt_pkttype
#
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
# broadcasts rather than pkttype. If not given or if given as empty
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes PKTTYPE=Yes
@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 2.0 -- /etc/shorewall/start # Shorewall 2.2 -- /etc/shorewall/start
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been started or restarted. # been started or restarted.
@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 2.0 -- /etc/shorewall/stop # Shorewall 2.2 -- /etc/shorewall/stop
# #
# Add commands below that you want to be executed at the beginning of a # Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command. # "shorewall stop" command.
@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 2.0 -- /etc/shorewall/stopped # Shorewall 2.2 -- /etc/shorewall/stopped
# #
# Add commands below that you want to be executed at the completion of a # Add commands below that you want to be executed at the completion of a
# "shorewall stop" command. # "shorewall stop" command.
@ -1,5 +1,5 @@
# #
# Shorewall version 2.0 - Traffic Control Rules File # Shorewall version 2.2 - Traffic Control Rules File
# #
# /etc/shorewall/tcrules # /etc/shorewall/tcrules
# #
@ -19,9 +19,8 @@
# Columns are: # Columns are:
# #
# #
# MARK The mark value which is an # MARK/ a) A mark value which is a integer in the range 1-255
# integer in the range 1-255 # CLASSIFY
#
# May optionally be followed by ":P" or ":F" # May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in # where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking # the PREROUTING chain and ":F" indicates that marking
@ -30,9 +29,55 @@
# determined by the setting of MARK_IN_FORWARD_CHAIN in # determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf.
# #
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the conneciton in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping
# modules:
#
# - atm
# - cbq
# - dsmark
# - pfifo_fast
# - htb
# - prio
#
# Classify always occurs in the POSTROUTING chain.
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
#
# SOURCE Source of the packet. A comma-separated list of # SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses # interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on # and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT # the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs # specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). # in the OUTPUT chain).
@ -43,22 +88,34 @@
# Example: ~00-A0-C9-15-39-78 # Example: ~00-A0-C9-15-39-78
# #
# DEST Destination of the packet. Comma separated list of # DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets. # IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address
# ranges are also allowed.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # If the MARK column specificies a classification of
# or "all". # the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
# #
# PORT(S) Destination Ports. A comma-separated list of Port # PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied. # entered if any of the following field is supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.
@ -77,7 +134,19 @@
# The colon is optionnal when specifying only a user. # The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users # Examples : john: / john / :users / john:users
# #
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
############################################################################## ##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
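Review bot: The column ruler at the end of the file still labels the sixth column `CLIENT` / `PORT(S)` while the rewritten description above renames that column `SOURCE PORT(S)`; the two should agree, e.g. `#MARK SOURCE DEST PROTO PORT(S) SOURCE USER TEST` with `PORT(S)` under the sixth column on the continuation line. In the new MARK/CLASSIFY text both RESTORE and SAVE are labelled `c)`, so CONTINUE's `d)` is off by one; relabel SAVE as d) and CONTINUE as e). `CF: Mark the conneciton in the FORWARD chain` should read connection, and the `":P" or ":F` lines under RESTORE and SAVE are missing the closing quote.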
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 -- /etc/shorewall/tos # Shorewall 2.2 -- /etc/shorewall/tos
# #
# This file defines rules for setting Type Of Service (TOS) # This file defines rules for setting Type Of Service (TOS)
# #
@ -43,10 +43,4 @@
# #
############################################################################## ##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS #SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - 22 16
all all tcp 22 - 16
all all tcp - 21 16
all all tcp 21 - 16
all all tcp 20 - 8
all all tcp - 20 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE #LAST LINE -- Add your entries above -- DO NOT REMOVE
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 - /etc/shorewall/tunnels # Shorewall 2.2 - /etc/shorewall/tunnels
# #
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
# #
@ -9,7 +9,7 @@
# #
# The columns are: # The columns are:
# #
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or # "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic" # "generic"
# #
@ -34,7 +34,10 @@
# #
# GATEWAY -- The IP address of the remote tunnel gateway. If the # GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior) # remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. # then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and
# iptables include iprange match support then IP address
# ranges are also allowed.
# #
# GATEWAY # GATEWAY
# ZONES -- Optional. If the gateway system specified in the third # ZONES -- Optional. If the gateway system specified in the third
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/zones # Shorewall 2.2 /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004 # Shorewall Packet Filtering Firewall Control Program - V2.2
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
@ -134,6 +134,24 @@ showchain() # $1 = name of chain
fi fi
} }
#
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
#
iptablesbug()
{
if qt which awk ; then
awk 'BEGIN {sline=""; };\
/^-j/ { print sline $0; next };\
/-m policy.*-j/ { print $0; next };\
/-m policy/ { sline=$0; next };\
{print ; sline="" }'
else
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
cat
fi
}
# #
# Validate the value of RESTOREFILE # Validate the value of RESTOREFILE
# #
@ -174,6 +192,19 @@ get_config() {
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$IPTABLES" ]; then
if [ ! -e "$IPTABLES" ]; then
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2
fi
else
IPTABLES=$(which iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2
exit 2
fi
fi
if [ -n "$SHOREWALL_SHELL" ]; then if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
@ -205,7 +236,7 @@ display_chains()
TMPFILE=$(mktempfile) TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
iptables -L $IPT_OPTIONS >> $TMPFILE $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear clear
echo "$banner $(date)" echo "$banner $(date)"
@ -288,7 +319,7 @@ display_chains()
qt rm -f $TMPFILE qt rm -f $TMPFILE
else else
iptables -L -n -v $IPTABLES -L -n -v
timed_read timed_read
fi fi
trap - 1 2 3 4 5 6 9 trap - 1 2 3 4 5 6 9
@ -315,10 +346,9 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1" [ -n "$realtail" ] && options="-n$1"
grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \ grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \ sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \ sed s/" $host $LOGFORMAT"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \ sed 's/MAC=.* SRC=/SRC=/' | \
tail $options tail $options
} }
@ -388,9 +418,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG') oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
let "timeout=- $1" let "timeout=- $1"
@ -423,7 +452,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset show_reset
rejects=$(iptables -L -v -n | grep 'LOG') rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
@ -450,7 +479,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo echo
echo "NAT Status" echo "NAT Status"
echo echo
iptables -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
timed_read timed_read
clear clear
@ -459,7 +488,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo echo
echo "TOS/MARK Status" echo "TOS/MARK Status"
echo echo
iptables -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
timed_read timed_read
clear clear
@ -498,9 +527,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG') oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
timeout=$((- $1)) timeout=$((- $1))
@ -522,7 +550,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset show_reset
rejects=$(iptables -L -v -n | grep 'LOG') rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
@ -562,11 +590,11 @@ usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check" echo " check [ <directory> ]"
echo " clear" echo " clear"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " forget [ <file name> ]" echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
@ -578,15 +606,17 @@ usage() # $1 = exit status
echo " refresh" echo " refresh"
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart [ <directory> ]"
echo " restore [ <file name> ]" echo " restore [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
echo " start" echo " start [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " version" echo " version"
echo
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
exit $1 exit $1
} }
@ -598,8 +628,11 @@ show_reset() {
echo "Counters reset $(cat $STATEDIR/restarted)" && \ echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo echo
} }
#
show_proc() { # Display's the passed file name followed by "=" and the file's contents.
#
show_proc() # $1 = name of a file
{
[ -f $1 ] && echo " $1 = $(cat $1)" [ -f $1 ] && echo " $1 = $(cat $1)"
} }
@ -721,6 +754,8 @@ ensure_config_path
export CONFIG_PATH export CONFIG_PATH
get_config
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then if [ ! -f $FIREWALL ]; then
@ -765,8 +800,28 @@ esac
case "$1" in case "$1" in
start) start)
[ $# -ne 1 ] && usage 1 case $# in
get_config 1)
;;
2)
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
@ -783,15 +838,37 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi fi
;; ;;
stop|restart|reset|clear|refresh|check) stop|reset|clear|refresh)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;;
check|restart)
case $# in
1)
;;
2)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -lt 3 ] && usage 1
get_config exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show|list) show|list)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
@ -807,18 +884,17 @@ case "$1" in
echo "Shorewall-$version NAT at $HOSTNAME - $(date)" echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
iptables -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - $(date)" echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
iptables -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
;; ;;
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
get_config
echo "Shorewall-$version Log at $HOSTNAME - $(date)" echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
@ -837,6 +913,24 @@ case "$1" in
echo echo
show_classifiers show_classifiers
;; ;;
zones)
[ $# -gt 2 ] && usage 1
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ -f $STATEDIR/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone hosts; do
echo $zone
for host in $hosts; do
echo " $host"
done
done < $STATEDIR/zones
echo
else
echo " ERROR: $STATEDIR/zones does not exist" >&2
exit 1
fi
;;
*) *)
shift shift
@ -845,10 +939,10 @@ case "$1" in
show_reset show_reset
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
for chain in $*; do for chain in $*; do
iptables -L $chain $IPT_OPTIONS $IPTABLES -L $chain $IPT_OPTIONS
done done
else else
iptables -L $IPT_OPTIONS $IPTABLES -L $IPT_OPTIONS
fi fi
;; ;;
esac esac
@ -866,29 +960,32 @@ case "$1" in
status) status)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config
clear clear
echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS $IPTABLES -L $IPT_OPTIONS
echo echo
packet_log 20 packet_log 20
echo echo
echo "NAT Table" echo "NAT Table"
echo echo
iptables -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
echo echo
echo "Mangle Table" echo "Mangle Table"
echo echo
iptables -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
echo echo
echo "IP Configuration" echo "IP Configuration"
echo echo
ip addr ls ip addr ls
echo
echo "IP Stats"
echo
ip -stat link ls
if qt which brctl; then if qt which brctl; then
echo echo
@ -902,9 +999,10 @@ case "$1" in
echo echo
show_proc /proc/sys/net/ipv4/ip_forward show_proc /proc/sys/net/ipv4/ip_forward
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter; do for file in proxy_arp arp_filter rp_filter log_martians; do
show_proc $directory/$file show_proc $directory/$file
done done
done done
@ -920,11 +1018,17 @@ case "$1" in
echo echo
ip route ls table $table ip route ls table $table
done done
if qt which lsmod; then
echo
echo "Modules"
echo
lsmod | grep -E '^ip_|^ipt_'
fi
;; ;;
hits) hits)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config
clear clear
echo "Shorewall-$version Hits at $HOSTNAME - $(date)" echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo echo
@ -972,10 +1076,10 @@ case "$1" in
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1 [ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start $0 start
fi fi
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start $0 start
elif [ $# -eq 3 ]; then elif [ $# -eq 3 ]; then
sleep $3 sleep $3
@ -998,9 +1102,9 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1 $IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped" echo "$1 Dropped"
done done
mutex_off mutex_off
@ -1011,9 +1115,9 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1 $IPTABLES -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected" echo "$1 Rejected"
done done
mutex_off mutex_off
@ -1024,7 +1128,7 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
echo "$1 Allowed" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
@ -1035,8 +1139,6 @@ case "$1" in
save) save)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
get_config
case $# in case $# in
1) 1)
;; ;;
@ -1053,7 +1155,7 @@ case "$1" in
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@ -1064,11 +1166,11 @@ case "$1" in
echo " ERROR: Reserved file name: $RESTOREFILE" echo " ERROR: Reserved file name: $RESTOREFILE"
;; ;;
*) *)
if iptables -L dynamic -n > /var/lib/shorewall/save; then if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved" echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$ echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \ [ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
@ -1094,7 +1196,6 @@ case "$1" in
mutex_off mutex_off
;; ;;
forget) forget)
get_config
case $# in case $# in
1) 1)
;; ;;
@ -1114,7 +1215,7 @@ case "$1" in
rm -f $RESTOREPATH rm -f $RESTOREPATH
echo " $RESTOREPATH removed" echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
fi fi
;; ;;
ipcalc) ipcalc)
@ -1153,7 +1254,6 @@ case "$1" in
esac esac
;; ;;
restore) restore)
get_config
case $# in case $# in
1) 1)
;; ;;
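Review bot: The new IPTABLES validation in get_config tests `[ ! -e "$IPTABLES" ]` but the message it prints says "does not exist or is not executable"; use `[ ! -x "$IPTABLES" ]` so a non-executable path is rejected here rather than at the first of the many `$IPTABLES` calls that now depend on it (the `-e` pattern appears to be copied from the SHOREWALL_SHELL check just below). The save command still runs `iptables-save` unqualified while every other invocation now goes through `$IPTABLES`, so a non-default IPTABLES setting can produce a restore file written by a different iptables build than the one that later loads it; either resolve the save tool relative to `$IPTABLES` or document the limitation next to the IPTABLES setting in shorewall.conf. The directory-argument validation added to the start arm and to the check/restart arm is duplicated verbatim, and the unquoted `$2` in `[ ! -d $2 ]` and `[ -e $2 ]` misbehaves on paths containing spaces; a single helper that quotes its argument would fix both. get_config's body and the main case statement start and end outside the hunks shown.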
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowAuth # Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
# #
# This action accepts Auth (identd) traffic. # This action accepts Auth (identd) traffic.
# #
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowDNS # Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
# #
# This action accepts DNS traffic. # This action accepts DNS traffic.
# #
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowFTP # Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
# #
# This action accepts FTP traffic. See # This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations. # http://www.shorewall.net/FTP.html for additional considerations.
@ -0,0 +1,11 @@
#
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
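Review bot: The new action.AllowICMPs header reads `Shorewall 2.1` while every other file touched by this commit is bumped to 2.2; it should be `# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs`. The two rows accept fragmentation-needed and time-exceeded with no explanation of why those types in particular are needed; a comment above them such as `# fragmentation-needed is required for path-MTU discovery; time-exceeded carries TTL-expiry replies (traceroute)` would help an administrator decide whether to invoke this action from a given zone pair.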
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP # Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
# #
# This action accepts IMAP traffic (secure and insecure): # This action accepts IMAP traffic (secure and insecure):
# #
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP # Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
# #
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS) # This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
# #
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowNTP # Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
# #
# This action accepts NTP traffic (ntpd). # This action accepts NTP traffic (ntpd).
# #
@ -7,4 +7,5 @@
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT # PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123 ACCEPT - - udp 123
ACCEPT - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
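Review bot: The added row `ACCEPT - - udp 1024: 123` accepts any UDP datagram whose source port is 123 to every unprivileged destination port, and the source port is chosen by the sender, so this admits far more than NTP replies; where connection tracking is in use, replies to the client's own queries already match the established-connection handling, so the row needs a comment stating which client configuration actually requires it. If it exists only for peers that send from port 123 to an ephemeral port, consider narrowing the DEST PORT column to the ports that client is known to use rather than the whole `1024:` range. The remaining change in this file is the header bump.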
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowPCA # Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
# #
# This action accepts PCAnywere (tm) # This action accepts PCAnywere (tm)
# #
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3 # Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
# #
# This action accepts POP3 traffic (secure and insecure): # This action accepts POP3 traffic (secure and insecure):
# #
@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowPing # Shorewall 2.2 /usr/share/shorewall/action.AllowPing
# #
# This action accepts 'ping' requests. # This action accepts 'ping' requests.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowRdate # Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
# #
# This action accepts remote time retrieval (rdate). # This action accepts remote time retrieval (rdate).
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowSMB # Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
# #
# Allow Microsoft SMB traffic. You need to invoke this action in # Allow Microsoft SMB traffic. You need to invoke this action in
# both directions. # both directions.


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP # Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
# #
# This action accepts SMTP (email) traffic. # This action accepts SMTP (email) traffic.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP # Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
# #
# This action accepts SNMP traffic (including traps): # This action accepts SNMP traffic (including traps):
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowSSH # Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
# #
# This action accepts secure shell (SSH) traffic. # This action accepts secure shell (SSH) traffic.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet # Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
# #
# This action accepts Telnet traffic. For traffic over the # This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead # internet, telnet is inappropriate; use SSH instead


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt # Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
# #
# This action accepts Traceroute (for up to 30 hops): # This action accepts Traceroute (for up to 30 hops):
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowVNC # Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
# #
# This action accepts VNC traffic for VNC display's 0 - 9. # This action accepts VNC traffic for VNC display's 0 - 9.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowVNC # Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
# #
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode. # This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.AllowWeb # Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
# #
# This action accepts WWW traffic (secure and insecure): # This action accepts WWW traffic (secure and insecure):
# #
@ -7,5 +7,5 @@
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80 ACCEPT - - tcp 80
ACCEPT - - TCP 443 ACCEPT - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,16 +1,49 @@
# #
# Shorewall 2.0 /etc/shorewall/action.Drop # Shorewall 2.2 /usr/share/shorewall/action.Drop
# #
# The default DROP common rules # The default DROP common rules
# #
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO
# PORT PORT(S) LIMIT GROUP #
# Reject 'auth'
#
RejectAuth RejectAuth
#
# Don't log broadcasts
#
dropBcast dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
#
dropInvalid dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DropSMB DropSMB
DropUPnP DropUPnP
dropNotSyn #
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
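Review bot: The new comment `# Drop packets that in the INVALID state -- these are usually ICMP packets and just` is missing a verb; `# Drop packets that are in the INVALID state -- these are usually ICMP packets and just` reads correctly. The identical wording is introduced in the action.Reject section of this commit and should be fixed there too. The rest of the new header (the a/b/c purpose list and the "CHANGING THIS FILE WON'T HELP" warning) is a clear improvement over the old two-line banner.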


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep # Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
# #
# This action silently drops DNS UDP replies # This action silently drops DNS UDP replies
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.DropPing # Shorewall 2.2 /usr/share/shorewall/action.DropPing
# #
# This action silently drops 'ping' requests. # This action silently drops 'ping' requests.
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.DropSMB # Shorewall 2.2 /usr/share/shorewall/action.DropSMB
# #
# This action silently drops Microsoft SMB traffic # This action silently drops Microsoft SMB traffic
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.DropUPnP # Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
# #
# This action silently drops UPnP probes on UDP port 1900 # This action silently drops UPnP probes on UDP port 1900
# #


@ -1,16 +1,46 @@
# #
# Shorewall 2.0 /etc/shorewall/action.Reject # Shorewall 2.2 /usr/share/shorewall/action.Reject
# #
# The default REJECT action common rules # The default REJECT action common rules
# #
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO
# PORT PORT(S) LIMIT GROUP #
# Don't log 'auth' REJECT
#
RejectAuth RejectAuth
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
#
dropBcast dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
#
dropInvalid dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the lot.
#
RejectSMB RejectSMB
DropUPnP DropUPnP
dropNotSyn #
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
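Review bot: The new comment `# Drop Microsoft noise so that it doesn't clutter up the lot.` has a typo and also names the wrong disposition for the line it describes, which is `RejectSMB`; `# Reject Microsoft noise so that it doesn't clutter up the log.` matches both the action invoked and the wording used in action.Drop. The `DropUPnP` line that follows it is a drop, so if one comment is meant to cover both rules it should say so.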


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.RejectAuth # Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
# #
# This action silently rejects Auth (tcp 113) traffic # This action silently rejects Auth (tcp 113) traffic
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.RejectSMB # Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
# #
# This action silently rejects Microsoft SMB traffic # This action silently rejects Microsoft SMB traffic
# #


@ -1,5 +1,5 @@
# #
# Shorewall 2.0 /etc/shorewall/action.template # Shorewall 2.2 /etc/shorewall/action.template
# #
# This file is a template for files with names of the form # This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an # /etc/shorewall/action.<action-name> where <action> is an
@ -37,6 +37,10 @@
# ACCEPT:debugging). This causes the packet to be # ACCEPT:debugging). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# The special log level 'none' does not result in logging
# but rather exempts the rule from being overridden by a
# non-forcing log level when the action is invoked.
#
# You may also specify ULOG (must be in upper case) as a # You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing # log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd # to a separate log through use of ulogd
@ -61,6 +65,10 @@
# #
# 155.186.235.0/24 Subnet 155.186.235.0/24 # 155.186.235.0/24 Subnet 155.186.235.0/24
# #
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
# kernel and iptables must have
# iprange match support.
#
# 192.168.1.1,192.168.1.2 # 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and # Hosts 192.168.1.1 and
# 192.168.1.2. # 192.168.1.2.
@ -77,10 +85,6 @@
# DEST Location of Server. Same as above with the exception that # DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed. # MAC addresses are not allowed.
# #
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all". # "all".
# #
@ -155,6 +159,6 @@
# #of the 'kids' group # #of the 'kids' group
# #
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
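Review bot: The new paragraph on log level 'none' says it "exempts the rule from being overridden by a non-forcing log level when the action is invoked", but "forcing" and "non-forcing" log levels are not defined anywhere in this file, so a reader cannot tell which invocation syntax overrides a rule's level and which does not. One sentence spelling out the two invocation forms, or a pointer to where they are documented, would make the 'none' value usable without guessing.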


@ -1,19 +1,17 @@
# #
# Shorewall 2.0 /usr/share/shorewall/actions.std # Shorewall 2.2 /usr/share/shorewall/actions.std
# #
# #
# Builtin Actions are: # Builtin Actions are:
# #
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets # rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID # dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID conntrack # allowInvalid #Accept packets that are in the INVALID
# #state # #conntrack state.
# #
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used. # shorewall.conf. If that option isn't specified then 'info' is used.
@ -36,6 +34,7 @@ AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd) AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email) AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3 AllowPOP3 #Allow reading mail via POP3
AllowICMPs #Allows critical ICMP types
AllowIMAP #Allow reading mail via IMAP AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet) #Internet)
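Review bot: The retained context line `# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in` now describes builtins (logNonSyn, dLogNonSyn, rLogNonSyn) that the first hunk removes from the list directly above it, so the paragraph refers to nothing that is still documented; either remove that paragraph as well or keep the entries if those builtins still exist. In the second hunk, `AllowICMPs #Allows critical ICMP types` differs in mood from the neighbouring `#Allow ...` entries; `AllowICMPs #Allow critical ICMP types` keeps the list uniform.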


@ -1,5 +1,5 @@
# #
# Shorewall 2.0-- Bogons File # Shorewall 2.2-- Bogons File
# #
# /etc/shorewall/bogons # /etc/shorewall/bogons
# #
@ -14,7 +14,9 @@
# #
# Columns are: # Columns are:
# #
# SUBNET The subnet (host addresses also allowed) # SUBNET The subnet (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# include iprange match support).
# TARGET Where to send packets to/from this subnet # TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally # RETURN - let the packet be processed normally
# DROP - silently drop the packet # DROP - silently drop the packet



@ -1,6 +1,27 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall 2.0 -- /usr/share/shorewall/functions # Shorewall 2.2 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion.
#
truncate() # $1 = length
{
cut -b -${1}
}
#
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
# #
# Search a list looking for a match -- returns zero if a match found # Search a list looking for a match -- returns zero if a match found
@ -229,7 +250,7 @@ find_zones() # $1 = name of the zone file
\#*) \#*)
;; ;;
$FW) $FW)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2 echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
;; ;;
*) *)
echo $zone echo $zone
@ -255,12 +276,16 @@ determine_zones()
multi_display=Multi-zone multi_display=Multi-zone
strip_file zones $zonefile strip_file zones $zonefile
zones=$(find_zones $TMP_DIR/zones) zones=$(find_zones $TMP_DIR/zones)
zones=$(echo $zones) # Remove extra trash newzones=
for zone in $zones; do for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones) dsply=$(find_display $zone $TMP_DIR/zones)
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
eval ${zone}_display=\$dsply eval ${zone}_display=\$dsply
newzones="$newzones $zone"
done done
zones=${newzones# }
} }
# #
@ -377,7 +402,7 @@ mktempfile() {
> $1/shorewall-$$ && echo $1/shorewall-$$ > $1/shorewall-$$ && echo $1/shorewall-$$
;; ;;
*) *)
echo " ERROR:Internal error in mktempfile" echo " ERROR:Internal error in mktempfile" >&2
;; ;;
esac esac
else else
@ -393,7 +418,7 @@ mktempfile() {
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$ > /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;; ;;
*) *)
echo " ERROR:Internal error in mktempfile" echo " ERROR:Internal error in mktempfile" >&2
;; ;;
esac esac
fi fi
@ -417,7 +442,7 @@ mktempdir() {
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;; ;;
*) *)
echo " ERROR:Internal error in mktempdir" echo " ERROR:Internal error in mktempdir" >&2
;; ;;
esac esac
} }
@ -532,6 +557,13 @@ ip_range() {
local first last l x y z vlsm local first last l x y z vlsm
case $1 in case $1 in
!*)
#
# Let iptables complain if it's a range
#
echo $1
return
;;
[0-9]*.*.*.*-*.*.*.*) [0-9]*.*.*.*-*.*.*.*)
;; ;;
*) *)
@ -680,6 +712,9 @@ chain_base() #$1 = interface
*-*) *-*)
c="${c%-*}_${c##*-}" c="${c%-*}_${c##*-}"
;; ;;
*%*)
c="${c%\%*}_${c##*%}"
;;
*) *)
echo ${c:=common} echo ${c:=common}
return return
@ -699,11 +734,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
case $1 in case $1 in
*+) *+)
# test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
;; ;;
*) *)
test "x$1" = "x$2" test "x$1" = "x$2"
@ -767,3 +798,11 @@ find_interface_by_address() {
[ -n "$dev" ] && echo $dev [ -n "$dev" ] && echo $dev
} }
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
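Review bot: In the new `split()` the unquoted `set -- $1` and `echo $*` undergo pathname expansion after field splitting, so a list element such as `*` would be replaced by the names of files in the current directory before being returned to the caller; turning globbing off around the expansion (`set -f` before `set -- $1`, restored afterward only if it was not already set) avoids that. The new `truncate()` helper is named like a utility that may exist on the PATH; since a shell function takes precedence that is safe here, but a comment saying so would stop someone "fixing" it later. The `ip_range()` and `chain_base()` changes are fine; both functions start outside their hunks.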


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall help subsystem - V2.0 - 2/14/2004 # Shorewall help subsystem - V2.2
# #
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -29,11 +29,18 @@
case $1 in case $1 in
add) add)
echo "add: add <interface>[:<bridge-port>][:<host>] <zone> echo "add: add <interface>[:<host-list>] ... <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's. Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
shorewall add interface[:port][:host] zone - Adds the specified interface shorewall add interface:host-list ... zone - Adds the specified interface
(and bridge port/host if included) to the specified zone. (and host-list if included) to the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example: Example:
@ -46,7 +53,9 @@ add)
address|host) address|host)
echo "<$1>: echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24" CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted."
;; ;;
allow) allow)
@ -60,7 +69,7 @@ allow)
;; ;;
check) check)
echo "check: check [ -c <configuration-directory> ] echo "check: check [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts, Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command you have made to the shorewall configuration. See the try command
@ -93,11 +102,18 @@ debug)
;; ;;
delete) delete)
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone> echo "delete: delete <interface>[:<host-list>] ... <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's. Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
shorewall delete interface[:port][:host] zone - Deletes the specified shorewall delete interface[:host-list] ... zone - Deletes the specified
interface (and bridge port/host if included) from the specified zone. interfaces (and host list if included) from the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example: Example:
@ -187,7 +203,7 @@ reset)
;; ;;
restart) restart)
echo "restart: restart [ -q ] [ -c <configuration-directory> ] echo "restart: [ -q ] restart [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start. Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained. Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings" If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
@ -217,7 +233,7 @@ save)
;; ;;
show) show)
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos] echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s). shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v) (iptables -L chain -n -v)
@ -236,17 +252,20 @@ show)
shorewall show tc - displays information about the traffic shorewall show tc - displays information about the traffic
control/shaping configuration. control/shaping configuration.
shorewall show zones - displays the contents of all zones.
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;; ;;
start) start)
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies. if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists" in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified".
;; ;;
stop) stop)
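Review bot: In the new `start` help text the sentence ends with `case, a <configuration-directory> may not be specified".` — the full stop sits outside the closing quote. The shell still glues it onto the same word, so the printed output is unchanged, but it reads as a typo and will trip the next editor; move it inside: `case, a <configuration-directory> may not be specified."`. The last line of the `add` and `delete` texts in the earlier hunks are consistent with each other, which is good.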


@ -1,5 +1,5 @@
# #
# Shorewall 2.0-- RFC1918 File # Shorewall 2.2 -- RFC1918 File
# #
# /etc/shorewall/rfc1918 # /etc/shorewall/rfc1918
# #
@ -12,14 +12,17 @@
# #
# Columns are: # Columns are:
# #
# SUBNET The subnet (host addresses also allowed) # SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
# TARGET Where to send packets to/from this subnet # TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally # RETURN - let the packet be processed normally
# DROP - silently drop the packet # DROP - silently drop the packet
# logdrop - log then drop # logdrop - log then drop
# #
############################################################################### ###############################################################################
#SUBNET TARGET #SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918 10.0.0.0/8 logdrop # RFC 1918


@ -1 +1 @@
2.0.16 2.2.0


@ -1,6 +1,7 @@
/etc/shorewall/params Params Assign parameter values /etc/shorewall/params Params Assign parameter values
/etc/shorewall/zones Zones Partition the network into Zones /etc/shorewall/zones Zones Partition the network into Zones
/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces /etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
/etc/shorewall/ipsec Ipsec Define Zone IPSEC Properties
/etc/shorewall/hosts Hosts Define specific zones /etc/shorewall/hosts Hosts Define specific zones
/etc/shorewall/policy Policy Firewall high-level policy /etc/shorewall/policy Policy Firewall high-level policy
/etc/shorewall/rules Rules Exceptions to policy /etc/shorewall/rules Rules Exceptions to policy


@ -1 +1 @@
2.0.2c 2.0.16