From a6c7cf06ee7d247b81f94843ab631b10d3f9e27a Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 9 Nov 2002 18:10:22 +0000 Subject: [PATCH] Version 1.3.10 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE/changelog.txt | 48 +- STABLE/documentation/Documentation.htm | 4337 +++++++++-------- STABLE/documentation/FAQ.htm | 1414 +++--- STABLE/documentation/IPSEC.htm | 635 +-- STABLE/documentation/Install.htm | 312 +- STABLE/documentation/MAC_Validation.html | 107 + STABLE/documentation/News.htm | 2228 +++++---- STABLE/documentation/PPTP.htm | 1483 +++--- .../documentation/Shorewall_index_frame.htm | 165 +- .../configuration_file_basics.htm | 555 ++- STABLE/documentation/dhcp.htm | 124 +- STABLE/documentation/download.htm | 440 +- STABLE/documentation/images/TomNTarry.png | Bin 0 -> 323818 bytes STABLE/documentation/images/netfilterlogo.png | Bin 0 -> 2456 bytes .../documentation/images/openlogo-nd-50.png | Bin 0 -> 758 bytes .../documentation/mailing_list_problems.htm | 52 +- STABLE/documentation/myfiles.htm | 195 +- STABLE/documentation/ports.htm | 266 +- .../documentation/seattlefirewall_index.htm | 564 ++- STABLE/documentation/shoreline.htm | 153 +- STABLE/documentation/shorewall_features.htm | 188 +- .../shorewall_quickstart_guide.htm | 324 +- .../starting_and_stopping_shorewall.htm | 302 +- STABLE/documentation/support.htm | 160 +- STABLE/documentation/three-interface.htm | 1818 +++---- STABLE/documentation/traffic_shaping.htm | 427 +- STABLE/documentation/troubleshoot.htm | 372 +- STABLE/documentation/upgrade_issues.htm | 264 +- STABLE/fallback.sh | 11 +- STABLE/firewall | 1644 +++++-- STABLE/functions | 22 +- STABLE/hosts | 6 + STABLE/init.sh | 75 + STABLE/install.sh | 33 +- STABLE/interfaces | 10 +- STABLE/maclist | 18 + STABLE/releasenotes.txt | 35 +- STABLE/shorewall | 79 +- STABLE/shorewall.conf | 30 +- STABLE/shorewall.spec | 14 +- STABLE/tunnels | 34 +- STABLE/uninstall.sh | 7 +- STABLE/zones | 2 +- 43 files changed, 10351 insertions(+), 8602 deletions(-) create mode 100644 STABLE/documentation/MAC_Validation.html create mode 100644 STABLE/documentation/images/TomNTarry.png create mode 100644 STABLE/documentation/images/netfilterlogo.png create mode 100644 STABLE/documentation/images/openlogo-nd-50.png create mode 100644 STABLE/init.sh create mode 100644 STABLE/maclist diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 6156439da..6330272b5 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt @@ -1,18 +1,44 @@ -Changes since 1.3.8 +Changes since 1.3.9 -1. DNAT rules that remap a port but leave the IP address unchanged are - now handled properly. +1. Fix dumb bug in 1.3.9 Tunnel Handling. -2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of - the policy file now works correctly. +2. First implementaiton of dynamic zones. -3. Added support for /etc/shorewall/startup_disabled. +3. Corrections to Dynamic Zones. -4. Added support for DNS names in config files. +4. More fixes for Dynamic Zones. -5. Don't insist on state NEW for protocols other than tcp, udp and - icmp. Workaround for conntrack glitches in other protocols. +5. Correct a typo in an error message. -6. Move 'functions', 'version' and 'firewall' to /usr/lib/shorewall. +6. Fix rule insertion algorithms for Dynamic Zones. + +7. Optimize dynamic zones code + +8. Remove iptables 1.2.7 hacks. + +9. Fix dumb typo in 1.3.9 (recalculate_interfacess) + +10. Add PATH assignment to the install script + +11. Correct 'functions' file handling in the install script. + +12. Add ipsecnat tunnel type. + +13. Correct typo in the shorewall.spec file. + +14. Add support for PPTP client and server to the tunnels file. + +15. Move the main firewall script to /usr/lib/shorewall + +16. Allow SNAT using primary IP and ADD_SNAT_ALIASES=Yes + +17. Add MAC verificaiton + +18. Conserve space by removing comment decorations. + +19. Improve comments in interfaces file re: use of aliases + +20. Clear nat and mangle counters during 'shorewall reset' + +21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules -7. Fix problems with oddball shells. diff --git a/STABLE/documentation/Documentation.htm b/STABLE/documentation/Documentation.htm index c6b44de34..5bc38e28f 100644 --- a/STABLE/documentation/Documentation.htm +++ b/STABLE/documentation/Documentation.htm @@ -1,1103 +1,1132 @@ - + - + - + Shorewall 1.3 Documentation - - + - + - + - - - + + - - - -
+

Shorewall 1.3 Reference

-
- -

This documentation is intended primarily for reference. - Step-by-step instructions for configuring Shorewall in common setups - may be found in the QuickStart - Guides.

- -

Components

- -

Shorewall consists of the following components:

+ + + + + +

This documentation is intended primarily for reference. + Step-by-step instructions for configuring Shorewall in common setups + may be found in the QuickStart + Guides.

+ +

Components

+ +

Shorewall consists of the following components:

+ - +

/etc/shorewall/params

- +

You may use the file /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration files.

- + that you can then use in some of the other configuration files.

+

It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs

- + within the Shorewall programs

+

Example:

- + 
 	NET_IF=eth0
	NET_BCAST=130.252.100.255
	NET_OPTIONS=noping,norfc1918
- +

Example (/etc/shorewall/interfaces record):

- + 
	net $NET_IF $NET_BCAST $NET_OPTIONS
- +

The result will be the same as if the record had been written

- + 
	net eth0 130.252.100.255 noping,norfc1918
- +

Variables may be used anywhere in the other configuration - files.

- + files.

+

/etc/shorewall/zones

- +

This file is used to define the network zones. There is one entry - in /etc/shorewall/zones for each zone; Columns in an entry are:

- + in /etc/shorewall/zones for each zone; Columns in an entry are:

+ - +

The /etc/shorewall/zones file released with Shorewall is as follows:

- + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - + +
ZONE DISPLAY COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
ZONE DISPLAY COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
- +

You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.

- + as desired so long as you have at least one zone defined.

+

Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather than "shorewall restart".

- + stop; shorewall start" to install the change rather than "shorewall restart".

+

Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.

- + significant in some cases.

+

/etc/shorewall/interfaces

- +

This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will be one entry in /etc/shorewall/interfaces - for each of your interfaces. Columns in an entry are:

- + interfaces are connected to which zone. There will be one entry in +/etc/shorewall/interfaces for each of your interfaces. Columns in an entry + are:

+ - -

Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local network and eth0 - gets its IP address via DHCP. You want to ignore ping requests from the - internet and you want to check all packets entering from - the internet against the black list. - Your /etc/shorewall/interfaces file would be as follows:

-
- - - - - - - - - - - - - - - - - - - - - - - - -
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918,blacklist
loceth1detect 
-
+

Example 1: You have a conventional firewall setup in which eth0 connects + to a Cable or DSL modem and eth1 connects to your local network and eth0 + gets its IP address via DHCP. You want to ignore ping requests from the + internet and you want to check all packets entering from + the internet against the black list. + Your /etc/shorewall/interfaces file would be as follows:

-

Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:

- - -
+
- + - - - - - - - - - - - + + + + + + + + + + + + + + + + + - +
ZONE INTERFACE BROADCAST OPTIONS
netppp0  
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918,blacklist
loceth1detect 
-
+
- -

Example 3: You have local interface eth1 with two IP - addresses - 192.168.1.1/24 and 192.168.12.1/24

- -
+ +

Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:

+ + +
- - - - - - - - - - - - - + + + + + + + + + + + + + - - + + +
ZONE INTERFACE BROADCAST OPTIONS
loceth1192.168.1.255,192.168.12.255 
ZONE INTERFACE BROADCAST OPTIONS
netppp0  
- + +

Example 3: You have local interface eth1 with two IP + addresses - 192.168.1.1/24 and 192.168.12.1/24

+ +
+ + + + + + + + + + + + + + + + + +
ZONE INTERFACE BROADCAST OPTIONS
loceth1192.168.1.255,192.168.12.255 
+
+ +

/etc/shorewall/hosts - Configuration

- + Configuration +

For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.

- +

WARNING: 90% of Shorewall users don't need to put entries in this file and 80% of those who try to add such entries do it wrong. Unless you are ABSOLUTELY SURE that you need entries in this file, don't touch it.

- +

Columns in this file are:

- + - -
- -
    - -
  1. An IP address (example - eth1:192.168.1.3)
    2. - -
  2. A subnet in the form <subnet address>/<width> - (example - eth2:192.168.2.0/2)
    3. - - -
- - -

The interface name much match an entry in /etc/shorewall/interfaces.

-
- - - - +
+
    + +
  1. An IP address (example - eth1:192.168.1.3)
    2. + +
  2. A subnet in CIDR notation + (example - eth2:192.168.2.0/24)
    3. + + +
+ + +

The interface name much match an entry in /etc/shorewall/interfaces.

+
+ + + + +
+

routestopped - Beginning with Shorewall 1.3.4, this option is deprecated in favor of the /etc/shorewall/routestopped file. When the firewall is stopped, traffic to and from - this host (these hosts) will be accepted and routing will occur between - this host and other routestopped interfaces and hosts.

-
+ this host (these hosts) will be accepted and routing will occur between + this host and other routestopped interfaces and hosts.
+
+ maclist - Added in version 1.3.10. If specified, connection requests +from the hosts specified in this entry are subject to MAC Verification. This option is only valid +for ethernet interfaces.
+

+
- +

If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces - to the zone.

+ to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces + to the zone.

- +

Note 1: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules.

- +

Note 2: The setting of the MERGE_HOSTS variable - in /etc/shorewall/shorewall.conf - has an important effect on how the host file is - processed. Please read the description of that + in /etc/shorewall/shorewall.conf + has an important effect on how the host file +is processed. Please read the description of that variable carefully.

- +

Example:

- +

Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:

- + you want to make into separate zones:

+ - +

Your /etc/shorewall/interfaces file might look like:

- -
+ +
- - - - - - - - - - - - - - - - - - - - - - - -
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918
-eth1detect 
-
- - -

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.

- - -

Your /etc/shorewall/hosts file might look like:

- - -
- - - + - - - - - - - - - - - - - - - - - - -
ZONE HOST(S) OPTIONS
loc1eth1:192.168.1.0/25 
loc2eth1:192.168.1.128/25routestopped
-
- - -

Hosts in 'loc2' can communicate with the firewall while Shorewall is - stopped -- those in 'loc1' cannot.

- - -

Nested and Overlapping Zones

- - -

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow -you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that they appear - in the /etc/shorewall/zones file. So if you have nested zones, you want - the sub-zone to appear before the super-zone and in the case of overlapping - zones, the rules that will apply to hosts that belong to both zones is - determined by which zone appears first in /etc/shorewall/zones.

- - -

Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the special CONTINUE policy described below.

- - -

- /etc/shorewall/policy Configuration.

- - -

This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described in terms of clients - who initiate connections and servers who receive those connection - requests. Policies defined in /etc/shorewall/policy describe which zones - are allowed to establish connections with other zones.

- - -

Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies to a particular - connection request then the policy from /etc/shorewall/policy is applied.

- - -

Four policies are defined:

- - - - - -

For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each time that the policy - is applied.

- - -

Entries in /etc/shorewall/policy have four columns as follows:

- - -
    - -
  1. SOURCE - The name of a client - zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall zone or "all").
    2. - -
  2. DEST - The name of a destination - zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall zone or "all").
    3. - -
  3. POLICY - The default policy - for connection requests from the SOURCE zone to the DESTINATION zone.
    4. - -
  4. LOG LEVEL - Optional. If -left empty, no log message is generated when the policy is applied. -Otherwise, this column should contain an integer or name indicating -a syslog level. See the syslog.conf man page for a description of -each log level.
    5. - -
  5. LIMIT:BURST - Optional. If left - empty, TCP connection requests from the SOURCE zone to the DEST - zone will not be rate-limited. Otherwise, this column specifies the maximum - rate at which TCP connection requests will be accepted followed by a colon - (":") followed by the maximum burst size that will be tolerated. Example: - 10/sec:40 specifies that the maximum rate of TCP connection - requests allowed will be 10 per second and a burst of 40 connections will - be tolerated. Connection requests in excess of these limits will be dropped.
    6. - - -
- - -

In the SOURCE and DEST columns, you can enter "all" to indicate all - zones. 

- - -

The policy file installed by default is as follows:

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - +
SOURCEDEST POLICY LOG LEVELLIMIT:BURST
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918
-eth1detect 
-
+
- -

This table may be interpreted as follows:

- - - -

WARNING:

- -

The firewall script processes  the - /etc/shorewall/policy file from top to bottom and uses the first applicable - policy that it finds. For example, in the following policy file, - the policy for (loc, loc) connections would be ACCEPT as specified in -the first entry even though the third entry in the file specifies REJECT.

- -
+ +

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.

+ + +

Your /etc/shorewall/hosts file might look like:

+ + +
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - +
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT  
netallDROPinfo 
loclocREJECTinfo 
ZONE HOST(S) OPTIONS
loc1eth1:192.168.1.0/25 
loc2eth1:192.168.1.128/25routestopped
-
- -

- The CONTINUE policy

- -

Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple zones to be managed - under the rules of all of these zones. Let's look at an example:

- -

/etc/shorewall/zones:

- -
+
+ + +

Hosts in 'loc2' can communicate with the firewall while Shorewall is + stopped -- those in 'loc1' cannot.

+ + +

Nested and Overlapping Zones

+ + +

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow +you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order that they appear + in the /etc/shorewall/zones file. So if you have nested zones, you want + the sub-zone to appear before the super-zone and in the case of overlapping + zones, the rules that will apply to hosts that belong to both zones is + determined by which zone appears first in /etc/shorewall/zones.

+ + +

Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use of the special CONTINUE policy described below.

+ + +

+ /etc/shorewall/policy Configuration.

+ + +

This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described in terms of clients + who initiate connections and servers who receive those connection + requests. Policies defined in /etc/shorewall/policy describe which zones + are allowed to establish connections with other zones.

+ + +

Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies to a particular + connection request then the policy from /etc/shorewall/policy is applied.

+ + +

Four policies are defined:

+ + + + + +

For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log each time that the policy + is applied.

+ + +

Entries in /etc/shorewall/policy have four columns as follows:

+ + +
    + +
  1. SOURCE - The name of a +client zone (a zone defined in the /etc/shorewall/zones + file , the name of the firewall zone or "all").
    2. + +
  2. DEST - The name of a destination + zone (a zone defined in the /etc/shorewall/zones + file , the name of the firewall zone or "all").
    3. + +
  3. POLICY - The default policy + for connection requests from the SOURCE zone to the DESTINATION zone.
    4. + +
  4. LOG LEVEL - Optional. If + left empty, no log message is generated when the policy is applied. + Otherwise, this column should contain an integer or name indicating + a syslog level. See the syslog.conf man page for a description of +each log level.
    5. + +
  5. LIMIT:BURST - Optional. If +left empty, TCP connection requests from the SOURCE zone to the + DEST zone will not be rate-limited. Otherwise, this column +specifies the maximum rate at which TCP connection requests will be accepted +followed by a colon (":") followed by the maximum burst size that will +be tolerated. Example: 10/sec:40 specifies that the maximum +rate of TCP connection requests allowed will be 10 per second and a burst +of 40 connections will be tolerated. Connection requests in excess of +these limits will be dropped.
    6. + + +
+ + +

In the SOURCE and DEST columns, you can enter "all" to indicate all + zones. 

+ + +

The policy file installed by default is as follows:

+ + +
+ - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - +
ZONE DISPLAY COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
SOURCEDEST POLICY LOG LEVELLIMIT:BURST
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
-
+
+ + +

This table may be interpreted as follows:

+ + -

/etc/shorewall/interfaces:

+

WARNING:

-
+

The firewall script processes  the + /etc/shorewall/policy file from top to bottom and uses the first applicable + policy that it finds. For example, in the following policy file, + the policy for (loc, loc) connections would be ACCEPT as specified in + the first entry even though the third entry in the file specifies REJECT.

+ +
- - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - +
ZONE INTERFACE BROADCAST OPTIONS
-eth0detectdhcp,noping,norfc1918
loceth1detectroutestopped
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT  
netallDROPinfo 
loclocREJECTinfo 
-
+
-

/etc/shorewall/hosts:

+

+ The CONTINUE policy

-
+

Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple zones to be managed + under the rules of all of these zones. Let's look at an example:

+ +

/etc/shorewall/zones:

+ +
- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - +
ZONE HOST(S) OPTIONS
neteth0:0.0.0.0/0 
sameth0:206.191.149.197routestopped
ZONE DISPLAY COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
-
+
-

Note that Sam's home system is a member of both the sam zone - and the net zone and as described above , that means that sam must -be listed before net  in /etc/shorewall/zones.

+

/etc/shorewall/interfaces:

-

/etc/shorewall/policy:

- -
+
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - +
SOURCE DEST POLICY LOG LEVEL
locnetACCEPT 
samallCONTINUE 
netallDROPinfo
allallREJECTinfo
ZONE INTERFACE BROADCAST OPTIONS
-eth0detectdhcp,noping,norfc1918
loceth1detectroutestopped
-
+
-

The second entry above says that when Sam is the client, connection - requests should first be process under rules where the source zone is sam - and if there is no match then the connection request should be treated under - rules where the source zone is net. It is important that this policy - be listed BEFORE the next policy (net to all).

+

/etc/shorewall/hosts:

-

Partial /etc/shorewall/rules:

- -
+
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
...      
DNATsamloc:192.168.1.3tcpssh- 
DNATnetloc:192.168.1.5tcpwww- 
...      
ZONE HOST(S) OPTIONS
neteth0:0.0.0.0/0 
sameth0:206.191.149.197routestopped
-
+
-

Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded to 192.168.1.3. Like - all hosts in the net zone, Sam can connect to the firewall's internet - interface on TCP port 80 and the connection request will be forwarded to - 192.168.1.5. The order of the rules is not significant.

- -

Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts can SSH to the firewall - and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the - firewall's external IP, he should be connected to the firewall itself. - Because of the way that Netfilter is constructed, this requires two rules - as follows:

- -
-

 

- Note that Sam's home system is a member of both the sam zone + and the net zone and as described above , that means that sam must +be listed before net  in /etc/shorewall/zones.

+ +

/etc/shorewall/policy:

+ +
+ face="Century Gothic, Arial, Helvetica"> - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
       
...      
DNATsamfwtcpssh- 
DNATnet!samloc:192.168.1.3tcpssh- 
...      
SOURCE DEST POLICY LOG LEVEL
locnetACCEPT 
samallCONTINUE 
netallDROPinfo
allallREJECTinfo
+

The second entry above says that when Sam is the client, connection + requests should first be process under rules where the source zone is +sam and if there is no match then the connection request should be +treated under rules where the source zone is net. It is important +that this policy be listed BEFORE the next policy (net to all).

+ +

Partial /etc/shorewall/rules:

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
...      
DNATsamloc:192.168.1.3tcpssh- 
DNATnetloc:192.168.1.5tcpwww- 
...      
+
+ +

Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to 192.168.1.3. +Like all hosts in the net zone, Sam can connect to the firewall's +internet interface on TCP port 80 and the connection request will be forwarded +to 192.168.1.5. The order of the rules is not significant.

+ +

Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can SSH to the firewall + and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the + firewall's external IP, he should be connected to the firewall itself. + Because of the way that Netfilter is constructed, this requires two +rules as follows:

+ +
+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
       
...      
DNATsamfwtcpssh- 
DNATnet!samloc:192.168.1.3tcpssh- 
...      
+
+

The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the @@ -1106,387 +1135,392 @@ be listed before net connection port forwarded to 192.168.1.3. If you need to exclude more than one zone in this way, - you can list the zones separated - by commas (e.g., net!sam,joe,fred). - This technique also may be used - when the ACTION is REDIRECT.

+ you can list the zones separated + by commas (e.g., net!sam,joe,fred). + This technique also may be +used when the ACTION is REDIRECT.

+

/etc/shorewall/rules

+

The /etc/shorewall/rules file defines exceptions to the policies established - in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules - for each of these rules. 

+ in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules + for each of these rules. 

- +

Entries in the file have the following columns:

- + - +

Example 1. You wish to forward all - ssh connection requests from the internet to local system 192.168.1.3. 

- + ssh connection requests from the internet to local system 192.168.1.3. 

+
+ face="Century Gothic, Arial, Helvetica"> - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
DNATnetloc:192.168.1.3tcpssh  
-
- -

Example 2. You want to redirect all local www connection requests - EXCEPT those to your own - http server (206.124.146.177) - to a Squid transparent proxy - running on the firewall and listening on port 3128. Squid will of course - require access to remote web servers. This example shows yet - another use for the ORIGINAL - DEST column; here, connection - requests that were NOT - - (notice the "!") originally - destined to 206.124.146.177 - are redirected to local -port 3128.

- -
- - + - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST		ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
REDIRECTloc3128tcpwww !206.124.146.177
ACCEPTfwnettcpwww  
-
- -

Example 3. You want to run a web server at 155.186.235.222 in -your DMZ and have it accessible remotely and locally. the DMZ is managed - by Proxy ARP or by classical sub-netting.

- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
ACCEPTnetdmz:155.186.235.222tcpwww- 
ACCEPTlocdmz:155.186.235.222tcpwww  
DNATnetloc:192.168.1.3tcpssh  
-
- - -

Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded - DMZ. Your internet interface address is 155.186.235.151 and you want -the FTP server to be accessible from the internet in addition to the local - 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since the - server is in the 192.168.2.0/24 subnetwork, we can assume that access -to the server from that subnet will not involve the firewall (but see FAQ 2). Note that unless you - have more than one external - IP address, you can leave - the ORIGINAL DEST column - blank in the first rule. - You cannot leave it -blank in the second rule -though because then -all ftp connections - originating in the local - subnet 192.168.1.0/24 would - be sent to 192.168.2.2 - regardless of the site that - the user was trying to - connect to. That is - clearly not what you want - - .

- - -
+
+ +

Example 2. You want to redirect all local www connection requests + EXCEPT those to your own + http server (206.124.146.177) + to a Squid transparent +proxy running on the firewall and listening on port 3128. Squid will of +course require access to remote web servers. This example shows yet + another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + + (notice the "!") originally + destined to 206.124.146.177 + are redirected to local + port 3128.

+ +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
DNATnetdmz:192.168.2.2tcpftp  
DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
REDIRECTloc3128tcpwww !206.124.146.177
ACCEPTfwnettcpwww  
+
+ +

Example 3. You want to run a web server at 155.186.235.222 in +your DMZ and have it accessible remotely and locally. the DMZ is managed + by Proxy ARP or by classical sub-netting.

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
ACCEPTnetdmz:155.186.235.222tcpwww- 
ACCEPTlocdmz:155.186.235.222tcpwww  
-
+
+ + +

Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded + DMZ. Your internet interface address is 155.186.235.151 and you want + the FTP server to be accessible from the internet in addition to the local + 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since +the server is in the 192.168.2.0/24 subnetwork, we can assume that access + to the server from that subnet will not involve the firewall (but see FAQ 2). Note that unless you + have more than one external + IP address, you can leave + the ORIGINAL DEST +column blank in the +first rule. You cannot +leave it blank in the + second rule though because + then all ftp connections + originating in the local + subnet 192.168.1.0/24 would + be sent to 192.168.2.2 + regardless of the site that + the user was trying to + connect to. That is + clearly not what you +want + .

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
DNATnetdmz:192.168.2.2tcpftp  
DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
+
+ + +

If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, this entry is appropriate:

+ so I use port range 65500-65535. In /etc/ftpaccess, this entry is appropriate:

- +
- +

passive ports  0.0.0.0/0 65500 65534

-
+ - +

If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.

+ the pure-ftpd runline.

- +

The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with any usage on the - firewall system.

+ passive connections is unique and will not overlap with any usage on the + firewall system.

- +

Example 5. You wish to allow unlimited DMZ access to the host @@ -1494,51 +1528,51 @@ though because then 02:00:08:E3:FA:55.

- +
+ face="Century Gothic, Arial, Helvetica"> - - - - - - - - - - + - - - - - - - - + + + + + + + + + + + + + + + + + - - + +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
ACCEPTloc:~02-00-08-E3-FA-55dmzall   
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
ACCEPTloc:~02-00-08-E3-FA-55dmzall   
-
+ - +

Look here for information on other services. -

+

- +

/etc/shorewall/common

- +

Shorewall allows definition of rules that apply between all zones. @@ -1548,157 +1582,160 @@ though because then but may be modified to suit individual requirements. Rather - than modify - /etc/shorewall/common.def, - you should copy -that file to - /etc/shorewall/common - and modify that file.

+ than modify + /etc/shorewall/common.def, + you should copy + that file to + /etc/shorewall/common + and modify that +file.

- +

The /etc/shorewall/common - file is expected - to contain iptables - commands; rather - than running iptables - directly, you should - run it indirectly - using the Shorewall - function 'run_iptables'. - That way, if iptables - encounters an error, the - firewall will be safely - stopped.

+ file is expected + to contain iptables + commands; rather + than running iptables + directly, you should + run it indirectly + using the Shorewall + function 'run_iptables'. + That way, if iptables + encounters an error, the + firewall will be safely + stopped.

- +

/etc/shorewall/masq

- +

The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation  (SNAT). There is one entry in the - file for each subnet that you want to masquerade. In order to make use -of this feature, you must have NAT enabled .

+ and Source Network Address Translation  (SNAT). There is one entry in the + file for each subnet that you want to masquerade. In order to make use + of this feature, you must have NAT enabled + .

- +

Columns are:

- + - +

Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq - file would look like:    

+ connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq + file would look like:    

- +
- + - - - - - - - - - - - - - - - - - -
INTERFACE SUBNETADDRESS
eth0192.168.9.0/24 
-
- - -

Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 subnet to -the remote subnet 10.1.0.0/16 only.

- - -
- - - + - - - - - - - - - + + + + + + + + + + -
INTERFACE SUBNETADDRESS
ipsec0:10.1.0.0/16192.168.9.0/24 
INTERFACE SUBNETADDRESS
eth0192.168.9.0/24 
-
+ +

Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your 192.168.9.0/24 subnet to + the remote subnet 10.1.0.0/16 only.

+ + +
+ + + + + + + + + + + + + + + + + + + + +
INTERFACE SUBNETADDRESS
ipsec0:10.1.0.0/16192.168.9.0/24 
+
+ +

Example 3: You have a DSL line connected on eth0 and a local - network (192.168.10.0/24) - connected to + network (192.168.10.0/24) + connected to eth1. You want all local->net connections to use source address 206.124.146.176.

- -
+ +
- - - - - - + - - - - + + + + + + + + + - - + +
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24206.124.146.176
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24206.124.146.176
-
+
- +

Example 4: Same as example 3 except that you wish @@ -1708,34 +1745,34 @@ all local->net the SNAT rule.

- +
- + - - - - - - + - - - - + + + + + + + + + - - + +
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
-
+ - +

/etc/shorewall/proxyarp

- +

If you want to use proxy ARP on an entire sub-network, @@ -1744,30 +1781,30 @@ all local->net http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide - to use the technique - described in - that HOWTO, -you can set the -proxy_arp flag - for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - by including the + If you decide + to use the +technique described +in that HOWTO, + you can set +the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including the proxyarp - option in the - interface's -record in - /etc/shorewall/interfaces. - When using Proxy ARP - sub-netting, you do - NOT include - any entries in - /etc/shorewall/proxyarp. -

+ option in the + interface's + record in + /etc/shorewall/interfaces. + When using Proxy ARP + sub-netting, you do + NOT include + any entries in + /etc/shorewall/proxyarp. +

- +

The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for @@ -1775,47 +1812,47 @@ record in - + in this file + for each system + using proxy + ARP. Columns are:

+ - +

Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers on the LAN segment - connected to the interface specified in the EXTERNAL column of the change/added - entry(s). If you are having problems communicating between an individual - host (A) on that segment and a system whose entry has changed, you may -need to flush the ARP cache on host A as well.

+ file, you may need to flush the ARP cache of all routers on the LAN segment + connected to the interface specified in the EXTERNAL column of the change/added + entry(s). If you are having problems communicating between an individual + host (A) on that segment and a system whose entry has changed, you may + need to flush the ARP cache on host A as well.

- +

ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long @@ -1824,92 +1861,94 @@ to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.

- +

Example: You have public IP addresses 155.182.235.0/28. You configure your - firewall as follows:

- + firewall as follows:

+ - +

In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like the firewall's eth0 - and you configure 155.186.235.1 as the default gateway. In your /etc/shorewall/proxyarp - file, you will have:

+ 155.186.235.4. On the Web server, you subnet just like the firewall's +eth0 and you configure 155.186.235.1 as the default gateway. In your + /etc/shorewall/proxyarp file, you will have:

- +
- + - - - - - - - - - - - - - + + + + + + + + + + + + + + + - +
ADDRESS INTERFACE EXTERNALHAVEROUTE
155.186.235.4eth2eth0No
ADDRESS INTERFACE EXTERNALHAVEROUTE
155.186.235.4eth2eth0No
-
- + +

Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. See the Proxy - ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" in the HAVEROUTE - column.

- + for details. In this case you will want to place "Yes" in the HAVEROUTE + column.

+

To learn how I use Proxy ARP in my DMZ, see my configuration files.

- +

Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, the proxied - IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) - rather than to the interface that you specify in the INTERFACE column of - /etc/shorewall/proxyarp. I haven't had the time to debug this problem so -I can't say if it is a bug in the Kernel or in FreeS/Wan. 

- + If you start or restart Shorewall with an IPSEC tunnel active, the proxied + IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) + rather than to the interface that you specify in the INTERFACE column of + /etc/shorewall/proxyarp. I haven't had the time to debug this problem so + I can't say if it is a bug in the Kernel or in FreeS/Wan. 

+

You might be able to work around this problem using the following - (I haven't tried it):

- + (I haven't tried it):

+

In /etc/shorewall/init, include:

- +

     qt service ipsec stop

- +

In /etc/shorewall/start, include:

- +

    qt service ipsec start

- +

/etc/shorewall/nat

- +

The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship that you wish to define. - In order to make use of this feature, you must have NAT enabled .

- +

IMPORTANT: If @@ -1921,9 +1960,9 @@ I can't say if it is a bug in the Kernel or in FreeS/Wan. static NAT. Port forwarding can be accomplished - with simple - entries in - the rules file. Also, in most @@ -1938,387 +1977,397 @@ be accomplished are accessed using the same IP address internally - and externally.

+ and externally.

- +

Columns in an entry are:

- + - +

Look here for additional information and an example. -

+

- +

/etc/shorewall/tunnels

- -

The /etc/shorewall/tunnels file allows you to define IPSec, GRE and - IPIP tunnels with end-points on your firewall. To use ipsec, you must -install version 1.9, 1.91 or the current The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP +and PPTP tunnels with end-points on your firewall. To use ipsec, you must + install version 1.9, 1.91 or the current FreeS/WAN development snapshot. 

- +

Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version 1.9 results in kernel - compilation errors.

+ or a development snapshot as patching with version 1.9 results in kernel + compilation errors.

- +

Instructions for setting up IPSEC tunnels may - be found here and instructions for IPIP - tunnels are here . Look here for information - about setting up PPTP - tunnels under - Shorewall.

+ be found here, instructions for IPIP and +GRE tunnels are here  and instructions for +PPTP tunnels are here.

+ +

/etc/shorewall/shorewall.conf

- -

- /etc/shorewall/shorewall.conf

- - +

This file is used to set the following firewall parameters:

- + - +

/etc/shorewall/modules Configuration

- +

The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. Shorewall will source - this file during start/restart provided that it exists and that the directory - specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf - above).

+ modules required by Shorewall-defined firewall rules. Shorewall will +source this file during start/restart provided that it exists and that +the directory specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf above).

- +

The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.

+ "loadmodule" for the set of modules that I load.

- +

The loadmodule function is called as follows:

- +
- - + +

loadmodule <modulename> [ <module parameters> ]

-
+ - +

where

- +
- +

<modulename>                

- +
- +

is the name of the modules without the trailing ".o" (example ip_conntrack).

-
+
- +

<module parameters>

- +
- +

Optional parameters to the insmod utility.

+
- - +

The function determines if the module named by <modulename> - is already loaded and if not then the function determines if the - ".o" file corresponding to the module exists in the moduledirectory; - if so, then the following command is executed:

+ is already loaded and if not then the function determines if the + ".o" file corresponding to the module exists in the moduledirectory; + if so, then the following command is executed:

- +
- +

insmod moduledirectory/<modulename>.o <module - parameters>

-
+ parameters>

+ - +

If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed @@ -2504,391 +2553,399 @@ it does, the function assumes that the running configuration supports compress - +

- +

insmod moduledirectory/<modulename>.o.gz <module - parameters>

-
+ parameters>

+ - +

/etc/shorewall/tos Configuration

- +

The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, protocol, - source port and destination port. In order for this file to be processed - by Shorewall, you must have mangle support enabled + in packet headers based on packet source, packet destination, protocol, + source port and destination port. In order for this file to be processed + by Shorewall, you must have mangle support enabled .

- +

Entries in the file have the following columns:

- + - +
- +
- +

Minimize-Delay (16)
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)

-
-
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)

+ + - +

The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.

+ the following entries.

- -
+ +
- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - +
SOURCEDESTPROTOCOLSOURCE
- PORT(S)		DEST PORT(S)TOS
allalltcp-ssh16
allalltcpssh-16
allalltcp-ftp16
allalltcpftp-16
allalltcp-ftp-data8
allalltcpftp-data-8
SOURCEDESTPROTOCOLSOURCE
+ PORT(S)		DEST PORT(S)TOS
allalltcp-ssh16
allalltcpssh-16
allalltcp-ftp16
allalltcpftp-16
allalltcp-ftp-data8
allalltcpftp-data-8
-
+
- +

WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos file.

+ adding the ESP and AH protocols to the /etc/shorewall/tos file.

- +

/etc/shorewall/blacklist

- +

Each line in /etc/shorewall/blacklist contains - an - IP - address, a MAC address in Shorewall - Format - or - subnet - address. - Example:

+ an + IP + address, a MAC address in Shorewall + Format + or + subnet + address. + Example:

- + 
      130.252.100.69
      206.124.146.0/24
- +

Packets from hosts listed in - the - blacklist - file - will - be - disposed + the + blacklist + file + will + be + disposed - of - according - to - the - value - assigned + of + according + to + the + value + assigned - to - the BLACKLIST_DISPOSITION - and - BLACKLIST_LOGLEVEL variables - in - /etc/shorewall/shorewall.conf. + to + the BLACKLIST_DISPOSITION - Only - packets - arriving - on - interfaces +and BLACKLIST_LOGLEVEL variables + in + /etc/shorewall/shorewall.conf. + + Only + packets + arriving + on + interfaces that have the 'blacklist' - option - in - /etc/shorewall/interfaces - are + option + in + /etc/shorewall/interfaces + are - checked - against - the - blacklist. The black list is + checked + against + the + blacklist. The black list is designed to prevent listed hosts/subnets from accessing services on your - network.
-

- + network.
+

+

Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-

- +

+ - +

Shorewall also has a dynamic blacklist - capability.

+ capability.

- +

IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, I suggest that - you install and configure Squid (http://www.squid-cache.org). -

+ designed to police your users' web browsing -- to do that, I suggest that + you install and configure Squid (http://www.squid-cache.org). +

- +

/etc/shorewall/rfc1918 (Added in Version 1.3.1)

- +

This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:

+ interface option. Columns in the file are:

- + - -

25. /etc/shorewall/routestopped (Added in Version -1.3.4)

+ +

/etc/shorewall/routestopped (Added in Version + 1.3.4)

- -

This fine defines the hosts that are accessible from the firewall when - the firewall is stopped.  Columns in the file are:

+ +

This file defines the hosts that are accessible from the firewall when + the firewall is stopped.  Columns in the file are:

- + - +

Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through - eth1 and your local hosts through eth2.

+ from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through + eth1 and your local hosts through eth2.

- +
- + - - + + - + - + - + - + - + - + - + - + - + - + - + - - + +
INTERFACEINTERFACEHOST(S)HOST(S)
eth2eth2192.168.1.0/24192.168.1.0/24
eth1eth1--
-
+ - -

Updated 9/28/2002 - Tom Eastep -

+ +

/etc/shorewall/maclist (Added in Version 1.3.10)

+ This file is described in the MAC Validation +Documentation.
+
+ +

Updated 10/28/2002 - Tom Eastep +

- +

Copyright - © 2001, 2002 Thomas M. Eastep.

+ © 2001, 2002 Thomas M. Eastep.

-
+
+



diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm index 030efb9d2..03ca89fce 100644 --- a/STABLE/documentation/FAQ.htm +++ b/STABLE/documentation/FAQ.htm @@ -1,734 +1,856 @@ - + - + - + - + Shorewall FAQ - + - + - - - + + - - - + + + +
+
+

Shorewall FAQs

-
- -

1. I want to forward UDP - port 7777 to my my personal PC with IP address 192.168.1.5. I've looked - everywhere and can't find how to do it.

- -

1a. Ok -- I followed those instructions - but it doesn't work.

- -

2. I port forward www requests - to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local - network. External clients can browse http://www.mydomain.com but internal - clients can't.

- -

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses to hosts - in Z. Hosts in Z cannot communicate with each other using their external - (non-RFC1918 addresses) so they can't access each other using their DNS - names.

- -

3. I want to use Netmeeting/MSN - Messenger with Shorewall. What do I do?

- -

4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' rather than -'blocked'. Why?

- -

4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!

- -

5. I've installed Shorewall and now - I can't ping through the firewall

- -

6. Where are the log messages - written and how do I change the destination?

- -

6a. Are there any log parsers - that work with Shorewall?

- -

7. When I stop Shorewall using -'shorewall stop', I can't connect to anything. Why doesn't that command - work?

- -

8. When I try to start Shorewall - on RedHat 7.x, I get messages about insmod failing -- what's wrong?

- -

9. Why can't Shorewall detect - my interfaces properly?

- -

10. What distributions does - it work with?

- -

11. What features does it -support?

- + +

1. I want to forward UDP + port 7777 to my my personal PC with IP address 192.168.1.5. I've +looked everywhere and can't find how to do it.

+ +

1a. Ok -- I followed those instructions + but it doesn't work.
+

+ +

1b. I'm still having problems with +port forwarding

+ +

2. I port forward www requests + to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my +local network. External clients can browse http://www.mydomain.com +but internal clients can't.

+ +

2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 addresses +to hosts in Z. Hosts in Z cannot communicate with each other using their + external (non-RFC1918 addresses) so they can't access each other using + their DNS names.

+ +

3. I want to use Netmeeting/MSN + Messenger with Shorewall. What do I do?

+ +

4. I just used an online port scanner + to check my firewall and it shows some ports as 'closed' rather +than 'blocked'. Why?

+ +

4a. I just ran an nmap UDP scan + of my firewall and it showed 100s of ports as open!!!!

+ +

5. I've installed Shorewall and now + I can't ping through the firewall

+ +

6. Where are the log messages + written and how do I change the destination?

+ +

6a. Are there any log parsers + that work with Shorewall?

+ +

7. When I stop Shorewall using + 'shorewall stop', I can't connect to anything. Why doesn't that command + work?

+ +

8. When I try to start Shorewall + on RedHat 7.x, I get messages about insmod failing -- what's wrong?

+ +

9. Why can't Shorewall detect + my interfaces properly?

+ +

10. What distributions does + it work with?

+ +

11. What features does it + support?

+

12. Why isn't there a GUI

- +

13. Why do you call it "Shorewall"?

- -

14. I'm connected via a cable modem - and it has an internel web server that allows me to configure/monitor it - but as expected if I enable rfc1918 blocking for my eth0 interface, - it also blocks the cable modems web server.

- -

14a. Even though it assigns public - IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable -RFC 1918 filtering on my external interface, my DHCP client cannot renew -its lease.

- -

15. My local systems can't see - out to the net

- -

16. Shorewall is writing log messages - all over my console making it unusable!

- -
-

1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've looked everywhere and - can't find how to do it.

- + +

14. I'm connected via a cable modem + and it has an internel web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for my eth0 interface, + it also blocks the cable modems web server.

+ +

14a. Even though it assigns public + IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable + RFC 1918 filtering on my external interface, my DHCP client cannot + renew its lease.

+ +

15. My local systems can't see + out to the net

+ +

16. Shorewall is writing log messages + all over my console making it unusable!
+

+ 17. How do I find out why this + is getting logged?
+
+ 18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different IPs? +
+

1. I want to forward UDP port 7777 to + my my personal PC with IP address 192.168.1.5. I've looked everywhere + and can't find how to do it.

+

Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. Assuming that you have a dynamic external - IP address, the format of a port-forwarding rule to a local system is as -follows:

- -
+ href="Documentation.htm#Rules">rules file documentation shows how to + do port forwarding under Shorewall. The format of a port-forwarding +rule to a local system is as follows:

+ +
- - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local port>]<protocol><port #>
-
-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local port>]<protocol><port #>
+
+
-
- -

So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:

- -
+
+ +

So to forward UDP port 7777 to internal system 192.168.1.5, + the rule is:

+ +
- - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
-
-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
+
+
-
- -
+
+ +
     DNAT net loc:192.168.1.5 udp 7777
-
- -

If you want to forward requests directed to a particular -address ( <external IP> ) on your firewall to an internal system:

- -
+ + +

If you want to forward requests directed to a particular address +( <external IP> ) on your firewall to an internal system:

+ +
- - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local port>]<protocol><port #>-<external IP>
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local port>]<protocol><port #>-<external IP>
-
- -

1a. Ok -- I followed those instructions - but it doesn't work

- +
+ +

1a. Ok -- I followed those instructions + but it doesn't work

+

Answer: That is usually the result of one of two things:

- + - -

2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients - can browse http://www.mydomain.com but internal clients can't.

- + +

1b. I'm still having problems with port +forwarding

+ Answer: To further diagnose this problem:
+ + + +

2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my local network. External + clients can browse http://www.mydomain.com but internal clients can't.

+

Answer: I have two objections to this setup.

- + - -

If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your external interface is - eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254 - with subnet 192.168.1.0/24, do the following:

- -

a) In /etc/shorewall/interfaces, specify "multi" as an option - for eth1.

- -
+ +

If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that your external interface + is eth0 and your internal interface is eth1 and that eth1 has IP address + 192.168.1.254 with subnet 192.168.1.0/24, do the following:

+ +

a) In /etc/shorewall/interfaces, specify "multi" as an option + for eth1 (No longer required as of Shorewall version 1.3.9).

+ +

b) In /etc/shorewall/rules, add:

-
- -
-
+
+ +
+
- - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
-
-
- -
+ +
+ +
     DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254
-
- -
-

That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and are running Shorewall -1.3.4 or later then include this in /etc/shorewall/params:

-
- -
+
+ +
+

That rule only works of course if you have a static external + IP address. If you have a dynamic IP address and are running Shorewall + 1.3.4 or later then include this in /etc/shorewall/params:

+
+ +
     ETH0_IP=`find_interface_address eth0`
-
- -
+
+ +

and make your DNAT rule:

-
- -
-
+
+ +
+
- - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
-
-
- -
-

Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time that you get a new IP - address.

-
- -

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. - Hosts in Z cannot communicate with each other using their external (non-RFC1918 - addresses) so they can't access each other using their DNS names.

- -

Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external and internal clients - to access a NATed host using the host's DNS name.

- -

Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses - and can be accessed externally and internally using the same address.

- -

If you don't like those solutions and prefer routing all Z->Z -traffic through your firewall then:

- -

a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.
- b) Set the Z->Z policy to ACCEPT.
- c) Masquerade Z to itself.
-
- Example:

- + +
+ +
+

Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each time that you get a +new IP address.

+
+ +

2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 addresses to hosts +in Z. Hosts in Z cannot communicate with each other using their external +(non-RFC1918 addresses) so they can't access each other using their DNS +names.

+ +

Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both external and internal clients + to access a NATed host using the host's DNS name.

+ +

Another good way to approach this problem is to switch from + static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses + and can be accessed externally and internally using the same address. +

+ +

If you don't like those solutions and prefer routing all +Z->Z traffic through your firewall then:

+ +

a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces +(If you are running a Shorewall version earlier than 1.3.9).
+ b) Set the Z->Z policy to ACCEPT.
+ c) Masquerade Z to itself.
+
+ Example:

+

Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24

- + Interface: eth2
+ Subnet: 192.168.2.0/24

+

In /etc/shorewall/interfaces:

- -
+ +
- - - - - - - - - - - - - - - + + + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255multi
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255multi
-
- +
+

In /etc/shorewall/policy:

- -
+ +
- - - - - - - - - - - - - - - + + + + + + + + + + + + + + +
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
-
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
+
-
- -
+
+ +
     dmz    dmz    ACCEPT
-
- + +

In /etc/shorewall/masq:

- -
+ +
- - - - - - - - - - - - - + + + + + + + + + + + + +
INTERFACE SUBNETADDRESS
eth2192.168.2.0/24
-
INTERFACE SUBNETADDRESS
eth2192.168.2.0/24
+
-
- -

3. I want to use Netmeeting/MSN Messenger - with Shorewall. What do I do?

- +
+ +

3. I want to use Netmeeting/MSN Messenger + with Shorewall. What do I do?

+

Answer: There is an H.323 connection - tracking/NAT module that may help. Also check the Netfilter mailing list - archives at http://netfilter.samba.org. -

- -

4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' rather than 'blocked'. - Why?

- -

Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 rather than dropping - them. This is necessary to prevent outgoing connection problems to services - that use the 'Auth' mechanism for identifying requesting users. Shorewall - also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. -These are ports that are used by Windows (Windows can be configured -to use the DCE cell locator on port 135). Rejecting these connection requests - rather than dropping them cuts down slightly on the amount of Windows -chatter on LAN segments connected to the Firewall.

- -

If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server in violation of your - Service Agreement.

- -

4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!

- -

Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing back from your firewall - then it reports the port as open. If you want to see which UDP ports are - really open, temporarily change your net->all policy to REJECT, restart - Shorewall and do the nmap UDP scan again.

- -

5. I've installed Shorewall and now I - can't ping through the firewall

- -

Answer: If you want your firewall to be totally open - for "ping":

- + href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection + tracking/NAT module that may help. Also check the Netfilter mailing + list archives at http://netfilter.samba.org. +

+ +

4. I just used an online port scanner + to check my firewall and it shows some ports as 'closed' rather than + 'blocked'. Why?

+ +

Answer: The common.def included with version 1.3.x + always rejects connection requests on TCP port 113 rather than dropping + them. This is necessary to prevent outgoing connection problems to + services that use the 'Auth' mechanism for identifying requesting +users. Shorewall also rejects TCP ports 135, 137 and 139 as well as +UDP ports 137-139. These are ports that are used by Windows (Windows +can be configured to use the DCE cell locator on port 135). +Rejecting these connection requests rather than dropping them cuts +down slightly on the amount of Windows chatter on LAN segments connected + to the Firewall.

+ +

If you are seeing port 80 being 'closed', that's probably + your ISP preventing you from running a web server in violation of +your Service Agreement.

+ +

4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!

+ +

Answer: Take a deep breath and read the nmap man page + section about UDP scans. If nmap gets nothing back from your + firewall then it reports the port as open. If you want to see which + UDP ports are really open, temporarily change your net->all policy + to REJECT, restart Shorewall and do the nmap UDP scan again.

+ +

5. I've installed Shorewall and now I + can't ping through the firewall

+ +

Answer: If you want your firewall to be totally open + for "ping":

+

a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
- b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
- c) Add the following to /etc/shorewall/icmpdef:

- -
-

run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT

-
- -

6. Where are the log messages written - and how do I change the destination?

- -

Answer: NetFilter uses the kernel's equivalent of syslog -(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility -(see "man openlog") and you get to choose the log level (again, see "man -syslog") in your policies and rules. The destination for messaged -logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). -When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat -system, "service syslog restart").

- -

By default, older versions of Shorewall ratelimited log messages - through settings in /etc/shorewall/shorewall.conf - -- If you want to log all messages, set:

- -
+ b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
+ c) Add the following to /etc/shorewall/icmpdef:

+ +
+

run_iptables -A icmpdef -p ICMP --icmp-type echo-request + -j ACCEPT

+
+ +

6. Where are the log messages written + and how do I change the destination?

+ +

Answer: NetFilter uses the kernel's equivalent of +syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) +facility (see "man openlog") and you get to choose the log level (again, +see "man syslog") in your policies + and rules. The destination for messaged + logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). + When you have changed /etc/syslog.conf, be sure to restart syslogd (on + a RedHat system, "service syslog restart").

+ +

By default, older versions of Shorewall ratelimited log messages + through settings in /etc/shorewall/shorewall.conf + -- If you want to log all messages, set:

+ +
     LOGLIMIT=""
     LOGBURST=""
-
- -

6a. Are there any log parsers that work - with Shorewall?

- -

Answer: Here are several links that may be helpful: -

- -
+
+ +

6a. Are there any log parsers that work + with Shorewall?

+ +

Answer: Here are several links that may be helpful: +

+ +

http://www.shorewall.net/pub/shorewall/parsefw/
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch

-
- -

7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that command work?

- -

The 'stop' command is intended to place your firewall into - a safe state whereby only those interfaces/hosts having the 'routestopped' - option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. - If you want to totally open up your firewall, you must use the 'shorewall - clear' command.

- -

8. When I try to start Shorewall on RedHat - 7.x, I get messages about insmod failing -- what's wrong?

- -

Answer: The output you will see looks something like - this:

- + http://www.fireparse.com
+ http://cert.uni-stuttgart.de/projects/fwlogwatch
+http://www.logwatch.org
+

+ + +

7. When I stop Shorewall using 'shorewall + stop', I can't connect to anything. Why doesn't that command work?

+ +

The 'stop' command is intended to place your firewall into + a safe state whereby only those interfaces/hosts having the 'routestopped' + option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. + If you want to totally open up your firewall, you must use the 'shorewall + clear' command.

+ +

8. When I try to start Shorewall on RedHat + 7.x, I get messages about insmod failing -- what's wrong?

+ +

Answer: The output you will see looks something like + this:

+ 
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
     Perhaps iptables or your kernel needs to be upgraded.
- -

This is usually cured by the following sequence of commands: -

- -
+ +

This is usually cured by the following sequence of commands: +

+ +
     service ipchains stop
     chkconfig --delete ipchains
     rmmod ipchains
-
- -
-

Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.

-
- +
+ +
+

Also, be sure to check the errata + for problems concerning the version of iptables (v1.2.3) shipped with + RH7.2.

+
+

- -

9. Why can't Shorewall detect my interfaces - properly?

- -

I just installed Shorewall and when I issue the start command, - I see the following:

- -
+ +

9. Why can't Shorewall detect my interfaces + properly?

+ +

I just installed Shorewall and when I issue the start command, + I see the following:

+ +
     Processing /etc/shorewall/shorewall.conf ...
     Processing /etc/shorewall/params ...
     Starting Shorewall...
     Loading Modules...
     Initializing...
     Determining Zones...
     Zones: net loc
     Validating interfaces file...
     Validating hosts file...
     Determining Hosts in Zones...
     Net Zone: eth0:0.0.0.0/0
     Local Zone: eth1:0.0.0.0/0
     Deleting user chains...
     Creating input Chains...
     ...
-
- -
+
+ +

Why can't Shorewall detect my interfaces properly?

-
- -
-

Answer: The above output is perfectly normal. The Net - zone is defined as all hosts that are connected through eth0 and the local - zone is defined as all hosts connected through eth1

-
- -

10. What Distributions does it work - with?

- -

Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.

- +
+ +
+

Answer: The above output is perfectly normal. The +Net zone is defined as all hosts that are connected through eth0 and the +local zone is defined as all hosts connected through eth1

+
+ +

10. What Distributions does it work + with?

+ +

Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.

+

11. What Features does it have?

- -

Answer: See the Shorewall - Feature List.

- + +

Answer: See the Shorewall + Feature List.

+

12. Why isn't there a GUI?

- -

Answer: Every time I've started to work on one, I find -myself doing other things. I guess I just don't care enough if Shorewall -has a GUI to invest the effort to create one myself. There are several -Shorewall GUI projects underway however and I will publish links to -them when the authors feel that they are ready.

- + +

Answer: Every time I've started to work on one, I +find myself doing other things. I guess I just don't care enough if +Shorewall has a GUI to invest the effort to create one myself. There +are several Shorewall GUI projects underway however and I will publish +links to them when the authors feel that they are ready.

+

13. Why do you call it "Shorewall"?

- -

Answer: Shorewall is a concatenation of "Shoreline" - (the city where I live) - and "Firewall".

- -

14. I'm connected via a cable modem - and it has an internal web server that allows me to configure/monitor it - but as expected if I enable rfc1918 blocking for my eth0 interface (the -internet one), it also blocks the cable modems web server.

- -

Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 address of the modem - in/out but still block all other rfc1918 addresses.

- -

Answer: If you are running a version of Shorewall earlier -than 1.3.1, create /etc/shorewall/start and in it, place the following:

- -
+ +

Answer: Shorewall is a concatenation of "Shoreline" + (the city where I live) + and "Firewall".

+ +

14. I'm connected via a cable modem + and it has an internal web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for my eth0 interface + (the internet one), it also blocks the cable modems web server.

+ +

Is there any way it can add a rule before the rfc1918 blocking + that will let all traffic to and from the 192.168.100.1 address of +the modem in/out but still block all other rfc1918 addresses.

+ +

Answer: If you are running a version of Shorewall +earlier than 1.3.1, create /etc/shorewall/start and in it, place the +following:

+ +
     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
-
- -
-

If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:

-
- -
-
+
+ +
+

If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:

+
+ +
+
- - - - - - - - - + + + + + + + + + + + +
SUBNET TARGET
192.168.100.1RETURN
SUBNET TARGET
192.168.100.1RETURN
+
+
- - - -
- -
+

Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-

- -

Note: If you add a second IP address to your external firewall -interface to correspond to the modem address, you must also make an entry -in /etc/shorewall/rfc1918 for that address. For example, if you configure -the address 192.168.100.2 on your firewall, then you would add two entries -to /etc/shorewall/rfc1918:
-

- -
+

+ +

Note: If you add a second IP address to your external firewall + interface to correspond to the modem address, you must also make an entry + in /etc/shorewall/rfc1918 for that address. For example, if you configure + the address 192.168.100.2 on your firewall, then you would add two entries + to /etc/shorewall/rfc1918:
+

+ +
- - - - - - - - - - - - - - - + + + + + + + + + + + + + + +
SUBNET
- 		TARGET
-
192.168.100.1
- 		RETURN
-
192.168.100.2
- 		RETURN
-
SUBNET
+ 		TARGET
+
192.168.100.1
+ 		RETURN
+
192.168.100.2
+ 		RETURN
+
-
-
- -
-

14a. Even though it assigns public IP - addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC -1918 filtering on my external interface, my DHCP client cannot renew its -lease.

-
- -
-

The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.

-
- -

15. My local systems can't see out to - the net

- -

Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers with eyes and what -those computers will "see" when things are working properly. That aside, -the most common causes of this problem are:

- + +
+ +
+

14a. Even though it assigns public +IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable +RFC 1918 filtering on my external interface, my DHCP client cannot renew +its lease.

+
+ +
+

The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.

+
+ +

15. My local systems can't see out to + the net

+ +

Answer: Every time I read "systems can't see out to + the net", I wonder where the poster bought computers with eyes and +what those computers will "see" when things are working properly. That +aside, the most common causes of this problem are:

+
    -
  1. -

    The default gateway on each local system isn't set to - the IP address of the local firewall interface.

    -
    2. -
  2. -

    The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.

    -
    3. -
  3. -

    The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and hasn't enabled UDP and - TCP port 53 from the firewall to the internet.

    -
    4. - +
  4. +

    The default gateway on each local system isn't set to + the IP address of the local firewall interface.

    +
    5. +
  5. +

    The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.

    +
    6. +
  6. +

    The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and hasn't enabled UDP + and TCP port 53 from the firewall to the internet.

    +
    7. +
- -

16. Shorewall is writing log messages - all over my console making it unusable!

- -

Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. Under RedHat, - the max log level that is sent to the console is specified in /etc/sysconfig/init - in the LOGLEVEL variable.

- + +

16. Shorewall is writing log messages + all over my console making it unusable!

+ +

Answer: "man dmesg" -- add a suitable 'dmesg' command + to your startup scripts or place it in /etc/shorewall/start. Under + RedHat, the max log level that is sent to the console is specified +in /etc/sysconfig/init in the LOGLEVEL variable.
+

+ +

17. How do I find out why this is getting logged?

+ Answer: Logging occurs out of a number of chains (as indicated + in the log message) in Shorewall:
+ +
    +
  1. man1918 - The destination address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
    2. +
  2. rfc1918 - The source address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
    3. +
  3. all2<zone>, <zone>2all or all2all + - You have a policy that specifies +a log level and this packet is being logged under that policy. If you intend + to ACCEPT this traffic then you need a rule to that effect.
    +
    4. +
  4. <zone1>2<zone2> - Either you have a policy for <zone1> to + <zone2> that specifies a log level and this packet is being + logged under that policy or this packet matches a rule that include a log level.
    5. +
  5. logpkt - The packet is being logged under the logunclean + interface option.
    6. +
  6. badpkt - The packet is being logged under the dropunclean + interface option as specified + in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
    7. +
  7. blacklst - The packet is being logged because the source + IP is blacklisted in the /etc/shorewall/blacklist + file.
    8. +
  8. newnotsyn - The packet is being logged because it is a +TCP packet that is not part of any current connection yet it is not a syn +packet. Options affecting the logging of such packets include NEWNOTSYN + and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
    9. +
  9. INPUT or FORWARD - The packet has a source IP address + that isn't in any of your defined zones ("shorewall check" and look at the + printed zone definitions) or the chain is FORWARD and the destination IP + isn't in any of your defined zones.
    10. + +
+ +

18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different IPs?

+ Answer: Yes. You simply use the IP address in your rules (or if +you use NAT, use the local IP address in your rules). Note: The ":n" +notation (e.g., eth0:0) is deprecated and will disappear eventually. Neither + iproute (ip and tc) nor iptables supports that notation so neither does + Shorewall.
+
+ Example 1:
+
+ /etc/shorewall/rules +
     # Accept AUTH but only on address 192.0.2.125

     ACCEPT	net	fw:192.0.2.125	tcp	auth
+ Example 2 (NAT):
+
+ /etc/shorewall/nat
+ +
     192.0.2.126	eth0	10.1.1.126
+ /etc/shorewall/rules +
     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)

     ACCEPT	net	loc:10.1.1.126	tcp	www
+
- -

Last updated 10/8/2002 - Last updated 11/09/2002 - Tom Eastep

- -

Copyright - © 2001, 2002 Thomas M. Eastep.
+ +

Copyright + © 2001, 2002 Thomas M. Eastep.
+

- +
diff --git a/STABLE/documentation/IPSEC.htm b/STABLE/documentation/IPSEC.htm index fee400531..e3518fd2e 100644 --- a/STABLE/documentation/IPSEC.htm +++ b/STABLE/documentation/IPSEC.htm @@ -1,284 +1,367 @@ - - + + Shorewall IPSec Tunneling - - - - - - - - - - - - -
-

IPSEC Tunnels

-
-

Configuring FreeS/Wan

-There is an excellent guide to configuring IPSEC tunnels at - http://jixen.tripod.com -. I highly recommend that you consult that site for information about confuring -FreeS/Wan. 

Warning: Do not use Proxy ARP - and FreeS/Wan on the same system unless you are prepared to suffer the - consequences. If you start or restart Shorewall with an IPSEC tunnel active, - the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device - (ipsecX) rather than to the interface that you specify in the INTERFACE column - of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I - can't say if it is a bug in the Kernel or in FreeS/Wan. 

-

You might be able to work around this problem using the following (I - haven't tried it):

-

In /etc/shorewall/init, include:

-

     qt service ipsec stop

-

In /etc/shorewall/start, include:

-

    qt service ipsec start

-

- -IPSec Gateway -on the Firewall System -

- -

Suppose that we have the following sutuation:

- - - -

- -

- - - -

We want systems -in the 192.168.1.0/24 sub-network to be able to communicate with systems -in the 10.0.0.0/8 network.

- -

To make this work, we need to do two things:

- -

a) Open the firewall so that the IPSEC tunnel can be established -(allow the ESP and AH protocols and UDP Port 500).

- -

b) Allow traffic through the tunnel.

- -

Opening the firewall for the IPSEC tunnel is accomplished by -adding an entry to the /etc/shorewall/tunnels file.

- -

In /etc/shorewall/tunnels -on system A, we need the following 

- -
- - - - - - - - - - - - - - - - -
- TYPE - ZONE - GATEWAY - GATEWAY ZONE
ipsecnet134.28.54.2 
- -

In /etc/shorewall/tunnels -on system B, we would have:

- -
- - - - - - - - - - - - - - - - -
- TYPE - ZONE - GATEWAY - GATEWAY ZONE
ipsecnet206.161.148.9 
- -

You need to define a zone for the remote subnet or include - it in your local zone. In this example, we'll assume that you have created a - zone called "vpn" to represent the remote subnet.

- -
- - - - - - - - - - - - -
ZONEDISPLAYCOMMENTS
vpnVPNRemote Subnet
-
- -

At both -systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn" -interface:

- -
- - - - - - - - - - - - - - - - -
- ZONE - INTERFACE - BROADCAST - OPTIONS
vpnipsec0  
- -

You will need to allow traffic between the "vpn" zone and - the "loc" zone -- if you simply want to admit all traffic in both - directions, you can use the policy file:

- - -
- - - - - - - - - - - - - - - - - - - - - -
SOURCEDESTPOLICYLOG LEVEL
locvpnACCEPT 
vpnlocACCEPT 
-
- -

Once -you have these entries in place, restart Shorewall (type shorewall restart); -you are now ready to configure the tunnel in - FreeS/WAN - .

- - -

- Mobile System (Road Warrior)

- -

Suppose that you have -a laptop system (B) that you take with you when you travel and you want to -be able to establish a secure connection back to your local network.

- -

- -

- -

You need to define a zone for the laptop or include it in - your local zone. In this example, we'll assume that you have created a zone - called "vpn" to represent the remote host.

- -
- - - - - - - - - - - - -
ZONEDISPLAYCOMMENTS
vpnVPNRemote Subnet
-
- -

In this -instance, the mobile system (B) has IP address 134.28.54.2 but that cannot -be determined in advance. In the /etc/shorewall/tunnels file on system A, -the following entry should be made:

- -
- - - - - - - - - - - - - - - -
- TYPE - ZONE - GATEWAY - GATEWAY ZONE
ipsecnet0.0.0.0/0vpn
+ + + + + + + + + + + + + +
+

IPSEC Tunnels

+
+ +

Configuring FreeS/Wan

+ There is an excellent guide to configuring IPSEC tunnels at http://jixen.tripod.com . I highly recommend +that you consult that site for information about confuring FreeS/Wan.  +

Warning: Do not use Proxy ARP and +FreeS/Wan on the same system unless you are prepared to suffer the consequences. +If you start or restart Shorewall with an IPSEC tunnel active, the proxied +IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) +rather than to the interface that you specify in the INTERFACE column of +/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I + can't say if it is a bug in the Kernel or in FreeS/Wan. 

+ +

You might be able to work around this problem using the following +(I haven't tried it):

+ +

In /etc/shorewall/init, include:

+ +

     qt service ipsec stop

+ +

In /etc/shorewall/start, include:

+ +

    qt service ipsec start

+ +

IPSec Gateway on the Firewall System

+ +

Suppose that we have the following sutuation:

+ +

+

+ +

We want systems in the 192.168.1.0/24 sub-network to be able +to communicate with systems in the 10.0.0.0/8 network.

+ +

To make this work, we need to do two things:

+ +

a) Open the firewall so that the IPSEC tunnel can be established + (allow the ESP and AH protocols and UDP Port 500).

+ +

b) Allow traffic through the tunnel.

+ +

Opening the firewall for the IPSEC tunnel is accomplished +by adding an entry to the /etc/shorewall/tunnels file.

+ +

In /etc/shorewall/tunnels on system A, we need the following 

+ +
+ + + + + + + + + + + + + + + + +
TYPE ZONE GATEWAY GATEWAY ZONE
ipsecnet134.28.54.2 
+
-

Note that the GATEWAY -ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the -gateway system itself comprises the peer subnetwork; in other words, the -remote gateway is a standalone system.

- - -

You will need to configure /etc/shorewall/interfaces and establish - your "through the tunnel" policy as shown under the first example above.

- - -

Last -updated 8/20/2002 - - Tom Eastep +

In /etc/shorewall/tunnels on system B, we would have:

+ +
+ + + + + + + + + + + + + + + + +
TYPE ZONE GATEWAY GATEWAY ZONE
ipsecnet206.161.148.9 
+
+ +

Note: If either of the endpoints is behind a NAT gateway +then the tunnels file entry on the other endpoint should specify +a tunnel type of ipsecnat rather than ipsec and the GATEWAY +address should specify the external address of the NAT gateway.
+

+

You need to define a zone for the remote subnet or include + it in your local zone. In this example, we'll assume that you have created +a zone called "vpn" to represent the remote subnet.

+ +
+ + + + + + + + + + + + + + +
ZONEDISPLAYCOMMENTS
vpnVPNRemote Subnet
+
+ +

At both systems, ipsec0 would be included in /etc/shorewall/interfaces +as a "vpn" interface:

+ +
+ + + + + + + + + + + + + + + + +
ZONE INTERFACE BROADCAST OPTIONS
vpnipsec0  
+
+ +

You will need to allow traffic between the "vpn" zone and + the "loc" zone -- if you simply want to admit all traffic in both + directions, you can use the policy file:

+ +
+ + + + + + + + + + + + + + + + + + + + + + +
SOURCEDESTPOLICYLOG LEVEL
locvpnACCEPT 
vpnlocACCEPT 
+
+ +

Once you have these entries in place, restart Shorewall (type +shorewall restart); you are now ready to configure the tunnel in FreeS/WAN .

+ +

Mobile System (Road +Warrior)

+ +

Suppose that you have a laptop system (B) that you take with you when you +travel and you want to be able to establish a secure connection back to your +local network.

+ +

+ +

+ +

You need to define a zone for the laptop or include it in + your local zone. In this example, we'll assume that you have created +a zone called "vpn" to represent the remote host.

+ +
+ + + + + + + + + + + + + + +
ZONEDISPLAYCOMMENTS
vpnVPNRemote Subnet
+
+ +

In this instance, the mobile system (B) has IP address 134.28.54.2 +but that cannot be determined in advance. In the /etc/shorewall/tunnels file +on system A, the following entry should be made:

+ +
+ + + + + + + + + + + + + + + + +
TYPE ZONE GATEWAY GATEWAY ZONE
ipsecnet0.0.0.0/0vpn
+
+ +

Note that the GATEWAY ZONE column contains the name of the zone corresponding +to peer subnetworks. This indicates that the gateway system itself comprises +the peer subnetwork; in other words, the remote gateway is a standalone system.

+ +

You will need to configure /etc/shorewall/interfaces and establish + your "through the tunnel" policy as shown under the first example above.

- - -

- Copyright © 2001, 2002 Thomas M. Eastep.

- + +

Dynamic RoadWarrior Zones

+ Beginning with Shorewall release 1.3.10, you can define multiple VPN zones +and add and delete remote endpoints dynamically using /sbin/shorewall. In +/etc/shorewall/zones:
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + +
ZONE
+ 		DISPLAY
+ 		COMMENTS
+
vpn1
+ 		VPN-1
+ 		First VPN Zone
+
vpn2
+ 		VPN-2
+ 		Second VPN Zone
+
vpn3
+ 		VPN-3
+ 		Third VPN Zone
+
+
+
+ In /etc/shorewall/tunnels:
+ +
+ + + + + + + + + + + + + + + + +
TYPE
+ 		ZONE
+ 		GATEWAY
+ 		GATEWAY ZONE
+
ipsec
+ 		net
+ 		0.0.0.0/0
+ 		vpn1,vpn2,vpn3
+
+
+
+ When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall +will issue warnings to that effect. These warnings may be safely ignored. +FreeS/Wan may now be configured to have three different Road Warrior connections +with the choice of connection being based on X-509 certificates or some other +means. Each of these connectioins will utilize a different updown script that +adds the remote station to the appropriate zone when the connection comes +up and that deletes the remote station when the connection comes down. For +example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the +script will issue the command":
+
+ +
/sbin/shorewall add ipsec0:134.28.54.2 vpn2
+
+ and the 'down' part will:
+ +
/sbin/shorewall delete ipsec0:134.28.54.2 vpn
+ +

Last updated 10/23/2002 - + Tom Eastep

+ +

+ Copyright © 2001, 2002 Thomas M. Eastep.

+
+
- \ No newline at end of file + diff --git a/STABLE/documentation/Install.htm b/STABLE/documentation/Install.htm index 9b5b55523..1b7565f5a 100644 --- a/STABLE/documentation/Install.htm +++ b/STABLE/documentation/Install.htm @@ -1,207 +1,207 @@ - + Shorewall Installation - + - + - + - - - + + - - - + + + +
-

Shorewall Installation and +

+

Shorewall Installation and Upgrade

-
- +

Before upgrading, be sure to review the Upgrade Issues

- +

Install using RPM
- Install using tarball
- Upgrade using RPM
- Upgrade using tarball
- Configuring Shorewall
- Uninstall/Fallback

- + Install using tarball
+ Upgrade using RPM
+ Upgrade using tarball
+ Configuring Shorewall
+ Uninstall/Fallback

+

To install Shorewall using the RPM:

- -

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a -shell prompt, type "/sbin/iptables --version"), you must upgrade to version + +

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a +shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the RedHat update - site or from the Shorewall Errata page before + href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update + site or from the Shorewall Errata page before attempting to start Shorewall.

- + - -

To install Shorewall using the tarball + +

To install Shorewall using the tarball and install script:

- + - -

If you already have the Shorewall RPM installed + +

If you already have the Shorewall RPM installed and are upgrading to a new version:

- -

If you are upgrading from a 1.2 version of Shorewall to a 1.3 version -and you have entries in the /etc/shorewall/hosts file then please check -your /etc/shorewall/interfaces file to be sure that it contains an entry -for each interface mentioned in the hosts file. Also, there are certain -1.2 rule forms that are no longer supported under 1.3 (you must use the -new 1.3 syntax). See the upgrade issues for -details. You can check your rules and host file for 1.3 compatibility using -the "shorewall check" command after installing the latest version of 1.3.

- + +

If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and +you have entries in the /etc/shorewall/hosts file then please check your + /etc/shorewall/interfaces file to be sure that it contains an entry for +each interface mentioned in the hosts file. Also, there are certain 1.2 +rule forms that are no longer supported under 1.3 (you must use the new +1.3 syntax). See the upgrade issues for details. +You can check your rules and host file for 1.3 compatibility using the "shorewall +check" command after installing the latest version of 1.3.

+
    -
  • Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If -you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs -installed, you must use the "--oldpackage" option to rpm (e.g., "rpm - -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). -

    Note: Some SuSE users have encountered a problem whereby -rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel -is installed. If this happens, simply use the --nodeps option to rpm (rpm +

  • Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If +you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, + you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage +shorewall-1.2-0.noarch.rpm"). +

    Note: Some SuSE users have encountered a problem whereby +rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is +installed. If this happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall rpm>).
    -  

    -
    • -
  • See if there are any incompatibilities between your configuration and -the new Shorewall version (type "shorewall check") and correct as necessary.
    • -
  • Restart the firewall (shorewall restart).
    • - -
- -

If you already have Shorewall installed -and are upgrading to a new version using the tarball:

- -

If you are upgrading from a 1.2 version of Shorewall to a 1.3 version -and you have entries in the /etc/shorewall/hosts file then please check -your /etc/shorewall/interfaces file to be sure that it contains an entry -for each interface mentioned in the hosts file.  Also, there are certain -1.2 rule forms that are no longer supported under 1.3 (you must use the -new 1.3 syntax). See the upgrade issues -for details. You can check your rules and host file for 1.3 compatibility -using the "shorewall check" command after installing the latest version -of 1.3.

- -
    -
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
    • -
  • cd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-3.0.1").
    • -
  • If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
    • -
  • If you are using SuSe then type - "./install.sh /etc/init.d"
    • -
  • If your distribution has directory /etc/rc.d/init.d or -/etc/init.d then type "./install.sh"
    • -
  • For other distributions, determine where your distribution -installs init scripts and type "./install.sh <init script -directory>
    • +  

    +
  • See if there are any incompatibilities between your configuration and the new Shorewall version (type "shorewall check") and correct as necessary.
    • -
  • Restart the firewall by typing "shorewall restart"
    • - +
  • Restart the firewall (shorewall restart).
    • +
- -

Configuring Shorewall

- -

You will need to edit some or all of these configuration files to match -your setup. In most cases, the Shorewall - QuickStart Guides contain all of the information you need.

- + +

If you already have Shorewall installed and +are upgrading to a new version using the tarball:

+ +

If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and +you have entries in the /etc/shorewall/hosts file then please check your + /etc/shorewall/interfaces file to be sure that it contains an entry for +each interface mentioned in the hosts file.  Also, there are certain 1.2 +rule forms that are no longer supported under 1.3 (you must use the new +1.3 syntax). See the upgrade issues for +details. You can check your rules and host file for 1.3 compatibility using +the "shorewall check" command after installing the latest version of 1.3.

+
    -
  • /etc/shorewall/shorewall.conf - used to set several firewall - parameters.
    • -
  • /etc/shorewall/params - use this file to set shell variables that -you will expand in other files.
    • -
  • /etc/shorewall/zones - partition the firewall's view of the world - into zones.
    • -
  • /etc/shorewall/policy - establishes firewall high-level policy.
    • -
  • /etc/shorewall/interfaces - describes the interfaces on the - firewall system.
    • -
  • /etc/shorewall/hosts - allows defining zones in terms of individual - hosts and subnetworks.
    • -
  • /etc/shorewall/masq - directs the firewall where to use many-to-one - (dynamic) NAT a.k.a. Masquerading.
    • -
  • /etc/shorewall/modules - directs the firewall to load kernel modules.
    • -
  • /etc/shorewall/rules - defines rules that are exceptions to the - overall policies established in /etc/shorewall/policy.
    • -
  • /etc/shorewall/nat - defines static NAT rules.
    • -
  • /etc/shorewall/proxyarp - defines use of Proxy ARP.
    • -
  • /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines -hosts accessible when Shorewall is stopped.
    • -
  • /etc/shorewall/tcrules - defines marking of packets for later use -by traffic control/shaping.
    • -
  • /etc/shorewall/tos - defines rules for setting the TOS field in packet - headers.
    • -
  • /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on - the firewall system.
    • -
  • /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    • - +
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
    • +
  • cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-3.0.1").
    • +
  • If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
    • +
  • If you are using SuSe then type + "./install.sh /etc/init.d"
    • +
  • If your distribution has directory /etc/rc.d/init.d or +/etc/init.d then type "./install.sh"
    • +
  • For other distributions, determine where your distribution +installs init scripts and type "./install.sh <init script directory>
    • +
  • See if there are any incompatibilities between your configuration +and the new Shorewall version (type "shorewall check") and correct as necessary.
    • +
  • Restart the firewall by typing "shorewall restart"
    • +
- -

Updated 10/9/2002 - Tom Eastep + +

Configuring Shorewall

+ +

You will need to edit some or all of these configuration files to match +your setup. In most cases, the Shorewall + QuickStart Guides contain all of the information you need.

+ +
    +
  • /etc/shorewall/shorewall.conf - used to set several firewall + parameters.
    • +
  • /etc/shorewall/params - use this file to set shell variables that +you will expand in other files.
    • +
  • /etc/shorewall/zones - partition the firewall's view of the world + into zones.
    • +
  • /etc/shorewall/policy - establishes firewall high-level policy.
    • +
  • /etc/shorewall/interfaces - describes the interfaces on the + firewall system.
    • +
  • /etc/shorewall/hosts - allows defining zones in terms of individual + hosts and subnetworks.
    • +
  • /etc/shorewall/maclist - verification of the MAC addresses of devices.
    +
    • +
  • /etc/shorewall/masq - directs the firewall where to use many-to-one + (dynamic) NAT a.k.a. Masquerading.
    • +
  • /etc/shorewall/modules - directs the firewall to load kernel modules.
    • +
  • /etc/shorewall/rules - defines rules that are exceptions to the + overall policies established in /etc/shorewall/policy.
    • +
  • /etc/shorewall/nat - defines static NAT rules.
    • +
  • /etc/shorewall/proxyarp - defines use of Proxy ARP.
    • +
  • /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines +hosts accessible when Shorewall is stopped.
    • +
  • /etc/shorewall/tcrules - defines marking of packets for later use +by traffic control/shaping.
    • +
  • /etc/shorewall/tos - defines rules for setting the TOS field in packet + headers.
    • +
  • /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on + the firewall system.
    • +
  • /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    • + +
+ +

Updated 10/28/2002 - Tom Eastep

- -

Copyright + +

Copyright © 2001, 2002 Thomas M. Eastep.

-
+
+
diff --git a/STABLE/documentation/MAC_Validation.html b/STABLE/documentation/MAC_Validation.html new file mode 100644 index 000000000..427184e89 --- /dev/null +++ b/STABLE/documentation/MAC_Validation.html @@ -0,0 +1,107 @@ + + + + MAC Verification + + + + + + + + + + + + + + +
+ +

MAC Verification
+

+
+
+
+ Beginning with Shorewall version 1.3.10, all traffic from an interface +or from a subnet on an interface can be verified to originate from a defined + set of MAC addresses. Furthermore, each MAC address may be optionally associated + with one or more IP addresses. There are four components to this facility.
+ +
    +
  1. The maclist interface option in /etc/shorewall/interfaces. When +this option is specified, all traffic arriving on the interface is subjet +to MAC verification.
    2. +
  2. The maclist option in /etc/shorewall/hosts. + When this option is specified for a subnet, all traffic from that subnet +is subject to MAC verification.
    3. +
  3. The /etc/shorewall/maclist file. This file is used to associate MAC + addresses with interfaces and to optionally associate IP addresses with +MAC addresses.
    4. +
  4. The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables + in /etc/shorewall/shorewall.conf. The + MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines + the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL + variable gives the syslogd level at which connection requests that fail +verification are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") + then failing connection requests are not logged.
    +
    5. + +
+ The columns in /etc/shorewall/maclist are:
+ +
    +
  • INTERFACE - The name of an ethernet interface on the Shorewall system.
    • +
  • MAC - The MAC address of a device on the ethernet segment connected + by INTERFACE. It is not necessary to use the Shorewall MAC format in this + column although you may use that format if you so choose.
    • +
  • IP Address - An optional comma-separated list of IP addresses for +the device whose MAC is listed in the MAC column.
    • + +
+ +

Example 1: Here are my files:

+ /etc/shorewall/shorewall.conf:
+ +
     MACLIST_DISPOSITION=REJECT
     MACLIST_LOG_LEVEL=info
+ /etc/shorewall/interfaces:
+ +
     #ZONE           INTERFACE       BROADCAST       OPTIONS
     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist
     loc             eth2            192.168.1.255   dhcp,filterping,maclist
     dmz             eth1            192.168.2.255   filterping
     net             eth3            206.124.146.255 filterping,blacklist
     -               texas           192.168.9.255   filterping
     loc             ppp+            -               filterping
+ /etc/shorewall/maclist:
+ +
     #INTERFACE              MAC                     IP ADDRESSES (Optional)
     eth2                    00:A0:CC:63:66:89       192.168.1.3     #Wookie
     eth2                    00:10:B5:EC:FD:0B       192.168.1.4     #Tarry
     eth2                    00:A0:CC:DB:31:C4       192.168.1.5     #Ursa
     eth2                    00:06:25:aa:a8:0f       192.168.1.7     #Eastept1 (Wireless)
     eth2                    00:04:5A:0E:85:B9       192.168.1.250   #Wap
+ As shown above, I use MAC Verification on my local + zone.
+ +

Example 2: Router in Local Zone

+ Suppose now that I add a second ethernet segment to my local zone and gateway + that segment via a router with MAC address 00:06:43:45:C6:15 and IP address + 192.168.1.253. Hosts in the second segment have IP addresses in the subnet + 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist + file:
+ +
     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24
+ This entry accomodates traffic from the router itself (192.168.1.253) and + from the second LAN segment (192.168.2.0/24). Remember that all traffic +being sent to my firewall from the 192.168.2.0/24 segment will be forwarded +by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) + and not that of the host sending the traffic. +

Updated 10/23/2002 - Tom Eastep +

+ + + +

Copyright + © 2001, 2002 Thomas M. Eastep.

+
+
+
+
+ + diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm index 46a69385d..6016710da 100644 --- a/STABLE/documentation/News.htm +++ b/STABLE/documentation/News.htm @@ -1,1357 +1,1455 @@ - + Shorewall News - + - + - + - - - + + - - - + + + +
- +
+

Shorewall News Archive

-
- -

10/9/2002 - Shorewall 1.3.9b

-This release rolls up fixes to the installer and to the firewall script.
-

10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and server here at shorewall.net are now running RedHat release -8.0.
-
- 9/30/2002 - Shorewall 1.3.9a

- Roles up the fix for broken tunnels.
- -

9/30/2002 - TUNNELS Broken in 1.3.9!!!

- There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
- -

9/28/2002 - Shorewall 1.3.9

- -

In this version:
-

- + +

11/09/2002 - Shorewall 1.3.10

+

In this version:

    -
  • DNS Names - are now allowed in Shorewall config files (although I recommend against - using them).
    • -
  • The connection SOURCE may now be qualified by both interface -and IP address in a Shorewall rule.
    • -
  • Shorewall startup is now disabled after initial installation -until the file /etc/shorewall/startup_disabled is removed. This avoids -nasty surprises during reboot for users who install Shorewall but don't configure -it.
    • -
  • The 'functions' and 'version' files and the 'firewall' symbolic -link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease - the LFS police at Debian.
    -
    • - +
  • You may now define the contents of a zone +dynamically with the "shorewall +add" and "shorewall delete" commands. These commands are expected to +be used primarily within FreeS/Wan updown scripts.
    • +
  • Shorewall can now do MAC verification + on ethernet segments. You can specify the set of allowed MAC addresses +on the segment and you can optionally tie each MAC address to one or more +IP addresses.
    • +
  • PPTP Servers and Clients running on the firewall system may now be +defined in the /etc/shorewall/tunnels file.
    • +
  • A new 'ipsecnat' tunnel type is supported for use when the + remote IPSEC endpoint is behind a NAT gateway.
    • +
  • The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
    • +
  • The main firewall script is now /usr/lib/shorewall/firewall. The script +in /etc/init.d/shorewall is very small and uses /sbin/shorewall to do the +real work. This change makes custom distributions such as for Debian and +for Gentoo easier to manage since it is /etc/init.d/shorewall that tends +to have distribution-dependent code
- -

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
-

- Brown Paper Bag - A couple of recent configuration changes at www.shorewall.net broke - the Search facility:
- -
-
    -
  1. Mailing List Archive Search was not available.
    2. -
  2. The Site Search index was incomplete
    3. -
  3. Only one page of matches was presented.
    4. - -
-
- Hopefully these problems are now corrected. -

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
-

- A couple of recent configuration changes at www.shorewall.net had -the negative effect of breaking the Search facility:
- -
    -
  1. Mailing List Archive Search was not available.
    2. -
  2. The Site Search index was incomplete
    3. -
  3. Only one page of matches was presented.
    4. - -
- Hopefully these problems are now corrected.
- -

9/18/2002 -  Debian 1.3.8 Packages Available
-

+

10/24/2002 - Shorewall is now in Gentoo Linux
+

+ Alexandru Hartmann reports that his Shorewall package is now a part of +the Gentoo Linux distribution. Thanks +Alex!
+ +

10/23/2002 - Shorewall 1.3.10 Beta 1

+ In this version:
+ + + You may download the Beta from:
+ + +

10/10/2002 -  Debian 1.3.9b Packages Available
+

+

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

9/16/2002 - Shorewall 1.3.8

- + +

10/9/2002 - Shorewall 1.3.9b

+ This release rolls up fixes to the installer and to the firewall script.
+ +

10/6/2002 - Shorewall.net now running on RH8.0
+
+ The firewall and server here at shorewall.net are now running RedHat +release 8.0.
+
+ 9/30/2002 - Shorewall 1.3.9a

+ Roles up the fix for broken tunnels.
+ +

9/30/2002 - TUNNELS Broken in 1.3.9!!!

+ There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
+ +

9/28/2002 - Shorewall 1.3.9

+

In this version:
-

- +

+
    -
  • A NEWNOTSYN option -has been added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established connection -and that are not 'SYN' packets (SYN flag on and ACK flag off).
    • -
  • The need for the 'multi' option to communicate between zones - za and zb on the same interface is removed in the case where the chain - 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
    • - -
      -
    • There is a policy for za to zb; or
      • -
    • There is at least one rule for za to zb.
      • +
    • DNS Names + are now allowed in Shorewall config files (although I recommend against + using them).
      • +
    • The connection SOURCE may now be qualified by both interface + and IP address in a Shorewall rule.
      • +
    • Shorewall startup is now disabled after initial installation + until the file /etc/shorewall/startup_disabled is removed. This avoids + nasty surprises during reboot for users who install Shorewall but don't + configure it.
      • +
    • The 'functions' and 'version' files and the 'firewall' symbolic + link have been moved from /var/lib/shorewall to /usr/lib/shorewall to +appease the LFS police at Debian.
      +
      • + +
    + +

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
    +

    + Brown Paper Bag + A couple of recent configuration changes at www.shorewall.net + broke the Search facility:
    + +
    +
      +
    1. Mailing List Archive Search was not available.
      2. +
    2. The Site Search index was incomplete
      3. +
    3. Only one page of matches was presented.
      4. -
+ + + Hopefully these problems are now corrected. +

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
+

+ A couple of recent configuration changes at www.shorewall.net +had the negative effect of breaking the Search facility:
- - +
    +
  1. Mailing List Archive Search was not available.
    2. +
  2. The Site Search index was incomplete
    3. +
  3. Only one page of matches was presented.
    4. + +
+ Hopefully these problems are now corrected.
+ +

9/18/2002 -  Debian 1.3.8 Packages Available
+

+ +

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

9/16/2002 - Shorewall 1.3.8

+ +

In this version:
+

+
    -
  • The /etc/shorewall/blacklist file now contains three columns. - In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL - and PORT columns to block only certain applications from the blacklisted - addresses.
    -
    • - -
- -

9/11/2002 - Debian 1.3.7c Packages Available

+
  • A NEWNOTSYN option + has been added to shorewall.conf. This option determines whether Shorewall + accepts TCP packets which are not part of an established connection +and that are not 'SYN' packets (SYN flag on and ACK flag off).
    • +
  • The need for the 'multi' option to communicate between + zones za and zb on the same interface is removed in the case where +the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
    • +
      +
    • There is a policy for za to zb; or
      • +
    • There is at least one rule for za to zb.
      • + +
    + + + +
      +
    • The /etc/shorewall/blacklist file now contains three +columns. In addition to the SUBNET/ADDRESS column, there are optional +PROTOCOL and PORT columns to block only certain applications from the +blacklisted addresses.
      +
      • + +
    + +

    9/11/2002 - Debian 1.3.7c Packages Available

    +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    9/2/2002 - Shorewall 1.3.7c

    - -

    This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).

    - + +

    This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).

    +

    8/31/2002 - I'm not available

    - -

    I'm currently on vacation  -- please respect my need for a couple of - weeks free of Shorewall problem reports.

    - + +

    I'm currently on vacation  -- please respect my need for a couple of +weeks free of Shorewall problem reports.

    +

    -Tom

    - +

    8/26/2002 - Shorewall 1.3.7b

    - -

    This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" checking.

    - + +

    This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.

    +

    8/26/2002 - French FTP Mirror is Operational

    - +

    ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.

    - + href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available.

    +

    8/25/2002 - Shorewall Mirror in France

    - -

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at http://france.shorewall.net.

    - + +

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.

    +

    8/25/2002 - Shorewall 1.3.7a Debian Packages Available

    - -

    Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a releasedLorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.

    + +

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released -

    - -

    1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.

    - +

    + +

    1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.

    +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

    - +

    Features in this release include:

    - +
      -
    • The 'icmp.def' file is now empty! The rules in that file - were required in ipchains firewalls but are not required in Shorewall. - Users who have ALLOWRELATED=No in The 'icmp.def' file is now empty! The rules in that +file were required in ipchains firewalls but are not required in +Shorewall. Users who have ALLOWRELATED=No in shorewall.conf should see the Upgrade Issues.
      • -
    • A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting - this variable to Yes is the same as the effect of adding an ACCEPT - rule for ICMP echo-request in /etc/shorewall/icmpdef. Users - who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
      • -
    • The loopback CLASS A Network (127.0.0.0/8) has been added - to the rfc1918 file.
      • -
    • Shorewall now works with iptables 1.2.7
      • -
    • The documentation and web site no longer uses FrontPage - themes.
      • - +
    • A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting + this variable to Yes is the same as the effect of adding an ACCEPT + rule for ICMP echo-request in /etc/shorewall/icmpdef. Users + who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
      • +
    • The loopback CLASS A Network (127.0.0.0/8) has been +added to the rfc1918 file.
      • +
    • Shorewall now works with iptables 1.2.7
      • +
    • The documentation and web site no longer uses FrontPage + themes.
      • +
    - -

    I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input has led to marked improvement - in Shorewall in the last two releases.

    - + +

    I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. That input has led to marked + improvement in Shorewall in the last two releases.

    +

    8/13/2002 - Documentation in the CVS Repository

    - -

    The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.

    - + +

    The Shorewall-docs project now contains just the HTML and image files +- the Frontpage files have been removed.

    +

    8/7/2002 - STABLE branch added to CVS Repository

    - -

    This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to get the latest stable -tree.

    - -

    8/7/2002 - Upgrade Issues section added - to the Errata Page

    - -

    Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.

    - + +

    This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable + tree.

    + +

    8/7/2002 - Upgrade Issues section +added to the Errata Page

    + +

    Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.

    +

    8/7/2002 - Shorewall 1.3.6

    - +

    This is primarily a bug-fix rollup with a couple of new features:

    - + - +

    7/30/2002 - Shorewall 1.3.5b Released

    - +

    This interim release:

    - + - +

    7/29/2002 - New Shorewall Setup Guide Available

    - +

    The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are setting up Shorewall - to manage multiple public IP addresses and by people who want to learn - more about Shorewall than is described in the single-address guides. - Feedback on the new guide is welcome.

    - + href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people who are setting up Shorewall + to manage multiple public IP addresses and by people who want to +learn more about Shorewall than is described in the single-address +guides. Feedback on the new guide is welcome.

    +

    7/28/2002 - Shorewall 1.3.5 Debian Package Available

    - -

    Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/27/2002 - Shorewall 1.3.5a Released

    - +

    This interim release restores correct handling of REDIRECT rules.

    - +

    7/26/2002 - Shorewall 1.3.5 Released

    - -

    This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.

    - + +

    This will be the last Shorewall release for a while. I'm going to be +focusing on rewriting a lot of the documentation.

    +

     In this version:

    - +
      -
    • Empty and invalid source and destination qualifiers are - now detected in the rules file. It is a good idea to use the 'shorewall - check' command before you issue a 'shorewall restart' command be -be sure that you don't have any configuration problems that will -prevent a successful restart.
      • -
    • Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior - of the /etc/shorewall/hosts file.
      • -
    • The time that the counters were last reset is now displayed - in the heading of the 'status' and 'show' commands.
      • -
    • A proxyarp option has been added for entries in - /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described in the Proxy - ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface causes Shorewall -to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
      • -
    • The Samples have been updated to reflect the new capabilities - in this release.
      • - +
    • Empty and invalid source and destination qualifiers +are now detected in the rules file. It is a good idea to use the +'shorewall check' command before you issue a 'shorewall restart' +command be be sure that you don't have any configuration problems +that will prevent a successful restart.
      • +
    • Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior + of the /etc/shorewall/hosts file.
      • +
    • The time that the counters were last reset is now displayed + in the heading of the 'status' and 'show' commands.
      • +
    • A proxyarp option has been added for entries +in /etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described in the Proxy + ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface causes Shorewall + to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
      • +
    • The Samples have been updated to reflect the new capabilities + in this release.
      • +
    - +

    7/16/2002 - New Mirror in Argentina

    - -

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!

    - + +

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!

    +

    7/16/2002 - Shorewall 1.3.4 Released

    - +

    In this version:

    - +
      -
    • A new /etc/shorewall/routestopped - file has been added. This file is intended to eventually replace -the routestopped option in the /etc/shorewall/interface -and /etc/shorewall/hosts files. This new file makes remote firewall -administration easier by allowing any IP or subnet to be enabled while -Shorewall is stopped.
      • -
    • An /etc/shorewall/stopped extension script has been added. - This script is invoked after Shorewall has stopped.
      • -
    • A DETECT_DNAT_ADDRS option has been added to - /etc/shoreall/shorewall.conf. When -this option is selected, DNAT rules only apply when the destination -address is the external interface's primary IP address.
      • -
    • The QuickStart - Guide has been broken into three guides and has been almost +
    • A new +/etc/shorewall/routestopped file has been added. This file is +intended to eventually replace the routestopped option +in the /etc/shorewall/interface and /etc/shorewall/hosts files. +This new file makes remote firewall administration easier by allowing + any IP or subnet to be enabled while Shorewall is stopped.
      • +
    • An /etc/shorewall/stopped extension script has been added. + This script is invoked after Shorewall has stopped.
      • +
    • A DETECT_DNAT_ADDRS option has been added to + /etc/shoreall/shorewall.conf. + When this option is selected, DNAT rules only apply when the destination + address is the external interface's primary IP address.
      • +
    • The QuickStart + Guide has been broken into three guides and has been almost entirely rewritten.
      • -
    • The Samples have been updated to reflect the new capabilities - in this release.
      • - +
    • The Samples have been updated to reflect the new capabilities + in this release.
      • +
    - +

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    - +

    Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/6/2002 - Shorewall 1.3.3 Released

    - +

    In this version:

    - +
      -
    • Entries in /etc/shorewall/interface that use the wildcard - character ("+") now have the "multi" option assumed.
      • -
    • The 'rfc1918' chain in the mangle table has been renamed - 'man1918' to make log messages generated from that chain distinguishable - from those generated by the 'rfc1918' chain in the filter table.
      • -
    • Interface names appearing in the hosts file are now validated - against the interfaces file.
      • -
    • The TARGET column in the rfc1918 file is now checked for - correctness.
      • -
    • The chain structure in the nat table has been changed -to reduce the number of rules that a packet must traverse and to +
    • Entries in /etc/shorewall/interface that use the wildcard + character ("+") now have the "multi" option assumed.
      • +
    • The 'rfc1918' chain in the mangle table has been renamed + 'man1918' to make log messages generated from that chain distinguishable + from those generated by the 'rfc1918' chain in the filter table.
      • +
    • Interface names appearing in the hosts file are now +validated against the interfaces file.
      • +
    • The TARGET column in the rfc1918 file is now checked + for correctness.
      • +
    • The chain structure in the nat table has been changed + to reduce the number of rules that a packet must traverse and to correct problems with NAT_BEFORE_RULES=No
      • -
    • The "hits" command has been enhanced.
      • - +
    • The "hits" command has been enhanced.
      • +
    - +

    6/25/2002 - Samples Updated for 1.3.2

    - -

    The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.

    - + +

    The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.

    +

    6/25/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/19/2002 - Documentation Available in PDF Format

    - -

    Thanks to Mike Martinez, the Shorewall Documentation is now available for - download in Adobe - PDF format.

    - + +

    Thanks to Mike Martinez, the Shorewall Documentation is now available +for download in Adobe PDF format.

    +

    6/16/2002 - Shorewall 1.3.2 Released

    - +

    In this version:

    - + - +

    6/6/2002 - Why CVS Web access is Password Protected

    - -

    Last weekend, I installed the CVS Web package to provide brower-based access - to the Shorewall CVS repository. Since then, I have had several instances -where my server was almost unusable due to the high load generated by website -copying tools like HTTrack and WebStripper. These mindless tools:

    - + +

    Last weekend, I installed the CVS Web package to provide brower-based +access to the Shorewall CVS repository. Since then, I have had several +instances where my server was almost unusable due to the high load generated +by website copying tools like HTTrack and WebStripper. These mindless tools:

    +
      -
    • Ignore robot.txt files.
      • -
    • Recursively copy everything that they find.
      • -
    • Should be classified as weapons rather than tools.
      • - +
    • Ignore robot.txt files.
      • +
    • Recursively copy everything that they find.
      • +
    • Should be classified as weapons rather than tools.
      • +
    - -

    These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the cgi-generated HTML resulting - in 1000s of executions of the cvsweb.cgi script. Yesterday, I spend - several hours implementing measures to block these tools but unfortunately, - these measures resulted in my server OOM-ing under even moderate load.

    - -

    Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web access will remain Password - Protected.

    - + +

    These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated HTML + resulting in 1000s of executions of the cvsweb.cgi script. Yesterday, + I spend several hours implementing measures to block these tools but + unfortunately, these measures resulted in my server OOM-ing under +even moderate load.

    + +

    Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access will remain + Password Protected.

    +

    6/5/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/2/2002 - Samples Corrected

    - -

    The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems have been corrected - in the 1.3.1 samples.

    - + +

    The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have been corrected + in the 1.3.1 samples.

    +

    6/1/2002 - Shorewall 1.3.1 Released

    - +

    Hot on the heels of 1.3.0, this release:

    - + - +

    5/29/2002 - Shorewall 1.3.0 Released

    - -

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:

    - + +

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:

    +
      -
    • A 'filterping' interface option that allows ICMP echo-request - (ping) requests addressed to the firewall to be handled by entries - in /etc/shorewall/rules and /etc/shorewall/policy.
      • - +
    • A 'filterping' interface option that allows ICMP echo-request + (ping) requests addressed to the firewall to be handled by entries + in /etc/shorewall/rules and /etc/shorewall/policy.
      • +
    - +

    5/23/2002 - Shorewall 1.3 RC1 Available

    - -

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:

    - + +

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:

    + - +

    5/19/2002 - Shorewall 1.3 Beta 2 Available

    - -

    In addition to the changes in Beta 1, this release which carries the - designation 1.2.91 adds:

    - + +

    In addition to the changes in Beta 1, this release which carries the +designation 1.2.91 adds:

    +
      -
    • The structure of the firewall is changed markedly. There - is now an INPUT and a FORWARD chain for each interface; this reduces - the number of rules that a packet must traverse, especially in complicated - setups.
      • -
    • Sub-zones may now -be excluded from DNAT and REDIRECT rules.
      • -
    • The names of the columns in a number of the configuration - files have been changed to be more consistent and self-explanatory - and the documentation has been updated accordingly.
      • -
    • The sample configurations have been updated for 1.3.
      • - +
    • The structure of the firewall is changed markedly. +There is now an INPUT and a FORWARD chain for each interface; this +reduces the number of rules that a packet must traverse, especially +in complicated setups.
      • +
    • Sub-zones may now + be excluded from DNAT and REDIRECT rules.
      • +
    • The names of the columns in a number of the configuration + files have been changed to be more consistent and self-explanatory + and the documentation has been updated accordingly.
      • +
    • The sample configurations have been updated for 1.3.
      • +
    - +

    5/17/2002 - Shorewall 1.3 Beta 1 Available

    - -

    Beta 1 carries the version designation 1.2.90 and implements the following - features:

    - + +

    Beta 1 carries the version designation 1.2.90 and implements the following + features:

    +
      -
    • Simplified rule syntax which makes the intent of each -rule clearer and hopefully makes Shorewall easier to learn.
      • -
    • Upward compatibility with 1.2 configuration files has -been maintained so that current users can migrate to the new syntax -at their convenience.
      • -
    • WARNING:  Compatibility with -the old parameterized sample configurations has NOT been maintained. -Users still running those configurations should migrate to the new -sample configurations before upgrading to 1.3 Beta 1.
      • - +
    • Simplified rule syntax which makes the intent of each + rule clearer and hopefully makes Shorewall easier to learn.
      • +
    • Upward compatibility with 1.2 configuration files has + been maintained so that current users can migrate to the new syntax + at their convenience.
      • +
    • WARNING:  Compatibility with + the old parameterized sample configurations has NOT been maintained. + Users still running those configurations should migrate to the new + sample configurations before upgrading to 1.3 Beta 1.
      • +
    - +

    5/4/2002 - Shorewall 1.2.13 is Available

    - +

    In this version:

    - + - +

    4/30/2002 - Shorewall Debian News

    - -

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch and the Debian -Unstable Branch.

    - + +

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian + Testing Branch and the Debian + Unstable Branch.

    +

    4/20/2002 - Shorewall 1.2.12 is Available

    - +
      -
    • The 'try' command works again
      • -
    • There is now a single RPM that also works with SuSE.
      • - +
    • The 'try' command works again
      • +
    • There is now a single RPM that also works with SuSE.
      • +
    - +

    4/17/2002 - Shorewall Debian News

    - +

    Lorenzo Marignoni reports that:

    - + - +

    Thanks, Lorenzo!

    - +

    4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

    - -

    Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.

    - + +

    Thanks to Stefan Mohr, there + is now a Shorewall 1.2.11 + SuSE RPM available.

    +

    4/13/2002 - Shorewall 1.2.11 Available

    - +

    In this version:

    - +
      -
    • The 'try' command now accepts an optional timeout. If -the timeout is given in the command, the standard configuration -will automatically be restarted after the new configuration has been -running for that length of time. This prevents a remote admin from -being locked out of the firewall in the case where the new configuration +
    • The 'try' command now accepts an optional timeout. +If the timeout is given in the command, the standard configuration +will automatically be restarted after the new configuration has been +running for that length of time. This prevents a remote admin from +being locked out of the firewall in the case where the new configuration starts but prevents access.
      • -
    • Kernel route filtering may now be enabled globally using - the new ROUTE_FILTER parameter in Kernel route filtering may now be enabled globally +using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
      • -
    • Individual IP source addresses and/or subnets may now -be excluded from masquerading/SNAT.
      • -
    • Simple "Yes/No" and "On/Off" values are now case-insensitive - in /etc/shorewall/shorewall.conf.
      • - +
    • Individual IP source addresses and/or subnets may now + be excluded from masquerading/SNAT.
      • +
    • Simple "Yes/No" and "On/Off" values are now case-insensitive + in /etc/shorewall/shorewall.conf.
      • +
    - +

    4/13/2002 - Hamburg Mirror now has FTP

    - +

    Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  - Thanks Stefan!

    - + href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall.  + Thanks Stefan!

    +

    4/12/2002 - New Mirror in Hamburg

    - -

    Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at http://germany.shorewall.net.

    - + +

    Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website at http://germany.shorewall.net. +

    +

    4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

    - -

    Version 1.1 of the QuickStart - Guide is now available. Thanks to those who have read version 1.0 - and offered their suggestions. Corrections have also been made to the - sample scripts.

    - + +

    Version 1.1 of the QuickStart + Guide is now available. Thanks to those who have read version + 1.0 and offered their suggestions. Corrections have also been made +to the sample scripts.

    +

    4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

    - -

    Version 1.0 of the QuickStart - Guide is now available. This Guide and its accompanying sample -configurations are expected to provide a replacement for the recently -withdrawn parameterized samples.

    - + +

    Version 1.0 of the QuickStart + Guide is now available. This Guide and its accompanying sample + configurations are expected to provide a replacement for the recently + withdrawn parameterized samples.

    +

    4/8/2002 - Parameterized Samples Withdrawn

    - +

    Although the parameterized - samples have allowed people to get a firewall up and running quickly, - they have unfortunately set the wrong level of expectation among those - who have used them. I am therefore withdrawing support for the samples - and I am recommending that they not be used in new Shorewall installations.

    - + href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized + samples have allowed people to get a firewall up and running +quickly, they have unfortunately set the wrong level of expectation +among those who have used them. I am therefore withdrawing support +for the samples and I am recommending that they not be used in new +Shorewall installations.

    +

    4/2/2002 - Updated Log Parser

    - -

    John Lodge has provided an updated - version of his CGI-based log parser - with corrected date handling.

    - + +

    John Lodge has provided an updated + version of his CGI-based log parser + with corrected date handling.

    +

    3/30/2002 - Shorewall Website Search Improvements

    - -

    The quick search on the home page now excludes the mailing list archives. - The Extended Search allows excluding - the archives or restricting the search to just the archives. An archive - search form is also available on the mailing - list information page.

    - + +

    The quick search on the home page now excludes the mailing list archives. + The Extended Search allows excluding + the archives or restricting the search to just the archives. An archive + search form is also available on the mailing + list information page.

    +

    3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

    - + - +

    3/25/2002 - Log Parser Available

    - +

    John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.

    - + href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks + John.

    +

    3/20/2002 - Shorewall 1.2.10 Released

    - +

    In this version:

    - + - +

    3/11/2002 - Shorewall 1.2.9 Released

    - +

    In this version:

    - + - +

    3/1/2002 - 1.2.8 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/25/2002 - New Two-interface Sample

    - -

    I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    - + +

    I've enhanced the two interface sample to allow access from the firewall + to servers in the local zone - + http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    +

    2/23/2002 - Shorewall 1.2.8 Released

    - -

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects - problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies for any inconvenience - my carelessness may have caused.

    - + +

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies for any inconvenience + my carelessness may have caused.

    +

    2/22/2002 - Shorewall 1.2.7 Released

    - +

    In this version:

    - +
      -
    • UPnP probes (UDP destination port 1900) are now silently - dropped in the common chain
      • -
    • RFC 1918 checking in the mangle table has been streamlined - to no longer require packet marking. RFC 1918 checking in the filter - table has been changed to require half as many rules as previously.
      • -
    • A 'shorewall check' command has been added that does a -cursory validation of the zones, interfaces, hosts, rules and policy -files.
      • - +
    • UPnP probes (UDP destination port 1900) are now silently + dropped in the common chain
      • +
    • RFC 1918 checking in the mangle table has been streamlined + to no longer require packet marking. RFC 1918 checking in the filter + table has been changed to require half as many rules as previously.
      • +
    • A 'shorewall check' command has been added that does + a cursory validation of the zones, interfaces, hosts, rules and + policy files.
      • +
    - +

    2/18/2002 - 1.2.6 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/8/2002 - Shorewall 1.2.6 Released

    - +

    In this version:

    - +
      -
    • $-variables may now be used anywhere in the configuration - files except /etc/shorewall/zones.
      • -
    • The interfaces and hosts files now have their contents -validated before any changes are made to the existing Netfilter configuration. - The appearance of a zone name that isn't defined in /etc/shorewall/zones - causes "shorewall start" and "shorewall restart" to abort without -changing the Shorewall state. Unknown options in either file cause -a warning to be issued.
      • -
    • A problem occurring when BLACKLIST_LOGLEVEL was not set - has been corrected.
      • - +
    • $-variables may now be used anywhere in the configuration + files except /etc/shorewall/zones.
      • +
    • The interfaces and hosts files now have their contents + validated before any changes are made to the existing Netfilter + configuration. The appearance of a zone name that isn't defined +in /etc/shorewall/zones causes "shorewall start" and "shorewall +restart" to abort without changing the Shorewall state. Unknown options +in either file cause a warning to be issued.
      • +
    • A problem occurring when BLACKLIST_LOGLEVEL was not +set has been corrected.
      • +
    - +

    2/4/2002 - Shorewall 1.2.5 Debian Package Available

    - +

    see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/1/2002 - Shorewall 1.2.5 Released

    - -

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.

    - + +

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.

    +

    In version 1.2.5:

    - +
      -
    • The installation problems have been corrected.
      • -
    • SNAT is now supported.
      • -
    • A "shorewall version" command has been added
      • -
    • The default value of the STATEDIR variable in /etc/shorewall/shorewall.conf - has been changed to /var/lib/shorewall in order to conform to the - GNU/Linux File Hierarchy Standard, Version 2.2.
      • - +
    • The installation problems have been corrected.
      • +
    • SNAT is now supported.
      • +
    • A "shorewall version" command has been added
      • +
    • The default value of the STATEDIR variable in /etc/shorewall/shorewall.conf + has been changed to /var/lib/shorewall in order to conform to +the GNU/Linux File Hierarchy Standard, Version 2.2.
      • +
    - +

    1/28/2002 - Shorewall 1.2.4 Released

    - +
      -
    • The "fw" zone may now be -given a different name.
      • -
    • You may now place end-of-line comments (preceded by '#') - in any of the configuration files
      • -
    • There is now protection against against two state changing - operations occuring concurrently. This is implemented using the -'lockfile' utility if it is available (lockfile is part of procmail); -otherwise, a less robust technique is used. The lockfile is created -in the STATEDIR defined in /etc/shorewall/shorewall.conf and has the -name "lock".
      • -
    • "shorewall start" no longer fails if "detect" is specified - in /etc/shorewall/interfaces - for an interface with subnet mask 255.255.255.255.
      • - +
    • The "fw" zone may now +be given a different name.
      • +
    • You may now place end-of-line comments (preceded by +'#') in any of the configuration files
      • +
    • There is now protection against against two state changing + operations occuring concurrently. This is implemented using the + 'lockfile' utility if it is available (lockfile is part of procmail); + otherwise, a less robust technique is used. The lockfile is created + in the STATEDIR defined in /etc/shorewall/shorewall.conf and has the + name "lock".
      • +
    • "shorewall start" no longer fails if "detect" is + specified in /etc/shorewall/interfaces + for an interface with subnet mask 255.255.255.255.
      • +
    - +

    1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    1/20/2002 - Corrected firewall script available 

    - -

    Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.

    - + +

    Corrects a problem with BLACKLIST_LOGLEVEL. See the + errata for details.

    +

    1/19/2002 - Shorewall 1.2.3 Released

    - +

    This is a minor feature and bugfix release. The single new feature is:

    - +
      -
    • Support for TCP MSS Clamp to PMTU -- This support is usually - required when the internet connection is via PPPoE or PPTP and may - be enabled using the CLAMPMSS - option in /etc/shorewall/shorewall.conf.
      • - +
    • Support for TCP MSS Clamp to PMTU -- This support is +usually required when the internet connection is via PPPoE or PPTP +and may be enabled using the CLAMPMSS + option in /etc/shorewall/shorewall.conf.
      • +
    - +

    The following problems were corrected:

    - +
      -
    • The "shorewall status" command no longer hangs.
      • -
    • The "shorewall monitor" command now displays the icmpdef - chain
      • -
    • The CLIENT PORT(S) column in tcrules is no longer ignored
      • - +
    • The "shorewall status" command no longer hangs.
      • +
    • The "shorewall monitor" command now displays the icmpdef + chain
      • +
    • The CLIENT PORT(S) column in tcrules is no longer ignored
      • +
    - +

    1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

    - -

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.

    - + +

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + for details.

    +

    1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There is a link to Lorenzo's - site from the Shorewall download page.

    - + href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni, a 1.2.2 + Shorewall Debian package is now available. There is a link to Lorenzo's + site from the Shorewall download page.

    +

    1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.

    - + href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores + the "shorewall status" command to health.

    +

    1/8/2002 - Shorewall 1.2.2 Released

    - +

    In version 1.2.2

    - +
      -
    • Support for IP blacklisting has been added - +
    • Support for IP blacklisting has been added +
        -
      • You specify whether you want packets from blacklisted -hosts dropped or rejected using the BLACKLIST_DISPOSITION setting - in /etc/shorewall/shorewall.conf
        • -
      • You specify whether you want packets from blacklisted -hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting +
      • You specify whether you want packets from blacklisted + hosts dropped or rejected using the BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf
        • -
      • You list the IP addresses/subnets that you wish to blacklist - in /etc/shorewall/blacklist
        • -
      • You specify the interfaces you want checked against the - blacklist using the new "blacklist" option in - /etc/shorewall/interfaces.
        • -
      • The black list is refreshed from /etc/shorewall/blacklist - by the "shorewall refresh" command.
        • - +
      • You specify whether you want packets from blacklisted + hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting + in /etc/shorewall/shorewall.conf
        • +
      • You list the IP addresses/subnets that you wish to +blacklist in /etc/shorewall/blacklist
        • +
      • You specify the interfaces you want checked against + the blacklist using the new "blacklist" option in + /etc/shorewall/interfaces.
        • +
      • The black list is refreshed from /etc/shorewall/blacklist + by the "shorewall refresh" command.
        • + +
      -
      • -
    • Use of TCP RST replies has been expanded  - +
      • +
    • Use of TCP RST replies has been expanded  +
        -
      • TCP connection requests rejected because of a REJECT -policy are now replied with a TCP RST packet.
        • -
      • TCP connection requests rejected because of a protocol=all - rule in /etc/shorewall/rules are now replied with a TCP RST +
      • TCP connection requests rejected because of a REJECT + policy are now replied with a TCP RST packet.
        • +
      • TCP connection requests rejected because of a protocol=all + rule in /etc/shorewall/rules are now replied with a TCP RST packet.
        • - + +
      -
      • -
    • A LOGFILE specification - has been added to /etc/shorewall/shorewall.conf. LOGFILE is used -to tell the /sbin/shorewall program where to look for Shorewall messages.
      • - + +
    • A LOGFILE specification + has been added to /etc/shorewall/shorewall.conf. LOGFILE is used + to tell the /sbin/shorewall program where to look for Shorewall messages.
      • +
    - +

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two new rules added:

    - + target="_blank">version 1.2.0) released.     These are minor updates + to the previously-released samples. There are two new rules added:

    +
      -
    • Unless you have explicitly enabled Auth connections (tcp - port 113) to your firewall, these connections will be REJECTED rather - than DROPPED. This speeds up connection establishment to some servers.
      • -
    • Orphan DNS replies are now silently dropped.
      • - +
    • Unless you have explicitly enabled Auth connections +(tcp port 113) to your firewall, these connections will be REJECTED +rather than DROPPED. This speeds up connection establishment to +some servers.
      • +
    • Orphan DNS replies are now silently dropped.
      • +
    - +

    See the README file for upgrade instructions.

    - +

    1/1/2002 - Shorewall Mailing List Moving

    - -

    The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If you are a current subscriber - to the list at Sourceforge, please see these instructions. - If you would like to subscribe to the new list, visit The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. If you are a current +subscriber to the list at Sourceforge, please see these instructions. + If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

    - +

    12/31/2001 - Shorewall 1.2.1 Released

    - +

    In version 1.2.1:

    - + - -

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing -1.2 on 12/21/2001

    - + +

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist +releasing 1.2 on 12/21/2001

    +

    Version 1.2 contains the following new features:

    - + - -

    For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x users will not be - forced into a quick upgrade to 1.2.0 just to have access to bug fixes.

    - -

    For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading to 1.2.0:

    - -
    + +

    For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users will not be + forced into a quick upgrade to 1.2.0 just to have access to bug fixes.

    + +

    For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when upgrading to 1.2.0:

    + +

    rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

    -
    - -

    12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in Texas. This web +

    + +

    12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall and the ftp site -is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    - + target="_top">http://www.infohiiway.com/shorewall and the ftp site is +at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    +

    11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:

    - + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample + Configurations has been released. In this version:

    +
      -
    • Ping is now allowed between the zones.
      • -
    • In the three-interface configuration, it is now possible - to configure the internet services that are to be available to servers - in the DMZ. 
      • - +
    • Ping is now allowed between the zones.
      • +
    • In the three-interface configuration, it is now possible + to configure the internet services that are to be available to servers + in the DMZ. 
      • +
    - +

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    - +

    In this version:

    - -
      -
    • The spelling of ADD_IP_ALIASES has been corrected in the - shorewall.conf file
      • -
    • The logic for deleting user-defined chains has been simplified - so that it avoids a bug in the LRP version of the 'cut' utility.
      • -
    • The /var/lib/lrpkg/shorwall.conf file has been corrected - to properly display the NAT entry in that file.
      • - -
    - -

    11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror in the Slovak Republic. - The website is now mirrored at http://www.nrg.sk/mirror/shorewall - and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    -

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:

    -
      -
    • One Interface -- for a standalone system.
      • -
    • Two Interfaces -- A masquerading firewall.
      • -
    • Three Interfaces -- A masquerading firewall with DMZ.
      • - +
    • The spelling of ADD_IP_ALIASES has been corrected in +the shorewall.conf file
      • +
    • The logic for deleting user-defined chains has been +simplified so that it avoids a bug in the LRP version of the 'cut' +utility.
      • +
    • The /var/lib/lrpkg/shorwall.conf file has been corrected + to properly display the NAT entry in that file.
      • +
    - + +

    11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the Slovak Republic. + The website is now mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    + +

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:

    + +
      +
    • One Interface -- for a standalone system.
      • +
    • Two Interfaces -- A masquerading firewall.
      • +
    • Three Interfaces -- A masquerading firewall with DMZ.
      • + +
    +

    Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 - . See the README file for instructions.

    - -

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend - this to be the last of the 1.1 Shorewall releases.

    - + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + . See the README file for instructions.

    + +

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend + this to be the last of the 1.1 Shorewall releases.

    +

    In this version:

    - + - -

    10/22/2001 - The current version of Shorewall is 1.1.16. In this - version:

    - + +

    10/22/2001 - The current version of Shorewall is 1.1.16. In this + version:

    +
      -
    • A new "shorewall show connections" command has been added.
      • -
    • In the "shorewall monitor" output, the currently tracked - connections are now shown on a separate page.
      • -
    • Prior to this release, Shorewall unconditionally added -the external IP adddress(es) specified in /etc/shorewall/nat. Beginning - with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be set - to "no" (or "No") to inhibit this behavior. This allows IP aliases - created using your distribution's network configuration tools +
    • A new "shorewall show connections" command has been +added.
      • +
    • In the "shorewall monitor" output, the currently tracked + connections are now shown on a separate page.
      • +
    • Prior to this release, Shorewall unconditionally added + the external IP adddress(es) specified in /etc/shorewall/nat. Beginning + with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be set + to "no" (or "No") to inhibit this behavior. This allows IP aliases + created using your distribution's network configuration tools to be used in static NAT. 
      • - + +
    + +

    10/15/2001 - The current version of Shorewall is 1.1.15. In this + version:

    + +
      +
    • Support for nested zones has been improved. See the documentation for details
      • +
    • Shorewall now correctly checks the alternate configuration + directory for the 'zones' file.
      • +
    -

    10/15/2001 - The current version of Shorewall is 1.1.15. In this - version:

    - +

    10/4/2001 - The current version of Shorewall is 1.1.14. In this + version

    +
      -
    • Support for nested zones has been improved. See the documentation for details
      • -
    • Shorewall now correctly checks the alternate configuration - directory for the 'zones' file.
      • - +
    • Shorewall now supports alternate configuration directories. + When an alternate directory is specified when starting or restarting + Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall + will first look for configuration files in the alternate directory +then in /etc/shorewall. To create an alternate configuration simply:
      + 1. Create a New Directory
      + 2. Copy to that directory any of your configuration files + that you want to change.
      + 3. Modify the copied files as needed.
      + 4. Restart Shorewall specifying the new directory.
      • +
    • The rules for allowing/disallowing icmp echo-requests + (pings) are now moved after rules created when processing the +rules file. This allows you to add rules that selectively allow/deny +ping based on source or destination address.
      • +
    • Rules that specify multiple client ip addresses or subnets + no longer cause startup failures.
      • +
    • Zone names in the policy file are now validated against + the zones file.
      • +
    • If you have packet mangling support +enabled, the "norfc1918" + interface option now logs and drops any incoming packets on the interface + that have an RFC 1918 destination address.
      • +
    - -

    10/4/2001 - The current version of Shorewall is 1.1.14. In this - version

    - + +

    9/12/2001 - The current version of Shorewall is 1.1.13. In this + version

    +
      -
    • Shorewall now supports alternate configuration directories. - When an alternate directory is specified when starting or restarting - Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall - will first look for configuration files in the alternate directory then - in /etc/shorewall. To create an alternate configuration simply:
      - 1. Create a New Directory
      - 2. Copy to that directory any of your configuration files -that you want to change.
      - 3. Modify the copied files as needed.
      - 4. Restart Shorewall specifying the new directory.
      • -
    • The rules for allowing/disallowing icmp echo-requests (pings) - are now moved after rules created when processing the rules file. - This allows you to add rules that selectively allow/deny ping based - on source or destination address.
      • -
    • Rules that specify multiple client ip addresses or subnets - no longer cause startup failures.
      • -
    • Zone names in the policy file are now validated against -the zones file.
      • -
    • If you have packet - mangling support enabled, the "norfc1918" interface option - now logs and drops any incoming packets on the interface that have - an RFC 1918 destination address.
      • - +
    • Shell variables can now be used to parameterize Shorewall + rules.
      • +
    • The second column in the hosts file may now contain +a comma-separated list.
      +
      + Example:
      +     sea    eth0:130.252.100.0/24,206.191.149.0/24
      • +
    • Handling of multi-zone interfaces has been improved. +See the documentation for +the /etc/shorewall/interfaces file.
      • +
    - -

    9/12/2001 - The current version of Shorewall is 1.1.13. In this - version

    - + +

    8/28/2001 - The current version of Shorewall is 1.1.12. In this + version

    +
      -
    • Shell variables can now be used to parameterize Shorewall - rules.
      • -
    • The second column in the hosts file may now contain a comma-separated - list.
      -
      - Example:
      -     sea    eth0:130.252.100.0/24,206.191.149.0/24
      • -
    • Handling of multi-zone interfaces has been improved. See - the documentation for the - /etc/shorewall/interfaces file.
      • - +
    • Several columns in the rules file may now contain comma-separated + lists.
      • +
    • Shorewall is now more rigorous in parsing the options + in /etc/shorewall/interfaces.
      • +
    • Complementation using "!" is now supported in rules.
      • +
    - -

    8/28/2001 - The current version of Shorewall is 1.1.12. In this - version

    - + +

    7/28/2001 - The current version of Shorewall is 1.1.11. In this + version

    +
      -
    • Several columns in the rules file may now contain comma-separated - lists.
      • -
    • Shorewall is now more rigorous in parsing the options in - /etc/shorewall/interfaces.
      • -
    • Complementation using "!" is now supported in rules.
      • - +
    • A "shorewall refresh" command has been added to allow + for refreshing the rules associated with the broadcast address on + a dynamic interface. This command should be used in place of "shorewall + restart" when the internet interface's IP address changes.
      • +
    • The /etc/shorewall/start file (if any) is now processed + after all temporary rules have been deleted. This change prevents + the accidental removal of rules added during the processing of +that file.
      • +
    • The "dhcp" interface option is now applicable to firewall + interfaces used by a DHCP server running on the firewall.
      • +
    • The RPM can now be built from the .tgz file using "rpm + -tb" 
      • +
    - -

    7/28/2001 - The current version of Shorewall is 1.1.11. In this - version

    - + +

    7/6/2001 - The current version of Shorewall is 1.1.10. In this +version

    +
      -
    • A "shorewall refresh" command has been added to allow for - refreshing the rules associated with the broadcast address on a dynamic - interface. This command should be used in place of "shorewall - restart" when the internet interface's IP address changes.
      • -
    • The /etc/shorewall/start file (if any) is now processed -after all temporary rules have been deleted. This change prevents -the accidental removal of rules added during the processing of that -file.
      • -
    • The "dhcp" interface option is now applicable to firewall - interfaces used by a DHCP server running on the firewall.
      • -
    • The RPM can now be built from the .tgz file using "rpm --tb" 
      • - +
    • Shorewall now enables Ipv4 Packet Forwarding by default. + Packet forwarding may be disabled by specifying IP_FORWARD=Off in + /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable + or disable packet forwarding, add IP_FORWARDING=Keep to your + /etc/shorewall/shorewall.conf file.
      • +
    • The "shorewall hits" command no longer lists extraneous + service names in its last report.
      • +
    • Erroneous instructions in the comments at the head of + the firewall script have been corrected.
      • +
    - -

    7/6/2001 - The current version of Shorewall is 1.1.10. In this version

    - + +

    6/23/2001 - The current version of Shorewall is 1.1.9. In this +version

    +
      -
    • Shorewall now enables Ipv4 Packet Forwarding by default. - Packet forwarding may be disabled by specifying IP_FORWARD=Off in - /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable - or disable packet forwarding, add IP_FORWARDING=Keep to your -/etc/shorewall/shorewall.conf file.
      • -
    • The "shorewall hits" command no longer lists extraneous -service names in its last report.
      • -
    • Erroneous instructions in the comments at the head of the - firewall script have been corrected.
      • - +
    • The "tunnels" file really is in the RPM now.
      • +
    • SNAT can now be applied to port-forwarded connections.
      • +
    • A bug which would cause firewall start failures in some + dhcp configurations has been fixed.
      • +
    • The firewall script now issues a message if you have +the name of an interface in the second column in an entry in /etc/shorewall/masq + and that interface is not up.
      • +
    • You can now configure Shorewall so that it doesn't require the NAT and/or +mangle netfilter modules.
      • +
    • Thanks to Alex  Polishchuk, the "hits" command from + seawall is now in shorewall.
      • +
    • Support for IPIP tunnels has +been added.
      • +
    - -

    6/23/2001 - The current version of Shorewall is 1.1.9. In this version

    - + +

    6/18/2001 - The current version of Shorewall is 1.1.8. In this +version

    +
      -
    • The "tunnels" file really is in the RPM now.
      • -
    • SNAT can now be applied to port-forwarded connections.
      • -
    • A bug which would cause firewall start failures in some -dhcp configurations has been fixed.
      • -
    • The firewall script now issues a message if you have the - name of an interface in the second column in an entry in /etc/shorewall/masq - and that interface is not up.
      • -
    • You can now configure Shorewall so that it doesn't require the NAT and/or mangle -netfilter modules.
      • -
    • Thanks to Alex  Polishchuk, the "hits" command from -seawall is now in shorewall.
      • -
    • Support for IPIP tunnels has been - added.
      • - -
    - -

    6/18/2001 - The current version of Shorewall is 1.1.8. In this version

    - - - +

    6/2/2001 - The current version of Shorewall is 1.1.7. In this version

    - +
      -
    • The TOS rules are now deleted when the firewall is stopped.
      • -
    • The .rpm will now install regardless of which version of - iptables is installed.
      • -
    • The .rpm will now install without iproute2 being installed.
      • -
    • The documentation has been cleaned up.
      • -
    • The sample configuration files included in Shorewall have - been formatted to 80 columns for ease of editing on a VGA console.
      • - +
    • The TOS rules are now deleted when the firewall is stopped.
      • +
    • The .rpm will now install regardless of which version + of iptables is installed.
      • +
    • The .rpm will now install without iproute2 being installed.
      • +
    • The documentation has been cleaned up.
      • +
    • The sample configuration files included in Shorewall +have been formatted to 80 columns for ease of editing on a VGA +console.
      • +
    - -

    5/25/2001 - The current version of Shorewall is 1.1.6. In this version

    - + +

    5/25/2001 - The current version of Shorewall is 1.1.6. In this +version

    +
      -
    • You may now rate-limit - the packet log.
      • -
    •  Previous -versions of Shorewall have an implementation of Static NAT which -violates the principle of least surprise.  NAT only occurs for packets -arriving at (DNAT) or send from (SNAT) the interface named in the -INTERFACE column of /etc/shorewall/nat. Beginning with version 1.1.6, -NAT effective regardless of which interface packets come from or are -destined to. To get compatibility with prior versions, I have added a -new "ALL "ALL INTERFACES"  column to /etc/shorewall/nat. - By placing "no" or "No" in the new column, the NAT behavior of - prior versions may be retained. 
      • -
    • The treatment of IPSEC -Tunnels where the remote gateway is a standalone system has been -improved. Previously, it was necessary to include an additional -rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall -will now create this rule automatically when you place the name of -the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
      • - +
    • You may now rate-limit + the packet log.
      • +
    •  Previous + versions of Shorewall have an implementation of Static NAT which + violates the principle of least surprise.  NAT only occurs for +packets arriving at (DNAT) or send from (SNAT) the interface named +in the INTERFACE column of /etc/shorewall/nat. Beginning with version +1.1.6, NAT effective regardless of which interface packets come from +or are destined to. To get compatibility with prior versions, I have +added a new "ALL "ALL INTERFACES"  column +to /etc/shorewall/nat. By placing "no" or "No" in the new column, + the NAT behavior of prior versions may be retained. 
      • +
    • The treatment of IPSEC + Tunnels where the remote gateway is a standalone system has been + improved. Previously, it was necessary to include an additional + rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall + will now create this rule automatically when you place the name of + the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
      • +
    - -

    5/20/2001 - The current version of Shorewall is 1.1.5. In this version

    - + +

    5/20/2001 - The current version of Shorewall is 1.1.5. In this +version

    + - -

    5/10/2001 - The current version of Shorewall is 1.1.4. In this version

    - + +

    5/10/2001 - The current version of Shorewall is 1.1.4. In this +version

    +
      -
    • Accepting RELATED connections - is now optional.
      • -
    • Corrected problem where if "shorewall start" aborted early - (due to kernel configuration errors for example), superfluous 'sed' - error messages were reported.
      • -
    • Corrected rules generated for port redirection.
      • -
    • The order in which iptables kernel modules are loaded has - been corrected (Thanks to Mark Pavlidis). 
      • - +
    • Accepting RELATED +connections is now optional.
      • +
    • Corrected problem where if "shorewall start" aborted +early (due to kernel configuration errors for example), superfluous +'sed' error messages were reported.
      • +
    • Corrected rules generated for port redirection.
      • +
    • The order in which iptables kernel modules are loaded + has been corrected (Thanks to Mark Pavlidis). 
      • +
    - -

    4/28/2001 - The current version of Shorewall is 1.1.3. In this version

    - + +

    4/28/2001 - The current version of Shorewall is 1.1.3. In this +version

    +
      -
    • Correct message issued when Proxy ARP address added (Thanks - to Jason Kirtland).
      • -
    • /tmp/shorewallpolicy-$$ is now removed if there is an error - while starting the firewall.
      • -
    • /etc/shorewall/icmp.def and /etc/shorewall/common.def are - now used to define the icmpdef and common chains unless overridden -by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
      • -
    • In the .lrp, the file /var/lib/lrpkg/shorwall.conf has -been corrected. An extra space after "/etc/shorwall/policy" has been - removed and "/etc/shorwall/rules" has been added.
      • -
    • When a sub-shell encounters a fatal error and has stopped - the firewall, it now kills the main shell so that the main shell will - not continue.
      • -
    • A problem has been corrected where a sub-shell stopped -the firewall and main shell continued resulting in a perplexing error -message referring to "common.so" resulted.
      • -
    • Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules - resulted in an error message during start. This has been corrected.
      • -
    • The first line of "install.sh" has been corrected -- I -had inadvertently deleted the initial "#".
      • - +
    • Correct message issued when Proxy ARP address added +(Thanks to Jason Kirtland).
      • +
    • /tmp/shorewallpolicy-$$ is now removed if there is an + error while starting the firewall.
      • +
    • /etc/shorewall/icmp.def and /etc/shorewall/common.def + are now used to define the icmpdef and common chains unless overridden + by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
      • +
    • In the .lrp, the file /var/lib/lrpkg/shorwall.conf has + been corrected. An extra space after "/etc/shorwall/policy" has been + removed and "/etc/shorwall/rules" has been added.
      • +
    • When a sub-shell encounters a fatal error and has stopped + the firewall, it now kills the main shell so that the main shell +will not continue.
      • +
    • A problem has been corrected where a sub-shell stopped + the firewall and main shell continued resulting in a perplexing error + message referring to "common.so" resulted.
      • +
    • Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules + resulted in an error message during start. This has been corrected.
      • +
    • The first line of "install.sh" has been corrected -- +I had inadvertently deleted the initial "#".
      • +
    - -

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    - + +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this +version

    +
      -
    • Port redirection now works again.
      • -
    • The icmpdef and common chains Port redirection now works again.
      • +
    • The icmpdef and common chains may now be user-defined.
      • -
    • The firewall no longer fails to start if "routefilter" -is specified for an interface that isn't started. A warning message -is now issued in this case.
      • -
    • The LRP Version is renamed "shorwall" for 8,3 MSDOS file - system compatibility.
      • -
    • A couple of LRP-specific problems were corrected.
      • - +
    • The firewall no longer fails to start if "routefilter" + is specified for an interface that isn't started. A warning message + is now issued in this case.
      • +
    • The LRP Version is renamed "shorwall" for 8,3 MSDOS +file system compatibility.
      • +
    • A couple of LRP-specific problems were corrected.
      • +
    - +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project -

    - +

    +

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    - +
      -
    • The common chain is traversed from INPUT, OUTPUT and FORWARD - before logging occurs
      • -
    • The source has been cleaned up dramatically
      • -
    • DHCP DISCOVER packets with RFC1918 source addresses no -longer generate log messages. Linux DHCP clients generate such packets -and it's annoying to see them logged. 
      • - +
    • The common chain is traversed from INPUT, OUTPUT and +FORWARD before logging occurs
      • +
    • The source has been cleaned up dramatically
      • +
    • DHCP DISCOVER packets with RFC1918 source addresses +no longer generate log messages. Linux DHCP clients generate such +packets and it's annoying to see them logged. 
      • +
    - +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    - +
      -
    • Log messages now indicate the packet disposition.
      • -
    • Error messages have been improved.
      • -
    • The ability to define zones consisting of an enumerated -set of hosts and/or subnetworks has been added.
      • -
    • The zone-to-zone chain matrix is now sparse so that only - those chains that contain meaningful rules are defined.
      • -
    • 240.0.0.0/4 and 169.254.0.0/16 have been added to the source - subnetworks whose packets are dropped under the norfc1918 -interface option.
      • -
    • Exits are now provided for executing an user-defined script - when a chain is defined, when the firewall is initialized, when - the firewall is started, when the firewall is stopped and when the - firewall is cleared.
      • -
    • The Linux kernel's route filtering facility can now be -specified selectively on network interfaces.
      • - +
    • Log messages now indicate the packet disposition.
      • +
    • Error messages have been improved.
      • +
    • The ability to define zones consisting of an enumerated + set of hosts and/or subnetworks has been added.
      • +
    • The zone-to-zone chain matrix is now sparse so that +only those chains that contain meaningful rules are defined.
      • +
    • 240.0.0.0/4 and 169.254.0.0/16 have been added to the + source subnetworks whose packets are dropped under the norfc1918 + interface option.
      • +
    • Exits are now provided for executing an user-defined +script when a chain is defined, when the firewall is initialized, +when the firewall is started, when the firewall is stopped and +when the firewall is cleared.
      • +
    • The Linux kernel's route filtering facility can now +be specified selectively on network interfaces.
      • +
    - +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    - +
      -
    • Allows user-defined zones. Shorewall now has only one pre-defined - zone (fw) with the remaining zones being defined in the new configuration - file /etc/shorewall/zones. The /etc/shorewall/zones file released - in this version provides behavior that is compatible with Shorewall - 1.0.3. 
      • -
    • Adds the ability to specify logging in entries in the - /etc/shorewall/rules file.
      • -
    • Correct handling of the icmp-def chain so that only ICMP - packets are sent through the chain.
      • -
    • Compresses the output of "shorewall monitor" if awk is - installed. Allows the command to work if awk isn't installed (although - it's not pretty).
      • - +
    • Allows user-defined zones. Shorewall now has only one + pre-defined zone (fw) with the remaining zones being defined +in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones + file released in this version provides behavior that is compatible + with Shorewall 1.0.3. 
      • +
    • Adds the ability to specify logging in entries in the + /etc/shorewall/rules file.
      • +
    • Correct handling of the icmp-def chain so that only +ICMP packets are sent through the chain.
      • +
    • Compresses the output of "shorewall monitor" if awk +is installed. Allows the command to work if awk isn't installed +(although it's not pretty).
      • +
    - -

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix - release with no new features.

    - + +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + release with no new features.

    +
      -
    • The PATH variable in the firewall script now includes /usr/local/bin - and /usr/local/sbin.
      • -
    • DMZ-related chains are now correctly deleted if the DMZ -is deleted.
      • -
    • The interface OPTIONS for "gw" interfaces are no longer - ignored.
      • - +
    • The PATH variable in the firewall script now includes + /usr/local/bin and /usr/local/sbin.
      • +
    • DMZ-related chains are now correctly deleted if the +DMZ is deleted.
      • +
    • The interface OPTIONS for "gw" interfaces are no longer + ignored.
      • +
    - -

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and it supports IPSEC - tunnels with end-points on the firewall. There is also a .lrp available - now.

    - -

    Updated 10/9/2002 - Tom Eastep -

    - -

    Copyright2001, 2002 Thomas M. Eastep.

    + +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports IPSEC + tunnels with end-points on the firewall. There is also a .lrp available + now.

    + +

    Updated 11/09/2002 - Tom Eastep +

    + +

    +Copyright © 2001, 2002 Thomas M. Eastep.

    +
    +

    +



    diff --git a/STABLE/documentation/PPTP.htm b/STABLE/documentation/PPTP.htm index b8a61e6c4..21aa4560b 100644 --- a/STABLE/documentation/PPTP.htm +++ b/STABLE/documentation/PPTP.htm @@ -1,575 +1,411 @@ + - - - - - -Shorewall PPTP + + + + + + + + + Shorewall PPTP - - - - - - - + + +
    -

    PPTP

    -
    + + + + + +
    +

    PPTP

    +
    - +

    Shorewall easily supports PPTP in a number of configurations:

    + +

    1. PPTP Server Running on your Firewall

    -

    I will try to give you an idea of how to set up a PPTP server -on your firewall system. This isn't a detailed HOWTO but rather an example of -how I have set up a working PPTP server on my own firewall.

    + +

    I will try to give you an idea of how to set up a PPTP server on your firewall +system. This isn't a detailed HOWTO but rather an example of how I have set +up a working PPTP server on my own firewall.

    +

    The steps involved are:

    +
      -
    1. Patching and building pppd
      2. -
    2. Patching and building your Kernel
      3. -
    3. Configuring Samba
      4. -
    4. Configuring pppd
      5. -
    5. Configuring pptpd
      6. -
    6. Configuring Shorewall
      7. +
    7. Patching and building pppd
      8. +
    8. Patching and building your Kernel
      9. +
    9. Configuring Samba
      10. +
    10. Configuring pppd
      11. +
    11. Configuring pptpd
      12. +
    12. Configuring Shorewall
      13. +
    +

    Patching and Building pppd

    +

    To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary -site for releases of pppd is ftp://ftp.samba.org/pub/ppp.

    + site for releases of pppd is ftp://ftp.samba.org/pub/ppp.

    +

    You will need the following patches:

    + -

    You may also want the following patch if you want to require remote hosts to -use encryption:

    + +

    You may also want the following patch if you want to require remote hosts +to use encryption:

    + +

    Un-tar the pppd source and uncompress the patches into one directory (the -patches and the ppp-2.4.1 directory are all in a single parent directory):

    + patches and the ppp-2.4.1 directory are all in a single parent directory):

    +
      -
    • cd ppp-2.4.1
      • -
    • patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
      • -
    • patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
      • -
    • (Optional) patch -p1 < ../require-mppe.diff
      • -
    • ./configure
      • -
    • make
      • +
    • cd ppp-2.4.1
      • +
    • patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
      • +
    • patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
      • +
    • (Optional) patch -p1 < ../require-mppe.diff
      • +
    • ./configure
      • +
    • make
      • +
    -

    You will need to install the resulting binary on your firewall system. To do -that, I NFS mount my source filesystem and use "make install" from the + +

    You will need to install the resulting binary on your firewall system. +To do that, I NFS mount my source filesystem and use "make install" from the ppp-2.4.1 directory.

    +

    Patching and Building your Kernel

    +

    You will need one of the following patches depending on your kernel version:

    + +

    Uncompress the patch into the same directory where your top-level kernel -source is located and:

    + source is located and:

    +
      -
    • cd <your GNU/Linux source top-level directory>
      • -
    • patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch
      • +
    • cd <your GNU/Linux source top-level directory>
      • +
    • patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch
      • +
    +

    Now configure your kernel. Here is my ppp configuration:

    -
    -

    -
    + +
    +

    +

    +
    +

    Configuring Samba

    -

    You will need a WINS server (Samba configured to run as a WINS server is -fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:

    -
    - 
    [global]
-     workgroup = TDM-NSTOP
-     netbios name = WOOKIE
-     server string = GNU/Linux Box
-     encrypt passwords = Yes
-     log file = /var/log/samba/%m.log
-     max log size = 0
-     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
-     os level = 65
-     domain master = True
-     preferred master = True
-     dns proxy = No
-     wins support = Yes
-     printing = lprng
-
-[homes]
-     comment = Home Directories
-     valid users = %S
-     read only = No
-     create mask = 0664
-     directory mask = 0775
-
-[printers]
-     comment = All Printers
-     path = /var/spool/samba
-     printable = Yes
    -
    + +

    You will need a WINS server (Samba configured to run as a WINS server is + fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) +is:

    + +
    + 
    [global]
         workgroup = TDM-NSTOP
         netbios name = WOOKIE
         server string = GNU/Linux Box
         encrypt passwords = Yes
         log file = /var/log/samba/%m.log
         max log size = 0
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         os level = 65
         domain master = True
         preferred master = True
         dns proxy = No
         wins support = Yes
         printing = lprng

    [homes]
         comment = Home Directories
         valid users = %S
         read only = No
         create mask = 0664
         directory mask = 0775

    [printers]
         comment = All Printers
         path = /var/spool/samba
         printable = Yes
    +
    +

    Configuring pppd

    +

    Here is a copy of my /etc/ppp/options.poptop file:

    -
    + +

    ipparam PoPToP
    - lock
    - mtu 1490
    - mru 1490
    - ms-wins 192.168.1.3
    - ms-dns 206.124.146.177
    - multilink
    - proxyarp
    - auth
    - +chap
    - +chapms
    - +chapms-v2
    - ipcp-accept-local
    - ipcp-accept-remote
    - lcp-echo-failure 30
    - lcp-echo-interval 5
    - deflate 0
    - mppe-128
    - mppe-stateless
    - require-mppe
    - require-mppe-stateless

    -
    + lock
    + mtu 1490
    + mru 1490
    + ms-wins 192.168.1.3
    + ms-dns 206.124.146.177
    + multilink
    + proxyarp
    + auth
    + +chap
    + +chapms
    + +chapms-v2
    + ipcp-accept-local
    + ipcp-accept-remote
    + lcp-echo-failure 30
    + lcp-echo-interval 5
    + deflate 0
    + mppe-128
    + mppe-stateless
    + require-mppe
    + require-mppe-stateless

    +
    +

    Notes:

    +
      -
    • Since the firewall itself is acting as a WINS server, I have included the - firewall's internal IP as the 'ms-wins' value.
      • -
    • I have pointed the remote clients at my DNS server -- it has external - address 206.124.146.177.
      • -
    • I am requiring 128-bit stateless compression (my kernel is built with the - 'require-mppe.diff' patch mentioned above.
      • +
    • System 192.168.1.3 acts as a WINS server so I have included that +IP as the 'ms-wins' value.
      • +
    • I have pointed the remote clients at my DNS server -- it has external + address 206.124.146.177.
      • +
    • I am requiring 128-bit stateless compression (my kernel is built +with the 'require-mppe.diff' patch mentioned above.
      • +
    +

    Here's my /etc/ppp/chap-secrets:

    -
    + +

    Secrets for authentication using CHAP
    - # client        server    secret    - IP addresses
    - CPQTDM\\TEastep *         <shhhhhh> - 192.168.1.7
    - TEastep         *         - <shhhhhh> 192.168.1.7

    -
    -

    I am the only user who connects to the server but I may connect either with -or without a domain being specified. The system I connect from is my laptop so I -give it the same IP address when tunneled in as it has when it is in its docking -station.

    + # client        server    secret    IP addresses
    + CPQTDM\\TEastep *         <shhhhhh> 192.168.1.7
    + TEastep         *         <shhhhhh> 192.168.1.7

    +
    + +

    I am the only user who connects to the server but I may connect either +with or without a domain being specified. The system I connect from is my +laptop so I give it the same IP address when tunneled in at it has when I +use its wireless LAN card around the house.

    +

    You will also want the following in /etc/modules.conf:

    -
         alias ppp-compress-18 ppp_mppe
-     alias ppp-compress-21 bsd_comp
-     alias ppp-compress-24 ppp_deflate
-     alias ppp-compress-26 ppp_deflate
    + +
         alias ppp-compress-18 ppp_mppe
         alias ppp-compress-21 bsd_comp
         alias ppp-compress-24 ppp_deflate
         alias ppp-compress-26 ppp_deflate
    +

    Configuring pptpd

    +

    PoPTop (pptpd) is available from http://poptop.lineo.com/.

    +

    Here is a copy of my /etc/pptpd.conf file:

    -
    + +

    option /etc/ppp/options.poptop
    - speed 115200
    - localip 192.168.1.254
    - remoteip 192.168.1.33-38

    -
    + speed 115200
    + localip 192.168.1.254
    + remoteip 192.168.1.33-38

    +
    +

    Notes:

    + +

    I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:

    -
    + +

    #!/bin/sh
    - #
    - # /etc/rc.d/init.d/pptpd
    - #
    - # chkconfig: 5 12 85
    - # description: control pptp server
    - #
    -
    - case "$1" in
    - start)
    -     echo 1 > /proc/sys/net/ipv4/ip_forward
    -     modprobe ppp_async
    -     modprobe ppp_generic
    -     modprobe ppp_mppe
    -     modprobe slhc
    -     if /usr/local/sbin/pptpd; then
    -         touch /var/lock/subsys/pptpd
    -     fi
    -     ;;
    - stop)
    -     killall pptpd
    -     rm -f /var/lock/subsys/pptpd
    -     ;;
    - restart)
    -     killall pptpd
    -     if /usr/local/sbin/pptpd; then
    -         touch /var/lock/subsys/pptpd
    -     fi
    -     ;;
    - status)
    -     ifconfig
    -     ;;
    - *)
    -     echo "Usage: $0 {start|stop|restart|status}"
    -     ;;
    - esac

    -
    + #
    + # /etc/rc.d/init.d/pptpd
    + #
    + # chkconfig: 5 12 85
    + # description: control pptp server
    + #
    +
    + case "$1" in
    + start)
    +     echo 1 > /proc/sys/net/ipv4/ip_forward
    +     modprobe ppp_async
    +     modprobe ppp_generic
    +     modprobe ppp_mppe
    +     modprobe slhc
    +     if /usr/local/sbin/pptpd; then
    +         touch /var/lock/subsys/pptpd
    +     fi
    +     ;;
    + stop)
    +     killall pptpd
    +     rm -f /var/lock/subsys/pptpd
    +     ;;
    + restart)
    +     killall pptpd
    +     if /usr/local/sbin/pptpd; then
    +         touch /var/lock/subsys/pptpd
    +     fi
    +     ;;
    + status)
    +     ifconfig
    +     ;;
    + *)
    +     echo "Usage: $0 {start|stop|restart|status}"
    +     ;;
    + esac

    +
    +

    Configuring Shorewall

    +

    I consider hosts connected to my PPTP server to be just like local systems. -My key Shorewall entries are:

    + My key Shorewall entries are:

    +

    /etc/shorewall/zones:

    -
    - - - - - - - - - - - - - - - - + +
    +
    ZONEDISPLAYCOMMENTS
    netInternetThe Internet
    locLocalMy Local Network including remote PPTP clients
    + + + + + + + + + + + + + + + + + +
    ZONEDISPLAYCOMMENTS
    netInternetThe Internet
    locLocalMy Local Network including remote PPTP clients
    -
    + +

    /etc/shorewall/interfaces:

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - + +
    +
    ZONEINTERFACEBROADCASTOPTIONS
    neteth0206.124.146.255noping,norfc1918
    loceth2192.168.1.255 
    -ppp+  
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZONEINTERFACEBROADCASTOPTIONS
    neteth0206.124.146.255noping,norfc1918
    loceth2192.168.1.255 
    -ppp+  
    -
    + +

    /etc/shorewall/hosts:

    -
    - - - - - - - - - - - - - - - - + +
    +
    ZONEHOST(S)OPTIONS
    loceth2:192.168.1.0/24routestopped
    locppp+:192.168.1.0/24 
    + + + + + + + + + + + + + + + + + +
    ZONEHOST(S)OPTIONS
    loceth2:192.168.1.0/24routestopped
    locppp+:192.168.1.0/24 
    -
    + +

    /etc/shorewall/policy:

    -
    - - - - - - - - - - - - - + +
    +
    SOURCEDESTPOLICYLOG LEVEL
    loclocACCEPT 
    + + + + + + + + + + + + + + +
    SOURCEDESTPOLICYLOG LEVEL
    loclocACCEPT 
    -
    -

    /etc/shorewall/rules:

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST
    ACCEPTnetfwtcp1723  
    ACCEPTnetfw47-  
    ACCEPTfwnet47-  
    -
    -

    Note: I have multiple ppp interfaces on my firewall. If you - have a single ppp interface, you probably want:

    -

    /etc/shorewall/interfaces:

    -
    - - - - - - - + + +

    /etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b):

    + +
    + +
    ZONEINTERFACEBROADCASTOPTIONS
    + + + + + + + + + + + - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPT neteth0206.124.146.255noping,norfc1918
    loceth2192.168.1.255 
    locppp0  
    -
    -

    and no entries in /etc/shorewall/hosts.

    -

    2. PPTP Server Running Behind your Firewall

    -

    If you have a single external IP address, add the following to your - /etc/shorewall/rules file:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST
    DNATnetloc:<server address>tcp1723  
    DNATnetloc:<server address>47-  
    -

    If you have multiple external IP address and you want to forward a single <external -address>, add the following to your /etc/shorewall/rules file:

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST
    DNATnetloc:<server address>tcp1723-<external address>
    DNATnetloc:<server address>47--<external address>
    -

    3. PPTP Clients Running Behind your Firewall

    -

    You shouldn't have to take any special action for this case unless you wish -to connect multiple clients to the same external server. In that case, you will -need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. -I recommend that you also add these two lines to your /etc/shorewall/modules -file: -

    -

    loadmodule ip_conntrack_pptp
    - loadmodule ip_nat_pptp -

    -

    4. PPTP Client Running on your Firewall.

    -

    The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/.    -Rather than use the configuration script that comes with the client, I built my -own. I also build my own kernel as described above -rather than using the mppe package that is available with the client. My -/etc/ppp/options file is mostly unchanged from what came with the client (see -below).

    -

    The key elements of this setup are as follows: -

      -
    1. Define a zone for the remote network accessed via PPTP.
      2. -
    2. Associate that zone with a ppp interface.
      3. -
    3. Define rules for PPTP traffic to/from the firewall.
      4. -
    4. Define rules for traffic two and from the remote zone.
      5. -
    -

    Here are examples from my setup:

    -

    /etc/shorewall/zones

    -
    - - - - - - - - - - - -
    ZONEDISPLAYCOMMENTS
    cpqCompaqCompaq Intranet
    -
    -

    /etc/shorewall/interfaces

    -
    - - - - - - - - - - - - - -
    ZONEINTERFACEBROADCASTOPTIONS
    -ppp+  
    -
    -

    /etc/shorewall/hosts

    -
    - - - - - - - - - - - -
    ZONEHOST(S)OPTIONS
    -ppp+:!192.168.1.0/24 
    -
    -

    /etc/shorewall/rules

    -
    - - - - - - - - - - - - - - - - - + + + + + + + + + + + @@ -577,160 +413,487 @@ below).

    - - + + + + +
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST
    ACCEPT fwnet tcp 1723    
    ACCEPTnetfw47-  
    ACCEPT net 47 -    
    +
    + +

    /etc/shoreawll/tunnels (For Shorewall versions 1.3.10 +and later)
    +

    +
    + + + + + + + + + + + + + + +
    TYPE
    +     		ZONE
    +     		GATEWAY
    +     		GATEWAY ZONE
    +
    pptpserver
    +     		net
    +     		0.0.0.0/0
    +
    +
    -

    I use the combination of interface and hosts file to define the 'cpq' zone -because I also run a PPTP server on my firewall (see above). Using this -technique allows me to distinguish clients of my own PPTP server from arbitrary -hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and -Compaq doesn't use that RFC1918 Class C subnet. -

    I use this script in /etc/init.d to control the client. The reason that I -disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet -and reject the initial TCP connection request if I enable ECN :-( +


    +Note: I have multiple ppp interfaces on my firewall. If you have a single +ppp interface, you probably want:

    + +

    /etc/shorewall/interfaces:

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZONEINTERFACEBROADCASTOPTIONS
    neteth0206.124.146.255noping,norfc1918
    loceth2192.168.1.255 
    locppp0  
    +
    + +

    and no entries in /etc/shorewall/hosts.

    + +

    2. PPTP Server Running Behind +your Firewall

    + +

    If you have a single external IP address, add the following to your /etc/shorewall/rules +file:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    DNATnetloc:<server address>tcp1723  
    DNATnetloc:<server address>47-  
    + +

    If you have multiple external IP address and you want to forward a single +<external address>, add the following to your /etc/shorewall/rules +file:

    + +

      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    DNATnetloc:<server address>tcp1723-<external address>
    DNATnetloc:<server address>47--<external address>
    +

    + +

    3. PPTP Clients Running Behind +your Firewall

    + +

    You shouldn't have to take any special action for this case unless you +wish to connect multiple clients to the same external server. In that case, +you will need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. + I recommend that you also add these two lines to your /etc/shorewall/modules + file:

    + +
    +

    loadmodule ip_conntrack_pptp
    + loadmodule ip_nat_pptp

    +
    + +

    4. PPTP Client Running on your Firewall.

    + +

    The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/.    + Rather than use the configuration script that comes with the client, I built +my own. I also build my own kernel as described above + rather than using the mppe package that is available with the client. My +/etc/ppp/options file is mostly unchanged from what came with the client +(see below).

    + +

    The key elements of this setup are as follows:

    + +
      +
    1. Define a zone for the remote network accessed via PPTP.
      2. +
    2. Associate that zone with a ppp interface.
      3. +
    3. Define rules for PPTP traffic to/from the firewall.
      4. +
    4. Define rules for traffic two and from the remote zone.
      5. + +
    + +

    Here are examples from my setup:

    + +

    /etc/shorewall/zones

    + +
    + + + + + + + + + + + + + + +
    ZONEDISPLAYCOMMENTS
    cpqCompaqCompaq Intranet
    +
    + +

    /etc/shorewall/interfaces

    + +
    + + + + + + + + + + + + + + + + +
    ZONEINTERFACEBROADCASTOPTIONS
    -ppp+  
    +
    + +

    /etc/shorewall/hosts

    + +
    + + + + + + + + + + + + + + +
    ZONEHOST(S)OPTIONS
    -ppp+:!192.168.1.0/24 
    +
    + +

    /etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b)

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPTfwnettcp1723  
    ACCEPTfwnet47-  
    +
    + +

    /etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)
    +

    -

    #!/bin/sh
    -#
    -# /etc/rc.d/init.d/pptp
    -#
    -# chkconfig: 5 60 85
    -# description: PPTP Link Control
    -#
    -NAME="Tandem"
    -ADDRESS=tunnel-tandem.compaq.com
    -USER='Tandem\tommy'
    -ECN=0
    -DEBUG=
    -
    -start_pptp() {
    -    echo $ECN > /proc/sys/net/ipv4/tcp_ecn
    -    if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
    -        touch /var/lock/subsys/pptp
    -        echo "PPTP Connection to $NAME Started"
    -    fi
    -}
    -
    -stop_pptp() {
    -    if killall /usr/sbin/pptp 2> /dev/null; then
    -        echo "Stopped pptp"
    -    else
    -        rm -f /var/run/pptp/*
    -    fi
    -
    -    # if killall pppd; then
    -    # echo "Stopped pppd"
    -    # fi
    -
    -    rm -f /var/lock/subsys/pptp
    -
    -    echo 1 > /proc/sys/net/ipv4/tcp_ecn
    -}
    -
    -
    -case "$1" in
    - start)
    -    echo "Starting PPTP Connection to ${NAME}..."
    -    start_pptp
    -    ;;
    - stop)
    -    echo "Stopping $NAME PPTP Connection..."
    -    stop_pptp
    -    ;;
    - restart)
    -    echo "Restarting $NAME PPTP Connection..."
    -    stop_pptp
    -    start_pptp
    -    ;;
    - status)
    -    ifconfig
    -    ;;
    - *)
    -    echo "Usage: $0 {start|stop|restart|status}"
    -    ;;
    -esac
    -     -

    -

    Here's my /etc/ppp/options file: -

    -

    #
    -# Identify this connection
    -#
    -ipparam Compaq
    -#
    -# Lock the port
    -#
    -lock
    -#
    -# We don't need the tunnel server to authenticate itself
    -#
    -noauth
    -
    -+chap
    -+chapms
    -+chapms-v2
    -
    -multilink
    -mrru 1614
    -#
    -# Turn off transmission protocols we know won't be used
    -#
    -nobsdcomp
    -nodeflate
    -
    -#
    -# We want MPPE
    -#
    -mppe-128
    -mppe-stateless
    -
    -#
    -# We want a sane mtu/mru
    -#
    -mtu 1000
    -mru 1000
    -
    -#
    -# Time this thing out of it goes poof
    -#
    -lcp-echo-failure 10
    -lcp-echo-interval 10     -

    -

    My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq -traffic through the PPTP tunnel: -

    -

    #/bin/sh
    + + + + + + + + + + + + + + + +
    TYPE
    +     		ZONE
    +     		GATEWAY
    +     		GATEWAY ZONE
    +
    pptpclient
    +     		net
    +     		0.0.0.0/0
    +
    +

    - case $6 in
    - Compaq)
    -     route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
    -     route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
    -     route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
    -     ...
    -     ;;
    - esac

    -

    Finally, I run the following script every five minutes under crond to - restart the tunnel if it fails:

         #!/bin/sh
-     restart_pptp() {
-         /sbin/service pptp stop
-         sleep 10
-         if /sbin/service pptp start; then
-             /usr/bin/logger "PPTP Restarted"
-         fi
-     }
-
-     if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
-         exit 0
-     fi
-
-     echo "Attempting to restart PPTP"
-
-     restart_pptp > /dev/null 2>&1 &
-
    -

    Here's a script - and corresponding ip-up.local from Jerry - Vonau that controls two PPTP connections.

    -

    Last modified 7/11/2002 - Tom -Eastep

    -Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file + +

    I use the combination of interface and hosts file to define the 'cpq' zone +because I also run a PPTP server on my firewall (see above). Using this technique +allows me to distinguish clients of my own PPTP server from arbitrary hosts +at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq +doesn't use that RFC1918 Class C subnet.

    + +

    I use this script in /etc/init.d to control the client. The reason that +I disable ECN when connecting is that the Compaq tunnel servers don't do ECN +yet and reject the initial TCP connection request if I enable ECN :-(

    + +
    +

    #!/bin/sh
    + #
    + # /etc/rc.d/init.d/pptp
    + #
    + # chkconfig: 5 60 85
    + # description: PPTP Link Control
    + #
    + NAME="Tandem"
    + ADDRESS=tunnel-tandem.compaq.com
    + USER='Tandem\tommy'
    + ECN=0
    + DEBUG=
    +
    + start_pptp() {
    +     echo $ECN > /proc/sys/net/ipv4/tcp_ecn
    +     if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
    +         touch /var/lock/subsys/pptp
    +         echo "PPTP Connection to $NAME Started"
    +     fi
    + }
    +
    + stop_pptp() {
    +     if killall /usr/sbin/pptp 2> /dev/null; then
    +         echo "Stopped pptp"
    +     else
    +         rm -f /var/run/pptp/*
    +     fi
    +
    +     # if killall pppd; then
    +     # echo "Stopped pppd"
    +     # fi
    +
    +     rm -f /var/lock/subsys/pptp
    +
    +     echo 1 > /proc/sys/net/ipv4/tcp_ecn
    + }
    +
    +
    + case "$1" in
    + start)
    +     echo "Starting PPTP Connection to ${NAME}..."
    +     start_pptp
    +     ;;
    + stop)
    +     echo "Stopping $NAME PPTP Connection..."
    +     stop_pptp
    +     ;;
    + restart)
    +     echo "Restarting $NAME PPTP Connection..."
    +     stop_pptp
    +     start_pptp
    +     ;;
    + status)
    +     ifconfig
    +     ;;
    + *)
    +     echo "Usage: $0 {start|stop|restart|status}"
    +     ;;
    + esac
    +

    +
    + +

    Here's my /etc/ppp/options file:

    + +
    +

    #
    + # Identify this connection
    + #
    + ipparam Compaq
    + #
    + # Lock the port
    + #
    + lock
    + #
    + # We don't need the tunnel server to authenticate itself
    + #
    + noauth
    +
    + +chap
    + +chapms
    + +chapms-v2
    +
    + multilink
    + mrru 1614
    + #
    + # Turn off transmission protocols we know won't be used
    + #
    + nobsdcomp
    + nodeflate
    +
    + #
    + # We want MPPE
    + #
    + mppe-128
    + mppe-stateless
    +
    + #
    + # We want a sane mtu/mru
    + #
    + mtu 1000
    + mru 1000
    +
    + #
    + # Time this thing out of it goes poof
    + #
    + lcp-echo-failure 10
    + lcp-echo-interval 10

    +
    + +

    My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq + traffic through the PPTP tunnel:

    + +
    +

    #/bin/sh
    +
    + case $6 in
    + Compaq)
    +     route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
    +     route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
    +     route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
    +     ...
    +     ;;
    + esac

    +
    + +

    Finally, I run the following script every five minutes under crond to + restart the tunnel if it fails:

    + +
         #!/bin/sh
         restart_pptp() {
             /sbin/service pptp stop
             sleep 10
             if /sbin/service pptp start; then
                 /usr/bin/logger "PPTP Restarted"
             fi
         }

         if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
             exit 0
         fi

         echo "Attempting to restart PPTP"

         restart_pptp > /dev/null 2>&1 &
    + +

    Here's a script + and corresponding ip-up.local from Jerry Vonau that controls two PPTP connections.

    + +

    Last modified 10/23/2002 - Tom Eastep

    + +

    Copyright2001, 2002 Thomas M. Eastep.

    +
    +
    + + diff --git a/STABLE/documentation/Shorewall_index_frame.htm b/STABLE/documentation/Shorewall_index_frame.htm index 2bb250bd1..42a295f8d 100644 --- a/STABLE/documentation/Shorewall_index_frame.htm +++ b/STABLE/documentation/Shorewall_index_frame.htm @@ -1,114 +1,121 @@ - + - + - + - + Shorewall Index - + - + - - - + + - - - + + + - - - + + + + + + +
    - +
    +

    Shorewall

    -
    - -
    - - - - - - + -
    - +

    - Note:     Search is unavailable Daily 0200-0330 GMT.
    - + Note: Search is unavailable Daily 0200-0330 GMT.
    +

    Quick Search
    -

    -
    - + + +

    Extended Search

    - +

    Copyright © 2001, 2002 Thomas M. Eastep.

    - +

    -

    -
    -
    -
    -
    -
    -
    -
    -
    +
    +

    diff --git a/STABLE/documentation/configuration_file_basics.htm b/STABLE/documentation/configuration_file_basics.htm index b7b76e842..c8657434e 100644 --- a/STABLE/documentation/configuration_file_basics.htm +++ b/STABLE/documentation/configuration_file_basics.htm @@ -1,300 +1,319 @@ - + - + - + - + Configuration File Basics - + - - - + + - - - + + + +
    +

    Configuration Files

    -
    - -

    Warning: If you copy or edit your - configuration files on a system running Microsoft Windows, you must - run them through dos2unix -before you use them with Shorewall.

    - -

    Files

    - -

    Shorewall's configuration files are in the directory /etc/shorewall.

    - - - -

    Comments

    - -

    You may place comments in configuration files by making the first non-whitespace - character a pound sign ("#"). You may also place comments at the end -of any line, again by delimiting the comment from the rest of the line -with a pound sign.

    - -

    Examples:

    - -
    # This is a comment
    - -
    ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
    - -

    Line Continuation

    - -

    You may continue lines in the configuration files using the usual backslash -("\") followed immediately by a new line character.

    - -

    Example:

    - -
    ACCEPT	net	fw	tcp \
    smtp,www,pop3,imap  #Services running on the firewall
    - -

    Using DNS Names

    - -

    - -

    WARNING: I personally recommend strongly against - using DNS names in Shorewall configuration files. If you use DNS names and - you are called out of bed at 2:00AM because Shorewall won't start as a result -of DNS problems then don't say that you were not forewarned.
    -

    - -

        -Tom
    -

    - -

    Beginning with Shorwall 1.3.9, Host addresses in Shorewall -configuration files may be specified either as IP addresses or as DNS Names.
    -
    - DNS names in iptables rules aren't nearly as useful as they first appear. -When a DNS name appears in a rule, the iptables utility resolves the name -to one or more IP addresses and inserts those addresses into the rule. So -change in the DNS->IP address relationship that occur after the firewall -has started have absolutely no effect on the firewall's ruleset.

    - -

    If your firewall rules include DNS names then:

    - - - -

    Each DNS name much be fully qualified and include a minumum -of two periods (although one may be trailing). This restriction is imposed -by Shorewall to insure backward compatibility with existing configuration -files.
    -
    - Examples of valid DNS names:
    -

    - - - Examples of invalid DNS names:
    - - - DNS names may not be used as:
    - - - These are iptables restrictions and are not simply imposed for your inconvenience -by Shorewall.
    -
    - -

    Complementing an Address or Subnet

    - -

    Where specifying an IP address, a subnet or an interface, you can - precede the item with "!" to specify the complement of the item. For - example, !192.168.1.4 means "any host but 192.168.1.4".

    - -

    Comma-separated Lists

    - -

    Comma-separated lists are allowed in a number of contexts within the - configuration files. A comma separated list:

    - - - -

    Port Numbers/Service Names

    - -

    Unless otherwise specified, when giving a port number you can use - either an integer or a service name from /etc/services.

    - -

    Port Ranges

    - -

    If you need to specify a range of ports, the proper syntax is <low - port number>:<high port number>.

    - -

    Using Shell Variables

    - -

    You may use the file /etc/shorewall/params file to set shell variables -that you can then use in some of the other configuration files.

    - -

    It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally -within the Shorewall programs

    - -

    Example:

    - -
    - 
    NET_IF=eth0
    NET_BCAST=130.252.100.255
    NET_OPTIONS=noping,norfc1918
    -
    - -


    - Example (/etc/shorewall/interfaces record):

    - -
    - 
    net $NET_IF $NET_BCAST $NET_OPTIONS
    -
    -     + +

    Warning: If you copy or edit your + configuration files on a system running Microsoft Windows, you must + run them through dos2unix + before you use them with Shorewall.

    -

    The result will be the same as if the record had been written

    - -
    - 
    net eth0 130.252.100.255 noping,norfc1918
    -
    -     - -

    Variables may be used anywhere in the other configuration -files.

    +

    Files

    + +

    Shorewall's configuration files are in the directory /etc/shorewall.

    + + + +

    Comments

    + +

    You may place comments in configuration files by making the first non-whitespace + character a pound sign ("#"). You may also place comments at the end + of any line, again by delimiting the comment from the rest of the +line with a pound sign.

    + +

    Examples:

    + +
    # This is a comment
    + +
    ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
    + +

    Line Continuation

    + +

    You may continue lines in the configuration files using the usual backslash + ("\") followed immediately by a new line character.

    + +

    Example:

    + +
    ACCEPT	net	fw	tcp \
    smtp,www,pop3,imap  #Services running on the firewall
    + +

    Using DNS Names

    + +

    + +

    WARNING: I personally recommend strongly against + using DNS names in Shorewall configuration files. If you use DNS names and + you are called out of bed at 2:00AM because Shorewall won't start as a +result of DNS problems then don't say that you were not forewarned.
    +

    + +

        -Tom
    +

    + +

    Beginning with Shorwall 1.3.9, Host addresses in Shorewall + configuration files may be specified either as IP addresses or as DNS Names.
    +
    + DNS names in iptables rules aren't nearly as useful as they first appear. + When a DNS name appears in a rule, the iptables utility resolves the name + to one or more IP addresses and inserts those addresses into the rule. +So change in the DNS->IP address relationship that occur after the firewall + has started have absolutely no effect on the firewall's ruleset.

    + +

    If your firewall rules include DNS names then:

    + + + +

    Each DNS name much be fully qualified and include a minumum + of two periods (although one may be trailing). This restriction is imposed + by Shorewall to insure backward compatibility with existing configuration + files.
    +
    + Examples of valid DNS names:
    +

    + + + Examples of invalid DNS names:
    + + + DNS names may not be used as:
    + + + These are iptables restrictions and are not simply imposed for your +inconvenience by Shorewall.
    +
    + +

    Complementing an Address or Subnet

    + +

    Where specifying an IP address, a subnet or an interface, you can + precede the item with "!" to specify the complement of the item. For + example, !192.168.1.4 means "any host but 192.168.1.4". There must +be no white space following the "!".

    + +

    Comma-separated Lists

    + +

    Comma-separated lists are allowed in a number of contexts within the + configuration files. A comma separated list:

    + + + +

    Port Numbers/Service Names

    + +

    Unless otherwise specified, when giving a port number you can use + either an integer or a service name from /etc/services.

    + +

    Port Ranges

    + +

    If you need to specify a range of ports, the proper syntax is <low + port number>:<high port number>. For example, + if you want to forward the range of tcp ports 4000 through 4100 to local +host 192.168.1.3, the entry in /etc/shorewall/rules is:
    +

    + +
         DNAT	net	loc:192.168.1.3	tcp	4000:4100
    + +

    Using Shell Variables

    + +

    You may use the /etc/shorewall/params file to set shell variables + that you can then use in some of the other configuration files.

    + +

    It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally + within the Shorewall programs

    + +

    Example:

    + +
    + 
    NET_IF=eth0
    NET_BCAST=130.252.100.255
    NET_OPTIONS=noping,norfc1918
    +
    +


    + Example (/etc/shorewall/interfaces record):

    + +
    + 
    net $NET_IF $NET_BCAST $NET_OPTIONS
    +
    +     + +

    The result will be the same as if the record had been written

    + +
    + 
    net eth0 130.252.100.255 noping,norfc1918
    +
    +     + +

    Variables may be used anywhere in the other configuration + files.

    +

    Using MAC Addresses

    - -

    Media Access Control (MAC) addresses can be used to specify packet -source in several of the configuration files. To use this feature, -your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) -included.

    - -

    MAC addresses are 48 bits wide and each Ethernet Controller has a - unique MAC address.
    -
    - In GNU/Linux, MAC addresses are usually written as a series of 6 -hex numbers separated by colons. Example:
    -
    -      [root@gateway root]# ifconfig eth0
    -      eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
    -      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
    -      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    -      RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
    -      TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
    -      collisions:30394 txqueuelen:100
    -      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
    -      Interrupt:11 Base address:0x1800
    -
    - Because Shorewall uses colons as a separator for address fields, -Shorewall requires MAC addresses to be written in another way. In -Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 -hex numbers separated by hyphens. In Shorewall, the MAC address in -the example above would be written "~02-00-08-E3-FA-55".

    - + +

    Media Access Control (MAC) addresses can be used to specify packet + source in several of the configuration files. To use this feature, + your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) + included.

    + +

    MAC addresses are 48 bits wide and each Ethernet Controller has a + unique MAC address.
    +
    + In GNU/Linux, MAC addresses are usually written as a series of +6 hex numbers separated by colons. Example:
    +
    +      [root@gateway root]# ifconfig eth0
    +      eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
    +      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
    +      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    +      RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
    +      TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
    +      collisions:30394 txqueuelen:100
    +      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 + Mb)
    +      Interrupt:11 Base address:0x1800
    +
    + Because Shorewall uses colons as a separator for address fields, + Shorewall requires MAC addresses to be written in another way. In +Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 +hex numbers separated by hyphens. In Shorewall, the MAC address in +the example above would be written "~02-00-08-E3-FA-55".
    +

    +

    Note: It is not necessary to use the special Shorewall notation +in the /etc/shorewall/maclist file.
    +

    +

    Shorewall Configurations

    - -

    Shorewall allows you to have configuration directories other than /etc/shorewall. -The shorewall start and restart - commands allow you to specify an alternate configuration directory and - Shorewall will use the files in the alternate directory rather than the corresponding - files in /etc/shorewall. The alternate directory need not contain a complete - configuration; those files not in the alternate directory will be read from - /etc/shorewall.

    - -

    This facility permits you to easily create a test or temporary configuration - by:

    - + +

    Shorewall allows you to have configuration directories other than /etc/shorewall. + The shorewall start and restart + commands allow you to specify an alternate configuration directory and + Shorewall will use the files in the alternate directory rather than the + corresponding files in /etc/shorewall. The alternate directory need not +contain a complete configuration; those files not in the alternate directory +will be read from /etc/shorewall.

    + +

    This facility permits you to easily create a test or temporary configuration + by:

    +
      -
    1. copying the files that need modification from /etc/shorewall -to a separate directory;
      2. -
    2. modify those files in the separate directory; and
      3. -
    3. specifying the separate directory in a shorewall start or -shorewall restart command (e.g., shorewall -c /etc/testconfig restart - ).
      4. - +
    4. copying the files that need modification from /etc/shorewall + to a separate directory;
      5. +
    5. modify those files in the separate directory; and
      6. +
    6. specifying the separate directory in a shorewall start +or shorewall restart command (e.g., shorewall -c /etc/testconfig + restart ).
      7. +
    - -

    Updated 9/24/2002 - Tom Eastep -

    + +

    Updated 10/24/2002 - Tom Eastep +

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    -
    +
    +
    +
    +

    diff --git a/STABLE/documentation/dhcp.htm b/STABLE/documentation/dhcp.htm index c66b6fe65..d736f42eb 100644 --- a/STABLE/documentation/dhcp.htm +++ b/STABLE/documentation/dhcp.htm @@ -1,60 +1,82 @@ + - - - - - -DHCP + + + + + + + + + DHCP - - - - - - - + + +
    -

    DHCP

    -
    + + + + + +
    +

    DHCP

    +
    -

    DHCP Server on your firewall

    + +

    If you want to Run a DHCP Server on your firewall

    + -

    A Firewall Interface gets its IP Address via DHCP

    + +

    If a Firewall Interface gets its IP Address via DHCP

    + -

    Last updated 1/26/2002 - Tom -Eastep

    - -

    Copyright2001, 2002 Thomas M. Eastep.

    - + +

    Last updated 11/03/2002 - Tom Eastep

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    +
    - - \ No newline at end of file + diff --git a/STABLE/documentation/download.htm b/STABLE/documentation/download.htm index 5c4aff566..e9405790c 100644 --- a/STABLE/documentation/download.htm +++ b/STABLE/documentation/download.htm @@ -1,304 +1,310 @@ - + - + - + - + Download - + - - - + + - - - + + + +
    +

    Shorewall Download

    -
    - +

    I strongly urge you to read and print a copy of the Shorewall QuickStart Guide for the configuration that most closely matches your own.

    - +

    Once you've done that, download one of the modules:

    - + - +

    The documentation in HTML format is included in the .tgz and .rpm files - and there is an documentation .deb that also contains the documentation.

    - + and there is an documentation .deb that also contains the documentation.

    +

    Please verify the version that you have downloaded -- during the - release of a new version of Shorewall, the links below may point -to a newer or an older version than is shown below.

    - + release of a new version of Shorewall, the links below may point + to a newer or an older version than is shown below.

    + - +

    Once you have verified the version, check the - errata errata to see if there are updates that apply to the version - that you have downloaded.

    - + that you have downloaded.

    +

    WARNING - YOU CAN NOT SIMPLY - INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration -of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.

    - -

    Download Latest Version (1.3.9a): Remember that updates to the - mirrors occur 1-12 hours after an update to the primary site.

    - -
    + INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration + of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.

    + +

    Download Latest Version (1.3.10): Remember that updates to the + mirrors occur 1-12 hours after an update to the primary site.

    + +
    - - - - - - - - - - - - + + + + + + + + + + - - - - - + + + - - - - - - + + + + + - + - - - - - + + + + + - + - - - - - + + + - + - - - - - - + + + + + + - - - + .lrp + + +
    SERVER LOCATIONDOMAINHTTPFTP
    Washington State, USAShorewall.netDownload - .rpm
    - Download - .tgz 
    - Download - .lrp    		 Download .rpm 
    - +
    SERVER LOCATIONDOMAINHTTPFTP
    Washington State, USAShorewall.netDownload .rpm
    + Download + .tgz 
    + Download + .lrp    		 + Download .rpm 
    + Download .tgz 
    - Download .lrp
    Slovak RepublicShorewall.net +
    Slovak RepublicShorewall.netDownload .rpm
    - Download .tgz 
    - Download .lrp    		 Download - .rpm  
    -   
    +     Download - .tgz 
    -  
    +     Download - .rpm
    Texas, USAInfohiiway.com
    Texas, USAInfohiiway.comDownload - .rpm
    -
    +     Download - .tgz 
    -  
    +     Download - .lrp    		 Download .rpm  
    - Download .tgz 
    - Download - .lrp
    Hamburg, GermanyShorewall.net
    Hamburg, GermanyShorewall.net Download - .rpm
    - Download - .tgz
    - Download - .lrp
    +     Download + .tgz
    + Download + .lrp    		 Download - .rpm  
    -   
    +     Download .tgz 
    - Download .lrp
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar +
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar Download - .rpm  
    -   
    +     Download - .tgz 
    -  
    +     - Download .lrp    		 Download - .rpm  
    -   
    +     Download - .tgz 
    -  
    +     - Download .lrp
    Paris, FranceShorewall.netDownload - .rpm
    - Download - .tgz 
    - Download - .lrp    		 Download - .rpm  
    - Download + Download .lrp
    Paris, FranceShorewall.netDownload + .rpm
    + Download .tgz 
    - Download + .lrp    		 Download + .rpm  
    + Download + .tgz 
    + Download - .lrp
    -
    - +
    +

    Browse Download Sites:

    - -
    + +
    - - - - - - - - - - - - + + + + + + + + + + - - - - - - + + + + - - - - - - + + + + - - - - - - + + + + - - - - - + + + - - - - - - + + + - - - - - - - - - - + + + + + + + + +
    SERVER LOCATIONDOMAINHTTPFTP
    Washington State, USAShorewall.netBrowse +
    SERVER LOCATIONDOMAINHTTPFTP
    Washington State, USAShorewall.netBrowseBrowse
    Slovak RepublicShorewall.netBrowse +
    Slovak RepublicShorewall.netBrowse Browse
    Texas, USAInfohiiway.comBrowse +
    Texas, USAInfohiiway.comBrowseBrowse
    Hamburg, GermanyShorewall.netBrowse +
    Hamburg, GermanyShorewall.netBrowseBrowse
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar +
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse Browse
    FranceShorewall.net +
    FranceShorewall.netBrowse Browse
    California, USA (Incomplete)Sourceforge.netBrowseN/A
    California, USA (Incomplete)Sourceforge.netBrowseN/A
    -
    - +
    +

    CVS:

    - -
    + +

    The CVS repository at - cvs.shorewall.net contains the latest snapshots of the each Shorewall - component. There's no guarantee that what you find there will work at all.

    -
    - -

    Last Updated 9/26/2002 - contains the latest snapshots of the each Shorewall + component. There's no guarantee that what you find there will work at +all.

    +
    + +

    Last Updated 11/9/2002 - Tom Eastep

    - +

    Copyright - © 2001, 2002 Thomas M. Eastep.

    + © 2001, 2002 Thomas M. Eastep.

    +

    +


    diff --git a/STABLE/documentation/images/TomNTarry.png b/STABLE/documentation/images/TomNTarry.png new file mode 100644 index 0000000000000000000000000000000000000000..2c884566579dc2e97b2ad60680c26e87b2e83b36 GIT binary patch literal 323818 zcmV)HK)t_-P)x07*na zRCt^$yEn70OP1&LOZmuGZ*|laCAu5BCIAZzaB#4|8IMmu044@ze+4Z3@vtT)a4?7% zdT3&RCc0X8)m(Y*J!k9v>PMx-*kxp7q`M;Hzt&$YvHSo2GRIINXCvy#GT90>duDp7 znXL-FQ)Ja6rV2Sf;g1#4Wa9UCn41~J48&9;FoZh8%YX*P^aGh&gf|i9-oe;zh%SlQYW6K@_Lj`R{Wh?>@9=MX9`8Cw@;{F~{eL+1tBJLCU`WN_c51pr-X?CZc zjkx4T`N$$#q8(9wiQ+TTDPsF8D*H3{KNq~;2tG|cYbu<$K)4sw7a2L6XseQskBV!x zAjDga#Ru%VXMRk)TuOdfDNe;D%Pd%5EzqNIB5R@sCogYw^(QVL6yov!`pcYTg*0Hpghb-WNNJf|Pt``cv7}Z4F9YFV3EH9l z-4XS53d;q>FcOR8Y-m;z7b5n}oFp{TE=Yi^G@>7Pc!AmBTS9Y5-cQIPVP!|kB|<5rQ}}g3 z95W^u@+MQ}h?p8e(IL(-05%K6w&N@mT1}+!j53$F_yl8ty(vj!L%npQY)M+fLL<7w z^LHbc@{auG3xw88Cy8=f&RX&DhaI!KAJD&ihd=E(o=T2mN1mT~t|jkn;?&*HY-Y3@ z%ez&@q*lylU{ytJ95L2pmC!;WL?8)`0T2>0IG<1oq)6mH0ArF8BY>2VN)i(Y5-DX6 zfK2$aL>8Hx6Nj_M>Ok)`;}nT$;$zX# z@Ck^Ks1l=tmv0ZKjbeO!!Ou(fk1teRgBj1v7Fu`i`iU zc()^^U-8Gw1Gnvx{-ZZT$zMyZG z%$o-BxWmnt9J`+CIPxO)v{k{>mgMckFl07wJbGx**CkfhSfjAnV#|U?1*9%9LLh`f zxX4gy>NFvR1uaN1L5?6aIYz<|hzL&OnXc;gUtETqP_8IejjRBY8A{cM>odfvsz zX|=`=k*QBK#g3!9#+pwIokg~uwyzl*L)rE8bwcF@&b?3y3#R0$^T46GM7mF?|M9>5 z@BWO=^+9f<^ zqSi#Ou*)+%0*ivI9+3Mb11+UG;nRee0-`oVACMUmXJSx@I3XlVb_T;hv;rj*(M-t6 zla2}1^$-f`ydxYk)!Gs!fv6Q=K?y7wlEGFP;R=KjIIoZaqLq*orj-x{<&DOQ1=VH) zMp9&jn4VB$jo%MUZjXOHQ$2g&gz%bX8By=wK$fqKqco^ROR=bEWXWcsSgb4No40Jf zdc&Km74N^8vDm(6_X?qx3& zoD?B?Tu!(ioK6@LIZLF9TG&OJ4W5^OEvnqWfk*w~=si$jh4WxJB2JvyfaDk;mc)+ZLxQRNmtU zhj?4!b~`SLE5@jBm4SRFRhjtQBQHv}hsb&{vOAW{%gEE-a=kgR&lfD|IQfb;8;)9` zs)5$jjDu#<5^6^^40O#5n?~wz;7MC&ukf)hJisvq)Y^#5guep5G5z0C{q9-5CWtCkVutL2#m=r*9Apgb9pgm zJukVwT(fvP$1Y12Wr53rX>!;>;*W}Iz2@_F!j2G+iqI(hJ~1u}S{*qZkBpOIUI$Jt zp|rr|6SXcGhmmYSOpaq&QN^A-otcIJQ;R7Iq6{p9;V2};N z#jG+c)+??qTCU$*vZ&{jnnf6LuUzMz*tNFRA6sB?zW*=9hsda zyP`qI6G}+DY>D}dbqe7O(rM)Bnb=$-!WMD=fBb!p%}6OM(+=ucCfSIeCbYZ6w@1_= zBb`TG3i5g6WxqoF!!7IoWRAge=t}Cc#FsCmeTB4hg1lq$8yY#_&KbKdDaHe-F38p( zr;<>CJsoh3ChsJ=?HSJ%A{J;nlFO08CVcon*$$l43^`AfO(JgtYQAPTOoYc1Wf{qN zOYE;nO@~SatSa&VyFiMHcbh~K zOZ2Ls5(Ppz3ZW>XMO7J4ugv)MA0mZ-3@K)WhMXiaCsLM37fH2%1SH60a?X$=LsG=) zg~M}Xzn9drfy2;q`Ui)*_Jnc7+8KTr(HDvOq2o}$r8w@H-j|r~Mw&mak=8RE5{Fzz9js;dLsMkfKBiK~4c=W;~BXtC{W` zZZ@*k9sh8<=J4|^$_fV8!TS}L-Dh}vh5Dz&=OS~xh@|sG(KPgXN4}})ZueAgRuqRb zqc+s%#CF+G4tJz}&BX<1rSa*4a{kP5zu_@$sqbHyt`(~sdA`lm%a-25rSR-GiN&#` z*F8m7(YF&-m2fFhc9#31>~=K%8)^2PohAm z%!r^60ueJ&2>jsLI#1qDxcNl$G4t)^5%JN|E*<;Bk;;_pA3PTyD)vK1wOg^9c}m|? z%rd)^W-+#$8$~|<4*li^{jo#+5C8pt^Jis%;0(HrXc-87CfPYT_SAWTY!O)yOphEB ze#-Fl5pz-DBm^bMr!!I|k{5*HhzuH)MwC(*ab$`K*;MH13GWuZRF&9qAp3&cNEjxvoRCA0ks0S33RPf)K*2 z)RG}Zsw`1HgGyLG5@IHr0)Znq(B30_Nj4IdPfR<5y|l#PNE$~JHLCOIiwvg`ThAy= zAT1QNt;tD{REh1L@%;tP?U1{Ha6ZFi(7q=((3XL!U82g8(X`lAfYXd(t(nP^#X52= zY8Kbmq(kJ7%*5L--t%FcQRFX3`ic4WjJUhy;crJiACEl#{1>>F9pC>HaW6+s-t*)o zGL59H2-zXBBB%U%awcVn2vqhANg+%^iH!4L4CJhkGNYtIX^Axoi+RKPs-aoUxY?|! zu1emoD$2_l#W>@TB**Ni)DIjUu8`}VVREdRz;w@zfU#1P zek7ZbI4n>bf!ZE4Pi4GC8fD}(5&x{_*+9D4VNk!^C+^sUpokq3;DL1t7nW>qx5<8w` z%d9`LEout+L^w8Bp*ZgoVOC?FKEc~L?r6y!*j8{DCl=Xq$gu1)kG`a>0;g{!OX+yn zf9801qK`e#&nI?X(x;IwC{pUkSu?tcYy}a60=&o+LLjFERw4ndC2gr`W+j!@wCj>Z zxu9-JM!jI(I=WLyqXN@PBA+MxWkuZu3R$qVM^;7TIU3|}OJd1t_KB{yh|hoiH@T7! zrNc$R+-A;Ujcs4jP}1U=z>L(zf{f-Doc1HDm%$B5hnWGLvjp4Dt(a0PHgl`FKINV0$nL6Qqh z@T8j=<_sYurqQ8&PoYQRn3hs>-V=|oL24hUJ| zV?bvQS(7UVvLWpt76YZo2w&4rBgSgP=YjaXMGueYEQ!|Q#53t-PV=id$=&0+3Y7&f zETPpXKQSI_iq$~uGU!M?7L+*RCUU+nX_pXEPcE-1^_kdI_=m{LHwP}oR9e6@!N^}<4BqnQ2fN~@E-r(vTPkmZV(I4Fw9t8DK13D z*$Rd5gi&A@U`K_tffOo~iHIafNlE~dXpT;ZRz4^@d_aC_UvZML#$o|U<7N1@aUux1Pi@%PjheWU) z_2FwiULJWbd#0EXPZRNNN!s@4SxbL}FP0OZ&w}e&&FAyPDjM8EV~#z$*^I>?u_1A; zA{9OR;*wSW8CPzw5#*Z}c)UjFgm4gor>+~$Ll5)FMqiWFfvLD+&`&InAWF^Ey5jqw zxY1|4eUJ5yxv6oB%pwYmX)r254xlYUW@J{71jq~`6H`Vc$O#aMQA9!(sPoAAEIFq$ zA}D_TafeJD?YQTj6-Ah6*9)Gz12gvq|BDI#-5|0T{MT``*mF4#Pf$BE}_0OLe^?yJ)za>m_^2M3BjkH`d z+9!s+rh4z0_A{;wl$kEhJ#>5gM(nF_%;ZV|e`{agTv^2-yC-(|$h|NBo_xFds#H0K%NCL$gu zLMgGTWZ3ppjb!RZN&*jVO>DO`|MDk_|8zw!7nI{37M9|2j()o#&emw5@GhVa2ZE?M z_KvpP5qBW!8h3XjxlExa(m0Y?Kz*cs$xNGy>_KgI3L7pSIFqkL^ zV@8UOFb)*8V(J`9SIE^7`SJ!g%NXUzu|Ql%^1+a_C72`Tppk{e%L$PSRGvTv%rr8! z1?rHHYmGX1LTrd;!rofkdl3B#3^mya#Cw4}oRE7MFK1}^ND5z|MI@90sRkI<j z4z&MKOKRq5ZNMaw3Y>rIFtz0TF2eyRN4S+dm5Fe?k3FYdqIkDrfBV99HAl{Obh8DQN%7M|$GcW@_pFf33m3(b7g@2M z9`MZ)9Y&4^iCWFE<7aFw*}FGr|3H{FtQ*6v?0FM*q;W$s1?TpJIVh@Ja%?15T{NwX2S9}lR)Ailbx`t+ISrD634BSKux5re^>GmB>6+*zt+;&{khv=c9bCZ{Dv zB=q`7j6Ej)iq*0s*b0~PglY^mGYS=Ox}XsW7bHf5a2c$4HQNxRoDnXQ6$p_*3Y-@V z;~5f6Q(*rvakqm-`H>%fUZHYN@nJ-~{Q2KzSAjSuC>=%#LcGcH{Q-0B4JRFuc%)5zXH2Hi+m7aJz;FfPF@)==Znp>(A zn5K&A%Hf_fX0c)z99CJz;HhLL8&4PuqCI1&n1(${G?cxD3vgpZ*c$DQ7+Vngo-jys z9S|>)ux?QG1LA236{H*(wWBN+cqcGwz%&ZcJG{;aR%j!kDez&ym;xOHs*r>b5k?{L zq->bHg!}?yjm(b2ZjX3!q}@PWJI)m7I3TV{YSo||gjq%Edd#~SVi-A{3MxDy%Q?QB zQ)z{475h`dZ1*G`=*lJH@JyZx_UF&+%v-iU{98uZGnH3J*<){(ES8e@`YV`g+VTQx z6NQ~IPZMyeGDE%ALo}Cmc7lVqzT5l*I)mJTcY_io*-~kCv>n zK$~|cGw_cOiMR8J+$T;}a#8fSSkWg~mWjjgIzZ_13HvbPUO_vH7+tW>icK?8+nTCf zqHBo|C2jHuVMtn2sfpwYk`<_&a1#`@c$FlAK#EB4fD{a3Lyk1IIuxwxt6`%F_^@MyNw+2fBF z_|~(^&y3|8V!p%r0x1dxzreWf$;&UvhfgH)3)JirQ7o7hJ#J{xsi3r)yzVKA0`=4& zzABlk1f!s;8lndnLK%f)krBx05KC{WEvAHPdtx`{)d6* z;RUh#fBrhVD9Dq>l_zQ~2$Mmq66$_}c|sgY#(9T$kl4$b$Im^*UwnuD4>gUv!C8m& z1>1$9kCN53ruzDVGS2a3K~;c2;DjcUsYE7vfhIwUNTW#JgO>E?jCMU^6tv@!`@zso z9{VWB%NIt|QmzGJzreOVru z!t{*KBdIi)Sp!((5FcQhqg8l0c9cBMj#)))pK)fg3!#AD-y1 zN}9Vn?wd8Ur|x<=3c8CcaWa2gyi8N(dQAS>eNg^O7huVu*~c=XlN>_P4kn4xAU@ zc8+SHn2rTQ>uK$T_J-b9h}hFsON!;5``ZiNy}je{cEfC~$mvWnVCxyvDa1ei`QPNm^-z}>WzfT(l;@=K zMDhbh&WQ1m9M%*OyeQcoKC$_WJ^r7~(4{1e5i1418!q|j@Bfb7(<4{^@i6gDEVWs1DIs*OimNMj-wH7ZDa%18?^Awo&QlLt?#Bw|QNk&sFe{D_nVk&&1q z>7~T@XWT;ba4Wf52#Pn5(voN-&);;+%8}BJq-{-nqY1}IH8aQ@cWB~ScERdmAQS`BOTk7YUar?{9$t8uzrnhHB1|hjEN1Mdj9yxDIx_DSk7dDIdB-$< zMaKd35}JEfr-o-LDj6uGWc}3)IZYhOFUh-~iHAVFT;iuaW!Z4FHH+aHp97r|ET!hL zoA_|C;o&86Q8^C6GLD(mQjkuLshpwY3uPR6jvFrXz`->Xiyjr0sP)9@x!}WlgRvz+ zz^rJ|LSPkSq0uohNJ;G?@ih`h7V5RW`IQoq6PUq z(a%WTNLNeNMq}oVU3iBpZ~3Jf`1s?B%ipY+o^CO^!Pjg2=@G64`J2E|7#7XM?8b5U zc|&aq6D3JcTo#$(@<#oeCzDfXfvdCHxqd+l%ED=5u3yJ!#{`r6XXIgoFc97K*r(@zgD$dmrGevTO zq)L=(a0=pKWHbu1{fXiiOQiD*rbS$gWN`&IiEH(aeZJ>^{a?P}yHEdyZ-4t&Jbm+- z-+jCzpYQnFk9*|#nIIt!?$sewh6sq1kXe9|B>kFgQdSa?6lUVQEl6QNj2)FI2|kj- zBTB7EN?^)_&yJKO%0`4akbFf}BS}aEmdQ*ccOV-<;R78NHV3pnlU+h5O=^1lzCslz z@=0OKOm`6AHwb!c2;^8ITSt1a_|jlGBf5kR2JJFFK+>Kddz35D%8=4XS(JohfTf`r zdW12gkPrxxQDhWKdk_K{Mkb}vMlkq@tu;7_Y%*hX7-#5oL18o5mjoC95MBb(ZlKYFX;S){Pw{4_P})7Q)Wj@C-iwF>k)bL9$gz|MMH6Ih`OXKD@0w> zUKSL&p{XO+UoLt3i?3;DdHc%>MPJZ;zUTC#V(<@q{)@lk@BX3Z<)`2BQ{M4>cVzT| zF-Kxb_y}XjXd)?Ogz%&!a5Hf7v!CiEUVRD#dmcmMz(07*naRG14-emZe%zvjBS zXFDu$)?ng+TtkUwe8>dVuviM5`h?yrdBZbL`GyO5&!=v=kw6k`^T=%!{XUk?pQ$ z+B!a^5l&lPwwkUI5GS;hM45;goaj-`zG`4uAbdt9&`JedJ)VRkTb*u2X!WD|P9hmMc$|(9IS-YO$c}-g;3P0fGn$({V zXGvTLbYoE6Bf-wma-eROOzVQY-y&l}IvJ`a5N8@(%~A*Ut{_elAp~RDWAcvJWgfSV z@ovvk>XElU^1U#K@H5A#5mO>enaTX2!McR_*Z=$fmQ$)Y#YBp)I!r$a7Vbb&hM5_t z`kHE{Ifs^Iedc@)g#Yu7%m4Tn%v?Y%24X*B`t^qTdWOm;p6+Y%&f(Kv5r1#^{k|i0 zFU;BUZ?~6}=9boXNd6h(kB{gNE8bkr_)uMQ{l(W5b%k~kQA=cwXm4Qfbk7IaJ|X%u zwq4*?9(z|3)`qxqn2jZN0ZhQwH6l#(g@F_)ixL&!oEPYeGkgMd5wQ=F+?3=n5>k(n zhLjXTJ+QpXj8Q`)(BTR62BjkIJYeUBaYzWG$fKdwBjZ?Nu6lSjq(w_e2dtRmiU~;x z0_3bkA#u4tE(KMT#GFutMkImD5?cqlWN4Hp`vS;dBa9M?OdKLvIZV{_A-rx~Op-7I zdq_|#Op2Ux=JERhj^DCb8l-+h{^=GuTN2aH*jN*E0db%x6Jgh4(?nQSbVbFy4zRpt z(t-v8G-R;0-^NFMWHU4x@>2h-EY=NQ}gcX3P=bEr8b~6PD$#RP*M>9nKM#G1nM<6sQ!=@BtuF_ zpt>|bR7|GHf=_8IR6&e1d6|IE{QjyU|lP;Z!qM^t^oc-pdx1;dp^Jr2~B!CAMPtSKHp<5q7G;|n4=lDZ;rVisF=$}lUR z>AI15hG#!xvr?Qso=|Ta^sQjKFtqiS@FQSW0E6MTxhPB^n_{ly4BFzyYO*AS8l6=wK5ua-O;WX2j_=$F}3^mopFRIc>is7cHl$p(*d^o;B+~T5}p7 zSc(d}`^@G`#eA@o?+nxTbH?Q->T-jyjwEVg*)#7;_A(<53U3ZfKUJs;g>cUtb;~O5 zcus3(Zw}}|GYpbut(eXSD)*l5jc4;@(C2DtR>O;ggZ}=4lb{Fs1TsbxuOVr{WRbj~vz!8Fk6i}y; zJbDg&pxd92`zP^yjSQ)MK>=IZlK5oec>sG9=#~=cab4HC+SNL(on>V0xOP2!k#vp>G zQt_1vppYa)2Bdt=7)}vc@*11r)in9TkV8m;+`aB9Phx_Q$!TDUHQnQplQ=QlO717m zyZj@+J8W3Xg5vFfe;hF%O0MIQ^KwLXHD&wE_;CX_GqmloyTHRrV!MH=sA!0M-dYwb zM~WqIz5{FZ!E7oE zeeoJ=@;mGz5RYrF+5<9ujrigb_w5Shm7~*JE`7mXZ=jtpUE+9ZpxVK4%OT%jpN{yP z*?hTT|2R=uOMY{pJqkuA7_l_%9mn7Q8h+_0-6KEmTEzeKKmUuIL|{>rNbv=7zNZ=l zTn5gE85`B{JQl1&U|eK2w&RDeM*Q|WzV(tn(I=|q6+eZq2%9q>fB!x2FM9s@fAODD zTz=&lcNUVDlEL3zXR6!jh;2rt}1r&~{0ZJ&FtX|9N_oUfb3zJ?r_( zS*~jDwaZi9bE~*{BZ7>yv$BPqLI@)y5KSbyv}nF66 z88@n1o^qdEt-Y#Q&#$1dF8qWw*VLF}jCZ`x8`g-?A+waObx0g?uSlj6?<$5~<0pY^ z*D_Q&PCSsr69)Yb+GEOD%h2RFVGu<_?j*kSj8_9TQ;7MLz8$bi6J-KPU<@tVrl?WS zpHGk~K+Mq6Lhmv8h^XhVgt`tCQ;Cos?=@2Vu-Ei~c5tKt`lu1H#;r5ryv8;Gl}6$o zf)NZ+F)FBjv1e+(MovFKCpqKG*Kj^Z@7E|f(vLYK2Au}9Dj0nrO?y->8660r>E?5c z?66`+YYK%M*>#ZFfQ}X2jbWIV7_&w{cn0gB(3GQ~Q5mwxNK=W>l2K}O?}$cI)jiGC zhRNhTA%9N44y^l*hr2r-Ry~9HEvHWK{ckk>^K%xdWqPj2=7!_sDSBEk%`%dxKnF6d z5#q4OcTpfkK!`|NOVW%3U_n704*O%l4@D3NeMFdu6N)qd9CeD>}|nL0|RwB0-o6 zL%YQ42jbdNpX7*DM>5sS#Vyy(1bH!GcKe1QKV}>fx*jG7hPKC@r7YAn-MGZ-f{V>9 z-%X!!n%=Ryb%<=iw75gxM&2(LEN<`FJbA`h{rB8Y&&l32#4@4F5-v|2iJT#(mPyEv z7IaK;i9$t%Yyw#!=mvjy-o_J!LIqEdir^apIqS+3hlb776}P*Tr`PZJ*3KYZ)7UA; z?typpIZqx3#-Zc9ctSIKP24O=!kV3Z#Nud=t`#e}q};zDWJ^}JE8JyCc>O(nd%}FS z!IcTINf0x`Y8_H9~$SriIbZU$G{Ad5!&)cRYYwzf!qJ6vJ)tzG^ zcifJKT)m^uMvjEwPFk#=w6k8#KA=(fOQas8BvZClOb9d}fGaM7Wk@)CgTNiUzk4 z=<|rYsxTs__k!4`#JER<4oAaqE$M6|aTTpP+zQF9#}x)UO2#5Z?;4!Z41JH171ABy z3Xm~Dw2pk5GrV!wMbFqM(2>qG_)(Cn0KH}mfjC4wo}rG6E)qo#)uAA+neEfgilC!bN&{*a?OxP*x(9Kud{{3S|_f z(G*$6$vov~mUHoe;$pGn$w|rl$((YQkQX`kGN+IZn{~9S4!Ine-1MyGQ0^Yc$0c2H zPo_LwUohl>BG$xx!MIS^tt9Dwai^<5U`Iw_TaQQeRxtyRL zBzM^{H^2H7f7N>O?j?TMAx@T@rc<6i&pCba7@3~&$wD%5ZVDfof2vg(nFRLP0u(+ zv>XxL2^4G8-XijmVLuXP8G3aOYJ&EL%GIPYVel1d-QWgE;uT@4h+BcY)VN_pm;{rr zpqnCWNh?Q8Jz%E>f`M_3n4ZvNo@BI`OwlKXxJjALTXwxcJx=s@7TWGkd*gi*(pIh!zU{k3|cfO zq3Es$^!W*iYZ)`}K_XR$HVJ)}itgomi6&WWClNP%*taQnoYl5F)j|ExU@M8KS&+yK( z(NpZIK|CqI@9C!}B>T6>bV1WMB>o7S-mqPd%&IABW>|-w!JQ)htN-SIjHktxswxQT z13obXI4l|obshO#;pGi+1*gOV=DWck6+yJ-+a9eQqihK87f^cYyPk9s@mWXG21J@7 zl}4;u#JQz&Q_AU{UX+M!OPnc+(zCsqVr)yiFccfj?t>-fE@Db>`z^wbsJNt?CnUQT z{a6v(jOaT;T%f`VZRHq!$%K2xn9~JE+Gs}Gklpn(CmKCEhWnaqQR4P%ZhohkfASK` zkFmzF?;L5J(H+<5U5m~m^^lTJ0x`EFTSqJeqn;D{8a+KCxC$ygC)%3e7bGeoQbUhH z%7z#Wq$$d@#8rn~q;xxrF#~<{@Gv43sJo6aFBr~h(w!wvQj(|`=OtplLmTM5Bh;RB zI-z}Ep~5}8ZOZ(q#mtVWuY0uLz(d6_XsUjse_1nYt{ER?c)38vo|jsYT-|ef5z!Bt z=o9Yro?)7T+Hg5Z>B~=fx@<{AL3Vb+R47O+LR%6gF@RB;!3m5R4}y}E2Qo^K_%5RI z!?k~OkxoDs!3&@p@m3@H95Xqw&*r8O=_+WasK*`scLQa)XRV%6-d^+0o^fh^ z$#(z8sDJVYfA(|bGBQ17a2;te66{F3O(<%`wG3SLJF30Gq6jA8-M+{D>Tem;DYIh1 zz5%B-ca3JXYZ=o$M-zihO0pusT1z&~Su6^cA71k0>F0d($x}Z1^e6o6^H2Ekryujv z^aIYa6OOIm*I$jq`(Jbay<=Jg-n5Fp`hRYa4}Zy5_m)kvp}xCiYja-R!K!)BO>L;u zHL)$IhK%}jk1q<=XLvg@_?#q95d@qy=r+MikG7GWL?i)~<~S8envu{OoY3@6pz{PjI&xLebYP>TtrcRCk`FCIpFwF!+6teg zh*A*k37HGD5^NRmQ%jIFk`f&h*hp9f#BGO})VQ~vsCzPz;qSJP1|kYZSmHxR$Wlh% z&^8O&UpAawzD0^9I~Os!qtgnrPH4v-RpqE4+1HXXY4Oz(W&_qmWVwL2K{tlDG>E-H zA2;~=V6`$~M1&Mo3dXS~Ru-`s7}pw|NR$)EVxSug*4OyVkd8Gr3XI~2H0xnH!y1pB z6v!-N%q)3oiHRgn6LdNyJxLHcMHK??2jsOyX+fp7Ot&fe(MUFG>^?AtkzDLJ5)g-k zQ=>Rjg5%{eKk5@)VNt)%cr>lKf0u&#me+stk}rSt3U@E>*;a4(ezhaIHC4AoA{oNS z;5<)ff50sB~mMtI)Ggzl01>jO3P%HGg~ZpbSgMMnNcnl zWLb&ThQ5o)uwimtG8TsPPEi*FDhh^uM5O^K3&wOL=^I?7*y%Y(=QZjkpkqU-5ARG}k=2kw4x%l$rZwYg!qyJZ+)@3u6Z#mSLgMtpF{5f}tQ9YiLf z6-r7}6ey*TT96pcT&3hkb53SCc~UZaR-n8>W+!-dEL+Wx<@jzzw<}=Y)4%T-W(vN} z*>xThBI&%M|K<_(vmU*#2Oeb=zq>l(v!`Eiz5N+k{w0gLqC0!cq-W+b(c-bJ#Rqi`0ck+k=ypx7l9hAAfWjIG36 zCZy{vWC1e{cxl)%MamH^4i1gM4#=v+XAbw^(dCHU*9=1jM+3uMh0G?1?tyHfiTj$h zR}9I>@-#)(hI~;FlM$b4`pKO1O-nQp;d;X608t#04kR)xZ11o>Wo%&(E9zY& zTR57#ge>W4iKupDsQ1{^GK7x7Ob~YusOc1cm*Z!aY+O<0Q^xxnGz*ffqu-}!)gbOY z!Wd%L6H|{@8PqjVSmavZ`yOEu#BQL!EXc+^va>+IMu8uIGSK@L-sTk3hDIrL56&85 zHw-%XO9Puzd9!C-+L`T;OCbNX_xxj0~;(metP?3yVx+QeY zd#3L#eYT^}(B~tw{SjRgNqEmVJ?G;TcX~I6fuB$aE=)BlHCH*?`Xy;lmpWSzD6+bJgzC(r-9iZsr?qSIH9>}$&Whj#s|h5jnEZxa*rMc z@{0q5v2aWLJmuUev`9&kgfx+WJcvb7B85a}0uePK1g0l5X4-LjtQf0+uoGN!n7lkE zyx(>VSBiS_D`bDfo|^e`p!rfzJe726PqI!>|LhNc|L1#gN!s1ApQc=@*TnsE>K=wT zl06zI>mA$V8M9h5+3k zFW zLN7CdhcFiS%n)Knbe6nGpnHIRhB>bB_dV=Djo^hN`Ar~xS|jTTb}Eo+B)bKF0&VAU zsb(eyd{9Is80((Ch{)*a6li(4Tn|-8Os9y4mS_b=MSAZ@q@jNRXDqVm4xm;knoqMV%)mxg>1X_E=w8jdCrnF{u4f$1N}%}5%j96di` zGRc`QQ|8knrY|O(m1h*YoX17Z#nY1GQIRsEqD1}qFZjX*hOfV%S$TeWU!m*+>wUnf zj!i4+L%Xb4!Os5IU(6I^34=PAuqg|ZWZ zY-#G2kex76BZ@8QcY-d{4632uCd4Gb5NMfD%skCdF&{ddQ0(G@Ox6@6)Efsy%B=_- z;YnvTt9yy@lC|HlS&g)}Z@9l7sk?^j?YA_$oSnLZ2AZf4vc-FYiU+Yt^&V*s)-h`% z+8T^iWJN-*6DCI`m&=?-=a*bu9+4fLa8zsL*&LI$G%+AYflf`zb^v>pGWI=VdON?@zfbzU9XsJY(|V&oETnH#y_Yiks#s zZhyu1Z|`|`EBR*jx9lFa)UIK2Y1wnc<4Ma$fAllb(elyb1!1p9CTHk!r1OGcp!b?> zY?x>Fe7_2OnpvEQq}jmxd(UUB!#ICLC)dbm zND@!`+LA3L+6C68XEs=(Z|SB_NX0dy8!1P77?opAAA#*2=_D}>^gD^tf>1Ts#-J02 zNJeDs=v9u%MxuB4`vGSa@?i(%lqBw&QhCkT!$j6RxBzcJkiUQ`YbHX|+#Cd|fjtTfmijHb+jH`> z0lnWMhsUJdJ^P8kyw+s>1owQ4{apxTyEFg*AOJ~3K~zaOOWBTsqTaDJkt7e?{NkSY zM+x@&FHyMWc`kx;_v#6~YKMF5=so(6;m&_-4PSFg5$% zwETAeK(>_F?v}f_VBEdqKm13JcppDuqDyZ6?pwNYpwymuqj~b z9X>#C27j7!*?q-mzGm7Gdt-rwbui z`gY)F|B>eC{23z6G149)cLZn=2~nXA6r97|-4BsH_=wQz@Eaw>G1BZ?>Q@!zaLc%E zFy6!HX$M0TEpgxDvlRcuOJ@I2qWW{X(}ZT#F)`qV5}P^%n%a*PatqZ7!}9^NPv|Ee zIVPAUGG-Q^Dyny1bNcukJ)6Q9A+f03(3u(9b_fq)7!h89mWW;<*brTb3koS~gcxvb zO2`aa3+%B)c+lA#F_lE8i9;kL5gk223*sn{M&rhS)}E;B!3hu!_QN0)B02z~kl-VM zh*F0m?f(ySs-vUx0WCFB349aK)-yg-gwYe)4$((+(lLq!F@>lsHVKSbf<>WBB#;o= zmYC=R;yoJH%@%pR$DVnjTtM4!d*gWZ<(};9dlpQ2^FB~5=9KD=WMW8;N-{G=NXc@M zGRlP9CTNvXrU8jX1y8hx_rg1YlHw3&A_dNQl#mB}R1^#$qGOE16|kAjx}$u z6vuMS)xAf{9c&AFx24ZCy%7xifrVJXuEb6hol-muo{MDQ!IUiQieWg#S2b~Zgx=iY zQ;Qr+;)zGyZrJ5H(@rwfd-Qxk7)SInW7r9bq{g*^kf&(Z5z`|w8<3(S(+Rs-Px^IE zcpONo8S<#27Acd^5t@$d>Z&65mTT?7&Y`x*{zw2=RJ09NbxfN$TdU4I}?IXCV7`M;aP8AdPHQ0p2NmgGs zjFVGNFITL-dqn@~F-i3foxsjQSVi=>p*dO5z1h;7WsD5$hML*jl5ZpXP~fpl{r6nU zlyGNw^ts~~cNLd(y#4zcpO<{oS(@1MVQJZ3@0fjRh=ZYc7C5d7etH3Z4`W6+v0UA} zr|DbuLbcmMKz8gKS5cDn~t$iNN+%SL|-9YPAyBy@fOj~3CA`5eU4fPly@Y` z(^nB}PHYEEnjn%$93$QXLj>C(REg_GqEtkokOJHf*m)T(9tVBIC&k?%{;`oTjz|br(a>NUT5RP%@2r=NSIM^LWh#GMBcuWj2qj4%I)O}bq*r9wq2L#V1u^6D1cW%@ znI92B($oWeJ=}vc~B0;}>AaSQuB#56RB-Igb2F+0$5X+iwJ}2oF zig%3lIn6X9X$R^nuutbS^vtEj8-rPG@fT-kb&ZJ$&2UX7o}ly{QJm7`8}juLeZEI_ zM@aQ8gwGI3gTG2hQ^~D&WL4l*)pM5La{t{aDqCaB?@)`+NZXq8G-Wthkl2n=B*@W& zQuwG)HlqH6KmE^to`(v(+j5_ONVt22QgenFFh`0{lAhPMhI}$PkUjK-QA>(@^?&&us^9Rt8_z?1$5*d*?1abnTlP_riU`tUe1|mVAZGZK ztf^_0WU6}7#W5(0)RK@JR(;3*;alWx!=h-Y)g!cg&Gv4?WHB&|lK4*I3r!wRkaA>i zj!BNbVKz$4R73lWB_^8Ys>3B`B%Ps@x7=(e zoXd)L^#GGIhQ3Go3eg=ijh3;vBcSPWMZZdTH}t4*N0=H43cvsR6CSJYWX z7YAGv8mOVI1JNAF#GRE`5ov`wFco7&#DMT1gu*8y!fV72H0Bs1bp8NY^^4NS~vm!z+j1ANY{Dm)JB#BsnS`ijFW5tt8Po5)UF#hXZFK zK}d|0WK)fvWyri>&4f!7q`Z1d z+Y0>ZZ|-s5`~`paCc}(>&u`ZP7dys%ORq-o;CpvCpw z9!FAu!jFIY8GrP6#<=5wFeD}Bfi+}MqeDV4UUw-ig z-*4aY>dlHb*Y9{x3IUHxz{m_I3_grFqcLNTA0l7=<`%WNWAA5-dcpFj=k@xOx_*Q1 zcihiEqFjH4&L5MP-!Qo@*_R8{Rxp`&Y_6dz3TQQpd572~)OktOHE8vWu6)Dt?w&h$ z%;~hkRW*;~matJ=%Q?nGveyGI z^=iQ~9SLV=Oecmy32a%Sr6P2Z!3HvIuv#MhVO&8TID$e7Vmz3-g*&83~h^^Y6f#4=-QaNOV~y|%)p>NT7&}F< z0@0ZRDk~ijok7cvQM4GH6OeS3Cz_GekM!C>@3BVz|CjyLk?13X)9B!EF=B!QEg}4X zN!N$uq7Xd7KnjUPezh)|&7!JQL-2=fq5;dPJfBU5!PWfU=L=3heu2#%bNTFo)89Mer+@H_&wuX|{@@>c$e%v>fIs^2KjLSXPq5Z< z?hNw1W32A@#sBe&+cz)y-~ZxUzWA#z_?LhFuX*$BUz4OMuUyG*{^jquzwIg8->{b@ zA7t0``Wb5Tp29TLy&Qy}0JRTkz|@dc&t5kLbxWtX2pi8HFGf0;2@MOJWd66@JJ-Jvco> z1S=zhI5a;|N*X8m)%ObT{{9txzh&P$1`B$$v?h|yM=GVL-ft-$pQE0f5b7)1l|twO zm5$V1P3|q-L=cZ9yshw4&tONA!cvDFQn%Q6L@-PIRHEWYqahnKePKwd8Z)0ER*`Y8 zN&5lkI=U>y+*R0QiWnP&u|z+Tj4dj*gux?i4k2R39mo^L5b$Qigq%S-vWJd-+#}Fr zy`r)4z*OWQoWvnwbUdiJsYM9zF&;8}y$2N-cc4;Gl^|+?AA6J($Zg?K}2HV`Bv88Kpu6 zi3kxD1)YIRX_PXgQIbz5EM^%e&(3&$w&diKDJRREv&kt#IAwAa8G&4R29q6JJEcT- zEkl^27dysqf*gK}4=)glh}gGu`5eKT9#1JG-CB~KofDd`c<4XixV*u=m#FC_`|Z~( z?HSFmCufOr6%YCZC3_kz@o9IUl<#Vq7l!mI$4n}EouWQ?@t^#BV(#f4Buu8P2uvp) zIY_K)$xOnXnsL7Wmha_b=EnoSd3njn#n-I%r<_b%_EliRj$htySikKjJ69|2aSX(Q|%$cElh3!AJbbAAZJ< zKKWx#ADvN3#c%dGtKa<^bAE~6zG9kb@)ys!d1&z5lMD*KAMn$2=GC`slIKjuTl&1< zQNHDNJ4Y^Hd0Jz~z;#!!AC5_9EAnAvFD4vMZrFWWl0Vjn-Ht&{pr5k1xZ~C+iMR)xUb@~a?Z25kBPAS%$7M|0KQ?xd8 zQIbjymK+(8;*b-IfI14Sh#(FlnU&!{w~ZbVAv3Tn6u*2ZS*`y)yJ6%_9az;{TGO%b zO5P8V>vm81#N(yKlM(W8AjIgABrDnLf;1nIV@E%~BzJ2tOG4)nV?r`57@H1ukS!JM zxTCxZgwlZO=(0ez6%3|i^fg`-=rj_B0TBw`^axYq)+x>eR0ven1ZF+fIXbIA8H8J- zT!EQu1{}7Ngg&6t79U1rUK|uzZSnm`w{u|j=%{F&M(YDF&Gr5uRv@7hh@?FvW_2wZ z4;>IkIxH@_gYcmvatMSbK+zH!gU$u?J=#dB7$|67z_yxW&i_eHsk~FUHTcg<%ZmnMj971qm8kR1V96U zW@~g;SKU%qRts{JT5!;xm46vtYaajLlt*DL1UG#5FbA2%Lai z2(+*m;m}4Pq@+{=Z5w2$@q8c8_ekP^Zm&l&Oc)>aI6d$4=+T7H=#25B4#TmJ5Camo z$2W$RKO(hjOzKc~3c`%W49U`(=*FWNHza0{XJVvmP<6^W(s*l2adIFk3j4sJwgS^r z><$r8ogq3I{b0{-r|2IXV&7*uJdi9m)N#zZyrpkPs2}~wkA8gA8$(vI>pWr--l94_ zVpsB}dBCH11{=Zk@hNA)7evJ)z9I=r$(gg#-^AVrsW5Fn!jHHdKClwNO2JWA*V2}uwzoW#8TrxkYx zNaKccx5evE`T12zYAWWwCXpF(9KcB~ye=KRpugBNug)kNL$ehGk9^!_ zOK`5SHw)HF5BXxuI9zdiJ4Sd8rD4C@6Z8uDs^Io+MCnQTVF{+9vtQEa6Z-oZYjw=1 zct@jpG&hE7=+is4=)A*5?D=lj@$dfnk2rn*TlhhOkcvRbKXk+jN&8{6Dl`J&?n_Hr zeWDPO+*y>?h&J#FyLMbgj@>UVD8d_jTd~=Ph}D6O?6P%BUcH=imuOZu3ob=Kb2H;J zkr3@F_KhJrlGIy|y3u%cMb;ccV5nS(pJmj&4q_Ek>ov_LM`S6+Z(uS+A1po@bUgBM zjcNw?roeg?;x<4t1=3o|OyWs_l;8@3^dT<Um8P7_?V!&6;kWs#n0Lt5{jmu*iugmXxx5TY$d z2M|)?fC_;W4l6-guv(G<_3H{9a>C&N=V`Qa=s=(o-8P#csO5dXgO*q!i4-`g5D2_b zA+?9|HJ;HN{>7{;5*4$TBL<0uW_mh5U8+Jc?wN~@&ww}B%Opfj_LRM9FH`^ zlXIrWV~&pc47-}~V9H>apwl6?+9Ml9wOoz810p;twjCV*|&duA$mNVUUT!V$CI;y zQMM-YPx059>!cy}HbgeVtOqoc1i3WWO2V0?Q+h;w%Sp86o6k>pFgimnBwx%H{J($y zQ-1gPPx$g;$D1B*S1)4?f)$U%AnDP&7h2#0Cf4@1a% zO$zOV*M2QEO0^P%Lj$UUjc54%WyWsv8L`*H%Ph6d+un@4U=~j4WWOQvAJS`J*14sa zUGv4uiZA`QT>Ck{``Mh&{fyP+$GqKl_$-`LLdh@wArAr>`gqo0f)tZmobwQ-#;*&g6;AG`3-6v3$gsXd$3AF<4irTt(aK=~Y1#u% zDs>;C+2XHX3yehLP`Yh-Q#5VI1OjUeoh&1ohS2RHw8Cf)rCWSYNbai~?+et0Z0ia| zTizptx(~Xt_p&965*|u|&>p%GK@`OddR;oBF1>!t@!5oQv?z6cybfxC#q~h0a27EsIl>hR-S~2Q<6BV~pn>8S1 z-5T&qg9!!N2?{IljYW9vhavAfIvtY8Hq^@TpMF*l{_^j!>6qMG;EW&(2286iC2n5y>L=p%kR!68(QU?lQtuRthG$lc45uuMU z0$nkyTAq*T&w9iFI*^*6PA8_*iFVO~)S^?_*0<%t`L!h?ojiU$-L`es$+AKe<1;Sa3 zX#-gV_lKNo>o6st5J)^4ArRIeoW%J)LA%W3kSJ#%@`Pos@NE7kHlN+F~`q6muu7l#CX0x@)e$wv<38Qf`#5SrUjL%!XSK2xmr zdpiA+tF2>-qq>agerM12>WbX94}^E zctak_S7gnAdKh8cf!IZ;)t-EPO59zL_F3(v({l|%||O_%6yMiz`w%^NzhRc24~5{eGpY>DZ2Seuwkd7O+_m@h0MeS+z&sihr$V_uGJOx})ol*zG4Y!jK1=bX%}mckudqT&>Yb4<#zG5)+ScfJ1*=s)U^(nV&4%>oRIbQ{eiB;p>ejPtY}bsk6H@~(|`l*H(1{hZX%jQ zARCFa3L^BWgh0#o5W!e#1j@Cs`>uk*TC@-d^)+Mx`%2(zhbSN~EOD{L8+H(W7bR&g zI03k}_#B#6bJqs5(3V^R$bYRqm0+Z33i(1nZo&V0d!UWD(t;Azrj9Sua+`AR!`kK#QUvTs8 zV}AYHTQYyg^~(z`8;MxoB80~li=x5S3K7WrZANlmF^lpQN=vi~P`;)gdZaxS0 z7d_T;(G+e=S!w3i0v$}*Rf@&@mQcS(b7u(0J~w*GfB&-sFN*(>zx>bt zf)8Ij#Fh~@-qDC&YoJbQv{B@$l!{r4o`4&Mq;m;eN z|K&ID6aM;t4QLd)=@6|Nd1Jcw-$Qqg{fBgKK!SsY) ze?a7Skm{aI#E}_6`>D1sdf5m9XVIR;pzkrhw!>9OL9PY9wR9rQ@X0yLf4t<>yG3mt zBhs9)2it3(Fa0M>pZ)`xeNOHccy5ZXH2X?$*Nag370z~1tVuf|S2Eyneap*Y%4nQ3 z?p(3DdQ3HO6y`v-9pPfh>1o8XvE*p<5ao{uL(N{*giS!cGkBwlSNWQ+etC_TH0a$W z2QOseSvq&`Fj0W3LnenDZ`9%K?+RX4m;BX}IinB%0$T?dXYpkP!oztIWm{K)<6jGy zos(2ZLLbanQWXXlSj3^hH31|QT34{$p|l}Cgy1!JS%C}&$aszrF}cm!m@1QFtWT(J zkx`FoV~}Z$Ej7M&kV=H9*wsFRz5>_a$pF_>l#N3nkrXY{OPf3$xb{F%!s2X8T%KNE#^!3>Z%k`5s0pJgYg0Eyi`BTXQTeNDpVHG)`hhIW7mWC~*hDWWC3f0j2Mw z{^~z`|HtdM0m%c&^3{Rv)S+0jC-CFv?U zodHRb;5@;w6Y-1R`_$A7%;%KmxGm~k9k5M>?g`T74&NJ6QKR>c#^pFOLgfLszDM9T z2D(j2(hBWCKNN9Wf=D+|wAi?l!zPUXh-@U^IC`9H#^dg!CvK?er#EV}V3M zQDZ%amKx!p76vCI!nTuwv<_z=uWDXp2K(_ZFn*6&(@@I;eY%w8j&1(}=@c{hkfL^@9BcO(An`)B;clP=Fb z`W|PGpE5ie(;0P%lZam0AxQ%UlbFs~my^+u-qDyhH`iQb3j$@hn0s8#pk%?ud(C|3 zQAm%oc+0nb@PMTMl#Ok8y)C)EoblzW8LL&s%9iB21J3v~P0k^&sFcJQMSEn3-<u@53St2b?ttNb)v-+14W}Gfdpbj7)XM+gY69I3LSAX<@oHB ze#bG`jp>z!$IXya5#uF8^h&Y(;tFqW4lJ&J$yI*AZ1#@re$E%~GIF!R;vv{k^W%)gXZ|Ni}j+D<2zyFBIUq7O(&dBEr zzRH&T_W$}9s(8ozD&gwwHJxW34~Gi-!FQQbKyGH-cV&D4^`|kG~I*$nI*SuVw(93?s(IE-utS<^xM`PcA!ua)XxeA^TcMrsC!;vqTEr#g9HNkXCx6vH^@e`hY zt4D8gOw*6)3X60eNQDp;Qniy7U-xd@ucA=`$0r@W`NKcv=AT}2_;N+}`4U&hRP&P3 zS=MDqd3ejQ9U#L5-;aqK!G}XbK1dLGPMIHgWh~9-B{Ta4`_7JJ<#Ff*JQ;Y5#wUd&1kwFO z>;zxWia29h+)>b4@URG>{y>;H$9?K^>-K4CgZA6FD}CQ}+v1lYwe|6{l4ffVT}c%; zs8`VSQ}k2A@VS6kqn`!riYYRC!tT`_bJwNw`wV%miQ^dWkn!%NVA1~-+bF=7OQNGw zCU_);k2#MS(M9^8$~JG)lTbQGfTb3ok*(HJYILX|)N~Tiem_RcGs-BTAKo%wopSc# ziYK=L%T1Tl-j?gbbB>O_VzW4+c$*Nc9fxWN{*rnbvF`Z{@2(mD5^=_WwmrflOYe{gpXbv@uxrf zQ*IAO{Pdr{q$>(rT_IK(J8wdj?HG5uTwZTDn_9MCI`$m%==P3gFBlqw)(M|(1i@&F zsU5Zv7^jG0&32bEjBW@IlG25^)RC4uGB;)5JNBJ|N8*mv<&-W{hk=`GPWGWN@W z-m4*x|W zAVr^9e!w()CfgmN)1&DK{PmW)W5`z!$_lphF(RhW8OczA-yl~C#dMDn5#%*hCqd0E zYGiN(gf^$D_ZU4wFh|pHs7{DS2WtNwO$%v*ExlG#DO?N8yY>tLU(ncAt0$eM&cIYP zC_$!nsM`wD)70f2Wou;Q6AT5|7^&J&2_YQ!0qXdG6_R^^7p3m&6?1Swd!Sib_sG}Q zM65$d3#fKmz=5Z+)%%g)(2)Wi>U)QV2c^UM0x26B=iy0kqkyvC zCoTorTHJ#U!E-|t3bvO4UaU#w632!p1^0s^cE8k^?S_*m!JCYk^ah+g5SVyRc?q{E zh_4o?lY+zQhF4z-IOdL>u9&e_)E6yJ|c180?hsj*;Ulz0J~QVo1E=*ifLvP{w0I4!xlcH#h(3mg0E)e zVUMW1WM72nqb}lR%_<)fDalH9@TZ36V9E0%-lUr3NHAF3v9446q(fxDZahwgpsR?^ z`Iha=nr&yqv%wuZF(iC7NBK`V8^djUifSbPb^^UW|Bnm?W4zMC1rCX9aXH~|-hI7b z3E2a2Po--R7huNghEOO4pgLY zLSV}Z5w-3R;T%r*Z9}ZJ?P@M8-HzaSD!6+1g7q)fnEeW#S&(}p>_SpcPI0G_*Pj%e zetv=ZCiacaG$E#ceg_yWOu?+f!6_jjjasKEQJwhQ6Wlr~LEHf}j7>C)CS#45kW6 zl298T(I_$@k)9xewwR|0=}Lu*67kl}-eJz6IHr&zqVA5P?Sl2$MW5lDfv z?F%Lp6jq`|jdGIQ3A7Mg+?3?k7u0S;QTFKN6U+Sy$kx!`q>h*W=Z0+n10ykyBFvitp7r_jXveqz@;@W(O|VVH?f|bZFPQy) z&a7@I^A!bfwQ?v?lM9Kl2Gy7r&ry!X39N!`B{@jRR~I`D;*P}(7FQM58N6F9S>7(W zTxBdaJGMeltV#|-vNZx#S9nc9?Ryk{h22yX#)ED}P_||2P1?FgO6B1>i3;?;;#&fY z5J)ZBRZz6p*w=AiN;n$Vb`Yyfljk*lUQqqKKt8ZIJZh8U^#X*E2{=zf=zN{WGF86bL*lQpx*ws%0k{(N1u+b4b~~dX-gp&a?!OkYH+@&}h+4cC`~| z(fYToYiSeXM2jsNi4~4&ZxBuES4Id-1HzhieQpfS32Ld@Bx6qyX@%Ai{_%h~3{b-! z@i<2K31*d2*K5j`cUbF?MTw_;Di36&2?CFxA0wrve*)uV#ORv|k9#Q(k58EPI>hcA zPt8$R1-Z=Fzs*=3-f{QxOVqO$fBWMg$+59S)e$FWOK!Ja0<~cgc1eOACnL#f7Gozv zhNDZ~eB$HBj-v-lj2JNJ8HP#9z@GEH2UE7IIY0Rw{O;4A@ei+F^Xc1{l$SHEGr@du z#k{omYD-=Va_yn(3eS(J74$s^fhO<-N(MMvW0j^VEAIZE8T&A&YiB$jS}Ol3pDYfX zk1JH)lFfS@_8WG&N7juvk3VHU)6}|;GzVrb=0shx+&!i#FIk5Vu+1I8v?3@fYOluZ zEz6xp=qYUKs3L>R)~L=g=_cd$#?s3b^X(WF6+HT&OAj*p-H(@c{3*Lma1c(il%`&W|Dn52l=qJ9In`Pgq2` z!!(L!zu>m2vHOa=toeL>;LY0^H@6$KTw>Qbiy|ZY;*!rU_hd@o@7^L01z#^(#wr6PA0|8B*)X>cEJ2~GsQ)TqM_c@j~oh+yDjl#djS zrWWY?=VArO+#mu?jYJDeVO#yC@GR0c)J7tep%EZFi3V`uUf$GBbxO2>6i&7inn2uZ z0h?9;9>!ztq@Pno1cPEO7^nuPSqN9YH=OJ46jr0jSkr*~Xjc8CTChIpj4#5FzgI^sCZ zv0j2(KcUzk=$(E}Sv*3nFSs3?@X&q6fBjcKBp$t>34TO#$l2FB4p~XH5Nu}|o3DP$ zPxotPOONsB9kZJu4AvY46{7ng&Tbf-o$~ysLskl&j9@T*kG%@H{9?}Su%f@d;Z-?h z5?frnr?EL^Ib(5oM)mr4bWWagkz8>SU6bA!?p&WJ-r{cxX`)$SIrR6WWzJ|cr&#Xk z-u1btA29N-nd}7bb{YNdkoC1>cwDeew^aKXqB9|mbM{JeBCiocsDC?W7k-1|j$kDk z&b=?uykH>;4tE<~oHP{sEo+tV^3oB0@l*8eB_I6N-y&szlo}DVfdGvaC}Yr`z**U% zFdpq>cF?pP$I=+Cg~42IxTtD6s|EFb%he`k zP~Bj*j%DAFR2d15)wO1E>N9xt7X9KW)n-S&f?znt4{llAH4Hk6cN)64B?nP4-yMh| zs17Th#5vt@ir;;NLUPpzy!DdRwIdld)WT;v^zaJ9+UpWk6; z-Jn`RsbwOlEO;~+)v~`rScH^FC#W-ph(X!5n?qPZeUJn_%fSc&p>SHDi-xEWRAz~H z7?T|eG&!y?7^lIX;q3~w>%vqc8$q5_pn5c(N0PQq7a<%*1%&=B=A%=>*K2~oH>jhK z@LZGcr|7^#HiB%IVXJ~BS`lI>ZI3W*LmY&J01qL22nBHfNR2TAcmeuT22B0W*(@HA z2OWA3b{q~4Q8j#3_IP&w8O7U&$X-abkR(w_KJKvV|IYvsozQsRC28*ygB{=j7?eVA-zpGW%+pV zK7$T)*^*uC*gbfGI$YCxP~**g8rel`j_G$i@}=V6eB0x_Z~g!~d=Dx8HmO70YwLtS z$@{ey38GyE4i-AC)SiwMWJVy0*5m7hu+%R;D!fb!G*skjCRbj8Tu+fp9;2RTOuRs6-}yX9)VWa zr(-f-q53&a*7U{^>?)7!t2dUl_Q=WUohD<{HD>IF~?*9g;coBoZgXPl{GwO$w7UW zYfrs(31z%Fup&rrx6IWQPj zWVasMI3&ILlG)Kip4i{g*mF9oJ$@N-TaFOi5(GYemb1_i9k;<9j%idul!ln~ns7R1 zXg_8%d&VS4nKwS2&K1k~nCXKO|E%O$_InQDh$swMme=$j4k>Q;WaR{zG(0=2IeY#J zFnwaFX*vIU*37y4D5w?)HWp-MiGx;DifuiVAy5lPokJ;V=Cwlx3WH>Yx=hK>Ce#lM z{oaz!!Ev()NREACSMi&)Lk0#jWm_)V!x~~-!f{i_) zV=dxnPH`iNHZy+s{(B^U`ixNeG!*Qv7HoY-c3ZHWZ`f5OQK-QN9DK(x4DdbBVMIrI zGzNro_(!n*^@!J_8>Z)<CP~=LssA5@^c2~ zYwZ4j%gTmr?+pZNTv@=MZ(2&A}LA1KKxm zXRy9SQ)3J?m5=fzA_N-l+v5yYdU!=eQyD~gK&mmho71T>Hg7aZ3PrX=6(f|LA=4qd z?S^oX5TC9vYe^OCaJ>^m=wmS`>4C6_P?Bf?DgqhftVQ$$O)ZeVWqdp!?i!5fGU$xS zK0fgJE!_R5-_iNj8=9-f)RS9IpY`zuPZ=K7?4lm((bFIO_-Qv|&LduQu4z<{Wj5sD zg90_%pn^Vo`qV=3;^~21d_?wUPF8g2oEa8qQom#<`&{2CmgN;+6xUpQe#QQ<18KS4 zYZm!|T~)EiL#qR6=utXN;CXHGh1Ap%WZ|QuHf_T96@>*aRH%N;{MTEi=8C)J|4-C= z^~{naW_nLVq&Jo2t3G>tpFZ6)-93g@bW0K>0TGaX(p>2uNPuny5YjHN*j-{*Bf1gU zoE^tz&rF{_-k;CcSH3EJW~45v3H^b*3nU`m_jz8y2e&#TiR5}?(BqQJZJ)8fAv0Q( z+Zv;9;!f7Q3R-l6Il2fi0)e%T*%UqUQem_=2-PFoFX)|JFbO}P-;QbWAzpWhs5E-p zp_$f5r)HyELXol2UDj)X-P*E^_nDarJ;OqV3XU;Ag=fgbWn(~n6f#O4Q6)b4ZIA8y z69$JJ8pFX-3MDm-Fv-&fWr7frtZFco07D?zvBM=8+`chew*I@9<||OqCqGORU;Z}M|?E9!<1JV z(Nt75#HL`A!%tpL`7b{@<<;kZPnA69pb)I)2PEBsLMGf8!{(i4Dt$IBm%n^4=fzdaa!TY~|&iIoO=V8q0jS<${oG3cR?Hbtq2+wqA_d0Z25u;&?UbnZ9 zFgE}IAOJ~3K~%%hpv^FH>9;$$rpanmBCoHxthOxX=e$o#UOoJZy#R|qbieB>rbUjJ zEXdB+G{Kl?ZPC^S?E{}`YO@p_+QucSBaxdPWjn!`U(w21=&E3OK1Aq@!d_86c9yU|TkpXpoJ?{_p#=o*Fn0 z0_w&`&)>88yCn}#*Hl-JQGfc!zw?93b%ZI_bXo}sht!+*gnr5DW{S};gGcgy3RH4uWiP|8R|Sh+a=PjY08*Y z-lG^uob`;v8RBj(5KD_tmMkj|Czv7ZE|fJhC#0Re$8g%D?Hsdj(Os@sH$9xoif2_9 zyE|hu>taYjubi-)3b;P9!I*IV=$fN(K-3#zC=)}P-&|oE)Hl7Y5{WH#0?v zgfdZL$4c5Xj7BcbC_>5w+fB*F%V^EpTtzX~z9L&^G-o-#{}(s7^P9gxtFwo)ObjWI zjRduOuhW&F`sN{8rwS-d(g+r-ieH>2{KtPhA^ze&pq{P>qlS^JnVwekN0QBENp~zM zCfV*_ls1*9_`Rcj!do9BMTOQ1L_?wlSGnNw^M9oYYNoQnuroq?!%s~g{^p;!`RQFu z+aUpTBQUg}GBlQHB9x6?OMK5{-1iuad+fId91KD_Uc@+Pvs(EGrEvW=e$V6}9H9p_ zUdzDpEkYxp$hR~_&C=)-IVJkkV_^yQM>*43iH>}R#wC|81!WY_uQ$lrhE~OS*W z4(^zH2W^6bTlmtU-4b*pAT5%)W>qyzms3{DbLO#uuo{x>h8$R?B}rOgP*PSon?~~J z%Q>aa$VAS@jdA6QB=qQXT1YRV)l@WEU|0^y6ljsMP8(K@z?omMa6F{iU|1Fk29rsN zlddQla~GnB3b9$Ev_+X1C|6UK&^U@}T_LLq7gc05wWi5Sn#mklIS6M(ZaBy~Mpgxs z3h|;r)ftF$9^U}V#T{6foi<`HAh7$0kxvtO*j9*^F4}dG+M!-q7*2uK z9+)MvuEA88yJUw#XjCJRCZHvCBPg2!vABl7`6dOINYla(3PKeA?J=#jpnDv#Z?@=v z%b`E+(+WEnn`%V5c*Wkaa=2qK@kJf(aUvvC_1uE(eT8-9NN zDYy5}NMFS)dtK~s3uTX6-b?J4CFby$xOq+PENS;cl2g8NNT#-+K2G88!HVSk-RC9$tg>kUv$`W+D3ruOSzkW;ex{VB%Xy3r<1sHjP zADVO)lJ@;QE>1kU!}s9d!|*j)?{)|p0i+6^t)barMa?%TPa{k;8Z8>6R7fGQs*2&h z%`abswDc*W%qgrkT~FW_6_pe5XWy>);QOC}Gum;A2xzLEcBpEoO@XL(o1JCdP${^` zN~Tv^{_z)AT)lZlx4fV!I`sBEuJn?8VleU}=5w2aP%|$N$WGodK6Z#MCup^Y*bAU8 zkWIi=2|P57hSmEmp0_5q2K4MT?v>3`hI_LPqHolg4 zDkQf}S{4+Qz;Pw27U)J3*FH1~l@n4N)^ukDxo6Ni9r7vAuW9S}9X5-c+S5jf+OIESPv#(D0aFvmLXFzhfLCq7YMF(4G z&X*GPiQrCZGkLdSFKiR52x;x=Nm2_6<G+1MP_5m1o1wmGR9bU3#dFAPf}mosP>AjXVY2DNyi=h zRYI+fX!lMqLe^Y6K9SgRElgU?0@(^VxwvM~7MQV*9i(WpN6W3rrXGtlXY5Rf^N2g+ zOU`1CU!9$>d=zoqTXXoq3LLXXBTZ~2Q8l#h9n;*d(ZwMLA2qmX#q(9dUwoF3x!)pQ z&57qJg{wGF6Hdet(l79B$+@)or$-r9-y}{7&SRgO!XdX^YZE`zX><02C}pw6@pw#tX0S=aN(rl zx^WpA9jy6VKKb_aZmGGbsqWx=YUebJQ&!t!B4-L)YX`U+;Oq!cnxf>3 zvxM-5O=xWKYPi0R$v<3jvk2*a>k~vFG3}DNQ29c$=48^*hwFnD}Lh zb92Es_F3P_F;)w#c?F9OZMlF=Oj3P}&62nZF-?PJRUov)CK1yz1PWp8j* zgig4DE@jZ7A3FG*HlxEn{rwTq z-U>#e0SChlez(tfug@dVqk8u_AK3|4@tEH*EvC8T@;ab3yr5qgoGb!{{sw8yccVIW zNF_Hc(-23zqYOVFxmXY#c{HyQjN=2^@pDcHaR&+QrODde$p_B7Hhb0?@vLEJ`K&J` z>l)0~u35iWBv__PZAS#YAc(i*n}CZ7+Itzh%{ui3ZG$l`r^qmZcGLJEy6 z6e(b!*=UVb?r8*y&=5{`PL^DX72_D5+Q2ps^M8&@zcM4 zN>6MOYVj!w#0=Vb}&O*Twa0T+hSpb@AIRR=LGu374}8|Mf>R zisx^5_OqCL_=cB1{57&jS-hF^NOuXcFFAi6QFd}3KU-sl*Hl|YU1Y?LsERuufy%&jnMlVRF5|v=V0P2CrjLt(O!tlR8mgSLoD% zy#hCiklp~Z=VR3t%cW%Y_<~uorFr~@7v~eo?1af=g_tgwOdWhu^rXP3a?mkq0XYVy ztbqbHHlcut%&$?jfzZ8)!c**Ol0d-MRhC?DZ zCwAN1jLw)|M}(~qRjue3lC!eIAiCr<>Cx#nI1>Z3LzOM*iVk_BXnG1!)xnkuZnfmR z9#KRV!)k$1gj`1mr*T9%QnL@<#pbpV{ABEc6d>H=(AVcdeBG6 z5E_YP?%Mf|u@gLM1bL-Vvfef2|4n_YcL}P@!7v*PEjjRE;|yt=OVTrs#MNX`%7@C} z?jPJD@J1L~?SzrWH{LWMXlQoV!5pqp{KKm?fBWMn_<#3baDy>c=&)RDG2BB8l@eVV zJXg06t&G5z6faXQ1_#J!NvF;*Rt}fhkg#<^b=IajHraDyT7x~LbjTXbOgH@S%O%z? z{tmy>VsTXy*eU0ML?3iHxjf^|=dZZiw~$eUl29bD)(Y2`1@o5+e*R>IvHF_FQ^nJN zehZ5eM9^Tl8|0!Q-RrYHe^0V+(J8jr?U2&RIhpyWZoz&zp{PeRO+r2k$)&}nTHw?! zo>#CR^|*M~B2ZU!RypU^A(1|(a&4-kg!VQkO>)*PNxR$<-Mm33>|=%=`yGqJj!S=d z#NId}QZ1^op{OeA?3_H`axVjBXA58(^LeG!gOprVPO^$B_N4wRwZof8NYf|aLf8N+8xsE-Jp>su4&Wr zAnJASTLZeGiSLZ*wcE6Z&=D57(PE<4{PdqHs{EX++z?xe@hyv$hQ-|A{Twp;9T&5l z)Hg9=sKN^A_RvC68Ir(|^o{~Xqlnh65#z%iR=Z6{2}&~}a!RUgfmvpdR9IS*rV357 z#jYhX6x13@Yp0PntqN*`yn%ckbN*yT5nmJB(v*RPbQGd?5phZ#HK*aPHt z&bL3k#~=LO0e9|xkMDo`F2DI(A9H*E2C{ZYR|+p4KcSpWDL#M155K(T>!1EJfAjex zzWDryoNiC}*~53_^_sZO$P3NucNtlIO|A^qTg?|wGgeO?V%+JVuD`-)?Q>@O?Azy@ zo*T3dHQQ}KU2bU0g!MdPqiVwKlvxtu3^e27jEN2jM2S!fuCm*V2bb8FF^QH0Wx~Aj zXsU+FXvjAPX)V#)Ic4NxcRW0OPF6;Y^n&xcOCYy|s>fB5AzC{}SM4Z*`jQo00%u0o z8gW@lK5G|TRyNgYjoS)YHzu)ws>v~tJH}G(My91wq(Wed9lP4-Z_1;)(jJl;rJ)m< zJp4sWe!3-#9L%cVcaJpD-3KV?lSz#s&0XtXG~aNp3b}@VnU(zY|ND@WfBYFey*1m{E{X2p+A9nd;wi=dbhE|p{N}UW=AFkPw%IvP z-`4DJA7R)JFttl>wx(8nvS5y9h1mNJg?7-YLRTe4W1!GbfHVY3Nt97zNJYyQw3SV7 z2m+Wt3ABWfWwkiP6lFTY;Qt?5oa zcWFRBB3*i%h>F%|$?9cFeSE+#7Z%ZrpKu@Tb*xc1Brg z@#m_+S~grSQYdn^cEj>A#av%AySQMH{ffQALz3JinKnFoolq?qK%h(2)fPG6yG zjT9wW3hz68ZWz~G7GpYhOROhTu8Vz^H`-VgsB%p{hi25_N*3HUmpq@2vF>iM-qkcw zhe313TK5sQPp6!s-3Pp?my9Bd`}-X}y>pL#zaft$aam$+HyA1<4t<1UvB|-b2Bu!& z`YkXD>PjPbK`z>m`x_7buVMn_>t7p2%q2O6l;3gH-JdCgkF ze}9_s?1!IY#uJPf>fV^ia7)t|bXOOYg9x#i;bud!tilS!pv0RNG-ZLl%xQmMv$8vk z^K<4Kn_6`_T)&3um>9{A^PI^~{wulL=19F~=#Qy4P#;LT^(CGGRnic>uV~#o!0fls zwc_e3Ve{j6*z1C>o>H}ZE~|!3obckS8E!b??A4lgvjy9WlvW-?Akl_NnkH^g@bG47NDNxyf^GxyKZG*Fg;#+?pn3jrgGv|beaDIjI+TY{wmRacxiCY?7YWOoj6YY#(|J=oF;?qk>v)iOqlinD3X>x&hi94zR^0cn___U>WL-th6A zn^e(0SEn=T?I|Z`4x^g|?WHF7hO~ML!nBdX!o)&k3Qd*~U1St(kGzhtiV8W)sJb?0 zw#G6vRb!&1i>XTT6+E33{ATwV#pUmz?t}<4K_wNrVPY<88rk5j=9Gm+UOs&^d8intTdjpr1$;&GPp z#eaOmA00j7xBmE#2)sQSsqkDu5g6FoB@;ffDd@=pB??-54x-W^Ex0WZ_8p4Kz->S{ z3Sl(V1^9OwUjCI}(>xE;XH8gesoRUzC+V2F}5b| zz+iR#mc!_ftN5COVS+QsiTyq7V2V}QG?gUwJkIA4N1d3UKV=w8W^TkCvm)^KXor%4 zR49D@jVza|CRSrWR_)FCsB%*yx7GS2bV#`$xFp8|Kc1GMTPe; zm5ojXr6Vw#25l-fx?x^7{P^*N&;R`w{PzCWY_c9vGbVm@!MxXDl)vEI`UEF`j94qo z@q#=R#M^V6%b3&ph)>K@-dH_0{(@mqGS9&&1g6nYr4d)Ep)O|V%)&R?nB@sU8L(V9 zG)+R$aWN-r)RCfY7Hmb2S2DwUIp>#?gzckW!+OL~xFstDm*<+ezu@f4SDd_@^4W39 zWqunqe~Zut-HyqAH{fyRGg!XlgF%<6Rbg}z@=PFpeMP*oQJV#?zILJilEHrC3!<&Zm-kt2vVkw41YS zjuG0yb_AyFVAdJBa8Oo>FI-j~o7X25znDD1eDaj6^(n#TE$;nqBkYQGxuQucX2qHt z<%*N#5sPNZxL%VA50S++qiBrhhuEfvJMyp(BJSQTS-x$M3#MFeZGs4jt zQTsH(4887BtaA*fMYGl9eTB1_qWPS`@DznK@EwJ;&0XI{LMaqVNzOJJ_x)S0rXEQr;-2@Kv-cyqW{#zO<{Qa2 z^Y8`*^(v)_E$ptMtqa!8fN_yCml2{g$S>gjZ^GwoC9A!!{U6uSFe}6{t-~Kad)T5Lkp0{M(k~ro$%{!QeAJG<% zv1*&law*b?P`PY8gW76nw?JkAjbD(KUG&X0Rg$0#i`R|I-eJo7wad7)Dc1%UsmnN! zuvuUhJx(JNOD7zK87J!l`U62vdX)PS?;hs_uOHJKj1gtV8(p(p&RLg&tBVPNwWUl$ zbiKm#4DOB{GIKyDtZ_PHrWadExgr<}(HjFdPjExYDzoWUOZpG`9N8_#(jy$+ViCJY zXM>*1sAwpqp&;&S9tUykN!c(Uf1Wa*QXtLtiImz`0_RLr(g5c zvl&-c@0dK=@>MzG`NLoE^OKCL`ByxCm@rGONEdS+|9nE;D!Ice+6TAk_#wLMP_I&6 zFLQXeB@eIhHa4@$BHUY}$01&|;#7vbnVd7$CbWG}Cbg;Pv^`o;K!5DgkJ@x@^cV{E z>2(fxUz)_{b7oYWyk2m1cFl{kl*V|++jEDiz2@r6jEOhn(dSc^i#I%+O&QI8%`)oq zCa#%0dBHMSQ&!IqrvkUzMpZ6VS)$7smab`9E=HB2?*8VV{y^xGTn=a%D;GZ-V(TKft44y&P~eo1!-ZiJ#_HQDao0E8f*5& zlG8;O5lKvAMMs)UN{fwxwkVlg+qkzBB3TogHX~P4O-szSizo~9!Y2t`%C4qPEF!%n zGxn&h8MSSaw;DucQmi{TLj$MGSSb%_m#k-!8#hvvH^y?r&Q2n}(Paw#k^lf807*na zRCXgsYp~F}u@^(2jepypl4!k4_=-kih#J3ET-!DmU#w8WE!C=^W#xSEtpMBK+aXdyoP3g z)v3u=9-i7_4+nI67T#VT+8xxjh3Z?>a*iVc9zK;EwYD^VA7Mzgaf4xKbOVXlEzV*2 zn2km$g)#)D>C(2qZ-q>Lk$8;gCS#dw zm@f-9dW+5^7z(DAlvRz<2oghLB)hQhy$N6c)t8LL8Qr5>$UH^rIn#~J>B9@MtM|;( zDd%smG0K-z%H+*7;b8NOo3j#qcn>#oiA_OvC0VPIRz72%+UUSTPNrC+5r$}(iJW`| zAM9CJ{ShxGg7;4no?pFWEehi6D~iHmp-ZyLAr%FAS@C{bW1hZXQNwKO@an5yA^Rq0 zXQvo;!SuW)UcuS3C1zA(4BJo`+*Kib`VnT>=CEti^dAuRL3;!2Lx(CDP-zp9&MDo7 zbW@V0CPvS6n9DBh{0y@f;jd?0xh)LUB2rTVcTMV!SnC0Y{fr{r^3=LR*ndZ`^q9z! zy?nvk{0L{y!E$0uH^XTuZjCbD{MQIeWc;qPFR_E9A<-sIIxQ zXLH~k@WF3&u!37O|CT^EJ5{#?8Yv0*M#lKf#)ToEY6P{|{ZP!^W(#?vNhBy!({6HP zy3_I(Lrsx?!|6(e1Zs0Q>DO1pa>yJgVC`^;2AeR4^&zUHypW%go0`urK#E=#|KalK(2rIhsnv+Hx@ zVadk4&rg2w&wL=}{LXLh^OG+mhl2|5%zgCb8NP2|c3V`oqSpzi>OQL%9_|W@psR3DVnr+~$nM*P2Wjq{Ety z;o;>gGA*#ZhH%u!Cg4`5p)pEo?Xt+XWUH8qRl=riAj<-Z1h3^&MJ|IXWWBg%K9N{` zA9-q^Z&;Lb#iW<P?2> zc@QV8lOC(H35zIZ%r*WzSw%9ZV)3=Hu3Mf|>xTRwL2-L?9e)|VuKW5cb$ik#>O=<`1 zX-+x}FcnO%BitJje>>y-tcB_?=@=I0Tg{+llKOkxI$F{`^612hx(vA=KsFoEzU^{s z4p4^2ZAY+86vrK#^E|+eZ_;b7QF}esS{0;ndCmm^JnNyi&rquRNSuap@{T=16UGZfrSP z&3N2-K(Cx&xHikIBo_hgqM-^3wi_EgXwg?G#j3=z6ss(va3uHZiqmz2(Hhd(oU`;> z__iR`IeOk_&rit;lZ_6Df{6ZI!LWB1+je(t^u|CoVmJ0;vD+aKyN0or-xwoB!?p%j zL0v;GG^G+uV!?~A=6v;|_XMMiDx2U028koM7p2(!W0VrRZ`K;2Bzd8@er+&eL%Y9W zGc9PFOE&8eU1UgiNS{l}g&^p-tQ$$-FUVYhYo{!hW2C#qQ)|q1LDDF!p1^2QY^j+~ zBz~u&2^7sXLFx)(7E*KrM48~okmI1mL930tc@N(*c>1iQHWnl=E_gRfcsISqdGnOc zy<^t%3d0ceyn?JXL|mK`k8abNopNQ2IDPk&gF1!rG5PtH-a*B5a~EcpIP09=zJ+jF zbQ_!TgEn4xNVlD02OklPW7@4YeiL!nYSTXs2{}To6-zn6b_E5HO=l=akQWhlwV^!@ zaocV74_l0Sef+3L7`hw|LXLWEdixRmuFa@xlB|>JE zmRj#IzAMQ}o1!lnNVr}(7i; z6GaZ;pik%EfI(k!eCwFrtv;hpo58Tdc?$LW39c9LvM?y#JV8l^Q(NGtQ*<<@Kb=sE z4l3wE;&JinJtyz_Y&K75&r7Ns4vpng%QcOe;%SR10m=3?fAjN-c>9R;lT%*F4(fmT z-~ZPi+`rl9!^0cg`|Jis{gAyoL+;-mFepPxZ4vGJWQ&^ZVnegvkgY2`G2>*><=3fHq_@5Y1t@W(%r9- zXAAmji1ZJcblbSwHN(il4EH#jTC8VFIztod^pesT;ol0F#u=7VaZ%QE)q<&x2nL#d zu_V?*l6i&dH(1v##GO8#?a;`5ZWlRAzfZFih|nZgU7Vn1yYMi(E_qXMJPpTkf?35T+RuGU1}7CN|A}g9h+3EHA8pEV!mK`GQhtrIXQ>zCg9eM z6w~Wr7&b;+9x|`e+-%Pap|NEt~DKNg-F~}Nlgh1&6w*X5kY#++Y=bXehkoz&K zrQ*oRamP1sq@qy@DFs>DFpOYyJD_TMtez}cItF8V!+I9s-?VT}7Q9zCksnvAuCHmA zIbzvjp;~y=lA`Kz(SdF_V^!|c>YCKE9H(PaJ)W}(ic0JaugnV25e?+}kk7QYvrS~0im0i=y zwFs3NsWVG-Rd-iwa=I}jF(CNFH~t9@=W%`q0lpI;2@KdELG-YiJ=3zXE4wO1WM=5_ z2$yDVT3vO{;ls74dWt}V`L*lje%9T4?X}m!uXtomvQaq|nGi)Wq3@w|gr~u;R**WR z8~ccAi=9fue!s~{tHpl1!9iSS=_}mlb5_2`v!^S1?h$>j$#Z{?uy>89ZjcL0=g^?S z2Cr9wtNDWYI$@;@nK5`m;VDC?HKB^|w1@H{B44B8h~cwx z@^Zqz`dG4Ty+@e5X7BDFFnlg?A4rBHM^O9u7mkf6H zx&FGKoxCKh9rH*;2v`vgpQqVJQ*gt+ffyPffPvd51OMvQK9#>qbQ>@nHwgu$M| zKh}ghOPq@d>KjZ^CmC;uI|3&xMvLFHtT>R;A)LUyb(Y2AWKf2$2&gKFEi6I@Y$C(n zNx)6s<;8iQC@k=9#&jALMwcFaJ0r>ZXyK4b5?3UJwd^z_{`@Dq+&t{^i@&*LmFMvN zfZ^!X4=FDme@R}*?LI(*b)Rj!=+<5y5MZG!08c)oXgP)LEF$fYO)ylH1&)( z^O*m9^Man|Se)JEYIMs7vrGCv*{9absI=e3>l`r*1*h#9wdXz7dmj;Zo|5G)b}Amj z+bYezr5!4k;}*3bqV_&4tl~KKS$Z|%UY*=Vu&~Uc1NxOIk1i7Y``;7Abw_9x z+(p|3!z)Lx<(OqXyhWAS?u;;~gK#wci1SrKr$|6m@U>!%BHHdntI%Pk$H~1tF1k4t z`x2=nqUI3>9(Rq0t~kcF&L^i$dMEE;bsfE$akZH<{AP+W6{_KY#CAFAY#4NQ*tZE` zXOCt(B0y6}$+{JC^4%0jQ-;?|US}0P`d!Bl+t;){`$J6X zv!0Eq&ezPQ1(%OTsBXdSmB+AGp|_mi#Shqs0hixvPQy1Ow;$li5kpy}t%lS@6@91A z_?rpG2OSn;kD&RSMn&_~RS8$G815V)Dwh=Y1B7mnOCNQXAwQBN(lM(z+T#n>mv^|m zSK(m1MElA^ZLP-fz!(P<1fIrO2!&TVcEpZY2=ZdPduiMF!Xh6YkqeCiDmxzU{&zp3 z$ThjNG}b9$zlKW+ffS_68dEnUyPnbh7^W9%E*3R@axdfao7doa4Dy^G?{|4AsubVv zvTVTzcNI_TpRf+T#8g7wIo60MpxPU7b8UHe+{a8S_`>o*;1lE%R<$4C`x!0o0`iPT z)hCEFCo+ZF0ryuvH?0nS<39V(pU}U5$l0yL58hxT1PjfizJs3(iQ>CNxy5=Ou9|bK zHB0ZDMYqR;B4fPTA*#)}pUinSKc;hBp%#v4t?OhP#j2Kar(ff+ol!kGC2$*ri$O`Y zF`)>tO}N5AW+@~nSw`SVxy=W#4wL6-Pvg6?<)?H+u}1|C;aiE_ics!_8TT=s`eueoix%T)gVyb#CzvTQs9N zf^F;9_;7Kaad6{}f=#X>O_3y^aTRfTp_pe6yw$6e}vMCD|c!}Ww@RK?^9 zl4?MW1bwf`9e+u>>5(@gs%*&XHFQlf#nR{*7Lg!K76e6uY_~#_jFHpy!ZlgD%E>6_ zD(KQVD0uxZAns+X<$&bO!>>%y)+1K}KT8p{F+sB6$Q^;&5U(l-&l0j>uuQo*pVMkd zk~{^WXmu^FXfl~vk|Lw1r_|O<@^y-nKB6{d_0mV=5eHomy(;@*jOf+zMT5Jk#T`wN zY0SjC$9kBPR2Jl~3QRX=efb7|EqOllVKiZ}sxS;R@5Z-y)je|Q2tRJ}i&l2yKO|V zAfK;^mp;1EVy$Ml%PTx0PHS~mVoqyEa4`$WIz6tJBaS*AY(|G(dS^42dU+%d~*fPThhi z47#GwqLh>5#v!CclwqRezD8Owx#br(hV0d2D(i%mS4XVYWCL*b3jXQqTYf)zM*sAL ztf-?sv5nz#SS3*z)I3e48gumf?=V^3W%=31Twf3P%O`D)&;Aj+l(d@_uD>?FFN352XxRNz&_rxakw$>mt1hNj;}pXf9-hO7$hz z-|UkthO~Qq@>ePKULA2<=lL(6kgrmDHs$ohXO}~4?U3}K!NYXPC}^_N3z0KPW4A^| z&c5gH=J&~ZO9EFgysoiVNmz>xm5LxpEjG+RDT*vXg$dVTmDcTu^-&dX(qz?B?1u%s zze`@%ycvy&^A|jN(&Bf1Z@~924tV(F8Nz$W=H3c(1L8D@^2ASk3Tu&eO9Yq4<*Ppiksa@aiFNW{Ra(r>BS5PK5+8#T8=N zVpCJ#NfJ6#s~Pet)1HZxTU`}7Xms0U0scol~z{rkg6K!8a`A9{F&ESIe1I z8@OUlI$Ut;e#!dufM$Q6#X#aBsJe`}sA8&;pjr|%rY`8FAU}fj|FXn(uW6rK;z|os zTcPZPW;5Wj-C~@Ssxbrqigu&RP8gR1A@tt=_F(S z_%+Xe@qj=5qXnDf0h+DVz1*gcySMq5Te*aL+iD3#ZUoW?kwY8_L}1ZQAw4i_5EX~B z8fz`uS)^BrXqAvi2hKR82IqPBeoZhKGh|-avN+|L1>v#h?A@YxeK_2~B)*=Mf5r zbrR=0gazq)C>))dpj~Tm^lqD@kN3Hqyi4&{-=OE$tcw*%ypP%>sFPiq;R?clLWiug z4$3TeV)i(03VCzcqWu$1aea%?KEB@}jEDI4T_)>WZa<%}S=Ja&-yp*QdR52ox4BIM zk}sYilL;U7Bbx90fL_Z(Zu%JOp_)}{m5kW5k&MWjr&Q${qhf-@uFhSWUCFfepyj{sC6<#=CgYklDl0hS1Z2$PI1Sc zG1(lEA1{c95zCfC&r-})!sN(jeX&5+66&o}DtJgr>n*R)L<)t)$5=xhN%!4|N*FNt z%NdKvl4lVzTd+zV(C%EY5+1Fw=HQ(GYIjhv;H#y>K6}PmLnB=g?Dpve&~yrfP^9t(TE<(+ih$i(HuQ;0?a<6jE`syC) z;VoJTiB*cXy_FQDSH2Xb&3IxRv6eU~&~BT19+lcKAtscFGV8XK9!u@2FR2i{bfRzL`!f=A>y*4k-ntwNu&g41Dtb&ktlOq_d-Gw z;|?4GMV?vQCypWqMUE7jTnfD8A$gz>rd+F8E;5K$i1~)D?&Gy)4BQdZs~0?a8lY+p zF@KD^NV%ThrE+)13Tuu!ImzR5I`3r6HYqAxAQ}ocUa`6EP~WK$Rz|qf2FZNGS~zC6 zYYLZ;+A1NXIe<$fBHD%}JBuGFj1gt1vUB*VOesr^!6K zVb%=rCo8O&;R+P`L7kufAK&uR|K9Rw_(NoYDB$R z;pl((Bc`Jzzy5m4PGSv0Wzlz@ofdWu}Y?QswFa7xW=nB0cEx1(qT zj^OC0EWcTEy;|_a_c>AVC7$bXJKWHU=IEmy_E)cIgav=`vkzHp_UYf3Xj7qQ6<2Xc zH8jkMK6`S*I&EW&pkiV!vl=qEAYY`YiqBf)2$3N-0#^WLfhl@~v0$}Y5CkFXRYXv` zVmR6(R8w5GCNhe7bq6(Apj4HEreOAco9M90ufLq|I8M2{cgZYmAnY^tZd#0VM3!ly zr;iaoddTgYjHR8kSBsE309T#^mssLZV60_jL8p$uuaM0>iiYE^yy24vAM&WEu~;T_ z7-1_rh*%;6g_7{GEU+J(lH`s&T_ds_7X+-<9vihL8fMIlCNC03OULz_XN=nlI|}GU zl616#l$LY|eFr05;a)A}((j|K=4uhp%P+V(>$1~J8K)lVjbOkLr*~d4{a&$Z-r?{# zRc=1zD=dO-eRB!1!0>t14uBrjHZW6S3x`w!LzxC8g(H$>-hwrb@;sCR zS#VfawqwFMq;nVqYHRKRrOZMKiQV#35?cyvt)s9GPfMf_r8mEINU=?@r*waCf-$+O{3`6$A1=?q*N{6)>`98PAXjLG(h8izdJ=(;NG-}1c+Cot5MUfgL8TU8T?J9s zIO8y)N?TY~JMZz%I|05n%$9pZzTyX)1uIt}pItE=EN~r1wYjF*Y7;PGoqE{zg0&Z- zWX>Yp=d_b@b=|?M7EsG6=4-rO#?)y7VUdAEXO2`tMTv5mOn}@*Hd;#2uvXw~L8v`! zVGy1m1%gVQX%Uf~CKSbjjjyQqbEF@`izUCxJEVX2n8C{>zyCWQkoWiTa5!5aoGw2L z!1@xC38KK^$37kw8~OwlkN3*442KiGesRvPe*TnJV@y~$GCyOn3TbyY*t|;e zLQ(%&kMMoR&fOFGUCqS`e0A$soNqA8DJT1qY9pXAX!1=FAb$NhfAL|Ry!w#lgF1Z` zBa~0z9FYlW?4jYwh42NVzM7xpD*{Kno2qsUzrDi=Y^$zx*zhL)Y zeL!o~WV6=Hk9(Z1MqF0v9DXt2_I`ul?3Q3JrrHdthHX@qbKyYGGKQI@()9Ui8gTyq zeUELACMmy zn*bLiRJD&Krk`eHqX(>4-ymuMaxkRUd!HZwp(Gf7h!Q^CxXLd#DTnA7$DP~LN>j9zHWE`!io?r6H+(DUN zGLG7`E1LFX!IRrPhUSc&=?LFOEY~^Lc|g8vdF3pyjsO5407*naR405z7XE}pWK5C@ zRXHMR#HhrlmLzDQJX}#$W2h2%l%%Z6lttpOg+ck6%t-=gwrS*VjVlGBFgT^rN|YXJ zZ0Q6gwtJ!Fzp26@{4!E55ZkN~C<#*1h^v?Yl+;wK zU8IDrY$J@t9`>*w+TVbZMq-5}bB-)e(bC5yYjUknLi6cENb;O)p0Zd=rNS!GP0TvMH`SbyM=UwAZ3 zj?5Hx+Je0$KOA3k|NaqQysUHe*MGwwfBGSvqxY!RV>CHz1R`<-LSenqsYN+Uno7I~ z>RMqH9Ql%Fz0Y3P=XAHjSO4i1k01Y%AG8;InI6$quh=vX3B3tQbh!JD;iJ2Cu4;F9 z_WztQoPURVdChzG4+#2Ap8xYXS+t~nv*w+{7X70;v;u)~`>5KCb=oGVtXNMqa@Iqr zH#GAqE3-lvXjTLh3i8n{wL6w%v_Sa*gCwG(Z|IqX+f9YG9+S!%vD$E3K#^wzOT*OL z5T%;QdW{JL6F)&*NBDalay-X1j@W;=WPYBp-mJO%p5pdZlZ%C5a{h#me{_TiLT+mX z{%FIs*l=`Jt}15hQzCCpP-!5dfD_@!6OW^Yz-EFwI_KQh$*)JOj$>xlA-;Z2W$}iM z>Y>9X=d&??@>#-YeS#Mnl9@qFyt;XXS&x|26mGgeRoggU zp?ys^kOYZlMT6mB$pe3ic)rgpj?lv#Wj9pj7TNEUJikON))YH!qDKYK9>f^)JDLlQ7hN8|D7e>p$t-<`V`Xra0QK+wr+@eF-_~E0bBYqk zg#3*vERzyV=`CNzkrrhI1qdgwV$1vG4yWWcw^x)NZo+NrJ&7olwWXf+H)MT@bcqF> zZ}~(awwngq$)zX(Rtkp^@-6L%6eUmzwl?Ul^wC2}GQ{>ZrKenZJy~|pl>U3Asb(n! z0f#39(pW&Cwh3MWiBce4*}_Yu5Zk18r6f{r|3u*_iKjGSpur2M2LYk=@GF{HC8XI1 zXg2F$T0~kBX@^Nu0^<=>6{>J}%0rTY)uhgm+Js3yWj2w_1}|Bf3O9oVH)m(O`u2>) z?KR`5N^LY{Fsx9+G1^pc^);(2kG5X$!RZ0bkKW^#HnFjv$GZ4<=BN0)=Nw3D?=^^vleHPz*gQzHyPJmi0`S@;~Pk(&E{f{1E z{1cx3^MV(D`-sWQIYE@tY{2U@Bq^Vgl+OsKx>{2$*U~r*n%N z`drQe>T(H9N1onNtbC-e800HR6QaT}-vpS|hOY*ad-WG=c%Pg3n#JuELROIE82W_s z=j8f;)!>GC=Cj)uG`tXMEsWIVR*hG>+o%FWMX+v$B>(sbr84l=xX7}}Vr+XzwUSdy zcDQq=PPqRr5f-~l5SyIEY(cb|b8Ay%Hehs?vdG6=Ei|b&XOKB&;}w(Ti2Qs>mV_K0 z=Ioxl!|B~7J9qB#`en>;`5gbrGY&r4!ynX0?mP5)MlLLsJf{_97%${#Zz5DMBC|Q(VT1MSDY9MV`SS_!;+$4j;OBdc#F)#^7wlJt z?CrOBIoYEaU(-H9jmUvStQk?$UJzg6Y7)Y&=0AbP42A z;|C?63n>XaAE7m&wiHt0n=(+?cM{)sL@J~c#?%9kdbLSAiin~r^=d@>PLI7_NWT-( z+-tIPQlq-7*xO$bcss;oJepS-U;T=UNtMdk_qaP%KL0M|%|HGT)=8ayYF)=>*BhnSASP|P$ctFq1_5;ew;1N36SVs6nD%OKg%WyWOE!|D{vm=|XS2bEjCpY-@- z{w=RM4^Y(^t5L*ozC^L4NG$ABuqt9aGpt0)db4J&V7xG_Zx&pL8W<}L4h++wHFrqMZ|5eKXmmhV1K`N_cr)xDo$I}2v#0V^d*MU~hk%#5Iz&9TLX zH15FF3cs#des_U9Y>^}z?6IYrEomGnY^6$;2|B(;S6URFhd>edifT0?t^_n&b=u7a zjZTMFzeh8w@V760cI_jIb`?=c30F&YiCBz4Mm27xV{*J7;=7V}hadbdUJG7!~4@=wKaw6-DBu_0m zWGjadU>#0aa0V$gp#|qG)|qmM;Ka6-6le=bgSCpx8bVJIdmh-bq5^P%L^uN)lFSiE z3tFSLLlbAqim<9m5VY>Myq2^MlR8B7+jiKxatPwy?xi|`7PjOOWeH9QfplyKBwMmk zz)C>PScK3BC6J=z2`vJpz}oUXoO9qLb_;G&8eF;gUvh%RqLtZJydbQ=NkP??Z9l%k z+3kQr2(URq1^8R9J0FSi1z3$!0*!}qY}40(`n@V*++Z)=;Y6-DS@h234KLj0clwd7ECsVu1=AmU}{sAPcNzG zbM`(xKz1JzdI7DljOMeEAX_FZf;t_yq%||V@qD@!7*2EQp~uCtL;cP*a?l`0lO}ya zxuBRfnCq9UclX#?jks*IX>BB;Q4pmYS95;n-7C)3J-T~Ox%sxv zH^07xpZOe}ZxDA3aV)6`O`#Pxi-dpp=Y;ULHVZ0If%js-px)D8K;#R}1E zmz=w{{PeRLJK-^Av&+RK$HZ;AtuOih&3z7=k1($rtd1HSMl;mPa`R$C-fN@Xnrx@Z zWIRIl6rQP23zo#gCCkb~4!Z$CqsGj@o7w{vvE?wd4c>gUcOwx~%eCIs6b#utpHMf+}h|A=!q_l=<#uQ|u&i z8ze0SSn04vp!ILpzucC46jI`Zk3djZfhUV{0xd08Niqka*nUPz;GAEYdn$z!+X=RG zI4g11pp?Vv@)ugz0;DR3IdVH3vL%D4WXbJeEm}7aI3hs_&NiYM7D!)WU7x)o3quk6)N3i@fxrtqHq|b* zWI^uM+zQ;Lxw|Z+`0W^VfgC^~Eo!hK?zk zNuuc-uGyIsq}MxCJDSga=rbBd{9^Emid&Q00XA-M*o$e30KXp5ra@Noh;@Jvj*5{K z2=cC`8|O4CbE0~So9TpF8q)0wbP#a(;T|`e0zQ9DZS{uv#V&_me8y@=tsi^`@f zmt*vF!FXMz-4~c=1?N!%`}lLJ9m9Aj*vOoAJ))S7nGY@TVaEBjLfxh)KVh~xVmG?v z)E*Q4@w@C4bIc=6^xzfK%Nl+kqG?3Fw<7lplbajP!<6^?inQLr%vb0wX+tQsvsWis zI!Dagp+Q;6p&ZiaQXH!Ud0r5P8k3b`R_C^o7NNljv|qY_SXCaJ63iS3$GQ;26u52B zZV6KSM&xX*EqO#OaH0e;YaN*aKNS!-gq9=*JX?Z<#Inj9p$A5kZKil@sU*R-u1x9@ zzvU6bvezvE)4iPvTQ*kV%aZT2#!*Ue-VRPctG66vSt823z-bR5OYn0zlyC^?lT#qK z+Z2%~t4LFnz$vy5hwT^PezR5v(#i7SAWW%|wA=Q*d?{~fQb$Q>Dj~>?LJ5J{@~u{a z782)s2$z#dg$^nuKw3#8EY{VK&QW*@DNXr36bfs~p_8;0A#xm=9D&{}AgH2n*c`mj zQLSp$i-I^z@LWid3$BG?bFpIl%ERpV+_%?!{px^s?j3OWKCH7UJ?E&Hg6gu$bpT#8 zWpW$iw=A-{X8p#a_^^U^k)Tt_bP5&UGEOVBn`7k4$2Tdi5O}J^=-Q)k-%@?7G3}VN zbw!|325)={e~)_Og6qpYf}IQIH&q(JirFgU#l?ok@tm4aJjqjb79%#ZBU0V|d!JSL?jNhzmlyQiig@oHi_c$@d}CB$-^w(XYKTp_O3Mtec z_&#fAh(&?%ecB&t;^#yDYIp!PB@ZLc*D;OgC9&C|<6GYAoKoMt!{L39#*pC1R~c3a zlviMdBGneD9iADoNq4wZg2!K+Gn>A^&lj}!_tu)5AGe zs~?b7uX%4g;2$2YrD@o_1Cw>!j{ky>ZqX2PA$aMLV9&T?0^+WFC!Bkvaq;&1^H_M_JHE_IkwuNHMr#UO`nmu zVBd{+Irsr>{WlE#9Re}I+;?1_C%pguB{o0gS!b8{yI-=RBu&UmxWLDNIzip;K9 zXBjtxDIfo^ioBh&Qv2wQu|&=xlqye8VX1n*)y82R36jX#?LebEpgK@s%j$&fE~ueE zh?4tDa)_h>bh#M+RtWAKkrp_!J?ILAabP7*TMFZl#v-M{-@aaK+gb(SZ%r+&!M@@TXJxv{!fDsRv&m>GqNhvZKbtGq)z+aUEm+JA$r@1Vjl125+A@+)3leoV9blKG8~ z=Mv(I$Lkk{{?UwJA`z;`Dx1=46)-QTr#^}7b8$IBR+^l@dQR)1q_tWj4({S#PWXQ3 zF8_sk%;VZ848OYNgFg<~oK0BNyDX{}lR3`UxA>z=K7ZAO)s!IKu<`}dSxPTH$6W7F z@g+g9=5ei0f3m=}GGZwZp-;_|2;WC(N2(N3f~FK4d!k9zgSN8xKk4!R{v6W5-;(^n zoV6497Fx|1=LDIv1TN?PK?)bYM@RTHhdUJOF<-9djBbBT9B6K$5XYRwBqb~&tT0?$ zNRB^q*;S)3nWSWI?|nnRQ@`MjPV3pjc@b`g9r+vFu{akaYeryA+(g64Idwa-T39KOS za2Qbr+888i%jvnyVU~;l|z-lmKsJ?0w%V+ACM)T;BCuJj zzWk3P?)`MYFI}6cxMGtYQCVK%6}tpcz^>mRZFE>KXMFzmPf>+pkqo&?RvbTmjgWO- z*CTfND|+(vlwdHCfxwAVbe|64fPf{y3 zWZne7*$6nl_`GX#AHKMQ~`DBB3c}`&+LJ1OEN+rs!&usZTg|i?-hjFDU z-`NsWtaDqhwNipo+0Hkx4&{|?sBjM942ckgZ?Oo8Gqya$xxpz9q3zZcq!c3?%2aug z8CF_SlNQI8!^4)CD@B75x1cuo>=e#R#qZhg{7P01v#py6OT6}Ek&}p z!CUzpG+r{k-l5f)Gfke0#p%%Hlf ztFlODWkyB@^KfErZv66}U~w%H%kU5hb2AUutE%TaM`z@hDM6|b?;ZVK%%)jkOb@xV zJoxgOtDQqsl2}#*Wy4)mGVl>cx=&Fl*vuHJFIYc*%%3iANY)FEi+i$DS;6>8qSxHl?lmlzl_Kuw>8Xv^Oc@Xp9`bB)lyV zgDKKPtaHfXio-L>SWckn^YBrLkSVTsNb|@L)rL9_kj}D5bKd{YD^7p$DS5J`ecvO; zv0R2s&u_tml%d7iip?-%uwCFzKj+=+AK3opJqQ1K$l<~wV#zE|DczXHZ)oDjw2yBn z@NiSJH6HnNhb*_q^&eky`^}8%+ixka?`iK|(JXSR^*wb}QkOMNT~n17*BWfy;#&*0 z1lx_EA9y=!EY@1A?TVqtQ5c7D5Ys8Lx$C}eT{m7j)v2`w9&0Uyaoy`Q4upeHkjifC zD+;^cDMBiJ*ZJ&~VgKP5(D@&+7Oy~uuH)@+olC=m(!ieKb9;dz&>rc#Vqu-b?z>81 z_X5hE+lvrLC2*};SoNToZ|zuUit>s~==g$#oZkr5z7K+A{F&yJE&IJ{`V zc9Bj<&|+Uym7tPx4|{uDVe!s&P_>jeFYp4|{dQ5}k^56;LJ8yt^3nUQ>)tzD@ZEza z^tRhkde@D!(&O!Z-1gmQEcPcOKR9B95J)Z1QKud|+fX--D)jiOrhc^KciUr*kG|ud z?n1n}lFGG%S8_{>ZALLp0hO4p?yML@32*iS;y3RKzBh9BQ>vo_Ew&@J(%rpY%{>yW?svzp-aIcJ}q@&CToEPwS+Jd`uS=@cfK_upRf z^rwp3yFSUZx~VKmG}3Q?pn=9Mrr_dR*S_ z$h6@wOc)(c=?_OlaYo=nYTx1;2pwcv5XgYBEcvY0XRteB(q)-HCE_7!^Mq2tUyO$I#4p(WYDqmgW*E1G2S>cF4tRR7 zLbE7o4z?gQb`jIqn&xJMa5eX>Zazph`6o_EftlAHq)RSjZ)Yu6b6jvxH(YVYGhBP4qMJ;~C-7GODKxZAD{R zl17r(n(CWtF5`f-{gz#Igx3H28%#7~we8XOa6NELFf>ujeIZFMB8Ga+P53Fj+x)C>)27xA& zT~U&HvT=zX1FFM|``wo%Pu<;!MSYhLJ(y75Z-^pETO=$+#NhGoFjoq19ulqpNF@*X`m68w z*}of6{%%9N+fa`q9)2^Y`s^8hS_qzGTeQ{`4ou!4jpgnSOL}U@7biWw{a@Go^1p;x za>lRQA?MqF&w72x(PPQmudWeM!t_{AonZg~AOJ~3K~!jhurZQ|*mgH&T_dovC6JP) z>AFXiqy(+!i$6E~@wexU=a+1UeJ*+xZ?0>4N5@3X47;){CmQ`?iFtfTvUpG1lMKQN zIvf%_3_1G#p81nLgWD4G$st%EkR`8pGe1L)BWfDXh9TRw$2Z?peAF)Ri6HfsU1U+Wx71J0FtcwM27>Tn z%=)GwIq(eUb6$`Cnk@T0kDf*3oWtE36ArmKgpZ%TM)iJ%m@9VMkZl|A{8>wx1q?P7 z+o(lX+|z4P%%G*VTaIc+6^*ggJxApusy9ovz9!oK78ho$&6tsS$!=VBg(BU-GDlwg zj63s|MnA-#tS}nP-BZ%%3L6B&!Gs``7!}dRnjqS9zuID?BCry|5>YE^;ZeRtivS-M zcoHyn?{W}mt$rL`y93p-!$8^!7ld605~?4Im=nH3DpF;fPjZlB=!q^M!P&0+ zkwPFsaIFC0&`Ltmjq~CIkSrYl5uKO-65}jdf;6V%+1T&f5abvV89)U@21KxL@%H;T z(RGzA0_{8KCzYM(VS}z%dcW^tJ82e-?;^dtz++HCA)KdUu{|k(a7Yx+tB$K&okfwRd zVwVzsl2f>xjfxoRJNnl{h!pRGgu`})OZp`09n~sBUkI98i(FUq)t2FULhD=R#R=+Q z$&`CGQIFPq%#ps~^|;0Pim8mbT{sF7cJ79=RB-vbkm*s&_y5!oeNvFTI^e#oklTiD zYQ-1J3L7?L=`lU|o_PI??5t)O0#Sl%1&@E3;@)oYYscUHvZc&ECCG0Xg_;|Az{%ki z>n+@wr~Kwuzv2DcJ0fT3{qz~**z?Kch_Hzm52h$xVMuVYK?E_*cx+oEf`%N;v6lqH zQy!HqRXia)C`nhEo8*Y+lufGBfPz1d-WNc$%bWh%=70Zv7REFWSYi|f`n&BQ_2?LF~RblQVfV>3C)%V=VRV1 zYu^5EQ^G|~DGImu@Zhw>EE5)$W*}y`2NUvlmu%l`2!A?dWGpY$3De*Hf%`8$;q%D~ z_23f{(Ga(DqEVks3M;lKXSkm=JnZe*q*LSrf!6Ug{p}NWji$DzG;vKGNaFb^+jvgt zx7?R&?9%ed<71B1mQDVEgKW#%M)))!Gcl`I3r44!eDR*}dWdW-;oxiBA}8BwHa6ox z!qSDfsil~DCT&QWMnt_Hr3pCc3wBx)CK@X}Q4p|;1YxLAK0|~#tsW5QE`mx)Xk~zM z4xNNFLL#dcLcdRak$7Pcwu72$(-4Yi@3K&MYw-dy#E)7>3xxYo6}qCSL{}z!;jxJz z@Zg+5%8oG9-hq<{Wx5VYbROT1S?jt!FCliFnkpi&LU#K;(^ z!rvi%jc5Zxm(i4pda4LbiY$Ai!v%SrkfG2zW_kRyK{!&pE0sSKidCB@-@I_Q{sWt9qgQ#QNaL95#Bk7lfcUPQ`PEn>uKbRod zuK<*1=rlihFr;~y@bKvgCip4pw&mYOnvMS{2#c+2c5TdEb&csCFmF8RPOy0~=ZEQn z^yX{c=_gbtn)ffRI65%g$|>#jjN@LPOkbd<6AnyG*gvIgFY#5)=%@$4XMtxEe8M1I zb8;F{n-ktfeYU&zq_JW&UoaD&@-TTr)eh08nk37aZ_YW+c6|NakOz+hS2u>o`g^YX z16Jh=jz1YN5C^nP$jTY|fy0Y{U_4|Ui1F;obiJhpE*gpd4i~Ns;t3oAkka0B%ogR zi4Gesy+!+G%FbI5A-%~x?J^~?F~K0fZ8CDNcr06zlLLg&6s|zYf_xJbdf1ATFajSr zbfY_ivtH3I1VKKg9k%F1GHkD?;}bF$vx%1+uQV&!5(z=?{+rIxFw<}!5auJAgL_u} zA<^X}_vM&gG{)%HG}$@Lg<|a1SUX}7fcJ*!AX&U$%5|Da$~pD|6gh{HbdWQwr{ z6{M6DL@L=!iVk;4Q zC|F3f7c2JNv$dVLwD;H98g$Z)wL&fpf-Q7>*w18SKp*I42 z2SM+7K}F|fHnrz+o1h;rxXv}k7o?e>SmaDU`ZjPhJy%LP2MlH5%P7}h+#Tn)5l5ixM1%h~ahZF(a8cbSI z6$3_ohg)c@&$y3nNleP>pe6`BweB;?LMA)Mn?I%OK8{J!8B^CHUaYCd7o6x9TweBh zK3JknpBX!T{eRqY`mE35yCK5|iutRGzSb;cO7_%pSz3OY+ykG`cthd?O5xD~1d&2I zMWRNa3_gu;Sf)afcdJ9B5Xg3l{oH~JsI4FnTPoW_mVZlOBPzc{|9s0`p~$79wsYc@ zWfcw(i;~>-*(_#=VVBXzZJ%9K(;GLei!p=gHTPSEQU9=J{IS4pr|eEg_~4FUQ=@Sn*?N+r zOIS{E(&D2QyDb^39)oQPhk%?R>?yHcQ_B+JMwsZ9`2EKeXOIRrl>QLiI2NyZjGh}d z@9!8M3f!i^NP&2-(ft)sn-fI=1CTHp^8GFju|jGa1Ta8Y4g zifkPsRh^5VwTOL+ikEa3#qg+5VqLeRtBfbKmPkoZ36b!K+9SfQOZTI#9qd6v zI`KnMW7nRb=Sb6n-O@AqEMe&Ik9KlZdX*p0ljAmvW}6dqG~kby2Q5$o9a2e$vx_7 zNg_{Z8bdoeLgzasnWo-WeB58LSv_Gps5$!BBI7NEad5li+rc9al1sb}$TH13sEEcP z-p8!vmM@Z;%XCC@Uvo}QdT~f|Wk`O0K(Sm>y>a-DETQzE0wURkS@_nXg+eHccQG<> z_*R4T45YwmsJ$SFdO%AkB#G8olaRUwKNyo*&@x4wdCq~lu}Dr3E~Zq9uy7Q9M`=H& zs%jeBP~NnJ2V1tcil;%#uK$EZS#s(uI_zviUwlg86ZBW#lQn%rqWEZW%OVe{$0-Nb?|6TH%0K+!pXfinLGMxq zDurCJd3eFY>o?q#&p8;T1TNrIWxUxM`bW1kcF3mIC^q!nISW(q%M*C*Snqq}NqRC|ax zS|V(PH3Q%b?^l$fPuupHB$sUOJ|amYOr1j%AS;L2#te@f)#{$~U_`rFQRy+mZHgV- zP&-I=DUBGiWk>7`NgAQmoLZzrMj=ds$%YiokV(I#Y9oT?ifEFuvnzU7f-PQYvFd~laCqaer6WiL-U*Zg5d=sns9mR4d*6ZSQVIl}f4D6r zvR5;xj`_n~ff?;s|NeWP|3$>CtO?4Pwvxnoje3}}Y!~!|qVgeT6Cy?+gNAWl5+;%& zazv&;2Rq~@z%gX58iHWWDxc!qkg&SPu4;C2%0+(94`M_e<@jwM5$-5wJ2GpS8O6W| z?5d(z?C7~6Z(BzhuL$*yMxQYFC`Vk5+2qd|m~V*38N+X0P^yO{{aY6I2V6|A;N%JZ z>W-VQ=Vbrpl;t8Mp5;9IuRmp`dc69F8As<8+gXLRJ3>97_1&Fev4`nfA<@25_k|2V ze^_mJRO86vE|69FU=Pmk12a^|ZAvMBv}rmk2@(Y&1RzG>l%p4fShvr(^d52UKniw` zAZ{CskmOb{3h!v_A-*+ie_oR2-_!h8f6I;lv-^_&Vq;mj3trC(0&{~@7r6Ud=A1D3 ze9K`IB6goL>eYx^5MA_GZ=NvD|Hx+fh{0Cz_=%(H8;&ba^7J$0Y)$@yU^aE=>W^o>H;ML+PI{*Y*0pE(*?Hfqh&&q<^9C4R^g>V)pI!l^HB3({Z zNvzuvZSKhn5Rs%AOSH@|4wNvouH*HbvotU7nf>nf1V0;+x+&2(z$F5DQxdsDs6M3? z_&7jGPvaHJ?~ppciv*!}*fzzv78e8r4!jaHwL`|P^DR4z(}Jq*Fdk+tiiwowTB2QF9`M>BFnez z%eP~~;}wZ+iN*rsQlgu;-2d_;P9n|CPLkexM!}Hn`zgJHmT@oV-bZ96r|d^Gxnh+x z95exU`IKN(A(=B+TZ-z4QmmQxhMfCbHZDWDOBVejPTN<^7b!YT31!YI*LV}NYg&B! zj?4QACN^a1H@N#T>j$3xRgFE3Xx@0XBTamAOYz-+v*;aF9Cu>aJ>0HZo*sC9adyFP zZvKQ22`93o49{u$bFf>!zWtoh_18R1Cd7Yt*zI&}wPsAK2KJw#=>5KOiCtqN;GtMK=-Q9@M@r=F$ zb#_j_?la4d7`$H)9~FE$Oqo{?__J(@sfR2M0^(^-{66J=)8kO?5C_ALh%*;>T?)`1Sc=iJ5POgf*hXU%{}E& zO{8klU5{j3;^z_i+9TZ&CSFnphj>*max+%zluSRui!1ueocf@}ha==NAg&LoON-YM z8%XNbqQizzc$PY#7YC3j?#+;)+tSDbvdJ8l0W@3ug=Ex#Epy8Bg2+~g`!UT~kEqDN zT;qq2ut=n_-C0T*?X6nfp(1T8C_&qJLSbp7M^qIiO;D94)`HfS)H)*_mxy+U=LD|= zR)O{!j{pUxlteyba*<)0A>nQdKI(YI-Iiu*QR^jD`5vjKh~9$j{V7M;4w5a!?u4kf zqHazwQ%^5a7$u3*0hQeljxtJP2~>b;1mU2MEefy+RaoPsg(gCKj|v>ZcDuet8$u6W zs7{?V3QC0tJZ)}J3Dnk;N{98j^V5p3^EnHN3%jl|1aJoLHMIk8K!_5b7914?yLLjw zf?T&uj}`5AAvZ(C)6;vF>nVY(sCxG#mnFq?$e^xS4o*01Z^^x4EE4KvMR?L6yrX>) zA&)%5ZHctyK{;ndkN(8qUxaJ}O;HT6)h*^(%=Yq{+53=O3f_J7hT+fexxAb+?XS2! zJ>z71$?MlYMq-2B1w7f%X*`iWY)bFf1di?*R8ef_FjpNO7QTCt|=JwBMsr3elZi zaP~(>i)$@D?4H7j1SkByAa*|Vj#yxiRsH|@jczYwb+H%9?YR#=&_t_yxXYH7`a+#b<9`)e8}aqXCQ-@*K0&h+J5=+)GsXKnq3ER?Rf5BQg;9Cuc_L^iOGCJ)r82*(<=i+ugi*a-eXZH4^e2CBgjO} zXk^%}kBG0{VQ&oaxg#tpw%d^5pwG_U5Zs0wtk%@FBKc1h>DgPXUy}GW_M4o5Ee^rT zWJI-~J~r&`dJHbU;z19SDTHr`?1o*Lv767)x|DYPne1Yqs<&~ct%`Xe!nU>df@o>dx1T?=ioSCbvNL_M~XZDgu_7&_X+RJj<9EV z@gm^wo*0Hj%#)8(ZfBZ7u;L<(sSeIDr6%Q4k=Vr||-)ag*X0X+2+N3M2ZhUhar1PLyTZ{_rdvUHiEBM7gw}W>FYsX}-Zys7xVDZ!T7oR> zQjKhPA6W$*$j)B)`jC**v9SRl&{9Cv9e5YsqNGBE-3q0rz$?AyK=(+K5+q^wFmx)Q zNPA>Ta$tIhQ$y7rVnTtgDg+^3Jfr<Nu9MujAoJJzA5smAn4F%L?7XfbgYo9@ei@H`~n)(AJm zT_`*;Ov{RxxaEoJW^+TPHP0>Xnn{l3H$Ac6!dT9&shN${3!|1*-JAjtyS zwq=l5Oyls8LXQ&4+7sjo)y5>%l2SvUGUBqOnFMI#A#eyQ32=A`0*Q^lzRcOou1PKm zs$8L>9Pe_>drgwGv~L~hW{8YyDl^Bwof16WuzY72j6*CbL3vMQC%A)(!OpX_J)$Z{ zH8HY%#<97=iV4+mOLDistCDiQq@GkXa!3F0gjl5*l@SXEzKhsuT7wq*9J{Jz`KILL z_x~63ZAwr@uqoIa3NgVBd3;Qida}QKNTZGjmBD$z#(^zMQVN;v^Y3pyWinbK%_Xr4 zXwIN5wq)gw<>?_PL$I!B#t~Ux(>5(-1NW<9kryx`?rFi#}2 zs~tZSmz*4b$weA4Ni8xMFfX?p)ir+T2u1fm^ul$5g$FAXYHtUOg!mC^_fB>f{!Dim z%PUFf9C(K{`+LQEj8n@li!zFX?jg31UX#KT=&sPw5mGcp5YUi?0YYiS{_`uwLriQPd{c4zIRDOLP`|-Ltt(n)F$>WC)d3P0Z66jtBxcH6hJ_t zJpNAjyq5(21Bd7dWM}(rS0&Ax3d3LhN0zQ-9Brw?3br3H zy?w)W@DXZ$iTF2

    RZr!+VXdOUi47w+nhlQ)(@#Rl~{f3Po?ki?1&ke$q1ks^##@ zj01bk5B@VAO|E(EE_hJo{NBX$^Cg#WXA~z1$@&WS<%H`${D!S+ISNK>ZgK`!Ypx$1 z@u1o9-8$g>;f}?kpc;%gdwav|RfKygiT`EESKF9g_&r~YL-GfI#mK$j*SAMJ8O(4; zpHTjK$>Op=i;}~~l3W~;wRbr6fU@4v?>}U>^gNVH{M7(^c#4S}VwUq+obp^pyqun} z*~~c}mV91(JZOjToe#S4j>vX) zNb9>WTqz~Ao#5fUr*e|mSwQXGH5TjlXAhzemQRKAhJ}%+vLuTHVH|Z18o-NSAIJ9L z9*sc|fTkk=q7IthM-m~lVAew1^a(=s!B8c&~^N&G`2H~yASz_ zcJG8z$ezb5g{CX;iSf8N29Y8&M^m?iT2kwPeiC+v>1{@DA;sPBl_$-Y$|LbSi z=ZC}tjf`W;M&RZ->VNqA|Neih50`w@)_5!s43TOxacGVc>* zlGq2xWJ$XcMDm1ETAC;&Y!lS`V_aX8OUd-8McN48E}%WZIl81)pW}Cm)VFM1i`I(1 zuPEmVJF*12p&U$*$`dpZ<_xQXr+J z3O(_$LHDPKDC%4yQV@iYBq4PhV3a4+iYV!JCC)Wn{1q*V25Tg`Zeb^>gE>KC@nL|k zKu*Sl&UL%3y-JFQq7oFV0`vV_vL}zof;)VWVde$9c}Q^BAl8;%7GfThnENemG$egD zrw)5$2Wv_h6Kn*nNHNox$*#h;Q;KB6r0Nr8n)0rpA7!lMih-yoRS$Q(AiNzD{Z)W{ z@Fni#fGCLeH=7)RlIQ>cAOJ~3K~xHB6k%y_T96kt)%z9VKmQ|bRiWD+QCMQ;JzNl= zy`~--(y3*5o+1X1@KFfTlN-Tq({iFq=q23UILg;A@HZ{9_Z#NhEf*IRo7bMRXQ#*{ zW10x8s_}Wi%J*0om)yQtaP$42@WONT{hHUWZmEhZQrplf#YyF`*_3=!a2mhIl^+rG zD#pHH;}T3$5-w&0OPDVrh<7|c7R=m)&0G`A?nobv`SM8d<-hxLXg*@TUGvdY@bKe9 z{^MncUcBJh^AS~X#-MjY;SR8;g0S3j`1F|jR`Er3$-!rz5v8Y?$(W~M&PNwhE)IT9 z)|QCLAwev8c%Bou698^Nk-tuUc8rSq2rmhP4+$IlBq2oSi4Mfx9=KQdz2BcFkl4-6hu|MFaczUhnt*YteOd-gRdf zkX?}#`$TRj6(HE)IgIBB(Feb`IBMTTrb+SR*@muPbOcg%9(Hf=vO{mWqh0&(-Y$%Z zNU1&ZDSr&^Xgw&|y+#m*AVD?Vjve0#H%BymW8*vBUcy&xn@LV5=Y z5>X4)(VnM7MwA@fGclg@^wawV&4u2V<25Ve%MKiA`%LCGWLest^N|$IV z+Omab-_w>Yp~*Ub)vEIPo%A3n=eQ=9yL^maK#`16Rc?HV|y8_TUbwt8ch;K zm~2ecYw&JBlyxiKYInqZZs4FMasnYI=tarqIzY&Ta+M+H0d-!Z3UEaqg6_js!lQ(v zF`hQxuojTAK&bBaL>Ozl5Af9*uOqySafOGfK?Ig|(^6Lvggg8)q~3WLbQjO0*#AJK zB-Q{SZGVfL?P!U}n>A%PCK=3$eU5BBek74^uMj#z&I>lD2|?RnOiViX9{a@MgNkJ4 zSQQDm+t9wtXahrAYzdE7%x*0GexJq)Q8uS~F(eoqBTqjkI6o$kAyNrY61=8oTC9T2 z+OYc%uQ311zYwiMWGnHzfT}(w3OxO0hHWd-d4?H`aHprZez)^0jYBmMZQh{|6Ph3( zjRLTz%qdU@hQlP_l|3ShA+|L)>6pUJd96ke)V$eVku2xT@2*I74_R$^aIAT#OP+pm z!9g%4oSbrSW(eE~@;sv68H&LIxisve2rCML$fD2s+(v?(x#jez;MzVRJ8IaLj*V^k zo1Y2^{`_zF?jP@Ic9%ST{1f`)gg=yzarf7-v|P_t?CPB5qa()C8^k)~@Bi&jD6(_X z?+UNlpK)+hF{w4Cvh>FxE*ioEgGw(*o<<~T$h+AogUX|Q(;cFh0%vUJzVUm}!GW)B zx2yAAl$W<2Mazc_?;q2=>+Vm%2Os#pU?{1<C3^{q|oE1BfHVAd3iwJ@)mgbBfF0 z$NMhwL$MQG!uN+rut0pcEGYI-Yu!HY7)h}TscM6>24T$JY1H9O4k(>RxVF0$<3Jkr z3FTl-*9;ghIxoHGAbkJ9$0$AR&VlMqB)GbBBnjCST@{Dju`VyL%F{Xv#v&rw1$t;f zqXkkadRn8TBnTv0DP$u&N*!SiAdJ>H)u)XWJ8vnPQvyGLhXHE(7VpoIy#NtJ6k&!v zgH##TW{9_^v`k4|K^={$L?0LJNOeQm_w>RRu~TGGAD3wYb;d?D=t3guh$iyrp2Yu9 zp*W_@pz7tgeu2?_^hJWKYpQI@A`VbJhfNe|y(C+O)WHH3>~OM09$JFk8xZe_>K%bx zq3>#_c8JA_#&nWaBLs<7=-!ZN79hftj#-o7+b$PQCsRTtK?O7(tO}@h1wjRo-{Esb z8EqlH!}+V(Q@9R-p5L^XUwuz}{T2N*r(#CD6C?}pyKAEDB|bl-tU;LQ-u_8q*9#CigS(32>WnB@u(-*2|0ZCkTOKb< zjt2(}wucni36)Q=XzufxC@T2X%ZPIJpNN)<+onfxv&3)Skng5szGCMsn?=deM%?eV z?5;Q1s^sA_#bn^g4i32T4*BYj%$J881Xm2B78~`sIP?7dgN*cxf6ZvpV=#a}{_~L6 z-@M|{#P9-%_z%BkmnO)Ax45dLI#}a;%2;V`+7p(Eqv*Zj*$8>Y>J*BQoYY zpLuY1Ep8ULznd_NbB=$Xzwh$|eh+1};M;!x|JCnLQN8on58OxV_d79ZKhzBQUNW^0 zC+~NJ`!kq#4ut&x$nf+ZEPmgYkHq)CaURP)pBigH70k%1n&rC0t7iW@FL160??{A4 z>R?~t6d%M`LhtcrRgV`Sn*G~R`u#v8-G8|#(aAmn<%~y~o-X{p*zNu<+@E{Ts`GSt zL1`pWR}t-(h9q7f)rSfDgZCQgP=EgPzx#Y>#>m>y`4fb>-!}tjkmZ0fSd+#IMb?rq z!^#D+_qaYL(wB5DKnfJfEs%Oc899coqs)&OsE$f2tPY8rJ8XV{)&m5JF6w~*J_V<7Kv!6OQ4=93ZPvm?a83Bf4F`2gz-1M3iRgdT>-p{8Dsh)xx5bBYRY zi0mmsS$5HwuvWCkJ;L_L(?@6>A%b9kw6}ZAy7pop=KPR%LJ9)4-=}EtA?H+Dx^0V4 zl76|R?Ru1n(ZUgp3Yr+7MBqK0-xKBN z7uYI*)tc}~6Nv}#3Bv5q_5gWWBeFZJJtmlxcw=dwWcV^hj4aXE(^Qsvq(~0V34i}N z^3e$qdk}4mGH#?3hS++&I9DQ=(62 z)Q`^hbvityhljTrkDjJj69bA)Sn}nLEMHJvZivpO{OWy0(qHrZC+C>iDT9+O)q|u{ zJ;Iv4PCl<_i*se%RdNuS$jY@(e!1AozBRs3J1do;S>Biqz~^% z!xmc`93e9Hl!Jtk->`O{qKB90;Eb-g!PG5-IKtWpBi1N2r8XmyVSqn8LOySP` zwrH=w2nr`iPkb4$6_C_Tg%J+3U-EQf@#Vz+6S8b`Gl zpj3)FZfLh9K2_+ekWR-$^_sSr;hbVTo-+8eA#QL&uOvb5Q3h(!qft25v%Rb6|NWA| z;u3i;(Wf!8%PE3@FfQr)1zj;i_m+CHM0EqqA3w#$ z@P{P6=Bhbm`fx!$dQ7Ue$l;va=S;j|oX*(z3XcQJL-8}7JpTrFG341lIALrr*^T}& z(!b=uZ*k_7Hz?%&mbb+@KX3mQHU9e)IkdmGqWS6`aWUt`@Q8nY@GHWb9}=!C`v3eE z*M37?Ma14BQ$w~1@MD251*^l9cH%L8$~rYnLPHQRNpJRJZ`W4`@1#~qQ!f&$DsKScEb-8BjE+Q+h+lT4|_Q&_U1wHAt1fC3bLn` zTmNCYg4XS|4sK8E-4nK*MF@j!JTjK_LJ>$$-Fa$TW73F${vMR};Wb4pcul1EeES46>M>I{zcidFd$abnRzBTRr0 zEp5;ej(eKB3Bn3ltA?R|ptA|hW>r^eqE;y>(tg+pkK7Y^53jO<|D(K?T7q&PoAk8;e>0qXo1J3dDlg>d_@Y3Bu@Qds9H+X{YhiGH{x_61Gc(KS#J zFj)8OhCP!|5ie#m@d~$ijQslnoPUNJMf*jzb^8ZrC6LDhEGfe8eZT>VkN)rxU%nEI zj}K^G-tog9J6`_9h|6!697dW@q`Z?6!}vRxKgC9C-hUI3UtaO-_lC5SkBGw@MrSV zXUy{}+E2&muL{COliLZYTaZ6KrKlS8zE>U3?omZJXGLxu&0t)f$cylhqY?27zL;uL9!?LU_IXL3E7%`_0d^@ z&~_hV@%wSoIfA&x7f1e0-C@Jy#{vGCnvQa};=}`acKl`)Ko2|q3A-)=;jG%2L z!flYN5&k$NvI`sueb6C;m~?c_x;n(98~UZB73W0Z1I3^w40=SAq1psjj_LajJt~k+ zBeciaDb1snATV@hf^mX=s_~-GyE6CE5NkB%USK}aejN_A|7<}NR|zTB}a zuE-ln9Xjm8hAj3J`Iuev9&Kv6MZ?S61!dh}w*^I8&`-zcszOIGIRaxoum!{1 zppx9fFQxYg+`g4jfi*SyA)_|}+iZxeBXF9QAtu!*6e3Xg7Mv6q=gDt665gYlh%oH% zvV?U)G{2{-99oU&w>5q{A(R1Xm7q_0C^xj3Lw7SwX>prlL}}rqgR-M<4v3wgKMGOf z66dD`fA0W!a)u6~54ACY?DoEpzIT+{mhRU#=)e2|FC?7^5hIIQ?@)0`_c&&>>R9fE zB-5U<1oLP>`d>dH7$1WP|IYCCe&?9o{*LJU+1|?`_P2Ys1+6=_W6kCN{#%|s8L_Yn zwhtvwe>fpd1FB@k$6tRO|qqs}hriR&I!J-^-^zLicA3s5U^DXCp z@(fWWv=^4cr#tdBJb$<#_J@qkF==m+!99AAldmPIS<}@Dp?jirN3ikKVuFiyh-raX zwD=%ECjuvP;^CU^YC`C1OmT$0$>n-EIl@OCH`XkhJ)>?`hXNx@Ch~PPPwQ#*) z(|1JM6}8ZGU4yGz{I15w0rVYhBS2W%rp9}PkR7gq%I+P}-bt)$k(I}3NoxUD;u?pO za?hgld*Zm1;H{*!9ljUn)`Jnq(&CNWgFT!;2#atX)@bwsT-aeu_#sfgAA^0>A%gwY zkNO{f_D??7CP7U~%)^RZdVnN@)hWSjg^m`KYlD{wN!5`z6XK#o6gj?|VF#e}igtIx z#8_IrV!NE;N$4j9O)ha!i(U>9&e9Rkt06`z;*Sbl^b#aGqJA?=A2IOBWy2%DvdE%tU=p}hRMjM9h(8YQT`K(~&3)w1}-g80Q3R6Zu1 zcmlO!Ck8YwL9|m;8l%SdnB*yboD&YGgnt~O&!6GLF|`or+EH3hce`UY_K0+hvzlJ+ zg-IojFo3BL?BWRf-8IeNG1bj2zyGI)TtAGtyn92sUBFMDqWdNG;SsYxIpm{hLgCIy zeaxdipg9#t3H8GSagdVOigFgw){jwpacF6yJFZur)OeCvMzvP-Wr}VLrIRFWfd~WY zS%SzdzAb1%jcpZ^n})>axSIyID2TcT%)=G#vLSl+n(oUr{`E`p+dIV9SMb{#;$Q9P zzWa`T`I6?lFNuG-p?JBZc=wv>uh-ajzhzs1-L0{!Tl$BFev_eXN0wW(?eSfY6+NPD z5Y%{O@mm41$9q99dK6;cKKUN-*zWB$Sr0J_td95lzwcL1-lLR7ONm0!d+4_X@ig5> zRlNE@9^WfnrQDC;>fij?zxZ4#Lov$mJj2+UravK>IlN!s>Yw16mN=deVi4hqEOdvuyc}p~IFvDkPmtlQR@S?y32~KBNH6Usw zQs#tV&n^szlZHSPSPlt-3e!1sH^)CysNjm~DkTXFe$wwrCx7%K%-IoLG$fP~iQF6F z5GW5>)>Hq@*95Cyl60ER3J{G#YJt!rVwKU)3*zhjjcy$b2?K@rv?u)Z59q?lUjJx4 zRzm)MLv(jXcsir>ia_kpG9lXuifYX;vZx@%_!%#Lb4lG~)Pdp;ehp5E^LSj0oe#WsHqnr$_au&k7#xj^$Br#KtC(dn+|p2@NI;zQq<#nTwmbxDUs3$ zQD7424pXp8;@*=_3Zb<)qX}Negkgk>*MvcWsy5hCQ{5X(=IIY26jx;R!3S`Np^8SR zpv0L9emI7^j@WH+fyOQ;j1FqL2T4ax;uN==JEs5X7j)5-bag@b)f>#KZ*YHA;=j5e zyL(Ua<`u=u-_c)XY`^%1F1w)oW=Xc&;og2jUWY`RcT~F$zpRmZO}nV+8(3~K?q4j> z&XanN741HoVte*zg%6Nh@2EWZ>jF8AkVrZ_s;~(4!LBGiP=EgQKmPc0Umvn-43X{# zrJ$bXgwY+5HFOE|(Hgr^7^BGhA)V`~y(2aX^=?8WYId^5HxnWpLgqvRg)pXXv^A`m?|MW4iMs+H2Me^?T^bMa7YpE zZ)Cp@MY6x;lC}paDa#(U-Qn5_k=Lj@fg@uyDd_SR|M-xoTH)r8z!L8uV-w!};=vRfncA>DT!`n17%i{A-kAE3e#RR>f~VT@-t*dg*5OF*DI>aC)m zI;0*DKA&PfJwvAR4@+QyZym1N^ZANZ%kr-;iN3x-rpE;KOX!a2;)-;z!QBRUm1A6m z2ogFPtP3$u48bQqgZTt4CA1E!Bz0HA^$xXrAbfs|i3Xq(d=HC@EkoO(M-f^Xu$C|W zHsNsopLqFd!gzE`a&k`89c<@o#wVkEHN&EKAS0mvmY|(Ynn|!sGEK3LTOam(G&`D91&)FkOOm1+X|#pw0eM4HQr50 z)fN(s-U=E&Cy5+!T_KS4`6+?R=v)tOfCwd`EAe$hTN}hAK*SQgw6ujoO&U^VsofZP zvVp85=mwZdA#;!HBYdzy_7lRsqstrmd4uXB{A5R4wM4eUE)S_(N4$PSJ6@Aak7*t< zqGo~|gYiqs*psI3kT*5e+cCq|A#Zc~-38{ZWORQ;{Y^;Hd`J7c3jFFCce|p!`&;<+ zhVJ?W+b?eDuD)XV`gf$|JM6~s@E0%Wvz#E$*<=gcs=($OZkGyhHt)|NdWo-twAMe?sf-@T$c(ErV9DXg+3YOM0h>1548g3<^SyQOaUX z$ROF#REoeK&v6hOXUU1vz#BXo-`sD%Y?o0l| z-3-l3!fk`oheT0_k{aJ+)D=i8@PQ>v5;{7Xs>N!B`LOfalYYgXE$2L1LiVn~=Ue1j z(fJkF9`PWFLqprP$e}^G0cx<{2O4AWwxGJ}NNtB}8bZ@i?WVNDOYAnl?sB?E37#Ce z5wyjeVbasMh%W1pgE^|->@n!=3>{`LfGm522t&p{9})cgN7!V75*pDsWH0dwYUe0- zE#`0D!RxOWEgL$aaK0keuZZdd)nqhwh%Oqm%Fv?(Wm@=QMEc`TkVl7j5$tjHN>Vx4 z{%%A3_65l_#hxC~mlaNE8Y>Xr++dgQNzTW3Z$JyItXaN)&HbA-Pd;wwct#w1?#qaS z%^msS9P0*z<~4USkI_L&kJ%$f1fTT!IoYvGRnC=dL{CGxMH%^9kzihRyl_)$TYjmU4H1 z%661NNFKot^*t~0WBwq#;Wz8YoF82vy<#{HNm5G~eFXiIWSX-3UCk#)Yo_s-Y<0w7 zvO_jCc72Ld66tpII;0n#z*dA5w8Eg`C9RYsqa`kn=+1KDRZU+XQ7i@Rv145BKj!o? z?r=?5CW!SI-&xFQ!^%d?QcXW_C|?q+BqG$5XvAtn809!A@w*0VCZLzt_ea>dMO2kDOLwJD9a?EOqNEK48$ik4JtjO*PVfGd2^bFawc)P{e zo<2MxatdZKp|wL)WUyt89TwQ&lvEXz&XaT*;m*^YM#y+gunI5}*exGOiy1{!G5*aJ zJ|A%smbBNF=<1GYyCi=575wLh^(&2UUJ=VT$oi0Wos+%1B=~nxyc7 zPyQd@q5kI|{qxTocY?4F_)uc3feiAl{l;>nb9q*$yZ`RYAizOGm-E?K?4p)4i$ z-xa(rGU83c+uIxZ?TX7x^5)emg8G8{+mvm8%ah%T_)&%(ea3kzc+(6R_IJd_vARjP zEjrfMYcB2@ME?cX-w0|6_4PaY-H2Rm37U}JI)Yt}3<{kV2&q8|M8CJ3HBFDoE9Cu} zwyFqL75$(fPFiFMm=fnC;mHsuJj$e4A!#~Eala$f9bMBBIZ3z7(bRogxAVj~4hmel4Qm9oyu(-u8A{w1iY?mCy5}$YuPXjjJ zqzsRHM#lm6wj&tL&_P8vdd$@4EEW+5p9(RZAfL^d>yBm)n=Rw8AhC-4UB>G4h)1Wt zWw{6$n2!9~5{@1*4l~jw zL(KSw;&wzVLg*CjuER)&7_RBJ26|0jcF2B?^#yh~Whh>uRxvUb2wj5Q!o-t^dz#G@ z(;6ro@ubJ*hPqdf21KgGbdKs~K=kN=)^xP>XirrcIf9px_P9q5FLBunMNU}t_#h+R zd74(EWQ`OPny{u#3~{|h6a{U6&L+k0;vw2849=wEh1aXRQ7u0e_xJqe9iuBmy zd_|G|08t4>X-o8Fg2`&k-6f%!qYqY)YvlSB>d*h_fBQME!gL0!W0KNS>k#V(B(9~< z3f5Jai9qH%h9ghe1XwXaNl8$~xZxJlMabS@LPKvm>S@Qce@j*zK&Jho?qn^zFW{Y3OCz`WV|CM<6*hs>tDX$vt-Hf(?8Z~gwY|cC@IPeRX2z@LbyGZ!ncmHtm%sd(aVNS95WIMOb3*GOMLBdvk0wwS{tCp zExk(dokZMkh}tdUu0^bB!nYk+7m+5CHgKe-#91gCiR%SY#Z(hblCH3-K{CY8hQ#3= zcIL3PApYYioIXQMPC;n8&S5?TI(@ImH$CnDd(Eu>B`g>C^$0ne(YfCd3I5+Om0`$;0gS}faE97v6DHC2??A-%65~ca{1k5tu5dV4BfqTh z?=Db-_Y_~hKz*@7efv9fw?d2>MCDn(y+$V|glWS#wJiLU$Sv4(lEZF7(|h#6o;cIk zf~@_Bh?aiZV|+=wIY6$KWc?7KB?DoYoLMrFfbB8)DYw01aI9Efwv1L^lZhuZH@C=E zaTK=f)-i4DIShAfE-k}w!9y^kjJM1i$JJ`cY+TR}O5!5L_66!-hTdG$&L43&+;A^{ zz{kV)WSfNeXuxRD;p~)nvw)r9ho5$koD+|wSm_}UY7_eeKl6M6>sYlIx( z;{eyCNU_Gn=a}IREhS+c(HlW950Sm1?gxbDC8kKI4isVE(Hv%YJH%Q=Oh=GgR63^g z3Ny%&S0Q$Q^IMF7)I1`jc$fC=>~Z_ zq>Mq&H0>8}80i7Mn-iTxbju1%_guYDD12aOO@g#5nq)vYtZ}A--4HR9c;jjNn9$u~ zmxg}(6s8bwbNcQ8n+oE~m$>#3CZ5v;V}vwxr$b2GzMmUu#GrtU$2>W~XpgVfEUz-c z`AY_-0Ffe}jN#>5)c^8d{o&`X`G{U@F=~KJTD*t}MT=IJrj6)y!$8(l^*L2yNXdws zEj|_aZiWdvdKusb7o^P!b^jTvZ1L?A)D&F%4!wSiOgl=YDH_46+kpJ)8~*B2^Ik7V zvs?VjimO5s*6+z`MJW{*U%%lGe;o4U`6-9bpYU$0QT>*iZ?^pSrwS8$%DeE0X!Vje z7cC|o@q_V}gVV>vp+fb7dpqJ}cR{|$*&ZA+(i!3WoY8?Kk_k&ShT;OZRy2{MxX#(h zj$yM#ro(*p@QEHF=sdIx{-eI~+tW8i$OY|(luQaaC z8BQm}NbWBRk50a0xqVIa+ck@^;9z&pYj?mzZF#>LVB`ZQRl&pZh(676 z*Ag?XiAIX@UL&2uj1(Ptcjf_ zIO^aUaEg8x>{S587+o(xKcy}M{IiCxSRv;jQMN9$)+Cm2q@ z!N~w4JazJz)ch?~@{CyB;5Gso&nTk_VOQWLBZ8L&#Y0V3)I_5mDW1@-dhDh|{rNxr z)6c6&U_?dV3d&YfOO3FG=4?e}3aPQ=g<_~0M4eHpDbe7LRUr_m+IQ~KkZ{#gGr(;F z!ov$}nUaj&fo`$OG3^*^7xU`2XVH2dTmj;S>g@n!D%!r__END`JDS_q3^oFH_$f~Z zxBS7M{V5MR<;DN?HynO)fYu6=Amt#mB<7fxr9j?XvkHcM^NZh6rQoBG+35kHhtV9a z#Tj$^p0FR&7MAsUO+P7Ey}d!&m{#WSkTZBX#0L>!xj{>{zebmuW?f^p7uc%>Vih6m z5aSlaT2rsUXa~^*9~)%XpawBjAE0h(dLvMIM|`)UE(Y*%fw`-(aezN>kq;%sS`x}J ze$&zI6uQ?)t#Lx5GD|yvbQWNK{uriDFk!F$v>|c|Tdk47 z3K1QGIj(W|fhI`j)Z8MYBchLD%x9nBg9$=91O~4J!tPT7yW5iP*S{tXJo@mE;N$?I zLX-kgd5Sgk?|(yB7>WfX8mdK4(;Oj28R{-T$0^fUNc**bpPkX$8kO`M202kYK&wMG zcXw=uV`O>BC^pRehKuH7!f?rG+M&B4uJUA6PB4o|g9^cTO3RMiYK-Wq9wZ0$f<}$e zjU|YVh#9c#LbST0Z$iqkVcJ}AZH^g7_oyaim(>Vg@X=Ird8g6wn)+7JM^marPjs9U zwnJ9i2%TzFux2nwx!-DLkB3Ym!)ZJNGawXOg2p4Z0;xu*sHLSRQI_g1Bno1x)=(Wt zyr{9!gec5u4jW{*A=5)l6hY^SN0Ls3gsMX%1zkU7To!E4ju`eUd^@2F?$PCdE;V@V z5w#{h+|l*|)wi@kNL<&TbGqaRInD{%05z)UeMmfAP}c*3OtT6STwbBY0Bu_e*WwWP zB*D5C9b5WlPIZ$pom|rRpJH_d3E15!O0`tl&^3-YDzSY?GnUZ4#hHj8O3~vC?&eq> z(nb3?|b^p zV_vN(*)jN7V|RuwjtSc}>VNu^fBE?!S<;mqPE66VA_*qM;R1VkKs}6!nmdB-5yC@3 zj)(`yB1gpM7;CY$#NS4=2?&$H*dm>y-%Qxv%^1!n6irQa+;jU-v1+ck?o;|maJjzV zD7oPJHH@Y!nr2Gi3Zkmx=|B3IT_5o{d&$!u{*?diHvr@gf- zCXPXQM=X!o=`q;`R8#-~w3564QI`a42~|ra1U4*~P*aWPIAbwtNEHfV=_qy~&GtQs z^Tc&ayUH-p9X^bZNr|V!Tnu6E=>v-~hDNrys01C;hYFEc(C!Y9Pd&+}6F7WKpksuV z*xJ$r5)}ws?P$Kb!F+p(x?Q0r>E55)w5TTv-LzEA6dOs#7Ba7iVoCV(1atN=O*q1s z5RfRhCmYKaie*pt|9r*xc8xnyM31M)gGb0-&?t}hP`|jr{qCA**%2g`R;Exwba%Hqb4=%W>bEF=@h*s#Ny5#BWD`HZyHOyUXC+X>ytkn!f4;qi?7>Yh|Z ztgS}bilOQW=M#q2icMZIDqC7o0_nK8myAahufOUz{HWuh2{FDRd3#I!vrlMWypOSPHmFn?rj(MNrbA|OSa9l{2zYG%`X=m&O*j#Gs^2N%O^vgi!Cp{+w$bcQ@XNY zSwy&ZmpsG)i?3fX4(=JWHBC0*Ky}^O7HF_H&2RUp!`e=k{8`>};hy-`JB)GcSqixCx|6bsYqw^Kr zQXobF?Is{-1?eQGe`xVOV(3N)zrv>hRtQ7_;~&p4pL~W4hg8yFa5O>^NP%rU_rKX7 z-n>S>c|j{iL~)Kg=<#cTTGfay#g)O{QWr{ek`exBhB^BL869B)1O47}>*ZeX(myn8 z{`!`~?ORr1$@GaKIDL+g5rht$W?8k2{_Pv6ujt#1I4)V2V}in?y9%RHnqf{L3K}z{ zG7;DB3hLtrq)HiVD~g>&4dfwtG>NmLInB7AT)sEM1E;xHESz~ybG`#Ph5tR$%|IgEVEL)o8 z_jPNV&wt0CbA6hdnPt1$01z7hMGBA?z!l_-g&pviqiDJc4q zf!&~R;Lg&iKFL_{w0wYIkGn;Ud~?oBy}++mX#Ws1Ji}rMq>B|kb82p&OTw3AnPHW3{b6q}ohz`!!Oy2v*dq0ovanv_`cB?qN+KEBw%dz~Jp% z8b^cn=t_^kzr%70^#I}KsBnohwwO(h*bA|xLHQFbHxMa0J*9OWoI)b@EHX1l8zBcd zLMdceA#{iC3hZ@{Z26Ah)gJCJBb_+JjYV3Y)I`WYVfz}lU$DvoCQlq>8B)H_n9GKv z`qz|dk7#IU@?(@(q5ijj@sqy_)`ndWV;b<31+%4TLv*KT0)x;wtsK#>)|B-Dxl}l# z6w}ps+W>2Gy8009uCNtgG`%s5l)aEXJR6|HFGef09t__ZY2~B!gG@ z)g7BA zE4}R&;^;XpylC+V}*eSCrZ?{Lwyq^$E(GQY(!w1+)UC z3TX<}MMnMqzC(9wD(x`w=Tv@=QYOf?p^Yb4*nj7r^QgX$QF8C95uGW>QpcS#$xO-C(~fS(uv9 zOmMY5X7F^u^+lg2;(^6dW3A8fX3i?IEN%sxhj*;1n2+c0xV*om+->njKBDSa4`R66 zuytdMN(rl+ZYG%}6@{8o=PAuflOFW&oEvIJctJ^H74~jRv>%e(Sdu>;GW)Qm<`BJi zz+zx1eszO9STG#-;aXsHi&N)hOo`(iwt{K|CIdCvfPkjaI4+olixC|i89~&NwKZKn zq#57b((R7vVvtURT~>rWOPTfv9y2}IGN2h=pzDB^4hl=4V$3R{9tZ-FBKkY> zLf~{`9OssF=OJf;IMtwgkZ&I~p0-8@66PuDFs7^&?re_Qolq|p@MnE+KSM8Dq^fY` zimu$l)+VS3uG4JrpJ`E!o(%pS`gk| zRfOrIS=-Gd<;$2h+@YHz*f|3fUm=Sl^*vS|p1dcFNgAw6w zgApav1%0<8+Zd2Ns-UG;3ry5u>mJ#1Ls0w{z4saAwneuEL!hKX?D;tJl3I?4+zjDM zR8`^*0`%6S8Pqgeh5NH({NpDm_Xy!BlvIx{2-`jW(9Uc0|Mxp&v_N9&%ga>4qFO|rrBJa1jdk%eD2~VM`(LX8w}~_=uK0sH^!zZ_%)&SF#3YJIwq(zoe%U^^p%I$g=D&* zmM+4M2vtp!L{yDKHwy5UYpQ&Yc9_xCIr2^uA6u;KQ_nR~nNYYA(@H#1(B&iCfk5m8 zqO5Qn@LK5h9rS(q=;;ff%?c2GR6C@Q8qe8aJ;Uy;#f^sa+%xLKF9_X?W|>j;Cit@i zf|lmcp{T(xk5C7Xrj_QkPrJD#T-@Ofp3>M5UAg4jE2MNs#Pv6Hc8H(>zogL)a{NG5 z&he`uK_bzO&#cTTZA}%%R9aJr9_0>-)Tduo)UA(uKcqmVA!l6SC5R+OovLelRA$Z>?4Pf5*$tk6V(!L#@H zi+eVHLAqI^sM#eh&AS>~WW=9Eu#U(J3T8}T1olab3JPA8QU@DE8?)L%v6oXl#5nx{ zV&6y44v<3^D?3EnQZvpMbP@%e`n;sq()uK$?De3qk^5K0H>4Djj&ZRWExeOfQa$s2<0lxjU?d)G1& z73Hdj+h240!IDHFNtCgD`vx=gxY~GpI7|8A=7Oz#P4a$2(L3VzzrJN@Zn;TYs&0iQ zLJx-gbQF;sKjCB2^22$>#V#jvbKYOBx%_a&D$v+)L90uoBlx%;F?+FNbM7$tV$67R zPqsMVZclNPykl2RSywG_*s#t^RCk88F7E1%)S0sW?cd?|CFw(jHGS%0ga|vV3Mrk6 zR%EDB;x+}B;4ZV3e#wueugm>x{lGdB<&hZ2aauV{f=T_>70_V zZ4ilO*>llBN_5?)+Jr>ul6HPecXyAc&S@qca&ABjF~t=V(H^nORRZEqeEoTVn;)q`X6cP394SRt%j(~#q~P6+~8*$#Jdtb4`>Pp ze=kFo0^==du4}w{OYLiVo}iKt9G0m6{lEDae`VV#pfR4pEi*bP391q8?f}{MspS%1 zX6*b30>Q*t(j*#t$E?2P zq0AZS33iym+{Z>4Ar88y*xVKj`wDC0;#f^wzr$=IoP{R!LL8?=`x5Ps>3TVN=A-XE z(&_=_`?t6=5W6{YnbEZ&>>QMUG;i^UDO^S1fzpODH-!J}nCSEn84nOb(pZfamIeu> zVfXK@7+(I4<{`(aT|!Y%I+m`?G1U?NbW7bdByPa?vzYkjpP`OU5$^E60M(L59~rix zDlF#jKO(>R9w&M97>dIRz89lkO<**^xEiGdrl?6T7c@7&M%gj#uEp~NU7q0E2-{y{ zjm4-6W)UL$5v#hOXCppl8J^rDKGob`bhyub;^sZAoROr0{&Sb@cFS$6+4xHq^Lvi< z3hys|N^xK~imxaiT$V&^?(g}yNT{m?a@?|8w0!bPusu5<40nXbAyMcPnjZJ`xVyh# z|7RZG{>l(EXC&@`xA%99)rPD(!aa!z{fa;czI~?|92cw~BAl_uc(A3+`e>8WngONf zA&M>2*rO>tsxGAWVa}gMD@K3vV@%W0`5m6F@PtFRjBv&oB2Y+Q&}13($LOWR5tf=E zj@Qu)EaAo?r_WKlTgkxk5md7^Zq?G+4$t*4)fT7i(J{}}3Ag|NAOJ~3 zK~%u{C7u_6ClK8obuxy+Q28G2xS^VOxVs8QY%q~Tq?SxH7+*77$E10V_6O+rBb~7n zn;y{sj93tiN>ta7e4C+qKECf$cqLU_;?p6$1?Yw@nqll5>9?q>8Cu1tXBBFvFhmG_ zkF`Uvf~N0Ktrgmh&{aayIW$X&$yZ2q1k;$P%ONij(TrwOqr?Gvs;M^x&Zz^bq)BJk z>=OOm9i<%Neg$o%shxoOZH=t&OX|*nt-+8{>`COVqudPeW|As7$9NtlYG}3+zq@9; zouXt9=dPd~M0DOYyW|P}HbRR8x5-i3<%6hL2H1|9DU$|5VuH}UNam(Vmj}u9p z^6`FDIz7T5rL<7IJLA>Mj_Kiu58su@H)l*7&CYq`KKGATxKCyb4|=?{C;Y=Vuen}a z@_F>YWbi4A!eh)GPmlYgM-yK93GXt8es+cs0B=B$zprSXJM?17E_%wT^DQ=iLR$8D zw{+>VqdUK6yB<(X1l(J`yJ}gNl5kdVRcON4B2Nkuo*@PmRzJ`)Yka9FAADT9!=@cw zQsQMjx_(4x9o)qny$W$pGg`U9RTnsVNt_G`A3VbA2<_&W%-|h3_)`ZPjWE(dG!`uc znYOsbviQ)Te)laxWQaJWKfc5yHEt^CdwqhaAiEdH6Ggo5p+5f{b-WKwfDp|;rCuKW zf7TkZ#8UnHxA=eanym4t0|%AvsIwWZY|#4-GIY^EX9Xn!@ryORRg5VdoNR+yH1ynt zZ6y#g!xlZdSP(ub5Xp|gwojoH4l$)kxw8s`Cl31jBinpNdzcWV7c9;SxvQ{ML9%RE zw+U}=8+3S0c;r!S8=PUts1$tiU(Zk+vW+$BL&D_gfa}*T$3IS(&Q9p|pYY8;EXZHK z<>-k^UIh%kyXMLBJ^H1ORtlqIzJ92gpTA+&yX5XoM=Mu|!lzi|9GzCo?{n^M*R-R8 zx33kW>3fD{MHdXP*K_p7Vb~`8(SJWC_|u=VYfsQ=%}5lFq)4KvqZGO5XsXAOS!@#Q zy+!Ma(gQt6DYFDo4rsjw^Q}NM6N*Ja<3n2x;M&1eEo$x4c_EHnpqmuw_vp+eZnh!F zC*-1JmqX%(xTAY2r@?ce9hCIrZ)sx%U4|JimmI6?;(G-$3RZ~D!3hi8d<1I`GaQ2R11g`>bYpbVqfTJpxoGhmDJ5pS zLbw)pbB|LG!P`(Y3i5!RZODc(i*3ciZut6d6TbTKhBSMM8|3UNms)B@(HgVKc~=ZL z(&ubOKc>7o15c9~$S+%N8jqZYs%R)9Nt*01Z{M(+3rk=K>w9*3M{lA*bvTDE!A$V0*EM-~h5PU= z+1ojd9^ywkx~m)VprO9nv1qqc)}gm22xWnCdI*M;D<6|q*js~18X~{MMsqsbu(|Q6 z><}?-$eIDN+)+dxu4*X^RH~&r+2Jg5S`WO_2z}xqJr84`aQ>+xUs<+i3GRRXK-phl zni2lEAYb=UQHBZ|<_VN;g>+}M`!W3=A0dwRu{xq^1-g>7@aWfTEJLMpzeuFG399<))mU?_o)dlq8_o&@-BD+OKLza4t zyY;AL1EGU|9O2Hcamof!&Dok~>I^i!sq`jQI2^I&vB9d0bX8?%5UlpYQXVt>MMuoM>{&>!oG8xFTIQ zOh4~4dOGE&r%$*)IN|d53*@+wQI?dwlZL@-cnJ!E`~na5#%U zfs=~Yb;!d*N%AUUwEv81`kba3vuq>$eg=h0;ScZ=i)|aK{sD5>kQWNO9HV8AXjD@7 zZ)l96KHkzsJA~V!Wq`4l#4jzS+@kJ4KJ+n%&r$9cni!tWuv*h}Yut99UVlr_S*mD? zdRbta4)1P8@xvbN@&Lyiqpn-3;Q@h@65a~f<_hZIkalm4TTE%`)9n8vgBol*qRgjs z2<#-JiEdGzPk_YcTheSu)lM;FIJzbgkL5OPF0s28bXACWRx;{cP}d%!Z0P9%U*3~( zjGDAm#XH1kM$v324}7FK!^ul%1f4RdQJ=bJ5TEpE#e&^9!}DeogDuL&RIR0~O2&f< z+#{N3&BOH+6%J7U>tFnjf8{oiM;;>H;200;l%{zFE+7g*Rg`f9PEO~6%?xg7$-4$^ zPY~S}P08~}k;MCScOJ3qQ;!tMwjfOl+GDjl)^d4}^LpS@&8TNvd<#u0k#4~5S35?Z-J>|buS>*QQ@S0F zv^1?xFPqS?!s`hNT%5?KXbRkCPw{>{L{FY!l#kL9$4bZy^{%D+;Rg5o2ZSqe1=z&^ zJ54C_8C{qlnjU2=@c+W4|LjXRc>yv2Ay7za3ayc}g`rtzH2>j(;Op-YuAGpsS!eAl9uNB0rSHZBg8FJ0>y5+l< z$Mk>oE$PWKVj;Qw?wTiRMc5yc)TbOa?>JkI=smn+Hk2H{IArl5V*hwce&_M|Pg>r7 z>yj5MR?CL-y%mrw@jrFxH#?GT%p}h#2R*9Q1_qkv!IF>PkNEUu%KZ|` zy*>7uZ~4ysoXa16$#h&|_s2M|p5k{o=7WoIE0hB&^09f1l`*DjPy<+aM*!U1tFJa-(`98`|@DodEVoaVOn9#W$dDvmi1d*(WmM>U) z1@<~ciVppR|$S_5QS0t3uA=-A>^aQajX{wmC3vl}ZSyN)2{CLgM#SkDWiUlZd-CsGwj#QB7@0Wf~=+P_jx`n(7h3(I^jA4xjEw(|LGE% zTmJ7KS}xvxP1f)8yZapP{?}|)ikoyn*BHEE#sa#2Ln%$C3enJF zrx$>WXf0LTpym8=VSi$9M@LvUpzZ{9_ZU3RT0{1a4+P)-fb3jw)@0R+jg;(KjWgQf zraiLJn9(1_3|{;U4)!tnvFT}Au+rcPf!kTKUBc?Omx$fp(&&t)c#79rOu0oBLv+%h z_6FGg1fyLXEzuI1c>`y+h_FVUMTo%@0(XrZ_!u)G`ZQyejVYdY^!~C>@8AA+=>Op* z^^+6&KOf^hdrpTTj6z0t7j$lO_{I0=k!aLO&lYZDOVRY?AJVe zfNs`N3XRVK9R-j3Q8nUZFX!cF6O27U_d5Kqe!}%1YD#y_-~IJHAJ4w#d{ZzIl6wKm zyLYs&p75}+RNFaUzI3SC0oiiL#cM-$dCMOXXw-^g>NBcye(xQ!_r;d4%NVb@#BSGg zW{;swnU@a#{@1sB^V`>K?UwGJ|1-pwuV}>{ZqLIkI&9Fxvn#TGh1qOrA`f46w5?0g z?$K=`lo-&-F=kTGhzM&}bO#e~-%>g))dckZlHOpANuN?-dFdb3_sC0qJUm+?Nx4)xH60}#5 z>k4tSB-ROwQOvC<_|D!?*gm6uK~d~eY`$QA(&rC}M}2q6WiVs2*x_$4>GxfRQOvyHVxxTZ>1R1*i8_VITE ze5a!4Hn^UmoAx;Ra|r+Fr_|vd#tBha%C5t9hN3ZaT}yIRApg%l;C);otb^}?>8Ges zjc#jfzC*?#(SeH!1FX=Lrb9Fe#l;rq^&06pxC4z+1``K3s=zyi)jJnGtO$=ssHan8 zyhrdnrugJJqo)I+KYmL8wxTQovVBX@MEK*Br<*=QwZJSQmZ>Bx47bgY^S3wrSihyz z&uB(1BAw$3pD<8dU*v?hrB!LtS4=z#5=!#2zCy#l`ui91PaLRMEdpasFj0##4Q-3Xc8 zpvKPQ^58e``RngL@ZH5P+1|b-Ywi*M@(InsE4m;-j|ElZqZNcJ2PHkim0-7wv1=bs zj%fQ!0yeZeL9}#nniVSPq4E{|yD8Q=B-mV0C5kNBrNwmJD5F?}?vD@afWy$`N31yvgwu=$b z8HJVDLCb+k$OxHEw$#q2jI3sS^n##F34;ms!ROd^jt)J7tfsl%@bPcY_-?aiU0;yC z-yxSv{D&QVrRhH%(50GBPd$o*FOa)}bXRZ`w|qH0Ves=;IJQq_6{~;v16${S<=F~B z@g8qf?Td}E+ZZF?jiLSUn)u;8qCTM$H#h@{*-sE< zgG|R{*%0|>`?y~mA>9FvRDy`|4&{a_V(y1 ziSiU8blIJ6IogBe)6W^W_l)lfVG**G9qXv3J{qy?jX9id`Q#{KZcljg<|E&)mYnjy z?cC*uH<$e4>+g7Gz9lIR824&)I7922_Vv@RJ$-$(VT&Vw*F<*k>^5$6*r>PIAv>=W&ZmjW( zYs&Qjs%YTkhp)CfK!wRln;k8eZH-fe}#fx0B zy&kUDQ6@je%o4J|N3{x}b)r%0b2`afGYIA5_2#~c=D4W?ctQ>`#1da&lDm!!F}$KmLaF3 zInm)0oXmNo1@w;WK@uKI)Er*D7;=0x#IXv+!7;zNdEn;kBR7i`Q^z0;&e0oA3CoGEI@Lp&YPO(&Sv(nbo+!b5L0s!&u< zJ-lBUs`(MFTC>{@XdDL-Ww=UGZCmUvCf-h{E?sQDhxGf8#d#|!+74SiVqSiJjcq!@ z-~pY+belD<*W2&7)yRDdtg0iky zU-_K)EhEQ+{Ud(=zUFVg{sV8`{D#X#LjC$%N{%_+hlx{@)whJKVGyofF+ zut|+Ca^#61KUpD~1*#j;ln(aeQ>+Sz+5@^sQ-%r6iHrX{1ji@C0c8oKz*QaT`5NaV zG^tM(6_~OEIcB>$ApFv&_wyIHFJ7Yc5J89P46b;r)@PlhOj_D+R}BB3?=bf{G8@vO zF*}K}@)365Tq8Qk#z=b84@5&n(;uT7i?NTlL_V~r`R}n^hgx{V^@h6baQiN`=i^;1 zD55>WJ%b26%`0@=3EI>U*rO?zr6+d^lethYvh##>~W9I{!1w{RP?A7c|#frl#fo z+m7Ju3j2F~j*iCUl}~oPB;7r7(95nyE>}2hNteT_PDwU~#k)E2S9_F2iP`UQmEEzw zUt;|soyZYwM?yuUed$2|M5XtEcq%aTg% z!Ol`F2ZZH-3Pal1!l0li9K_I&FQ>@Ck}@Bmx5v<%;yVetR*0-coDZmRkZna{4{_r; z!U^eGg%C%yjSH!znK_j66csSQ8(B(7CBK!cT3(kxKv1?9w$vw(#1JJ-lHD0`1uBLm}6{?+K#BDrS+yb z%M7_2Qx6;TrNV3joZg0PVNv=6><$dd}$8{;f83au#* zD@+HK>f@f~xVtTFZ^h`OL5gHbm+TW6VCfKrJu)YN@DDiiJvuQ!rzO%%X=!j$OWm_5 zKcLT&G;qk{6?(6RX3nbeiMMa*6&`Xh!fzE9$pLS_x!|)w%Hlzhy}!m5CDq*-i*Up* z|KktL`WJlq`~=U8ac#tCY6!}bVseVpElINj)JcNjnoeunI)U(ri|?;E`lLs)3(*uj zKaE&4V>-KG+ZLpzq)jTSrlG1Ve}8$;<=5Y{eK=#g8sLy&!kF{lC6xd0hMkx3^)KGB zxqD5RzT^4C=jZ?C35-uEK77y3{Tg8kZSla}YEEJwNY@MMG{tB`KUBC&kKC^*>SMyw znx+|HdLHU-ND>}lyqr4P$BmbGgFEtB0{V>7b?~Yd-8on-2=$|C-WW-`su*9MlPL$~ zc(lC$aj?b)AVWPb#?+d;l2}_{JV7WMJXaz{g5wla@C12(&82XWG9+4M^y~?@yCG6m7;X3@$VgI& zE*^OCq(zkuPwN#woxUKcV%&E(=<6lo+cyl$1y|n~7B^><@4n~LgN*w61^eYke)gAN z^3{tT_0gZe`x{bMvw0{um{fduxX&Ly+2>gI`PctyN_2FBA0J?3Nj)C$^YA0LyB~4v z-7xMy=jOI!x?kbXW}L2b#OHrbzP`h6)|@;KX{!)j8M?fqSotJHOOaQ!fo4%dcsfA* zPk%!1^oVNV!2XU{?ub?e%r*UWN_+bhq3&_?J!-GSQZY;y}3Ol7b>aAX`lmjcQj}Rq0RW@xM3Q@BQshgVa5& zHCXYk_jzdS3bl8Ut&2@vDletUD+nsug@?BZak4p?+e61yI+#U``hN#f>?&MIYb zGa@fytlZHb2RMBPSsU84Vzyi}iPnT87iZf=wri-m$c5m^#Kp=3lJ^;yiq@ChZ7XcH z=b#tRmx{AELhhH8A4=TRW8!>^K2?Ne#*0NuXZJ1Y;DF4wIB|W@f3vmRCcE%Rg+noh^9%{D%Mi*S|sB{R4F|;ETsc z^bdc@EvZW{AH$ME&FlC*2@d zhQMmlPK8)?2ndnI1hs}t4$*@SEeb4{%3v|$+4194S7^vXw+=L%A+#|L^Ch|LY})6q~s)Nl2T9>^7imLiT~CifZJ&B??B=V~_Uh zA?~sIh>w?=R)AMk@IyvAn4&N4X~LRzaD+HN!kj)rj1TbRr^xdLZ}12i_(W}uqf-nJ z*$SuIMb?6;ThbkjpxAI&1nj<7l*c~1w>6>d;vTtp(E)|jm#YK-03ZNKL_t*c7{wAR zVoEewA5%OWGdgJr!V?~S;t@XkF-Ol%h$chg$rH2==>F)0 z*>y?luhFBY9EOt7#W`)<<>9tv5jMQZe176LykATxn-!a~Wxp(d`IjCw5e5swZZcvESbbj4zu;JTJ&)S&w%?%(}{=0`ta z(|ZI4nu&(-4jFhfwWYZ_ATMIP^$=&HsOodHm*clNbw^P6TU@b1q#XnX9d&TchP)or z{HVa67c`DfCp3to6p;z+y30{;N@;6Mt0{st?!$zVDYn^S>oub5vp?>k!+Y{>jT3>$ zJys~1s>Evoq*mByhuON6dWW$AvN%Hz3fyFey9ub>4!OR;nLWeiDcWXKgEh6V=ys2r z*JRCOw7bBzF2YeHPC?;DsP+T38X-bUdfE_;UQsuOY(K^}Bcjl-WsS65%2pHZ1hw|? z4eIM;CNYoNHbC9;ua8%N16|%Dc?+H;FAi^2Sn+w_w&LjD{Jb$&k%# z&7+Qw(+XKzMcveN;+nW!lQvy?@g3{FPyf(iu~_l?%^QlFlB@{n_$kNdXBd6LyWiX( zU%n-~-4PTmawJ)=0*?KXas%dW$6HfFKF2FcOs~%$f7lSzH>5R;&U+lD9_rXZcN{{` zq28YG!}AA%yGv#ZhhCF0emo%9PFO7jPO~MCF39x^;rc8_6Cwq+(Nw0Q+Uzi;&teg> z`=5VJz1m>oE{<1GxfNkCq&bx&q&SC~Fz`Q~sojF6{1`L{KGK%sCdE-2x&on>xQD0c zzx*lo;$I?qLktQFC}qJ~L~Cf9mLx4H{*Q0*@BfHa3bZb!9$>r!Vn?DniYVyQYb_@H zG0n*iFAIqM0w)|G+Ad|=BHETFuQ2mDGPcMYi@p4u#+~B1?+I2r>f1GOx~1G~h-xU^ zmO_H`EKcZ?DAXw7r`K%tg zgy%gR*XQcK&xSe6`}cIFmY@FBGd_Ft6Iwp!{f87kd0@4@C)@8?r8)PrJy)xO!rj8( z4pD#k3wA&ME7BB%Hzm(=*avhUS=_{5$A*h-i*jJfj%ph*ndtC-kE|6b>q` z(CvU|?|~aov}@$}ntnZ^Eqst6BA?T4yBHNfQ!(%@uI*7S6Rh-!nj6vsiB=oh3rny~ z5%q#dYibYD*Ba3m$a2A43Xx41(4;q1bxB=kH2R)Ay2dH5D4mFA-b3v(?6OatxcF^_ zR~d@V2bBLFmA0^3qA!oBQ_GQ6C~6MRr(BB* zK3rY1ynBI-BG&I`D7_-`T>8qTE*lp2KIL^psT;b7&xl8lSj;QBHyMTUh`fqMOIlsg z3L(EZ;4ay-e{spBAp(YY1z&etmY-!%+W_@^b^6+mqQ{oB|QCv z)xz@lYeS|d{O&TRNWSMTU!&GLmTs59lbZd?qjS9H!MZqNLnlkA{Lh$2U7W)`p0v2a zGHfMLc}$z`P@4g2s_En@*2`$_T-@1^eAQxn#lUMY1b9J1V-#qKa-coyA;vD8j^L}W z=>7aDjGm$c7a=90hP*atvnQ`DCbw+g<&^*aCGOR8Sf3LJ2UJ98XVmqIrrh9`nxrgf z3lFiJ5${S&sbDZf9faUmq|h{#rM3#~hdXq1hZjRJyrmUen7ia|i8rgs^9n~vvMj~Z zJset^wn0QgvYVQu1+=ElE!m=C7;7fZV{|hh=|xNr?=iT9y9HHyf;#T8TS%na;=}=t zsBs5<;>M#qjCt4;Y+a9f5V5ccujd|pbHloGL~xdIdEcr!3(Io)x^ z(}S2a@9?&65bZsKPtQ1ZT>9=~+`=I%dn6B*m&=OX^_JvrM^V)*=PQ2m-97hjUa`yy zny-iKzx-PqFQxWf+)v)I?O59B8dVG_ttII!uzQEl9OD`flf-mHj*1GDmr==E>TW@8 z6izz98E#SA2$}&wE%9|sKB$T83bXae!v@oIFiwJ7ftC@?AfPx_=y^l9_Av7U=mu2% zj50i=@OJc_HKwB}RDmuw;CL{cQ}rJ37YZc>qMl*$5zlkn=NAafsPNEqmm}A;xIDgEh6&#W)gwaE$OA znrw>pLefui>Zs(tEE&l@tK6Zg8q~uaFCH-(281V%*-}y1g4tchxO;=0MO0qF+gVC_ z{{y`$Lo1hjIO6F+N-*pb9gpcdf}wPH+7TR|f5z~j!_(nY++c!zdr2@p<>>Pci{=yV z|M-$swIi=n-YwQR7POV1Ts+U^yV5eAFE|-RjLxUr6BEwf;2)29(iL1hIz!6|p3FG* z6ups;lQ`J6X7}cgG;amNFrsrdBu)$V)iDnbHD>724s+b1AxM1^-$S=MWYZxl`vj#x zi)+k0Wo;&SS|XGp5jB44QZFINJ=!EeNR5^t6(}H*lK9{JjLE;gAo}yq5z{AFKLD!` zMT>R7^(AfUVU6M4tCaTt{Co8K*LdS0oV>+^E5!ZOLCX_|evkI>1-N9fs{;k1uqy7&jjeD%dS^Y{ek?vnP%rE72a`WIi~ zE+jV}42RBpyk1Cn5#e`6Odkq4${bwNa1{EK{R3XUz9LaONWWn@Gw4t<_d+7GW`3E0 zE_ir#N8~lAZp6@?qenh23Ov#*ZgzMJmv?s$JpXXZ>cuS|<|V`Afj?d++-&D$H}~jI zaznK(qwHLYhUQx|8l zVxLc0Omphq9b#FcqLKzfi-WgP_)eE*3b|vFRe*2`z#q4v^C|DCnH*QRM@=8d0Yj*Z5R+0%DJBeau0P zT=p=!j~O~2F;R7os@p?JLwkFJDbL|`2Ca)a)wrf6?JQ7^q-X9YA+a zCtYGoh38AuX2IGFu-=BoKV>U4qYKM;kn;FqNHP7Ccfa{3Zoiqayn0Jdy;jI#j_FVb+xUmO>Xera}@Djgbcd0sYlZZ$>KG>S5oL1)(E^vQSJq`-4Jw_ zSk)qHL$ONmy&Z$~mM;$v$X}<(RmDIQR4a)#38TpcU9ZcNPcN7}JHYc?9M@;FOL+8n z&f~A2(2O5*dSK9xkEyIA__T*|e41rNeAb7c-MB`&Ry$H4nMUV16p(6!$+M~C-;}<6rZi6SRu0F8J7wlIVcZ)q& zzkkbOd_XD`)mX4xLi8BQ`!z}7Fm?7YvrLPE8`0syT~O`}52nQs5d8H8?mz$6n1B9X z;rA}E{V7%1p^<%*5$LAD2#X#{d{MBQJwb zmE1rmAvmI-MAM-92AUO0L|C_^PS=q3X>MFZIe;+1t1PZmRFt?giQ1Gjk8(Vbut^2c z*dkW}UN)w#B=~ED2W~LHOEqm1A@FIM0OJbEQnKIAklq1dW@!C2?%M&A)qsV{cGVbN%)n*|q%SCtskSIINNpDLaxabf#d#0M+T!Ej57?kk*PY$e2|V zdL2tG71FG5;|SW4xLHz$$2=N^IDUtkjAIv`e0_@QPI>z_XBf=5Z~Hvt3h)1Z&0%?o z{Pcv&cZQd@w=AT~RP0&BPdV*vx!($;V~M&7-Otb1AN9EW_LgGtCkD?3{OGF-KK;7O z4-W$tFK)538Ez#x`%+WX3Vya@JWkM3+dKWgWn&qcR^SmNrE*Mq7xvR z1Xg{d*|M($)HT{#L|fqrgO(PHzy=zSSmn^REwT`J*3y9!#K{X3lRehXX^IR-m? zjmT%XMF*rK92Tv2Xfidv%e6>7XiAC&}w#0o`a4AO!6Zjb)v1$wDJ z5;m$WZmRKS2Irwc>>b*XL2V?e38=RQ^LJX3}(btg>MSFf#Kxh8Kb_3@h0T29*Fi1O?ZmuhlB&euJk$I zU2($&wkWag2rnM;;x`+P}9zg)902h@uM&kEe8<%=&IK0AF%@3RxijnBcMpx#O%+u%Ar z`ErI-lHTH;%AAmlVXsr%RIh`A$HX3} z9eNd`mxd;-5YB)$t}q8K?r4WUyvNKHO1Lz|19c(Tdy012#b4Y}Rvom+u}%j)y~hTI zytc@vJE-@R_X@k?3V2(j=%b=rC>4%3WN@5Q+7&7nIM!gL0_&3;6sZ6HtAF(?PdoVX zfTFZe)l_DT=e;GUB65F=(mtNpQka&0(NH2W@9~wMI4Rs3lBwyT_%{EyEF*Y zgPJ|dFEmQ4=-;i{55hB;7nTbSl~D%`=vq&Xgd}sm#ChL zbJjuH4(N{wsZ3UP)@njk(zG8>eK#seRUfYrh%ZODkIu1+N~P%x4sga(^0mP(zCq-Bl$b(RGI$oF zQ^_pw3C*6)L6?Wyi0Lq+ym&^QEIDW!IDEvP3Nn)R6Z!+6PY--%ivv_wFg)y$OTkfF zvoR4kTi(83@zc*ra_=W}>@|ye$eV{b-Fiv%^pNYjhEJcC^wk-|UP#o9@j3$8zu>T! zlky2&UgKZPJf5K=-{=IH)VkH{yV&mhh14#ZALeQi}8eY;?NlcFso=fJ$$jD zBB!24c(TGSJha$T>kcMuC|yCaSrRrC!8l-RLR4C??F0nFEyc+N(U<4=Pba9Zk8KXf z>J|nHHnFI!g9$3gCB|zBB8g}nbO5cp#c#S`T#!SkU5F~`x+WYtq zi|55Ot%uYJj+P%K?)jF)_b|`z=$8Gj;?9@60A#Y984G^ zhYQ>)r!2-aUX1M&I8KHrj&OINbWMIL@V9e#aB#H75>qUFx^06T8RY61bEN4!tV!d~ zD4*mE_AzE)vA-)>tacooy`}0NBTqcM2ZL}*+Wi{!KmPLXepNUj!h7}6+R|#=sDL`c z2?c2_P}_vo>tkz4>j``rp`sX7<)rmFjW)C+L)KXC+m<}P;l4azI9%a0id`uPJ1%cO z+~7MqUbZpS{XHj9LU44(?!ge*H9vmVV;p@7K@U4Aa9tPK`s}+U(zwWuPd*pO!2#ON z38n_Q6YO-uLBEd~N6cR>xGz&aJ!sfgLnah-hFwBW^XRNcrXJyaxZ>!uGrU#KcpUI< zR^plzSGp{(Zy1hG*)JV-q2;W}5I_3~M}4Tgr}VOna(IXrxKu$OcfTb%8KF(W&`fCN zCFS7+yIx}Ti1^*F;rMfO5}>ukXh{_1)Jh_wId;~;iV1Dt6U#MCdVmV{wBrd*Hvr}G zQPl#pEy7By7TDGzD@&a>)YmJ#Uw=>8-V!=B*{z@)ju_N)3}gJtl2rj-(4qAg=x~d5 z4=AR0_-Tmn1!Y;Iy$Yf+gC7c@KcP|@VIa?2)W5%hBFAn@YCWV)7AUX5F#?wgx$NUM z? z_oU5)Shh5iKDmlXl08#funJD`dnLUCg&SzrcQwW2F+ul+h?G1$MBneo>I3ro8`KWc z*dw+j-d>=ecKG3&Yxavdk3Unq|K1_a-|_Rm`I?*CnD;N%f()-3vhh2_y9&!*Ol&vM1eA>+H5RwY$*@GeBz5|f!UB>c@{mUZqNf4Q(GgZg zcsgKDMVxCWEJBC0%>r#S>Zm2(Cb+$TO&Q^r8E%_V?Iv_}#m;L8{5?)xtU%@f8`9~F0~{Fq?3qVXd3-3HGuG1)P) zSF^A^rej6xh3pq=?CUwM`vYNlhOPRfqY>iaEq?z1^>6?7U;HXqRYL5y16@|OSWGzKoP}(laxgo55b_Kl8Ec?|KAqxC_OWlF{ZI>Tr zceI-w!=Xo_1I#AjYHis(+;V!*;tG$8rys7i60R-F4^=N6Zt+yVoCxy&c*gA(ED`KO_t-;Xu(O z9%I?y);)Oo48K{D8IJ)Q0?#L2jd6T~>>nYVh>q8i*Mhnd=p#k-dV}bn(Vdi-U_>Wb zQML+c?Vq_c=Bvb5;~c5uY< zD`0LM^uR{*Idse+qc$&RsmJX0dBgVBxY~iJL z=?nzA&M}oooux!!NL|D0#A0R(iuVO~+XvdR#F&5UkS{g(Y(h3GnDS%MQD(?$y3c8%*glp?`O4C{hnmb`X`1s(n<^U|I^Y zqN-|w%3?i>3@e&98^W_|YWoD~WH?@i?FtH$&{i33HN=S&HonEq70QiprBB`~Db)ZK zXLU`H#D zkfD!wvBA0j4(Ul$oKZcxAa1wpvy3*EsQ>Bje)=m~0V={1YxdO`=}LS7*dCSMp~@EH zM99*o?iBc5fi5GQsX!ZnCnb3iP*okupy16nOT59FUf%LneM!E)q@T4+JwrI`;1n@` z@vP<_%L}6H6;H#4vUAR$7ef$0+$U@`g*G^$M=&$&lODn;phOs5c1d>qz}Z-nTsiDNY{B2K ze({d<<~{paMrCT^P*WWCm}F~;&_{bEyO-cMhF58T4lF^sVImy7QB1O_>AMbQS0a{w zBtAW%)*V7Bj2vK!65BV}?tnILQ7Xq>4rppiojH`POT9}lT^F|-p&SMMM}FrqiIT-sYJ##D%WVSr?P#VETh#^ z94A4Fkod1ZN&L3R(Tr4vII}!a@u>k>sY&at}5XY#l{;tdZS}d?N`( zhF`->d`z+5Wj-gPOa8+*;6Hp%XS`or&}(wK7k&IDLrh~tqS

      $ zrB62)uSWkrC(6dk;L#dh7pp4UXl3~G<^O@b*F z6i$Y-73?l^%K!MB{Qr5*csr-8mgvwxE$Jo&a$Qj2Uf03ZNKL_t&t>uRikd|so!-=V~Ftm%Ps zO~r)D-Qm)~?YlJF3SQ(w0mkuA2QH$%!qyXby2m?-k4eyyp3 z97{_ZR`_~IZc^gD!@PFcs3E=Lj-4JO)HSt^36u9IeA>$4_SHQ}_=A>6) zlRl$i#fK}8t5)zu|DLPzG1k6k^seGYN|rBP5=9C1KEl=yd~w$0vhx?5cApbvr`WON z#t1&|K9D(traRwf8H!5p*$Pk1-+g?F-ueBZ}@50<#BIBa#T6bZNQ*z0KIk z7=NiT(*PmBwQH(yKsnvf#xY(x!(`_eTSC}Hg-dD#!rhVIwb=BQ;IyKN0D(Y$zdk|C z42>RR#;1s&!V632X6#gkFQ<6t9!}LITkn~_z2vZW#eVRN_@PVbdUWqH^k1K#{)hki zU;WCK8G$>csT!2mW1|vWM zm5A8P|H#{axF^aNyt-*HZ+>7oFG*j#=jQf`aCS{0;l*#>;Wt;rPmgI@$%!9O2cMDn zkXIYdv|-=-oXv-X_5b<`gR=~V3L;hP#senv8RM_U?B)?cGw18CCp7gVs`WLEw-m(bWf?$B`WLEx(V{_pNRguzo8N%V#i1BDujJN zB&W0jN=JPJBep9XcY+sOB6N(C)hMTig`|4*fc)k^Qobz+Rtb&WQr06pe~0#SOex8; z2{I7))e>8F5N(Ssa?IfrXMaV*F-~|z9+W84rxKE0kM?;}LKE@F&j31yvJr+^zYcddl*}cbp$3tnND8>>tQCIVLcauE*Qo&N&M<^uL^v zt~9snIiK|$)WI3IvxeSePPj8{oKyU9%IAZUKV;`*HX(Wbntrw95Be$9cmKdy$4~@M zL2jWtVX=ds23uPH0>^h~lA6Nt>1K+-AY!#l@#`U;TaZASXg;+OpXx z)cTU{=qc{VA>H-qnk&p0yh73_fhwjrE^M2}M8_G%3dk1^3}39!(J7%6)L#rq+&!T) z#QDnuq`S#*+avPw9m%SLFfO55Q}0q#=HS*N+Ph=g!h^=81+vo|kw7IJL=}?U3h_tdMph=YzNAPXbtSzEhfr!LJetuF zZ{IIi{{3%oW;GJc_2rzNol)*vve_lmvzC%BGTjkR$E>o7*$-fAcfS%^7cA zKXA2q&E=nd$J>3utDA@>|Bk=V_uPN$QXF)6RZ9XLU~P(ScXYZvw$B$t+K^dADWGY( z#KQ-yN(svyfe;AQCGs|i+Y{=%z!^s9=f-o5gvN$QO12l)IoYKO)&hZ;~RMN-8IFXpvab(tR;CU z@E?AlPJ1Y+sGqv%-imZRCjRp;X#V;U#o-~v@Qh%q$ZJh-($Jq6n(mOi-+_5X3VmYN;ws661ddO*+yz{37HmG;GuvfYZ%bKcBwdevYZ*8>7oSe3)rjWS^2?w4 zg#FKXXj+EqifR0qe5ZMr7s!JLF09KYiuvMvg?uY``io=Um#6Gs{};MVg6Q<9^9nn( zynI*iq}b5{&AkDC~Tv!*;~=}u?Nb`C@lg%ZrYoOGI#Bs-Stm^L31 z-|tz_VKa;^@*LasbtS=B=gDoV!EGgTBT~T72 z9*yVn|B-YbUAAP2b>IKzobVAhuD|K?<+Jswx~sbyZ2+PHLJ$RtSXzskX{L!Lnrbb6 zf&MfcYNCO(sDTV232Yd)FY|o*%|5>*jJZ)m@}VSjeY zyMKDa?&BNwea%>`5%q@E$y3_5k8Dg&xlL)>9nS*Tl*ic zL$qgMs(^Mpq;^_pGmIPohQ?pfJ1%Y}*+vKGZb@IeSZ4!l%O-zl5x@E;tXx80vG*XV zhcs4?V_GaVplu44CDHbjrnj-2hHB^ISQCuuFnvSqNK};4UAwsd_dA?VH}rZ)Jy{c} z8Qu5ixUVlL4^Q~b$Yxw@dAAw^HS2EASzJ*HV(xxv@IE&*k14{I)M6t>*#{V-`{e-yhQ7QwC~s#C9j@`bn5}$6AP0GzW3RPZ@yOO`#TP1hUVZUo3B4G z9oYmYKJ9(Rs+sY#gGWAmI!BIb^t~iL_PF`o3iio$Dkk*0M3x z_8(Bk5u3|9zWyfV&DX!=O5E_{FP2>VH~$?LA#aUCF4x?NNAAiyiib7l|LTM{S0!)X zeaoBw`G4c~-S5~t9#zy*3CZ^3ikgI%vf+*RjN3|ZzIsO`W|TYZvW-0&bW z{LK|7|LPe|KIc$2Jo|6|ocG@pe7e5o*uLiD=!{|hkMx1UtvZ_6;9CXOY|g$cn0Y<@ zzQ?Qrj52h?HEtEcE=QIpxI>8-+#~8KrU26^I$z_oIZEUdwoPI^AmSFQ6Ucc-+AWzn z6^c^&_^Xrm$-|6t<)320MB;hwT!-c|tcHQH>;x(Wq*S$!!V*L0d3vD%OQX z^UW{GZdT}TKjG?}uB~at0ZOOX<_aPn(iu(nkmBqskYmbqjw=+hctl1ProP7PW(3l~ z+e-TX^;`6R_+O~+-cWfq^+IF)@PhJRe8%>(zu?lD@Nrw>mKjAWx#>%iqGBOBwoF;A zhD0YC%f#eO1&aZJEePX)+W4%MB0f=k+`@YKj=naW4qcv~IF$AbKikm`Cp3Kn<(?-4 z!$vNMgPya4nqB{lq1e+eUa*-tc-aR!_mo%hn(N&H;}>+cpq);Mvn%e4bCO^F9p`_2 zPBwVL^6dsIOlgIUme3dT!y7ATYa*(hLcPF81*jE4rf`c0|jF zliqMOaQ>(qCpJeVbSk67r(1;7>IUsfs$om4Z;7lB%e2(@XJ`+6w?>;Dc0L7m51I4Y~xZ#9oYBix<+RmMQq`U z3hU9KkUqNYXyQBE!iChM*~YXR3(>vDZUs~sPNC`BJ+58TE%wMxqf3de9m;Tlo<87| zTRLYBCoAl*MvOi(8BM51Px15}GK{FaTc`xOaqu>VPC4+f!#meB%NmXh-qJ!GwA62x z_`OeH_w4c^Cb1a>3Zet`@BYib`bFM?@7S1hk9Los&%rxDrWKK|k)}ik(Azb#TG06( zR6Q!L@k|O`hnr7`;*h)(*rP+l{g(Z<#hgVHmSFcGgEw8%Nw6J>u5OWCgw_V-x1?2o-R^LOMABn*9V)a@t%gkC z%7RYyShB;`HJugUCO7nfN0^jo9bj_kVh_<-xWNM^ozwFXwXLwa1Z84$?IXI1Ugr1* z4yr7_vE!eUQ~qFIc;!&Nwzqa zg4CswBiJQ~%BCMEx>twvKYoRHeZr-ju=eM)n=2mPDXdvdl_Vs|h?`G4tn?0DkI)N= zyJ{KtS3IUMXWbrs5HPn=*5x6(y60i;Fh#hZ=zo7pH##7= z`NZtZ<#%rk+vO$G7ZGJOHqLNBVI2_|iENjs)_~b#1yjn##tvIl6@t|f=!$%` zKxF@ndoZGG=2-C^R$ZekpVoK;evKK#ba@5o6dZ{}Lmp!G0_$Kz^R9;J93vj-w&$qB zgn9*{vB?^bV!Orne~mx?g39wSorh{Zpk^~fr0M(##za&T4>K4suq8!2BK!3ns=vf{ zYbyU4>ZFH{CC=m!`}GuAr8W*@Oj-gReO6=L8QR3cd+{E*LEOe-kXI3|a7&s5o{GUd$faXvrgcT4#6tN(+OLCwL*OMV!ga4KFf zF>@M`QGe5*+m8Ixp2i4dH=!0io_HX55i>h}#>hJ2t!@a+-|<9BD*YTM5R}-6-zP}f z5ywZIj}@Q&*MCMhet}$7=)>V%ru7aBT2LC4u{Z zai^5hWq2GS>zrzDVTv(s3XK=gyE!U}=$O!mF(L?X#R{ECshb&P7$es%eYitAA+776 z^N@bfQHvDim2mis>ZgBA^4V+N)Gk*=L9uJuWtTL0i*47GI-w~7c11;=USgFsWt8yD zt`SC2coziIAtH7eWSXpf!dR_v&cDyX&WV>T_4pZ2o@sg&)9lxHFG83K_%EKsEc@4N z`cx_NcLl>UI_Hc%e4Bd*|r;2tMV!18l zgH3P>rt^_jNo&RQYm07bLD3@ZSYTv^sRy(tM_B$noO;BgKajoqA>H8%gtbLmlw6M4k=`~|x%Vz~N%5;ncHr`H|r z%^g*ynYSsEc*=ceGdyrnO;27vgN5R+{;Tg1*;C@7NBv=g=@XOzVS5zYmUZl+T?;2T z!YTK-W=bCl+z3?LV;^a>QB>0gypsI=oN_QEvMPEn!_0kZ>EK*wia|x0Ksn(l(U1U7=OmoUSdUu+;u+1XLp zSm`G&4ns=okdto3?AaM={0x7;p&U$j%rv>RV>ayBeit&T_iWy^SYkzxFIjx%lW7NE zf<8Xsaoy3EkJt)aSc=9zU{fgcvB8WA14|KD3U#DF_qe)cQ7YWdW?Op%Pb#F9BfFA^ zdqItdQ>^ed3NAgW0NN3)Y;ZS2#I7Wawxm&nO71aL#2!#l!k!UErnIU@jtc6{oMr~8 zv1uB`X8j7y!-}sTQ#SY46uSmvm+;dC+28&gaWKL!Jz7^|-7LvhQ)FAA8;`~rQdN6& zF@?FpaZ@@oq-!>KgDv)MgO$yw>in^P3|J)oHUyfoo9HeAzL~G(}cT+8g&ujhc4Q- z37$z56?g(^swMSmMy+O8ml>iyq)a`EhnRM}N8CL^HNy&8x-mFeMsJ1$_6inzDr-hB zHBO{4vZl>D!p`Av9`WQapR;2K`3A4HnH~=~;3Zyff!b55F;~A|(RCSTQH5n%MyGJM zopb&19oyY|E+(2E9v`C2kn+03C*&-M`TCvDic12y#zOHApB_ogl5E*BnjK>bi$`<9 zsQr%Jn-K@!pOQ5Jvb#g#aAZ8<`4g6(Z1&ZX{CY{;3mkVyM^Cl7CJt9vX@ne};1>zc z%^o#9qtzRtre``aoP2e`r`rbYmbA?ZPv)RpCW8{^?`wj^8Nzu>ML-c}(6-2dhp+ZD zms5NhVW|o|AHrhKK<%jWHIXOjQVVMmf_}irBOE-;C?O@LJ26;}M0kqgBt|$r7 zAdub$z8|1PgD@Q>2EET|&ola+gJ~jEI6!S<-0BGbVM6Ji;WjIp{1|;Gu}3>f0^GJF zX{P9j!78CX2vNxj&dm_lonr+Dh`|;^gCkw4kwZK0@xEG+|NIARfB0{?F*CM};Wlru zyOKIdY4#SfmPqMSWI2{4!4_^diFwuF66uVZT6V_L&h+o)zrT{_%U z1?6VPzJn~k=4QX4u^Y^bA?4qEi8wu=bOIVR#GO@C2U{GgK()ZoL63~~D6HxrI;|GdNb!=A( z`Fh1*I%L;}nC(Y?VqC=GYwoxAWPBtSk34zxjNG{V$)KbiA94D^FcL%dH7vU!gRe4< zstQ92&isIrCkvDsVEZMbS3{1CV#b668PFUa@r0hqvma5E19oc7Z|^D|x_5m3`Wjtd z;7&qhcLV1$;)7>A`QB3={@)K+ANJ()*Qg)N=*}h>F~OM`dOfAPn;>i#;~JLem$j3 z8~n=9?_$&m=b= z6i?4HcFifB-r>1dxTApP{*JXA(7u1ei_-}U_YfsR*2f2Aenn|Hw3l1PolT#1MBNV8 znL}!Dt%frCNMvu3y5cM-*_96FYzni4o$Og|JeIqpK>)LX>zh+12;$(HEl2uhoYEvT*(rvHN8 z8&f2pT|?lsn1PMBl~jI+tX))GV?|56U5qF~`p%{A9E7$peoP-hdt#A{daSmBML?f- z2svaZQYzn~bOS^;^%~vytck(%UZ*hCS=2y3Gc=PXn&FtV2ciZ8OJ$&{Qs{|=pdVPrQwsb?7 zUCfw`zrY*04CR1!I3T0sA%)RS001BWNklT?dCB}~3Jz|shxd+(7X7}Be!J=l@ z%(=Z@)2#NW%^lX%qCE-8>X7}eq%0*Tm4ko$oPmE!I6Oz+8r*bE)fwteAxSV(pHjr| zLxqeb((0)f=8rL*n2;Luf?{xn7q;~6n5GFR{Ej9FanfV#xr2GqV0krNxS-!pNT-HQ zLB9#;qL$>e1Am4*nq%S^_xK5wcY%DBlFcdx_5f#Tp%66Qgw}G=(;i1jBCA0Z3Y8CV z%!JW#NOEz&G`vEsT{=6UKlVW=dQnghjxdJ~Mm31skc=bZ!w6=l+#j5;9sdfXEme8s?$xOikuLOTPahKQ4#b~hy%j5u{~NcZPZ8iFLIi9+&x!=|)J>j+;y zP~|cAg+pxC4CH`i>#_N=KnibBPaC93=vO|SGE7uUB?s(^j?R%-(+aoJLdI)?RYp^c zDY}}x95Yz0>1q#uY|zyM#%&OC$!5Jm<{eGm@hS89&c3Hq0{QBY_9s7}i>9>qAcF() z7?3@^v7nq{bcUl+x@d=ec!L@niuf(w)+0w@^$&<7qDzMa3DnxhG#WL}aM;jBHuk|M zyad#(#*rS~@CI2<5T2l|Tg-t?FCv^XNjVhg#{?{mlr_RyLFFK4Hna|TP;vbq@45ZQ z-(ptpsndkUY!JRc{r8{!>=zU9ElT|uZRO~$!Hu_g#zHWL;62@DhPG0i!IWaz0}#E8pvKoWvB# zfTQOw#jxSEU6RRXypERK=>_&~O|fa%wkfs?dA4E{%qi=d6VbDqJfq(vM4`+4dp~7t zHDLR!d&%rr++ z|1n>D=`)PZDB^(TzDL?Ng*=ao}+^U>UvIL zw#26%>2J1V-T`g0Wq#)J@h)NH)nw5VwAwO{9;y47WMfF`dtNU>qUT?-{Z-E4;hOm3 z8NJf1t~%x?858C3@vToevUuP4oRq)Co}aL~Oc;7wuGDL13VBZc zq2B|>Fn)%~BEo7-JN7Zd z7O&0e${F}II!(yFDVcuN{gFqTxafZ{*iRJp&L>}uu)4QYz0bZi_;!J<6~&{%P3~y^ zdCl#wDvp!Cr&T`gr#)6+V@Cn%-~H|1{-XW;9{2bar5G`7uIYA%ly;0?uW2$Lf7a6* z8x?-Q3T^6M5&9iv@Q7}wMDh;YIgRC#R0A9v?C6o*)e3RBC3rPK>T}GjMpPjPkL_&A zoQ%bvJ;5Cgc&S&U`T%yUBs|dP|rV=f z#>VX(x-y|#jB!rZ^i_rS$I!Rf_7E%0=;JwbEyB~-+M-r-yq`~bm^_EbXHA1jEwtXz z0=q3(GZ)e3*d3%*&!`{3fs5R1nM?wSjrdG!6=`kW1F#eMPm+u@k(DQCd<8C68r`C%257A)%^xY<-#_#2US$cTcd}jHrt+y`bxT+R(uo7#ennwnwNI zyO|-a9S$A3H_ZAWr3Z3rQF$I+2~$sSt!+w?5ZWp6C}Ld{gndstZfUZd;Ml_-&*?jd zWwK@Buh63lnl{JNl6KN!cLj_hwAmtZNp1Uh_L{aEVjX3ad5f24v}z3f9ddRIrJ-+Z zNP2oxQ+X~;7g4@j;tn!YJfTfa@Y)J`sK`|g-JI@1fvU*TfPrNprvl3zAs=(7D!Sc@ zNtt7gjxh2V$Iq}9A#&ealvxU0_O-O6$2$;RMRVuZZ9!SPu_nY-GCh==weLV z`nX9z5l)e9fg&UHC7x|_YzuyRJmJs3c*-#O89}<{@r~l!-`^0(Tc-0lSvbVGDd~fN zQaI#sKs0*GawqugMT&7=Bd3ZO4|lR4?OkRA&Gg9&B!btACqz$wi1x>ves<1$7EpEt zA_#~d_KeD7WWJ{oPdTm%*X0E#g9I`89>4kK17rUk^Oxt$of+QA34+`blH2hKS=5*U7PWJ4~i%la~5^Nws~% zUM!gC5>dtEp2BYx>f?eoap>9zXX((VF3!=4pfO~rg<3Y)qYBTv!w$jI1MG!B>7J(d zaf&@{y`@{u@g^PGZ!txQ*fgZ2g?xO1^cv!Qj-_3i#wCyi#n!{mK(#w8sga^5?**P^ zi|@LHFpQyL*z>p(7&< zR>+M(wF=tp8F(q(xW!INoX=y*Zbc^)o4%u)ta$kKC-%DnEy12H=+_Frx-Pl8`I^bd z@EDFMHi|mG#C4%EHF9qeI1YD?3m@L{#TXKO$nGxT^u%y>c!WAR#q2AhvBn-8QCcPO zz9csRUf6T{U~@jc;=Y@+{_YZaU!g`WPP3!lG@MLbW>3b{sYE$F>S2$@<3mzWrc3G( z++g8bIi|K53Os_#9@n-Rbq@P}M%#z9!sFr4U?1F&_ZxZ&c6&hJ?@4Pxq*8{iz&8ng zKOh(ws>G+8Jg_TIh{XnTAK_PX+;oNMZSM2Xq;)mW~(_j6>Z_Mz0XK>$0*sb=?_Wo6~>QQ-#DaRiTl+tuKS91 z<-pq(-<#9;dpy~r?xy6MDPHg48J9MOv!cljK&Zlmd7zvhE2-^^hGvsoO+dRh=Ihl!( z`W_sOF$s~GQ56opcT49q&?~&MAUHihJ+$lu+&|o~6Di&*V|whOqhs35Bd0UPwiqLh zCd^rqq+|SHLt7cV*H3wRAjlSHtX4j=#U5|`jPaSo`QooQdlgc(5;b*DvZA}M$ybI( z4jGROjS~2WHoIL+KYFD3)Y8N~*6@_Hdf-J@kR5$RZ(71o5o(Duf5Ab1$#ytlWCG9; z&dUbJcEK^&u1%i%v?Ig)$00|vy z3aYOt?S@Xya1U!Cd!Ve?2>-wqufWT@Q|1S-6~AKpnl$=Hx-%)rFv{>;p5To2ZTXM-_-P$ zMwk%V1n$pZSkkBmMC%}4o|8R|SQdh+cFC)Z*76xOYpyp#MoN$>1GS`z6ag;EcW|_W z8u`?fpe-CqtHxks{{*+Zq&+!DRVkO-9iFcF*}r^7p^wlH?@3lJ3?cS& zTw$}yeIoaoNuKd={Dl1S0|U3Ek55PxOd><1ha_rmh()}m(i%a}#B~U3XiE#xIp{&m^1A1#EO9D} zT{`6OiA7>MdbOoA1G0R~;IPJNTKf46CrfBsK`|a;s|u5j(6PYU2pV^e6+BQ&3B8TX zh9Cv$2HebLKie>J1@b&g4CSwt>sZXs?x7;5%!1@%5-GR-m1r`Qb9 zk;ZjF{SSwK_KWb~TUzHQ*hP*?V@%l4Zbm5IqV{TBdfF~R4=Z$PBaKg^TReA69cTD^ zK`w^~uLkjei5jfDLlU9un(%pt`1+7)RFehqJ08JD&65|M@-V=aNo5!QH<{%@+9OCD;8cR8r9j!TiuB+t&E= z6jz;+R5jjlLw5%U!&_$k5uv-K+qlTb9lj1}-J0YdHOH?$qP?$xhHeJhS~9(M=|qH` z)p)i>c^Up~m7PZ5N}%4y^<5QmRbj5aGrZRofwCL6?OzwxRDO zZCwEs5+A$UW2GUzY0=phxo+tu9@gy&Dmg^9J+fDLqN0zs^tzz7UHWZ_?iWaROW#hg zOiLGLh&ZM_f63j88LPCSOKLK)$8IZ%dW5)tfO$u|ZYa<+(%=;#?OBDFWVFP%c8$(U zOeJs(yj?r|=Kp+;SAI=v+r*TJ_yAe#q4a4y#b12i;7<>EdnvH}jEQ-mx!2UqA#{88 z4<(DKVcCW}&8`_7y{2n6ln;i{ETLXj934pPhlF4;V7JXF%$Vd4-!TX~{I0|t`lzcl z_!rc7AK4`xX3!C;0h2f*b;fLOZ*hP2l&}Be13!3H;kd_~oyT-e$UbdYlqIj9P1z1E zSm=`4_(GGU_{2J)}@EmbF6k6I|WWwu0Jg5%eTcL+C*y9$9`=bkm6OLL+v9 zuBlNB2xNxuHS7u>ix^XZ>0(4{s3#$_>0id)}PX6DIy*VS5Xyx%Zl z&c+;Le3Q_XJd_5LzN9}L;g(0#&c+=t!3fb|hp7sRp~4qCT4#V^9k43{CBIw3%Cs@n z5fPr^21|~nNi!JH`U&=n8U6W;;b@HWbWBMC>yCr27_NGGwP!X{f@<*AWPmeKHpL%KO(Nxk?@&<>N9cV^p$hE6K@V=}+96GKjWivsgGbkBEY;EI5-aN%gfS!r zyEeiW4+P^GowO-e6&F!PHT@wnUlN3Kvh|+YaZ$yRopFxaNRE!jY;d4Ii%ATJKsDH< zPmPZ!QmBqRzNwjg=_0fbwTUNlwnfFzu6Z;i-uoqM%Oc4a?9zhq@yJ#TI7VwO(gmCD zOD={zvg+CQJ=4pE=FKCn7h`!gQ={Y9KE;YWyc7a*>DOp}M9(c&F+~RkZNEgE%@9^b#dq#fU4~elKvXWWH)v#sCu$lR+~Wm>IY#V` zh~p*QL~&3)s2=G$bcV!r18grvD@Et{xIszU574I-O12z&gOMFkk0x|wOEm})k%y4~9}Iave*vqMENxMNNm)K(>JVM-s1lp* zFvXj%;KQ6a(gfoMxwdKJIa865rX8l?^GJ#^BoFVG+`PS}E*IG6a||b7u{mjA=TxOuo>wchjUd5^)4vKXSf4r{6jYLi>rVQ}(*C?&!L$KR640i*4b z8}pn{)-(ZRMvLFuRYg z+R?aqhw`VSD#ZzGs!5Ld-a&5~jP?nl-9mna-0sQZ0KKxH2`F@dEewzm`DYJv;;}bM z^2+0P3yXWPCvZKyp@r@H)Jjk+D~!MWnxIznAKqek5exrF|BHX%;p#QZ8!-E?7`zBj z?g&fwxMQ34wZrAr3F^rY5GNzb&SX4K_!vrL_{2rDPszK2@wB7OBV4DTRU?!>VA~Z+ zjcGd*3`H96p(t@f8?8H9KOn7VSjI;NJfp39dZ(ec8fvei69Umm%tUi?DhS7C3{NZ` z7arTk3ZB~0*DkROo@G$(;X-=kxxrYP3`7e42cEV!Bs-s+kibwBVZb^*LB%_68p-YA zfYYzY+;ehwhuf5VZ3LM8J=YtJ{%G=6Y3gpr-6BV(k9>1eGE$!yn@?ySbGm*{<$CM`YC)V-ppO={iAvRY0pj6-d*itqQ8_ zDN<~3B*@u>?(+d<1{iir{?#7m(Lmv0og7gMjZ91`v!rjwtYwCwQVc>=nBvt1epO@H zC0c51YfU36%0iGw0{Vtxbb*LgG>d@NGI5%ggOGH3g<(s4Vd9qeWcyQ;?a*2qw3AbM zEBts(e{`@1ioSPA9guO0^D^YleolJWk{gPy?WwnW8a*VHHiqcvYzyQgRS^-L?il)l zZa8P)*?6I%BPEZ==zL3zAYW;2-{wS7#m!D}VXs)!9@U3yihM;_)qF8>co0|k-Ja<* z!8#PgVT{Tf22T)lGfuX2m7?vghzgT@6%lzh|M+2o^Z1t4vZhcu3#r-GD_mcYOBd=R z$?!XjR8hb-AG7u)zTT3R4qnsZDhDsxar9e~az&Y)Q-l`NV1){H0&V%D|$%xaXleve!@OqYAgo82Aat+k&o5Df<$s?kQJ0<5Gs5R?k?qNf=)$e}=smbSh_OtdRDotDYES1CJ?}q&O@&oVw)8BCa>EF|pE7IH~rJ&4nh%K%zPl>+wC8NvN zOa^CM{nPI;{^4tW`t&7I`x`0?B4>=2V3Y?cJ;ifNToKS411z(rYzI^hxX~D)3UaN8 zh8D`a$5SqX9)=lKTcVl~POmWv5621ES}}F(P~j3u6W9=X*ax_DeQjH@quy zrr8}$7t(#&@^04?+ehsCBgf$EyQ@J@WVxQDvB)Q=GiU40f2aN1Rw7Ry*{;Ldgo% zH)OVn8BM7J7uzhTb_0qh7HMJNcrnr!Sd$|r2TVs|*bAC6!FFP7x5DWU==2KA2uh8+ z7kG|?+dg6?HbHoRZ9p<|5v@(@q%^9;Y;syXA`tpJu3@hzs&ia_NSDQwkxQ2ggdwrd zpHuzwE0*RNpX-b|J5ZWARnlXU(l!>>r#(kE#4HO8y}|KAx|4*oZHR(L%D6`D3l3!r z^?|fCX$nbptk{(;+s%ej!H0J@oP{~jE!6wZT$~eO^B!x5i1xZwj`Yam5{ zwR7R%V7;udJBvqEusP(kszw|ND&>;jN}6~~v$-boT4X$87n_Ka0pfW`+D)kg2Ps!{ zSxlEJ><=wXBZ&?h>hzS{yucfLq}6L^Doo#`$O}xrMjRff_7&Bkq`f`R^#`2wfgm&J z1vItE+h6{In`OzTzxxWxU(wh-M-ft55g)%*RLu@uX<8&jBawzc7#6k?mp!`I-jZsHRv(j6t6L8q(kGZ@TE;*nuNVYRvNg5ixSWY50Q2> zdVt}ZXrb_|kjLuCQFnam6wCMTxV#*)Y|p65H9!7-h?!a(of9@@Mq-$(M1`6&(Q9cUliRAcUML7SCD5B;U_;!ieM~LYF&kq>1J@;zJ3D?}6T@ltt zl#$@Z34yw0_c%iNDd(Q#o7D+V2k&T(V@B1ET%8fS3*PTTo(wA(IGBcH`&cm?9ykfc z{JOj1#Jr(AX#CJbwE|li$j6-J+a=*;iyh37`-IYLz*AVcqC2=)L4wua5tbgsVTXOu zQ>_Y=RpV4XM{S@*jXBB@U!9>$Nu6o13gTW+Zwjhvgqmn%v&N7qq8`xtC3e3?-i^pG zQOc%Q9=dce?F>{yIsi9w=+Y8{2%$r?en9j&M(JZYQ#yH#I*l=YIO20TrEE%^YJ(~R zM7}{T2BgZv*Ey<*s7;f3vZl5#32mP?D;dN-Y2H)s#~g(ubaJwViFamUZF4@BAx3vY zef`Lz>ErZ|j9*>w@J+>KbmZz}PBFY-FtCZFBzTfg1@yEP+ea}E!ylZBJ zqb-MYOY%J*b~d>+Wza0ibwoi&zCIu#mu_3|lh-!E`5A=)ulow4bE$J5aZzI)3=B*< z-BGC_gRbRJ**K1aY3Fz%!0IY&CGn-r=dFday}`M1XbczEhNjb;oR=(n4_zBftP%7b z=J{dA5(nWQMEZYtG7IUmD0TVOWZeaY1$c?VbE+dK36-^`!{SJL)tRs z#ZN=vwJ3Dx001BWNklOW4ahhAiIpZHxRm~ZhK_Vd9=YZ z?2~V4^BO}!r8J%1)7dFX>}b~tHy_al3D!D8q|a#AHnI=s$>@C-X}_mdAsCMsZi+MY zkjXs?jcMcr>nW2)@Wk`kEjlK~Z+ZUg1?|p3lxtKYu!M`V3)szV#-ASv`cv!*vip`z zE9ed(^R{Nc>yeg8bEs*u9iE>s98MUlG6tPML>^aXf`J>bo|??&9=JbI_)hRk@ zq51;1=!s_V`(O0<;TMdjQ+lHz&1Dvveve%k93Ogyeoj3}Xy->B>xgl#F!})xd4l~S;z_tAx*sz9 zV$7-RNX(G^e#ptZqwHd&t$E!a=#rP<`^W%vK#RZ8h&DNrl%MI7`4N`iaDHXjzxh`IlDe!mhG?(5oPAGYkEXlqtl-2 zu4Q0`G2?XYN#OBbj*D0-&;x--I0u)PnRp9E1?eh_fErhZ}_2-oKQ`#oO6*=u9qVp!0 zRmnj|*dsx0RWu_XYnOr-^TQL#KfR1O!{*i32JN5M=({186Y`f(6ZbNITW&RgZBhF~SZJ+@f0>-PqW& zq3Jay0&AMn)dS3;qQfSrw^U|;S65hSggcB__9o|c&XW_1&-D|M{ubxuYjj)UO)*IW^fv(E1P_A+-ZS zv7pzALB3$^U*hXE%iJJxw{*3n-gzkBM#_SOmVMt)IhWY&HDklXaHg0_p;f^7$q>ub zD8ofqE)RdUBla4GHaOdqE}vu6DcNt91k;fEYDoX!5W5Oxe}_711vbwJ@+ zG{y>@9$^nh2-Q&)L-epgbOpUKs1l1#Zn1lpT2F}77WHCG^XdglKcM{7vGD^2?j!4? zrg2*61!B9VbA7sLLu*v%T~FqPSoEl3gYbPeVvlSZ)Fj7it?z=_wngbQeE3blFn!DW zbB@0Kmb;01-h}bvy<{{w8;0kpfvTVjoUKW^} zAqz9)qB&5tQ=BxXAAdozU!jyo;MTv?fcZl(Egk-hJX>j z;)O1~AK=N)bm;(Z=Ci($%)165JW^9LM6zjJ298HtwKS&B;M^yZ8b3K=oC+yTA93}B zbQ}?nO!Aioq3zO7u5izXSY3jcIS|h=TpJ^_an55HM7Z`X#x}zJnI;?mi2Iddz5PTm zsJY88>C}eTUxuiB#{I*NQ+3UUuUo==L%MiNa4vW@ZJ11EBHPNMBoOueCXzB?8d7C4QM9Pa=ZiU4~Q z)AV~(?o$UBczcZqOiDW-@m72i4%YS`IL`hV)3fg!naR|r>lFSmrki-!L5iCTmRW~o zN*X()8k&eyv90E)@eb=|MRxvuymNt3^{koW4tpN`mfli$UVtxBY*lkC9h5&~RhcAR zN_xm?bc}Bt$n*qZ?|C|pXzuqEqbVn5%}eQ#w&zSD$!+`+p97O3r5K%JIFeW^zIxPz zfA{Ygy?jPIACP$_)dYOq@%UFJCx5)8t;c9R!3jEYvBoTi*u#Y0%jv9=u(#2~ONhBO=O)FSKj5|J{h61PAAiD{j(_oJz z)h*1Q)NHLGFY^X7EcrUSz`gxP+`vSh4CwEUsAp#wcMtsN*$lfMP@F5uW6vzF@U(?< zG-&E0p7PK-qjxM$jTE|)wepx>R_J|=rv<%bfl>0iyd^9j=$r&Q=}5K_)nSJjkGW5e zr~sS@bs|DH4r;jAVvBXq+ zjBA5TjG5az>hck7p3?^z&C!FdL`Ma#B}g}#WbASfE`D(UKjOIZkcmxl>d`!#;wKi; zFtBjYR|9k>kz*foRHOVUrjqorg)#(2T_WaZq`4pued2t@%6Lw_uPA@_mfg97e|F@& z)!36~y!l!oAAZIBrGw>72@eXQzTl7lNHM$o7g$$M(ITJ~4vh=8VPX6)zxQu`?wWf{ zyTcSUwRUg@&T(4-KK1J6pjvEp51=rn--l&+H4~UCP-1d=P&auM?JBf&lob}$r zeS9QJrsS24>`b~o_hv;cVU)0#a01}I?t}#!1R8nDA zA;OPgU?GP+?a{}%^5{kuonvBFCY3cqo=U>5MrohcSfhi0zRa-5Jbz8&2Q-HY z(L0C1WHHpKQGFp2D4B_Xir0AmyIn zxj}F=FuI!QK*MoBqziN$;i-apw&%6ok=~5yrxE(FU^WXF85Q+Sz{8cznYo}0hX`+q znrf!HhPG2X_`)IEeWwGHA;~Vseg2#$Nl&^6u%By8U6Q2}y5zucV$jNz zHn+L*3vTvPBH`ghEos^#Z2@|S)Ay_gXB@uC2-sqG3S;LPt+vp@g~+5|3ry2M9*(%< z2+OT8`hd=_5ZeZC7E<2jwAv&yW87egPII(3$8>Kgtq~SAUYk&`BI_h&1_x|>Z%eC& z$e>4cE{2&SHZih#L=M4hhFC#`-i**;hf`}RqsMnU96w^;SeW|?<^V*d=ntAYD-o@Q zS05-AIdz-B`Ub6Q`b;3p2D>|g2uP*H;ro@P1y^`$i3rus)QApHg z&%|CKN3R*XDd}d$=|#oKFrpg@`NeMwn(eo||HTgUJKlfQVf@ek;wL{3(|dIA2ZSmm z+l7Q7bXkj~eTufnYCL*3!7mS#^#%H9(Wf4^>Cq_*Q-Lwj*i}zsDnxTaFBR$-;6w^- z6w!AX;bui!#S}|}@o+;%NT*ujr#@=a;Z3I0#R5YFbmaI>&Dhnfoe{Fnh~gO2_GlVS zsh%<#Ut?4;A2xHM7gNf+-?H-0IXAKW z{Fd9l`b(mHg7+%qvAtkCe@`z4bVh=*E&OqY3SH<78u{IG@f|aIuSWF~3{}9wp_$|q z*A{Y~p@IgnIUqk-WRZhCI3Tu1MAK6Q9>zMS345%Oi53ze8yNdken~idN-Y(c7a<%9 zZHJgkWId-aP4uOW92{uv6RJy_@VsU@dq%Z9pq&}c3?3g0+`OT!_Eff{Ed@#Ui87f{ zWCikKjCWXJ=ZdB^=$!<|im0p*nHY@H70ac^{boa%9cXtqJf=%tywKb-#@JjFcamZ{ zVVUNf7deZ;Zflk5*M?YTG)jE0B1@MX#rHs_XfwpsDZ1ZbjxI3j2kLT;uyPP%0$-8seT?uF(`>OT zgRYO^WKMjy=TH7P9g6W>c+Np<+D|#+-e&RY4*w=ZRW*iisJsYW z^_a1y%@0)85a}*yuUo{_pv9z%k0iFHc%0(C=s8^q-tGl~FbL|1$`?E-cRWll`JAmd zyMN&OFUI7>2)n)pJdRt9H`*cE3B$f5Jvy}c8q*r^Qv z*s{hf5*|&Pq|cE3IigHiw%4q06><__?T+YOLte$m9|n|N&iF!O%9MQJFc7B*A+YO! zc7Kg$P0{^|VlyR}n4||E|8+*+)rdijtOadRV+TH>YO#kcU7pjO?D4&f{q%(Nafczs zcpTsYyqlJ^PDsZ+SNa1CFTvlShXc~b2a?kX15aWEF{kDw!%>eA7KUx&OF`dR^pk+@ z;XRFU#EwhsqoxxxFl!2xA{q~MQqdj{xb2pMbf}u4plQg_TdK&6e4p_Gs&XzI7RdDf>i|7+cJ@TmIYM|1qS6}jcQZst}hh+01uY8By z#ZSl#1)r9DYo0Mk|B5rmV=z5qbeeDxNIn%Yr^6B*jp&X&{vae6hU^xPOrBV{;)Eui z5jHzQ$7dN1@g7&)e7oW4L~^}wI5qFtA8eB8nBdg}e)5{x^JiEuE^*G!5a(z3Pv&@M zr$jR!`{a~x?Bh-+n0|~ik8x&G`r(KmNw5bY<}kq+IEcWaH8gINUgt>t36 zA<{4q_>_jkHccue0Wd5{BLz4nQi5$7w1z<|Jz8ndY0Z5qiI?x#olmGTMY{P+`AH!! zp~*lTg*vA^UZ;0mqT{$ zDdR~+y^!3e0d8%RWfi9rjcjASc~ms_zrml+cwD5MoGGrCA(41wUt08ah6p{X?GYD~ zS~Xx-^tFQ(El~ZO=Ge1eZ}|9FvTd$e{Axki=a^+f>WnZ{K}SRE2|TaG5(6wx)Ak)k zXd*U`XvatQ5m{9-@gz-TBXohQBwgLnGGQPdP}zj8&FP&0)2|TS5#f&!dr2=W93!P` z2Qav!%M8#Gx|8>;!8pI!9b2%{7y29AbU8a3vA*D9;Q?J|NJ#4|2ky+>`!pc4311O zzA#UJKJgcX^-J8#hQ1!sR|a}8##dW%e}o$^vCJzhdP+aUvMU-KHWO^PuxNg%j7`u9; zjwcL7MOBZ{UWUg2r{1y|U(lBZb-2M9rF1$W5EaY%oX$@f#sRfd*wrJuEMQ|9)J92o znG+leCg)?Sw-t|4bLOlmj|O#-F|ift!RDcdaPx_FaEWQ9XcaQ_dUP1#)G&;EzPX+< zKE9(87o;PF?3To-Pwp0ksYTjEYz%|?XcL_k9F7}u8vG!j$#ULrBZ8Y7oFpN?dck10 z=TVKw<(_a`VOa+CG+`<}voRCCS(?nZ?~%hXH;#wBdcZOrLRFJmbMoREeZ8i#EI!|~ z)OyXVZTX-a^rGbES07oM9^QIO-3w;^o?$z{vo8?m5f+a`Gs*anQKzSzpZHj9jc&&X zHKh>-eo|lzp++-p_UtDEiqb`f25w(qm}eMjL$?dj^NMm;(gz)8Ya>&as&+7r3b7lp z$`6cMMO9A-lN^`W3(zmNay45|VdkI;Qgwk{d!6zk_)PNCXSm)gCVzU$hw_ZOKl_HfT;L3Q?)E)zZW|t!|CQsk=j~T( zp2Q2}%Rgr4+WhDLXUE~|Ut(_3klTNJ!?XYKE%guoC2?m_+C8D=(D$zx#2&r+1Nxvw z3ZFqQP!`yBjwWQ*f>sJrT3DrlJE%bfpbA`jfTBlM8n08-RZCQ9thMA-d|3x1GGmCgc6j1I{V>IO){$lg&O=H0qf-WtYe-Ghc}w!R zVOt8Z{`M{Yzx@$uGeR2{i*ZJVWz`|IM6V{9l(`PF75J4$3&A zw{6^gK|fNQgek=q+M^~*9O{8fdGkPhDX`iD!_cN1oY0?L^3={)>|>tz6;16>MKyWd zakX=Kj3+z^a*WL9%d438dyC0zj9IRT&%k_$vBDv7b4wFl5LX)}gIDakDUG$_S?zN$ zYI662fuD1F>T^-GY!BeVj4{Ou`_5z38yw3u&FCqP`H0bJ4yh)!M@;-RRs9`V zoUq3BNBnS};hm1?=3i3ZL01$Q%IEQ`BQiK(qy@{BVwq^ZZQtsMMHL0c1`{@fBM2spJYmE{GyVjEAYkMOM-X7Z z7#y~7xk{x{uS{hsyRX0BZBKvB+xPorkgDO1HQA#TYdw3%?@@e8wDe9etx4+?Of`*pvJXm!>;Mz zA-`EILy>Ojz5F%i^e#qEr!x$U zu7^CUi9WQ@htDu@@zf#m$U@H(vT}@(6==pemKmV+6f_D%rqR;Fy6aFJ9C91BMB7)C zvp!O~6oU+R30W7>O-6KHi!D2{o{QBegt=ril2lEInNpS`_d847}3Y{sb zS_(;oQ{VDpJ7HkgR5OV?FfoH6T_-7giFTWi+Z}aZ;ysiI?LOw|KF2JX6&`65QQRaL zeT%8B(AYL+&>&ia!9>C6d;I*P8GgTH;BQ%U#|+Jgm8D_F5$k%4G}i>8pl07*naRQ`-nuF<*^hK7qioS;q$v~`PRcr?2OUqttqK91=LgV1WITOT!4d2(Ze z@(d?|$UWu0GegFGl3M58`&XQ=PI>?ChGh3uy2F;S)e=lfW|fQXXKb2)X}hNJJXCCy zVoKB(*cNDg$(a+e-Aw7m8pDH-c+)577sS3pqv?a6j8e74x`}C9h)hM% zdYEZS?VEJ{3ZIa2bBH%+sG={~VJ#kF4CWX!$;i~n%$CyI;k{0%^h55B1fz$iq{2aM z1Xj}W>{Z7{S5Hv71%|!g>Zwov>=NUm$1b)hj4jq)k9<~QSsjXP5UUlQjEF|}_~Bo^ zr&MJ z*@z=U0eUL7C^27oVfQHZkH9vG@XGv7?z)sJ)i1>tmkpP!}O` z8)BBv=+0Bjolbg{Fut2nz8K*oYbv$I=vqu?O;Ob7%bLA@!{?vd9J<#`_7sN4KDGal z{FTa0*`oRaD_fJJ@vxUr#ezgr&@7u;?r7_V+Kwpu4z^j)RAa=Xq|+KYcga91sA#`#Sd1mz0f(*YoM>n!5KJvwW{d^m@+TJAL%9!)ONRZHt|1ykN}9QG?l; zNNLc;C7mf?Jz&r;Nb82&ZE%v1>?*{4ypM4aVNZK3Gl#>Wjq}){(kJw;3!;^vdrL>z z*tDn63u1IdVz>%InUbk7TF^tQZF1YA?^rm#iE4HT%_MgfBnqkk%{9>5A+6dVYylaR zgFd#BVfJ)NdxGlgsI8#Yd>RpD}_M}OLRszDq*<7IzD0` zE6S?Dw1zCQm@>)`b%k!%K#y@LsoWuc93%H05rtbOV#^nsG1~1DPTw38)fZjGhWc%BBkNwO6!lkEgdOhtnIXg~c*BAiVsXu~U zC73N0A3G$(OdVKc=wP_ z$F3OAKKn7khRe$x|Ih#S5u1xo*w#5MHHel1lflqJ&$j%Hcl+!LzRfe^fFJx1|B6JM zQ&*tKs=&(UD92yJ%GWey#rpa=X173ZTim`*YZy3PPAf+grq8ko5S#xOtx2&{z}~}D z8`R}}RO=yPs51LSP5IFeQ2Y|F*C5&8L^fG7!CFhSLTB~!f_q;N>1VL--$kneCPqu@ z>nLeXB=*@@7G;}qqdD~YYs_$quJp*8hJmqS_o9zpNz5!j6*+DfBh!p_qfrz#=g9=i zZ;5VJn5@vxQ&xB0LJ3zCZjGT8*t=WQmBd3u6$)_?5M~*XTC&<~5O-RJ_J-y{0c*_W z_8K>csMoJ4x?9?13cVE37^Gjj%eIV3Y8UM*3hQTEu7pCi`IKtD!ydQDubiSi>``U` zav%vr!LABmU=w>TxzKQ@`=GUSqX4t7(i$y=F(e!MbVCz0F40Ya8fKJ=L>;|G40M_@ zr>u44rouHM!bCwqpe+TWwrRBrMX%Txr)*|l8m0`#C-fYg!vyV~U{IKB`eS@iG4*Qd z+(pbcWV&D=ORANNZHM{4kOxK&}#=@>CpC6hJH(@cdWFI{;5u*N*d=3 zy;tKU0?%&0jAJT0oIp^zITN>LZUmTSjiyHEx=rp%9J``aJnBy6dUu51r6i_-b+DqZ zsML9buA3ySOV+pq_fziP3veekX3wL!Oep#$ua_CipL|H8Er}Ki_GZATnvg6k^dKSH zZ7{P88kJ(VAxUz6`tx6~S$)BW&n%uKFF1eRqJ}g6^m`8&zWGh6&O+&QmZa3gNIDQe z2QwkqZW4;{hBj?cTn|w-Tzr<(cW=2r3{cx|vHHmcowi~qHBLuIbn*m8hPYE7{p5gq z;{o1R?(uqkpF;Tr#h+sx5KoWk>B(&nxID+jR+{@5?dXR z#yO5AX?FW~>MNw)(v>lt;-Fh8nH1O}#o8ZHYY&hE^UKr=zol(Mno6UvCs?Br#djEZ zf>SGl;X_1l096Y2C!{wUGFc<40((+pzpTkl_Hm3A5h<}YVC-h3?J@mHhSOFQ+CE0{ zl3wEwS2pU~!9#CJs5`WgOElPH>O|DafY{Qxb0#S^6{^`M>{7n% zM!b~w81BXR+K4)KF&u+TOR@TrXx89s8W+`+{_={Ka|ikQ3r-$Z^qevE>J;mtNxr>c zdsE_CEv6|Es*7`GpkxX~Yoo>nvQg0;9c5EdjXG#0P1;c_0@Ktn+=eXbq0|}mDnPZ@ z-#*36zaG@=uqSxoo_O!3kn&N zrvY|dP%9m3Pr+L?q`?3>flMRPp+~8|hNeZm^)L@$WM!B|POXioWP#xdaow1FJ)le1 z+$0HE-{7>@U=AxZwIOqTWSSE0Bx>roFahNex?d1Ox$(us{!RC=aGg^t%L{S%1yedh2OMD znIrWA%05EqOhy^Iu4AfpGz*Q|bI9Tdr>F8{+cNv`38G&iUTir!(%5V#_-4nbCn=;# zV|6^DKS;sW0iDydG!lWTZ(|T-k9cvhpls+mkO4q~gwg_>Ex=y$hLu~&R zS?E04U!&D`s3tv>&5CB=uza52JbA%()?q0sp{k&%0!_?#CJ!mAIWK-O!?!B7i-uWi zvU;`P)zzG*7hAIJf=82#84s}A1yx-W_%^{CQ_g>KPE$vOU5iA3C=in0G`)@o0&dD< z(&3z6KWX{=@`lgHz=zem3M?W)S)=0Dh!&eqMOb!L!aV6!Blq$ zTg5Ug^1O#BZSvN@@C(YcK-oFehJ$5U=rX3wJ1l!eElo&LMCW2^g0zsB{shrw$WFlt z1S$%N@a}OB*cnCQ)%pJHJS%a zF(NOnDT^smuW3`4_E@0YgfvCXMl0a?1qVW6pB{2B@`yTv>BM6l9&`RLe}d62Xe$?u z9PQ{XisK;eIJlNYR~e+1PPZ%QUK`}$CE0mGal2;yvZhehgr96!UGGTdJ9f8Mq~!%y zpS6VZS3JLrsm^bB{&~pds~ML+x#05rmY;ogMg95{hHv>~citj=0z?)sEK0vZpi?y=UJ0|(!xAC+>mJHbAR3c`37%C^>Vlx^DBYMk^vJIy zc_;9@*SHgx&QCDQ2D3WAnzrOK7sQUivf*`jpVp2zdQ@<6J;8mf;3y$uQLr-vZCg|A z`dlYF@^Hgd6;Zrgb8zC*RDIg1NnfNChbLf~*59-pT;e(zIZ|66vT@V>KuL0F`n4ije*~E9P|g=nYvhy-saE$;ue)TW3eO=9UY(} z=ulWo*koHiy`1y;kA6w`@ddKl@%Y5zO=TWpw%1g#PTk$boy4R`iQ_e_GYWrHl9vXCP+3(IEKkMn)@Wi% zR#)_rklYxuH3PZ>h#Q?^eS^$GOuu0zdc2c|e0pnepqI?teI}EZU^gcTBwCZ=swJyz zpIGU5bi7A$xdCUNytqOgHXOPM_3j8;FA%~ba$_`Mpp8NtP2f}=S*D?T3dPkDr$3>r zOO&)kt!=F4mhRv&ZBP&`E(riJ*&>q)v%O&bBETsWE~_DSbr*_uo7m~uU5F?)scBx3Rh3V}63ZJ`tn+Q7gQJ&+c)FR0Ta@{5XRv**YsSDb4G z>GCrcp@N0?hd#qJSFR8JP$H=YD_057Sk^l`g6ZQj!EH?$PQe#}EcX4#mj(NeoA zUgNRORNB#V+Kqz@_EBao6G!1?Kj6V6N8k1-)RLiq^j0vruhC|pJ)Ll*Cs-c^gm-+% zcc{)0mDJJiZ#nxk=5lyKbNialt2M^|_jBI*?uhYLA#(+zJVD+YA&*Sl+Xb&@HFx|G z>BR=`-iD-7*w;;R;bCrfq(;s_XlUsOW6|OC1bNiMGIn&`81+cSs~2cl!KZ zgSU>^ji>ne3XbhzU+RRDL*8*-@^p0v)2iud3RPr~iWE0jsk}K;TM{V>Sy404GG?}e z(h=t$AqcoTle+YDHALlFFRYl%P@4ZA&7nhuAAP$ydl6@a=M-|y0?$JRLPVY51q47q{fkC0_h;he{mO9tfmd?pJ3k%lyAp|*FToHc^h`X!9}zni<`>T)IA(n_!$_B;%Z91k zq8lEbI41opMLiA}FefU;h_XT7H=w_Vo)77tc0^YdvNGVwoYam`uM)^qYOf>E9L%qc zdHm>@JO9r6oWA{-v*{xyXCCpwMcyn(^p@K==O!(X6P3;Lir!arK3&%6Wc=5EcfvRS z)4xyYzKLe)n5s{d>#U+JhMpqp0*nGhjp-T(SJkMs7FBr2HX^MpJmVU*@TnIng� zGWK^@DESmCsHt}X&GE?M0@G1BUt9FE70FCPk8Ngp0Kpm~bCF|{K<`+T1L{Re8rEbz z180|!OnO+Aq?pv?eT}KTqa}rP53`q0>IKEqE%-xz`}a(4=R@K^!MwS_AC7TR(2SO@ zbLkHxjyYudNFlKI=)Zk}HwkEJg}IW@x8WwWu@5%rnM9Zdj%J|HU}7Vc4%OB$W|G^^ zz}}bm^N@4(6ft{>R6IPbV0ND>31(H2g@RdCaeIA(If+o#EsAcE zg)JiR`240IdA;J}Pp+xM8{E4J^U`D*SJY=c4vLiE!F__GGrlq`IDPz09(?VT{^1?^ z<1t0t(AEZ3s$lmk^jz}Q-wXKJ56`$<{&PA75MMSr(LwjuNU#3#tlk^pFIW8G@APoq z{T(iz_xRP1|23jZ$%YQAWeC$gtCt<`-);Dt|K58HoICu}t218y_1hTBJ5 zmd8}jzrgs~J(O)mi$%9h(7G|Yy&zf_=+lrgtYBwi7a8;3J_q)aaOqGM*C=g;^i;g! zHH&75T5sv%idG%NopY)yhfXZWmorjv$o}z)%hymkEr;lw{qeV`-WcIDD6AK1M2pZy);_Uq(XgHpdFuBS|oQkG9`3?-*f1(p&}S0>t^ zqBaafmt$u>Yhj>8YjV#=+*T+f@KM;N=D%Iu?%F+8;>UNp$N zE#79!u*wkKKBe7p7*@pQ6hq(A?JIO$L?p)OVuP-^sN;?<3h?j7ba_kNP0;I%oxYE2 zNPaaMVQ-$2E_+*HJ|V9v3L3b{;h*~Pi2;rIQ^JO zS~6-6Nji_dy+!688%laJkNC_&W+g?_Fb*VbCD_#iyxAJX>SN@BUD#p>h1R!V?;P!F z$ar6Hxr{k=eC*RH{mGbH)5o7>NNTPw=LEYa1lEA1E=e1~c4rZ-&sm-4><2Zod`dQ7 zVLJs6PW$Aqr#!y9;?cLyxO3-#Vdarn`$YMh#PtR*skv@V#`1!f>k&Quf|*eHXr9xZ z*L>%p%^&}FkI4Ss?+{IYPPlA=3Ob3R{58)LARt|D5pIiHM--fL)9t>jOA{hNhlW@# zfB<_eh?^;h0r9$|kIoJSugfS8Ewpxg%IB+sHh;z!f7YQMMs$~#xYM_I_31TRZWsm@ zQg4u}J!Y)1kT^mi!Db_K#^h{;PC-U4wivQUtAvzo$K+F3F{SHTbSdbRC)~fX_!$D9 zn*a9i-eYz5J+$mO+q}S%CZ^)h7%}5fk41V#f8CM@m+Q(wsMn~*9n$q{s_c}QfaCg> z3q|2xQ}S#(j+8#G>O?!^I!1s<_ack=-MSw zR56-LmYW`dza%U=97B-C3YP2P%9J=&sOK@51B%7LyE;r0WA8VvTGecS)ooQj#CA+o5yxrojbh@JeH@oDj zxx^3V5$7ZW68FU)k+Ql6zsCA6t^hi*cxNFw84u@VrbEY!7 zea89qfM>}SkB84uniGz!HR^qre7J|#U6YS$PHf3#yT@Ux;>8NFp`smjl0O^O2bn- zblGw14me>$T`H858D=xUyxy@nIHG5_ounl+!N z`*@RERv-3|{emaY&sn~Fg`@B2t9O|z8LC}Sj}?^0;`e`hk2g-=!P&cyUTI__iE-7E z8UQIbg^JK$^Mg-Zo-WS0e)=4*UeYt*?mLHk^vvbpo{l^EE*mwX;|igah%QD2j^8+7 zI}g}x=2&0#=|0S8%>i1RaNiZc8J*YyYZL-HI;KJ(R0mCTl!k#QQu?DY=ENtF4nx_X ze(&`3`?-5SPk~RefM5OUV?MQ?@>$yPB-;@yb3Q9Oo|khL-3qV8md}VdS9dH~aV1)8 z1fdwR6$&pz!=!8YgqE&>Sc7wsQ%Hrh8_{Yv$nhR8iY?!}t8)6c{zJOVqh1wUcMemz z#560GwNEVylDwmi7nst6UPic0vFjSeKO>nhI2=oM%9wsJ=eF3#)Jrz@Dd$?wp_L=I z290Vm5Rx>GG0X`@J7e7(aNNHpVT>zFVm}~TtWlbny$Ni0Iz}+SC?$di=yk=mH3+nn z*P%@^sZi<_)m2KQdSrQr8m}1k1jB)e<{fZwP~c_?i{$`k(6YH|*?hiZFpNm9LezQ6 ztSym?g7D@g&e0V2K*#F$uyiP5h004Y*sxv*Oy8ln-O=nUlxjDO=kN+k=se2@+;tXM=75j429A76nW>DmhD_CH zBZ=B;S*;aZGhw4?XbGrFNmp2C14;MkmU`dBb`_L7$8lWRP+@%BBU!pAZjGLnEEgTZ zvdNHCy)B1Q!<;%OU5aIn*me;?6w_5LPO@Y->fy#21|y0{#j+fnOp=K&m656u6X_Px zs4*5RdWZY8%b0iGak<#;^LqW7a<$_0@faBi#!5i$C}2Xd%-CJsAPR8p3SF+SO*_1! zlHew#?zw1ciz6VZ8`@5z(&v2o%O%MoMkF(OO+hj2VOR>jYf`l~{oF;LOtFlRtOH^9 zININFb7NwRC)Bf?6V>H-=p zs3k1n`HKt6k7prms-83e9H6=L^Zj$1kXg8{RusS$jt;w=w%il6T*^&$r&Y z%h{WUIPN11%Rz<}ahCCe=WE){uleAqt~-M>jmoXzxUw#i*=7l|BBag zkBe8&xigYXzxqBzHs*N9(a|YJ?z1REa!hiiMiCNCYKX36q9l~`c=IivcJYvH_ncHf zE;{-OMBOPyw{!N?oBv>{0v z{Hac)^w}$CJTE4A_6}!glANze_eS)3HOh-~3af@_M3<+8>x#zG$cutoqsNe^H0LUz zw~x8KVrN)vS`%aT3N6<#@B3^oLxQ_wb_6`ipCMC?m%_zji`@K>vj6}f07*naR4yy_ zT$6QVQQfR)3zgg(Q_OEMWQ8{J7<_hxckm|3t&eRr6eEYRw?=dV%ZR8NpT**UlgF@q zrD5+$nt?`^DMaTrwz)==9q!acxF&QS>^2ltg4k)S)C^NM=&ousJc_MKH%KvNON86w zY+vEQ_r8vE{04vds}6DTBaXwE%sIqWJCe>|I51c=3VEDS6|X=&BwMG{8t7$$S~W<; zrb-=pGU0aXVf9mPQWM=-Vpj^5P{?c@O*3ee488P`Nmh|C{d-oJ??(`-HVhQIXRWmJhD>S%2~qE;b89c!O<1JKCd)Q*vcPmlZsItZ@6UP3Dh1<{$q{ z=m5!Y0A5RHFA!Zyo7+rBlD2aB&S`@-{ar$5$jcWS?({RJj~;N}bl89E0qYk4d_aT0 z3Sad$oPPHmi2D5bU&6!kmpsYuu)g^zhOAKg#@Y9e$|aF^%H`7?#rBeK|M5Mhdtb+R zFlI73A0e5P+an1ryIeEfq2` z;Qf;=?|=38`J+GmF5;_yh_`8xxU|C*B*x|nRiWkul$Gsc6U5+aI=$1~bnvAQbEN^{0yFtOAPE?YeLbd1P zKL3K7w$CtMW9=WaSV{WD6^%GXXGhu&v8|4(fZDT&r3$NSjNu-cmZ7;h<|k_$caOTV zc=Ke#3YCBW$_2nqnXCNLvTLw9y|mR4G)p&A~lMv)$2KMB#hfFd?<4>ZzHBa328>xODOLg*!}GQb*{ zG|>#(^+|k-LA@sQJW5fKH40v+5*t3r)fH*4k1OX~y*}a2@SHR0)6P9Ze~bdM{aB)TrBSzr|eM(n5`g$^7cppm$3SDJdnpB-deWFuW6=Qo#lN`~?HI1!f6&aB>WoWIj%ake~pjWp<$}vj* ziliD-JAyK`X>d4nLlWJ=&~6c$PVE|)aRwB$qNP;_=*x;yw;75SQ8jdd_|hM3y99oX z+(4&gJRS$^-+Msj9bq*YFF$YDt*@!8C1HOb>v~S4+iW92s{@?XztRF1IUG zx#M2nVKuyizFe?$9E><+tha0q-sKAUD}Mf~5kkB`{N{DGlTa)LO)luVfMJ<1a2&qz zj)!r2hF3eB-{#zrGv56h#|+;1Hh=i0$`9qg&;I;h@Xi}w=h{8uuReUnZuJX_%At#% z5z?W)>m7Xmu-{S?CLdlYB-t~vqk!GA;aATZW}kgPIG^$4`~pqfVhM;9LHe7&Gjw1| zL8G~xixk8)Yx&nV@2FHrnw+$&xKGGG{0D!;<3IQlMu%^(t_!M7i|Wr2bDPUrBS}5_ zBBWe-lv#>crF9{p2P3G+_PwC5nEh@r6~EESSCAvn}n zJZo^q9riqAW}29`LjCI*!nIJOifZWWPeP8Z1F}Y9S%O^k8QBtp{qHRaD2Y-LN5RwVOFcJ?v#=9Wshn5Ipsb#zKgZEKKvw1YK@sOXfI zCdujL5StRSQ7P6X(>>5#6N?TOInO@x3HD!O>;;&O&daAc>8{4_WoY4)T4r=6?6eV9 zyrRq;GAl(E3c25>-&UBRMeU7H0ztGZ82AC%wnFqRx+Y|{XHs6(6c(tpizs4@dLLuh z&=n54ZBmo6D>M`;tZjuGcw~UKQ80ZIMK39eK1G+In;q54!sy3nNM^4}4(@*`F5ko^ z`~8$xg-KNx=wlPP%y1rAR8mK~+@Vc!w3jZMeu**iAYY-`JxW8M=LIi9lb4$r`paKY zsy>JPkoDz0gS!R;U!hGE&J3SW3pkQK>H~#A(z4Ms?16)?<_s4tt7wEa*wK?dE8j+_ z4tibFRspW>(#8sQC)mYMMiy@0qd0^;k>Czew#fjsQoyuO6bF4#Q;vo-RYsK9NX#=he-{MHe|IA9$YL?7M~uS3>ljWftd=LY_8$LxAU zmh5=(>4G=!%(z_ak*BxZ@l@`9eUEQ_=Xdb;kMJMup|uXlN~g27{PNEee);DwxcK$Y zc$>mvoxZ#Gp4+}I-+S3rW>$+r0R%yiAV`9=WK(uHWHTJ@ zg5kM6^c??$CLDNRMOd~%vKW+tok@Tc2?7LBK%u(K%J%i|-TvOwx8LVM7BxFN;tamg zinaGzd+pMr`$$J#+dO&~f;%5jZv(tia_NU$pMQe6oTGvx{_cl0_q89f_x3lLbwhsf zfByr~?1XB&U^9HhFe%ah>tFxQ_cnEx&o50ry#5JWaYkD-d~xP;b^Z~{^mF9mj96Wx z1jOpg2Ysoa2mwB@P$`N6h4@cC8szIwAzm}p|M6bKoBzfCLen{5kxOnaQfyCPYBo_5 z;M+@@S|?wvk-aX63VZBx&`#N?06og7l}8YCh$U1Tjn3d2Ne9xLj?qw5Bd~NPqkZ~i z%;nUB2!Oo3F|AX6jR+m+2F#CrqS}mcm&yiM% zzo{sf0k7PYZI$!$zxWwCbbODVKE>)D5vq!H84~Qy$(~Ep{*ZLOW^W|P zW&-a{K=drb$QIbQhMfN5hVFZk)z267-n>r}*Q~Ev_U_iO65QGMIQwZ$|47ky1?k$P zS>)7VpX}4;6y%7@7|cDY=?T{Qh^ks3c6I8PD^hoa-#H=a@6ydLN$Y!fhbv@bqlX|Z z9hsZRe1MVyf4n3+Ysd^R!h)tqX!Sm6l7OSrtSf|LVEJ3>BtX*zW-cHF!}r;gWAyc7 zth)zTeZ}RIijo^#TgPEc-_DsXe0pz~*xMz|Y((Qa7@>h%6-e8_D>Z`knr3pF*jr;I z4zd$b76GDDQxy`s3eb*Pw6(;Mx9E0q3e}@BQnG1HZF<=48Z4J><^M^Tdr3D*OwP0vzY4SbKC=uZW^%_`-Hm^*J)9efYE>z0f*LxE7c?H3d+F7sx~B| z2V%~+(pkA(`ej3FC*;=yoWRD&u2~1Wcrs?#+0tYhSF0{X$G}tz@-vgpo`ImiNF0K) zAyQ*hu*K_Gv>D{KjmZ{sSddN~3{MiZ29v_#qS#^w4w@zqQli@fI@X50w~n!fAz9TS z{bE6OF-H?Q>7_$$D(2CGWjy8ajl^0$rr0WO-5>Dmw8c?dzVX4B!Qn&dz@-XeHm3?N z3c(Nm@|34P{Tt5D7nH?0lcNdol|blAqSU3WR`drp^U`9XZ|L9YBUBgnz(>X!^H&K= zZHZiONF5)4nepaV3|7OpxnI5HgZmHo#&7>RUv+z2CU25f&k$(DvBA6du6Y09Lpn!q z(Hrg%njR01S3G+6m$>uBBR-fM@b0(X>=z$#q@QzzODi%|oDu?s9J8ax#A<>d!x9FqkYAbv1wv>b6iNw%P$*5jrgci7 z^w&giEfk0fAzHrst$o5f{}~nvRWrd9DNlZQ&FwcXsM>q@9Z8OjA1!E{ko{tV*cst& zOJrgqI~~k=jwOezR7*d;q8c5OTu!<3o=baCAa-{tk||};!5wQjt|Y$JDbh90(SXg< zQ>yL`R+&)k`{>aMtrTc}h@~y5DviyeCUmY@ZQh{Vo?^(FLXHTUGi>7_-kv0TbxpT7 zB1!t->R7Udp9${2x4<*@$l{!)b3iBm3~v82L3v8r-oeaD+JiA&z98C$v{H+ZkL?TER0Tunpem&!M=TnB`Vfe0aZt*H)xqfHPOt%zFQ+!b6jW4PI^J1TX>xz zd66@ZLKve*c&{X%M-hX*%dm#Lrd>PJVhy-#_8+kfjFxRS zKr?L~85vEngRwJVk?0J=7+YBcdXL<<=oC3w+C}z#23pQ~H>58wF~pD}PVoaW@Mbe;q5v*R8B*`Sy8wH99be}%> zV!Tx1kB^zJHHJqe-`eXE96w_FyvsCe`QjIs{Q0M6q(AwP51(IRFHhNje@vMfJe&yT zGkE{L#>vtm%(jGwT~3~~=#Ie3#7pZpmp3aLr<+=g#_@Bmxf<<6Z4>>jv`j^5(%-ag~QdkpXI zb8vSDV{puRk@LylNk0AP`&4992)1I3-pSE_=NrHFy=k?_cKu^=E&Z|uRa8PCRZJ>C z6A1``RO({<5cSLDRpqPfNi=yU#lxyh}P8u!xpu*B6|A ze@burguzjtNDArOr`UQAyNP-Hyo)nPsr(R82K1~Ij?l4GL{!=I@02`y;xq1DFiVbE zUtKc{TI^}XrFWaX^5;9{uHGuBt~2w$G4z zx5=bWD9=gN0X`9_Y!P;ik_Oz_p(8g)9EQV$Hucf$fTQV*=$*F^FJGYU?xD3M_IgX~ zjPU&}>Aaw|751hfa&1IMVA_&#Kjr$RgZY+EIX}nPPMEygpsi|5ZGiG~%HEuaJvz=a zbTvj68d^`0>KnpgNKa3p?V)8Zw$Ue-3bhwgU3So?DRFIL)&)8nvMfN~lQ>~atBskc zOUy~gLXB`<{G83`i1DsQQ(GuwM$|vRvI^F-hR#Z7>Lu)`mTI$4=xm7TF&Qf?qoqDo z*m{i@c<7rO%F&p9l93KWY^~3B&{8Y~4r_`cMBXb17i)y)qqh;UbA;Wj=o*U9?ohQU zQdk&(zD%GSQ0O)4NRmCD(^>|?Qf!Kx<6W0eW{O|(7YyFHPos9w$`-?Qm|qHhFq1t0 zH-Ev=!xg#pfbn1nrBCP&u#J?+_X&5qq@|59G_d^&)rQoxc=>?-!3;OA=;$5`tzzO8 zG_lX*TH`V>85b1`J)q}0)G9`l0mG=J6ZlMX6I)Jci^cc}D|f!5ND_Hma5rq^Y> z-$hD~ZD6vP!{Y1`+lF^{UH-$xZOr-4d8`zt+X{dDgXfgdCn%v1DDEBj9Njvge|QIJ z?ozKSwyLGxl+4nU(bnm^%S`HCUz93z+R9{>XXmdJm3@8P7{X?YTQKbfjSu=@l2qz(Xt&g@{a4rv7 zXED<1b4#A^#k`B%kJ(%0Bvu!7vxP^y6sl(2Zn#-YkoN`dXV+}KE~9Y;XDRZH`*iY` zH2OoFoh?nIlib7{-V@x&km2?@Rp*dAP#Ci%-R~Tco|P0{h}AC8gCPgjjMRKcnHD(3 zhHyW^RQ7ADL8_y<4qY{4RUV`3*LY2jsB^^R_7l{!Lo^uSujl022z#8M#R}e$!ThnJ z@%xnO3_ny<%3! zzf$OV55_uyQ8L{OFdGAn3^^#-E+U-9C97+8wu-g3M_}hPdJiL3)UHO5mgsuLP3+JH zg6^QATL{WPl4Jov&!W{6+Qy>M7NoNfqbD(E3BC&GHVV(O9rWTA$-Ln1e$C@%2j}_= z9=>@%czlQIrlQ){cs{>Gnp6JxUw%RF`eVEg9?&1G&{rmf9I-G3qGRC)9l9##dNJhI z*dVHW!tn-Y9^gzW+E!p1A+KD?QLjW?OX#~qixe?%sj>`TI*6%c<#Z6emae`gcYXTq ziaH%5teEuNAlY$|+gB)g3l-D^Ne)tCj0NtjBI@tZS`o3mCfFz%r=qP2lxNb&oL*tD z%|mPor^n7PV*LJBS>_IxC+Dc?lG!4riEcP64A$3I{NN`uwkOZIwHq-AT`Am>}_!n&ag2igXVH=@^V|-cQSv?+a4C1S6cEf^A_lVVO z!M2D1z2*SZGwyE>Mz(IfXZQ5Ap=ISXoS8#UzlI7D2US5>Qs}r=IMwWQ| z(ci^*Cx3;@9hA%{b@e)){^G*qojVyy|K%^!Sp=LZgxa8xw2WS}I;8;h8pMP^DFx~^ zmlN6y1w4B2ihtyHVO#MPsrZdHN4UOf!Tcv`;#^L zb%TwCQC0Xwi=QS$(-_YvXqp>tqbA^4H5chq;Cc>}^jQ%ZFizz#1O|)zYPBXH}Eo@>E*QIzFW9+!BRKT6}3UTik z_thCPe8BNRix<~qrAt~?tgM^|9fhCSWQ~opo{_r~s!@upG@5P)rJdsrdX#F;IDSTS zafe#8^lF{DXb^=#brGRi8tu;voMB7QoiXxy)K!;cYceu!*q#VXS>tsUKDS z;a@TeL;RZvnR-}qL%R@!^_I=0K~pAJ2QB_^Om^3%N^4FgeMUzKvYL`vLyEd(9C`@t z8F4;lC3MVjjG!T~3Upu53ly7R!!)^*X*E0-us==mDftma$4HDdC{J4{zTH%-cuA7*Gzui4(T)bk~8-k0o} zyU1dP^^r^OL4p<5m@=eeZ`g<`sGLO*h0dWtJ|u+<7}EyzSj84C*CBMuV= z&5~8>(WW8IPK`()Yc0%+9KA3&4;;Gg62XQrDLL4?$EI=FJl;^BELj-_^OKB|R`JnK zU$S`o5w|}GFozb$1BYLG=Ux8!H-3|^{MPTX_x9J=v3s<1h!T^3Fk3c1{9Ag195*w$ zYor|P1T5o#iPwUCfGZPRH)o@nWM`MiGGdW6bgYJM2Lhon+X~dvr}U49e9jJ!fAN%B zCfpwP7>>I<5*~(iz^CUC-)dj6`<34%RR#xd>x`KoxQkK>uT!8Uf+aeJniFR&Q|A`{ z=l}aDfB0|ykU#&czvNH9|L=(MCuC_sairt#*C=B|@18;T?FY1S0u|`r`qf|iUUreN zZ4}YwV}xjF4>h#-wGyk5{-YrKx?NQo;vZ{Gfzr@4=(TXQ))4~Ul8XOse9TvSclpiV z{}tZbdx!hq_$K}C1D2&tSFYLo=p5VDIPRouW1CEmaPQW-r4Bl|*hL&91hdjUbP#W8&xy`~5(;*%Po z$CwLPD~(?0;ffo?wU6bdw5ds5_{3g7$JtUUk4C>hZQds~XeW4C?9 z{L?*}AfV|lK#a)NHMP}YU)EgLg7<#IrRN>u8(#Sb=r@;`cYLPXl+aKNhr7rI^4(iBCuh9-o5Chxp+nIuFf4<2e%0ml#|JF0FIj6j(knR#bFQyTMvlXK@B3)}Z_@4w{*OP( zdHF~Gf|H92KF+2Xs}&E1DfZ4U<92Sy=lj@|;O<^c+YUI7Za^*2n&lNkujP0=L2{2H zfQ#4YCcpI3y*_U$P?`opg7$iJXS^QZp_C%hU;le76~BA`9>4M3@9@s={2u-A*O8M$ zgbL8s0i9xjZyIziG+Z6DBxB_2xT6W8&Ph)<_<4o7jj+-RzS(E~GUB238L~Cdy)kEJ z=L80~u3CbC)Q~>F@Z2O+o9A5ILle z2IMDmnn8$OXB>=rJb&?kvA00o-)ExFSz)liWX;Y3|t}X;> zUto4)M4qzPjB$gAW$Ln?*JRr*gTBV@fY$*wS{ItS=ZfoXL}tCaa5;LuoMh7MjhN(LC0Ey;3%+te(x+w2Nb*3AZg-bc0yVaH$;$Gr4)CSHIO z^tfqE^yQS_TP9DTML-`ed_g;?IP#p7dapO z-4);e<4^eM|My3XIitqp)!%PmRggw0nv>%M8Z#-mNfUbdOU?&-IA^B}4-{HvpqCm4 z6PuU4ki}*}UL?G1O5)`T#w`;uY}szRJb!+{yTb(kn{RV<6H_G_KV51ZEFSazfBqiZ zc7htM5$T$2AsFoLv#pn?y20wek56?z`hWg_R7LnZE=u@Bj^z4kgF`PDJfpZxbUTVA)zA$ zkCf!Ue*oY9?(fij;|j`9gFGcLC3aj=)Emlm7khJo`!Hm9U_oz8R%wWf8%CocX&usD zKW5~vxEt=%&%20=CF;#XoF`LMYqCBo=$lVSJI55OYYJQA&_6}*A7bi|raM^rlm?B? zy$)U9p{EpXPaw~7QoF-yn=s6mKttZR?0ZYfOCQ-aSf1V>`ZY%fK6U??JQB1h#C1+N z8e(P@?U_lPrHm#m)h8Os!HBAgu)UV#w80n}RJMiDX|Tlz?_kUFL=lX)B$pe8+LlGK zhj&ylEh|RKqH=cWMVD;niU`n$f@1m%Cktqkf@p4G#pl%PDf)ShCT9$~HH-5e=KUM$ z#g?Lt@Y%AM+W6sfijOUZoh6%7LAKSazazt%(WWnwy|_OUJa%gzeDe`+s%D%YXPjKl<~R^t!JwDu;A$LcU#NT8i6UkCErmxD&G4 zquLHg$9+1(n5u-MSR!46#BNx`Arsw4tpe7o4o_2`j*KWQ3Nw_@S;HnphHLCHLpl~4 z+2S}ht7w99b<{mcJ;-P`g0*8HJ%_?_@h2_1xnh)*TeK$P z=}t&@w4xn1*rK5ZR)K|Ml-z%$Bg_e_i=6861$Ge8R|Qv@$H&V#s(8xpe*2hPlkZ?T zHks$}ldFKoU%ccmeh~8?e(*Q^>Hqa-eD>^b`RwG9`N<{gI;Fy<6Dg{(&PI08SJxa5 zO^$YkL~S3V$QbrD9_;#T-9v6>2?L|TbWOCWqRwl=ddf~e;O1pOyoJMuJ8a_>FE%B0 z@`U%_@j1Tx7VFGo{rnY+tCBarE}4wqM6LHgz_tVX{S2>v8{Z7Tj`?C85QrP@X*SN_ z0e!s%0}=_HX2rT3^OI*+{381~KmYq@xQlZz3O0s@Ht8qmjYd*W07(hRXP35d(6%^bRUdJsvf~@2d-ya zWdS?>6-oYH>hT=+ zAVl7((bqe4?`y1ItkDL$Oolo7;_PDjbBw9}By;-1jCB|DGnvs(^_wmdbsZ{Sxc(64Ul5%svyVCY9g}6;97b+t&1& zA$nnA90rVC2(%HhBhj`cvW^Js12h7(aKS9wV-iX>Wr1S_(-L5*TCwdtc{wt|hL=N!ek*t!6UYOF<5zZA<(JnG9p%%1$!p_K|&X?HD zghgwS7F#Uc zq9+?N-{lz<^A{)VxDfPvB$EzF3_tq$mOuRdkNJat^(Xx3r+>u!>^bw<6$4gu?}XF_ z6j@1cBxr{UO>QuqE?4WCD9>rKf^D5~x@lRQ-Y{J&gmHyiT{Afzb2)wO?&#?yu48gh zxSX6^v)i0NWpi)0$HU_Z&!1&@io62AE8@w-l$?;hzCq&FWIaVW;5fd zCGfXbTwRom%!bWc!?ZUfvn3*tcmtQQ392=@{~&;=q}3hjmsebs0iAA%=MHd!ns8{N zTPZl_nAZ!A?tH=G3kui1B8d{3o=yMsnwjhq4zH<#L-gqqqLd_VF#9c4664;oSv}iw zV3jOhj_5x$sMj;BuQ{l-jlPax7BF#YW~&ZEYfHR2CjN9ybsa-3k*`WLV?ecBQguAa za)p;|&_*uR)j9cngZ^U0YVFfmKY{ljqOuHkZ_8?}!TA#kS&*EjXyS@Hoj!8^kkd~i zEMtSS>R|PBx^azKI&4cxWa^lH%zSO*G%=I{Rc@GG?9(0Fm>rF>TcDK*BI)1?yCgG7 zuVZ4g6>i(bsU0#Om|S97k|@_Pk0D>^1g?cP6&UE`{XTXhP%9sACDHSe{%nV=jS+(i zOK(VSB97lm_?Q2>BD(l9%+4;4?s)jUw`l!+mX0D%uIY{?=6KAWx5lw-q-L_CYpga8 z=l1a{;yU#JlHpU>}o|ZF+VB{+-CXj+wcF|0W%~eZQJ>aSa-zw-Hmo&?m(l%HoOV-tGbn^vH>{4hw zJfp%A8lv*iXt62_*V3>$J%r`(>a4)j3#61>3Z1Gl$UZtD>~;D2yCHfwVtU=>um9!+ zKmF6cApYbdWVxVG5yP&c@NG`7Gs>)GAzJd&lHM)FS`6`PFl`E_Hi?UZiLB{$9i(QV z#VPLleYT%fIECUsZ`iWK_Tq{{cNq2reeZ~^0axoSp}0b8M_gwvi^gPjea=H!^3K~| z2ff3|wx*e%aqp2}SAKv?k6octDvRXh8I^0(W)^j=u|rMpmA4Vs3TiE|HWhX2(K*$#m{qpufevZA)3-Rh*fA*;t3N0S?x69bAGW%-mHA7imbYZUFJ zB2P_fw?Hc+usODZ;}@lzA4cL2Fo9n_`MPik7#U= zO@;2ebhZVW9AleHGNtgEoNU_?$&{{~GrgIhi=5h2tkfF4Frh6-beqAUVtrzgcK4C; z0^_!Ya83L=MXY?%vliRUXa+uN+fcR^w$N#XLOZ*ptu$u2i=Av}ZXePU*VJ#lkN(jb zxzi|<7CDgw$k+WZO={eoEEqs=!|NrMerS+X7V@&fi5&8tL))v+oGpQwQcXR=Wy{vk z>GeCDmykIwUUQ8!DuOB{k2=h|fU{w!736L~w{wZFwX9=@=5QBj zM2yzg6jwuhUqfDGWZD?RZaIh@`jZZe`Vbb+*j_By)RLK=^YQaDHs`M}WsYlF_~tH; z<0(&m_#toJ+o1LP?4WZv=yAOkbS#Zr8syV+-Vg$J&!wn9dN%Fl7EfO?^m|xy>-G7^ zv_W$rX(jSa-lyP-pm=m9fb*AkfCSO#bVHpo(a7T* zLx#NhUWYr%pi>=F2#-3uhJ1@Qi6X>i1t`)l6Ixz(u7lTVtR@h9`j>lSuWO|Q4}{`> zdNkpG`~Ba;yZ`&-v5A%GxPC+?Yr3LKs})4(;IvfxDV_LdaPEQq2)k?089yQy#~6by z@s&Z-(I|U9Qb=sQp*1>;$3sNnve6tYW6SAfh(m=@CR}Ac-+8;@!g!B&f)j4!1Ua43 zj)#n^h?%&@(K{Ob=LOZyLt0gF@Rm=bg&0R314@FROEvD$U(RXUJ?3&qT4^NR9^Lj8 z%Iz_{e~YU1I36cluev0QEt``)meu>%%?Z&@*3?>v`TQC4vcNn!WxlNFxfyxwV-6MN zPfsXUig>ZY?I_Nt2J+@Pa_<(=$Jc0Xh`E!ner9891-4bP+B#I$6x}_-YOg8sA^z+O z(%FbkA+WS->XnT!x9H27T%}NGB-;o>&oO5<$yJ42Tp`;ADHQs$L{B6vI+#}xDs8Yo zzrl(Z$O1h52DNIa3qk){qGt+gWzn@ei06uY6=KeFoFrv#>@wNj(8LCVJVIs_m7bHD z6FRy?sRm9gWT#IV!R|SxoMA+YMmCI-0dBTIuOrehK-30C;UVocO}*fJ3${_= zdNVZPU?yuUN*dW<_Fc^Nlup`5%lf=GG5NJ$y3aR{-$A~4pEun#CW_4Kqb~|Zev1|9 ztR+}=jn}ofT6)OthQa+C%y>mT9AT;j-nypIJ-ltrG77NtgvPCL(~=@uqNGj67MnG- zH=wyTv7%GRTvU})1wGnk+^#Xok4+ESm-;T6&5ezn*M%6EELf!<;C+kjj^Im3bu(xKUt8DLk42O_|6#R znSAlgz(O+pyg>zU(C;I6_A$3QZ$7jc`hE1>A)2tUeG5ypFxcVavn{J+%HBbba^f;7 zW7@$EzG>lWKB`i52Nh$zCEmS_R!4ME9CRf%M|i^)y)y7Uoj8giv=|r;b#CE%7S~0~ zakS#r*Y1+_cKGBn#!O!F-hG?#{SWy3#Grd$Quey!jZW*gkYprdiHxpZW0F{*8yfvx zn_5e#rx}$QFvH+lTmli(CIBNt`|+y}dEh-k@h+MWXb6psF4sO2-t zPv`jlhREt-&z@qm7Nx(UnY1*bK@&?1G?cGl7y)~~dW%{Ps49b(&!z-{A{`uJw+i-N zK+Fz1`ii>kk_SHa-3EQrU_N>S}Zhbk2KZld*RP5^N>7K|T zX_8}+G$Bi*KvS?RgBE;YK=1?j0SNd>3jjG{av`qam z$*oN{E0O#W<=Kd_86fl~VLd_qK*j6U?CTMVo3L+BsJlJJOegPWEH6ry%8aB{DK1*H zYD-oQ5bO#2)0(2OG3 zSWYOF8uNUDHG~Jsk}T5D%q4ofL)2B|iNkURsWd^Drl?Acb%3^B(5_~*6Oi@+*{w@y zd)Q6|xqzy=6b!&lzrBRU6NU;Djf|}Y*y|E)VscbxC}vHq=!kudeXO{1Y}&4+s0^}N z2irmIBSav>N9g!Alq)sJZO^J7uryM3y9pbHL}fs4+q7m#mG!i8fg9Y@IAd(z<2Kk* z^)-dmf%~2}uaES>9loS<;f;{oQ-t9uODD2BK4Jk5oUDzh5`#ypMh>;6bhPQ zqg`o?&uxOLCiwK4ekd_*?lFgBs;EF|Js62Z>KS%%$Nl`2iMS!FMu?V*KhLn&5vBZ` zGeXkFM(KPm)Rw4pnP?rcB69g%5rU4{na)WZVwM(29p2F3ec2&J5>+8kr#;GTM>qB{ zo7beGM=eTlcZc64gqKgyx+4-gxniPr1&uPK2(IW8fp!}q>p4MEpr3STb;P^f34`bF zNM2=Vk9)`hoZMwCgW`hxSfsBb)QQiqxg+XlsM?z9_zKnHly+Z|>|5@glHuS$d)p$* zJ?3ghwbW@}7ATI2_Hgi;Cf+%%}N=E4>$fb(y_Bis6=}4o? zb(Eb=sLnZaGK@0e(5jrM_ef1nU3Hk#l5J)onh|-dQ%EY($l<6}I7PzS;Dp&(&1qjz zW(t`$WUu=4OBK(I$qO5y(-{^mclQhIS_i{rv(Xrh4v4Ww94M3nl}K$-rwUrGA?#xk zS4KO2%g{Q_#Ab_~)$GLrvmVfl2Q)=Ou8bIZEoNOKq|h8SR{aE}>&R3JO;ecWIqMFb zzGv6_WMnA5!Xa0&suVwose=kpZJA~T(v5;%=(Kf0SqoUUP2H~X1`3*9kS85+D_~d( z{VF7i#>AVNKYq6X;XS|bRD|{+s}NKnV|TsdgJHnK#f0wiTYKTjGo9;W!e#5|#na)h^@&;4txGP(PUBc+moF19Q5EizH`s@+Cpd+>k zaSKwCQ`$Z2q{bX{RK1ESrrZPu-Rg#LY#;_(e)TtG8toBZY$7D-Z?XIVLT@6ERqUa} zp*KitnXwe)IQ#hu{B)Kj6Ro_1qsO<9i8(^^U=%N8=hKl$fzZHFD6?HC5fPKTH{%zQaEqkftNFlY~;W zn9P^Nm5Fh_LNpVE_LK+;Pr8TMkXvEM!^>-e&vYy|L88MQd(`%T?mj}A)Odp_-F1Pt zFsQl$4~6^4$8uxjs-w<3dfTK|6#AiqbQ2*yHtEckW@C}b3ZsV#$ zCF(aZJISL-WpcrzZ*-ues}rPqg``wi={{FN22DxR?Qq8h;;+j& zCR}~$p_xnW-c$(225`Q&ECW!rL09JMTpwE7-~%|3RHT6TQ?lc z36gVza#X>Xf<8oL2Zlsn2~@d{=o=JjNmsWB!=6U0h$D-cq0>17v^v2)x2ShHI3fc> zMAI4s(V|mT)a5-I1xnS>xh|zuP-Gw&3aQ{xI~9$7pt?)h_e->4Lte~L*kKD6eV$PY zJ>^cr@H;|5W27fIl7uQ|JUolpB??!KiE)%^?rd&#Xs3HNrAwyvG)M$VLXvshH$&)k zgsx($xl}=bte9*M5w=@X)(R(4!tmi3tNNB<2kn8)VS}09VLu&l|Am1UZCKbc16f0M z#|%`NXLqA1mEu>gN3s?99A6Ij+ln!^Ulcp|T?o*z&@3Fu0fa}U4{&K_l>>VOK z%~qnT9mZwHp>i;-Zx}8lUVQX~2Ty*?(ff#Ux5JSPlFmf4bjHgO$#sv^XmqrA!yd&O zB5Gz%U%Ons(D~i}{zv@QKmA|$wO{$?sN)Y2MCkh^k8Kb!`H|4^4}Rq#^I!fkroAL6 zYD8g6{r<>ZBhc11%)f?L(bNY;eg6m4NM@@+KR zB&`CpN}?-ORHI~bIij>u+_2xU$4<_6V~=qC>1>zHDr!t;XuQwsT^Oi`FLw;76K;9(&j zRv-p6pQmJ%&(O@+ygK6A3wVw41pojb07*naRMJ-p$(4vN-Ew#@(c@5MEz+Vw{Hr~i zLPsoe+N2>BO3eNWhvp3Hcuzm@>AzZ0j~BGrHwc3{O4?x<3dgNPZsfp-?Ycp;-q9$} zNPl{RI@ajXk=7-l+7KR79Q7?$o1)D^#&Uy@tjI!@LeFTlhFEne1qojhXwx0U3#zW* z^ZOwqdB98;$W{iDT_FYvJ6~gdE>LwlVkJjRM<%X&q@qJ=Ys^y%CDiB|kwzEL z)rQ*c(foVFB4=hb$f3ib%IP)|T4hoe1H=x5RHN>vC|Sg~nqvAIikKn4%;?J@4-Q-M z`V>PB(1eU`oHF)P0=+|;IQViwa-reh9FZy)ydEV}apw*~+~Ra1RwH4Z>S*R`oMVqr zP0^YPDR9Yimr&^#L<(}L(8v<@z+);m1U#a)GbE{^X+d^;9xjIP{G47l5Cob1)e7`2 z^^HV#2-v23V8czE;rm1Cv|`)9H|df4AV!b2%$`|%b2M2W@7U!zmS^+nN<+)9u+*H% z$Ya%Ogm*g{p+fB&+Ae3L2DpkzSP69Z0Vgk}ynd-ti$~JD$1_^A(!d%S?6wlh{Z|Yo z9$)>u;UBzkaf*+)3Q8VJDJ_pN`-)H(hz@&f7uv$Y{H7rjMb=&d$qIuWCJO^~f6nD) z$KU^r@AJFA@qL!x{Q(9&?%1Z4HN-T@Sl{c4EqUQx9^;zA`(zI_Qeb_#8DpbEAu$1)T3 z67kqm=o3bQ&Cb4{nCVml3e`Chi!RH_0D(Y$zZ~0fIrj=g?+Na@cDkN0gS!s7MJWCoH$OgjXur`5evMkQNGIdxoGl*bijtT}z;xVC#2yeawD6$DVdX zjl=9xps8x)HYX_tBz=LUY3TZhV|I$z_O$XT!Y-xMRpjW1pfBiTfl)8hdMfL`3(1~n zc->1RL8GxYxGYg-F7aPoAwMqZUnZD>g4hep&PQY$;H?XN#cc0zmyR(80}OA-bfY3f z1!vI;5)m!W5$rJ(0iEKqs2i$M!l@#}#zBZ|R7YX_PGIjU)Jls#5)pCGBjlPz83(JTeBU`3+{w2_9< zHbngpdvau_3mm5oo%I$~Y02uIrJr)#*!Xpg)O9$!fHbQ}9ynB8On>7cSvuyO#eoYB zl7o?_yuWWyIvrOoY1bWQWg`?eeH$Vr3D)!)U;nnu-5(3o-lQAE^k3alBC=}&{@xRl zXTSSBBzJ_?yS#cUv#?Um1e1I+;BcE@C@EMA_BSQR{2p^CaF@CeuDQQ%smlm)VK8lF zde_F#Op2)Gi*?MlS+PDgoS)_xqY+gkFjpE@Oc5KAK80gHL={UOEE+boM;7e}@(!uG z#@2oM@eEsWC~BFp({R_#`D`DO-+#&TUwOpa!-Po^z~vK`f&}`M%(W@xdmcP+IJc+# z`}HaR+yDCSkaz!zr6{2-3dGZz7e>NA`t4ufd%yXc{QZCSJ;qOdi!AQw>l`tB^_FwR zM9qDwPDPHk$${!vi%yoIi!1tq~-fXf$TpZdkt`k+(XdQAKRe zF`J4a5gFwjD|LpRrSzzbjhIa!B7FXLwC<4on~3>|jC8eUeXy|Fgd*=a?Ruh2Wak(} zq6+Nk9=SZej|p>!UUjfF9ivG(v=c(TMhpy^Fv3LQSXyLZP2B33;w@sUP;TGizWy1d z=p!HAknRucvK&K&U9VHD?oc09=d5hBApbL@8rsNBvn!&Q=hV(r}S1&)^)gkkFq#nnQuswQ|wVsYwM_5LtWM?(YmGBj~EX!s!+!922?_Wu1pAy0-n?$ zw+j8fCmOpfgNE`jz#O*7XECkP6Q7q%q@1Q!(1!_PRB?Nl5>Go+C!-v!5X6MEvgmz- z-O(fx6q-^+ku8*khETY;l}R6~d~93%@^3uAU;HBKVL(2X`0M}cZ}4A;Jo@f}bv~wh zx933>@ci;IL1>ZhwtVtP#TY!|6MxM37d}S!Y~EeBq-1M0~PqT)MzahElJCiy602-cyOMC*BIsKbZ$Nn0kq9oW zxI?&%IowM~&HyQgsV}h)Y9#EzK` zlKPgFIKr44OlKDQLcx+tJoNn%-40!Z#eWPZ%2tjpZVnci6)*-MI--hrE;!(};uq zoN@J@b$5ojc};op5!S3&I9H@sML5 zG20W*21r4RkoQ!gN847EwT}2c;^uBl=SfWZoGL#-laJI*iJu9wIT==3aNI8t8iPWHB5aU7oi^E{Wj1=KqNFLsQ6awR-`iqIQ0%g5lPh+Gi!)7k6>D`zPsmFKT?=n zd`v592$jme{7hkW`+pL=%h=o<(bO38;Q&!lP}-W*g6X8^r&kWU;A_sOHC3(i*=^6O zKYokY?>Iko3FSFWvf;@GBDyo@DsDKwykgSDsItLfli|b%dPKUrj3}>>+6LXXXjPfr zt;G7}*Cf|9+d)s4uP9@m(KI71=ZvR27W#nO_7d&$Kj)*r_kypl=gd!c2%|Y#U!$uv zC>q7;NYOX=9I0HN-Zbe%g<~x<@mun+Lo{lTM84}Q{LX*#kndmqkNnaPKSuiG`@j7M zLj0Ph05Q46)_pX!1-E2>o$)>U9%b?&`a0*sp~|Kikme%RZo@I2q-!HI zv8Ai$)J8&gEYPbxiZCF(&hdnR+LlnxMl^44Q9l@B@w)r^!r8zeY?WQsEJ;vLz|T45W&r%F#3dA&^mgpK5zVe0xMsCH(qGsEnwu zH;4~43|T_V3na^BF%sFYmz2dDOcz|`z-l*OewL8lP7x-uQYulV(+je=$1Uy<&4-kmI~LzJS^af`{lq09!n`|D%x1XBo@6+|X(QVC z2}OQ}DhM=5fN$p({EW{07ctVlVVXXJ*;#Xux- zPLPU{tM@yy5MGQ@rr-M!hB-p21b+H;!=L@{f5Alj3`Uo{y1K@S177_48TVV4G~E*? z8L}iGj7HpU-_s@`lBALE3mQshdQCqaP!}#*b|fxpDzRp)N@(JMSdh36BHEjhqKhbG z8BgeGMoaDw8_q}(PM+bCkQW-;{SHTrDCSS;ZnrR7&~-jV=n-xzVJFKN8 z|Hb2$fAfbO4sZC$voVL$-{MdH<1OXtFG$1+y{~Cfo!JwOdDqgNKH|%lFNv}QSGmPI zosnujce@^ae1m8OugLrlF{>^0^c+Qd&;IV7?c0>aQ-eSHa>hvcoQvQ7P1eGP80m<^ zswX^L<9pW}-zf;EBKuu{Gf9YE3P~3!%}q`}XsC)QhwT=586Y((ieJ;OB}Nkmv$;j~ zEF|B@n$;-7jNDFfvj~?P+H{L=_=tlS)ZHzzG3KDzXw?qSaoKGJjyLy+BZup5MQKR5 zZjPX*)ItuaPg1&QX2-Esh|2@H93yB6Z6y#2N>0m&C|#hNE7ZiHRa&HOkD)jig}_lX z(Dn&!CzIU0$5digl})zmP@l!rijJCWxlt|k*w0TZ(n^9%~)&~*7?VicBClGx?O0uhKq(>T}onjO^ z@zo6XaZ6*k9CkX(^Pak1pqwdWeM8n%G(t%)jhGY#)w(19*dclwkwqO@QlVeYsOyNq z;+$q|Aol@l*~O{v*>pAoEyW~7P>v+_n4=&tpNuHYIZfW+lrE|~ATk9cHODkctHM`nySF+9r~R><_VatN*F5)yc8`mv9bhuolzVh_)z-_`c+AgSZM*ayF-==6w4&c3(VRk zY-I#f#IIsnNugigAyy;&7!=3l)cu@JRA{py;Z&tRrZl5#%tWX1cFa+5O_}4YMz;#A zKBuW=B;^X$F(GS1N?jt5eezL8C6^4NjP2_Qr9P*=S>QG@iQ5Q#eS3;#>QqvUkmkfu&7jeFzco2|TH($t>aydDpyOZvKVOqy z{~@P87_zGbIt+GQi6?_KN#3-C+8LU2MC=^O9gx+CFAKz(KsOwd=Nt6WChiPmWb)6B2#bj7 zR^Z}0Du=a2L&aT?@?hShY%{K$C8ypMM)aK0G;s$THj2Yi4j6U{U+e~)omx) z?x~F_cC{x;HAYU%KC_vOa+*y;od_hELjLvNF`ty|S4%oILe49+r!vB^C%o>kmpbz9 zK(CL{+BIV9QRG|1XpBA`rzKmbh)#(dv;>=uk#Wy${9PWNyyyNu z_4HJq2lv;U@HHp|J*W`u9Icv;T&R$!3s=miVS?nyM0{*WL$! z-%$$YWT}9&I8bK_Wu?%V9%9`f3MpwZ;4mw2(v+PTA&D}o;S#PBjL0SrTk@rjW`}5s zfM@EQ3my9960u3yNiB!ZZ+QO65KEYoRXwGUW7rzBHUm#b>;pO)n;}f)5jBF@a+*1S|6SE}~3}!lG@-?Or5xEbk-u^Ake28wS=r;%2PU9HaIL3y}Do5}nw57-~ z>*%97ZL!5P3k*#sbwo^a%khniI9S2T$0$RbvpxIG3G?NF-D*P7g{WH3?x-*zAWnx_pkjf)*qvJd@P(uM2Ji#*k_7A9U$@oMPeDgkC{;x#SJF+sLX3`s$3K#?qpYKY})m_PlR zsVkGMO_s}uVtRrrXY_YN>e&z{+*2+Gh=(3&25Q$JSPG>*gZhXph=jr^+T{Tb4#q$y zY%RuqLZ1&&r#faAp=dhEW<)<-QEoMq)5^Mks!P(uJhy3DdJZ@%u5RrjhiZs~c9gF3U#+`43Wze1 zYUt9}5z5Js+jkk$4}0?ZIjWJ-r6&DcAr=IrSU`v(E}qOed8pwIAM)VA1p9%>%zDUh z=`nvO6CS6GPGK~53F8Wd1=&$zCbXm*lVGV~DlukUQ_CfBbBZ}=iEji{U!^ND2DMFM zR2)hQ(aESJ55GR(pXijz3CqipWhishCTPBb0K|ocBky^)o71na`QVw0HXdQyEe{?K zIeqdR@4=Mi=?L}gg5eVj-yPu37kFoLX0tiV4>ShnbNtZ&e{xDa^qA`+RcB$FDi}7N zt729bg=^v2I+doO$R1POBwvisH3ivqFvkXt?=T!#RMv>Ivnj4K!f_1j*#viL;x7i| z!ie;%HAOchmr`u`fGR8ORF7Hr7786x8Dg9dDBcCUO+}9DTb|8JQZD)9pN8ze{u8oK zw^ZW-EsN=%PPqT3Mk^zvsm$ZDLw3h}ccSxE>=A8m=_%;?ic<8LxCz2^fd1l?``25N z_dD`^!Q5_f2N!&OA90iCjNh+G>jJZ@u^f-v$RyZr$+Db2is?P$Tb|i^oMvm*@{}yQ z!I&+%+eFlHiX~JyA765N$Prgt1{3(=rHoy__ zL7Q%<-YN)>99+GiuNKrg=$3(DG&JTJwtRe`$(=J4R!EgbVR%ful&uY)~&Jgs)S&>@C5zW#C6_-cFdy zuh|-BrQf&Ml@5bhAF6Ix@#Ak{IZ0-Hc(+O9YZJce>av)0Hw6=i>g);LrX z2cf=2QpU(hLta`ac7&Fe=%?qThg(L2n&eJnxU|^SF+&1!eN1!}aQ166*42#A*HFeH zVtAlEh@8&_tlS#?*U5R7`2vJK}RMcWdaBOhojHD8X0|C9=QkEKZn^1KMs!>oC0)?0(Ze#jZ zp$yjsJy3-Za5Pyg)|O8*Ye^vTkONtYtaHgO6UbDe$f zqRKM2Uq%E%!gK4Mp9+uo?En2Mrpjw}?vUX6j_IT!@f@PBEAl?V=}Su2AWB*mO^rGp zas7VBu~^YpIepc!dI@uFO~C`q_&tXNK5$F?i&MVQLyE(J?Dc^YDxQA4;9aTX*aho@ zLXm7aw@2h{%h(1(FgP{}TCyU)oU;!@+@`_17^32F=@#s*0ZXOg{vcutA@4(hPTVq5 zJ(Tl?^sjGu{*xgLUhpy-vHh!`p^g*sD#!2)x_; zsjD6*|4-bt6ACkDVH)sOL3As2s)@15XeSq_-8T%aXYA4z-Cv<<6=LDic^zroB3LtY zwL@xBcIpsI-_q|pUVob4>z|`*J|o{DEn9|uiP%i34h#BvL)|?jzy1_&l#(hJj3yFp zv_*Di$j1Qj^jl46+}yHPA2W~w3Nazq;9NK8gpSx(81)5BYJ;=Eou?>ai&V#~KW!QQ zWQ=(zD3y+8rXk*~F&vpUFBSYBB?Pwx>Qra{vo+57V{A$`I}>I96=6T7suLFBOA6@| zdU?KIaq`1!4uA0hwk8wW3R>}wSpATNe8s95p&AF|M>_eRzM}p3LzFLHqc;+- zlbR2P_Z)8L$g3}LtR=@zr#!4_mpyt~AWuB9sKCEC@F?)<(2$>g2SrlRJPTEn2zJKq!VJUu2Kxe<+e;1SQUHIz}Lr=R)Bn^Vvh=LUnZm*8>zX*F-^o^MVjYq zObCxYA31wg(uh3XFs)DNoX^-rBV?y$=%*C9hp|mL+5^UJ%WB==KhVBa)zTX2tS4Ss zBt=6ta9C#>wA^EA#^nACt@@1X&#rj(qf=@;j@x^b$0Lqag(L>FamO)lG1Ht|K_+|o z747kWm!_B>KI3UJWaXHQ4k2g0i2t1-KYzPGc=sjGhcch$K4x`=ljh`>PE%*-a>3D^ zGHTY;sz@!{2=am1ROG$tLhzQ^`2=|#F*(cmG7wq64l%+NqWYL+CnC>ul6!&r{hp71 z@R0g1GOo8B+T}g_9uoinAOJ~3K~$bI)2E&;sFE#G6qBFH>_5Nd@`1q6e?}L7#>GV7 zSh^gpule!wGj2clb)5QVRMw2E|9DHq5n&hc!&8;_-bc8_7s&FIun@TW%Ugnd#^fUj zx&?o=llb~y{Cgh$_7kL~EdRlMd&VMKGx*Me{;0xW$kFrglWV3wSa9-SPNNUGSqsE> z72ZT5XdKl2S0t^0_RR)mvP2d()R!lCZ@(dEA7QIGxms~PX}RYS&fyOAR6~|Zn!Y1% z9ZoxqY*FC00_)nP3Jdbj?hyBH38?Y(ivE+2vESd)chEEiqS(=-M?`5x#R|)l*&S*c zNyoEv&d&~f9({m*reHT~T+Jg31qKAHD+kAjv9>DLg@)Jd*py&)Dv79}J2w9x33t{j zS%MgN{eSi?B2MhvU30Ijy}GKqY})RzEsa2cG~xyEar&bm1TUb`fKUUrW{jbG#&p}Y zS7lb_&AUh3*yF_6_j7pg$N0Vcyn6>M6XEX{ScU+@2ySEi$p~|~M3)-4LCwN3=t-{$ zg_qbY5T>VSdP0&;KnSplgq7392!En_`HXxK(+cOPy;IEDhG;S&yK_N2Ab1jn0j*xj z_Vo$ksGwZ$D9ajU+(o@BadH9Gju2%PA*x7vP0r;Rhons*`PkC~&bKPcAV*mg(D-`;XR3vrx#7FTQLZ#?pBf%onXZxGLeN!O1$54jcziTMm`v&R zkIC4VQ@K~%iy}>VPc~oi>e5E# zmh|qL%#pc!v!>tJP((UqRgkD9c`hN#5`9f0FeM6IAdOU72Ix{s5gIh40=c82FW2~* zg_hKWS;j~z*cKV&4*QvlnWo&WL$qwg#@*3%wgg4aZjsYGPgu-y)Y_%!^oU1IgxrID z6V2$+D>8nLdMH2KvXg334!pW@$;*&conS`^ZdsBc63qjG#~QZVq}we!MSMQ zw;yxVbjYm7WL3&1t(t@1!6-IJ=N9XINn74xcFw31gFM|MHgv{XjeRs=HPcC(TY8kd zI2$s{o1AJfqCBCfT?S=E!{~76A0r-aXxIuVI^kOvQ%NYA2FJR{A+njgm$F~L(Q}Rc z7NlCnibDEd_Bc;t)X5WsnWV5%5k>-Llv2u%(8mI|S2mWm#nS|a^*fgP zF6P4wA+xaB1^5w4&qTIF_G<-2cj+k}57{YZR8kZfRV$_5$3*>ejOZQPxQ!fFB*}{X zKix43?zu^u6wx(Svqg8@BTYNR+6djbpcoFAXd4o7NVPYyKB>spGFey=ngzXfOzyWS zg`7^Kh3sS$y3Dqt)3O3m(IBiN#CD5zl41C5WX&SVZS=lFz4Z{wDec`3X|_igK0#Uk zNYHqn;l#t6RT#O=M%BUgIZs_ySDItJ&Ji=-s9-na0t+eqUFq@aehjhtUml^@YL zx@K{0q82r(UE`G|_SU7Cn5184=pTEqRuPR3Rqc~9rqy1vzk^{XAzO}Vj$`~lqkA4> zY&-1QBh>3lgzkul1;rj-e0t1=m(Y|^WtAur@WYt0j9K3ll-@1cG@$TfGHXg#FQHS? zjB@NsV!72hG-6V}L05{{+&bK@Og6#}tN4+-A5)TQg+JS~@Is=+j@8Wp?-1ea7woRK z9Lf;U38=ylQHhXBk;E`4_8GbePF^9_3CSTRj7m1UE#h6wG70eB-LiK>G~XegKad(C z%5Fq8+!F079$~PMHB>31(G)160>cb&a)WkLXCH|4%#6jmlPj6cAi>FOC!c!)MY-5Y_&qQ2b08yn*}gK5B`9J5$$_?shv z@8f5v+ba@NMo%+Zi9zwGO@8lEKO0bNOIj^hhh2t^B^z~sQI@QiIgiE%7Uns{`i|bD ziJHpjCiLwF{i7x-Ef!A3MD(Edgr-%HdNp@tk7RkxM<*I)V?bSXXiFuZey;Jw=@HZO z_xa$+fE4?m>UT9UW_994LS z+dHB3BfQz1^<~2L=8jK}y3f?Bf zi0;{ccVM#**&ZC^*&Zh>Nz$4|6d*_yYU$&eHk~4YTp)^a2K|U#Zqsh;S;hvo6kuru zv8JO45}6UxE(GGpARm;(Zi?I#*)KC%sOV;ivWQuzEt<+6+>nDdpc;nc&5EYKVPAC- z`#bt>L@oD`suDj-krfp$(m<0DlZ;BJ$n+FTk=Q6Y!?A;u8ZG70uHKR=~lvPH;?I37*~1ZK!ljRlhtX-0XD*^HvkRI$jTeYdA9243IqF0>3!Pmhp;SJ# z6A|{Cun#yoZgIQLF)WWTRWa+DAS~$$9;s?0)v-A;3iA0Gku6aHb*=}Tt zSSK)Z%GH*SpQbdQeZYrDH6Q%?l*gZc!STzFIsM`jP9J?l`{lYz<}IL6azWHH29Yjo{(Nz^eg|1n#TM8JRElJx`QRNWf z#AJQH$I?`s@`#3bO{%?5p6MQ`XW-ZAlnKQrvg@~(9m46(kHM_Fp>xAq=nJ+ z(d7ciE-~a4abP1z9;3`5N`|bW16k?Q6LTnX{2)NoYpOaTZR8kIfS%~o)so!opyF^a zZ8X24ZAV<~YEodH8??10i**l636XPf4qfzGK$G|6NzKi5%?g(~Tl13}u}?A%&I*O^ z;4fBubD^PH3wGb7Y`vVj)rPVNh;I(Ox&lL8b9>*S3TIs3l{gfXhaI(>khvjj0`7g2 zAdAShE_bC(t*%%;gzV-uM=u2m$wm}Fk!^~oAe{R+io%=MGt|v34`G|h;f8hFrk$re z1QM+x!g$=~VX06n2L|0K?+yXYGUS^gpsmO3Je^??6LFZ)DtrP3&NW z{9?-DZo}A&aD)clA;7jhg8Dtw-8%xQL%$K=g)OX!j1Y!&>l|zRgrjFR#^?!}-lftl z1XZB~#IRx!#{BModW9SP4poCr&t^0@MO#|@^?!GSfAtbcRps9vwFeB}pE78**?17I zZs=(c!~<&K4rf2);q|wSaL6PH-4^K90^3~+y=^gndxaVw2r88m`I4x3j+wpV;MvsC z1KMhd>k2TuugIez(W}=qx+S^Wp_mAiZ!XbJ3QVCyy!GHOPBAVnS(h@WM+)580ZZ19 z%98coW2i6K-1g|76a-}p_w572p^BGx@U9k=6BD~7VJ00!B}LZ)?lP6g&KWBe<<7th zWSVitwtRtX-XhjhI=d~)H!{ciHCd9AIb-DgPt@jw;z&pO=Qm_eUSd~sytz#CNGB>A zbi*Zi`$N+C3cD;>OEO*0W%sO2CrH^=O|rWg_Ru7ELK>4cX}TlYNW`UyT5j<7HbNsp za6Ik91AuJYjKWpR9YKmt~ zj-CY64+^C?MNY0Lp{6VcA2nn0;+@0CM;Oa zD;9B0s0Ez(59}k0s>oQ>9a_Q`E%k87sY3;)mdNW2IY_8diKtbeB?kE_M;K{Xal$5Q zP_*_O3LRbY*wiI;RAZK1c8!2)TobRF_+mgf4@iTApI$q}NXQN2-(4b&B_6(wn0XIu%7nwl!&%L_RhsNyy&==#;x6Rj zVM7+I5JgDUHsN89tZQt;fZ$<=H``$J;l^zc?k=#;S|p~8v)C{_F1X+KNVc!&>2R5t zJnpPmC}Wa5fI=kj5}MQ;$_DMqrD{!h*!ffoAN~1=)x(yh@6jp>PD~lk?xOl3nGjLv zQ-UC*Q1^673CofY`%{ut!p7S()DKkgl%$yuEn_^TqFDyiFZ+mBG0LMpv%82QT=C+# zMUix=M-{zrP4D9qYNtl4TAVf%a`QQ9y+qD3uAMRI?4OwbbYOjZ%l!5C+^+Wg@sAJu z;qU%OjK+@DUZ>Yg_|+#CAAR}>MeAd}`FVwO{(1@hkQn*3D`(zSwYr)gc|#7 zg*MI33gKIiKsGsjB(m6b(c=|q@0hk)u+`g`g-@$dA$0m2RyF-cG<1AiugTy?4f&cL~{I&B;;C z50^EK=LybLh*p$1Ne8RBAq;YaykO8N+3kDW9JZXvJ`ZZ2+2szS+Crm+z7IJ)1;^X0g;! zDvzEek&nBi%Ltc>G)rk7iR|_YcCJfLh%tu>zSp5AMy#D7)&34ymUuEX*rX<`SClFU zVM*E3Y1KW9R)uM|QS3f6D)ODoB9yqiaM-TiadlJik8dvc{Xcxi#{B`UkrGNKBR%5T zXCJb?)>z&a{JVd=LJHio--?yTFCQNu`w)j1d*{-yH0~}vq}?@TtT1y!ign27SwWee zlW7I51YEaE{#0P|_MX$mhBRn!de*|(G%)Hp%hr%#w8yDVa92z6QHCw6loJZ?%0-zZ zWPygNYlO=N{lSvMt%*JeU{hl}Z=$|-xJ$;I)c4FA&ro;QRE;j?;6O1`5c7;GlgS*9 zLKCPX73;V{id~LNmAI)Rm=#JQktG&8%_Qq&)OA6*4>44g!WHSg`v#E&!5EXvIoA4` zApaOsyrNc)@RN$hyC1puu|@l6O*0c|s(pH=8t%G{T;EU{BiOI7pBfn7`y^@~Nzp;x z5h-1I$(H4EK=0`T{u>3Mb{Kptv-o2{_p=7UMTl5t)KigGBWC_!(0^W&UyDczjm%q8 z?PRJ}lf;=*9Ymy-Pn4?|dO);Ea6^@DYtQar(amEbN2A#*$i)gN5r_^J!jVb2U*o1A zH<~nU*o8KRz98ONNP2`MYk!OR`r+_mt93gM4C61C#$vS8`0AlMK@1>asqD8(zhc!=fQv8wu< znh`t6Vq{CK_X5Xu%q+99i!~W-%&@|IuTR=H@NN$@2NJTTkp~j(bDf5Tj`=qEaV|eOji4JZ;dEbXEtIQ$5E!Kf*gC zuvrifTKG3Ha_*u(Qs_=Q+|3KRwL^4#OtsiEebzx&G)iAZ>*Yv|293hxP;2}z|HnJN z`oI2;AKrb-zyJCx-u!q$L%zcbRV+ItMn@D?`rZNitiwjJ`Mdx7KO##{7StC4iYg;o z6(_=T%0`IUFVTc2^u{5++GaVDnE%r~PnHpJSLI2(X5&t2J&D;b2CM~%&E+lq{%731 zb1t%-2)@Gc zKB9NN!y$s3IEV=jL0^XMe!u!^bFiad+aO`BXuFg6j@`GjJY)B56+)&G+c zPIX##fjZUTszoD>33C(UrGvK+kgO@u)TiIwxpdZJQ`33aA%_b^8pJVz89 z#+pKujS$M1_9$auHJJUV)0`-Xk%b}~^q$BJnoXqE5#7HODJ6^IM51-3k;@;T#vyV? zCkZP2G{=^qEV~GuE$-T2T32kfh$Pb4ukIOTHuBJ-nkXbr%&-3o3nL1t#3@JG1Cr9F zVG4=GBUGj0=@$y(&U1QlLgX8`mB8v|jc$s_g-Fuw5=L*)kysQm&Gi=H*%@lR!t(^A ztmbB!Bkb=G`vPGS@bjUM!3rOl9b&t~;g1eSQp%;Pp+4-PcZzuJ;4Joh{uc^c?*-fF zhOSl76sK%55o7Ps?Ke5p1%{|l7&2lN(NG$cnU5aZ%qyRcTp`#x#e>9p=P)%28k)$# zka0`s6b4o9q6Y&;Q=Mhj#+U}Aiv;=Up0aU*q;4^ToH7BseL!e6@%&pP{Xm(=)HJx? zYCy(r<@0C1)H#3lm;CJ?BA)gCneC@%Y}S85?p=a1oseD5k;et6qb^Q)M50LeRm$B; z;Flk*aHNm97w$=%ilVV2s6--L!4@+{O&^4haO#w5x4}+zMiZL{U&L6YOIa$Wo6(m7)}FS}TtS zzt6C|pv)$ug-UW93mn%@+o}KmP*FGjV!NM%^6s&mN<+1)di=mi7rzk&(#-Qu>T|FXAjs*6D)c zMB?^l!DIbE*6vXsGD1J+*++1{FgR|-6viW3;idsUEnuv8p(b6yu1$#B45$Kftn#w6ihF#hf#I}VT1Wfw|={m=4 z>2zxuwJ#%iDN;*f^8OiWT`PIvc9}cHT>pPT=fnDl+8`enWhQE5> z=6iPnyKC%@!e&u(KFz3mB??QXk*GZWY{a{-BRc(E6P&7I`E;atH})dSWqb*e*~tUW^>pR>QZ!xT64>l~p} z@NY8ITIJF^aFou7BLUGoWx3hV?lf=&lY?;JZzO{%dd|8mkY@|3Qyo7vXsZqq&ye5# z2jsu(qpxdL;}f*Ki_{j0FKX0oijfb=2RhO^#%p%bqaEtBL6M%|MPG9yMwI#x%y_}1`!k2=G5X6G@it`fi>I9KE^rSWlF<=%xFJ8R5Racw2P?{;$5QOm zo_$C4u}Ph0wCX*6GQv3|Sa!t4jmt~vfji?12B!|=c}e`?8Cp9>dgqe7n9xuYGO;MQ zqA&meAOJ~3K~#_V@Q&H=Gwk7>_$s0G^o;%66yt@2lEq}%dst~e97QC0K_ynmO_d^8 zAxY0E`de!Mfw~IFoR^emTf(0m2JMWEFr?es5^p0?MZl~R;#8s4$=F{>3_jW7h8lz6 zJK|fD<|rl>Ce+Rf;Z`CYt28v3hTw7)k7%|2gm%sdh%SV)gYY;RLOjZ(H>e8%}NH0nn~^ti<^0=aFXpVau7M2`S@+s8O7(ei-w zAW5=&?=;LF4hP|7vlIwL!j48?$L)j;Y*5bTNE z4tXa;cTEyCrC51XnT@Vh)R{*jHn8mkv5J|mRP?cky3$ZA1wYJ?svM=M5=JSN)k7{_ zqPU4J$|Q0^mdBhuH3_o`|M4GwX0<=i%l3Ts>42YJwa8*Hq<|nxP@;QIj@#V6R&iM{ zTZOECo^y2U@a6Moe4m{YE-pEp4iSZji78Q-69QiG!b*sYr)-oZ;o^XKmNSn}DZ^{d zn>I5&^J7tOxd-cuy}RH$0rfW;1~4DH9NOWw_LK9PLZ8CgUOKl?T$R~Xq+!F z#tPd=V>|aT)r4lzCkXb~n4ESjLid!~7BKfQikhK3Jw^#~9)|~h`QQ9k{PX{I!(Ixh zD-pe_(9asYIJc0D&oIK6&T*T6_*!N2?Y~19*T_)tP>K{mOlc`dnnYu^q%ur8QwlFW z#?2Ch)g1#NCic!amNzWbzoOCF(<>m{^l|EMI0zoEN|z5CmsH}XNJ56@2dKs)iiu9W z_Gq0nnXQ_f#dD~1RIx@$HP%W%Ln|rsoH%JSu3wR6?@@GPg2bRs-=bbNk^U;-aN$ul zQ__oolaptx>y&}wQ#u{w?-z8xY~s%ps&kKu^4r~B>K!m@Y9Hm`T*H_%W()r*Ek?L^7NN(ZXtvEW8Niz#24v5Tiy74_*`4nY! zpwSko_X?eQ&h_L8#{OrFqaN{1jr_DEyh;#TOWNZz^f*E=G+3?B`eVXqhgHOQR+Heh zhVk-%co#C9wwdo7@Lj4#gi#1&0}(Bc@eTtT)(kcqihT=Z1b3oJyIhb2Ho_pl))InW zzM$OtWIYMGb$=$mUE{~H6nJVG9w z)B5WZMy5iydrB0P2>TLAQ;1Fr^jSh`=!ls|oNCBYjQ1dM+HMh736_vkI}&0`rU;|Aih7@ri!!2?(OHKi!Uz-}t3Ay$Vx@@KZh_-032GC)Q)2ach%*PRC9zIbI`WQ%{2bf8MJ(aT zSV3uxNk@G;p%1c7W{Bu%!6MU;e1+s;Mk%+U9a79?a(j;CE5t@cl%{xoOm}z7o2WxC zyQf5C?(V2#7fBt_sUxmrlYHwTx)Qb#vDxXUl1HbOx%*i_6kG&VW|mmw?iE%$#H%J; zUdNnvWcF>1Nu6_X2g1`8MxB$p1=(#$A-!VyG-LGSQ|`V?h=nCdpwg>z+*;%|J8*iJ zVSf=LEi4XB#-LqMb^AC!-SSv*@TVPCuQ%vdca&d@$%6wO)h29ZynC0>H6k|K2A<>7 zR(z&jn{PHc%4){@GKAfaF;MxBg9(9K8XpI z8S*0?iVCC9P<8?1vcmoR7%jZO&nEoplaT-K>j~%fkKAX!=FIv7zWkiYr#~>e>66PE zkA!QkR&Ao`6m$QU^{~%TuZ<8Ku4NU~Kq8E~isa@g;^rNq z*+*-S*&WtA`tmWmf4ZR;ZdezmbOt}M_Rer8puU+Cy?BCkGv~JTgyYfoEZ;n)|9;8r zqCn*iRmHti)5+G9ZjZbppdT_edK*g$=?=Th_7S~y8zIif6@?(zXlV-4Fy!!16YP9~ zD879P)eb9XhAOCtW|M4Sarr8t^}`+I$1=Za{E9M<_~n231@HdX8QEUoQTKvq z@E%`X&iQ;bNBOJI@qTO~kU$BfJ>V#YG2VDR7i0Hv8u>UF}x#)wqCQNPmR*PK~F&M<`w^Ix~rj~5vRftfhL<@`7^pe6l zruDeM2;2B(Md}nZpSLJn6LZkSA)sBzNTVZ~7k6mWG5SmK;GN0vIAWwS;wLq|T8BA+#FV?h;J-H(A{qJ`?ISzP>0nZxv4-y?+ z2B}Lm^%zJgS62on{*LR=fMLqx*ym005gp?-o_s=g;gC*jI#qyl`~+PJX*NaV+Tg+w z5mpa$B$Y+GOZDbkq`JfLuQY;%NJttBNchICzhV^ zJpG=_)j7|9b>Kh!EgUyOo_*e8|5d=?smLL;DeIb(c8=p6GtMvRD=^vwRsz2qiu{M9OA`D@RU4$$lIKRsqEHEfHAhy-BKIlX80AFA zECo`UiAb!9{HPivU(K<8{g$&wDvx5Fhet0__Fr*z5Glo|CJJX<`hI@DDkIi9nk6ASj5Hocd4`s0yK1^4L!34qvdz z{-tLsXC^^{WCgZIGB<+-Pyhqqrh`k6&Fc2syRxQ*&PbnTmR%yluO^2CxO8=2d z>gptJfp;{bA8&C-|36Fjxoc^jp6C7gzd5g*cHWh%yQe2G41+03uuOmk3>&gP*k_|t z@i`a*1sDb>$ppiMX3tc2S6AF|<+a|NgFlQ96xt?1e@ZPp@HEwUe>T?%QV0zE14?Q5*?EmCPA zT8GK$i1Kbl_Hs`B{)l&8Q+_b0R0pfr(zs)eZ`XK>oOsnIDIMCu9!nFX+nV_cgXC5w zk3J!Eo7QZxcNt1MWj}DSSW&oBY_TUyR0w3miGtX!kV1oQkf7LS*C&Kjaj)Lz}Kp7B1;;A{04cdu(`IX#CTE`OFXh^$PX! zBkON7o}8~(=W{yWM|X7EP$4o5CgG9Fv2l7G@d0GXC#^ktN=7HU^h%$Df5xQy#OAi4 zYYwO@pEA-(_D4*sWoT2C{Ud6aA=f!udqH#a3V!S0|LO{xbwqLqXw;H^ zzNUCAQ5^%~jNI_(ijd(|L$pyTyDd_s;baNclM9qK!)P>uPUm|ar3zw{lZN8npbkT{vk`|dL(UU)w})Hj4Aed=N|L0Yj53_6Kr00Dprn$A zNL9tyw)rtA@IQS(&LZxUArCk2I2}j$xl7Ub7-_@BLT9x%n2rPbV#4IAM|`hQ)O(&x zRDO0c=0E>Kg&97=Ob`!rJiEj|!_;-c0{rNPlYvYzd4;vwV`(K~XrZ?njRZxf(H|CQ z&Y0wQ#2RY^2N}~y(XZwl!x}9NDZ2qeP4K2YHhxEwXY6ivT%C7pw5Rw%${|`oT_FsG z(}m7WH0S>IBdf;;=9$m=<(U8LhjVVe`A^7IfG&K_y^g1U`ik$i3qHO1ub_OO1=3FWni^z91Wv9O|;D0a}EsHATqMm-fRlTbh15zPmv z{yUDkj`$Sw5Y^bf{t^DFrju24S>P8Xo)aP_S0woc$Av@TB28l|VNrejh&ohge!s(> z*7%Kt{IH|*C)9%xj<_Ln=QQ$xMhQ6<3UU_X{x(B>Iiy{-Xo^V}MGRhysecIR|Ak4h zGijWZshiSl6&-xUH9){XbB__?+1G?Z2LoLt}o5QlE_q4(oPpHb0 z-1IQ@EqnKZ^5zEJt!S<+ZgLxE`CF>R968X@y(25lrPPin&V*v+Q{J{z?E>Y8x7a_u zCi?CccTv+-2ElO5ul~<}T8r+K^c~&y%l_a`_B5Fzt(yAs81drtjt-Pe(6?DBm znPgyudu-37)g?||nkdSMZ3(rSknbXn-YHV~J-R7j>m@~QP_`0&p^~2Txosml54L^= zBZ>PY1T)4M6c~07&kk809WG`G-~4!rHQ(}h4ETH#Fu&G#yY}hw71~th{oY_?Y#3P< zai*a7KBc12><{e69^bs#fR^&8P0_Ly{y^d5&1b^Rfz~lFjuQEWOH=2RV*`>L{dB-) z-(tHFTc=N(l<4!0)N&9;#oo|~ix4rN8Yju@z0x~|W+-z7-JXO!uj zO)WUoYr2ud_XmkYO8EY+WV!Z<+kiN4_#jQW!UW9ZU7*J7G z4hjNOY{|9*aw642P7VU_XA~_BH?q~b~Hkz{uJPhQdD_F)+RVpgHoM? zq2Sjo`s{@5-`}7f67=x}o2X_n?AX8kg1WA${VjE!vDUw4TK$T|`U+hv>CJ3DtrV

      #R+lUV>FQ242IYbYkKE4(niDi z`7>H!)4RNhVr(-nLFe`!f3VQ zE*fK-pQ!8>-D>cVkpquX(RhEqp-%3gwph4OE-S(yz>-Tu=5qTWxUjY~l8wkTnq7<` z*Mwofpe{g+QFo6Nd4W>i64ru~dc)(ri(Eg@YdVT%fTFaBxS$p)qw+ve^_ey?>$@Ii zvO(yO_z|X35p8Y6CSvq@LB7ioa>3zKjI9caTE=Tq6k+42786^iRSePxA2n?-JriYJ zB9D3;cM-~TOsi^ihQx(oA}^+Nhm5(ca&q3sozAgDgsqJ^TR60>#&}ZGbSCF>nTz3= zFtAbL26wE}W5C0`#@t!aH3suK<*YYi?2NcNlks;t$J-VCwx;R|nY0mS&XE3PpUi-t z{E5t~(HWQHIaMR@0twNWC?`X{kXyvX89k}Tiz|hT$r;0D#L$eHzj{SuxFn*6kxgf` zq(Y?%Yfhz>%U4q@XG*_kVO&^T{ba<$p-0{xxSCoRT8|=;LE4c^eY{TQ=}8Y|G{h-2 zOj%~t8no*rA}^8h6iJg=oQ!yJHDm8R#p~9DrHW^2Jb5vu98cJ7VQ!^($q2DiS*;VfA|)X+=Nd)8rp>ShF{^HdaeScA73wOY zic@;#2sv$0WQlcF;IwP3hXdwthADE=w#O*`5ltVH->z_bGF}v8&ZdaTh$`A(t2Jej zQe^@Pn^AL5?@Gu2ZNcp8h|PB$UX)UZhAIlFw*}R|yrZ{#kH&~1QOVK=jN^(lHgHdD zsw$!zT%Z^-?fnMnc!K!2L|G*yj}oO_V&;HU5SuBaAE*NhGpo4$PT_R8MP3RhwlS3! zQ=e+IyCdWm&=08ngt(2+W(vnc&A^GMGo3=%H0vdn7E_!GqMHh5VN!mSh+PHS7GxV2 zHIm3unfAOOUJ1_nExT++zq_L?he#6%)C1#}9-0eD*+YIz>8eMJL7y(}D7yy63)JR; zHd3+Wf+H%rcp%eT4AZ35XGlgzddShx7;6f3X)sJXPG8S>A2?+DN3?-Xk{b*L2@j#o zb8U-r@&vU}p&8KAeAac3FWmz@YsPrep*=q*+C|JPgW<&~RnVaI3dE}gpC1EMAtB8L znqi{L3ge!^LF#dFmEi|2Px~3UKIc?XsgypNSz@2*4C*6xQqw&>h2oZJUt^=r8O-iU zklAHmJ1JFXqqQcdCn~mPkt##VHo~-3E+rVfenwoiyqH3(I>=Q@Qz_KhhT)4bb)qmc zOXkn6@GFze;egs@*ry}TJe{U+nV#23#+0E_lCXs9tadMqYaNc}$dNyQ+&W%Ojm z`DlPAFG&0Yl3CM#K0u@fk*K+QccA_D*L)u)yfioD<^}IQ`CK~@o5n>%M`o@^w-L-n zF_=BZ){veiL*CMka&W4hr4v zJ)NB3Cnj-Q(dr#b-6V;ZG+jw23jC;|suQ$P$D}$Zs-XC=r>P>6w;PZMuR>JX+SYPWfRMYFhFXNkR{mdI%Zb|VK|^H z_NZ2ep*ASPDYD$rZ!ej3aC+%cKM01eFYthpT&qE4PN4no8c4Cxe0TCwi>c&}mz)#s+?p3&Ylo%Ql3B8 z@crjh>Lapsh15hS*wk{L%8n?PGy1)T{ow`b!#(=qineR$O&f}+qpvljgJ&pjW5kt; z{J2Kxc?hK;$~uf;h$%+YX9?pxBsH$ck`;BW;7tU1r{LH+opp+TXCbL;u77dD5tFJ` zkzYEj-ul=tTGHQtqWswj{eDLMd5S6$BGVxL&FvrRyVa5AP>^4EjOP-KvxeI8I4X*?)-8+XlZ?$)W_PIUZW7v?QrCLNzDf9jU9B zHkCQF3aO?bHX)(t(N}jwoksm(!`T-@{`tF(g}ua>>g+!T=!1rD-wK++5kqPTk{!vh z!cb}+CHTV1`1os$*_qFH*5_uOGdK2hsmiG%$ZigNtO~qfOWE^ycz=hh?1-b1H#ZrH zf5Q(C9fthK3a4~g!b4!OIV{3u_+Zpkbi$`&C*Ck(naXVh0IRwdc6U^3R( zYG*9NJ#QbkJggt6+LCSSko$Wu6VgsYb`vVS&oT2k`VqTyg(m0Jxy-zdskKv-IA-7q z4E2ouRHjqldQdYsIl~k>UrbD{lm%_mQl|=GDdFZdrjQ}g*zG&2Zyr&l5ZkLbc|PF2 z)@ibYAC4JsZhxeyB82YHZ5w{|xX1tSmjCWD;QHtPD@Ol>la~v&y_RH~&@m$^GT3AY z?vW5JbqAkXnXFy0dbi>9(q`}X$&VkYWd&1J7Q<$ovdgH)CZ2L23pF%3rudL@>c%YfGtTADh*0O_?`rIe4rO;ovfMF$S>n8} z>6SI+fBQT1PQ`GCxW$gH(%7F~(1ja{sG;)&Ql-&smdIxlG_A#HKValKem%g{cQopn zd>;|pGP)d*7e^8chVB}_@6a71RIkF?YS@vW5*@nT;2ige7b;0mayHnqyFbAZpD8mN zInN1X1cMTOH-k@gb7@76SWg?8+4Ta|nY=5a;YcIa2vNGA$*8?YSAIjMe2Xq=GT zB&f=c^n;+-e4@z{?!J5A%-YbuJjL`6xYH5a+F)U3td%Q_WP`pJWX_1KE|b>}__sdF zY(ZQp9Je7!aL;MKM2;1VUd?40)Aa|GQGwUgbWO)dw0Oz{)lIo-mTc!wv8y#(S>sgR z5>B2YaiFzZvRcNHWt7WP@^>wRbA$N4r8P3zMxZ+;vR_e52Aql`rDhXVEs}9$Tj`7% zfl~CD_4}wvgC#md*2gw;q^*JBS!B9_R{C^`!rQ$AIB9`hem7Bh{1V$azlh#To0{l&7;AiypC_B3z3U30Z;pup+X?49u8o?hK6p03ZNK zL_t(!t1ute=$B{cl<11hWxvPl`idmb$tD7`$T_3n)w2l)?}`t1pZPJWaaTv=$psff zn_yexCI?1!%hQ)5gqR>rb-vvQ=Epbu@vA8h8<$<1ag$YKw{H>DTuTB!Q`sH&oK8xv z>>ih66G^BXjEw9dVm=V`&(0x}shk42k!ef||M3Rlhv=G1t6S_IBL;TH=b*x|V$Mfn z!bBrmui3{TJ;$R_bS{4}ARqVGy-TRHh%9wT*B!MZbC-6kZ|}*H2PXaj`|6Zbn7s8P z;1T!ogs!!~Pw|g}?b{EmMS$s-2xm#BcS!uf3TFl6Ws4Rdl68wTalYNA_KZXhZ6~Nlb}VJ|YZ-t%%XDCAzAi za3{!Ch@Tk9`aOmHg!1^AZDZl45p~^x$PjKv(CC=u9l4@FyhXGoLgd7eLZiFHyCvGi zg40VuVLv0g^D$JH@W%vcy=L<4f|*bdjYm@{+BeeG&QHI8k*lgn4F`$TwvYb5G$92pZ5%#HC_3f-5|rbYUuU}N~I#% z7E&jnl2WA(gI6J1y&#BPI;%z$7BUsFGDW0&baG10Xz~Wf2{?W#QAeP*0=F#joB`o& zf#E#DtR~#-FsBB4ZNlI@C)sLvZOI{*P+ttOH+NKDzo5P8$hiN*ZX2`|=Y5PhWS=Y2 zG{Bol9E&OWvf{SxarX5d|Dj>>MT-+_{Kct@tO}@x4pJBrD9{|%)JelGuIMW%)H?gt z;_PWaw5vIr+O+O9ZwVv6c}@dY;W;c+q|r9N$LfOlTmIHdefRPgPX0O zind6VLOoX4t!ny8OPpBLP0mP@7z7#1!lU=_dyca!y2eLu1eRZ;49;lw8w%ORt19kG zi|p|o-fT*#SR6i==tjw7uF`k6tUi|*s)l4%99s|J?(rWKs!4@z%G4`x`Yu*aLroQ) zT=Yn{ecEoz6U#!lDzi@T%IZ_N{U+s~xQl66w^&ALI_J)k-n%|_z57sS<`%c?~E@+sf14vfu5 zHrW_C38=O<-@IAzu)5*z{_hI^@Y}b1`0#;o8*&sCU9;dUoFIXqLq>>>Q{ye0OsC8? z*dq(Qu_%@yi_?-BQ_j)I#RRp{m>WwrpHj{|nR8)q=!U3K#rrn_h&6Txrd-f_c20!O z&8Hl1yvNA;C{abNN!W{mGJQ@dmCUM=ayUhfYRnHloj0Pk_lO4SNMY7*DU&g+R-wr< zt(4O}@53>nR61f|A~_+un*np{9_i#~43&;OLmYC_j|qlXVAm3AuVQ|2O0{^3^P43_ z7|^?JY0sYGE)K{d!e~BYbf>7pEuF71*Hv`6<#^*UxC+r|(N8;q$CSK|=yx#_OQ#yR zgoiy%5D;ndA6$Z?f^{vC{pJBNJ|kImv`N4&OE|rXc>K|$*AEFlG@SNV^rmz22N}gZ z;Kd0^uF<>dD1OLMhc-ujK`B4bf0ncV)W?huDBT%q|1;LDpwcbeNJ6|akya8`5fgVF zljs)Z^%q!C$6YYS^}k{N=@cXT$mLIFB+EYC`3x!964V7+dn67jqRzxDQcTN2NGkm& zDn;o~X(~lta(U))+{sjB!FbT|E_Bd#-=fqyt9J^c?vYYc7@1oXrH_y+F1n7=9B{l@ zV;e`r#e{8^qsSHJ&_JsyLPbGO8}e2|9mwQW%VAkEcwtlP8e=I!(iU_=LKg+6mpvX1 z4*f}t*GdH4DdRzfRs`&FlZkR*v?-9>DYk4PI*BgVn4D&ak&Tn=_%3v~n#O$hP_r#+ zq>%z@Mwn{IrjFb;+~g+qAi%b4l0wJm8hpv)$`#yXD(6n-(A;h5zf_n^dc^t!5j_y4@ZrC0kh3LIyQa*26p@fT zaj^1x7WNpoFN4tNa)VNo46_wgnsbzN{5K!jCpiyc!f*cZTZFjhRO%4j6^>LP8v+S{ zuA}Q9^I_0aIXO2u1Rn1`m-wH5kK8XgIkC~dxTNc9KD_ zL$-=T(n&aWL$J2#?%&~!Dpu+SSF;IO`blIiYdlq zO&<|$|^noc0bIY-H%uv&CNYDYo}AIXjev%KJt&8hP(^0-HlWF*EM{lx>ttxDWe z85K2Ymm@DCaQei*k2xMUR8ff`3aEeChb+L41jg^aq4#7&`9sD~?Ad!Wis>zA;qyRq9i2V-xI4f#qB-P$r;|IjU0#cOq+V%C;b@Umomm7 zL6u|Hfy}PVy57Zdqn#H;b|B}!@H!TS3hv< z4BGs_du@nx_Z}7t>R*3mJL;1hZs^Myjjzy?6k^+=6#<&wa$Ke?t|F3kgq$k;?p=d< z64J{m9PQzv_%vZrEQW$JEE|}XmVP|AlxOm69KaUb=+c)JK|->)LG&_y`t@n zIED%Pw4yhtC<~KHwo%L$VU36!jo^nzG})L# zeq2_h8GNcs%1J{h>DY3`;KhVYo$&2L!eO70M?Sa9lKAcS6qIb2A#xOOay=s-_VFeP z{qu8oT`1&Ytw>M2|t=VR1U+`&);t^gWJf00}`0)O-+tc#rB@ z+@wP!fq)h|z$l@UCEou&#*=?V?=R12u{gX5NS%yiSD`5#zwZS9@Xv3!IsRwlaYZ+< z(L90qRA4(cueA|n_b05|C8z0%v#aMc`-FW8{;&QOxpMKEE&JbLN`e&WzJD(TT9RusHpf_SK~%8=b&MtM4< zRRU5?#e8PqdM^G^r7<;hL!q3HaFrE>?4X_~Sk;iyPnn;O@PCt2Y9|z@HjDEkn|lxE z>w@MmW8vITg;!KV!FaLbxSXT@FTrL=QElt5Ze_7YkTd4njoCG@lQLA!q3W z)@Xto1q{qFl2&22CTb>7bdS1cq1S8FQJ?ZqaQ;-n*InW|W8kGE>5xp5X)OasZHO|# z*`%aCUNCkWQgcq3XXxo8!`4Jr1e%|a$tv>WkvMC~9EEzbL$5vhZh<+S^8NdgYc=A1 zb3!k<<%h!pr`WM_N2JS7$me6)%@#?Luy=dfiN)biGHe3WU%cR7{yt_tTXU#K$We+r z_1KguDMz%Tq%%tna`U8c@k6gRNS%0{zl-h5~A*bSC)WLpS;m| z{M{|0%y_I_>@uM>ZIqRQ*1*xPVSS{_8ydgE)JkI0B}otXhk`D7@rA|lw|l}W zMynGH4{Ebu((gE(Pbg}eP)`u0MAWA2mMv9xM`P6d%~ORx`#=7ifBQ$zd3E*2bc@&g z(?8w+|CeRXc%aZ5%{U$F7_H7F8rM$8^A|&;j*dR5bjBQsV7qP_VY=Pv|>Y}5CKAQW;lMV2neq7F}bN4hcb>KeVT zV7PPYHxH;)PTIH8yg6Mhvu^~ZI1ue?oHW9)Ew-N|O6wk@NqASiVmS3l&d$+SAMvD^ zZ0Do*EUI!(*1G_IO>Xo_t37Ja;ofCX8Wd59a=S-8F(`hwgq}owr;z9a^v@xO@fhQ{ zB364e3ed#ZQb7EDhVDJ3xr^ARF8x8k!zY1OK2jV^%Et;k9+1WwW*(Al3YzH{RvMZd z(Vw+6l82LiB59_K+Jxh}K+bhK-$se=vF(B=ijmJ65`ThIeNWVZ-X>ICP9EvB+X|WA zP}?qfm!hQ=eyd}J5!N5i`Qb)Ja}xGlP8s+-K2%6~%avVVwmnMGaQExaXj#Vm<&^wg zz_BTCyN1UP8aN$tQ=zvS2opzL(bgWeW^%lXQ1zNnHz_v(ITA+IanvjjzW37~ws`1bJVLxsLB__@Q?h!%OnIOZ6T~6r>WMNCU19&NG)u3uCg3lX1CJ_`F zAm}pCx(xG$!>)BG_78MvM77&tv?+`wf`iPcSJKu!Ql*5>qUh!PQnEO-Hdb(;6eYAB zlTn7EIw-16)HO_c1932|fr?_nyoa)>kdwBMil{8|cC-}t)>>shFW14M(IrJ!x zk7xrAJ*vphUz2R^(Hv0o9C{i4@F~3?ZfLF*iuVb^}~@URwl)Zh;N=hy5$C7ixYcwEaMYR>$KM^0$P9Uclx zZ%prTjr_|mxLI%Ux{mu@i!{nP%_YiSkHIuVvL*zbLfS;k&72$K6-{)9rb`$DjlFaKFB816 zzza>Rxy*J0iNEEUUh=M8P^D|0^=f$jf@zWQS1Fp(plLnAq7TWAs_oI)3ErJgK07C0Z)m+f z=9`rE%0vn?G_5AJ=BROid6v@VCdN~j>{cKzWHh1TT$;4@286&~2Grh95td-JH!;Q) z`DY*X>Kd!wpq)!}qm(9SD5sCKX~Ux!@O-x7u=nU9sNY0%0~_hb6-82^Of8B zL_H%v8PKM8jI@qc8p1lqsK;bcifT&~yMRt@s2*3Shm5BDga05*mHPXVa#|rLpU9d^ zb`SR`)O>oEGB6{g^J}`Z9$nWmnP{B7(viv>qpP8lF>{6SwZ_nOiGGz+wHxX{rzkUm zC_!G`q2&sjV}vVJ=vj_D7*K>ULjguy!>FL!XY`sHcdsB-F^%zuux2U>akPXWl`+*L zVc1gSHTv;D)oK*Ske~ol%@{@!dFf(nJDN&Gu2s&=h9ELg%akB&sNQbS`yS;sLhDk( zeMOH15(zcgkTovlF5|d&sFIALhRva+=N0(Xh`h+jvm8?j!EulkP^*}I*^%$=d6vg0 z!#V0Ur!Q4VoyNe^F@laFb8zYsUGX?+TKr^8@32DjZOl%P2p7dxiCUPyt(4Ra*-U?D*AgTa;E^#jg zh}D7dsRF$jimPK>S?EKR^w6NB0p_VkmsqGp!^rLNr@uJijef<2m7`u=A!?bcCkA_a zL{T32dMIPeuW59XVBnj$cfHWQjup*u{?t` z@MyFEBdExvAfaJNQn8rphKJ9vWs<42yz3fp{+(Y-;>EE=Pr3VVoV zk15M+#g zz^+^AeI9SGzqf2Vpn<`V6b9tXP|^fLzw`il7rdB$ND(4}3JRvt= zZ$JKk-eSkzE7qpaz{moEqK7|;h#y-zS2Dq}q$?N1gCXk274>k2{rL$D6VaO3`T|Ki zr#yV5wYxOWYfRIp-06t(7HcaIP8U^vi=?579lOVgd$rT-Qw3xEYP6$hTMVP6)O`$9!|8_X*4Jq1 z2PA)v(QT>s1@b^cZ*|;$&RXixte*(SZ~1(;z^7tydCp0;<=MJnqOVYAZ&)uvzW!Qg zzZ}!rGTn|sU(s2%ee8OHp^sQpKJs$I?8akN`!t7=FZ7zIbBb$)MAi^{BqPFt+|qDF zLL_8dA<_C>A|(EG?0Xr>^kaz;i$HW(w81+^pNXgRVrqK*PewL{;GI0^^F zH|Tf@Cv%_OyBhDchOw`aT#H^;q6lkx6PGww>6}<_Xjv)}cAb)qr%a53r{{w4u;nQd z43wPq^a`DD#abKCJlx@oZMLCKZx*q6lsG*R+@}tTNO{@K`LsPjF+Z|D82tKe!u|Fo zzjPLm^)TFm$7Ri+mqOg9om!;tHy9TxR#;HE4zI6G5^+MD>``Qkt!5J^TiPV&Vq~*R zCA2m}^?O))$<*(1ELGOo2E&tiWz{??b3_^7&j;ADgqk}HM;7w2B|S*gb<9DlDHaJv zry*Ucs7XXK^!RR7FvxOlt_-631XVc_wKi&aAnuItxgiQHovFId(0(zpW5gHb%Kc_gu`L zg;hF;K^JYgKp%F{{XCFZ#cvwY{uMoGN#UQNrOz1d2|LjtPXk7VO{l)W z%p(|1FwY~J+(18{Vj6p_wMVK8w24bgiaeiE7z$zOF=;abhBVEQWTl{L4*8{rCNg5l zqsu33e+H_DsX_f?!8X^Jv1Y4wk)n)tvqAbCBYG2BZGa|J0-hmr$WByrIVBGzI=)SM ztZ)Ybrqhyqs_0#uAa**c7GbC|`J;-kJ(i0IIo)BOLbjA7X4pa7+r8 z%M#6Pv2~qKmBa1!mJ@r$u^qG99r&`FBa|t+k)YHOu{mV@e8g8G_Mu8pr<97!^HxU- zK0@9Sv^str@c67@*&(&2vV15}rV4f|5fnOBuOQy!NUA~>>nvRpX}2I#Onh5rpMjHZ z3ArLpbKRbV|RQiQldkNNHV4~iB0VzZ$7h#H6n4O3KJe4az1_d8)+w}2?KN* z^f=;gcMfj;j(1VcF-y3oqOZ0za)-rk&+g|td|Bc1Q$d>t=#t9fsi2WF=4MUdUqG;? zJg8`O#*?j)T|)fnj;k|;l``XS_sFlVRQ7V8 z!}^(ex96k}^KJ*tHK=5`Jdrq&b(E_K%lm>x6Fff#_|+D!bi$AK9K)Dz%r*b|U(Wf* z-+sy9<||t35@{MT&l?J7gk5V`)_|z==xa8~z@_Il_?CkvcQM6;{%8ZmD{NV(S9^2} zfdy#)pz`8>J3|{@GO#4fP8a+ELOp>^%|0uzdKq4&&>ISIWsg?%kZBcYS_FcGhV5O& zAz#z(OFXkc7%E5Krp-6(r3x$Bv62jyZBDt$S>yt3@mHb;jpY4z^d?gzNyBReI|Sp# zBu-mu8L}#)J5lMh73-^Wv>-tpwit0toGX;!4o`1jC6S95nHpvWlnREVu#H>XZAhf~ zXnsiixku3xC~D36d5>3hXO6Jlm%X zUp)|RCgizA(I{xgiX>C>G(x5Ga!USrNi{mflVXnQOM0_CS@B3&OwlYI8UfP=J*mlbLG&PzK4$C> zEot%|zumJT!7Ky9twzt?^7QB<<)4WfiDl+tbUxCEA=*%*daS7>3*&f1e9|dD2&S(k zN=lrcQqF~hdUM0Wea!0plGAyC+v~zE!@3+GKW_1-1EfRDG3YQF6>NfvO`B53&(w*@ z_2BOpm~pIeaZ|EuI~dWLuJ2ToV-+g%i?0!*kqWTRxL3L14xy<5>*snB1&qYz!R8oV~lUc1wMsEzBV(8ihO`)RYIa2PjYfaQnfV7uT zeTRCJQfe)ZVWKn@hkQ)FjOq3zkb3BbLE$*`nv%nCKzFwy!a>(+O4Flv*iv=J#J4eO zp7SiV*j`4Y+I;*j!RV)SJ1&jdBRxb6I~7IZVQU9gw+c67*d1KLr)Sh8;$Uj@U7PPh z0q=gso4`KGc-|){@&o@ocj%p6abjyI^@u|#^XWrLaJ0fktUmGB= zna*5(J#h$6U$P4_{3zr*dB*MMh*cWl=q3lN$J57<*{sFzEH=*;zi}EA?VQKQf{wQb zf5du`5o6;yf?r+x{QC4Y*OPxn^4`$;Iz7Fh)3~HV3MaME9FI1Y=(#?MXmDt0v5@3F za^9kj1d`W5&X1Vg3dw2sem6oLt{7G=|1@;)|LGfw#|sRrrYQ@Gq=IG(vPHN)a%{IO zlahF!Q#&a#vOvfZErK1;?L_p&0MQ%qIa2xg=ZNz0C+ba#{&Ru-MNTVhItVtvBC1U23LHX$2b-?5 z<$W2jiw}gZ&cY~p_qd?@&ldXA5o!1(gWWyxgCL*W;Gec+cM8%jgi;|=Erx!ML`$q_ ztLOW>D<0a`*r6~(E zw%-g?!R3LwBQM3**63$c1VK^cRc1Te|ZP^^E70Li|K#jj?h1x18l8t5wOsSz2 z8H(FtzwWXWD($-mI^zx-sURbz>KL?HNZSe&vFGa2X0b~No0xicr0V)SK1kTcE!%~G zZq*EjCYo*0844;|jABRI?cygHx}_84E_(6Ib2?uZofpPfVd#86mmI3sRLTs zWLQM3bB&Ezaonw`(C9P@yG=^!`>4?pIc_OM7m+ng^pvdjDULa+q+r>5qQs-?%fu^_ z;qXYkbCDc@l?Ieqm#%ssbw;>k$O_oKl3Ue7kKfTKJ{N9EH5yaA-{A~(B-_F_D(;sx zX>{OZ)H1ad(m{{s4+jSBfq(bgFVNaC=dT9*bUz?H+@rQJ%Lf@H+t8U0DZ-Xd`+&#i zn585Lb%Vt=qfRymS?9Cduy_pU+ZmbYbNKkcW+2eo7f|IK%>ylvN;@s5LJK zT~6Pg;8;4pnOgiGzqsOm`L}=JAO83M#MS7OZr`DA7^tnul$=?|pdIyjiUQV6M815+ zlnPQAc8!AEl%!^j^w%Ho-t0%ir;;3R;HchvSd~`6n z9uyT_$0e=<3TJ>W*EA@!jf-B{RJn>sT9n}sH;?d@KEFIMP?Qt$sKXS4o1056{;fm1 zJ4JFl$P$+Em@*HD-H7!2n6wT!?x1?Akr6EtAPb4TBr(r_W;$|lRSD(kKq)o+`2CNh ze83tB4x1sWw8N31D@iEznwkef>2Day3b{3DYlFIPNc;`CLQ+b0XLyZw6sj-cJf?A|HV!5xhd80MJfaZmeUkK2_| zJO`!Uq1o=()-%-VGj)>F?s95FMtBHbbip8bV7t0PnKlT&L`!b5IxgFX zK5DQ;YJIfho+vF5v5&!m-7!ahc|!Ll;ePfduZ9PTFMrGJR|#52*hkL}3lq9nn_ik@*8kYKZW-16@yEk*w=C&7*(4#Qvj?0;xDyn7&T zDqd6@Hb)=j@PIpzFYK6|w#T5msV93PS5a@GM>A>+gN3cRObtD`lcgG5M^@#AsG-1GnUD7d!2t`4(5{@S5^m}A^#p*f0Qe&PIK@of)x4T?8 zH8*cwqt_!`OG9dEv^t?Xl(8)Zgu~sBd+Its%|j3-Jx9Y{Yh2m|-ToUC(II<;WU(U% zavVG0TJLc3wuj+OaK}1Dl4A^O{=?;v-~RJkzWt}ybWeZHi(ie{Jq#JP72mvlLuH+! zSAU10-ENPE+@RmWc;--vIjyR*yH9Dem`QJs(hP|znWqmKyLiW(kgvX(q4r;r=^iZ+ znwX(>WI7$0vXD^Db>uq45OB0rB&VQiYt&pu8TD|bBdrQ%Q6ZTIb(z?emd!KgfC&E$o|F0?TW!9ECZ%rQ;8 zXT1Lku?d~W{JuST|ZF865BwAiAnTn&B?^zS6`k{Rde)#L;7Nh z_HM)e{2Kl9EtTd{%~~XK^1t4po%fNHoMt|wmUR@vqdfG9{~DrS*+}aHnbyT>{>-yF z=Sq1`v9~yxHyi>V$&aX`9fj;traRP$!R`>!(?i-)h5Q^%ec-QuEKrUgF{OmlUwEW{ zJ)%%iCpK&ZZYQE@OSFAKlFz8?&(y9P+FTmU()gP>o%*RZ51G4c1@Ejq}CKru50bDaY=ZvIS=Y9y+Lp=s<}i^)k!N|$uM;lswH z{qrNLHRTsGmu&c&*`OeqUvuSU#Pb`P3q z-eq9cwB8saj!?%QcY%v$K9l#)c)va}bt^tfr%Z_${OcvHsnF0M>=BZgaPjpJ?Yz%( zIl^!@3~kWoF8aj5cP+9#G`67Mw|V`mF8}50mwfx1|IEMs&tLP!7ym17Mk9RXnzNe@ z;a!i>&_OYDoS97I`sCpQ-GRYOks0_JGtWkHhWM6-Fm!BL21{YTDA=blrKpkQnCml_ zU%tG?n4F`!Hm;t5>|u8W!s=1g0!8tWb04K6&@2T#&#{^l++IuN)bR6>wC5m88ci4K zGQqIA93&{}fU*;@FLRdvU&=9Fk;OW3wIdftK0igI4<${r;yK7U{@k$bZFv0Yfv0u> zixfpu)Za^hq{>J_-~}y>=ThG<>5LVO$V8iT$PNWokfWSlGu$5$^8w{%%Up&(h*J`I zgMoxo>3l3BZ0?v~)1SS?v=1c3IpgDjl`)`aE-*8TGJ`rTkvcwRB_Y`nS#(bCIwfCA zXak2h*rMA*>EEz_T7` z%yZl#L_7P6$>Kff$p!BBDV>)E2Tt+32kfFIzcR_!F8xVLGZ=9EEaP`KsP-kcek9tc zc-KeJJ7`ja?x)CAm!eUzYK6!#&{U61uP`+eQ!~iB7D`>4%0;8jy)c{8NkgSTM;_it!6>njOjNjOn*IyAKMky{0y2 zM6!Wb-ebJDq`ehr*JILsNPjdWX)=C{Ym!fUrvEx2Ykjm#(3@+lb}ln_Pf*X$wMQKP zjH=0Lst|Re6FwUZr!}&oks2Oqe86ucoRcZX5)Qi%O|LPAKGv~dmFx8TkY}JbHCew) zy*=O{q0ViJg^KJPX*V^-09r$1K**xHpi_QEsB;GPg8kaUv<@r+hw0>i)~X!s9s~J_ zJQ`to1qa2(+&|M=bBbz9E18V#ltQ{eO7>(M=ot%EToA1vkUKV$;7ED#2Ic-1O>&V< znWC;J;tXS6^8DzM1xrlFK%4rgjm*GqkUC$mUp>*Y8Xg}Lx@tgPPKmdlF)gSI6RFr! z)-q|<(r*j=OP58gqC7<;dP15AG$SU<1V@q6(+mcEn{MCZ&D3N%I^*@Vk2e33FK9>Vt2?%n-%_H zk8?KXr@I}w{6Nqs_+mkT;2$MHTTgMCiZjW?78c5zSIGGq?dJx0T#_CNI#x{5USc{D zik(uIGn9HsQny%Hj?_BD!o;2IF*B1yHnG=`q$`x+3FW6Js>uo7{u6Q1L(~z)!JvO7 z(d;7jxkJxhAY>g8%6R1g4l2&5pc|L${}6KJZ3zmUcKwWOj_EYdl%<2zNZ7T+@z~(& zGG(rzrW$l|EJ0LPe-3CXT`C;!QTD_WB!`Wp~2mJ!Wo~@ zy0D6doL)q%J_=FVcVv=@dDs$H1LE*NQ3c$T8J~wU`XBG9#h8s)G8?z_C#Tf8hTb%+ zbDvpn$3lNg`Ltm6s>5!tk*YPpuBI$YEV)GyHCmq2)jKR}55st3e;gx~PYf)T%sZ#e z0;(WEdDUaL%s3s&gln6Qb07*`^nQ$z3(|+2&Q~tYvLHE`FpUy6fr(@1RI-jbka+r- zaM^3g@leJ(nkf-}Dj1JD+}|FVPIDI33Hs9`%C$zlYOua&FP9dzG6kjq+hT< z*bF-bM(dKv5<-?}YKb)(u2!)+Ry1XaZ8jWN65gz#SqYRGEI!0^+l;iU6W{JIhAo@G zz+p$(?O_!mqT{mJg-CVDiKC$O=hWevn=^%McZPJ_peYsZsmjRpc>QX`)$o-6_{Egd zH{bBf>mkbghO1M9x_-fMqM+7&8qGt>x=2QiXcgQbW3jgws|E5L`i9Cnn)31U&!~rp z?h6&0F3)MfSsNqC6I`?A?x^sPK4MD(t*7DZ5?{U0dHwa*3{PgXIJlD%Yu87NB@{EI zJ@%3Hfu@#2-K9{J%ea&!<2BnM3=)?N5({PoJP8)9hC$sz6vd zhMb_Nit>9|l4$`+5p+@TzkJE=hn$2x77@dtOQKj5Sxmoas7}sVZ2}r8z>x}4Bn&{3 z1qb%nB4j8JaAcpV>7WUXwu~@QC_DwNH^98V$NKV$_*T%F9mwS?h@SCBJwy-_&L+5r zM}&G#k`} z&p6hU`eaD`!#mtx3OU}Dcy>%%d&IGZ-78o;_}I$#6!SMMzPm$J7es?oxP8yrSVF!V zP)ZTrmooc}MVpia#9SFQt8&CdeowG_OLtac#UZJG#`gJ^iBWQ>`q`q*v@L5n$d>5TeR zhmi5aA&XqB&XFMOk#tl}`WaE~<0t{fY(^DlkZM?lN@;kEdofuuBo-}-$dNJ&{nEfH z6*iJbk%TaCsGs&|Jr_0J(RF;b*#PA{A^((NBo)LzML_>_$LH4J=;X9Y{Z#I9hY=HpCYL#9F>8bbCh+8qGtE$i6Gna)BpL7 z-R<9a|A&u^Fq9Pc#wT2>sCh(Q=cpY6`4}V4hS>g4=Uyhhw?sWcv`Z0?{RXGko=sJk9>N&Cz{ekJJys%iGHr5wK4GzCB}`)!++b5 zN(;z!tp1VmzK7omF!U04qqi^PREfr%v{EXihFF>$5R^dh-y^KJ09V8GQL#fO& zZ`;p=-U@28Vx(&v*9xWE$4FMhii1)W41$)k-(1pqGG(Dqt`nS&fx3v$uWgjrA}Dj#Or&g*C&*J43LHr1684w3`|#}IB0zSe8ld?ygl)8 z%oA=mDP^A0pF?S!Vl_3cYcnWi+@8Xz-Qo0`uleGO6Nay^8P0rW{WILYLMwX6t)P+< zn##n^ayT;>s2Zj1VA}^2;bABRN;l#00VFFy@`sEDGI?7e)g46GuqsWG?TYI%Wzid8 zq(=t539TnngbALhQUiS}rxG^58Je7b`;X*ik7-w+>H}(BVxp;JD3~bZT8mLOh=+>1 zOy%Q$zazf=j{MVtcJ)Ly9a0?=nk1utI^^f)f@!@XAD>enB1~1_Uv(J08W4&RU)4{j zXJ2q)$28iQv#)GU^&Z+6zu;teb36N-c z=1>5JIArS~MBHMWNSzi@-#YbgVW; zDQd*7LGc{we2wal$if1Y9NTS>u~|RGOyrVO_Ynh`HU--($zzRnASnMS- zCq0xfqU;Lr+9gtdjJi7#OFq39LrQr8*^q9pp;;G5ZbCGFjiDcr)0U#`;kOD|w@Z6MCl}8XXypj)ma&Net+!9zXD7PE@mnMEJ*oRYO2VAEms`_Zw5js7> zqNbz9e2!1C%b!ThHx$PT-HAqC8K`L7xB*+~64g#n_kvZc;$}M{X^J>(=-7Qk(cmcx z$L$w5ZwEv5l2VDwvpM8-aGQT7sfSH((OGBv{~b&T-%q~cgM2bBe(ibgdzmI=Bl2}uQ z_JL#7W3veuoVEmei!<-YBI=_0G48QptKZN~ej@L+ zDTY!a*D|#$5YH81r^6uJqxeHC-J@sd99tV%k=YsoDQ?*xE!uj6;&=?L1C`dr$vTvY zgrgnERG+8E0K+e_Zd}x~#UG9N(;s)J$34oK#pWPLc1Nyf5?}u6414x1ex70WXMf)V ztO7~4&?SX!rr{R_PkV_Ue_HYMm(R@NcjPl4Ib2bACx~c^-L+Y76m0F0McqY?AJMuF zbzGq-8RILLQ8XZ&j~R-b#`E#7RIZ0E!|pX_|8UM#&tYi%nipRRdGXaRY3E(MX^*z> zSS%G3LzjOqS{Wqi?-5Uu`1iw#HvJED>yT}05#%B3>K-RokV=)c*i#@F4r|KzEemx+ zCZI3F7{Q?THAR+lDK%I_pXHs&xLcF=PUvO}qO&iM9zHQ2*ZiEmVlaCqIy!j9fus5o zBRkR|BR9_xvWuytlvRXzG6uPY=YYtyamOX`Ukh5VOWQ0Eofca%F!~CjF7bB}d+PypmHbZL!UfJVH+U26XY_WFf5FEL;p~djZ7ph zXLBbQ;j@-?&chWO>x9~AY1;$t>XCdtLEEj7hA!Esh{>0N@COI=qQp!EiRLj#pQy?% zIW0;f@tnE1^*xn-pc5G!S{+Y7rT1yV1IPO%Rny|i3B_=TQy$4a)YwxG(KC4dF+*lS zTMwwq4z~16F3u?jG4*jzD|JYlgsvxepJk+^sH6_NN-(u|ygNF~ z`vuDbbfg;p${^TiygW&n_iQBfl5MhN+!owcecJGj(bQ&jU*P!;qh88(qthS3pZ|K` zrFQUDP-`8!N{xwzur(Uhp=(O~`qv#y>x^$-&$+ms zGP-`lZ0dqL#SjzRkw%$mBu<}mx#c-B5luw7Ras(kDjslUL3G)nTNt!@fnwWi${M$b z$&wys6Hp2nrQa}8Z34+-ZdRyv#5x#K8VSuN1-oYbDMfEHd|MD6U1r^wtT!UqujnZi z-`vc2GdV{cpJR4%RDXb{R5Y1{TssK8APeB#cOk3)`WHI&CoH8V(+U*Hq;x#ms>HJb zocxT`gD6EE{AW? zFDG;?pT?^&Ws5`Z5FPgH4>`@}nA_DIWon_wn(}*^zk5JssYQ~(1T1HWbj*>*E}x?c zt(-B)51f55VYMA#utCZsLg6xQLvCe>9$?54YMRlZix3sYSr;#^Xs$0Pzgv*^pywo1 zlR5S_pb|Yi<$=aMpHs{)yCk`bwETpkcQLX(SyWK!7ntz}%5PqBxxM9s z{2JehF#9!a>Y;5SG+UzTc-X-HHe)DNB%>Zqc|df!RGR|HZ5UU3qSPmIG&p$3{ffF# zQ5%I~9b)+=<+Dq0Wirq|5bvh=wLrEq{QSVNzCaz77vbs7aox<;a z_mYZh2ID=Jb4uR^-F(IQw54wP*c};d<{?Ejngw1hbHA^cbW?`s6XaN;(ruPifh$!w z_LSji!C_V5^ecL*Aazd()=$)Njkr)qqdpTW!@%RRQ}ZdG@~U0%;G8p5pE>FtE(+nX zp{X-YXC~3nra)rgL5hZ#9Pm7gWujvAq1YGP3@n}^A5E;de^yX?3ehrT(ic3}F0!=8 zv^-2nkeMEj!GYImPT=+tLgsoTQO~E$6oE9DgVNBoGz!JxL@k(I^^seZ(<_IG>oa?O z%DHvQ*8>>7{0dj|9_DP0DUGlS6WP$QZG%n`lPf;Da2S;;dl6u?4y$!azaJrK5rb~S zv64JJX5Q5vGz5ranP^!1VWwTAd>6qR%wWhzUZSRyN2b89l6sWkFhG9OFHa z+>-Bdv=nR8fvQ^9c?DKR;sLbjSjWp1Gl|PI>dKOMmbh z-#%mIJ7{uBxHCCyH{>gobs3VcHY7V0C*JUmIl=xD+2MeqsmkvqNdh4u5J-~57b#ey z7aVpQ23|xHSzHPg%3_M%lTo)WHZqdr5Q!&{;7Nj4qT!0N^u3FN?mWJ@@|z;3r#rOir`>GTrzE02zLMAv0vUC>AlZGBHPont;M z$%IZ`w74T!{8V#wazNW@{12MmYgdyjNwZsfyZd(Szy6OtCqzcd%4AiGscxc)x#0yt zfbTTVLx2DufFM9n%nV!9bX9ewh|G*QC*tT|yB2$IUIgbI3oF}@GEClFh(%Oz@^Q%)@2vqsn+ zdp4(97tGx?8xxZ{l5Xb{^ed{x=S=$@O+H~I4x9%$YhotHK8M2KPa5pOLC*x;yAJO+ zg5tekv~a1zj%DC;_p73Fo{44^Z~w(-7XQFg^ez2|UpbkF)Yq0w8N{*6QBt%0m>@Gt zWi}k`44YUm>@tetXU>z7+snVD-h9u+Z!J$hO$qG^QcSts8(umaZq~2x%fH}Wonh<> z;dXTC5xct;^QFSsTk27QK3v0i!OP8#^~HDilMnp#^Nz2-OG!Ta3NbzA@@zsnopAEy zl(UnJZ1R%N|KW(={mq;xd&M_r3ts*Hg5S&(lkdLf^6CmAnDFYAhmkX0o(oP+15~-> z<+7&>jtPy&c2Dd#m%Ms8Ca)wf77NBFlCz^LCVxBPi_d*Tf6V8fW%%)wcse3l5;GqqygpZaGy5x!e}BcBm*-5D9^YP`bNtl>zde}{oxbGvUtZx|yynel z%<|%tH=`xq*H^r}IN~=a9^vR5-yac;U6cw)r!m34AUHmv5{7g zf_KoU!6iu&tcmF^Eygt!9?MDTYOUFFy_uRjDW%un#S&dB=~xMC{at_kXzOVReo3c*6%B;~Ky*7K8)= z)>`~igN`G1Vu!siI1wrC^qA+TnEr=7zO>w0xaWaRSiW;W7|C7;0$VeeDR+8|Ha{?3 z%=qbH!D)U&dGc3;_Gcd6*CgQ>XIC)1@)$mhNbcSdo+Rv-lHsQo_f^d(m~iXtSUQ%g zrsew8gy{a3^UV_?7@>l5{OBiwC&kg5CC=kpR(eFBw+zP%#I4Wj)r{%&JL2??RelhROq)@fdTkn3sFTcM*pyVf=VYb<*K}oN)N2A-cDOI;N^0 z$mdu1`vY}WunaYu$IqC|p4s&Zj;c9|67p5UWEN4cYT}XQ=HrwvzItZ=-eq*@(muGz zCgR6~SsSW|j@D49MN8LS<5`d`?=M#*~DgH}<_wRk|&zdBz@P=cq z#R^}}1pnn1K`dMJi?8YaTo8zXkJkg4s3}OWNE&*AQ-Qc!VeO3V^?OF2&Ds16>P^F8 zJ21L_!u{-w>X(X_(&a}Ta4Vpz3oLE^U>Qb{q9WaU8KMAS*ev=x}a!>8v=N-jmq zW*jriHMNRyqAlw6l*X%3BBaa*++d*ESBU%-P1NFr5PGo1a9YE2I_32?$D0W#70NnH z=9Wo+Mf%hr0>gJZAHfHlosTODU%LYbn-c{`=(wY-2fSoVm=@&sn%VM_!~O~1CX{J` zNhgTIn#vE+hdo*NBQ~7kk6L0C)5bmNqh&~zIJ=f0?s1<&cG-bY?bsEca8z-m7{UxO zxKvfk=}b~~Exyz6{N(ZZbjQ(X%KGa$@Bi(Zt2dV%PYmwW6@TAE%qKOd6LbIyOIwfN ztVQPzgVcQg7sKsO|3uJS<9zlN-uj8SI%l5-#Ogg&{fb5M$o>8^#z(gV{+5S#ipbnk zbzjm{56pE#6NPj;A78e(SwQvq3l4|xc`#?3l^>WbFS#k6Y2L4S|Bx~Lhj-Y2-ScBV zrT@SF2|w5mZ{EGasV(c6UkG^2tdhCm9R`QX# zadF214_!`SEy}{PfZtn#YCdP9x6GvBY5`B~Z>ewpgnt*}{C-aO;}&@uVfP6;Q*n~t zlh41vFV=|Avis<8`klsIb+j#{PEWP*V4{%EKH|v2?H>6$rTf>9O#b=>+v}2W_ds6= z##d8H8)51SLRJJ@gVP@oh@U9JgyHFlpfW_+70%-WrO8mIEutKe4)^GEj;yyF@{nk{ zBUsH?nKAC@iB#v@-=8yze_$AWM%MpI`50moLC|*;wZT2k86F25GiSdqS-ce7>zWZC zY067{U6JdIsk&t=zo7c{PslH(O#LVBR>zE|HxxG>wO&J9k~9Om_$B$z51h^$s>v(1 z_bYG=Hg74q6Nugs=OtV3l+iXve13v|b3ng3WBXG=7$+6&CgnIbCy?Q)#xBZqyeSY1fHTVT}GK^ zXaf>Y;Q2j`5X^*2IXz<3^c3!dk*nDe;TQ*mLuFRzFk&P-$~>Sy3-F5qDZIpO;PyLoGNCT+p(<#%EiyP| z={o}y<+jsEcPki$t zW54@~>Ea{%tIAr%cC3)>2-<8zvG4rM*U%F%`0dBBk zSZAo0bGq9CIf<~kCyESB8t~$!Wc~J-^z0UKCtxzcJmo}bLX<6eE()%E*WRwpSCMHQN)E+`9T(<*! z)zImRbuOCq()KYBoW-9$7lVj0P5+qE#Mo zXP!=uKD z1FBFV>XuzsVfz(PTjCZmK@#I93WT5tM#M$KCUTJCfb#@;d0?nIhFFoM6^@O`{GQNc z)I~}kL=4mng@cVOlS;FnCsch!CNqQsY2VVvBeG|K?F41iGYSWs^*}uvlL|GhuoOkW z|NW28?Elk$#3T`2(r}asHdTacp*UDsJ;lmr z2pwkmnri-rseern#z{P9_HpP-~10p^zIDR_k?c(zWw4G#?ci= zL&N)ciKE(2JUk4@|9YAtC2!6&Zg+xQ2+Fmj=x=cC8sAt_Ec5e>KVyl6VWmUvghlI$ z0!uI6F+G8ZIqiDDYaY0bj&VOc5P1sEgfut|{d+dv2whePyQTTXL$~*cGGi|l&h0yh z&M@1LII{@*YliI$qQv4q9>}F+wtJ?JeOd~(-*I`-^Z293iT{B9afMAfhWF2SevW!R zBJefcZi8cHCbHLB<{fgVkY@qW=9)6PWO(`+dB`YKOmn-T zjcb~FaHWGMbJW&Q6$9~=Vz4ol%@|+b({5j*iY?Xc0mm`eK`@ydsG1R*9}CvqhNgX_ z{qvS$afb8pn(#NTSUqk~M+03h==UFSql)0|>BIGZ9w$M!xTFg0N?=K1>-N3SY+#u!;KI?Yke3wm234+VyT4_1qJkx9s``v-Od?fyAw- z%Yj&Ydan2Nl)y6}TmnYOUeXr_T-Rmn#_V*@xC&W23hWd!bs2>PqiuwjxkQ1a5fNim z<8(fb9kX{mqShndPw|2fFLCgC7zZAmFBs{LLI^I8G~L!GNE~*3j4Kt6_Na|Z&`G>9 zM53s(5amP+yAbcf=fZmAbxL~X;z|gbjB1p!Og!=ivb0AI1G`G%JFt0N(L6;ozDrb3 zQF8_EguXo@T(rcli(?{;O{gk`Th54EkFJ9u^l%*q|8dK{kW|kS;e_;=gPjOG>7$&G z-Y6uJ*0f+ddgHTkT!x}0ACCzOf$m1wL6O&*Mj2FGGD`N?gC&V9^=OV08W5HM!&4*Z z{gzGY<2+RC!yXn1F+GpZ9_wt(5qt8@z;2`Y=l|s$Bj+b3Z)O|?TkLR27q%qB7#S!= zdV{+RvDQVj9@dNrV;_HJsDJX%PQqzuar`6F#TL6u0cgN+-cTTQZ-tOb;P{ z^><%$@%4;LU5`-lIL|Z7vu5(_W1nh1b(#e9lNtm9_5&b6_ zwz3`ChPX7CuBLQHbpQ4BmpB&8C?Zf&WYMzXkL8F-9P@y_(e;*DPidG zKVNY8vyXeUg?&$dB5{V0?PH7o?TFw^(Q?AVtZCkSNp+|RGKr2-d`GdrP{`mGcYeW6 zT9n!HVVDt{19vu|yM019JyQ0Vgs zISDI@@{^6epIC<6!7dDHYpJ3oaiuZQF>cf#1CM)~5k&)W(9muiBGIaV=UukM9_2`!ic46sSgg4 z2DfoQdNiF!nrrq#p!xis z)8>ic)$fqqhVb+S)oo3f`K;HP#qkm+l9*wJc00H$i0vtIx1&0a$hHUa)WcK(^>)Q5 zDJhyGf}2~M^C_Em8|*lx{lm`$*$eh>e<6q>KHkFQ(xvwvsh%plokmT4Mkf(X?c-J@ zUVlURv}IdgA@VKG!xQa;fzr^lCE2p!SM?UA<~cCL87Kj4lE_`&kL(WpSv zub&9zj{P6^6k>qqEyeR4lUa|~c(iRwI(a1N7j#Vn9}B#BO!zF=w;ulG829>-)gKRJ z(F!Y}IEi*B6(P%kwSSI#_&{|CNzMdMYt5|L(Z~_ejfapfm*Si!;gZ)MNv$H8p3?~z z-t7p#NEse{geiIVeM|J~d;H90cbY;0V6)a2J~Ps5~w5?AT=JI%@I1H zRSJm*wQxvvKxZU-F_1J6h8C#?{8G>>5A8OXZlKM3HcG=!8#-Y1v7|FTbES#gkXRW8 zl@KXQJx2MT?P zV;xHO4lO)%6S6&&jD45RxddP09eH$-W?~8lk>dF|LV%n3;6m0_m{`*`7BT5LA3ree z9}p(yvVy@K5y_JHKExgp%1AMeEpKmJmcoE@Npq1BdwasuV-z`k;Ntc!K`5x>OD>{{ zyUmo*Hv{qgAK2>=lWI#~Pw|=xQF@Gg$}qxbIfn%UetL{KD0IBwJgj(n@36BGc3RV~ z$F$n=yc+ZI=_B<|f8eq9S>4aLt8b|b!ET%K<1Z`n`~yMqjI{PsqcZ|P^D?j$?J<*c zOFI3Ulz?x}Bc}EYosOu@z^OG{SxD_C+nFmZPe_y%Ocr0`HjlJ-h+-JBLur~#rTw=D5*yN13s5#uY(AK!afM`3co8Tkp`X%14e<6DH z1xB@mr#bx)FpVVE2?+ZMZcuZydghQW3FCrj)RC~z6^%4ZJ|EMS z2SO3y|KqcrjK6Mio-2ZHmZXJ8Hans#9UkAUIe(KO#y;JX=6Kdq9p>a*k;%N>}L4V;}Z}b%^#X!*)d8J4{EGr>!BKNK9wwb%+G=NTKVFt(G*q9rZrq z@LW?5Ibt|awhGp(xx253ClTqHLe7pEK2K1L@l%%u7r%+H=z=x+Z0xzf7KpQOyO$BO6**{Rr6Kr$fJ{uE8 z_x${0LS6Q_-V?csaLZ?Qm1g6VnESWzSkY~IMoG)Ne9m9~=>vzGcigNV7;gWCfBr*A z^l$$eaoTV{2)6&*KXNty6wHDIVFiCJEMd098cp5#tTy*-1bp0U>fQ7hTZ)@5;y3*p)dh` z?9r`aI!7aH$nNnLanZB8-e5eR{*Tv0jU|i)?)8EFZH4Iqth=Y4o#2%}(f!>QaD7cP z9y8TO|Ke@PJ%k(0qzmIW6PASJU z&pVtX#Bmf|-N0;#I(o$2NjfFbHwCBO78!j`eS3{rPEf5P-Ih3>#T*-YC295t#Mtuu z(K0z*GmR#ccP-UwAepT=^ixV()7p-Os#x!)IAVoU8-$plf|L%yTXTn58k+C#ss3q) zdwGiQuMozgsbZp;CeCt3Opvb@q?3fz2TKw;%-ua_CZg*Df~p}7r+B?)c?LQ$=vpA8 zK&TS89N1Y8-<7zwz;PA5)daqW6%J~!cq2utO6=O8Iu|i^ICOAgJyuDA(;FJ?fN4lj z^r6RE8lpkacO_c*c)lQvG&&k+N<$L6tT#QL6CnB=FR*k@f{A*Txu#Q!zz*z2K9N(h zZ6gvK+SX+sRM3}1u0!|O^Qaxta)T))BFw3KNpz^F`kt`MS*w6a){)FT;;O|&5wTW; zX}};XVdK$HT{7=LRX`IAsIp@aJ>Jg2n1-U&)V4tnma*$GxCx2&@%$LimB`9P&%r7W zo$tU1+^RskBaQ~erw`*g001BWNklm8_ZMBhLAGNsgXZ$zcogt+Z zU?oc|FVYL1ALmS-Zm|!Z|uQfVbAoCimi;P;VGz^tT zrW*VrCoN~J2SqgZkk2ha>NBxV^zIU`dBns^-2DgIL?XwUYP&%?lDY-Qv$(ev!Ldg> zo-q9~$7>q$EWoawiKa6mu|vBTIR2j6S(3Itz~~rb9j22CMR$rj+pyOeY5bApX2lS_ zqPeRvug}@!2Sm3cofvd2@lA`q-cTjS+;{pDrNi+U^by*JVk?-=D%_Dz^Ou(HtAJ!3 z<0Ls-aY9pnk1fv`9v+xPf^9s;+-*^_1@*HgUU-C_Pt#k1amN1fg6He^geQtHmdG$- z64wOtBR21znEri0YeNosg%Ccv&1us zYMwd#=P|e2ie5Z&v4~i=Cv3|Bp#*u2M$pa?a__t9d;QX1TJgc@o_!3l1xu%$rsk|6Riu4Kq-+%lk(194UI z)Vs`W%c0$4b_!xQ5QQzNm*WC;RWrx{w`yoZ53RT4MT{IucAJJ=XgVQrs)jz6^mW82 z%Gpau{f0_Mv`L32OT1B!X9M~NkCu>XP{W(gs96uA?2KY-&-Figcfr$@J86l;j z7<>4s#j%#I)SN9HJZFLxAztQChAE5mBkECM(+Tluj{WgR>@SA2v5dZYMRYmg;&sa5 ze!}cB<>GhW5;-AXUro9E{BM|^W=L&5DFly?VF(j8La=$<(Ut#-bCj|c10NsPs1FaY z8~}1ajlbv}%U^)ZLLs2Du>1s<;?Gi|_;i~$HCuY|8ii&X#8}(0P95s<8rOHJ`xj^Lc)g~r*`Zu1_S2#Bt+N8xPces_H z92c~EMKqB#E6Zpy!qx&E8KelH+S4}^ob?^8o??cccC875n#xSDU59yI6F+TjMD#6z7;rO(cGaOoOuKhc zWLi}W09>%cIP?)TMj>m16ZynWjO*@cl%(4= z7=MCtK497%VQdM#7G*<@rarC^3{HUT9n2yjX%kZ0lWC9MF?i2DwgV?9h|C z9G*rfDQLIxe>klJ4;cM+q%ig|iy*><<+<{j~o;$!%ptNtx#^EK;_HPJ!w(ee3@fBK$({$Kxh zB*Joz#aC~*mf$50+5`V|!umd@wjWqq@SR^_dP-uad}HCrdBH}&jj;IEa$*F%6$E;Z z%2K*JOG!m>|48EcERuxH>Vl*waQuu`6-+K&jGZAxf;BmlvOtFl>1xJRL~yj@oj7Ld z@3BLSdpxHvKaft=*zgRmH#o04+MmXB%Y=PuIdLuP#wFcq-t8Kq?icDCpJ9B2J!=>k zD2`I}Qq%mUz&V=IyK~}b&Oz2VGl5qR?An37n$Z81W%jT}hdycFk`x(5a*P_FUk3Dc zk1G|Z6IOedUHG|SKEHjfl4Aut(jcSCVk5M34McM-$|gBDm5k&kQIj~R0P zGo!B{YNtH?Dp=_Uf<;STEm_?@asHLdZgvcJKau+hll~n)r>CUl4-8|)uX#@_R+uki zc7YEfis;K7bPgsE1Xg1RnPwGv;UScdKNM8GLmvmYw5TCO4;l~6 zwlT~TgQpv`wD_{4uM`T9x`usY$hsO=LEH3D_%x=W)+u!%q}IGTJrkkDg0 z%P0!ad4LK>I5x)WfTJK}Z4%PNWl$EaCCPmHRu!KQHnRK|dCWsX6zN7O8hOlI?V2>r4SW{`2;nZb}gDvLN zV+WaOhFMNy26WS7jfa!(Y3r0Ibg}CdX(BO3GYT|D1T+rRONrxdDP~hxI5@?5oCQSM@ zaz{9;3U@x?zIIr#Woh6Z$pQFlYv`RAuO2fI1HGA$j&p=M z>sy9G;(dOK_xOZPzvLo*=B|H1+Py>g8C|)>?i%!mJ^n>N=GHWQ1?v`n784c~`%d95 zCgiIv%TzI#3VKKx>WIGE;QN|=w!nS5;pE~ahd*u*R|(;~IdyqNQr^JH3GJpL^Bn44V@sdN9jK3eQfHv|=eXkx->or`L@Tfb$nl7z zQFJE7J+jOk&8_&1NcL1w!+0sttBfOe$J@<0Gk!r7$Mk6mCj*DKAt%|2Cv(aC=!s@? zNi7nNnmxjqu?*&J-YU(U4v6e zl;a`>2dfM=lz6pInKlU9;g}HNR~$NpjWn&cOqHhZT#VlmhYD>I7UJf$(2v!^?ZaZXe9Mc zqDBX*S};0l7>YefqS0c88&#M*MXNDOZ%^lVNL8V_1+6>a>;;pgv|`!4%-N){*%_KBdCl+&D(WCiO0I+y%Ok<4rM%@`Tv?4BK*rlgx| z+UI~a>gZa-I66QRBf2My2r%_C?rceIHeA&?+sb3Rvy1|TE}n68#KWPZU#&QFicmbE zml@BS94FZ^pIMw$N8VqeihG*l8O8f8XY-PGn*{BTScwlT=P8XC)2}Kff#&7O1Suti zR+&M>$c5my(l9m>D=gPi z;){%u8>&Tyl|5!2VJnB|{D|s{8TEBbyzf!J3TUf{=DRcO4+p|mDYgpOxtFNjFPO;% z%VCEhWifAX7Zd!lL64`jX+%GrGSq84C&Q)*!`+_fYej2)G?ra>LAd*gRXAlfzr%|M zit7MB^^xv^6C9fGjQj7OS-hFhbP~}gR6$7VX2^$+`2QbC@3k!3c3s)EX_jBP(&x6v zUk897Ko(gnMO5h9^ht_PJ?cRrDMCe-0D%N>an12(+svJIc{AtK!~Ka7F-C8_ja5us z9M~4;c=AYi_DH+>Jz`yA>>avH*c|qV)qva_sImzA2a9PXZM5X+4=wtvAm}fUvLNus zL{*OR&j{*Un(+ej?h~PCke)$1N&MV$_bDXOCqCo~zOQ)t>jQ_=8vA2QXT}6^i8GE$ z9(me5Ah_pee}Z5AMC|v78wvLl*76wdQZ^b)eP>4;RDbA zvEXepVjTQ`*hj%Z`}Dg#sh4wf0p|N#{DmZmMtJ)M>3qb=p&X2+0;+&83?YuFhK}T5 zkt+{x1Bb?=r$FT;PW#k#&RR}bg@$hHC>H@~Z!n$W6u^{dr)9PoS&fDia-ve#-|+uT;HOcPv!5i$_G&}NKPGL?{PE+S$TM|AZ&q7p=F2?Eq)o1cbYhaI=2YvQHulpz9fVr>F4>yC9%)lD?bMrHSs;fgb!Mp|&1m^Z(>cOS(ApE-X-A?<^xc>+)=X;f>M6%O zVAmD6WJ3RBaPtO%)#GqJh*!5pw>z@k_mrm*GOX#FhA7_P&o6PCoV-dH{FZ#9 ziMO9IuU=66?SYwJQtu>Unqcc20+pkK42GJ+JIUFUl6=hOde`>(N~D!MABHA&k62yhd&*N-3$D2 z&SC$W>|#&%*93o7FpbyPVMhJG-ZFb`V7(+32YflA{Navbzr`AGF2~3k5a?*Z@ohst z={SB+$nZ1u8s_^Gqic<4W1`uN&I5Doa8u~31`kd8>Y5St1Wl2r(sF_$2c&y^>V+is+9U9^918$6MyV)%fay#)X)RDKDo3 z^4U4d^&Q7-!pmldYdx&becoJ0y1j;*6MA)e}K2E)!tLSNJ5IgA~eiX5MG9I!16 zH6Fg|@RiT0x2QD5c0F#0v8f@I9kx{1>j6zLhqnZL}ox~ zhdNfsNrKCy!ZArrb zKM;7`3q*c}+!>5NK{bN*N)fuA+5<5faQOpcm2hT$ITiVnfb(&PlJ8hP7~bbEkV-IX z=M3(NvD?uH0@8N@ZMh>(GW#jAn4(}L>LJ9hOB?gHJOr7A)31TTJ9Uug2C-8;fR+bFBBMIhoXCo2;EJLbD^_rjR7o54z_`asTDUhcFWjaQQ4n6PLwh3YtabHSA@JQ^> zs0Ea-&uKRA$uLk_8#PEe~KcV<~M97}?WJy}xGWsf|elf%A-jY0rs)$)G1l8yQ zxqnBRWz^mot;~@x7VKM%Dr=eurmK+K<{8EQL}QN(qXb!6dg-u%$Nu|@NQY?Mk^f=O z?0mpm{)STZ7YX>;@y%SZ=bD9* zIV?sqZZ)mF{ zRpujGLneNa&ALUy>~TYztQe}EVCgUijfesc`x2A-%sU5(B+!z;NmL{#T*=@R=c%D8 z2E=5EFg2%I69*v5fe>(wqgH~6YN^{0*LOtDaS(#4)&wDhwkOyq!o)Ezq4y#N&oVYC z`Ox5d8OBy07u_6WcmsJl@gwK4k|{U{PI7 zTwA(WG8zV~OmLYZa04DKUei(rK2g-6^8meX2t|+UQcPFjc?M52BXZR-cpm)@qQx_+;0n=pi&PfGY{L3e$4-7`^X{IY`%FZN zX2LKSuodUCGtRl@#`@g8{U7+^4y7HLgJ;%Yr9j}&fTL&P0vZ!AWRHA$%*fm)_Fq~S z*_it6d*qK>vS~xPo?&W*>TfwtU-9^MM_GNwLvc8jSbxBMZn=MSly5&V3IzOA&`!=# z|8~RUHlV)*`Sv~a@&$4KnJ2E%>pxMwYw(|Y6#x22;tPhrN3RmR{=k!nh`KSeWrdtR zN4g!mk12Q3uuL57$35XZBl__(r!Xb74>VsCuP2f+p5eb;bDPgteeKcTIlK#x{$C$R z&lC1li+3Ri9#8BxFDVuSsyy=aRFeIAij;~z&(WSBFB7y_6FEirRfN|Vs*45Dw#R?r z;dgVow&A#5GySI-MOQM5;P_=tvv9O7W_NRBh!vwDM2CVRn^2YleN`bh9w7t%?=tM8 zMkvkXJITbIbLe8+mxkudQcX*g%ovN7(w;-NDL6rT_*jnKsC$fYNJ8W5-apBr$NvXp@253MSJKbLu#fAj1Jw zRQPQ|6={TR@Fz2>V@$6+l2b$@Jtkd=nRQIcoU*r2L*tK$!k)A@-~zOEG@VaU*O>i` zyl^C$j}jHJKOmnHJTD<^3gH#Z`jWy=2+vBY-I(N36NoWk+96sfCYGtPXj9-Sg>2`9 zrolUmsiqP+-qM=~+&Rjkm- zl7NiqG$u=0Z^pL%mfoR{dnr_EmSQ07G6MpP}t1N5hW@tNjuGIXN?!dtdkh(F#T z!ZmW_GYKqDJICXv6C%m!?@mN2!n1~aCGl?#Jb5z$eM{#DByqy=+c{^ALsbiGddBxF z!~gc*{)0UKfiQ*TuNCrAI}Y0mIto@|Mki+Iz9qUy7+qyp@roiivfmYq5(f;to{kCK z-}Akb%RO8lSO0HhXZmPBep%$??U>>5y}bq?UwL`qF$y%>l0NoV)ABA z_i>9fnqCFOPdi$Dfp`Co_}dxs#|GmYnunX1)R!dE(f1lpZ+ z*nY#vb({)=NWhK-$-Koo_RNP6_mfYakJ#)Q%14cvYvKl4FJm!0(KI1N)3blr6Uv^w z4v0>-)T0@xF0gftTWiY0Tb37R{Qi~4f7+h&-Rpm%{%Cl*DQM&YIsbb&{-khhIses| zm<4trarZHSccQ5sWnW+^*_=+y#GKQi=Z=O9gRd+*Cjmz!;6lJ#k@3ZT4|>O^j~}>> zzfifDDC-D*xJAAC3e7#m@|yASuXOS`+mG*X4P1vySc6l5TU4w>ang_<@_#Gv?)6hGt4Ha`tx0#63`%fMEE3~_N)Z0W zr~5MCT#K?fdlG^x!ROna$*UdP8=t7Sr`>AAYmbfFFq_|_nRD3Hl&MF!-;n;}73;@2 z7pr^ha*l~Y7JvPW`pqj&y9cbQ>1UQG*s?Jr)TlvpJ!WFrZ7e$OsFRGL-*8pL+>b4y zku<9((n2wf0$N!>J7VrP*s4WL!7HC=5M;8!Yg2^ZqxVOu#zU!qlP4G_EmA4Epd{E^ zdKEAg3Qeu?tAXAh(7mP!Abo<08Aa$wl!s~^8!_NF60HP9I}pneras_qJa%D>O&s-8 zPd;vt{(yNhgrktQ-qZF2m8#JFfOHULAy(GN4$9pcCq@LGVW>dcfJXK7y2cJMVF=;6 zW#6pW?>e-u$cqzFk7$h{SbC&>fucwDG1bC{WsYqOnT)ABM{g}tp%`LCXb1Yhs# z$JBK}(Ps!%5egL}*TbYoFFL$!Pw5Z%vzFZ_3&Dbus!8*JQRh<`%Y5p=(GUy7ytku07*naRKq16$@rIUd=qL?N)DF=%Ga#2k|CdR(_5;E9XL|6~b550fZXze)Jd|Fh)kfBI*plPk(*gzR@y%Jq)~;t}U{bcta+ zllT|s#H$GFB>yZclKFq(3d8H~p7YsGG42OmSSYPTh+lp@M!-d4QT7?%BN*F%Bf#SR zIYm=a#U6qa0T%ze35#-rfANfisd)Ca#p#!@5~%hDalYV_j&X8>-*4%SN7Gd3@r+}Z46?eUdQ`o{6J%}8B|9!DgzF|J!-9vjqi zMOp-O8ie%`A2ZUclB0P}xHvLAYIe8X}k$(x+1kO(9)l$?&5_Vh@qJ=S%HmyD?UEm5A} z#vw_n7Ggq2AΜrHCX51A$iLx}lBXpK_ zune9>Sr0QPRPw|~N*d9V4mHj<vusIi$#83M;|O=} zVdD@z7<}R5`yPE&k|gKEw&KZ-83hWbqsI9obRN=1B}o#{7>#Z%;V`E?4s^=WaAGvk z&{c%v0WtLWNr04lCS)|X0&_Y?XO2$QjE)X%7T`H{I%J-%=}rrVNMM~o`U7O|@VXNy z$w*3~Wrwsq;^f%ZA%l!qD2G`%v@WPb$oRacta`NaP>X`W7B@%Uh&aaeX5HMRgV!r0I38=(@>63^5m8IKw z`1_9i#36eSHMFfq^(BY!p3{#tNfOY%??}TLt%}hvH1!0eaGz|{zS z+Yv8X%HxEmn-huefhqA01A%o^pDn_#xtL1i{P&DDKhmf(baW(~&S)MsWD~>UpRZ~E z@0P2}jxd|DyBV?DA8AGb$D6wjF(xi^fH7Uv3r_j|-Q5yvkr?czxDFrZ(Jc4lcExjTnZf%Qhb%sH38!fkCc}q_76GBuYJ}c0=Hw= zTAFP|{vjgzy2q9+feUH+fXP(hR~9`wC-E#@qmhx1*q!iZF=^#-03vaY8-;}0BX&>N zourK&l`8PZ9;$b^_LuO&h6PSUoK8K@ET8hUNroJOyTjWpAk;^faH)oML$TC)mq1cW2k0+12 z>OXLUMP596%}Io$wZOAuv~b*~C$iNR^ZA_BqUPpt2K}G85e3c1FG$-lk&Z}c4$|QO zVFfc|Xg>tJ9ydG_|HPlylBY#a^W`4->?NniH8QwDh#T(GujxLmsq-7==Sz;;2TuR+ zYo=L65M*q_3BBA9tRFd^KSQ{R#aD)MzeTJTxOWGl>x}MQK{hIo&o$!5Bh8Bux@y@S z9M$#{!#>9x5{mCU+~XQ?et}1TeLHZfTfD~#-Q1ynx}``YnV+(*V_qkJqwHQWG!;5t zBHW(C#T?n>=+5EV2+yBTrcTMKN7sFZP%_M~|ld_X?5;L+yw~Na-8InZO-)^u{AiHG|jF_X8t*0==hE zBh;~@!4L}2e5`3R4|O;(Ya2>w=!TxbEs0`5g#)KiwnL{5YkIU*n60CiEwSHYU4T4- ziX8FC(e#S_&=Zdj)JVo `2AZ%-}DB=!C*`4nL~Fhk6`x zkyu17=!=+mVKH6EWM1JagB@!Y*@!lBXc>^plCU>0)y(CI){gOn!ym2@p5P=$C|#q~ zK$K~ongfMDX6U!XnZl+O&Ipz=rKtwIc*3J?NRp6YunaDw&IhCw#GOTVHBttMc#kJF zeXe2V@CQff4~)BjL*?+EMtqql5>*lj!QMKO_((X4@x=qDengZAhNdMeQlu2<-3*2a zy)xLw!%SlASwa2Svl{}EsG#>1bpzeuiE0z^C7#n}E$wUAIZYxZ=U)qqS>byvb)~4c zKBuz`-c!AqD5T#ynj6Wq+h8y9%ZoWtS;{j-LN+3?}=IrZj==c5eq^%;{}L%sTzM1Ld? zXIy^+rTCiV)d!B|0{2)U;v)pt)c-JH+TGB}ZyD_$SqHE2?S{v73ayy+n(E_3@6ye_m1#=S1y0qSZ^>-%U74fs6-+(jZ@WBwdf5UnACF>s#DvPF`5_ zHws^jQPgzWWAgHf^qn<_k#ErI9nE!ydtZ^hJi~T5 ztMd+Jr|exy6c2o<3+x-iVmQL;cLYC|h;;}>PnUYQjR%QGzqeG=h{Rd63y@Jns4SJ$ zG?NUksBqfD2t!m#aw`b19E@XRe*t>?V?a|VTk2Wp6Z&|69qZ?xx$V5wNAi5UB z7+T+wT1Tn_3Y{`_n!7q6X$NvIV$^CnrD?a&GW(?(W@?Vspj|;?I*#Fpz!cOKjK?8i zS#b11yrf2y3Snfa6(oa2Xb9_oUiGwoKpK}s185?0=cr|f9FClvMCbyk3asi8ZXnZ= zoR-M%5c8hswq{TkCpj2AX5CL{Z;E(q2yMzxJ+SbO zs7H@pCp5{xSQ!deab^bMt0`WZU<$=Cmh5bWCw4e*Mt^RoerkBgA?+M%x#UCniT?jQ z5KMi-WlQN!?A}Y9Jkk#l^I1)pjgT+P>ztjY)kkh9dn$ZZ`w`8(p{b7stp!mK+d^>0G4BpHU_Kzfq$L*Jfi|m&2 z_L3;*n9K@PBw594qRE0|p5V(Gzr82Al*C~Kg@+q7)7hBaX@K<(vz(%S`X2pe3Wqgf zHsb02gxBxc#vX?s)_C~}roO~>YaTz=9JQhT;l%b-VgLIBaU^N{6z{QSl#Ce99ocL} zFq^WMdp_6-)gRxZ=N(;VIMoN*O!DO~8y4ab_7(oOS2XVr*rFj4jxXC2Mb=YC9f{h} z$sPT%M<*wgf8<~@tTMD+iST>+utb*zJG283xASx2UouY!yx^jCJHvfT(e`#;-aG9dMK#GiBM~BW+J+ zpdn$0qxB`@(~es=!fQJ=UC3%Ypo$TdH&81{q!gj2iIt#;Ga_{)vW7A+Tud8w3bL7_ zG9FjH<`8=bDbYblM}QU<;RcT5kf|_qg<|AIG^#^nJ;rqSx zDT1QMMkAtihtrxtdBiszqR+^!B4{nP8Pn9@&pZMg?paA>8xG-^Bs@?zlH_RFwiEmT zD&OZg4`^LSJ*-)U0j(ZXXl+mM|#s-5CZ)e#~(4 z$nvR2EN5I_TAHwC>bG28X2@?etLqi>=QAGfB6hZ+*MG)+8^DF7*-emk{SkFF=KcFE zAAb0E?(Lsx`dcQ`Bm3r?Tv`h4=%wRZ41+so zY3^y{g!c0a&1lT%YRle^P+`k3PdV;)Xf0UZv@Ff{c%v1kN5yfw=UH^1Y-YsCk=!VP zVT=FubJX#H%^majPj)a-VZaX3V+UM|O5LrpLcLcMFuBiA{Mua?PU9>d8 z7g`}{pGtaHP}d5v?2wZcT_MOf2LENjbnr2sYKGYb)$twr$`E)p?S4z0M9hnOaus3I z7B4$vNY>a{N*op}JI9GD>g}G^wRqzU>!tYCAU(lIM--43=dHCA{*RKR= z8u6*tj80p6rrb6ix9WTTSZ%Q7Unq|$s%UA<5+en&_o?~}C2nb|fbcS+Ie17i!l|X! z0vGpmMawDgiKYs>qGMV|l#>D3Te`;5bc)~%ym3c5^z>OwRa6XGVSw!rp>;>x)zmVi z5gnt<5!->vb41F=uL?~jX{!NDgmwx_K&Kq6$zaquPQaffk&RczQD0#sUK z`x%};;B-T=G4#up^kL7=PEi5O^BMOxW99jj1}564Q$2x&ECOQ+MyjA~71{}+rlI!* z#t57bv>xgtk#Wc4A!ZrZbkbq1VKQp*g8{#5@Fe(2NndJ$Yemo-mU4tXhq{Hd6%5vc zLqpstY#*~b8th?;m?-F<&`#meu#uKgde3Q{5R5uTCy5$q=3dC@G+@#vlmHhx>>V_Z z23y7C$v|vR)Le7!x44mq*VMSer&j~rY{1xoMjMj7#0(eM!50=H9pCgk-oSefgR%j}w+z!{0V92v>q3dX695b7-e@3&-f`6ZM-nC?1m`d5zuchCz9T3d_yKnHn$x=G=06!F&k?&7rYorM_JGq*jz5ixG@Pi!|G%oIhIp-&saiQ^{wJ;(h$zIVj_?wY5q=Co@lDus8* z@zMg3M}+AC7ddRHa65A#>fZH{hlU zt|=JVkYnp3t>7pi4jXor#)}-bgx16mCUmxCL_m!}3yEhWdlez0jLYx%2g{IP z!l3AevSo`BSyUCXva&KFqq%Y8-h2A9`);k}hwxv_i8;p@J>ByNKZ7XsF`YnnA%pQh zrTa|Fi3wsj;B){>%kd98uD-tJao2Mmo_JUPglO}3bdjX_U|2qnu&qO<14F!^Ywk%W zJ-ceo$o3q|l;zouwR=hw>`9Ijvdfh8qTzHu!8@**Ef(Mk^m>Bo3q*coJPO$yHIt^p z#Rh#dCfGQttB_=O$B?dQwg)-~m!aVOe90H9kI3hL&g{>Ze7HU1Ve@-pub_PXlKj;p zqg6vaThh_<+0}yJ*{=vkJ%iL}5z+=8iiRL8@#K<|Ix=&Ht(g(dOZwbnJTsUK(j=xj zb=Y%3G6;qWiV!AZ!1XaZPZBH&t6jrdjW|mR`Z7gK9L1rfOGfB=iyIbrfx~qXi8|1? zQ)=0eC`Ta#ik`lUs7C|Iv4y}QObCNTrvdB-bR;=Rxbg;eO^9bbIvOUC#rHA}ZOY8S z&hwZ>1KRcs(U__l@Cebd#g-jy7%>+CmGSY4hCb7D(HTj4pvw#{PVnQ5Cb#H1rcGKr z|I>;a#sN-Q!lFW)r-)24ga+RgjLe)}YnU%fs>hgdI-nXD>=HHG;*LGDPScqI7e$yp zMn{fXE0(>X=~JpjgJeMTK80zB#t`_b|w)Ifs zm})o@dP`1^8}vlb+XHQ`2`}K7Wwbg5)!{@-A4<}?p>={mM1!oA>R z9hbq8clm_)@dtu0o)Q!-T_3aE+~eyEsVDe_q?o51)0Cy(u>57h%#1Ol3~ht;YsP1W z=U-l6m)H0wOCSei)LK6Oa*44cj_VIh{f2FE#k2j6t1mA3v;Szplj)z~Pe(*H=32gB zBP6MHyZ|Que~8-`P+Q04WXZ?Jo>WNG`a}urPCb!#q7h53zjD;}20BTXI->3+d$VU& zt$9B8xSM^3cl#Fg@@K@|3AI=uwi%P3hiu=#*;7ZYzF@yS@^rpu*Nlne1N0T`!+=`O zm|i=&-H2*-N1V@j?%pE8ZA$EcpLt4bEvEk!&b+`q@D zm}$^++#cw?C7atL-p~_W`ed)?j8~d6%b6r2yqh^Dza#qU0(}~AlR06%BM%(yP&18l zj?Ii}bI&sJ*}UmV{hoUE6gL^jx0cDI#@07nhc)k_7o2f|&|$j~W54CFuZXpx*P8v# zu*4w8Ur`=*l!c=Np14us=?>NMu$DN=vL*4CtK;0Sis(eG-iS%g1SxIp4s!=NnIWUOLCQAk7}nD{Nj zvByLjZ3;5?kh309R?Np5SrjyBiZ2Q_uP9`P@#i$diOVRY7+@?FLlofYmPIA0!-)Rm z(<2B}Mt5o{Q$t`I@=VfY197M*Wyi{^IrN&r1dNPN8?;>Zj=pYbf;l}ENh(pQAfq4@ z64eU4w#GG@LRj3iBNHWFsfi*!p>~BwFk9jUC&VBqK1xQ@29x)=&Qiz_Gr$lYa8}Se zN$EO7D9IZ^oRnlTBKJIozNbG0^g5;va`1fGZXop}Lmkj<6@^I9X3xw|86FyfQ9@(| z(iUt=i(6Ps6QUY}P3DNfBX-bBM=-LKtzg_}A`3yTSWU(ZJV1X&6l8>LKtCNJhYE{c zGLHpItq60N+m4_uAWgtKP|cf9Tz;{_cuxj&F4@!>`61%XT}^Kb`a8q<)0Q?%X}Xrpu48nQv-x{L zdgdb^D?}xThZcAFg#F(;Y+B+U8cxYIc3;xJF7U3veO#cIC2Airo_jngKeA6=kR}~E zR=|Kb8RU}*%{z-*d5Ct5EJ~_VkA886|M(rdR|Z!_jN@C{yHEC(tL%Fk{Wa?DNa#*X zCoOpqF}V>m*^IV(g>TL&9$@iQV#gB#6OlIyS{1QO?>KqqnB(uU&qugg5u^jQj5yX1 zcYB6A#b})HU{YqoE%y02-oc;)NB)O`Gk@T~6{F+|z5N+s_ah>RDchEQ2D?`UYQE=K zMogP684CZIWWSDZa!0^Rf;p z#6j*z>_AYJsM&<<`xCSWil!x3WA=?@E+o=~46A{WZZUa=>@Vm7K{xd1gQT5m&WeiN zAPJ@wZSND51Kv1c_vq7m%_prnSI@*DhM^hwa_ zT4Dng4sS5XTHtcS)c2^Rq^*xcX-Xpt8nfzZWW1IWfC?+^%U?O^(Gx!Pu zkDKwp{;fwi4hUO=k||+7;LMVlZGk!E-jFIt>lB&9^jksekFeeW6?OC?qnQkNLqV)c zvc1NalF72c77~$M(bYA6D=6!VHk8!689^uTj6wt*MKHoM9i6Jls|K{k%sym3i2wi~ z07*naRChSG9C{$vOs4|B38=C;&n8DU-znx79t(ZXEbnPdNK+UDf+257A0&s-IbzZg z9**SMoUmya;&b**!_sb1!5JUE)qL~Raob$t^>^F~Gt}ul{$k4RzWsEuJ{wU*n&*?( zJd`V{?T;MuBUhs>+8^js$-XsgclYppP0@GUcP(<{f5~jVWa2F8ONn^4M9w8Uro4ar z5B%Ob+U&R3pI)$$h7s>*oM4V4mkK8wIg(hyObCi^dlF%Z?U?0@F*ExLN#M~R1gb0O zoWm~mw8wy4rd*`287(JhuSa?*-m#}1B}o6kSO+Ko#O6Jh zXCd9{CB2ZyAcyjZf1@Cec{~>gJCJ$L2-km4^W{H5`X`>boU%K|7tlo@x{`1jV%~O` zCoBBP2jb-m^x*>{p3%55XWv+|-|U!v6R_J(;j4f$$dKI{dAUUVenwYrUx#F`YtF0g+czYW8TxHOvQJ^`-g_` ztAO?)MvK>&-ZIWDrSUjJ;_8Gmr+I?l$74wT_8(aP^*b(y_gq|mMK@W{9goD+lp>}z z2CvLWXFhqoKzJ?V?trNkQgs}>mh;k(34vavq)ks31SB@18i6u`lPMT?4yyz7V}+P# z!jq+2wIoKNt%ocuL+M!eBhqVwR~QI1kvq~lpJr%rDk3Q1pfsW?shWT=PH0apviGq; ziz%SV&R40%Nqj#}iXJ&oJJ>FnHKN(sl}-RoLC9ZgZe~hEs)%d-?~3Ta7rW zn)GDR$q4_hrt~H}69d)IGwK7Hv4>mt)FS3^3(AWTqQFyA%2YGkDjG8(>>G;yh#v`z z^-zEnii!a33hKf>CP4A;el!# zFiBfBvlZ>^oO+`1DY(n7xEu$Ft)iwBKAYxHV2{ zCi@R;cQb->k4V7UUeaY-E)p>Pg44DqthS7skn70>H~;L9nN6N@8Ggn#xImR1{rZM> z@Yr-6#_ae*Uh&~?H%K*91V(YRCGG1s+`d!zum5je{BnVIOFRL+gJqU6wj(Zna?K^r zsDRWs7RK?^IeIDC0`KiDpUH+){e<^#BvUs~1m7^YkLdA$Jr%SMSJa7NDR$iMr!10! zh3B|$=Zu>VtjmCL`+>4`coU1wGm=ry$J%FjXt9xxHaVwCllc|>4>kE|&B8YbKcO;9 z`qhHT?_QJqbV+fyV^$vsjmNaf0Cqr$zd5WvBY5*3qhN|AbCa;DgPTeEsTqBEb-$&86Q(G1rF#?Z7L{$__+fGIT1+aqDH zrd}JudcRP5RtW*n)# z8C_j5Pj9H5q8tntvSFEijkPOw|KcAwmPe`&1(QjL)*;O_WgJSH<%Hvpdz3rTTaU0` z)0ZCGU5M{Rw25Hc7nIf~R2`IxYNc47ESoeUC|a5>#WN|}$lyKf37(AU)(Yz&B0Yq3 zVSuwOdF9bxbgT{vTaz#upYRHgy_zwX3OS0XZKzdB;1%=)$gZZElxQJQQ^T&2q|=!0 zG>|2VRjt{yK9jblGJ@V6F}i0MSw?kBisEDf7RqtIOn6Z@?5$-yhK879Y+3C}3eK@3 zMKMTJpb=3=)zwT}4<}k|+t3d_E72mPCQ389b%=vzIovBU@%~gZgm;w25w0?-3iOjpJbNVCW>mUF)E%SjK=`B2adtxxY{@So zwAnC=b9(I)+Y_Q}2nNHb>{))MI6NAjEjL_@B~{|{?Oz_SyryUhmAB<2?n#0>;Jf}Btr+vc?h&#jFfpt7h^)In&aSZ88|r7*==B;szT{yez;78xXAD(F z7rn%&oKYIG{xBxcIo7gM~3iYu;7k9LsqJOhy z^4U2IF%Li9BE*6HUCQjHpowS9l%NP(B!XZVC=UVhYJ}|$99K{9e|*P2N@#Zlp;V;b z<}~M1($Ro>_mO&9Qr%^I$UQFfEo&jUT2<723c|-vDmtc!(Fot)v2!Wi@x=1#ktkS@ zm6Fg@#D0qKQ_gHjeF-AB{40=3J4=vUyOd-)zh&PT#`Plt|UQQ{78m$U}udvq9 zCz3!N=(>m`?TJl?ZKsGxU`oTn>oF!{=w?jms6#{SYdooGg9J}V23r$I$%6@z(ZI47 zoMMaj(a?AvI(GD>!`hZB%^lM*FJU7qNW2i0v8N)l~1!w2(6$v zDuPH6ZbNYku|TFZulQf5aa>{bMfw_yrdi=Uh!bLpC_mOSE^8OuKaQwM>S+#0x(4vVBQ2edn*{NtzG*`8iJeyX}3KCtfR zl&|hMyJ^rP2w#<~7Zc|Cdt7vhH9l=`X-IhHZaKISZ#$ot@_RlGzhrLSqQ+CA>6GK$ zl;EnPE>ngw$E~J3nZ*QO-(bQe{+TA7*F>uY<6%ze?GY1&Kl==0v-Zbb5uieFuM%a`u>0&ab($g128hA+|?|MntV69zVz5jF5{3!>MDK zUEABqOy-H=3{DN z%8h0B+aLKzMS6B*{?jSi56BzMOzzoDzF-yIGUyPa6|r*c&PS+2iz+Pv14m^Mo+cVj zoDP;C4lrSh*5D5rWuaL#&`x~fVW0|X270PVi180#5>y0H*pak~w}WGnL#-5EXbH0# z;U@GWAnz!B2%IKwpd%!jS@vB`6j;c59wNn!$=K@&X)VbIN%Z8v;Z4hC7Gm-fsVC`X z4lnO9egV4+#luy1@uPT`FjMkb?g72|n8 zQy2#A5WxY~GY0MOO39!FaoKQ;5^4tg9z11n!GyNbXg4sJ6lMXd?2%m;Gm(Pq*2imW z>g^bRykh{?tDY*~(wyM%dZ3&5gpWHOix(t|EpcBk4;$?MgozZ9x1n?j5j*yxAu(H) z-5bguSE#kyL;?2SkM@Q(V)1RhRY|HlgNw4`oho?J)#@<0DM zpS_&&ldqn0^ZYBGJ$cUA#TV#!j2}kee5^Fc96?PDr2 z=HU6{BZad*_3k654+?r#5uAX_nU%T}d5RXwj2C+)@+? zW4FPbbp(%Vh9hK?n6Wuh^p0hHq}nyKiKQKKq&B!k&Bc?J>M>w78miKD(y%zGnR&{tlUZWF60V__ueM4!m^W@MDV;Iqs}xa$izxC8;i$ ztQE^t&<+CsgQYMTc_Y!{z;-)BJ-()TGULN8=dgQZ~c<3%n%H02Tf>C6xyRZ zNM;MmgRMxa8b9o*4vLwdU`&Bm3yf#T^Ap-7bbiOAX;Jfz(3G?%fs_H|&@k*2ZS<)e zHaNkc3#vB$&`KDPu(FG4ETX)3~^yIw~Te>AQklYCO@h zw;eFxEjpq@PmVxFB|5f@^nszsN&5+P0A5qzCJ^YD$m~>(}Mn5GwhGZ(~RKcXo4kmrHJ}DLo(+i5R-6PTfkp=rCz@o^_J((~(h>Gs@2O2zrM>u5_HE;q#@s?)_9D;8g#CAy_ zEsdArCnwtZ3o5Yz*Px4!_y@)4TGERM^|NR6?_Xh;Q)a*GVC1lJMmlcLo#6O*#4mcv zwk1+`boOhK?j4PHgL`N>zdW!$fO-4_Bcm|qFNxY6^U&k;TGFge)MZ5<7{tvbbt_2I zitK8E-u{kbf5X!kHPz@(5bYzOtEi3%o?p?HA^4K+@j$$~q0~@SW0buo@Mr83%V<+j z*#&1&NacKna?j*R%Kq1T+=~^5+aCyj`jlifpt31P+cP?Shg1=!+tU2LWI1!7E*QiK zDQ7gp4!x}D*BLxLL$wM+GGqR9M>F}7@`raUXFdB@W6sBWM7l((2tQu%kVg!nz&?5$ z_8(|P3Q{n(9UT+G>J@sGAa6p{5FyqNWH&c#Lyx2{*gv}_90}t37Uj-)a&aJX5ju!a zO+#QkG7*q<3JNVOC7&t}bA)_HD+X}if(Aj{g ze3H;In2wVcEOf-Qvoty-tQ1kCX{rJdEAp^rVnS5w=!$@FtU30MXmEtFg-Wr@Qvzq{ z{Eo7MsEJWYNEDu^28;0|RRh)^n0N~QHp2EHy4O^~C-4GJxgpRAbv7_c411%w2nzQ| z$||Ar6NZIh86QbqhdO*DOcVNgU@}v@E-S90icF-$eZ;wK=!PC|W{K`KmFP&lfKoI( zgdNF?hN;@(XAbK{406kGoKQ>$gcz6#9%VV9tbMArBM&s&`-I-FNiQOrI>JoAjz9h5 zIsGGjVp-j^9LorUM(PH+t*F!)-5QJ?F}!=j#Z64#$81CoZ+1j4J??J{X7dbxe1QmJ zL~C(4+J2xsbR6#+e*eRsfA!aI`K$lwU-Pg3+ke6T{@?v2G6oU_(Q!#3wq$vVpuux5 zcqLLKHCrLjcaO{@ln5r$adc0Sz$@XXs*eNiuEu*V>3xMO zYmR+F)(W1GBft6_wd?7WPyhJHG@2nM9wG~<9(!)8H79e$B>jLGoiiGIDz8Jk68wSQ zo{=m=PHzN@Xu#_&;qp1z;4`XHy3ZP#O-bHtaq$Y9I<~*dnf&Pl_dyc>GD7_N1KDDQ z-2X_Feo1`UQnwRk(~zT@V6#1ST_Z{lv;PXF8=)(Y$)aWb??%|-4s({%-TI8O*MxJ$ zaUT)|Ij6OtmOg=Jc-Y=?eer-di!p;l*8vwVES={utb2@5q#rfSDI$8?kv*T%<_?oO zj=#%j*BRHBTTb7NXri22l-xclChn2KKO>47zIows>{j%T8#*f7n**F_u2(bE^CeYh z=rjfmWpbS2N_BxWpr$@3nVW@jdpOUyE z1Qj;?#B4h|5SJ}Mt0*=Bo``S~qQ0jw1N1S{_$XB}Qi84r8-l2h$QJyt$94rIK6z${ z#e`w7xKvWFGb$4y=#fK-CkKjD(i@l1~G>mK0hL82xD&u^CF21bL6O3e%q`MSycFtZ#^vPkXYAy^cdM zNB4$qd0;(6Xc-{t9(k?NrDKQ{kt&!BA%54ekEX;=GY-X`r`?o#G-s@0R<5Epm(*j$ z<#mNTj##tX&T2NH@y0o^X<1k@R$GmxBS0<@h|y5|EvF=fB!%H zFZ|7a{TKZ8|M)NY{(t?Ssk<%epXsmu%QXpI)AQ5kE&b_?_}Y>RDaG)P8xCCGe9dE4 zU})%_;|hlrPZ`7`)+#CiUkOM2voFZrZ&=J{Jp8!jPsJmf$v+~B-;-n>{);*LH#twg z=&4?HM4w+%{lh)M(x3-RNQytJXuT(x$6LB2r0xfX&4AcF5Iwu3m5#w1FuR;2dXDOE z>HQ04?v{QuX1}>+qF#}^8zQ$w`iAB<#hYv~H=jfKj-l?U%aBSb=FdvnwIcjFMSj=Q z*DXU}aJ`SdiBa1Hw=?0qlc1iHbR?$y>O)W1L4%s zPG)pQpjFQC;B$7RxPPx$ye!ydQ&!I_4!7sDY0G5UQq~FHu_v64(6(eF9p}$dnma@I zBw~6QQ=c66i9r5PV;6#f6t!C;f-`zovN%mRNslPpp)N-3|Bw(}=d{kpwlE%-oQIls z=@kogVod;L$KvLk{mv0BN+LPXjaNjjg652_T{Hj5h=o64n}>|ko@27)>9nBfJ?3$U z?N=O))J+LQyt@vdg9Jf;3F`Y-couXmBQ-< zRt%^>U~0iI84$X|Tf-1WI2lq3$y6Wcdx>6?7s1G+KhOK4Yb*dW~&9)xW&G#*GH#uA_-#CT&L} z0z8osxEV!X5+|TrP3|1AXJ`Y(Tp5}oK*%1)2@}LvPcYEz3=jiE%}2S~r8y^k?7K_V08u}?D&Ve6=?j>#%ubK9XbbU{ra z#*9Yqupb0|?XmVOH)6v>8(Z0uH;7zuOo-{%?QFKmTw3iu5;s#b5m!$Nts7;K0r;53W z38Mwmq(i^_3HRT=#ZL;Rp(7fdQ@b2rJCZ?h>IT#}WZu0dNS>42XrdvaYe%?bgK{2> z#$@+7tQ66+1#a^|TLcVJQu$L(fgy8|*Tsc-L|DY(leER?v^K-h9R zdH827rBWz;cFgiy>?!24=hwVyZx{+caF{rHm$U6gxT0obJVMi=ml6g?>xT@YLnaAD z>hN5L?cmfWc$WqlWhgf$O~%;PC!SeGgZQ+r>Y6iW$+HpV%p=1g#|5)P$KIdd3YI2T zgxWCJo-T+`X--gU=A(q+q?t`xwrz>hgaTyK<4c&ThV9_E_6KSt z#tiIjgkNQN;|Ml6-Fe68&~oy}h^8elk}fQ;U4n}`e4(+KArmb#>2p$=vD7>u5ph9r z@Nx4o>SR%kz!!#7u>=*uVCejUKw3)GqILou1c;#{I|YoqF?j`kSP{lO@^qvU5;5N* zHWAs>pvNJ$7bxS<{y-bGI3%-9&}oG)ZYk`NG^oh@0M%O}EH+OdjF6c}leXlI#ebgC zJAq0YHcih=?9uv&Jqu}?l4uEIv12td$juSI3~|YlE{&P=3SqxwluS`gin1O@k&+Mh z$fIDGD@xJPihn|qR{U$Cw{imD(jkNoiZg6!|V<1ha0cWgF) z!`kif`tO)ThM)fGoL~LpDK9Uc@QXjb=JJnz#mWzmxBDMx7a7@H^5eIPt$Vqusjih+D`b+T72nvivZ^soS=1%`O6#LeBV;@h?WWFZb$LEo|-LJ zlN}ds%H4+*p4*cbhS3*i96l9+Z1$zAeyCA*27I|OewL=9oD}g z`u$tRi*q(zk4Hr8wmcp*qw5i-+#w$)_+Ms(r;yTQRChW4bwW3J!qW3u$CmMhV*h@O z7xz31d*1zeLRxI8drR2)jGu3)@`TTqZz$X^ICS^KnIZkj9MSK|-$kV98u7&y#pag2 zYX}xcM7`wfDf9=2O%!G2Gu&-CsIO(Xhk2?Zl#7G?|@JMWj z9BI5P;;13@AlwfWv!3)=LK;vEhQSN*qkvE+RNkJnl^li+iJ@u)%V|enN}`FR%q@h9 zNEyPxU_?k7_;jI?t7LKC^L^??g)!}ln4ki4{ajO)Rv`)8M9z$70QIn z&z3Z`BhWqblVRV4lv|&X4B0gi6TP9gnkaD;^@eGFkF6l+3~4k|RWJYmAOJ~3K~&Nb zG%t{2!6G}NA5-LNM7}Q3o=p!7PZg_g$Fc~k<<16GCc-)S;+HLVy7Zld#POQ0jHn0$1 zFgw4(h>9gJM{pDpNyep=bbyuuXJIa2F|*iOlWz)qaZB&62*w?tSrGI6-<>o0RY=g) zXfff~jh{ZAw8sU`{}svqH|8|1^7exH-13ayyYz(+sUbe9R! zphmlh)8Z-5?!F_tyyW`bhQsm-KR>d@aY5^&rm-Pew7OLm~=KO&}g%csw6k3UsK zc6Ij!B?!6_&{uj$y?~xTfDF{6SaiiQ$8VQ@<+9Veh|tC1TMS@~@%>T8He;R^-Sa!BZZtO^~+1XpeY=Tsd?@h4ll9+#*v!Bn6o_Vq1yr8nm)Z zJ%jC`2?l)S5(E)utI$-qwq^|Xj9p1nS(3&uih!-OcmhtGJ93?2bxP+6gtsLy8to{8 zRfRV;h(R#-8a$S?eZWk{be%_PCB1bC8;9K?!ZALh3NVX~E|!R?hSL*rS7SuSp=dB} zNL`nd30zzSm}+1j`YdJ=Jr2-sxLOKqN6m{j8xF05T?h&>FgiP;X-W7rr`jCZyDvFb z1}nhihD8>jPd+DJ=Lq*D@@Y>zRTw!T*9vjIK`dg*?q?K#t*f28YP!*EB~&DgXv zX2~r#`YYnep5e!lXf+|nvPcK+e_He6x2F`FknWor=P!FU*Ke3Kdune)1Q}Hm!l}zV zKTy4E@PGf3>G~Z5xWC#Qh-n> z{}!9SAv|tzhZEv+k2Y9xe1D4+P%*MAd!npod;;Sec6)`l>L}xw`sb0uXD8eS7W4gI zS)49-dT{U`j_fxvudF7Or&Mi56exbM0lTMd|&YnE)jY^ijRn6MCN81ZO%@SC&QSk&hu_XbGnt zrtf)>4lCVIjR|quQx5`DhYa(8(|F)0JhFbzvGtg(T5_i%nF~-k^^;&42Oy!S1Yrz? zQy?}DMHF%@66QgH3OoD?5HSji>w0*tpx;P#{S-fG87k;U52GsF!$3TE9Q_%QI3U9i zv+YqP!8v-gRYsr&#+k$&_9U%?^-C<0lmj2!KGG&3!ZA2zjS4$zHz96HKK{8!UMNH+ z+4TXAi7C|r{oE6#bGmIoI?U+iS6ogk!_x)b{ESWH5yWf4eM_O1bQ6m%_q4MBM;DMq z1Q&w03(X;T&G^?JnSJ&euM6nH4116)zj1Is2E<}Y?}U_Fi*GiZF9gPUOYRrETo!15 zLYy6tH6bMu(X_P95y#X72o7XC+I#Xp-E;QZ;Z8znbF2kr;YL~>0I|0K{AdM}&wl3W z^@`>B3%(l#!|+FB>f+m%6yH~zIY-|8pBdBDdxU+pPOntrr&RfzA6$Vq@-mUMQ9S6EDv;A|=e&tmf7*RP1G zLMINLqY)jb(Qp(Y4w|BY@T4St8W3?p-fKcrBh!w!j_4(%UQQ=9w(SV3U)dzr9l-4o z!2o5BjXkuoB(=iRAdSN~NSria?bZmt!$~{DPU2=BUDso6#Uk#hd&rA{&RUk{z|cq> zH6pFS3Pl#}X_}G6sZaepVEvdX8Bw+&>MQbMf}r7`1u|^$q5;Md9ZhMrnl{K7W(5i> zun~DW^B z17V{9W`?l2iY=>O0;w2D`9c@Esm5} zDKMR((Z4PxB4K$YExuiFX`!`(Ou$+R`umdWuPx%m6@xT{&J#s_K_`CUUJK;!6pqyl zKcobwIR{P%#RfZ_GKpNq^cC~dkzyM$n4Xh28Ld7;9PUW262iq9Mn}Z5BfMOoyNr{s zTMltb{b_@Dc8$Gl$zLTX3es=RF^41ZY$S+Mnp!gd=89=z7+aY9Zpy<$#-)49v;HmF z6*{Zy23BPUCZ$#e$13XP8-v>mR5uR%Cre zd47gF@9Aw$_d~|X7a8*PB~H;H-oC-@OUA1c{O=AdzL4D6GvcgfKYq*dw~vI!6T&N> zwrX+SP7uoCZ|~8|mw29Hvw+!3k-c1D!`C?VfE&5gea8IsXYxNz@!nn$w+H0nf^PqT zlZC(v7u2o5iDA;6<9!)X6oQC7tIyBTjYA+c^;WRx@5!bqqm8-B1j+O*L+KMe-V=Pg zBEe%d^}t^;R$F8|a=5K|YYgN4635dVKkf;-fYz;$RnMYq=~gj$18!DRnFAANiY|T3 zDa7n4HxeSB&T8E0oFQmAxRx;U8JhtDhidSct{kX3jH(cWC2XPA9(^}rBEzKBvA(RE3qoM9LcrycE}$O=n7k<2Co`Od+?(pm?rU^J3G7mQQE zc8Z<^d_zKuHzq(pXgvJjNY+`R!6$YPXuYIeZxPBvCjmjeXN*(y zQ$gTJy!(+RiwMdBYRjM$hth#{!all0k4K(GiZ^KLCS)7>EQRK{E%AbiYHv}hVfQQv zvX*`as}~7fm2e>--3nCojx0^c+Xg*TRMVC&I54;_S80i(c0B*|fKxp%HZ68&SVbev z5TM?K=$kuMmx8?V36DG6s~JxN$n6JoI%TpdG4+;uddXbogw6$8t>~4cA0wQiU$Oz%bZSr!64xFzM>bfvJl8~N+ZcQkXS)# zEva5mj9~uQlb0i}zXZoFXe>-sM`|6Ub!kUMCUTxd%&GfC@h6wFHwx`f4n@Ahx<2-1 zOY9Gn$0;`25KE1}lnl2H!{!rgk2oTy>+VT^%6aO}IW0co#53B5Ep~azTsXA*mZB<{ zCJLoJp&d84azfD@QT>28vDhCfE+!#e5)rIwR1snhTRz?{SX@0&zw_D4BdgsVuKWu5 zdQWn_M81nV{1f7Jw+&zSF8YG;WZ-ZSw}87)j~gQz!r{Bglm|2>CwL|j&6 zlQZ-~Pd3|8w{!aXK(XDiTt4&grwDm*L$^(Tl})}c$-bCl-?cmpGqU0XD!k%2bPQ92 z{oxnluU53hk=pJFhn8-B$*{X)|M3yW-y_2red(fQg$242isMJ7#z)+=)PW%#OFY}4 zzKOUl9vNT!p5oA=s%O@Dz#IJ|P4t3h+tS@N;2FxI!w)+yS1WXt@buW=?$=naXJ|s0 zw6x(P<_8Zy>0#O8*gbw5p(hZmp>I4)Vu*Gzqr1SOaqlY1*#%zvj3YvfHUzpuyB?nP z&{>1s3kDORZH6l)yOm@@O|1m3Z|S`l+>xjXXsyqwFA(=GW9*>3o~_dO#-$SpMF6Q) zjDE+qa&g<3PJ6g&Lq95PoFf~D^6273H4!dHt1(f4ElQ%Wg*o_#2C0`2c5FUGsHw{^ z7U*NdF%qb{q;nD`tAc|z`12#3r>XrBPjpl=!?q)}ayTR<#vEuz2SJ8yN}|}Ktp>Ua zL%;?@&p29&KvIkqhjvP(8ic2)oq#G2u(_ZP1bv(_j(1dx3#vw-O~HPc$-%8H);v>+mP6CvD8q0UBe#-wZibi~3AUEguR8Yk9>IlVIJ@IEcTh6tun+OV z5U+Fa!Wm+r>6@5`(xZ-jF5VW*gZ|gpdG=d&O^$R&-7l+ST?^B}116jHxb2Le!F|X%*r5b$sKXLvxU?|R!>4iWt6CcC zXD~03-i|)~jJEy2G%RSp{vYt9VtR6*3g4jPQ`+0V@;IBo((fD z8SYbn`#Zt733)DCJnxpRh&WB|d8jf1w_=bhW@1O3O|W}OIPK7zfKR)W>GBz|pKyMi zakD>XRsES=@&eDxk-?n!<&>$X$eoN?tkB*Iit)f?HsR^`f@kwg;yh8?Id4w|Tl<>k z!y{SdaVISL=Nm5n%ZhQl*1 zMue8Q28ddwj=-3Xu4|Z1LMrLu7du1|bC4m^Am?d_iLIokBkWz=iAGixB6b+bne+jr zaycIi+KZ_k46Qpdni8*1$O^xrqT1lPHN#+_wHPIddY5MGnbZN!C{c%z#`r`-z$g^O zE=EKaEk&=713`5Co0196{8)P#Rr16p$V>VqY_JuavhXo@v4@t z3~`znLsz5J1a~_k#}G9wh`Nek7n19k#OtU-2S2T7dY^u#P@9s$T_AQHap5qwA&#~9 zeuVl^k>!#~1cZwn_0%UZ&kU8s!~%EN61Hpfc0%9<3=dnR8{+95U8692pUUjmD2YFY zh(=?cdZK5K#w!@(51bWiyf)=iQ{i+9XCW9%O*#J^vON-5kEp*#4<5(%z#%W_T!jt~ z=uxA4k8XrkN9d!Wms`T+h}drtWzV5eq{kg+S5rQ;XV~3GPNos%G-T1-bGleC40F^s z9mDjN*RMJjCk}}-VfO7Sg1Jw!OmQzyh{k8CJm%y0fE>5)8EsEv1?yfQ?siP&gxgJm zWX%4zQiZM2R09e{?H;ZT(}jb z&1iQmjR*He6SgJmKOAYJm}p-RWEQ)aLf*nGpvpbQ?vdowXBbj+;9=?xJ=2(_f}2}Z z7Vvy?Wci{Yx|q|d38i;rda#UdE@W1{DjF@?6Z>Asi=F8Sgna?Us61F_~r)x+UI!}Amt-d*`uvPSLB5I3eLwpDw)y$ z&K3vCfF}j=*j4W>=7RIBq~&?&yn=-O!N)2in65`}k-4Xo~)5 zm^liyt|_-2>TpN0YbhFo8#=5vd(Nao-wSx&5cc;Zujgo?Sj`3DRYv>W4rloFRN?U- z4s_cGj^Pxy|A0zj#-hfSE$-brPOjcCVCgv``hrXp42uaID*S~YU3yd#pSjGD?&r+r z3a^(7y!4Wv{_qihSd&wb?+Q(kOQBcGRBfv>C?$BWag+Cf>DKVi3)f5wWAfHh- z=9oHoo`K%QQy~wV3^i>Tg(e$E+)(3UD1?I>3;bY>>3zmr;Vuk=XfU~hG!BiIF&BGe z2GL!IKb#?@LJF3lkFon2KTZ%{NNGo;jwc-9F0Ve0{I}BHU{^hp^g;$Q^B({U?YzqPf$nDxgr$6lLp!6$=XB&3T=<_p0*c?(xBaW4vP><}7BZ6k)l<*qNNRl)6l z-yt7rSiUiwIR7J=@Te)EJTNUg2H~?Yuz33pDLg9i02X@V@CwU?RCHT`OG;{Bi{S5n z_!Iuk6S2AE9I$*z|M*NR3{L}`B?l^d%A)>6z%^>q(9Kr(fXqscI>Y{W!`W8}rgAW6 zbM!9us27tqGE85 z#3~>yT88D92rp+c0puxNWbopFth=LW77SN2IxR`g1EOSvETMkZL~l|K@)e#aP|Dy; zBZjL5%`Z8V6BlQ8iWUmrZAstEP(m>zOQzbPh*tzpIpgF4@pK@XC?2;1i{K8E{T*Lk zyr)mUAaW|wFRvKB?})x!;^Wg@r0jMBi5XB6#p&xy`ei`xz9Jaj<6XX?YCEFw8u|4K z_iD*7J!4m&V9f{a@=Gp*hO%7{zsMmBao&8!?C^;(Ng?&9KL~=)47~~oPYQ1S=<@li zj=LXUF|`rpxxO`LFj zGBUOfecj`wE#~ObS%Wu=Fpnk1pE4-e$(l)8(d%H)LofUN<6Sh}vr0rNBHjWEOT~M;auIHel=pQ6Qx$x zancs$NE+=DW-)&KAJ$-C81oR*j>H2LV#+LiMtUn`?lX=pUeeMwmYuM;@gB2n87@Z( z&(Z`d=64EJouYz)^_?a?ft_|}PXfkCM?CeoTldUl$K0Ed7tq=nXP&|}3Gy-~*p?h_ zP7uk6>NE#6N3S&5!y~)=g6Z-Z@1SwsS&HQ)ZL@(SW3%gck+kIL7bMp|A*g8#crVTg zFB<&C5)mr;V8k+mzGKW4-Cp5lF!VXGyh4?*FDJ+kMo_&k81$CKtmT9Wg%NDU3W!fs zSUjiX$r?IishnSvc8gRnn|{qKIHjXP3iz`W#2-JQ#RJiqq{T9s@334lQ$5dGxq(j^{;qQ&!iJl!#cOnnUSm-wuhMKKfPz-H+Yjb9Pc{L&X45VgrvHo z>CTuh4hSL8n-0%iQCgo&RrET*C_`D)blU^YMa1w}10&tDMYNhQRgC$s(?l8{d~v6&liM~pV7f@SU3g2;&Y1ifvPzmCX!kX_^HEC zNUAQQDo5PtBb7P9sox=HukfBK94F-D8<;U={VyAW+kc=B&oS$Pnd`9WHLX*_q2^Vn z7)*-Ojff}7#j2tpL*@_6vju%+IP)sp>3^l|-{WV$&V61I3RR!oFt z)y9PWg#Djyah)UEpIqeH;JK%?#v!er_=lep%pgglkvw-WSjKT&Y*D>toIUs<&fq%av~X8!Aw^?*$!Wg zOjOBp;b6l6$JLb5LG3C=$071d%BIHaTsqG|A1CG^+<@X^Gl7M6)Tw)1LHo!t$_X@6KS};i;Nq9xz6l-g6Om zB}Pp##S!UxD5s;^B9X?zx&4G|9e&&?YW5%?F_0J^M=I`ql(=-9NLcck16O=FLb3ma`xau} z^VWhjk{>^T|9Z*m|8>cYU14_*xaSU$(cpZ6dsm=Ez*zN&szzKb(2oW;f_4YBSMy81 z;7|Ybj_^FebtB}aM&~I@(Qs2OnE5}mJ6@25_sD8RGn*4Bf!x>BO@Nyy+(klhbISZb zYpP?+(ya-5hwQ{5yuN0*d(SyJO@D${R0Oj*yTakb9w_VrO3h5KsY?fcnqZm+$CHE) z75>*Vnu8=PEUg_eh0pA=r<%RQX?8ptO|opUy^pXH%q)X5&CG8&h%?;omj3*Vs&44N zJ2F{Gyr^M+2l2e;csvkUi6;~KgP|@4^mjktU7s;%O}dyftSf3cRn_I98=32Fc30q=`5%#*G z9_iKSI>$Y^q;VD8Jdn*J{(AITKm5q{enX%eo^nG`Jd%AIAg*6h$b?ZEtXt8(FGzNC z!mQ_Y-7|?(I@zN_iSsCFu0tlO#!AiL350BLT7}XU<2!Wn$m|eer;3F$uofA9eZVx} zxt0R~!MtVImWa?2Y#z`d)JEdE?XOabcIi8x6F0*4l5PsN+0uEEu4)+FjIlh>wK1{n z7#jzxMuuj_V`HDh?{^0mnKM%u_6eLr~>?`r=`bfLrj$s ztbE4jmZ!mCDGKy1BAQf;%}8t;%A;l(RxsuW1Ysf>4u;s-(fK3(&~cw648?(6D@nA= z^VkyoN8ZuuJ@p8olhBL??RAXXij@v(Sv9)wHOYL~MQqV2#*g zr6$NN$7qG+hPd{LgPt;vP&(w(;~6TBI7TycI1mn!Iu?|@rTFQe*>(>4xTc9xmS*Jm zxWK;HWBnYJCiMG)C+RWO?=gFckQN)b^hI&zwR!*mAOJ~3K~#-MBawHkBbvO!O%pP=p|VTj<4=s)OZMgy9+J9!qV;D8wczRI14S#*(G$b7N86P&!3q2O z^?wl6K3dFahFiSSaF;`9YrH_Pd3l1q-5{48+Ro6o2cn{)yAL>y8;+4j_QNeUp3=-E zR$7$5<#6XR&2FjejLd^W>Hiupne@b;TGoxFEJylZKrK7UA9DP-q$gr>Y8XGngy%Kh z!N;pw+Q!H6NBkN(X(>xffB!@rSc=;{bvtsI)Qs7Re!oRm8sQx{ZVGlWqqQX@A@mze z5)f7u`!7Bx`E>W|mbPfA_nJ1Tk?k3_DKHy{-DyPlyymksp%34XA8t`A!D5jxUtUu- zDf-izw|1oX>`Q|8@0fl2HLW|Rd{{G!YLYh>NY60132tgAgMz0zp_{{_JJRngHr9-B z&saP7onaIit+Y@o{KV3^14>&OLJo99uBFEi*CV5n2;)*oi(3TvuB3G&;i&Ky8T%$> zHtnhV4(lsCwL$iVqqQ^&jQfZonUGc^Rh%-F1AQk6Pc%hmQL({Vhc+D;?t%MY{?wO=xk5mBUUME^ULBAuG?a2_&%`Xab9|Bkp;`(B`yL0}MD( zOAwEYK~KCc>5~(*-7#@vs&RvhgB@Jz*hBZXln(S#57tWMi+Z*sBR)e(4hkt0n^tgp&PWRm6x*dz_IMua2D(=+C_#&uHiXhvd=m>Wa(_6oEG&ey*~conMsh4Ix_1YXI| z^{85Kb8L7SuesMRIJ>wdX=n5-@y~iPamjE|A)+OIS#WDEIg~qCe54)U&}=@?1u0WP znzSSHkH~aFuN-W1L-QgcZffGIB_<0IRCq%{>n%A+Z)xu5q*+7v;u7ZofIxr0?|)`| z5p#HIa1+bm%y24jmL1dUDQer|i33IDaf}3IEE%46v_F@eMI8t43Wi(KiNZVeu#e#P zBM(oK?(vo(NDyPmVi{9KpW)Arq(O_<`KWqJAROXj$C#zGTTAZ*jMW2PBoV45xD!;- z1k(yA5i!Ps3sX~s8RH?xbOxD9Y8#S;f{AVraf?|Gcv(v8Sc=Nw())GNk6RZ+&Cpl| z6`)Lxl#)O;AP1VhN0=T@wltX{;6MkU2gK0$(^phl;yD@P+CfbfWBP=Q9q>lF zNYc+?Dl~aM;D;&F8|e-{qwgZe9$QNETwsjGua7jPM;B@0u4f|?hGB<@6|%1pcOm^y z;hCNWk6yNjVTQl0$UUE0)QIOAh76a1G1L@K7Vjh`SqnzvqYfUWBVfOwcM7`hv4u+) zcLY+g9eX;l2{=~)aZpmIoj28vB z4<0|hyXBXE`|r5NKhg+=|8j;zT7D9W`R-qt*d4t$D{&@JrUVg{(SYynQt@XfKZls{8pRj#}oUJI0<>h=yBBpfD34(@F3OwCeXdl>6 za{p7yY!+kun&N|@3r1Gg606?gls}NiCs=Qf|EZ;AjygWzP6GCSS(Cj=;ooklzj{Tp zTeJA^o?`X|ZThg|Y{=tN&bg!NK#2mY=Jb(^)7@aMB;}``?0iqVu@nc5+Wf+-jxqE&%Ly{5IhH+P zmSXitJEjCP`?eF#Y_3 zd^|Sf{1j21F=^Zp44qR3?M0Vaz~QJ>hhR7tiTMjk}t{_XXwU9QpLb?(8N0 z@7C<^e9ZO0d?l#5mc`2ue2;!mR5OLKBSb#N_qlxGQO~Z4r!A99k0$<{-@b6!2VZ~z z<+|Xwbgf~sxWMZkX&JExgOj=V`4P*EydP-#2pfZTTSVJpZBHz6a_!^$BUr&xtw_C& z27$4LgSLpy;}}Uo26WfpITf8yU|O1)!PXsd>|%$CAdDE0^sd1*6}q%2DJZrfkr+|E zp^F4=3Ctu>u4$D|$;ebl#MmG+7g-B*eTK~%jvLKVb_~6y#mDp!Ro)Vqh}x?O9EBqc zrjBskn6k5|SxhENc-BKjntP)NBMNzn$qbHB z=t^U3M&S75CP0@8oud$@!&WiKlwPIys~RGUt_8;-Mye6#&f_du^V97)(ZxWo2KuLv zJ3VKTj6_kuR&}K39?zXXdnw*aL!L<7Nl9;Rm>W%=`kV$k>TQB=9r`E$4) z{A?}a8=v=|1RL>4Dxd-E{Sz6I=4pntf<{^jz}1%6o)XJb65H~3!e^yVxv-Xg-C}A@ zxqcv-3U(j17&)b5Pjng6R}<#v6&tbSY9jHyb4Kpy+KjU=ugU+VA^BWW^$XIzKpbP7 zXo3691kEQvi#M6$ zpU<)1zemc9ZJslUBAWP&;=>0PmrM2!G4n4sxV1r-F6s6?JNJs|CG3BI*_Q=&1H1|m zf3EOI=$dD=GeMA&Ob4ocfch$?YIa1Y7OCbqR&cCS($6hwnIg1L7_1ogl2Z4mZp4{e z#-m_nc3LBO@g;ks!Lz z?A2^B;o{7AiaJz>&u|Efou5UFh}r@+eu)?`e7+T*qXrP<)h7QZ$$(gSI*w}Lu#k%gwV9AdX6 zJyqEKfU*wggNthnw%1X29nRo`3OSt|d{2?@Jf^cL_vOGMg#Kvgg~o3zP6rQnE)nY- zy{KU8u^&R@-q2VATb^i*#LhI8kerN#R#2)8)n^E8h<+FlbDM|KW~l}&Qbaf~@md}Z zEjMLCs%w;`QFhB=n=w|3Qk>vWk)OLn!x3w+5w4-wb=YN28!3ikP2*PJ_hiOpRBW;B z5w2{IIXG2KA9oCPjZ-)Gz+NOK&6V502m7!gpa0(lLo6z@g>3?9N1v5Ejd`gH~i&?9w#FWWtPi}Z9%t~QEoH*42Jy}C$88%W<0s6DVzwC zu4y-dCvi_NKSI~=V(CyV&q%Hy82jjNDpsqXGCdP?nFmVXIwejQ@~@w{oPG4)^Yxe4 zbmLEu0x(AMgOMDoKkz6@IstQGc;G3uX^_G~KV1+DfhE8IPo-ftSrX!LkRg8|=UO~c z7|9R+bfcV(VB~rlBkw zWPgV{n=vFKcCR0Cl%z5hloi?i0lU?F_;$x6%sF%x&cXq$nOKT94-tX?K)G%ZBT2P+ z#GctyxuEd&M6_(`DOV~ba{}^BiF2kX|Mrq6K~H0zQ@!6a|60=BX@(#q9yYjNxE$X+ zA~TKq=%GssDGEcQ3Ga^7qtB3j#G78S%-@oXZz%p&GpGhjZt=qz_Crc(P4LnKr+bfN z^q#po=eAKSA7A0VNNC?>xX%*qb#%R;9KN%#{T-LuWAI{n zCnJm%wR26GTC}0S8l{NFqkg4vE_$+Efk|pQV_}Lr_FE6j|DJK$(=kFs8sxxeF~_<| zsH!7tdqQ~Ju+Js_>jL{?jN`;KLrB+rpe8`>az6dVHPU>b%{Ckp!>|Bp71$$U>J-7EJvJ7mKz6;en@G*6qM}ENNuH$b!L^C^f=$3i@J!95v*!f_|Vr z34|?>b^}gHuU*1O@^ETcSdv2?&;=b{Y0>GHLDjTf#^5SU)uTm2-VDTnV4VsyouKl4 zq~9^K1=iV#J_Wa#QTGBZGFmT0Y6~sk*a+rbLYq01!ouoLcbu&^I0Z{eija5yzOW%jwQ% z%!iCadj%&==XMlcjVIT}!5sX6O&G$Uj9bRMOM}p%q!Fx7C-aT^K&G7r0dgAkPony>jaDgm65N1AO>jft9 zsa&6T@773N6RHub+-K-w`o#k69C|73zRNQ49<1jo0U!Q64C3f||RlM&IG z1JR2LmUx0~N{n7%1pG}4s{JdHRY8YGZ46>HL1Flh-wEFT{#Wey9q->gaJE{Kqi`|w z*9neEsgy?GG9(J=bcQ9qCC>*$+!CWWeEtQh+fj^Gu>Ju)d5TxBiOwdJgp6J+7%B_3 z`tj-6HZ{$gp5_ZUyjl}}vY^{EtX|mIt-_uL>~af#rf9n<+q~uSret^ZjPT)s=weFs z(HPZMtgRS*x2MVn2G=2fksyv0+uBCD3(B?6mzdBGM`#J{;&kqa9>Oj-@Rm%EbuIk z<~(M*X-Sfv{$OLA0Q21=^2HUkl6)94CVoQaj@bTCbMdjpoldcSa>e##jee%d(5P{b z^ZcCZ;BoemMu*poM8@ngpf@2WEt$Q2&2Dv$%-?Z*>*2gwW12>A#?<7iXC`3MlopzdI84N^rdE|D(a!ZDNBUtaoU<% zbvSyUw=`B4Fit#l=TMd|Mo8+e<1EZM6`E1g(0LZlsi5mUI$`J^!HrtlZlF;WGWV(E zfRmS~Tq7bVP6wROp)vvy*l2G+$sDJVRB4N=rnpT(+Z*E2#d@e|;*hXyX#*R|3VW!? z9gSUqHU(Cfi_8uOhbmvf?tK@UBHnt`j)%anNsp5>x2jATi3mSKEDai};B&l$WU z{xYIYD`vJp)*Y5n^gDyOx9M>>C`q68i18G;3gKW89tPy`$ha*SnoByjBllvg{TA)| zto%Dp+c|34VEPjm?LcqNu;YMuX2B|<+MW30PV?@MZ}2{;DYgeTY0p0UJ#Q0($x@u^ zfM_llGK=!uW%%GCg)j)M!DzNd@@O!#3&ZnOx-Jnmq$F2F&AgVgj`EQDMIr2 zkt+^JAsKB1N?W{>g5sb4%roIq1E+G!Oh_hY5vQFX7bmR0+@gfbaMZ}U;5-TuToL^6 ziY{K^>~5hFM53bTJH}DX50#HO>~W%mPMj#a9B&*`JT?qP$>7xFzqXLmn(A*aL4@SP ziM+PZ`vYFvqK`e}g(Sk~^*@z(PR1$Kv=4ixn-uL!0w<*FQi7$=X(uqR1#a+`E;pw8_tf|B^z#Fc>m^a&P!0zB;lS*oMJ%r{KRhxTdH8WfXIUIgLp0T-A0BBE zLtFkp_?gSy?+-*zB;l-NJ{Uq@Q8b!7yG0lf(nI9~y%*5j-C+k3H8jkE4t?9;X$w0U z@I04M6tlm3WOM%xuNsiPK)*RMzPV&^w_`d_czEsNvZZSZ*&q;Y#iot$)dRwJu_qJy z+l)^>H8d}tBR|}sLxt53oGY8-c**)9W9SN_x#2QN_~_G+`klkosiQgj608%g9iz9< z*B6{b$)T`t_6PQkOQae~-$q0Qowvuy6qz+6wsIbwoY?Bv?|sJ0TLNp~6id9SqP8p~ zE@f&{_XFz&e6Jwva?0N2&<8~IfEQ`ZUQ@*})=*Om562%6IP6tJXgMUKAKk1Y&nMds z=uD$$KC;*&Jdc^l=mrp#Lo)SI;>5WZQ?xbM4l*zZ;o#LFm9X*J0aw&mwV>-q_=!#7 z_DtkJAx{un*nLHHZHQ(r?PG^Cv5*5;Zc1q_aP~dU)WzxoyasS;wBNBPGOkocQ!^vEp-fOdBJp*lAj#Lz9O6j zB>F9WdP$Oc)T1k!S~0{Ugy)b1BZdkVp~qMo`n<#IB(9Zm5bxhKfoJt!v1|5COc#*JQ zJLEEB=p=cn7|#wA-Gs$Ru6@fW$ zWJJgja~g=P4l9m{I-9Kt@q+@ZsZb`sv?!k_?0D z3Rc#_T$2|yp|;6%z^7VkpJ)A%iH7((l!gL+WnWVO0c|1|hZ*ZdqCJ}+yvx>m4 zEQD|ocOAY+=tmi$9pZ=u`dtsf2vAI|2{%9U*tBzmY~fDhe>NedXVZ?UKW=DriRB5T z@DbY@Uu+Rahpstd8ynLeunslt;vDPkp3TXkyj!#QxW`fFxD!KBO6u*Nr7?W@b1RB9vBLTI=X`#(Lc5>ylk0-f!a>=N^-E(U0)7-c1s_ibs{I#O z;zTWPnV(Jhe7WG;chAVoH>gUmOC4^aHJ$hcyYz32519+ z#}JdIvPhncS+945&kB=;!$ae96+ZI)hb5!#j_}19r`m!10n4}P&aM#I10^mTHt0A+ zr5Qv4RVHxM10tH@tRLy-S7hJa({)FjsYidG<0TP97W+SJnOi-T`xMW9%l=_ReO;m6 zWOQnTzi43Hpg*}_|LvOD93ECr7(aeXw|I&e5}foF5yo^Ujhz_MyACh$=z1IRp=I}U z3~yc&Qz54_nmZ4D)6hP)bW;oc?T-G_74G^Lf3d_aE8-i;!ykNRU#FDc+ANkS+uL&% zFOH-yA@D}1Vasvr5PAwGFR*VuLsqwV-WlDnCx~s*tYv;&Q%_>VT}gd$&Zzu=upuiF z!d1s(>o693lzYYT;YfVdGL&QdU`MfyF^ihp<3RNI!0hXY0*lS9#Z~-3lPsv(2>rq( z`+mpqb%`@6asKWjf5a1f3dD{b!Ay+Qib33y^NW5Y{NiFtk31 zf*~6iMgd~mGuReYp@@TyMszq%Ln1Zl(Z;>ppxSpqA{FgPiVV825867RW)`Uqo)R)mguNKoqTX=+SDLMF-Eqi zwFTo5JqCX$sTvzgdc=XvF(0@H4BHOILSVX%RKa){DC+>?7U$GqtO(m`>CHcLtEMB7 zF-9G*2gz_UxUNJB9pJ-oA)vPzg<*Q6TGM-q<-_npN5r*E-C7hx&7bxSyw9P247=Z;}(aqC}UiEju? zkE~f@t@bp1L%+-Lt`ylpp}idISTTL>VfF)U&@o8Kzg-SEpZ|L%XCeOEG0lJb6-rc? z-5TLeN$h)`{OlRm&!3>e8Bd=ork5)|{pr_SUtggdTm4c3`u`U_XpV3*uCb#pn3p-h z>Vm(WTFPS2MBHPz;7Ezp)i^KatoN^wW?*Foa^Pu;DoPMZ~WzG01ApNE$xlyD)*vMr^)3+$k5UP;s0pz6RD9$PV`hg*-=tj?R-1n4i zfH|Au=@VTaGFmjOcjx%d8{{h(KJpNIMLoBf)g`;+47({Xc8MF#XkQkXB*PCP&?SfB zoXPZoD!o9bx47deY0-ZTze0adJJ}~*| z5`iR1KH;-}^PG5j#WJyxXEB>M9xrY@?ljo@S8UBW!CA;8?BJy628ZdWhkl^x=NQ@H zcpif&u{{g7H1u9VllNH4B@9~F#bgr)uTnpnHRzT`3RtP+SooN!O(=SbuE2|8I5uP= zK+q702$7W(mW{iR=trC3TwtFHI>tzUgRUloUXAV~s@2%W<5nA1-HERE@LYo~b8;zA zy}$$>UYAk`N#XWP2N=YFXb196qHB*%c0{74>thZ>ON>N!U&mVw5aLug#i z{^e6XO;()!+na5=BoXEWBn`-T@QNzRnks%Tn?)Np+B1|=PiX^#qX$~MBbj}*m%x$};b zv!rS&T$OUT)hKa?EeBrj2a0aZ)8~TlfBHFx@f3T0#MF|g+oBtrH6c74(843r206`m zyqge32a4XqS{f)P1XlxmqiN0s^3_`!l@LWWPS;WdiXhA|xzEj)id}z+E54<#ZH!fL zczGla2h6r3I|!t|LwX^`7}9RW{$Wirt{Ccy*=GS=DoCt5n!+I$nsK$I**KVyjlMtf zY#fr_HcVeAti2$Kdx~{~(LRo@xcszW-~SBlYYt|O7hQnqNmH04JF2v&h%F||6WR1B zeU;Oyh~7JpE|x6wdnU_}$5X++sc?P5;->JSlNSOJf^Owo5n~sE;Kl zr^o498e8JI1L@!s4wAGTQTs7wT%kqFOBbWHa# zN9EF&Ep6}8EhM(P!vq0?ZDPGy2K_efPu=lFz;B=ro+NU8>UTAm8QzOy-| zE?W55GQo0cM4schHgcGeSS7WXgUawlL_g`MyA#<{*r*d-GoW0LvC+s$OJaANZ3^9m z%lz0bXBkoT(wKYDCe~*b4m)Y#TfoF=j@oYo%#S`W?@buFaKmWy7eD>^y>wo`qZmwS-&z=$c4wpY! zfbB`sOFd-FxEM z8GRyA?^5(=&dO-oM$usNWMT9DDIs!q*sBrhpEUZ@8Hd{=gDLTrF)DTG-5>vDH@g-c zK`z1bYWVE$Se%`q!UMzO71HccUpt&$6ZVBIxj{!{vX%Pbq{osKFSae1Bd?){u+Uza?-w7Gn4 zvDFq;OaMqJejo7)M)xW=6=*=7!|o8z9XaGo!bJI!A{2<~3*SYB9slXu+y zKmUQ&s9U=m1JIeoj8<0Y&ZScYekpOL3b`u@ z+@3?_Gt)H(C&#r1#+jmY6|Io8x??#~l)1qYK91a?y9Fs7R%x@39kdk^tDaNe6Erq8 z5Li9xBrqaCryckKO`x%8f4t&n8Fn4P&|;>BYFE)t9IR7^3?=(|AeKHmVX?B0lzW#- zG&nXW)nIllO=u%@ff^hNJB4nHR*Kn9(6u1K1$xM+i-1rH8U?NG6S>f21GA}5z7x2C z;ZzIkT(CVT&OObk>j;IR2v&HZ#05gD#*Y#*%O+_CdfC(MJ&Mzo`u%`dAGv*3(3?9r zbhP6skyQ}P0-~2k?$2J}S&s;-LL?sh`vNnKU|(UsaA2EaEhXzm#e9CG*+uMShg&}| z`9!gZm;ChKe9H2p&$)ha$@t`RK*f2Hdl;T(#;d1S>SXUiSm=Lzxf zmR&Z&nI90Dg>sMF|D_;#p3>H^lCyk6ZE$g!RO~}juO}N8MP_V z<%9?A`c z90!^d zXp9BI!s{z!)KMP_o-?L*j+{h9C?6S`F?u4nXe>-!p>07R9E@k7riwu4amgi%SG6wq`mzsH-wH);9d}Y zI^$#~*yBsg+#q`w-?OMEG4WzfQ{;?f&GAul$}N7VGcujhEo;V}pb7$Zw*_+LV+!{K zm1ege=sxb5@D@32aY}(-xhy*y*VtIKqQ32Mo_kc^x7cD#NX5Y#(eB>Tsg?wn)qitN zF#DSE)6WRqIZ90kEf=i-?SdKTyPj;{a;Q4)fA@yp{`Ncm^Z)#R@vHys|K>OU%YQ*x z%KD`MPy%UwPm=Lv0R@YM-9eMVQ_GkZ3sJ1W{N z!;f1;E~uI*6dR6}p$R%nRWdwtSikmI**nU~M~DwEi6=ho1`HnQHfK3HvN`*An8)uJ z#TG0bwzm$GHmAp@`IC!(aZ8b1BkB)7+7hK5?6!DMJgPSu<&>01mmmR?C>!KI8gQ(T~1{ zlLeikXbg7i;x9C9Rv}j-?4rd)U~(Vf7BrQIJCw+v#nm2N=^<=IXO~!ghq4BSE~FU* za;Pw2KpfXpM*{@lbR>1bP`OmKLJ4q%M>`y7#)4YsIHe1&3+0ic2?)jms?g+Zh-;-d zm5YdMCVkERq!=O!ZH&_v7;R(wJFJb%sUC=9fj$Wa<6_$>?a9LSTAH#$DUSwCZ%INr zlyXqT2}8iaZ&>+~T~#r0Yxb!k32lt2!1JjN18p#1)j!e`PMLG0Cum!Y(x^m{>I23O zkwL=XGz6rukC0Z2I=a|lK<7%7X^0#b-39bXPvCV}El4-Q8w&>Q;rSIq=HNsX6BTgO zn$^^$-*-%>6Ap(I&xD*#8#bLLZ5poP9lmX&ikO3FdHu5IoNrjmYvS2GRy0OG6!g=N znQy+~BtB&_>S-SpI@CBt!^umqn=NG;!(__!>f$w=VfA#QEz>yvt7+)*GxRbIP|{f=|y$s)EhK5qqCwe|5?6AMRLO8{!|9 z{OqfMdgqf&E8@T>yHALQ3PudHpUf!!R3N?ri8ZKBl@7Pb4nC(5@mBCFVb<>b!Tkhn? zMBO_I?Ql97RCU1IOv!)!hFtqxO^!VDmt6X5ZudVyR)58_J-qn^mD%AH4x_I>qTH>q zBFV5B=<+>hpZnx*mrUx{6w#FGm|@3~a;D)}BD6w;A)_cmU93=I&+uUmDrFe^>~C}8 zGZ(K&(ZdpNVUevh?Rk$`!Lgt4ufC44&VNRlOHNCJ^{4M}pFCr8m-9q8eEjtl_2>!Z z?JXZ}3moeKt#VGoSA`!|@C( zNol}ue2Rl)WC{Aifa7(beQN89@GPb1dzN^#!-Uo@i0IK?fWECEUeU`Aw{h4Rg&Wy; zW``dJDAQmS0aEzvhXbcp!s|8rUByE$h&-5D2ka)G+XiSaCEIlLbw;tNP*cM^Ea|oi z+nF%73ruJc_BkmEOO<51g7ar^dLLk|eEMNPH!Yp*vE81q>bGR!GrD}w%q#iy?><6b zUz4{!uix!>_1kZF`S-u)umAfWN&nMJ(m(9@=G*r${GK;&B(LAU;y1tf9p8Tcd%pSb z8ehKoXTcjJN*bg9TS@v>@&8dOUw?FDyMIo= zZ#K8Q(3;FdXnjkhEJW?IGc!ir8h7~>PP<`t^4R+!-McLl)`-zhsG1K59ik=*(M%vt zKE{)%OM%f2O;zz^74rVAO?2kd7@xj*z`Ho(wCQkVMqk;C&J;R)iYs>{PQ+tA=lqL3 z%?C|8JEv?V@*yMg49zq~6(@#^k8r9M^OzA`IIQn4a4(NkYe_s0+3pG^PQYhER3BEjoKOfLfuW_6AynVD;hAEx%FPJ88vE4EE8_CtPHR+$8aP{c}_t}#8ro?m$ zl(j`&-Qd2Sjql*snNkN35<79KVe))+^HOiuuKk?e{mt7q4(T z2XFp4`tAeLQ#3_{d!4aK9nPi>r*{RbX~V7#7#<7kuOq6zFDU$$W|vWC0xOwvrq}F> zzhhkeBi@S_JboDAR^Om*ZooD~%Y=)oGd}+xzohr(H02gG1XNi;K4`uxJ1*UC@n;i6 zaDkCCK7Cf=L>G*w6DDCtx|JLXBnt_{1Q}KYRzWEygr;L~6C#;W7A|4fptlm?8-$UF z>V%3U$9>F2c;dbbSQR=8^_`iGcChxDMwxoL7(R>s!H3N|{9J>ztvl$P+TO*ed`fY|C z#nknYb|~3qg5-4KbT4pc6+$*BGw1Qck&&u+v_@Fp-!lE_nBun?;S1QjP7w~cPDj6~ znOsSB-*qJ83cIuzpBs+%3D&r!X$I`Ei+IygjV3tVTSkk|C~kkiUL+KcJ)zoCXC2lu z!EU!S2Z?wwX3}Nsik6_TsMi8(C5W1ggSw`@{}ZwD(er@pO~K+uvfoM~tU+Y?2M{rqf56ufhd3rV zI}pf#x&ixWj9C}x)Wvh}_<+yNw;7K|ciiufm`_)zeaN=*@WK{PHkiG`Ch$p}io-B4 z_AFLbisMxb8y`KhX|t9ftjV>5{BX~@Q@FC=@~3mM@G19y-0}Ng-to_W|4Ux3f5%r> zZ&-F4el%Tk*D1c3lmvfv%%5LKzWDqF(UgO1R5D!3YAq++s5FiH0 zvJ#w4@30n+xp?HWsYdkI8^$w5IX=Qa?9pw&h6;|zNO0)Ih@PBhCS@sYrYDlJpHj3n zu{@CJGm^WvL?=@Q~R8p@8@}hjGxvEpVYLAql(#+A25G3VSY5nmS;pqBZ9!kvOHAl;d&CG9K6(_yD^y2J-vZqK6WEf$p;$qh}7OvcQeYV%edT7)-i+!hAzYy z2QRH)A0oPvO*`Q-zUAg^KS2)QjgE^o= z2gj}GK29(Rs9rF3a*E6)Bf{zq2zNqP?&BI2;e zE+hvF9D3?tj@ufH8{yGobpvG-V4F3=biq*Dj3#^fwT~V4lzB%IP4HEZZF2M&CZ$al z#fVms%y?+N2^D_#;9XOP92F+?c|{W?=uORSTVZe3Xal_!;&?0UxThYUf!fo{059li zbB*15;AgnKMANe!JWPM!`c+FD-_T__N$9b>OL0_@RJsn30W7= zJsqQ7-7+W(pN98Y#LWN56;C*m*L)04QL8Qb&4Kubim=zLHv!h&d*t*4sRnx4F_a^= zFRz&$wQS8XV}H$Zn}GEWw-|G44D%?b=tqR*694EDXT2ex&q?3CWi?Himo;5#(OlO| zM?Sj9QI8h{{gzFZ;vMf%J+$vMi&@FRol)62&L2Cn$8+3#g^JGML(X6t+*(5tA?IKn z4rJMgZ1bK)8gr$`%$+qH+cf`FP)8+YZ*%ly&vyTu_pe@(PHLu~ov{3n(bqk~G|a~e zTl0*mvjx#otxg#hTdJ+(czz%&FEFkld;5;j&mM92t37(6(5|NHN7Pqu8J~n)e=}hJ zU_@LOblnsyu1EvJ&CLjRdixMwC%|noT0f!hw|I7kdOjmMdx4+ir2d%k#N+t+Dc1ND zKL`nxLuD)?*TRw(2EpOm0q;nV_XCH0!#7_SgyM!xKF1Gx+E(H9F-6dG;u!8K58Kvs zp2DlQSb;%_fzCkC8FrRt><3tViu(`E2I{PzJyK?_%VeX2$ejjL!9o0E2+lrvP<5-cTVF-8PCRM(?YLthUJR>MrS zyna6rWJ~b$%L&2FEfd@0%NGJSea89cQ$9)0IJvxFdh`SpjySjHm{Y^JObH*u{tt7~ z&teYC>U$ra1|cPA@%;)8EJ>3R8c~ zzK)rA6`4s;9aQTzap03%3xdsim_8?p-!Mu}slo^^wYlCp%#Q8|vw(8jGdhC0b?JMJ zpGKHgP)I@P7&6&$kwZC~QN3vpet~oqI$BUKEku4pH+@7p-J`!Y#Lq7%rV-h9SJ-NV zqGEd5ksngVM~bps5=1>!?;wSR)!uU;BvJxb+BkEUa9y+RU`kFGp3sYkz}wO+1FWW{ zk0K_?j_o$2c3gsXhkFqaw2C@A5F86Wd^}=&aSOKt(PYF>X>8?j)9;A=0Hg28wh?Df z8#b@ToXU5soH2>BC({!qvkoC$>em~RXEqXMo>a(7R9J}_-P zp8dzqNG`s_OFf)miq(Vd+Nc49VkeE8!X~#$6C917;=3e>;oz#k-9{C5w@!l`;I0^nV6nZ zJ9rHA)&YZ$+jyWOOqyf85tOb)WDg8`i=CJ-vX->IKou3WYh(5{gJTiP14A$9k3TTH zA5)Ke=Ay*P1$)QBDhE^uMXnfv8rwHW)#4DqZck+kP8^4QpJGiaqE4}QTVy+;nmJ7B z3fi*~j*TkG>}|LJ03ZNKL_t(N4or!IjyQudRH*tuBWHwBMc4Ky*Tc#(I@iU?3OePG z?_AuuB9=Af4q9hlF>f=56(2@2vwS7Wp!2Sxc@IqITJ48}hdY#HoclYN%HO_SC~+ z#IUy!ZiU}Vgjk@96~q%nVAC8vaH!8P&6;e`oXebpdx^Jsk9#rZi)3JOJmuNt3qFgU zk^b~Ac=ppNlj;)d@(9Hkij-)6Ant0UeMEIKA$2{hal@m^bLw4xzA3MpP1 zRFdN;$c2NmU$bipnLgoo_ZxP@l-aamR~TfSpxq_i5TM!}o55w$3wAV^UBjZys6Sm` z{l1~_T)c^-A2Lj16Qz)?1}6PS%5F|x-c#-uOvYbRHYpAo;X;3Ppfn*va*xbn9QQ!q z{D6J`M;@KTyt`?bJnlIBVj%g+f%bkx)i$&i*jh4{EB1LxqYl_fPko=z963zQ9hrQ} z%-Q2N4j*5~^iFwU)|~$JU*V;5 zEF5~kNQoXa+s06pE!)+Wmmf<0_dX)}W3*>u{2hJc z(F%|KeMjQ>>`g%`ZYexLc0CXwX}g+Erfh=-yF1`D9$9Blv1GiKG-nEnz2=P-aV%SQ zfq}J4?6eTYXxpaCTU_795;h$@C6c(w+2i0;9j)&n9UIrFv5cgPeDt9ubRCbN*O!M1vOsVQh_?M^2hvbetsELPaH0w-?}YW6YfQdDshl5s1LC1rfh*<4Z#7Cs-T#>Wipp1KNg z>H%}p&^{XD^jl)(QuQI%%a%p3qucB6MGIpdw%P}s0;Iv{?`2v*2!XYPix(d2okNx# zh}N$-dpx1vC$#F0I~=;9$CZNIX#PqX2Kg8%9CXto5JaY8IC{+K?usFMggBit{_Z{2 zXV1`I?P=!`MX@7}Z7eAXFD|(G-8I3N3%pl*WFRJ(z@+E%Ql8-N$ zcCTn|=GaF$BW3eW95L;$aN;AH(*|ds(KU|=pLR4KEJmSCIXDDIlEbPac+_EUJq}UK zS)8%H_0Yagx7*{7G)u(6A4kzsR@Xlqr(3GLeuv)V?)7*TQ za_nAH9{&($^@{uEgsHXV?ZM`9d_y_?l>Pg+2-l^Z3T*H0c@cQ*)-d^xUlJs9dJ5}& z;KLtZ^V^sA{OP~_d#>LXe0%esuzvX!CVR^Q!{)Z*SGOx(zWWnDeO$AOKSO=I$4O%% z*Qa(ZmUk{k9vozVGzMEW3_kdI#n5{cjv&w(`CULTkrW>XgpLrkg&aEs)}Gu9M9zS$ zVQ3pPa9H`+F_cY(lUWe$(W)XU5-iuD+iO};6M8N~p=jJ1H->cWv6ULtNczZN+Z}#k zXyt^{bc+!Ig{|=V1G)+jLNk(r*G5r?8NseVmV$#6RHi0s3Ww#EJW9}A#^9uQMTW6Q zh+g6=g-uUa3G7ji;bFt7_AS2a5~!X^#e{Tpfq_QS8W_eAZEtX~5F)`^fV179g9)Li z$h`q`W7v8EKJ2);8_>=j>%!+W?a*>g5XE479L&II=*ZUzB61jp4lA>`mk#z`lG}pp zSko5+N!!vYjTSkjtq6L9^jgY7P~6-x4_6c`kKoiL8gd3~ax}&hlv|hZqD1dP{Ns%J zn;riA6w~%tz02TrXb~WS6q6tg^ip13_*=$rId^rxCMI(?Fcb!vF)BFwefZy zX8aTxAK1M&IHxQ2A7iZPzedXhQV2#G8u>8hKL9U_iSE$PA&d`FTlhB z)gfhPdIr5?hNeQ1iwBU7)<2|FzeE@Zt!*Ns$--mKvya%HeL?p13L}xT^(}_=mf05* z)E_hKA3x#dPfKL+4$d!dyDh<7a{Zmd^l3?Utq5EX|D`P)b&b|1m|%^Sud(tY_BObuKJ8cc3}2qp|HBo|r=QV&_#N)^Pq=-z zCWvx6D@E@L!Y45wUMr3+Gfd~u40Fcb6}zirF8^&qQO%h=i7_b5+C^T*1XfGFwTXY& z!tEJ@RTEw;XjV(kpQhZ~bLP&5;>yK5n_-=I^smP-$q8#iJw3xyJ8~J4WP;XGM2`er z?~sNG!&>28^knuKA=d<>OWMW|ueQ`rPq4BB)zOR(zg_ZAzdUeQ|1H@+yk)YxL(YBb zn+ip)`SA8VzxYkZ%~yZo*LOKr)$jP}I3xP6e?~-vGZa{9f)^oZRk1&s|p!Zj`TtXS>l8#vMwmX0Z$r~XCb6{V86}+qGm^)j0sp#u2aHO!O-@Y zNr>CkXcN$88Y{H%>w+p6VOaw*u5ed^Dv)%UCLJqu55lVnNyr9?c6vmuu%*Uz3PX_M zjRaIKqrgKSKuta3LZGW2--UZM&}#_0imdA~GRN28ty*@iji1(3Ymf=_`vIvsx&cPY zV%KO!BcDT`5wroF;}dm?!WD#_hwNIMMA8)+Atc?-p>iGiYKOS)xhgx_Ye_G2tWl3o zhI1S;R}Q_O&~6)CYs-)aSVxMXmiYY&xv{Y)Acvef>hK&3YbWq&X+n@)O53%BPLH&0 zx?RuJU?JXp1=3-j6x?p+BvXe?Z*w|3pre>hYfMyPA&HM2(pb=#nD?8Esrbl}XXO1$ zhP)#*5yz8))9`}e*%33R=dMbbi4QbOg=-IFO-a>Uz~)=BHy+7Fi$+t3o;3Q1a}yIk z9^=+I%C@bae=pF|s)xFFgy8|7ZXVnzLZCCr{6+we!Q4OO)rK?rZcpPKqxx%31>^>L z44-Mk_{9%sw=Gh;*v4V{>4KZ93}2L-J)R%~Md=?idel?snEZavqo)?@{gnA=%|;*d z*ks(ACx~~q%oi>zbBr_C1fv5(K4v@;6l+5hCP+_`^n0@TXVm!$=V8OQA5NK%iwDoq zBF5RjC$A^W}Slr`)6`_f_?J}F^w7Y8K!*AG`*lYI23-5U$->* zfv%bm6-)Gs#}vy0_A0|U4-s|6&K8_`HyplshJSWNRarQZf?`BaudtuQbRQ+|SxtAN zFr7tLEwSezJKee(@^Fe)ky-Y3Zsi7s(wXWY7WFg$hv@dE|A?d zRWyQCOA+|c!O#v2rbdeh9U02IoZ1*BwPGhLx~?OU7PYa+O^#n^_BfcXhbF{c*vO`1 z2t8s?pvDF9ZN%XDL{&}OD-x%rSmj(vg}!?OC zxx=nPwB_LJ2dcqB#EQCiVByd>1+lTQI)Usx{8>+R6;r1<;qE{^i*Q#8`y%9<-yJv` zf5*}!%pYxW^%;w2Q+PJLKW3J$~efS-UH zgjh|@`1u${Hdv3TTtk0Xv8N+zTM`Psy>obVeaG4E?~vgsOnlIaWMSPA}+RzsFYvUHBY%^9qYEPPu#K;zR|}*Y{LEd5V3#qV+81Clw!- zCtO_I(yTAY!-i?GqU{#QBg3d^sJ%JG_Li}+=+7OhU4-|$cMLDa90tYM{)p=zQ!WQ) z)r!N^WfZkE*MeYXQCBWb{+_x&BRaCEzqJUg4F4!)x9;$o_w?~&?Cp};onX6L>ZOO5 zbWjTTk4|{|^?M$jdVKfN@ad-+*ZmWYthbos&)EO{2ab*l*5;Bx-%?hZqt7SY-$5eo z>EmO}a*OfClsKg0Ers^66OHq#LOeO5u)wdji0O|AlO@C6B6pt9Ex$!Y3x>8}GzzKq zhUtqb*mXJ~ZT=A`A=KHlp=4o$PSMK!8Vn=on8OK33fWtSPHOXxw9sd(bo{ z#C2NwVT5b#klvWVEphh|YCgc>A#>|?167mYx&mQps%cEH(+|dYe}e1o7&`&2ZKGsQ z96NLzP+o*7=GJ8X5lJjCRZ8Gn)H=fpa~dsBt;M$KDVh*zHFUM65g7~?Rd$bE z3hb8|cmeD69l{fI%Nx2PC39Mm_L{2d3EGe{vhkFr?NcHt82ckk=y5!D5m@xCz(=AF z0YU|6ZRq0+A+}^mLbNR)age2?^97-7aWaQI0&5E&8i{%H4$CvFx(2ZqTwU*3-@M^` z;-bzcObR5^lyq^X#V*WMKO4+q= z^Y#koR>9(vGvs7}(<`VqWK}{c?r7=>&Hk1`$NVq<-5+_g{1wS`$>+~Kl23ks{_q6# z=p%Xcg6QHF`5;yN%O3mClrjKD3-n+R#$X;E^tdwy+s#?Zl5bzV!Zl0Q;u$yk_tfGc zsj)GVTLgiTXi;%w5}cEmTsPR+fy>0>tIY{#afiNtgcJq!!G=+RcjD6)Uw6Xjmvg2Bkx!EUzdn<#*y`k<<}wpr6IW85u7CqmY{1}wy$a~ek!^DwnP;< zw{IP^_>RztP+ds#@|HL6b8fd+^xZd{oKHD_5%B!W880RwKm6G-FTVUCpPr5AFaMg! z@d)>cB+j>dEFN3Zj`K0YY?WKlG{k5sVbU&d>@TJ|iRp z^~%DsG_6szMMb}@c-;=vO-WQ3b~va_4*n9ytMH=?CAQdEhR#MXT(LXEz=1xDDY6`I zkWd+h;Dpd07~$jFXBw$+q}AZ!`jmvnfJtXg!EH3 z!7=G%ixQf-Q<5|a`I9fOygfojs3c|WyOdGL&GrV-&C%=;Lx;2khr0uTqp{}^$`Ulv zqTCm3S3OgwLj=zmdo?fH3;z56>F>z*zhD=-{9nJl;imdMp2?W~J4N45I0+iM>=I>L z*3Tc53V}gCsI}t3DPT|t9&9Q~K!N1a+K?A1rO0?JS|-oW*luhL87_vU1dZS?wPtT7 zSn4B*Ga}C=rts*x1KPMaIwSorAF=!W7W>N>bG^a}<`}s_XW%-}W*LppZ0id3Do3Rq zZXeLS-D4eh@J)+6aoF6J_@ZZ!66bA6CJL@P&|ByDx7WyH7kA$i_#ykoA|a=mo-@4u zfWL4ku3KW!Qc8``HL4m2X0ZL*L-`qDG)I5T(IX#LSIDCPuQF7fi>h~oCqBj7meHc6 zT?>X$OMa6PiH>#{!*IZvB(yIx^rsGf*;9E_Tz!l2WBMV)_AEx#J>m2MS=4mWr&?|a zWyxkVW^M{}xS(8@j1!G8 ztERgWY>yqr_e-y0TUht-Ubu9i=#>Mf1p^ zzpl`?2KBVVy6b7u4spL?*PmeDZLq8u|JY-_>+qF@Xaw6KN4h*>)1&NQAG6E6oN$Tq~Mc zz(~>AEpGuF> zC7-H0hxRQ^ncxO{QZ=VKQT*cn*s!_!H79nCF7!ijfc%&JRe{kD zD=tQSfAf3zJ}L@(dBQ|&XfM7bEDCjgU@t1(2+inwPv2+85Qz&8!l9@NN`#C>Ph&c! zBBAqRtZ(;h&K6vDTk3j5GwcxFBW(LXf87zEdz8)*L){b2Y(~=NJ9mz2y<-SZFgF#m zPeQt#hhuu|nT@3j#*RnRC!~*Rw$+>#he$Mt?TXS{Ai6D6W1~HrpmG@k7oifA5wv#5 z)U8?BXSmxMaWcVO-*8j5Or|kxa=IYErDrWYhHS(9Btm?QY3-J79x=<;4C;iTpCXs< z=srEdwl=tfWLS@hosVqmOSo^OA3$tN#%Sf>G38<*pF z!~69)NAVlV{xMGR8r$*My%spn6U1-Va4gZrP}X$dvEA29fnso1V=|S+a z9#z!{vxC;a&Y_u=j7Ew!H+VsOpvWb@72-IGWp3kJJFMEn@)dd3;W`$%udzQ? zG@}$Lp|8OiY1F=_+&d7JV+FkrEN^uqs<<-aj7Dkcv)Zt zN7UtjmzJzI9=`WLBdZ62>npmwhZ~fdL#H#1^T}hL`DAn9wOU9q|MDJ@>{u9b|#>_G_I^geKg~&hrzxXFUrFcxl zhRS;QckA?wU;fQUV(~lV=^1LSIN9!5{JWoVmQ4Bj)~C-WJ?0m;X`^CBBbZ=!XOGeca+f%rF=U=!dSnsWhA%^#u8p zyTx;M?|#9#C^<-%neHi-Ak#3{hUaq1oz#4(4{Xe5obrx_M|c-L{q2hJP$7;#Wn#YK z_WBuda)mQLVe?gi`ZT9sC%8h8BrV0uBh2g`_B))%Q`EbXFj9DnDW=~cE5WV`2uEv* ze1Sf-*{v*)1y6&5tNS_O3mfP9J?-Krbmkk3drI~43UBVwoVwVD3dZ-T4;!T4lA>v{ z5lxvf3IpC(ijlad77=z^a5NpUWro|`(j3mFJAKPf(#YVGS zO?dkGN49UqnDho~pO7CiX7P;m)FSEjxam1wyQQ>4M%~v0pFbzx`!sK_2!+S03b2!F zEccB5s%G@p$1HzaF&Qt(%PhQw=B|EVRXC!io{aH_ zo_uX#d<#q8;uc4=ZiCZ>sMJvP0sbHfM5KVx>++B3M_8|j9uaQ5w@+d>WWTU2tBY} z)$Hq>>gJkvxy7`+WfR0C&5oc_C@a978#>P?nALQC^Z@i$5@RfUOQ6Rwvvi;eY(m#y z`va-vAfgUm*mQ#=9Sp_{XsgCGioTSrOHJfKCo=lgnAmn6SRW}IOoin;1X5rIO|KnD z8(3+KfujFNtqk>t1D$JOj3jbx2nL3{r1cbTQZO{o_aUv_BV32ZQWV=Ii{l;Z@`8Gq zadzR7BCx`Q>|k;9yr=qhLbDe{$1XBy$p^)_eM@`i;>H#)?>0=1cVs-nuCDp#zkNfX zUa|5Qr1@*^wl+V0(y|$y5>^Gjee3h>|NZ|Fhdo~3adhnQ?|=Lw`0_KH`;xzUGRFI4 z!SzSQMf(bA^q6Su;WnUbOa1(NUfI8lJeVUYaElZkONwr(&!R7IK-zR`Nu7nrw&arrg`5J#sRBcj_3CDuQl!Y zf=jh!U(VS$15x${*FL871;^Al+YWtnLH@3!|H7vKQ-k-Jk0=ME?{dHM@#BV|x<|z4 z?DCxc=71Nq7{lD}=(_{KDI-(>85opSlvJ@41g7*?;a&0~VI9p$ye6fNqL3EusNr5mwmSL_R)lVDA` zIwrhm*%vOO;REGx#>vqEV=q|NTh8JJ`RR{nYeVA+66YKz`x8|#M{OF6XR~upiM$G3 zlTrp1apiMYXy%Da*(5kt1JY+}YkMgKk{QXcv+(zO{_~(%lv{4JL*`~I>^+sA zcYBv1001BWNkl3ynd`{L$%?2(z3m04BYRgLb!LW&G95aA{i z@`87K9y|fxf-)k!ql|FK0f?C)K&;aWHX2=fR%S+KEFR&zncHrr%8STuj9=LUs2u;# zIsgA1?Rgjm`141vpOrZDwMN=LUE85_fb=xoz+xgBbTmOV20RZtm=bn9r9VU&ptWiI z2D9sN!U^l*hCvX3$S^v@vMmaFf@#a4H3SI!IH0We*o{L~*a&CALl%>nH^f;@9w#(K zjuQ$nZhj}L_663yg0mTew=Jii zpE7hKen>rN8oVa~vfVNsA2XT-wD~2;7bPQeidQ{g2XofjitqmI3aR{oWm|HYrM$DB zGQR%-|Kd~ppkY&;@sEG@SNy^6rif2|%xSDR|MUxl88KU0{LcUM3G=g0IeGR8`a6yI zbi&YYNoL81q=gn3DG=yKp@;Y_>s?v;@nJ~`S^}Vq#u6<-k&$VE5r&b_yb_9MXq1*5 zp(#YdrgjWs`I z(m#*}pOU}%j_Bot#V%(!Z^&*Vs_hTVem3Urz2L}Nvgtoz7JS2f4xxnh+XC;u45;!7 z;U8gfP1ksco=|4({l9v1%m(jlpS@k`3w;@~@ zis6urHVo8~y6|u&1BTC9t~q6XTG1^V8huWagEg%fjy(p!J^AfZqKlg1uEm+VH1U|A z*`cQqve(qT!U}tw%0eF$qH!?s9_hr4ogUwnbe4tEW7_r>cP+S$P8jMPbRoIp;TC(0 zr-|)?F0(0dkT#f!1y?P0@7O;{pAC#Z?(DZ&7>6O5x&@Fdk8u5b24p+U+1{bT~>LA6C1p~ zz+sH-flLDGuNureAo5f4%4ZN5>aP^xX9iOQM0!otPw>Nn)whb|#}0>VOxi7pRRxVp z-CD$b!A72u%sc9(zg=5C&4S>lLfI1zxh64dQZDJ!EwiX(D`LiG zhtwyO_Z!5s0JS}!teBwhA!%8>Y8b=|a-EQ5_oUkw9G~2fM~Yc&7(APz zMo-!7G9o3BsUV07jcxG!nEhfv@XSD!V-_cbjf>M-~sMw>|z$pyUpJ zZ&Bv~lQ^aBB~2ZpLQSJeynT)E9LmZNwH{579#5L$7S=-b2a^yaD-A!$e>&8$=R;RUIorSDlmG5x7Ozucr|0*+aG0Du<>dS+pM2_Y{`nX9$4~g|*%8Ahmo!Fl z^I!-LulU2?6=cyLa`pXt#?>oaZ_M#$FKCR5QcC@ag2%ZXk5x^}-{4dDfPMc>$m};< zP{BYLG#-gK!qORg3?~8>$AVc3Gx3zGe#2PoG1ZLN`1GbhxdSdI6}QV%9C3|$@gt(| zugGUJrp}7edx?DgJ>lFZ^hVsZ8Ixeba;=y>JK$C`s&PPjEl8I+!I8m^j?h(3^2{N9 zZQ)Q;nhrauiK6FR-C3L@x9lf#L|zbg3WtxMGrRkSCYxjb3yoRzY~_e2(UP(XD2f5e z$7^=qO-aVDQM|;d-_x&M=#q53V;mbchX_wp=p;a7CGls9o%X;w z!9CvKzVc~jG0h?8=t6O@Bs3ONbI<$yB`0SO)VnctlM;j$?tDmQ71XN<>R4bNQv69q zx%!N(e!%K$Vtb5sYHAr^)fL-;k7H*HKbf$3tx>9A`q_wOp{UB7KsD%5z+_=q`6CkN z9jlv!s9SM(a)J8pYvTXnGamkSM>5aR!*d4bYvhB^e*T=GyrE0Z3C}!?ZBVsObm2hL z;l4N_9PUxWDY0j`PiMG6NDk4I%iEO1c{2#MTSlk zWziCh6iz1aBOm9+Bm8WHzs+e{AJuMguN!is(E|(BS=_(t>C22xDvT0z!bX-79khs@ zpbB&R&fr=a9V%oUO zx+L)|Ow%#51hv%AN&*WurDoXo8g%EXq=IS*$N4xhC}8OSSz&W5gyt{)K&y?-BQ|;Ifh**P-Tsi_bh`J znWoI<1@&u};Cw>tFIax-@$T2(QY~)LCl|c=t6$TU9n$X6x}erI-yCf6zyB5Ae3LWZ z{T)|o#M%9?(SP(aZvL)9tPcFEAA5ZA-~S=cfBL&P)>E9p8O=80+4BZ(_JYWr@zOVZ z{o0MhUlOVVwKZmTxaGDT65L*6#Z#>E zo-TTVTda`boMw^3^8@m|g7q4P$CMA(jEAsGr#OQW^Zkaw(_`{dBhq`y%NgE&Pt(V^ zF*Hj-p$>R?OXVcU{XOD1M&}jLZcEoC$hx8H3f$8%#j>Q?wD`Jar-sPu(Cv z%LRV?oL8@I8LFD17c}OK^W+M<`eTAO?{JT2JYbP6?(mgnDm%JjOkMA|eClw$8(@ih zO674rlDus^23HyW3y=Q$5&H0+;CzU;%J4rMaraG)@LPs`g_sVgHb?Yl5A^#3&QFd= zzdi8mLbH2q@$vDN*ZL*V!$0B*f675htedyU@pHEIit&pA=je!h_>{BhHMKYA_$We# znqg2<*iV=`6;*q|_I-*cJNi{ZHkmRR)NE>tN$68ID=2-O5c2me(bUJ1KBXwA+W<5^vv=toum&B)O+cr5 z_O&3@7U%`~jl+Y=pXOdF7hp0)7_l7hGjS!;(_Dx9__4_vHtjT4{X znSi`kv_T9ar>i`A*+K4N%bKEg3D13eT%?L=%9;?LLOS@Sr710>w2;k!+|L^tWXx2T#>sVwt5N`lgieQ6lGfPtcEdyX_$O#R?eMme!mY8J zDWzy}TNm5X^nr!3Thy*$aNM!IQ_OrrR!4Zf#56s<o^0ze9HrQH#4d$=e@iVKUcX(kTE3!OY`A%Khkx^))EMe|O}$uh z{L_G+{~Ye_zvt-%>~15}V24bOsCGHVJ)sdTfBMS@g4@4fQ`nfc<9zr7!{7U3ipJsS zs3%Dx#xE15$$;_61S=RLwJ^ZrJz8nN=zj(Vzz3*+79ae1;PkMnLQ^?Iu`vA0QLBo@nTOC53v?^*kQ;buNaIIOf0d4%ewS9 z&X#QU7Tr+cm>OmgMPuOb2H9K0rxB~pAv)gRnkQ_!ki=QR@R*yMmRZ=)Mge0vVf4ge zsci@h?}VnkdcaQ%#~&ZDUqgQsklro{rQ-YB0Z#aqz#hVF$WCl=tSP}o!|JWVH!DVy zBObPzck7(0+2dsg{1@jmMa%u+7<>5(Eb%EyY4(3r@Z|F?UsgZm$)^iei&GNsK$uwE z59ZkKeu;2@%(BU_`<#b=QanjwE@u;x$&Waj+gOf5^)KV42;jvX^EVaD3qMc3+98KL3|ER3|`-2>A*IDgb#%F=EJD1bCz1;B!6L31ZK@a4sq9eqVr3JQGj=HLhSj3?>kO@^ zvezXa{Wo*$lM{rFX{{kbXLw$Mk{*uJ;*WjquTD5@ugG;yH;M301buGf#RcWwCvYqF zmZ96VxK2fsH?+Q{%wu$r;}ku$qkx{Qv4~{Naw|K6dsxiy`6w7uscmBYeQ#&-_h*~LTlE_&{qQCOA=d?iiF{1#Jw7q%}a``B;V)sg+`?{$QYqDwQvZPA=zj$-$l|A0bOm=$2*dJ zgpMtmVubA-xP6lnPeusUqJo%yr|~Btb?YDs9JEKIN(x_Kjt@A6#@HISl^jwBNrdb( z%E>XRy+_KPKuPlUh#=Te^*POr#rB6=j?XmpR$_M^)iB1(7Hq^BW}b6euE_fcYdS>~ z9j+1tPXn4xlKl81oMlZD%sIUf>=!;SzVNxdmV9xx=V$-p?-PIYd)Q|kLFqD$e1>Nu z1}{%Ib|<(O9}!zqMkg1S*# z)OzN(Nem-ki(sNAED>~~W~~KB=AN<8tdShdJ^R#VAbL_WVJK2gJ`$WvB8-?(KEw>F zEd?<~M); zN->!+mjzZb0Xlp$#yp+#^d~miCP6tpwJjKbc7}7`aFT9O@iEEK1SxA~j>h}(k7$<# z;^Q9Cd#G%MI*v)sT=sV*@e3Ezx{SsH`mjeF4;cA^cd3n+mspPA-GgDaykS1D(dLxa zHjIOm{`nDk5@H@S_P`?YJGx7S)E0*}!uLFkK2T_zYOus#EBx~WC%0&gL+>i~bQ~&! zbAE@|NV?}|^tTUaF@eP$;>cq3G{fCE)Xs$3fLyIk$?a^QRWY-eEmDLf1CKsX&$v{zzif>cblLEhW6RZHu|h-8Zw-Q(IP)TxKC&qgq*=5J9*8z*?aGBrJ zwKmSILmqO%siZ5XFz|5On!J>3T93ecM=*$Jx`=cEYIESQt%&WEdQ(wfEzrHssJ%gr zPIwYm44)ixG`irk)6Y5j*;Ab3BgPj~#@+?tA%C_3MHkzW$EafB79Z zfBs8$ch@BP`jG;Kc_bX8AJv_bV2~eB?;qB)2oU0*TU{gg6%sFbONzw`Z}~w$CVOT^ zGBrbPj9@OlBEC2x>31mkl((-8)hc68gE-3RjG{@7sdu+bUO3$S`W|nhu*(2;1&3-& zeCc9I8?V;*!+;~Hkrk(+sHb!8dJC?v5UZBLw$Zx-#%|H7!oA+&M2aGBc<5ZJ`ifdf*1y_e&3uw^ zMfPoj+i04XKFfQFZIx_G3;q5Y_spaIrsFQJaN7!&Z?ikN*kZ%CJR#k`C7QTwe>J4P zyuob-6klFrLPMO6Xm(46^8n9ws0&59wwVS{TnnPlLyA{BM*BU%(Q}%+TT(SdTvZ%j z97s!--1PKcFNwx8p2UWAHbk2(Rh4lueqg;8jLu{1;FO#lLb`Mt7d9)zk;g`F@a8$q z&lP##Vj;tnb+f^u^SJ+t{6KGzA7<&{}?L^9n$829oVRw3U6Nv@Js5~g0?St z+xFP0#!D+&=@Awnrvt*oX7Bh6Fu3N3r8A|+q8h|ZT8p|mpp-&&d*X?vY+Xi9L~9#- zT->yzTXpQsmh^r@y{_2xC5{l-UWIKE@?N36o`GNBbpbdI)u=?999b$HT_eUZyF!sC zK9RY{_I(Z}!HENkb%Plm69tB;=Ydm`b_Q#!F_A^zONa`Vonf@b@(iUI5Yz(8k~G@F z3PJ4@ZaBrri2kaf9ZwNXPoNt5)X?b)s5xD{B^``tml@u&W*;Bp{;(j8K#Q7gyC)l4 zB;1nT8Rpp)j{OPYp=2ups@Jb59FOh(fz7uE+QSOwZ4R>n)!BH-jL8I|lV_Ywj+s1v z#?&1W#1Y0gWCvK>Y`OXQD}MQJf6n6TUz6Sbf_B@H3LPrv*L-)IBheouoaCQTP(~n( zek^kGgZWqjQeb}LQ2x;R&XNP2yg&&Ejo=1B2Q0-7WAzvTcSS*Cu5cZRD>PdX5ty9& zdyCVT2M+s|^6ouG#l%S3(&zR1f#}%?H}|N2s1Zi8e-=^i*1Z4zJ>p!_ZaSjTJN!U52)wj7l?-N<6)hqTL#>2ntm zO>ojBxCv&H6VDRNdr5NYp_eJa|9r{rO5+HJVOpV!o?_QvnHE=R9M7YBKET{c`ra^` z`4l21TbGQVKwJBGeTL|3OqK9pZ^*vMQKOd5SPX<_ZPiG2)KP%9E2v($SGg(qCJj@gkDe&*6_9w7V9-#SySpe8hM~vv=G!R?Eoj=Ltrt? z3f7^f9D%J{GAG16GU(bR+ZmS29f#$ftNV&qmIc-Km|RhN6~2?>$q>ix*h>%B*9<9e zDhH?c$PX5Y1wm0_`Z--FuuPBZfoT+~)o3e3IVEbG(>=79ASSLeTGP|VbJ!M$K6osc zLg0uF;{=FF`nD3>vL4+FgrVDI6bDfkExrE?IGjp|GVKAf3e`|AODW)uf9dU|66b+awpjx zPFa1o;m`lKzvo~7FMq|q|KI=hW0sZ=5i*Iym=Ard5x+gv_}ht|`Ebn)iTLpSDX=I` zIbubEpcXJOnsei0=?hNOj_BwMR@;oz6QA9_VfIN$v3^0!_w>h4DIV?^4@caMKVo(J zCBcb{zTXp^3_08sh>w6>1S_7+3E!A*~_#|O5{IY0fQn(ux!s-TP(e2_St~d zYmdohjXgZYbyuXhWVBpU|Kw+w@4jbvHb;#ek}9J7!p9O4RmNmN%d>Nj!Wr`PxT4$} zOdnF+uJLV)HVV0+dB~y$wK;~OKKg9NyELRbcFK|2yWjW9qGRsEV8hfW` z0mll+LdB%rQwKJx>FBx$?QgL|o36;PgM=upNfQTY3)+2&_UA;-lKTCCZdTEY9@}cL zx(?||n*JEqOYw6-=|t$hL+Tzg=s?G`g(hw#y|HL!6+yOTs}l6VLK_!7)+Ds_x?{K6 zv01(0$Vth*%MmYzw0VW+RZOJMclSeLdk0t`=)f2a>`Wpx)b*kxvx4G-i!H*!0_+`g}s48@ffuX9hhg;^)hAh7d=`VA<*Ey@m@S`J}>-`1R z?LW|vFqjMS@;UkT9WUaJ*Y*X2;uTGK^w^Tvm&Dx_sXHfoyW!+t`b@ug#?+tDTF@Nk zX!i=!QOEe~gkpHf)ju7G<~6=kl7|VVa&cUNKeRDziL^=%swb9`qUjk~JzX-ODHY)u z>a9X5fw3x-wrwV&4sl6JnEisKt zqbzj0qAx=Zjls(U?)N{+4zu;C+l29`MXMgu^fgJH`p*luxKNWyL)z?Mblc?LLmJu_iONuY?^h4)>FJFBNRDZ=doEU z2rRB2GP)nWMn1WqZ3=y2bKL?L>=|8ydzXL>u^HQ+)^FR2&xMH=QG-^q1@NR zo`vPQL{>)>TeO1{j=Y|+dyFqjZrhmr-G)%^sPY{aF-_C*?R~}eS6}n*|I-`(@Bix; z{KL)vgI!$n?DD{mK6d%yfB1-xo?en9A3p*>h56tx{vhn65Fh4u;}!R1 zWaio000~;|5Wot-6AGa)14+)~UW&YVEZ`T>8_KsEbJJib`n7@F-w+dRG z@GRc28NJ|ibxS(>4Bmf*mALc|3LGnZ1e>=d7avzt--Y;3H0|{YC$+GT3%0ibR~Y{Vt!<69nXVxIiO;o)J&p$@UU9cBy8 zPo~IifqC(q-OpcPJ)bhjmu%b@i0VBekl4y_;0))9p}pSWM?Kn{W6fK(iYyO7=-D8F0d_7Up~gIij(O5oQCjn~ts0V-}V!egHctXvQu3z~fc zR>QPZWUj)AeVT2JW&1QCSY}UC*tDjm@k}t&Orh@{K~f33iy#3kz=r z{j9+&G-*7<)f?(2#vk@Leh15ld&lCLwdHzmp@fa?+Ei6fU`4c6j&CbE&%p{(s&+3ZsBzE9%+APS1pD^28bL$=9$p`Xsf^XL79rTkHleX0NE8L4y+RZ(kJLcrH zVznQT9k%p4gY%@L-aAa*(ZGZ`yofu&lv|Zn)x|X={(-F5Ga)VKme8Iv6^Y|!Cw5K7z&W$ zk(gpI{ASsa8o|$!DTiv05SoF63j@A5<6t~mYsItE6Y9+q1}3FVE-<@0{LvZbBUq~# zynvC}5uQB9>KmUw$yCuAs zQGX?gJ`b_J+h9NG=;mJ#ynV}?7k|KL^$YgTe?)Yy-IPOTBY(Pi@lm0iAV>$}RQqCC++D)jCW*()9n(<4nh7%UfQKJMu7KcRj^TUr~gY z1l*y|B;(SXGUJ}}CDtnB|7RXbVJnu;K zfW1udvj&Ck4{Qf+Td9V?sITknPrG5@>drrgwatvO~EpO;cfZG0xZ!WC4UWUYXPD z80D8(K|zoQRBb~mD|BTsutM6tAczD~^vJv;HG;9M=~|yU5QKhDp9^Z=!tOLA1`3Zj zuHd~z^So>^V|3>-d~$b=E33_a!H1Hyi+Cb$E1?$7j6${(G$D zf$IB|N=aI!xUUur{(q|8tjCrnz0P|gBIjw(yM|MB#&7<*o6ROE!lXc3f@}l6l5Xrj z;Xfw8fG=dg7GN1P1i>QZR-5eM8_!sC)gE)_oEZ_msMFo{eO@L4@4Mc$o;BP)ik#QK zg{C939hEaC`lO>f+%i5Jaq}N`OrKkrol);D@$U-UUE^jh?OjWfRrJnJ2)zo@P6_Oq zB6Q(;hfZ7Uu44$tBvHW*MH?^Zx(l|qTV7-}{VqWk-w{?mx({g9Ylgl>tQu+>WbB&$_W@si#?7}q=UL89#GHzEe7BhsT)(A1K4Es6u`(eO zKCl~JLR&B%26Q^&?%Lyj`rH4&&9DDg8e5XjcPM`f&5W;>g68DEz+HDV*CC-lW!vRw zXF~6->79sb9pQRCL%$)8V*1!8pLE!uC2tBAg;ENcDyTa}I20slh{!c=mLvR(PPn*1 zM(kB=Wk(}xRCu5dQ%pFJw;kDBqhvu6^$fNn(;b~B77`Uw(04JNF9~~xO7*xwOE~moeS~lw z#(qcRx};8n30wB9rClmi5R=LQl~@M9BNsl-q(JT06j?-cQ?vIxTqLD-$$X%ziEK^b zjtPUBZXXcN3{h~vb80&0fM50K-XOe&LHW2(6me|OR?*>7-(=W@$JB4xya{N+gmE@d z*D3Rh74GSCT+<M~fZd*y`#BAG^@cK2|r>~fNxJINIW+>6~3D)#9VZr9IWvSPc4!B*7 zY$6IL;pl0_VS7S<^MLo&6ZZNDH!}E3hi#tlU}Mh34x>&PIuC!OXm=eG(J?rmJZg&K z27fxEQv<>1occns6)@mzICM-u`<%^d#q{}rc{QRHhPhZ%${EY2 zn!7gT=;u3(PH5aQa$8fCcQ`ZzKhJPh_pG%hkP4|3?3XTy%sE6On%irZ@&V6$&AQjm_8r#=}$&1PLANLvmBO^xj% zdSOZ208u2!(gRl_iv|%*SRlzOMVM`16%x-&WT_$RnD;k~wMQ6v*jy0_L0t;ssU^B= zNu7XxXy}Z<4|<$>%-jrw`#n_~;n+R84A|w0v2A$2mw5J;!QU}jR1Di28Z{*;G~GI7 z*E<9ls&zv@P6_m$q3v;8Nw`-8euG0yXDzjy;;RC0P~7)|I4N;kMMlr2atK9_78#;b zsJcb>1IpBRUWn*!ajt!8eIULAJr^YH3PYi(+lFDcr5{Vun*%|v7{&ueK~g`^-D_+m z=?g<;Bz?Q(;f=u;S9pP>uOONzinp40aUiTy5Nn(`B^YwVFk*h@;C%K9WhL%WgcEo; zi-z6CGCS66uPik#vg#OrcE-I9cro1a$@wq%%U7rTNc$Z(US&U;jRpL1 zva=SH0V7GRrKdv(*h-iR@CE!@T57)GGb|JPl+I3()}wh?(F#p@ch7=>u0Lf{Z}CQk zx%QY?gC8%5o{Z`Gp8aaWQ4(`sj2WVy)@tbYjOghf0`&J+P`9*w%|sORkw^AF5pFWDx^Ge2d*qXIHnu{1xFoK& zG;xajj}JsoKPCL`TN)Iy-qH#!j^8sZj?o{!M;!JHQlWo0uwSGBkvCk%Ro=Z~mlN0M!jThMKU#7B%NHwOKm`7-2=Ha$3p}VBA8kI;26@ng-I32Z@;#!Gt3X$hw z1lUC4nSx$hs(#DZ2~h4Sj#$7>;W<;fqZZk?6rNA2AlPY)N*QebguweS>J0ZS~g`Gg0#WvvG$j^)WHCBGOk znfj#1ihdWO(u75Jpt&32%mmd|pq?e%t}R)+M`k{bP}r&_ou$;;VLILu0Yqe9TQFONK?yd^97-P!#sViaIA5S1O3Wffe7{5fiA#(k9eG^7 zm5lyL&-RxZl^N1uAWuHQ{N@V0^qI+l^{vC~@PYa9GwxouxTg|~;yZ87ukU}uL~Qxy z=u^J?KYqo39p57V{J$cQ39Ex)^W7WTD5T9&PHfLzm@-yS>4s>UQQiqO4n{_(zND2N zopV5k14-r6IysSyN#cslP7%HEajzSy*e5UnH3O-zC@X1=1LeTbXw)R4%@fjPg*`af zK+uF1pAOr1L|H<)E(pgOd!sNX8FBT2x;+6~BE1;p)D&fka0Y^|q>}+*y28m7rI?Tg zd*a@u6g`TX#_gUPhFKB}@eQ*5K4Gfp!??E#s!6@x({s z@|wmAiHDw{9MOy$LSNEt2Vx;m+YsgX9HeXzMgyCV0O{N^zE2K`)ZU_qO?TAr& z%jIo~DDF9#`;^M1>(+cV5%`Oz%!7_i`wVZk<+usiA0{|aN#|xbwr7?>ySkuSd=7O- zqPA2wGs0Ib)waN2X2?fB-AB8LwFvpKi`IVB@67KnvmYnB-{;CcZoUS|1gM2T2}>_5 z3(+BsVhJoQe7~P@Fuz7-hQqs#$$Vh*PV)9cgTpQAmB0ydWSZf&HM_}(&CNCQ@tQJy z%AspfV~u>b!@fM{MRm*7cFy^eklnT=`zmAoZs6qW37Z?uY*|r$S1<}ahM=d2mYDUx zI}@{7J+M0%Mp=VD476FuwrB{1;Ni84n)_6FO}x|G=yQCTV@5vJudW!l#kW1WP{?4$ zKEGs{W^DHrxpT_&%{RFA6*Tu)-%>vqmdTn;8#7$B9NulHPsfN&&dp89I9(yUW7IMD zV}-f1B+p^9g@wtngxIj*coy>R((vkura6o-O~Ijs^jS;srXiR*G``PdX4&oocCUAo z(NoTjI;w5U&8;OJ-lCVU7~O4oKmP=-U!%TwM)^8NhBc}-+}}#l-Mh!M#`o{&D<3N& zwxYm&Skuze)`t7s;}_?bd~W^%hhrYzY;e+^|M|Vg;q?y`O-0#Mq&8=NP{g5P3XJQL z?KZ(_E&0ACnnVPp#QGl6b1_;FA7WfNqwxmDL4?y=+9D*yCtphj9S|8qH*HCE$3~@e zoli5>^sdIAdN`XMP9o^`AzkPrf&eR9TwH}L5*59>>0*s?Va_>h{Ou zEc36&WRnV2;E;v`jr8ybgLOQtPVwt|wD$3Wfw)%;8%;bNqoqNol6L6HB7xQlol3EO zgVCC12p9^taKW{7ZOB;N;@g&)HF&X@!7vFDH=<4(43nC`{oty^Lr*<%N(D+bPBg>T zLtFvVB`e`jnU{q29(SYA+Y_8GQsnv)clLs)ul`6p7SdwvV|wCo*prX+l#lP75&~f* z67vWb5THJuZcnY@8!0J)z``*(%FZydV=OhtPk)Ns7R(EmYdgl_j?r{M8@lv$!RL#X zmHmoobW3w(N#_D%r%1J@I81pS+%t$XR@W;;Qqd|OT^aoHK>F07-@)wpl-q|Ev97U+ zCdf4Hg`lOR(}J7Dgda9H$m58v^XQe!A~@hoUvb!N@#Ts{C-kRN;%bNO4C5eRe;E*s zZt0^DLMlwv62t>y<6(~uG|d<}bYvy0B}|TUF7qkj`kvsqq~7+plN2{KY_9|-PYX89 zn90&oZED2GhldKie@^x05< zNyk^LZzC2#!9F@?nrd#o-I4sfC;F{M{g-D%SNG`ig!NsG3M{_evX?GnmD9DBXf2R` zF~h#w5d0!!`@ZM2TeI(8k=YB{)6W^UD@^23rXeAk@2@&G=L(h9%tj0T^WRoD-~4-i zc>|N*{wMPBb7r3?bbUkUhaAe3!FSMpz_KjaCL=uOlD#{^-FFm@i?+AOCPq#`Z7d(M z6hFVmKlT`M2>lY#IIN0@!Ns&Ke&C{Pg|rUUMlsAFyr?jV zN3RDa&WyZosOpF(QA;UWq)JH+B~`DHSw&}E+^EIf3K${TZheksCEbmWNeaSrOs6fz zgor}Z2tlAqY~W+A4k#Vazf4JPG{e-v?HtUsqj-=wS`!x~d1P7S4%faWF%_~Ja3&E} z_5?;V=mePZ0S2NOm9H5gD$pQHO?zfgLkO&K`eAaULv9DzSma%N_d7Tk2Jd|Jf0$ULn#M z%~&9Z9&Cf$^fZhpg+t5vjRnC?@!SCUDdMoni@ zK2Qrqb7XOaAbYxG>RfQ{9N~%)*MrX!`G#+A7tCL@$U{l*b;Qag^<6I93G>~L1fTu_ zcb&6;uUWp>&^QzH;L%u1ySt(u#`w=$$_oXh!6Ys5{24bp%OM_k`ZPtIeMa=@=VX4s zVgDR^{X5hsBv1-Qps#PKm8A9*gR>``TO4mrC1M<1(F!fLkLmmt5x&Aae8+Zt%)VKX z-|n%_fovLKrZM|(4lE{;>-rhu@E-5eW14@w=fzmi-beV(fqq-F{}3VeuW7P#)}}#T z?a9xk%rebdk9jevS$=(tUM0BO_k_s;oo}diip9B)r^bwwMb8tG%>$fE~&pQ@s1?Qx@eu?zfovUvCS3X`8CBV#g!%fFDs5-jdAht6UD|l^gsSTsOKlB z%MUzrL$0%zJlG#-eFt%S;GZgudGQr@>ua31SE!?yNbafbU4(do|ObV(I=%8aH3pz(ptu-c&N#Y*0mdNP_ZMu)>%N?$} z#S8*783^@(y-ATBK zlzEJqDQiD=SqO}=SZyC4I{8OE?;r$)dP*w{74Tpktf}a&VUFbbtzjxPcXCX^2bfRz z?n>dG-qBe_*za-2F>2`Wr(;T~P;G;AJY(P8GxvJ(voq@Jw*-Ik1U+?WRSNrCdN;)6 zJMu|{n;5)@0{0~4=1$V~)P&Ar)Ny?Z2n#f1o>`5V0lbDxB$z%{zrJ zAvjr59y;tWW4-Fp)mx6wQ}%}ivrne%Z#tCS(d0hCk&nA?34XSCB;9U5!{vsS7d-hI zE)Gk6dV0sMO^G81;f>kgQth^QP6j%}edS|{J)>B&P!sa{z(QGiv0~c_2Ai|mgcSRl zFs|tOHM$y6970^K36gWV{ehuv=x%F2#EOkaic9~zAC(1)D7a_Gfth7KxICpE>+@-1{o{>b)Ju-94#x)qzAUBVZLM^U28oQL$W5ImaE1cFr zA9~WN;6Z~O?wQ(*C^*5{^!TNRbJ~(!7#KV3ojt>S&q_K(Y00J!QAvq|q>e`T^)(bB zN`>sVKHkD-87g{z$4EIeDxkdk#BA?S|}n2P;!ndqrV#w)Zm*(xr1ka7(sn zk1r}Vb%QS@t`k#U1$4fLTXjtR11ow`A*p;H->xVfMH2M%!;GNl>3ok=TOOK>rET%M z5Lx;(L5MTzsc$@t(5P*Q9Z9OZLzgK{#_4CySBoeN@_R3KJ-M-1A?|Bh(nySgyUx(O|anU`Hq37 z>^y;32>L32)bK3w4^fK8LC&J2K`O~VfBqRlJb%PP$w&IJ{TMT|AFat9mYJ=%77||> z95KQd7o=A5Mp)k3H{6;XI z!yVnjEmarclzT!nW>Zmh9w%RxtS(xnVS?Bu^!Fb?WYl)dX}V$Kyr6k~$?SZDZYy5S zF8J~PJh0@qc*&>8!)r>Z7+v?s92QGK>Gb%UI~KDE#Vlj`siw3uGh|>|y%a?Th zfs>^{MMr2^lPj0mUz~GyvBFtooV|#-*)15qc)&{n%p}0bXBncSL{k zC2l*gk;jzVYy3}tO1Hh{>7P!J`zakUQ1SFsaZ!0ppSqN{5mD5!^i%ri2%R+?A6%Y@ z8AI{{otL~i?^tj~VE^Bv8ljZboKnetQf;)8Vy9uYM z%j>O27YvMp9xY-nzggkg385cA6B3+ToZH8iI=i8lQL%?ewu~KtsReefaaGSq*6jNZab*as%S7#QoQ!;1 zGo&3(I6yFB+qsOAEer|0TQl@2iH1Yl;JT7J*H}+d8i&j%ssQ9shsTbFP^jM|QHf@@A^ zG2zpvxUVmXzIefpHyfslf}SG|wP3!gxE=Y-%pFN^iu-xO{@Vjy*rWP{(XoT91D?hj zy>|Jt>POCw&hh_KMS6Omc3z^Ro~vvE?UwQ9=UiVwbX?QC+u>9@ob)OC^_ooIQMn4a z^AN{1LIsS{IVuO`r8o;qxbw*p#ry9-7)AKB$2cCbno+kM?vEF68l#4Re1A`$OPpEF z!)?qcsOaA`xZ{q*`s{a~p&$MMclLAc-rrJ<3Q-P#*ReWl5(l2$)*fU+>tP9?!hxlUL{TiwTZXa{J&S6M;Y0m}Ey^ z?ih)He81&r>|qZTI@}P*n7pmAeoN>#)JcnfwPR!lwoZ#}1FToG3nUZmv2`5$sU+MP zxNDGI&U1Bk~>cHhg!^GKeNx*SeWBdt+YR}M*$VNNFP!a{OYYqfv z#D&(xrNipb5n7k38ZjGhXp)d!-r$cz!u*ChTM*q_hI2uqHTq^p5el4ldu*LB^9<{2 zi5eyJ9}1kQkJ%+`8y7pobejUomP6rFc>xP~U}^?#>XcFJ5PF(!3cfF}U61d9jSL1& zAY0rf;84u5^`605pd6px?QuLXeThzD`qDwA4m~Bd%t-doPi9b7sHUeXGVH8GIyJj^ z!ZLio);_kC%#+7PIqQy)-4@q6-2cad!Afwzu}3V&HHX(@+$3Ofvu9_HXlFTT)%+diO{9dX8>^qOX_aWu%qp4z)ZrXU~vb|1TFKQ6VWLh#Gq zJVV>xv7zVlvl_B5xiW%&^&4I+C9Mkit4}3o{0s#A+F14&J_yN{_XJk)dT6*5?{Ua5(R2Pu$?DCF(aSaK+X*k_4^;Lk>90TVYC6aFf5QD~ zj{XNjy9lXtf$RDV+lrv?NtLA{!P)N!&RhqL#)nWVRWcnYt-8^Uf^9Rab&k>7;MO&csoN8_Gw+FV*C$z?c{T*ZBF!NK^n=8Cj5}G-q)S-XxFhm7MaYfgSP*sIkrtIFd#FK0G z4;eiNx^02~N^@B*v5TDRtCDomvb(Kub;bO%C4m+!znV}2saH~VCzQY0F`QIXqJg`H z3#+l;{NIc|ef)1W!h&u|1l)=#O?$`jH0G`x6R16oGp0Zg782k16jhCPG^5T6FoAxG zbz8j1Q0o!*j>K_Xa0ItQz|%uTqmJndiSjG@G)K1mBStE^LW?mwJ<#Rg1tsmBqq#V>)R*D zp$6mASeF4G-CM-G!{!EA!6EZmWSaZsIo3C{GGKNh(5nFxBnTX;-JXdrXgk3)^`V;L z7?0HL7;eWLf-#e2i6$Bro47!!C*w8kAGy3SxiL9|hbae%+cQMSfy#!!!O zh7fCNBBKZj$u?Ff`GB!A)GDB|ir!6$rdtB*lcWcN%F_2|RD&i@L(0aZ90r8wNu7*` zohGk(o-c1H%Ls-$4l2QBHBN9K^&M)C>AdFx@@Vj5#K>i&X%k2QS z4<2t!&71Gukjz)iS@LruIN~#Itz{xCoqWzUngPpY0{7h=3wuR7`kJb|K$jiUWy{_> zrCUi(PDYeX$KrTGWsf*p=XjqyqrTLX`z?KEXhn!Q4w1G%bRJz?GBGuB{tO-UJnUlf zANTl6m;BXJhV6kufPZEf-j+x=Wg05-Ea9c2sK!r_RgbrK31^BVferzFRF zJ{+b@SMSN=7%N9i>l?Py1@t4r;|TBan&?x9hcctM{sDWc+25oz+#y-P!xS~CS#NTl ze7ri&e3*+H-&zZE1>V;2$ce|^cZIdBjTq4v;n#{2JE7IuR( zoiKI>;$w{t6UL(>HhGOr8rr&|x0*q2XeJK6zoUpfX6Aub&j?+Qsu$FEmcJ_tq!i+# zH1|k6{`o7--H(#5jviRZzv3IQU|oNM)sOn#PcuWy0xO}F0`LA?rqfT^3Amx5l!85i zD_s-Y3sNii;;>+&X9)8SJ@Rnr*?1}K{Ra;3YvS=8Zd>!=CZM^wM2L!;L~_OhI#MJ< zKszY>n>|C8arO2Bg=JC{beoh&z9lb0j*A;g@fekwzyF@1Rm|CuZ>NlQ71gFgw0pe! z8+KtvXf_}uVrFTt1nHjzh+jRRmmZ_LHNG{>-)>+&qAd*8v+S>W#O6Sw4&2<8NV&!v zdO{~Tg#Z|7?oAZ9%lSswVeB%(|oxEnyfFg*EGP3fz+4jgT_MJA-KKGumeO z+k4jUPMAL5vi)%&{xoL)P$9yaLvJ{dx76m(8Tt;DZz=YMXmAOhjVLz*dRL>`o=;9- zXOAfTYfKk#@`cA_ddBeL6U^SBqeYxc;{973KB2tYp-hL{cDyCUIeK91`6!bhhnng6 zlICXMiIaSM>>f4U6LZJ^_^-yKFaA4H8E}{`@Y5Zwku+`3U?h_hO?EqC$XZ&_(fS6j zb+8hgdj~HX(F%g`*r(Y!G&>Jb#B|dDwO---9-e4XkxQ8f!Y;rdpdFD!kW0%VmTYI5 zR8-hdFyOFAEQ9VS#Dvxe#!HQT@aVk>zKRg`z`l6KcmlgN!ZRTg*)U^@qazB(Vj>4m zCG_`jjdC2|b9sJN9WGcn-j8BRIoCY{pmJH&H~(gzSVRzlN^&`+Q#EZ$_!plkN^ z!0{r--8$$rB3WB(I7X!{$EKsJ5T+)OmRDr+=Tijj~Xo1%pu`14p7A=R>Jtn@VuRDg|_OV064pb`T;jSbT z4*4OZDekF8pD>smc9bCxmbTxLsF)Ox=@GXN2a1Ou@tT3!lX&(He3zz4P{}dML|7-p z3<_;0sQr-jj~%bSd*J5v1%Lmx;D`U~ih8p{{_Mo?OrB!pDY29s7GLta75wJ*ntQ%M zu)-LDRF5m~v!{l^jgSV?Gs~^D*zBG+LU3d+2(hHnQi~f>VR*%oG&*5v6;^$Mb8&~_ zDb){8dq|&83@o{c*wx=VEDKSHcJq%)u0>yE_}k1Cz8 za2$$YiW|MAIn3zw4$9+c)eNF}>Jw zJns=>j=H?=Kz48dBV}`@PE{qWFicKe&{J%WC*N$b&dR{pq zVtTiHu5@L0ZGXHYB~m0nkW`~D8hRu?jV^?42tv1j23k!(f?5=L91qXgwrcOH%FIf$ z{9Mz!h`!jAo*@De`0=@M>noh!~0Li z%kOYH3u6yhN>JN2J9Z>dO|vx=GQn$7vXRU79Mnn1!YirMIo{F6moZ(`VD3|bu_30x zxB*7qQi=h0B50MOk6WBxaa`J1dPk@|_LW7T1d$GCdK+!E96Sq44&+*5hdtS*K)M3U z+@mv%410=hz|;;M0-d=u^`61<>76}8<*?cBX#F#Sq9?{hA1pdo(N+r66U~hVQ3`m$ zJx9l+6je^JI*}nsY7{xii9bS5*C+{BT9wcgRSvJHUO{arnaW__XpxHC9WI@rQqfpMG$vX-|k61 z`h@au&*^f)wu-Q-g5gC-`Hi6JcX+0!x%W^fcNBMX+Tk6e=#)GhXuiC{I`t^`5=X!+ zv8cbwxREe%EADR{%)^!jhxNlA(FzbWy!pIC=oFg}IX~xkJ)r9v=Omz(7Dkkuj|XP) zn8~v_iL$|;QfNo_eqLr&8@W~4XVS`!vBI3MuZi!YR53RWVyl80x{0%dyitvo1|fZfWl$~58i8yJ z%Cv_Wl$A$sEDRpm5EAdbp1QnpY|I@`PiQ zFwO4J7Yl~G#W*7lHt43{#tOOq@)qSvzFj%|hgTc^?%)1jtY7^ByS|}VC9Lmy>b~RZ zS9kpS^?~L3KZ745{fPf^ch7M5JO2Fq6|3%vS=D|VUd6S8K>W$QmiUYoi!~T-bXWRYVvf-vYP!!xpUhb&9IL`@CyCpQ_9_u$uvOU3TW$`M?akK*{^cG_oD~y#R;)Ga`r^=@R^I{x7f1@kq@?- zlD+;0{%V2Qq{NTL^r^(`cO+*KB2$=Pg7h~y!4&heIc;}fIM`^rp!W>d_b#@-<)NLh zeZ9dKC9m`hv) zfBNHu@Y#n{uEJ|VzW?+?9^PrxDq>emnZB@{MVmZ+{Ly;BUaMs@{BDkuw$ls2Y=y{SQVn1g0=qS0lE(H4Ve zC}mIQ_{d7*wmq^d5p9IbYE;xv?On=V5k&%-YK#-$D#1`1q$Q9CL#GoQUsGb^$p?aJ zOpPY6ZK_g`xINPf?0$^yJc3rxYX{GP*3lrQw2Pi;(@^@7veJZ;h~qxQmL0x-ps^)M zDCksTk;A6jk>J(G)^u)bqHj|ppw zb*Aojqcu`!K1cGk z`A2@A9r@S{D6>Rbf}b11r|vJnjSv}OHbf-jlP%?6a}W16jnl;ZaEox(mr9-)g09r zr~WR&-UU;}^_ul6!tLI0cw1p69*0*7L3AMdI-w~_!t;SH@`!$aAo-IQbh*HZdxl73 zx+%hwY+k*CX2a34iDx~>W5n!5g9#$KyBh|l|8D%L6M_?uXj36ZK8c2h_B)15N{N&f zsXL;5_yhTyBa_RRV`=cL5#i917Bf!&V&M9}D+DE7+To9CCZWg8n~>w?7IiVe&@hA( z+{nhh{D3^$GQWR^I+-Ki@siY>DFvUAmafJzClQ9q`3dPJti&_=iOPf?S2{gAtEUY8v+g z60gP^xwO)wF+Rbm!4}Z>1$NU?Pkq^m001BWNkl zkvLL?g32h0tilS$c=AB+k5N^F2o-JU5ef#>lJQC-MZz!`v{2+lNZ(5a;UT&Th*6Hf zR3HWmFcgUm*6BRx-WV3$WWAuI8orG=-fv}J&qYT zhK8_isNIe_k5QGvp~klzg1DhP^i*SwC@R`0!7@Gginc$ZrV%RNVmw9E-+^P`C~&j| zj)$CP%tX$+JBNkmVmX>7XdxYNdW{wmzirqxK8L;F#J|JZ8Pd&&>&jt08kmi8%u3@5 zm({f*HFM^<=9}UYd(l$`71q#@zq9C*ob>AwJ231^pZ1udyPmKy2ybBi$m4hy(Z0OK zWleZ8A@D+iT}vfHy1RR3aZ7+<7~5<^#jpOKzekq;jaqtG>YlHz0{+|I{v%@dw_GkA z-d#-i;`Rz(|N0N~w_l(hov6PlQo+c8eff;T{S}Y?rQqdP5klM{re~PCh5k?g=-7-N?b(R7B^nzlY@upYCcv1vXiFB)D`azRBoc zC_*z}&t}N*j6ToNU)&M@@EO~$HY78bgRxoYj>aD797VY*vEQ4p{?&m=w4(aS2drNH zp39F$9DjAh{ds~{>}dN7md}rT@wbXZzoGL-++4NT?JZ4e5x(DXd=PkXMcRz8uC7_m zX6V@?VsWIuX=p2jKi;6*nCfuLcrj=7dBu1sC^{F5Yr63#i0gMWxy$V1g4LSpD zae=aJntelfdP2YJh(n2VTN*3DbPwODHOrb>28g~Ss~bkK&(Tu&y{2vzk*VplgI|~I zJ0CZ+Nva!K`wUZ8h=~IaJ9_^Nqbe*@f%Fivri)zUZH{!uQ1{s5j7oY0!wx&E5Uoex zcoeEf7B1RX^g4%PhLhY=AAN)u(yA0&wlsN+HPgs-Pdj!o^lW^=WU#3E5_}tZY*Bs; zT447s!$Q)D7S|JGUW3j(d!DQ^5~UfTWS^p3L&WngVZ5L*NAL_7zvDa@I{Zr zrcwsW*7U-n@hf~4&=eh7duUhT#}Rcp&|?#L8He8B1R=w|#Tc8~1vNx;ZbM{sbWwoU z?>VXfchGdP&rG-E77VM9ehSJN;Lt|3rkF~jA8_qpb{d4hiI<6Yg; z&R*aTIaL|Z&pj6H6;*M86E@^U%Va94Y6m4#>e3|&1YR&>{;1+$pW{#={3&mDBjAd7 zwxmjPbTlQ9TmJ0R5ug6~k9qo&pD-F<(2Wz!LDPvH;n@ixIpdEXbN=Lv_kXO2C-3u< z_ajD&_jq>s0{{FY-lje>KRg2iu>c{b_*&5FM<9Ot9d)q3<5C#LKNJ|F`Tpp;3Ilgi zV4FAS^*jE_K)Aa>Admv~LUJV@n29aD7L@t7q~xrAcgukuegB4m3X2g`&M^ywLA7bEVgGnVHHMKnRgE&Hz_ zdX_>rMz|e^s}RfX*@qr-eZ%fYPw^eaXf|T?cuJR5XwT5oGd^>OW(j>6kxUi#X3GAv zBeUn4^6i0S?h-v-lHc4hS|xeJ`zfk%%566X=FXET#CJgr3LEOxG23h9M~({DkA9MyNt1?32ae#b1=6y*fYCFWg6ITol~Q`atbInXv0we8@wd-^!R z?bjF;VFf)h-;(qpMk&TshY%sg^eC&R+s^41(6t3l*pRw{saGQkn@)A~1o)mNQ#Ov> zbJu#<%BF7=*dW>x?bZy9z#lcxJJ^mv9TdtKv~19Jh20qZ)}s{_O!*C7IdGJ?N4Gj!7*@}K@m@a*z) z{^|HVjL`^SVHvb>`Nl||@{f$=PccHHC7kF5TPe5`5Sg05j5rx8PEMb4nz(G{7hGKI zX&)|;bZpCjg(*3fOD1ZEZBKCCy(4%OaDSC!O%jqvE;rs|EqUt$(#bj^;< z!$2ilqAtVO6UzCL_VqRP(!rcfSRD(dF$|L_y##f)qq1y9!$3^OZZl?f(ee6KhkK&w zzTMH=Q`B$;^BMWwhG6M&|7JsWGQ}=Z>b;B2nr?f774683WV_QeL&ojjzr-d!Z@IJxm9cf$Ri9N^4#!7kuZBrf|h#e2J_3)A$Z7S;5CEFB?qv^_! zI9pOS1JN|4*(Mw(bDCXEsU1}3pu>n}=n0CFeP96@P8Kq<3_&@-(8l1K0&GFMcCflVs06E$3{_90dg7f;L&L;Ktjfpk zGJ?#I_6B^IAkP_U&CrUEJra>x0VrsOs7>-Ny+`|qf#*-An!ZR8> zD)Dtgp$i=2plglSy9{|m?{{=ggBR_w>k-9%O|8bz?P(rbf-YnCyPAEwK;L9+jt>29 zMOr&-iw=$ldNEL{6_Gp=sRpMp40%O&bV$Y}?N=3rPFURv4zAC%`;z@}is$E$Wpvg# zbS3xK0_US1C%>ngpOacG3*M1c36&^mn~pe|;2!pLr#6$-J=TkJGGh_Ww`^07(r>9N z(4t1x6g!iL9ADEP-f zk&pB=JvLsQa;OEK&ya>=rR73;JV@T z<0^8=8GSt>OBPs}CU6EaF`_Xg!`MazIXbqejx`4-p!AQFLUC+e3f_@QAHopoGt{)F zXOFE5Py@M?7=OT)9xLH;rgG9kVU`Zgw8R>F^nj>cd}qpjm9Wc0FaU z0-}SV#zVFeu&5n}&N3J^Mrwg0ef+J53>#Ex)3*wP3I92qDXI5kTsKBlJ$7X9geFe} zQC*`{fVcAyPDC#b_#+P`@34lLCP~Odhx@)DR4KL{V~2vyQV20H@&^*Trp`ks=Twc2 znrP@t_LDL8qb>Wl4)sJ~V=)OfRF)zPdU_cV51OJrL;IR!IO2y1X>T!_E5zyxf;c4K z70`6BOmOTS$ttTW&7%Ll6-?XhxgxmpsvT<|8k9Tobqps zhJ_LwpZ|n1{Sx#&U+rwN!)qqO;Nx>O{ebP8U-6+Z?8FB=Gh2Rr{5i6HOD`UAVYd9L zJ!gcZB@SH4Ip@Ip;>W0au=NxWIym3jx1zdfL_xwZT;Vn(SU=eQF^r)kV89A<~4{4?&EX3$l~(P3eM%Hgq}t%9y7v_<)^f|<>mE(Y!UH( zQ*%Fw5k-q*6$~OG5k0Goz&(LoDp-gfF9{j12g+l`rjf+%7S-f*WsE&j*iD0RJWQ{V zS`rEmU3b`ZPp2i)1C`Zu#v)V(Wh?JZ<6(CLBE)S{~u zt);P2o2{{s(t_ZQY1`9Q5k|O_T}?A;ndg$XmL}*c93ph(AkK1zw8uYD^oJA~Cy2IU zz`>J-tn08miO6=~MRbnA=#sj1@uvd2b7)PE>s6QmdP@+rCAB?fP&orOwE>|zl;zUU zA_j}nbl|r{sYEYq+Gb!TpvA`#K2~DzZ192v%YYO6C}9X=m(~-wVNTnP5Kc*#Yphc7 z&?d}-l!1Yzlw56Mg8T|qp=jeVZnk3VeFtur^vsKvqw)}z;au<8=NFU?LhTq+P4B`rvk+c{R z0h6&n)+Z!|0P&1i9H?g=qixU4v1cYWM3acyyAZ7DfrcKnk1;unPaCC%v+h7>RB39N`RGdSu%BVxiP$2y&{ zzAl-5QASXc)cc(QO(^Ct)OWwr_1tznAj$enjG2AqyYh z9ub`E=!-LCaKJwq;dcfzj)=pQtL=nIv!yzDhMjaAh8A)3vHS{0hcqjP;1fyHNcw7y zVU129`M^V`A$Pk9i>bu>!34b+s9t+KzgT0%KV1h23r&>{+FNpIBeUwn=70M)3Nc?Gp zprmYU=0Q)_NSrvK6NYI}Q8oj9;LvwHj4YadKr`UB9if`As|B&2qpcPzjmU&cCk(!d z7+HI~&ZS5^tlI;^Rw&Cyj10Q*h&(~6JK|xWup|7apl>Cv3SDXAIFhawloLtPRn&Ei zGthWuyu^4G zQV%2+SgJ>O7Q;&8`WCYH5M9d4FcugfHY*zPps-TXi^!IE03&pmuIk$37Ud+j>fW!+)gMjP*_$|52xz8(1 zb<2DyNp~^7-rVwEfB88g`xS17`x>3dPSTc*m5V>x{ep6UOE1?=IUvhagJ|kCO$f=9IqQ z;)#rK88F-{oN0o$w6WcU`ppjKbVmCC)-oWHIo0Gny7CsgO*o5dzPi8UlMh#1XJ-g; zPj#?Zj(hg%1N=Bc7YZXZqj8IP^dY%yIDTC)eln1~xn#0@%X%Gfaw@rBD<;zn(VgRa z54_z-o?rHqCP7X*@+?6ez9G8|@vpZ~rS$GOPIikKLgd2b_;pS+tI*bS`rQic%bNH{ zbHZ>mAck$lXff=qm!VM8^X~Ws$$F8QTxY*%I@4hIo;1UmS6F8Szk1^%nb1 z6YlRR&z6Lj6>ewKmp#^nhyMIXZJ$%#yv2Kb0r>AJ8vzB7Z;^W17hbFU{$uKI%{~o!IPm z5>vr$tgsF(&3T2JLp8u0$*PSQ$A*KdvD1#WkVMM?v-2n%iK+#*?O?RTOA1si=$wWo z^YA8uN)Pys##RQjjljk-5rzRFHB{)jqpupo%8+{!eSaWMCbXV|-PL&Ip0_t1 zmU+u%B+&Cm1i*lZw{*B2%(D8{|5H26{b~|uV6<9Bx z@yzk@XYcXZP0DWl3JK%`yoctqXFo&izvbDJOSrFi_VX9~?k>WZEgx&cHG;Edk9N*@ zJAA=Y<52ez>ELsoY{&M_v8J>T{ z*=)~t?{hIWbcYeq>7Hz(@TE<?5uUYWaXIDPZxU4WHU07eZdUlS1lc+qa|+d((2WsJ zLAs6^pKQ?1Q<|3#*dHt@wktwgV>u^m-le=qN{Z=%nabFjfV>kp-2qdFTr5j=`W$O$ zaeDB^1Eq6Gzj{ZzS4?&lcR|Rcxg~c#CMpi3BZI$Q!;?#NzQWq|EQL+ocbI9#PK}Y` z!0g9Q7zbm*7YTz*@U4OCyyrjt?Ch3LDP%cdA_uG4Vq}2h_q1Jt zaD7~Nhg%ACXwgfT(2|syi#shrX>1CZyA(Rb*a2-OnYabLh;Z|UVIpwaj=J_>uo?S3 z-5xAo(lwf@QN+5(Qs1HUpIRNSLv1CLcRf6= z&{d1<52(_^BcSXvJUqfCr0NwiPDp}`wsr_?MOjLwQqgz@)AbCdLG_^Q0bK@+#x`mv z5VnEbqp>7`+mH@Ek*FvJ8_O&3Y@aL}SV&0kL5_Titi}o>Muh+)k!?$DMa0-#>y9pk zW(;+f(z8M6CA!XOPcE6N3Y@w~p&4Z{TW`RY6}q$tl9W^^nru($y=C?Jk?2W{{ovEi zCYUs%3oY!u#&{z#(_>XFPE_F98eMmE$2r1Oq=8M6zsA^4vBR7&FGz=kPE~X_`|s*@ zryg$M;Jvq`dAY}#neRsBNO30;%uw(r&&F7f=e+qw5!sqYrz5;rpmqzs)&+0={tqmz zE$6)o7b8A>Hb!}m;lyMAvSEL6gydsmlz}X)$b%H*0*G%PkC7stiJp$U*5jv zx1axp7vhQ}_!y%KM!~m2!t3Ag{`>I%-6TAl-|}j`U}3%l1uuo*fZ(NoD9oAgK2w=e zG;?h6Kpige9$fUGSlJFr?728ya=eCUTCnd1s>Y&9uQ(KQKFVIRJHH@5yv4j(GhaO6 zAkTp}6lp+Y8RRhF{KVj1-?PpG9PvQ=-i&nj1wjb=&LKSYFoh=kc!|iiC~wJ|)F$3- zX#$0}Dp;RhAU#2RT`~XDCHZc|_`IPxD2%OXuMcQ9W_vP1z50qgd4%O|S>K#uwjGCU zju}Ju$V1&X3`Q_yHGTJ-vMy048)A1(_mHDy&GG(#vN}SuKt1+oZjU%egAO~ghZe8A zqgR6dHYfIMv^{6+KcJmCufG;7#w(68q1X?c?Ni)%Mokmot4%<1k<%JYtqget-jI>VhR|;5 zm4&tjf~cZV0cj)Xm4hV;!meSL$5_?CAr3fnh9I=D>z0E(V(P82qnL@VId&5~X4F2| zs=*4Nvm|>j0BKXTHEyBkO-JtJSfa&XG1P{DfJ|tj!EmfXEMFkHk~%2qg`$fEzG~>Y z5C=h1PjG7o)d||2#!qaH#~Lw_$o!6235IRXs@HUFNq($hXt}xBGnYHqbqu#1VddfZ z6WXLDKAAA~@9=z3X~05<6i$a#dmN7rSshSC3VWTiDGQ2~AUqQs*Wkq+ZWoc|K3)oa z(lAlC)ax;$YJ)1zsP|)}(j-Aa(FWL_gR5NP$$*LnHby|XEueoA~E^QqtQ@sCf@{V7gVA_eFFY-Th}9~-{-tm9F%Mhg!!z!HOH-s2kq z$Lb5-J2(GR)A+xRJHCGSOU&>E-CE#vH`q7`14qC`(-_HxtoZ2sd))R5#^=zQ9Fs%N zJ^swXd+_n62}6?;o}4pZ&gkk>qU{|&eLCZ4pR&EKNd^mN2-xifcAU|DejttmRBMyv z9nq*D{o2PlRRs4X2l0qyf8^cW5}9qOXAb@AHTir>{lyMFE2+|s@mWC=S@u_PhA}>7@W{S=z>YGk>6lR7uWX#R)51dX6@AQW(gST|yM>yL7UmI+3i<5acQ%RQ?7NNiyCFHeX z`NE>S%keH_t{!S$A2%#MnIL8@%|@e|35#)n_lq%`-)o|eHAnFgou#>X*%ANT(B&5G z=8EF%8G){-#0kmk_-M?(001BWNklu;cg-R&Fx;s;ZnJpLKO$ieR|#^!;tnIN1BE3Jqo3e_3H zQ;EAT$s3972b_5wbQ!MGAzhEuZgDNm>PZJ}#dKs-buJ_0QWg{1@RZ@cBo~_DP>@Un z+1@a2N;)A4nt?*vq`iZdHdfQ2l*2Im|1`bHuWi|V-}hN-?Y=wvw6}lvb@l31v8qUs zqGffE3Y(A-+ek7p?7v1p#u+Do5G0e>h!Dg<8i%1JTY;pAj3ko9>g#p)z1!c@pWU}B zgG&z<_G}8jSifd}J~@U|jO+#>UD{+or3Jc4Xw4EgTN0WrI_=mFdM5Ikvefi4ft4gs zEAn1ots5F?qdJALGbr*5x{5uOGxsBGt3})h2!`lpgEj&jZVB=|^47#^C81Mu)hZ@I zNl|M^b1WyPsWPPK=*t3{mU0u3R4w(qBJF(Y+XYv5f^3y?ann+-@7U}LN?TABw|G{< zBHPD%u)&WceP~nQ;q(@^ZxL=?wrYYRU}I>i%EgVZQCNg~-%?(~>aHYD6+yfs$rbH- zi7HBR-SHq=an~QBc6X#ZkK@4=+CO0187%UgvJWV_ExGcURo`%1#o*7W1Y8z^Re42z zamHk*nYtdrKjd2~+T~A~KJ?kFJXBKfi=9W8-{FQH>^u(Lx6JHkh*Hp2K38w=AlPCs z;-CK)kGK>6l=^9-SbB}T}LMo3Re*c)?_=ESz%kLo(mmmcH(C=BAKjQ!R;xlHK z|2_Zm_n#75|B`bGH81GeqXnwkA8$szCiSXLTFZ<&pXke^}X;%^nzMw zUN7F#uWv|tgR)s-iHODBhQSPsV2t@3(sjz$Hzn!qXK?p!VTd!FMNb>KSbE1YZz+YwvlDtT#ZDI3 z!xPr4EsZEyzOL}C0wFuz{%pf@KBw0s7(=mmM<1A6ou@S7inR0DUTqN+T$nZa<(6Gv z+0Nan8i-=(l?q*%jMG3+;wYX_9>T728dXBB%T13hLOz+s#2wXy*48 zE3Y@OlAhg{JMvk}R&Th9DrT1@36xTtQ! z+tk5cyv6MbzVp40`N#kH1Hym$FX*?&c>5W7ZQ(|WENc;y4rh^q(U3`v9JDw)$x`Jk zc2o2OPIi)3`lv}jXDbdiOGFjXS_+QV46P37wkTb5<<=OTMOyo$%A!wuve-c6JG{uJ ztOU|F$a2`?P;3g;YJx~BtiVMWDYgqe9c@+MmOV``=sUr>@URMxPAf#|Vp%)t&4imu zP&OI0VM4K_awMfW$F)+VE!pabxGSj9=vja^?%1>k*yfIT<6xL6=C7dwcCYSPewIbG z%g8#1#inG@Z>bhJ^G(U!oo2D#!Zv4@uGlSJQr=|bvY~da==N*WUXI_baZMY0JHa2g z;FpMDjE}J29_Dh*mE(}TctxuPMql9sH9{&Pqh%$hOn;!z>ml7;L6}a96N*lgIVMJ0F%=5Muo!|R_ zcj*y-bDp68_W$Acew1=iJthp6Ov4)eoBP!3ly9$gcuiJjY5c;HqjhBbdXz%i~`XL zYS~i>!LVv*WrSDOSWJNmKQy?0*D#KkD5a1G`}m7ntlxeQ^Lz#S$8?5;d2vNO+^0`# z#?Fr1I3!j}wyO#5C_x)OcE6)JdY|U(hH`I6zq@59ZCWi!h7RK@p{*i%p&36+&}l&B zO_7I+@~b8Og9(*kQB?t+zvY%AW~Uj+e25_%7Db1b*7%PcHeWhSe#fG^@iAr=?ZpcJ z?;WuEs)f;xgONuWM@-($sXsZzIh*6{KP6RbL^i?HxA+gAqKls4zG8g|fy|Jz8HU?p zmM!7_N7U(>z=nA%G20c}E~YuQk*hT$_n5oZWwyS;{>`VfXEpjmh5D*TJof0<7Qus# zIgeKCwe+1 zTBclm`~i#kHIbL&`0vp@K4lbXT6@UNg^hGC7{(*|(>>C8hbS71%%F`1IHjcRQ|i?a zIkJ$crtm!Mw#3X`kP4xzxk`OhD;P~{%9{!fruU>_t3mE8u9akxRBT$4auA}6EdoUl zZ0M!L>MhD7M>QsG?;(y@ z{uaykk$TN`u!pBjl%=Wa4Abc7la9c!Sr{=1!#V9r8DV=m_Zxb#v1JS&pQXPl( z3a@HOcKevc5^q1INGep(({$?IQxVR{zj;kLn_w*7kqH+jTkJ~n_F5qA3>wKSpY!7N z0omPGY<3y>u4R+1@wyyo#LU~8<@E(#nh<>7=k`TO<@YQ%TRbykAbKXTL-pVR%Wq#3 zdV+0bLbzbkYxZNs&i`Eu)i8FalrIv3Co{T6@x}Foum0bk)0!KOYMXnoy9PDY&>Y{B zQ>O5L{?%({-oItpxjg&sDIXjL{LaV!fT;T}Xu-AC{O(6??+!4yU)5-C4A2|CepO>RIp<$5*%O-A|FK}TeaXPR#;84< zz=cgkF9n-L!7!985{XnM=7~kO-cbmL;Okf9<0tsp8S#F|ya_Rq6l;}HCR>D@;m0nE zoyXmmE9}#b)um*@hD+lR`}&g8y$N;Uv%g+qO=g%E6}9R)6ajPzZ5k5FOUmqkuv=3l zCfOpx(Q9Ww;x%#5Q<*-ii!1i_m)Nr*M#mQ^D|qArHPYK~0X)W0O(SVda8lDDgiCF^deT3pza` z3p(mF2b6|lq%UzygL-9P7cO>GQ*RpTW}n7V zjEoxUk}fIGy=13-Jaoya(E*VkA)^6~ z)sZ_CDB7w@mc6#JaQfe2^G#J)9I;m;xJ(|2i*fxQF z0m5P;QaX9aARgmHYtqu7Zg;q7%3zA_cWh=Oveg>#IHI^M>GuVW7tpO*Zfl45P!TmL zo%SiDV%@IT`OB}z zWN&|oX_(Lp?ERSbLK2H_=p|elf~JQ8$(Km#_ASVWgK3E-K#xXDj0!V)pEiY~_yOzQ zLh1++9B{XFaF?%W^^knou>V2Fwm(G5E%vQLWt&tN6_as^k`oNOqnJeKD}i@(fPA;b zdlHe=l49PYoGX&j#9Ag4m>A!DN*_(R5QJ6k;596mJ5I2eA9}g5aTzS=~_jPdWSgf;NKP-(KN88B^FDwPT7@24kO)XHnEu&tMA3jFf?+~t_acuf|N8{!E_1q_W@u#e>G+oo-y%FS# z3bwS^48}PATl}_Smkg-}H97?sm$i@tQsVeFGzDc{vr}7IxuOqj`qV@WN?aqxY;ANn zqCRxkcYBVN;v$If%_aHVMY=hYiAz72Bej7w^+_86jR^-+dc7f%Yb>|G$^^RXX*VYG zb4^IGnDcA)HGhE&8 z)|3XVy~AlT=6XtIYHCwq3W@HQq)9;C7xX&h#H*M&8XSpZDJH&;zr~&xl%|1Ey7a~! z^J|Osr?)I$zsD>Hk=_hvI$$#>cAY?3L~Q-*FI5Ru>Zk;!k>W!qk-hz#Xb=`>cqr(U|?91*ohc~ zCV^q_RTgsb@4lvb*KsEN|Mii$)0--V}pAMV$9&PU zH!N{a_u0w_%etkj9K`n@VdM&qJ)jqoSsdarr1-qXvO9>zgy|MRh4*AYxgD~(*b&bh zDn6oLoYCi?qBWz9PnQPd!wO~E;O?9Bxo(FDZBJDj~k+}y&{Chs*v1Br6-NMMfqR z$`kA_UCK7b-)%_>pIw_$6;njFqxTAEOf1vn@|}k@6zqBvp<`5+bJvfsqb=h{5o^^D zs4=%IkH)qcH5FHl%j4&7v6CHjF~JI3jNGI{P;LUuMq(~1Y-5Qo1!mCF?hKlwMSd>k1)Q^<><{UXa z;`F;Ueqduh^-<{-KM%OPw$LJ@Ep2kw!kyj`i7AF{5j=@0zbT0KEv(@I^(rHZBt;z{ zikhys*?Uxzo$XOtODcPS+HMKV_@iTHqX{Yu z!B9Nh2Se|3etpK9zkJRAclkB)#b0w#N8HT6Vfp2!n86G7Zft(*51+Cxo-;c>=IFtc z(enqmQ=73pMrsLKXrg6LfAS$(!YlyY3qBb3#6l28LqId=I%*m6>G{{Z?Ju|x;IDtl zRF4@+jjmT*Z&C!sy$MYSOs!EGYysCo5np^kK6p&i71+y);Z!oz1C<Rno3ibIr}2Ra7Gwmix|eE1>rPZv0mh0__dBA~Z?)Q2g)cZ@k4P$xOZM=lJ9 zm@=jcM)cQTk-p71{3kog`HaZ-5JQi|iWsln5X6r-j!ljZKV-F@Vva$+Hpt$a@bKu4 zR?lc-g|#$^*asybhI+H3(*vBzoTz`q-oQu14m$M^I6VHI&&}PGN0VEYH;))R5BSwt z!?-@f9)7_1!bFC9T)cRPI&8>F8#!!|w3Rua=vlncqS zg2q*d%@uLm(|L-G=itW*Cjd9F=!;|IOk%%~?4%;D70az4JhA9*3ry2s*9oe1 z!+O(DP39Pa7ew9 zcgc<_=qR@vrfo`D9#Y7Xcc~&4E9(6N(shYG3|M?~M|rIH`mP{b+|ZOMFRmNL@iklT z3EQg`iDBVvOWuFr)1(jRpJa3=5i8TcUcNy%Yfe?kco$$#o>9v^PRA{igXaX_AJb3A zY-S!KJ3($utV0{gy_J?Fg2~?Q-c)u9f)j=t%}W0hreFS?$BdYb5BO>qfYA3zi9o;B z#4=>Rhc&1C@>ieok?Q&6!80U+suPUqIn}V{33u%oa_TV}Z0Ins2LraE!Rfa+vCYAW z$5aZM+F@u5ign1N{fNu+5IMVJwe*<3PKo>lrJS*Od5JYhiKidX#x}hcxJqKo4%n_! zisA-y)w3A{jDm*F9dYugXZ}Xf?2Sl&@fochP`tjw7!J7GENJ`geyv8YDF#FOg+{q8 z2Vz2vgC#Z$+W`Ux+qGDT5Kk3YR>00OP>v+s#rW+Df}>Nq%B6gHMdwtwxyB1!=I1*^ zRj~C_)MCN#dmh=#IAALC5Bs9jEVst3G10IY;FRNpnlPeU0V!=t+Q^htz&e zUFGz<8_G#X?e@^wq_;W2Nlq#x-Yz8@_|!>3T?rapVKz3Gxnw*4n)V3R+c`~_(r7_* zy~P?EB#$K7#gU*mROD?kR9sOVAND}tsuS77)60f zHBBZl3y`g%zeq3(MeA-cwZP9xHeHR(B)Q$tc^zU?A}xvIION(z+C8qNk-pDls_7SF zXbNUw%xzxMB?^nqq?d28t}<55F{K}-D}1AZ zE<$=cCaapPo#MF)dFeo7A~rU8R?y5{vdW^-TYO{7&h$}j&pR#19Jtb;lO0ZFJfmaU0rN(MXqW)8LO?yefrEU?@$yHc_gkt_;?z3}u$=pR9>y z$2ir9QXZ2BE~ZZCdQG8htXgsRD&b(}(9U~It3szH6K})zt|qb?RMOBk5nWl4uL_c1 ze2P9XsoNA`Y3hx_3TonEL}W<}D?po?I1Y#tK{&FR3WH}4h6oX0Ohy#B=JKmK$>I!4 zl$1q}u~!h(iYVO@d5WVCA2E1v#L@E^d+$X|$3AxW0DIpC(;~Qw==?E#7_do7lpb=P z-y!)m#{JFbFxf28O4DC<5I^H5ZxlcJ`=9f=QJe+~KIb>cF8&Om0i{9r{NG4yy`mHc z{BPf8z*jtes`=%)Pfy3KA+WVZ3(bxcp8~YcVx7~BU8+ruMpCUcY%{#|6(vu|vMt7b z$hxX&^p-{+qIyZ0Wyt-GwVtwibw#pK#9dBd8}!93n{Pa9UZKK$=pBS8D4!k@CtI%H zS!`D~WSgFLogs&sKCOspxe-Um%WoJzc#b|PFk1^_y`XmvsLsB`IJMZuGsNi0;grFJ4Bv!V(- zvNtQHrxtZ%;*BiaNriX?#qEx5en&hD5T`bs=`x*E6lWd11w-SG#WrRdrVxLC(UquT zOPiZm4}I2G7RI9pD=}%SlB(D-IUQ4C;pVUC+8DX-u=?9Ihaw|;?O=+Uk{){iyEDaJ zpCZMCDA#nvtfw)uNYPQoo1dMNy}3jB3XcWv5B6~%P8rxP-d#@7nKXME+bpQwHCU}g zh=L&7A>#WXLlTE9i-b70xRoYm;hbe-fM*xf%-GpB8?VPv@V02VU36rwO=r#7 z-6=}7VKwwoeMR2%REb5h>!?GYysg;SDPi6ryNYrdA_|jsJj0o34u&S1or%}NliX*3 zh3AB{v1U~42=+aifkt;Z=3q!+HMG_h2uX0zvk*0LyvDX2e7B-b45Sm%=$hV?B)gK% zQmBolQ3g(xVVN1KNYS~At~=Umhl_!Y+19kT7qm%=3{6B?M$U$YK+LkU-#sLh+=n5IW-v=0;FIfdosghQf0_ZPvk2K zWn*M#yj*3BqZMEv<9#mA1?FIfC2P{VhGgHMl7eQJ(`^z4vSHsg5FArzN$k$a(g8-g zX7KR|x36mM^a|G9iqr4KtTrR^qTt)xEz9i%;{)h6F2^irgh#*183;|Oe0X_@)kX~5 zA>QmU$DT0haG!eK*3s$!YBvTjyj)CjEB92Z!=4Xq4#%A-1fAt4*e)akj9#@~!kN=R-q~TA0af+<|3N7x-V4(#X!GJkm zh#9?pixh%y7ZM?^>3^-mu%(7hB87#b;CLoUmk$^UEw;BSMthoWuumB_^qoMAhj{C^ ztouVo#x2`^$kS-Y)!afJnv9JCUxrv)!SuHtA@4TiflGZ}6MRo#tR?AqA8+@TaPKj8 zx?`C&42Ct{C`N}i$6d!;F=N_ZTFBp?r~yVu>GrkYY(8)8GVzOI=* z9&!0)g@2T@{nV!2u1Jm)dsR<$(IKZk`Eriji&(wMnVj@&`Wb$=W?5M{g`hWWdatCd zj;J;-QH=1L9qT%#+gJ>SS1i*5?EZ#4X_foR%N(aqjLw_5VW;TQJC~miX}5dIzWdV*3P8X75FxEC8aqb>{2SH z!l@!`BWKqL)^{d;T;pw9G98hw1Y&PPuPQ=m&}IrVyP>KAM6{*T7Rs&AR)NwUUY4?| z9Bdlq*9J;%XzYSn5pljYaXpV-n22>vBpv$MkiapBl7Mo5pH3I-jU4)2Na+f+@aUIo zR4b^Xn)W#R4v)BH?;nQv4px-5GY(JDTW@t z2~8K!I|`@kKs!hygT}zpg5378cPXuB5#&3{(5Gt)a;KsxQ`B3{WYUpV0Y(aKa*xz^ zXE*4|qj6fgzGrC&?52fcN&jj?@$3MjUJ|Dz*K$Bv8we^UPQ&IxA-H9o_B?$a&~Sw5 z+Z0(tU`uLajM3fk<#kQ6y~1h=P97a_zK+p1uW5~zbkQ)~)3~SKAxl%zZ9`-3c>jsZ zv!@RjKK%~XO5vDK=pWRC)gh@ViG)C6vE9T>1gu+!-M2gLR(IU~_=Z3I@!#^ZPydup zU;j0${xhUN-Uk?h&;PyTcRr5qUtF)ZIHyPa*+TO8;>SGw>8EAhI*6lYs5I!T(4xRSEscBmB5w9Y(nRHQPQw zNeiQ?Xwx}^r<(p^!`|ToC`@j&%af-i*B1qbJVCb`XgtilC80Wnk-_rL!K^N@M`JF} zItEF_QV0gaCEZq0yWl_bVXYZVBr9B$9};LA|M-2HNl$1lNbX_;b8O=S!a;?KT+E9e z|B1m;@8LBycke$$?$)dfLEq;X!pBJ0n9mMKt`lZYVm4pQ8Mu1b_<-Me&#fs}%M zqrs>(ZmzMz0@DfbyMUom^u5hO^%%hlCn|7LMVM*O5cnBYqR_^cDhqJ?oVvI13XSM0 zcD{q#He4@VtXV``$E?i}xu5dEVZq9bnZ*iX3a;W3d-K6l^sHtC`Yl&E3A`}@|8y=3aVAh zGHOtJ9sM$-Q6QEI`Bu`jCbsOUrHKj$SiQwvJtIqRS>9?+oNw8^9bsE3TO;I)t6Lnk zVA1tNMnNZGYj{@A8`!QB&{hs+yvDX-lqcyuN&n4;*S~thuYUY9{^$SZf9K!)*Z&=# z{`tS*)31KUyPG$hwO4G#?R^gq*@Mvhg%G&Q|B-(1A^+DagXiuSfaGe{^KCjo@Fj?z zUTdV#_o1d?r|*OB{s=T0q4oWOpS*X6NCdrx$=*vc@0c6?HO18(jud387<0BEof~`@ zR*2aMK~L6X+`dVeCGWTv@3TLCiN4Sj*Ewp_Q1k&cH&jWAzAM;W-@?l|?V|{^i;4`~ zDo0`vyysB7zTnA7VcrZeeNDF$q~}YVVNJD=?A{dUb%J%bMJ6?AQ0FYu!MJ^a z(1)m#l>X-lxyac+IOkn4V(PvmcRxW`J?>@3W?&QhH98#7YlDgpvXWr?$G_^bAa+p915!S{Pi=Y957jx`MF`+(ih zV&9Wk^^T%UsfEBdd*nfYKW<4wAK7myXre>3d;IDD=jx*0>ZGo)%ya6eueNVCi4ob z^$<=#w}pDV&&f$c<;T2vlW}`@MN?iN#wORVa#XiqrAxm3`dfB)H!LqR!eogIedNT# z9L(t7AK*M3A)Op+d_*{m39SK(yNKlNlAr$gmVf)l|B?Uczx`wW-T&~f`N{wK6Fy!2 zoG+6VU*#)0vBDD?%8a{CqYP92(fun=BZ0FeJaXr>@k8F8y!!U_SuUP00Kkw%Y1^!GOU|1_!15j+zD(SxTnruJ|P$?5k1dO(H0PFUP&%%cGZ zYDJQbh=(n!JmUDM=5`x#yyuXPJn9>Z;Yr2oY{}S4Yl275sa=oBw(dS|zrxxNQ0;`h_iL8b&O3 z$8df%W;R*Uo}OR_g8n8$cs9P#BidskZ$p+G6GrDG+e5l{udw%~6q^=nY~Usf65}EE zv>>l0xXUwUzx$BnuT#b+IaX&ezbSckkW)oJM7(^1esaiO+;ij2V0+8>`Gnv7;UlIW zK4X5V_^nSSOdfuha&&^;ESM}(Fcpb;KSHILb&f3QM2sgP1s7(q)==xrNMX zEF`Axk!Vb6tguB_A=RP>U$UuINTCU{4q*tc)&maWHC1m@EIS6$1+k;jilXUgLKEj^ zhcWVLw>frF@vdzdBo&KBqxv->FX+1tv`fD0@ul@^F;I?F8I?D{kb=PLpb_Z6q-i9c zt4M1Xf2a^$jV&9R#sjlP84CH_Lc|KfENO&;Y%2`gqpK{0A?Vv4Wf!0{RoP&7CZceV zQHyH}`pTs+hEz?8X<~ZS&<#ogKq+`3a zk@Gdiuw&6XI8{nF9Gb_ zXQFv{Nb-;mwx2){F8^A}f) zMjh9}r(M4#JPOJGron$ugE`^s%>{$Fq)0;s#~r)t6lZTh@%omon9{q~l&GwJWnvEzqa-fbD`IoG!l(R7ZZ9&z^ijPb!9&dOjX3cT@x zdTX&R1=TWRz#Y5j7#45XMvn<@Z%N!KZh1vA-X}6s?zYF|$rr3v8TONk@Z)Ewvkd!( z9}tH<`w!k@I-cPk3<=!|<{`IPO}?C?*~4-g8tLIxIdvGYDJ8bKz$#2q<>Ki%q94+z z4#NuR#2seUBejK2Y_fiZ)oL)-udOXEdtvl8z#irJws3`#mvkx zl%ni4`KG4uEPBhMHMf{sgLY8S)jhIPRJ)R71MdM(W3aZPg?G~B5vsYcH@!?A1AI!N|#g=#EwDV+t{9>YI`gTHm$^SZIX6PTi7(7Wbpqp z^>NJ?|oNJm8+}M?wwB9Jm-j6BxMVVBN+CDZwwm-{AKttd}aH}_Qk-SV9sb} zD2bvZN+KzeqIBYpokPX7YUS|0zNp@ZYM_B$wQ5y03aCH+>3LRSlSKlpJZcYY(a{M> zvuSDV0-;I*-Ql#bY;2lLP|~2ykmRnw9eY$aSB%_(yX}a2{+gAuPqlo>!JuIqeZ=bS zlAHCC_3I^nu(#&)_*+EAiU}smn};;}73$M3NR|0EdIj?K(PH$-2f~OB0_79)1`1L+tyjk+&|MMsO{g3|(|K(>t;^x&Sj2|oR0(jc1 zc(sm*i5ZHL7iG>SnWOX+p<_@rA_N*REYtixTJE&zJtG6ST?h`voQDq%2%deH&wn<@ z&^KQ)L4EJg3B-==9R=uQbAL;2fw-5p7$CI4-tHdi6r!UyIUvnDG!-Wghumfg-6nVk zAJNWFk@^t(Na7Deme(8h#}3tC?f#GkH-9v9?#KwzZYRAVA}$u@X^zI?-|CuzhXDlPCH3|TH6BI6uszE8b+ z!DP>8dC?;nYV0PX3}=)R!RGJIn0??=d_E#LDY0Zr=TEV37NoNenW#^>+m7jbD~fr< ztx$}{8*bENM&>!b@ckV`$rwC zy2t2YgWQCuCkD;O63g6T>>rZfU6GnG-P%At6x4Y|Wopc;IsTJ}#D>qzyJX&c#OCZ3 zj!JoY0!?_t-Mk=A-(a5{(tp087KiknExE}(#xlkF;}3AQ7JDBAjQlZO7;=1MBSeUh zAr*pG+XAaAFujaUP6@3FVOx}{V=OgAvCn{n+Lr{G#kS{Rnsd6ezze51c1Nuhb_R1R zq~F_8ZAZwlOK=h6cQ%3n=$tN8M5};qBykcGF%pDDOIdpqMnUNGxhxY#ZcQycwsDOT z4pvvNRA4VGx-dmK_cI`XcinB>@TMw7a9S5OK9vW2EN zvdAh)e;Q+z9hHb^dKP^uw5?fL8=}y|xY3vgHvMhMTDbI0#Y#*V3>CKP(JFzJ`;PuIPk|Yk+VQNQQKV!qqK)YEVZK^R~wHEd83u@vhhaIS z{ScWZAgUb+>vo7`7`E|!soqM|9hB+&@F7u>={Di4>#?2xBj_Dt(|Q+1pm)+$D1nj1 zX!g+}-9;5j?;0=n#TT@ohoF!U%@!DIo4$C=*>c0v>4xpydt{53%nmx%TZ{2gMO+s& zg<^}tNzrl^3~8?}d2no_Z!LKCjP1uSG5326ynyvZOwUi)NE@-tkv)&}iweD~gtk8* zo%uL77sP`jj-r%glahaNM|6-=&I-a4lli5@RyTtRjn{dCjtWgzw&9yB1bD#GRI8 zFKcGM)$++NBO>c_tojh`uc>Y)SoRr>IHB)fldebj%Q;!Cu%{V%;bYf1!?q>9ap}gI zQTc{ef1TCM3a(Qk4?M*B5$^Z~V;j&I5r;>&#NJ12KKUi?)?@NyM!6`MJ@Y8848p;X zvRX143Yl-_jQ3}B$sKd+kcn|g`8A$D z^wB+m(t=@Y5nF=IvcfeCs7(lc%(}pGdq^i_YPaCo_{$cgfwly$+0qyS!z{67irGOX zdyLhVB%5KiHHeBpYgR@NtE_Pc6{^Xo+!1cFB<&QPR-{EtUuZ6_bM_xe%BIBiB$XV{ zH!>_|fZ0!3$`WN*?6)y(*+te%Vop4<&ST1h3Th3Xn7o_8CoC& zxt8=4xI*#F+NUYT1X6M`3Rx8+>MG^Y;Q*5wKX6EWn{r`dk4*fwAuAk4s;21K3=D(G zRC2i)qBgJD7X{_y1B_yWGjgddmnzBVO-$N+M06xsIX2VvIePDiX}Td{O8w%B;RjQM z;}S0%244&4%prYufhSzLqY?c1=kWWFP**odCqkK1%%}q^z;$Y@y&gu^U{7qC#}5(d zk|3~Yq)Cw^L?eYeonR$%iCBGHGcX(S!5H7zV1*8TW0GE3gwve5 zHzwJZ1Wt!{*k`4DOc~RkJS9FWsK-6LW5sG6;D|ed-jKCBAig{0!C}E|dqm$_kXAGF z;F@fs31))s+(IL;9>f@xkM>RMRmG|}#+jYtWi{6D0a-U=FuWl(Cd?jH=#$@O?@>gP z^mzD9pYZ5IT(6ITq(P!;xY<^8zdq;AfWfrHSo8@d9eL*xL^1W+#hM1xWrFDnvcM$_ zU6#q3$nIfRHC<&P90TRrSlt$1MyP%WafLZCXmo=#8iZ+48+|-?MJQ~x2;2&k$O-KV zLq@1sicBR<=h8SM+R1|Iw$Fp0Ax~PueMkz>oxmRT2-Jc+HPJ~;W!l`nZmG44lLY}w!W{`bBPX*49Pby@-4N5U(2Yku z0Bo*SqY`+(E-7-MAT3? z9W)v+DcIsV2l%?7P4|(GLn#VOucNI6b*B-zL3I<5dnF>uF{Q`rIN`;opWrli)aJSXo?=*<#p0Gn`vzylgkpJx zc~;Q%8t&|twYuVQ=M)WmOXbM8np-_6a`@YkF>~`CYwLss;v0C0gM@YC2ArOlDJQjgQbi2oP ze*j8=+VMt1L!e>LYw>l&R+TjMhGbI{vm$oykiCHOTg7p6i5s1e$2C2BLso$G3W433 zC_iMIw%D5$kH0x1i=L9-euh06f}0Xvbx0>fTy638`fNIbVOb%J88Y26e_;~JQ^w;N zTX~51WJ&n`L)M>ds1`A{auHfITj$l3h7Bg_^wjYO3x@oj=pZZNBosy85ebAucY zSiV@Y_~Hdx&Dq}W?g>#9hgkX!=U@+46__^_mXzGZF-Box_Z2ZAgJw>fjJeAyjBHE$ z{)p?%kbyqu`c5N_Im?$@rlBIN3qC(jXsQe9clPj-Ic;sQZu`7`@fjyiHtfy5P2C!( zTayFT(#biIbSPIg?jocAeup!5X)Xe!TyuKm(6|fo#fE%kpmj^07VP;~oP92+%#^AZ z@FcAGt?zxEKlmShkLbaFhp4H0&8jFRQpJ;k5x&= z&sHisz6}8w?oAF_b#KWGMylE72Cb+)dvK0z?Ded+eaqE*X zW;1Ir+Bw<}IqbE#dj{qsXoD8h%&4pk9n=VCMfk#{+25yjW8BQAiWQDhs8V7MH#Dh* z7#{E>%BYMUuGL^mO+7I1&(X#3YURT+O~YW$e8O2ck!B4c8N%q)WBoWf);!Z#M?VMaxU}=B{XzEtxz;Hw5$LLh?r;N0NG((ykY`G$z&zKq)l>H~v zS%b(Ih_N6keS(W~^8Fe9%Oz^>5HDJD{b`@@-4=BV>8QtGeo6c7?=m@kO*Wj6xQa=c z!O@J>RCn)H0jbnHOItATh zYc$N6;VYBc>hZv`ST>{>TI4e-AE$QMA-4mR@X!(yn{+KuMe`c9>cxSJv#E7Anv#{Uc{Op?L<%TF-a`?Tk zFpnhzY|L;%vr^nN3HIua;DND?5Urf(ii!;A-T~(A&M(j*z{rn&{sE zo4(hGnRn{mze8x!7EB5{39y}r6LCXunGg$wSV0~udV7#8!QD47w=N2b zyUl{Vr!(TS3_IJf_xOb6n-$8JRCb1rB@d4x>}y4A?bB>lcq0>UAxZZ=>f{c8vLIiF zxXFfkVKXjH(dn4Rg6{bX#LQ>dD54J<)VV=E(CA`IF&)xVud%}e>MJm_7Ap#{%{fl+ znEcI_%(gi2PN}ONx>*wWTUO~)?BE&^_J}XHSd=7ANv9jSO@-^s===%YN??9*M)2T> zc2JT#1#|}Lbc1cJXg-}XI)dPj`ZTYmWXA=@-D@s_hxAwyogA~u&NvLVguQ^_s$njn zx_FI)L1_y|@UGkm(=_&DV{|={@2`~QYl#l=XV_yB>PwB4C$m13nDDJ$DwtB<1 z2^j}xq^3#F%!p;5Hp{7Gjx)TbS_wMQpf3!{^OS0?Smgz`QXx8lQqU>E7hZ#76eLAX zP$%3j7UZT+o1YOxDcLH+2?RPxu^orTDVettVQI3SK~v?ZUW2g-7+{gd9ja`oaq;aG z>3aBqX8LGN*Y~jpF1;%cLz@_-!6>yTZyc;5!Ic8h35+hM$oeGhgbo-PbMnMMcou_! zMH_hx0*A)#K@7eAfc2?|DST4VU<^CrGeH~H^zSk*g+Z727)DLH)zmoHl_behDs7W4 z6KcO;+ug9TH3*B?vKV!mTU}$8YhvA^+Z4=-3`tQp_`!;S5Crjt2A@IHQdJZ3k%!70 zWF65`Vq{Q$)^gfJl=X_v$%!8{yjm{!!C(HIt55$wSlzK$t@v16lk*ckRgmRxFob}i z%keXV-~R3QSashZTduHOlca@qy}%wDyr>-f;&ZH;&F-hpvIcbPzbb! ztpcU5P+yKM+y?+c?^v6b2z{?u$?nqzjV?jb-h-Upb%A%nmGym7L@SLh1%_#v-`{Oy z-_bZB^*uQh_dxZf-?w9U#xA7L;$Fxq0YW16ZjMY#xeGMjvdsJaQ&LM%fG>ZJ=7{iL>BXF(05CCf1i4>#5juZrzQ_R za+&=8A5+LFo7alXXTM@xD`IKmYLCqGP;r6wY%V@s^Ut?7<@2A?n_39>faFeL&m4Mg z#ddAt3=FbOOypXWUC!OgCHzp(oi4El3ZhN8N+UdPLHk9YzSC0GC0V^@mU~#sYnsuJ zbiN>{C&XDwnon`_JMIh{d$qzYT)J(8XGpeIi>(t@iz(*b98tM+Swqh-p@p<=u}3|c zR--at=Azae?!=%-GunPjepAr)1EMbGG6ay~5*f7&2y(@3*AROxdYus0AlnsI8ezva zo1h{pwruYL`s0$W9pE%I5*sWE>jo7D)K0-(S&%cN*QUgNf%3qr7F4x|vNNh0mWu#G zHW=9zg>wW^$xnYN_=o@F#~ACsgK0?V2xOU|b;qKzNVZq}FMr}-y!X4jJ2m*)?;OxS z{C)D^i0e16cq+Cu)(JD2bNgh<=Dgs$Pq#RK^85VqMThJE8*XlFuHu9weSt=!g+hp( z7boB1+&%b6ecuO>piny?)FAGO6#oLIA}Of#+YENM-p&%B3>fMA&;l(GddJ4}+pCpe z2VM7dm3ytc!?m}M3#8n6bUP`m5n3YJT~E)Dpp2cI6+$wUkoTu_#T#s$(eEa-dXJbF zctVn|Bu7O?nuoZ;Vzo|~9cILL$GAFYTeo!UnAX|gyH7~YHw*_EaeIQg{e*6RN_(?G z8&I*P+_u8X8;s&Qz;S6oAp1TaZ1?8p0d@#iFZV@XVap1$} z8P?E8HVNzYh{<@)#imF9*kh$Kj+};-dqnif3o2(He{3@hR+P<0n1(=xOGK`?%v(l} z1npf-F@B1zF6h^qEBy@b>kQqg~oO8)n?qNAy1sj9xZW{vp=cIVbPf zoWDHagjXzPU&k44@CF0+KLqhdUne-4fic9=EwWcpwk9+qvb_qglDx@YF#pTf{O~XC z_`Cn~XMFmrpP=}R_rCsh#O(tl1!aGLypB=(E@E3DOhs23v`&tHG{s+Ls5U|b4%)H_ z*^(+3|G;KkL*;vPj*Tib&x1n(KWAe_7+#DjYoxAe*EyTaBGoasuE4EI3TsLBMa`S5 zh=Ctdev)xjc$9gLT6e5Pi3=SZ$Tw^)ZEv+A0-uo#Vf^ewDxiwC`g+VWvD zV1h&pEbOcyJ)Y9Z3O7@fnT74QNF`}(7hBa_bRJXxibZUIZ{jUhEVab$TF$O}M3W_# zuX^}iNwMfqLCUmkIZZsKqQy`Jj3t(?kkt@xkRjU`(fH(^!mt#UV_?@c?F!g4iJKOj zn*sY_jIuq@E#{SjHM5YnIo33w+gLbBgXrJj_buGk=O?c;zxscE$Zhvaw&6KNBoXrk zL#-)whmZ;ceD8w;zW$Xzz<>6HL3d0P3J4s*{Mx{(5-MXt+Ph;@^qHzTPrrFgzuV(y zA763)v)9n&Kyx2#?j)qR#}T3L8I}}i9wPPT{`g+oDv)1-o%nJHVx%>(5NNTZT!s_~ zt?z}WrgS8RCC%^eAW|T;Mu=Td@z&_$U$pLc8%!AYhTzWi+g$^{fmxxE8dL+q*j@Lm z4{;%Rl&1{#piB;s-G+nV0jYaJkSqzb!37UEJespN*rySD7__ujNB_YdoB5jk_btY) zPwWaADnWMymbTFT0DHS7{N{)>Kf-x&f%EQ^CQUK-Y?@U=5DKcn3?n{c@c0R}R+zrR z$#U|ikC8F14Pwe`3jwBl0QDCm|qj*&>0gP?{oU&uX6ilL3^4o_)s9O zUBbsD?QKQL0X_3m^3TV3Ck5+E6F&;j@fuwVqDhZ+k`XkT@T8+#8RTw3WH`jRP4KXw zdSl}}>)^%$SFzWoY}EmIcFy}v&NWALFJf%-hAOnNZc6%tAp*tboeBOwyujU`;lw$M zD<3~!Qu{5{n_KLMCm4$rDSZrA(7mU*dugGq7kv0f2ej{e1*bivvps5~#x1X??+y?; z#OMg5~@*p_4Kgd3XlTul1ynxAIN#>eZ=8}9HqwNJ@I-<)i$Qns~zCrXf zMQtM|8P*H zpW=-F_-B93YVi{wgIZ%H3QFV@xS*T2P{HHTh~RggF_`bOI+!6ZZ)o-=Ob=>Q-A4{O zbg6jyZl8w_riAZ3C1%UN{|^Z=`}^NiMc(3!0HNPbXbFU&(Lx|eKnuQYE3WR_ByW*O z==&umV%HuicMF^t7*Gj;)|w*)iJpPX87qy{hDNF#bJIej?&o1qZwff|o3+UIe%vkv z*`X#{qt*S0hLSr|@GW3Ui2x1?&F7l|X{RyK=!Kw`1qa%~TDEx040E=Rz2_p?a&cCZ zUtO`43U?xD?$#i8JAM7(L$19Jx4I-VyrNs?pWIq!Tk zqM5#jSM})z5hWS*%@tSw;P4l}e98a)gCFy6|F{2@AO7TLl>hK62nE#`9vs8({kJ`y z{nm`He&u&q+K+#wACBlbF>Yj2%v>V3q!(p4GYjWrhH)sdA2d83 zHJIUynQ3AVj?vQr)1w2rae_s_V3e|*3V7lsNFyRJTg)??_Weg(Z`Y_%Kwl)dMNK0# z=_A?4Mks_FaxbMb}AGG~nIC znxY-h_zr;#@C+Bv^qGwWiW5xR#})$&FM>!h^(4Ae6nczj`^ZLM_9cOB5p|$-NUbay zuOsjx^2(tTCWhltrw-=Q*cs|p$4E3hzi#=#|NB>j%O9d~5Gn_eP(PX7J7w7pX70cH z%VbNL`uHQ4{$`FfIV4O{#_p7lzIDu3pC0hecR%E-AM7!WK0<9ycv%I=`Cmd8fqKi0 z?y+JQZSG)3D0BxXh3a;I_>0=O*OlG9-3GRJyPo78tM0qLt^y%?2n0R=K4?v;<^5>59J*IDgRgRa{gTI`qwI}|0|#e)P8A$eEbkcZnZ$G0d)MRopBnt*nyw3o1|`~k zgyn6q2YYY_>^ZbWN-wZb-H_F}rWf5XcMllW7Z4txyb7sYRt$KcUJ!?mFq1WHwxsv| zA?n=3ofUAaaUTjPRu!E)q}46%$mQa-W>38&J$#Ss#TQI|tIy)~5$5!B(t1pHaSGo( zAb#h+23OJ9ukgL)SD1zPm$fUkk#uu_75y7VX#?6 zB-dw*AE%`LSLk!c=K6j5v)8P%eahr>ru~{#{to`?Ior(`DKd9ig>Y;y z*~o7*G(M+s_vzc0ZeO8R9>?nO9T#kJ>RsXGF*$7We^8xOHOlSVhp%ZApE7$;kr zdW4n%V{1ca_Ha9sMkov;B+(XqWl&87cCn-iEo9!qRVLE#Np(x_AS9L=yRryGic|Ph zmB;WnVYS?{d~?J%PZlW4!+#Lb_yWtY8Jy(!HzvNc@gf($UD5_7owSIYj?Rt<>=L)% z$J8Yr{5uT6fT7a*1;Gf z(@14-CIb$;FZk!%eO~|a2MC$$`n(D>YS)nyI}1%ny-Q_{d#S2-tq|mWzM$ooWBf|P z(A=>(Urh03K{U~%m7vizeIckjpF?AgB{WZ;N({^T7m^kVa)-D=?DT0UcS;-Mp51X@ zIr(xbV+VP=({DR3Zzb;TpOr}h8hTn%nu2{g2GbE)8F7G5t4-=@h`r93eQ?119DE9P zU(kvMyU9_(`_${#=sh^8-(eQrFR4m z1}uNRWbZ3B)pei#*RNQ<*~1H$2(eG+S2%kE)`=;;0TNT6T$UOOB-Z(OTl=mNyI+IN>Sfk(@lr8FQ217_<-!iHKm_2oJ|pv0l%C- z;OymJ@#CNV3jh2!f5YXg8>G&V6L>JT`Syo1o__5iUw!9>k)2b_U5ueg-VCuwvD%7m?PHo?SqfAxov^Ts z3M;bcN)J2OP}LDZ)u;A5B!?8E1y-o>w88vNb2zFfi-c+tVRklyo{w@1tTIBF86p^B z)d5PHgjPTpO0I>0ZwXvwpxPd7BymO-`3iW49pQ~bV%dzG3Sm0XL^w{2Rwmol#0*VD zB@tmq*D4Hc(>4ZLR`KT&?tHpf(D(@6%WYR!<_wCrA;~^CfH7WBACT=#8<2L6vz#-g^@z;v@FOr^MkCvd_-wJ#M&qm2)uG#Me)_Tb^@rASj9% z=byEh*{ArHjaQ|lje#~Jq&sKTgd7R*)gy*~XtMd(r=H}v+Y8e7pP)GfF(zmVS`_BN zgtisT_Z@!p@BT0T^2h&~Mt@GY@AKg!li&T;5x@J}Gyc{0-sPQd{t532{utxQyY$}Q z=Xe{Sg-b6|vO0d2uDC<-D!x}bYjIyOJJ1&29!_$+J!-IX49-y__1r}ll zbh{x3&7Ig;W#S$dwGg`{!toA!-u}d!g4?-ZVF{#`RGr|flNK$9K!l_B=#3||gE77X zt5RW@mhpXYKTG>1f{We$I<0qa_M2LY-YIP@zm&H3wU>LY3qss?WsLiX+2DTmcK3uM zv!g)rkxnVb$F#AHo(gf}77xp-lBc-mFEPG*2%o3SeH**GVbGbpE)E%#pW;03v-!N? zV74V``{+%D>(>|?g>gKhi4#m~Oz>#V`g}rFzQO1n5~UZk(SUYSqaXFDF4pYZbLwiJ z(P2(=XA_PZaC+F~lG+{6voZ|XLTZzWgh6ja6>ll4K6o+B#fo6^gw^Go$|b@3^5+Ohg+P| zA6fM3hFjTZXq$*~jcq=om3J7M15B+*eSzurK}ek1q4Wa`nc`7FCdibDky|*nMe9lo ze?wEanB|(i{ z#Uv${1FCd`D{NY2A_7Ix-_WluOxwh46_M9b3yGL&dDl*$S7bsEDPFpVxGQ0eh(;9~u}Nh(?-iq3N`V z8O@pB->c+>| zKs}T=Re|3qlG4B$2-;NQNEamG9?d2e4Z z?H#g=h!!ZIp>9%Yh_;xO zS($m<_TiWJbLwL6lca8AA+T-&BgXj0|9?XxkG|kcmc0J#ob6i!5f-Gapf}7#{8Brir8Ra{L}aRD5p&1kJO{*d~?30AHSqpy(K9Jn(Q9g<#63$Ia8#W z(GH*vCSjJ~xC>ZRw5gAkB;1Z7+~@=Odl*TJz5?0j-1iZ$*%BD%M9T@hE$AH0xjaz& zM~Hflzw}s%CDrx!#N(E_zog#e%#UhDYC*DvQQ$~>%1kM-p-SGx|T z24Sz!)dc6Fq0&<(Cnb?JWp_wXv7}Xsb`1Q(4|uD`fhtnEH&fb& z4rvZJvmLXYkoWw-f6P(hd93*rmwH*`19k+SFpkvHwk8dbM(BRn}Wf~I3 z1#0R+T_P%jk?Zo12ZTn66_pIC#mH>7eSncFTq8j{HiMU=atEDMh@DR!c+8p|oXiky zN97ynpe3BRj1$Su(|BEqH5&7u{(g-$zQWZOt`0%j=!Xa`jK^rGG=FYn&`XxjPWkWu z!)q?T{7VKaBF;6Pv7zhl3EcyAr|@*g!GDfEJK*d`s3@m54%A7EGb~{fbfvUd|Qf`BzvA$?*JF-27-G zx_7vqhd5cHwMVhhys$dPpTEYiE$4TS=DH_$o%p1^iBEFe&jsrfWI)R&bKq01R(wik z7y>Pgr%ldNHz;`we5l9S`&??m$#de$VENlQsuyJTn0~#1ddyJ_?b;#w>WHh4SDXy6 zC+0Kjo`1SOVLrQJKADo$=N$V7v@@qFTP_xwdObmm3xqN#W&zfHf)hwcZI&-w^1{bT z*0^y)G|VXHV`k!t`*MVswnR-r-5JR66!aC{eZchB3vU0fErC&Bdj>&g(r!ztNsMjY zGROt_O+)aNLVT~;KbvsUZfK6rX|6LSpKVFrg?PS1%7XgV#0qQLZB6(*WV;@S%?!h^ zC>)!KQ&W66VsetATSeV;RJ($3-=Urd=sHArC95kb&L<4%pWTsbdgz1)1G43?;IP zX^k3Gh#?xJJs=X7KpAXQgGob@2AGo-Ki(av4moY8aGZ>B40a?5s+{6z$!s@3B$8d{@#7pr zk9lCqfBxV9in?hq-G)(g!b#n7FDArdLxV(W=n)J&#=#!f2sUTB$3CC&kk*Ju@Ny(D zFW;bd1Hn`gK09Z7ZE*T)!D^-W`WSZgl0a>lMIo(s%IA|7qR)`%{?Y6QPd1XLJT2;H zJ?_)gtWl3XKc!K_W9KKHD6*hY3Zzy)CoQy)kHWP06h+e<3B|kpx7_lP=Aq~P`#m#x zPjEJ2m_%gTmRd-xwr4(x$&Zg2rSG{*PndWbeRM{BvnQU17=t2d945|&yU8o8kMGd- z92rLR4{M@{pz9pWAm`!#T~kYs&Tg?@oU^^xj3=7yPa`o50ssIY07*naR5g=ngK8bD zBqfS0d}-2YkAM{fA-%3}&yFc_jhqR(%*Jwh`iC0hvjtXP;$owejWLfgf{w%A+~7VN zsP;2Pv8HG(%p;3j7X*uf!JFW15_)HhJ%Vf{c^?a3yM{(>*e9Aizo$9W6z@xlZOwO8%J#;jN=l^h zK$$w6+Av#A7&#`wj%b|$X+k(rL?!Iw2xD7wzje^-9M^29MVWtzvFqS*d7YHG{RU^=o^7QE2y=BRuIaP^58MCG`i`K{TRbnbghq$T1I8deO}|` zH9H5|VvX8r?$wT_=t+`>Y$)i<96?EIfZ+z5ybQ5XM9~cWyvFd401r3rkOu=}6w;B= z_W{kyAnzr4<&yLXYfJFWml>INMqX*6tin7<#N0%TTyh-&5xP0y*=v{o;Wsb%=HLA} zRq}>3ctppUT~2vpB2`IK3b^+UP2-?z1Cj){lH|z=QCRTp?FMM6MMmA#Ohrp}bc*DU zWctz7fq+iJ8v!T2=E#KSdQ2$i1kO3HPM&dj@fE}5bB<18rq5oW<(G`LLnohcyl#kJ zd`+2oJU@>yj!rr89Y)>^_jJKnjxY?%{GA-+Q`}Yk+~GZHb5DL0t$K0*>6a&$qq`(&7YRxF|2(S=kPHN3*@9#JcI#TB|hTA_Pr(@hc z!HlNtR}n$`J;U@hBL9dUpHu$y0X?^|)@#(o1?{^BTJH!kYzTdmB%ENc6L=L9REoh0 z(K2UuD~L8Xh+odxr5Q`7;cA#OnF?$g@R~cyV8%(;v96Y!`S+;P=T!9`ueH! (cS ztQmun)I~=tBYag6TOpz^5tWN+fw>5&+m5PfnU)8tXJ>GqBQNLVS9_xI5#{?G^4XkD zCq(Up#UGEY43Xbp679MDaS(wq>k4P^g=F@`qLD8!bj;!h006mci zyQTLmW~Yy)_|vh*scocj#t^&sZo^v$L)vCcngpk-$)!gbx;#5AnB*bI zfO=Z9h>p0m8|L;kq$c~Nr1@dR?Dd4sc9DIKV@uk>MtT*)LBeRvB5T>rEMnOa2nj=n z@GR;^VJd^zGuSm2v$jNGF&G}cg4WZ-y~7aMXv-oV3iS2_JvDKY0bfN}j*VHHSbag` z85nknXk8dIgN_lkrdAfJ9JnbJN7+69bqdYRJ@XeajsmQTbsz~_jdSprjNtsG&oBRM z#-IN7HDCYw-!m952pR*wgzbBS^}-{vf6r`)d1xm{zs4K}=yEKnDbkeb7_8xh|M)iw z>HU9xoCI~lPEJU7??5~PMTVzX*>63~b@vKC+HrjT0wE+}DR_2lupN!igF&xsly(rM zW;Bau2Y~OVlmTCM>h)4em`Z2GjHIMcb z#pCBZ=4Bt5caMAkc+Av3IRz1Dq*UXTM32^_;;B z2}S{q>(buA;#EWX(LpQ>tV2ov%@J{0Q3O+7j7zH7obonj`aHtyU6kQr-z8XI1r#?5 z(a2}Bu5rs2iHBiWbVA~to7B0)jS5Ip7zQkBjFJ}i!xs08BgRQd;vUmvD?HyupHIoZ z&+yJ_>dqlBa$rF#dSt(*E<)zd3ijn0X8oQ`>Ellf>W`XHl#r`8bj_N@q$9CjV3gN{ z3y+7Jg7J%r{%(#Mm#BkAH$B1U7OQuHz~7S_uW9q|sB8}}+0pBWOfhAZy$ z2`&l7R^rSB!|je}{+a>(Cj!`q9v8D_ks5^Ib~(l{}qhPW2&m5VKpk$s6VvQdWv=H6fs3!>Q_vW&?@N$h)+mO1y4AMcG zEqOO03_2tST64@~G*IIZOa^@4rYU{gk;NqMkbz6m^z>L@7W6xf2ug%jBwf#7wA9xb zVrP?88tcr*bZp#_#?%(U0J5E6^%hb}hAcrf1L}h$cNL!2WWk8OI?!!uJX_M69;o^; z#NQ93d4u6~khavlA}|DL8zD`NZZy`!;m`@jo`qpabZjwcG=nFx1`DNJ8eN03@RX(z zU{)@MBN!}b+6>)0C{tr$k@n#FJpRGx98nKcBB$D?R1XJA?Gk$flfY-;jrsbwXAJTP zZx-UXJ);YkH?POM`SLlx{p!DA@%(G7%@XZ+NGoCYpjjh%)xM?e&Zx9W@Jw;I-D0{X zaoSPq3BF~Knl9P89cj`^GHYrUU!SunB8Ftg zr3 z52#g-`O>CO3%n?%>#vdGoZzLV{;nr{-t(~?BkLa-YmZ^PK(_^(!=C8G!MH6^Cnt3K z5`!(_c)_7`u7opi>I$qApE5Nt+8+_t45>;~XJ8(? zv}KC$24qlS?me8>V^()1llDM6Iig%8OkOIs8xL1~#EFmC{IJ5)E#54pte!LPcHF5M zr}2ii^r^c7YtZygPo0i&yDLiLgu34n4}xlBaCm#i@u)=jFIZGt*7*gKi#6+;7~^;c zmBq*~D2p0v=@Pu2)0>i+oAADW#i{s6pMODaRk&S8cNAg_IbAjox>LHoB6K=xVPfSj znLEP|Th!P@NR2&o#Cb=lm-vU8UQIEu@i1uOg0l9>ZE(t((j6nTz$jBv5i&7zDq)j$ zEyw0SHH`7Bo+1y4MGmt7tpaS>GN=)9EV0v`#uHd(3$07H+mp02`k_W02G*TJFMC#v z!C++MMUR)}RN6!sCdNgDTL;*4o4PJ=)tG$eGI%YkPVvy?__jh8IfKpP`|UAe$k-Dg z%8uG>F-r$qw3J%n*#@!~bWV)XmN?$PCY6|uz^eyZTYyvJ_ZFru7<52SixEeZ>44># z)Usx%JVM80)0KFJkD+n~Szr|k%k3#U18uuhs>bUql&dg{4n#v1OClcMWRvT*LfMJ@(?<6ofAJe4mBeeiP8wk`>R`=6rD=|J9@09pCLZ-F; zx$D!Pik;MtsHsoKex9NvovE1sbG2koM5G78*kza5_~Af*-7x!Xj+3|K?j@?bCU3`F z&Jy~5K|gninj1Rr1+}V>q=bGzZCZ3~iRwIrE$Fml94U7DBdpE$l$Q&{@9!{AES$<< z*Mv+KH9B(9<(MWk@izyGcud@E$^0?nV*~MBLpJVdt}~3tA!;j{dP@4w9}tTG+xF-` zR=93P<1Ue#8;<^D&gy%YxJ=;lnChSiO$)q+@&}*L+pte(_;OAB{29CJlE7_o=N|pR zU^Mqp#F&eS>s3o{rsVeuixWljK_fmN(N_kO(4r>f$XZj)zakVHM%w0Zcge{wuNbl! z(~~iWcN+h=q3l{BdWt6I*`nZKcf#_bV3iM?oQ;W3M@Tv5AZEmi2GN&x9J9wX ze59E%9z`T=hjUue^^*C>rtt%&M>+F$iFq`|Ix(p45?UD{W(B?x(o8#woe$FrbKj#( zN!Zu4BMa3%{+#NpCkSkk)+O%1^?C+nUl z>p2@5t~M^pb(x5PVr*cwxA-V*F{fF#jE*Ip%-F308ecJ18J!toTRENkIA(gLN#8p# zlyuUe$pxlt$drMh3I+?@LxnkeOrkigg^Cq*r5VQq!`7gSY@DH@#zA&qC{0xxL}8EJ z8Z=r^8iMA2O=bi4Yn1O0&TP6&GCKjIHZjDALnW}5TkOuoZWhc>mgvf0JDOn*HHI=V zs+z-njWx{KItqhjbMQ5d-{Y%0?sF5%0h1O*gwEFJaLUwHd|TM8fA}k62R2>JP#2tY zia+u>znC)n;xjg@fG?j}92%F?lYr6e2xSE1GQivJnVq`K&c@{Fn3uXl$FJC>D-I$- znTn%m!m}@y{Q6?d-+p|?hwFb}Ti!ENEtcG%9GD#O=)==W(&hCN^#p|RuSP?mBw9X! z;q_zD(^~)kIzFKVmH|pVMMHQ(!K=p(Pdyo#FC}ac%(cd1grPgaTJz=W5qCEcC&v}m zAz;9LD?K|Wyf|KVI8)dow|J7j5xC%xUOC@74O+r z4qjekpT|s_g1z;IqoXT&{TyF!sEj3Tb&D~yq~VBVwkDGkgke#)2h`=~M9oKpc!Aj7 zppM4OWWsIgVY)C~`Z$e7&PMFtZ<$ijJwM0obF#w4?HjC%5T|aC)`ZT?XbvOnvA`Z1 ztk)hhZ;wCK=$(gD5&PW(lZ%j~@JRMsW@bxkTyS!B&EUO&I>&GY?b#{8`X}zX1%Yny zb-^%xN&E0ej5h(*dW`3n$RNb8Gj_KDFV9*`z(q*VEEJxECJrlP>G(K7v zh%TYYd=9F@R0?fi;*mjXt)!$8j(-hnp!Bb;5kVqk6gIY|^6F zHG6x^yv|vh4hz>n0lgT3(Dc5<)Phz!G+v3*M0B#mwJo&fF}={5Sb9K73zq=x3amg= zH445LQ(G>JeqG>P9+7_-==KS>-5;p3gz~WC{r#5q#~b1!n}?$0g|nyjf5G^W(rTYz zk#Y8`vnM>1;OE;E`jeqpeJXaJ@GVcaluy^l#8b1TU6w zUqCA1l#EC(sYHqGN?K>a=5E95OUeB&sNMAn%(!Ydsf;uoBl zSG>Dg;vKI!yl)Y`pok^YxMlUzf$h*e?6uNo@2@Z+>~0+@uM|$*D$GH&|3E_0t094FtLs>mrEv9 zgZXAkpE-n=Hp9vR+sAUCNm|mnLq;Wa22&h{T4LBcLf6KnW{3k+Cg^;dqJi^SO<{~M zs}Ak8P-xu2BTW>>NMos%BJZ)aN$*+&b`OTb$h9zq!qo;@8Q|B7-OwZIoV0T>@)kEz zB#FbA3ON(hup_++@h1wXjzK2WBBIfnrIR8?HZC1aJ)-S8s>)^R?>QU>ta5^z4tOUP z)g5f74(6s|t_SvE#JQ;Hw-M@ML|e6>AN8q98t6tL?H$?9Ac$+qogy?#{KBFN2D}W~ zP+@H~xf*fkB+jWOSyk9`6PXosW`xrSY|CZna@-;&GY7_D!ePB&hy-TVkTrt2Ws@2T zYi48LIn|c`1E1g5!c|){q`F zy^PWA4s+)t(h5VpM7k+e-lKKQXjH?<=HY5Y_J{wQubw;X%wrbAo@G3tS_(XSRZ=&{ z++W`!wk3}1(UVh+U-JDAA88L)j7`Od;+(_7_skY8|MHI+58dCvQ%C{b#2P) zJKSRfV`nq_Oz`e{!D+m~ls?j(ai8s(aUk{1Sr%99gJ*C!Aa%)*%@Edm)Qd}ut9#aV zM4(n|-m}3UJ!!mT_i)Fv zOPl?71Af@zSOM4tgFHi3JC1F^hjic~R$SlAvD_WW{RG$gz+Npmb`K2Q8RNKQ_rak5 zs-b^tPy~{Z^?`Kz3g-NphbzT}wPF{)rn$dj{^c=vKF0YmX3=9V!0~bnH^#N5j87{> z=P(*wU>QB(EI^4RVN^1xfl%l4eN12Vm~qX}l?>9Q{4PZV7Hv7lob4U~mC~Z4pseN? zR!iRsIM#&TEHSMJH%sXJBSwx**Ml>5h^&Dui|L{O*?^1-R4?%k0V;rMP;|PZf9N<= zE%~Bj$PzNIz}ZT?up-+)H~3(z@pcsl^96peAY}tX3xW!YALm$ge!MH+yU=V2Z`MR~ZxKv(_f_sixa% zWHgYMJ*`$)s-y@_7FG&G*t3A+RFm`;;lxJX38WiQbrlC9#{LeSw%n!~28~@w`mSM8 zOR8eZak%CFDkkfFoS>jecNpe~I$u$r`*?kVz2DGe$E;0@;};K@M$C`z0=9qr8=Q&6 z8INg&OFBd}yB#kV5kKY;?XV^>9e8j@>5Zy1t`Yt=Y8Kpr0&q zPimW#@XA>bpJ=o*;!p}qE?w?^EE(H9fASxGNt_x;Egtd55`{oL=G&gED4#BKE5#EK zK>wSVm_~gfAAfrBr|ytPuioRuAW&MMdN{fQKfndxIYR} zYEQoP*dBHm)jj3LV=M=5w;@gcp6gqP`#Y@Bf@{ab^6oJ-f_4RZ0jE=?j^NR z@a_-)gwhl4lZ25-`ImPAMfbq|zuaPxbMM5g<28MM!2UdB|6$F+KfyRn$q5NY3cEvt zzu0iNX^4LvAd*wcA0B9on!~WhyF8;>#dyU7;%H8_y2A-=gbIB-C#@fy?F13c=73SP z*ltH%)P$pkdRJg^M6EI=7Zq(KFq0ZWO=Wq^!-2hP5Fb8J?HWeI8runp)*5TJ0At2T zIEe6+6GDd2Wi~m(^({PW%C5DM{R4LG(F_{Gm?ldY^)5Lf-d?b&Y}6#6PfV0sV`_tD zW8oMIY87FuR`e?atreBgGZw?6Pt35H`3h>t==BUU7P!_JV{~BIrKq`u<(gQSC@)8E zz%CS&HdVJr**%ke3LAmn&2UW3?Qn`Ykxa%N+VL1>a~9E0bj=F}&q1V$L55V`hOocF z&LHtMeqYi=k~Y1^pTc5UvfFmJCj<50KhWAC=GbB!8Vo~EUQU?THP^|6&C*7j8~RG) zj2etuV^uqxox)8kbY-#?9^;YX?%qJoT%!A&buQ?*BXRaPy9a7H(A*ce$(Dz`rmZrD zO+oT@Pg)LqXm_aHp4~&w?aHFw?ASGmD*H%#=D`xJ+i=ZhDN-~0k415V#W7|La;d%k`? zBEezIw~R&;Zu1I+hXCd;LByJq*ABn>{F3AU`2=Ti%ol$WFm>j5W{>B1NTK-fZbeho zk4p>se~o{AT0WrVlhx#D%oPHmGMR9MAp6+CL~)neJaa#C z&F94X2fWjOp$PFW6!jlWj8_3i&osO5ZH~U$qplaMeMux!%7erCpGzLT9r5x{YlhNf zh|i$DK}f}5oiTU^baV_O137udJPK$|M$Fxk@$wuQWoUDXp%Ox8Miy02NTwr6vT1R= zl1_~1RYLCt_(?-+J1DEiaSDM_& z$WLgJ31-`ocMC!{qaTj&><4r|!83c*LE@S=gC(inA2WJW6SM(+KQQupHhYuiATfQD zpiYS282Gm!k0RZ^u2p5-!h17_R7$YyVr?7SnU^M;{Ki7Y7n zm_?M+m=Tj{iDAvbOc}I9G%ZPM(fckF9%%gqhkcFmZ0w;TZO54P?@?XA!7A8SP_`{z zlTrp2_q9jg@7S&jT-U`G{{p3j6KUFQ1BAF;NxSc`P3S*bY$8cS&1h$`lOcU-(B=`2 z-LgCQbnbg}Qer3*>G%Icc+I->(q+pKw%xbw0-T=ES3jqoXNKdCa^wxlT^-oC=eZ z*ZkR+&v`Td_ndt78gKp^9My4e9AlRy&wm;6(`rDl$FME)cUs8D3uB1K(5`soPJNQ$ zK526L$xHXiT>PoXY4vZG7(X+t#AAo|goG9dS}mxJHFMq53xSKk)?*IYmLn8<@r)yL z!={coKkL{$IOy3JoosPEgQ}P_nHNy?wEC3lr?(WfLzM}%IgtHOA&(W^_gnNgCzOBK z5`DR({(VW|DaLulx|?B}AE|?9{PcE@Xs)RpO`2@@QW)feLo}bTzJJf+*_eD^5{a1I zLZgj4WPHKu?GH@PM*Q$D=kwQl@}GV|t=71qM^`EOeuwGInS5B&e!axWw%mT0G56lG zyL!RtHwpWVP4s-i>bsQFS;B@F zQZaZZ94!_8<%CFe?B_=;wg-~&l2JV{h=yfxMzsI{4ys8+K~(C=MB>2q{UiB9m?>aL;q}`h?UT6Uq+85|WNo z9O2ahrFxu&M^$vhfg(>9jE*YIKE-q+L^IH}9`&?lmE{cGfkTpzZO7=s#XT3C&JXx; zK$%9w%Yr^tOdkdwc2LGKH@e~6-ctJxSr^dGB>kbl@XzE&FtXPPRPv z#(c4u;9k6XfUJ;g9A<9B>Irfodwa8H|731}fOj7K1VcmfLi zeB9y*A7FfnkHHfF^sz=7;xP#Ph>8-7w7{?)g}xs6Vt`6qAVtE-$%2C;;ZP&>7+Y@O z;*xxQU|zQj_geN#B-OXtZ}lOk#dNv2+{Qn(-WL{jf+L&pHppbSq2JXIYF%pgzIs>4|y1m zd3K!9dEYSH-D7_BhUV@q(TfP~Excb|BHpf8x##%pN6x--QRy-LFJi*#fb=~^_CO}j zvHBZEen>Yx!Ls+b^*NE7aX3iEp9v17#u-5SF~wkD$dq{I(;W;x2Eoy2KsYX)vKh?-9J@!FKDKYrxCWv&$>|tw z2h2cIsTS=@l(ohzB}3pbH#7DhEutW&8kV&AmKq7BiFGK^xr9@V+~!z8OlrG)=1C4+ zL#Hm-)puO4N({Xvn7MS8$$kF+6?NvybsdWpU47>H4!9Q=00EMqK#8*C(%`_EmD&CR ze~*8}u^l*ip;MRbz@@UDRPRY32@*5zJe+y#b^uT>KIy4ly?gK8E92o|L+_Vc*5q8u zb7tj=Om2WjSExisEClnUqv~32<9Fy*OqTW8ii-Sl$G%oEml~o?m~U$?&o5Z!5L9cj z+m^W1`SP&AXoj?2z@myiL45c(bP?JNt+d0)FVDsyoCaj2W=Xe91`#S;d3~GB$QE%QsvvH|$qCw3SUVbQoVviB*VaH)vKsGP}nhOnkdb#u z>w9d@byRvq*zZw98u>%RI4p>#EfbNTf>W||huh0ZwT2i z7aPv`mh3g3m;wCVdUt31cI zZb%9XbF|NJu|P9JZgvTqjn2RQ`!(l(_!lnbckBl%PT#yDo*j@TJB)rqRw#_pMD!~R z-$XAYwqu}D(0eX+dP!ZlggwZXF7?F1UNy*2kZdc8#3HtHhJzi&%zpgWEQMKtt~YE` zAKh%|oE^c(mR1E^iarzLj<~cb>XNMNSUpUMjEXALFcuvP1ignAY!^9&X){hbEns6Sh4PAFM29i-~r>A+iiE;|0=E$kN7^ z3e9>5oz6n@=#O^9^8h(4$+uHNP14GOLYcS&g-l(9(WlKL%oYDJlUhYR-F2ORebzf^(`KcDl{{h!eaOaEt~1n4?KKB<+a(9uv& z&}~iQ=??GH{hs*r2m_S%`+k-D-Tmsnr?oICnkq*H z8S%Bv$zP`!>HsVQeY^)38KWNttjivg;Es2*W1a^~cFPFsSRz`%S`0`&d_WFe^0{Pm zB#HXZpl4!;j_Az^-6lg$MwpERt0c`U{JmaESQqVtaF_$~GgMGF}#!01^mx|z^L036$ z(cng!Wr&e}M|AN~m*6khFvXKd~0^y~c?P+MpN4gJ9_lZt{t{zLok7+G*NclPs@Nhmc&ht zwVrXCAJG54Pdbk|>E+n^kh~g_%N=7)5i6Z$)Zdt7 zP-Z4h6p?(G;-4vYGZTATk=X+ZJO)n5{eLy=?X3t+7iCuD(U@tTV*4F#d5ltP?%%#* zS1&O(Gd!nd73?$SmQ+5+tsl?}hxPweG;^EsYD#;vruHPVZ7`I@eWtUo-w?JTwb-M* zoWiojHwx@S3? zKmK}2wfLFQ>wwmp<2oMQuEaE2R(Z|&|J)JSE3#$<<_I&kiS~7(u0^IDfmgB8#+ap| zEBXlC=3t#;*@x(tg03eOO3 ziI*Ot?SZ%F(XH0cUayG zH%jqZh24&+Djy?g*j_taUs>3m#2Xya`Uc)mvS7#EPSMk1;?BmYOqz+uz}I<5Yr;CA zDr}0rMd9vnEt}n1VJVw=A+SuHv~#INiZTR69n-WrdR1c}5IsrJ)rhK3VTTM>75agR z-73gUjPaKGPNEK6%<>N52Z%aEuPc6CUQib!U;pEt_hG*}Ug4bXk}kKThBB z9}jcZ@~0;##FKXD(ECz?638!KA_V;7Yn#D0f6v3+7|-u>_W8HGe15`rKYT;``kxSz zry#ZCXE|q4T(G*l;_yJnIt+NWsCj<)oYzBxY}99cf5X?`OMEZFb8Y?~%&HFOvD8*e P00000NkvXXu0mjf;g|(d literal 0 HcmV?d00001 diff --git a/STABLE/documentation/images/netfilterlogo.png b/STABLE/documentation/images/netfilterlogo.png new file mode 100644 index 0000000000000000000000000000000000000000..aef7adacab95213bf9679d9e2f70bcaa43c16aad GIT binary patch literal 2456 zcmV;J31{|+P)gY%x0O)W@gMYX3R5YnKLt)05h5Y|Nk(Nr@jCH00Cl4M??UK1szBL z000(rMObuGZ)S9NVRB^vXK7|KaBgQHGA=YOGNWEc4gdfM{z*hZRCwCGSj|%#$rT?Y zyaa0w#^u!R7Cy*>ah9Dq5K=D3fdlbJxm<8?;fRlw4y-qb)k+7llyMyCkn+Zkv*0@BbWupbHo8wL|CMhc7f2NgA@OHQ~H@33^fYZ0ky#J;yz zAIBDx8Ww|0lsCWt3ye$@Z(fOr7&gprqbbSA0&n1?%!a0H=+uCMVPuvJz=qc?8JafL zvnNSJo!mDL$(yrG2Po(9zF%P(3>YitEu*ebaYTSLkQuOtj#ogVq@)v*{w1Fecn_c+ zW!}Ob$!!O^Bpf;-^2RgSiXE>eWx> zRLX%hS*syQx?~2~9m{wlwUY=Rc=fi$iHAg*J}8kc~Z#AqrW z@D?fpKmMEkFZHw zd=vuql$v;p6#Yg8Z_<9e{Ki5PF@JI&UJPo`E#<`PWKXVZ!J{=1f)jG$BX~zcQ?IN& zpAw&&q|in7p2piQIlJ!vEBN1yDlaw0(7)DlVrz3yxwutizgU}(l=I6oR(j)db};ht zPv`aG!iA8reLXck64b*?sl^fBn^D8c#qestRoshMc_n8h(#1PzBR7x=>kHnnkxWM> zrap%M>}DhJw(-wQnYEYp`GPSu3aJCJ+y?)q4-2{p3cT5O>QFqlnbpMaVe0(s_joZ^7I2M|%ny_H zdSiBfv0k0$u#LA0LDElY*#<94jvR#-XwU0Dj`yL2?VM}H`+N&N9W=BLZ6;zcaO7wU z-W0mY|1;hhKdpFs$@}nfCp>G1k5UYk0tfLKQfrL8mG|NMsaQt?v=wO%{96na1g3CO z`}ui{K!9#PI`9>W2agDuefW~V*IMvo8>7|+&-exqU@ds6oQBviZ2XpuCnmH7j-8}@ ztmEGjeiwCXHr}zdb}DKPohem$X8I^&&q`fXo#;iW4!nr}nAc}XUy||IG2nH{k_KMQ z%hJ;e>9Q%sU1jscDG!snBu)F)Rg&f<+3YG>Y+RxW2MQS0)db(iFdlp8shCKtvmtCoYl&$>P(SXW=4T(y1d=PV9-a_s|A^3nJeY%SS=m~Dxie7!cr4n_{K zjES#1ObbDO*Ec&XIYYczMa(U}ieu9^Kk?`VcWvVb3ZP#&CU^&@C(ww;rq><)GVSO^ zhl%&2r^Pm8yEDE2J?Y_i^fdeLt_ivNj*riIct3K*&Xw~CxdT0~ zG*6Ye_%3(q9q;KmV(Uy_+gIVlnGtq6(U%)F#}Uzo(K~QRzk38dw;rc&mbb&{*=QZM zWS6$X=u3@yZ?4wUWz0#B^{$V6QorN78_xlrjoW+I%;U#*z4&?DCq9sESQ9_ksrc9ZqTQBc^2P`Q}MXy=&=O5ol zC*+Cx!Cb{KJsHC@c=6Hi)}v2T4{!Q&s`}gMt#}l-OHcOUUV(+sV=w+vs6nIxFILkh z^Xp&t=KWbSkt_7>^lZgev%y(aAAxikZWMbGNPhWq{o-HOw?ju0t)~OpQlF9~*%@EQh97vX8vJ=l~7y3bCKFU6c-$(e=x&=lAyB1Nx6U$qo(xf=wMJk$dwTcDz=w$ z3U+y}<&6Tf=>sVd6XPla>FWoLB6F*i(+d(^x5yDo&OkgIc$3T_=R{k4CBSrZ_eRXkUty!t#wO*N)cL{4bxjK(tmo$Kay ziNGax<=JG0DtB*#h)#yVaVB}BN>6Zr%`+f&+S1&|XglC-caC;GUYE!0S@Azf35a8! zS7q`oiq~7M6D+Gb-)*yRPmsTn{%_D_$e$ksBl2Al-}f~T`(l>8Kz - + - + - + - + Mailing List Problems - + - - - + + - - - + + + +
      +

      Mailing List Problems

      -
      - +

      Shorewall.net is currently experiencing mail delivery problems - to at least one address in each of the following domains:

      - -
      -
      - 
      2020ca - delivery to this domain has been disabled (cause unknown)
      arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)
      excite.com - delivery to this domain has been disabled (cause unknown)
      epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
      familie-fleischhacker.de - (connection timed out)
      gmx.net - delivery to this domain has been disabled (cause unknown)
      hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
      intercom.net - delivery to this domain has been disabled (cause unknown)
      ionsphere.org - (connection timed out)
      initialcs.com - delivery to this domain has been disabled (cause unknown)
      intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
      khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
      kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)
      littleblue.de - (connection timed out)
      navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)
      opermail.net - delivery to this domain has been disabled (cause unknown)
      penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
      scip-online.de - delivery to this domain has been disabled (cause unknown)
      spctnet.com - connection timed out - delivery to this domain has been disabled
      telusplanet.net - delivery to this domain has been disabled (cause unknown)
      yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
      -
      -
      - -

      Last updated 10/6/2002 20:30 GMT - + +

      +
      + 
      2020ca - delivery to this domain has been disabled (cause unknown)
      arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)
      asurfer.com - (Mailbox full)
      cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").
      excite.com - delivery to this domain has been disabled (cause unknown)
      epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
      freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)
      gmx.net - delivery to this domain has been disabled (cause unknown)
      hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
      intercom.net - delivery to this domain has been disabled (cause unknown)
      ionsphere.org - (connection timed out)
      initialcs.com - delivery to this domain has been disabled (cause unknown)
      intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
      khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
      kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)
      littleblue.de - (connection timed out)
      navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)
      opermail.net - delivery to this domain has been disabled (cause unknown)
      opus.homeip.net - (SpamAssassin is missing the HiRes Time module)
      penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
      scip-online.de - delivery to this domain has been disabled (cause unknown)
      spctnet.com - connection timed out - delivery to this domain has been disabled
      telusplanet.net - delivery to this domain has been disabled (cause unknown)
      yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
      +
      +
      + +

      Last updated 11/3/2002 16:00 GMT - Tom Eastep

      - +

      Copyright © 2002 Thomas M. Eastep.

      - +

       

      +
      +
      +

      +

      diff --git a/STABLE/documentation/myfiles.htm b/STABLE/documentation/myfiles.htm index ed93a3856..cef30a5e6 100644 --- a/STABLE/documentation/myfiles.htm +++ b/STABLE/documentation/myfiles.htm @@ -1,133 +1,134 @@ - + My Shorewall Configuration - + - + - + - + - - - + + - - - + + + +
      +

      About My Network

      -
      - +
      - +

      My Current Network

      - -
      + +

      I have DSL service and have 5 static IP addresses (206.124.146.176-180). - My DSL "modem" (Fujitsu Speedport) - is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) - and a DMZ connected to eth1 (192.168.2.0/24). 

      - + My DSL "modem" (Fujitsu Speedport) + is connected to eth0. I have a local network connected to eth2 (subnet +192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). 

      +

      I use:
      -

      - +

      +
        -
      • Static NAT for ursa (my XP System) - Internal address 192.168.1.5 - and external address 206.124.146.178.
        • -
      • Proxy ARP for wookie (my Linux System). This system has two IP -addresses: 192.168.1.3/24 and 206.124.146.179/24.
        • -
      • SNAT through the primary gateway address (206.124.146.176) for  -my Wife's system (tarry) and the Wireless Access Point (wap)
        • - +
      • Static NAT for ursa (my XP System) - Internal address 192.168.1.5 + and external address 206.124.146.178.
        • +
      • Proxy ARP for wookie (my Linux System). This system has two IP + addresses: 192.168.1.3/24 and 206.124.146.179/24.
        • +
      • SNAT through the primary gateway address (206.124.146.176) for  + my Wife's system (tarry) and the Wireless Access Point (wap)
        • +
      - +

      The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.

      - +

      Wookie runs Samba and acts as the a WINS server.  Wookie is in its - own 'whitelist' zone called 'me'.

      - + own 'whitelist' zone called 'me'.

      +

      My laptop (eastept1) is connected to eth3 using a cross-over cable. - It runs its own Sygate firewall software - and is managed by Proxy ARP. It connects to the local network through the - PopTop server running on my firewall.

      - + It runs its own Sygate firewall software + and is managed by Proxy ARP. It connects to the local network through +the PopTop server running on my firewall.

      +

      The single system in the DMZ (address 206.124.146.177) runs postfix, - Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server - (Pure-ftpd). The system also runs fetchmail to fetch our email from our - old and current ISPs. That server is managed through Proxy ARP.

      - + Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server + (Pure-ftpd). The system also runs fetchmail to fetch our email from our + old and current ISPs. That server is managed through Proxy ARP.

      +

      The firewall system itself runs a DHCP server that serves the local - network.

      - + network.

      +

      All administration and publishing is done using ssh/scp.

      - +

      I run an SNMP server on my firewall to serve MRTG running - in the DMZ.

      - + in the DMZ.

      +

      -

      - +

      +

       

      - +

      The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, - Shorewall automatically adds a host route to - 206.124.146.177 through eth1 (192.168.2.1) because - of the entry in /etc/shorewall/proxyarp (see below).

      - + Shorewall automatically adds a host route to + 206.124.146.177 through eth1 (192.168.2.1) because + of the entry in /etc/shorewall/proxyarp (see +below).

      +

      A similar setup is used on eth3 (192.168.3.1) which interfaces to my laptop (206.124.146.180).

      - +

      Note: My files - use features not available before Shorewall + use features not available before Shorewall version 1.3.4.

      -
      - -

      Shorewall.conf

      - -
      	SUBSYSLOCK=/var/lock/subsys/shorewall
      	STATEDIR=/var/state/shorewall

      	LOGRATE=
      	LOGBURST=

      	ADD_IP_ALIASES="Yes"

      	CLAMPMSS=Yes

      	MULTIPORT=Yes
      - -

      Zones File:

      - -
      	#ZONE 	DISPLAY 	COMMENTS
      	net	Internet	Internet
      	me	Eastep		My Workstation
      	loc	Local		Local networks
      	dmz	DMZ		Demilitarized zone
      	tx	Texas		Peer Network in Dallas Texas
      	#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
      - -

      Interfaces File:

      +
      -
      +

      Shorewall.conf

      + +
      	SUBSYSLOCK=/var/lock/subsys/shorewall
      	STATEDIR=/var/state/shorewall

      	LOGRATE=
      	LOGBURST=

      	ADD_IP_ALIASES="Yes"

      	CLAMPMSS=Yes

      	MULTIPORT=Yes
      + +

      Zones File:

      + +
      	#ZONE 	DISPLAY 	COMMENTS
      	net	Internet	Internet
      	me	Eastep		My Workstation
      	loc	Local		Local networks
      	dmz	DMZ		Demilitarized zone
      	tx	Texas		Peer Network in Dallas Texas
      	#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
      + +

      Interfaces File:

      + +

      This is set up so that I can start the firewall before bringing up my Ethernet interfaces.

      -
      - -
      	#ZONE    INTERFACE	BROADCAST 	OPTIONS
      	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping
      	loc	eth2 		192.168.1.255	dhcp
      	dmz	eth1 		206.124.146.255	-
      	net	eth3		206.124.146.255 norfc1918
      	-	texas 		-
      	loc	ppp+
      	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
      - +
      + +
      	#ZONE    INTERFACE	BROADCAST 	OPTIONS
      	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping
      	loc	eth2 		192.168.1.255	dhcp,filterping,maclist
      	dmz	eth1 		206.124.146.255	filterping
      	net	eth3		206.124.146.255 filterping,blacklist
      	-	texas 		-               filterping
      	loc	ppp+		-		filterping
      	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
      +

      Hosts File:

      - + 
      	#ZONE 		HOST(S)			OPTIONS
      	me		eth2:192.168.1.3,eth2:206.124.146.179
      	tx 		texas:192.168.9.0/24
      	#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
      - +

      Routestopped File:

      - + 
      	#INTERFACE	HOST(S)
      	eth1		206.124.146.177
      	eth2 		-
      	eth3 		206.124.146.180
      - +

      Common File:

      - + 
      	. /etc/shorewall/common.def
      	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
      	run_iptables -A common -p tcp --dport 113 -j REJECT
      - +

      Policy File:

      - + 
      
 	#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
 	me	all	ACCEPT
@@ -135,37 +136,39 @@ my Ethernet  interfaces. 
      
 	all	me	CONTINUE	#WARNING: You must be running Shorewall 1.3.1 or later for
      					      #	  this policy to work as expected!!!	
      	loc 	loc 	ACCEPT
      	loc 	net	ACCEPT
      	$FW	loc	ACCEPT
      	$FW	tx	ACCEPT
      	loc	tx	ACCEPT
      	loc	fw	REJECT
      	net	net	ACCEPT
      	net	all	DROP	info		10/sec:40
      	all	all	REJECT	info
      	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
      - +

      Masq File:

      - -
      + +

      Although most of our internal systems use static NAT, my wife's system - (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with + (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops. Also, I masquerade wookie to the peer subnet in Texas.

      -
      - +
      + 
      	#INTERFACE 	SUBNET		ADDRESS
      	eth0 		192.168.1.0/24	206.124.146.176
              texas           206.124.146.179 192.168.1.254
      	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - +

      NAT File:

      - + 
      	#EXTERNAL	INTERFACE	INTERNAL	ALL	LOCAL
      	206.124.146.178 eth0 		192.168.1.5 	No 	No
      	206.124.146.179 eth0 		192.168.1.3 	No 	No
      	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - +

      Proxy ARP File:

      - + 
           	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE
      	206.124.146.177 eth1 		eth0 		No
      	206.124.146.180	eth3		eth0		No
              206.124.146.179 eth2            eth0            No
      TE
      	206.124.146.177 eth1 		eth0 		No
      	206.124.146.180	eth3		eth0		No
      	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
      - +

      Rules File (The shell variables are set in /etc/shorewall/params):

      - + 
           	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL
      	#                       				PORT(S) PORT(S)	PORT(S)	DEST
      	#
      	# Local Network to Internet - Reject attempts by Trojans to call home
      	#
      	REJECT:info 	loc 		net 			tcp	6667
      	#
      	# Local Network to Firewall 
      	#
      	ACCEPT		loc		fw 			tcp 	ssh
      	ACCEPT		loc		fw			tcp	time
      	#
      	# Local Network to DMZ 
      	#
      	ACCEPT 		loc 		dmz 			udp	domain
      	ACCEPT		loc		dmz			tcp	smtp
      	ACCEPT		loc		dmz			tcp	domain
      	ACCEPT		loc		dmz			tcp	ssh
      	ACCEPT		loc		dmz			tcp	auth
      	ACCEPT		loc		dmz			tcp	imap
      	ACCEPT		loc		dmz			tcp	https
      	ACCEPT		loc		dmz			tcp	imaps
      	ACCEPT		loc		dmz			tcp	cvspserver
      	ACCEPT 		loc 		dmz 			tcp 	www
      	ACCEPT		loc		dmz			tcp	ftp
      	ACCEPT		loc		dmz			tcp	pop3
      	ACCEPT		loc		dmz			icmp	echo-request
      	#
      	# Internet to DMZ 
      	#
      	ACCEPT		net		dmz 			tcp	www
      	ACCEPT		net		dmz			tcp	smtp
      	ACCEPT		net		dmz			tcp	ftp
      	ACCEPT		net		dmz			tcp	auth
      	ACCEPT		net		dmz			tcp	https
      	ACCEPT		net		dmz			tcp	imaps
      	ACCEPT		net		dmz			tcp	domain
      	ACCEPT		net		dmz			tcp	cvspserver
      	ACCEPT		net		dmz			udp	domain
      	ACCEPT		net		dmz			icmp	echo-request
      	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync
      	#
      	# Net to Me (ICQ chat and file transfers) 
      	#
      	ACCEPT		net		me			tcp	4000:4100
      	#
      	# Net to Local 
      	#
      	ACCEPT		net		loc			tcp	auth
      	REJECT		net		loc			tcp	www
      	#
      	# DMZ to Internet
      	#
      	ACCEPT		dmz		net			icmp	echo-request
      	ACCEPT		dmz		net			tcp	smtp
      	ACCEPT		dmz		net			tcp	auth
      	ACCEPT		dmz		net			tcp	domain
      	ACCEPT		dmz		net			tcp	www
      	ACCEPT		dmz		net			tcp	https
      	ACCEPT		dmz		net			tcp	whois
      	ACCEPT		dmz		net			tcp	echo
      	ACCEPT		dmz		net			udp	domain
      	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp
      	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3
      	#
      	# The following compensates for a bug, either in some FTP clients or in the
      	# Netfilter connection tracking code that occasionally denies active mode
      	# FTP clients
      	#
      	ACCEPT:info 	dmz 		net			tcp	1024:	20
      	#
      	# DMZ to Firewall -- snmp
      	#
      	ACCEPT 		dmz 		fw 			tcp	snmp
      	ACCEPT		dmz		fw			udp	snmp
      	#
      	# DMZ to Local Network 
      	#
      	ACCEPT 		dmz 		loc			tcp	smtp
      	ACCEPT		dmz		loc			tcp	auth
      	ACCEPT		dmz		loc			icmp	echo-request
      	# Internet to Firewall
      	#
      	ACCEPT		net		fw			tcp	1723
      	ACCEPT		net		fw			gre
      	REJECT 		net		fw			tcp	www
      	#
      	# Firewall to Internet
      	#
      	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp
      	ACCEPT		fw		net			udp	domain
      	ACCEPT		fw		net			tcp	domain
      	ACCEPT		fw		net			tcp	www
      	ACCEPT		fw		net			tcp	https
      	ACCEPT		fw		net			tcp	ssh
      	ACCEPT		fw		net			tcp	whois
      	ACCEPT		fw		net 			icmp	echo-request
      	#
      	# Firewall to DMZ
      	#
      	ACCEPT 		fw 		dmz 			tcp 	www
      	ACCEPT 		fw 		dmz 			tcp 	ftp
      	ACCEPT 		fw 		dmz 			tcp 	ssh
      	ACCEPT 		fw 		dmz 			tcp 	smtp
      	ACCEPT 		fw 		dmz 			udp 	domain
      	#
      	# Let Texas Ping
      	#
      	ACCEPT 		tx 		fw 			icmp 	echo-request
      	ACCEPT		tx 		loc 			icmp 	echo-request

      	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
      - -

      Last updated 10/1/2002 - + +

      Last updated 10/14/2002 - Tom Eastep -

      - Copyright - © 2001, 2002 Thomas M. Eastep.
      +

      + Copyright + © 2001, 2002 Thomas M. Eastep.
      +
      +


      diff --git a/STABLE/documentation/ports.htm b/STABLE/documentation/ports.htm index f205236fe..2ab74c0a0 100644 --- a/STABLE/documentation/ports.htm +++ b/STABLE/documentation/ports.htm @@ -1,122 +1,192 @@ + - - -Shorewall Port Information - - + + + Shorewall Port Information + + + + - - - - - - + + +
      -

      Ports required for Various Services/Applications

      -
      + + + + + +
      +

      Ports required for Various +Services/Applications

      +
      - -

      In addition to those applications described in the -/etc/shorewall/rules documentation, here are some other -services/applications that you may need to configure your firewall to accommodate.

      - + +

      In addition to those applications described in the /etc/shorewall/rules documentation, here +are some other services/applications that you may need to configure your firewall +to accommodate.

      +

      NTP (Network Time Protocol)

      -
      + +

      UDP Port 123

      -
      -

      rdate

      -
      +
      + +

      rdate

      + +

      TCP Port 37

      -
      -

      UseNet (NNTP)

      -
      +
      + +

      UseNet (NNTP)

      + +

      TCP Port 119

      -
      +
      +

      DNS

      -
      -

      UDP Port 53. If you are configuring a DNS client, you will probably want to - open TCP Port 53 as well.
      - If you are configuring a server, only open TCP Port 53 if you will return long - replies to queries or if you need to enable ZONE transfers. In the latter - case, be sure that your server is properly configured.

      -
      -

      ICQ   

      -
      -

      UDP Port 4000. You will also need to open a range of TCP ports which you - can specify to your ICQ client. By default, clients use 4000-4100.

      -
      + +
      +

      UDP Port 53. If you are configuring a DNS client, you will probably want +to open TCP Port 53 as well.
      + If you are configuring a server, only open TCP Port 53 if you will return +long replies to queries or if you need to enable ZONE transfers. In the +latter case, be sure that your server is properly configured.

      +
      + +

      ICQ   

      + +
      +

      UDP Port 4000. You will also need to open a range of TCP ports which +you can specify to your ICQ client. By default, clients use 4000-4100.

      +
      +

      PPTP

      -
      -

      Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more - information here).

      -
      + +
      +

      Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information here).

      +
      +

      IPSEC

      -
      -

      Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. - These should be opened in both directions.

      -
      + +
      +

      Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port +500. These should be opened in both directions.

      +
      +

      SMTP

      -
      -

       TCP Port 25.

      -
      + +
      +

       TCP Port 25.

      +
      +

      POP3

      -
      + +

      TCP Port 110.

      -
      +
      +

      TELNET

      -
      + +

      TCP Port 23.

      -
      +
      +

      SSH

      -
      + +

      TCP Port 22.

      -
      +
      +

      Auth (identd)

      -
      + +

      TCP Port 113

      -
      - -

      Web Access

      -
      +
      + +

      Web Access

      + +

      TCP Ports 80 and 443.

      -
      -

      FTP

      -
      -

      Server configuration is covered on in the - /etc/shorewall/rules documentation,

      +
      + +

      FTP

      + +
      +

      Server configuration is covered on in the /etc/shorewall/rules documentation,

      +

      For a client, you must open outbound TCP port 21 and be sure that your - kernel is compiled to support FTP connection tracking. If you build this - support as a module, Shorewall will automatically load the module from - /var/lib/<kernel version>/kernel/net/ipv4/netfilter. 

      -
      - -

      SMB/NMB (Samba/Windows Browsing/File Sharing)

      -
      + kernel is compiled to support FTP connection tracking. If you build this + support as a module, Shorewall will automatically load the module from + /var/lib/<kernel version>/kernel/net/ipv4/netfilter. 
      +

      + +

      If you run an FTP server on a nonstandard port or you need to access +such a server, then you must specify that port in /etc/shorewall/modules. +For example, if you run an FTP server that listens on port 49 then you would +have:
      +

      + +
      +

      loadmodule ip_conntrack_ftp ports=21,49
      + loadmodule ip_nat_ftp ports=21,49
      +

      +
      + +

      Note that you MUST include port 21 in the ports list or you may +have problems accessing regular FTP servers.

      +

      If there is a possibility that these modules might be loaded before Shorewall +starts, then you should include the port list in /etc/modules.conf:
      +

      + +
      +

      options ip_conntrack_ftp ports=21,49
      + options ip_nat_ftp ports=21,49
      +

      +
      +
      + +

      SMB/NMB (Samba/Windows Browsing/File Sharing)

      + +
      + +

      TCP Ports 137, 139 and 445.
      - UDP Ports 137-139.
      -
      - Also, see this page.

      -
      - -

      Traceroute

      -
      + UDP Ports 137-139.
      +
      + Also, see this page.

      +
      + +

      Traceroute

      + +

      UDP ports 33434 through 33434+<max number of hops>-1

      -
      -

      NFS

      -
      -

      There's some good information at  - - http://nfs.sourceforge.net/nfs-howto/security.html

      -
      -

      Didn't find what you are looking for -- have you looked in your own - /etc/services file?

      - -

      Still looking? Try - - http://www.networkice.com/advice/Exploits/Ports

      - -

      Last updated 8/21/2002 - -Tom -Eastep

      -Copyright2001, 2002 Thomas M. Eastep. \ No newline at end of file +
      + +

      NFS

      + +
      +

      There's some good information at  http://nfs.sourceforge.net/nfs-howto/security.html

      +
      + +

      Didn't find what you are looking for -- have you looked in your own /etc/services +file?

      + +

      Still looking? Try http://www.networkice.com/advice/Exploits/Ports

      + +

      Last updated 10/22/2002 - Tom Eastep

      + Copyright + © 2001, 2002 Thomas M. Eastep.
      +
      + + diff --git a/STABLE/documentation/seattlefirewall_index.htm b/STABLE/documentation/seattlefirewall_index.htm index 1a87a34cc..d373b1aeb 100644 --- a/STABLE/documentation/seattlefirewall_index.htm +++ b/STABLE/documentation/seattlefirewall_index.htm @@ -2,362 +2,396 @@ - + + Shoreline Firewall (Shorewall) 1.3 - + + - + - - - + + - + +
      + + - - + + +
      +
      - + +

      Shorwall Logo - Shorewall - 1.3 - "iptables made easy"

      + Shorewall 1.3 - "iptables + made easy" - + + + -
      -
      - -
      -
      + +
      +
      - - - + + - - - -
      +
      - + + +

      What is it?

      - -

      The Shoreline Firewall, more commonly known as "Shorewall", is a - Netfilter (iptables) based firewall - that can be used on a dedicated firewall system, a multi-function - gateway/router/server or on a standalone GNU/Linux system.

      + + + +

      The Shoreline Firewall, more commonly known as "Shorewall", is +a Netfilter (iptables) based +firewall that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.

      - -

      This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General -Public License as published by the Free Software Foundation.
      -
      - This program is distributed in the hope - that it will be useful, but WITHOUT ANY WARRANTY; without - even the implied warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU General Public License for - more details.
      -
      - You should have received a copy of the - GNU General Public License along with this program; if -not, write to the Free Software Foundation, Inc., 675 Mass -Ave, Cambridge, MA 02139, USA

      + + + +

      This program is free software; you can redistribute it and/or modify + it under the terms of Version 2 of the GNU +General Public License as published by the Free Software Foundation.
      +
      + This program is distributed + in the hope that it will be useful, but WITHOUT +ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details.
      +
      + You should have received + a copy of the GNU General Public License along with + this program; if not, write to the Free Software Foundation, + Inc., 675 Mass Ave, Cambridge, MA 02139, USA

      - + + +

      Copyright 2001, 2002 Thomas M. Eastep

      - + + +

      - Jacques Nilo and Eric Wolzak have - a LEAF distribution called Bering that features - Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: - http://leaf.sourceforge.net/devel/jnilo

      + Jacques Nilo and + Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD +or compact flash) distribution called Bering that + features Shorewall-1.3.9b and Kernel-2.4.18. You can find +their work at: http://leaf.sourceforge.net/devel/jnilo

      - + + + +

      Thinking of Downloading this Site for Offline Browsing?

      + You might want to reconsider -- this site is 213 MB!!! +and you will almost certainly be blacklisted before you download the whole +thing (my SDSL is only 384kbs so I'll have lots of time to catch you). Besides, +if you simply download the product and install it, you get the essential +parts of the site in a fraction of the time. And do you really want to download:
      + +
        +
      • Both text and HTML versions of every post ever made on three + different mailing lists (65 MB)?
        • +
      • Every .rpm, .tgz and .lrp ever released for both Shorewall + and Seawall (92MB and 10MB respectively)?
        • +
      • A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?
        +
        • +
      • Several ancient RPMs for courier-imap and maildrop (1.5MB).
        +
        • + +
      + You get all that and more if you do a blind recurive copy of this site. + Happy downloading!
      +

      News

      - + + +

      - -

      10/9/2002 - Shorewall 1.3.9b (New) -

      -This release rolls up fixes to the installer and to the firewall script.
      -
      -10/6/2002 - Shorewall.net now running on RH8.0       (New) -
      -
      - The firewall and server here at shorewall.net are now running RedHat release - 8.0.
      - -

      9/30/2002 - Shorewall 1.3.9a -

      - Roles up the fix for broken tunnels.
      - -

      9/30/2002 - TUNNELS Broken in 1.3.9!!! -

      - Brown Paper Bag - There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
      - -


      -

      - -


      -

      - -


      - 9/28/2002 - Shorewall 1.3.9 

      - - -

      In this version:
      -

      - - -
        -
      • DNS - Names are now allowed in Shorewall config files (although I recommend - against using them).
        • -
      • The connection SOURCE may now be qualified by both - interface and IP address in a Shorewall - rule.
        • -
      • Shorewall startup is now disabled after initial installation - until the file /etc/shorewall/startup_disabled is removed. This avoids - nasty surprises at reboot for users who install Shorewall but don't -configure it.
        • -
      • The 'functions' and 'version' files and the 'firewall' - symbolic link have been moved from /var/lib/shorewall to /usr/lib/shorewall - to appease the LFS police at Debian.
        -
        • - - -
      - - -

      9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
      -

      - Brown Paper Bag - A couple of recent configuration changes at www.shorewall.net - broke the Search facility:
      - - -
      - -
        -
      1. Mailing List Archive Search was not available.
        2. -
      2. The Site Search index was incomplete
        3. -
      3. Only one page of matches was presented.
        4. - - -
      -
      - Hopefully these problems are now corrected. - - -

      9/18/2002 - Debian 1.3.8 Packages Available  -
      -

      - - - -

      Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html

      - - - -

      9/16/2002 - Shorewall 1.3.8

      - - - -

      In this version:
      -

      - - - -
        -
      • A NEWNOTSYN option has been added to -shorewall.conf. This option determines whether Shorewall accepts -TCP packets which are not part of an established connection and -that are not 'SYN' packets (SYN flag on and ACK flag off).
        • -
      • The need for the 'multi' option to communicate - between zones za and zb on the same interface is removed in the - case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will -exist if: - - -
        • + +

        10/9/2002 - Shorewall 1.3.9b (New) +

        + This release rolls up fixes to the installer and to the +firewall script.
        +
        + 10/6/2002 - Shorewall.net now running on RH8.0         (New) +
        +
        + The firewall and server here at shorewall.net are now +running RedHat release 8.0.
        + + + +

        9/30/2002 - Shorewall 1.3.9a +

        + Roles up the fix for broken tunnels.
        + + + +

        9/30/2002 - TUNNELS Broken in 1.3.9!!! +

        + Brown Paper Bag + There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
        -
      +


      +

      - + +


      +

      + + + +


      + 9/28/2002 - Shorewall 1.3.9        +

      + + + + +

      In this version:
      +

      + + + +
        -
      • The /etc/shorewall/blacklist file now - contains three columns. In addition to the SUBNET/ADDRESS column, - there are optional PROTOCOL and PORT columns to block only certain - applications from the blacklisted addresses.
        -
        • +
      • DNS Names are now + allowed in Shorewall config files (although I recommend against + using them).
        • +
      • The connection SOURCE may now be +qualified by both interface and IP address in a Shorewall rule.
        • +
      • Shorewall startup is now disabled + after initial installation until the file /etc/shorewall/startup_disabled + is removed. This avoids nasty surprises at reboot for users +who install Shorewall but don't configure it.
        • +
      • The 'functions' and 'version' files + and the 'firewall' symbolic link have been moved from /var/lib/shorewall + to /usr/lib/shorewall to appease the LFS police at Debian.
        +
        • - + +
      - -

      9/11/2002 - Debian 1.3.7c Packages Available

      - -

      Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

      - - - -

      9/2/2002 - Shorewall 1.3.7c

      - - - - -

      This is a role up of a fix for "DNAT" rules where the source zone - is $FW (fw).

      - - - - -

      8/26/2002 - Shorewall 1.3.7b

      - - - - -

      This is a role up of the "shorewall refresh" bug fix and the change - which reverses the order of "dhcp" and "norfc1918" checking.

      - - - - -

      8/26/2002 - French FTP Mirror is Operational

      - - - - -

      ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.

      - - - - -

      8/25/2002 - Shorewall Mirror in France

      - - - - -

      Thanks to a Shorewall user in Paris, the Shorewall web site is now - mirrored at http://france.shorewall.net.

      - - - - +

      More News

      - -

      Donations

      -       		M
      -
      -
      +

      Donations

      - + + M + + + + + + +
      +
      + + - - - + + - + + - - + + +
      - +
      - + + +

      -  

      +  

      - -

      Shorewall is free but -if you try it and find it useful, please consider making a donation - to Shorewall is free +but if you try it and find it useful, please consider making a donation + to Starlight Children's Foundation. Thanks!

      -
      - -

      Updated 10/9/2002 - Tom Eastep - -
      -

      -
      + +

      Updated 11/9/2002 - Tom Eastep + +
      +

      diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm index 51c72836f..ddb722719 100644 --- a/STABLE/documentation/shoreline.htm +++ b/STABLE/documentation/shoreline.htm @@ -1,113 +1,116 @@ - + About the Shorewall Author - + - + - + - + - - - + + - - - + + + +
      +
      +

      Tom Eastep

      -
      - -

      Tom on the PCT - 1991 -

      - -

      Tom on the Pacific Crest Trail north of Stevens Pass, - Washington  -- Sept 1991.
      - Photo by Ken Mazawa

      - + +

      Tom on the PCT - 1991 +

      + +

      Tarry & Tom -- August 2002
      +
      +

      + - +

      I am currently a member of the design team for the next-generation operating system from the NonStop Enterprise Division of HP.

      - +

      I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated ipchains - and developed the scripts which are now collectively known as Seattle Firewall. Expanding - on what I learned from Seattle Firewall, I then designed and wrote -Shorewall.

      - + on what I learned from Seattle Firewall, I then designed and wrote + Shorewall.

      +

      I telework from our home in Shoreline, - Washington where I live with my wife Tarry.

      - + Washington where I live with my wife Tarry.

      +

      Our current home network consists of:

      - -
        -
      • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE HDs - and LNE100TX (Tulip) NIC - My personal Windows system. Also has SuSE - 8.0 installed.
        • -
      • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -- My personal Linux System which runs Samba configured as a WINS server. - This system also has VMware installed - and can run both Debian and - SuSE in virtual machines.
        • -
      • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail -(Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server - (Bind).
        • -
      • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  -(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP - server.  Also runs PoPToP for road warrior access.
        • -
      • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's - personal system.
        • -
      • PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 - and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.
        • - -
      - -

      For more about our network see my Shorewall Configuration.

      +
        +
      • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE +HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has +RedHat 8.0 installed.
        • +
      • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC + - My personal Linux System which runs Samba configured as a WINS server. + This system also has VMware installed + and can run both Debian Woody +and SuSE 8.1 in virtual machines.
        • +
      • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail + (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server + (Bind).
        • +
      • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  + (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP + server.  Also runs PoPToP for road warrior access.
        • +
      • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's + personal system.
        • +
      • PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 + and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.
        • + +
      + +

      For more about our network see my Shorewall Configuration.

      +

      All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.

      - +

      - - - -

      - -

      Last updated 10/6/2002 -

      + +

      Last updated 10/28/2002 - Tom Eastep

      - Copyright - © 2001, 2002 Thomas M. Eastep.
      + Copyright + © 2001, 2002 Thomas M. Eastep.
      +
      +



      diff --git a/STABLE/documentation/shorewall_features.htm b/STABLE/documentation/shorewall_features.htm index 02ac60f3d..87c11864a 100644 --- a/STABLE/documentation/shorewall_features.htm +++ b/STABLE/documentation/shorewall_features.htm @@ -1,91 +1,111 @@ + - - - - - -Shorewall Features + + + + + + + + + Shorewall Features - - - - - - - + + +
      -

      Shorewall Features

      -
      + + + + + +
      +

      Shorewall Features

      +
      +
        -
      • Uses Netfilter's connection tracking facilities for stateful packet - filtering.
        • -
      • Can be used in a wide range of router/firewall/gateway applications. -
          -
        • Completely customizable using configuration files.
          • -
        • No limit on the number of network interfaces.
          • -
        • Allows you to partitions the network into zones - and gives you complete control over the connections permitted between - each pair of zones.
          • -
        • Multiple interfaces per zone and multiple zones per interface - permitted.
          • -
        • Supports nested and overlapping zones.
          • -
        -
        • -
      • QuickStart Guides to help - get your first firewall up and running quickly
        • -
      • Extensive documentation - included in the .tgz and .rpm downloads.
        • -
      • Flexible address management/routing support (and you can use all - types in the same firewall): - -
        • -
      • Blacklisting of individual - IP addresses and subnetworks is supported.
        • -
      • Operational support: -
          -
        • Commands to start, stop and clear the firewall
          • -
        • Supports status monitoring - with an audible alarm when an "interesting" packet is detected.
          • -
        • Wide variety of informational commands.
          • -
        -
        • -
      • VPN Support - -
        • -
      • Support for Traffic Control/Shaping - integration.
        • -
      • Wide support for different GNU/Linux Distributions. - -
        • +
      • Uses Netfilter's connection tracking facilities for stateful packet + filtering.
        • +
      • Can be used in a wide range of router/firewall/gateway applications. + +
          +
        • Completely customizable using configuration files.
          • +
        • No limit on the number of network interfaces.
          • +
        • Allows you to partitions the network into zones and gives you complete +control over the connections permitted between each pair of zones.
          • +
        • Multiple interfaces per zone and multiple zones per interface + permitted.
          • +
        • Supports nested and overlapping zones.
          • + +
        +
        • +
      • QuickStart Guides to +help get your first firewall up and running quickly
        • +
      • Extensive documentation + included in the .tgz and .rpm downloads.
        • +
      • Flexible address management/routing support (and you can use +all types in the same firewall): + +
        • +
      • Blacklisting of individual + IP addresses and subnetworks is supported.
        • +
      • Operational support: + +
          +
        • Commands to start, stop and clear the firewall
          • +
        • Supports status monitoring with an audible alarm +when an "interesting" packet is detected.
          • +
        • Wide variety of informational commands.
          • + +
        +
        • +
      • VPN Support + +
        • +
      • Support for Traffic Control/Shaping + integration.
        • +
      • Wide support for different GNU/Linux Distributions. + + +
        • +
      • Media Access Control (MAC) Address + Verification
        +
        +
        • +
      -

      Last updated 7/14/2002 - Tom -Eastep

      -

      -Copyright © 2001,2002 Thomas M. Eastep.

      - + +

      Last updated 11/09/2002 - Tom Eastep

      + +

      Copyright © 2001,2002 Thomas M. Eastep.
      +

      - - \ No newline at end of file + diff --git a/STABLE/documentation/shorewall_quickstart_guide.htm b/STABLE/documentation/shorewall_quickstart_guide.htm index f3c896786..173ea0601 100644 --- a/STABLE/documentation/shorewall_quickstart_guide.htm +++ b/STABLE/documentation/shorewall_quickstart_guide.htm @@ -1,210 +1,220 @@ - + - + - + - + Shorewall QuickStart Guide - + - + - - - + + - - - + Version 3.1 + + + +
      +

      Shorewall QuickStart Guides
      - Version 3.1

      -
      - -

      With thanks to Richard who reminded me once again that -we must all first walk before we can run.

      - + +

      With thanks to Richard who reminded me once again that we +must all first walk before we can run.

      +

      The Guides

      - -

      These guides provide step-by-step instructions for configuring Shorewall - in common firewall setups.

      - -

      The following guides are for users who have a single public IP address:

      - + +

      These guides provide step-by-step instructions for configuring Shorewall + in common firewall setups.

      + +

      The following guides are for users who have a single public IP address:

      +
        -
      • Standalone Linux System
        • -
      • Two-interface Linux System acting - as a firewall/router for a small local network
        • -
      • Three-interface Linux System acting - as a firewall/router for a small local network and a DMZ.
        • - +
      • Standalone Linux System
        • +
      • Two-interface Linux System acting + as a firewall/router for a small local network
        • +
      • Three-interface Linux System + acting as a firewall/router for a small local network and a DMZ.
        • +
      - -

      The above guides are designed to get your first firewall up and running - quickly in the three most common Shorewall configurations.

      - -

      The Shorewall Setup Guide outlines - the steps necessary to set up a firewall where there are multiple public - IP addresses involved or if you want to learn more about Shorewall than -is explained in the single-address guides above.

      - + +

      The above guides are designed to get your first firewall up and running + quickly in the three most common Shorewall configurations.

      + +

      The Shorewall Setup Guide outlines + the steps necessary to set up a firewall where there are multiple public + IP addresses involved or if you want to learn more about Shorewall than + is explained in the single-address guides above.

      + - +

      Additional Documentation

      - -

      The following documentation covers a variety of topics and supplements - the QuickStart Guides described - above. Please review the appropriate guide before trying to use this documentation -directly.

      - + +

      The following documentation covers a variety of topics and supplements + the QuickStart Guides described + above. Please review the appropriate guide before trying to use this + documentation directly.

      + + +
    • Configuration File Reference Manual + -
      • -
    • Proxy ARP
      • -
    • Samba
      • -
    • +
    • DHCP
      • +
    • Extension Scripts +(How to extend Shorewall without modifying Shorewall code)
      • +
    • Fallback/Uninstall
      • +
    • Firewall Structure
      • +
    • Kernel Configuration
      • +
    • My Configuration Files (How I personally + use Shorewall)
      • +
    • Port Information + +
        +
      • Which applications use which ports
        • +
      • Ports used by Trojans
        • + +
      +
      • +
    • Proxy ARP
      • +
    • Samba
      • +
    • Starting/stopping the Firewall
      • -
    • Static NAT
      • -
    • Traffic Shaping/Control
      • -
    • VPN +
    • Static NAT
      • +
    • Traffic Shaping/Control
      • +
    • VPN -
      • -
    • White List Creation
      • - + +
    • White List Creation
      • +
    - +

    If you use one of these guides and have a suggestion for improvement please let me know.

    - -

    Last modified 10/5/2002 - Last modified 11/3/2002 - Tom Eastep

    - +

    Copyright 2002 Thomas M. Eastep

    +
    +

    +


    diff --git a/STABLE/documentation/starting_and_stopping_shorewall.htm b/STABLE/documentation/starting_and_stopping_shorewall.htm index f216e4f9e..cad46fc6e 100644 --- a/STABLE/documentation/starting_and_stopping_shorewall.htm +++ b/STABLE/documentation/starting_and_stopping_shorewall.htm @@ -1,13 +1,13 @@ - + - + - + - + Starting and Stopping Shorewall @@ -15,211 +15,227 @@ - + - - + + - + - + - - + +
    - -

    Starting/Stopping and Monitoring -the Firewall

    +     		+ +

    Starting/Stopping and Monitoring + the Firewall

    -
    - -

    If you have a permanent internet connection such as DSL or Cable, -I recommend that you start the firewall automatically at boot. Once you - have installed "firewall" in your init.d directory, simply type - "chkconfig --add firewall". This will start the firewall in run levels -2-5 and stop it in run levels 1 and 6. If you want to configure your firewall -differently from this default, you can use the "--level" option in - chkconfig (see "man chkconfig") or using your favorite graphical run-level -editor.

    - - - - - - - -

    Important Notes:
    -

    - -
      -
    1. Shorewall startup is disabled by default. Once you have configured -your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. -Note: Users of the .deb package must edit /etc/default/shorewall and set -'startup=1'.
      -
      2. -
    2. If you use dialup, you may want to start the firewall in your -/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" -in that script.
      3. - -
    - -

    -

    - - - -

    You can manually start and stop Shoreline Firewall using the "shorewall" +

    If you have a permanent internet connection such as DSL or Cable, + I recommend that you start the firewall automatically at boot. Once +you have installed "firewall" in your init.d directory, simply type + "chkconfig --add firewall". This will start the firewall in run levels + 2-5 and stop it in run levels 1 and 6. If you want to configure your +firewall differently from this default, you can use the "--level" option +in chkconfig (see "man chkconfig") or using your favorite graphical +run-level editor.

    + + + + + + + +

    Important Notes:
    +

    + +
      +
    1. Shorewall startup is disabled by default. Once you have configured + your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. + Note: Users of the .deb package must edit /etc/default/shorewall and set +'startup=1'.
      +
      2. +
    2. If you use dialup, you may want to start the firewall in your +/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" +in that script.
      3. + +
    + +

    +

    + + + + +

    You can manually start and stop Shoreline Firewall using the "shorewall" shell program:

    - +
      -
    • shorewall start - starts the firewall
      • -
    • shorewall stop - stops the firewall
      • -
    • shorewall restart - stops the firewall (if it's running) -and then starts it again
      • -
    • shorewall reset - reset the packet and byte counters - in the firewall
      • -
    • shorewall clear - remove all rules and chains installed -by Shoreline Firewall
      • -
    • shorewall refresh - refresh the rules involving the broadcast - addresses of firewall interfaces and the black and white lists.
      • - +
    • shorewall start - starts the firewall
      • +
    • shorewall stop - stops the firewall
      • +
    • shorewall restart - stops the firewall (if it's running) + and then starts it again
      • +
    • shorewall reset - reset the packet and byte counters + in the firewall
      • +
    • shorewall clear - remove all rules and chains installed + by Shoreline Firewall
      • +
    • shorewall refresh - refresh the rules involving the broadcast + addresses of firewall interfaces and the black and white lists.
      • +
    - +

    The "shorewall" program may also be used to monitor the firewall.

    - +
      -
    • shorewall status - produce a verbose report about the firewall - (iptables -L -n -v)
      • -
    • shorewall show chain - produce a verbose report about chain - (iptables -L chain -n -v)
      • -
    • shorewall show nat - produce a verbose report about the nat table - (iptables -t nat -L -n -v)
      • -
    • shorewall show tos - produce a verbose report about the mangle table - (iptables -t mangle -L -n -v)
      • -
    • shorewall show log - display the last 20 packet log entries.
      • -
    • shorewall show connections - displays the IP connections currently -being tracked by the firewall.
      • -
    • shorewall - show - tc - displays information -about the traffic control/shaping configuration.
      • -
    • shorewall monitor [ delay ] - Continuously display the firewall - status, last 20 log entries and nat. When the log entry display - changes, an audible alarm is sounded.
      • -
    • shorewall hits - Produces several reports about the Shorewall packet -log messages in the current /var/log/messages file.
      • -
    • shorewall version - Displays the installed version number.
      • -
    • shorewall check - Performs a cursory validation of the -zones, interfaces, hosts, rules and policy files. The "check" command does not parse and validate the -generated iptables commands so even though the "check" command completes -successfully, the configuration may fail to start. See the recommended -way to make configuration changes described below.
      • -
    • shorewall try configuration-directory [ timeout ] -- Restart shorewall using the specified configuration and if an error -occurs or if the timeout option is given and the new configuration -has been up for that many seconds then shorewall is restarted using the -standard configuration.
      • -
    • shorewall deny, shorewall reject, shorewall accept and shorewall -save implement dynamic blacklisting.
      • -
    • shorewall logwatch (added in version 1.3.2) - Monitors the LOGFILE and produces an audible alarm when new Shorewall - messages are logged.
      • - +
    • shorewall status - produce a verbose report about the firewall + (iptables -L -n -v)
      • +
    • shorewall show chain - produce a verbose report about chain + (iptables -L chain -n -v)
      • +
    • shorewall show nat - produce a verbose report about the nat table + (iptables -t nat -L -n -v)
      • +
    • shorewall show tos - produce a verbose report about the mangle +table (iptables -t mangle -L -n -v)
      • +
    • shorewall show log - display the last 20 packet log entries.
      • +
    • shorewall show connections - displays the IP connections currently + being tracked by the firewall.
      • +
    • shorewall + show + tc - displays information + about the traffic control/shaping configuration.
      • +
    • shorewall monitor [ delay ] - Continuously display the firewall + status, last 20 log entries and nat. When the log entry display + changes, an audible alarm is sounded.
      • +
    • shorewall hits - Produces several reports about the Shorewall packet + log messages in the current /var/log/messages file.
      • +
    • shorewall version - Displays the installed version number.
      • +
    • shorewall check - Performs a cursory validation of +the zones, interfaces, hosts, rules and policy files. The "check" command does not parse and validate the + generated iptables commands so even though the "check" command completes + successfully, the configuration may fail to start. See the recommended + way to make configuration changes described below.
      • +
    • shorewall try configuration-directory [ timeout ] +- Restart shorewall using the specified configuration and if an error + occurs or if the timeout option is given and the new configuration + has been up for that many seconds then shorewall is restarted using +the standard configuration.
      • +
    • shorewall deny, shorewall reject, shorewall accept and shorewall + save implement dynamic blacklisting.
      • +
    • shorewall logwatch (added in version 1.3.2) - Monitors the LOGFILE and produces an audible alarm when new Shorewall + messages are logged.
      • +
    +Finally, the "shorewall" program may be used to dynamically alter the contents +of a zone.
    +
      +
    • shorewall add interface[:host] zone - Adds the +specified interface (and host if included) to the specified zone.
      • +
    • shorewall delete interface[:host] zone - Deletes +the specified interface (and host if included) from the specified zone.
      • +
    +
    Examples:
    +
    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 +from interface ipsec0 to the zone vpn1
    +shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 +from interface ipsec0 from zone vpn1
    +
    +
    - -

    The shorewall start, shorewall restart, shorewall check  and + +

    The shorewall start, shorewall restart, shorewall check  and shorewall try commands allow you to specify which Shorewall configuration to use:

    - -
    - + +
    +

    shorewall [ -c configuration-directory ] {start|restart|check}
    - shorewall try configuration-directory

    -
    + shorewall try configuration-directory

    +
    - -

    If a configuration-directory is specified, each time that Shorewall - is going to use a file in /etc/shorewall it will first look in the configuration-directory - . If the file is present in the configuration-directory, that file + +

    If a configuration-directory is specified, each time that Shorewall + is going to use a file in /etc/shorewall it will first look in the configuration-directory + . If the file is present in the configuration-directory, that file will be used; otherwise, the file in /etc/shorewall will be used.

    - -

    When changing the configuration of a production firewall, I recommend -the following:

    + +

    When changing the configuration of a production firewall, I recommend + the following:

    - +
      -
    • mkdir /etc/test
      • +
    • mkdir /etc/test
      • -
    • cd /etc/test
      • +
    • cd /etc/test
      • -
    • <copy any files that you need to change from /etc/shorewall -to . and change them here>
      • +
    • <copy any files that you need to change from /etc/shorewall + to . and change them here>
      • -
    • shorewall -c . check
      • +
    • shorewall -c . check
      • -
    • <correct any errors found by check and check again>
      • +
    • <correct any errors found by check and check again>
      • -
    • /sbin/shorewall try .
      • - +
    • /sbin/shorewall try .
      • +
    - -

    If the configuration starts but doesn't work, just "shorewall restart" -to restore the old configuration. If the new configuration fails to start, -the "try" command will automatically start the old one for you.

    + +

    If the configuration starts but doesn't work, just "shorewall restart" + to restore the old configuration. If the new configuration fails to start, + the "try" command will automatically start the old one for you.

    - +

    When the new configuration works then just

    - +
      -
    • cp * /etc/shorewall
      • +
    • cp * /etc/shorewall
      • -
    • cd
      • +
    • cd
      • -
    • rm -rf /etc/test
      • - +
    • rm -rf /etc/test
      • +
    - -

    Updated 9/26/2002 - Tom Eastep + +

    Updated 10/23/2002 - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    -
    +
    +

    diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm index f22c2bd51..cf59cad7c 100644 --- a/STABLE/documentation/support.htm +++ b/STABLE/documentation/support.htm @@ -1,77 +1,78 @@ - + - + - + - + Support - + - + - - - + + - - - + + + +
    +

    Shorewall Support

    -
    - -

    "It is -easier to post a problem than to use your own brain" -- "It +is easier to post a problem than to use your own brain" -- Wietse Venema (creator of Postfix)

    - -

    "Any sane computer will tell you how it works -- you just - have to ask it the right questions" -- Tom Eastep

    - + +

    "Any sane computer will tell you how it works -- you +just have to ask it the right questions" -- Tom Eastep

    +
    - -

    "It irks me when people believe that - free software comes at no cost. The cost is incredibly high." -- Wietse Venema

    +

    "It irks me when people believe that + free software comes at no cost. The cost is incredibly high." + - Wietse Venema

    +

    Before Reporting a Problem

    - +

    There are a number of sources for problem solution information.

    - +
      -
    • The FAQ has solutions to common problems.
      • -
    • The Troubleshooting Information +
    • The FAQ has solutions to common problems.
      • +
    • The Troubleshooting Information contains a number of tips to help you solve common problems.
      • -
    • The Errata has links to download updated - components.
      • -
    • The Mailing List Archives search facility can locate posts about +
    • The Errata has links to download updated + components.
      • +
    • The Mailing List Archives search facility can locate posts about similar problems:
      • - +
    - +

    Mailing List Archive Search

    + +
    - -

    Match: +

    Match: - Format: + Format: - Sort by: + Sort by: -
    - Search:

    - - + +

    Problem Reporting Guidelines

    - +
      -
    • When reporting a problem, give as much information as you can. +
    • When reporting a problem, give as much information as you can. Reports that say "I tried XYZ and it didn't work" are not at all helpful.
      • -
    • Please don't describe your environment and then ask us to send -you custom configuration files. We're here to answer your questions - but we can't do your job for you.
      • -
    • Do you see any "Shorewall" messages in /var/log/messages when - you exercise the function that is giving you problems?
      • -
    • Have you looked at the packet flow with a tool like tcpdump - to try to understand what is going on?
      • -
    • Have you tried using the diagnostic capabilities of the application - that isn't working? For example, if "ssh" isn't able to connect, using - the "-v" option gives you a lot of valuable diagnostic information.
      • -
    • Please include any of the Shorewall configuration files (especially - the /etc/shorewall/hosts file if you have modified that file) that you - think are relevant. If an error occurs when you try to "shorewall start", - include a trace (See the Troubleshooting - section for instructions).
      • -
    • The list server limits posts to 120kb so don't post GIFs of your +
    • Please don't describe your environment and then ask us to send +you custom configuration files. We're here to answer your questions + but we can't do your job for you.
      • +
    • Do you see any "Shorewall" messages in /var/log/messages when + you exercise the function that is giving you problems?
      • +
    • Have you looked at the packet flow with a tool like tcpdump + to try to understand what is going on?
      • +
    • Have you tried using the diagnostic capabilities of the application + that isn't working? For example, if "ssh" isn't able to connect, using + the "-v" option gives you a lot of valuable diagnostic information.
      • +
    • Please include any of the Shorewall configuration files (especially + the /etc/shorewall/hosts file if you have modified that file) that you + think are relevant. If an error occurs when you try to "shorewall start", + include a trace (See the Troubleshooting + section for instructions).
      • +
    • The list server limits posts to 120kb so don't post GIFs of your network layout, etc to the Mailing List -- your post will be rejected.
      • - +
    - +

    Where to Send your Problem Report or to Ask for Help

    - -

    If you run Shorewall under Bering -- please - post your question or problem to the +

    If you run Shorewall under Bering -- please + post your question or problem to the LEAF Users mailing list.

    - +

    Otherwise, please post your question or problem to the Shorewall users mailing list; - there are lots of folks there who are willing to help you. Your question/problem - description and their responses will be placed in the mailing list archives - to help people who have a similar question or problem in the future.

    - -

    I don't look at problems sent to me directly but I try to spend some amount - of time each day responding to problems posted on the mailing list.

    - + href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list; + there are lots of folks there who are willing to help you. Your question/problem + description and their responses will be placed in the mailing list archives + to help people who have a similar question or problem in the future.

    + +

    I don't look at problems sent to me directly but I try to spend some amount + of time each day responding to problems posted on the mailing list.

    +

    -Tom

    - +

    To Subscribe to the mailing list go to http://www.shorewall.net/mailman/listinfo/shorewall-users + href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users .

    - -

    Last Updated 9/27/2002 - Tom Eastep

    - + +

    Last Updated 10/13/2002 - Tom Eastep

    +

    Copyright © 2001, 2002 Thomas M. Eastep.

    -
    +
    +



    diff --git a/STABLE/documentation/three-interface.htm b/STABLE/documentation/three-interface.htm index f6c767173..a87918901 100644 --- a/STABLE/documentation/three-interface.htm +++ b/STABLE/documentation/three-interface.htm @@ -1,764 +1,484 @@ - + - + - + - + Three-Interface Firewall - + - - - + + - - - + + + +
    +

    Three-Interface Firewall

    -
    - +

    Version 2.0.1

    - +

    Setting up a Linux system as a firewall for a small network - with DMZ is a fairly straight-forward task if you understand the basics - and follow the documentation.

    - + with DMZ is a fairly straight-forward task if you understand the basics + and follow the documentation.

    +

    This guide doesn't attempt to acquaint you with all of the features of - Shorewall. It rather focuses on what is required to configure Shorewall -in one of its more popular configurations:

    - + Shorewall. It rather focuses on what is required to configure Shorewall + in one of its more popular configurations:

    +
      -
    • Linux system used as a firewall/router for a small local network.
      • -
    • Single public IP address.
      • -
    • DMZ connected to a separate ethernet interface.
      • -
    • Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, - ...
      • - +
    • Linux system used as a firewall/router for a small local network.
      • +
    • Single public IP address.
      • +
    • DMZ connected to a separate ethernet interface.
      • +
    • Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, + ...
      • +
    - +

    Here is a schematic of a typical installation.

    - +

    -

    - +

    +

    This guide assumes that you have the iproute/iproute2 package installed - (on RedHat, the package is called iproute). You can tell if - this package is installed by the presence of an ip program on your - firewall system. As root, you can use the 'which' command to check for -this program:

    - + (on RedHat, the package is called iproute). You can tell +if this package is installed by the presence of an ip program on +your firewall system. As root, you can use the 'which' command to check +for this program:

    + 
         [root@gateway root]# which ip
         /sbin/ip
         [root@gateway root]#
    - +

    I recommend that you first read through the guide to familiarize yourself - with what's involved then go back through it again making your configuration - changes. Points at which configuration changes are recommended are flagged - with -

    - + with what's involved then go back through it again making your configuration + changes. Points at which configuration changes are recommended are flagged + with +

    +

    -     If you edit your configuration files on a Windows system, you must - save them as Unix files if your editor supports that option or you must -run them through dos2unix before trying to use them. Similarly, if you copy -a configuration file from your Windows hard drive to a floppy disk, you -must run dos2unix against the copy before using it with Shorewall.

    - +     If you edit your configuration files on a Windows system, you must + save them as Unix files if your editor supports that option or you must + run them through dos2unix before trying to use them. Similarly, if you +copy a configuration file from your Windows hard drive to a floppy disk, +you must run dos2unix against the copy before using it with Shorewall.

    + - +

    Shorewall Concepts

    - +

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. After you have installed Shorewall, download the three-interface - sample, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the -files to /etc/shorewall (the files will replace files with the same names -that were placed in /etc/shorewall when Shorewall was installed).

    - + sample, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the + files to /etc/shorewall (the files will replace files with the same names + that were placed in /etc/shorewall when Shorewall was installed).

    +

    As each file is introduced, I suggest that you look through the actual - file on your system -- each file contains detailed configuration instructions - and default entries.

    - + file on your system -- each file contains detailed configuration instructions + and default entries.

    +

    Shorewall views the network where it is running as being composed of a - set of zones. In the three-interface sample configuration, the following - zone names are used:

    - + set of zones. In the three-interface sample configuration, the following + zone names are used:

    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    - +

    Zone names are defined in /etc/shorewall/zones.

    - +

    Shorewall also recognizes the firewall system as its own zone - by default, - the firewall itself is known as fw.

    - + the firewall itself is known as fw.

    +

    Rules about what traffic to allow and what traffic to deny are expressed - in terms of zones.

    - + in terms of zones.

    + - +

    For each connection request entering the firewall, the request is first - checked against the /etc/shorewall/rules file. If no rule in that file matches - the connection request then the first policy in /etc/shorewall/policy that - matches the request is applied. If that policy is REJECT or DROP  the -request is first checked against the rules in /etc/shorewall/common (the + checked against the /etc/shorewall/rules file. If no rule in that file +matches the connection request then the first policy in /etc/shorewall/policy +that matches the request is applied. If that policy is REJECT or DROP  +the request is first checked against the rules in /etc/shorewall/common (the samples provide that file for you).

    - +

    The /etc/shorewall/policy file included with the three-interface sample - has the following policies:

    - -
    + has the following policies:

    + +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    -
    - -
    +
    + +

    In the three-interface sample, the line below is included but commented - out. If you want your firewall system to have full access to servers on -the internet, uncomment that line.

    - + out. If you want your firewall system to have full access to servers on + the internet, uncomment that line.

    + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    fwnetACCEPT  
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    fwnetACCEPT  
    -
    - +
    +

    The above policy will:

    - +
      -
    1. allow all connection requests from your local network to the internet
      2. -
    2. drop (ignore) all connection requests from the internet to your -firewall or local network
      3. -
    3. optionally accept all connection requests from the firewall to -the internet (if you uncomment the additional policy)
      4. -
    4. reject all other connection requests.
      5. - +
    5. allow all connection requests from your local network to the +internet
      6. +
    6. drop (ignore) all connection requests from the internet to your + firewall or local network
      7. +
    7. optionally accept all connection requests from the firewall to + the internet (if you uncomment the additional policy)
      8. +
    8. reject all other connection requests.
      9. +
    - +

    -     At this point, edit your /etc/shorewall/policy file and make any -changes that you wish.

    - +     At this point, edit your /etc/shorewall/policy file and make any + changes that you wish.

    +

    Network Interfaces

    - +

    -

    - +

    +

    The firewall has three network interfaces. Where Internet - connectivity is through a cable or DSL "Modem", the External Interface - will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  - unless you connect via Point-to-Point Protocol - over Ethernet (PPPoE) or Point-to-Point Tunneling + connectivity is through a cable or DSL "Modem", the External Interface + will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  + unless you connect via Point-to-Point Protocol + over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP) in which case the External Interface will be a ppp interface (e.g., ppp0). If you connect via a regular modem, -your External Interface will also be ppp0. If you connect using ISDN, - you external interface will be ippp0.

    - +your External Interface will also be ppp0. If you connect using ISDN, + you external interface will be ippp0.

    +

    -     If your external interface is ppp0 or ippp0 then you - will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    - +     If your external interface is ppp0 or ippp0 then +you will want to set CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.

    +

    Your Local Interface will be an ethernet adapter (eth0, - eth1 or eth2) and will be connected to a hub or switch. Your local computers - will be connected to the same switch (note: If you have only a single local - system, you can connect the firewall directly to the computer using a cross-over - cable).

    - + eth1 or eth2) and will be connected to a hub or switch. Your local computers + will be connected to the same switch (note: If you have only a single local + system, you can connect the firewall directly to the computer using a +cross-over cable).

    +

    Your DMZ Interface will also be an ethernet adapter - (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ -computers will be connected to the same switch (note: If you have only a -single DMZ system, you can connect the firewall directly to the computer -using a cross-over cable).

    - + (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ + computers will be connected to the same switch (note: If you have only a + single DMZ system, you can connect the firewall directly to the computer + using a cross-over cable).

    +

    - Do not connect more than one interface to the same hub or switch - (even for testing). It won't work the way that you expect it to and you -will end up confused and believing that Shorewall doesn't work at all.

    - +     Do not connect more than one interface to the same hub or switch + (even for testing). It won't work the way that you expect it to and you + will end up confused and believing that Shorewall doesn't work at all.

    +

    -     The Shorewall three-interface sample configuration assumes that the - external interface is eth0, the local interface is eth1 and - the DMZ interface is eth2. If your configuration is different, -you will have to modify the sample /etc/shorewall/interfaces file accordingly. - While you are there, you may wish to review the list of options that are - specified for the interfaces. Some hints:

    - +     The Shorewall three-interface sample configuration assumes that + the external interface is eth0, the local interface is eth1 +and the DMZ interface is eth2. If your configuration is different, + you will have to modify the sample /etc/shorewall/interfaces file accordingly. + While you are there, you may wish to review the list of options that are + specified for the interfaces. Some hints:

    +
      -
    • +

    • If your external interface is ppp0 or ippp0, - you can replace the "detect" in the second column with "-".

      -
      • -
    • + you can replace the "detect" in the second column with "-".

      +
      • +

    • If your external interface is ppp0 or ippp0 - or if you have a static IP address, you can remove "dhcp" from the option - list.

      -
      • - + or if you have a static IP address, you can remove "dhcp" from the option + list.

      + +
    - +

    IP Addresses

    - +

    Before going further, we should say a few words about Internet - Protocol (IP) addresses. Normally, your ISP will assign you a single - Public IP address. This address may be assigned via the Dynamic - Host Configuration Protocol (DHCP) or as part of establishing your connection - when you dial in (standard modem) or establish your PPP connection. In -rare cases, your ISP may assign you a static IP address; that means -that you configure your firewall's external interface to use that address -permanently. Regardless of how the address is assigned, it will be -shared by all of your systems when you access the Internet. You will have -to assign your own addresses for your internal network (the local and DMZ -Interfaces on your firewall plus your other computers). RFC 1918 reserves + Protocol (IP) addresses. Normally, your ISP will assign you a single + Public IP address. This address may be assigned via the Dynamic + Host Configuration Protocol (DHCP) or as part of establishing your +connection when you dial in (standard modem) or establish your PPP connection. +In rare cases, your ISP may assign you a static IP address; that +means that you configure your firewall's external interface to use that +address permanently. Regardless of how the address is assigned, it +will be shared by all of your systems when you access the Internet. You will +have to assign your own addresses for your internal network (the local and +DMZ Interfaces on your firewall plus your other computers). RFC 1918 reserves several Private IP address ranges for this purpose:

    - -
    + +
         10.0.0.0    - 10.255.255.255
         172.16.0.0  - 172.31.255.255
         192.168.0.0 - 192.168.255.255
    -
    - -
    +
    + +

    -     Before starting Shorewall, you should look at the IP address of -your external interface and if it is one of the above ranges, you should -remove the 'norfc1918' option from the external interface's entry in - /etc/shorewall/interfaces.

    -
    - -
    +     Before starting Shorewall, you should look at the IP address +of your external interface and if it is one of the above ranges, you +should remove the 'norfc1918' option from the external interface's entry +in /etc/shorewall/interfaces.

    +
    + +

    You will want to assign your local addresses from one - sub-network or subnet and your DMZ addresses from another + sub-network or subnet and your DMZ addresses from another subnet. For our purposes, we can consider a subnet to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as the Subnet -Address and x.y.z.255 is reserved as the Subnet Broadcast Address. -In Shorewall, a subnet is described using Classless -InterDomain Routing (CIDR) notation with consists of the subnet address -followed by "/24". The "24" refers to the number of consecutive "1" -bits from the left of the subnet mask.

    -
    - -
    + Address and x.y.z.255 is reserved as the Subnet Broadcast Address. + In Shorewall, a subnet is described using Classless + InterDomain Routing (CIDR) notation with consists of the subnet +address followed by "/24". The "24" refers to the number of consecutive +"1" bits from the left of the subnet mask.

    +
    + +

    Example sub-network:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    Range:10.10.10.0 - 10.10.10.255
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.255
    CIDR Notation:10.10.10.0/24
    Range:10.10.10.0 - 10.10.10.255
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.255
    CIDR Notation:10.10.10.0/24
    -
    -
    - -
    + +
    + +

    It is conventional to assign the internal interface either - the first usable address in the subnet (10.10.10.1 in the above example) - or the last usable address (10.10.10.254).

    -
    - -
    + the first usable address in the subnet (10.10.10.1 in the above example) + or the last usable address (10.10.10.254).

    +
    + +

    One of the purposes of subnetting is to allow all computers - in the subnet to understand which other computers can be communicated -with directly. To communicate with systems outside of the subnetwork, systems -send packets through a  gateway  (router).

    -
    - -
    + in the subnet to understand which other computers can be communicated + with directly. To communicate with systems outside of the subnetwork, +systems send packets through a  gateway  (router).

    +
    + +

    -     Your local computers (Local Computers 1 & 2) should be configured - with their default gateway set to the IP address of the firewall's - internal interface and your DMZ computers ( DMZ Computers 1 & 2) should - be configured with their default gateway set to the IP address of the -firewall's DMZ interface.  

    -
    - +     Your local computers (Local Computers 1 & 2) should be configured + with their default gateway set to the IP address of the firewall's + internal interface and your DMZ computers ( DMZ Computers 1 & 2) +should be configured with their default gateway set to the IP address +of the firewall's DMZ interface.  

    +
    +

    The foregoing short discussion barely scratches the surface - regarding subnetting and routing. If you are interested in learning more - about IP addressing and routing, I highly recommend "IP Fundamentals: - What Everyone Needs to Know about Addressing & Routing", Thomas -A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    - + regarding subnetting and routing. If you are interested in learning more + about IP addressing and routing, I highly recommend "IP Fundamentals: + What Everyone Needs to Know about Addressing & Routing", Thomas + A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    +

    The remainder of this quide will assume that you have configured - your network as shown here:

    - + your network as shown here:

    +

    -

    - -

    The default gateway for the DMZ computers would be 10.10.10.254 - and the default gateway for the Local computers would be 10.10.10.254.

    - +

    + +

    The default gateway for the DMZ computers would be 10.10.11.254 + and the default gateway for the Local computers would be 10.10.10.254.

    +

    IP Masquerading (SNAT)

    - +

    The addresses reserved by RFC 1918 are sometimes referred - to as non-routable because the Internet backbone routers don't forward - packets which have an RFC-1918 destination address. When one of your local - systems (let's assume local computer 1) sends a connection request to an - internet host, the firewall must perform Network Address Translation -(NAT). The firewall rewrites the source address in the packet to be the -address of the firewall's external interface; in other words, the firewall -makes it look as if the firewall itself is initiating the connection.  This -is necessary so that the destination host will be able to route return packets - back to the firewall (remember that packets whose destination address is - reserved by RFC 1918 can't be routed accross the internet). When the firewall - receives a return packet, it rewrites the destination address back to 10.10.10.1 - and forwards the packet on to local computer 1.

    - + to as non-routable because the Internet backbone routers don't forward + packets which have an RFC-1918 destination address. When one of your local + systems (let's assume local computer 1) sends a connection request to an + internet host, the firewall must perform Network Address Translation + (NAT). The firewall rewrites the source address in the packet to be +the address of the firewall's external interface; in other words, the firewall + makes it look as if the firewall itself is initiating the connection.  This + is necessary so that the destination host will be able to route return packets + back to the firewall (remember that packets whose destination address +is reserved by RFC 1918 can't be routed accross the internet). When the +firewall receives a return packet, it rewrites the destination address +back to 10.10.10.1 and forwards the packet on to local computer 1.

    +

    On Linux systems, the above process is often referred to as IP Masquerading and you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with Netfilter:

    - +
      -
    • +

    • Masquerade describes the case where you let your - firewall system automatically detect the external interface address. -

      -
      • -
    • + firewall system automatically detect the external interface address. +

      +
      • +

    • SNAT refers to the case when you explicitly specify - the source address that you want outbound packets from your local network - to use.

      -
      • - + the source address that you want outbound packets from your local network + to use.

      + +
    - +

    In Shorewall, both Masquerading and SNAT are configured with - entries in the /etc/shorewall/masq file.

    - + entries in the /etc/shorewall/masq file.

    +

    -     If your external firewall interface is eth0, your local interface - eth1 and your DMZ interface is eth2 then you do not need to - modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq - and change it to match your configuration.

    - +     If your external firewall interface is eth0, your local +interface eth1 and your DMZ interface is eth2 then you do +not need to modify the file provided with the sample. Otherwise, edit +/etc/shorewall/masq and change it to match your configuration.

    +

    -     If your external IP is static, you can enter it in the third column - in the /etc/shorewall/masq entry if you like although your firewall will - work fine if you leave that column empty. Entering your static IP in column - 3 makes processing outgoing packets a little more efficient.

    - +     If your external IP is static, you can enter it in the third column + in the /etc/shorewall/masq entry if you like although your firewall will + work fine if you leave that column empty. Entering your static IP in column + 3 makes processing outgoing packets a little more efficient.

    +

    Port Forwarding (DNAT)

    - +

    One of your goals will be to run one or more servers on your - DMZ computers. Because these computers have RFC-1918 addresses, it is not - possible for clients on the internet to connect directly to them. It is -rather necessary for those clients to address their connection requests to -your firewall who rewrites the destination address to the address of your + DMZ computers. Because these computers have RFC-1918 addresses, it is not + possible for clients on the internet to connect directly to them. It is + rather necessary for those clients to address their connection requests +to your firewall who rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, -the firewall automatically performs SNAT to rewrite the source address in -the response.

    - + the firewall automatically performs SNAT to rewrite the source address in + the response.

    +

    The above process is called Port Forwarding or - Destination Network Address Translation (DNAT). You configure port + Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the /etc/shorewall/rules file.

    - +

    The general form of a simple port forwarding rule in /etc/shorewall/rules - is:

    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:<server local ip address> [:<server -port>]<protocol><port>  
    -
    - -

    If you don't specify the <server port>, it is assumed to be -the same as <port>.

    - -

    Example - you run a Web Server on DMZ 2 and you want to forward incoming - TCP port 80 to that system:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2tcp80# Forward port 80from the internet
    ACCEPTlocdmz:10.10.11.2tcp80#Allow connections from the local network
    -
    - -

    A couple of important points to keep in mind:

    - -
      -
    • When you are connecting to your server from your local systems, -you must use the server's internal IP address (10.10.11.2).
      • -
    • Many ISPs block incoming connection requests to port 80. If you -have problems connecting to your web server, try the following rule and -try connecting to port 5000 (e.g., connect to http://w.x.y.z:5000 where w.x.y.z is your - external IP).
      • - -
    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp5000  
    -
    - -

    If you want to be able to access your server from the local network using - your external address, then if you have a static external IP you can replace - the loc->dmz rule above with:

    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp80-<external IP>
    -
    - -

    If you have a dynamic ip then you must ensure that your external interface - is up before starting Shorewall and you must take steps as follows (assume - that your external interface is eth0):

    - -
      -
    1. Include the following in /etc/shorewall/params:
      -
      - ETH0_IP=`find_interface_address eth0`
      -  
      2. -
    2. Make your loc->dmz rule:
      3. - -
    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp80-$ETH0_IP
    -
    - -

    If you want to access your server from the DMZ using your external IP -address, see FAQ 2a.

    - -

    -     At this point, add the DNAT and ACCEPT rules for your servers.

    - -

    Domain Name Server (DNS)

    - -

    Normally, when you connect to your ISP, as part of getting - an IP address your firewall's Domain Name Service (DNS) resolver -will be automatically configured (e.g., the /etc/resolv.conf file will be -written). Alternatively, your ISP may have given you the IP address of a -pair of DNS name servers for you to manually configure as your primary -and secondary name servers. It is your responsibility to configure -the resolver in your internal systems. You can take one of two approaches:

    - -
      -
    • -

      You can configure your internal systems to use your ISP's - name servers. If you ISP gave you the addresses of their servers or if - those addresses are available on their web site, you can configure your - internal systems to use those addresses. If that information isn't available, - look in /etc/resolv.conf on your firewall system -- the name servers are - given in "nameserver" records in that file.

      -
      • -
    • -

      -     You can configure a Caching Name Server on your firewall -or in your DMZ. Red Hat has an RPM for a caching name server (which -also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. -If you take this approach, you configure your internal systems to use the -caching name server as their primary (and only) name server. You use the -internal IP address of the firewall (10.10.10.254 in the example above) - for the name server address if you choose to run the name server on your - firewall. To allow your local systems to talk to your caching name server, - you must open port 53 (both UDP and TCP) from the local network to the - server; you do that by adding the rules in /etc/shorewall/rules.

      -
      • - -
    - -
    -

    If you run the name server on the firewall: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp53  
    ACCEPTlocfwudp53  
    ACCEPTdmzfwtcp53  
    ACCEPTdmzfwudp53  
    -

    -
    - -
    -
    -

    Run name server on DMZ computer 1

    - + is:

    + +
    - + @@ -768,192 +488,225 @@ internal IP address of the firewall (10.10.10.254 in the example above) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTION SOURCE DESTINATIONORIGINAL ADDRESS
    ACCEPTlocdmz:10.10.11.1tcp53  
    ACCEPTlocdmz:10.10.11.1udp53  
    ACCEPTfwdmz:10.10.10.1tcp53  
    ACCEPTfwdmz:10.10.10.1udp53  
    -
    -
    - -
    -

    Other Connections

    -
    - -
    -

    The three-interface sample includes the following rules:

    -
    - -
    -
    - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwDNAT netudp53  
    ACCEPTfwnettcp53  
    -
    -
    - -
    -

    Those rules allow DNS access from your firewall and may be - removed if you commented out the line in /etc/shorewall/policy allowing - all connections from the firewall to the internet.

    -
    - -
    -

    The sample also includes:

    -
    - -
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  
    ACCEPTlocdmztcp22  
    -
    -
    - -
    -

    That rule allows you to run an SSH server on your firewall - and in each of your DMZ systems and to connect to those servers from - your local systems.

    -
    - -
    -

    If you wish to enable other connections between your systems, - the general format is:

    -
    - -
    -
    - - - - - - - - - - - - - - - + - - + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone>dmz:<server local ip address> [:<server + port>] <protocol> <port>    
    -
    - -
    -

    Example - You want to run a publicly-available DNS server - on your firewall system:

    -
    - -
    -
    + +

    If you don't specify the <server port>, it is assumed to be +the same as <port>.

    + +

    Example - you run a Web Server on DMZ 2 and you want to forward incoming + TCP port 80 to that system:

    + +
    - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2tcp80# Forward port 80from the internet
    ACCEPTlocdmz:10.10.11.2tcp80#Allow connections from the local network
    +
    + +

    A couple of important points to keep in mind:

    + +
      +
    • When you are connecting to your server from your local systems, + you must use the server's internal IP address (10.10.11.2).
      • +
    • Many ISPs block incoming connection requests to port 80. If you + have problems connecting to your web server, try the following rule and + try connecting to port 5000 (e.g., connect to http://w.x.y.z:5000 where w.x.y.z is your + external IP).
      • + +
    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp5000  
    +
    + +

    If you want to be able to access your server from the local network using + your external address, then if you have a static external IP you can replace + the loc->dmz rule above with:

    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp80-<external IP>
    +
    + +

    If you have a dynamic ip then you must ensure that your external interface + is up before starting Shorewall and you must take steps as follows (assume + that your external interface is eth0):

    + +
      +
    1. Include the following in /etc/shorewall/params:
      +
      + ETH0_IP=`find_interface_address eth0`
      +  
      2. +
    2. Make your loc->dmz rule:
      3. + +
    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATloc
    +     		dmz:10.10.11.2:80tcp80-$ETH0_IP
    +
    + +

    If you want to access your server from the DMZ using your external IP +address, see FAQ 2a.

    + +

    +     At this point, add the DNAT and ACCEPT rules for your servers. +

    + +

    Domain Name Server (DNS)

    + +

    Normally, when you connect to your ISP, as part of getting + an IP address your firewall's Domain Name Service (DNS) resolver + will be automatically configured (e.g., the /etc/resolv.conf file will be + written). Alternatively, your ISP may have given you the IP address of +a pair of DNS name servers for you to manually configure as your +primary and secondary name servers. It is your responsibility to +configure the resolver in your internal systems. You can take one of two +approaches:

    + +
      +
    • +

      You can configure your internal systems to use your ISP's + name servers. If you ISP gave you the addresses of their servers or if + those addresses are available on their web site, you can configure your + internal systems to use those addresses. If that information isn't available, + look in /etc/resolv.conf on your firewall system -- the name servers +are given in "nameserver" records in that file.

      +
      • +
    • +

      +     You can configure a Caching Name Server on your firewall + or in your DMZ. Red Hat has an RPM for a caching name server (which + also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. + If you take this approach, you configure your internal systems to use +the caching name server as their primary (and only) name server. You use +the internal IP address of the firewall (10.10.10.254 in the example above) + for the name server address if you choose to run the name server on your + firewall. To allow your local systems to talk to your caching name server, + you must open port 53 (both UDP and TCP) from the local network to the + server; you do that by adding the rules in /etc/shorewall/rules.

      +
      • + +
    + +
    +

    If you run the name server on the firewall: + + + + @@ -964,137 +717,392 @@ internal IP address of the firewall (10.10.10.254 in the example above) - + - - + + - + + + + + + + + + + - - + + - - + + + + + + + + + + +
    ACTION SOURCE DESTINATION
    ACCEPTnetloc fw tcp 53#Allow DNS accessfrom the internet  
    ACCEPTnetlocfwudp53  
    ACCEPTdmz fw tcp 53#Allow DNS accessfrom the internet  
    ACCEPTdmzfwudp53  
    -

    -
    - -
    +

    + + +
    +
    +

    Run name server on DMZ computer 1

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocdmz:10.10.11.1tcp53  
    ACCEPTlocdmz:10.10.11.1udp53  
    ACCEPTfwdmz:10.10.10.1tcp53  
    ACCEPTfwdmz:10.10.10.1udp53  
    +
    +
    + +
    +

    Other Connections

    +
    + +
    +

    The three-interface sample includes the following rules:

    +
    + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwnetudp53  
    ACCEPTfwnettcp53  
    +
    +
    + +
    +

    Those rules allow DNS access from your firewall and may be + removed if you commented out the line in /etc/shorewall/policy allowing + all connections from the firewall to the internet.

    +
    + +
    +

    The sample also includes:

    +
    + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  
    ACCEPTlocdmztcp22  
    +
    +
    + +
    +

    That rule allows you to run an SSH server on your firewall + and in each of your DMZ systems and to connect to those servers from + your local systems.

    +
    + +
    +

    If you wish to enable other connections between your systems, + the general format is:

    +
    + +
    +
    + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone><protocol><port>  
    +
    +
    + +
    +

    Example - You want to run a publicly-available DNS server + on your firewall system:

    +
    + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp53#Allow DNS accessfrom the internet
    ACCEPTnetfwtcp53#Allow DNS accessfrom the internet
    +
    +
    + +

    Those two rules would of course be in addition to the rules - listed above under "If you run the name server on your firewall".

    -
    - -
    + listed above under "If you run the name server on your firewall".

    +
    + +

    If you don't know what port and protocol a particular application uses, look here.

    -
    - -
    +
    + +

    Important: I don't recommend enabling telnet to/from - the internet because it uses clear text (even for login!). If you want - shell access to your firewall from the internet, use SSH:

    -
    - -
    -
    + the internet because it uses clear text (even for login!). If you want + shell access to your firewall from the internet, use SSH:

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  
    -
    -
    - -
    + +
    + +

    -     Now modify /etc/shorewall/rules to add or remove other connections - as required.

    -
    - -
    +     Now modify /etc/shorewall/rules to add or remove other connections + as required.

    +
    + +

    Starting and Stopping Your Firewall

    -
    - -
    +
    + +

    Arrow -     The installation procedure configures -your system to start Shorewall at system boot  but beginning with Shorewall -version 1.3.9 startup is disabled so that your system won't try to start +     The installation procedure configures + your system to start Shorewall at system boot  but beginning with Shorewall + version 1.3.9 startup is disabled so that your system won't try to start Shorewall before configuration is complete. Once you have completed configuration of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.
    -

    - +

    +

    IMPORTANT: Users of the .deb package must edit /etc/default/shorewall -and set 'startup=1'.
    -

    -
    - -
    + and set 'startup=1'.
    +

    +
    + +

    The firewall is started using the "shorewall start" command - and stopped using "shorewall stop". When the firewall is stopped, routing - is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A - running firewall may be restarted using the "shorewall restart" command. - If you want to totally remove any trace of Shorewall from your Netfilter - configuration, use "shorewall clear".

    -
    - -
    + running firewall may be restarted using the "shorewall restart" command. + If you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

    +
    + +

    -     The three-interface sample assumes that you want to enable routing - to/from eth1 (your local network) and eth2 (DMZ) when Shorewall - is stopped. If these two interfaces don't connect to your local network - and DMZ or if you want to enable a different set of hosts, modify /etc/shorewall/routestopped - accordingly.

    -
    - -
    +     The three-interface sample assumes that you want to enable routing + to/from eth1 (your local network) and eth2 (DMZ) when Shorewall + is stopped. If these two interfaces don't connect to your local network + and DMZ or if you want to enable a different set of hosts, modify /etc/shorewall/routestopped + accordingly.

    +
    + +

    WARNING: If you are connected to your firewall from - the internet, do not issue a "shorewall stop" command unless you have -added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I don't recommend using "shorewall restart"; it is better to create - an alternate configuration - and test it using the "shorewall -try" command.

    -
    - -

    Last updated 9/26/2002 - alternate configuration + and test it using the "shorewall + try" command.

    +
    + +

    Last updated 10/22/2002 - Tom Eastep

    - +

    Copyright 2002 Thomas - M. Eastep

    + M. Eastep

    +

    +



    diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm index 4593e1f70..ddff1c3b7 100644 --- a/STABLE/documentation/traffic_shaping.htm +++ b/STABLE/documentation/traffic_shaping.htm @@ -1,214 +1,257 @@ + - - - - - -Traffic Shaping + + + + + + + + + Traffic Shaping - - - - - - - + + +
    -

    Traffic Shaping/Control

    -
    + + + + + +
    +

    Traffic Shaping/Control

    +
    -

    Beginning with version 1.2.0, Shorewall has limited support for traffic -shaping/control. In order to use traffic shaping under Shorewall, it is -essential that you get a copy of the Linux Advanced Routing -and Shaping HOWTO, version 0.3.0 or later. You must also install -the iproute (iproute2) package to provide the "ip" and "tc" -utilities.

    - + +

    Beginning with version 1.2.0, Shorewall has limited support +for traffic shaping/control. In order to use traffic shaping under Shorewall, +it is essential that you get a copy of the Linux Advanced Routing and Shaping HOWTO, +version 0.3.0 or later. You must also install the iproute (iproute2) package +to provide the "ip" and "tc" utilities.

    +

    Shorewall traffic shaping support consists of the following:

    - +
      -
    • A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic - Shaping also requires that you enable packet mangling.
      -
      • -
    • /etc/shorewall/tcrules - A file where you can specify - firewall marking of packets. The firewall mark value may be used to classify - packets for traffic shaping/control.
      -
      • -
    • /etc/shorewall/tcstart - A user-supplied file that is - sourced by Shorewall during "shorewall start" and which you can - use to define your traffic shaping disciplines and classes. I have provided - a sample that does - table-driven CBQ shaping but if you read the traffic shaping sections of the - HOWTO mentioned above, you can probably code your own faster than you can - learn how to use my sample. I personally use HTB - (see below). HTB - support may eventually become an integral part of Shorewall since HTB is a - lot simpler and better-documented than CBQ. HTB is currently not a standard - part of either the kernel or iproute2 so both must be patched in order to - use it.
      -
      - In tcstart, when you want to run the 'tc' utility, use the run_tc function - supplied by shorewall.
      -
      • -
    • /etc/shorewall/tcclear - A user-supplied file that is - sourced by Shorewall when it is clearing traffic shaping. This file is - normally not required as Shorewall's method of clearing qdisc and filter - definitions is pretty general.
      • +
    • A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping +also requires that you enable packet mangling.
      +
      • +
    • /etc/shorewall/tcrules - A file where you can specify firewall +marking of packets. The firewall mark value may be used to classify packets +for traffic shaping/control.
      +
      • +
    • /etc/shorewall/tcstart - A user-supplied file that is sourced +by Shorewall during "shorewall start" and which you can use to define +your traffic shaping disciplines and classes. I have provided a sample that does + table-driven CBQ shaping but if you read the traffic shaping sections of +the HOWTO mentioned above, you can probably code your own faster than +you can learn how to use my sample. I personally use HTB (see below). HTB + support may eventually become an integral part of Shorewall since HTB +is a lot simpler and better-documented than CBQ. HTB is currently not +a standard part of either the kernel or iproute2 so both must be patched +in order to use it.
      +
      + In tcstart, when you want to run the 'tc' utility, use the run_tc function + supplied by shorewall.
      +
      • +
    • /etc/shorewall/tcclear - A user-supplied file that is sourced +by Shorewall when it is clearing traffic shaping. This file is normally +not required as Shorewall's method of clearing qdisc and filter definitions +is pretty general.
      • +
    +

    Kernel Configuration

    +

    This screen shot show how I've configured QoS in my Kernel:

    -

    + +

    +

    +

    /etc/shorewall/tcrules

    +

    The fwmark classifier provides a convenient way to classify -packets for traffic shaping. The /etc/shorewall/tcrules file provides a means -for specifying these marks in a tabular fashion.

    + packets for traffic shaping. The /etc/shorewall/tcrules file provides a +means for specifying these marks in a tabular fashion.

    +

    Columns in the file are as follows:

    +
      -
    • MARK - Specifies the mark value is to be assigned in case of - a match. This is an integer in the range 1-255.
      -
      - Example - 5
      -
      • -
    • SOURCE - The source of the packet. If the packet originates - on the firewall, place "fw" in this column. Otherwise, this is a - comma-separated list of interface names, IP addresses, MAC addresses in - Shorewall Format and/or Subnets.
      -
      - Examples
      -     eth0
      -     192.168.2.4,192.168.1.0/24
      -
      • -
    • DEST -- Destination of the packet. Comma-separated list of - IP addresses and/or subnets.
      -
      • -
    • PROTO - Protocol - Must be the name of a protocol from - /etc/protocol, a number or "all"
      -
      • -
    • PORT(S) - Destination Ports. A comma-separated list of Port - names (from /etc/services), port numbers or port ranges (e.g., 21:22); if - the protocol is "icmp", this column is interpreted as the - destination icmp type(s).
      -
      • -
    • CLIENT PORT(S) - (Optional) Port(s) used by the client. If - omitted, any source port is acceptable. Specified as a comma-separate list - of port names, port numbers or port ranges.
      • +
    • MARK - Specifies the mark value is to be assigned in case of +a match. This is an integer in the range 1-255.
      +
      + Example - 5
      +
      • +
    • SOURCE - The source of the packet. If the packet originates on +the firewall, place "fw" in this column. Otherwise, this is a comma-separated +list of interface names, IP addresses, MAC addresses in Shorewall Format and/or Subnets.
      +
      + Examples
      +     eth0
      +     192.168.2.4,192.168.1.0/24
      +
      • +
    • DEST -- Destination of the packet. Comma-separated list of IP +addresses and/or subnets.
      +
      • +
    • PROTO - Protocol - Must be the name of a protocol from /etc/protocol, +a number or "all"
      +
      • +
    • PORT(S) - Destination Ports. A comma-separated list of Port names +(from /etc/services), port numbers or port ranges (e.g., 21:22); if the +protocol is "icmp", this column is interpreted as the destination icmp +type(s).
      +
      • +
    • CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted, +any source port is acceptable. Specified as a comma-separate list of port +names, port numbers or port ranges.
      • +
    -

    Example 1 - All packets arriving on eth1 should be marked with -1. All packets arriving on eth2 should be marked with 2. All packets originating -on the firewall itself should be marked with 3.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +

    Example 1 - All packets arriving on eth1 should be marked +with 1. All packets arriving on eth2 should be marked with 2. All packets +originating on the firewall itself should be marked with 3.

    + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  
    3fw0.0.0.0/0all  
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  
    3fw0.0.0.0/0all  
    -

    Example 2 - All GRE (protocol 47) packets not originating on the -firewall and destined for 155.186.235.151 should be marked with 12.

    - - - - - - - - - - - - - - - - - + +

    Example 2 - All GRE (protocol 47) packets not originating +on the firewall and destined for 155.186.235.151 should be marked with 12.

    + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    120.0.0.0/0155.186.235.15147  
    + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    120.0.0.0/0155.186.235.15147  
    -

    Example 3 - All SSH packets originating in 192.168.1.0/24 and -destined for 155.186.235.151 should be marked with 22.

    - - - - - - - - - - - - - - - - - + +

    Example 3 - All SSH packets originating in 192.168.1.0/24 +and destined for 155.186.235.151 should be marked with 22.

    + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    22192.168.1.0/24155.186.235.151tcp22 
    + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    22192.168.1.0/24155.186.235.151tcp22 
    +

    Hierarchical Token Bucket

    -

    I personally use HTB. I have found a couple of things that may be of -use to others.

    + +

    I personally use HTB. I have found a couple of things that may be of use +to others.

    +
      -
    • The gzipped tc binary at the HTB - website didn't work for me -- I had to download the lastest version of - the iproute2 sources and patch - them for HTB.
      • -
    • The HTB example in the HOWTO seems to be full of errors. I'm currently - running with this set of shaping rules in my tcstart file so I know that it works.
      • +
    • The gzipped tc binary at the HTB website didn't work +for me -- I had to download the lastest version of the iproute2 sources and patch +them for HTB.
      • +
    • I'm currently running with this set of shaping rules in my tcstart +file. I recently changed from using a ceiling of 10Mbit (interface speed) +to 384kbit (DSP Uplink speed).
      +
      +
      • +
    -
    -

    run_tc qdisc add dev eth0 root handle 1: htb default 30
    -
    - run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k
    -
    - run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k
    - run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k
    - run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil   - 10mbit burst 15k
    -
    - run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
    - run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
    - run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10
    -
    - run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
    - run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
    - run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30 -

    -

    My tcrules file is shown in Example 1 above. You can look at my network - configuration to get an idea of why I want these particular rules.
    -

    -
    -

    Last Updated 8/24/2002 - Tom -Eastep

    - + +
    + 
    run_tc qdisc add dev eth0 root handle 1: htb default 30
    run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

    echo "   Added Top Level Class -- rate 384kbit"
    + + 
    run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k
    run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k
    run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500
    + + 
    echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
    + + 
    run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
    run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
    run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10
    + + 
    echo "   Enabled SFQ on Second Level Classes"
    + + 
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
    + + 
    echo "   Defined fwmark filters"
    + +

    My tcrules file is shown in Example 1 above. You can look at my network configuration to get an idea of why I want +these particular rules.
    +

    +
    + +

    Last Updated 10/25/2002 - Tom Eastep

    +

    Copyright2001, 2002 Thomas M. Eastep.

    - + © 2001, 2002 Thomas M. Eastep.

    +
    +
    - - \ No newline at end of file + diff --git a/STABLE/documentation/troubleshoot.htm b/STABLE/documentation/troubleshoot.htm index 964d3df21..1e69a028e 100644 --- a/STABLE/documentation/troubleshoot.htm +++ b/STABLE/documentation/troubleshoot.htm @@ -1,205 +1,199 @@ - - + + Shorewall Troubleshooting - + - + - - - + - - - - - - - -
    -

    Shorewall Troubleshooting

    -
    + + + + + + + + +
    +

    Shorewall Troubleshooting

    +
    + +

    Check the Errata

    + +

    Check the Shorewall Errata to be +sure that there isn't an update that you are missing for your version of +the firewall.

    + +

    Check the FAQs

    + +

    Check the FAQs for solutions to common +problems.

    + +

    If the firewall fails to start

    + If you receive an error message when starting or restarting the firewall +and you can't determine the cause, then do the following: +
      +
    • shorewall debug start 2> /tmp/trace
      • +
    • Look at the /tmp/trace file and see if that helps you determine +what the problem is.
      • +
    • If you still can't determine what's wrong then see the support page.
      • - - -

      Check the Errata

      - -

      Check the Shorewall Errata - to be sure that there isn't an update that you are missing for your version -of the firewall.

      - -

      Check the FAQs

      - -

      Check the FAQs for solutions to common problems.

      - - - -

      If the firewall fails to start

      - - If you -receive an error message when starting or restarting the firewall and you -can't determine the cause, then do the following: -
        -
      • shorewall debug start 2> /tmp/trace
        • -
      • Look at the /tmp/trace file and see if that helps you determine what -the problem is.
        • -
      • If you still can't determine what's wrong then see the - support page.
        • -
      -

      Your test environment

      -

      Many times when people have problems with Shorewall, the problem is - actually an ill-conceived test setup. Here are several popular snafus:

      -
        -
      • Port - Forwarding where client and server are in the same subnet. See FAQ - 2.
        • -
      • Changing the IP address of a local system to be in the external subnet, - thinking that Shorewall will suddenly believe that the system is in the - 'net' zone.
        • -
      • Multiple interfaces connected to the same HUB or Switch. Given the way - that the Linux kernel respond to ARP "who-has" requests, this type of setup - does NOT work the way that you expect it to.
        • -
      - -

      If you are having -connection problems:

      - -

      If the appropriate policy for the connection that you -are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING -TO MAKE IT WORK. Such additional rules will NEVER make it work, they add -clutter to your rule set and they represent a big security hole in the event -that you forget to remove them later.

      - -

      I also recommend against setting all of your policies to - ACCEPT in an effort to make something work. That robs you of one of your - best diagnostic tools - the "Shorewall" messages that Netfilter will - generate when you try to connect in a way that isn't permitted by your - rule set.

      - -

      Check your log. If you don't see Shorewall messages, -then your problem is probably NOT a Shorewall problem. If you DO see packet -messages, it is an indication that you are missing one or more rules.

      - -

      While you are troubleshooting, it is a good idea to clear +

    + +

    Your test environment

    + +

    Many times when people have problems with Shorewall, the problem is + actually an ill-conceived test setup. Here are several popular snafus:

    + +
      +
    • Port Forwarding where client and server are in the same +subnet. See FAQ 2.
      • +
    • Changing the IP address of a local system to be in the external +subnet, thinking that Shorewall will suddenly believe that the system +is in the 'net' zone.
      • +
    • Multiple interfaces connected to the same HUB or Switch. Given the +way that the Linux kernel respond to ARP "who-has" requests, this type +of setup does NOT work the way that you expect it to.
      • + +
    + +

    If you are having connection problems:

    + +

    If the appropriate policy for the connection that you are +trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING +TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter +to your rule set and they represent a big security hole in the event that +you forget to remove them later.

    + +

    I also recommend against setting all of your policies to + ACCEPT in an effort to make something work. That robs you of one of +your best diagnostic tools - the "Shorewall" messages that Netfilter +will generate when you try to connect in a way that isn't permitted +by your rule set.

    + +

    Check your log. If you don't see Shorewall messages, then +your problem is probably NOT a Shorewall problem. If you DO see packet messages, +it may be an indication that you are missing one or more rules -- see FAQ 17.

    + +

    While you are troubleshooting, it is a good idea to clear two variables in /etc/shorewall/shorewall.conf:

    - -

    LOGRATE=""
    - LOGBURST=""

    - -

    This way, you will see all of the log messages being - generated (be sure to restart shorewall after clearing these variables).

    - -

    Example:

    - - - -

    Jun 27 15:37:56 gateway kernel: - Shorewall:all2all:REJECT:IN=eth2 -OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 -ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

    - -     - -

    Let's look at the important parts of this message:

    + +

    LOGRATE=""
    + LOGBURST=""

    + +

    This way, you will see all of the log messages being + generated (be sure to restart shorewall after clearing these variables).

    + +

    Example:

    + +

    Jun 27 15:37:56 gateway kernel: + Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 +LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

    +     +

    Let's look at the important parts of this message:

    + +
      +
    • all2all:REJECT - This packet was REJECTed out of the all2all chain +-- the packet was rejected under the "all"->"all" REJECT policy (see + FAQ 17).
      • +
    • IN=eth2 - the packet entered the firewall via eth2
      • +
    • OUT=eth1 - if accepted, the packet would be sent on eth1
      • +
    • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
      • +
    • DST=192.168.1.3 - the packet is destined for 192.168.1.3
      • +
    • PROTO=UDP - UDP Protocol
      • +
    • DPT=53 - DNS
      • -
        -
      • all2all:REJECT - the packet was rejected under the "all"->"all" REJECT -policy
        • -
      • IN=eth2 - the packet entered the firewall via eth2
        • -
      • OUT=eth1 - if accepted, the packet would be sent on eth1
        • -
      • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
        • -
      • DST=192.168.1.3 - the packet is destined for 192.168.1.3
        • -
      • PROTO=UDP - UDP Protocol
        • -
      • DPT=53 - DNS
        • -
      - -

      In this case, 192.168.2.2 was in the "dmz" zone and -192.168.1.3 is in the "loc" zone. I was missing the rule:

      - -

      ACCEPT    dmz    loc    udp    53

      - - - -

      Other Gotchas

      - -
        -
      • Seeing rejected/dropped packets logged out of the INPUT or FORWARD - chains? This means that:
          -
        1. your zone definitions are screwed up and the host that is sending the - packets or the destination host isn't in any zone (using an - /etc/shorewall/hosts file are you?); - or
          2. -
        2. the source and destination hosts are both connected to the same - interface and that interface doesn't have the 'multi' option specified in - /etc/shorewall/interfaces.
          3. +
      + +

      In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 +is in the "loc" zone. I was missing the rule:

      + +

      ACCEPT    dmz    loc    udp    53

      + +

      Other Gotchas

      + +
        +
      • Seeing rejected/dropped packets logged out of the INPUT or FORWARD + chains? This means that: +
          +
        1. your zone definitions are screwed up and the host that is sending +the packets or the destination host isn't in any zone (using an + /etc/shorewall/hosts file are you?); + or
          2. +
        2. the source and destination hosts are both connected to the same + interface and that interface doesn't have the 'multi' option specified +in /etc/shorewall/interfaces.
          3. +
        -
        • -
      • Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping") -requests to be sent between zones. If you want pings to be allowed between -zones, you need a rule of the form:
        -
        -     ACCEPT    <source zone>    <destination zone>    +
        • +
      • Remember that Shorewall doesn't automatically allow ICMP type +8 ("ping") requests to be sent between zones. If you want pings to be +allowed between zones, you need a rule of the form:
        +
        +     ACCEPT    <source zone>    <destination zone>    icmp    echo-request
        -
        - The ramifications of this can be subtle. For example, if you have the - following in /etc/shorewall/nat:
        -
        -     10.1.1.2    eth0    130.252.100.18
        -
        - and you ping 130.252.100.18, unless you have allowed icmp type 8 between -the zone containing the system you are pinging from and the zone containing - 10.1.1.2, the ping requests will be dropped. This is true even if you +
        + The ramifications of this can be subtle. For example, if you have the + following in /etc/shorewall/nat:
        +
        +     10.1.1.2    eth0    130.252.100.18
        +
        + and you ping 130.252.100.18, unless you have allowed icmp type 8 between +the zone containing the system you are pinging from and the zone containing + 10.1.1.2, the ping requests will be dropped. This is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.
        • -
      • If you specify "routefilter" for an interface, that interface must be -up prior to starting the firewall.
        • -
      • Is your routing correct? For example, internal systems usually need to - be configured with their default gateway set to the IP address of their - nearest firewall interface. One often overlooked aspect of routing is that - in order for two hosts to communicate, the routing between them must be set - up in both directions. So when setting up routing between A - and B, be sure to verify that the route from B back to A - is defined.
        • -
      • Some versions of LRP (EigerStein2Beta for example) have a shell with -broken variable expansion. -You can get a corrected shell from the Shorewall Errata download site. -
        • -
      • Do you have your kernel properly configured? Click - here to see my kernel configuration.
        • -
      • Some features require the "ip" program. That program is generally included -in the "iproute" package which should be included with your distribution -(though many distributions don't install iproute by default). You -may also download the latest source tarball from -ftp://ftp.inr.ac.ru/ip-routing +
      • If you specify "routefilter" for an interface, that interface +must be up prior to starting the firewall.
        • +
      • Is your routing correct? For example, internal systems usually need +to be configured with their default gateway set to the IP address of +their nearest firewall interface. One often overlooked aspect of routing +is that in order for two hosts to communicate, the routing between them +must be set up in both directions. So when setting up routing +between A and B, be sure to verify that the route from + B back to A is defined.
        • +
      • Some versions of LRP (EigerStein2Beta for example) have a shell +with broken variable expansion. You can get a corrected +shell from the Shorewall Errata download site.
        • +
      • Do you have your kernel properly configured? Click here to see my kernel configuration.
        • +
      • Some features require the "ip" program. That program is generally +included in the "iproute" package which should be included with your +distribution (though many distributions don't install iproute by +default). You may also download the latest source tarball from ftp://ftp.inr.ac.ru/ip-routing .
        • -
      • If you have any entry for a zone in /etc/shorewall/hosts then the -zone must be entirely defined in /etc/shorewall/hosts unless you have - specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if -a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts -then hosts attached to the other interface will not be considered -part of the zone.
        • -
      • Problems with NAT? Be sure that you let Shorewall add all external addresses -to be use with NAT unless you have set -ADD_IP_ALIASES -=No in /etc/shorewall/shorewall.conf.
        • -
      -

      Still Having Problems?

      -

      See the support page.

      +
    • If you have any entry for a zone in /etc/shorewall/hosts +then the zone must be entirely defined in /etc/shorewall/hosts unless you +have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). +For example, if a zone has two interfaces but only one interface has an +entry in /etc/shorewall/hosts then hosts attached to the other interface +will not be considered part of the zone.
      • +
    • Problems with NAT? Be sure that you let Shorewall add all external +addresses to be use with NAT unless you have set ADD_IP_ALIASES =No in /etc/shorewall/shorewall.conf.
      • + +
    + +

    Still Having Problems?

    + +

    See the support page.

    + +
    +     +

    Last updated 10/17/2002 - Tom Eastep

    - - -
    - -     - -

    Last updated 9/13/2002 - -Tom Eastep -

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    - +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    +
    - \ No newline at end of file + diff --git a/STABLE/documentation/upgrade_issues.htm b/STABLE/documentation/upgrade_issues.htm index d815e38dd..ba8f2ce32 100644 --- a/STABLE/documentation/upgrade_issues.htm +++ b/STABLE/documentation/upgrade_issues.htm @@ -1,170 +1,178 @@ - + Upgrade Issues - + - + - + - + - - - + + - - - + + + +
    +

    Upgrade Issues

    -
    - +

    For upgrade instructions see the Install/Upgrade page.

    - + +

    Version 1.3.10

    +If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version +1.3.10, you will need to use the '--force' option:
    +
    +
    + 
    rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm 
    +

    Version >= 1.3.9

    - The 'functions' file has moved to /usr/lib/shorewall/functions. If you have -an application that uses functions from that file, your application will need -to be changed to reflect this change of location.
    - + The 'functions' file has moved to /usr/lib/shorewall/functions. If you +have an application that uses functions from that file, your application +will need to be changed to reflect this change of location.
    +

    Version >= 1.3.8

    - -

    If you have a pair of firewall systems configured for failover - or if you have asymmetric routing, you will need to modify - your firewall setup slightly under Shorewall - versions >= 1.3.8. Beginning with version 1.3.8, - you must set NEWNOTSYN=Yes in your - /etc/shorewall/shorewall.conf file.

    - + +

    If you have a pair of firewall systems configured for failover + or if you have asymmetric routing, you will need to modify + your firewall setup slightly under Shorewall + versions >= 1.3.8. Beginning with version 1.3.8, + you must set NEWNOTSYN=Yes in your + /etc/shorewall/shorewall.conf file.

    +

    Version >= 1.3.7

    - -

    Users specifying ALLOWRELATED=No in /etc/shorewall.conf - will need to include the following rules in - their /etc/shorewall/icmpdef file (creating - this file if necessary):

    - + +

    Users specifying ALLOWRELATED=No in /etc/shorewall.conf + will need to include the following rules +in their /etc/shorewall/icmpdef file (creating + this file if necessary):

    + 
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    - -

    Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" - command from that file since the icmp.def file is now empty.

    - -

    Upgrading Bering to - Shorewall >= 1.3.3

    - -

    To properly upgrade with Shorewall version - 1.3.3 and later:

    - + +

    Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" + command from that file since the icmp.def file is now empty.

    + +

    Upgrading Bering to + Shorewall >= 1.3.3

    + +

    To properly upgrade with Shorewall version + 1.3.3 and later:

    +
      -
    1. Be sure you have a backup -- you -will need to transcribe any Shorewall configuration - changes that you have made to the new - configuration.
      2. -
    2. Replace the shorwall.lrp package -provided on the Bering floppy with the -later one. If you did not obtain the later -version from Jacques's site, see additional -instructions below.
      3. -
    3. Edit the /var/lib/lrpkg/root.exclude.list - file and remove the /var/lib/shorewall entry - if present. Then do not forget to backup - root.lrp !
      4. - +
    4. Be sure you have a backup -- you +will need to transcribe any Shorewall configuration + changes that you have made to the new + configuration.
      5. +
    5. Replace the shorwall.lrp package +provided on the Bering floppy with the later +one. If you did not obtain the later version +from Jacques's site, see additional instructions + below.
      6. +
    6. Edit the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall +entry if present. Then do not forget to +backup root.lrp !
      7. +
    - -

    The .lrp that I release isn't set up for a two-interface firewall like - Jacques's. You need to follow the instructions - for setting up a two-interface firewall plus you also need to add the - following two Bering-specific rules to /etc/shorewall/rules:

    - -
    + +

    The .lrp that I release isn't set up for a two-interface firewall like + Jacques's. You need to follow the instructions + for setting up a two-interface firewall plus you also need to add +the following two Bering-specific rules to /etc/shorewall/rules:

    + +
    # Bering specific rules:
    # allow loc to fw udp/53 for dnscache to work
    # allow loc to fw tcp/80 for weblet to work
    #
    ACCEPT loc fw udp 53
    ACCEPT loc fw tcp 80
    -
    - +
    +

    Version 1.3.6 and 1.3.7

    - -

    If you have a pair of firewall systems configured for - failover or if you have asymmetric routing, you will need to modify - your firewall setup slightly under Shorewall versions 1.3.6 and - 1.3.7

    - + +

    If you have a pair of firewall systems configured for + failover or if you have asymmetric routing, you will need to modify + your firewall setup slightly under Shorewall versions 1.3.6 +and 1.3.7

    +
      -
    1. -

      Create the file /etc/shorewall/newnotsyn and in it add - the following rule
      -
      - run_iptables -A newnotsyn -j RETURN # +

    2. +

      Create the file /etc/shorewall/newnotsyn and in it add + the following rule
      +
      + run_iptables -A newnotsyn -j RETURN # So that the connection tracking table can be rebuilt
      -                                     # from non-SYN packets -after takeover.
      -  

      -
      3. -
    3. -

      Create /etc/shorewall/common (if you don't already - have that file) and include the following:
      -
      - run_iptables -A common -p tcp --tcp-flags - ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
      -                                                                     - #tracking table.
      - . /etc/shorewall/common.def

      -
      4. - +                                     # from non-SYN packets + after takeover.
      +  

      + +
    4. +

      Create /etc/shorewall/common (if you don't already + have that file) and include the following:
      +
      + run_iptables -A common -p tcp --tcp-flags + ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
      +                                                                     + #tracking table.
      + . /etc/shorewall/common.def

      +
      5. +
    - +

    Versions >= 1.3.5

    - -

    Some forms of pre-1.3.0 rules file syntax are no - longer supported.

    - + +

    Some forms of pre-1.3.0 rules file syntax are no + longer supported.

    +

    Example 1:

    - -
    + +
    	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
    -
    - +
    +

    Must be replaced with:

    - -
    + +
    	DNAT	net	loc:192.168.1.12:22	tcp	11111
    -
    - -
    +
    + +

    Example 2:

    -
    - -
    +
    + +
    	ACCEPT	loc	fw::3128	tcp	80	-	all
    -
    - -
    +
    + +

    Must be replaced with:

    -
    - -
    +
    + +
    	REDIRECT	loc	3128	tcp	80
    -
    - +
    +

    Version >= 1.3.2

    - -

    The functions and versions files together with the - 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. - If you have applications that access these files, those applications - should be modified accordingly.

    - -

    Last updated 9/30/2002 - - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    -
    + +

    The functions and versions files together with the + 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. + If you have applications that access these files, those applications + should be modified accordingly.

    + +

    Last updated 11/09/2002 - + Tom Eastep

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    +
    +



    diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 506ebe8c8..76fa4491f 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.3.9b +VERSION=1.3.10 usage() # $1 = exit status { @@ -38,7 +38,7 @@ usage() # $1 = exit status restore_file() # $1 = file to restore { - if [ -f ${1}-${VERSION}.bkout ]; then + if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then if (mv -f ${1}-${VERSION}.bkout $1); then echo echo "$1 restored" @@ -62,6 +62,10 @@ if [ -L /usr/lib/shorewall/firewall ]; then elif [ -L /var/lib/shorewall/firewall ]; then FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'` restore_file $FIREWALL +elif [ -L /usr/lib/shorewall/init ]; then + FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'` + restore_file $FIREWALL + restore_file /usr/lib/shorewall/firewall fi restore_file /sbin/shorewall @@ -73,6 +77,7 @@ restore_file /etc/shorewall/shorewall.conf restore_file /etc/shorewall/functions restore_file /usr/lib/shorewall/functions restore_file /var/lib/shorewall/functions +restore_file /usr/lib/shorewall/firewall restore_file /etc/shorewall/common.def @@ -96,6 +101,8 @@ restore_file /etc/shorewall/proxyarp restore_file /etc/shorewall/routestopped +restore_file /etc/shorewall/maclist + restore_file /etc/shorewall/masq restore_file /etc/shorewall/modules diff --git a/STABLE/firewall b/STABLE/firewall index 04c56de17..b44f429ae 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -1,5 +1,4 @@ #!/bin/sh -RCDLINKS="2,S41 3,S41 6,K41" # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002 # @@ -42,23 +41,10 @@ RCDLINKS="2,S41 3,S41 6,K41" # shorewall check Verify the more heavily-used # configuration files. -#### BEGIN INIT INFO -# Provides: shorewall -# Required-Start: $network -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Description: starts and stops the shorewall firewall -### END INIT INFO - -# chkconfig: 2345 25 90 -# description: Packet filtering firewall # - -############################################################################### -# Search a list looking for a match -- returns zero if a match found # -# 1 otherwise # -############################################################################### +# Search a list looking for a match -- returns zero if a match found +# 1 otherwise +# list_search() # $1 = element to search for , $2-$n = list { local e=$1 @@ -70,21 +56,22 @@ list_search() # $1 = element to search for , $2-$n = list return 1 } -############################################################################### -# Function to count list elements # -############################################################################### + +# +# Function to count list elements +# list_count() { local temp="`separate_list $1`" echo $temp | wc -w } -############################################################################### -# Mutual exclusion -- These functions are jackets for the mutual exclusion # -# routines in /usr/lib/shorewall/functions. They invoke # -# the corresponding function in that file if the user did # -# not specify "nolock" on the runline. # -############################################################################### +# +# Mutual exclusion -- These functions are jackets for the mutual exclusion +# routines in /usr/lib/shorewall/functions. They invoke +# the corresponding function in that file if the user did +# not specify "nolock" on the runline. +# my_mutex_on() { [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; } } @@ -93,17 +80,17 @@ my_mutex_off() { [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } } -############################################################################### -# Message to stderr # -############################################################################### +# +# Message to stderr +# error_message() # $* = Error Message { echo " $@" >&2 } -############################################################################### -# Fatal error -- stops the firewall after issuing the error message # -############################################################################### +# +# Fatal error -- stops the firewall after issuing the error message +# fatal_error() # $* = Error Message { echo " $@" >&2 @@ -111,10 +98,10 @@ fatal_error() # $* = Error Message exit 2 } -############################################################################### -# Fatal error during startup -- generate an error message and abend with # -# altering the state of the firewall # -############################################################################### +# +# Fatal error during startup -- generate an error message and abend with +# altering the state of the firewall +# startup_error() # $* = Error Message { echo " $@" >&2 @@ -124,25 +111,25 @@ startup_error() # $* = Error Message exit 2 } -############################################################################### -# Send a message to STDOUT and the System Log # -############################################################################### +# +# Send a message to STDOUT and the System Log +# report () { # $* = message echo "$@" logger "$@" } -############################################################################### -# Perform variable substitution on the passed argument and echo the result # -############################################################################### +# +# Perform variable substitution on the passed argument and echo the result +# expand() # $1 = contents of variable which may be the name of another variable { eval echo \"$1\" } -############################################################################### -# Perform variable substitition on the values of the passed list of variables # -############################################################################### +# +# Perform variable substitition on the values of the passed list of variables +# expandv() # $* = list of variable names { local varval @@ -154,50 +141,50 @@ expandv() # $* = list of variable names done } -################################################################################ -# Run iptables and if an error occurs, stop the firewall and quit # -################################################################################ +# +# Run iptables and if an error occurs, stop the firewall and quit +# run_iptables() { if ! iptables `echo $@ | sed 's/!/! /g'`; then [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } -################################################################################ -# Run ip and if an error occurs, stop the firewall and quit # -################################################################################ +# +# Run ip and if an error occurs, stop the firewall and quit +# run_ip() { if ! ip $@ ; then [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } -################################################################################ -# Run arp and if an error occurs, stop the firewall and quit # -################################################################################ +# +# Run arp and if an error occurs, stop the firewall and quit +# run_arp() { if ! arp $@ ; then [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } -################################################################################ -# Run tc and if an error occurs, stop the firewall and quit # -################################################################################ +# +# Run tc and if an error occurs, stop the firewall and quit +# run_tc() { if ! tc $@ ; then [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } -################################################################################ -# Create a filter chain # -# # -# If the chain isn't one of the common chains then add a rule to the chain # -# allowing packets that are part of an established connection. Create a # -# variable ${1}_exists and set its value to Yes to indicate that the chain now # -# exists. # -################################################################################ +# +# Create a filter chain +# +# If the chain isn't one of the common chains then add a rule to the chain +# allowing packets that are part of an established connection. Create a +# variable ${1}_exists and set its value to Yes to indicate that the chain now +# exists. +# createchain() # $1 = chain name, $2 = If non-null, don't create default rules { local target @@ -215,41 +202,41 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules eval ${1}_exists=Yes } -################################################################################ -# Determine if a chain exists # -# # -# When we create a chain "chain", we create a variable named chain_exists and # -# set its value to Yes. This function tests for the "_exists" variable # -# corresponding to the passed chain having the value of "Yes". # -################################################################################ +# +# Determine if a chain exists +# +# When we create a chain "chain", we create a variable named chain_exists and +# set its value to Yes. This function tests for the "_exists" variable +# corresponding to the passed chain having the value of "Yes". +# havechain() # $1 = name of chain { eval test \"\$${1}_exists\" = Yes } -################################################################################ -# Ensure that a chain exists (create it if it doesn't) # -################################################################################ +# +# Ensure that a chain exists (create it if it doesn't) +# ensurechain() # $1 = chain name { havechain $1 || createchain $1 } -################################################################################ -# Add a rule to a chain creating the chain if necessary # -################################################################################ +# +# Add a rule to a chain creating the chain if necessary +# addrule() # $1 = chain name, remainder of arguments specify the rule { ensurechain $1 run_iptables -A $@ } -################################################################################ -# Create a nat chain # -# # -# Create a variable ${1}_nat_exists and set its value to Yes to indicate that # -# the chain now exists. # -################################################################################ +# +# Create a nat chain +# +# Create a variable ${1}_nat_exists and set its value to Yes to indicate that +# the chain now exists. +# createnatchain() # $1 = chain name { run_iptables -t nat -N $1 @@ -257,73 +244,73 @@ createnatchain() # $1 = chain name eval ${1}_nat_exists=Yes } -################################################################################ -# Determine if a nat chain exists # -# # -# When we create a chain "chain", we create a variable named chain_nat_exists # -# and set its value to Yes. This function tests for the "_exists" variable # -# corresponding to the passed chain having the value of "Yes". # -################################################################################ +# +# Determine if a nat chain exists +# +# When we create a chain "chain", we create a variable named chain_nat_exists +# and set its value to Yes. This function tests for the "_exists" variable +# corresponding to the passed chain having the value of "Yes". +# havenatchain() # $1 = name of chain { eval test \"\$${1}_nat_exists\" = Yes } -################################################################################ -# Ensure that a chain exists (create it if it doesn't) # -################################################################################ +# +# Ensure that a chain exists (create it if it doesn't) +# ensurenatchain() # $1 = chain name { havenatchain $1 || createnatchain $1 } -################################################################################ -# Add a rule to a nat chain creating the chain if necessary # -################################################################################ +# +# Add a rule to a nat chain creating the chain if necessary +# addnatrule() # $1 = chain name, remainder of arguments specify the rule { ensurenatchain $1 run_iptables -t nat -A $@ } -################################################################################ -# Delete a chain if it exists # -################################################################################ +# +# Delete a chain if it exists +# deletechain() # $1 = name of chain { qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 } -################################################################################ -# Set a standard chain's policy # -################################################################################ +# +# Set a standard chain's policy +# setpolicy() # $1 = name of chain, $2 = policy { run_iptables -P $1 $2 } -################################################################################ -# Set a standard chain to enable established connections # -################################################################################ +# +# Set a standard chain to enable established connections +# setcontinue() # $1 = name of chain { run_iptables -A $1 -m state --state ESTABLISHED -j ACCEPT } -################################################################################ -# Flush one of the NAT table chains # -################################################################################ +# +# Flush one of the NAT table chains +# flushnat() # $1 = name of chain { run_iptables -t nat -F $1 } -################################################################################ -# Find interfaces to a given zone # -# # -# Read the interfaces file and for each record matching the passed ZONE, # -# echo the expanded contents of the "INTERFACE" column # -################################################################################ +# +# Find interfaces to a given zone +# +# Read the interfaces file and for each record matching the passed ZONE, +# echo the expanded contents of the "INTERFACE" column +# find_interfaces() # $1 = interface zone { local zne=$1 @@ -333,9 +320,9 @@ find_interfaces() # $1 = interface zone done < $TMP_DIR/interfaces } -################################################################################ -# Chain name base for an interface # -################################################################################ +# +# Chain name base for an interface +# chain_base() #$1 = interface { local c=${1%%+*} @@ -343,57 +330,75 @@ chain_base() #$1 = interface echo ${c:=common} } -################################################################################ -# Forward Chain for an interface # -################################################################################ +# +# Forward Chain for an interface +# forward_chain() # $1 = interface { echo `chain_base $1`_fwd } -################################################################################ -# Input Chain for an interface # -################################################################################ +# +# Input Chain for an interface +# input_chain() # $1 = interface { echo `chain_base $1`_in } -################################################################################ -# Output Chain for an interface # -################################################################################ +# +# Input Chains (input and forward) for an interface +# +input_chains() # $1 = interface +{ + local base=`chain_base $1` + + echo ${base}_in ${base}_fwd +} + +# +# Output Chain for an interface +# output_chain() # $1 = interface { echo `chain_base $1`_out } -################################################################################ -# Masquerade Chain for an interface # -################################################################################ +# +# Masquerade Chain for an interface +# masq_chain() # $1 = interface { echo `chain_base $1`_masq } -################################################################################ -# DNAT Chain from a zone # -################################################################################ +# +# MAC Verification Chain for an interface +# +mac_chain() # $1 = interface +{ + echo `chain_base $1`_mac +} + +# +# DNAT Chain from a zone +# dnat_chain() # $1 = zone { echo ${1}_dnat } -################################################################################ -# SNAT Chain to a zone # -################################################################################ +# +# SNAT Chain to a zone +# snat_chain() # $1 = zone { echo ${1}_snat } -################################################################################ -# First chains for an interface # -################################################################################ +# +# First chains for an interface +# first_chains() #$1 = interface { local c=`chain_base $1` @@ -401,12 +406,12 @@ first_chains() #$1 = interface echo ${c}_fwd ${c}_in } -################################################################################ -# Find hosts in a given zone # -# # -# Read hosts file and for each record matching the passed ZONE, # -# echo the expanded contents of the "HOST(S)" column # -################################################################################ +# +# Find hosts in a given zone +# +# Read hosts file and for each record matching the passed ZONE, +# echo the expanded contents of the "HOST(S)" column +# find_hosts() # $1 = host zone { local hosts @@ -416,12 +421,12 @@ find_hosts() # $1 = host zone done < $TMP_DIR/hosts } -################################################################################ -# Determine the interfaces on the firewall # -# # -# For each zone, create a variable called ${zone}_interfaces. This # -# variable contains a space-separated list of interfaces to the zone # -################################################################################ +# +# Determine the interfaces on the firewall +# +# For each zone, create a variable called ${zone}_interfaces. This +# variable contains a space-separated list of interfaces to the zone +# determine_interfaces() { for zone in $zones; do interfaces=`find_interfaces $zone` @@ -430,9 +435,9 @@ determine_interfaces() { done } -################################################################################ -# Determine the defined hosts in each zone and generate report # -################################################################################ +# +# Determine the defined hosts in each zone and generate report +# determine_hosts() { do_a_zone() { @@ -470,19 +475,19 @@ determine_hosts() { hosts=`echo $hosts` # Remove extra trash if [ -n "MERGE_HOSTS" ]; then - #################################################################### + # # Zone will be the union of its host and interface definitions # do_a_zone recalculate_interfaces elif [ -n "$hosts" ]; then - #################################################################### + # # Zone is defined in terms of hosts -- derive the interface list # from the host list # - recalculate_interfaces + recalculate_interface else - #################################################################### + # # If no hosts are defined for a zone then the zone consists of any # host that can send us messages via the interfaces to the zone # @@ -500,17 +505,17 @@ determine_hosts() { done } -################################################################################ -# Ensure that the passed zone is defined in the zones file or is the firewall # -################################################################################ +# +# Ensure that the passed zone is defined in the zones file or is the firewall +# validate_zone() # $1 = zone { list_search $1 $zones $FW } -################################################################################ -# Validate the zone names and options in the interfaces file # -################################################################################ +# +# Validate the zone names and options in the interfaces file +# validate_interfaces_file() { while read z interface subnet options; do expandv z interface subnet options @@ -526,7 +531,7 @@ validate_interfaces_file() { case $option in dhcp|noping|filterping|routestopped|norfc1918|multi) ;; - routefilter|dropunclean|logunclean|blacklist|proxyarp|-) + routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) ;; *) error_message "Warning: Invalid option ($option) in record \"$r\"" @@ -539,9 +544,9 @@ validate_interfaces_file() { done < $TMP_DIR/interfaces } -################################################################################ -# Validate the zone names and options in the hosts file # -################################################################################ +# +# Validate the zone names and options in the hosts file +# validate_hosts_file() { while read z hosts options; do expandv z hosts options @@ -556,7 +561,7 @@ validate_hosts_file() { for option in `separate_list $options`; do case $option in - routestopped|-) + routestopped|maclist|-) ;; *) error_message "Warning: Invalid option ($option) in record \"$r\"" @@ -567,28 +572,28 @@ validate_hosts_file() { done < $TMP_DIR/hosts } -################################################################################ -# Format a match by the passed MAC address # -# The passed address begins with "~" and uses "-" as a separator between bytes # -# Example: ~01-02-03-04-05-06 # -################################################################################ +# +# Format a match by the passed MAC address +# The passed address begins with "~" and uses "-" as a separator between bytes +# Example: ~01-02-03-04-05-06 +# mac_match() # $1 = MAC address formated as described above { echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" } -################################################################################ -# validate a record from the rules file # -# # -# The caller has loaded the column contents from the record into the following # -# variables: # -# # -# target clients servers protocol ports cports address # -# # -# and has loaded a space-separated list of their values in "rule". # -################################################################################ +# +# validate a record from the rules file +# +# The caller has loaded the column contents from the record into the following +# variables: +# +# target clients servers protocol ports cports address +# +# and has loaded a space-separated list of their values in "rule". +# validate_rule() { - ############################################################################ + # # Ensure that the passed comma-separated list has 15 or fewer elements # validate_list() { @@ -597,11 +602,11 @@ validate_rule() { [ `echo $temp | wc -w` -le 15 ] } - ############################################################################ + # # validate one rule # validate_a_rule() { - ######################################################################## + # # Determine the format of the client # cli= @@ -646,7 +651,7 @@ validate_rule() { serv= ;; esac - ################################################################ + # # Setup PROTOCOL, PORT and STATE variables # sports="" @@ -710,11 +715,11 @@ validate_rule() { fi if [ -n "${serv}${servport}" ]; then - ################################################################## + # # Destination is a Specific Server or we're redirecting a port # if [ -n "$addr" -a "$addr" != "$serv" ]; then - ############################################################## + # # Must use Prerouting DNAT # if [ -z "$NAT_ENABLED" ]; then @@ -733,9 +738,9 @@ validate_rule() { " a DNAT or REDIRECT rule: \"$rule\"" fi } - ############################################################################ + # # V a l i d a t e _ R u l e S t a r t s H e r e - ############################################################################ + # # Parse the Target and Clients columns # if [ "$target" = "${target%:*}" ]; then @@ -794,9 +799,9 @@ validate_rule() { [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ startup_error "Error: Exclude list only allowed with DNAT or REDIRECT" fi - ############################################################################ + # # Validate the Source Zone - + # if ! validate_zone $clientzone; then startup_error "Error: Undefined Client Zone in rule \"$rule\"" fi @@ -805,7 +810,7 @@ validate_rule() { [ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\" - ############################################################################ + # # Parse the servers column # if [ "$servers" = "${servers%:*}" ] ; then @@ -826,7 +831,7 @@ validate_rule() { startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" fi fi - ############################################################################ + # # Validate the destination zone # if ! validate_zone $serverzone; then @@ -834,7 +839,7 @@ validate_rule() { fi dest=$serverzone - ############################################################################ + # # Check length of port lists if MULTIPORT set # if [ -n "$MULTIPORT" ]; then @@ -844,7 +849,7 @@ validate_rule() { error_message "Warning: Too many source ports: Rule \"$rule\"" fi - ############################################################################ + # # Iterate through the various lists validating individual rules # for client in `separate_list ${clients:=-}`; do @@ -860,9 +865,9 @@ validate_rule() { echo " Rule \"$rule\" validated." } -################################################################################ -# validate the rules file # -################################################################################ +# +# validate the rules file +# validate_rules() # $1 = name of rules file { strip_file rules @@ -883,9 +888,9 @@ validate_rules() # $1 = name of rules file done < $TMP_DIR/rules } -################################################################################ -# validate the policy file # -################################################################################ +# +# validate the policy file +# validate_policy() { strip_file policy $policy @@ -921,9 +926,9 @@ validate_policy() done < $TMP_DIR/policy } -################################################################################ -# Find broadcast addresses # -################################################################################ +# +# Find broadcast addresses +# find_broadcasts() { while read z interface bcast options; do expandv interface bcast @@ -940,10 +945,34 @@ find_broadcasts() { done < $TMP_DIR/interfaces } -################################################################################ -# Find interface address--returns the first IP address assigned to the passed # -# device # -################################################################################ +# +# Find interface broadcast addresses +# +find_interface_broadcasts() # $1 = Interface name +{ + while read z interface bcast options; do + expandv interface bcast + if [ "$interface" = "$1" ]; then + if [ "x$bcast" = "xdetect" ]; then + addr="`ip addr show $interface 2> /dev/null`" + if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then + addr="`echo "$addr" | \ + grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`" + echo $addr | cut -d' ' -f 1 + fi + elif [ "x${bcast}" != "x-" ]; then + echo `separate_list $bcast` + fi + + return + fi + done < $TMP_DIR/interfaces +} + +# +# Find interface address--returns the first IP address assigned to the passed +# device +# find_interface_address() # $1 = interface { # @@ -961,9 +990,9 @@ find_interface_address() # $1 = interface echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' } -################################################################################ -# Find interfaces that have the passed option specified # -################################################################################ +# +# Find interfaces that have the passed option specified +# find_interfaces_by_option() # $1 = option { while read ignore interface subnet options; do @@ -973,9 +1002,9 @@ find_interfaces_by_option() # $1 = option done < $TMP_DIR/interfaces } -################################################################################ -# Find hosts with the passed option # -################################################################################ +# +# Find hosts with the passed option +# find_hosts_by_option() # $1 = option { while read ignore hosts options; do @@ -991,11 +1020,11 @@ find_hosts_by_option() # $1 = option done < $TMP_DIR/interfaces } -################################################################################ -# Determine if there are interfaces of the given zone and option # -# # -# Returns zero if any such interfaces are found and returns one otherwise. # -################################################################################ +# +# Determine if there are interfaces of the given zone and option +# +# Returns zero if any such interfaces are found and returns one otherwise. +# have_interfaces_in_zone_with_option() # $1 = zone, $2 = option { local zne=$1 @@ -1008,17 +1037,17 @@ have_interfaces_in_zone_with_option() # $1 = zone, $2 = option return 1 } -################################################################################ -# Flush and delete all user-defined chains in the filter table # -################################################################################ +# +# Flush and delete all user-defined chains in the filter table +# deleteallchains() { run_iptables -F run_iptables -X } -################################################################################ -# Source a user exit file if it exists # -################################################################################ +# +# Source a user exit file if it exists +# run_user_exit() # $1 = file name { local user_exit=`find_file $1` @@ -1029,9 +1058,9 @@ run_user_exit() # $1 = file name fi } -################################################################################ -# Stop the Firewall - # -################################################################################ +# +# Stop the Firewall +# stop_firewall() { stopping="Yes" @@ -1115,9 +1144,9 @@ stop_firewall() { esac } -################################################################################ -# Remove all rules and remove all user-defined chains # -################################################################################ +# +# Remove all rules and remove all user-defined chains +# clear_firewall() { stop_firewall @@ -1134,33 +1163,39 @@ clear_firewall() { logger "Shorewall Cleared" } -################################################################################ -# Set up ipsec tunnels # -################################################################################ +# +# Set up ipsec tunnels +# setup_tunnels() # $1 = name of tunnels file { local inchain local outchain - setup_one_ipsec() # $1 = gateway $2 = gateway zone + setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones { options="-m state --state NEW -j ACCEPT" addrule $inchain -p 50 -s $1 -j ACCEPT addrule $outchain -p 50 -d $1 -j ACCEPT run_iptables -A $inchain -p 51 -s $1 -j ACCEPT run_iptables -A $outchain -p 51 -d $1 -j ACCEPT - run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options - run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options - if [ -n "$2" ]; then - if validate_zone $2; then - addrule ${FW}2${2} -p udp --sport 500 --dport 500 $options - addrule ${2}2${FW} -p udp --sport 500 --dport 500 $options + run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options + + if [ $2 = ipsec ]; then + run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options + else + run_iptables -A $inchain -p udp -s $1 --dport 500 $options + fi + + for z in `separate_list $3`; do + if validate_zone $z; then + addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options + addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options else - error_message "Warning: Invalid gateway zone ($2)" \ + error_message "Warning: Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" may encounter keying problems" fi - fi + done echo " IPSEC tunnel to $gateway defined." } @@ -1170,7 +1205,23 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p $3 -s $2 -j ACCEPT addrule $outchain -p $3 -d $2 -j ACCEPT - echo " $1 tunnel to $gateway defined." + echo " $1 tunnel to $2 defined." + } + + setup_pptp_client() # $1 = gateway + { + addrule $outchain -p 47 -d $1 -j ACCEPT + addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT + + echo " PPTP tunnel to $1 defined." + } + + setup_pptp_server() + { + addrule $inchain -p 47 -j ACCEPT + addrule $inchain -p tcp --dport 1723 -j ACCEPT + + echo " PPTP server defined." } strip_file tunnels $1 @@ -1183,13 +1234,22 @@ setup_tunnels() # $1 = name of tunnels file outchain=${FW}2${z} case $kind in ipsec|IPSEC) - setup_one_ipsec $gateway $z1 + setup_one_ipsec $gateway ipsec $z1 + ;; + ipsecnat|IPSECNAT) + setup_one_ipsec $gateway ipsecnat $z1 ;; ipip|IPIP) setup_one_other IPIP $gateway 4 ;; gre|GRE) - setup_one_other GRE $gateway 47 + setup_one_other GRE $gateway 47 + ;; + pptpclient|PPTPCLIENT) + setup_pptp_client $gateway + ;; + pptpserver|PPTPSERVER) + setup_pptp_server ;; *) error_message "Tunnels of type $kind are not supported:" \ @@ -1203,9 +1263,9 @@ setup_tunnels() # $1 = name of tunnels file done < $TMP_DIR/tunnels } -################################################################################ -# Setup Proxy ARP # -################################################################################ +# +# Setup Proxy ARP +# setup_proxy_arp() { print_error() { @@ -1260,9 +1320,133 @@ setup_proxy_arp() { done } -############################################################################### -# Set up SYN flood protection # -############################################################################### +# +# Set up MAC Verification +# +setup_mac_lists() { + local interface + local mac + local addresses + local address + local chain + local logpart + local macpart + local blob + local hosts + # + # Generate the list of interfaces having MAC verification + # + maclist_interfaces= + + for hosts in $maclist_hosts; do + interface=${hosts%:*} + if ! list_search $interface $maclist_interfaces; then\ + if [ -z "$maclist_interfaces" ]; then + maclist_interfaces=$interface + else + maclist_interfaces="$maclist_interfaces $interface" + fi + fi + done + + echo "Setting up MAC Verification on $maclist_interfaces..." + # + # Be sure that they are all ethernet interfaces + # + for interface in $maclist_interfaces; do + case $interface in + eth*) + ;; + *) + fatal_error "Error: MAC verification is only supported on ethernet devices: $interface" + ;; + esac + + createchain `mac_chain $interface` no + done + # + # Process the maclist file producing the verification rules + # + strip_file maclist + + while read interface mac addresses; do + expandv interface mac addresses + + chain=`mac_chain $interface` + + if ! havechain $chain ; then + fatal_error "Error: No hosts on $interface have the maclist option specified" + fi + + macpart=`mac_match $mac` + + if [ -z "$addresses" ]; then + run_iptables -A $chain $macpart -j RETURN + else + for address in `separate_list $addresses` ; do + run_iptables -A $chain $macpart -s $address -j RETURN + done + fi + done < $TMP_DIR/maclist + # + # Setup Logging variables + # + if [ -n "$MACLIST_LOG_LEVEL" ]; then + logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix" + else + logpart= + fi + # + # Must take care of our own broadcasts and multicasts then terminate the verification + # chains + # + for interface in $maclist_interfaces; do + chain=`mac_chain $interface` + blob=`ip addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'` + + [ -z "$blob" ] && \ + fatal_error "Error: Interface $interface must be up before Shorewall can start" + + set -- $blob + + while [ $# -gt 0 ]; do + address=${1%/*} + + case $1 in + */32) + ;; + *) + run_iptables -A $chain -s $address -d $2 -j RETURN + shift + ;; + esac + + run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN + run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN + shift + done + + [ -n "$logpart" ] && \ + run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:" + + run_iptables -A $chain -j $maclist_target + done + # + # Generate jumps from the input and forward chains + # + for hosts in $maclist_hosts; do + interface=${hosts%:*} + hosts=${hosts#*:} + for chain in `input_chains $interface` ; do + run_iptables -A $chain -s $hosts -m state --state NEW \ + -j `mac_chain $interface` + done + done +} + +# +# Set up SYN flood protection +# setup_syn_flood_chain () # $1 = policy chain # $2 = synparams @@ -1278,21 +1462,21 @@ setup_syn_flood_chain () run_iptables -A @$chain -j DROP } -################################################################################ -# Enable SYN flood protection on a chain # -# -----------------------------------------------------------------------------# -# Insert a jump rule to the protection chain from the first chain. Inserted # -# as the second rule and restrict the jump to SYN packets # -################################################################################ +# +# Enable SYN flood protection on a chain +# +# Insert a jump rule to the protection chain from the first chain. Inserted +# as the second rule and restrict the jump to SYN packets +# enable_syn_flood_protection() # $1 = chain, $2 = protection chain { run_iptables -I $1 2 -p tcp --syn -j @$2 echo " Enabled SYN flood protection" } -################################################################################ -# Delete existing Proxy ARP # -################################################################################ +# +# Delete existing Proxy ARP +# delete_proxy_arp() { if [ -f ${STATEDIR}/proxyarp ]; then while read address interface external haveroute; do @@ -1310,9 +1494,9 @@ delete_proxy_arp() { done } -################################################################################ -# Setup Static Network Address Translation (NAT) # -################################################################################ +# +# Setup Static Network Address Translation (NAT) +# setup_nat() { local allints # @@ -1356,9 +1540,9 @@ setup_nat() { done < $TMP_DIR/nat } -################################################################################ -# Delete existing Static NAT # -################################################################################ +# +# Delete existing Static NAT +# delete_nat() { run_iptables -t nat -F run_iptables -t nat -X @@ -1374,9 +1558,9 @@ delete_nat() { [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat } -################################################################################ -# Process TC Rule # -################################################################################ +# +# Process a TC Rule +# process_tc_rule() { add_a_tc_rule() { @@ -1385,18 +1569,22 @@ process_tc_rule() if [ "x$source" != "x-" ]; then case $source in - *.*.*) - r="-s $source " - ;; - ~*) - r=`mac_match $source` - ;; - $FW) - chain=tcout - ;; - *) - r="-i $source " - ;; + *.*.*) + r="-s $source " + ;; + ~*) + r=`mac_match $source` + ;; + $FW) + chain=tcout + ;; + *) + if ! list_search $source $all_interfaces; then + fatal_error "Error: Unknown interface $source" + fi + + r="-i $source " + ;; esac fi [ "x$dest" = "x-" ] || r="${r}-d $dest " @@ -1421,9 +1609,9 @@ process_tc_rule() echo " TC Rule \"$rule\" added" } -################################################################################ -# Setup queuing and classes # -################################################################################ +# +# Setup queuing and classes +# setup_tc() { echo "Setting up Traffic Control Rules..." @@ -1453,9 +1641,9 @@ setup_tc() { } -################################################################################ -# Clear Traffic Shaping # -################################################################################ +# +# Clear Traffic Shaping +# delete_tc() { clear_one_tc() { @@ -1477,21 +1665,21 @@ delete_tc() done } -################################################################################ -# Add a NAT rule - Helper function for the rules file processor # -#------------------------------------------------------------------------------# -# The caller has established the following variables: # -# cli = Source IP, interface or MAC Specification # -# serv = Destination IP Specification # -# servport = Port the server is listening on # -# dest_interface = Destination Interface Specification # -# proto = Protocol Specification # -# addr = Original Destination Address # -# dports = Destination Port Specification. 'dports' may be changed # -# by this function # -# cport = Source Port Specification # -# multiport = String to invoke multiport match if appropriate # -################################################################################ +# +# Add a NAT rule - Helper function for the rules file processor +# +# The caller has established the following variables: +# cli = Source IP, interface or MAC Specification +# serv = Destination IP Specification +# servport = Port the server is listening on +# dest_interface = Destination Interface Specification +# proto = Protocol Specification +# addr = Original Destination Address +# dports = Destination Port Specification. 'dports' may be changed +# by this function +# cport = Source Port Specification +# multiport = String to invoke multiport match if appropriate +# add_nat_rule() { local chain @@ -1605,20 +1793,20 @@ add_nat_rule() { fi } -################################################################################ -# Add one Filter Rule -- Helper function for the rules file processor # -#------------------------------------------------------------------------------# -# The caller has established the following variables: # -# client = SOURCE IP or MAC # -# server = DESTINATION IP or interface # -# protocol = Protocol # -# address = Original Destination Address # -# port = Destination Port # -# cport = Source Port # -# multioption = String to invoke multiport match if appropriate # -# servport = Port the server listens on # -# chain = The canonical chain for this rule # -################################################################################ +# +# Add one Filter Rule -- Helper function for the rules file processor +# +# The caller has established the following variables: +# client = SOURCE IP or MAC +# server = DESTINATION IP or interface +# protocol = Protocol +# address = Original Destination Address +# port = Destination Port +# cport = Source Port +# multioption = String to invoke multiport match if appropriate +# servport = Port the server listens on +# chain = The canonical chain for this rule +# add_a_rule() { # Set source variables @@ -1777,19 +1965,19 @@ add_a_rule() fi } -################################################################################ -# Process a record from the rules file # -# # -# The caller has loaded the column contents from the record into the following # -# variables: # -# # -# target clients servers protocol ports cports address # -# # -# and has loaded a space-separated list of their values in "rule". # -# # -# The 'multioption' variable has also been loaded appropriately to reflect # -# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf # -################################################################################ +# +# Process a record from the rules file +# +# The caller has loaded the column contents from the record into the following +# variables: +# +# target clients servers protocol ports cports address +# +# and has loaded a space-separated list of their values in "rule". +# +# The 'multioption' variable has also been loaded appropriately to reflect +# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf +# process_rule() { # Function Body -- isolate log level @@ -1916,9 +2104,9 @@ process_rule() { echo " Rule \"$rule\" added." } -################################################################################ -# Process the rules file # -################################################################################ +# +# Process the rules file +# process_rules() # $1 = name of rules file { strip_file rules @@ -1939,18 +2127,18 @@ process_rules() # $1 = name of rules file done < $TMP_DIR/rules } -################################################################################ -# Process a record from the tos file # -# # -# The caller has loaded the column contents from the record into the following # -# variables: # -# # -# src dst protocol sport dport tos # -# # -# and has loaded a space-separated list of their values in "rule". # -################################################################################ +# +# Process a record from the tos file +# +# The caller has loaded the column contents from the record into the following +# variables: +# +# src dst protocol sport dport tos +# +# and has loaded a space-separated list of their values in "rule". +# process_tos_rule() { - ############################################################################ + # # Parse the contents of the 'src' variable # if [ "$src" = "${src%:*}" ]; then @@ -1992,7 +2180,7 @@ process_tos_rule() { ;; esac - ############################################################################ + # # Parse the contents of the 'dst' variable # if [ "$dst" = "${dst%:*}" ]; then @@ -2033,7 +2221,7 @@ process_tos_rule() { ;; esac - ############################################################################ + # # Setup PROTOCOL and PORT variables # sports="" @@ -2103,9 +2291,9 @@ process_tos_rule() { echo " Rule \"$rule\" added." } -################################################################################ -# Process the tos file # -################################################################################ +# +# Process the tos file +# process_tos() # $1 = name of tos file { echo "Processing $1..." @@ -2125,9 +2313,9 @@ process_tos() # $1 = name of tos file run_iptables -t mangle -A OUTPUT -j outtos } -################################################################################ -# Load a Kernel Module # -################################################################################ +# +# Load a Kernel Module +# loadmodule() # $1 = module name, $2 - * arguments { local modulename=$1 @@ -2153,18 +2341,18 @@ loadmodule() # $1 = module name, $2 - * arguments fi } -################################################################################ -# Display elements of a list with leading white space # -################################################################################ +# +# Display elements of a list with leading white space +# display_list() # $1 = List Title, rest of $* = list to display { [ $# -gt 1 ] && echo " $*" } -################################################################################ -# Add rules to the "common" chain to silently drop packets addressed to any of # -# the passed addresses # -################################################################################ +# +# Add rules to the "common" chain to silently drop packets addressed to any of +# the passed addresses +# drop_broadcasts() # $* = broadcast addresses { while [ $# -gt 0 ]; do @@ -2173,9 +2361,9 @@ drop_broadcasts() # $* = broadcast addresses done } -################################################################################ -# Add policy rule ( and possibly logging rule) to the passed chain # -################################################################################ +# +# Add policy rule ( and possibly logging rule) to the passed chain +# policy_rules() # $1 = chain to add rules to # $2 = policy # $3 = loglevel @@ -2207,16 +2395,16 @@ policy_rules() # $1 = chain to add rules to [ -n "$target" ] && run_iptables -A $1 -j $target } -################################################################################ -# Generate default policy & log level rules for the passed client & server # -# zones # -#------------------------------------------------------------------------------# -# This function is only called when the canonical chain for this client/server # -# pair is known to exist. If the default policy for this pair specifies the # -# same chain then we add the policy (and logging) rule to the canonical chain; # -# otherwise add a rule to the canonical chain to jump to the appropriate # -# policy chain. # -################################################################################ +# +# Generate default policy & log level rules for the passed client & server +# zones +# +# This function is only called when the canonical chain for this client/server +# pair is known to exist. If the default policy for this pair specifies the +# same chain then we add the policy (and logging) rule to the canonical chain; +# otherwise add a rule to the canonical chain to jump to the appropriate +# policy chain. +# default_policy() # $1 = client $2 = server { local chain="${1}2${2}" @@ -2225,7 +2413,7 @@ default_policy() # $1 = client $2 = server local chain1 jump_to_policy_chain() { - ######################################################################## + # # Add a jump to from the canonical chain to the policy chain. On return, # $chain is set to the name of the policy chain # @@ -2235,36 +2423,36 @@ default_policy() # $1 = client $2 = server apply_default() { - ######################################################################## + # # Add the appropriate rules to the canonical chain ($chain) to enforce # the specified policy - #----------------------------------------------------------------------- + # # Construct policy chain name # chain1=${client}2${server} if [ "$chain" = "$chain1" ]; then - #################################################################### + # # The policy chain is the canonical chain; add policy rule to it # The syn flood jump has already been added if required. # policy_rules $chain $policy $loglevel else - #################################################################### + # # The policy chain is different from the canonical chain -- approach # depends on the policy # case $policy in ACCEPT) if [ -n "$synparams" ]; then - ############################################################ + # # To avoid double-counting SYN packets, enforce the policy # in this chain. # enable_syn_flood_protection $chain $chain1 policy_rules $chain $policy $loglevel else - ############################################################ + # # No problem with double-counting so just jump to the # policy chain. # @@ -2272,7 +2460,7 @@ default_policy() # $1 = client $2 = server fi ;; CONTINUE) - ################################################################ + # # Silly to jump to the policy chain -- add any logging # rules and enable SYN flood protection if requested # @@ -2281,7 +2469,7 @@ default_policy() # $1 = client $2 = server policy_rules $chain $policy $loglevel ;; *) - ################################################################ + # # DROP or REJECT policy -- enforce in the policy chain and # enable SYN flood protection if requested. # @@ -2318,7 +2506,7 @@ default_policy() # $1 = client $2 = server fatal_error "Error: No default policy for zone $1 to zone $2" } -################################################################################ +# # Complete a standard chain # # - run any supplied user exit @@ -2326,7 +2514,7 @@ default_policy() # $1 = client $2 = server # appropriate # - If no applicable policy is found, add rules for an assummed # policy of DROP INFO -################################################################################ +# complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone { local policy= @@ -2360,13 +2548,13 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone policy_rules $1 DROP INFO } -################################################################################ -# Find the appropriate chain to pass packets from a source zone to a # -# destination zone # -# # -# If the canonical chain for this zone pair exists, echo it's name; otherwise # -# locate and echo the name of the appropriate policy chain # -################################################################################ +# +# Find the appropriate chain to pass packets from a source zone to a +# destination zone +# +# If the canonical chain for this zone pair exists, echo it's name; otherwise +# locate and echo the name of the appropriate policy chain +# rules_chain() # $1 = source zone, $2 = destination zone { local chain=${1}2${2} @@ -2394,9 +2582,9 @@ rules_chain() # $1 = source zone, $2 = destination zone fatal_error "Error: No appropriate chain for zone $1 to zone $2" } -################################################################################ -# Set up Source NAT (including masquerading) # -################################################################################ +# +# Set up Source NAT (including masquerading) +# setup_masq() { setup_one() { @@ -2439,7 +2627,7 @@ setup_masq() iface="-o $interface" ;; *) - ipaddr="`run_ip addr show $subnet | grep 'inet '`" + ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`" source="$subnet" if [ -z "$ipaddr" ]; then fatal_error \ @@ -2500,9 +2688,9 @@ setup_masq() done < $TMP_DIR/masq } -################################################################################ -# Setup Intrazone chain if appropriate # -################################################################################ +# +# Setup Intrazone chain if appropriate +# setup_intrazone() # $1 = zone { eval hosts=\$${1}_hosts @@ -2513,13 +2701,13 @@ setup_intrazone() # $1 = zone ensurechain ${1}2${1} fi } -############################################################################### -# Add a record to the blacklst chain # -# # -# $source = address match # -# $proto = protocol selector # -# $dport = destination port selector # -############################################################################### +# +# Add a record to the blacklst chain +# +# $source = address match +# $proto = protocol selector +# $dport = destination port selector +# add_blacklist_rule() { [ -n "$BLACKLIST_LOGLEVEL" ] && \ run_iptables -A blacklst $source $proto $dport -j \ @@ -2529,13 +2717,13 @@ add_blacklist_rule() { run_iptables -A blacklst $source $proto $dport -j $disposition } -############################################################################### -# Process a record from the blacklist file # -# # -# $subnet = address/subnet # -# $protocol = Protocol Number/Name # -# $port = Port Number/Name # -############################################################################### +# +# Process a record from the blacklist file +# +# $subnet = address/subnet +# $protocol = Protocol Number/Name +# $port = Port Number/Name +# process_blacklist_rec() { local source local addr @@ -2604,9 +2792,9 @@ process_blacklist_rec() { done } -############################################################################### -# Setup the Black List # -############################################################################### +# +# Setup the Black List +# setup_blacklist() { local interfaces=`find_interfaces_by_option blacklist` local f=`find_file blacklist` @@ -2637,9 +2825,9 @@ setup_blacklist() { fi } -############################################################################### -# Refresh the Black List # -############################################################################### +# +# Refresh the Black List +# refresh_blacklist() { local f=`find_file blacklist` local disposition=$BLACKLIST_DISPOSITION @@ -2660,9 +2848,9 @@ refresh_blacklist() { fi } -############################################################################### -# Verify that kernel has netfilter support # -############################################################################### +# +# Verify that kernel has netfilter support +# verify_os_version() { osversion=`uname -r` @@ -2676,11 +2864,15 @@ verify_os_version() { esac } -################################################################################ -# Add IP Aliases # -################################################################################ +# +# Add IP Aliases +# add_ip_aliases() { + local external + local interface + local primary + do_one() { # @@ -2716,18 +2908,19 @@ add_ip_aliases() while [ $# -gt 0 ]; do external=$1 interface=$2 + primary=`find_interface_address $interface` shift;shift - do_one + [ "x${primary}" = "x${external}" ] || do_one done } -################################################################################ -# Load kernel modules required for Shorewall # -################################################################################ +# +# Load kernel modules required for Shorewall +# load_kernel_modules() { - [ -z "$MODULESDIR" ] && - MODULESDIR=/lib/modules/$osversion/kernel/net/ipv4/netfilter + [ -z "$MODULESDIR" ] && \ + MODULESDIR=/lib/modules/$osversion/kernel/net/ipv4/netfilter modules=`find_file modules` @@ -2737,14 +2930,14 @@ load_kernel_modules() { fi } -################################################################################ -# Perform Initialization # -# - Delete all old rules # -# - Delete all user chains # -# - Set the POLICY on all standard chains and add a rule to allow packets# -# that are part of established connections. # +# +# Perform Initialization +# - Delete all old rules +# - Delete all user chains +# - Set the POLICY on all standard chains and add a rule to allow packets +# that are part of established connections # - Determine the zones -################################################################################ +# initialize_netfilter () { echo "Determining Zones..." @@ -2800,6 +2993,9 @@ initialize_netfilter () { # # Allow DNS lookups during startup for FQDNs # + run_iptables -A INPUT -p udp --dport 53 -j ACCEPT # I suppose that there + # is an idiot somewhere + # who needs this run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT @@ -2846,20 +3042,20 @@ initialize_netfilter () { done } -################################################################################ -# Build the common chain -- called during [re]start and refresh # -################################################################################ +# +# Build the common chain -- called during [re]start and refresh +# build_common_chain() { - ########################################################################### + # # PING # [ -n "$FORWARDPING" ] && \ run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT - ############################################################################ + # # Common ICMP rules # run_user_exit icmpdef - ############################################################################ + # # Common rules in each chain # common=`find_file common` @@ -2869,33 +3065,33 @@ build_common_chain() { else . `find_file common.def` fi - ########################################################################### + # # New Not Syn Stuff # if [ -n "$NEWNOTSYN" ]; then run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT fi - ########################################################################### + # # BROADCASTS # drop_broadcasts `find_broadcasts` } -################################################################################ -# Construct zone-independent rules # -################################################################################ +# +# Construct zone-independent rules +# add_common_rules() { logdisp() # $1 = Chain Name { echo "LOG --log-prefix "Shorewall:${1}:DROP:" --log-level info" } - ############################################################################ + # # Reject Rules # run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset run_iptables -A reject -j REJECT - ############################################################################ + # # dropunclean rules # interfaces="`find_interfaces_by_option dropunclean`" @@ -2907,8 +3103,7 @@ add_common_rules() { logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options - run_iptables -A badpkt -p tcp -j DROP # Workaround for iptables 1.2.7 - run_iptables -A badpkt -j LOG $logoptions + run_iptables -A badpkt -p ! tcp -j LOG $logoptions fi run_iptables -A badpkt -j DROP @@ -2921,7 +3116,7 @@ add_common_rules() { echo " $interface" done fi - ############################################################################ + # # logunclean rules # interfaces="`find_interfaces_by_option logunclean`" @@ -2933,8 +3128,7 @@ add_common_rules() { logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options - run_iptables -A logpkt -p tcp -j RETURN # Workaround for iptables 1.2.7 - run_iptables -A logpkt -j LOG $logoptions + run_iptables -A logpkt -p ! tcp -j LOG $logoptions echo "Mangled/Invalid Packet Logging enabled on:" @@ -2948,7 +3142,7 @@ add_common_rules() { build_common_chain - ########################################################################### + # # DHCP # echo "Adding rules for DHCP" @@ -2958,7 +3152,7 @@ add_common_rules() { run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT done - ########################################################################### + # # RFC 1918 # norfc1918_interfaces="`find_interfaces_by_option norfc1918`" @@ -2975,7 +3169,7 @@ add_common_rules() { run_iptables -A logdrop -j DROP if [ -n "$MANGLE_ENABLED" ]; then - #################################################################### + # # Mangling is enabled -- create a chain in the mangle table to # filter RFC1918 destination addresses. This must be done in the # mangle table before we apply any DNAT rules in the nat table @@ -2998,7 +3192,7 @@ add_common_rules() { esac run_iptables -A rfc1918 -s $subnet -j $target - #################################################################### + # # If packet mangling is enabled, trap packets with an # RFC1918 destination # @@ -3017,21 +3211,22 @@ add_common_rules() { done fi - ############################################################################ + # # Process Black List # setup_blacklist - ############################################################################ + # # Enable the Loopback interface # run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT - ############################################################################ + + # # Enable icmp output # run_iptables -A OUTPUT -m state --state ! INVALID -p icmp -j ACCEPT - ############################################################################ + # # Route Filtering # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do @@ -3059,7 +3254,7 @@ add_common_rules() { done fi fi - ############################################################################ + # # IP Forwarding # case "$IP_FORWARDING" in @@ -3074,12 +3269,12 @@ add_common_rules() { esac } -################################################################################ -# Scan the policy file defining the necessary chains # -# Add the appropriate policy rule(s) to the end of each canonical chain # -################################################################################ +# +# Scan the policy file defining the necessary chains +# Add the appropriate policy rule(s) to the end of each canonical chain +# apply_policy_rules() { - ############################################################################ + # # Create policy chains # while read client server policy loglevel synparams; do @@ -3113,7 +3308,7 @@ apply_policy_rules() { fi done < $TMP_DIR/policy - ############################################################################ + # # Add policy rules to canonical chains # for zone in $FW $zones; do @@ -3128,14 +3323,14 @@ apply_policy_rules() { done } -################################################################################ -# Activate the rules # -################################################################################ +# +# Activate the rules +# activate_rules() { local PREROUTING_rule=1 local POSTROUTING_rule=1 - ############################################################################ + # # Jump to a NAT chain from one of the builtin nat chains # addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments @@ -3148,9 +3343,9 @@ activate_rules() run_iptables -t nat -A $sourcechain $@ -j $destchain } - ############################################################################ + # # Jump to a RULES chain from one of the builtin nat chains - #--------------------------------------------------------------------------- + # # If NAT_BEFORE_RULES then append the rule to the chain; otherwise, insert # the jump near the front of the builtin chain # @@ -3184,23 +3379,34 @@ activate_rules() multi_interfaces=`find_interfaces_by_option multi` + > ${STATEDIR}/chains + > ${STATEDIR}/zones + for zone in $zones; do eval source_hosts=\$${zone}_hosts + echo $zone $source_hosts >> ${STATEDIR}/zones + + chain1=`rules_chain $FW $zone` + chain2=`rules_chain $zone $FW` + + echo "$FW $zone $chain1" >> ${STATEDIR}/chains + echo "$zone $FW $chain2" >> ${STATEDIR}/chains + for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} - run_iptables -A OUTPUT -o \ - $interface -d $subnet -j `rules_chain $FW $zone` + run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 + # # Add jumps from the builtin chains for DNAT and SNAT rules # addrulejump PREROUTING `dnat_chain $zone` -i $interface -s $subnet addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet - run_iptables -A `input_chain $interface` -s $subnet \ - -j `rules_chain $zone $FW` + run_iptables -A `input_chain $interface` -s $subnet -j $chain2 + done for zone1 in $zones; do @@ -3208,6 +3414,8 @@ activate_rules() chain="`rules_chain $zone $zone1`" + echo "$zone $zone1 $chain" >> ${STATEDIR}/chains + if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then have_canonical=Yes else @@ -3255,17 +3463,18 @@ activate_rules() complete_standard_chain OUTPUT $FW all complete_standard_chain FORWARD all all - run_iptables -D INPUT 1 - run_iptables -D OUTPUT 1 - run_iptables -D FORWARD 1 + run_iptables -D INPUT -m state --state ESTABLISHED -j ACCEPT + run_iptables -D OUTPUT -m state --state ESTABLISHED -j ACCEPT + run_iptables -D FORWARD -m state --state ESTABLISHED -j ACCEPT + run_iptables -D INPUT -p udp --dport 53 -j ACCEPT run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT } -################################################################################ -# Start/Restart the Firewall # -################################################################################ +# +# Start/Restart the Firewall +# define_firewall() # $1 = Command (Start or Restart) { if [ -f /etc/shorewall/startup_disabled ]; then @@ -3303,6 +3512,12 @@ define_firewall() # $1 = Command (Start or Restart) [ -f $tunnels ] && \ echo "Processing $tunnels..." && setup_tunnels $tunnels + maclist_hosts=`find_hosts_by_option maclist` + + if [ -n "$maclist_hosts" ] ; then + setup_mac_lists + fi + rules=`find_file rules` echo "Processing $rules..." @@ -3362,9 +3577,9 @@ define_firewall() # $1 = Command (Start or Restart) rm -rf $TMP_DIR } -################################################################################ -# Check the configuration # -################################################################################ +# +# Check the configuration +# check_config() { echo "Verifying Configuration..." @@ -3406,9 +3621,9 @@ check_config() { echo "Configuration Validated" } -################################################################################ -# Rebuild the common chain # -################################################################################ +# +# Rebuild the common chain +# refresh_firewall() { echo "Refreshing Shorewall..." @@ -3429,7 +3644,7 @@ refresh_firewall() build_common_chain - ########################################################################### + # # Blacklist # refresh_blacklist @@ -3439,9 +3654,343 @@ refresh_firewall() rm -rf $TMP_DIR } -################################################################################ -# Determine the value for a parameter that defaults to Yes # -################################################################################ +# +# Query NetFilter about the existence of a filter chain +# +chain_exists() # $1 = chain name +{ + qt iptables -L $1 -n +} + +# +# Add a host or subnet to a zone +# +add_to_zone() # $1 = [:] $2 = zone +{ + local base + + nat_chain_exists() # $1 = chain name + { + qt iptables -t nat -L $1 -n + } + + do_iptables() # $@ = command + { + if ! iptables $@ ; then + startup_error "Error: can't add $1 to zone $2" + fi + } + + output_rule_num() { + local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1` + + [ -n "$num" ] && echo $(($num+1)) + } + # + # Isolate interface and host parts + # + interface=${1%:*} + host=${1#*:} + + [ -z "$host" ] && host="0.0.0.0/0" + # + # Load $zones + # + determine_zones + # + # Validate Zone + # + zone=$2 + + validate_zone $zone || startup_error "Error: Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Error: Can't add $1 to firewall zone" + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found" + # + # Be sure that the interface was present at last [re]start + # + if ! chain_exists `input_chain $interface` ; then + startup_error "Error: Unknown interface $interface" + fi + # + # Build lists of interfaces with special rules + # + dhcp_interfaces=`find_interfaces_by_option dhcp` + blacklist_interfaces=`find_interfaces_by_option blacklist` + filterping_interfaces=`find_interfaces_by_option filterping` + maclist_interfaces=`find_interfaces_by_maclist` + # + # Normalize the first argument to this function + # + newhost="$interface:$host" + # + # Create a new Zone state file + # + > ${STATEDIR}/zones_$$ + # + # Add $1 to the Zone state file + # + while read z hosts; do + if [ "$z" = "$zone" ]; then + for h in $hosts; do + if [ "$h" = "$newhost" ]; then + rm -f ${STATEDIR}/zones_$$ + startup_error "Error: $1 already in zone $zone" + fi + done + + [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" + fi + + eval ${z}_hosts=\"$hosts\" + + echo "$z $hosts" >> ${STATEDIR}/zones_$$ + done < ${STATEDIR}/zones + + mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + # + # If the zone passed in the command has a dnat chain then insert a rule in + # the nat table PREROUTING chain to jump to that chain when the source + # matches the new host(s) + # + chain=${zone}_dnat + + if nat_chain_exists $chain; then + do_iptables -t nat -I PREROUTING -i $interface -s $host -j $chain + fi + # + # Insert new rules into the input chains for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + # + # We will insert the rule right after the DHCP, 'ping' and + # MAC rules (if any) + # + if list_search $interface $dhcp_interfaces; then + rulenum=3 + else + rulenum=2 + fi + + if ! list_search $interface $filterping_interfaces; then + rulenum=$(($rulenum + 1)) + fi + + if ! list_search $interface $maclist_interfaces; then + rulenum=$(($rulenum + 1)) + fi + + do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain + else + # + # Insert rules into the passed interface's forward chain + # + # We insert them after any blacklist/MAC verification rules + # + source_chain=`forward_chain $interface` + eval dest_hosts=\"\$${z2}_hosts\" + + base=`chain_base $interface` + + eval rulenum=\$${base}_rulenum + + if [ -z "$rulenum" ]; then + if list_search $interface $blacklist_interfaces; then + rulenum=3 + else + rulenum=2 + fi + + if ! list_search $interface $maclist_interfaces; then + rulenum=$(($rulenum + 1)) + fi + fi + + for h in $dest_hosts; do + iface=${h%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain + rulenum=$(($rulenum + 1)) + fi + done + + eval ${base}_rulenum=$rulenum + + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + # + # Add a rule to the OUTPUT chain -- always after the icmp * ACCEPT rule + # + do_iptables -I OUTPUT `output_rule_num` -o $interface -d $host -j $chain + else + # + # Insert rules into the source interface's forward chain + # + # We insert them after any blacklist rules + # + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%:*} + hosts=${h#*:} + + base=`chain_base $iface` + + eval rulenum=\$${base}_rulenum + + if [ -z "$rulenum" ]; then + if list_search $iface $blacklist_interfaces; then + rulenum=3 + else + rulenum=2 + fi + fi + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + do_iptables -I `forward_chain $iface` $rulenum -s $hosts -o $interface -d $host -j $chain + rulenum=$(($rulenum + 1)) + fi + + eval ${base}_rulenum=$rulenum + done + fi + fi + done < ${STATEDIR}/chains + + echo "$1 added to zone $2" +} + +# +# Delete a host or subnet from a zone +# +delete_from_zone() # $1 = [:] $2 = zone +{ + # + # Delete the subnect host(s) from the zone state file + # + delete_from_zones_file() + { + > ${STATEDIR}/zones_$$ + + while read z hosts; do + if [ "$z" = "$zone" ]; then + temp=$hosts + hosts= + + for h in $temp; do + if [ "$h" = "$delhost" ]; then + echo Yes + else + hosts="$hosts $h" + fi + done + fi + + echo "$z $hosts" >> ${STATEDIR}/zones_$$ + done < ${STATEDIR}/zones + + mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + } + # + # Isolate interface and host parts + # + interface=${1%:*} + host=${1#*:} + + [ -z "$host" ] && host="0.0.0.0/0" + # + # Load $zones + # + determine_zones + + zone=$2 + + validate_zone $zone || startup_error "Error: Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Error: Can't remove $1 from firewall zone" + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found" + # + # Be sure that the interface was present at last [re]start + # + if ! chain_exists `input_chain $interface` ; then + startup_error "Error: Unknown interface $interface" + fi + # + # Normalize the first argument to this function + # + delhost="$interface:$host" + # + # Delete the passed hosts from the zone state file + # + [ -z "`delete_from_zones_file`" ] && \ + error_message "Warning: $1 does not appear to be in zone $2" + # + # Construct the zone host maps + # + while read z hosts; do + eval ${z}_hosts=\"$hosts\" + done < ${STATEDIR}/zones + # + # Delete any nat table entries for the host(s) + # + qt iptables -t nat -D PREROUTING -i $interface -s $host -j ${zone}_dnat + # + # Delete rules rules the input chains for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + qt iptables -D `input_chain $interface` -i $interface -s $host -j $chain + else + source_chain=`forward_chain $interface` + eval dest_hosts=\"\$${z2}_hosts\" + + for h in $dest_hosts $delhost; do + iface=${h%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain + fi + done + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + qt iptables -D OUTPUT -o $interface -d $host -j $chain + else + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + qt iptables -D `forward_chain $iface` -s $hosts -o $interface -d $host -j $chain + fi + done + fi + fi + done < ${STATEDIR}/chains + + echo "$1 removed from zone $2" +} + +# +# Determine the value for a parameter that defaults to Yes +# added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value { local val="$2" @@ -3462,9 +4011,9 @@ added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value fi } -################################################################################ -# Determine the value for a parameter that defaults to No # -################################################################################ +# +# Determine the value for a parameter that defaults to No +# added_param_value_no() # $1 = Parameter Name, $2 = Parameter value { local val="$2" @@ -3485,9 +4034,9 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value fi } -################################################################################ -# Initialize this program # -################################################################################ +# +# Initialize this program +# do_initialize() { # Run all utility programs using the C locale # @@ -3496,7 +4045,7 @@ do_initialize() { export LC_ALL=C PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - ############################################################################ + # # Clear all configuration variables # version= @@ -3525,6 +4074,8 @@ do_initialize() { NEWNOTSYN= LOGNEWNOTSYN= FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= stopping= have_mutex= masq_seq=1 @@ -3604,19 +4155,37 @@ do_initialize() { MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN` + + maclist_target=reject + + if [ -n "$MACLIST_DISPOSITION" ] ; then + case $MACLIST_DISPOSITION in + REJECT) + ;; + ACCEPT|DROP) + maclist_target=$MACLIST_DISPOSITION + ;; + *) + startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" + ;; + esac + else + MACLIST_DISPOSITION=REJECT + fi + } -################################################################################ -# Give Usage Information # -################################################################################ +# +# Give Usage Information +# usage() { - echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear]}" + echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear|{add|delete} [:hosts] zone}}" exit 1 } -################################################################################ -# E X E C U T I O N B E G I N S H E R E # -################################################################################ +# +# E X E C U T I O N B E G I N S H E R E +# # # Start trace if first arg is "debug" # @@ -3626,14 +4195,13 @@ nolock= [ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; } -[ $# -ne 1 ] && usage - trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9 command="$1" case "$command" in stop) + [ $# -ne 1 ] && usage do_initialize my_mutex_on echo -n "Stopping Shorewall..." @@ -3645,6 +4213,7 @@ case "$command" in ;; start) + [ $# -ne 1 ] && usage do_initialize my_mutex_on if qt iptables -L shorewall -n ; then @@ -3659,6 +4228,7 @@ case "$command" in ;; restart) + [ $# -ne 1 ] && usage do_initialize my_mutex_on if qt iptables -L shorewall -n ; then @@ -3673,17 +4243,31 @@ case "$command" in ;; status) + [ $# -ne 1 ] && usage echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" iptables -L -n -v ;; reset) - iptables -L -n -Z -v + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + if ! qt iptables -L shorewall -n ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + iptables -Z + iptables -t nat -Z + iptables -t mangle -Z report "Shorewall Counters Reset" date > $STATEDIR/restarted + my_mutex_off ;; refresh) + [ $# -ne 1 ] && usage do_initialize my_mutex_on if ! qt iptables -L shorewall -n ; then @@ -3697,6 +4281,7 @@ case "$command" in ;; clear) + [ $# -ne 1 ] && usage do_initialize my_mutex_on echo -n "Clearing Shorewall..." @@ -3708,9 +4293,38 @@ case "$command" in ;; check) + [ $# -ne 1 ] && usage do_initialize check_config ;; + + add) + [ $# -ne 3 ] && usage + do_initialize + my_mutex_on + if ! qt iptables -L shorewall -n ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + add_to_zone $2 $3 + my_mutex_off + ;; + + delete) + [ $# -ne 3 ] && usage + do_initialize + my_mutex_on + if ! qt iptables -L shorewall -n ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + delete_from_zone $2 $3 + my_mutex_off + ;; *) usage diff --git a/STABLE/functions b/STABLE/functions index e8d0c797d..340c0d9b2 100644 --- a/STABLE/functions +++ b/STABLE/functions @@ -80,17 +80,17 @@ determine_zones() } -############################################################################### +# # The following functions may be used by apps that wish to ensure that # the state of Shorewall isn't changing -#------------------------------------------------------------------------------ +# # This function loads the STATEDIR variable (directory where Shorewall is to # store state files). If your application supports alternate Shorewall # configurations then the name of the alternate configuration directory should # be in $SHOREWALL_DIR at the time of the call. # # If the shorewall.conf file does not exist, this function does not return -############################################################################### +# get_statedir() { MUTEX_TIMEOUT= @@ -107,7 +107,7 @@ get_statedir() [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall } -############################################################################### +# # Call this function to assert MUTEX with Shorewall. If you invoke the # /sbin/shorewall program while holding MUTEX, you should pass "nolock" as # the first argument. Example "shorewall nolock refresh" @@ -115,7 +115,7 @@ get_statedir() # This function uses the lockfile utility from procmail if it exists. # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the # behavior of lockfile. -############################################################################### +# mutex_on() { local try=0 @@ -145,18 +145,18 @@ mutex_on() fi } -############################################################################### +# # Call this function to release MUTEX -############################################################################### +# mutex_off() { rm -f $STATEDIR/lock } -############################################################################### -# Strip comments and blank lines from a file and place the result in the # -# temporary directory # -############################################################################### +# +# Strip comments and blank lines from a file and place the result in the +# temporary directory +# strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) { local fname diff --git a/STABLE/hosts b/STABLE/hosts index 6158a3571..9ce4bc3ab 100644 --- a/STABLE/hosts +++ b/STABLE/hosts @@ -35,6 +35,12 @@ # route messages to and from this # member when the firewall is in the # stopped state +# maclist - Connection requests from these hosts +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. # # #ZONE HOST(S) OPTIONS diff --git a/STABLE/init.sh b/STABLE/init.sh new file mode 100644 index 000000000..f775dfc32 --- /dev/null +++ b/STABLE/init.sh @@ -0,0 +1,75 @@ +#!/bin/sh +RCDLINKS="2,S41 3,S41 6,K41" +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) +# +# On most distributions, this file should be called: +# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# If an error occurs while starting or restarting the firewall, the +# firewall is automatically stopped. +# +# Commands are: +# +# shorewall start Starts the firewall +# shorewall restart Restarts the firewall +# shorewall stop Stops the firewall +# shorewall status Displays firewall status +# +#### BEGIN INIT INFO +# Provides: shorewall +# Required-Start: $network +# Required-Stop: +# Default-Start: 2 3 5 +# Default-Stop: 0 1 6 +# Description: starts and stops the shorewall firewall +### END INIT INFO + +# chkconfig: 2345 25 90 +# description: Packet filtering firewall +# + +################################################################################ +# Give Usage Information # +################################################################################ +usage() { + echo "Usage: $0 start|stop|restart|status" + exit 1 +} + +################################################################################ +# E X E C U T I O N B E G I N S H E R E # +################################################################################ +command="$1" + +case "$command" in + + stop|start|restart|status) + + exec /sbin/shorewall $@ + ;; + *) + + usage + ;; + +esac diff --git a/STABLE/install.sh b/STABLE/install.sh index ebb36befc..b14387446 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.3.9b +VERSION=1.3.10 usage() # $1 = exit status { @@ -237,7 +237,7 @@ if [ -n "$RUNLEVELS" ]; then echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp echo "{ print }" >> awk.temp - awk -f awk.temp firewall > firewall.temp + awk -f awk.temp init.sh > init.temp if [ $? -ne 0 ]; then echo -e "\nERROR: Error running awk." @@ -246,11 +246,11 @@ if [ -n "$RUNLEVELS" ]; then exit 1 fi - install_file_with_backup firewall.temp ${PREFIX}${DEST}/$FIREWALL 0544 + install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544 - rm -f firewall.temp awk.tmp + rm -f init.temp awk.tmp else - install_file_with_backup firewall ${PREFIX}${DEST}/$FIREWALL 0544 + install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544 fi echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL" @@ -382,6 +382,15 @@ else echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped" fi # +# Install the Mac List file +# +if [ -f ${PREFIX}/etc/shorewall/maclist ]; then + backup_file /etc/shorewall/maclist +else + run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist + echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist" +fi +# # Install the Masq file # if [ -f ${PREFIX}/etc/shorewall/masq ]; then @@ -476,13 +485,15 @@ chmod 644 ${PREFIX}/usr/lib/shorewall/version if [ -z "$PREFIX" ]; then rm -f /etc/shorewall/firewall rm -f /var/lib/shorewall/firewall - rm -f /usr/lib/shorewall/firewall - ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/firewall -else - pushd ${PREFIX}/usr/lib/shorewall/ >> /dev/null && ln -s ../../..${DEST}/${FIREWALL} firewall && popd >> /dev/null + [ -L /usr/lib/shorewall/firewall ] && \ + mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout + rm -f /usr/lib/shorewall/init + ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init fi - -echo -e "\n${PREFIX}/usr/lib/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL" +# +# Install the firewall script +# +install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544 if [ -z "$PREFIX" -a -n "$first_install" ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then diff --git a/STABLE/interfaces b/STABLE/interfaces index eb20f46cd..8be1de806 100644 --- a/STABLE/interfaces +++ b/STABLE/interfaces @@ -16,7 +16,9 @@ # place "-" in this column. # # INTERFACE Name of interface. Each interface may be listed only -# once in this file. +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this @@ -81,6 +83,12 @@ # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. +# maclist - Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. # proxyarp - # Sets # /proc/sys/net/ipv4/conf//proxy_arp. diff --git a/STABLE/maclist b/STABLE/maclist new file mode 100644 index 000000000..37c61a38f --- /dev/null +++ b/STABLE/maclist @@ -0,0 +1,18 @@ +# +# Shorewall 1.3 - MAC list file +# +# /etc/shorewall/maclist +# +# Columns are: +# +# INTERFACE Network interface to a host +# +# MAC MAC address of the host -- you do not need to use +# the Shorewall format for MAC addresses here +# +# IP ADDRESSES Optional -- if specified, both the MAC and IP address +# must match. This column can contain a comma-separated +# list of host and/or subnet addresses. +############################################################################## +#INTERFACE MAC IP ADDRESSES (Optional) +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index d398a9346..ca1daccde 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt @@ -1,16 +1,27 @@ -This is a minor release of Shorewall which rolls up a number of bug -fixes. +This is a minor release of Shorewall that has a number of new features.. New features include: -1. DNS Names are now allowed in Shorewall config files. +1) You may now define the contents of a zone dynamically with the + "shorewall add" and "shorewall delete" commands. These commands + are expected to be used primarily within FreeS/Wan updown scripts. + +2) Shorewall can now do MAC verification on ethernet segments. You can + specify the set of allowed MAC addresses on the segment and you can + optionally tie each MAC address to an IP address. + +3) PPTP Servers and Clients running on the firewall system may now be + defined in the /etc/shorewall/tunnels file. -2. The connection SOURCE may now be qualified by both interface - and IP address in a Shorewall rule. - -3. Shorewall startup is now disabled after initial installation until - the file /etc/shorewall/startup_disabled is removed. - -4. The 'functions' and 'version' files and the 'firewall' symbolic link - have been moved from /var/lib/shorewall to /usr/lib/shorewall to - appease the LFS police at Debian. +4) A new 'ipsecnat' tunnel type is supported for use when the remote + IPSEC endpoint is behind a NAT gateway. + +5) The PATH used by Shorewall may now be specified in + /etc/shorewall/shorewall.conf. + +6) The main firewall script is now /usr/lib/shorewall/firewall. The + script in /etc/init.d/shorewall is very small and uses + /sbin/shorewall to do the real work. This change makes custom + distributions such as for Debian and for Gentoo easier to manage + since it is /etc/init.d/shorewall that tends to have + distribution-dependent code. diff --git a/STABLE/shorewall b/STABLE/shorewall index aa39becab..67741839f 100755 --- a/STABLE/shorewall +++ b/STABLE/shorewall @@ -32,6 +32,8 @@ # # Commands are: # +# shorewall add [:] zone Adds a host or subnet to a zone +# shorewall delete [:] zone Deletes a host or subnet from a zone # shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall @@ -108,11 +110,10 @@ showchain() # $1 = name of chain fi } -################################################################################# -# Set the configuration variables from shorewall.conf # -################################################################################# +# +# Set the configuration variables from shorewall.conf +# get_config() { - get_statedir [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages @@ -133,10 +134,10 @@ get_config() { [ -n "$FW" ] || FW=fw } -################################################################################# -# Display IPTABLES rules -- we used to store them in a variable but ash # -# dies when trying to display large sets of rules # -################################################################################# +# +# Display IPTABLES rules -- we used to store them in a variable but ash +# dies when trying to display large sets of rules +# display_chains() { trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 @@ -226,10 +227,10 @@ display_chains() } -################################################################################# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow # -# to terminate the delay # -################################################################################# +# +# Delay $timeout seconds -- if we're running on a recent bash2 then allow +# to terminate the delay +# timed_read () { read -t $timeout foo 2> /dev/null @@ -237,9 +238,9 @@ timed_read () test $? -eq 2 && sleep $timeout } -################################################################################# -# Display the last $1 packets logged # -################################################################################# +# +# Display the last $1 packets logged +# packet_log() # $1 = number of messages { local options @@ -253,9 +254,9 @@ packet_log() # $1 = number of messages tail $options } -################################################################################# -# Show traffic control information # -################################################################################# +# +# Show traffic control information +# show_tc() { show_one_tc() { @@ -283,9 +284,9 @@ show_tc() { } -################################################################################# -# Monitor the Firewall # -################################################################################# +# +# Monitor the Firewall +# monitor_firewall() # $1 = timeout -- if negative, prompt each time that # an 'interesting' packet count changes { @@ -359,9 +360,9 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that done } -################################################################################# -# Watch the Firewall Log # -################################################################################# +# +# Watch the Firewall Log +# logwatch() # $1 = timeout -- if negative, prompt each time that # an 'interesting' packet count changes { @@ -409,13 +410,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that done } -################################################################################# -# Give Usage Information # -################################################################################# +# +# Give Usage Information +# usage() # $1 = exit status { echo "Usage: `basename $0` [debug] [nolock] [-c ] " echo "where is one of:" + echo " add [:] " + echo " delete [:] " echo " show [|connections|log|nat|tc|tos]" echo " start" echo " stop" @@ -437,17 +440,17 @@ usage() # $1 = exit status exit $1 } -################################################################################# -# Display the time that the counters were last reset # -################################################################################# +# +# Display the time that the counters were last reset +# show_reset() { [ -f $STATEDIR/restarted ] && \ echo -e "Counters reset `cat $STATEDIR/restarted`\\n" } -################################################################################# -# Execution begins here # -################################################################################# +# +# Execution begins here +# debugging= if [ $# -gt 0 ] && [ "$1" = "debug" ]; then @@ -532,11 +535,17 @@ fi banner="Shorewall-$version Status at $HOSTNAME -" +get_statedir + case "$1" in start|stop|restart|reset|clear|refresh|check) [ $# -ne 1 ] && usage 1 exec $firewall $debugging $nolock $1 ;; + add|delete) + [ $# -ne 3 ] && usage 1 + exec $firewall $debugging $nolock $1 $2 $3 + ;; show) [ $# -gt 2 ] && usage 1 case "$2" in @@ -550,7 +559,6 @@ case "$1" in iptables -t nat -L -n -v ;; tos|mangle) - get_config echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" show_reset iptables -t mangle -L -n -v @@ -567,7 +575,6 @@ case "$1" in show_tc ;; *) - get_config echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" show_reset iptables -L $2 -n -v @@ -710,6 +717,8 @@ case "$1" in [ $# -ne 1 ] && usage 1 mutex_on if qt iptables -L shorewall -n; then + [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall + if iptables -L dynamic -n > /var/lib/shorewall/save; then echo "Dynamic Rules Saved" else diff --git a/STABLE/shorewall.conf b/STABLE/shorewall.conf index 8bb4fb236..ba0fdb069 100644 --- a/STABLE/shorewall.conf +++ b/STABLE/shorewall.conf @@ -8,6 +8,12 @@ # # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## +# +# PATH - Change this if you want to change the order in which Shorewall +# searches directories for executable files. +# +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + # # NAME OF THE FIREWALL ZONE # @@ -154,7 +160,8 @@ ADD_IP_ALIASES=Yes # # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each SNAT external address that you give in /etc/shorewall/masq. If you say -# "No" or "no", you must add these aliases youself. +# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless +# you are sure that you need it -- most people don't!!! # ADD_SNAT_ALIASES=No @@ -376,4 +383,25 @@ FORWARDPING=Yes NEWNOTSYN=No +# +# MAC List Disposition +# +# This variable determines the disposition of connection requests arriving +# on interfaces that have the 'maclist' option and that are from a device +# that is not listed for that interface in /etc/shorewall/maclist. Valid +# values are ACCEPT, DROP and REJECT. If not specified or specified as +# empty (MACLIST_DISPOSITION="") then REJECT is assumed + +MACLIST_DISPOSITION=REJECT + +# +# MAC List Log Level +# +# Specifies the logging level for connection requests that fail MAC +# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then +# such connection requests will not be logged. +# + +MACLIST_LOG_LEVEL=info + #LAST LINE -- DO NOT REMOVE diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index e5744bbf2..99f57ff1d 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.3.9b +%define version 1.3.10 %define release 1 %define prefix /usr @@ -85,6 +85,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/params %attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped +%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist %attr(0600,root,root) %config(noreplace) /etc/shorewall/masq %attr(0600,root,root) %config(noreplace) /etc/shorewall/modules %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules @@ -95,11 +96,20 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918 %attr(0544,root,root) /sbin/shorewall %attr(0444,root,root) /usr/lib/shorewall/functions -/usr/lib/shorewall/firewall +%attr(0544,root,root) /usr/lib/shorewall/firewall %doc documentation %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sat Nov 09 2002 Tom Eastep +- Changes version to 1.3.10 +* Wed Oct 23 2002 Tom Eastep +- Changes version to 1.3.10b1 +* Tue Oct 22 2002 Tom Eastep +- Added maclist file +* Tue Oct 15 2002 Tom Eastep +- Changed version to 1.3.10 +- Replaced symlink with real file * Wed Oct 09 2002 Tom Eastep - Changed version to 1.3.9b * Mon Sep 30 2002 Tom Eastep diff --git a/STABLE/tunnels b/STABLE/tunnels index 1e841e814..5e961d6fd 100644 --- a/STABLE/tunnels +++ b/STABLE/tunnels @@ -9,7 +9,8 @@ # # The columns are: # -# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre" +# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" +# "gre","pptpclient" or "pptpserver" # # ZONE -- The zone of the physical interface through which # tunnel traffic passes. This is normally your internet @@ -19,10 +20,10 @@ # remote getway has no fixed address (Road Warrior) # then specify the gateway as 0.0.0.0/0. # -# GATEWAY ZONE-- Optional. If the gateway system specified in the third +# GATEWAY ZONES -- Optional. If the gateway system specified in the third # column is a standalone host then this column should -# contain the name of the zone that the host is in. This -# column only applies to IPSEC tunnels. +# contain a comma-separated list of the names of the zones that +# the host might be in. This column only applies to IPSEC tunnels. # # Example 1: # @@ -47,5 +48,28 @@ # # ipsec net 4.33.99.124 gw # -# TYPE ZONE GATEWAY GATEWAY ZONE +# Example 4: +# +# Road Warriors that may belong to zones vpn1, vpn2 or +# vpn3. The FreeS/Wan _updown script will add the +# host to the appropriate zone using the "shorewall add" +# command on connect and will remove the host from the +# zone at disconnect time. +# +# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 +# +# Example 5: +# +# You run the Linux PPTP client on your firewall and +# connect to server 192.0.2.221. +# +# pptpclient net 192.0.2.221 +# +# Example 6: +# +# You run a PPTP server on your firewall. +# +# pptpserver net +# +# TYPE ZONE GATEWAY GATEWAY ZONE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index 7bb0837a0..d77a4249a 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.3.9b +VERSION=1.3.10 usage() # $1 = exit status { @@ -61,7 +61,7 @@ remove_file() # $1 = file to restore } if [ -f /usr/lib/shorewall/version ]; then - INSTALLED_VERSION="`cat /var/lib/shorewall/version`" + INSTALLED_VERSION="`cat /usr/lib/shorewall/version`" if [ "$INSTALLED_VERSION" != "$VERSION" ]; then echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed" echo " and this is the $VERSION uninstaller." @@ -82,6 +82,8 @@ if [ -L /usr/lib/shorewall/firewall ]; then FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'` elif [ -L /var/lib/shorewall/firewall ]; then FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'` +elif [ -L /usr/lib/shorewall/init ]; then + FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'` else FIREWALL= fi @@ -94,6 +96,7 @@ if [ -n "$FIREWALL" ]; then fi remove_file $FIREWALL + rm -f ${FIREWALL}-*.bkout fi remove_file /sbin/shorewall diff --git a/STABLE/zones b/STABLE/zones index 6d5add70c..45f103b73 100644 --- a/STABLE/zones +++ b/STABLE/zones @@ -3,7 +3,7 @@ # # This file determines your network zones. Columns are: # -# ZONE Short name of the zone +# ZONE Short name of the zone # DISPLAY Display name of the zone # COMMENTS Comments about the zone #