diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
new file mode 100755
index 000000000..de6d2d76f
--- /dev/null
+++ b/Samples/one-interface/rules
@@ -0,0 +1,197 @@
+#
+# Shorewall version 1.3 - Rules File
+#
+# /etc/shorewall/rules
+#
+# Rules in this file govern connection establishment. Requests and
+# responses are automatically allowed using connection tracking.
+#
+# In most places where an IP address or subnet is allowed, you
+# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
+# indicate that the rule matches all addresses except the address/subnet
+# given. Notice that no white space is permitted between "!" and the
+# address/subnet.
+#
+# Columns are:
+#
+#
+# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
+#
+# ACCEPT -- allow the connection request
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable or an RST packet.
+# DNAT -- Forward the request to another
+# system (and optionally another
+# port).
+# DNAT- -- Advanced users only.
+# Like DNAT but only generates the
+# DNAT iptables rule and not
+# the companion ACCEPT rule.
+# REDIRECT -- Redirect the request to a local
+# port on the firewall.
+#
+# May optionally be followed by ":" and a syslog log
+# level (e.g, REJECT:info). This causes the packet to be
+# logged at the specified level.
+#
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case) as a log level.\
+# This will log to the ULOG target and sent to a separate log
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+#
+# SOURCE Source hosts to which the rule applies. May be a zone
+# defined in /etc/shorewall/zones, $FW to indicate the
+# firewall itself, or "all" If the ACTION is DNAT or
+# REDIRECT, sub-zones of the specified zone may be
+# excluded from the rule by following the zone name with
+# "!' and a comma-separated list of sub-zone names.
+#
+# Except when "all" is specified, clients may be further
+# restricted to a list of subnets and/or hosts by
+# appending ":" and a comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
+#
+# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+#
+# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
+# Internet
+#
+# loc:192.168.1.1,192.168.1.2
+# Hosts 192.168.1.1 and
+# 192.168.1.2 in the local zone.
+# loc:~00-A0-C9-15-39-78 Host in the local zone with
+# MAC address 00:A0:C9:15:39:78.
+#
+# Alternatively, clients may be specified by interface
+# by appending ":" to the zone name followed by the
+# interface name. For example, loc:eth1 specifies a
+# client that communicates with the firewall system
+# through eth1. This may be optionally followed by
+# another colon (":") and an IP/MAC/subnet address
+# as described above (e.g., loc:eth1:192.168.1.5).
+#
+# DEST Location of Server. May be a zone defined in
+# /etc/shorewall/zones, $FW to indicate the firewall
+# itself or "all"
+#
+# Except when "all" is specified, the server may be
+# further restricted to a particular subnet, host or
+# interface by appending ":" and the subnet, host or
+# interface. See above.
+#
+# Restrictions:
+#
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+# allowed; no FQDNs or subnet addresses
+# are permitted.
+#
+# The port that the server is listening on may be
+# included and separated from the server's IP address by
+# ":". If omitted, the firewall will not modifiy the
+# destination port. A destination port may only be
+# included if the ACTION is DNAT or REDIRECT.
+#
+# Example: loc:192.168.1.3:3128 specifies a local
+# server at IP address 192.168.1.3 and listening on port
+# 3128. The port number MUST be specified as an integer
+# and not as a name from /etc/services.
+#
+# if the ACTION is REDIRECT, this column needs only to
+# contain the port number on the firewall that the
+# request should be redirected to.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# "all" or "related". If "related", the remainder of the
+# entry must be omitted and connection requests that are
+# related to existing requests will be accepted.
+#
+# DEST PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# A port range is expressed as <low port>:<high port>.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following ields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+#
+# If you don't want to restrict client ports but need to
+# specify an ADDRESS in the next column, then place "-"
+# in this column.
+#
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
+# REDIRECT) If included and different from the IP
+# address given in the SERVER column, this is an address
+# on some interface on the firewall and connections to
+# that address will be forwarded to the IP and port
+# specified in the DEST column.
+#
+# The address may optionally be followed by
+# a colon (":") and a second IP address. This causes
+# Shorewall to use the second IP address as the source
+# address in forwarded packets. See the Shorewall
+# documentation for restrictions concerning this feature.
+# If no source IP address is given, the original source
+# address is not altered.
+#
+# Example: Accept SMTP requests from the DMZ to the internet
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT dmz net tcp smtp
+#
+# Example: Forward all ssh and http connection requests from the internet
+# to local system 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp ssh,http
+#
+# Example: Redirect all locally-originating www connection requests to
+# port 3128 on the firewall (Squid running on the firewall
+# system) except when the destination address is 192.168.2.2
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# REDIRECT loc 3128 tcp www - !192.168.2.2
+#
+# Example: All http requests from the internet to address
+# 130.252.100.69 are to be forwarded to 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
+##############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# PORT PORT(S) DEST
+ACCEPT net fw icmp 8
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE