Shorewall 1.4.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1080 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 01:37:59 +02:00 · 2004-01-13 22:27:57 +00:00 · 2004-01-13 22:27:57 +00:00 · 8b205571f0
commit 8b205571f0
parent 3954d9310f
18 changed files with 1169 additions and 202 deletions
--- a/STABLE/accounting
+++ b/STABLE/accounting
@ -0,0 +1,73 @@
 #
 # Shorewall version 1.4 - Accounting File
 #
 # /etc/shorewall/accounting
 #
 #	Accounting rules exist simply to count packets and bytes in categories
 #	that you define in this file. You may display these rules and their
 #	packet and byte counters using the "shorewall show accounting" command.
 #
 #	Please see http://shorewall.net/Accounting.html for examples and 
 #	additional information about how to use this file.
 #
 #
 # Columns are:
 #
 #	ACTION	      - What to do when a match is found.
 #
 #				COUNT	- Simply count the match and continue
 #					  with the next rule
 #				DONE	- Count the match and don't attempt
 #					  to match any other accounting rules
 #					  in the chain specified in the CHAIN
 #					  column.
 #				<chain>[:COUNT] 
 #					- Where <chain> is the name of
 #					  a chain. Shorewall will create
 #					  the chain automatically if it
 #					  doesn't already exist. Causes
 #					  a jump to that chain. If :COUNT
 #					  is including, a counting rule
 #					  matching this record will be
 #				          added to <chain>
 #
 #	CHAIN	      - The name of a chain. If specified as "-" the 
 #			'accounting' chain is assumed. This is the chain
 #			where the accounting rule is added. The chain will
 #			be created if it doesn't already exist.
 # 
 #	SOURCE	      - Packet Source
 #
 #			The name of an interface, an address (host or net) or
 #			an interface name followed by ":"
 #			and a host or net address. 
 #
 #	DESTINATION   - Packet Destination
 #
 #			Format the same as the SOURCE column.
 #
 #	PROTOCOL	A protocol name (from /etc/protocols), a protocol
 #			number.
 #
 #	DEST PORT	Destination Port number
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17). 
 #
 #	SOURCE PORT	Source Port number
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
 #	In all of the above columns except ACTION and CHAIN, the values "-",
 #	"any" and "all" may be used as wildcards
 #
 #	Please see http://shorewall.net/Accounting.html for examples and 
 #	additional information about how to use this file.
 #
 #ACTION	CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE
 #							PORT		PORT
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE/action.template
+++ b/STABLE/action.template
@ -0,0 +1,131 @@
 #
 # Shorewall 1.4 /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form 
 #	/etc/shorewall/action.<action-name> where <action> is an
 #	ACTION defined in /etc/shorewall/actions.
 #
 #	To define a new action:
 #
 #	1. Add the <action name> to /etc/shorewall/actions
 #	2. Copy this file to /etc/shorewall/action.<action name>
 #	3. Add the desired rules to that file.
 #
 # Columns are:
 #
 #
 #	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE or a
 #			previously-defined <action>
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
 #				LOG      -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as p2pwall.
 #				<action> -- An <action> defined in
 #					    /etc/shorewall/actions. The <action>
 #					    must appear in that file BEFORE the
 #					    one being defined in this file.
 #
 #			The TARGET may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
 #			ACCEPT:debugging). This causes the packet to be
 #			logged at the specified level.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #	SOURCE		Source hosts to which the rule applies. 
 #			A comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			192.168.2.2		Host 192.168.2.2
 #
 #			155.186.235.0/24	Subnet 155.186.235.0/24
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
 #			~00-A0-C9-15-39-78      Host with
 #                                               MAC address 00:A0:C9:15:39:78.
 #
 #			Alternatively, clients may be specified by interface
 #			name. For example, eth1 specifies a
 #			client that communicates with the firewall system
 #			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., eth1:192.168.1.5).
 #
 #	DEST		Location of Server. Same as above with the exception that
 #			MAC addresses are not allowed.
 #
 #			Unlike in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this column:
 # 
 #				<rate>/<interval>[:<burst>]
 #
 #			where <rate> is the number of connections per 
 #			<interval> ("sec" or "min") and <burst> is the
 #			largest burst permitted. If no <burst> is given,
 #			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
 #				Example: 10/sec:20
 #
 #			If you place a rate limit in this column, you may not
 #			place a similar limit in the TARGET column.
 #
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
 #                       	        	PORT    PORT(S)    DEST		LIMIT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE/actions
+++ b/STABLE/actions
@ -0,0 +1,16 @@
 #
 # Shorewall 1.4 /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules 
 #	(/etc/shorewall/rules). You define the iptables rules to
 #	be performed in an ACTION in
 #	/etc/shorewall/action.<action-name>.
 #
 #	ACTION names should begin with an upper-case letter to
 #	distinguish them from Shorewall-generated chain names and
 #	they must need the requirements of a Netfilter chain
 #	name. 
 #
 #ACTION
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -1,40 +1,23 @@
-Changes since 1.4.7
+Changes since 1.4.8
-1) Applied patch from Tuomo Soini that fixes syntax error occuring with
+1) Replace "Static NAT" with "One-to-one NAT".
   some versions of 'ash'.
-2) Applied Andrew Zhoglo's patch that avoids using multiport match for
+2) Change SMB common rules to DROP.
   ICMP.
-3) Added support for QUEUE target.
+3) Change wording in release notes.
-4) Fix error handling after "Unable to determine the routes..."
+4) Move ip_forward handling to a function.
-5) Fix handling of LOGUNCLEAN
+5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
-6) Added BLACKLISTNEWONLY support.
+6) Reword the description of NEWNOTSYN in shorewall.conf.
-7) Correct optimization for 'complex' zones.
+7) Added MODULE_SUFFIX option to shorewall.conf.
-8) Fix tcrules processing.
+8) Add /etc/shorewall/actions and /etc/shorewall/action.template
-9) Liberalize chain names used in the accounting file.
+9) Fix SNAT handling in DNAT rules.
-10) Fix the fix for 'complex' zones (twice).
+10) Change default to NEWNOTSYN=Yes
-11) Remove incorrect comment from shorewall.conf regarding Debian
+11) Add rule to drop null source addressed ICMPs.
    lockfiles.
 12) Change "_exists" suffix (including _nat_exists) to an "exists_"
    prefix to allow chain names beginning with a digit without
    lengthening the variable name.
 13) Applied and improved Eric Bowles's fix for route filtering.
 14) Corrected handling of /32 addresses with broadcast in maclist
    processing.
 15) Generate error for NONE policy where source or destination zone is
    the firewall itself.
 16) Fix 'routeback' for wildcard interfaces.
--- a/STABLE/common.def
+++ b/STABLE/common.def
@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
 ############################################################################
 # NETBIOS chatter
 #
-run_iptables -A common -p udp --dport 135	  -j reject
+run_iptables -A common -p udp --dport 135	  -j DROP
-run_iptables -A common -p udp --dport 137:139     -j reject
+run_iptables -A common -p udp --dport 137:139     -j DROP
-run_iptables -A common -p udp --dport 445         -j reject
+run_iptables -A common -p udp --dport 445         -j DROP
-run_iptables -A common -p tcp --dport 139         -j reject
+run_iptables -A common -p tcp --dport 139         -j DROP
-run_iptables -A common -p tcp --dport 445         -j reject
+run_iptables -A common -p tcp --dport 445         -j DROP
-run_iptables -A common -p tcp --dport 135	  -j reject
+run_iptables -A common -p tcp --dport 135	  -j DROP
 ############################################################################
 # UPnP
 #
@ -37,7 +37,13 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
 #
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
 ############################################################################
 # ICMP -- Silently drop null-address ICMPs
 #
 run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
 run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.8
+VERSION=1.4.9
 usage() # $1 = exit status
 {
@ -79,6 +79,8 @@ restore_file /sbin/shorewall
 restore_file /etc/shorewall/shorewall.conf
 restore_file /etc/shorewall/functions
 restore_file /usr/share/shorewall/functions
 restore_file /usr/share/shorewall/firewall
 restore_file /usr/lib/shorewall/functions
 restore_file /var/lib/shorewall/functions
 restore_file /usr/lib/shorewall/firewall
@ -140,7 +142,14 @@ restore_file /etc/shorewall/usersets
 restore_file /etc/shorewall/users
-if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
+restore_file /etc/shorewall/actions
 restore_file /etc/shorewall/action.template
 if [ -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
    restore_file /usr/share/shorewall/version
    oldversion="`cat /usr/share/shorewall/version`"
 elif [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
    restore_file /usr/lib/shorewall/version
    oldversion="`cat /usr/lib/shorewall/version`"
 elif [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -1027,6 +1027,22 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
    log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
 }
 #
 # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
 #
 setup_forwarding() {
    case "$IP_FORWARDING" in
    [Oo][Nn])
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Enabled"
 	;;
    [Oo][Ff][Ff])
 	echo 0 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Disabled!"
 	;;
    esac
 }
 #
 # Stop the Firewall
 #
@ -1118,14 +1134,7 @@ stop_firewall() {
 	    iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
    done
-    case "$IP_FORWARDING" in
+    setup_forwarding
    [Oo][Nn])
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	;;
    [Oo][Ff][Ff])
 	echo 0 > /proc/sys/net/ipv4/ip_forward
 	;;
    esac
    run_user_exit stopped
@ -2063,6 +2072,10 @@ check_config() {
    validate_policy
    echo "Validating Actions..."
    process_actions
    echo "Validating rules file..."
    rules=`find_file rules`
@ -2113,6 +2126,349 @@ refresh_tc() {
 }
 #
 # Add one Filter Rule from an action -- Helper function for the action file processor
 #
 # The caller has established the following variables:
 #    check       = current command. If 'check', we're executing a 'check'
 #                  which only goes through the motions.
 #    client	 = SOURCE IP or MAC
 #    server	 = DESTINATION IP or interface
 #    protocol	 = Protocol
 #    address	 = Original Destination Address
 #    port	 = Destination Port
 #    cport	 = Source Port
 #    multioption = String to invoke multiport match if appropriate
 #    action	 = The chain for this rule
 #    ratelimit   = Optional rate limiting clause
 #
 add_an_action()
 {
    do_ports() {
 	if [ -n "$port" ]; then
 	    dports="--dport"
 	    if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
 		multiport="$multioption"
 		dports="--dports"
 	    fi
 	    dports="$dports $port"
 	fi
 	if [ -n "$cport" ]; then
 	    sports="--sport"
 	    if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
 		multiport="$multioption"
 		sports="--sports"
 	    fi
 	    sports="$sports $cport"
 	fi
    }
    # Set source variables. The 'cli' variable will hold the client match predicate(s).
    cli=
    case "$client" in
    -)
 	;;
    *:*)
 	cli="-i ${client%:*} -s ${client#*:}"
 	;;
    *.*.*)
 	cli="-s $client"
 	;;
    ~*)
 	cli=`mac_match $client`
 	;;
    *)
 	[ -n "$client" ] && cli="-i $client"
 	;;
    esac
    # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
    dest_interface=
    serv=
    case "$server" in
    -)
 	;;
    *.*.*)
 	serv=$server
 	;;
    ~*)
 	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
    *)
 	[ -n "$server" ] && dest_interface="-o $server"
 	;;
    esac
    # Setup protocol and port variables
    sports=
    dports=
    state="-m state --state NEW"
    proto=$protocol
    servport=$serverport
    multiport=
    [ x$port  = x- ] && port=
    [ x$cport = x- ] && cport=
    case $proto in
 	tcp|TCP|6)
 	    do_ports
 	    [ "$target" = QUEUE ] && proto="$proto --syn"
 	    ;;
 	udp|UDP|17)
 	    do_ports
 	    ;;
 	icmp|ICMP|1)
 	    [ -n "$port" ]  && 	dports="--icmp-type $port"
 	    state=
 	    ;;
 	all|ALL)
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
 	    proto=
 	    ;;
 	*)
 	    state=
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
 	    ;;
    esac
    proto="${proto:+-p $proto}"
    # Some misc. setup
    case "$logtarget" in
 	LOG)
 	    [ -z "$loglevel" ] && fatal_error "LOG requires log level"
 	    ;;
    esac
    if [ $command != check ]; then
       if [ -n "${serv}" ]; then
 	    for serv1 in `separate_list $serv`; do
 		for srv in `ip_range $serv1`; do
 		    if [ -n "$loglevel" ]; then
 			log_rule_limit $loglevel $action $logtarget "$ratelimit" \
 			    `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 		    fi
 		    run_iptables2 -A $action $proto $multiport $state $cli $sports \
 			-d $srv $dports $ratelimit -j $target
 		done
 	    done
 	else
 	    if [ -n "$loglevel" ]; then
 		log_rule_limit $loglevel $action $logtarget "$ratelimit" \
 		    `fix_bang $proto $sports $multiport $state $cli $dports`
 	    fi
 	    run_iptables2 -A $action $proto $multiport $state $cli $sports \
 		$dports $ratelimit -j $target
 	fi
    fi
 }
 #
 # Process a record from an action file for the 'start', 'restart' or 'check' commands
 #
 process_action() # $1 = action
                 # $1 = target
                 # $2 = clients
                 # $3 = servers
                 # $4 = protocol
                 # $5 = ports
                 # $6 = cports
                 # $7 = ratelimit
 {
    local action="$1"
    local target="$2"
    local clients="$3"
    local servers="$4"
    local protocol="$5"
    local ports="$6"
    local cports="$7"
    local ratelimit="$8"
    local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"
    if [ -n "$ratelimit" ]; then
 	case $ratelimit in
 	    -)
 		ratelimit=
 		;;
 	    *:*)
 		ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
 		;;
 	    *)
 		ratelimit="-m limit --limit $ratelimit"
 		;;
 	esac
    fi
    # Isolate log level
    if [ "$target" = "${target%:*}" ]; then
 	loglevel=
    else
 	loglevel="${target#*:}"
 	target="${target%:*}"
 	expandv loglevel
    fi
    logtarget="$target"
    case $target in
 	ACCEPT|LOG)
 	    ;;
 	REJECT)
 	    target=reject
 	    ;;
 	*)
 	    ;;
 	esac
    # Generate Netfilter rule(s)
    protocol=${protocol:=all}
    if [ -n "$MULTIPORT" ] && \
 	! list_search $protocol "icmp" "ICMP" "1" && \
 	[ "$ports" = "${ports%:*}" -a \
 	"$cports" = "${cports%:*}" -a \
 	`list_count $ports` -le 15 -a \
 	`list_count $cports` -le 15 ]
 	then
 	#
 	# MULTIPORT is enabled, there are no port ranges in the rule and less than
 	# 16 ports are listed - use multiport match.
 	#
 	multioption="-m multiport"
 	for client in `separate_list ${clients:=-}`; do
 	    for server in `separate_list ${servers:=-}`; do
 		#
 		# add_a_rule() modifies these so we must set their values each time
 		#
 		port=${ports:=-}
 		cport=${cports:=-}
 		add_an_action
 	    done
 	done
    else
 	#
 	# MULTIPORT is disabled or the rule isn't compatible with multiport match
 	#
 	multioption=
 	for client in `separate_list ${clients:=-}`; do
 	    for server in `separate_list ${servers:=-}`; do
 		for port in `separate_list ${ports:=-}`; do
 		    for cport in `separate_list ${cports:=-}`; do
 			add_an_action
 		    done
 		done
 	    done
 	done
    fi
    #
    # Report Result
    #
    if [ $command = check ]; then
 	echo "   Rule \"$rule\" checked."
    else
 	echo "   Rule \"$rule\" added."
    fi
 }
 #
 # Read /etc/shorewall/actions and for each defined <action>, process 
 # /etc/shorewall/action.<action>
 #
 process_actions() {
    #
    # Process a rule where the source or destination is "all"
    #
    process_wildcard_rule() {
 	local yclients yservers ysourcezone ydestzone ypolicy
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
 		ysourcezone=${yclients%%:*}
 		ydestzone=${yservers%%:*}
 		if [ "${ysourcezone}" != "${ydestzone}" ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ] ; then
 			process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
 		    fi
 		fi
 	    done
 	done
    }
    do_it() {
 	expandv xclients xservers xprotocol xports xcports xratelimit
 	if [ "x$xclients" = xall ]; then
 	    xclients="$zones $FW"
 	    if [ "x$xservers" = xall ]; then
 		xservers="$zones $FW"
 	    fi
 	    process_wildcard_rule
 	    continue
 	fi
 	if [ "x$xservers" = xall ]; then
 	    xservers="$zones $FW"
 	    process_wildcard_rule
 	    continue
 	fi
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
    }
    strip_file actions
    while read xaction rest; do
 	[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
 	[ "$command" = check ] || createchain $xaction No
 	f=action.$xaction
 	fn=`find_file $f`
 	if [ -f $fn ]; then
 	    echo "Processing $fn..."
 	    strip_file $f $fn
 	    while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
 		expandv xtarget
 		temp="${xtarget%:*}"
 		case "${temp%<*}" in
 		    ACCEPT|DROP|REJECT|LOG|QUEUE)
 			do_it
 			;;
 		    *)
 			if list_search $temp $ACTIONS; then
 			    do_it
 			else
 			    rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
 			    fatal_error "Invalid TARGET in rule \"$rule\""
 			fi
 			;;
 		esac
 	    done < $TMP_DIR/$f
 	else
 	    fatal_error "Missing Action File: $f"
 	fi
 	ACTIONS="$ACTIONS $xaction"
    done < $TMP_DIR/actions
 }
 #
 # Add a NAT rule - Helper function for the rules file processor
 #
@ -2878,41 +3234,56 @@ process_rules()
    # Process a rule where the source or destination is "all"
    #
    process_wildcard_rule() {
 	local yclients yservers ysourcezone ydestzone ypolicy
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
-		if [ "${yclients}" != "${yservers}" ] ; then
+		ysourcezone=${yclients%%:*}
-		    process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+		ydestzone=${yservers%%:*}
 		if [ "${ysourcezone}" != "${ydestzone}" ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ] ; then
 			process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
 		    fi
 		fi
 	    done
 	done
    }
    do_it() {
 	expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
 	if [ "x$xclients" = xall ]; then
 	    xclients="$zones $FW"
 	    if [ "x$xservers" = xall ]; then
 		xservers="$zones $FW"
 	    fi
 	    process_wildcard_rule
 	    continue
 	fi
 	if [ "x$xservers" = xall ]; then
 	    xservers="$zones $FW"
 	    process_wildcard_rule
 	    continue
 	fi
 	process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
    }
    while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
 	temp="${xtarget%:*}"
 	case "${temp%<*}" in
 	    ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
-		expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
+		do_it
 		if [ "x$xclients" = xall ]; then
 		    xclients="$zones $FW"
 		    if [ "x$xservers" = xall ]; then
 			xservers="$zones $FW"
 		    fi
 		    process_wildcard_rule
 		    continue
 		fi
 		if [ "x$xservers" = xall ]; then
 		    xservers="$zones $FW"
 		    process_wildcard_rule
 		    continue
 		fi
 		process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
 		;;
 	    *)
-		rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
+		if list_search $temp $ACTIONS; then
-		fatal_error "Invalid Action in rule \"$rule\""
+		    do_it
 		else
 		    rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
 		    fatal_error "Invalid Action in rule \"$rule\""
 		fi
 		;;
 	esac
@ -3117,7 +3488,7 @@ loadmodule() # $1 = module name, $2 - * arguments
    if [ -z "`lsmod | grep $modulename`" ]; then
 	shift
-	for suffix in o gz ko o.gz ; do
+	for suffix in $MODULE_SUFFIX ; do
 	    modulefile=$MODULESDIR/${modulename}.${suffix}
 	    if [ -f $modulefile ]; then
@ -4081,13 +4452,13 @@ add_common_rules() {
 	strip_file rfc1918
-	createchain rfc1918 no
+	createchain norfc1918 no
-	createchain logdrop no
+	createchain rfc1918 no
-	log_rule $RFC1918_LOG_LEVEL logdrop DROP
+	log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
-	run_iptables -A logdrop -j DROP
+	run_iptables -A rfc1918 -j DROP
 	if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 	    #
@ -4099,27 +4470,30 @@ add_common_rules() {
 	    # Also add a chain to log and drop any RFC1918 packets that we find
 	    #
 	    run_iptables -t mangle -N man1918
-	    run_iptables -t mangle -N logdrop
+	    run_iptables -t mangle -N rfc1918
-	    log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
+	    log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
-	    run_iptables -t mangle -A logdrop -j DROP
+	    run_iptables -t mangle -A rfc1918 -j DROP
 	fi
 	while read subnet target; do
 	    case $target in
-		logdrop|DROP|RETURN)
+		logdrop)
 		    target=rfc1918
 		    ;;
 		DROP|RETURN)
 		    ;;
 		*)
 		    fatal_error "Invalid target ($target) for $subnet"
 		    ;;
 	    esac
-	    run_iptables2 -A rfc1918 -s $subnet -j $target
+	    run_iptables2 -A norfc1918 -s $subnet -j $target
 	    if [ -n "$CONNTRACK_MATCH" ]; then
 		#
 		# We have connection tracking match -- match on the original destination
 		#
-		run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
+		run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
 	    elif [ -n "$MANGLE_ENABLED" ]; then
 		#
 		# No connection tracking match but we have mangling -- add a rule to
@ -4131,7 +4505,7 @@ add_common_rules() {
 	for interface in $norfc1918_interfaces; do
 	    for chain in `first_chains $interface`; do
-		run_iptables -A $chain -m state --state NEW -j rfc1918
+		run_iptables -A $chain -m state --state NEW -j norfc1918
 	    done
 	    [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
@ -4237,19 +4611,8 @@ add_common_rules() {
 	[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
 	run_ip route flush cache
    fi
-    #
+
-    # IP Forwarding
+    setup_forwarding
    #
    case "$IP_FORWARDING" in
    [Oo][Nn])
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Enabled"
 	;;
    [Oo][Ff][Ff])
 	echo 0 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Disabled!"
 	;;
    esac
 }
 #
@ -4475,6 +4838,7 @@ activate_rules()
 	run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 	run_iptables -D $chain -p udp --dport 53 -j ACCEPT
    done
 }
 #
@ -4534,6 +4898,10 @@ define_firewall() # $1 = Command (Start or Restart)
    rules=`find_file rules`
    echo "Processing Actions..."
    process_actions
    echo "Processing $rules..."
    process_rules
@ -5059,6 +5427,8 @@ do_initialize() {
    LOGRULENUMBERS=
    ADMINISABSENTMINDED=
    BLACKLISTNEWONLY=
    MODULE_SUFFIX=
    ACTIONS=
    stopping=
    have_mutex=
@ -5209,6 +5579,8 @@ do_initialize() {
    fi
    ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
    BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
    [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
    #
    # Strip the files that we use often
    #
--- a/STABLE/help
+++ b/STABLE/help
@ -0,0 +1,248 @@
 #!/bin/sh
 #
 # Shorewall help subsystem - V1.4 - 3/14/2003
 #
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
 #     (c) 2003 - Tom Eastep (teastep@shorewall.net)
 #                Steve Herber (herber@thing.com)
 #
 #	This file should be placed in /usr/share/shorewall/help
 #
 #	Shorewall documentation is available at http://shorewall.sourceforge.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 ##################################################################################
 case $1 in
 add)
 	echo "add: add <interface>[:<host>] <zone>
    Adds a host or subnet to a dynamic zone usually used with VPN's.
    shorewall add interface[:host] zone - Adds the specified interface
    (and host if included) to the specified zone.
    Example:
    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
    from interface ipsec0 to the zone vpn1.
    See also \"help host\""
 	;;
 address|host)
        echo "<$1>: 
    May be either a host IP address such as 192.168.1.4 or a network address in
    CIDR format like 192.168.1.0/24"
 	;;
 allow)
 	echo "allow: allow <address> ...
    Re-enables receipt of packets from hosts previously blacklisted
    by a drop or reject command.
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
    See also \"help address\""
 	;;
 check)
 	echo "check: check [ -c <configuration-directory> ]
   Performs a cursory validation of the zones, interfaces, hosts,
   rules and policy files.  Use this if you are unsure of any edits
   you have made to the shorewall configuration.  See the try command
   examples for a recommended way to make changes."
 	;;
 clear)
 	echo "clear: clear
    Clear will remove all rules and chains installed by Shoreline.
    The firewall is then wide open and unprotected.  Existing
    connections are untouched.  Clear is often used to see if the
    firewall is causing connection problems."
 	;;
 debug)
 	echo "debug: debug
    If you include the keyword debug as the first argument to any
    of these commands:
 	start|stop|restart|reset|clear|refresh|check|add|delete
    then a shell trace of the command is produced.  For example:
 	shorewall debug start 2> /tmp/trace
    The above command would trace the 'start' command and
    place the trace information in the file /tmp/trace."
 	;;
 delete)
 	echo "delete: delete <interface>[:<host>] <zone>
    Deletes a host or subnet from a dynamic zone usually used with VPN's.
    shorewall delete interface[:host] zone - Deletes the specified
    interface (and host if included) from the specified zone.
    Example:
    shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
    192.0.2.24 from interface ipsec0 from zone vpn1
    See also \"help host\""
 	;;
 drop)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be ignored
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
    See also \"help address\""
 	;;
 help)
 	echo "help: help [<command> | host | address ]
    Display helpful information about the shorewall commands."
 	;;
 hits)
    echo "hits: hits
    Produces several reports about the Shorewall packet log messages
    in the current /var/log/messages file."
 	;;
 ipcalc)
 	echo "ipcalc: ipcalc [ address mask | address/vlsm ]
    Ipcalc displays the network address, broadcast address,
    network in CIDR notation and netmask corresponding to the input[s]."
 	;;
 iprange)
 	echo "iprange: iprange address1-address2
    Iprange decomposes the specified range of IP addresses into the
    equivalent list of network/host addresses."
 	;;
 logwatch)
 	echo "logwatch: logwatch [<refresh interval>]
    Monitors the LOGFILE, $LOGFILE,
    and produces an audible alarm when new Shorewall messages are logged."
 	;;
 monitor)
 	echo "monitor: monitor [<refresh_interval>]
    Continuously display the firewall status, last 20 log entries and nat.
    When the log entry display changes, an audible alarm is sounded."
 	;;
 refresh)
 	echo "refresh: refresh
    The rules involving the broadcast addresses of firewall interfaces,
    the black list, traffic control rules and ECN control rules are recreated
    to reflect any changes made.  Existing connections are untouched"
 	;;
 reject)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be rejected
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
    See also \"help address\""
 	;;
 reset)
 	echo "reset: reset
    All the packet and byte counters in the firewall are reset."
 	;;
 restart)
 	echo "restart: restart [ -c <configuration-directory> ]
    Restart is the same as a shorewall stop && shorewall start.
    Existing connections are dropped."
 	;;
 save)
 	echo "save: save
    The dynamic data is stored in /var/lib/shorewall/save
    Shorewall allow, drop, rejct and save implement dynamic blacklisting."
 	;;
 show)
 	echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
    shorewall show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)
    shorewall show nat - produce a verbose report about the nat table.
    (iptables -t nat -L -n -v)
    shorewall show tos - produce a verbose report about the mangle table.
    (iptables -t mangle -L -n -v)
    shorewall show log - display the last 20 packet log entries.
    shorewall show connections - displays the IP connections currently
 	being tracked by the firewall.
    shorewall show tc - displays information about the traffic
 	control/shaping configuration."
 	;;
 start)
 	echo "start: start [ -c <configuration-directory> ]
    Start shorewall.  Existing connections through shorewall managed
    interfaces are untouched.  New connections will be allowed only
    if they are allowed by the firewall rules or policies."
 	;;
 stop)
 	echo "stop: stop
    Stops the firewall.  All existing connections, except those
    listed in /etc/shorewall/routestopped, are taken down.
    The only new traffic permitted through the firewall
    is from systems listed in /etc/shorewall/routestopped."
 	;;
 status)
 	echo "status: status
    Produce a verbose report about the firewall.
    (iptables -L -n -v)"
 	;;
 try)
 	echo "try: try <configuration-directory> [ <timeout> ]
    Restart shorewall using the specified configuration.  If an error
    occurs during the restart, then another shorewall restart is performed
    using the default configuration.  If a timeout is specified then
    the restart is always performed after the timeout occurs and uses
    the default configuration."
 	;;
 version)
 	echo "version: version
    Show the current shorewall version which is: $version"
 	;;
 *)
 	echo "$1: $1 is not recognized by the help command"
 	;;
 esac
 exit 0	# always ok
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.8
+VERSION=1.4.9
 usage() # $1 = exit status
 {
@ -586,6 +586,26 @@ else
    echo "Users file installed as ${PREFIX}/etc/shorewall/users"
 fi
 #
 # Install the Actions file
 #
 if [ -f ${PREFIX}/etc/shorewall/actions ]; then
    backup_file /etc/shorewall/actions
 else
    run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions
    echo
    echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
 fi
 #
 # Install the Action Template file
 #
 if [ -f ${PREFIX}/etc/shorewall/action.template ]; then
    backup_file /etc/shorewall/action.template
 else
    run_install -o $OWNER -g $GROUP -m 0600 action.template ${PREFIX}/etc/shorewall/action.template
    echo
    echo "Action Template file installed as ${PREFIX}/etc/shorewall/action.template"
 fi
 #
 # Backup the version file
 #
 if [ -z "$PREFIX" ]; then
--- a/STABLE/interfaces
+++ b/STABLE/interfaces
@ -103,6 +103,11 @@
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow filtering
 #				       traffic arriving on this interface back
 #				       out that same interface.
 #
 #			arp_filter   - If specified, this interface will only
 #				       respond to ARP who-has requests for IP
 #				       addresses configured on the interface.
--- a/STABLE/nat
+++ b/STABLE/nat
@ -4,11 +4,12 @@
 #
 # /etc/shorewall/nat
 #
-#	This file is used to define static Network Address Translation (NAT).
+#	This file is used to define one-to-one Network Address Translation
 #	(NAT).
 #
 # WARNING: If all you want to do is simple port forwarding, do NOT use this
 #          file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
-#	   cases, Proxy ARP is a better solution that static NAT.
+#	   cases, Proxy ARP is a better solution that one-to-one NAT.
 #
 # Columns must be separated by white space and are:
 #
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -1,115 +1,104 @@
 This is a minor release of Shorewall.
-Problems Corrected since version 1.4.7:
+Problems Corrected since version 1.4.8:
-1) Tuomo Soini has supplied a correction to a problem that occurs using
+1) There has been a low continuing level of confusion over the terms
-   some versions of 'ash'. The symptom is that "shorewall start" fails
+   "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
-   with:
+   instances of "Static NAT" have been replaced with "One-to-one NAT"
   in the documentation and configuration files.
-   local: --limit: bad variable name
+2) The description of NEWNOTSYN in shorewall.conf has been reworded for
-   iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: 
+   clarity.
   cannot open shared object file: No such file or directory
   Try `iptables -h' or 'iptables --help' for more information.
-2) Andres Zhoglo has supplied a correction that avoids trying to use
+3) Wild-card rules (those involving "all" as SOURCE or DEST) will no
-   the multiport match iptables facility on ICMP rules.
+   longer produce an error if they attempt to add a rule that would
   override a NONE policy. The logic for expanding these wild-card
   rules now simply skips those (SOURCE,DEST) pairs that have a NONE
   policy.
-   Example of rule that previously caused "shorewall start" to fail:
+4) DNAT rules that also specified SNAT now work reliably. Previously,
-
+   there were cases where the SNAT specification was effectively
-	   ACCEPT      loc  $FW  icmp    0,8,11,12
+   ignored. 
 3) Previously, if the following error message was issued, Shorewall
   was left in an inconsistent state.
   Error: Unable to determine the routes through interface xxx
 4) Handling of the LOGUNCLEAN option in shorewall.conf has been
   corrected.
 5) In Shorewall 1.4.2, an optimization was added. This optimization
   involved creating a chain named "<zone>_frwd" for most zones
   defined using the /etc/shorewall/hosts file. It has since been
   discovered that in many cases these new chains contain redundant
   rules and that the "optimization" turns out to be less than
   optimal. The implementation has now been corrected.
 6) When the MARK value in a tcrules entry is followed by ":F" or ":P",
   the ":F" or ":P" was previously only applied to the first Netfilter
   rule generated by the entry. It is now applied to all entries.
 7) The original fix for item 5) above contained a bug which caused the
   "<zone>_frwd" chain to have too few rules. That has been corrected
   (twice).  
 8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
   option has been removed from shorewall.conf.
 9) Previously, neither the 'routefilter' interface option nor the
   ROUTE_FILTER parameter were working properly. This has been
   corrected (thanks to Eric Bowles for his patch). The definition
   of the ROUTE_FILTER option has changed however. Previously,
   ROUTE_FILTER=Yes was documented as enabling route filtering on all
   interfaces (which didn't work). Beginning with this release, setting
   ROUTE_FILTER=Yes will enable route filtering of all interfaces
   brought up while Shorewall is started. As a consequence,
   ROUTE_FILTER=Yes can coexist with the use of the 'routefilter'
   option in the interfaces file.
 10) If MAC verification was enabled on an interface that had a /32
    address with a broadcast address then an error would occur during
    startup.
 11) The NONE policy's intended use is to suppress the generating of
    rules that can't possibly be traversed. This means that a policy of
    NONE is inappropriate where the source or destination zone is
    $FW. Shorewall now generates an error message if such a policy is
    given in /etc/shorewall/policy. Previously such a policy caused
    "shorewall start" to fail.
 12) The 'routeback' option was broken for wildcard interfaces (e.g.,
    "tun+"). This has been corrected so that 'routeback' now works as
    expected in this case.
 Migration Issues:
-1. The definition of the ROUTE_FILTER option in shorewall.conf has
+None.
   changed as described in item 9) above.
 New Features:
-1. A new QUEUE action has been introduced for rules. QUEUE allows you
+1) The documentation has been completely rebased to Docbook XML. The
-   to pass connection requests to a user-space filter such as ftwall
+   documentation is now released as separate HTML and XML packages.
   (http://p2pwall.sourceforge.net). The ftwall program allows for
   effective filtering of p2p applications such as Kazaa.
-   For example, to use ftwall to filter P2P clients in your 'loc' zone,
+2) To cut down on the number of "Why are these ports closed rather than
-   you would add the following rules:
+   stealthed?" questions, the SMB-related rules in
   /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
-   QUEUE   loc	     net	tcp
+3) For easier identification, packets logged under the 'norfc1918'
-   QUEUE   loc	     net	udp
+   interface option are now logged out of chains named
-   QUEUE   loc	     fw		udp
+   'rfc1918'. Previously, such packets were logged under chains named
   'logdrop'.
-   You would normally want to place those three rules BEFORE any ACCEPT
+4) Distributors and developers seem to be regularly inventing new
-   rules for loc->net or loc->fw udp or tcp.
+   naming conventions for kernel modules. To avoid the need to change
   Shorewall code for each new convention, the MODULE_SUFFIX option has
   been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
   for module names in your particular distribution. If MODULE_SUFFIX
   is not set in shorewall.conf, Shorewall will use the list "o gz ko
   o.gz".
-   Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
+   To see what suffix is used by your distribution:
   Shorewall will only pass connection requests (SYN packets) to user
   space. This is for compatibility with ftwall.
-2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
+      ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
   this option is set to "Yes", the blacklists (dynamic and static)
   are only consulted for new connection requests. When set to "No"
   (the default if the variable is not set), the blacklists are
   consulted on every packet.
-   Setting this option to "No" allows blacklisting to stop existing
+   All of the files listed should have the same suffix (extension). Set
-   connections from a newly blacklisted host but is more expensive in
+   MODULE_SUFFIX to that suffix.
   terms of packet processing time. This is especially true if the
   blacklists contain a large number of entries.
-3. Chain names used in the /etc/shorewall/accounting file may now begin
+   Examples: 
   with a digit ([0-9]) and may contain embedded dashes ("-").
 	    If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
 	    If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
 5) Support for user defined rule ACTIONS has been implemented through
   two new files:
   /etc/shorewall/actions         - used to list the user-defined ACTIONS.
   /etc/shorewall/action.template - For each user defined <action>, copy
 				    this file to
 				    /etc/shorewall/action.<action> and
 				    add the appropriate rules for that
 				    <action>.
   Once an <action> has been defined, it may be used like any of the
   builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
   Example: You want an action that logs a packet at the 'info' level
   and accepts the connection.
   In /etc/shorewall/actions, you would add:
      LogAndAccept
   You would then copy /etc/shorewall/action.template to
   /etc/shorewall/action.LogAndAccept and in that file, you would add the two
   rules:
 	LOG:info
 	ACCEPT
 6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
   (non-syn TCP packets that are not part of an existing connection are
   filtered according to the rules and policies rather than being
   dropped). I have made this change for two reasons:
   a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
   any timeout during TCP session tear down results in the firewall
   dropping all of the retries.
   b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
   lots of confusing messages when a connection got "stuck". While I
   could have changed the default value of LOGNEWNOTSYN to suppress
   logging, I dislike defaults that silently throw away packets.
 7) The common.def file now contains an entry that silently drops ICMP
   packets with a null source address. Ad Koster reported a case where
   these were occuring frequently as a result of a broken system on his
   external network.    
--- a/STABLE/rules
+++ b/STABLE/rules
@ -15,8 +15,8 @@
 # Columns are:
 #
 #
-#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-#			or LOG.
+#			LOG or an <action>.
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
@ -48,6 +48,8 @@
 #				LOG      -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as p2pwall.
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions.
 #
 #			You may rate-limit the rule by optionally
 #			following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
--- a/STABLE/shorewall.conf
+++ b/STABLE/shorewall.conf
@ -221,7 +221,7 @@ STATEDIR=/var/lib/shorewall
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
-# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
+# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
@ -417,13 +417,30 @@ MUTEX_TIMEOUT=60
 #
 # NEWNOTSYN
 #
-# If this variable is set to "No" or "no", then when a TCP packet that does
+# TCP connections are established using the familiar three-way "handshake":
 # not have the SYN flag set and the ACK and RST flags clear then unless the
 # packet is part of an established connection, it will be dropped by the
 # firewall
 #
-# If this variable is set to "Yes" or "yes" then such packets will not be
+#	CLIENT			SERVER
-# dropped but will pass through the normal rule processing.
+#
 #	SYN-------------------->
 #            <------------------SYN,ACK
 #       ACK-------------------->
 #
 # The first packet in that exchange (packet with the SYN flag on and the ACK
 # and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
 # A packet is said to be NEW if it is not part of or related to an already
 # established connection.
 #
 # The NETNOTSYN option determines the handling of non-SYN packets (those with
 # SYN off or with ACK or RST on) that are not associated with an already
 # established connection.
 # 
 # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
 # part of an already established connection, it will be dropped by the
 # firewall. The setting of LOGNEWNOTSYN above determines if these packets are
 # logged before they are dropped.
 #
 # If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
 # dropped but will pass through the normal rule/policy processing.
 #
 # Users with a High-availability setup with two firewall's and one acting
 # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
@ -431,8 +448,15 @@ MUTEX_TIMEOUT=60
 #
 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
 # using the 'newnotsyn' option in /etc/shorewall/interfaces.
 #
 # I find that NEWNOTSYN=No tends to result in lots of "stuck"
 # connections because any network timeout during TCP session tear down
 # results in retries being dropped (Netfilter has removed the
 # connection from the conntrack table but the end-points haven't
 # completed shutting down the connection).  I therefore have chosen
 # NEWNOTSYN=Yes as the default value.
-NEWNOTSYN=No
+NEWNOTSYN=Yes
 #
 # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
@ -485,6 +509,29 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes
 # MODULE NAME SUFFIX
 #
 # When loading a module named in /etc/shorewall/modules, Shorewall normally
 # looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
 # end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
 # naming convention then you can specify the suffix (extension) for module 
 # names in this variable.
 #
 # To see what suffix is used by your distribution:
 #
 #     ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #
 # All of the file names listed should have the same suffix (extension). Set
 # MODULE_SUFFIX to that suffix.
 #
 # Examples: 
 #
 #	If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
 #	If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
 #
 MODULE_SUFFIX=
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.8
+%define version 1.4.9
 %define release 1
 %define prefix /usr
@ -100,14 +100,25 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/users
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
 %attr(0544,root,root) /usr/share/shorewall/help
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.9
 * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
 - Remove Documentation from this RPM
 * Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
 - Updated for Beta 2
 * Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
 - Added User Defined Actions Files
 * Wed Dec 03 2003 Tom Eastep <tom@shorewall.net>
 - Added User Defined Actions Files
 * Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.8
 * Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.8
+VERSION=1.4.9
 usage() # $1 = exit status
 {
@ -60,8 +60,8 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/lib/shorewall/version ]; then
+if [ -f /usr/share/shorewall/version ]; then
-    INSTALLED_VERSION="`cat /usr/lib/shorewall/version`"
+    INSTALLED_VERSION="`cat /usr/share/shorewall/version`"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
--- a/STABLE/users
+++ b/STABLE/users
@ -0,0 +1,25 @@
 #
 # Shorewall version 1.4 - Users File
 #
 # /etc/shorewall/users
 #
 #	This file is used to associate local users and/or groups to Shorewall
 #	"User Sets". 
 # Columns are:
 #
 #	USERSET		The name of a user set defined in
 #			/etc/shorewall/usersets.
 #
 #	USER		A Linux user name or number defined in /etc/passwd.
 #
 #	GROUP		A linux group name or number defined in /etc/groups.
 #
 #	The GROUP may be omitted. If it is supplied, then the USER may be 
 #	entered as "-" in which case all members of the specified group are
 #	included in the USERSET.
 #
 ################################################################################
 #USERSET	USER		GROUP
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE/usersets
+++ b/STABLE/usersets
@ -0,0 +1,29 @@
 #
 # Shorewall version 1.4 - Users Sets File
 #
 # /etc/shorewall/usersets
 #
 #	A user set is a list of <user>, <group> or <user:group> names and can
 #	be used to control access by individual users to other network hosts
 #	from the firewall system.
 #
 # Columns are:
 #
 #	USERSET		The name of a user set. May be up to 6 characters in
 #			length and must be a valid shell identifier.
 #
 #	REJECT		The log level for REJECT rules that match a user in this
 #			userset.
 #
 #	ACCEPT		The log level for ACCEPT rules that match a user in this
 #			userset.
 #
 #	DROP		The log level for DROP rules that match a user in this
 #			userset.
 #
 # To omit one of the last three columns yet supply a value to one of the
 # following ones, enter "-".
 #
 #USERSET	REJECT	ACCEPT	DROP
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE