Shorewall 1.4.6 RC1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-15 10:51:02 +01:00 · 2003-07-14 22:09:33 +00:00 · 2003-07-14 22:09:33 +00:00 · 88e1eb7e4d
commit 88e1eb7e4d
parent defe814ca5
16 changed files with 5403 additions and 5050 deletions
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -12,6 +12,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -39,9 +40,9 @@
              </h1>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b> 
-                              port</b> 7777 to my my personal PC with IP address
+                               port</b> 7777 to my my personal PC with IP 
-       192.168.1.5.             I've     looked     everywhere and can't
+address        192.168.1.5.             I've     looked     everywhere and 
-find     <b>how   to do it</b>.</a></p>
+can't find     <b>how   to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
                               but it doesn't work.<br>
@ -86,8 +87,8 @@ using   their DNS   names.</b></a></p>
     as   'closed'         rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
-                              of my firewall and it showed 100s of ports as
+                               of my firewall and it showed 100s of ports 
-  open!!!!<br>
+as   open!!!!<br>
       </a></p>
       <b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter 
  how  I change my rules. </a>                
@ -110,13 +111,13 @@ using   their DNS   names.</b></a></p>
 <p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
 href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect 
-              requests. Can i exclude these error messages for this port temporarily
+               requests. Can i exclude these error messages for this port 
-           from   logging in Shorewall?</a><br>
+temporarily            from   logging in Shorewall?</a><br>
                               </p>
 <p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow 
-              of these <b>DROP messages from port 53</b> <b>to some high numbered
+               of these <b>DROP messages from port 53</b> <b>to some high 
-        port</b>.       They get dropped, but what the heck are they?</a><br>
+numbered         port</b>.       They get dropped, but what the heck are they?</a><br>
                               </p>
 <p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b> 
@ -131,8 +132,8 @@ using   their DNS   names.</b></a></p>
    <a href="#faq17">How   do  I  find   out   <b>why    this traffic   is</b> 
    getting  <b>logged?</b></a><br>
              <b><br>
-            21. </b><a href="#faq21">I see these <b>strange      log   entries
+              21. </b><a href="#faq21">I see these <b>strange      log  
-     </b>occasionally;    what are they?</a><br>
+entries       </b>occasionally;    what are they?</a><br>
 <h1>STARTING AND STOPPING<br>
              </h1>
@ -152,9 +153,10 @@ stop', I can't connect to anything</b>. Why doesn't that command
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
                              my  interfaces </b>properly at startup?</a></p>
-                                             <b>22. </b><a href="#faq22">I
+                                               <b>22. </b><a
- have   some   <b>iptables   commands     </b>that     I  want to <b>run
+ href="#faq22">I  have   some   <b>iptables   commands     </b>that     I 
-when  Shorewall    starts.</b> Which   file do   I  put them in?</a><br>
+ want to <b>run when  Shorewall    starts.</b> Which   file do   I  put them 
 in?</a><br>
 <h1>ABOUT SHOREWALL<br>
              </h1>
@ -167,25 +169,26 @@ when  Shorewall    starts.</b> Which   file do   I  put them in?</a><br>
 <p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
 <p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
-                                     <b>23. </b><a href="#faq23">Why do you 
+                                       <b>23. </b><a href="#faq23">Why do 
- use   such   <b>ugly    fonts</b>      on  your   <b>web site</b>?</a><br>
+you   use   such   <b>ugly    fonts</b>      on  your   <b>web site</b>?</a><br>
              <b><br>
-            25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b> 
+              25. </b><a href="#faq25">How to I tell <b>which version of
-        I am <b>running</b>?</a><br>
+Shorewall</b>          I am <b>running</b>?</a><br>
 <h1>RFC 1918<br>
              </h1>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
                              and it has an internel  web server that allows 
-  me   to   configure/monitor                  it   but as expected if I enable
+   me   to   configure/monitor                  it   but as expected if I 
-    <b> rfc1918  blocking</b>  for    my   eth0     interface,       it also
+enable     <b> rfc1918  blocking</b>  for    my   eth0     interface,    
-   blocks the <b>cable  modems  web server</b></a>.</p>
+  it also    blocks the <b>cable  modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
                              IP  addresses, my ISP's DHCP server has an RFC
-  1918     address.         If   I  enable       RFC 1918  filtering on my 
+   1918     address.         If   I  enable       RFC 1918  filtering on
- external    interface,  <b>my      DHCP  client  cannot    renew   its lease</b>.</a></p>
+my   external    interface,  <b>my      DHCP  client  cannot    renew   its
 lease</b>.</a></p>
 <h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
              </h1>
@ -195,9 +198,9 @@ when  Shorewall    starts.</b> Which   file do   I  put them in?</a><br>
 <h1>MISCELLANEOUS<br>
               </h1>
-            <b>19. </b><a href="#faq19">I have added   <b>entries      to 
+              <b>19. </b><a href="#faq19">I have added   <b>entries     
- /etc/shorewall/tcrules</b>             but they <b>don't  </b>seem to <b>do
+to   /etc/shorewall/tcrules</b>             but they <b>don't  </b>seem to
-     anything</b>.  Why?</a><br>
+<b>do       anything</b>.  Why?</a><br>
                                                 <br>
                                                 <b>20. </b><a
 href="#faq20">I  have   just   set    up   a   server.      <b>Do  I have 
@ -207,14 +210,20 @@ to change Shorewall  to  allow access   to my   server    from   the  internet?<
    conections</b>        to  let's    say  the ssh port only<b> from specific
    IP Addresses</b>    on   the internet?</a><br>
   <br>
-                   <b>26. </b><a href="#faq26">When I try to use any of the 
+                     <b>26. </b><a href="#faq26">When I try to use any of 
-<b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation 
+the  <b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation 
 not permitted</b>". How can I use nmap with Shorewall?"</a><br>
 <br>
 <b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my firewall<b>.</b> 
 What should I look out for?</a><br>
 <br>
 <b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging Firewall</b>?</a><br>
 <hr>           
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
                              my my personal PC with IP address 192.168.1.5. 
-  I've     looked       everywhere           and    can't find how to do it.</h4>
+   I've     looked       everywhere           and    can't find how to do 
 it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
@ -245,9 +254,11 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
                                                                     <td><i>&lt;protocol&gt;</i></td>
                                                                     <td><i>&lt;port 
     #&gt;</i></td>
-                                                                   <td> <br>
+                                                                     <td> 
        <br>
                                                                   </td>
-                                                                   <td> <br>
+                                                                     <td> 
        <br>
                                                                   </td>
                                                                   </tr>
@ -279,9 +290,11 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
                                                                     <td>loc:192.168.1.5</td>
                                                                     <td>udp</td>
                                                                     <td>7777</td>
-                                                                   <td> <br>
+                                                                     <td> 
        <br>
                                                                   </td>
-                                                                   <td> <br>
+                                                                     <td> 
        <br>
                                                                   </td>
                                                                   </tr>
@ -290,9 +303,9 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
                                                               </blockquote>
 <div align="left">                      <font face="Courier">     </font>If 
-                   you want to forward requests directed to a particular address
+                    you want to forward requests directed to a particular 
-       (  <i>&lt;external          IP&gt;</i> ) on your firewall to an internal
+address        (  <i>&lt;external          IP&gt;</i> ) on your firewall to
-      system:</div>
+an internal       system:</div>
 <blockquote>                                   
  <table border="1" cellpadding="2" cellspacing="0"
@ -335,13 +348,14 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
     things:</p>
 <ul>
-                                                               <li>You are
+                                                                 <li>You
- trying    to  test   from   inside    your   firewall     (no,   that  
+are   trying    to  test   from   inside    your   firewall     (no,   that
   won't    work  -- see      <a href="#faq2">FAQ   #2</a>).</li>
-                                                               <li>You have 
+                                                                 <li>You
- a  more   basic    problem     with   your   local    system    such   as 
+have   a  more   basic    problem     with   your   local    system    such
-  an    incorrect   default   gateway     configured    (it  should    be 
+  as    an    incorrect   default   gateway     configured    (it  should
-set to    the IP   address     of your  firewall's    internal    interface).</li>
+   be  set to    the IP   address     of your  firewall's    internal   
 interface).</li>
                   <li>Your ISP is blocking that particular port inbound.<br>
                </li>
@ -353,25 +367,25 @@ set to    the IP   address     of your  firewall's    internal    interface).</l
   diagnose     this   problem:<br>
 <ul>
-                                                     <li>As root, type "iptables
+                                                       <li>As root, type
-    -t  nat   -Z".   This   clears    the   NetFilter      counters   in
+"iptables      -t  nat   -Z".   This   clears    the   NetFilter      counters
-the    nat table.</li>
+  in the    nat table.</li>
-                                                     <li>Try to connect to
+                                                       <li>Try to connect 
- the   redirected      port   from   an  external     host.</li>
+to  the   redirected      port   from   an  external     host.</li>
                                                       <li>As root type "shorewall
     show   nat"</li>
                                                       <li>Locate the appropriate 
    DNAT   rule.    It  will   be  in  a  chain    called        <i>&lt;source 
    zone&gt;</i>_dnat       ('net_dnat'    in the above   examples).</li>
-                                                     <li>Is the packet count
+                                                       <li>Is the packet
-  in  the   first    column    non-zero?      If  so,   the   connection
+count    in  the   first    column    non-zero?      If  so,   the   connection
   request  is  reaching    the firewall    and is  being    redirected 
  to   the server.     In  this    case, the problem    is usually   a  missing
    or incorrect       default  gateway    setting on  the  server (the 
-server's    default   gateway  should     be  the IP address    of  the firewall's 
+ server's    default   gateway  should     be  the IP address    of  the
-  interface   to the  server).</li>
+firewall's    interface   to the  server).</li>
-                                                     <li>If the packet count
+                                                       <li>If the packet
-  is  zero:</li>
+count    is  zero:</li>
  <ul>
                                                         <li>the connection 
@ -443,13 +457,13 @@ my   local      network.         External         clients  can browse http://www
 an  internet-accessible          server    in  your   local    network  
      is  like raising foxes     in   the  corner   of your  hen   house. 
 If  the server     is      compromised,        there's  nothing    between 
- that  server  and  your other   internal           systems.  For the    cost
+  that  server  and  your other   internal           systems.  For the   
-of another  NIC and  a cross-over  cable,       you can   put       your
+cost of another  NIC and  a cross-over  cable,       you can   put      
-  server in a DMZ such  that it is isolated  from     your   local systems
+your   server in a DMZ such  that it is isolated  from     your   local systems
    -      assuming that the  Server can be located     near the Firewall,
   of course     :-)</li>
-                                                               <li>The accessibility 
+                                                                 <li>The
-     problem     is  best   solved    using           <a
+accessibility       problem     is  best   solved    using           <a
 href="shorewall_setup_guide.htm#DNS">Bind  Version       9 "views"</a> 
  (or using a separate DNS server for local  clients)  such   that www.mydomain.com 
               resolves to 130.141.100.69     externally  and 192.168.1.5 
@ -615,13 +629,14 @@ releases.<br>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
                              subnet and I use static NAT to assign non-RFC1918 
      addresses          to   hosts      in   Z.  Hosts in Z cannot communicate 
-     with each other      using    their  external      (non-RFC1918     addresses)
+      with each other      using    their  external      (non-RFC1918    
-     so they can't    access  each    other  using their    DNS  names.</h4>
+addresses)      so they can't    access  each    other  using their    DNS 
 names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
                              using Bind Version 9 "views". It allows both 
-external         and    internal         clients       to access a NATed host
+ external         and    internal         clients       to access a NATed 
-using  the    host's    DNS   name.</p>
+host using  the    host's    DNS   name.</p>
 <p align="left">Another good way to approach this problem is to switch from 
                               static NAT to Proxy ARP. That way, the hosts 
@ -638,7 +653,8 @@ Z-&gt;Z traffic through your firewall then:</p>
                                                               Example:</p>
 <p align="left">Zone: dmz<br>
-                                                             Interface: eth2<br>
+                                                               Interface: 
 eth2<br>
                                                               Subnet: 192.168.2.0/24</p>
 <p align="left">In /etc/shorewall/interfaces:</p>
@ -682,7 +698,8 @@ Z-&gt;Z traffic through your firewall then:</p>
                                                                     <td>dmz</td>
                                                                     <td>dmz</td>
                                                                     <td>ACCEPT</td>
-                                                                   <td> <br>
+                                                                     <td> 
        <br>
                                                                   </td>
                                                                   </tr>
@ -725,8 +742,8 @@ Z-&gt;Z traffic through your firewall then:</p>
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
                              tracking/NAT module</a> that may help with Netmeeting.
           Look    <a href="http://linux-igd.sourceforge.net">here</a> for
-a  solution        for MSN   IM but be aware that there are significant security 
+ a  solution        for MSN   IM but be aware that there are significant
-  risks  involved      with this  solution. Also check the Netfilter     
+security    risks  involved      with this  solution. Also check the Netfilter
     mailing         list    archives    at <a
 href="http://www.netfilter.org">http://www.netfilter.org</a>.          
           </p>
@ -783,10 +800,10 @@ that attempt.<br>
 <p align="left">a) Create /etc/shorewall/common if it doesn't already exist. 
          <br>
-                                                             b) Be sure that
+                                                               b) Be sure 
-  the   first   command    in the file is ". /etc/shorewall/common.def"<br>
+that   the   first   command    in the file is ". /etc/shorewall/common.def"<br>
-                                                             c) Add the following 
+                                                               c) Add the 
-    to  /etc/shorewall/common             </p>
+following      to  /etc/shorewall/common             </p>
 <blockquote>                                   
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
@ -839,14 +856,14 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
                              <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
                                              </p>
                                            </blockquote>
-                                          I personnaly use Logwatch. It emails
+                                            I personnaly use Logwatch. It 
-   me  a  report    each   day   from   my  various    systems with each
+emails    me  a  report    each   day   from   my  various    systems with 
-report    summarizing   the  logged   activity   on  the  corresponding 
+each report    summarizing   the  logged   activity   on  the  corresponding 
   system.               
 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 
               are <b>flooding the logs</b> with their connect requests. Can
-  i  exclude        these  error messages for this port temporarily from logging
+   i  exclude        these  error messages for this port temporarily from
-    in Shorewall?</h4>
+logging     in Shorewall?</h4>
                               Temporarily add the following rule:<br>
 <pre>	DROP    net    fw    udp    10619</pre>
@ -908,9 +925,9 @@ sample    configurations        available    in the <a
 <p align="left">The 'stop' command is intended to place your firewall into 
                              a safe state whereby only those hosts listed 
-in   /etc/shorewall/routestopped'              are    activated.         If
+ in   /etc/shorewall/routestopped'              are    activated.        
-you   want to totally open up your  firewall,          you  must    use the
+If you   want to totally open up your  firewall,          you  must    use 
-'shorewall           clear' command.  </p>
+the 'shorewall           clear' command.  </p>
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, 
                  I get messages about insmod failing -- what's wrong?</h4>
@ -974,8 +991,8 @@ local    zone is defined as all hosts connected through eth1</p>
 <h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
 <p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin 
-           1.060 and later versions. See <a href="http://www.webmin.com">http://www.webmin.com</a> 
+            1.060 and later versions. See <a
-           </p>
+ href="http://www.webmin.com">http://www.webmin.com</a>             </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
@ -993,8 +1010,8 @@ enable     rfc1918   blocking for my  eth0     interface          (the  internet
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
                              that will let all traffic to and from the 192.168.100.1 
-           address         of   the    modem  in/out but still block all other
+            address         of   the    modem  in/out but still block all 
-     rfc1918      addresses?</p>
+other      rfc1918      addresses?</p>
 <p align="left"><b>Answer: </b>If you are running a version of Shorewall
 earlier than      1.3.1, create /etc/shorewall/start and in it, place the
@ -1091,10 +1108,10 @@ its lease.</h4>
                              the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
-                             the net", I wonder  where the poster bought computers
+                              the net", I wonder  where the poster bought 
-         with     eyes     and    what     those computers will "see"  when
+computers          with     eyes     and    what     those computers will 
-  things       are working     properly.      That   aside,     the most
+"see"  when   things       are working     properly.      That   aside,  
-common   causes     of  this  problem    are:</p>
+  the most common   causes     of  this  problem    are:</p>
 <ol>
                                                                 <li>   
@ -1111,8 +1128,8 @@ common   causes     of  this  problem    are:</p>
    <p align="left">The DNS settings on the local systems are wrong or the 
                                 user is running a DNS server on the firewall
-    and    hasn't       enabled        UDP    and   TCP    port 53 from the
+     and    hasn't       enabled        UDP    and   TCP    port 53 from
-  firewall     to the internet.</p>
+the    firewall     to the internet.</p>
                                                                  </li>
 </ol>
@ -1125,8 +1142,8 @@ common   causes     of  this  problem    are:</p>
 the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
                              to your startup    scripts or place it in /etc/shorewall/start. 
                    Under      RedHat,    the max log level    that is sent 
- to   the    console        is   specified     in /etc/sysconfig/init    in
+  to   the    console        is   specified     in /etc/sysconfig/init   
- the      LOGLEVEL    variable.<br>
+in  the      LOGLEVEL    variable.<br>
                                                          </p>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting 
@ -1146,9 +1163,9 @@ the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                                           <li><b>all2&lt;zone&gt;</b>, 
           <b>&lt;zone&gt;2all</b>             or      <b>all2all        
-    </b>-       You have a<a href="Documentation.htm#Policy"> policy</a> that
+     </b>-       You have a<a href="Documentation.htm#Policy"> policy</a> 
-    specifies      a  log level              and this packet is being logged
+that     specifies      a  log level              and this packet is being 
-under that policy.         If you  intend        to   ACCEPT this traffic
+logged under that policy.         If you  intend        to   ACCEPT this traffic
 then you need a  <a href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                                                           </li>
                                                            <li><b>&lt;zone1&gt;2&lt;zone2&gt; 
@ -1165,8 +1182,8 @@ includes       a log level.</li>
                                                            <li><b>logpkt</b> 
  -  The   packet    is  being    logged    under    the       <b>logunclean</b> 
               <a href="Documentation.htm#Interfaces">interface   option</a>.</li>
-                                                          <li><b>badpkt </b>- 
+                                                            <li><b>badpkt 
-  The   packet    is  being    logged    under    the       <b>dropunclean</b> 
+    </b>-    The   packet    is  being    logged    under    the       <b>dropunclean</b> 
                <a href="Documentation.htm#Interfaces">interface  option</a> 
   as specified         in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
@ -1175,11 +1192,12 @@ includes       a log level.</li>
   is  blacklisted   in   the<a href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist 
              </a>file.</li>
                                                            <li><b>newnotsyn
-     </b>-    The  packet    is  being    logged    because     it  is  a
+      </b>-    The  packet    is  being    logged    because     it  is 
- TCP   packet    that  is not part   of  any current    connection    yet
+a   TCP   packet    that  is not part   of  any current    connection   
- it   is not a  syn   packet.    Options   affecting  the logging    of such
+yet   it   is not a  syn   packet.    Options   affecting  the logging  
-  packets   include          <b>NEWNOTSYN          </b>and        <b>LOGNEWNOTSYN
+ of such    packets   include          <b>NEWNOTSYN          </b>and    
-        </b>in           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+   <b>LOGNEWNOTSYN          </b>in           <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                                           <li><b>INPUT</b> 
 or      <b>FORWARD</b>        -  The   packet    has   a  source    IP  address
     that isn't in any    of   your  defined   zones    ("shorewall    check"
@ -1197,9 +1215,9 @@ packet    is  being    logged    because     it  failed    the   checks implemen
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
                          with Shorewall, and maintain separate rulesets for
   different          IPs?</h4>
-                                                    <b>Answer: </b>Yes. See 
+                                                      <b>Answer: </b>Yes. 
- <a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>. 
+See   <a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased 
-             
+Interfaces</a>.                 
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
                        but they don't seem to do anything. Why?</h4>
                                                  You probably haven't set
@ -1225,11 +1243,11 @@ rules for your server.<br>
                                               192.0.2.3 is external on my
 firewall...      172.16.0.0/24        is  my  internal     LAN<br>
                                               <br>
-                                             <b>Answer: </b>While most people 
+                                               <b>Answer: </b>While most
-  associate      the   Internet     Control     Message     Protocol (ICMP) 
+people    associate      the   Internet     Control     Message     Protocol
-  with 'ping',    ICMP  is   a key piece    of  the internet.     ICMP   is
+(ICMP)    with 'ping',    ICMP  is   a key piece    of  the internet.   
-   used to report    problems  back  to the sender    of a packet; this 
+ ICMP   is    used to report    problems  back  to the sender    of a packet;
- is   what  is happening     here. Unfortunately,  where NAT   is involved 
+this   is   what  is happening     here. Unfortunately,  where NAT   is involved 
 (including      SNAT,  DNAT    and Masquerade),  there  are a lot  of broken 
 implementations.     That is    what you are seeing with   these messages.<br>
                                               <br>
@ -1237,9 +1255,9 @@ implementations.     That is    what you are seeing with   these messages.<br>
 what   is  happening     --  to  confirm     this   analysis,    one would
 have  to have  packet sniffers     placed  a both    ends of   the connection.<br>
                                              <br>
-                                            Host 172.16.1.10 behind NAT gateway 
+                                              Host 172.16.1.10 behind NAT 
-   206.124.146.179         sent   a  UDP   DNS   query    to 192.0.2.3 and 
+gateway     206.124.146.179         sent   a  UDP   DNS   query    to 192.0.2.3 
- your  DNS server tried     to   send a  response   (the response   information 
+and   your  DNS server tried     to   send a  response   (the response   information
    is in the brackets   --  note   source  port 53 which   marks this as
 a  DNS reply).  When the   response   was  returned  to to 206.124.146.179, 
     it rewrote  the destination    IP  TO 172.16.1.10   and forwarded the 
@ -1249,17 +1267,17 @@ back to 192.0.2.3.   As this packet  is sent  back through  206.124.146.179,
    that box correctly   changes the  source address  in the packet  to 206.124.146.179 
       but doesn't   reset the DST IP in the original   DNS response  similarly. 
       When the ICMP reaches your firewall (192.0.2.3),   your firewall  has
-   no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't
+    no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP
-       appear to be related   to anything that was sent. The final   result
+doesn't        appear to be related   to anything that was sent. The final
-  is   that the packet gets logged   and dropped in the all2all chain. I
+  result   is   that the packet gets logged   and dropped in the all2all chain.
- have   also  seen cases where the source   IP in the ICMP itself isn't set
+I  have   also  seen cases where the source   IP in the ICMP itself isn't
-back   to the  external IP of the remote NAT   gateway; that causes your
+set back   to the  external IP of the remote NAT   gateway; that causes your
 firewall   to  log  and drop the packet out of the   rfc1918 chain because 
 the source   IP is  reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
-                  I want to <b>run when Shorewall starts.</b> Which file do
+                   I want to <b>run when Shorewall starts.</b> Which file 
-  I  put    them     in?</h4>
+do   I  put    them     in?</h4>
                                               You can place these commands 
 in  one   of  the   <a href="shorewall_extension_scripts.htm">Shorewall Extension
  Scripts</a>.     Be sure that you look at the contents of the chain(s)
@ -1274,10 +1292,10 @@ or REJECT    rule and any rules that you  add  after that will be ignored.
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your 
                  web site?</h4>
                                     The Shorewall web site is almost font
-neutral     (it  doesn't     explicitly       specify fonts except on a few
+ neutral     (it  doesn't     explicitly       specify fonts except on a
-pages)  so   the fonts you  see   are largely   the   default fonts configured
+few  pages)  so   the fonts you  see   are largely   the   default fonts
- in  your   browser.  If you  don't   like them then  reconfigure   your
+configured   in  your   browser.  If you  don't   like them then  reconfigure
-browser.<br>
+  your browser.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say 
                the ssh port only<b> from specific IP Addresses</b> on the 
@ -1305,13 +1323,30 @@ in nmap on or behind the firewall, I get "operation not permitted". How can
 I use nmap with Shorewall?"</h4>
   Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes" 
 then restart Shorewall.<br>
 <h4><a name="faq27">27. I'm compiling a new kernel for my firewall. What should
 I look out for?</a></h4>
 First take a look at the <a href="kernel.htm">Shorewall kernel configuration 
 page</a>. You probably also want to be sure that you have selected the "<b>NAT 
 of local connections (READ HELP)</b>" on the Netfilter Configuration menu. 
 Otherwise, DNAT rules with your firewall as the source zone won't work with 
 your new kernel.<br>
 <h4><a name="faq28"></a>28. How do I use Shorewall as a Bridging Firewall?<br>
 </h4>
 Basically, you don't. While there are kernel patches that allow you to route
 bridge traffic through Netfilter, the environment is so different from the
 Layer 3 firewalling environment that very little of Shorewall works. In fact,
 so much of Shorewall doesn't work that my official position is that "Shorewall
 doesn't work with Layer 2 Bridging".<br>
 <br>
-                   <font size="2">Last updated 7/5/2003 - <a
+                     <font size="2">Last updated 7/9/2003 - <a
 href="support.htm">Tom     Eastep</a></font>            
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_Doesnt.html
+++ b/Shorewall-docs/Shorewall_Doesnt.html
@ -0,0 +1,50 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>What Shorewall Cannot Do</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
   <small>                                                        </small><small>
                                                        </small><small> 
                                                        </small><small> 
                                                      </small><small>   
      </small>   <small>  </small> 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
   <tbody>
     <tr>
       <td width="100%"><small>                   </small>       
      <h1 align="center"><small><font color="#ffffff">Some things that Shorewall
      <b>Cannot</b> Do</font></small></h1>
       <small>                                                          </small></td>
       </tr>
  </tbody>
 </table>
  <small><br>
 </small>Shorewall cannot:<br>
 <ul>
   <li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
   <li>Act as a "Personal Firewall" that allows internet access by application.</li>
   <li>Do content filtering -- better to use <a
 href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
   </li>
 </ul>
 <br>
   <font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom    Eastep</a></font> 
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -12,8 +12,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                     <base target="main">
+                                                         <base
-                                          
+ target="main">                                              
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -38,6 +38,8 @@
 href="seattlefirewall_index.htm">Home</a></li>
                                                                 <li> <a
 href="shorewall_features.htm">Features</a></li>
        <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
        </li>
                                                         <li> <a
 href="shorewall_prerequisites.htm">Requirements</a></li>
                                                         <li> <a
@ -50,8 +52,9 @@
                                                 <li> <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                                                  </li>
-                                                                        <li>
+                                                                        
-            <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
+        <li>             <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
                                      <li> <a href="FAQ.htm">FAQs</a></li>
                                                          <li><a
@ -71,8 +74,8 @@
                                              <li><a href="1.3"
 target="_top">Shorewall       1.3 Site</a></li>
                                              <li><a
- href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 
+ href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall  1.2
-1.2 Site</a></li>
+Site</a></li>
                      <li><a href="shorewall_mirrors.htm">Mirrors</a>   
@ -137,5 +140,6 @@
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -38,6 +38,8 @@
 href="seattlefirewall_index.htm">Home</a></li>
                                                                <li> <a
 href="shorewall_features.htm">Features</a></li>
        <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
 </li>
                                                        <li> <a
 href="shorewall_prerequisites.htm">Requirements</a></li>
                                                        <li> <a
@ -71,11 +73,12 @@
            </li>
                   <li><a href="1.3" target="_top">Shorewall   1.3 Site</a></li>
                                             <li><a
- href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall  1.2
+ href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 
-Site</a></li>
+1.2 Site</a></li>
                     <li><a href="shorewall_mirrors.htm">Mirrors</a>    
          <ul>
                                                          <li><a
 target="_top" href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -136,5 +139,6 @@ Site</a></li>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -75,14 +75,14 @@
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
-<p align="left">You can report such problems by sending mail to tmeastep at
+<p align="left">You can report such problems by sending mail to tmeastep
-hotmail dot com.</p>
+at hotmail dot com.</p>
 <h2>A Word about the SPAM Filters at Shorewall.net <a
 href="http://osirusoft.com/"> </a></h2>
-<p>Please note that the mail server                     at shorewall.net checks
+<p>Please note that the mail server                     at shorewall.net
-incoming mail:<br>
+checks incoming mail:<br>
                           </p>
 <ol>
@ -96,31 +96,24 @@ incoming mail:<br>
 A  or  MX  record    in  DNS.</li>
                             <li>to ensure that the host name in the HELO/EHLO
   command    is  a  valid    fully-qualified  DNS name that resolves.</li>
    <li>to ensure that the sending system has a valid PTR record in DNS.</li>
 </ol>
 <big><font color="#cc0000"><b>This last point is important. If you run your
 own outgoing mail server and it doesn't have a valid DNS PTR record, your
 email won't reach the lists unless/until the postmaster notices that your
 posts are being rejected. To avoid this problem, you should configure your
 MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
 a valid PTR record (such as the one at your ISP). </b></font></big><br>
 <h2>Please post in plain text</h2>
                     A growing number of MTAs serving list subscribers are
-rejecting     all   HTML   traffic. At least one MTA has gone so far as to 
+ rejecting     all   HTML   traffic. At least one MTA has gone so far as
-blacklist  shorewall.net     "for  continuous abuse" because it has been my
+to  blacklist  shorewall.net     "for  continuous abuse" because it has been
-policy to  allow HTML in  list   posts!!<br>
+my policy to  allow HTML in  list   posts!!<br>
                     <br>
                     I think that blocking all HTML is a Draconian way to 
 control     spam    and   that the ultimate losers here are not the spammers 
 but the    list subscribers      whose MTAs are bouncing all shorewall.net 
 mail. As   one list subscriber   wrote  to me privately "These e-mail admin's 
 need to  get a <i>(explitive   deleted)</i>  life instead of trying to rid 
-the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers
+the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers to
-to receive list   posts as must as possible,   I have now  configured the
+receive list   posts as must as possible,   I have now  configured the list
-list server at shorewall.net   to strip all HTML   from outgoing  posts.
+server at shorewall.net   to strip all HTML   from outgoing  posts. This
-This means that  HTML-only posts   will be bounced by  the list server.<br>
+means that  HTML-only posts   will be bounced by  the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
                  </p>
@ -156,34 +149,34 @@ This means that  HTML-only posts   will be bounced by  the list server.<br>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-                              </font> <input type="hidden" name="config"
+                               </font> <input type="hidden"
- value="htdig">    <input type="hidden" name="restrict"
+ name="config" value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                               Search: <input type="text" size="30"
 name="words" value="">    <input type="submit" value="Search"> </p>
                               </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the entire
+<h2 align="left"><font color="#ff0000">Please do not try to download the
-Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
+entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
-stand the traffic. If I catch you, you will be blacklisted.<br>
+won't stand the traffic. If I catch you, you will be blacklisted.<br>
                        </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
                             If you want to trust X.509 certificates issued 
- by  Shoreline     Firewall     (such   as the one used on my web site),
+ by  Shoreline     Firewall     (such   as the one used on my web site), you
-you  may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
+ may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a> 
              in your browser. If you don't wish to trust my certificates 
-then     you    can    either use unencrypted access when subscribing to
+then     you    can    either use unencrypted access when subscribing to Shorewall
-Shorewall     mailing    lists    or you can use secure access (SSL) and
+    mailing    lists    or you can use secure access (SSL) and accept the
-accept the server's    certificate     when   prompted by your browser.<br>
+server's    certificate     when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users 
               to get answers to questions and to report problems. Information 
-     of   general       interest to the Shorewall user community is also
+     of   general       interest to the Shorewall user community is also posted
-posted      to  this list.</p>
+     to  this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see 
               the <a href="http://www.shorewall.net/support.htm">problem 
@ -207,9 +200,9 @@ reporting      guidelines</a>.</b></p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
-at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
-list may be found at <a
+may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
@ -294,11 +287,12 @@ emailed       to you.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 6/14/2003 - <a
+<p align="left"><font size="2">Last updated 7/7/2003 - <a
 href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
-<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -24,7 +24,10 @@
 </table>
      <br>
      Shorewall 'Ping' management has evolved over time with the latest change
- coming in Shorewall version 1.4.0. <br>
+  coming in Shorewall version 1.4.0. To find out which version of Shorewall
 you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
 version</b></font>". If that command gives you an error, it's time to upgrade
 since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
 <h2>Shorewall Versions &gt;= 1.4.0</h2>
 In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just 
@ -51,8 +54,8 @@ form:<br>
 <blockquote>      
  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
     </blockquote>
-    With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
+     With that rule in place, if you want to ignore 'ping' from z1 to z2
- you need a rule of the form:<br>
+then   you need a rule of the form:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
    </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -90,8 +93,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
 <blockquote>      
  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
     </blockquote>
-    With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
+     With that rule in place, if you want to ignore 'ping' from z1 to z2
- you need a rule of the form:<br>
+then   you need a rule of the form:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
    </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -111,8 +114,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
     There are several aspects to the old Shorewall Ping management:<br>
 <ol>
-       <li>The <b>noping</b> and <b>filterping </b>interface options in <a
+        <li>The <b>noping</b> and <b>filterping </b>interface options in
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
        <li>The <b>FORWARDPING</b> option in<a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf</a>.</li>
        <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -123,8 +126,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
 <ol>
        <li>Ping requests addressed to the firewall itself; and</li>
        <li>Ping requests being forwarded to another system. Included here
-are   all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
+ are   all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
-simple   routing.</li>
+and simple   routing.</li>
 </ol>
      These cases will be covered separately.<br>
@ -133,13 +136,13 @@ simple   routing.</li>
      For ping requests addressed to the firewall, the sequence is as follows:<br>
 <ol>
-       <li>If neither <b>noping</b> nor <b>filterping </b>are specified for 
+        <li>If neither <b>noping</b> nor <b>filterping </b>are specified
- the  interface that receives the ping request then the request will be responded 
+for   the  interface that receives the ping request then the request will
-  to with an ICMP echo-reply.</li>
+be responded    to with an ICMP echo-reply.</li>
        <li>If <b>noping</b> is specified for the interface that receives 
 the  ping request then the request is ignored.</li>
-       <li>If <b>filterping </b>is specified for the interface then the request 
+        <li>If <b>filterping </b>is specified for the interface then the
-  is passed to the rules/policy evaluation.</li>
+request    is passed to the rules/policy evaluation.</li>
 </ol>
@ -177,16 +180,11 @@ request   is either rejected or simply ignored.</li>
 </ol>
-<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
  </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  &copy; <font
- size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-      <br>
+</p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -71,9 +71,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
-firewall        that can be used on a dedicated firewall system, a multi-function
+       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
@ -83,18 +83,18 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
 it          under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
-GNU General Public License</a> as published by the Free   Software      
+General Public License</a> as published by the Free   Software          
 Foundation.<br>
                            <br>
                 This     program         is   distributed            in
  the       hope       that      it   will        be  useful,    but    
-    WITHOUT        ANY         WARRANTY;         without           even the 
+     WITHOUT        ANY         WARRANTY;         without           even
-  implied      warranty          of MERCHANTABILITY                   or 
+the    implied      warranty          of MERCHANTABILITY                
-FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the     GNU 
+  or  FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the  
-General     Public  License                for   more details.<br>
+  GNU  General     Public  License                for   more details.<br>
                            <br>
@ -119,9 +119,10 @@ General     Public  License                for   more details.<br>
      <h2>Getting Started with Shorewall</h2>
-                               New to Shorewall? Start by selecting the <a
+                                New to Shorewall? Start by selecting the
- href="shorewall_quickstart_guide.htm">QuickStart  Guide</a> that most closely
+      <a href="shorewall_quickstart_guide.htm">QuickStart  Guide</a> that
-              match your environment and follow the step by  step instructions.<br>
+most closely               match your environment and follow the step by
 step instructions.<br>
      <h2>Looking for Information?</h2>
  The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
@ -142,20 +143,28 @@ Index</a> is a good place to start as is the Quick Search to your right.
      <p><b></b></p>
      <ol>
      </ol>
-      <p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
+      <p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
      <br>
       </b></p>
      <blockquote>
        <p><b><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
        <a href="ftp://shorewall.net/pub/shorewall/testing"
 target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
       </b></p>
      </blockquote>
      <p><b>Problems Corrected:</b><br>
   </p>
      <ol>
-        <li>A problem seen on RH7.3 systems where Shorewall encountered start 
+         <li>A problem seen on RH7.3 systems where Shorewall encountered
-errors when started using the "service" mechanism has been worked around.<br>
+start  errors when started using the "service" mechanism has been worked
 around.<br>
       <br>
     </li>
         <li>Where a list of IP addresses appears in the DEST column of a 
@ -166,7 +175,13 @@ a single DNAT rule with multiple "--to-destination" clauses.<br>
  </li>
         <li>Corrected a problem in Beta 1 where DNS names containing a "-" 
 were mis-handled when they appeared in the DEST column of a rule.<br>
          <br>
        </li>
        <li>A number of problems with rule parsing have been corrected. Corrections
 involve the handling of "z1!z2" in the SOURCE column as well as lists in
 the ORIGINAL DESTINATION column.<br>
        </li>
      </ol>
      <p><b>Migration Issues:</b><br>
@ -188,6 +203,7 @@ entries of the following format:<br>
 removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
 detected by Shorewall (see below).<br>
    </li>
      </ol>
      <p><b>New Features:</b><br>
@ -208,19 +224,19 @@ for packets arriving on the associated interface.<br>
 first  one on an interface.<br>
       <br>
     </li>
-        <li>DNAT[-] rules may now be used to load balance (round-robin) over
+         <li>DNAT[-] rules may now be used to load balance (round-robin)
-a  set of servers. Servers may be specified in a range of addresses  given
+over a  set of servers. Servers may be specified in a range of addresses
-as &lt;first address&gt;-&lt;last address&gt;.<br>
+ given as &lt;first address&gt;-&lt;last address&gt;.<br>
       <br>
   Example:<br>
       <br>
       DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
       <br>
     </li>
-        <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
+         <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
- have been removed and have been replaced by code that detects whether these
+options  have been removed and have been replaced by code that detects whether
- capabilities are present in the current kernel. The output of the start,
+these  capabilities are present in the current kernel. The output of the
-restart and check commands have been enhanced to report the outcome:<br>
+start, restart and check commands have been enhanced to report the outcome:<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
@ -231,10 +247,10 @@ restart and check commands have been enhanced to report the outcome:<br>
     </li>
         <li>Support for the Connection Tracking Match Extension has been 
 added.  This extension is available in recent kernel/iptables releases and 
-allows  for rules which match against elements in netfilter's connection
+allows  for rules which match against elements in netfilter's connection tracking
-tracking  table. Shorewall automatically detects the availability of this
+ table. Shorewall automatically detects the availability of this extension
-extension  and reports its availability in the output of the start, restart
+ and reports its availability in the output of the start, restart and check
-and check  commands.<br>
+ commands.<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
@ -243,12 +259,13 @@ and check  commands.<br>
      Connection Tracking Match: Available<br>
   Verifying Configuration...<br>
       <br>
-  If this extension is available, the ruleset generated by Shorewall is changed
+   If this extension is available, the ruleset generated by Shorewall is
- in the following ways:</li>
+changed  in the following ways:</li>
        <ul>
           <li>To handle 'norfc1918' filtering, Shorewall will not create 
-chains  in the mangle table but will rather do all 'norfc1918' filtering
+chains  in the mangle table but will rather do all 'norfc1918' filtering in
-in the filter  table (rfc1918 chain).</li>
+the filter  table (rfc1918 chain).</li>
           <li>Recall that Shorewall DNAT rules generate two netfilter rules; 
 one  in the nat table and one in the filter table. If the Connection Tracking 
 Match Extension is available, the rule in the filter table is extended to 
@ -256,6 +273,7 @@ check that the original destination address was the same as specified (or
 defaulted to) in the DNAT rule.<br>
         <br>
       </li>
        </ul>
         <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) 
 may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
@ -324,7 +342,9 @@ then the range may not span 128.0.0.0.<br>
      <br>
      foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
    </li>
      </ol>
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
@ -345,10 +365,10 @@ file;    previously, INCLUDE in that file was ignored.</li>
         </p>
      <ol>
-               <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
+                <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
-  may  now contain a list of addresses. If the list begins with "!' then
+rule   may  now contain a list of addresses. If the list begins with "!'
-the   rule  will take effect only if the original destination address in
+then the   rule  will take effect only if the original destination address
-the connection    request does not match any of the addresses listed.</li>
+in the connection    request does not match any of the addresses listed.</li>
      </ol>
@ -356,24 +376,28 @@ the connection    request does not match any of the addresses listed.</li>
                           </b></p>
      <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel 
-    and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
+    and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
-problems     have been encountered with this set of software. The Shorewall
+    have been encountered with this set of software. The Shorewall version
-version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
+ is   1.4.4b plus the accumulated changes for 1.4.5.<br>
          </p>
      <p><b>6/8/2003 - Updated Samples</b><b>                      </b></p>
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
     version 1.4.4.</p>
      <p><b></b></p>
      <ol>
      </ol>
      <p><a href="News.htm">More News</a></p>
@ -395,8 +419,8 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
                                      </a></p>
-                          <b>Congratulations to Jacques and Eric on the recent
+                           <b>Congratulations to Jacques and Eric on the
-   release     of  Bering    1.2!!! </b><br>
+recent    release     of  Bering    1.2!!! </b><br>
@ -477,11 +501,11 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
      <p align="center"><font size="4" color="#ffffff"><br>
-                <font size="+2"> Shorewall is free but if       you try it
+                 <font size="+2"> Shorewall is free but if       you try
- and   find   it useful, please consider making a donation              
+it  and   find   it useful, please consider making a donation           
-                                                       to             <a
+                                                          to            
- href="http://www.starlight.org"><font color="#ffffff">Starlight    Children's
+      <a href="http://www.starlight.org"><font color="#ffffff">Starlight
-             Foundation.</font></a> Thanks!</font></font></p>
+   Children's              Foundation.</font></a> Thanks!</font></font></p>
                        </td>
@ -493,8 +517,9 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
 </table>
-<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                                                    <br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>About the Shorewall Author</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -29,7 +30,7 @@
 </table>
 <p align="center">       <img border="3" src="images/Tom.jpg"
- alt="Tom - June 2003" width="640" height="480">
+ alt="Aging Geek - June 2003" width="320" height="240">
                        </p>
 <p align="center">Tom -- June 2003<br>
@ -64,8 +65,8 @@ designed    and wrote      Shorewall. </p>
 <p>I telework from our <a
 href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
- href="http://www.cityofshoreline.com">Shoreline,        Washington</a>  where
+ href="http://www.cityofshoreline.com">Shoreline,        Washington</a> 
-I live with my wife Tarry.  </p>
+where I live with my wife Tarry.  </p>
 <p>Our current home network consists of: </p>
@ -75,17 +76,17 @@ I live with my wife Tarry.
 Windows   system.   Serves as a PPTP server for Road Warrior access. Dual
 boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                             <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
-LNE100TX(Tulip)        NIC   -  My      personal Linux System which runs Samba.
+ LNE100TX(Tulip)        NIC   -  My      personal Linux System which runs
-   This      system also has <a href="http://www.vmware.com/">VMware</a> 
+Samba.    This      system also has <a href="http://www.vmware.com/">VMware</a>
 installed    and      can run both     <a href="http://www.debian.org">Debian
  Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual
  machines.</li>
-                            <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
+                             <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
-    NIC    - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
+EEPRO100     NIC    - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), 
 FTP    (Pure_ftpd),   DNS  server        (Bind 9).</li>
-                            <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD
+                             <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI 
- -  3   LNE100TX       (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
+HD  -  3   LNE100TX       (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 
-  1.4.4c, a DHCP         server and Samba configured as a WINS server..</li>
+  1.4.6Beta1, a DHCP         server and Samba configured as a WINS server..</li>
                             <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 
   NIC   -  My  wife's        personal system.</li>
                             <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB 
@ -125,11 +126,12 @@ FTP    (Pure_ftpd),   DNS  server        (Bind 9).</li>
 height="75" border="0">
     </a><a href="http://www.opera.com"> </a>                 </font></p>
-<p><font size="2">Last updated 6/15/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 7/14/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
                           <font face="Trebuchet MS"><a
 href="copyright.htm"><font size="2">Copyright</font>       © <font
 size="2">2001, 2002, 2003 Thomas      M. Eastep.</font></a></font><br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -30,17 +30,17 @@
     Shorewall Requires:<br>
 <ul>
-         <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
+          <li>A kernel that supports netfilter. I've tested with 2.4.2 -
- With current releases of Shorewall, Traffic Shaping/Control requires at
+2.4.20.  With current releases of Shorewall, Traffic Shaping/Control requires
-least  2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
+at least  2.4.18.        <a href="kernel.htm">     Check here for kernel
-       information.</a>       If you are looking for a firewall for use with
+configuration        information.</a>       If you are looking for a firewall
- 2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle
+for use with  2.2 kernels, <a href="http://seawall.sf.net">     see     
-Firewall   site</a>     .</li>
+ the Seattle Firewall   site</a>     .</li>
-         <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
+          <li>iptables 1.2 or later  but beware version 1.2.3 -- see the
- href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
+    <a href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING:
-   buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
+    </b></font>The    buggy iptables version 1.2.3    is included in RedHat
-  upgrade to iptables 1.2.4 prior to    installing Shorewall. Version 1.2.4
+7.2 and you should   upgrade to iptables 1.2.4 prior to    installing Shorewall.
-  is available   <a
+Version 1.2.4   is available   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> 
     and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
          <li>Iproute ("ip" utility). The iproute package  is     included
@ -52,8 +52,9 @@ with most distributions but may not be installed by default.  The     official
 must  have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
      },        ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> 
       } and       ${<i>variable</i>##<i>pattern</i>}.</li>
-  <li>Must produce a sensible result when a number n (128 &lt;= n &lt;= 255) 
+   <li>Your shell must produce a sensible result when a number n (128 &lt;=
-is left shifted by 24 bits. You can check this at a shell prompt by:</li>
+n &lt;= 255)  is left shifted by 24 bits. You can check this at a shell prompt
 by:</li>
  <ul>
      <li>echo $((128 &lt;&lt; 24))<br>
@ -62,12 +63,12 @@ is left shifted by 24 bits. You can check this at a shell prompt by:</li>
     </li>
  </ul>
-         <li>The firewall monitoring display is greatly improved if you have
+          <li>The firewall monitoring display is greatly improved if you
-  awk        (gawk) installed.</li>
+have   awk        (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 7/4/2003 - <a
+<p align="left"><font size="2">Last updated 7/8/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -79,5 +80,6 @@ is left shifted by 24 bits. You can check this at a shell prompt by:</li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -84,18 +84,18 @@
      <p>This program is free software; you can redistribute it and/or modify
   it          under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
-General Public License</a> as published by the Free   Software          
+GNU General Public License</a> as published by the Free   Software      
     Foundation.<br>
                             <br>
                  This     program         is   distributed            in 
  the       hope       that      it   will        be  useful,    but     
-     WITHOUT        ANY         WARRANTY;         without           even
+    WITHOUT        ANY         WARRANTY;         without           even the
-the    implied      warranty          of MERCHANTABILITY                
+   implied      warranty          of MERCHANTABILITY                   or
-  or  FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the  
+ FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the     GNU
-  GNU  General     Public  License                for   more details.<br>
+ General     Public  License                for   more details.<br>
                             <br>
@ -117,7 +117,8 @@ Inc.,    675     Mass   Ave,  Cambridge,      MA    02139,       USA</p>
      <h2>Getting Started with Shorewall</h2>
-                               New to Shorewall? Start by selecting the <a
+                                New to Shorewall? Start by selecting the
      <a
 href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
  Guide</a> that most closely              match your environment and follow
 the step by  step instructions.<br>
@ -127,8 +128,8 @@ the step by  step instructions.<br>
 Index</a> is a good place to start as is the Quick Search to your right. 
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-                      If so, the documentation<b> </b>on this site will not
+                       If so, the documentation<b> </b>on this site will
- apply   directly   to  your   setup.  If you want to use the documentation
+not  apply   directly   to  your   setup.  If you want to use the documentation 
 that you  find here, you will want to consider uninstalling what you have 
 and installing  a setup that matches    the documentation    on this site. 
 See the <a href="two-interface.htm">Two-interface    QuickStart    Guide</a> 
@ -138,17 +139,23 @@ Index</a> is a good place to start as is the Quick Search to your right.
      <h2><b>News</b></h2>
-      <p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
+       
      <p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
      <br>
      </b>   </p>
      <blockquote><b><a
 href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
 href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
 ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
      <p><b>Problems Corrected:</b><br>
   </p>
      <ol>
-        <li>A problem seen on RH7.3 systems where Shorewall encountered start 
+         <li>A problem seen on RH7.3 systems where Shorewall encountered
-errors when started using the "service" mechanism has been worked around.<br>
+start  errors when started using the "service" mechanism has been worked
 around.<br>
       <br>
     </li>
         <li>Where a list of IP addresses appears in the DEST column of a 
@ -159,7 +166,13 @@ a single DNAT rule with multiple "--to-destination" clauses.<br>
  </li>
         <li>Corrected a problem in Beta 1 where DNS names containing a "-" 
 were mis-handled when they appeared in the DEST column of a rule.<br>
          <br>
        </li>
        <li value="4">A number of problems with rule parsing have been corrected.
 Corrections involve the handling of "z1!z2" in the SOURCE column as well
 as lists in the ORIGINAL DESTINATION column.<br>
   </li>
      </ol>
      <p><b>Migration Issues:</b><br>
@ -181,6 +194,7 @@ entries of the following format:<br>
 removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
 detected by Shorewall (see below).<br>
    </li>
      </ol>
      <p><b>New Features:</b><br>
@ -201,19 +215,19 @@ for packets arriving on the associated interface.<br>
 first  one on an interface.<br>
       <br>
     </li>
-        <li>DNAT[-] rules may now be used to load balance (round-robin) over
+         <li>DNAT[-] rules may now be used to load balance (round-robin)
-a  set of servers. Servers may be specified in a range of addresses  given
+over a  set of servers. Servers may be specified in a range of addresses
-as &lt;first address&gt;-&lt;last address&gt;.<br>
+ given as &lt;first address&gt;-&lt;last address&gt;.<br>
       <br>
   Example:<br>
       <br>
       DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
       <br>
     </li>
-        <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
+         <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
- have been removed and have been replaced by code that detects whether these
+options  have been removed and have been replaced by code that detects whether
- capabilities are present in the current kernel. The output of the start,
+these  capabilities are present in the current kernel. The output of the
-restart and check commands have been enhanced to report the outcome:<br>
+start, restart and check commands have been enhanced to report the outcome:<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
@ -224,10 +238,10 @@ restart and check commands have been enhanced to report the outcome:<br>
     </li>
         <li>Support for the Connection Tracking Match Extension has been 
 added.  This extension is available in recent kernel/iptables releases and 
-allows  for rules which match against elements in netfilter's connection
+allows  for rules which match against elements in netfilter's connection tracking
-tracking  table. Shorewall automatically detects the availability of this
+ table. Shorewall automatically detects the availability of this extension
-extension  and reports its availability in the output of the start, restart
+ and reports its availability in the output of the start, restart and check
-and check  commands.<br>
+ commands.<br>
       <br>
   Shorewall has detected the following iptables/netfilter capabilities:<br>
      NAT: Available<br>
@ -236,12 +250,13 @@ and check  commands.<br>
      Connection Tracking Match: Available<br>
   Verifying Configuration...<br>
       <br>
-  If this extension is available, the ruleset generated by Shorewall is changed
+   If this extension is available, the ruleset generated by Shorewall is
- in the following ways:</li>
+changed  in the following ways:</li>
        <ul>
           <li>To handle 'norfc1918' filtering, Shorewall will not create 
-chains  in the mangle table but will rather do all 'norfc1918' filtering
+chains  in the mangle table but will rather do all 'norfc1918' filtering in
-in the filter  table (rfc1918 chain).</li>
+the filter  table (rfc1918 chain).</li>
           <li>Recall that Shorewall DNAT rules generate two netfilter rules; 
 one  in the nat table and one in the filter table. If the Connection Tracking 
 Match Extension is available, the rule in the filter table is extended to 
@ -249,6 +264,7 @@ check that the original destination address was the same as specified (or
 defaulted to) in the DNAT rule.<br>
         <br>
       </li>
        </ul>
         <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) 
 may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
@ -316,6 +332,7 @@ then the range may not span 128.0.0.0.<br>
  Example:<br>
      <br>
      foo    eth1:192.168.1.0/24,192.168.2.0/24</li>
      </ol>
       <b>     </b>       
      <ol>
@ -342,18 +359,18 @@ file;    previously, INCLUDE in that file was ignored.</li>
         </p>
      <ol>
-               <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
+                <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
-  may  now contain a list of addresses. If the list begins with "!' then
+rule   may  now contain a list of addresses. If the list begins with "!'
-the   rule  will take effect only if the original destination address in
+then the   rule  will take effect only if the original destination address
-the connection    request does not match any of the addresses listed.</li>
+in the connection    request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
                           </b></p>
-          The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
+           The firewall at shorewall.net has been upgraded to the 2.4.21
-   and  iptables 1.2.8 (using the "official" RPM from netfilter.org). No
+kernel    and  iptables 1.2.8 (using the "official" RPM from netfilter.org).
-problems     have been encountered with this set of software. The Shorewall
+No problems     have been encountered with this set of software. The Shorewall 
 version  is   1.4.4b plus the accumulated changes for 1.4.5.             
      <p><b>6/8/2003 - Updated Samples</b><b>                         </b></p>
@ -362,6 +379,7 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
     version 1.4.4.</p>
      <p><b></b></p>
      <ol>
@ -421,8 +439,8 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.
         have       a   LEAF  (router/firewall/gateway                  
     on   a  floppy,       CD    or compact     flash)  distribution    
           called                 <i>Bering</i>          that          features
-                 Shorewall-1.4.2         and    Kernel-2.4.20.          You
+                  Shorewall-1.4.2         and    Kernel-2.4.20.         
-       can     find         their    work at:                <a
+You        can     find         their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                <b>Congratulations          to  Jacques 
@ -524,6 +542,7 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
@ -551,7 +570,7 @@ and   find   it useful, please consider making a donation
 </table>
-<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                                     <br>
 </p>
 </body>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -29,9 +29,9 @@
 <h2>Before Reporting a Problem or Asking a Question<br>
                   </h2>
-                                                                        There 
+                                                                        
-  are   a  number    of  sources of Shorewall information. Please     try 
+There    are   a  number    of  sources of Shorewall information. Please
-these  before   you   post.                 
+    try  these  before   you   post.                  
 <ul>
                                                   <li>Shorewall versions 
 earlier    that 1.3.0 are no longer supported.<br>
@ -49,9 +49,9 @@ has    solutions    to  more than 20 common      problems.
 The           <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> 
     Information           contains                a    number of tips to 
 help    you solve common  problems.        </li>
-                                 <li>                                   The 
+                                  <li>                                  
-         <a href="http://www.shorewall.net/errata.htm">   Errata</a> has links
+The           <a href="http://www.shorewall.net/errata.htm">   Errata</a>
-    to  download        updated     components.         </li>
+has links     to  download        updated     components.         </li>
                                   <li>                                 
 The   Site   and   Mailing        List   Archives     search facility can 
 locate   documents   and  posts    about         similar   problems:     
@ -96,8 +96,8 @@ locate   documents   and  posts    about         similar   problems:
    <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
    </select>
                         </font><br>
-                       Search: <input type="text" size="30" name="words"
+                        Search: <input type="text" size="30"
- value="">      <input type="submit" value="Search"><br>
+ name="words" value="">      <input type="submit" value="Search"><br>
                      </form>
                    </blockquote>
@ -114,21 +114,21 @@ locate   documents   and  posts    about         similar   problems:
  is lacking.<br>
                                              <br>
                                            </li>
-                                           <li>Please keep in mind that you're
+                                            <li>Please keep in mind that
-   asking    for       <strong>free</strong>            technical  support.
+you're    asking    for       <strong>free</strong>            technical
-  Any help  we  offer   is an act of generosity, not    an   obligation.
+ support.   Any help  we  offer   is an act of generosity, not    an   obligation. 
   Try  to make   it easy  for us to help you. Follow good,    courteous 
-  practices    in  writing and formatting your e-mail. Provide   details
+ practices    in  writing and formatting your e-mail. Provide   details that
-that    we need if  you  expect good  answers. <em>Exact quoting     </em>
+   we need if  you  expect good  answers. <em>Exact quoting     </em>  of
- of error messages,  log  entries,  command output, and other output  is
+error messages,  log  entries,  command output, and other output  is better
-better   than a paraphrase   or  summary.<br>
+  than a paraphrase   or  summary.<br>
                                              <br>
                                            </li>
                                            <li>                        
-         Please    don't    describe     your   environment   and then  ask 
+          Please    don't    describe     your   environment   and then 
-  us   to  send   you             custom     configuration   files.   We're
+ask    us   to  send   you             custom     configuration   files.
-  here    to answer     your  questions     but    we           can't   do
+  We're   here    to answer     your  questions     but    we           can't
- your   job for you.<br>
+  do  your   job for you.<br>
                                              <br>
                                                   </li>
                                            <li>When reporting a problem, 
@ -185,10 +185,10 @@ better   than a paraphrase   or  summary.<br>
 <ul>
  <ul>
-                   <li><font color="#ff0000"><u><i><big><b>THIS IS IMPORTANT!<br>
+                    <li><big><font color="#ff0000"><u><i><big><b>THIS IS
-      <br>
+IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem
-      </b></big></i></u></font>If your problem is that some type of connection
+is that some type of connection to/from or through your firewall isn't working
-to/from or through your firewall isn't working then please:<br>
+then please perform the following four steps:</big></big></big><br>
       <br>
 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
                                   <br>
@ -197,7 +197,8 @@ to/from or through your firewall isn't working then please:<br>
                               3.<b><font color="#009900"> /sbin/shorewall
 status    &gt;   /tmp/status.txt</font></b><br>
                                   <br>
-                              4. Post the /tmp/status.txt file as an attachment.<br>
+                               4. Post the /tmp/status.txt file as an attachment
 (you may compress it if you like).<br>
                     <br>
                   </li>
                   <li>the exact wording of any <code
@ -226,8 +227,8 @@ in   the SMTP headers  of your post).<br>
                           <li>Do you see  any   "Shorewall"      messages
 ("<b><font color="#009900">/sbin/shorewall  show   log</font></b>")    
       when              you exercise the function that is giving   you problems?
-If   so,    include    the message(s) in your post along with a  copy of your
+ If   so,    include    the message(s) in your post along with a  copy of
-/etc/shorewall/interfaces               file.<br>
+your /etc/shorewall/interfaces               file.<br>
                             <br>
                           </li>
                           <li>Please include any of the Shorewall configuration
@ -259,28 +260,28 @@ etc.   to the Mailing   List    --   your      post      will  be rejected.</b><
 <h2>When using the mailing list, please post in plain text</h2>
-<blockquote>      A growing  number of MTAs serving list subscribers are
+<blockquote>      A growing  number of MTAs serving list subscribers are rejecting
-rejecting   all    HTML  traffic.  At least one MTA has gone so far as to
+  all    HTML  traffic.  At least one MTA has gone so far as to blacklist
-blacklist   shorewall.net      "for  continuous abuse" because it has been
+  shorewall.net      "for  continuous abuse" because it has been my policy
-my policy   to  allow HTML in  list    posts!!<br>
+  to  allow HTML in  list    posts!!<br>
                      <br>
-                                              I think that blocking all HTML
+                                               I think that blocking all
-  is  a  Draconian      way   to  control     spam    and  that the ultimate
+HTML   is  a  Draconian      way   to  control     spam    and  that the
-  losers   here are not    the spammers    but the   list  subscribers  
+ultimate   losers   here are not    the spammers    but the   list  subscribers
     whose MTAs   are bouncing    all shorewall.net    mail. As   one list 
 subscriber    wrote    to me privately      "These e-mail admin's   need 
- to get a <i>(expletive      deleted)</i>  life     instead of trying to
+ to get a <i>(expletive      deleted)</i>  life     instead of trying to rid
-rid   the planet of HTML based   e-mail".   Nevertheless,       to allow
+  the planet of HTML based   e-mail".   Nevertheless,       to allow subscribers
-subscribers  to  receive list posts   as must as possible,   I  have   now
+ to  receive list posts   as must as possible,   I  have   now   configured
-  configured the  list  server at shorewall.net   to strip all HTML    from
+the  list  server at shorewall.net   to strip all HTML    from  outgoing
- outgoing  posts.<br>
+ posts.<br>
     <br>
     <big><font color="#cc0000"><b>If you run your own outgoing mail server 
 and it doesn't have a valid DNS PTR record, your email won't reach the lists
- unless/until the postmaster notices that your posts are being rejected. To
+  unless/until the postmaster notices that your posts are being rejected.
- avoid this problem, you should configure your MTA to forward posts to shorewall.net
+To  avoid this problem, you should configure your MTA to forward posts to
- through an MTA that <u>does</u> have a valid PTR record (such as the one
+shorewall.net  through an MTA that <u>does</u> have a valid PTR record (such
-at your ISP). </b></font></big><br>
+as the one at your ISP). </b></font></big><br>
   </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -312,12 +313,10 @@ at your ISP). </b></font></big><br>
 href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
                           </p>
-<p align="left"><font size="2">Last Updated 7/6/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.6Beta2
+VERSION=1.4.6RC1
 usage() # $1 = exit status
 {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.6Beta2
+VERSION=1.4.6RC1
 usage() # $1 = exit status
 {
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.6
-%define release 0Beta2
+%define release 0RC1
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-0RC1
 * Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-0Beta2
 * Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.6Beta2
+VERSION=1.4.6RC1
 usage() # $1 = exit status
 {