Updates for 2.0.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1317 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-03-01 08:01:23 +01:00 · 2004-05-08 22:31:54 +00:00 · 2004-05-08 22:31:54 +00:00 · 84029e5bd4
commit 84029e5bd4
parent e023c8b712
32 changed files with 6910 additions and 6517 deletions
--- a/Shorewall-docs2/Accounting.xml
+++ b/Shorewall-docs2/Accounting.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-05</pubdate>
+    <pubdate>2004-04-19</pubdate>
    <copyright>
      <year>2003-2004</year>
@ -193,9 +193,13 @@
     [root@gateway shorewall]#</programlisting>
  <para>Here&#39;s how the same example would be constructed on an HTTP server
-  (READ THAT FOLKS -- IT SAYS <emphasis role="underline">SERVER</emphasis>. If
+  with only one interface (eth0).</para>
-  you want to account for web browsing, you have to reverse the rules below)
+
-  with only one interface (eth0):</para>
+  <caution>
    <para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis role="bold">SERVER</emphasis>.
    If you want to account for web browsing, you have to reverse the rules
    below.</para>
  </caution>
  <programlisting>        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
        #                                                               PORT            PORT
@ -228,4 +232,7 @@
      8767  727K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
     11506   13M            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
     [root@mail shorewall]#</programlisting>
  <para>For an example of integrating Shorewall Accounting with MRTG, see
  <ulink url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
 </article>
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@ -64,7 +64,7 @@
  Please review the appropriate guide before trying to use this documentation
  directly.</para>
-  <itemizedlist>
+  <orderedlist>
    <listitem>
      <para><ulink url="Accounting.html">Accounting</ulink></para>
    </listitem>
@ -391,5 +391,5 @@
    <listitem>
      <para><ulink url="whitelisting_under_shorewall.htm">White List Creation</ulink></para>
    </listitem>
-  </itemizedlist>
+  </orderedlist>
 </article>
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
--- a/Shorewall-docs2/FTP.xml
+++ b/Shorewall-docs2/FTP.xml
@ -15,11 +15,13 @@
      </author>
    </authorgroup>
-    <pubdate>2003-12-01</pubdate>
+    <pubdate>2004-04-26</pubdate>
    <copyright>
      <year>2003</year>
      <year>2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -62,6 +64,27 @@
    </orderedlist>
  </important>
  <important>
    <para><trademark>Mandrake</trademark> have done it again with their 10.0
    release. This time, they have decided that kernel modules should have
    &#34;ko.gz&#34; for their suffix. If you are having problems with Mandrake
    10.0 and FTP, change your <filename>/etc/shorewall/conf</filename> file
    definition of MODULE_SUFFIX as follows:</para>
    <programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
    <para>The version of <command>insmod</command> shipped with 10.0 also does
    not comprehend these module files so you will also need to change
    <filename>/usr/share/shorewall/firewall</filename> -- replace the line
    that reads:</para>
    <programlisting>     insmod $modulefile $*</programlisting>
    <para>with:</para>
    <programlisting>     modprobe $modulename $*</programlisting>
  </important>
  <section>
    <title>FTP Protocol</title>
--- a/Shorewall-docs2/IPSEC.xml
+++ b/Shorewall-docs2/IPSEC.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-20</pubdate>
+    <pubdate>2004-05-04</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -38,9 +39,10 @@
    Linux Kernel. David Hollis has provided i<ulink
    url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
    about how to set up a simple tunnel under 2.6</ulink>. One important point
-    that is not made explicit in David&#39;s post is that the <emphasis
+    that is not made explicit in David's post is that the <emphasis
    role="bold">vpn</emphasis> zone must be defined before the <emphasis
-    role="bold">net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</para>
+    role="bold">net</emphasis> zone in
    <filename>/etc/shorewall/zones</filename>.</para>
  </warning>
  <section>
@ -54,7 +56,8 @@
    <warning>
      <para>IPSEC and Proxy ARP do not work unless you are running Shorewall
      2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
-      2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
+      2.0.0 available from the <ulink url="errata.htm">Errata
      Page</ulink>.</para>
    </warning>
    <important>
@ -187,30 +190,111 @@ conn packetdefault
      <title>VPN</title>
      <para>You need to define a zone for the remote subnet or include it in
-      your local zone. In this example, we&#39;ll assume that you have created
+      your local zone. In this example, we'll assume that you have created a
-      a zone called <quote>vpn</quote> to represent the remote subnet.</para>
+      zone called <quote>vpn</quote> to represent the remote subnet.</para>
-      <para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
+      <para><table>
-      align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
+          <title>/etc/shorewall/zones local</title>
-      align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
+
-      Subnet</entry></row></tbody></tgroup></table></para>
+          <tgroup cols="3">
            <thead>
              <row>
                <entry align="center">ZONE</entry>
                <entry align="center">DISPLAY</entry>
                <entry align="center">COMMENTS</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>vpn</entry>
                <entry>VPN</entry>
                <entry>Remote Subnet</entry>
              </row>
            </tbody>
          </tgroup>
        </table></para>
      <para>At both systems, ipsec0 would be included in
      /etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
-      <para><table><title>/etc/shorewall/interfaces system local &#38; remote</title><tgroup
+      <para><table>
-      cols="4"><thead><row><entry align="center">ZONE</entry><entry
+          <title>/etc/shorewall/interfaces system local &amp; remote</title>
-      align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
+
-      align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
+          <tgroup cols="4">
            <thead>
              <row>
                <entry align="center">ZONE</entry>
                <entry align="center">INTERFACE</entry>
                <entry align="center">BROADCAST</entry>
                <entry align="center">OPTIONS</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>vpn</entry>
                <entry>ipsec0</entry>
                <entry></entry>
                <entry></entry>
              </row>
            </tbody>
          </tgroup>
        </table></para>
      <para>You will need to allow traffic between the <quote>vpn</quote> zone
      and the <quote>loc</quote> zone -- if you simply want to admit all
      traffic in both directions, you can use the policy file:</para>
-      <para><table><title>/etc/shorewall/policy local &#38; remote</title><tgroup
+      <para><table>
-      cols="4"><thead><row><entry align="center">SOURCE</entry><entry
+          <title>/etc/shorewall/policy local &amp; remote</title>
-      align="center">DEST</entry><entry align="center">POLICY</entry><entry
+
-      align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
+          <tgroup cols="4">
            <thead>
              <row>
                <entry align="center">SOURCE</entry>
                <entry align="center">DEST</entry>
                <entry align="center">POLICY</entry>
                <entry align="center">LOG LEVEL</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>loc</entry>
                <entry>vpn</entry>
                <entry>ACCEPT</entry>
                <entry></entry>
              </row>
              <row>
                <entry>vpn</entry>
                <entry>loc</entry>
                <entry>ACCEPT</entry>
                <entry></entry>
              </row>
            </tbody>
          </tgroup>
        </table></para>
      <para>Once you have these entries in place, restart Shorewall (type
      shorewall restart); you are now ready to configure the tunnel in <ulink
@ -299,7 +383,7 @@ conn packetdefault
    <para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
    <table>
-      <title>/etc/shorewall/tunnels system B &#38; C</title>
+      <title>/etc/shorewall/tunnels system B &amp; C</title>
      <tgroup cols="4">
        <thead>
@ -376,7 +460,7 @@ conn packetdefault
    <para>On systems B and C:</para>
    <table>
-      <title>/etc/shorewall/zones system B &#38; C</title>
+      <title>/etc/shorewall/zones system B &amp; C</title>
      <tgroup cols="3">
        <thead>
@ -434,7 +518,8 @@ conn packetdefault
      </tgroup>
    </table>
-    <para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
+    <para>The /etc/shorewall/hosts file on system A defines the two VPN
    zones:</para>
    <table>
      <title>/etc/shorewall/hosts system A</title>
@ -474,7 +559,7 @@ conn packetdefault
    following in /etc/shorewall/interfaces:</para>
    <table>
-      <title>/etc/shorewall/interfaces system B &#38; C</title>
+      <title>/etc/shorewall/interfaces system B &amp; C</title>
      <tgroup cols="4">
        <thead>
@ -575,7 +660,7 @@ conn packetdefault
    policy file entries on all three gateways:</para>
    <table>
-      <title>/etc/shorewall/policy system B &#38; C</title>
+      <title>/etc/shorewall/policy system B &amp; C</title>
      <tgroup cols="4">
        <thead>
@ -616,7 +701,8 @@ conn packetdefault
    <para>Once you have the Shorewall entries added, restart Shorewall on each
    gateway (type shorewall restart); you are now ready to configure the
-    tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
+    tunnels in <ulink
    url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
    <note>
      <para>to allow traffic between the networks attached to systems B and C,
@ -684,27 +770,75 @@ conn packetdefault
      <title>Road Warrior VPN</title>
      <para>You need to define a zone for the laptop or include it in your
-      local zone. In this example, we&#39;ll assume that you have created a
+      local zone. In this example, we'll assume that you have created a zone
-      zone called <quote>vpn</quote> to represent the remote host.</para>
+      called <quote>vpn</quote> to represent the remote host.</para>
-      <para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
+      <para><table>
-      align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
+          <title>/etc/shorewall/zones local</title>
-      align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
+
-      Subnet</entry></row></tbody></tgroup></table></para>
+          <tgroup cols="3">
            <thead>
              <row>
                <entry align="center">ZONE</entry>
                <entry align="center">DISPLAY</entry>
                <entry align="center">COMMENTS</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>vpn</entry>
                <entry>VPN</entry>
                <entry>Remote Subnet</entry>
              </row>
            </tbody>
          </tgroup>
        </table></para>
      <para>In this instance, the mobile system (B) has IP address 134.28.54.2
      but that cannot be determined in advance. In the /etc/shorewall/tunnels
      file on system A, the following entry should be made:</para>
-      <para><table><title>/etc/shorewall/tunnels system A</title><tgroup
+      <para><table>
-      cols="4"><thead><row><entry align="center">TYPE</entry><entry
+          <title>/etc/shorewall/tunnels system A</title>
      align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
      align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
-      <para><note><para>the GATEWAY ZONE column contains the name of the zone
+          <tgroup cols="4">
            <thead>
              <row>
                <entry align="center">TYPE</entry>
                <entry align="center">ZONE</entry>
                <entry align="center">GATEWAY</entry>
                <entry align="center">GATEWAY ZONE</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>ipsec</entry>
                <entry>net</entry>
                <entry>0.0.0.0/0</entry>
                <entry>vpn</entry>
              </row>
            </tbody>
          </tgroup>
        </table></para>
      <para><note>
          <para>the GATEWAY ZONE column contains the name of the zone
          corresponding to peer subnetworks. This indicates that the gateway
-      system itself comprises the peer subnetwork; in other words, the remote
+          system itself comprises the peer subnetwork; in other words, the
-      gateway is a standalone system.</para></note></para>
+          remote gateway is a standalone system.</para>
        </note></para>
      <para>You will need to configure /etc/shorewall/interfaces and establish
      your <quote>through the tunnel</quote> policy as shown under the first
@ -717,7 +851,11 @@ conn packetdefault
    <para>Beginning with Shorewall release 1.3.10, you can define multiple VPN
    zones and add and delete remote endpoints dynamically using
-    /sbin/shorewall. In /etc/shorewall/zones:</para>
+    /sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
    capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
    url="Documentation.htm#Conf">shorewall.conf</ulink>.</para>
    <para>In /etc/shorewall/zones:</para>
    <table>
      <title>/etc/shorewall/zones</title>
@ -801,7 +939,8 @@ conn packetdefault
    a different updown script that adds the remote station to the appropriate
    zone when the connection comes up and that deletes the remote station when
    the connection comes down. For example, when 134.28.54.2 connects for the
-    vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
+    vpn2 zone the <quote>up</quote> part of the script will issue the
    command:</para>
    <programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
@ -818,11 +957,45 @@ conn packetdefault
      <example>
        <title>dyn=dynamic zone</title>
-        <para><informaltable><tgroup cols="7"><thead><row><entry
+        <para><informaltable>
-        align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
+            <tgroup cols="7">
-        align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
+              <thead>
-        align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
+                <row>
-        align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
+                  <entry align="center">ACTION</entry>
                  <entry align="center">SOURCE</entry>
                  <entry align="center">DESTINATION</entry>
                  <entry align="center">PROTOCOL</entry>
                  <entry align="center">PORT(S)</entry>
                  <entry align="center">CLIENT PORT(S)</entry>
                  <entry align="center">ORIGINAL DESTINATION</entry>
                </row>
              </thead>
              <tbody>
                <row>
                  <entry>DNAT</entry>
                  <entry>z!dyn</entry>
                  <entry>loc:192.168.1.3</entry>
                  <entry>tcp</entry>
                  <entry>80</entry>
                  <entry></entry>
                  <entry></entry>
                </row>
              </tbody>
            </tgroup>
          </informaltable></para>
        <para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
        will have no effect on the above rule.</para>
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-01</pubdate>
+    <pubdate>2004-05-07</pubdate>
    <copyright>
      <year>2001</year>
@ -35,7 +35,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -44,9 +45,9 @@
    <important>
      <para>Before attempting installation, I strongly urge you to read and
-      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
+      print a copy of the <ulink
-      QuickStart</ulink> Guide for the configuration that most closely matches
+      url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
-      your own.</para>
+      for the configuration that most closely matches your own.</para>
    </important>
    <warning>
@ -64,14 +65,15 @@
      <listitem>
        <para>Install the RPM</para>
-        <programlisting><command>rpm -ivh &#60;shorewall rpm&#62;</command></programlisting>
+        <programlisting><command>rpm -ivh &lt;shorewall rpm&gt;</command></programlisting>
        <note>
          <para>Some SuSE users have encountered a problem whereby rpm reports
-          a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
+          a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-          installed. If this happens, simply use the --nodeps option to rpm.</para>
+          installed. If this happens, simply use the --nodeps option to
          rpm.</para>
-          <programlisting><filename><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></filename></programlisting>
+          <programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting>
        </note>
        <note>
@ -82,9 +84,10 @@
          <programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
-          <para>This may be worked around by using the --nodeps option of rpm.</para>
+          <para>This may be worked around by using the --nodeps option of
          rpm.</para>
-          <programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
+          <programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
        </note>
      </listitem>
@ -116,9 +119,9 @@
    <important>
      <para>Before attempting installation, I strongly urge you to read and
-      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
+      print a copy of the <ulink
-      QuickStart</ulink> Guide for the configuration that most closely matches
+      url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
-      your own.</para>
+      for the configuration that most closely matches your own.</para>
    </important>
    <para>To install Shorewall using the tarball and install script:</para>
@ -134,14 +137,19 @@
      </listitem>
      <listitem>
-        <para>If you are using <ulink
+        <para>If you are running <ulink
-        url="http://www.caldera.com/openstore/openlinux/">Caldera</ulink>,
+        url="http://www.slackware.com">Slackware</ulink>, edit the install.sh
-        <ulink url="http://www.redhat.com">RedHat</ulink>, <ulink
+        file and change the line</para>
-        url="http://www.linux-mandrake.com">Mandrake</ulink>, <ulink
+
-        url="http://www.corel.com">Corel</ulink>, <ulink
+        <programlisting>DEST=""</programlisting>
-        url="http://www.suse.com">SuSe</ulink>,<ulink
+
-        url="http://www.slackware.com/"> Slackware</ulink> or <ulink
+        <para>to</para>
-        url="http://www.debian.org">Debian/Gentoo</ulink> then type</para>
+
        <programlisting>DEST="/etc/rc.d"</programlisting>
      </listitem>
      <listitem>
        <para>Type</para>
        <programlisting><command>./install.sh</command></programlisting>
      </listitem>
@ -152,9 +160,10 @@
      </listitem>
      <listitem>
-        <para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
+        <para>Enable Startup by removing
-        (Debian users will edit <filename>/etc/default/shorewall</filename>
+        <filename>/etc/shorewall/startup_disabled</filename> (Debian users
-        and set startup=1).</para>
+        will edit <filename>/etc/default/shorewall</filename> and set
        startup=1).</para>
      </listitem>
      <listitem>
@ -166,7 +175,8 @@
      <listitem>
        <para>If the install script was unable to configure Shorewall to be
        started automatically at boot, see <ulink
-        url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
+        url="starting_and_stopping_shorewall.htm">these
        instructions</ulink>.</para>
      </listitem>
    </orderedlist>
  </section>
@ -176,15 +186,16 @@
    <important>
      <para>Before attempting installation, I strongly urge you to read and
-      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
+      print a copy of the <ulink
-      QuickStart</ulink> Guide for the configuration that most closely matches
+      url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
-      your own.</para>
+      for the configuration that most closely matches your own.</para>
    </important>
    <para>To install my version of Shorewall on a fresh Bering disk, simply
    replace the <quote>shorwall.lrp</quote> file on the image with the file
    that you downloaded. See the <ulink url="two-interface.htm">two-interface
-    QuickStart Guide</ulink> for information about further steps required.</para>
+    QuickStart Guide</ulink> for information about further steps
    required.</para>
  </section>
  <section id="Upgrade_RPM">
@ -204,22 +215,23 @@
      please check your /etc/shorewall/interfaces file to be sure that it
      contains an entry for each interface mentioned in the hosts file. Also,
      there are certain 1.2 rule forms that are no longer supported under 1.4
-      (you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
+      (you must use the new 1.4 syntax). See <ulink
-      upgrade issues</ulink> for details.</para>
+      url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
    </important>
    <orderedlist>
      <listitem>
        <para>Upgrade the RPM</para>
-        <programlisting><command>rpm -Uvh &#60;shorewall rpm file&#62;</command></programlisting>
+        <programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt;</command></programlisting>
        <note>
          <para>Some SuSE users have encountered a problem whereby rpm reports
-          a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
+          a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-          installed. If this happens, simply use the --nodeps option to rpm.</para>
+          installed. If this happens, simply use the --nodeps option to
          rpm.</para>
-          <programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
+          <programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
        </note>
        <note>
@ -230,15 +242,17 @@
          <programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
-          <para>This may be worked around by using the --nodeps option of rpm.</para>
+          <para>This may be worked around by using the --nodeps option of
          rpm.</para>
-          <programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
+          <programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
        </note>
      </listitem>
      <listitem>
        <para>See if there are any incompatibilities between your
-        configuration and the new Shorewall version and correct as necessary.</para>
+        configuration and the new Shorewall version and correct as
        necessary.</para>
        <programlisting><command>shorewall check</command></programlisting>
      </listitem>
@ -268,8 +282,8 @@
      please check your /etc/shorewall/interfaces file to be sure that it
      contains an entry for each interface mentioned in the hosts file. Also,
      there are certain 1.2 rule forms that are no longer supported under 1.4
-      (you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
+      (you must use the new 1.4 syntax). See <ulink
-      upgrade issues</ulink> for details.</para>
+      url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
    </important>
    <orderedlist>
@ -285,21 +299,27 @@
      </listitem>
      <listitem>
-        <para>If you are using <ulink
+        <para>If you are running <ulink
-        url="http://www.caldera.com/openstore/openlinux/">Caldera</ulink>,
+        url="http://www.slackware.com">Slackware</ulink>, edit the install.sh
-        <ulink url="http://www.redhat.com">RedHat</ulink>, <ulink
+        file and change the line</para>
-        url="http://www.linux-mandrake.com">Mandrake</ulink>, <ulink
+
-        url="http://www.corel.com">Corel</ulink>, <ulink
+        <programlisting>DEST=""</programlisting>
-        url="http://www.suse.com">SuSe</ulink>, <ulink
+
-        url="http://www.slackware.com/">Slackware</ulink> or <ulink
+        <para>to</para>
-        url="http://www.debian.org">Debian/Gentoo</ulink> then type</para>
+
        <programlisting>DEST="/etc/rc.d"</programlisting>
      </listitem>
      <listitem>
        <para>Type</para>
        <programlisting><command>./install.sh</command></programlisting>
      </listitem>
      <listitem>
        <para>See if there are any incompatibilities between your
-        configuration and the new Shorewall version and correct as necessary.</para>
+        configuration and the new Shorewall version and correct as
        necessary.</para>
        <programlisting><command>shorewall check</command></programlisting>
      </listitem>
@ -313,7 +333,8 @@
      <listitem>
        <para>If the install script was unable to configure Shorewall to be
        started automatically at boot, see <ulink
-        url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
+        url="starting_and_stopping_shorewall.htm">these
        instructions</ulink>.</para>
      </listitem>
    </orderedlist>
  </section>
@ -342,6 +363,7 @@
  <section>
    <title>Uninstall/Fallback</title>
-    <para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
+    <para>See <quote><ulink url="fallback.htm">Fallback and
    Uninstall</ulink></quote>.</para>
  </section>
 </article>
--- a/Shorewall-docs2/PPTP.xml
+++ b/Shorewall-docs2/PPTP.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2003-12-23</pubdate>
+    <pubdate>2004-04-15</pubdate>
    <copyright>
      <year>2001</year>
@ -24,6 +24,8 @@
      <year>2003</year>
      <year>2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -37,6 +39,16 @@
    </legalnotice>
    <revhistory>
      <revision>
        <revnumber>1.2</revnumber>
        <date>2004-04-15</date>
        <authorinitials>TE</authorinitials>
        <revremark>Revised instructions regarding PPTP conntrack patch.</revremark>
      </revision>
      <revision>
        <revnumber>1.1</revnumber>
@ -909,14 +921,16 @@ esac</programlisting>
    <para>You shouldn&#39;t have to take any special action for this case
    unless you wish to connect multiple clients to the same external server.
-    In that case, you will need to follow the instructions at <ulink
+    In that case, you must install the PPTP connection/tracking and NAT patch
-    url="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</ulink>.
+    from <ulink url="http://www.netfilter.org">Netfilter Patch-O-Mati</ulink>c
-    I recommend that you also add these three lines to your
+    (some distributions are now shipping with this patch installed). I
    recommend that you also add these four lines to your
    /etc/shorewall/modules file:</para>
    <programlisting>loadmodule ip_conntrack_proto_gre
 loadmodule ip_conntrack_pptp
-loadmodule ip_nat_pptp</programlisting>
+loadmodule ip_nat_pptp
 loadmodule ip_nat_proto_gre</programlisting>
    <para>For LEAF/Bering users, the 2.4.20 kernel as already been patched as
    described at the URL above and the three modules are included in the
--- a/Shorewall-docs2/Shorewall_Squid_Usage.xml
+++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-29</pubdate>
+    <pubdate>2004-04-19</pubdate>
    <copyright>
      <year>2003-2004</year>
@ -153,7 +153,7 @@ REDIRECT  loc        3228     tcp      www              -          !206.124.146.
          <para>In /etc/shorewall/init, put:</para>
          <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
-        ip rule add fwmark 202 table www.out
+        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 192.168.1.3 dev eth1 table www.out
        ip route flush cache
        echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
@ -232,7 +232,7 @@ chkconfig --level 35 iptables on</command></programlisting>
          <para>In /etc/shorewall/init, put:</para>
          <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
-        ip rule add fwmark 202 table www.out
+        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 192.0.2.177 dev eth1 table www.out
        ip route flush cache
 fi</command></programlisting>
--- a/Shorewall-docs2/bridge.xml
+++ b/Shorewall-docs2/bridge.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-05</pubdate>
+    <pubdate>2004-04-12</pubdate>
    <copyright>
      <year>2004</year>
@ -152,7 +152,7 @@
  <section>
    <title>Configuring the Bridge</title>
-    <para>Configuring the bridge itself is quite simple and used the
+    <para>Configuring the bridge itself is quite simple and uses the
    <command>brctl</command> utility from the bridge-utils package. Bridge
    configuration information may be found at <ulink
    url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
@ -334,7 +334,7 @@ dmz      br0:eth2</programlisting>
  <section>
    <title>Limitations</title>
-    <para>Bridging doesn&#39; t work with wireless cards — see <ulink
+    <para>Bridging doesn&#39; t work with some wireless cards — see <ulink
    url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
  </section>
 </article>
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-03</pubdate>
+    <pubdate>2004-04-20</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -93,6 +93,16 @@
    and modify the copy</emphasis>.</para></listitem></itemizedlist></para>
  </section>
  <section>
    <title>Special Note about /etc/shorewall/shorewall.conf</title>
    <para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
    even if you just add a comment that says &#34;I modified this file&#34;.
    That way, your package manager won&#39;t overwrite the file with future
    updated versions. Such overwrites can cause unwanted changes in the
    behavior of Shorewall.</para>
  </section>
  <section id="Comments">
    <title>Comments</title>
@ -381,9 +391,12 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    <title>Using MAC Addresses</title>
    <para>Media Access Control (MAC) addresses can be used to specify packet
-    source in several of the configuration files. To use this feature, your
+    source in several of the configuration files. In order to control traffic
-    kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
+    to/from a host by its MAC address, the host must be on the same network as
-    included.</para>
+    the firewall.</para>
    <para>To use this feature, your kernel must have MAC Address Match support
    (CONFIG_IP_NF_MATCH_MAC) included.</para>
    <para>MAC addresses are 48 bits wide and each Ethernet Controller has a
    unique MAC address.</para>
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-20</pubdate>
+    <pubdate>2004-05-03</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -27,7 +27,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -55,9 +56,9 @@
      <listitem>
        <para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
-        RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
+        RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
-        For example, do NOT install the 1.3.9a firewall script if you are
+        BELOW.</emphasis> For example, do NOT install the 1.3.9a firewall
-        running 1.3.7c.</para>
+        script if you are running 1.3.7c.</para>
      </listitem>
    </itemizedlist>
  </caution>
@ -65,7 +66,8 @@
  <section>
    <title>RFC1918 File</title>
-    <para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
+    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only
    applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall
@ -75,9 +77,75 @@
    url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
  </section>
  <section>
    <title>Bogons File</title>
    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#Bogons">bogons file</ulink>.</para>
  </section>
  <section>
    <title>Problems in Version 2.0</title>
    <section>
      <title>Shorewall 2.0.1</title>
      <itemizedlist>
        <listitem>
          <para>Confusing message mentioning IPV6 occur at startup.</para>
        </listitem>
        <listitem>
          <para>Modules listed in /etc/shorewall/modules don't load or produce
          errors on Mandrake 10.0 Final.</para>
        </listitem>
        <listitem>
          <para>The <command>shorewall delete</command> command does not
          remove all dynamic rules pertaining to the host(s) being
          deleted.</para>
        </listitem>
      </itemizedlist>
      <para>These problems are corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
      firewall script</ulink> which may be installed in
      <filename>/usr/share/shorewall/firewall</filename> as described
      above.</para>
      <itemizedlist>
        <listitem>
          <para>When run on a SuSE system, the install.sh script fails to
          configure Shorewall to start at boot time. That problem is corrected
          in <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
          version of the script</ulink>.</para>
        </listitem>
      </itemizedlist>
    </section>
    <section>
      <title>Shorewall 2.0.1/2.0.0</title>
      <itemizedlist>
        <listitem>
          <para>On Debian systems, an install using the tarball results in an
          inability to start Shorewall at system boot. If you already have
          this problem, install <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
          file</ulink> as /etc/init.d/shorewall (replacing the existing file
          with that name). If you are just installing or upgrading to
          Shorewall 2.0.0 or 2.0.1, then replace the
          <filename>init.debian.sh</filename> file in the Shorewall
          distribution directory (shorewall-2.0.x) with the updated file
          before running <command>install.sh</command> from that
          directory.</para>
        </listitem>
      </itemizedlist>
    </section>
    <section>
      <title>Shorewall 2.0.0</title>
@ -95,11 +163,13 @@
        </listitem>
      </itemizedlist>
-      <para>The first problem has been corrected in Shorewall update 2.0.0a.</para>
+      <para>The first problem has been corrected in Shorewall update
      2.0.0a.</para>
      <para>All of these problems may be corrected by installing <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
-      firewall script</ulink> in /usr/share/shorewall as described above.</para>
+      firewall script</ulink> in /usr/share/shorewall as described
      above.</para>
    </section>
  </section>
@ -111,118 +181,12 @@
  </section>
  <section>
-    <title>Problem with iptables version 1.2.3</title>
+    <title>Problem with iptables 1.2.9</title>
-    <para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
+    <para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
-    from working with Shorewall. Regrettably, RedHat released this buggy
+    Final) or later then you need to patch your iptables 1.2.9 with <ulink
-    iptables in RedHat 7.2.&#x00A0;</para>
+    url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
-
+    patch</ulink>.</para>
    <para>I have built a <ulink
    url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
    1.2.3 rpm which you can download here</ulink>&#x00A0; and I have also
    built an <ulink
    url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
    rpm which you can download here</ulink>. If you are currently running
    RedHat 7.1, you can install either of these RPMs before you upgrade to
    RedHat 7.2.</para>
    <para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
    released an iptables-1.2.4 RPM of their own which you can download from
    <ulink url="http://www.redhat.com/support/errata/RHSA-2001-144.html.">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>.I
    have installed this RPM on my firewall and it works fine.</para>
    <para>If you would like to patch iptables 1.2.3 yourself, the patches are
    available for download. This <ulink
    url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</ulink>
    which corrects a problem with parsing of the --log-level specification
    while this <ulink
    url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
    corrects a problem in handling the&#x00A0; TOS target.</para>
    <para>To install one of the above patches:<programlisting>     cd iptables-1.2.3/extensions
     patch -p0 &#60; the-patch-file</programlisting></para>
  </section>
  <section>
    <title>Problems with kernels &#62;= 2.4.18 and RedHat iptables</title>
    <para>Users who use RedHat iptables RPMs and who upgrade to kernel
    2.4.18/19 may experience the following:</para>
    <blockquote>
      <programlisting># shorewall start
 Processing /etc/shorewall/shorewall.conf ...
 Processing /etc/shorewall/params ...
 Starting Shorewall...
 Loading Modules...
 Initializing...
 Determining Zones...
 Zones: net
 Validating interfaces file...
 Validating hosts file...
 Determining Hosts in Zones...
 Net Zone: eth0:0.0.0.0/0
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h-&#62;info.valid_hooks == (1 &#60;&#60; 0 | 1 &#60;&#60; 3)&#39; failed.
 Aborted (core dumped)
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h-&#62;info.valid_hooks == (1 &#60;&#60; 0 | 1 &#60;&#60; 3)&#39; failed.
 Aborted (core dumped)</programlisting>
    </blockquote>
    <para>The RedHat iptables RPM is compiled with debugging enabled but the
    user-space debugging code was not updated to reflect recent changes in the
    Netfilter <quote>mangle</quote> table. You can correct the problem by
    installing <ulink
    url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
    iptables RPM</ulink>. If you are already running a 1.2.5 version of
    iptables, you will need to specify the --oldpackage option to rpm (e.g.,
    <quote>iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm</quote>).</para>
  </section>
  <section>
    <title>Problems with iptables version 1.2.7 and MULTIPORT=Yes</title>
    <para>The iptables 1.2.7 release of iptables has made an incompatible
    change to the syntax used to specify multiport match rules; as a
    consequence, if you install iptables 1.2.7 you must be running Shorewall
    1.3.7a or later or:</para>
    <itemizedlist>
      <listitem>
        <para>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or</para>
      </listitem>
      <listitem>
        <para>If you are running Shorewall 1.3.6 you may install <ulink
        url="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">this
        firewall script</ulink> in /usr/lib/shorewall/firewall as described
        above.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>Problems with RH Kernel 2.4.18-10 and NAT</title>
    <para>/etc/shorewall/nat entries of the following form will result in
    Shorewall being unable to start:</para>
    <programlisting>     #EXTERNAL&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; INTERFACE&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; INTERNAL&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; ALL INTERFACES&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; LOCAL
     192.0.2.22&#x00A0;&#x00A0;&#x00A0;   eth0&#x00A0;&#x00A0;&#x00A0;         192.168.9.22&#x00A0;&#x00A0;  yes&#x00A0;&#x00A0;&#x00A0;&#x00A0;                 yes
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    <para>Error message is:</para>
    <programlisting>     Setting up NAT...
     iptables: Invalid argument
     Terminated</programlisting>
    <para>The solution is to put <quote>no</quote> in the LOCAL column. Kernel
    support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
    it. The 2.4.19 kernel contains corrected support under a new kernel
    configuraiton option; see <ulink
    url="http://www.shorewall.net/Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</ulink>.</para>
  </section>
  <section>
@ -233,24 +197,151 @@ Aborted (core dumped)</programlisting>
    --reject-with tcp-reset</quote> is broken. The symptom most commonly seen
    is that REJECT rules act just like DROP rules when dealing with TCP. A
    kernel patch and precompiled modules to fix this problem are available at
-    <ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
+    <ulink
    url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
    <note>
-      <para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
+      <para>RedHat have corrected this problem in their 2.4.20-27.x
      kernels.</para>
    </note>
  </section>
  <appendix>
-    <title>Revision History4</title>
+    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.6</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
+    <para><revhistory>
-    ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-03-17</date><authorinitials>TE</authorinitials><revremark>Action
+        <revision>
-    rules are reported as policies.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-03</date><authorinitials>TE</authorinitials><revremark>Update
+          <revnumber>1.12</revnumber>
-    for Shorewall 2.0.0.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
+
-    address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
+          <date>2004-05-04</date>
-    template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
+
-    note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
+          <authorinitials>TE</authorinitials>
-    RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
+
-    Conversion to Docbook XML</revremark></revision></revhistory></para>
+          <revremark>Add Alex Wilms's "install.sh" fix.</revremark>
        </revision>
        <revision>
          <revnumber>1.11</revnumber>
          <date>2004-05-03</date>
          <authorinitials>TE</authorinitials>
          <revremark>Add Stefan Engel's "shorewall delete" fix.</revremark>
        </revision>
        <revision>
          <revnumber>1.10</revnumber>
          <date>2004-04-28</date>
          <authorinitials>TE</authorinitials>
          <revremark>Add iptables 1.2.9 iptables-save bug notice.</revremark>
        </revision>
        <revision>
          <revnumber>1.9</revnumber>
          <date>2004-04-21</date>
          <authorinitials>TE</authorinitials>
          <revremark>Debian initialization script problem. Deleted obsolete
          sections.</revremark>
        </revision>
        <revision>
          <revnumber>1.8</revnumber>
          <date>2004-04-20</date>
          <authorinitials>TE</authorinitials>
          <revremark>Updated RFC1918 and BOGONS files.</revremark>
        </revision>
        <revision>
          <revnumber>1.7</revnumber>
          <date>2004-03-20</date>
          <authorinitials>TE</authorinitials>
          <revremark>Proxy ARP/IPSEC fix.</revremark>
        </revision>
        <revision>
          <revnumber>1.6</revnumber>
          <date>2004-03-17</date>
          <authorinitials>TE</authorinitials>
          <revremark>Action rules are reported as policies.</revremark>
        </revision>
        <revision>
          <revnumber>1.5</revnumber>
          <date>2004-02-03</date>
          <authorinitials>TE</authorinitials>
          <revremark>Update for Shorewall 2.0.0.</revremark>
        </revision>
        <revision>
          <revnumber>1.4</revnumber>
          <date>2004-01-19</date>
          <authorinitials>TE</authorinitials>
          <revremark>IPV6 address problems. Make RFC1918 file section more
          prominent.</revremark>
        </revision>
        <revision>
          <revnumber>1.3</revnumber>
          <date>2004-01-14</date>
          <authorinitials>TE</authorinitials>
          <revremark>Confusing template file in 1.4.9</revremark>
        </revision>
        <revision>
          <revnumber>1.3</revnumber>
          <date>2004-01-03</date>
          <authorinitials>TE</authorinitials>
          <revremark>Added note about REJECT RedHat Kernal problem being
          corrected.</revremark>
        </revision>
        <revision>
          <revnumber>1.2</revnumber>
          <date>2003-12-29</date>
          <authorinitials>TE</authorinitials>
          <revremark>Updated RFC1918 file</revremark>
        </revision>
        <revision>
          <revnumber>1.1</revnumber>
          <date>2003-12-17</date>
          <authorinitials>TE</authorinitials>
          <revremark>Initial Conversion to Docbook XML</revremark>
        </revision>
      </revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs2/images/State_Diagram.png
+++ b/Shorewall-docs2/images/State_Diagram.png
--- a/Shorewall-docs2/images/State_Diagram.vdx
+++ b/Shorewall-docs2/images/State_Diagram.vdx
--- a/Shorewall-docs2/images/staticnat.png
+++ b/Shorewall-docs2/images/staticnat.png
--- a/Shorewall-docs2/images/staticnat.vdx
+++ b/Shorewall-docs2/images/staticnat.vdx
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-03</pubdate>
+    <pubdate>2004-04-27</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -47,16 +47,16 @@
    <caution>
      <para>The configuration shown here corresponds to Shorewall version
-      2.0.1 (that&#39;s right -- I am running a version of Shorewall that is
+      2.0.1. My configuration uses features not available in earlier Shorewall
-      not yet released). My configuration uses features not available in
+      releases.</para>
      earlier Shorewall releases.</para>
    </caution>
    <para>I have DSL service and have 5 static IP addresses
    (206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
    connected to eth0. I have a local network connected to eth2 (subnet
    192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note
-    that the IP address of eth1 is a duplicate of one on eth0.</para>
+    that I configure the same IP address on both <filename class="devicefile">eth0</filename>
    and <filename class="devicefile">eth1</filename>.</para>
    <para>In this configuration:</para>
@ -127,8 +127,9 @@
    <para>I run an SNMP server on my firewall to serve <ulink
    url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
-    in the DMZ.<graphic align="center" fileref="images/network.png" />The
+    in the DMZ.</para>
-    ethernet interface in the Server is configured with IP address
+
    <para>The ethernet interface in the Server is configured with IP address
    206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
    is 206.124.146.254 (Router at my ISP. This is the same default gateway
    used by the firewall itself). On the firewall, an entry in my
@ -136,6 +137,8 @@
    206.124.146.177 through eth1 when that interface is brought up.</para>
    <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para>
    <para><graphic align="center" fileref="images/network.png" /></para>
  </section>
  <section>
@ -241,27 +244,6 @@ eth2            -
      </blockquote>
    </section>
    <section id="RFC1918">
      <title>RFC1918 File</title>
      <blockquote>
        <para>I use a stripped-down file which doesn&#39;t have to be updated
        when the IANA allocates a block of IP addresses.</para>
      </blockquote>
      <blockquote>
        <programlisting>#SUBNET                 TARGET
 169.254.0.0/16          DROP            # DHCP autoconfig
 172.16.0.0/12           logdrop         # RFC 1918
 192.0.2.0/24            logdrop         # Example addresses
 192.168.0.0/16          logdrop         # RFC 1918
 10.24.60.56             DROP            # Some idiot in my broadcast domain
                                        # has a box configured with this
                                        # address.
 10.0.0.0/8              logdrop         # Reserved (RFC 1918)</programlisting>
      </blockquote>
    </section>
    <section>
      <title>Blacklist File (Partial)</title>
@ -554,90 +536,6 @@ iface eth1 inet static
 </emphasis>...</programlisting>
      </blockquote>
    </section>
    <section id="Dhcpd">
      <title>/etc/dhcpd.conf (MAC Addresses Omitted)</title>
      <blockquote>
        <para>While this is a little off-topic, I&#39;ve included it to show
        how to set up DHCP on two interfaces.<programlisting>default-lease-time 67200; max-lease-time 67200;
 get-lease-hostnames on;
 group {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.254;
        option ntp-servers 192.168.1.254;
        option domain-name-servers 192.168.1.193;
        option netbios-name-servers 192.168.1.254;
        option domain-name &#34;shorewall.net&#34;;
        option netbios-dd-server 192.168.1.254;
        option netbios-node-type 8;
        option netbios-scope &#34;&#34;;
        subnet 192.168.1.0 netmask 255.255.255.0 {
                range 192.168.1.11 192.168.1.20;
        }
         host ursa.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.1.5;
        }
        host eastept1 {
                hardware ethernet …;
                fixed-address 192.168.1.7;
        }
        host tarry {
                hardware ethernet …;
                fixed-address 192.168.1.4;
        }
        host wookie.shorewall.net {
                hardware ethernet  …;
                fixed-address 192.168.1.3;
        }
        host testws.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.1.6;
        }
        host printer.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.1.10;
        }
 }
 group {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.3.255;
        option routers 192.168.3.254;
        option ntp-servers 192.168.3.254;
        option domain-name-servers 206.124.146.177;
        option netbios-name-servers 192.168.3.254;
        option domain-name &#34;shorewall.net&#34;;
        option netbios-dd-server 192.168.3.254;
        option netbios-node-type 8;
        option netbios-scope &#34;&#34;;
        subnet 192.168.3.0 netmask 255.255.255.0 {
                range 192.168.3.11 192.168.3.20;
        }
        host easteplaptop {
                hardware ethernet …;
                fixed-address 192.168.3.7;
        }
        host tipper.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.3.8;
        }</programlisting></para>
      </blockquote>
    </section>
  </section>
  <section>
--- a/Shorewall-docs2/ports.xml
+++ b/Shorewall-docs2/ports.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-27</pubdate>
+    <pubdate>2004-04-24</pubdate>
    <copyright>
      <year>2001-2002</year>
@ -101,14 +101,10 @@ ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62
  </section>
  <section>
-    <title>ICQ</title>
+    <title>ICQ/AIM</title>
    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
-ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        4000
+ACCEPT     <emphasis>&#60;source&#62;</emphasis>  net              tcp        5190</programlisting>
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        4000:4100</programlisting>
    <para>UDP Port 4000. You will also need to open a range of TCP ports which
    you can specify to your ICQ client. By default, clients use 4000-4100.</para>
  </section>
  <section>
@ -208,7 +204,16 @@ ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62
    <title>SMTP</title>
    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
-ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        25</programlisting>
+ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        25     #Insecure SMTP
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        465    #SMTP over SSL (TLS)</programlisting>
  </section>
  <section>
    <title>SNMP</title>
    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        161:162
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        161</programlisting>
  </section>
  <section>
@ -275,7 +280,9 @@ ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make
+    <para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-24</date><authorinitials>TE</authorinitials><revremark>Revised
    ICQ/AIM.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-04-23</date><authorinitials>TE</authorinitials><revremark>Added
    SNMP.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make
    NFS work for everyone.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-14</date><authorinitials>TE</authorinitials><revremark>Add
    PCAnywhere.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
    information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
--- a/Shorewall-docs2/shorewall_extension_scripts.xml
+++ b/Shorewall-docs2/shorewall_extension_scripts.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-05-04</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -64,7 +65,8 @@
    </listitem>
    <listitem>
-      <para>start -- invoked after the firewall has been started or restarted.</para>
+      <para>start -- invoked after the firewall has been started or
      restarted.</para>
    </listitem>
    <listitem>
@ -92,27 +94,90 @@
    </listitem>
  </itemizedlist>
-  <para><emphasis role="bold">If your version of Shorewall doesn&#39;t have
+  <para><emphasis role="bold">If your version of Shorewall doesn't have the
-  the file that you want to use from the above list, you can simply create the
+  file that you want to use from the above list, you can simply create the
  file yourself.</emphasis> You can also supply a script with the same name as
  any of the filter chains in the firewall and the script will be invoked
  after the /etc/shorewall/rules file has been processed but before the
  /etc/shorewall/policy file has been processed.</para>
-  <para>Beginning with Shorewall 2.0.0, you can also define a
+  <para>There are a couple of special considerations for commands in extension
-  <emphasis>common action</emphasis> to be performed immediately before a
+  scripts:</para>
-  policy of ACCEPT, DROP or REJECT is applied. Separate actions can be
+
-  assigned to each policy type so for example you can have a different common
+  <itemizedlist>
-  action for DROP and REJECT policies. The most common usage of common actions
+    <listitem>
-  is to silently drop traffic that you don&#39;t wish to have logged by the
+      <para>When you want to run <command>iptables</command>, use the command
-  policy.</para>
+      <command>run_iptables</command> instead. <command>run_iptables</command>
      will run the iptables utility passing the arguments to
      <command>run_iptables</command> and if the command fails, the firewall
      will be stopped (Shorewall version &lt; 2.0.2 Beta 1 or there is no
      <filename>/var/lib/shorewall/restore</filename> file) or restored
      (Shorewall version &gt;= 2.0.2 Beta 1 and
      <filename>/var/lib/shorewall/restore</filename> exists).</para>
    </listitem>
    <listitem>
      <para>With Shorewall 2.0.2 Beta 1 and later versions, if you run
      commands other than <command>iptables</command> that must be re-run in
      order to restore the firewall to its current state then you must save
      the commands to the <firstterm>restore file</firstterm>. The restore
      file is a temporary file in <filename
      class="directory">/var/lib/shorewall</filename> that will be renamed
      <filename>/var/lib/shorewall/restore-base</filename> at the successful
      completion of the Shorewall command. The <command>shorewall
      save</command> command combines
      <filename>/var/lib/shorewall/restore-base</filename> with the output of
      <command>iptables-save</command> to produce the
      <filename>/var/lib/shorewall/restore</filename> script.</para>
      <para>Here are three functions that are useful when running commands
      other than <command>iptables</command>:</para>
      <orderedlist>
        <listitem>
          <para><emphasis role="bold">save_command() </emphasis>-- saves the
          passed command to the restore file.</para>
          <para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
          <para>That command would simply write "echo Operation Complete" to
          the restore file.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">run_and_save_command()</emphasis> --
          saves the passed command to the restore file then executes it. The
          return value is the exit status of the command. Example:
          <programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
          <para>Note that as in this example, when the command involves file
          redirection then the entire command must be enclosed in quotes. This
          applies to all of the functions described here.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">ensure_and_save_command()</emphasis> --
          runs the passed command. If the command fails, the firewall is
          restored to it's prior saved state and the operation is terminated.
          If the command succeeds, the command is written to the restore
          file</para>
        </listitem>
      </orderedlist>
    </listitem>
  </itemizedlist>
  <para>Beginning with Shorewall 2.0.0, you can also define a <emphasis>common
  action</emphasis> to be performed immediately before a policy of ACCEPT,
  DROP or REJECT is applied. Separate <ulink
  url="User_defined_Actions.html">actions</ulink> can be assigned to each
  policy type so for example you can have a different common action for DROP
  and REJECT policies. The most common usage of common actions is to silently
  drop traffic that you don't wish to have logged by the policy.</para>
  <para>As released, Shorewall defines a number of actions which are cataloged
-  in the <filename>/etc/shorewall/actions.std</filename> file. The default
+  in the <filename>/usr/share/shorewall/actions.std</filename> file. That file
-  <filename>/etc/shorewall/actions</filename> file contains <quote>INCLUDE
+  is processed before /etc/shorewall/actions. Among the entries in
-  /etc/shorewall/actions.std</quote> so that the Shorewall-defined actions are
+  <filename>/usr/share/shorewall/actions.std</filename> are:</para>
  included by default. Among the entries in <filename>/etc/shorewall/actions.std</filename>
  are:</para>
  <programlisting>Drop:DROP
 Reject:REJECT</programlisting>
@ -120,21 +185,20 @@ Reject:REJECT</programlisting>
  <para>So the action named <quote>Drop</quote> is performed immediately
  before DROP policies are applied and the action called <quote>Reject</quote>
  is performed before REJECT policies are applied. These actions are defined
-  in the files <filename>/etc/shorewall/action.Drop</filename> and
+  in the files <filename>/usr/share/shorewall/action.Drop</filename> and
-  <filename>/etc/shorewall/action.Reject</filename> respectively.</para>
+  <filename>/usr/share/shorewall/action.Reject</filename> respectively.</para>
  <para>You can override these defaults with entries in your
  /etc/shorewall/actions file. For example, if that file were to contain
  <quote>MyDrop:DROP</quote> then the common action for DROP policies would
-  become <quote>MyDrop</quote>. For an example, see <ulink url="myfiles.htm">my
+  become <quote>MyDrop</quote>.</para>
  configuration files</ulink>.</para>
  <para>One final note. The chain created to perform an action has the same
  name as the action. You can use an extension script by that name to add
-  rules to the action&#39;s chain in the same way as you can any other chain.
+  rules to the action's chain in the same way as you can any other chain. So
-  So if you create the new action <quote>Dagger</quote> and define it in
+  if you create the new action <quote>Dagger</quote> and define it in
  <filename>/etc/shorewall/action.Dagger</filename>, you can also have an
  extension script named <filename>/etc/shorewall/Dagger</filename> that can
-  add rules to the <quote>Dagger</quote> chain that can&#39;t be created using
+  add rules to the <quote>Dagger</quote> chain that can't be created using
  <filename>/etc/shorewall/action.Dagger</filename>.</para>
 </article>
--- a/Shorewall-docs2/shorewall_features.xml
+++ b/Shorewall-docs2/shorewall_features.xml
@ -13,7 +13,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2004-04-04</pubdate>
+    <pubdate>2004-05-07</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -27,7 +27,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -36,7 +37,7 @@
    <itemizedlist>
      <listitem>
-        <para>Uses Netfilter&#39;s connection tracking facilities for stateful
+        <para>Uses Netfilter's connection tracking facilities for stateful
        packet filtering.</para>
      </listitem>
@ -54,9 +55,10 @@
          </listitem>
          <listitem>
-            <para>Allows you to partitions the network into <ulink
+            <para>Allows you to partition the network into <ulink
            url="Documentation.htm#Zones">zones</ulink> and gives you complete
-            control over the connections permitted between each pair of zones.</para>
+            control over the connections permitted between each pair of
            zones.</para>
          </listitem>
          <listitem>
@ -78,26 +80,30 @@
      <listitem>
        <para>A <emphasis role="bold">GUI</emphasis> is available via Webmin
-        1.060 and later (<ulink url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
+        1.060 and later (<ulink
        url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
      </listitem>
      <listitem>
        <para>Extensive <emphasis role="bold"><ulink
-        url="Documentation_Index.html">documentation</ulink></emphasis>
+        url="Documentation_Index.html">documentation</ulink></emphasis> in
-        included in the .tgz and .rpm downloads.</para>
+        available in both XML and HTML formats.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Flexible address management/routing
-        support</emphasis> (and you can use all types in the same firewall):</para>
+        support</emphasis> (and you can use all types in the same
        firewall):</para>
        <itemizedlist>
          <listitem>
-            <para><ulink url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
+            <para><ulink
            url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
          </listitem>
          <listitem>
-            <para><ulink url="FAQ.htm#faq1">Port Forwarding (DNAT)</ulink>.</para>
+            <para><ulink url="FAQ.htm#faq1">Port Forwarding
            (DNAT)</ulink>.</para>
          </listitem>
          <listitem>
@ -107,6 +113,11 @@
          <listitem>
            <para><ulink url="ProxyARP.htm">Proxy ARP</ulink>.</para>
          </listitem>
          <listitem>
            <para><ulink url="netmap.html">NETMAP</ulink> (requires a 2.6
            kernel or a patched 2.4 kernel).</para>
          </listitem>
        </itemizedlist>
      </listitem>
@ -146,15 +157,16 @@
          </listitem>
          <listitem>
-            <para><ulink url="PPTP.htm">PPTP</ulink> clients and Servers.</para>
+            <para><ulink url="PPTP.htm">PPTP</ulink> clients and
            Servers.</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>Support for <ulink url="traffic_shaping.htm"><emphasis
-        role="bold">Traffic</emphasis> Control/<emphasis role="bold">Shaping</emphasis></ulink>
+        role="bold">Traffic</emphasis> Control/<emphasis
-        integration.</para>
+        role="bold">Shaping</emphasis></ulink> integration.</para>
      </listitem>
      <listitem>
@ -171,7 +183,7 @@
          <listitem>
            <para>Includes automated <ulink url="Install.htm">install,
            upgrade, fallback and uninstall facilities</ulink> for users who
-            can&#39;t use or choose not to use the RPM or Debian packages.</para>
+            can't use or choose not to use the RPM or Debian packages.</para>
          </listitem>
          <listitem>
@ -184,7 +196,8 @@
      <listitem>
        <para><ulink url="MAC_Validation.html">Media Access Control (<emphasis
-        role="bold">MAC</emphasis>) Address <emphasis role="bold">Verification</emphasis></ulink>.</para>
+        role="bold">MAC</emphasis>) Address <emphasis
        role="bold">Verification</emphasis></ulink>.</para>
      </listitem>
      <listitem>
@ -193,8 +206,9 @@
      </listitem>
      <listitem>
-        <para><ulink url="bridge.html"><emphasis role="bold">Bridge</emphasis>/Firewall
+        <para><ulink url="bridge.html"><emphasis
-        support</ulink> (requires a 2.6 kernel or a patched 2.4 kernel).</para>
+        role="bold">Bridge</emphasis>/Firewall support</ulink> (requires a 2.6
        kernel or a patched 2.4 kernel).</para>
      </listitem>
    </itemizedlist>
  </section>
--- a/Shorewall-docs2/shorewall_logging.xml
+++ b/Shorewall-docs2/shorewall_logging.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-12-18</pubdate>
+    <pubdate>2004-04-25</pubdate>
    <copyright>
-      <year>2001 - 2003</year>
+      <year>2001 - 2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -142,7 +142,7 @@
    </section>
    <section>
-      <title>Configuring a Separate Log for Shorewall Messages</title>
+      <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
      <para>There are a couple of limitations to syslogd-based logging:</para>
--- a/Shorewall-docs2/shorewall_quickstart_guide.xml
+++ b/Shorewall-docs2/shorewall_quickstart_guide.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-04-16</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -36,6 +36,12 @@
  <para>With thanks to Richard who reminded me once again that we must all
  first walk before we can run.</para>
  <para>The French Translations of the single-IP guides are courtesy of
  Patrice Vetsel. Updated for Shorewall 2.0 by Fabien Demassieux.</para>
  <para>The French Translation of the Shorewall Setup Guide is courtesy of
  Fabien Demassieux.</para>
  <section id="Guides">
    <title>The Guides</title>
@ -50,11 +56,14 @@
      you want to learn more about Shorewall than is explained in these simple
      guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
      Guide</ulink> is for you.<itemizedlist><listitem><para><ulink
-      url="standalone.htm">Standalone</ulink> Linux System</para></listitem><listitem><para><ulink
+      url="standalone.htm">Standalone</ulink> Linux System (<ulink
      url="standalone_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
      url="two-interface.htm">Two-interface</ulink> Linux System acting as a
-      firewall/router for a small local network</para></listitem><listitem><para><ulink
+      firewall/router for a small local network (<ulink
      url="two-interface_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
      url="three-interface.htm">Three-interface</ulink> Linux System acting as
-      a firewall/router for a small local network and a DMZ.</para></listitem></itemizedlist></para>
+      a firewall/router for a small local network and a DMZ.. (<ulink
      url="three-interface_fr.html">Version Française</ulink>)</para></listitem></itemizedlist></para>
    </section>
    <section>
@ -64,7 +73,8 @@
      (See Index Below) outlines the steps necessary to set up a firewall
      where there are multiple public IP addresses involved or if you want to
      learn more about Shorewall than is explained in the single-address
-      guides above </para>
+      guides above (<ulink url="shorewall_setup_guide_fr.htm">Version
      Française</ulink>)</para>
    </section>
  </section>
 </article>
--- a/Shorewall-docs2/shorewall_setup_guide_fr.xml
+++ b/Shorewall-docs2/shorewall_setup_guide_fr.xml
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-16</pubdate>
+    <pubdate>2004-04-22</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -187,10 +187,11 @@
    first checked against the <filename><filename>/etc/shorewall/rules</filename></filename>
    file. If no rule in that file matches the connection request then the
    first policy in <filename>/etc/shorewall/policy</filename> that matches
-    the request is applied. If that policy is REJECT or DROP the request is
+    the request is applied. If there is a <ulink
-    first checked against the rules in /etc/shorewall/common if that file
+    url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
-    exists; otherwise the rules in <filename>/etc/shorewall/common.def</filename>
+    policy in <filename>/etc/shorewall/actions</filename> or
-    are checked.</para>
+    <filename>/usr/share/shorewall/actions.std</filename> then that action is
    peformed before the action is applied.</para>
    <para>The <filename>/etc/shorewall/policy</filename> file included with
    the one-interface sample has the following policies:</para>
--- a/Shorewall-docs2/standalone_fr.xml
+++ b/Shorewall-docs2/standalone_fr.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-<article id="IPIP">
+<article id="standalone">
  <!--$Id$-->
  <articleinfo>
    <title>Standalone Firewall</title>
@ -11,47 +13,57 @@
        <surname>Eastep</surname>
      </author>
      <author>
        <firstname>Patrice</firstname>
        <surname>Vetsel</surname>
      </author>
      <author>
        <firstname>Fabien</firstname>
        <surname>Demassieux</surname>
      </author>
    </authorgroup>
-    <pubdate>2003-12-30</pubdate>
+    <pubdate>2004-02-16</pubdate>
    <copyright>
-      <year>2001-2003</year>
+      <year>2002-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
-      dcument under the terms of the GNU Free Documentation License, Version
+      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled &#34;<ulink
+      Texts. A copy of the license is included in the section entitled
-      url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <note>
-    <para><emphasis role="underline">Notes du traducteur :</emphasis> Je ne
+    <para><emphasis role="underline">Notes du traducteur :</emphasis> Le guide
-    prétends pas être un vrai traducteur dans le sens ou mon travail n&#39;est
+    initial a été traduit par <ulink
-    pas des plus précis (loin de là...). Je ne me suis pas attaché à une
+    url="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</ulink> que je
-    traduction exacte du texte, mais plutôt à en faire une version française
+    remercie. J'en ai assuré la révision pour l'adapter à la version 2 de
-    intelligible par tous (et par moi). Les termes techniques sont la plupart
+    Shorewall. J'espère vous faciliter l'accès et la prise en main d'un
-    du temps conservés sous leur forme originale et mis entre parenthèses car
+    firewall performant, efficace, adaptable et facile d'utilisation. Donc
-    vous pouvez les retrouver dans le reste des documentations ainsi que dans
+    félicitations pour la qualité du travail et la disponibilité offerte par
-    les fichiers de configuration. N&#39;hésitez pas à me contacter afin
+    Thomas M. Eastep. Si vous trouvez des erreurs ou des améliorations à
-    d&#39;améliorer ce document <ulink url="mailto:vetsel.patrice@wanadoo.fr">VETSEL
+    apporter vous pouvez me contacter <ulink
-    Patrice</ulink> (merci à JMM pour sa relecture et ses commentaires
+    url="mailto:fd03x@wanadoo.fr">Fabien Demassieux</ulink></para>
    pertinents, ainsi qu&#39;à Tom EASTEP pour son formidable outil et sa
    disponibilité).</para>
  </note>
-  <section id="Documentation">
+  <section>
    <title>Introduction</title>
-    <para>Mettre en place un système Linux en tant que firewall (écluse) pour
+    <para>Configurer Shorewall sur un système isolé Linux est très simple si
-    un petit réseau est une chose assez simple, si vous comprenez les bases et
+    vous comprenez les bases et suivez la documentation.</para>
    suivez la documentation.</para>
    <para>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
    Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
@ -72,391 +84,507 @@
      </listitem>
    </itemizedlist>
-    <para>Ce guide suppose que vous avez le paquet iproute/iproute2
+    <section>
-    d&#39;installé. Vous pouvez voir si le paquet est installé en vérifiant la
+      <title>Pré-requis</title>
    présence du programme ip sur votre système de firewall. Sous root,
    utilisez la commande &#39;which&#39; pour rechercher le programme :</para>
-    <programlisting>     [root@gateway root]# which ip
+      <para>Shorewall a besoin que le package
-     /sbin/ip
+      <command>iproute</command>/<command>iproute2</command> soit installé
-     [root@gateway root]#
+      (avec la distribution <trademark>RedHat</trademark>, le package
-</programlisting>
+      s'appelle <command>iproute</command>). Vous pouvez vérifier si le
      package est installé par la présence du programme <command>ip</command>
      sur votre firewall. En tant que <systemitem
      class="username">root</systemitem>, vous pouvez utiliser la commande
      <command>which</command> pour cela:</para>
-    <para>Je vous recommande dans un premier temps de parcourir tout le guide
+      <programlisting>[root@gateway root]# <command>which ip</command>
-    pour vous familiariser avec ce qu&#39;il va se passer, et de revenir au
+/sbin/ip
-    début en effectuant le changements dans votre configuration. Les points,
+[root@gateway root]#</programlisting>
-    où les changements dans la configuration sont recommandées, sont signalés
+    </section>
-    par une <inlinegraphic fileref="images/BD21298_.gif" /></para>
+
    <section>
      <title>Avant de commencer</title>
      <para>Je recommande en premier la lecture complète du guide afin de se
      familiariser avec les tenants et aboutissants puis de revenir sur les
      modifications de votre configuration adapté à votre système.</para>
      <caution>
        <para>Si vous éditez vos fichiers de configuration sur un système
-      Windows, vous devez les sauver comme des fichiers Unix si votre éditeur
+        <trademark>Windows</trademark>, vous devez les sauver comme des
-      supporte cette option sinon vous devez les faire passer par dos2unix
+        fichiers <trademark>Unix</trademark> si votre éditeur supporte cette
-      avant d&#39;essayer de les utiliser. De la même manière, si vous copiez
+        option sinon vous devez les convertir avec <command>dos2unix</command>
-      un fichier de configuration depuis votre disque dur Windows vers une
+        avant d'essayer de les utiliser. De la même manière, si vous copiez un
-      disquette, vous devez lancer dos2unix sur la copie avant de
+        fichier de configuration depuis votre disque dur
-      l&#39;utiliser avec Shorewall.</para>
+        <trademark>Windows</trademark> vers une disquette, vous devez lancer
        <command>dos2unix</command> sur la copie avant de l'utiliser avec
        Shorewall.</para>
        <itemizedlist>
          <listitem>
-          <para><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
+            <para><ulink
-          Version of dos2unix</ulink></para>
+            url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
            Version of <command>dos2unix</command></ulink></para>
          </listitem>
          <listitem>
-          <para><ulink url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
+            <para><ulink
-          Version of dos2unix</ulink></para>
+            url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
            Version of <command>dos2unix</command></ulink></para>
          </listitem>
        </itemizedlist>
      </caution>
    </section>
    <section>
      <title>Conventions</title>
      <para>Les points ou les modifications s'imposent sont indiqués par
      <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
    </section>
  </section>
  <section>
    <title>PPTP/ADSL</title>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>Si vous êtes équipé d'un modem <acronym>ADSL</acronym> et utilisez
    <acronym>PPTP</acronym> pour communiquer avec un serveur à travers ce
    modem, vous devez faire le changement <ulink
    url="PPTP.htm#PPTP_ADSL">suivant</ulink> en plus de ceux ci-dessous.
    <acronym>ADSL</acronym> avec <acronym>PPTP</acronym> est commun en Europe,
    ainsi qu'en Australie.</para>
  </section>
  <section>
    <title>Les Concepts de Shorewall</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" /> Les fichiers de
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    configuration pour Shorewall sont situés dans le répertoire /etc/shorewall
    -- pour de simples paramétrages, vous n&#39;avez à faire qu&#39;avec
    quelques un d&#39;entre eux comme décris dans ce guide. Après avoir <ulink
    url="Install.htm">installé Shorewall</ulink>, <emphasis role="bold">téléchargez
    <ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">le
    one-interface sample</ulink>, un-tarez le (tar -zxvf one-interface.tgz) et
    copiez les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de
    même nom déjà existant dans /etc/shorewall installés lors de
    l&#39;installation de Shorewall)</emphasis>.</para>
-    <para>Parallèlement à la description, je vous suggère de jeter un oeil à
+    <para>Les fichiers de configuration pour Shorewall sont situés dans le
-    ceux physiquement présents sur votre système -- chacun des fichiers
+    répertoire /etc/shorewall -- pour de simples paramétrages, vous n'avez à
    faire qu'avec quelques un d'entre eux comme décris dans ce guide.<tip>
        <para>Après avoir <ulink url="Install.htm">installé Shorewall</ulink>,
        téléchargez <ulink
        url="http://www1.shorewall.net/pub/shorewall/Samples/">l'exemple
        one-interface</ulink>, décompressez le (<command>tar
        <option>-zxvf</option>
        <filename>one-interface.tgz</filename></command>) et copiez les
        fichiers dans <filename class="directory">/etc/shorewall</filename>
        <emphasis role="bold">(ces fichiers remplaceront les
        initiaux)</emphasis>.</para>
      </tip>Parallèlement à la présentation, je vous suggère de jeter un oeil
    à ceux physiquement présents sur votre système -- chacun des fichiers
    contient des instructions de configuration détaillées et des entrées par
    défaut.</para>
-    <para>Shorewall voit le réseau où il tourne comme composé par un ensemble
+    <para>Shorewall voit le réseau où il fonctionne, comme un ensemble de
-    de zones. Dans les fichiers de configuration fournis pour une unique
+    zones.Dans les fichiers de configuration fournis pour une unique
    interface, une seule zone est définie :</para>
-    <table>
+    <informaltable>
      <title>Zones</title>
      <tgroup cols="2">
-        <tbody>
+        <thead>
          <row>
-            <entry align="left"><emphasis role="bold">Zone</emphasis></entry>
+            <entry align="center">Name</entry>
-            <entry align="left" role="underline"><emphasis role="bold">Description</emphasis></entry>
+            <entry align="center">Description</entry>
          </row>
        </thead>
        <tbody>
          <row>
            <entry>net</entry>
-            <entry>Internet</entry>
+            <entry>The Internet</entry>
          </row>
        </tbody>
      </tgroup>
-    </table>
+    </informaltable>
-    <para>Les zones de Shorewall sont définies dans /etc/shorewall/zones.</para>
+    <para>Les zones de Shorewall sont définies dans <ulink
    url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
    <para>Shorewall reconnaît aussi le système de firewall comme sa propre
-    zone - par défaut, le firewall lui-même est connu en tant que fw.</para>
+    zone - par défaut, le firewall est connu comme <emphasis
    role="bold"><varname>fw</varname></emphasis>.</para>
    <para>Les règles concernant le trafic à autoriser ou à interdire sont
    exprimées en utilisant les termes de zones.</para>
-    <table>
+    <itemizedlist>
-      <title>/etc/shorewall/policy</title>
+      <listitem>
        <para>Vous exprimez votre politique par défaut pour les connexions
        d'une zone vers une autre zone dans le fichier <ulink
        url="Documentation.htm#Policy"><filename
        class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>.</para>
      </listitem>
-      <tgroup cols="5">
+      <listitem>
-        <tbody>
+        <para>Vous définissez les exceptions à ces politiques pas défaut dans
-          <row>
+        le fichier <ulink url="Documentation.htm#Rules"><filename
-            <entry><emphasis role="bold">SOURCE ZONE</emphasis></entry>
+        class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>.</para>
      </listitem>
    </itemizedlist>
-            <entry><emphasis role="bold">DESTINATION ZONE</emphasis></entry>
+    <para>Pour chaque connexion demandant à entrer dans le firewall, la
    requête est en premier lieu comparée par rapport au fichier <filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>. Si
    aucune règle dans ce fichier ne correspond à la demande de connexion alors
    la première politique dans le fichier <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    qui y correspond sera appliquée. Si cette politique est
    <varname>REJECT</varname> ou <varname>DROP</varname> la requête est dans
    un premier temps comparée par rapport aux règles contenues dans le fichier
    <filename
    class="directory">/etc/shorewall/</filename><filename>common</filename>,
    si ce fichier existe; sinon les régles dans le fichier <filename
    class="directory">/etc/shorewall/</filename><filename>common.def</filename>
    sont vérifiées.</para>
-            <entry><emphasis role="bold">POLICY</emphasis></entry>
+    <para>Le fichier /etc/shorewall/policy inclus dans l'archive d'exemple
    (one-interface) contient les politiques suivantes:</para>
-            <entry><emphasis role="bold">LOG LEVEL</emphasis></entry>
+    <programlisting>#SOURCE ZONE   DESTINATION ZONE   POLICY   LOG LEVEL   LIMIT:BURST
-
+fw             net                ACCEPT
-            <entry><emphasis role="bold">LIMIT:BURST</emphasis></entry>
+net            all                DROP     info
-          </row>
+all            all                REJECT   info</programlisting>
          <row>
            <entry>fw</entry>
            <entry>net</entry>
            <entry>ACCEPT</entry>
            <entry></entry>
            <entry></entry>
          </row>
          <row>
            <entry>net</entry>
            <entry>all</entry>
            <entry>DROP</entry>
            <entry>info</entry>
            <entry></entry>
          </row>
          <row>
            <entry>all</entry>
            <entry>all</entry>
            <entry>REJECT</entry>
            <entry>info</entry>
            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </table>
    <para>Ces politiques vont :</para>
    <orderedlist>
      <listitem>
-        <para>permettre toutes demandes de connexion depuis le firewall vers
+        <para>Permettre toutes demandes de connexion depuis le firewall vers
-        l&#39;Internet</para>
+        l'Internet</para>
      </listitem>
      <listitem>
-        <para>drop (ignorer) toutes les demandes de connexion depuis
+        <para>Drop (ignorer) toutes les demandes de connexion depuis
-        l&#39;Internet vers votre firewall</para>
+        l'Internet vers votre firewall</para>
      </listitem>
      <listitem>
-        <para>rejeter toutes les autres requêtes de connexion (Shorewall à
+        <para>Reject (rejeter) toutes les autres requêtes de connexion
-        besoin de cette politique).</para>
+        (Shorewall à besoin de cette politique).</para>
      </listitem>
    </orderedlist>
    <para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
-    votre /etc/shorewall/policy et faites y les changements que vous désirez.</para>
+    votre /etc/shorewall/policy et faites y les changements que vous
    désirez.</para>
  </section>
  <section>
    <title>Interface Externe</title>
    <para>Le firewall possède une seule interface réseau. Lorsque la connexion
-    Internet passe par un modem câble ou par un routeur ADSL (pas un simple
+    Internet passe par un modem câble ou par un
-    modem), l&#39;External Interface (interface externe) sera l&#39;adaptateur
+    <quote>Routeur</quote><acronym> ADSL</acronym>(pas un simple modem),
-    ethernet (<emphasis role="bold">eth0</emphasis>) qui y est connecté à
+    l'<emphasis>Interface Externe</emphasis> sera l'adaptateur ethernet qui y
-    moins que vous vous connectiez par Point-to-Point Protocol over Ethernet
+    est connecté à ce <quote>Modem</quote> (e.g., <filename
-    (PPPoE) ou Point-to-Point TunnelingProtocol(PPTP) dans ce cas
+    class="devicefile">eth0</filename>) à moins d'une connexion par
-    l&#39;interface externe sera <emphasis role="bold">ppp0</emphasis>. Si
+    <emphasis>Point-to-Point Protocol</emphasis> over Ethernet
-    vous vous connectez par un simple modem (RTC), votre interface externe
+    (<acronym>PPPoE</acronym>) ou <emphasis>Point-to-Point Tunneling
-    sera aussi <emphasis role="bold">ppp0</emphasis>. Si vous vous connectez
+    Protocol</emphasis> (<acronym>PPTP</acronym>) dans ce cas l'interface
-    en utilisant l&#39;ISDN (numéris), votre interface externe sera <emphasis
+    externe sera (e.g., <filename class="devicefile">ppp0</filename>). Si vous
-    role="bold">ippp0</emphasis>.</para>
+    utilisez par un simple modem (<acronym>RTC</acronym>), votre interface
    externe sera aussi <filename class="devicefile">ppp0</filename>. Si vous
    utilisez l'<acronym>ISDN</acronym>, votre interface externe sera <filename
    class="devicefile">ippp0</filename>.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" /> L&#39;exemple de
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    configuration de Shorewall pour une interface suppose que votre interface
    externe est <emphasis role="bold">eth0</emphasis>. Si votre configuration
    est différente, vous devrez modifier le fichier d&#39;exemple
    /etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous
    pourriez parcourir la liste d&#39;options qui sont spécifiées pour
    l&#39;interface. Quelques astuces :</para>
-    <itemizedlist>
+    <para>Si votre interface vers l'extérieur est <emphasis
-      <listitem>
+    role="bold">ppp0</emphasis> ou <emphasis role="bold">ippp0</emphasis>
-        <para>Si votre interface externe est <emphasis role="bold">ppp0</emphasis>
+    alors vous mettrez <varname>CLAMPMSS=yes</varname> dans le fichier
-        ou <emphasis role="bold">ippp0</emphasis>, vous pouvez remplacer le
+    <filename
-        &#34;detect&#34; dans la seconde colonne par un &#34;-&#34;.</para>
+    class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
      </listitem>
-      <listitem>
+    <para>Le fichier de configuration d'exemple pour une interface suppose que
-        <para>Si votre interface externe est <emphasis role="bold">ppp0</emphasis>
+    votre interface externe est eth0. Si votre configuration est différente,
-        ou <emphasis role="bold">ippp0</emphasis> ou bien si vous avez une
+    vous devrez modifier le fichier<filename
-        adresse IP statique, vous pouvez enlever le &#34;dhcp&#34; de la liste
+    class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
-        d&#39;option.</para>
+    en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
-      </listitem>
+    options qui sont spécifiées pour les interfaces. Quelques trucs:</para>
-    </itemizedlist>
+
    <tip>
      <para>Si votre interface vers l'extérieur est <filename
      class="devicefile">ppp0</filename> ou <filename
      class="devicefile">ippp0</filename>, vous pouvez remplacer le detect
      dans la seconde colonne par un <quote>-</quote> (sans les
      quotes).</para>
    </tip>
    <tip>
      <para>Si votre interface vers l'extérieur est <filename
      class="devicefile">ppp0</filename> or <filename
      class="devicefile">ippp0</filename> u si vous avez une adresse
      <acronym>IP</acronym> statique, vous pouvez enlever
      <varname>dhcp</varname> dans la liste des options .</para>
    </tip>
    <tip>
      <para>Si vous spécifiez <emphasis>norfc1918</emphasis> pour votre
      interface externe, vous pouvez vérifier périodiquement le <ulink
      url="errata.htm">Shorewall Errata</ulink> pour mettre à jour le fichier
      <filename>/usr/share/shorewall/rfc1918</filename>. Sinon, vous pouvez
      copier le fichier <filename>/usr/share/shorewall/rfc1918</filename> vers
      <filename>/etc/shorewall/rfc1918</filename> et <ulink
      url="myfiles.htm#RFC1918">adapter votre fichier
      <filename>/etc/shorewall/rfc1918</filename> comme je le
      fais</ulink>.</para>
    </tip>
  </section>
  <section>
    <title>Adresse IP</title>
-    <para>La RFC 1918 définie plusieurs plage d&#39;adresses IP privée
+    <para>Avant d'aller plus loin, nous devons dire quelques mots au sujet des
-    (PrivateIP) pour l&#39;utilisation dans des réseaux privés :</para>
+    adresses Internet Protocol (<acronym>IP</acronym>). Normalement, votre
-
+    fournisseur Internet <acronym>ISP</acronym> vous assignera une seule
-    <programlisting>     10.0.0.0    - 10.255.255.255
+    adresse IP. Cette adresse peut être assignée par le Dynamic Host
-     172.16.0.0  - 172.31.255.255
+    Configuration Protocol (<acronym>DHCP</acronym>) ou lors de
-     192.168.0.0 - 192.168.255.255</programlisting>
+    l'établissement de votre connexion (modem standard) ou établissez votre
-
+    connexion <acronym>PPP</acronym>. Dans de rares cas , votre provider peut
-    <para>Ces adresses sont parfois désignées comme étant non-routables car
+    vous assigner une adresse statique <acronym>IP</acronym> ; cela signifie
-    les routeurs sur les backbones Internet ne font pas passer les paquets
+    que vous devez configurer l'interface externe de votre firewall afin
-    dont les adresses de destinations sont définies dans la RFC 1918. Dans
+    d'utiliser cette adresse de manière permanente. La <emphasis
-    certains cas, les fournisseurs (provider ou ISP) utilisent ces adresses et
+    role="bold">RFC 1918</emphasis> réserve plusieurs plages d'adresses
-    utilisent le Network Address Translation afin de récrire les entêtes des
+    privées <emphasis>Private</emphasis> <acronym>IP</acronym> à cet
-    paquets lorsqu&#39;ils les font circuler depuis ou vers l&#39;Internet.</para>
+    fin:</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" /> Avant de lancer
    Shorewall, vous devriez regarder l&#39;adresse de votre interface externe
    et si elle est comprise dans une des plages précédentes, vous devriez
    enlever l&#39;option &#39;norfc1918&#39; dans le fichier
    /etc/shorewall/interfaces.</para>
  </section>
  <section>
    <title>Permettre d&#39;autres connexions</title>
    <para>Si vous désirez autoriser d&#39;autres connexions depuis
    l&#39;Internet vers votre firewall, le format général est :<table><title>/etc/shorewall/rules</title><tgroup
    cols="7"><tbody><row><entry><emphasis role="bold">ACTION</emphasis></entry><entry><emphasis
    role="bold">SOURCE</emphasis></entry><entry><emphasis role="bold">DESTINATION</emphasis></entry><entry><emphasis
    role="bold">PROTOCOL</emphasis></entry><entry><emphasis role="bold">PORT</emphasis></entry><entry><emphasis
    role="bold">SOURCE PORT</emphasis></entry><entry><emphasis role="bold">ORIGINAL
    DEST</emphasis></entry></row><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry><emphasis>&#60;protocol&#62;</emphasis></entry><entry><emphasis>&#60;port&#62;</emphasis></entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
    <para>Exemple - Vous voulez faire tourner un serveur Web et un serveur
    POP3 sur votre système de firewall :</para>
    <table>
-      <title>/etc/shorewall/rules</title>
+      <title>Exemple sous-réseau</title>
      <tgroup cols="2">
        <colspec align="left" />
      <tgroup cols="7">
        <tbody>
          <row>
-            <entry><emphasis role="bold">ACTION</emphasis></entry>
+            <entry>Range:</entry>
-            <entry><emphasis role="bold">SOURCE</emphasis></entry>
+            <entry><systemitem class="ipaddress">10.10.10.0</systemitem> -
-
+            <systemitem class="ipaddress">10.10.10.255</systemitem></entry>
            <entry><emphasis role="bold">DESTINATION</emphasis></entry>
            <entry><emphasis role="bold">PROTOCOL</emphasis></entry>
            <entry><emphasis role="bold">PORT</emphasis></entry>
            <entry><emphasis role="bold">SOURCE PORT</emphasis></entry>
            <entry><emphasis role="bold">ORIGINAL DEST</emphasis></entry>
          </row>
          <row>
-            <entry>ACCEPT</entry>
+            <entry>Subnet Address:</entry>
-            <entry>net</entry>
+            <entry><systemitem
-
+            class="ipaddress">10.10.10.0</systemitem></entry>
            <entry>fw</entry>
            <entry>tcp</entry>
            <entry>80</entry>
            <entry></entry>
            <entry></entry>
          </row>
          <row>
-            <entry>ACCEPT</entry>
+            <entry>Broadcast Address:</entry>
-            <entry>net</entry>
+            <entry><systemitem
            class="ipaddress">10.10.10.255</systemitem></entry>
          </row>
-            <entry>fw</entry>
+          <row>
            <entry>CIDR Notation:</entry>
-            <entry>tcp</entry>
+            <entry><systemitem
-
+            class="ipaddress">10.10.10.0/24</systemitem></entry>
            <entry>110</entry>
            <entry></entry>
            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </table>
-    <para>Si vous ne savez pas quel port ou protocole une application
+    <para>Ces adresses sont parfois nommées comme
-    particulière utilise, regardez <ulink url="ports.htm">ici</ulink>.
+    <emphasis>non-routable</emphasis> car les routeurs centraux d'Internet ne
-    <emphasis role="bold">Important:</emphasis> Je ne vous recommande pas
+    renvoient pas un paquet dont la destination est réservée par la RFC 1918.
-    d&#39;autoriser le telnet depuis ou vers l&#39;Internet car il utilise du
+    Dans certain cas cependant, les FAI (fournisseurs d'accés Internet)
-    texte en clair (même pour le login et le mot de passe !). Si vous voulez
+    assignent ces adresses et utilisent ensuite NAT <emphasis>Network Address
-    avoir un accès au shell de votre firewall depuis Internet, utilisez SSH :</para>
+    Translation</emphasis> pour réécrire les en-têtes de paquets renvoyés
    vers/depuis Internet.</para>
-    <table>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
      <title>/etc/shorewall/rules</title>
-      <tgroup cols="7">
+    <para>Avant de lancer Shorewall, regarder l'adresse IP de votre interface
-        <tbody>
+    externe, et si elle est dans les plages précédentes, vous devez enlever
-          <row>
+    l'option 'norfc1918' dans la ligne concernant l'interface externe dans le
-            <entry><emphasis role="bold">ACTION</emphasis></entry>
+    fichier <filename
-
+    class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
            <entry><emphasis role="bold">SOURCE</emphasis></entry>
            <entry><emphasis role="bold">DESTINATION</emphasis></entry>
            <entry><emphasis role="bold">PROTOCOL</emphasis></entry>
            <entry><emphasis role="bold">PORT</emphasis></entry>
            <entry><emphasis role="bold">SOURCE PORT</emphasis></entry>
            <entry><emphasis role="bold">ORIGINAL DEST</emphasis></entry>
          </row>
          <row>
            <entry>ACCEPT</entry>
            <entry>net</entry>
            <entry>fw</entry>
            <entry>tcp</entry>
            <entry>22</entry>
            <entry></entry>
            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </table>
    <para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
    /etc/shorewall/rules pour rajouter les autres connexions désirées.</para>
  </section>
  <section>
-    <title>Lancer et Arrêter son Firewall</title>
+    <title>Permettre d'autres connexions</title>
-    <para>La <ulink url="Install.htm">procédure d&#39;installation</ulink>
+    <para>Shorewall version 2.0.0 et postérieure propose une collection
    d'actions qui peuvent être utilisées pour rapidemement autoriser ou
    refuser des services. Pour voir les actions comprises avec votre version
    de Shorewall, regardez dans le fichier
    <filename>/etc/shorewall/actions.std</filename>. Le nom de celles qui
    acceptent des connexions débutent par <quote>Allow</quote>.</para>
    <para>Si vous souhaitez autoriser d'autre connexions depuis internet vers
    votre firewall, le format général utilisant l'action type
    <quote>Allow</quote> est:</para>
    <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
 &lt;<emphasis>action</emphasis>&gt;  net       fw</programlisting>
    <example>
      <title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
      votre firewall:</title>
      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
 AllowWeb  net       fw
 AllowPOP3 net       fw</programlisting>
    </example>
    <para>Au cas ou Shorewall ne propose pas d'actions définies qui vous
    conviennent, vous pouvez les définir vous même ou coder directement les
    régles dans <filename>/etc/shorewall/rules</filename> selon le format
    suivant:</para>
    <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
 ACCEPT    net       fw              <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
    <example>
      <title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
      votre firewall:</title>
      <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
 ACCEPT    net       fw              tcp          80
 ACCEPT    net       fw              tcp          110</programlisting></para>
    </example>
    <para>Si vous ne savez pas quel port(s) et protocole(s) requièrent une
    application particulière, vous pouvez regarder <ulink
    url="ports.htm">ici</ulink>.</para>
    <important>
      <para>Je ne recommande pas d'autoriser <command>telnet</command> vers/de
      l'Internet parce qu'il utilise du texte en clair (même pour le login!).
      Si vous voulez un accés shell à votre firewall, utilisez
      <acronym>SSH</acronym>:</para>
      <programlisting>#ACTION    SOURCE    DEST               PROTO     DEST PORT(S)
 AllowSSH   net       fw</programlisting>
    </important>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>Maintenant, éditez votre fichier de configuration <filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>
    pour ajouter, modifier ou supprimer les autres connexions voulues.</para>
  </section>
  <section>
    <title>Démarrer et Arrêter Votre Firewall</title>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>La <ulink url="Install.htm">procédure d'installation</ulink>
    configure votre système pour lancer Shorewall au boot du système, mais au
    début avec la version 1.3.9 de Shorewall le lancement est désactivé,
-    n&#39;essayer pas de lancer Shorewall avec que la configuration soit
+    n'essayer pas de lancer Shorewall avec que la configuration soit finie.
-    finie. Une fois que vous en aurez fini avec la configuration du firewall,
+    Une fois que vous en aurez fini avec la configuration du firewall, vous
-    vous pouvez permettre le lancement de Shorewall en supprimant le fichier
+    pouvez permettre le lancement de Shorewall en supprimant le fichier
-    /etc/shorewall/startup_disabled.</para>
+    <filename
    class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.</para>
-    <para><emphasis role="bold">IMPORTANT: Les utilisateurs des paquets .deb
+    <important>
-    doivent éditer /etc/default/shorewall et mettre &#39;startup=1&#39;.</emphasis></para>
+      <para>Les utilisateurs des paquets .deb doivent éditer <filename
      class="directory">/etc/default/</filename><filename>shorewall</filename>
      and set <varname>startup=1</varname>.</para>
    </important>
-    <para>Le firewall est activé en utilisant la commande &#34;shorewall
+    <para>Le firewall est activé en utilisant la commande
-    start&#34; et arrêté avec &#34;shorewall stop&#34;. Lorsque le firewall
+    <quote><command>shorewall start</command></quote> et arrêté avec
-    est stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
+    <quote><command>shorewall stop</command></quote>. Lorsque le firewall est
-    dans <ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
+    stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
-    Un firewall qui tourne peut être relancé en utilisant la commande
+    dans <filename
-    &#34;shorewall restart&#34;. Si vous voulez enlever toutes traces de
+    class="directory">/etc/shorewall/</filename><filename><ulink
-    Shorewall sur votre configuration de Netfilter, utilisez &#34;shorewall
+    url="Documentation.htm#Routestopped">routestopped</ulink></filename>. Un
-    clear&#34;.</para>
+    firewall qui tourne peut être relancé en utilisant la commande
    <quote><command>shorewall restart</command></quote> command. Si vous
    voulez enlever toutes traces de Shorewall sur votre configuration de
    Netfilter, utilisez <quote><command>shorewall
    clear</command></quote>.</para>
-    <para><emphasis role="bold">ATTENTION:</emphasis> Si vous êtes connecté à
+    <warning>
-    votre firewall depuis Internet, n&#39;essayez pas une commande
+      <para>Si vous êtes connecté à votre firewall depuis Internet, n'essayez
-    &#34;shorewall stop&#34; tant que vous n&#39;avez pas ajouté une entrée
+      pas une commande <quote><command>shorewall stop</command></quote> tant
-    pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
+      que vous n'avez pas ajouté une entrée pour votre adresse
-    dans<ulink url="Documentation.htm#Routestopped">
+      <acronym>IP</acronym> (celle à partir de laquelle vous êtes connectée)
-    /etc/shorewall/routestopped</ulink>. De la même manière, je ne vous
+      dans <filename
-    recommande pas d&#39;utiliser &#34;shorewall restart&#34;; il est plus
+      class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
-    intéressant de créer <ulink url="configuration_file_basics.htm#Configs">une
+      De la même manière, je ne vous recommande pas d'utiliser
-    configuration alternative</ulink> et de la tester en utilisant la commande
+      <quote><command>shorewall restart</command></quote>; il est plus
-    &#34;<ulink url="starting_and_stopping_shorewall.htm">shorewall try</ulink>&#34;.</para>
+      intéressant de créer <ulink
      url="configuration_file_basics.htm#Configs">une configuration
      alternative</ulink> et de la tester en utilisant la commande
      <quote><command>shorewall try</command></quote>.</para>
    </warning>
  </section>
  <section>
    <title>Autres Lectures Recommandées</title>
    <para>Je vous recommande vivement de lire la <ulink
    url="configuration_file_basics.htm">page des Fonctionnalités Générales des
    Fichiers de Configuration</ulink> -- elle contient des trucs sur les
    possibilités de Shorewall pour rendre aisé l'administration de votre
    firewall Shorewall.</para>
  </section>
  <appendix>
    <title>Historique de Révision</title>
    <para><revhistory>
        <revision>
          <revnumber>1.7</revnumber>
          <date>2004-02-16</date>
          <authorinitials>TE</authorinitials>
          <revremark>Move /etc/shorewall/rfc1918 to
          /usr/share/shorewall.</revremark>
        </revision>
        <revision>
          <revnumber>1.6</revnumber>
          <date>2004-02-05</date>
          <authorinitials>TE</authorinitials>
          <revremark>Update for Shorewall 2.0</revremark>
        </revision>
        <revision>
          <revnumber>1.5</revnumber>
          <date>2004-01-05</date>
          <authorinitials>TE</authorinitials>
          <revremark>Standards Changes</revremark>
        </revision>
        <revision>
          <revnumber>1.4</revnumber>
          <date>2003-12-30</date>
          <authorinitials>TE</authorinitials>
          <revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
        </revision>
        <revision>
          <revnumber>1.3</revnumber>
          <date>2003-11-15</date>
          <authorinitials>TE</authorinitials>
          <revremark>Initial Docbook Conversion</revremark>
        </revision>
      </revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-04</pubdate>
+    <pubdate>2004-05-03</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -41,7 +42,7 @@
    url="Install.htm">installation procedure</ulink> attempts to set up the
    init scripts to start the firewall in run levels 2-5 and stop it in run
    levels 1 and 6. If you want to configure your firewall differently from
-    this default, you can use your distribution&#39;s run-level editor.</para>
+    this default, you can use your distribution's run-level editor.</para>
    <caution>
      <itemizedlist>
@ -49,8 +50,9 @@
          <para>Shorewall startup is disabled by default. Once you have
          configured your firewall, you can enable startup by removing the
          file <filename>/etc/shorewall/startup_disabled</filename>. Note:
-          Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
+          Users of the .deb package must edit
-          and set <quote>startup=1</quote>.</para>
+          <filename>/etc/default/shorewall</filename> and set
          <quote>startup=1</quote>.</para>
        </listitem>
        <listitem>
@ -68,29 +70,40 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall start </command>- starts the firewall. It
+        <para><command>shorewall [ -q ] [ -f ] start </command>- starts the
-        important to understand that when the firewall is in the <emphasis
+        firewall. It important to understand that when the firewall is in the
-        role="bold">Started</emphasis> state there is <emphasis>no Shorewall
+        <emphasis role="bold">Started</emphasis> state there is <emphasis>no
-        Program</emphasis> <emphasis>running</emphasis>. It rather means that
+        Shorewall Program</emphasis> <emphasis>running</emphasis>. It rather
-        Netfilter has been configured to handle traffic as described in your
+        means that Netfilter has been configured to handle traffic as
-        Shorewall configuration files. Please refer to the <link
+        described in your Shorewall configuration files. Please refer to the
-        linkend="State">Shorewall State Diagram</link> as shown at the bottom
+        <link linkend="State">Shorewall State Diagram</link> as shown at the
-        of this page for more information.</para>
+        bottom of this page for more information. The -q option was added in
        Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also
        beginning with Shorewall version 2.0.2 Beta 1, the -f option may be
        specified; if this option is given and the file
        <filename>/var/lib/shorewall/restore</filename> is present (see
        <command>shorewall save</command> below), then that script is run to
        restore the state of the firewall to the state when
        <filename>/var/lib/shorewall/restore</filename> was created. This is
        generally must faster than starting the firewall without the -f
        option.</para>
      </listitem>
      <listitem>
        <para><command>shorewall stop</command> - stops the firewall; the only
        traffic permitted through the firewall is from systems listed in
        <filename>/etc/shorewall/routestopped</filename> (Beginning with
-        version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename>
+        version 1.4.7, if ADMINISABSENTMINDED=Yes in
-        then in addition, all existing connections are permitted and any new
+        <filename>/etc/shorewall/shorewall.conf</filename> then in addition,
-        connections originating from the firewall itself are allowed).</para>
+        all existing connections are permitted and any new connections
        originating from the firewall itself are allowed).</para>
      </listitem>
      <listitem>
-        <para><command>shorewall restart </command>- stops the firewall (if it
+        <para><command>shorewall [ -q ] restart </command>- stops the firewall
-        is in the <emphasis role="bold">Started</emphasis> state) and then
+        (if it is in the <emphasis role="bold">Started</emphasis> state) and
-        starts it again</para>
+        then starts it again. The -q option was added in Shorewall 2.0.2 Beta
        1 and reduces the amout of output produced.</para>
      </listitem>
      <listitem>
@ -100,7 +113,8 @@
      <listitem>
        <para><command>shorewall clear</command> - remove all rules and chains
-        installed by Shoreline Firewall. The firewall is <quote>wide open</quote></para>
+        installed by Shoreline Firewall. The firewall is <quote>wide
        open</quote></para>
      </listitem>
      <listitem>
@ -108,18 +122,38 @@
        involving the broadcast addresses of firewall interfaces, the black
        list, traffic control rules and ECN control rules.</para>
      </listitem>
      <listitem>
        <para><command>shorewall save</command> - Beginning with Shorewall
        2.0.2 Beta1, this command creates a script
        <filename>/var/lib/shorewall/restore</filename> which when run will
        restore the state of the firewall to its current state.</para>
      </listitem>
      <listitem>
        <para><command>shorewall restore</command> - Runs the
        <filename>/var/lib/shorewall/restore </filename>created by the
        <command>shorewall save</command> command.</para>
      </listitem>
      <listitem>
        <para>shorewall forget - Added in Shorewall 2.0.2 Beta 1. Removes the
        <filename>/var/lib/shorewall restore</filename> script created by the
        <command>shorewall save </command>command.</para>
      </listitem>
    </itemizedlist>
    <para>If you include the keyword debug as the first argument, then a shell
    trace of the command is produced as in:</para>
-    <para><programlisting>     <command>shorewall debug start 2&#62; /tmp/trace</command></programlisting>The
+    <para><programlisting>     <command>shorewall debug start 2&gt; /tmp/trace</command></programlisting>The
    above command would trace the <quote>start</quote> command and place the
    trace information in the file /tmp/trace</para>
    <para>Beginning with version 1.4.7, shorewall can give detailed help about
    each of its commands: <programlisting>     <command>shorewall help [ command | host | address ]</command></programlisting>The
-    <quote>shorewall</quote> program may also be used to monitor the firewall.</para>
+    <quote>shorewall</quote> program may also be used to monitor the
    firewall.</para>
    <itemizedlist>
      <listitem>
@ -128,21 +162,24 @@
      </listitem>
      <listitem>
-        <para><command>shorewall show &#60;chain1&#62; [ &#60;chain2&#62; ...
+        <para><command>shorewall show &lt;chain1&gt; [ &lt;chain2&gt; ...
-        ]</command> - produce a verbose report about the listed chains (<command>iptables
+        ]</command> - produce a verbose report about the listed chains
-        -L chain -n -v</command>) Note: You may only list one chain in the
+        (<command>iptables -L chain -n -v</command>) Note: You may only list
-        show command when running Shorewall version 1.4.6 and earlier. Version
+        one chain in the show command when running Shorewall version 1.4.6 and
-        1.4.7 and later allow you to list multiple chains in one command.</para>
+        earlier. Version 1.4.7 and later allow you to list multiple chains in
        one command.</para>
      </listitem>
      <listitem>
        <para><command>shorewall show nat</command> - produce a verbose report
-        about the nat table (<command>iptables -t nat -L -n -v</command>)</para>
+        about the nat table (<command>iptables -t nat -L -n
        -v</command>)</para>
      </listitem>
      <listitem>
        <para><command>shorewall show tos</command> - produce a verbose report
-        about the mangle table (<command>iptables -t mangle -L -n -v</command>)</para>
+        about the mangle table (<command>iptables -t mangle -L -n
        -v</command>)</para>
      </listitem>
      <listitem>
@ -161,17 +198,18 @@
      </listitem>
      <listitem>
-        <para><command>shorewall monitor [ &#60;delay&#62; ]</command> -
+        <para><command>shorewall monitor [ &lt;delay&gt; ]</command> -
        Continuously display the firewall status, last 20 log entries and nat.
        When the log entry display changes, an audible alarm is sounded. The
-        <emphasis>&#60;delay&#62;</emphasis> indicates the number of seconds
+        <emphasis>&lt;delay&gt;</emphasis> indicates the number of seconds
        between updates with the default being 10 seconds.</para>
      </listitem>
      <listitem>
        <para><command>shorewall hits</command> - Produces several reports
        about the Shorewall packet log messages in the current log file named
-        in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
+        in the LOGFILE variable in
        <filename>/etc/shorewall/shorewall.conf</filename>.</para>
      </listitem>
      <listitem>
@ -181,21 +219,27 @@
      <listitem>
        <para><command>shorewall check</command> - Performs a cursory
-        validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
+        validation of the zones, interfaces, hosts, rules and policy
-        <quote><command>check</command></quote> command is totally unsuppored
+        files.<caution>
-        and does not parse and validate the generated iptables commands. Even
+            <para>The <quote><command>check</command></quote> command is
-        though the <quote>check</quote> command completes successfully, the
+            totally unsuppored and does not parse and validate the generated
-        configuration may fail to start. Problem reports that complain about
+            iptables commands. Even though the <quote>check</quote> command
-        errors that the <quote>check</quote> command does not detect will not
+            completes successfully, the configuration may fail to start.
-        be accepted.</para><para>See the recommended way to make configuration
+            Problem reports that complain about errors that the
-        changes described below.</para></caution></para>
+            <quote>check</quote> command does not detect will not be
            accepted.</para>
            <para>See the recommended way to make configuration changes
            described below.</para>
          </caution></para>
      </listitem>
      <listitem>
-        <para><command>shorewall try &#60;<errortype>configuration-directory</errortype>&#62;
+        <para><command>shorewall try
-        [ &#60;timeout&#62; ]</command> - Restart shorewall using the
+        &lt;<errortype>configuration-directory</errortype>&gt; [
-        specified configuration and if an error occurs or if the
+        &lt;timeout&gt; ]</command> - Restart shorewall using the specified
-        <emphasis>&#60;timeout&#62;</emphasis> option is given and the new
+        configuration and if an error occurs or if the
        <emphasis>&lt;timeout&gt;</emphasis> option is given and the new
        configuration has been up for that many seconds then shorewall is
        restarted using the standard configuration.</para>
      </listitem>
@ -212,16 +256,17 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
+        <para><command>shorewall ipcalc [ &lt;address&gt; &lt;mask&gt; |
-        &#60;address&#62;/&#60;vlsm&#62; ] </command>- displays the network
+        &lt;address&gt;/&lt;vlsm&gt; ] </command>- displays the network
        address, broadcast address, network in CIDR notation and netmask
        corresponding to the input[s].</para>
      </listitem>
      <listitem>
-        <para><command>shorewall iprange &#60;address1&#62;-&#60;address2&#62;</command>
+        <para><command>shorewall iprange
-        - Decomposes the specified range of IP addresses into the equivalent
+        &lt;address1&gt;-&lt;address2&gt;</command> - Decomposes the specified
-        list of network/host addresses</para>
+        range of IP addresses into the equivalent list of network/host
        addresses</para>
      </listitem>
    </itemizedlist>
@ -230,19 +275,19 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall drop &#60;ip address list&#62;</command> -
+        <para><command>shorewall drop &lt;ip address list&gt;</command> -
        causes packets from the listed IP addresses to be silently dropped by
        the firewall.</para>
      </listitem>
      <listitem>
-        <para><command>shorewall reject &#60;ip address list&#62;</command> -
+        <para><command>shorewall reject &lt;ip address list&gt;</command> -
        causes packets from the listed IP addresses to be rejected by the
        firewall.</para>
      </listitem>
      <listitem>
-        <para><command>shorewall allow &#60;ip address list&#62;</command> -
+        <para><command>shorewall allow &lt;ip address list&gt;</command> -
        re-enables receipt of packets from hosts previously blacklisted by a
        drop or reject command.</para>
      </listitem>
@ -250,7 +295,10 @@
      <listitem>
        <para><command>shorewall save</command> - save the dynamic
        blacklisting configuration so that it will be automatically restored
-        the next time that the firewall is restarted.</para>
+        the next time that the firewall is restarted. Beginning with Shorewall
        version 2.0.2 Beta1, this command also creats the
        <filename>/var/lib/shorewall/restore</filename> script as described
        above.</para>
      </listitem>
      <listitem>
@ -264,15 +312,15 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
+        <para><command>shorewall add &lt;interface&gt;[:&lt;host&gt;]
-        &#60;zone&#62;</command> - Adds the specified interface (and host if
+        &lt;zone&gt;</command> - Adds the specified interface (and host if
        included) to the specified zone.</para>
      </listitem>
      <listitem>
-        <para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
+        <para><command>shorewall delete &lt;interface&gt;[:&lt;host&gt;]
-        &#60;zone&#62;</command> - Deletes the specified interface (and host
+        &lt;zone&gt;</command> - Deletes the specified interface (and host if
-        if included) from the specified zone.</para>
+        included) from the specified zone.</para>
        <para>Examples:<programlisting>     <command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
     <command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
@ -280,24 +328,51 @@
    </itemizedlist>
  </section>
  <section>
    <title>Error Handling</title>
    <para>When <command>shorewall start</command>, <command>shorewall
    restart</command> or <command>shorewall refresh</command> encounter an
    error, the behavior depends on which version of Shorewall you are running
    and whether there is a <filename>/var/lib/shorewall/restore</filename>
    script available (see <command>shorewall save</command> above).</para>
    <itemizedlist>
      <listitem>
        <para>If you are running a version of Shorewall earlier than 2.0.2
        Beta 1 then the effect is as if a <command>shorewall stop</command>
        command had been run.</para>
      </listitem>
      <listitem>
        <para>If you have executed a <command>shorewall save</command> command
        without a subsequent <command>shorewall forget</command>, then the
        firewall is restored to the state when <command>shorewall
        save</command> was executed.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>Alternate Configurations</title>
-    <para>The <command>shorewall start</command>, <command>shorewall restart</command>,
+    <para>The <command>shorewall start</command>, <command>shorewall
-    <command>shorewall check</command>, and <command>shorewall try </command>commands
+    restart</command>, <command>shorewall check</command>, and
-    allow you to specify which Shorewall configuration to use:</para>
+    <command>shorewall try </command>commands allow you to specify which
    Shorewall configuration to use:</para>
-    <programlisting>     <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
+    <programlisting>     <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
-     <command>shorewall try &#60;configuration-directory&#62;</command></programlisting>
+     <command>shorewall try &lt;configuration-directory&gt;</command></programlisting>
-    <para>If a <emphasis>&#60;configuration-directory</emphasis>&#62; is
+    <para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
    specified, each time that Shorewall is going to use a file in <filename
-    class="directory">/etc/shorewall</filename> it will first look in the<emphasis>
+    class="directory">/etc/shorewall</filename> it will first look in
-    &#60;configuration-directory&#62;</emphasis> . If the file is present in
+    the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the file is
-    the <emphasis>&#60;configuration-directory&#62;,</emphasis> that file will
+    present in the <emphasis>&lt;configuration-directory&gt;,</emphasis> that
-    be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
+    file will be used; otherwise, the file in <filename
-    will be used. When changing the configuration of a production firewall, I
+    class="directory">/etc/shorewall</filename> will be used. When changing
-    recommend the following:</para>
+    the configuration of a production firewall, I recommend the
    following:</para>
    <itemizedlist>
      <listitem>
@ -309,8 +384,8 @@
      </listitem>
      <listitem>
-        <para>&#60;copy any files that you need to change from /etc/shorewall
+        <para>&lt;copy any files that you need to change from /etc/shorewall
-        to . and change them here&#62;</para>
+        to . and change them here&gt;</para>
      </listitem>
      <listitem>
@ -318,7 +393,7 @@
      </listitem>
      <listitem>
-        <para>&#60;correct any errors found by check and check again&#62;</para>
+        <para>&lt;correct any errors found by check and check again&gt;</para>
      </listitem>
      <listitem>
@ -326,10 +401,10 @@
      </listitem>
    </itemizedlist>
-    <para>If the configuration starts but doesn&#39;t work, just
+    <para>If the configuration starts but doesn't work, just <quote>shorewall
-    <quote>shorewall restart</quote> to restore the old configuration. If the
+    restart</quote> to restore the old configuration. If the new configuration
-    new configuration fails to start, the <quote>try</quote> command will
+    fails to start, the <quote>try</quote> command will automatically start
-    automatically start the old one for you.</para>
+    the old one for you.</para>
    <para>When the new configuration works then just:</para>
@ -357,7 +432,8 @@
    <para>You will note that the commands that result in state transitions use
    the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
-    That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
+    That is because the actual transitions are done by
    <command>/usr/share/shorewall/firewall</command>;
    <command>/sbin/shorewall</command> runs <quote>firewall</quote> according
    to the following table:</para>
@ -402,7 +478,8 @@
            <entry>firewall restart</entry>
-            <entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
+            <entry>Logically equivalent to <quote>firewall stop;firewall
            start</quote></entry>
          </row>
          <row>
@ -450,7 +527,7 @@
          <row>
            <entry>shorewall try</entry>
-            <entry>firewall -c &#60;new configuration&#62; restart If
+            <entry>firewall -c &lt;new configuration&gt; restart If
            unsuccessful then firewall start (standard configuration) If
            timeout then firewall restart (standard configuration)</entry>
@ -464,9 +541,36 @@
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.3-1.8</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Docbook
+    <para><revhistory>
-    standards</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
+        <revision>
-    clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
+          <revnumber>1.3-1.8</revnumber>
-    Docbook conversion</revremark></revision></revhistory></para>
+
          <date>2004-01-04</date>
          <authorinitials>TE</authorinitials>
          <revremark>Docbook standards</revremark>
        </revision>
        <revision>
          <revnumber>1.2</revnumber>
          <date>2003-12-31</date>
          <authorinitials>TE</authorinitials>
          <revremark>Added clarification about "Started State"</revremark>
        </revision>
        <revision>
          <revnumber>1.1</revnumber>
          <date>2003-12-29</date>
          <authorinitials>TE</authorinitials>
          <revremark>Initial Docbook conversion</revremark>
        </revision>
      </revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs2/template.xml
+++ b/Shorewall-docs2/template.xml
@ -18,10 +18,6 @@
    <pubdate>YYYY-MM-DD</pubdate>
    <copyright>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <holder>Thomas M. Eastep</holder>
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-03</pubdate>
+    <pubdate>2004-04-22</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -228,10 +228,11 @@
    first checked against the <filename>/etc/shorewall/rules</filename> file.
    If no rule in that file matches the connection request then the first
    policy in <filename>/etc/shorewall/policy</filename> that matches the
-    request is applied. If that policy is REJECT or DROP the request is first
+    request is applied. If there is a <ulink
-    checked against the rules in <filename>/etc/shorewall/common</filename> if
+    url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
-    that file exists; otherwise the file <filename>/etc/shorewall/common.def</filename>
+    policy in <filename>/etc/shorewall/actions</filename> or
-    is checked</para>
+    <filename>/usr/share/shorewall/actions.std</filename> then that action is
    peformed before the action is applied.</para>
    <para>The <filename>/etc/shorewall/policy</filename> file included with
    the three-interface sample has the following policies:</para>
--- a/Shorewall-docs2/three-interface_fr.xml
+++ b/Shorewall-docs2/three-interface_fr.xml
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@ -12,7 +12,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2003-04-03</pubdate>
+    <pubdate>2003-04-22</pubdate>
    <copyright>
      <year>2002</year>
@ -184,11 +184,11 @@
    class="directory">/etc/shorewall/</filename><filename>rules</filename>
    file. If no rule in that file matches the connection request then the
    first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
-    that matches the request is applied. If that policy is <varname>REJECT</varname>
+    that matches the request is applied. If there is a <ulink
-    or <varname>DROP</varname> the request is first checked against the rules
+    url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
-    in <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
+    policy in <filename>/etc/shorewall/actions</filename> or
-    if that file exists; otherwise the rules in <filename class="directory">/etc/shorewall/</filename><filename>common.def</filename>
+    <filename>/usr/share/shorewall/actions.std</filename> then that action is
-    are checked.</para>
+    peformed before the action is applied.</para>
    <para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
    file included with the two-interface sample has the following policies:
--- a/Shorewall-docs2/two-interface_fr.xml
+++ b/Shorewall-docs2/two-interface_fr.xml
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@ -30,7 +30,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink type="" url="copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink type="" url="copyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -41,10 +42,10 @@
    the version number mentioned in the section title is later than what you
    are currently running.</para>
-    <para>In the descriptions that follows, the term <emphasis>group</emphasis>
+    <para>In the descriptions that follows, the term
-    refers to a particular network or subnetwork (which may be
+    <emphasis>group</emphasis> refers to a particular network or subnetwork
-    <literal>0.0.0.0/0</literal> or it may be a host address) accessed through
+    (which may be <literal>0.0.0.0/0</literal> or it may be a host address)
-    a particular interface.</para>
+    accessed through a particular interface.</para>
    <para>Examples:</para>
@ -61,38 +62,95 @@
  </section>
  <section>
-    <title>Version &#62;= 2.0.1</title>
+    <title>Version &gt;= 2.0.2 Beta 1</title>
    <itemizedlist>
      <listitem>
-        <para>The function of &#39;norfc1918&#39; is now split between that
+        <para>Extension Scripts - In order for extension scripts to work
-        option and a new &#39;nobogons&#39; option. The rfc1918 file released
+        properly with the new iptables-save/restore integration introduced in
-        with Shorewall now contains entries for only those three address
+        Shorewall 2.0.2 Beta 1, some change may be required to your extension
-        ranges reserved by RFC 1918. A &#39;nobogons&#39; interface option has
+        scripts.</para>
-        been added which handles bogon source addresses (those which are
+
-        reserved by the IANA, those reserved for DHCP auto-configuration and
+        <para>If your extension scripts are executing commands other than
-        the class C test-net reserved for testing and documentation examples).
+        iptables then those commands must also be written to the restore file
-        This will allow users to perform RFC 1918 filtering without having to
+        (a temporary file in <filename
-        deal with out of date data from IANA. Those who are willing to update
+        class="directory">/var/lib/shorewall</filename> that is renamed
-        their <filename>/usr/share/shorewall/bogons</filename> file regularly
+        <filename>/var/lib/shorewall/restore-base</filename> at the
-        can specify the &#39;nobogons&#39; option in addition to
+        completeion of the <filename>/sbin/shorewall</filename> command). The
-        &#39;norfc1918&#39;. The level at which bogon packets are logged is
+        following functions should be of help:</para>
-        specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. If
+
-        that option is not specified or is specified as empty (e.g,
+        <orderedlist>
-        BOGON_LOG_LEVEL=&#34;&#34;) then bogon packets whose TARGET is
+          <listitem>
-        &#39;logdrop&#39; in <filename>/usr/share/shorewall/bogons</filename>
+            <para>save_command() -- saves the passed command to the restore
-        are logged at the &#39;info&#39; level.</para>
+            file.</para>
            <para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
            <para>That command would simply write "echo Operation Complete" to
            the restore file.</para>
          </listitem>
          <listitem>
            <para> run_and_save_command() -- saves the passed command to the
            restore file then executes it. The return value is the exit status
            of the command. Example: <programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
            <para>Note that as in this example, when the command involves file
            redirection then the entire command must be enclosed in quotes.
            This applies to all of the functions described here.</para>
          </listitem>
          <listitem>
            <para>ensure_and_save_command() -- runs the passed command. If the
            command fails, the firewall is restored to it's prior saved state
            and the operation is terminated. If the command succeeds, the
            command is written to the restore file</para>
          </listitem>
        </orderedlist>
      </listitem>
      <listitem>
        <para>Dynamic Zone support. - If you don't need to use the
        <command>shorewall add</command> and <command>shorewall
        delete</command> commands, you should set DYNAMIC_ZONES=No in
        <filename>/etc/shorewall/shorewall.conf</filename>.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>VERSION &#62;= 2.0.0-Beta1</title>
+    <title>Version &gt;= 2.0.1</title>
    <itemizedlist>
      <listitem>
-        <para>The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
+        <para>The function of 'norfc1918' is now split between that option and
-        options are no longer supported. If either option is specified in
+        a new 'nobogons' option. The rfc1918 file released with Shorewall now
        contains entries for only those three address ranges reserved by RFC
        1918. A 'nobogons' interface option has been added which handles bogon
        source addresses (those which are reserved by the IANA, those reserved
        for DHCP auto-configuration and the class C test-net reserved for
        testing and documentation examples). This will allow users to perform
        RFC 1918 filtering without having to deal with out of date data from
        IANA. Those who are willing to update their
        <filename>/usr/share/shorewall/bogons</filename> file regularly can
        specify the 'nobogons' option in addition to 'norfc1918'. The level at
        which bogon packets are logged is specified in the new BOGON_LOG_LEVEL
        variable in shorewall.conf. If that option is not specified or is
        specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose
        TARGET is 'logdrop' in
        <filename>/usr/share/shorewall/bogons</filename> are logged at the
        'info' level.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>VERSION &gt;= 2.0.0-Beta1</title>
    <itemizedlist>
      <listitem>
        <para>The 'dropunclean' and 'logunclean' interface options are no
        longer supported. If either option is specified in
        <filename>/etc/shorewall/interfaces</filename>, a threatening message
        will be generated.</para>
      </listitem>
@ -101,18 +159,19 @@
        <para>The NAT_BEFORE_RULES option has been removed from
        <filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is
        as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
-        rules now always take precidence over one-to-one NAT specifications.</para>
+        rules now always take precidence over one-to-one NAT
        specifications.</para>
      </listitem>
      <listitem>
        <para>The default value for the ALL INTERFACES column in
        <filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*,
-        if the column was left empty, a value of &#34;Yes&#34; was assumed.
+        if the column was left empty, a value of "Yes" was assumed. This has
-        This has been changed so that a value of &#34;No&#34; is now assumed.</para>
+        been changed so that a value of "No" is now assumed.</para>
      </listitem>
      <listitem>
-        <para>The following files don&#39;t exist in Shorewall 2.0:</para>
+        <para>The following files don't exist in Shorewall 2.0:</para>
        <simplelist>
          <member><filename>/etc/shorewall/common.def</filename></member>
@ -122,13 +181,14 @@
          <member><filename>/etc/shorewall/icmpdef</filename></member>
          <member><filename>/etc/shorewall/action.template</filename> (moved
-          to <filename>/usr/share/shorewall/action.template</filename>)</member>
+          to
          <filename>/usr/share/shorewall/action.template</filename>)</member>
        </simplelist>
        <para>The <filename>/etc/shorewall/action</filename> file now allows
-        an action to be designated as the &#34;common&#34; action for a
+        an action to be designated as the "common" action for a particular
-        particular policy type by following the action name with &#34;:&#34;
+        policy type by following the action name with ":" and the policy
-        and the policy (DROP, REJECT or ACCEPT).</para>
+        (DROP, REJECT or ACCEPT).</para>
        <para>The file /usr/share/shorewall/actions.std has been added to
        define those actions that are released as part of Shorewall 2.0 In
@ -144,28 +204,29 @@
        policies while the <quote>Reject</quote> action is the default action
        for REJECT policies. These actions will be performed on packets prior
        to applying the DROP or REJECT policy respectively. In the first
-        release, the difference between &#34;Reject&#34; and &#34;Drop&#34; is
+        release, the difference between "Reject" and "Drop" is that "Reject"
-        that &#34;Reject&#34; REJECTs SMB traffic while &#34;Drop&#34;
+        REJECTs SMB traffic while "Drop" silently drops such traffic.</para>
        silently drops such traffic.</para>
        <para>As described above, Shorewall allows a common action for ACCEPT
        policies but does not specify such an action in the default
        configuration.</para>
        <para>For more information see the <ulink
-        url="User_defined_Actions.html">User-defined Action Page</ulink>.</para>
+        url="User_defined_Actions.html">User-defined Action
        Page</ulink>.</para>
      </listitem>
      <listitem>
        <para>The <filename>/etc/shorewall</filename> directory no longer
-        contains <filename>users</filename> file or a <filename>usersets</filename>
+        contains <filename>users</filename> file or a
-        file. Similar functionality is now available using user-defined
+        <filename>usersets</filename> file. Similar functionality is now
-        actions.</para>
+        available using user-defined actions.</para>
-        <para>Now, action files created by copying <filename>/usr/share/shorewall/action.template</filename>
+        <para>Now, action files created by copying
-        may now specify a USER and or GROUP name/id in the final column just
+        <filename>/usr/share/shorewall/action.template</filename> may now
-        like in the rules file (see below). It is thus possible to create
+        specify a USER and or GROUP name/id in the final column just like in
-        actions that control traffic from a list of users and/or groups.</para>
+        the rules file (see below). It is thus possible to create actions that
        control traffic from a list of users and/or groups.</para>
      </listitem>
      <listitem>
@ -173,57 +234,69 @@
        now labeled USER/GROUP and may contain:</para>
        <simplelist>
-          <member>[!]&#60;<emphasis>user number</emphasis>&#62;[:]</member>
+          <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
-          <member>[!]&#60;<emphasis>user name</emphasis>&#62;[:]</member>
+          <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
-          <member>[!]:&#60;<emphasis>group number</emphasis>&#62;</member>
+          <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
-          <member>[!]:&#60;<emphasis>group name</emphasis>&#62;</member>
+          <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user number</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          number</emphasis>&#62;</member>
+          number</emphasis>&gt;:&lt;<emphasis>group
          number</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          number</emphasis>&#62;</member>
+          name</emphasis>&gt;:&lt;<emphasis>group
          number</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user inumber</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          name</emphasis>&#62;</member>
+          inumber</emphasis>&gt;:&lt;<emphasis>group
          name</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          name</emphasis>&#62;</member>
+          name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
        </simplelist>
      </listitem>
      <listitem>
        <para>If your kernel has IPV6 support (recent
        <trademark>SuSe</trademark> for example), and you don't use IPV6 then
        you will probably want to set DISABLE_IPV6=Yes in <ulink
        url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
        You must have ipv6tables installed.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>Version &#62;= 1.4.8</title>
+    <title>Version &gt;= 1.4.8</title>
    <itemizedlist mark="bullet">
      <listitem>
        <para>The meaning of <varname>ROUTE_FILTER=Yes</varname> has changed.
        Previously this setting was documented as causing route filtering to
-        occur on all network interfaces; this didn&#39;t work. Beginning with
+        occur on all network interfaces; this didn't work. Beginning with this
-        this release, <varname>ROUTE_FILTER=Yes</varname> causes route
+        release, <varname>ROUTE_FILTER=Yes</varname> causes route filtering to
-        filtering to occur on all interfaces brought up while Shorewall is
+        occur on all interfaces brought up while Shorewall is running. This
-        running. This means that it may be appropriate to set
+        means that it may be appropriate to set
        <varname>ROUTE_FILTER=Yes</varname> and use the routefilter option in
-        <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
+        <filename
        class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
        entries.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>Version &#62;= 1.4.6</title>
+    <title>Version &gt;= 1.4.6</title>
    <itemizedlist mark="bullet">
      <listitem>
-        <para>The <varname>NAT_ENABLED</varname>, <varname>MANGLE_ENABLED</varname>
+        <para>The <varname>NAT_ENABLED</varname>,
-        and <varname>MULTIPORT</varname> options have been removed from
+        <varname>MANGLE_ENABLED</varname> and <varname>MULTIPORT</varname>
-        <filename>shorewall.conf</filename>. These capabilities are now
+        options have been removed from <filename>shorewall.conf</filename>.
-        automatically detected by Shorewall.</para>
+        These capabilities are now automatically detected by Shorewall.</para>
      </listitem>
      <listitem>
@ -239,39 +312,48 @@ zone	eth1:192.168.1.0/24,192.168.2.0/24
  </section>
  <section>
-    <title>Version &#62;= 1.4.4</title>
+    <title>Version &gt;= 1.4.4</title>
-    <para>If you are upgrading from 1.4.3 and have set the <varname>LOGMARKER</varname>
+    <para>If you are upgrading from 1.4.3 and have set the
-    variable in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
+    <varname>LOGMARKER</varname> variable in <filename
    class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
    then you must set the new <varname>LOGFORMAT</varname> variable
-    appropriately and remove your setting of <varname>LOGMARKER</varname>.</para>
+    appropriately and remove your setting of
    <varname>LOGMARKER</varname>.</para>
  </section>
  <section>
    <title>Version 1.4.4</title>
    <para>If you have zone names that are 5 characters long, you may
-    experience problems starting Shorewall because the <option>--log-prefix</option>
+    experience problems starting Shorewall because the
-    in a logging rule is too long. Upgrade to Version 1.4.4a to fix this
+    <option>--log-prefix</option> in a logging rule is too long. Upgrade to
-    problem.</para>
+    Version 1.4.4a to fix this problem.</para>
  </section>
  <section>
-    <title>Version &#62;= 1.4.2</title>
+    <title>Version &gt;= 1.4.2</title>
    <para>There are some cases where you may want to handle traffic from a
    particular group to itself. While I personally think that such a setups
    are ridiculous, there are two cases covered in this documentation where it
-    can occur: <itemizedlist><listitem><para><ulink url="FAQ.htm#faq2">In FAQ
+    can occur: <itemizedlist>
-    #2</ulink></para></listitem><listitem><para><ulink
+        <listitem>
-    url="Shorewall_Squid_Usage.html">When running <application>Squid</application>
+          <para><ulink url="FAQ.htm#faq2">In FAQ #2</ulink></para>
-    as a transparent proxy in your local zone.</ulink></para></listitem></itemizedlist>
+        </listitem>
-    If you have either of these cases, you will want to review the current
+
-    documentation and change your configuration accordingly.</para>
+        <listitem>
          <para><ulink url="Shorewall_Squid_Usage.html">When running
          <application>Squid</application> as a transparent proxy in your
          local zone.</ulink></para>
        </listitem>
      </itemizedlist> If you have either of these cases, you will want to
    review the current documentation and change your configuration
    accordingly.</para>
  </section>
  <section>
-    <title>Version &#62;= 1.4.1</title>
+    <title>Version &gt;= 1.4.1</title>
    <itemizedlist mark="bullet">
      <listitem>
@ -280,11 +362,10 @@ zone	eth1:192.168.1.0/24,192.168.2.0/24
        was treated just like any other traffic; any matching rules were
        applied followed by enforcement of the appropriate policy. With 1.4.1
        and later versions, unless you have explicit rules for traffic from Z
-        to Z or you have an explicit Z to Z policy (where &#34;Z&#34; is some
+        to Z or you have an explicit Z to Z policy (where "Z" is some zone)
-        zone) then traffic between the groups in zone Z will be accepted. If
+        then traffic between the groups in zone Z will be accepted. If you do
-        you do have one or more explicit rules for Z to Z or if you have an
+        have one or more explicit rules for Z to Z or if you have an explicit
-        explicit Z to Z policy then the behavior is as it was in prior
+        Z to Z policy then the behavior is as it was in prior versions.</para>
        versions.</para>
        <orderedlist numeration="arabic">
          <listitem>
@ -296,26 +377,29 @@ zone	eth1:192.168.1.0/24,192.168.2.0/24
          <listitem>
            <para>If you have a Z Z DROP or Z Z REJECT policy or you have
-            Z-&#62;Z rules then your configuration should not require any
+            Z-&gt;Z rules then your configuration should not require any
            change.</para>
          </listitem>
          <listitem>
            <para>If you are currently relying on a implicit policy (one that
-            has &#34;all&#34; in either the SOURCE or DESTINATION column) to
+            has "all" in either the SOURCE or DESTINATION column) to prevent
-            prevent traffic between two interfaces to a zone Z and you have no
+            traffic between two interfaces to a zone Z and you have no rules
-            rules for Z-&#62;Z then you should add an explicit DROP or REJECT
+            for Z-&gt;Z then you should add an explicit DROP or REJECT policy
-            policy for Z to Z.</para>
+            for Z to Z.</para>
          </listitem>
        </orderedlist>
      </listitem>
      <listitem>
        <para>Sometimes, you want two separate zones on one interface but you
-        don&#39;t want Shorewall to set up any infrastructure to handle
+        don't want Shorewall to set up any infrastructure to handle traffic
-        traffic between them. <example><title>The <filename>zones</filename>,
+        between them. <example>
-        <filename>interfaces</filename> and, <filename>hosts</filename> file
+            <title>The <filename>zones</filename>,
-        contents</title><programlisting>
+            <filename>interfaces</filename> and, <filename>hosts</filename>
            file contents</title>
            <programlisting>
 <filename class="directory">/etc/shorewall/</filename><filename>zones</filename>
 z1	Zone1	The first Zone
 z2	Zone2	The second Zone
@ -325,17 +409,21 @@ z2	eth1	192.168.1.255
 <filename class="directory">/etc/shorewall/</filename><filename>hosts</filename>
 z1	eth1:192.168.1.3
-					</programlisting></example> Here, zone z1 is nested in zone z2 and the
+					</programlisting>
-        firewall is not going to be involved in any traffic between these two
+          </example> Here, zone z1 is nested in zone z2 and the firewall is
-        zones. Beginning with Shorewall 1.4.1, you can prevent Shorewall from
+        not going to be involved in any traffic between these two zones.
-        setting up any infrastructure to handle traffic between z1 and z2 by
+        Beginning with Shorewall 1.4.1, you can prevent Shorewall from setting
-        using the new NONE policy: <example><title>The contents of
+        up any infrastructure to handle traffic between z1 and z2 by using the
-        <filename>policy</filename></title><programlisting>
+        new NONE policy: <example>
            <title>The contents of <filename>policy</filename></title>
            <programlisting>
 <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
 z1	z2	NONE
 z2	z1	NONE
-					</programlisting></example> Note that NONE policies are generally used in
+					</programlisting>
-        pairs unless there is asymetric routing where only the traffic on one
+          </example> Note that NONE policies are generally used in pairs
        unless there is asymetric routing where only the traffic on one
        direction flows through the firewall and you are using a NONE polciy
        in the other direction.</para>
      </listitem>
@ -348,21 +436,21 @@ z2	z1	NONE
    <itemizedlist mark="bullet">
      <listitem>
        <para>In Version 1.4.1, Shorewall will never create rules to deal with
-        traffic from a given group back to itself. The <varname>multi</varname>
+        traffic from a given group back to itself. The
-        interface option is no longer available so if you want to route
+        <varname>multi</varname> interface option is no longer available so if
-        traffic between two subnetworks on the same interface then I recommend
+        you want to route traffic between two subnetworks on the same
-        that you upgrade to Version 1.4.2 and use the <varname>routeback</varname>
+        interface then I recommend that you upgrade to Version 1.4.2 and use
-        interface or host option.</para>
+        the <varname>routeback</varname> interface or host option.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>Version &#62;= 1.4.0</title>
+    <title>Version &gt;= 1.4.0</title>
    <important>
-      <para>Shorewall &#62;=1.4.0 requires the <command>iproute</command>
+      <para>Shorewall &gt;=1.4.0 requires the <command>iproute</command>
-      package (&#39;<literal>ip</literal>&#39; utility).</para>
+      package ('<literal>ip</literal>' utility).</para>
    </important>
    <note>
@ -370,46 +458,89 @@ z2	z1	NONE
      <command>iproute2</command> which will cause the upgrade of Shorewall to
      fail with the diagnostic: <synopsis>
 error: failed dependencies:iproute is needed by shorewall-1.4.0-1
-				</synopsis> This may be worked around by using the <option>--nodeps</option>
+				</synopsis> This may be worked around by using the
-      option of <command>rpm</command> (<command>rpm -Uvh --nodeps
+      <option>--nodeps</option> option of <command>rpm</command> (<command>rpm
      -Uvh --nodeps
      <filename>your_shorewall_rpm.rpm</filename></command>).</para>
    </note>
-    <para>If you are upgrading from a version &#60; 1.4.0, then: <itemizedlist
+    <para>If you are upgrading from a version &lt; 1.4.0, then: <itemizedlist
-    mark="bullet"><listitem><para>The <varname>noping</varname> and
+        mark="bullet">
-    <varname>forwardping</varname> interface options are no longer supported
+        <listitem>
-    nor is the <varname>FORWARDPING</varname> option in <filename>shorewall.conf</filename>.
+          <para>The <varname>noping</varname> and
-    ICMP echo-request (ping) packets are treated just like any other
+          <varname>forwardping</varname> interface options are no longer
-    connection request and are subject to rules and policies.</para></listitem><listitem><para>Interface
+          supported nor is the <varname>FORWARDPING</varname> option in
-    names of the form <varname>&#60;device&#62;:&#60;integer&#62;</varname> in
+          <filename>shorewall.conf</filename>. ICMP echo-request (ping)
-    <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
+          packets are treated just like any other connection request and are
          subject to rules and policies.</para>
        </listitem>
        <listitem>
          <para>Interface names of the form
          <varname>&lt;device&gt;:&lt;integer&gt;</varname> in <filename
          class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
          now generate a Shorewall error at startup (they always have produced
-    warnings in <application class="software">iptables</application>).</para></listitem><listitem><para>The
+          warnings in <application
-    <varname>MERGE_HOSTS</varname> variable has been removed from
+          class="software">iptables</application>).</para>
-    <filename>shorewall.conf</filename>. Shorewall 1.4 behaves like 1.3 did
+        </listitem>
-    when <varname>MERGE_HOSTS=Yes</varname>; that is zone contents are
+
-    determined by <emphasis>BOTH</emphasis> the interfaces and hosts files
+        <listitem>
-    when there are entries for the zone in both files.</para></listitem><listitem><para>The
+          <para>The <varname>MERGE_HOSTS</varname> variable has been removed
-    <varname>routestopped</varname> option in the interfaces and hosts file
+          from <filename>shorewall.conf</filename>. Shorewall 1.4 behaves like
-    has been eliminated; use entries in the <filename>routestopped</filename>
+          1.3 did when <varname>MERGE_HOSTS=Yes</varname>; that is zone
-    file instead.</para></listitem><listitem><para>The Shorewall 1.2 syntax
+          contents are determined by <emphasis>BOTH</emphasis> the interfaces
-    for <varname>DNAT</varname> and <varname>REDIRECT</varname> rules is no
+          and hosts files when there are entries for the zone in both
-    longer accepted; you must convert to using the new syntax.</para></listitem><listitem><para>The
+          files.</para>
-    <varname>ALLOWRELATED</varname> variable in <filename>shorewall.conf</filename>
+        </listitem>
-    is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
+
-    <varname>ALLOWRELATED=Yes</varname>.</para></listitem><listitem><para>Late-arriving
+        <listitem>
-    DNS replies are now dropped by default; there is no need for your own
+          <para>The <varname>routestopped</varname> option in the interfaces
-    <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
+          and hosts file has been eliminated; use entries in the
-    file simply to avoid logging these packets.</para></listitem><listitem><para>The
+          <filename>routestopped</filename> file instead.</para>
-    <filename>firewall</filename>, <filename>functions</filename> and
+        </listitem>
-    <filename>version</filename> files have been moved to <filename
+
-    class="directory">/usr/share/shorewall</filename>.</para></listitem><listitem><para>The
+        <listitem>
-    <filename>icmp.def</filename> file has been removed. If you include it
+          <para>The Shorewall 1.2 syntax for <varname>DNAT</varname> and
-    from <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
+          <varname>REDIRECT</varname> rules is no longer accepted; you must
-    you will need to modify that file.</para></listitem><listitem><para>If you
+          convert to using the new syntax.</para>
-    followed the advice in FAQ #2 and call <varname>find_interface_address</varname>
+        </listitem>
-    in <filename class="directory">/etc/shorewall/</filename><filename>params</filename>,
+
-    that code should be moved to <filename class="directory">/etc/shorewall/</filename><filename>init</filename>.</para></listitem></itemizedlist></para>
+        <listitem>
          <para>The <varname>ALLOWRELATED</varname> variable in
          <filename>shorewall.conf</filename> is no longer supported.
          Shorewall 1.4 behavior is the same as 1.3 with
          <varname>ALLOWRELATED=Yes</varname>.</para>
        </listitem>
        <listitem>
          <para>Late-arriving DNS replies are now dropped by default; there is
          no need for your own <filename
          class="directory">/etc/shorewall/</filename><filename>common</filename>
          file simply to avoid logging these packets.</para>
        </listitem>
        <listitem>
          <para>The <filename>firewall</filename>,
          <filename>functions</filename> and <filename>version</filename>
          files have been moved to <filename
          class="directory">/usr/share/shorewall</filename>.</para>
        </listitem>
        <listitem>
          <para>The <filename>icmp.def</filename> file has been removed. If
          you include it from <filename
          class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
          you will need to modify that file.</para>
        </listitem>
        <listitem>
          <para>If you followed the advice in FAQ #2 and call
          <varname>find_interface_address</varname> in <filename
          class="directory">/etc/shorewall/</filename><filename>params</filename>,
          that code should be moved to <filename
          class="directory">/etc/shorewall/</filename><filename>init</filename>.</para>
        </listitem>
      </itemizedlist></para>
  </section>
  <section>
@ -420,44 +551,69 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
        <para>The <varname>multi</varname> interface option is no longer
        supported. Shorewall will generate rules for sending packets back out
        the same interface that they arrived on in two cases: <itemizedlist
-        mark="hollow"><listitem><para>There is an <emphasis>explicit</emphasis>
+            mark="hollow">
-        policy for the source zone to or from the destination zone. An
+            <listitem>
-        explicit policy names both zones and does not use the
+              <para>There is an <emphasis>explicit</emphasis> policy for the
-        <varname>all</varname> reserved word.</para></listitem><listitem><para>There
+              source zone to or from the destination zone. An explicit policy
-        are one or more rules for traffic for the source zone to or from the
+              names both zones and does not use the <varname>all</varname>
-        destination zone including rules that use the <varname>all</varname>
+              reserved word.</para>
-        reserved word. Exception: if the source zone and destination zone are
+            </listitem>
-        the same then the rule must be explicit - it must name the zone in
+
-        both the <varname>SOURCE</varname> and <varname>DESTINATION</varname>
+            <listitem>
-        columns.</para></listitem></itemizedlist></para>
+              <para>There are one or more rules for traffic for the source
              zone to or from the destination zone including rules that use
              the <varname>all</varname> reserved word. Exception: if the
              source zone and destination zone are the same then the rule must
              be explicit - it must name the zone in both the
              <varname>SOURCE</varname> and <varname>DESTINATION</varname>
              columns.</para>
            </listitem>
          </itemizedlist></para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>Version &#62;= 1.3.14</title>
+    <title>Version &gt;= 1.3.14</title>
    <para>Beginning in version 1.3.14, Shorewall treats entries in <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
-    differently. The change involves entries with an <emphasis role="bold">interface
+    differently. The change involves entries with an <emphasis
-    name</emphasis> in the <varname>SUBNET</varname> (second) <emphasis
+    role="bold">interface name</emphasis> in the <varname>SUBNET</varname>
-    role="bold">column</emphasis>: <itemizedlist mark="bullet"><listitem><para>Prior
+    (second) <emphasis role="bold">column</emphasis>: <itemizedlist
-    to 1.3.14, Shorewall would detect the FIRST subnet on the interface (as
+        mark="bullet">
-    shown by <quote>ip addr show interface</quote>) and would masquerade
+        <listitem>
-    traffic from that subnet. Any other subnets that routed through
+          <para>Prior to 1.3.14, Shorewall would detect the FIRST subnet on
-    <literal>eth1</literal> needed their own entry in <filename
+          the interface (as shown by <quote>ip addr show interface</quote>)
-    class="directory">/etc/shorewall/</filename><filename>masq</filename> to
+          and would masquerade traffic from that subnet. Any other subnets
-    be masqueraded or to have <acronym>SNAT</acronym> applied.</para></listitem><listitem><para>Beginning
+          that routed through <literal>eth1</literal> needed their own entry
-    with Shorewall 1.3.14, Shorewall uses the firewall&#39;s routing table to
+          in <filename
-    determine ALL subnets routed through the named interface. Traffic
+          class="directory">/etc/shorewall/</filename><filename>masq</filename>
-    originating in ANY of those subnets is masqueraded or has SNAT applied.</para></listitem></itemizedlist>
+          to be masqueraded or to have <acronym>SNAT</acronym> applied.</para>
-    You will need to make a change to your configuration if: <orderedlist
+        </listitem>
-    numeration="arabic"><listitem><para>You have one or more entries in
+
-    <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
+        <listitem>
-    with an interface name in the <varname>SUBNET</varname> (second) column;
+          <para>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
-    and</para></listitem><listitem><para>That interface connects to more than
+          routing table to determine ALL subnets routed through the named
-    one subnetwork.</para></listitem></orderedlist> Two examples: <example
+          interface. Traffic originating in ANY of those subnets is
-    label="1"><title>Suppose that your current config is as follows:</title><programlisting>
+          masqueraded or has SNAT applied.</para>
        </listitem>
      </itemizedlist> You will need to make a change to your configuration if:
    <orderedlist numeration="arabic">
        <listitem>
          <para>You have one or more entries in <filename
          class="directory">/etc/shorewall/</filename><filename>masq</filename>
          with an interface name in the <varname>SUBNET</varname> (second)
          column; and</para>
        </listitem>
        <listitem>
          <para>That interface connects to more than one subnetwork.</para>
        </listitem>
      </orderedlist> Two examples: <example label="1">
        <title>Suppose that your current config is as follows:</title>
        <programlisting>
 				<!-- I added a space below the end of the config file for clarity -->
 [root@gateway test]# cat /etc/shorewall/masq
 #INTERFACE              SUBNET                  ADDRESS
@ -469,10 +625,13 @@ eth0                    192.168.10.0/24         206.124.146.176
 192.168.1.0/24  scope link
 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
 [root@gateway test]#
-				</programlisting></example> In this case, the second entry in <filename
+				</programlisting>
      </example> In this case, the second entry in <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename> is
-    no longer required. <example label="2"><title>What if your current
+    no longer required. <example label="2">
-    configuration is like this?</title><programlisting>
+        <title>What if your current configuration is like this?</title>
        <programlisting>
 [root@gateway test]# cat /etc/shorewall/masq
 #INTERFACE              SUBNET                  ADDRESS
 eth0                    eth2                    206.124.146.176
@ -482,20 +641,23 @@ eth0                    eth2                    206.124.146.176
 192.168.1.0/24  scope link
 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
 [root@gateway test]#
-				</programlisting></example> In this case, you would want to change the
+				</programlisting>
-    entry in /etc/shorewall/masq to: <programlisting>
+      </example> In this case, you would want to change the entry in
    /etc/shorewall/masq to: <programlisting>
 #INTERFACE              SUBNET                  ADDRESS
 eth0                    192.168.1.0/24          206.124.146.176
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
 			</programlisting> Version 1.3.14 also introduced simplified ICMP
-    echo-request (ping) handling. The option <varname>OLD_PING_HANDLING=Yes</varname>
+    echo-request (ping) handling. The option
-    in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
+    <varname>OLD_PING_HANDLING=Yes</varname> in <filename
    class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
    is used to specify that the old (pre-1.3.14) ping handling is to be used
-    (If the option is not set in your <filename class="directory">/etc/shorewall/</filename>shorewall.conf
+    (If the option is not set in your <filename
-    then <varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don&#39;t
+    class="directory">/etc/shorewall/</filename>shorewall.conf then
-    plan on supporting the old handling indefinitely so I urge current users
+    <varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don't plan on
-    to migrate to using the new handling as soon as possible. See the
+    supporting the old handling indefinitely so I urge current users to
-    &#39;Ping&#39; handling documentation for details.</para>
+    migrate to using the new handling as soon as possible. See the 'Ping'
    handling documentation for details.</para>
  </section>
  <section>
@ -513,7 +675,7 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
  </section>
  <section>
-    <title>Version &#62;= 1.3.9</title>
+    <title>Version &gt;= 1.3.9</title>
    <itemizedlist>
      <listitem>
@ -527,22 +689,23 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
  </section>
  <section>
-    <title>Version &#62;= 1.3.8</title>
+    <title>Version &gt;= 1.3.8</title>
    <itemizedlist>
      <listitem>
        <para>If you have a pair of firewall systems configured for failover
        or if you have asymmetric routing, you will need to modify your
-        firewall setup slightly under Shorewall versions &#62;= 1.3.8.
+        firewall setup slightly under Shorewall versions &gt;= 1.3.8.
-        Beginning with version 1.3.8, you must set <varname>NEWNOTSYN=Yes</varname>
+        Beginning with version 1.3.8, you must set
-        in your <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
+        <varname>NEWNOTSYN=Yes</varname> in your <filename
        class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
        file.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>Version &#62;= 1.3.7</title>
+    <title>Version &gt;= 1.3.7</title>
    <itemizedlist>
      <listitem>
@ -550,14 +713,14 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
        class="directory">/etc/</filename><filename>shorewall.conf</filename>
        will need to include the following rules in their <filename
        class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
-        file (creating this file if necessary):
+        file (creating this file if necessary): <programlisting>
        <programlisting>
 run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
-					</programlisting> Users having an <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
+					</programlisting> Users having an <filename
        class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
        file may remove the <command>./etc/shorewall/icmp.def</command>
        command from that file since the <filename>icmp.def</filename> file is
        now empty.</para>
@ -566,24 +729,37 @@ run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
  </section>
  <section>
-    <title>Upgrading Bering to Shorewall &#62;= 1.3.3</title>
+    <title>Upgrading Bering to Shorewall &gt;= 1.3.3</title>
    <itemizedlist>
      <listitem>
        <para>To properly upgrade with Shorewall version 1.3.3 and later:
-        <orderedlist numeration="arabic"><listitem><para>Be sure you have a
+        <orderedlist numeration="arabic">
-        backup -- you will need to transcribe any Shorewall configuration
+            <listitem>
-        changes that you have made to the new configuration.</para></listitem><listitem><para>Replace
+              <para>Be sure you have a backup -- you will need to transcribe
-        the <filename>shorwall.lrp</filename> package provided on the Bering
+              any Shorewall configuration changes that you have made to the
-        floppy with the later one. If you did not obtain the later version
+              new configuration.</para>
-        from Jacques&#39;s site, see additional instructions below.</para></listitem><listitem><para>Edit
+            </listitem>
-        the <filename class="directory">/var/lib/lrpkg/</filename><filename>root.exclude.list</filename>
+
-        file and remove the <filename>/var/lib/shorewall</filename> entry if
+            <listitem>
-        present. Then do not forget to backup <filename>root.lrp</filename>!</para></listitem></orderedlist>
+              <para>Replace the <filename>shorwall.lrp</filename> package
-        The .lrp that I release isn&#39;t set up for a two-interface firewall
+              provided on the Bering floppy with the later one. If you did not
-        like Jacques&#39;s. You need to follow the instructions for setting up
+              obtain the later version from Jacques's site, see additional
-        a two-interface firewall plus you also need to add the following two
+              instructions below.</para>
-        Bering-specific rules to <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>:
+            </listitem>
            <listitem>
              <para>Edit the <filename
              class="directory">/var/lib/lrpkg/</filename><filename>root.exclude.list</filename>
              file and remove the <filename>/var/lib/shorewall</filename>
              entry if present. Then do not forget to backup
              <filename>root.lrp</filename>!</para>
            </listitem>
          </orderedlist> The .lrp that I release isn't set up for a
        two-interface firewall like Jacques's. You need to follow the
        instructions for setting up a two-interface firewall plus you also
        need to add the following two Bering-specific rules to <filename
        class="directory">/etc/shorewall/</filename><filename>rules</filename>:
        <programlisting>
 # Bering specific rules:
 # allow loc to fw udp/53 for dnscache to work
@ -604,41 +780,55 @@ ACCEPT loc fw tcp 80
        <para>If you have a pair of firewall systems configured for failover
        or if you have asymmetric routing, you will need to modify your
        firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7
-        <orderedlist><listitem><para>Create the file <filename
+        <orderedlist>
            <listitem>
              <para>Create the file <filename
              class="directory">/etc/shorewall/</filename><filename>newnotsyn</filename>
              and in it add the following rule: <!-- The following code wraps off of the document. I have added the comment above the command. -->
              <programlisting>
 # So that the connection tracking table can be rebuilt
 # from non-SYN packets after takeover.
 run_iptables -A newnotsyn -j RETURN
- 							</programlisting></para></listitem><listitem><para>Create <filename
+ 							</programlisting></para>
            </listitem>
            <listitem>
              <para>Create <filename
              class="directory">/etc/shorewall/</filename><filename>common</filename>
-        (if you don&#39;t already have that file) and include the following:
+              (if you don't already have that file) and include the following:
              <programlisting>
 #Accept Acks to rebuild connection tracking table.
 run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
 ./etc/shorewall/common.def
-							</programlisting></para></listitem></orderedlist></para>
+							</programlisting></para>
            </listitem>
          </orderedlist></para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
-    <title>Versions &#62;= 1.3.5</title>
+    <title>Versions &gt;= 1.3.5</title>
    <itemizedlist>
      <listitem>
        <para>Some forms of pre-1.3.0 rules file syntax are no longer
-        supported. <example label="1"><title></title><programlisting>
+        supported. <example label="1">
            <title></title>
            <programlisting>
 ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
-						</programlisting></example> Must be replaced with:
+						</programlisting>
-        <programlisting>
+          </example> Must be replaced with: <programlisting>
 DNAT	net	loc:192.168.1.12:22	tcp	11111
-					</programlisting> <example label="2"><title></title><programlisting>
+					</programlisting> <example label="2">
-ACCEPT	loc	fw::3128	tcp	80	-	all
+            <title></title>
-						</programlisting></example> Must be replaced with:
+
            <programlisting>
 ACCEPT	loc	fw::3128	tcp	80	-	all
 						</programlisting>
          </example> Must be replaced with: <programlisting>
 REDIRECT	loc	3128	tcp	80
 						</programlisting></para>
      </listitem>
@ -646,7 +836,7 @@ REDIRECT	loc	3128	tcp	80
  </section>
  <section>
-    <title>Version &#62;= 1.3.2</title>
+    <title>Version &gt;= 1.3.2</title>
    <itemizedlist>
      <listitem>