Changes for 1.3.11

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@341 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2002-11-24 20:12:22 +00:00 · 2002-11-24 20:12:22 +00:00 · 99c0b33000
commit 99c0b33000
parent 884da5a325
37 changed files with 9147 additions and 8364 deletions
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -1,44 +1,17 @@
-Changes since 1.3.9
+Changes since 1.3.10
-1. Fix dumb bug in 1.3.9 Tunnel Handling.
+1. Added TCP flags checking.
-2. First implementaiton of dynamic zones.
+2. Accomodate bash clones like dash and ash
-3. Corrections to Dynamic Zones.
+3. Added some comments in the policy chain creation/population logic.
-4. More fixes for Dynamic Zones.
+4. Check for fw->fw rules.
-5. Correct a typo in an error message.
+5. Allow 'all' in rules.
-6. Fix rule insertion algorithms for Dynamic Zones.
+6. Add reverse GRE rules for PPTP server and clients.
-7. Optimize dynamic zones code
+7. Add warning to tcrules file.
 8. Remove iptables 1.2.7 hacks.
 9. Fix dumb typo in 1.3.9 (recalculate_interfacess)
 10. Add PATH assignment to the install script
 11. Correct 'functions' file handling in the install script.
 12. Add ipsecnat tunnel type. 
 13. Correct typo in the shorewall.spec file.
 14. Add support for PPTP client and server to the tunnels file.
 15. Move the main firewall script to /usr/lib/shorewall
 16. Allow SNAT using primary IP and ADD_SNAT_ALIASES=Yes
 17. Add MAC verificaiton
 18. Conserve space by removing comment decorations.
 19. Improve comments in interfaces file re: use of aliases
 20. Clear nat and mangle counters during 'shorewall reset'
 21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules
 8. Add warning to policy file that fw->fw policies aren't allowed.
--- a/STABLE/documentation/Documentation.htm
+++ b/STABLE/documentation/Documentation.htm
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -12,6 +12,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -32,14 +33,14 @@
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
       port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
-looked     everywhere and can't find <b>how to do it</b>.</a></p>
+  looked     everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
       but it doesn't work.<br>
    </a></p>
 <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
-port forwarding</a></p>
+  port forwarding</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
      to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my 
@ -72,7 +73,7 @@ than     'blocked'.</b>  Why?</a></p>
       that work with Shorewall?</a></p>
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 
- 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
+'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
       work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
@ -85,7 +86,7 @@ than     'blocked'.</b>  Why?</a></p>
      it  work with?</a></p>
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
- support?</a></p>
+support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
@ -107,11 +108,18 @@ than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
       all over my console</b> making it unusable!<br>
         </a></p>
-                   <b>17</b>. <a href="#faq17">How do I find out <b>why this 
+                      <b>17</b>. <a href="#faq17">How do I find out <b>why
- is</b> getting  <b>logged?</b></a><br>
+ this   is</b> getting  <b>logged?</b></a><br>
     <br>
     <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b> 
- with Shorewall, and maintain separate rulesets for different IPs?</a>  
+  with Shorewall, and maintain separate rulesets for different IPs?</a><br>
 <br>
 <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
 but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
 <br>
 <b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
 <b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
 </a> 
 <hr>              
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
      my my personal PC with IP address 192.168.1.5. I've looked everywhere 
@ -139,7 +147,8 @@ rule to a local system is as   follows:</p>
                  <tr>
                    <td>DNAT</td>
                    <td>net</td>
-                 <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
+                    <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
 port</i>&gt;]</td>
                    <td><i>&lt;protocol&gt;</i></td>
                    <td><i>&lt;port #&gt;</i></td>
                    <td> <br>
@ -148,6 +157,7 @@ rule to a local system is as   follows:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -180,6 +190,7 @@ rule to a local system is as   follows:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -188,8 +199,8 @@ rule to a local system is as   follows:</p>
 <pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
              </div>
-<p align="left">If you want to forward requests directed to a particular address
+<p align="left">If you want to forward requests directed to a particular
-( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
+address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
 <blockquote>                                          
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -207,13 +218,15 @@ rule to a local system is as   follows:</p>
                  <tr>
                    <td>DNAT</td>
                    <td>net</td>
-                 <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
+                    <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
 port</i>&gt;]</td>
                    <td><i>&lt;protocol&gt;</i></td>
                    <td><i>&lt;port #&gt;</i></td>
                    <td>-</td>
                    <td><i>&lt;external IP&gt;</i></td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -224,42 +237,43 @@ rule to a local system is as   follows:</p>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-             <li>You are trying to test from inside your firewall (no, that 
+                <li>You are trying to test from inside your firewall (no, 
-  won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
+that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
-             <li>You have a more basic problem with your local system such
+                <li>You have a more basic problem with your local system
- as  an   incorrect default gateway configured (it should be set to the IP
+such   as  an   incorrect default gateway configured (it should be set to
- address    of your  firewall's internal interface).</li>
+the IP   address    of your  firewall's internal interface).</li>
 </ul>
 <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
-forwarding</h4>
+  forwarding</h4>
    <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
      <li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
-in the nat table.</li>
+  in the nat table.</li>
      <li>Try to connect to the redirected port from an external host.</li>
      <li>As root type "shorewall show nat"</li>
-   <li>Locate the appropriate DNAT rule. It will be in a chain called <i>zone</i>_dnat 
+      <li>Locate the appropriate DNAT rule. It will be in a chain called
-where <i>zone</i> is the zone that includes the server ('loc' in the above 
+    <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the server
-examples).</li>
+('loc' in the above   examples).</li>
      <li>Is the packet count in the first column non-zero? If so, the connection
-request is reaching the firewall and is being redirected to the server. In 
+  request is reaching the firewall and is being redirected to the server.
-this case, the problem is usually a missing or incorrect default gateway setting
+In  this case, the problem is usually a missing or incorrect default gateway
-on the server (the server's default gateway should be the IP address of the
+ setting on the server (the server's default gateway should be the IP address
-firewall's interface to the server).</li>
+ of the firewall's interface to the server).</li>
      <li>If the packet count is zero:</li>
  <ul>
-     <li>the connection request is not reaching your server (possibly it
+        <li>the connection request is not reaching your server (possibly
-is being blocked by your ISP); or</li>
+it  is being blocked by your ISP); or</li>
        <li>you are trying to connect to a secondary IP address on your firewall
-and your rule is only redirecting the primary IP address (You need to specify 
+  and your rule is only redirecting the primary IP address (You need to specify
-the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or</li>
+  the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
 or</li>
        <li>your DNAT rule doesn't match the connection request in some other
-way. In that case, you may have to use a packet sniffer such as tcpdump or 
+  way. In that case, you may have to use a packet sniffer such as tcpdump
-ethereal to further diagnose the problem.<br>
+or  ethereal to further diagnose the problem.<br>
        </li>
  </ul>
@ -276,16 +290,15 @@ ethereal to further diagnose the problem.<br>
                <li>Having an internet-accessible server in your local network
       is  like raising foxes in the corner of your hen house. If the server 
   is      compromised, there's nothing between that server and your other 
-internal        systems. For the cost of another NIC and a cross-over cable,
+ internal        systems. For the cost of another NIC and a cross-over cable, 
-you can   put      your server in a DMZ such that it is isolated from your
+ you can   put      your server in a DMZ such that it is isolated from your 
-local systems    -     assuming that the Server can be located near the Firewall,
+ local systems    -     assuming that the Server can be located near the Firewall,
  of course    :-)</li>
                <li>The accessibility problem is best solved using    <a
- href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or
+ href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
-using a separate DNS server for local clients) such that www.mydomain.com
+a separate DNS server for local clients) such that www.mydomain.com resolves
-resolves to 130.141.100.69     externally and 192.168.1.5 internally. That's
+to 130.141.100.69     externally and 192.168.1.5 internally. That's what
-what I do here at     shorewall.net for my local systems that use static
+I do here at     shorewall.net for my local systems that use static NAT.</li>
 NAT.</li>
 </ul>
@ -325,6 +338,7 @@ NAT.</li>
                    <td>130.151.100.69:192.168.1.254</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -372,6 +386,7 @@ NAT.</li>
                    <td>$ETH0_IP:192.168.1.254</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -385,24 +400,24 @@ new    IP   address.</p>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
      subnet and I use static NAT to assign non-RFC1918 addresses to hosts 
-in   Z.  Hosts in Z cannot communicate with each other using their external
+ in   Z.  Hosts in Z cannot communicate with each other using their external 
-(non-RFC1918     addresses) so they can't access each other using their DNS
+ (non-RFC1918     addresses) so they can't access each other using their DNS
-names.</h4>
+ names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
      using Bind Version 9 "views". It allows both external and internal clients
      to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
-     static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
+       static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
-     and can be accessed externally and internally using the same address.
+addresses      and can be accessed externally and internally using the same
- </p>
+address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all
+<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
-Z-&gt;Z traffic through your firewall then:</p>
+traffic through your firewall then:</p>
 <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
-(If you are running a Shorewall version earlier than 1.3.9).<br>
+  (If you are running a Shorewall version earlier than 1.3.9).<br>
              b) Set the Z-&gt;Z policy to ACCEPT.<br>
              c) Masquerade Z to itself.<br>
              <br>
@ -431,6 +446,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                    <td>multi</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -455,6 +471,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -481,6 +498,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -504,14 +522,14 @@ Z-&gt;Z traffic through your firewall then:</p>
  services    that use the    'Auth' mechanism for identifying requesting 
 users.  Shorewall    also rejects TCP    ports 135, 137 and 139 as well as 
 UDP ports  137-139.   These are ports that are    used by Windows (Windows 
-<u>can</u>  be configured   to use the DCE cell locator    on port 135).
+<u>can</u>  be configured   to use the DCE cell locator    on port 135). Rejecting
-Rejecting these  connection requests   rather than dropping them    cuts
+these  connection requests   rather than dropping them    cuts down slightly
-down slightly on the amount of Windows  chatter on LAN segments connected
+on the amount of Windows  chatter on LAN segments connected    to the Firewall.
-   to the Firewall. </p>
+</p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
      your    ISP preventing you from running a web server in violation of 
-your     Service    Agreement.</p>
+ your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
         firewall and it showed 100s of ports as open!!!!</h4>
@ -540,12 +558,12 @@ your     Service    Agreement.</p>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
       and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
+(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-facility (see "man openlog") and you get to choose the log level (again,
+(see "man openlog") and you get to choose the log level (again, see "man
-see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
+syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged 
- logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
+logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
     When you have changed /etc/syslog.conf, be sure to restart syslogd (on 
  a  RedHat system, "service syslog restart"). </p>
@ -569,7 +587,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
              <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
              <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
-http://www.logwatch.org</a><br>
+   http://www.logwatch.org</a><br>
     </p>
              </blockquote>
@ -620,9 +638,9 @@ http://www.logwatch.org</a><br>
             </div>
 <div align="left">                
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
-Net    zone is defined as all hosts that are connected through eth0 and the
+   zone is defined as all hosts that are connected through eth0 and the local
-local    zone is defined as all hosts connected through eth1</p>
+   zone is defined as all hosts connected through eth1</p>
             </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
@ -638,11 +656,11 @@ local    zone is defined as all hosts connected through eth1</p>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
-find myself doing      other things. I guess I just don't care enough if
+myself doing      other things. I guess I just don't care enough if Shorewall
-Shorewall has a GUI to      invest the effort to create one myself. There
+has a GUI to      invest the effort to create one myself. There are several
-are several Shorewall GUI      projects underway however and I will publish
+Shorewall GUI      projects underway however and I will publish links to
-links to them when the authors      feel that they are ready. </p>
+them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
@ -659,9 +677,8 @@ links to them when the authors      feel that they are ready. </p>
      that will let all traffic to and from the 192.168.100.1 address  of 
 the    modem  in/out but still block all other rfc1918 addresses.</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
-earlier than      1.3.1, create /etc/shorewall/start and in it, place the
+than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 following:</p>
 <div align="left">                
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -686,6 +703,7 @@ following:</p>
                      <td>RETURN</td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -730,10 +748,10 @@ following:</p>
             </div>
 <div align="left">                
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
-IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
+   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-RFC 1918    filtering on my external interface, my DHCP client cannot renew
+1918    filtering on my external interface, my DHCP client cannot renew its
-its lease.</h4>
+lease.</h4>
              </div>
 <div align="left">                
@ -751,14 +769,17 @@ aside,     the most common causes of this  problem are:</p>
 <ol>
                <li>                                                    
    <p align="left">The default gateway on each local system isn't set to 
      the    IP address of the local firewall interface.</p>
                 </li>
                <li>                                                    
    <p align="left">The entry for the local network in the /etc/shorewall/masq 
         file is wrong or missing.</p>
                 </li>
                <li>                                                    
    <p align="left">The DNS settings on the local systems are wrong or the 
         user is running a DNS server on the firewall and hasn't enabled UDP
   and   TCP    port 53 from the firewall to the internet.</p>
@ -772,7 +793,7 @@ aside,     the most common causes of this  problem are:</p>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
      to your startup    scripts or place it in /etc/shorewall/start. Under 
  RedHat,    the max log level    that is sent to the console is specified 
-in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
+ in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
         </p>
 <h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
@ -787,16 +808,19 @@ in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
    with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
          <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
-    </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that specifies
+      </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that
-a  log level and this packet is being logged under that policy. If you intend
+ specifies a  log level and this packet is being logged under that policy.
- to ACCEPT this traffic then you need a  <a
+ If you intend  to ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a> to that effect.<br>
          </li>
           <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
 href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to 
   <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being 
   logged under that policy or this packet matches  a <a
- href="Documentation.htm#Rules">rule</a> that include a log level.</li>
+ href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
    <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
     <b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
    </li>
           <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b> 
        <a href="Documentation.htm#Interfaces">interface option</a>.</li>
           <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b> 
@ -805,25 +829,25 @@ a  log level and this packet is being logged under that policy. If you intend
           <li><b>blacklst</b> - The packet is being logged because the source
   IP  is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist 
        </a>file.</li>
-        <li><b>newnotsyn </b>- The packet is being logged because it is a 
+           <li><b>newnotsyn </b>- The packet is being logged because it is
-TCP   packet that is not part of any current connection yet it is not a syn 
+ a  TCP   packet that is not part of any current connection yet it is not
-packet.   Options affecting the logging of such packets include <b>NEWNOTSYN 
+a syn  packet.   Options affecting the logging of such packets include <b>NEWNOTSYN
      </b>and       <b>LOGNEWNOTSYN </b>in     <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-       <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP address 
+          <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP 
-  that isn't in any of your defined zones ("shorewall check" and look at the
+address    that isn't in any of your defined zones ("shorewall check" and 
-  printed zone definitions) or the chain is FORWARD and the destination IP
+look at the   printed zone definitions) or the chain is FORWARD and the destination
- isn't in any of your defined zones.</li>
+ IP  isn't in any of your defined zones.</li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
  with Shorewall, and maintain separate rulesets for different IPs?</h4>
-  <b>Answer: </b>Yes. You simply use the IP address in your rules (or if
+     <b>Answer: </b>Yes. You simply use the IP address in your rules (or
-you  use NAT, use the local IP address in your rules). <b>Note:</b> The ":n"
+if  you  use NAT, use the local IP address in your rules). <b>Note:</b> The 
-notation  (e.g., eth0:0) is deprecated and will disappear eventually. Neither
+":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
- iproute  (ip and tc) nor iptables supports that notation so neither does
+Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
- Shorewall.  <br>
+does   Shorewall.  <br>
     <br>
     <b>Example 1:</b><br>
     <br>
@ -840,17 +864,33 @@ notation  (e.g., eth0:0) is deprecated and will disappear eventually. Neither
     /etc/shorewall/rules     
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
 class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
- class="moz-txt-citetags"></span><span class="moz-txt-citetags"></span></pre>
+ class="moz-txt-citetags"></span><br></pre>
  <b>Example 3 (DNAT):<br>
  </b>  
 <pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
 but they don't seem to do anything. Why?</h4>
 You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf 
 so the contents of the tcrules file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
 to change Shorewall to allow access to my server from the internet?</b><br>
 </h4>
 Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
 that you used during your initial setup for information about how to set
 up rules for your server.<br>
 <br>
 <div align="left">     </div>
-                      
+  <font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
 <p align="left"><font size="2">Last updated 11/09/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
     <br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/MAC_Validation.html
+++ b/STABLE/documentation/MAC_Validation.html
@ -33,21 +33,21 @@ or  from a subnet on an interface can be verified to originate from a defined
 <ol>
     <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
-this option is specified, all traffic arriving on the interface is subjet
+option is specified, all traffic arriving on the interface is subjet to MAC
-to MAC verification.</li>
+verification.</li>
     <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. 
 When this option is specified for a subnet, all traffic from that subnet 
 is subject to MAC verification.</li>
-    <li>The /etc/shorewall/maclist file. This file is used to associate MAC
+     <li>The /etc/shorewall/maclist file. This file is used to associate
- addresses with interfaces and to optionally associate IP addresses with
+MAC  addresses with interfaces and to optionally associate IP addresses with 
 MAC  addresses.</li>
     <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables 
 in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The 
 MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines 
 the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL 
- variable gives the syslogd level at which connection requests that fail
+ variable gives the syslogd level at which connection requests that fail verification
-verification  are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
+ are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") 
 then failing connection requests are not logged.<br>
     </li>
@ -60,7 +60,7 @@ verification  are to be logged. If set the the empty value (e.g., MACLIST_LOG_LE
 by INTERFACE. It is not necessary to use the Shorewall MAC format in this 
 column although you may use that format if you so choose.</li>
     <li>IP Address - An optional comma-separated list of IP addresses for
-the device whose MAC is listed in the MAC column.</li>
+ the device whose MAC is listed in the MAC column.</li>
 </ul>
@ -78,30 +78,29 @@ the device whose MAC is listed in the MAC column.</li>
 zone</a>.<br>
 <h3>Example 2: Router in Local Zone</h3>
-  Suppose now that I add a second ethernet segment to my local zone and gateway
+   Suppose now that I add a second ethernet segment to my local zone and
- that segment via a router with MAC address 00:06:43:45:C6:15 and IP address
+gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and
- 192.168.1.253. Hosts in the second segment have IP addresses in the subnet
+IP address  192.168.1.253. Hosts in the second segment have IP addresses
- 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
+in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist 
 file:<br>
 <pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
-  This entry accomodates traffic from the router itself (192.168.1.253) and
+   This entry accomodates traffic from the router itself (192.168.1.253)
- from the second LAN segment (192.168.2.0/24). Remember that all traffic
+and  from the second LAN segment (192.168.2.0/24). Remember that all traffic 
 being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded 
 by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) 
 and not that of the host sending the traffic.   
-<p><font size="2">   Updated 10/23/2002 - <a
+<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a>
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a> 
     </font></p>
-<p><font face="Trebuchet MS"><a
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 href="file:///home/teastep/Shorewall-docs/copyright.htm"><font size="2">Copyright</font>
      &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
   <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/Shorewall_CVS_Access.html
+++ b/STABLE/documentation/Shorewall_CVS_Access.html
@ -41,12 +41,12 @@ THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
    </div>
 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002
- - <a href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a>
+  - <a href="support.htm">Tom Eastep</a>        </font>                 
-       </font>                                             </p>
+                           </p>
-<p><font face="Trebuchet MS"><a
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font
+ &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
- size="2">Copyright</font>  &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+     <br>
    <br>
   <br>
  <br>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -2,17 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                      <base
+                                                                        
- target="main">                                        
+     <base target="main">                                               
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -24,6 +29,7 @@
                       <tr>
                        <td width="100%" height="90">                   
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                        </td>
                      </tr>
@ -40,11 +46,11 @@
                  <li> <a href="Install.htm">Installation/Upgrade/</a><br>
                    <a href="Install.htm">Configuration</a><br>
                  </li>
-            <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides 
+                  <li> <a href="shorewall_quickstart_guide.htm">QuickStart
-(HOWTOs)</a><br>
+ Guides   (HOWTOs)</a><br>
                   </li>
                                          <li> <a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
                          <li> <a href="Documentation.htm">Reference Manual</a></li>
                          <li> <a href="FAQ.htm">FAQs</a></li>
                           <li><a href="useful_links.html">Useful Links</a><br>
@ -57,6 +63,7 @@
                          <li> <a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
                            <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -68,6 +75,10 @@
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                            <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
                <li><a href="http://www.shorewall.net" target="_top">Washington
 State, USA</a><br>
                </li>
@ -75,47 +86,58 @@
                          </li>
      </ul>
      <ul>
                          <li>   <a href="News.htm">News Archive</a></li>
                          <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
                          <li> <a href="quotes.htm">Quotes from Users</a></li>
                          <li> <a href="shoreline.htm">About the Author</a></li>
-                    <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
+                          <li> <a
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                        </td>
                      </tr>
  </tbody>                   
 </table>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
                  <strong><br>
-          <b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
+                <b>Note: </b></strong>Search is unavailable Daily 0200-0330 
 GMT.<br>
                <strong></strong>                                        
  <p><strong>Quick Search</strong><br>
-                <font face="Arial" size="-1">     <input type="text"
+                      <font face="Arial" size="-1">     <input
- name="words" size="15"></font><font size="-1"> </font>   <font
+ type="text" name="words" size="15"></font><font size="-1"> </font>   <font
 face="Arial" size="-1">     <input type="hidden" name="format"
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
                      <font face="Arial">   <input type="hidden"
 name="exclude" value="[http://www.shorewall.net/pipermail/*]">   </font>
-</form>
+   </form>
-<p><b><a href="htdig/search.html">Extended Search</a></b></p>
+<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
-</a><br>
+      </a><br>
-</p>
+   <br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/configuration_file_basics.htm
+++ b/STABLE/documentation/configuration_file_basics.htm
@ -49,22 +49,22 @@ policy.</li>
              <li>/etc/shorewall/interfaces - describes the interfaces on 
 the          firewall system.</li>
              <li>/etc/shorewall/hosts - allows defining zones in terms of
-individual           hosts and subnetworks.</li>
+ individual           hosts and subnetworks.</li>
              <li>/etc/shorewall/masq - directs the firewall where to use 
 many-to-one            (dynamic) Network Address Translation (a.k.a. Masquerading) 
 and  Source          Network Address Translation (SNAT).</li>
              <li>/etc/shorewall/modules - directs the firewall to load kernel 
  modules.</li>
              <li>/etc/shorewall/rules - defines rules that are exceptions
-to  the         overall policies established in /etc/shorewall/policy.</li>
+ to  the         overall policies established in /etc/shorewall/policy.</li>
              <li>/etc/shorewall/nat - defines static NAT rules.</li>
              <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
              <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) 
 -  defines  hosts    accessible when Shorewall is stopped.</li>
              <li>/etc/shorewall/tcrules - defines marking of packets for 
 later   use by     traffic control/shaping or policy routing.</li>
-             <li>/etc/shorewall/tos - defines rules for setting the TOS field
+              <li>/etc/shorewall/tos - defines rules for setting the TOS
-  in packet         headers.</li>
+field   in packet         headers.</li>
              <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels 
  with end-points on         the firewall system.</li>
              <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
@ -75,9 +75,9 @@ later   use by     traffic control/shaping or policy routing.</li>
 <h2>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-        character a pound sign ("#"). You may also place comments at the end
+         character a pound sign ("#"). You may also place comments at the
- of any line, again by       delimiting the comment from the rest of the
+end  of any line, again by       delimiting the comment from the rest of
-line  with a pound sign.</p>
+the line  with a pound sign.</p>
 <p>Examples:</p>
@ -99,9 +99,9 @@ line  with a pound sign.</p>
 <p align="left">     </p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
-  using DNS names in Shorewall configuration files. If you use DNS names and
+   using DNS names in Shorewall configuration files. If you use DNS names
-  you are called out of bed at 2:00AM because Shorewall won't start as a
+and   you are called out of bed at 2:00AM because Shorewall won't start as
-result  of DNS problems then don't say that you were not forewarned. <br>
+a result  of DNS problems then don't say that you were not forewarned. <br>
      </b></p>
 <p align="left"><b>    -Tom<br>
@ -120,7 +120,7 @@ So  change in the DNS-&gt;IP address relationship  that occur after the firewall
 <ul>
       <li>If your /etc/resolv.conf is wrong then your firewall won't   
-start.</li>
+ start.</li>
       <li>If your /etc/nsswitch.conf is wrong then your firewall won't 
   start.</li>
       <li>If your Name Server(s) is(are) down then your firewall won't 
@ -129,9 +129,9 @@ start.</li>
  your DNS server then your firewall won't start.<br>
      </li>
       <li>Factors totally outside your control (your ISP's router is   
-down   for example), can prevent your firewall from starting.</li>
+ down   for example), can prevent your firewall from starting.</li>
      <li>You must bring up your network interfaces prior to starting your
-firewall.<br>
+ firewall.<br>
      </li>
 </ul>
@ -172,8 +172,8 @@ inconvenience   by Shorewall. <br>
 <p>Where specifying an IP address, a subnet or an interface, you can     
  precede the item with "!" to specify the complement of the item. For  
-      example, !192.168.1.4 means "any host but 192.168.1.4". There must
+     example, !192.168.1.4 means "any host but 192.168.1.4". There must be
-be no white space following the "!".</p>
+no white space following the "!".</p>
 <h2>Comma-separated Lists</h2>
@ -201,7 +201,7 @@ would  be embedded          white space)</li>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
         port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
 if you want to forward the range of tcp ports 4000 through 4100 to local
-host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
   </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
@ -252,7 +252,7 @@ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
  unique MAC address.<br>
            <br>
            In GNU/Linux, MAC addresses are usually written as a series of
-6  hex numbers        separated by colons. Example:<br>
+ 6  hex numbers        separated by colons. Example:<br>
            <br>
           [root@gateway root]# ifconfig eth0<br>
           eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -267,22 +267,23 @@ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
            <br>
            Because Shorewall uses colons as a separator for address fields,
  Shorewall requires        MAC addresses to be written in another way. In
-Shorewall, MAC addresses        begin with a tilde ("~") and consist of 6 
+ Shorewall, MAC addresses        begin with a tilde ("~") and consist of
-hex numbers separated by        hyphens. In Shorewall, the MAC address in 
+6  hex numbers separated by        hyphens. In Shorewall, the MAC address
-the example above would be        written "~02-00-08-E3-FA-55".<br>
+in  the example above would be        written "~02-00-08-E3-FA-55".<br>
-</p>
+ </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
 in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
-</p>
+ </p>
-<h2>Shorewall Configurations</h2>
+<h2><a name="Configs"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
  The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
-     commands allow you to specify an alternate configuration directory and
+      commands allow you to specify an alternate configuration directory
-   Shorewall will use the files in the alternate directory rather than the
+and    Shorewall will use the files in the alternate directory rather than
- corresponding  files in /etc/shorewall. The alternate directory need not
+the  corresponding  files in /etc/shorewall. The alternate directory need
-contain a complete  configuration; those files not in the alternate directory
+not contain a complete  configuration; those files not in the alternate directory 
 will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
@ -293,7 +294,7 @@ will be read from  /etc/shorewall.</p>
  to a separate      directory;</li>
              <li>  modify those files in the separate directory; and</li>
              <li>  specifying the separate directory in a shorewall start
-or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
+ or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
 restart</b></i>  ).</li>
 </ol>
@ -301,7 +302,7 @@ or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
-<p><font size="2">   Updated 10/24/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
      </font></p>
@ -315,5 +316,6 @@ or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -20,6 +20,7 @@
           <tbody>
            <tr>
             <td width="100%">                                          
      <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
             </td>
           </tr>
@ -35,23 +36,24 @@
 <ul>
           <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>   
-     Linux PPC</b> or     <b> TurboLinux</b> distribution     with a 2.4
+         Linux PPC</b> or     <b> TurboLinux</b> distribution     with a
-kernel,   you can use the  RPM version (note: the             RPM should
+2.4   kernel,   you can use the  RPM version (note: the             RPM should
-also work  with other distributions that             store init scripts in
+ also work  with other distributions that             store init scripts
-/etc/init.d  and that             include chkconfig or insserv). If you find
+in  /etc/init.d  and that             include chkconfig or insserv). If you
-that it works   in other cases, let <a
+find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that
-I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
+ I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
-if you have problems    installing the RPM.</li>
+ if you have problems    installing the RPM.</li>
-       <li>If you are running LRP, download the .lrp file (you might also 
+           <li>If you are running LRP, download the .lrp file (you might
-want  to     download the .tgz so you will have a copy of the documentation).</li>
+also   want  to     download the .tgz so you will have a copy of the documentation).</li>
-       <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and 
+           <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> 
- would      like a .deb package, Shorewall is in both the    <a
+ and   would      like a .deb package, Shorewall is in both the    <a
 href="http://packages.debian.org/testing/net/shorewall.html">Debian    
 Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian   
 Unstable Branch</a>.</li>
-       <li>Otherwise, download the <i>shorewall</i>             module (.tgz)</li>
+           <li>Otherwise, download the <i>shorewall</i>             module
 (.tgz)</li>
 </ul>
@ -64,10 +66,10 @@ Testing Branch</a> and the    <a
 <ul>
           <li>RPM - "rpm -qip LATEST.rpm"</li>
-       <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will contain
+           <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will
-  the version)</li>
+ contain    the version)</li>
-       <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf &lt;downloaded
+           <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf
-  .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
+&lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
 </ul>
@ -78,11 +80,12 @@ Testing Branch</a> and the    <a
 <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
    INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
-  IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed configuration 
+    IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed
- of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
+configuration    of your firewall, you can enable startup by removing the
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
+<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates 
-  mirrors  occur 1-12 hours after an update to the primary site.</b></p>
+to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>                           
  <table border="2" cellspacing="3" cellpadding="3"
@ -95,21 +98,15 @@ Testing Branch</a> and the    <a
               <td><b>FTP</b></td>
             </tr>
             <tr>
-           <td>Washington State, USA</td>
+          <td valign="top">SourceForge<br>
-           <td>Shorewall.net</td>
+          </td>
-           <td><a
+          <td valign="top">sf.net<br>
- href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download  .rpm</a><br>
+          </td>
-             <a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download 
+          <td valign="top"><a
-          .tgz</a> <br>
+ href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
-             <a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download 
+          </td>
-          .lrp</a></td>
+          <td valign="top"><br>
-           <td><a
+          </td>
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
      Download .rpm</a> <br>
             <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
 target="_blank">Download         .tgz</a> <br>
             <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
 target="_blank">Download         .lrp</a></td>
        </tr>
             <tr>
               <td>Slovak Republic</td>
@ -121,7 +118,10 @@ Testing Branch</a> and the    <a
       .tgz</a> <br>
                 <a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download 
-       .lrp</a></td>
+       .lrp</a><br>
               <a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">      
       Download.md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
    .rpm</a>  <br>
@ -130,7 +130,10 @@ Testing Branch</a> and the    <a
            .tgz</a> <br>
                 <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download 
-          .rpm</a></td>
+            .rpm</a><br>
               <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">    
         Download.md5sums</a></td>
             </tr>
             <tr>
               <td>Texas, USA</td>
@ -143,7 +146,10 @@ Testing Branch</a> and the    <a
            .tgz</a> <br>
                 <a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download 
-          .lrp</a></td>
+            .lrp</a><br>
               <a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">    
         Download.md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
                 <a target="_blank"
@ -151,7 +157,10 @@ Testing Branch</a> and the    <a
  .tgz</a> <br>
                 <a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">       Download
-  .lrp</a></td>
+    .lrp</a><br>
               <a
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">           
  Download.md5sums</a></td>
             </tr>
             <tr>
               <td>Hamburg, Germany</td>
@ -164,7 +173,10 @@ Testing Branch</a> and the    <a
     .tgz</a><br>
               <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download   
-     .lrp</a></td>
+     .lrp</a><br>
               <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">       
      Download.md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">       Download
    .rpm</a>  <br>
@ -173,7 +185,10 @@ Testing Branch</a> and the    <a
     .tgz</a> <br>
                 <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download   
-     .lrp</a></td>
+     .lrp</a><br>
               <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download 
        .md5sums</a></td>
             </tr>
             <tr>
               <td>Martinez (Zona Norte - GBA), Argentina</td>
@ -186,7 +201,10 @@ Testing Branch</a> and the    <a
            .tgz</a> <br>
                 <a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> 
-        Download .lrp</a></td>
+          Download .lrp</a><br>
               <a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download 
 .md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
    .rpm</a>  <br>
@ -195,7 +213,10 @@ Testing Branch</a> and the    <a
            .tgz</a> <br>
                 <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> 
-        Download .lrp</a></td>
+          Download .lrp</a><br>
               <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download 
 .md5sums</a></td>
             </tr>
             <tr>
               <td>Paris, France</td>
@ -205,7 +226,9 @@ Testing Branch</a> and the    <a
                 <a href="http://france.shorewall.net/pub/LATEST.tgz">Download
           .tgz</a> <br>
                 <a href="http://france.shorewall.net/pub/LATEST.lrp">Download
-         .lrp</a></td>
+           .lrp</a><br>
               <a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
           .md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
    .rpm</a>  <br>
@ -214,14 +237,66 @@ Testing Branch</a> and the    <a
            .tgz</a> <br>
                 <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
-  .lrp</a></td>
+    .lrp</a><br>
               <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
    .md5sums</a></td>
             </tr>
         <tr>
           <td valign="middle">Washington State, USA<br>
          </td>
           <td valign="middle">Shorewall.net<br>
          </td>
           <td valign="top"><a
 href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download  .rpm</a><br>
                 <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download       
    .tgz</a> <br>
                 <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download       
    .lrp</a><br>
           <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download   
        .md5sums</a><br>
          </td>
           <td valign="top"><a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
        Download .rpm</a> <br>
                 <a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
         .tgz</a> <br>
                 <a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
         .lrp</a><br>
           <a target="_blank"
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download    
    .md5sums</a><br>
          </td>
         </tr>
    </tbody>                        
  </table>
         </blockquote>
-<p>Browse Download Sites:</p>
+<p align="left"><b>Documentation in PDF format:</b><br>
 </p>
 <blockquote>   
  <p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
 the Shorewall 1.3.10 documenation (the documentation in HTML format is included
 in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
 </blockquote>
 <blockquote>   
  <blockquote><a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
 http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
   </blockquote>
 </blockquote>
 <p><b>Browse Download Sites:</b></p>
 <blockquote>                           
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -233,23 +308,26 @@ Testing Branch</a> and the    <a
               <td><b>FTP</b></td>
             </tr>
              <tr>
-           <td>Washington State, USA</td>
+               <td>SourceForge<br>
-           <td>Shorewall.net</td>
+          </td>
-           <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
+               <td>sf.net</td>
-           <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
+               <td><a
- target="_blank">Browse</a></td>
+ href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
               <td>N/A</td>
              </tr>
             <tr>
               <td>Slovak Republic</td>
               <td>Shorewall.net</td>
-           <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
+               <td><a
 href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
               <td>       <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
             </tr>
             <tr>
               <td>Texas, USA</td>
               <td>Infohiiway.com</td>
-           <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
+               <td><a
 href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
               <td><a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
             </tr>
@ -277,27 +355,29 @@ Testing Branch</a> and the    <a
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
             </tr>
              <tr>
-           <td>California, USA (Incomplete)</td>
+               <td>Washington State, USA</td>
-           <td>Sourceforge.net</td>
+               <td>Shorewall.net</td>
-           <td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
+               <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
-           <td>N/A</td>
+               <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
 target="_blank">Browse</a></td>
              </tr>
    </tbody>                        
  </table>
         </blockquote>
-<p align="left">CVS:</p>
+<p align="left"><b>CVS:</b></p>
 <blockquote>                         
  <p align="left">The <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS  repository at
    cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
    component. There's no guarantee that what you find there will work at
-all.</p>
+ all.<br>
   </p>
 </blockquote>
-<p align="left"><font size="2">Last Updated 11/9/2002 - <a
+<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -307,5 +387,9 @@ all.</p>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -33,8 +33,8 @@
 <ol>
            <li>                                                       
    <p align="left">          <b><u>I</u>f you use a Windows system to download
-   a corrected     script, be sure to run the script through <u>        <a
+    a corrected     script, be sure to run the script through <u>       
- href="http://www.megaloman.com/%7Ehany/software/hd2u/"
+    <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
 style="text-decoration: none;"> dos2unix</a></u>      after you have moved
    it to your Linux system.</b></p>
                         </li>
@ -57,24 +57,25 @@ to         start Shorewall during boot. It is  that file that must be overwritte
    </li>
    <li>          
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
+ ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
-do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
+example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
                </p>
    </li>
 </ol>
 <ul>
            <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
            <li>                            <b><a href="#V1.3">Problems in
-Version    1.3</a></b></li>
+ Version    1.3</a></b></li>
            <li>                            <b><a href="errata_2.htm">Problems
   in  Version 1.2</a></b></li>
            <li>                            <b><font color="#660066">  <a
 href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
            <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
-          <li>                            <b><a href="#Debug">Problems with 
+            <li>                            <b><a href="#Debug">Problems
- kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
+with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
            <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
            <li><b><a href="#Multiport">Problems with iptables version 1.2.7
  and       MULTIPORT=Yes</a></b></li>
@ -86,48 +87,70 @@ Version    1.3</a></b></li>
 <hr>                                
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.10</h3>
 <ul>
   <li>If you experience problems connecting to a PPTP server running on
 your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
 version of the firewall script</a> may help. Please report any cases where
 installing this script in /usr/lib/shorewall/firewall solved your connection
 problems. Beginning with version 1.3.10, it is safe to save the old version
 of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
 is the real script now and not just a symbolic link to the real script.<br>
   </li>
 </ul>
 <h3>Version 1.3.9a</h3>
 <ul>
    <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
-the following message appears during "shorewall [re]start":</li>
+ the following message appears during "shorewall [re]start":</li>
 </ul>
 <pre>          recalculate_interfacess: command not found<br></pre>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described 
+ corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
-above.<br>
+ above.<br>
-</blockquote>
+  </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
-single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
+ single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
-to 'recalculate_interface'. <br>
+ to 'recalculate_interface'. <br>
-</blockquote>
+  </blockquote>
 <ul>
    <li>The installer (install.sh) issues a misleading message "Common functions
-installed in /var/lib/shorewall/functions" whereas the file is installed
+ installed in /var/lib/shorewall/functions" whereas the file is installed
 in /usr/lib/shorewall/functions. The installer also performs incorrectly
 when updating old configurations that had the file /etc/shorewall/functions.
    <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
-is an updated version that corrects these problems.<br>
+ is an updated version that corrects these problems.<br>
      </a></li>
 </ul>
 <h3>Version 1.3.9</h3>
     <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
-at  <a
+ at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
+ -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
      <br>
     Version 1.3.8        
 <ul>
-       <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
+         <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
- the  policy file doesn't work.</li>
+of  the  policy file doesn't work.</li>
-       <li>A DNAT rule with the same original and new IP addresses but with 
+         <li>A DNAT rule with the same original and new IP addresses but
- different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 
+with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
- 25 - 10.1.1.1")<br>
+tcp   25 - 10.1.1.1")<br>
         </li>
 </ul>
@ -167,13 +190,15 @@ at  <a
                                   has two problems:</p>
 <ol>
-                                       <li>If the firewall is running a DHCP
+                                         <li>If the firewall is running a 
-  server,                                   the client won't be able to obtain
+DHCP   server,                                   the client won't be able 
-  an IP  address                                  lease from that server.</li>
+to obtain   an IP  address                                  lease from that 
-                                       <li>With this order of checking, the 
+server.</li>
- "dhcp"                                   option cannot be used as a noise-reduction
+                                         <li>With this order of checking, 
-                                    measure where there are both dynamic
+the   "dhcp"                                   option cannot be used as a 
-and    static                                  clients on a LAN segment.</li>
+noise-reduction                                     measure where there are 
 both dynamic and    static                                  clients on a LAN
 segment.</li>
 </ol>
@ -205,9 +230,10 @@ and    static                                  clients on a LAN segment.</li>
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
    an error occurs when the firewall            script attempts to add an
-SNAT   alias.  </p>
+ SNAT   alias.  </p>
          </li>
          <li>                                                          
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
           cause errors during startup when Shorewall is run with iptables
    1.2.7. </p>
@ -268,7 +294,8 @@ SNAT   alias.  </p>
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
       this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
-              as instructed above. This problem is corrected in version 1.3.5a.</p>
+               as instructed above. This problem is corrected in version
 1.3.5a.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
@ -298,10 +325,10 @@ version            has a size of 38126 bytes.</p>
 <ul>
                     <li>The code to detect a duplicate interface entry in
-           /etc/shorewall/interfaces contained a typo that prevented it from
+            /etc/shorewall/interfaces contained a typo that prevented it
-             working correctly. </li>
+from               working correctly. </li>
                     <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
-like   "NAT_BEFORE_RULES=Yes".</li>
+ like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -331,8 +358,8 @@ like   "NAT_BEFORE_RULES=Yes".</li>
             generated for a CONTINUE policy.</li>
                     <li>When an option is given for more than one interface
  in               /etc/shorewall/interfaces then depending on the option,
-Shorewall                may ignore all but the first appearence of the option.
+ Shorewall                may ignore all but the first appearence of the
-For example:<br>
+option.  For example:<br>
                     <br>
                     net    eth0    dhcp<br>
                     loc    eth1    dhcp<br>
@ -358,10 +385,10 @@ option.<br>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
-                   <li>Folks who downloaded 1.3.0 from the links on the download
+                     <li>Folks who downloaded 1.3.0 from the links on the 
-   page              before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
+download    page              before 23:40 GMT, 29 May 2002 may have downloaded 
-   rather than              1.3.0. The "shorewall version" command will tell
+1.2.13    rather than              1.3.0. The "shorewall version" command 
-   you which version              that you have installed.</li>
+will tell    you which version              that you have installed.</li>
                     <li>The documentation NAT.htm file uses non-existent 
           wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
@ -386,8 +413,8 @@ option.<br>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-    corrected 1.2.3 rpm which you can download here</a>  and I have also built
+     corrected 1.2.3 rpm which you can download here</a>  and I have also 
-           an <a
+built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently
    running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
@ -462,8 +489,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 <ul>
                                         <li>set MULTIPORT=No in        
                         /etc/shorewall/shorewall.conf; or </li>
-                                       <li>if you are running Shorewall 1.3.6 
+                                         <li>if you are running Shorewall 
-  you may                                  install                       
+1.3.6    you may                                  install                
                <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                             this firewall script</a> in /var/lib/shorewall/firewall
@ -486,7 +513,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  contains corrected support under a new kernel configuraiton option; see
 <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 10/9/2002 -                            
+<p><font size="2">  Last updated 11/24/2002 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -498,5 +525,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -16,23 +16,27 @@
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+ style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
- bgcolor="#400169" height="90">
+ border="0">
         <tbody>
          <tr>
           <td width="100%">                                            
      <h1 align="center"><a
- href="http://www.gnu.org/software/mailman/mailman.html">        <img
+ href="http://www.centralcommand.com/linux_products.html"><img
- border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
+ src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
- height="35">
+ height="79" align="left">
      </a><a href="http://www.gnu.org/software/mailman/mailman.html">   
    <img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
 width="110" height="35">
            </a><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45">
            </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
-      <p align="right"><font color="#ffffff"><b>Powered by Postfix       
+      <p align="right"><font color="#ffffff"><b><br>
-  </b></font>     </p>
+Powered by Postfix          </b></font>     </p>
            </td>
         </tr>
@ -54,18 +58,30 @@
 <h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
 src="images/but3.png" hspace="3" width="88" height="31">
- </a><a href="http://osirusoft.com/"> </a></h2>
+      </a><a href="http://osirusoft.com/"> </a></h2>
 <p>Before subscribing please read my <a href="spam_filters.htm">policy  
    about list traffic that bounces.</a> Also please note that the mail server
-       at shorewall.net checks the sender of incoming mail against the open 
+          at shorewall.net checks incoming mail:<br>
-relay        databases at <a href="http://ordb.org">ordb.org.</a></p>
+  </p>
 <ol>
    <li>against the open   relay        databases at <a
 href="http://ordb.org">ordb.org.</a></li>
    <li>to ensure that the sender address is fully qualified.</li>
    <li>to verify that the sender's domain has an A or MX record in DNS.</li>
    <li>to ensure that the host name in the HELO/EHLO command is a valid
 fully-qualified  DNS name.<br>
    </li>
 </ol>
 <h2></h2>
 <h2 align="left">Mailing Lists Archive Search</h2>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
  <p> <font size="-1"> Match:                
  <select name="method">
  <option value="and">All </option>
@ -94,17 +110,29 @@ relay        databases at <a href="http://ordb.org">ordb.org.</a></p>
 type="submit" value="Search"> </p>
      </form>
 <h2 align="left">Shorewall CA Certificate</h2>
    If you want to trust X.509 certificates issued by Shoreline Firewall
 (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a>
  in your browser. If you don't wish to trust my certificates then you can
 either use unencrypted access when subscribing to Shorewall mailing lists
 or you can use secure access (SSL) and accept the server's certificate when
 prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users
-to get answers to questions and to report problems. Information of general 
+   to get answers to questions and to report problems. Information of general
-interest to the Shorewall user community is also posted to this list.</p>
+   interest to the Shorewall user community is also posted to this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
-the <a href="support.htm">problem reporting guidelines</a>.</b></p>
+   the <a href="support.htm">problem reporting guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
  SSL: <a
 href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
 <p align="left">To post to the list, post to <a
 href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
@ -112,37 +140,42 @@ the <a href="support.htm">problem reporting guidelines</a>.</b></p>
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the 
   Shorewall community. To subscribe, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
-   
+  SSL: <a
-<p align="left">The list archives are at <a
+ href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
 target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
    </a><br>
    The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
 <p align="left">The Shorewall Development Mailing list provides a forum for
-the exchange of ideas about the future of Shorewall and for coordinating ongoing
+   the exchange of ideas about the future of Shorewall and for coordinating
-Shorewall Development.</p>
+  ongoing Shorewall Development.</p>
 <p align="left">To subscribe to the mailing list, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
-   
+  SSL: <a
-<p align="left">To post to the list, post to <a
+ href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
 target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
    To post to the list, post to <a
 href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
 <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
-the  Mailing Lists</h2>
+   the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing
    from Mailman-managed lists. To unsubscribe:</p>
@ -150,19 +183,19 @@ the  Mailing Lists</h2>
 <ul>
         <li>                               
    <p align="left">Follow the same link above that you used to subscribe
-to the  list.</p>
+   to the  list.</p>
         </li>
         <li>                               
    <p align="left">Down at the bottom of that page is the following text:
-"To  change your subscription (set options like digest and delivery modes, 
+   "To  change your subscription (set options like digest and delivery modes,
-get a  reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
+   get a  reminder of your password, <b>or unsubscribe</b> from &lt;name
-enter  your subscription email address:". Enter your email address in the
+of   list&gt;), enter  your subscription email address:". Enter your email
-box and click  on the "Edit Options" button.</p>
+address   in the box and click  on the "Edit Options" button.</p>
         </li>
         <li>                               
    <p align="left">There will now be a box where you can enter your password
-and  click on "Unsubscribe"; if you have forgotten your password, there is 
+   and  click on "Unsubscribe"; if you have forgotten your password, there
-another  button that will cause your password to be emailed to you.</p>
+ is  another  button that will cause your password to be emailed to you.</p>
         </li>
 </ul>
@ -172,12 +205,17 @@ another  button that will cause your password to be emailed to you.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 9/27/2002 - <a
+<p align="left"><font size="2">Last updated 11/22/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
        <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list_problems.htm
+++ b/STABLE/documentation/mailing_list_problems.htm
@ -20,6 +20,7 @@
           <tbody>
            <tr>
             <td width="100%">                                          
      <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
             </td>
           </tr>
@ -32,11 +33,11 @@
 <blockquote>                           
  <div align="left">                             
-  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
           </div>
         </blockquote>
-<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
+<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -49,5 +50,8 @@
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ports.htm
+++ b/STABLE/documentation/ports.htm
@ -19,7 +19,7 @@
      <tr>
       <td width="100%">                   
      <h1 align="center"><font color="#ffffff">Ports required for Various
-Services/Applications</font></h1>
+ Services/Applications</font></h1>
       </td>
     </tr>
@ -28,8 +28,8 @@ Services/Applications</font></h1>
 <p>In addition to those applications described in <a
 href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
-are some other services/applications that you may need to configure your firewall
+ are some other services/applications that you may need to configure your
-to accommodate.</p>
+firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
@ -52,18 +52,18 @@ to accommodate.</p>
 <p>DNS</p>
 <blockquote>         
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-to   open TCP Port 53 as well.<br>
+want to   open TCP Port 53 as well.<br>
     If you are configuring a server, only open TCP Port 53 if you will return
-long   replies to queries or if you need to enable ZONE transfers. In the 
+ long   replies to queries or if you need to enable ZONE transfers. In the
-latter   case, be sure that your server is properly configured.</p>
+ latter   case, be sure that your server is properly configured.</p>
   </blockquote>
 <p>ICQ   </p>
 <blockquote>         
  <p>UDP Port 4000. You will also need to open a range of TCP ports which
-you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
+ you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
   </blockquote>
 <p>PPTP</p>
@ -77,7 +77,8 @@ you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
 <blockquote>         
  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
-500.    These should be opened in both directions.</p>
+ 500.    These should be opened in both directions (Lots more information
  <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
   </blockquote>
 <p>SMTP</p>
@ -142,8 +143,9 @@ have:<br>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
 have problems accessing regular FTP servers.</p>
-  <p>If there is a possibility that these modules might be loaded before Shorewall
+   
-starts, then you should include the port list in /etc/modules.conf:<br>
+  <p>If there is a possibility that these modules might be loaded before
 Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
    </p>
  <blockquote>          
@ -177,16 +179,17 @@ starts, then you should include the port list in /etc/modules.conf:<br>
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
   </blockquote>
-<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
+<p>Didn't find what you are looking for -- have you looked in your own  
-file? </p>
+/etc/services file? </p>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
+<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
   <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -4,23 +4,27 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
             <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
                                                              <tbody>
                                                         <tr>
-                                                     <td width="100%"
+                                                                <td
- height="90">                                                           
+ width="100%" height="90">                                               
@ -36,7 +40,10 @@
-      <div align="center"><a href="1.2" target="_top"><font
+                                                                        
      <div align="center"><a
 href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
                                                    </div>
                                                    <br>
@ -49,13 +56,16 @@
 </table>
 <div align="center">                                                    
 <center>                                                              
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                <tbody>
                                                         <tr>
-                                                       <td width="90%"> 
+                                                                  <td
 width="90%">                                                           
@ -68,9 +78,10 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                               
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
@ -78,21 +89,24 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
                          it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                                                               <br>
-                                                     This program is distributed
+                                                                This program
-    in  the   hope   that   it  will   be  useful,    but        WITHOUT
+  is  distributed       in  the   hope   that   it  will   be  useful,  
-ANY    WARRANTY;   without   even the  implied   warranty  of MERCHANTABILITY
+ but         WITHOUT  ANY    WARRANTY;   without   even the  implied   warranty 
-          or FITNESS  FOR   A PARTICULAR    PURPOSE.   See the  GNU General
+   of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR    PURPOSE. 
-  Public License          for  more details.<br>
+     See the  GNU General     Public License          for  more details.<br>
                                                               <br>
-                                                     You should have received 
+                                                                You should
-  a  copy   of  the   GNU   General     Public    License          along with
+ have   received     a  copy   of  the   GNU   General     Public    License
-  this program;    if  not, write  to the    Free Software    Foundation, 
+          along  with   this program;    if  not, write  to the    Free Software 
-         Inc., 675    Mass  Ave, Cambridge,  MA  02139,   USA</p>
+      Foundation,            Inc., 675    Mass  Ave, Cambridge,  MA  02139, 
    USA</p>
@ -106,40 +120,31 @@ ANY    WARRANTY;   without   even the  implied   warranty  of MERCHANTABILITY
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                                </a>Jacques        Nilo and 
+                                                           </a>Jacques  
- Eric   Wolzak    have   a  LEAF (router/firewall/gateway on a floppy, CD 
+     Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway
-or compact  flash) distribution       called        <i>Bering</i>  that  
+ on  a floppy,   CD  or compact  flash) distribution       called       
-     features     Shorewall-1.3.9b and  Kernel-2.4.18.      You can  find 
+      <i>Bering</i>    that          features     Shorewall-1.3.10 and  Kernel-2.4.18.
-their   work at:          <a
+     You    can  find    their   work at:          <a
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+ href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
       </a></p>
      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
 1.0 Final!!! </b><br>
  </p>
      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
      <h2>Thinking of Downloading this Site for Offline Browsing?</h2>
     You might want to reconsider -- this site is <u><b>213 MB!!!</b></u> 
 and   you will almost certainly be blacklisted before you download the whole 
 thing  (my SDSL is only 384kbs so I'll have lots of time to catch  you). Besides,
 if you simply download the product and install it, you get  the essential
 parts of the site in a fraction of the time. And do you really  want to download:<br>
      <ul>
             <li>Both text and HTML versions of every post ever made on three 
  different mailing lists (65 MB)?</li>
             <li>Every .rpm, .tgz and .lrp ever released for both Shorewall 
 and  Seawall (92MB and 10MB respectively)?</li>
          <li>A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?<br>
          </li>
          <li>Several ancient RPMs for courier-imap and maildrop (1.5MB).<br>
          </li>
      </ul>
     You get all that and more if you do a blind recurive copy of this site.
 Happy downloading!<br>
      <h2>News</h2>
@ -148,88 +153,147 @@ parts of the site in a fraction of the time. And do you really  want to download
      <h2></h2>
-      <p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
+                             
- src="file:///home/teastep/Shorewall-docs/images/new10.gif" width="28"
+      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
- height="12" alt="(New)">
+ src="images/new10.gif" width="28" height="12" alt="(New)">
                               </b></p>
      <p>In this version:</p>
      <ul>
-         <li>You may now <a href="IPSEC.htm#Dynamic">define the contents
+        <li>A 'tcpflags' option has been added to entries in <a
- of a zone dynamically</a> with the <a
+ href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
- href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
+This option causes Shorewall to make a set of sanity check on TCP packet
- delete" commands</a>. These commands are expected to be used primarily within 
+header flags.</li>
-           <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown 
+        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
- scripts.</li>
+a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
-         <li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a> 
+When used, 'all' must appear by itself (in may not be qualified) and it does 
-  on ethernet segments. You can specify the set of allowed MAC addresses on
+not enable intra-zone traffic. For example, the rule <br>
-  the segment and you can optionally tie each MAC address to one or more IP
+     <br>
- addresses.</li>
+     ACCEPT loc all tcp 80<br>
-         <li>PPTP Servers and Clients running on the firewall system may
+     <br>
- now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
+ does not enable http traffic from 'loc' to 'loc'.</li>
-         <li>A new 'ipsecnat' tunnel type is supported for use when the 
+        <li>Shorewall's use of the 'echo' command is now compatible with
-         <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
+bash clones such as ash and dash.</li>
-         <li>The PATH used by Shorewall may now be specified in <a
+        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
- href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+generate a warning and are ignored</li>
         <li>The main firewall script is now /usr/lib/shorewall/firewall. 
 The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
 to do the real work. This change makes custom distributions such as for Debian
 and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends
 to have distribution-dependent code.</li>
      </ul>
 If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
 1.3.10, you will need to use the '--force' option:<br>
-      <blockquote>   
+      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>   
-        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
+                           </b></p>
 </blockquote>
-      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
+      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
- href="http://www.gentoo.org"><br>
+ documenation. the PDF may be downloaded from</p>
              </a></p>
        Alexandru Hartmann reports that his Shorewall package is now a part 
 of        <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
  Thanks Alex!<br>
-      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
+      <p>    <a
-          In this version:<br>
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
       <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
   </p>
      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>        
                      </b></p>
      <p>The main Shorewall web site is now back at SourceForge at <a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
           </p>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b>                        
  </b></p>
      <p>In this version:</p>
      <ul>
                    <li>You may now <a href="IPSEC.htm#Dynamic">define the
-contents      of a zone dynamically</a> with the <a
+ contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
       delete" commands</a>. These commands are expected to be used primarily
    within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
    updown   scripts.</li>
-                  <li>Shorewall can now do<a href="MAC_Validation.html">
+                    <li>Shorewall can now do<a
-MAC   verification</a>    on ethernet segments. You can specify the set of
+ href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments.
-allowed   MAC addresses on   the segment and you can optionally tie each
+You can specify the set  of allowed   MAC addresses   on   the segment and
-MAC address   to one or more IP  addresses.</li>
+you can optionally tie each MAC address   to one or more   IP  addresses.</li>
-                  <li>PPTP Servers and Clients running on the firewall system 
+                    <li>PPTP Servers and Clients running on the firewall
-  may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
+system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
   file.</li>
-                  <li>A new 'ipsecnat' tunnel type is supported for use when
+                    <li>A new 'ipsecnat' tunnel type is supported for use 
-  the             <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT
+when   the             <a href="IPSEC.htm">remote IPSEC endpoint is behind 
-  gateway</a>.</li>
+a NAT   gateway</a>.</li>
                    <li>The PATH used by Shorewall may now be specified in
           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                    <li>The main firewall script is now /usr/lib/shorewall/firewall.
       The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
       to do the real work. This change makes custom distributions such as
-for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
+ for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
     that tends  to have distribution-dependent code.</li>
      </ul>
           If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
  to  version   1.3.10, you will need to use the '--force' option:<br>
      <blockquote>                                                       
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
            </blockquote>
      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
 href="http://www.gentoo.org"><br>
                         </a></p>
                   Alexandru Hartmann reports that his Shorewall package
 is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo
 Linux  distribution</a>.       Thanks Alex!<br>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
                     In this version:<br>
      <ul>
                             <li>You may now <a href="IPSEC.htm#Dynamic">define 
   the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
          delete" commands</a>. These commands are expected to be used primarily 
       within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
       updown   scripts.</li>
                             <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments. 
    You can specify the set of  allowed   MAC addresses on   the segment and
   you can optionally tie each MAC address   to one or more IP  addresses.</li>
                             <li>PPTP Servers and Clients running on the
 firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
        file.</li>
                             <li>A new 'ipsecnat' tunnel type is supported
 for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
 is   behind   a NAT   gateway</a>.</li>
                             <li>The PATH used by Shorewall may now be specified
    in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                             <li>The main firewall script is now /usr/lib/shorewall/firewall. 
          The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
          to do the real work. This change makes custom distributions such 
 as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
        that tends  to have distribution-dependent code.</li>
      </ul>
                    You may download the Beta from:<br>
      <ul>
                            <li><a
 href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
@ -237,31 +301,38 @@ for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                            </li>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>       
                         </b><br>
                                 </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b></p>
-                 This release rolls up fixes to the installer and to the
+                            This release rolls up fixes to the installer
-firewall     script.<br>
+and   to  the   firewall     script.<br>
                             <b><br>
-                 10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
+                            10/6/2002 - Shorewall.net now running on RH8.0
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+       </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
                                                      </b><br>
                                  <br>
-                   The firewall and server here at shorewall.net are now
+                              The firewall and server here at shorewall.net 
-running     RedHat    release   8.0.<br>
+ are   now   running     RedHat    release   8.0.<br>
@ -271,27 +342,32 @@ running     RedHat    release   8.0.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>               
          </b></p>
                                        <img src="images/j0233056.gif"
 alt="Brown Paper Bag" width="50" height="86" align="left">
-                        There is an updated firewall script at <a
+                                   There is an updated firewall script at 
      <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
                 -- copy that file to /usr/lib/shorewall/firewall.<br>
      <p><b><br>
                                        </b></p>
      <p><b><br>
                                        </b></p>
      <p><b><br>
                                  9/28/2002 - Shorewall 1.3.9 </b><b>   
                            </b></p>
@ -299,32 +375,37 @@ running     RedHat    release   8.0.<br>
      <p>In this version:<br>
                                         </p>
      <ul>
                                                <li><a
 href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now 
             allowed in Shorewall config files (although I recommend   against 
       using       them).</li>
-                                     <li>The connection SOURCE may now be 
+                                                <li>The connection SOURCE 
-qualified      by  both   interface      and IP address in a <a
+may   now   be  qualified      by  both   interface      and IP address in 
- href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-                                     <li>Shorewall startup is now disabled
+                                                <li>Shorewall startup is
- after    initial     installation       until the file /etc/shorewall/startup_disabled
+now   disabled     after    initial     installation       until the file
-    is removed.     This avoids    nasty   surprises at reboot for users
+/etc/shorewall/startup_disabled          is removed.     This avoids    nasty
-who    install Shorewall     but don't configure     it.</li>
+  surprises at reboot for users     who    install Shorewall     but don't
-                                    <li>The 'functions' and 'version' files 
+configure     it.</li>
- and   the   'firewall'      symbolic   link have been  moved from /var/lib/shorewall 
+                                               <li>The 'functions' and 'version'
-    to /usr/lib/shorewall      to appease   the LFS police at Debian.<br>
+    files    and   the   'firewall'      symbolic   link have been  moved
 from    /var/lib/shorewall       to /usr/lib/shorewall      to appease  
 the LFS   police at Debian.<br>
                                               </li>
      </ul>
@ -333,6 +414,7 @@ who    install Shorewall     but don't configure     it.</li>
      <p><a href="News.htm">More News</a></p>
@ -340,16 +422,18 @@ who    install Shorewall     but don't configure     it.</li>
      <h2><a name="Donations"></a>Donations</h2>
                                  </td>
-                                                       <td width="88"
+                                                                  <td
- bgcolor="#4b017c" valign="top" align="center">             <a
+ width="88" bgcolor="#4b017c" valign="top" align="center">             <a
 href="http://sourceforge.net">M</a></td>
                                                                </tr>
  </tbody>                                                     
 </table>
                                                              </center>
@ -361,8 +445,9 @@ who    install Shorewall     but don't configure     it.</li>
 bgcolor="#4b017c">
                                                         <tbody>
                                                         <tr>
-                                                <td width="100%"
+                                                           <td
- style="margin-top: 1px;">                                              
+ width="100%" style="margin-top: 1px;">                                 
@ -376,8 +461,9 @@ who    install Shorewall     but don't configure     it.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+                                                                 
-but if       you try it and find it useful, please consider making a donation
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                          to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                                                           </td>
@ -389,9 +475,12 @@ but if       you try it and find it useful, please consider making a donation
 </table>
-<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
                    <br>
-</p>
+   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_mirrors.htm
+++ b/STABLE/documentation/shorewall_mirrors.htm
@ -1,67 +1,87 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+         
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+         
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>Shorewall Mirrors</title>
+ content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mirrors</title>
 </head>
  <body>
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
     <tbody>
      <tr>
       <td width="100%">                   
-    <h1 align="center"><font color="#FFFFFF">Shorewall Mirrors</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
       </td>
     </tr>
  </tbody>  
 </table>
-<p align="left"><b>Remember that updates to the mirrors are often delayed for 
+<p align="left"><b>Remember that updates to the mirrors are often delayed
-6-12 hours after an update to the primary site.</b></p>
+ for  6-12 hours after an update to the primary site.</b></p>
-<p align="left">The main Shorewall Web Site is <a href="http://www.shorewall.net">http://www.shorewall.net</a>
+<p align="left">The main Shorewall Web Site is <a
-and is located in Washington State, USA.
+ href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a> 
-It is mirrored at:</p>
+and is located in California, USA. It is mirrored at:</p>
 <ul>
-  <li><a target="_top" href="http://slovakia.shorewall.net">
+     <li><a target="_top" href="http://slovakia.shorewall.net">   http://slovakia.shorewall.net</a> 
  http://slovakia.shorewall.net</a>
     (Slovak Republic).</li>
-  <li>
+     <li>     <a href="http://www.infohiiway.com/shorewall"
-    <a href="http://www.infohiiway.com/shorewall" target="_top">
+ target="_top">   http://shorewall.infohiiway.com</a>     (Texas, USA).</li>
-  http://shorewall.infohiiway.com</a>
+     <li><a target="_top" href="http://germany.shorewall.net">   http://germany.shorewall.net</a>
-    (Texas, USA).</li>
+ (Hamburg, Germany)</li>
-  <li><a target="_top" href="http://germany.shorewall.net">
+     <li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a>
-  http://germany.shorewall.net</a> (Hamburg, Germany)</li>
+ (Martinez (Zona Norte - GBA), Argentina)</li>
  <li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li>
     <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
    (Paris, France)</li>
    <li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
 (Washington State, USA)<br>
    </li>
 </ul>
-<p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
+     
-and is located in Washington State, USA.&nbsp;
+<p align="left">The main Shorewall FTP Site is <a
-It is mirrored at:</p>
+ href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a> 
 and is located in Washington State, USA.  It is mirrored at:</p>
 <ul>
-  <li><a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
+     <li><a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> 
     (Slovak Republic).</li>
-  <li>
+     <li>     <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
-    <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
+ target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>     (Texas, USA).</li>
-    (Texas, USA).</li>
+     <li><a target="_blank"
-  <li><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">
+ href="ftp://germany.shorewall.net/pub/shorewall">   ftp://germany.shorewall.net/pub/shorewall</a>
-  ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li>
+ (Hamburg, Germany)</li>
-  <li>
+     <li>   <a target="_blank"
-  <a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li>
+ href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
-  <li>
+ (Martinez (Zona Norte - GBA), Argentina)</li>
-  <a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
+     <li>   <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
    (Paris, France)</li>
 </ul>
-<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom
+Search results and the mailing list archives are always fetched from the
-Eastep</a></font></p>
+site in Washington State.<br>
-<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
+<p align="left"><font size="2">Last Updated 11/09/2002 - <a
-<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_prerequisites.htm
+++ b/STABLE/documentation/shorewall_prerequisites.htm
@ -26,43 +26,44 @@
  </tbody>  
 </table>
    <br>
 Shorewall Requires:<br>
 <ul>
     <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
-    <a href="kernel.htm">     Check here for kernel configuration       information.</a> 
+     <a href="kernel.htm">     Check here for kernel configuration      
-     If you are looking for a firewall for use with 2.2 kernels, <a
+information.</a>       If you are looking for a firewall for use with 2.2
- href="http://www.shorewall.net/seawall">     see       the Seattle Firewall
+kernels, <a href="http://seawall.sf.net">     see       the Seattle Firewall
-site</a>     .</li>
+ site</a>     .</li>
     <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
 href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
-buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
+ buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
 upgrade to iptables 1.2.4 prior to    installing Shorewall. Version 1.2.4
 is available   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
-   and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
+   and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
 to be    running kernel 2.4.18 or later, NO currently-available RedHat iptables
 RPM    will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
  </li>
     <li>Some features require iproute ("ip" utility). The iproute package
-is     included with most distributions but may not be installed by default.
+ is     included with most distributions but may not be installed by default.
-The     official download site is <a
+ The     official download site is <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">   <font
 face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. 
   </li>
-   <li>A Bourne shell or derivative such as bash or ash. Must have correct
+     <li>A Bourne shell or derivative such as bash or ash. This shell must 
-      support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
+have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
    },        ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> 
     } and       ${<i>variable</i>##<i>pattern</i>}.</li>
-   <li>The firewall monitoring display is greatly improved if you have awk
+     <li>The firewall monitoring display is greatly improved if you have
-      (gawk) installed.</li>
+awk        (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 9/19/2002 - <a
+<p align="left"><font size="2">Last updated 11/10/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -22,6 +22,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
        Version 3.1</font></h1>
            </td>
@ -42,8 +43,8 @@ must  all first walk before we can run.</p>
 <ul>
          <li><a href="standalone.htm">Standalone</a> Linux System</li>
-        <li><a href="two-interface.htm">Two-interface</a> Linux System acting 
+          <li><a href="two-interface.htm">Two-interface</a> Linux System
-  as a    firewall/router for a small local network</li>
+acting    as a    firewall/router for a small local network</li>
          <li><a href="three-interface.htm">Three-interface</a> Linux System
  acting  as a    firewall/router for a small local network and a DMZ.</li>
@ -59,8 +60,10 @@ must  all first walk before we can run.</p>
 <ul>
          <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
-        <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
+          <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
-        <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
+Concepts</a></li>
          <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
 Interfaces</a></li>
          <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
  Subnets  and Routing</a>                                   
    <ul>
@ -79,8 +82,8 @@ must  all first walk before we can run.</p>
    </ul>
          </li>
-        <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your 
+          <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
- Network</a>                          
+your   Network</a>                                    
    <ul>
            <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -93,24 +96,25 @@ must  all first walk before we can run.</p>
              <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
              <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
              <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
-ARP</a></li>
+ ARP</a></li>
              <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
        </ul>
            </li>
            <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-          <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
+            <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
- Ends</a></li>
+and   Ends</a></li>
    </ul>
          </li>
          <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
-        <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting 
+          <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 
-  and    Stopping the Firewall</a></li>
+Starting    and    Stopping the Firewall</a></li>
 </ul>
-<h2><a name="Documentation"></a>Additional Documentation</h2>
+<h2><a name="Documentation"></a>Documentation Index</h2>
 <p>The following documentation covers a variety of topics and <b>supplements 
   the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described 
@ -127,7 +131,7 @@ ARP</a></li>
    </ul>
          </li>
          <li><a href="configuration_file_basics.htm">Common configuration
-file   features</a>                         
+ file   features</a>                                   
    <ul>
            <li>Comments in configuration files</li>
            <li>Line Continuation</li>
@ -154,9 +158,11 @@ file   features</a>
            <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
            <li><a href="Documentation.htm#Common">common</a></li>
            <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
-          <li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
+            <li><font color="#000099"><a
 href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
            <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
-          <li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
+            <li><font color="#000099"><a
 href="Documentation.htm#Tunnels">tunnels</a></font></li>
            <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
            <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
            <li><a href="Documentation.htm#modules">modules</a></li>
@ -188,6 +194,11 @@ file   features</a>
          <li><a href="samba.htm">Samba</a></li>
          <li><font color="#000099"><a
 href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
  <ul>
    <li>Description of all /sbin/shorewall commands</li>
    <li>How to safely test a Shorewall configuration change<br>
    </li>
  </ul>
          <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
          <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
          <li>VPN                                   
@ -196,7 +207,7 @@ file   features</a>
            <li><a href="IPIP.htm">GRE and IPIP</a></li>
            <li><a href="PPTP.htm">PPTP</a></li>
            <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
-firewall   to a      remote network.</li>
+ firewall   to a      remote network.</li>
    </ul>
          </li>
@ -207,15 +218,10 @@ firewall   to a      remote network.</li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/3/2002 - <a
+<p><font size="2">Last modified 11/19/2002 - <a
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
-<p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
+<p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
-       <br>
+</p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/standalone.htm
+++ b/STABLE/documentation/standalone.htm
@ -30,11 +30,11 @@
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up Shorewall on a standalone Linux system is very 
-easy if you understand the basics and follow the  documentation.</p>
+ easy if you understand the basics and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of 
- Shorewall. It rather focuses on what is required to configure Shorewall in
+  Shorewall. It rather focuses on what is required to configure Shorewall 
-one  of its  most common configurations:</p>
+in one  of its  most common configurations:</p>
 <ul>
      <li>Linux system</li>
@ -44,31 +44,31 @@ one  of its  most common configurations:</p>
 </ul>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if 
+ (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
-this  package is installed by the presence of an <b>ip</b> program on your 
+ this  package is installed by the presence of an <b>ip</b> program on your
-firewall  system. As root, you can use the 'which' command to check for this 
+ firewall  system. As root, you can use the 'which' command to check for
-program:</p>
+this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you read through the guide  first to familiarize yourself 
-with what's involved then go back through it again  making your configuration 
+ with what's involved then go back through it again  making your configuration 
-changes.  Points at which configuration changes  are recommended are flagged 
+ changes.  Points at which configuration changes  are recommended are flagged 
-with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
   .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
        If you edit your configuration files on a Windows system, you must
-save them as  Unix files if your editor supports that option or you must
+ save them as  Unix files if your editor supports that option or you must
 run them through  dos2unix before trying to use them. Similarly, if you copy
 a configuration file  from your Windows hard drive to a floppy disk, you
 must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
      <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
-of    dos2unix</a></li>
+ of    dos2unix</a></li>
-    <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version 
+      <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
@ -84,12 +84,12 @@ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
 during Shorewall installation).</p>
 <p>As each file is introduced, I suggest that you  look through the actual 
-file on your system -- each file contains detailed  configuration instructions 
+ file on your system -- each file contains detailed  configuration instructions 
-and default entries.</p>
+ and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a 
-set of  <i>zones.</i> In the one-interface sample configuration, only one 
+ set of  <i>zones.</i> In the one-interface sample configuration, only one 
-zone is  defined:</p>
+ zone is  defined:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -112,11 +112,11 @@ zone is  defined:</p>
  the firewall itself is known as <b>fw</b>.</p>
 <p>Rules about what traffic to allow and what traffic to deny are expressed 
-in  terms of zones.</p>
+ in  terms of zones.</p>
 <ul>
      <li>You express your default policy for connections from one zone to
-another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
     </a>file.</li>
      <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,11 +124,11 @@ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
 </ul>
 <p>For each connection request entering the firewall, the request is first 
-checked against the  /etc/shorewall/rules file. If no rule in that file matches 
+ checked against the  /etc/shorewall/rules file. If no rule in that file matches
-the connection  request then the first policy in /etc/shorewall/policy that 
+ the connection  request then the first policy in /etc/shorewall/policy that
-matches the    request is applied. If that policy is REJECT or DROP  the request
+ matches the    request is applied. If that policy is REJECT or DROP  the
-is first  checked against the rules in /etc/shorewall/common (the samples
+request is first  checked against the rules in /etc/shorewall/common (the
-provide that  file for you).</p>
+samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the one-interface sample has
 the  following policies:</p>
@ -176,14 +176,15 @@ the  following policies:</p>
 <ol>
      <li>allow all connection requests from the firewall to the internet</li>
-    <li>drop (ignore) all connection requests from the internet to your firewall</li>
+      <li>drop (ignore) all connection requests from the internet to your 
 firewall</li>
      <li>reject all other connection requests (Shorewall requires this catchall 
    policy).</li>
 </ol>
 <p>At this point, edit your /etc/shorewall/policy and make any changes that 
-you  wish.</p>
+ you  wish.</p>
 <h2 align="left">External Interface</h2>
@ -194,26 +195,26 @@ you  wish.</p>
  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
 a <b>ppp0</b>. If you connect via a regular modem, your External  Interface 
-will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
+ will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
-will be<b> ippp0.</b></p>
+ will be<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
-     The Shorewall one-interface sample configuration assumes that  the external 
+       The Shorewall one-interface sample configuration assumes that  the 
-interface is <b>eth0</b>.  If your configuration is different, you will have 
+external  interface is <b>eth0</b>.  If your configuration is different, you
-to modify the sample  /etc/shorewall/interfaces file accordingly. While you 
+will have  to modify the sample  /etc/shorewall/interfaces file accordingly. 
-are there, you may wish to  review the list of options that are specified 
+While you  are there, you may wish to  review the list of options that are 
-for the interface. Some hints:</p>
+specified  for the interface. Some hints:</p>
 <ul>
      <li>                  
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-you can replace the    "detect" in the second column with "-".   </p>
+ you can replace the    "detect" in the second column with "-".   </p>
     </li>
     <li>                  
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-or if you have a static IP    address, you can remove "dhcp" from the option 
+ or if you have a static IP    address, you can remove "dhcp" from the option 
-list. </p>
+ list. </p>
     </li>
 </ul>
@ -224,7 +225,7 @@ list. </p>
 <div align="left">    
 <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges 
-for  use in private networks:</p>
+ for  use in private networks:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -233,14 +234,14 @@ for  use in private networks:</p>
 <p align="left">These addresses are sometimes referred to as <i>non-routable</i> 
    because the Internet backbone routers will not forward a packet whose 
   destination address is reserved by RFC 1918. In some cases though, ISPs 
-are    assigning these addresses then using <i>Network Address Translation 
+ are    assigning these addresses then using <i>Network Address Translation 
-</i>to    rewrite packet headers when forwarding to/from the internet.</p>
+ </i>to    rewrite packet headers when forwarding to/from the internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
           Before starting Shorewall, you should look at the IP address of
-your external    interface and if it is one of the above ranges, you should
+ your external    interface and if it is one of the above ranges, you should
-remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+ remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
   </div>
 <div align="left">      
@ -249,7 +250,7 @@ remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p
 <div align="left">      
 <p align="left">If you wish to enable connections from the internet to your 
-firewall, the general format is:</p>
+ firewall, the general format is:</p>
   </div>
 <div align="left">      
@ -332,7 +333,7 @@ uses, see <a href="ports.htm">here</a>.</p>
 <div align="left">      
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
    the internet because it uses clear text (even for login!). If you want 
-shell    access to your firewall from the internet, use SSH:</p>
+ shell    access to your firewall from the internet, use SSH:</p>
   </div>
 <div align="left">      
@ -372,7 +373,7 @@ shell    access to your firewall from the internet, use SSH:</p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
       At this point, edit    /etc/shorewall/rules to add other connections 
-as desired.</p>
+ as desired.</p>
   </div>
 <div align="left">      
@ -383,43 +384,45 @@ as desired.</p>
 <p align="left">          <img border="0" src="images/BD21298_2.gif"
 width="13" height="13" alt="Arrow">
        The <a href="Install.htm">installation procedure </a>   configures
-your system to start Shorewall at system boot but beginning with Shorewall
+ your system to start Shorewall at system boot but beginning with Shorewall
-version 1.3.9 startup is disabled so that your system won't try to start
+ version 1.3.9 startup is disabled so that your system won't try to start
 Shorewall before configuration is complete. Once you have completed configuration
 of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
   </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
-package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
+ package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
   </p>
   </div>
 <div align="left">      
 <p align="left">The firewall is started using the "shorewall start" command 
    and stopped using "shorewall stop". When the firewall is stopped, routing 
-is    enabled on those hosts that have an entry in   <a
+ is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
    running firewall may be restarted using the "shorewall restart" command. 
-If    you want to totally remove any trace of Shorewall from your Netfilter 
+ If    you want to totally remove any trace of Shorewall from your Netfilter 
    configuration, use "shorewall clear".</p>
   </div>
 <div align="left">      
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
-the    internet, do not issue a "shorewall stop" command unless you have added
+ the    internet, do not issue a "shorewall stop" command unless you have 
-an    entry for the IP address that you are connected from to   <a
+added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
-an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
+ an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-and    test it using the <a href="Documentation.htm#Starting">"shorewall try"
+ and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
-command</a>.</p>
+try" command</a>.</p>
   </div>
-<p align="left"><font size="2">Last updated 9/26/2002 - <a
+<p align="left"><font size="2">Last updated 11/21/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
-M. Eastep</font></a></p>
+ M. Eastep</font></a></p>
     <br>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/starting_and_stopping_shorewall.htm
+++ b/STABLE/documentation/starting_and_stopping_shorewall.htm
@ -61,11 +61,11 @@ run-level editor.</p>
     <li>Shorewall startup is disabled by default. Once you have configured 
 your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. 
 Note: Users of the .deb package must edit /etc/default/shorewall and set
-'startup=1'.<br>
+ 'startup=1'.<br>
     </li>
     <li>If you use dialup, you may want to start the firewall     in your
-/etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart" 
+ /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart"
-in that script.</li>
+ in that script.</li>
 </ol>
@ -118,8 +118,8 @@ table          (iptables -t mangle -L -n -v)</li>
       <li>shorewall monitor [ delay ] - Continuously display the firewall
           status, last 20 log entries and nat. When the log entry display 
           changes, an audible alarm is sounded.</li>
-      <li>shorewall hits - Produces several reports about the Shorewall packet
+       <li>shorewall hits - Produces several reports about the Shorewall
- log          messages in the current /var/log/messages file.</li>
+packet  log          messages in the current /var/log/messages file.</li>
       <li>shorewall version -  Displays the installed     version number.</li>
       <li>shorewall check -  Performs a <u>cursory</u> validation     of 
 the  zones, interfaces, hosts, rules and policy files.    <font size="4"
@ -127,38 +127,43 @@ the  zones, interfaces, hosts, rules and policy files.    <font size="4"
 generated iptables commands so even though the "check" command     completes 
 successfully, the configuration may fail to start. See the     recommended 
 way to make configuration changes described below. </b></font>    </li>
-      <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] 
+       <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
-  Restart shorewall using the     specified configuration and if an error
+]  -  Restart shorewall using the     specified configuration and if an error 
 occurs or if the<i> timeout </i>    option is given and the new configuration 
- has been up for that many seconds     then shorewall is restarted using
+ has been up for that many seconds     then shorewall is restarted using the
-the  standard configuration.</li>
+ standard configuration.</li>
       <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
 save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
-      <li>shorewall logwatch (added in version 1.3.2) - Monitors the    <a
+       <li>shorewall logwatch (added in version 1.3.2) - Monitors the   
- href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
+    <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall 
     messages are logged.</li>
 </ul>
-Finally, the "shorewall" program may be used to dynamically alter the contents
+ Finally, the "shorewall" program may be used to dynamically alter the contents 
 of a zone.<br>
 <ul>
   <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the 
 specified interface (and host if included) to the specified zone.</li>
   <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes 
 the specified interface (and host if included) from the specified zone.</li>
 </ul>
 <blockquote>Examples:<br>
  <blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 
 from interface ipsec0 to the zone vpn1<br>
-shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
+ shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 
 from interface ipsec0 from zone vpn1<br>
   </blockquote>
-</blockquote>
+ </blockquote>
 <p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
   <b>shorewall try </b>commands allow you to specify which <a
- href="#Configs">   Shorewall configuration</a>    to use:</p>
+ href="configuration_file_basics.htm#Configs">   Shorewall configuration</a>
   to use:</p>
 <blockquote>                                                             
@ -170,8 +175,8 @@ from interface ipsec0 from zone vpn1<br>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
   is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
-   . If the file is present in the <i>configuration-directory</i>, that file 
+    . If the file is present in the <i>configuration-directory</i>, that
-  will be used; otherwise, the file in /etc/shorewall will be used.</p>
+file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -225,7 +230,7 @@ from interface ipsec0 from zone vpn1<br>
-<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
     </font></p>
@ -237,5 +242,6 @@ from interface ipsec0 from zone vpn1<br>
                              <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -22,6 +22,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
            </td>
          </tr>
@ -29,31 +30,37 @@
  </tbody>       
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
-is easier to post a problem than to use your own brain" </font>-- </i> <font
+easier to post a problem than to use your own brain" </font>-- </i> <font
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you
+<p align="left"> <i>"Any sane computer will tell you how it works -- you just
-just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+ have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
 <blockquote> </blockquote>
 <p><span style="font-weight: 400;"><i>"It irks me when people believe that 
   free software        comes at no cost. The cost is incredibly high."</i> 
- - <font size="2">       Wietse Venema</font></span></p>
+  - <font size="2">       Wietse Venem<br>
 </font></span></p>
 <h3 align="left">Before Reporting a Problem</h3>
 <b><i>"Reading the documentation fully is a prerequisite to getting help 
 for your particular situation. I know it's harsh but you will have to get 
 so far on your own before you can get reasonable help from a list full of 
 busy people. A mailing list is not a tool to speed up your day by being spoon
 fed</i></b><i><b>".</b> </i>-- Simon White<br>
-<p>There are a number of sources for problem solution information.</p>
+<p>There are also a number of sources for problem solution information.</p>
 <ul>
          <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
          <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
-contains  a    number of tips to help you solve common problems.</li>
+  contains  a    number of tips to help you solve common problems.</li>
-       <li>The <a href="errata.htm">   Errata</a> has links to download updated
+          <li>The <a href="errata.htm">   Errata</a> has links to download
-     components.</li>
+ updated      components.</li>
-       <li>The Mailing List Archives search facility can locate posts about 
+          <li>The Mailing List Archives search facility can locate posts
-      similar problems:</li>
+about         similar problems:</li>
 </ul>
@ -89,33 +96,44 @@ contains  a    number of tips to help you solve common problems.</li>
 type="submit" value="Search"> </p>
     </form>
-<h3 align="left">Problem Reporting Guidelines</h3>
+<h3 align="left">Problem Reporting Guideline</h3>
 <ul>
          <li>When reporting a problem, give as much information as you can.
-Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+  Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
          <li>Please don't describe your environment and then ask us to send
-you             custom configuration files. We're here to answer your questions
+  you             custom configuration files. We're here to answer your questions 
   but we           can't do your job for you.</li>
-       <li>Do you see any "Shorewall" messages in     /var/log/messages when
+          <li>Do you see any "Shorewall" messages in     /var/log/messages
-  you exercise the function that is giving you problems?</li>
+ when   you exercise the function that is giving you problems?</li>
          <li>Have you looked at the packet flow with a tool like tcpdump 
    to  try to understand what is going on?</li>
-       <li>Have you tried using the diagnostic capabilities of the     application
+          <li>Have you tried using the diagnostic capabilities of the   
-  that isn't working? For example, if "ssh" isn't able     to connect, using
+ application    that isn't working? For example, if "ssh" isn't able    
-  the "-v" option gives you a lot of valuable     diagnostic information.</li>
+to connect, using    the "-v" option gives you a lot of valuable     diagnostic 
 information.</li>
          <li>Please include any of the Shorewall configuration files (especially 
   the    /etc/shorewall/hosts file if you have modified that file) that you
   think are    relevant. If an error occurs when you try to "shorewall start",
   include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
   section for    instructions).</li>
-       <li>The list server limits posts to 120kb so don't post GIFs of your 
+          <li>The list server limits posts to 120kb so don't post GIFs of 
-           network layout, etc to the Mailing List -- your post will be rejected.</li>
+your             network layout, etc to the Mailing List -- your post will 
 be rejected.</li>
 </ul>
 <h3>Where to Send your Problem Report or to Ask for Help</h3>
-         <b></b>
+            <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
 reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
 on October 3, 2002; MandrakeSoft issued a charge against my credit card
 on  October 4, 2002 (they are really effecient at that part of the order
 process)  and I haven't heard a word from them since (although their news
 letters boast  that 9.0 boxed sets have been shipping for the last two weeks).
 If they can't  fill my 9.0 order within <u>6 weeks after they have billed
 my credit card</u>  then I refuse to spend my free time supporting of their
 product for them.<br>
 <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please 
    post your question or problem to the <a
 href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
@ -135,14 +153,11 @@ you             custom configuration files. We're here to answer your questions
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
        .</p>
-<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-      <br>
+</p>
-    <br>
+ 
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/three-interface.htm
+++ b/STABLE/documentation/three-interface.htm
@ -20,6 +20,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
            </td>
          </tr>
@ -54,9 +55,9 @@
 <p>This guide assumes that you have the iproute/iproute2 package installed 
   (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
-if  this  package is installed by the presence of an <b>ip</b> program on 
+ if  this  package is installed by the presence of an <b>ip</b> program on 
-your  firewall  system. As root, you can use the 'which' command to check 
+ your  firewall  system. As root, you can use the 'which' command to check 
-for this  program:</p>
+ for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -67,10 +68,10 @@ for this  program:</p>
       </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-          If you edit your configuration files on a Windows system, you must
+            If you edit your configuration files on a Windows system, you 
-  save them as  Unix files if your editor supports that option or you must
+must   save them as  Unix files if your editor supports that option or you 
- run them through  dos2unix before trying to use them. Similarly, if you
+must  run them through  dos2unix before trying to use them. Similarly, if 
-copy  a configuration file  from your Windows hard drive to a floppy disk,
+you copy  a configuration file  from your Windows hard drive to a floppy disk,
 you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
@ -97,8 +98,8 @@ of  these as described in this guide.  After you have <a
   and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a 
-  set of  <i>zones.</i> In the three-interface sample configuration, the following
+   set of  <i>zones.</i> In the three-interface sample configuration, the 
-  zone names are used:</p>
+following   zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -133,7 +134,7 @@ of  these as described in this guide.  After you have <a
 <ul>
          <li>You express your default policy for connections from one zone 
-to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
       </a>file.</li>
          <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -142,10 +143,10 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
 <p>For each connection request entering the firewall, the request is first 
   checked against the  /etc/shorewall/rules file. If no rule in that file 
-matches  the connection  request then the first policy in /etc/shorewall/policy 
+ matches  the connection  request then the first policy in /etc/shorewall/policy 
-that  matches the    request is applied. If that policy is REJECT or DROP  
+ that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common (the
+ the request is first  checked against the rules in /etc/shorewall/common 
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample 
   has the  following policies:</p>
@ -218,18 +219,18 @@ samples provide that  file for you).</p>
 <ol>
          <li>allow all connection requests from your local network to the
-internet</li>
+ internet</li>
-        <li>drop (ignore) all connection requests from the internet to your 
+          <li>drop (ignore) all connection requests from the internet to
- firewall     or local network</li>
+your   firewall     or local network</li>
-        <li>optionally accept all connection requests from the firewall to
+          <li>optionally accept all connection requests from the firewall 
- the     internet (if you uncomment the additional policy)</li>
+to  the     internet (if you uncomment the additional policy)</li>
          <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-         At this point, edit your /etc/shorewall/policy  file and make any
+           At this point, edit your /etc/shorewall/policy  file and make
- changes  that you  wish.</p>
+any   changes  that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -239,37 +240,38 @@ internet</li>
 <p align="left">The firewall has three network interfaces. Where Internet 
    connectivity is through a cable or DSL "Modem", the <i>External Interface</i> 
-   will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+    will be the ethernet adapter that is connected to that "Modem" (e.g., 
-  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
+<b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
-   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
+<u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
-  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
+<u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External Interface
-a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
+will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular
-your External  Interface will also be <b>ppp0</b>. If you connect using ISDN,
+modem, your External  Interface will also be <b>ppp0</b>. If you connect
-  you external  interface will be <b>ippp0.</b></p>
+using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
           If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then
-you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
+ you   will want to  set CLAMPMSS=yes in <a
-/etc/shorewall/shorewall.conf.</a></p>
+ href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
    eth1 or eth2) and will be connected to a hub or switch. Your local computers 
-   will be connected to the same switch (note: If you have only a single local
+    will be connected to the same switch (note: If you have only a single 
-  system,  you can connect the firewall directly to the computer using a
+local   system,  you can connect the firewall directly to the computer using 
-<i>cross-over   </i> cable).</p>
+a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
   (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
- computers will  be connected to the same switch (note: If you have only a
+  computers will  be connected to the same switch (note: If you have only 
- single DMZ system,  you can connect the firewall directly to the computer 
+a  single DMZ system,  you can connect the firewall directly to the computer 
  using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-     </b></u>Do not connect more than one interface  to the same hub or switch 
+       </b></u>Do not connect more than one interface  to the same hub or 
-  (even for testing). It won't work the way that you  expect it to and you 
+switch    (even for testing). It won't work the way that you  expect it to 
- will end up confused and  believing that Shorewall doesn't work at all.</p>
+and you   will end up confused and  believing that Shorewall doesn't work 
 at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
@ -299,14 +301,14 @@ you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
    Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
   <i> Public</i> IP address. This address may be assigned via the<i> Dynamic
   Host  Configuration Protocol</i> (DHCP) or as part of establishing your
-connection   when you dial in (standard modem) or establish your PPP connection. 
+ connection   when you dial in (standard modem) or establish your PPP connection.
-In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
+ In rare   cases, your ISP may assign you a<i> static</i> IP address; that
-means that  you  configure your firewall's external interface to use that 
+ means that  you  configure your firewall's external interface to use that
-address permanently.<i>  </i>Regardless of how the address is assigned, it 
+ address permanently.<i>  </i>Regardless of how the address is assigned,
-will be shared by all of your  systems when you access the Internet. You will
+it  will be shared by all of your  systems when you access the Internet.
-have to assign your  own addresses  for your internal network (the local and
+You will have to assign your  own addresses  for your internal network (the
-DMZ Interfaces on  your firewall plus your other  computers). RFC 1918 reserves
+local and DMZ Interfaces on  your firewall plus your other  computers). RFC
-several <i>Private  </i>IP address ranges for this  purpose:</p>
+1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
 <div align="left">          
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -316,22 +318,23 @@ several <i>Private  </i>IP address ranges for this  purpose:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
              Before starting Shorewall, you should look at the IP address
-of  your  external    interface and if it is one of the above ranges, you
+ of  your  external    interface and if it is one of the above ranges, you
-should  remove  the    'norfc1918' option from the external interface's entry
+ should  remove  the    'norfc1918' option from the external interface's
-in    /etc/shorewall/interfaces.</p>
+entry  in    /etc/shorewall/interfaces.</p>
       </div>
 <div align="left">          
 <p align="left">You will want to assign your local addresses from one <i>
      sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-subnet.  For our purposes, we can consider a subnet    to consists of a range
+ subnet.  For our purposes, we can consider a subnet    to consists of a
-of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
+range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
-Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
+ Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
- Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>.
+  Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>  
- In Shorewall,  a subnet is described using <a href="subnet_masks.htm"><i>Classless
+<i>Address</i>.  In Shorewall,  a subnet is described using <a
- InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet
+ href="subnet_masks.htm"><i>Classless  InterDomain Routing </i>(CIDR)</a> 
-address  followed    by "/24". The "24" refers to the number of    consecutive
+notation with consists of the subnet address  followed    by "/24". The "24" 
-"1"  bits from the left of the subnet mask. </p>
+refers to the number of    consecutive "1"  bits from the left of the subnet 
 mask. </p>
       </div>
 <div align="left">          
@ -375,17 +378,17 @@ address  followed    by "/24". The "24" refers to the number of    consecutive
 <p align="left">One of the purposes of subnetting is to allow all computers 
   in the    subnet to understand which other computers can be communicated 
  with directly.    To communicate with systems outside of the subnetwork, 
-systems send packets    through a<i>  gateway</i>  (router).</p>
+ systems send packets    through a<i>  gateway</i>  (router).</p>
       </div>
 <div align="left">          
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-         Your local  computers    (Local Computers 1 &amp; 2) should be configured 
+           Your local  computers    (Local Computers 1 &amp; 2) should be 
-  with their<i>    default gateway</i> set to the IP address of the firewall's 
+configured    with their<i>    default gateway</i> set to the IP address of
-  internal interface    and your DMZ computers ( DMZ Computers 1 &amp; 2) 
+the firewall's    internal interface    and your DMZ computers ( DMZ Computers 
-should  be configured with their    default gateway set to the IP address 
+1 &amp; 2)  should  be configured with their    default gateway set to the 
-of the firewall's DMZ interface.   </p>
+IP address  of the firewall's DMZ interface.   </p>
       </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -408,17 +411,18 @@ of the firewall's DMZ interface.
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
   to as <i>non-routable</i> because the Internet backbone routers don't forward
-  packets  which have an RFC-1918 destination address. When one of your local 
+   packets  which have an RFC-1918 destination address. When one of your
-  systems  (let's assume local computer 1) sends a connection request to an
+local    systems  (let's assume local computer 1) sends a connection request
-  internet host, the  firewall must perform <i>Network Address Translation 
+to an   internet host, the  firewall must perform <i>Network Address Translation
  </i>(NAT). The firewall  rewrites the source address in the packet to be
-the address of the firewall's  external interface; in other words, the firewall 
+ the address of the firewall's  external interface; in other words, the firewall
- makes it look as if the firewall  itself is initiating the connection.  This
+  makes it look as if the firewall  itself is initiating the connection. 
- is necessary so that the  destination host will be able to route return packets
+This  is necessary so that the  destination host will be able to route return
-  back to the firewall  (remember that packets whose destination address
+packets   back to the firewall  (remember that packets whose destination
-is   reserved by RFC 1918 can't  be routed accross the internet). When the
+address is   reserved by RFC 1918 can't  be routed accross the internet).
-firewall   receives a return packet, it  rewrites the destination address
+When the firewall   receives a return packet, it  rewrites the destination
-back to 10.10.10.1   and  forwards the packet on to local computer 1. </p>
+address back to 10.10.10.1   and  forwards the packet on to local computer
 1. </p>
 <p align="left">On Linux systems, the above process is often referred to as<i>
 IP Masquerading</i> and you will also see the term <i>Source Network Address
@ -445,27 +449,28 @@ back to 10.10.10.1   and  forwards the packet on to local computer 1. </p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
           If your external firewall interface is <b>eth0</b>, your local 
-interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
+ interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
-not  need to  modify the file provided with the sample. Otherwise, edit 
+ not  need to  modify the file provided with the sample. Otherwise, edit
-/etc/shorewall/masq   and change it to match your configuration.</p>
+ /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-         If your external IP  is static, you can enter it in the third column 
+           If your external IP  is static, you can enter it in the third
-  in the /etc/shorewall/masq entry  if you like although your firewall will 
+column    in the /etc/shorewall/masq entry  if you like although your firewall
-  work fine if you leave that column  empty. Entering your static IP in column 
+will    work fine if you leave that column  empty. Entering your static IP
-  3 makes processing outgoing packets a  little more efficient. </p>
+in column    3 makes processing outgoing packets a  little more efficient.
 </p>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your 
   DMZ computers. Because these computers have RFC-1918 addresses, it is not
-   possible for clients on the internet to connect directly to them. It is 
+    possible for clients on the internet to connect directly to them. It
- rather  necessary for those clients to address their connection requests 
+is   rather  necessary for those clients to address their connection requests 
-to your firewall  who rewrites the destination address to the address of your
+ to your firewall  who rewrites the destination address to the address of 
-server and forwards  the packet to that server. When your server responds, 
+your server and forwards  the packet to that server. When your server responds, 
- the firewall automatically  performs SNAT to rewrite the source address in
+  the firewall automatically  performs SNAT to rewrite the source address 
- the response.</p>
+in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
    Destination Network Address Translation</i> (DNAT). You configure port
@ -549,9 +554,9 @@ the same  as <i>&lt;port&gt;</i>.</p>
 <ul>
          <li>When you are connecting to your server from your local systems, 
  you  must    use the server's internal IP address (10.10.11.2).</li>
-        <li>Many ISPs block incoming connection requests to port 80. If you 
+          <li>Many ISPs block incoming connection requests to port 80. If 
- have     problems connecting to your web server, try the following rule and
+you   have     problems connecting to your web server, try the following rule
- try     connecting to port 5000 (e.g., connect to <a
+and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your 
   external IP).</li>
@ -661,27 +666,27 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
           At this point, add the DNAT and  ACCEPT rules for your servers.
-</p>
+ </p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
   an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
- will be  automatically configured (e.g., the /etc/resolv.conf file will be
+  will be  automatically configured (e.g., the /etc/resolv.conf file will 
- written).  Alternatively, your ISP may have given you the IP address of
+be  written).  Alternatively, your ISP may have given you the IP address of
 a  pair of DNS <i> name servers</i> for you to manually configure as your 
-primary  and secondary  name servers. It is <u>your</u> responsibility to 
+ primary  and secondary  name servers. It is <u>your</u> responsibility to 
-configure  the resolver in your  internal systems. You can take one of two 
+ configure  the resolver in your  internal systems. You can take one of two 
-approaches:</p>
+ approaches:</p>
 <ul>
          <li>                                      
    <p align="left">You can configure your internal systems to use your ISP's 
-  name    servers. If you ISP gave you the addresses of their servers or if
+   name    servers. If you ISP gave you the addresses of their servers or 
-  those    addresses are available on their web site, you can configure your
+if   those    addresses are available on their web site, you can configure 
-  internal    systems to use those addresses. If that information isn't available,
+your   internal    systems to use those addresses. If that information isn't 
-  look in    /etc/resolv.conf on your firewall system -- the name servers
+available,   look in    /etc/resolv.conf on your firewall system -- the name 
-are  given in    "nameserver" records in that file.   </p>
+servers are  given in    "nameserver" records in that file.   </p>
         </li>
         <li>                                      
    <p align="left"><img border="0" src="images/BD21298_2.gif"
@ -690,12 +695,13 @@ are  given in    "nameserver" records in that file.   </p>
  or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
  also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
  If you    take this approach, you configure your internal systems to use 
-the caching    name server as their primary (and only) name server. You use 
+ the caching    name server as their primary (and only) name server. You use
-the internal IP    address of the firewall (10.10.10.254 in the example above) 
+ the internal IP    address of the firewall (10.10.10.254 in the example above)
-  for the name    server address if you choose to run the name server on your
+   for the name    server address if you choose to run the name server on
-  firewall. To allow your local systems to talk to your caching name    server,
+your   firewall. To allow your local systems to talk to your caching name 
-  you must open port 53 (both UDP and TCP) from the local network to the
+   server,   you must open port 53 (both UDP and TCP) from the local network 
-   server; you do that by adding the rules in /etc/shorewall/rules.     </p>
+to the    server; you do that by adding the rules in /etc/shorewall/rules. 
    </p>
         </li>
 </ul>
@ -1054,8 +1060,9 @@ uses, look <a href="ports.htm">here</a>.</p>
         The <a href="Install.htm">installation procedure </a>   configures 
  your system to start Shorewall at system boot  but beginning with Shorewall
  version 1.3.9 startup is disabled so that your system won't try to start
-Shorewall before configuration is complete. Once you have completed configuration
+ Shorewall before configuration is complete. Once you have completed configuration
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+ of your firewall, you can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
       </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1077,11 +1084,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 <div align="left">          
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-         The three-interface sample assumes that you want to enable    routing 
+           The three-interface sample assumes that you want to enable   
-  to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ) when Shorewall 
+routing    to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
-  is stopped.    If these two interfaces don't connect to your local network 
+when Shorewall    is stopped.    If these two interfaces don't connect to
-  and DMZ or if you    want to enable a different set of hosts, modify /etc/shorewall/routestopped 
+your local network    and DMZ or if you    want to enable a different set
-     accordingly.</p>
+of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
       </div>
 <div align="left">          
@ -1090,12 +1097,12 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
  added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
-  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
+   an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-  and    test it using the <a href="Documentation.htm#Starting">"shorewall 
+   and    test it using the <a
- try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
       </div>
-<p align="left"><font size="2">Last updated 10/22/2002 - <a
+<p align="left"><font size="2">Last updated 11/21/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -1106,5 +1113,7 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/troubleshoot.htm
+++ b/STABLE/documentation/troubleshoot.htm
@ -28,60 +28,61 @@
 <h3 align="left">Check the Errata</h3>
 <p align="left">Check the <a href="errata.htm">Shorewall Errata</a>  to be
-sure   that there isn't an update that you are missing for your version of
+ sure   that there isn't an update that you are missing for your version
-the   firewall.</p>
+of  the   firewall.</p>
 <h3 align="left">Check the FAQs</h3>
 <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
-problems.</p>
+ problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
        If you receive an error message when starting or restarting the firewall
-and you can't determine the cause, then do the following:   
+ and you can't determine the cause, then do the following:     
 <ul>
       <li>shorewall debug start 2&gt; /tmp/trace</li>
       <li>Look at the /tmp/trace file and see if that helps you     determine
-what the problem is.</li>
+ what the problem is.</li>
       <li>If you still can't determine what's wrong then see the     <a
 href="support.htm">support page</a>.</li>
 </ul>
-<h3>Your test environment</h3>
+<h3>Your network environment</h3>
 <p>Many times when people have problems with Shorewall, the problem is  
- actually an ill-conceived test setup. Here are several popular snafus: </p>
+ actually an ill-conceived network setup. Here are several popular snafus:
 </p>
 <ul>
       <li>Port           Forwarding where client and server are in the same
-subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+ subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
       <li>Changing the IP address of a local system to be in the external
-subnet,      thinking that Shorewall will suddenly believe that the system
+ subnet,      thinking that Shorewall will suddenly believe that the system
-is in the      'net' zone.</li>
+ is in the      'net' zone.</li>
-     <li>Multiple interfaces connected to the same HUB or Switch. Given the
+       <li>Multiple interfaces connected to the same HUB or Switch. Given 
-way      that the Linux kernel respond to ARP "who-has" requests, this type
+the way      that the Linux kernel respond to ARP "who-has" requests, this 
-of setup      does NOT work the way that you expect it to.</li>
+type of setup      does NOT work the way that you expect it to.</li>
 </ul>
 <h3 align="left">If you are having connection problems:</h3>
 <p align="left">If the appropriate policy for the connection that you are
-trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
+ trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
-TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
+ TO MAKE IT WORK. Such additional rules will NEVER make it work, they add 
-to your rule set and they represent a big security hole in the event that
+clutter to your rule set and they represent a big security hole in the event 
-you forget to remove them later.</p>
+that you forget to remove them later.</p>
 <p align="left">I also recommend against setting all of your policies to
       ACCEPT in an effort to make something work. That robs you of one of
-your        best diagnostic tools - the "Shorewall" messages that Netfilter
+ your        best diagnostic tools - the "Shorewall" messages that Netfilter
-will        generate when you try to connect in a way that isn't permitted
+ will        generate when you try to connect in a way that isn't permitted
-by your        rule set.</p>
+ by your        rule set.</p>
 <p align="left">Check your log. If you don't see Shorewall  messages, then
-your problem is probably NOT a Shorewall problem. If you DO see packet messages,
+ your problem is probably NOT a Shorewall problem. If you DO see packet messages,
-it may be an indication that you are missing one or more rules -- see <a
+ it may be an indication that you are missing one or more rules -- see <a
 href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear 
@ -97,13 +98,13 @@ it may be an indication that you are missing one or more rules -- see <a
        <font face="Century Gothic, Arial, Helvetica">            
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
-LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
+ LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
           </font>            
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
       <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
+ -- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
     <a href="FAQ.htm#faq17">FAQ 17).</a></li>
       <li>IN=eth2 - the packet entered the firewall via eth2</li>
       <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
@ -115,9 +116,14 @@ LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</f
 </ul>
 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and  192.168.1.3
-is in the "loc" zone. I was missing the rule:</p>
+ is in the "loc" zone. I was missing the rule:</p>
-<p align="left">ACCEPT    dmz    loc    udp    53</p>
+<p align="left">ACCEPT    dmz    loc    udp    53<br>
 </p>
 <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information 
 about how to interpret the chain name appearing in a Shorewall log message.<br>
 </p>
 <h3 align="left">Other Gotchas</h3>
@ -126,60 +132,60 @@ is in the "loc" zone. I was missing the rule:</p>
      chains? This means that:          
    <ol>
         <li>your zone definitions are screwed up and the host that is sending
-the        packets or the destination host isn't in any zone (using an  
+ the        packets or the destination host isn't in any zone (using an 
-    <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
+     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
-       or</li>
+you?);         or</li>
         <li>the source and destination hosts are both connected to the same
        interface and that interface doesn't have the 'multi' option specified
-in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+ in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
       </li>
       <li>Remember that Shorewall doesn't automatically allow ICMP     type
-8 ("ping") requests to be sent between zones. If you want     pings to be
+ 8 ("ping") requests to be sent between zones. If you want     pings to be
-allowed between zones, you need a rule of the form:<br>
+ allowed between zones, you need a rule of the form:<br>
        <br>
            ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
-icmp        echo-request<br>
+ icmp        echo-request<br>
        <br>
-      The ramifications of this can be subtle. For example, if you have the
+        The ramifications of this can be subtle. For example, if you have 
-     following in /etc/shorewall/nat:<br>
+the      following in /etc/shorewall/nat:<br>
        <br>
            10.1.1.2    eth0        130.252.100.18<br>
        <br>
-      and you ping 130.252.100.18, unless you have allowed icmp type 8 between 
+        and you ping 130.252.100.18, unless you have allowed icmp type 8
-the     zone containing the system you are pinging from and the zone containing
+between  the     zone containing the system you are pinging from and the
-     10.1.1.2, the ping requests will be dropped. This is true even if you 
+zone containing       10.1.1.2, the ping requests will be dropped. This is
-have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
+true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
       <li>If you specify "routefilter" for an interface,     that interface
-must be up prior to starting the firewall.</li>
+ must be up prior to starting the firewall.</li>
-     <li>Is your routing correct? For example, internal systems usually need
+       <li>Is your routing correct? For example, internal systems usually 
-to      be configured with their default gateway set to the IP address of
+need to      be configured with their default gateway set to the IP address 
-their      nearest firewall interface. One often overlooked aspect of routing
+of their      nearest firewall interface. One often overlooked aspect of routing
 is that      in order for two hosts to communicate, the routing between them
 must be set      up <u>in both directions.</u> So when setting up routing
-between <b>A</b>      and<b> B</b>, be sure to verify that the route from
+ between <b>A</b>      and<b> B</b>, be sure to verify that the route from
     <b>B</b> back to <b>A</b>      is defined.</li>
-     <li>Some versions of LRP (EigerStein2Beta for example) have a     shell
+       <li>Some versions of LRP (EigerStein2Beta for example) have a    
-with broken variable expansion. <a
+shell  with broken variable expansion. <a
 href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
-shell from the Shorewall Errata download site.</a>     </li>
+ shell from the Shorewall Errata download site.</a>     </li>
       <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
       <li>Some features require the "ip" program. That     program is generally
-included in the "iproute" package which should     be included with your
+ included in the "iproute" package which should     be included with your
 distribution (though many distributions don't install     iproute by    
 default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
-.</li>
+ .</li>
       <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
-then the zone must be entirely   defined in /etc/shorewall/hosts unless you
+ then the zone must be entirely   defined in /etc/shorewall/hosts unless
-have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
+you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
 For example, if a zone has two interfaces but   only one interface has an
 entry in /etc/shorewall/hosts then hosts attached to   the other interface
 will     <u>not</u> be considered part of the zone.</li>
-     <li>Problems with NAT? Be sure that you let Shorewall add all     external
+       <li>Problems with NAT? Be sure that you let Shorewall add all    
-addresses to be use with NAT unless you have set <a
+external  addresses to be use with NAT unless you have set <a
 href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
 </ul>
@ -190,10 +196,10 @@ addresses to be use with NAT unless you have set <a
          <font face="Century Gothic, Arial, Helvetica">            
 <blockquote> </blockquote>
           </font>              
-<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-  <br>
+</p>
 </body>
 </html>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -68,9 +68,9 @@ for this  program:</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
          If you edit your configuration files on a Windows system, you must
  save them as  Unix files if your editor supports that option or you must
-run them through  dos2unix before trying to use them. Similarly, if you copy 
+ run them through  dos2unix before trying to use them. Similarly, if you
-a configuration file  from your Windows hard drive to a floppy disk, you must
+copy  a configuration file  from your Windows hard drive to a floppy disk,
-run dos2unix against the  copy before using it with Shorewall.</p>
+you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
@ -82,10 +82,10 @@ run dos2unix against the  copy before using it with Shorewall.</p>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
+<p>The configuration files for Shorewall are contained in the directory 
-- for simple setups, you will only need to deal with a few of  these as
+/etc/shorewall -- for simple setups, you will only need to deal with a few
-described in this guide.  After you have <a href="Install.htm">installed
+of  these as described in this guide.  After you have <a
-Shorewall</a>,  download the <a
+ href="Install.htm">installed Shorewall</a>,  download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
  un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall 
   (these files will replace files with the same name).</p>
@ -139,11 +139,11 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
  checked against the  /etc/shorewall/rules file. If no rule in that file 
 matches  the connection  request then the first policy in /etc/shorewall/policy 
 that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common
+the request is first  checked against the rules in /etc/shorewall/common (the
-(the samples provide that  file for you).</p>
+samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -212,11 +212,12 @@ has the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-       <li>allow all connection requests from your local network to the internet</li>
+        <li>allow all connection requests from your local network to the
 internet</li>
        <li>drop (ignore) all connection requests from the internet to your 
 firewall     or local network</li>
        <li>optionally accept all connection requests from the firewall to
-the     internet (if you uncomment the additional policy)</li>
+ the     internet (if you uncomment the additional policy)</li>
        <li>reject all other connection requests.</li>
 </ol>
@ -231,15 +232,15 @@ the     internet (if you uncomment the additional policy)</li>
 height="635">
     </p>
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
   <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
   <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem, 
+ a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
-your External  Interface will also be <b>ppp0</b>. If you connect via ISDN, 
+ your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
-your external  interface will be <b>ippp0.</b></p>
+ your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -256,9 +257,9 @@ using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
     </b></u>Do not connect the internal and external interface  to the same
- hub or switch (even for testing). It won't work the way that you think that 
+  hub or switch (even for testing). It won't work the way that you think
- it will and you will end up confused and  believing that Shorewall doesn't 
+that   it will and you will end up confused and  believing that Shorewall
- work at all.</p>
+doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
@ -292,8 +293,8 @@ connection   when you dial in (standard modem) or establish your PPP connection.
 In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
 means that  you  configure your firewall's external interface to use that 
 address permanently.<i>  </i>However your external address is assigned, it 
-will be shared by all of your systems when you access the  Internet. You
+will be shared by all of your systems when you access the  Internet. You will
-will have to assign your  own addresses in your  internal network (the Internal
+have to assign your  own addresses in your  internal network (the Internal 
 Interface on your firewall  plus your other  computers). RFC 1918 reserves 
 several <i>Private </i>IP address ranges for this  purpose:</p>
@ -304,10 +305,10 @@ several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-           Before starting Shorewall, you should look at the IP address of
+            Before starting Shorewall, you should look at the IP address
- your  external    interface and if it is one of the above ranges, you should
+of  your  external    interface and if it is one of the above ranges, you
- remove  the    'norfc1918' option from the external interface's entry in
+should  remove  the    'norfc1918' option from the external interface's entry
-   /etc/shorewall/interfaces.</p>
+in    /etc/shorewall/interfaces.</p>
     </div>
 <div align="left">        
@ -316,11 +317,11 @@ several <i>Private </i>IP address ranges for this  purpose:</p>
     to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet 
  will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 
 is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as 
-the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
+the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
-described  using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
+ using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
-</i>(CIDR)  notation</a> with consists of the subnet address followed   
+ notation</a> with consists of the subnet address followed    by "/24". The
-by "/24". The  "24" refers to the number of    consecutive leading "1" bits
+ "24" refers to the number of    consecutive leading "1" bits from the left
-from the left  of the subnet mask. </p>
+ of the subnet mask. </p>
     </div>
 <div align="left">        
@ -370,9 +371,9 @@ systems send packets    through a<i>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-        Your local computers (computer    1 and computer 2 in the above diagram)
+         Your local computers (computer    1 and computer 2 in the above
-  should be configured with their<i>    default gateway</i> to be the IP
+diagram)   should be configured with their<i>    default gateway</i> to be
-address   of the firewall's internal    interface.<i>      </i> </p>
+the IP address   of the firewall's internal    interface.<i>      </i> </p>
     </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -399,18 +400,18 @@ address   of the firewall's internal    interface.<i>
  host, the  firewall must perform <i>Network Address Translation </i>(NAT). 
  The firewall  rewrites the source address in the packet to be the address 
  of the firewall's  external interface; in other words, the firewall makes 
-  it look as if the firewall  itself is initiating the connection.  This
+  it look as if the firewall  itself is initiating the connection.  This is
-is   necessary so that the  destination host will be able to route return
+  necessary so that the  destination host will be able to route return packets
-packets   back to the firewall  (remember that packets whose destination
+  back to the firewall  (remember that packets whose destination address
-address is   reserved by RFC 1918 can't  be routed across the internet so
+is   reserved by RFC 1918 can't  be routed across the internet so the remote
-the remote host  can't address its response to  computer 1). When the firewall
+host  can't address its response to  computer 1). When the firewall receives
-receives a return packet, it  rewrites the destination address  back to 10.10.10.1
+a return packet, it  rewrites the destination address  back to 10.10.10.1 
 and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
        <li>                            
@ -432,8 +433,8 @@ with  Netfilter:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-        If your external firewall interface is <b>eth0</b>, you do not  need
+         If your external firewall interface is <b>eth0</b>, you do not 
-  to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq
+need   to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq 
  and change the first column to the name of your external  interface and 
 the  second column to the name of your internal interface.</p>
@ -450,14 +451,14 @@ the  second column to the name of your internal interface.</p>
   local computers. Because these computers have RFC-1918 addresses, it is 
 not  possible for clients on the internet to connect directly to them. It 
 is rather  necessary for those clients to address their connection requests 
- to the firewall  who rewrites the destination address to the address of
+ to the firewall  who rewrites the destination address to the address of your
-your   server and forwards  the packet to that server. When your server responds,
+  server and forwards  the packet to that server. When your server responds, 
  the firewall automatically  performs SNAT to rewrite the source address 
 in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
   Destination Network Address Translation</i> (DNAT). You configure port
-forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
  is:</p>
@ -479,7 +480,7 @@ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
            <td>DNAT</td>
            <td>net</td>
            <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
-port&gt;</i>]</td>
+ port&gt;</i>]</td>
            <td><i>&lt;protocol&gt;</i></td>
            <td><i>&lt;port&gt;</i></td>
            <td> </td>
@ -524,13 +525,13 @@ port&gt;</i>]</td>
 <ul>
        <li>You must test the above rule from a client outside of your local
- network    (i.e., don't test from a browser running on computers 1 or 2 or
+  network    (i.e., don't test from a browser running on computers 1 or 2
- on the    firewall). If you want to be able to access your web server using
+or  on the    firewall). If you want to be able to access your web server
- the IP    address of your external interface, see <a
+using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
        <li>Many ISPs block incoming connection requests to port 80. If you 
- have     problems connecting to your web server, try the following rule
+ have     problems connecting to your web server, try the following rule and
-and  try     connecting to port 5000.</li>
+ try     connecting to port 5000.</li>
 </ul>
@ -563,15 +564,15 @@ and  try     connecting to port 5000.</li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
         At this point, modify  /etc/shorewall/rules to add any DNAT rules
-that  you require.</p>
+ that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
  an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
- will be  automatically configured (e.g., the /etc/resolv.conf file will
+ will be  automatically configured (e.g., the /etc/resolv.conf file will be
-be  written).  Alternatively, your ISP may have given you the IP address
+ written).  Alternatively, your ISP may have given you the IP address of
-of a  pair of DNS <i> name servers</i> for you to manually configure as your
+a  pair of DNS <i> name servers</i> for you to manually configure as your 
 primary  and secondary  name servers. Regardless of how DNS gets configured 
 on your  firewall, it is <u>your</u> responsibility to configure the resolver 
 in your   internal systems. You can take one of two approaches:</p>
@ -579,25 +580,25 @@ in your   internal systems. You can take one of two approaches:</p>
 <ul>
        <li>                            
    <p align="left">You can configure your internal systems to use your ISP's 
-  name    servers. If you ISP gave you the addresses of their servers or
+  name    servers. If you ISP gave you the addresses of their servers or if
-if   those    addresses are available on their web site, you can configure
+  those    addresses are available on their web site, you can configure your
-your   internal    systems to use those addresses. If that information isn't
+  internal    systems to use those addresses. If that information isn't available,
-available,   look in    /etc/resolv.conf on your firewall system -- the name
+  look in    /etc/resolv.conf on your firewall system -- the name servers
-servers are  given in    "nameserver" records in that file.   </p>
+are  given in    "nameserver" records in that file.   </p>
       </li>
       <li>                            
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         You can configure a<i> Caching Name Server </i>on your    firewall.<i> 
      </i>Red Hat has an RPM for a caching name server (the RPM also    requires 
-  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you   
+  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take
-take   this approach, you configure your internal systems to use the firewall
+  this approach, you configure your internal systems to use the firewall 
  itself as their primary (and only) name server. You use the internal IP 
   address of the firewall (10.10.10.254 in the example above) for the name 
-     server address. To allow your local systems to talk to your caching
+     server address. To allow your local systems to talk to your caching name
-name      server, you must open port 53 (both UDP and TCP) from the local
+     server, you must open port 53 (both UDP and TCP) from the local network
-network   to the    firewall; you do that by adding the following rules in
+  to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
-/etc/shorewall/rules.       </p>
+      </p>
       </li>
 </ul>
@ -807,13 +808,12 @@ network   to the    firewall; you do that by adding the following rules in
 <div align="left">        
 <p align="left">Those two rules would of course be in addition to the rules 
-     listed above under "You can configure a Caching Name Server on your
+     listed above under "You can configure a Caching Name Server on your firewall"</p>
 firewall"</p>
     </div>
 <div align="left">        
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
     </div>
 <div align="left">        
@ -855,7 +855,7 @@ application uses, look <a href="ports.htm">here</a>.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         Now edit your    /etc/shorewall/rules file to add or delete other
-connections  as required.</p>
+ connections  as required.</p>
     </div>
 <div align="left">        
@ -867,14 +867,14 @@ connections  as required.</p>
 width="13" height="13" alt="Arrow">
        The <a href="Install.htm">installation procedure </a>   configures
  your system to start Shorewall at system boot  but beginning with Shorewall
-version 1.3.9 startup is disabled so that your system won't try to start Shorewall
+ version 1.3.9 startup is disabled so that your system won't try to start
-before configuration is complete. Once you have completed configuration of
+Shorewall before configuration is complete. Once you have completed configuration
-your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
     </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
 color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
-and set 'startup=1'.</font><br>
+ and set 'startup=1'.</font><br>
    </p>
      </div>
@ -893,7 +893,7 @@ and set 'startup=1'.</font><br>
 height="13">
         The two-interface sample assumes that you want to enable    routing
  to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If 
-your local network isn't connected to <b>eth1</b> or if you wish to enable 
+  your local network isn't connected to <b>eth1</b> or if you wish to enable
    access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
     </div>
@ -903,12 +903,12 @@ your local network isn't connected to <b>eth1</b> or if you wish to enable
 added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
-  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
+  an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-  and    test it using the <a href="Documentation.htm#Starting">"shorewall
+  and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
 try" command</a>.</p>
     </div>
-<p align="left"><font size="2">Last updated 10/9/2002 - <a
+<p align="left"><font size="2">Last updated 11/21/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -918,5 +918,6 @@ your local network isn't connected to <b>eth1</b> or if you wish to enable
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/upgrade_issues.htm
+++ b/STABLE/documentation/upgrade_issues.htm
@ -170,11 +170,7 @@ So  that the            connection tracking table can be rebuilt<br>
   <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-      <br>
+</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/useful_links.html
+++ b/STABLE/documentation/useful_links.html
@ -48,17 +48,16 @@
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
 src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
 align="middle" hspace="4" border="0">
-<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
+ <img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
 align="middle" border="0">
  </a><br>
  </h3>
  <br>
- <font size="2">Last updated 9/16/2002 - <a
+  <font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font> 
 href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font>
-<p><font face="Trebuchet MS"><a
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font
+ &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
- size="2">Copyright</font>  &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    <br>
   <br>
  <br>
 <br>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.10
+VERSION=1.3.11
 usage() # $1 = exit status
 {
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -187,8 +187,6 @@ run_tc() {
 #
 createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 {
    local target
    run_iptables -N $1
    if [ $# -eq 1 ]; then
@ -281,6 +279,14 @@ deletechain() # $1 = name of chain
    qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
 }
 #
 # Determine if a chain is a policy chain
 #
 is_policy_chain() # $1 = name of chain
 {
    eval test \"\$${1}_is_policy\" = Yes
 }    
 #
 # Set a standard chain's policy
 #
@ -529,7 +535,7 @@ validate_interfaces_file() {
 	for option in `separate_list $options`; do
 	    case $option in
-	    dhcp|noping|filterping|routestopped|norfc1918|multi)
+	    dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
                ;;
 	    routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		;;
@ -803,7 +809,7 @@ validate_rule() {
    # Validate the Source Zone
    #
    if ! validate_zone $clientzone; then
-	startup_error "Error: Undefined Client Zone in rule \"$rule\""
+	[ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\""
    fi
    source=$clientzone
@ -835,10 +841,18 @@ validate_rule() {
    # Validate the destination zone
    #
    if ! validate_zone $serverzone; then
-	startup_error "Error: Undefined Server Zone in rule \"$rule\""
+	[ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\""
    fi
    dest=$serverzone
    chain=${source}2${dest}
    if [ "x$chain" = x${FW}2${FW} ]; then
 	error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
 	return
    fi
    #
    # Check length of port lists if MULTIPORT set
    #
@ -923,6 +937,17 @@ validate_policy()
 	    ;;
 	esac
 	chain=${client}2${server}
 	[ "x$chain" = "x${FW}2${FW}" ] && \
 	    startup_error "Error: fw->fw policy not allowed: $policy"
 	if is_policy_chain $chain ; then
 	    startup_error "Error: Duplicate policy $policy"
 	fi
 	eval ${client}2${server}_is_policy=Yes
    done < $TMP_DIR/policy
 }
@ -1211,7 +1236,7 @@ setup_tunnels() # $1 = name of tunnels file
    setup_pptp_client() # $1 = gateway
    {
 	addrule $outchain -p 47               -d $1 -j ACCEPT
-	addrule $inchain  -p 47               -s $1 -j ACCEPT
+	addrule $inchain  -p 47               -j ACCEPT
 	addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT
 	echo "   PPTP tunnel to $1 defined."
@ -1970,17 +1995,22 @@ add_a_rule()
 #
 # Process a record from the rules file
 #
-# The caller has loaded the column contents from the record into the following
+process_rule() # $1 = target
-# variables:
+               # $2 = clients
-#
+               # $3 = servers
-#   target clients servers protocol ports cports address
+               # $4 = protocol
-#
+               # $5 = ports
-# and has loaded a space-separated list of their values in "rule".
+               # $6 = cports
-#
+               # $7 = address 
-# The 'multioption' variable has also been loaded appropriately to reflect
+{
-# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf
+    local target="$1"
-#
+    local clients="$2"
-process_rule() {
+    local servers="$3"
    local protocol="$4"
    local ports="$5"
    local cports="$6"
    local address="$7"
    local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
    # Function Body -- isolate log level
@ -2072,6 +2102,12 @@ process_rule() {
    # Create canonical chain if necessary
    chain=${source}2${dest}
    if [ "x$chain" = x${FW}2${FW} ]; then
 	error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
 	return
    fi
    ensurechain $chain
    # Generate Netfilter rule(s)
@ -2111,20 +2147,49 @@ process_rule() {
 #
 process_rules() # $1 = name of rules file
 {
-    strip_file rules
+    #
    # Process a rule where the source or destination is "all"
    #
    process_wildcard_rule() {
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
 		if [ "${yclients}" != "${yservers}" ] ; then
 		    process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress
 		fi
 	    done
 	done
    }
-    while read target clients servers protocol ports cports address; do
+    strip_file rules $1
 	case "$target" in
-	ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
+    while read xtarget xclients xservers xprotocol xports xcports xaddress; do
-	    expandv clients servers protocol ports cports address
+	case "$xtarget" in
-	    rule="`echo $target $clients $servers $protocol $ports $cports $address`"
+
-	    process_rule
+	    ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
 		expandv xclients xservers xprotocol xports xcports xaddress
 		if [ "x$xclients" = xall ]; then
 		    xclients="$zones $FW"
 		    if [ "x$xservers" = xall ]; then
 			xservers="$zones $FW"
 		    fi
 		    process_wildcard_rule
 		    continue
 		fi
 		if [ "x$xservers" = xall ]; then
 		    xservers="$zones $FW"
 		    process_wildcard_rule
 		    continue
 		fi
 		process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
 		;;
 	    *)
-	    rule="`echo $target $clients $servers $protocol $ports $cports $address`"
+		rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
 		fatal_error "Error: Invalid Target in rule \"$rule\""
 		;;
 	esac
    done < $TMP_DIR/rules
 }
@ -3213,6 +3278,47 @@ add_common_rules() {
 	done
    fi
    interfaces=`find_interfaces_by_option tcpflags`
    if [ -n "$interfaces" ]; then
 	echo "Setting up TCP Flags checking..."
 	createchain tcpflags no
 	if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
 	    createchain logflags no
 	    run_iptables -A logflags -j LOG  $LOGPARMS \
 		--log-level $TCP_FLAGS_LOG_LEVEL \
 		--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
 		--log-tcp-options --log-ip-options
 	    case $TCP_FLAGS_DISPOSITION in
 		REJECT)
 		    run_iptables -A logflags -j REJECT --reject-with tcp-reset
 		    ;;
 		*)
 		    run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
 		    ;;
 	    esac
 	    disposition="-j logflags"
 	else
 	    disposition="-j $TCP_FLAGS_DISPOSITION"
 	fi
 	run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition
 	run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE        $disposition
 	run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
 	run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
 	for interface in $interfaces; do
 	    for chain in `first_chains $interface`; do
 		run_iptables -A $chain -p tcp -j tcpflags
 	    done
 	done
    fi
    #
    # Process Black List
    #
@ -3291,7 +3397,7 @@ apply_policy_rules() {
 		run_iptables -I $chain 2 -p tcp --syn -j @$chain
 	else
 	    #
-	    # A wild-card rule. Create the chain and add policy
+	    # The chain doesn't exist. Create the chain and add policy
 	    # rules
 	    #
 	    # We must include the ESTABLISHED and RELATED state
@ -3301,6 +3407,13 @@ apply_policy_rules() {
 	    #
 	    createchain $chain
 	    #
 	    # If either client or server is 'all' then this MUST be
 	    # a policy chain and we must apply the appropriate policy rules
 	    #
 	    # Otherwise, this is a canonical chain which will be handled in
 	    # the for loop below
 	    #
 	    [ "$client" = "all" -o "$server" = "all" ] && \
 		policy_rules $chain $policy $loglevel
@ -3725,6 +3838,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
    blacklist_interfaces=`find_interfaces_by_option blacklist`
    filterping_interfaces=`find_interfaces_by_option filterping`
    maclist_interfaces=`find_interfaces_by_maclist`
    tcpflags_interfaces=`find_interfaces_by_option tcpflags`
    #
    # Normalize the first argument to this function
    #
@ -3788,6 +3902,10 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    rulenum=$(($rulenum + 1))
 		fi
 		if ! list_search $interface $tcpflags_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
 		do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain 
 	    else
 		#
@ -3812,6 +3930,10 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    if ! list_search $interface $maclist_interfaces; then
 			rulenum=$(($rulenum + 1))
 		    fi
 		    if ! list_search $interface $tcpflags_interfaces; then
 			rulenum=$(($rulenum + 1))
 		    fi
 		fi
 		for h in $dest_hosts; do
@ -4078,6 +4200,8 @@ do_initialize() {
    FORWARDPING=
    MACLIST_DISPOSITION=
    MACLIST_LOG_LEVEL=
    TCP_FLAGS_DISPOSITION=
    TCP_FLAGS_LOG_LEVEL=
    stopping=
    have_mutex=
    masq_seq=1
@ -4175,6 +4299,18 @@ do_initialize() {
 	MACLIST_DISPOSITION=REJECT
    fi
    if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
 	case $TCP_FLAGS_DISPOSITION in
 	    REJECT|ACCEPT|DROP)
 		;;
 	    *)
 		startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
 		;;
 	esac
    else
 	TCP_FLAGS_DISPOSITION=DROP
    fi
 }
 #
@ -4246,7 +4382,8 @@ case "$command" in
    status)
 	[ $# -ne 1 ] && usage
-	echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
+	echo "Shorewall-$version Status at $HOSTNAME - `date`"
 	echo
 	iptables -L -n -v
 	;;
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.10
+VERSION=1.3.11
 usage() # $1 = exit status
 {
@ -68,15 +68,17 @@ usage() # $1 = exit status
 run_install()
 {
    if ! install $*; then
-	echo -e "\nERROR: Failed to install $*"
+	echo
 	echo "ERROR: Failed to install $*"
 	exit 1
    fi
 }
 cant_autostart()
 {
-    echo -e "\nWARNING: Unable to configure Shorewall to start"
+    echo
-echo    "           automatically at boot"
+    echo  "WARNING: Unable to configure Shorewall to start"
    echo  "           automatically at boot"
 }
 backup_file() # $1 = file to backup
@ -224,7 +226,8 @@ fi
 install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
-echo -e "\nShorewall control program installed in ${PREFIX}/sbin/shorewall"
+echo
 echo "Shorewall control program installed in ${PREFIX}/sbin/shorewall"
 #
 # Install the Firewall Script
@ -240,7 +243,8 @@ if [ -n "$RUNLEVELS" ]; then
    awk -f awk.temp init.sh > init.temp
    if [ $? -ne 0 ]; then
-	echo -e "\nERROR: Error running awk."
+	echo
 	echo    "ERROR: Error running awk."
 	echo    "         You must run `basename $0` without the "-r" option then edit"
 	echo    "         $DEST/$FIREWALL  manually (line beginning '# chkconfig:')"
 	exit 1
@ -253,7 +257,8 @@ else
    install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
 fi
-echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
+echo
 echo  "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
 #
 # Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed
@ -268,7 +273,8 @@ if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
   backup_file /etc/shorewall/shorewall.conf
 else
   run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
-   echo -e "\nConfig file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
+   echo
   echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
 fi
 #
 # Install the zones file
@ -277,7 +283,8 @@ if [ -f ${PREFIX}/etc/shorewall/zones ]; then
    backup_file /etc/shorewall/zones
 else
    run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
-    echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/zones"
+    echo
    echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
 fi
 #
@ -295,19 +302,22 @@ fi
 install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
-echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions"
+echo
 echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions"
 #
 # Install the common.def file
 #
 install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
-echo -e "\nCommon rules installed in ${PREFIX}/etc/shorewall/common.def"
+echo
 echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
 #
 # Install the icmp.def file
 #
 install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
-echo -e "\nCommon ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
+echo
 echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
 #
 # Install the policy file
@ -316,7 +326,8 @@ if [ -f ${PREFIX}/etc/shorewall/policy ]; then
    backup_file /etc/shorewall/policy
 else
    run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
-    echo -e "\nPolicy file installed as ${PREFIX}/etc/shorewall/policy"
+    echo
    echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
 fi
 #
 # Install the interfaces file
@ -325,7 +336,8 @@ if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
    backup_file /etc/shorewall/interfaces
 else
    run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
-    echo -e "\nInterfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
+    echo
    echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
 fi
 #
 # Install the hosts file
@ -334,7 +346,8 @@ if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
    backup_file /etc/shorewall/hosts
 else
    run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
-    echo -e "\nHosts file installed as ${PREFIX}/etc/shorewall/hosts"
+    echo
    echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
 fi
 #
 # Install the rules file
@ -343,7 +356,8 @@ if [ -f ${PREFIX}/etc/shorewall/rules ]; then
    backup_file /etc/shorewall/rules
 else
    run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
-    echo -e "\nRules file installed as ${PREFIX}/etc/shorewall/rules"
+    echo
    echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
 fi
 #
 # Install the NAT file
@ -352,7 +366,8 @@ if [ -f ${PREFIX}/etc/shorewall/nat ]; then
    backup_file /etc/shorewall/nat
 else
    run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
-    echo -e "\nNAT file installed as ${PREFIX}/etc/shorewall/nat"
+    echo
    echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
 fi
 # 
 # Install the Parameters file
@ -361,7 +376,8 @@ if [ -f ${PREFIX}/etc/shorewall/params ]; then
    backup_file /etc/shorewall/params
 else
    run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params   
-    echo -e "\nParameter file installed as ${PREFIX}/etc/shorewall/params"
+    echo
    echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
 fi
 #
 # Install the proxy ARP file
@ -370,7 +386,8 @@ if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
    backup_file /etc/shorewall/proxyarp
 else
    run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
-    echo -e "\nProxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
+    echo
    echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
 fi
 #
 # Install the Stopped Routing file
@ -379,7 +396,8 @@ if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
    backup_file /etc/shorewall/routestopped
 else
    run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
-    echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
+    echo
    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
 #
 # Install the Mac List file
@ -388,7 +406,8 @@ if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
    backup_file /etc/shorewall/maclist
 else
    run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
-    echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist"
+    echo
    echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
 fi
 #
 # Install the Masq file
@ -397,7 +416,8 @@ if [ -f ${PREFIX}/etc/shorewall/masq ]; then
    backup_file /etc/shorewall/masq
 else
    run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
-    echo -e "\nMasquerade file installed as ${PREFIX}/etc/shorewall/masq"
+    echo
    echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
 fi
 #
 # Install the Modules file
@ -406,7 +426,8 @@ if [ -f ${PREFIX}/etc/shorewall/modules ]; then
    backup_file /etc/shorewall/modules
 else
    run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
-    echo -e "\nModules file installed as ${PREFIX}/etc/shorewall/modules"
+    echo
    echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
 fi
 #
 # Install the TC Rules file
@ -415,7 +436,8 @@ if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
    backup_file /etc/shorewall/tcrules
 else
    run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
-    echo -e "\nTC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
+    echo
    echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
 fi
 #
@ -425,7 +447,8 @@ if [ -f ${PREFIX}/etc/shorewall/tos ]; then
    backup_file /etc/shorewall/tos
 else
    run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
-    echo -e "\nTOS file installed as ${PREFIX}/etc/shorewall/tos"
+    echo
    echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
 fi
 #
 # Install the Tunnels file
@ -434,7 +457,8 @@ if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
    backup_file /etc/shorewall/tunnels
 else
    run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
-    echo -e "\nTunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
+    echo
    echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
 fi
 #
 # Install the blacklist file
@ -443,7 +467,8 @@ if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
    backup_file /etc/shorewall/blacklist
 else
    run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
-    echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
+    echo
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
 # Backup and remove the whitelist file
@ -459,7 +484,8 @@ if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
    backup_file /etc/shorewall/rfc1918
 else
    run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
-    echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
+    echo
    echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
 fi
 #
 # Backup the version file
@ -498,20 +524,23 @@ install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544
 if [ -z "$PREFIX" -a -n "$first_install" ]; then
    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
    	if insserv /etc/init.d/shorewall ; then
-	    echo -e "\nFirewall will start automatically at boot"
+	    echo
 	    echo "Firewall will start automatically at boot"
 	else
 	    cant_autostart
 	fi
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	if chkconfig --add $FIREWALL ; then
-	    echo -e "\nFirewall will start automatically in run levels as follows:"
+	    echo
 	    echo "Firewall will start automatically in run levels as follows:"
 	    chkconfig --list $FIREWALL
 	else
 	    cant_autostart
 	fi
    elif [ -x /sbin/rc-update ]; then
 	if rc-update add shorewall default; then
-	    echo -e "\nFirewall will start automatically at boot"
+	    echo
 	    echo "Firewall will start automatically at boot"
 	else
 	    cant_autostart
 	fi
@ -528,4 +557,5 @@ fi
 #
 #  Report Success
 #
-echo -e "\nShorewall Version $VERSION Installed"
+echo
 echo "Shorewall Version $VERSION Installed"
--- a/STABLE/interfaces
+++ b/STABLE/interfaces
@ -20,6 +20,8 @@
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
 #			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
 #			column is left black.If the interface has multiple
@ -89,6 +91,14 @@
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #			tcpflags     - Packets arriving on this interface are
 #				       checked for certain illegal combinations
 #				       of TCP flags. Packets found to have
 #				       such a combination of flags are handled
 #				       according to the setting of
 #				       TCP_FLAGS_DISPOSITION after having been
 #				       logged according to the setting of
 #				       TCP_FLAGS_LOG_LEVEL.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
--- a/STABLE/policy
+++ b/STABLE/policy
@ -17,6 +17,10 @@
 #	DEST		Destination zone. Must be the name of a zone defined
 #			in /etc/shorewall/zones, $FW or "all"
 #
 #		WARNING: Firewall->Firewall policies are not allowed; if
 #			 you have a policy where both SOURCE and DEST are $FW,
 #			 Shorewall will not start!
 #
 #	POLICY		Policy if no match from the rules file is found. Must
 #			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -1,27 +1,23 @@
-This is a minor release of Shorewall that has a number of new features..
+This is a minor release of Shorewall that has a couple of new features.
 New features include:
-1) You may now define the contents of a zone dynamically with the 
+1) A 'tcpflags' option has been added to entries in
-   "shorewall add" and "shorewall delete" commands. These commands
+   /etc/shorewall/interfaces. This option causes Shorewall to make a
-   are expected to be used primarily within FreeS/Wan updown scripts.
+   set of sanity check on TCP packet header flags.
-2) Shorewall can now do MAC verification on ethernet segments. You can
+2) It is now allowed to use 'all' in the SOURCE or DEST column in a
-   specify the set of allowed MAC addresses on the segment and you can
+   rule. When used, 'all' must appear by itself (in may not be
-   optionally tie each MAC address to an IP address.
+   qualified) and it does not enable intra-zone traffic (e.g., the rule
   "ACCEPT loc	  all	  tcp 80" does not enable http traffic from
   'loc' to 'loc').
 3) Shorewall's use of the 'echo' command is now compatible with bash
   clones such as ash and dash.
 4) fw->fw policies now generate a startup error. fw->fw rules generate
   a warning and are ignored.
 3) PPTP Servers and Clients running on the firewall system may now be
   defined in the /etc/shorewall/tunnels file.
 4) A new 'ipsecnat' tunnel type is supported for use when the remote
   IPSEC endpoint is behind a NAT gateway.
 5) The PATH used by Shorewall may now be specified in
   /etc/shorewall/shorewall.conf.
 6) The main firewall script is now /usr/lib/shorewall/firewall. The
   script in /etc/init.d/shorewall is very small and uses
   /sbin/shorewall to do the real work. This change makes custom
   distributions such as for Debian and for Gentoo easier to manage
   since it is /etc/init.d/shorewall that tends to have
   distribution-dependent code.
--- a/STABLE/rules
+++ b/STABLE/rules
@ -32,17 +32,18 @@
 #			logged at the specified level.
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
-#                       defined in /etc/shorewall/zones or $FW to indicate the
+#                       defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself. If the ACTION is DNAT or REDIRECT,
+#			firewall itself, or "all" If the ACTION is DNAT or
-#			sub-zones of the specified zone may be excluded from
+#			REDIRECT, sub-zones of the specified zone may be
-#			the rule by following the zone name with "!' and a
+#			excluded from the rule by following the zone name with
-#			comma-separated list of sub-zone names.
+#			"!' and a comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a list of subnets
+#			Except when "all" is specified, clients may be further
-#			and/or hosts by appending ":" and a comma-separated
+#			restricted to a list of subnets and/or hosts by
-#			list of subnets and/or hosts. Hosts may be specified
+#			appending ":" and a comma-separated list of subnets
-#			by IP or MAC address; mac addresses must begin with
+#			and/or hosts. Hosts may be specified by IP or MAC
-#			"~" and must use "-" as a separator.
+#			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@ -64,12 +65,13 @@
 #			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or $FW to indicate the firewall
+#			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself.
+#			itself or "all"
 #
-#			The server may be further restricted to a particular
+#			Except when "all" is specified, the server may be
-#			subnet, host or interface by appending ":" and the
+#			further restricted to a particular subnet, host or
-#			subnet, host or interface. See above.
+#			interface by appending ":" and the subnet, host or
 #			interface. See above.
 #
 #				Restrictions:
 #
--- a/STABLE/shorewall
+++ b/STABLE/shorewall
@ -150,8 +150,10 @@ display_chains()
 	iptables -L -n -v > /tmp/chains-$$
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "Standard Chains\\n"
+	echo
 	echo "Standard Chains"
 	echo
 	firstchain="Yes"
 	showchain INPUT
 	showchain OUTPUT
@ -160,9 +162,11 @@ display_chains()
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo -e "Input Chains\\n"
+	echo "Input Chains"
 	echo
 	chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -176,10 +180,12 @@ display_chains()
 	    if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
 		clear
-		echo -e "$banner `date`\\n"
+		echo "$banner `date`"
 		echo
 		firstchain=Yes
 		eval display=\$${zone}_display
-		echo -e "$display Chains\\n"
+		echo "$display Chains"
 		echo
 		for zone1 in $FW $zones; do
 		    showchain ${zone}2$zone1
 		    showchain @${zone}2$zone1
@ -193,9 +199,11 @@ display_chains()
 	done
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo -e "Policy Chains\\n"
+	echo "Policy Chains"
 	echo
 	showchain common
 	showchain badpkt
 	showchain icmpdef
@ -212,9 +220,11 @@ display_chains()
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo -e "Dynamic Chain\\n"
+	echo "Dynamic Chain"
 	echo
 	showchain dynamic
 	timed_read
@ -309,9 +319,11 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	display_chains
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
-	echo -e "Dropped/Rejected Packet Log\\n"
+	echo "Dropped/Rejected Packet Log"
 	echo
 	show_reset
@ -319,11 +331,14 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
-	    echo -e '\a'
+	    
 	    $RING_BELL
 	    packet_log 20
 	    if [ "$pause" = "Yes" ]; then
-		echo -en '\nEnter any character to continue: '
+		echo
 		echo $ECHO_N 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@ -335,26 +350,37 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	fi
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "NAT Status\\n"
+	echo
 	echo "NAT Status"
 	echo
 	iptables -t nat -L -n -v
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "\\nTOS/MARK Status\\n"
+	echo
 	echo
 	echo "TOS/MARK Status"
 	echo
 	iptables -t mangle -L -n -v
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "\\nTracked Connections\\n"
+	echo
 	echo
 	echo "Tracked Connections"
 	echo
 	cat /proc/net/ip_conntrack
 	timed_read
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
-	echo -e "\\nTraffic Shaping/Control\\n"
+	echo
 	echo
 	echo "Traffic Shaping/Control"
 	echo
 	show_tc
 	timed_read
    done
@ -383,9 +409,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    while true; do
 	clear
-	echo -e "$banner `date`\\n"
+	echo "$banner `date`"
 	echo
-	echo -e "Dropped/Rejected Packet Log\\n"
+	echo "Dropped/Rejected Packet Log"
 	echo
 	show_reset
@ -393,11 +421,14 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
-	    echo -e '\a'
+
 	    $RING_BELL
 	    packet_log 40
 	    if [ "$pause" = "Yes" ]; then
-		echo -en '\nEnter any character to continue: '
+		echo
 		echo $ECHO_N 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@ -445,7 +476,8 @@ usage() # $1 = exit status
 #
 show_reset() {
    [ -f $STATEDIR/restarted ] && \
-	echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
+	echo "Counters reset `cat $STATEDIR/restarted`" && \
 	echo
 }
 #
@ -537,6 +569,24 @@ banner="Shorewall-$version Status at $HOSTNAME -"
 get_statedir
 case `echo -e` in
    -e*)
 	RING_BELL="echo \'\a\'"
 	;;
    *)
 	RING_BELL="echo -e \'\a\'"
 	;;
 esac
 case `echo -n "Testing"` in
    -n*)
 	ECHO_N=
 	;;
    *)
 	ECHO_N=-n
 	;;
 esac
 case "$1" in
    start|stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
@ -550,32 +600,38 @@ case "$1" in
 	[ $# -gt 2 ] && usage 1
 	case "$2" in
 	connections)
-	    echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Connections at $HOSTNAME - `date`"
 	    echo
 	    cat /proc/net/ip_conntrack
 	    ;;
 	nat)
-	    echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version NAT at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    iptables -t nat -L -n -v
 	    ;;
 	tos|mangle)
-	    echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version TOS at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    iptables -t mangle -L -n -v
 	    ;;
 	log)
 	    get_config
-	    echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Log at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    host=`echo $HOSTNAME | sed 's/\..*$//'`
 	    packet_log 20
 	    ;;
 	tc)
-	    echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
 	    echo
 	    show_tc
 	    ;;
 	*)
-	    echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
+	    echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
 	    echo
 	    show_reset
 	    iptables -L $2 -n -v
 	    ;;
@ -594,7 +650,8 @@ case "$1" in
 	[ $# -eq 1 ] || usage 1
 	get_config
 	clear
-	echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
+	echo "Shorewall-$version Status at $HOSTNAME - `date`"
 	echo
 	show_reset
 	host=`echo $HOSTNAME | sed 's/\..*$//'`
 	iptables -L -n -v
@ -611,7 +668,9 @@ case "$1" in
 	[ $# -eq 1 ] || usage 1
 	get_config
 	clear
-	echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
+	echo "Shorewall-$version Hits at $HOSTNAME - `date`"
 	echo
 	timeout=30
 	if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
--- a/STABLE/shorewall.conf
+++ b/STABLE/shorewall.conf
@ -404,4 +404,24 @@ MACLIST_DISPOSITION=REJECT
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Disposition
 #
 # This variable determins the disposition of packets having an invalid 
 # combination of TCP flags that are received on interfaces having the
 # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
 # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
 TCP_FLAGS_DISPOSITION=DROP
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #LAST LINE -- DO NOT REMOVE
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.10
+%define version 1.3.11
 %define release 1
 %define prefix /usr
@ -101,6 +101,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11
 * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.10
 * Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/tcrules
+++ b/STABLE/tcrules
@ -6,6 +6,11 @@
 #	Entries in this file cause packets to be marked as a means of
 #	classifying them for traffic control or policy routing.
 #
 #                              I M P O R T A N T ! ! ! !
 #
 #		FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
 #		TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
 #
 # Columns are:
 #
 #
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.10
+VERSION=1.3.11
 usage() # $1 = exit status
 {