Version 1.3.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-21 02:08:48 +02:00 · 2002-11-09 18:10:22 +00:00 · 2002-11-09 18:10:22 +00:00 · a6c7cf06ee
commit a6c7cf06ee
parent 3354d96ebb
43 changed files with 10351 additions and 8602 deletions
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -1,18 +1,44 @@
-Changes since 1.3.8
+Changes since 1.3.9
-1. DNAT rules that remap a port but leave the IP address unchanged are
+1. Fix dumb bug in 1.3.9 Tunnel Handling.
   now handled properly.
-2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of 
+2. First implementaiton of dynamic zones.
   the policy file now works correctly.
-3. Added support for /etc/shorewall/startup_disabled.
+3. Corrections to Dynamic Zones.
-4. Added support for DNS names in config files.
+4. More fixes for Dynamic Zones.
-5. Don't insist on state NEW for protocols other than tcp, udp and
+5. Correct a typo in an error message.
   icmp. Workaround for conntrack glitches in other protocols.
-6. Move 'functions', 'version' and 'firewall' to /usr/lib/shorewall.
+6. Fix rule insertion algorithms for Dynamic Zones.
 7. Optimize dynamic zones code
 8. Remove iptables 1.2.7 hacks.
 9. Fix dumb typo in 1.3.9 (recalculate_interfacess)
 10. Add PATH assignment to the install script
 11. Correct 'functions' file handling in the install script.
 12. Add ipsecnat tunnel type. 
 13. Correct typo in the shorewall.spec file.
 14. Add support for PPTP client and server to the tunnels file.
 15. Move the main firewall script to /usr/lib/shorewall
 16. Allow SNAT using primary IP and ADD_SNAT_ALIASES=Yes
 17. Add MAC verificaiton
 18. Conserve space by removing comment decorations.
 19. Improve comments in interfaces file re: use of aliases
 20. Clear nat and mangle counters during 'shorewall reset'
 21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules
 7. Fix problems with oddball shells.
--- a/STABLE/documentation/Documentation.htm
+++ b/STABLE/documentation/Documentation.htm
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -22,6 +22,7 @@
             <tbody>
              <tr>
               <td width="100%">                                        
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
               </td>
             </tr>
@ -30,29 +31,33 @@
 </table>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b> 
-  port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked 
+     port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've 
-  everywhere and can't find <b>how to do it</b>.</a></p>
+looked     everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
-  but it doesn't work.</a></p>
+      but it doesn't work.<br>
 </a></p>
 <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with 
 port forwarding</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
- to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local 
+     to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
- network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal
+local      network. <b>External clients can browse</b> http://www.mydomain.com
- clients can't</b>.</a></p>
+but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
-  subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts 
+      subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
- in  Z. Hosts in Z cannot communicate with each other using their external 
+to   hosts   in  Z. Hosts in Z cannot communicate with each other using their
-  (non-RFC1918 addresses) so they <b>can't access each other using their DNS
+ external    (non-RFC1918 addresses) so they <b>can't access each other using
-  names.</b></a></p>
+ their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
     Messenger </b>with  Shorewall. What do I do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
- to  check my firewall and it shows <b>some ports as 'closed' rather than 
+     to  check my firewall and it shows <b>some ports as 'closed' rather
-'blocked'.</b>  Why?</a></p>
+than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
      of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -87,32 +92,36 @@ support?</a></p>
 <p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
- and it has an internel  web server that allows me to configure/monitor it 
+     and it has an internel  web server that allows me to configure/monitor
- but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface, 
+  it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
     it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
     IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
-RFC 1918  filtering on my external interface, <b>my DHCP client cannot renew 
+    RFC 1918  filtering on my external interface, <b>my DHCP client cannot
-its lease</b>.</a></p>
+ renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
     out to  the net</b></a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
-  all over my console</b> making it unusable!</a></p>
+      all over my console</b> making it unusable!<br>
-           
+      </a></p>
                   <b>17</b>. <a href="#faq17">How do I find out <b>why this 
 is</b> getting  <b>logged?</b></a><br>
  <br>
  <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
 with Shorewall, and maintain separate rulesets for different IPs?</a>  
 <hr>           
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
- my my personal PC with IP address 192.168.1.5. I've looked everywhere and 
+     my my personal PC with IP address 192.168.1.5. I've looked everywhere
- can't find how to do it.</h4>
+ and    can't find how to do it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to
- do port forwarding under Shorewall. Assuming that you have a dynamic external 
+     do port forwarding under Shorewall. The format of a port-forwarding
- IP address, the format of a port-forwarding rule to a local system is as 
+rule to a local system is as   follows:</p>
 follows:</p>
 <blockquote>                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -179,8 +188,8 @@ follows:</p>
 <pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
           </div>
-<p align="left">If you want to forward requests directed to a particular
+<p align="left">If you want to forward requests directed to a particular address
-address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
+( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
 <blockquote>                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -215,43 +224,78 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-      <li>You are trying to test from inside your firewall (no, that  won't 
+             <li>You are trying to test from inside your firewall (no, that 
- work -- see <a href="#faq2">FAQ #2</a>).</li>
+  won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
-      <li>You have a more basic problem with your local system such as an 
+             <li>You have a more basic problem with your local system such
- incorrect default gateway configured (it should be set to the IP address
+ as  an   incorrect default gateway configured (it should be set to the IP
- of your  firewall's internal interface).</li>
+ address    of your  firewall's internal interface).</li>
 </ul>
 <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port 
 forwarding</h4>
 <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
   <li>As root, type "iptables -t nat -Z". This clears the NetFilter counters 
 in the nat table.</li>
   <li>Try to connect to the redirected port from an external host.</li>
   <li>As root type "shorewall show nat"</li>
   <li>Locate the appropriate DNAT rule. It will be in a chain called <i>zone</i>_dnat 
 where <i>zone</i> is the zone that includes the server ('loc' in the above 
 examples).</li>
   <li>Is the packet count in the first column non-zero? If so, the connection 
 request is reaching the firewall and is being redirected to the server. In 
 this case, the problem is usually a missing or incorrect default gateway setting
 on the server (the server's default gateway should be the IP address of the
 firewall's interface to the server).</li>
   <li>If the packet count is zero:</li>
  <ul>
     <li>the connection request is not reaching your server (possibly it
 is being blocked by your ISP); or</li>
     <li>you are trying to connect to a secondary IP address on your firewall 
 and your rule is only redirecting the primary IP address (You need to specify 
 the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or</li>
     <li>your DNAT rule doesn't match the connection request in some other 
 way. In that case, you may have to use a packet sniffer such as tcpdump or 
 ethereal to further diagnose the problem.<br>
     </li>
  </ul>
 </ul>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
- (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients
+     (IP 130.151.100.69) to system 192.168.1.5 in my local network. External
- can browse http://www.mydomain.com but internal clients can't.</h4>
+   clients  can browse http://www.mydomain.com but internal clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
             <li>Having an internet-accessible server in your local network 
-is  like raising foxes in the corner of your hen house. If the server is
+     is  like raising foxes in the corner of your hen house. If the server
-    compromised, there's nothing between that server and your other internal 
+  is      compromised, there's nothing between that server and your other
-    systems. For the cost of another NIC and a cross-over cable, you can put
+internal        systems. For the cost of another NIC and a cross-over cable,
-     your server in a DMZ such that it is isolated from your local systems 
+you can   put      your server in a DMZ such that it is isolated from your
-     assuming that the Server can be located near the Firewall, of course 
+local systems    -     assuming that the Server can be located near the Firewall,
-:-)</li>
+ of course    :-)</li>
             <li>The accessibility problem is best solved using    <a
- href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
+ href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or
-a separate DNS server for local clients) such that www.mydomain.com resolves
+using a separate DNS server for local clients) such that www.mydomain.com
-to 130.141.100.69     externally and 192.168.1.5 internally. That's what
+resolves to 130.141.100.69     externally and 192.168.1.5 internally. That's
-I do here at     shorewall.net for my local systems that use static NAT.</li>
+what I do here at     shorewall.net for my local systems that use static
 NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem
-  rather than a DNS solution, then assuming that your external interface is
+      rather than a DNS solution, then assuming that your external interface
- eth0  and your internal interface is eth1  and that eth1 has IP address 192.168.1.254
+   is  eth0  and your internal interface is eth1  and that eth1 has IP address
- with subnet 192.168.1.0/24, do the following:</p>
+   192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
-  for eth1.</p>
+      for eth1 (No longer required as of Shorewall version 1.3.9).</p>
 <div align="left">           
 <p align="left">b) In /etc/shorewall/rules, add:</p>
@ -335,14 +379,15 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <div align="left">           
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
-  client to automatically restart Shorewall each time that you get a new IP
+      client to automatically restart Shorewall each time that you get a
-  address.</p>
+new    IP   address.</p>
          </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
- subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z.
+     subnet and I use static NAT to assign non-RFC1918 addresses to hosts
- Hosts in Z cannot communicate with each other using their external (non-RFC1918 
+in   Z.  Hosts in Z cannot communicate with each other using their external
- addresses) so they can't access each other using their DNS names.</h4>
+(non-RFC1918     addresses) so they can't access each other using their DNS
 names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved
     using Bind Version 9 "views". It allows both external and internal clients
@ -350,12 +395,14 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <p align="left">Another good way to approach this problem is to switch from 
     static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
- and can be accessed externally and internally using the same address. </p>
+     and can be accessed externally and internally using the same address.
 </p>
-<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
+<p align="left">If you don't like those solutions and prefer routing all
-traffic through your firewall then:</p>
+Z-&gt;Z traffic through your firewall then:</p>
-<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.<br>
+<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces 
 (If you are running a Shorewall version earlier than 1.3.9).<br>
           b) Set the Z-&gt;Z policy to ACCEPT.<br>
           c) Masquerade Z to itself.<br>
           <br>
@ -443,36 +490,37 @@ traffic through your firewall then:</p>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
- tracking/NAT module</a> that may help. Also check the Netfilter mailing list
+     tracking/NAT module</a> that may help. Also check the Netfilter mailing
- archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
+   list  archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
     </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
- to    check my firewall and it shows some ports as 'closed' rather than 'blocked'.
+     to    check my firewall and it shows some ports as 'closed' rather than
-    Why?</h4>
+   'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
     always    rejects connection requests on TCP port 113 rather than dropping
- them. This is    necessary to prevent outgoing connection problems to services 
+     them. This is    necessary to prevent outgoing connection problems to
- that use the    'Auth' mechanism for identifying requesting users. Shorewall 
+ services    that use the    'Auth' mechanism for identifying requesting
- also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. 
+users.  Shorewall    also rejects TCP    ports 135, 137 and 139 as well as
-These are ports that are    used by Windows (Windows <u>can</u> be configured 
+UDP ports  137-139.   These are ports that are    used by Windows (Windows
-to use the DCE cell locator    on port 135). Rejecting these connection requests 
+<u>can</u>  be configured   to use the DCE cell locator    on port 135).
- rather than dropping them    cuts down slightly on the amount of Windows 
+Rejecting these  connection requests   rather than dropping them    cuts
-chatter on LAN segments connected    to the Firewall. </p>
+down slightly on the amount of Windows  chatter on LAN segments connected
   to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably
- your    ISP preventing you from running a web server in violation of your 
+     your    ISP preventing you from running a web server in violation of
- Service    Agreement.</p>
+your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
        firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
- section about    UDP scans. If nmap gets <b>nothing</b> back from your firewall 
+     section about    UDP scans. If nmap gets <b>nothing</b> back from your
- then it reports    the port as open. If you want to see which UDP ports are
+  firewall   then it reports    the port as open. If you want to see which
- really open,    temporarily change your net-&gt;all policy to REJECT, restart
+ UDP ports are  really open,    temporarily change your net-&gt;all policy
- Shorewall and do    the nmap UDP scan again.</p>
+ to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
     can't ping through the firewall</h4>
@ -492,14 +540,14 @@ chatter on LAN segments connected    to the Firewall. </p>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
     and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
+syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
-(see "man openlog") and you get to choose the log level (again, see "man
+facility (see "man openlog") and you get to choose the log level (again,
-syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
+see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
- href="Documentation.htm#Rules">rules</a>. The destination for messaged 
+ and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
-When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
+    When you have changed /etc/syslog.conf, be sure to restart syslogd (on
-system, "service syslog restart"). </p>
+ a  RedHat system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages
     through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
@ -519,7 +567,10 @@ system, "service syslog restart"). </p>
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
           <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
-    <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
+           <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
 http://www.logwatch.org</a><br>
  </p>
           </blockquote>
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
@ -548,7 +599,8 @@ system, "service syslog restart"). </p>
 <div align="left">           
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
- for  problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
+     for  problems concerning the version of iptables (v1.2.3) shipped with
  RH7.2.</p>
          </div>
 <h4 align="left">      </h4>
@ -568,9 +620,9 @@ system, "service syslog restart"). </p>
          </div>
 <div align="left">             
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The
-   zone is defined as all hosts that are connected through eth0 and the local
+Net    zone is defined as all hosts that are connected through eth0 and the
-   zone is defined as all hosts connected through eth1</p>
+local    zone is defined as all hosts connected through eth1</p>
          </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -586,11 +638,11 @@ system, "service syslog restart"). </p>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I
-myself doing      other things. I guess I just don't care enough if Shorewall
+find myself doing      other things. I guess I just don't care enough if
-has a GUI to      invest the effort to create one myself. There are several
+Shorewall has a GUI to      invest the effort to create one myself. There
-Shorewall GUI      projects underway however and I will publish links to
+are several Shorewall GUI      projects underway however and I will publish
-them when the authors      feel that they are ready. </p>
+links to them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
@ -599,16 +651,17 @@ them when the authors      feel that they are ready. </p>
     and "Fire<u>wall</u>".</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
- and it has an  internal web server that allows me to configure/monitor it 
+     and it has an  internal web server that allows me to configure/monitor
- but as expected if I  enable rfc1918 blocking for my eth0 interface (the 
+  it   but as expected if I  enable rfc1918 blocking for my eth0 interface
-internet one), it also blocks  the cable modems web server.</h4>
+ (the  internet one), it also blocks  the cable modems web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking
- that will let all traffic to and from the 192.168.100.1 address  of the modem
+     that will let all traffic to and from the 192.168.100.1 address  of
- in/out but still block all other rfc1918 addresses.</p>
+the    modem  in/out but still block all other rfc1918 addresses.</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall
-than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
+earlier than      1.3.1, create /etc/shorewall/start and in it, place the
 following:</p>
 <div align="left">             
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -677,10 +730,10 @@ to /etc/shorewall/rfc1918:  <br>
          </div>
 <div align="left">             
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
-   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
-1918    filtering on my external interface, my DHCP client cannot renew its
+RFC 1918    filtering on my external interface, my DHCP client cannot renew
-lease.</h4>
+its lease.</h4>
           </div>
 <div align="left">             
@ -692,9 +745,9 @@ lease.</h4>
     the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
- the net", I wonder  where the poster bought computers with eyes and what 
+     the net", I wonder  where the poster bought computers with eyes and
-those computers will "see"  when things are working properly. That aside, 
+what     those computers will "see"  when things are working properly. That
-the most common causes of this  problem are:</p>
+aside,     the most common causes of this  problem are:</p>
 <ol>
             <li>                                                  
@ -707,8 +760,8 @@ the most common causes of this  problem are:</p>
              </li>
             <li>                                                  
    <p align="left">The DNS settings on the local systems are wrong or the
-    user is running a DNS server on the firewall and hasn't enabled UDP and 
+        user is running a DNS server on the firewall and hasn't enabled UDP
- TCP    port 53 from the firewall to the internet.</p>
+  and   TCP    port 53 from the firewall to the internet.</p>
              </li>
 </ol>
@ -717,18 +770,87 @@ the most common causes of this  problem are:</p>
     all  over my console making it unusable!</h4>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
- to your startup    scripts or place it in /etc/shorewall/start. Under RedHat, 
+     to your startup    scripts or place it in /etc/shorewall/start. Under
- the max log level    that is sent to the console is specified in /etc/sysconfig/init 
+ RedHat,    the max log level    that is sent to the console is specified
- in the    LOGLEVEL variable.</p>
+in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
      </p>
 <h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
      <b>Answer: </b>Logging occurs out of a number of chains (as indicated 
 in  the log message) in Shorewall:<br>
 <ol>
        <li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918
   with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
        <li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
   with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
       <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all 
    </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that specifies
 a  log level and this packet is being logged under that policy. If you intend
 to ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a> to that effect.<br>
       </li>
        <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
 href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to
    <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
  logged under that policy or this packet matches  a <a
 href="Documentation.htm#Rules">rule</a> that include a log level.</li>
        <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
       <a href="Documentation.htm#Interfaces">interface option</a>.</li>
        <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
       <a href="Documentation.htm#Interfaces">interface option</a> as specified
   in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
        <li><b>blacklst</b> - The packet is being logged because the source 
 IP  is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
       </a>file.</li>
        <li><b>newnotsyn </b>- The packet is being logged because it is a 
 TCP   packet that is not part of any current connection yet it is not a syn 
 packet.   Options affecting the logging of such packets include <b>NEWNOTSYN 
    </b>and       <b>LOGNEWNOTSYN </b>in     <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
       <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP address 
  that isn't in any of your defined zones ("shorewall check" and look at the
  printed zone definitions) or the chain is FORWARD and the destination IP
 isn't in any of your defined zones.</li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
 with Shorewall, and maintain separate rulesets for different IPs?</h4>
  <b>Answer: </b>Yes. You simply use the IP address in your rules (or if
 you  use NAT, use the local IP address in your rules). <b>Note:</b> The ":n"
 notation  (e.g., eth0:0) is deprecated and will disappear eventually. Neither
 iproute  (ip and tc) nor iptables supports that notation so neither does
 Shorewall.  <br>
  <br>
  <b>Example 1:</b><br>
  <br>
  /etc/shorewall/rules  
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
 class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
 class="moz-txt-citetags"></span></pre>
  <span class="moz-txt-citetags"></span><b>Example 2 (NAT):</b><br>
  <br>
  <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
 <pre wrap=""><span class="moz-txt-citetags"></span><span
 class="moz-txt-citetags"></span>     192.0.2.126	eth0	10.1.1.126</pre>
  /etc/shorewall/rules  
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
 class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
 class="moz-txt-citetags"></span><span class="moz-txt-citetags"></span></pre>
 <div align="left">     </div>
-<p align="left"><font size="2">Last updated 10/8/2002 - <a
+<p align="left"><font size="2">Last updated 11/09/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  <br>
 </p>
- 
+ <br>
 </body>
 </html>
--- a/STABLE/documentation/IPSEC.htm
+++ b/STABLE/documentation/IPSEC.htm
@ -2,128 +2,129 @@
 <html>
 <head>
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall IPSec Tunneling</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
   <tr>
     <td width="100%">
     <h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
     </td>
   </tr>
 </table>
 <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
 There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
 http://jixen.tripod.com</a>
 . I highly recommend that you consult that site for information about confuring
 FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
 and FreeS/Wan on the same system unless you are prepared to suffer the
 consequences. If you start or restart Shorewall with an IPSEC tunnel active,
 the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
 (ipsecX) rather than to the interface that you specify in the INTERFACE column
 of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
 can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
 <p>You <b>might</b> be able to work around this problem using the following (I
 haven't tried it):</p>
 <p>In /etc/shorewall/init, include:</p>
 <p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
 <p>In /etc/shorewall/start, include:</p>
 <p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
 <h2>
-<font color="#660066">IPSec Gateway
+<table border="0" cellpadding="0" cellspacing="0"
-on the Firewall System
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-  </font></h2>
+ id="AutoNumber1" bgcolor="#400169" height="90">
 <p>Suppose that we have the following sutuation:</p>
 <font color="#660066">
 <p align="Center"><font face="Century Gothic, Arial, Helvetica">
 <img src="images/TwoNets1.png" width="745" height="427">
       </font></p>
  </font>
 <p align="Left">We want systems
 in the 192.168.1.0/24 sub-network to be able to communicate with systems
 in the 10.0.0.0/8 network.</p>
 <p align="Left">To make this work, we need to do two things:</p>
 <p align="Left">a) Open the firewall so that the IPSEC tunnel can be established 
 (allow the ESP and AH protocols and UDP Port 500). </p>
 <p align="Left">b) Allow traffic through the tunnel.</p>
 <p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by 
 adding an entry to the /etc/shorewall/tunnels file.</p>
 <p align="Left">In /etc/shorewall/tunnels 
 on system A, we need the following </p>
 <blockquote> 
  <table border="2" cellpadding="2" style="border-collapse: collapse">
     <tbody>
     <tr>
-              <td><strong>
+       <td width="100%">             
- TYPE</strong></td>
+      <h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
-              <td><strong>
+       </td>
- ZONE</strong></td>
+     </tr>
-              <td><strong>
+      
- GATEWAY</strong></td>
+  </tbody> 
-              <td><strong>
+</table>
- GATEWAY ZONE</strong></td>
+    
 <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
  There is an excellent guide to configuring IPSEC tunnels at<a
 href="http://jixen.tripod.com">  http://jixen.tripod.com</a> . I highly recommend
 that you consult that site for information about confuring FreeS/Wan.  
 <p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP  and 
 FreeS/Wan on the same system unless you are prepared to suffer the  consequences. 
 If you start or restart Shorewall with an IPSEC tunnel active,  the proxied 
 IP addresses are mistakenly assigned to the IPSEC tunnel device  (ipsecX) 
 rather than to the interface that you specify in the INTERFACE column  of 
 /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
 can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
 <p>You <b>might</b> be able to work around this problem using the following 
 (I  haven't tried it):</p>
 <p>In /etc/shorewall/init, include:</p>
 <p>     qt service ipsec stop</p>
 <p>In /etc/shorewall/start, include:</p>
 <p>    qt service ipsec start</p>
 <h2>  <font color="#660066">IPSec Gateway on the Firewall System   </font></h2>
 <p>Suppose that we have the following sutuation:</p>
             <font color="#660066">             
 <p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
 src="images/TwoNets1.png" width="745" height="427">
         </font></p>
               </font>             
 <p align="left">We want systems in the 192.168.1.0/24 sub-network to be able 
 to communicate with systems in the 10.0.0.0/8 network.</p>
 <p align="left">To make this work, we need to do two things:</p>
 <p align="left">a) Open the firewall so that the IPSEC tunnel can be established 
 (allow the ESP and AH protocols and UDP Port 500). </p>
 <p align="left">b) Allow traffic through the tunnel.</p>
 <p align="left">Opening the firewall for the IPSEC tunnel is accomplished 
 by  adding an entry to the /etc/shorewall/tunnels file.</p>
 <p align="left">In /etc/shorewall/tunnels  on system A, we need the following </p>
 <blockquote>       
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
            <tbody>
               <tr>
                <td><strong>  TYPE</strong></td>
                <td><strong>  ZONE</strong></td>
                <td><strong>  GATEWAY</strong></td>
                <td><strong>  GATEWAY ZONE</strong></td>
            </tr>
            <tr>
                <td>ipsec</td>
                <td>net</td>
                <td>134.28.54.2</td>
-              <td>&nbsp;</td>
+                <td> </td>
            </tr>
    </tbody>               
-  </table></blockquote>
+  </table>
 </blockquote>
-  <p align="Left">In /etc/shorewall/tunnels
+<p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
 on system B, we would have:</p>
 <blockquote>         
-    <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
            <tbody>
                 <tr>
-              <td><strong>
+                <td><strong>  TYPE</strong></td>
- TYPE</strong></td>
+                <td><strong>  ZONE</strong></td>
-              <td><strong>
+                <td><strong>  GATEWAY</strong></td>
- ZONE</strong></td>
+                <td><strong>  GATEWAY ZONE</strong></td>
              <td><strong>
 GATEWAY</strong></td>
              <td><strong>
 GATEWAY ZONE</strong></td>
            </tr>
            <tr>
                <td>ipsec</td>
                <td>net</td>
                <td>206.161.148.9</td>
-          <td>&nbsp;</td>
+            <td> </td>
            </tr>
    </tbody>                   
-    </table></blockquote>
+  </table>
 </blockquote>
-    <p align="Left">You need to define a zone for the remote subnet or include 
+<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
-    it in your local zone. In this example, we'll assume that you have created a 
+then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
-    zone called &quot;vpn&quot; to represent the remote subnet.</p>
+a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
 address should specify the external address of the NAT gateway.<br>
 </p>
 <p align="left">You need to define a zone for the remote subnet or include 
     it in your local zone. In this example, we'll assume that you have created 
 a      zone called "vpn" to represent the remote subnet.</p>
 <blockquote>        
-    <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
                 <tbody>
       <tr>
                <td><strong>ZONE</strong></td>
                <td><strong>DISPLAY</strong></td>
@ -135,43 +136,40 @@ on system B, we would have:</p>
                <td>Remote Subnet</td>
            </tr>
    </tbody>   
  </table>
   </blockquote>
-    <p align="Left">At both
+<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces 
-systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
+as a "vpn" interface:</p>
 interface:</p>
 <blockquote>           
-      <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
            <tbody>
                   <tr>
-              <td><strong>
+                <td><strong>  ZONE</strong></td>
- ZONE</strong></td>
+                <td><strong>  INTERFACE</strong></td>
-              <td><strong>
+                <td><strong>  BROADCAST</strong></td>
- INTERFACE</strong></td>
+                <td><strong>  OPTIONS</strong></td>
              <td><strong>
 BROADCAST</strong></td>
              <td><strong>
 OPTIONS</strong></td>
            </tr>
            <tr>
                <td>vpn</td>
                <td>ipsec0</td>
-              <td>&nbsp;</td>
+                <td> </td>
-              <td>&nbsp;</td>
+                <td> </td>
            </tr>
    </tbody>                       
-      </table></blockquote>
+  </table>
 </blockquote>
-      <p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and 
+<p align="left"> You will need to allow traffic between the "vpn" zone and 
-      the &quot;loc&quot; zone -- if you simply want to admit all traffic in both 
+       the "loc" zone -- if you simply want to admit all traffic in both 
      directions, you can use the policy file:</p>
 <blockquote>            
-        <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
                 <tbody>
       <tr>
                <td><strong>SOURCE</strong></td>
                <td><strong>DEST</strong></td>
@ -182,43 +180,41 @@ interface:</p>
                <td>loc</td>
                <td>vpn</td>
                <td>ACCEPT</td>
-          <td>&nbsp;</td>
+            <td> </td>
            </tr>
                                <tr>
                <td>vpn</td>
                <td>loc</td>
                <td>ACCEPT</td>
-          <td>&nbsp;</td>
+            <td> </td>
            </tr>
    </tbody>   
  </table>
   </blockquote>
-      <p align="Left"> Once
+<p align="left"> Once you have these entries in place, restart Shorewall (type
-you have these entries in place, restart Shorewall (type shorewall restart); 
+shorewall restart);  you are now ready to configure the tunnel in <a
-you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
+ href="http://www.xs4all.nl/%7Efreeswan/">  FreeS/WAN</a>  .</p>
 FreeS/WAN</a>
 .</p>
 <h2><font color="#660066"><a name="RoadWarrior"></a>  Mobile System (Road 
 Warrior)</font></h2>
-      <h2><font color="#660066"><a name="RoadWarrior"></a>
+<p>Suppose that you have a laptop system (B) that you take with you when you
- Mobile System (Road Warrior)</font></h2>
+travel and you want to be able to establish a secure connection back to your
 local network.</p>
-      <p>Suppose that you have
+<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
 a laptop system (B) that you take with you when you travel and you want to
 be able to establish a secure connection back to your local network.</p>
      <p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
      <img src="images/Mobile.png" width="677" height="426">
               </font></strong></p>
-    <p align="Left">You need to define a zone for the laptop or include it in 
+<p align="left">You need to define a zone for the laptop or include it in 
-    your local zone. In this example, we'll assume that you have created a zone 
+     your local zone. In this example, we'll assume that you have created 
-    called &quot;vpn&quot; to represent the remote host.</p>
+a zone      called "vpn" to represent the remote host.</p>
 <blockquote>        
-    <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
                 <tbody>
       <tr>
                <td><strong>ZONE</strong></td>
                <td><strong>DISPLAY</strong></td>
@ -230,26 +226,22 @@ be able to establish a secure connection back to your local network.</p>
                <td>Remote Subnet</td>
            </tr>
    </tbody>   
  </table>
   </blockquote>
-      <p align="Left"> In this
+<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2 
-instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
+but that cannot be determined in advance. In the /etc/shorewall/tunnels file 
-be determined in advance. In the /etc/shorewall/tunnels file on system A,
+on system A, the following entry should be made:</p>
 the following entry should be made:</p>
 <blockquote>             
-        <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
            <tbody>
                     <tr>
-              <td><strong>
+                <td><strong>  TYPE</strong></td>
- TYPE</strong></td>
+                <td><strong>  ZONE</strong></td>
-              <td><strong>
+                <td><strong>  GATEWAY</strong></td>
- ZONE</strong></td>
+                <td><strong>  GATEWAY ZONE</strong></td>
              <td><strong>
 GATEWAY</strong></td>
              <td><strong>
 GATEWAY ZONE</strong></td>
            </tr>
            <tr>
                <td>ipsec</td>
@ -259,26 +251,117 @@ the following entry should be made:</p>
            </tr>
    </tbody>                           
-        </table></blockquote>
+  </table>
-                  
+ </blockquote>
        <p>Note that the GATEWAY
 ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
 gateway system itself comprises the peer subnetwork; in other words, the
 remote gateway is a standalone system.</p>
 <p>Note that the GATEWAY ZONE column contains the name of the zone corresponding 
 to peer subnetworks. This indicates that the gateway system itself comprises 
 the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
 <p>You will need to configure /etc/shorewall/interfaces and establish    
-        your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
+     your "through the tunnel" policy as shown under the first example above.<br>
        <p><font size="2"> Last
 updated 8/20/2002 - </font><font size="2">
        <a href="support.htm">Tom Eastep</a></font>
 </p>
 <h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
 Beginning with Shorewall release 1.3.10, you can define multiple VPN zones 
 and add and delete remote endpoints dynamically using /sbin/shorewall. In 
 /etc/shorewall/zones:<br>
 <br>
 <blockquote>   
  <table cellpadding="2" border="2" style="border-collapse: collapse;">
     <tbody>
       <tr>
         <td valign="top"><b>ZONE<br>
         </b></td>
         <td valign="top"><b>DISPLAY<br>
         </b></td>
         <td valign="top"><b>COMMENTS<br>
         </b></td>
       </tr>
       <tr>
         <td valign="top">vpn1<br>
         </td>
         <td valign="top">VPN-1<br>
         </td>
         <td valign="top">First VPN Zone<br>
         </td>
       </tr>
       <tr>
         <td valign="top">vpn2<br>
         </td>
         <td valign="top">VPN-2<br>
         </td>
         <td valign="top">Second VPN Zone<br>
         </td>
       </tr>
       <tr>
         <td valign="top">vpn3<br>
         </td>
         <td valign="top">VPN-3<br>
         </td>
         <td valign="top">Third VPN Zone<br>
         </td>
       </tr>
    </tbody>   
  </table>
   <br>
 </blockquote>
 In /etc/shorewall/tunnels:<br>
 <blockquote>   
  <table cellpadding="2" cellspacing="" border="2"
 style="border-collapse: collapse;">
     <tbody>
       <tr>
         <td valign="top"><b>TYPE<br>
         </b></td>
         <td valign="top"><b>ZONE<br>
         </b></td>
         <td valign="top"><b>GATEWAY<br>
         </b></td>
         <td valign="top"><b>GATEWAY ZONE<br>
         </b></td>
       </tr>
       <tr>
         <td valign="top">ipsec<br>
         </td>
         <td valign="top">net<br>
         </td>
         <td valign="top">0.0.0.0/0<br>
         </td>
         <td valign="top">vpn1,vpn2,vpn3<br>
         </td>
       </tr>
    </tbody>   
  </table>
   <br>
 </blockquote>
 When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall 
 will issue warnings to that effect. These warnings may be safely ignored. 
 FreeS/Wan may now be configured to have three different Road Warrior connections 
 with the choice of connection being based on X-509 certificates or some other 
 means. Each of these connectioins will utilize a different updown script that
 adds the remote station to the appropriate zone when the connection comes
 up and that deletes the remote station when the connection comes down. For
 example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
 script will issue the command":<br>
 <br>
 <blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
 </blockquote>
 and the 'down' part will:<br>
 <blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
 <p><font size="2">Last updated 10/23/2002 - </font><font size="2">       
 <a href="support.htm">Tom Eastep</a></font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">     
   Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-  
+     <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Install.htm
+++ b/STABLE/documentation/Install.htm
@ -82,8 +82,7 @@ and install     script: </p>
    <li>If your distribution has directory             /etc/rc.d/init.d or 
 /etc/init.d then type             "./install.sh"</li>
    <li>For other distributions, determine where your             distribution 
-installs init scripts and type             "./install.sh &lt;init script
+installs init scripts and type             "./install.sh &lt;init script directory&gt;</li>
 directory&gt;</li>
    <li>Edit the <a href="#Config_Files"> configuration files</a> to match 
 your configuration.</li>
    <li>Start the firewall by typing "shorewall             start"</li>
@ -96,44 +95,44 @@ automatically at boot,             see <a
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed 
 and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
-and you  have entries in the /etc/shorewall/hosts file then please check
+you  have entries in the /etc/shorewall/hosts file then please check your
-your  /etc/shorewall/interfaces file to be sure that it contains an entry
+ /etc/shorewall/interfaces file to be sure that it contains an entry for
-for each  interface mentioned in the hosts file. Also, there are certain
+each  interface mentioned in the hosts file. Also, there are certain 1.2
-1.2 rule forms  that are no longer supported under 1.3 (you must use the
+rule forms  that are no longer supported under 1.3 (you must use the new
-new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
+1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
-details. You can check your rules and  host file for 1.3 compatibility using
+You can check your rules and  host file for 1.3 compatibility using the "shorewall
-the "shorewall check" command after  installing the latest version of 1.3.</p>
+check" command after  installing the latest version of 1.3.</p>
 <ul>
    <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If 
-you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
+you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
-installed,     you must use the "--oldpackage" option to rpm (e.g., "rpm 
+    you must use the "--oldpackage" option to rpm (e.g., "rpm     -Uvh --oldpackage
-   -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").   
+shorewall-1.2-0.noarch.rpm").        
    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby 
-rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
+rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-is installed. If this    happens, simply use the --nodeps option to rpm (rpm
+installed. If this    happens, simply use the --nodeps option to rpm (rpm 
 -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
      </p>
   </li>
-  <li>See if there are any incompatibilities between your configuration and
+   <li>See if there are any incompatibilities between your configuration
-the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
+and the    new Shorewall version (type "shorewall check") and correct as
 necessary.</li>
    <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
-and are upgrading to a new version using the tarball:</p>
+are upgrading to a new version using the tarball:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
-and you  have entries in the /etc/shorewall/hosts file then please check
+you  have entries in the /etc/shorewall/hosts file then please check your
-your  /etc/shorewall/interfaces file to be sure that it contains an entry
+ /etc/shorewall/interfaces file to be sure that it contains an entry for
-for each  interface mentioned in the hosts file.  Also, there are certain
+each  interface mentioned in the hosts file.  Also, there are certain 1.2
-1.2 rule  forms that are no longer supported under 1.3 (you must use the
+rule  forms that are no longer supported under 1.3 (you must use the new
-new 1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
+1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
-for details. You can check your rules  and host file for 1.3 compatibility
+details. You can check your rules  and host file for 1.3 compatibility using
-using the "shorewall check" command after  installing the latest version
+the "shorewall check" command after  installing the latest version of 1.3.</p>
 of 1.3.</p>
 <ul>
    <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -151,11 +150,9 @@ of 1.3.</p>
    <li>If your distribution has directory             /etc/rc.d/init.d or 
 /etc/init.d then type             "./install.sh"</li>
    <li>For other distributions, determine where your             distribution 
-installs init scripts and type             "./install.sh &lt;init script
+installs init scripts and type             "./install.sh &lt;init script directory&gt;</li>
 directory&gt;</li>
    <li>See if there are any incompatibilities between your configuration 
-and the    new Shorewall version (type "shorewall check") and correct as
+and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
 necessary.</li>
    <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
@ -178,6 +175,8 @@ you will     expand in other files.</li>
   firewall system.</li>
    <li>/etc/shorewall/hosts - allows defining zones in terms of individual
         hosts and subnetworks.</li>
  <li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
  </li>
    <li>/etc/shorewall/masq - directs the firewall where to use many-to-one
         (dynamic) NAT a.k.a. Masquerading.</li>
    <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
@ -197,11 +196,12 @@ by     traffic control/shaping.</li>
 </ul>
-<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> 
 </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/MAC_Validation.html
+++ b/STABLE/documentation/MAC_Validation.html
@ -0,0 +1,107 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>MAC Verification</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
           <tbody>
          <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
   </h1>
            <br>
   </td>
          </tr>
  </tbody>      
 </table>
  <br>
  Beginning with Shorewall version 1.3.10, all traffic from an interface
 or  from a subnet on an interface can be verified to originate from a defined
 set of MAC addresses. Furthermore, each MAC address may be optionally associated
 with one or more IP addresses. There are four components to this facility.<br>
 <ol>
    <li>The <b>maclist</b> interface option in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
 this option is specified, all traffic arriving on the interface is subjet
 to MAC verification.</li>
    <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
 When this option is specified for a subnet, all traffic from that subnet
 is subject to MAC verification.</li>
    <li>The /etc/shorewall/maclist file. This file is used to associate MAC
 addresses with interfaces and to optionally associate IP addresses with
 MAC  addresses.</li>
    <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
 in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
 MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
 the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
 variable gives the syslogd level at which connection requests that fail
 verification  are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
 then failing connection requests are not logged.<br>
    </li>
 </ol>
  The columns in /etc/shorewall/maclist are:<br>
 <ul>
    <li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
    <li>MAC - The MAC address of a device on the ethernet segment connected
 by INTERFACE. It is not necessary to use the Shorewall MAC format in this
 column although you may use that format if you so choose.</li>
    <li>IP Address - An optional comma-separated list of IP addresses for 
 the device whose MAC is listed in the MAC column.</li>
 </ul>
 <h3>Example 1: Here are my files:</h3>
  <b>/etc/shorewall/shorewall.conf:<br>
  </b>  
 <pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
  <b>/etc/shorewall/interfaces:</b><br>
 <pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,filterping,maclist<br>     dmz             eth1            192.168.2.255   filterping<br>     net             eth3            206.124.146.255 filterping,blacklist<br>     -               texas           192.168.9.255   filterping<br>     loc             ppp+            -               filterping<br></pre>
  <b>/etc/shorewall/maclist:</b><br>
 <pre>     #INTERFACE              MAC                     IP ADDRESSES (Optional)<br>     eth2                    00:A0:CC:63:66:89       192.168.1.3     #Wookie<br>     eth2                    00:10:B5:EC:FD:0B       192.168.1.4     #Tarry<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.5     #Ursa<br>     eth2                    00:06:25:aa:a8:0f       192.168.1.7     #Eastept1 (Wireless)<br>     eth2                    00:04:5A:0E:85:B9       192.168.1.250   #Wap<br></pre>
  As shown above, I use MAC Verification on <a href="myfiles.htm">my local
 zone</a>.<br>
 <h3>Example 2: Router in Local Zone</h3>
  Suppose now that I add a second ethernet segment to my local zone and gateway
 that segment via a router with MAC address 00:06:43:45:C6:15 and IP address
 192.168.1.253. Hosts in the second segment have IP addresses in the subnet
 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
 file:<br>
 <pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
  This entry accomodates traffic from the router itself (192.168.1.253) and
 from the second LAN segment (192.168.2.0/24). Remember that all traffic
 being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded
 by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
 and not that of the host sending the traffic.  
 <p><font size="2">   Updated 10/23/2002 - <a
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a> 
    </font></p>
 <p><font face="Trebuchet MS"><a
 href="file:///home/teastep/Shorewall-docs/copyright.htm"><font size="2">Copyright</font>
      &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
  <br>
  <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/PPTP.htm
+++ b/STABLE/documentation/PPTP.htm
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -11,7 +11,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                              <base target="main">                      
+                                                      <base
 target="main">                                        
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -29,14 +30,19 @@
                <tr>
                  <td width="100%" bgcolor="#ffffff">                   
      <ul>
                    <li> <a href="seattlefirewall_index.htm">Home</a></li>
                            <li> <a href="shorewall_features.htm">Features</a></li>
                    <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
-              <li> <a href="download.htm">Download</a></li>
+                    <li> <a href="download.htm">Download</a><br>
-              <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
+            </li>
            <li> <a href="Install.htm">Installation/Upgrade/</a><br>
-        <a href="Install.htm">Configuration</a></li>
+              <a href="Install.htm">Configuration</a><br>
            </li>
            <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides 
 (HOWTOs)</a><br>
             </li>
                                    <li> <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
                    <li> <a href="Documentation.htm">Reference Manual</a></li>
@ -50,22 +56,28 @@
                    <li> <a href="mailing_list.htm">Mailing Lists</a></li>
                    <li> <a href="shorewall_mirrors.htm">Mirrors</a>    
          <ul>
                      <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                      <li><a target="_top"
 href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
-                <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
+                      <li><a target="_top"
 href="http://germany.shorewall.net">Germany</a></li>
                      <li><a target="_top"
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
-                <li><a target="_top" href="http://france.shorewall.net">France</a></li>
+                      <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
          </ul>
                    </li>
      </ul>
      <ul>
                    <li>   <a href="News.htm">News Archive</a></li>
                    <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
@ -73,6 +85,7 @@
                    <li> <a href="shoreline.htm">About the Author</a></li>
                    <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                  </td>
                </tr>
@ -91,8 +104,9 @@
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
-          <font face="Arial">   <input type="hidden" name="exclude"
+                <font face="Arial">   <input type="hidden"
- value="[http://www.shorewall.net/pipermail/*]">   </font> </form>
+ name="exclude" value="[http://www.shorewall.net/pipermail/*]">   </font>
 </form>
 <p><b><a href="htdig/search.html">Extended Search</a></b></p>
@ -101,14 +115,7 @@
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
-       </a></p>
+</a><br>
-         <br>
+</p>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/configuration_file_basics.htm
+++ b/STABLE/documentation/configuration_file_basics.htm
@ -42,26 +42,27 @@ before you use them with Shorewall.</b></p>
          parameters.</li>
             <li>/etc/shorewall/params - use this file to set shell variables
  that you will     expand in other files.</li>
-          <li>/etc/shorewall/zones - partition the firewall's view of the 
+             <li>/etc/shorewall/zones - partition the firewall's view of
-world         into <i>zones.</i></li>
+the   world         into <i>zones.</i></li>
-          <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
+             <li>/etc/shorewall/policy - establishes firewall high-level
-          <li>/etc/shorewall/interfaces - describes the interfaces on the
+policy.</li>
-        firewall system.</li>
+             <li>/etc/shorewall/interfaces - describes the interfaces on
-          <li>/etc/shorewall/hosts - allows defining zones in terms of individual
+the          firewall system.</li>
-         hosts and subnetworks.</li>
+             <li>/etc/shorewall/hosts - allows defining zones in terms of 
-          <li>/etc/shorewall/masq - directs the firewall where to use many-to-one 
+individual           hosts and subnetworks.</li>
-         (dynamic) Network Address Translation (a.k.a. Masquerading) and Source
+             <li>/etc/shorewall/masq - directs the firewall where to use
-         Network Address Translation (SNAT).</li>
+many-to-one            (dynamic) Network Address Translation (a.k.a. Masquerading)
 and  Source          Network Address Translation (SNAT).</li>
             <li>/etc/shorewall/modules - directs the firewall to load kernel
  modules.</li>
-          <li>/etc/shorewall/rules - defines rules that are exceptions to 
+             <li>/etc/shorewall/rules - defines rules that are exceptions 
-the         overall policies established in /etc/shorewall/policy.</li>
+to  the         overall policies established in /etc/shorewall/policy.</li>
             <li>/etc/shorewall/nat - defines static NAT rules.</li>
             <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
-          <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines 
+             <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
-hosts    accessible when Shorewall is stopped.</li>
+-  defines  hosts    accessible when Shorewall is stopped.</li>
-          <li>/etc/shorewall/tcrules - defines marking of packets for later 
+             <li>/etc/shorewall/tcrules - defines marking of packets for
-use by     traffic control/shaping or policy routing.</li>
+later   use by     traffic control/shaping or policy routing.</li>
             <li>/etc/shorewall/tos - defines rules for setting the TOS field
  in packet         headers.</li>
             <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
@ -75,8 +76,8 @@ addresses.</li>
 <p>You may place comments in configuration files by making the first non-whitespace 
        character a pound sign ("#"). You may also place comments at the end
-of any line, again by       delimiting the comment from the rest of the line 
+ of any line, again by       delimiting the comment from the rest of the
-with a pound sign.</p>
+line  with a pound sign.</p>
 <p>Examples:</p>
@ -99,8 +100,8 @@ with a pound sign.</p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u> 
  using DNS names in Shorewall configuration files. If you use DNS names and
- you are called out of bed at 2:00AM because Shorewall won't start as a result
+  you are called out of bed at 2:00AM because Shorewall won't start as a
-of DNS problems then don't say that you were not forewarned. <br>
+result  of DNS problems then don't say that you were not forewarned. <br>
     </b></p>
 <p align="left"><b>    -Tom<br>
@ -111,22 +112,26 @@ configuration files may be specified either as IP addresses or as DNS Names.<br>
     <br>
    DNS names in iptables rules  aren't nearly as useful as they first appear.
  When a DNS name appears in a rule,  the iptables utility resolves the name
-to one or more IP addresses and inserts  those addresses into the rule. So 
+  to one or more IP addresses and inserts  those addresses into the rule.
-change in the DNS-&gt;IP address relationship  that occur after the firewall 
+So  change in the DNS-&gt;IP address relationship  that occur after the firewall
  has started have absolutely no effect on the  firewall's ruleset.    </p>
 <p align="left">     If your firewall rules include DNS names then:</p>
 <ul>
-   <li>If your /etc/resolv.conf is wrong then your firewall won't     start.</li>
+      <li>If your /etc/resolv.conf is wrong then your firewall won't    
-   <li>If your /etc/nsswitch.conf is wrong then your firewall won't     start.</li>
+start.</li>
-   <li>If your Name Server(s) is(are) down then your firewall won't     start.</li>
+      <li>If your /etc/nsswitch.conf is wrong then your firewall won't  
  start.</li>
      <li>If your Name Server(s) is(are) down then your firewall won't  
  start.</li>
      <li>If your startup scripts try to start your firewall before starting
  your DNS server then your firewall won't start.<br>
     </li>
-   <li>Factors totally outside your control (your ISP's router is     down
+      <li>Factors totally outside your control (your ISP's router is    
- for example), can prevent your firewall from starting.</li>
+down   for example), can prevent your firewall from starting.</li>
-  <li>You must bring up your network interfaces prior to starting your firewall.<br>
+     <li>You must bring up your network interfaces prior to starting your 
 firewall.<br>
     </li>
 </ul>
@ -159,15 +164,16 @@ files.<br>
      <li>In the /etc/shorewall/nat file.</li>
 </ul>
-  These are iptables restrictions and are not simply imposed for your inconvenience 
+     These are iptables restrictions and are not simply imposed for your
-by Shorewall. <br>
+inconvenience   by Shorewall. <br>
     <br>
 <h2>Complementing an Address or Subnet</h2>
 <p>Where specifying an IP address, a subnet or an interface, you can    
   precede the item with "!" to specify the complement of the item. For 
-    example, !192.168.1.4 means "any host but 192.168.1.4".</p>
+      example, !192.168.1.4 means "any host but 192.168.1.4". There must
 be no white space following the "!".</p>
 <h2>Comma-separated Lists</h2>
@ -178,9 +184,9 @@ by Shorewall. <br>
             <li>Must not have any embedded white space.<br>
             Valid: routestopped,dhcp,norfc1918<br>
             Invalid: routestopped,     dhcp,              norfc1818</li>
-          <li>If you use line continuation to break a comma-separated list, 
+             <li>If you use line continuation to break a comma-separated
-the          continuation line(s) must begin in column 1 (or there would be
+list,   the          continuation line(s) must begin in column 1 (or there
-embedded          white space)</li>
+would  be embedded          white space)</li>
             <li>Entries in a comma-separated list may appear in any order.</li>
 </ul>
@ -193,11 +199,16 @@ embedded          white space)</li>
 <h2>Port Ranges</h2>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
-       port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
+         port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
 if you want to forward the range of tcp ports 4000 through 4100 to local 
 host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
  </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
 <h2>Using Shell Variables</h2>
-<p>You may use the file /etc/shorewall/params     file to set shell variables 
+<p>You may use the /etc/shorewall/params     file to set shell variables
  that you can then use in some of the other    configuration files.</p>
 <p>It is suggested that variable names begin with an upper case letter<font
@ -240,8 +251,8 @@ included.</p>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a    
   unique MAC address.<br>
           <br>
-        In GNU/Linux, MAC addresses are usually written as a series of 6
+           In GNU/Linux, MAC addresses are usually written as a series of 
-hex numbers        separated by colons. Example:<br>
+6  hex numbers        separated by colons. Example:<br>
           <br>
          [root@gateway root]# ifconfig eth0<br>
          eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -250,24 +261,29 @@ hex numbers        separated by colons. Example:<br>
          RX packets:2398102 errors:0 dropped:0 overruns:0        frame:0<br>
          TX packets:3044698 errors:0 dropped:0 overruns:0        carrier:0<br>
          collisions:30394 txqueuelen:100<br>
-       RX bytes:419871805 (400.4 Mb) TX bytes:1659782221        (1582.8 Mb)<br>
+          RX bytes:419871805 (400.4 Mb) TX bytes:1659782221        (1582.8
 Mb)<br>
          Interrupt:11 Base address:0x1800<br>
           <br>
           Because Shorewall uses colons as a separator for address fields, 
 Shorewall requires        MAC addresses to be written in another way. In 
 Shorewall, MAC addresses        begin with a tilde ("~") and consist of 6 
 hex numbers separated by        hyphens. In Shorewall, the MAC address in 
-the example above would be        written "~02-00-08-E3-FA-55".</p>
+the example above would be        written "~02-00-08-E3-FA-55".<br>
 </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation
 in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
 </p>
 <h2>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall.
  The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a> 
     commands allow you to specify an alternate configuration directory and
- Shorewall will use the files in the alternate directory rather than the corresponding
+   Shorewall will use the files in the alternate directory rather than the
- files in /etc/shorewall. The alternate directory need not contain a complete
+ corresponding  files in /etc/shorewall. The alternate directory need not
- configuration; those files not in the alternate directory will be read from
+contain a complete  configuration; those files not in the alternate directory
- /etc/shorewall.</p>
+will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration
   by:</p>
@ -276,16 +292,16 @@ The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a
             <li>  copying the files that need modification from /etc/shorewall
  to a separate      directory;</li>
             <li>  modify those files in the separate directory; and</li>
-          <li>  specifying the separate directory in a shorewall start or 
+             <li>  specifying the separate directory in a shorewall start 
-shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
+or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
- ).</li>
+ restart</b></i>  ).</li>
 </ol>
-<p><font size="2">   Updated 9/24/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 10/24/2002 - <a href="support.htm">Tom  Eastep</a> 
     </font></p>
@ -294,6 +310,9 @@ shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig restart<
     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
                               <br>
    <br>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/dhcp.htm
+++ b/STABLE/documentation/dhcp.htm
@ -1,60 +1,82 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>DHCP</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">DHCP</font></h1>
+      <h1 align="center"><font color="#ffffff">DHCP</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<h2 align="left">DHCP Server on your firewall</h2>
+ 
 <h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
 <ul>
   <li>     
-    <p align="left">Specify the &quot;dhcp&quot; option on each interface to be
+    <p align="left">Specify the "dhcp" option on each interface to be   
 served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-    file.</li>
+    file. This will generate rules that will allow DHCP to and from your
 firewall system.   </p>
  </li>
  <li>     
-    <p align="left">When starting &quot;dhcpd&quot;, you need to list those
+    <p align="left">When starting "dhcpd", you need to list those     interfaces
-    interfaces on the run line. On a RedHat system, this is done by modifying
+on the run line. On a RedHat system, this is done by modifying     /etc/sysconfig/dhcpd. 
-    /etc/sysconfig/dhcpd.</li>
+    </p>
  </li>
 </ul>
-<h2 align="left">A Firewall Interface gets its IP Address via DHCP</h2>
+ 
 <h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
 <ul>
   <li>     
-    <p align="left">Specify the &quot;dhcp&quot; option for this interface in
+    <p align="left">Specify the "dhcp" option for this interface in     the
-    the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-    file.</li>
+   file. This will generate rules that will allow DHCP to and from your firewall
 system.      </p>
  </li>
  <li>     
-    <p align="left">If you know that the dynamic address is always going to be
+    <p align="left">If you know that the dynamic address is always going
-    in the same subnet, you can specify the subnet address in the interface's
+to be     in the same subnet, you can specify the subnet address in the interface's 
    entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-    file.</li>
+    file.   </p>
  </li>
  <li>     
-    <p align="left">If you don't know the subnet address in advance, you should
+    <p align="left">If you don't know the subnet address in advance, you
-    specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+should     specify "detect" for the interface's subnet address in the <a
-    file and start Shorewall after the interface has started.</li>
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>     file
 and start Shorewall after the interface has started.   </p>
  </li>
  <li>     
    <p align="left">In the event that the subnet address might change while 
-    Shorewall is started, you need to arrange for a &quot;shorewall
+    Shorewall is started, you need to arrange for a "shorewall     refresh"
-    refresh&quot; command to be executed when a new dynamic IP address gets
+command to be executed when a new dynamic IP address gets     assigned to
-    assigned to the interface. Check your DHCP client's documentation.</li>
+the interface. Check your DHCP client's documentation. </p>
  </li>
 </ul>
-<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
+ 
-Eastep</a></font></p>
+<p align="left"><font size="2">Last updated 11/03/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
 </html>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -35,16 +35,16 @@
 <ul>
       <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>       
-   Linux PPC</b> or     <b> TurboLinux</b> distribution     with a 2.4 kernel,
+     Linux PPC</b> or     <b> TurboLinux</b> distribution     with a 2.4
- you can use the  RPM version (note: the             RPM should also work
+kernel,   you can use the  RPM version (note: the             RPM should
-with other distributions that             store init scripts in /etc/init.d
+also work  with other distributions that             store init scripts in
-and that             include chkconfig or insserv). If you find that it works
+/etc/init.d  and that             include chkconfig or insserv). If you find
- in other cases, let <a href="mailto:teastep@shorewall.net">     me</a> 
+that it works   in other cases, let <a
-              know so that I can mention them here. See the   <a
+ href="mailto:teastep@shorewall.net">     me</a>                know so that
- href="Install.htm">Installation Instructions</a> if you have problems  
+I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
- installing the RPM.</li>
+if you have problems    installing the RPM.</li>
-     <li>If you are running LRP, download the .lrp file (you might also want
+       <li>If you are running LRP, download the .lrp file (you might also 
- to     download the .tgz so you will have a copy of the documentation).</li>
+want  to     download the .tgz so you will have a copy of the documentation).</li>
       <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and 
 would      like a .deb package, Shorewall is in both the    <a
 href="http://packages.debian.org/testing/net/shorewall.html">Debian    
@ -81,7 +81,7 @@ to a newer or an older version than is shown below.</p>
  IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed configuration 
 of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
-<p>Download Latest Version (<b>1.3.9a</b>): <b>Remember that updates to the
+<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
  mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>               
@ -97,14 +97,15 @@ of your firewall, you can enable startup by removing the file /etc/shorewall/sta
         <tr>
           <td>Washington State, USA</td>
           <td>Shorewall.net</td>
-         <td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download
+           <td><a
- .rpm</a><br>
+ href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download  .rpm</a><br>
             <a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download 
          .tgz</a> <br>
             <a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download 
          .lrp</a></td>
-         <td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm"
+           <td><a
- target="_blank">       Download .rpm</a> <br>
+ href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
      Download .rpm</a> <br>
             <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
 target="_blank">Download         .tgz</a> <br>
             <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
@ -158,9 +159,11 @@ of your firewall, you can enable startup by removing the file /etc/shorewall/sta
           <td><a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm">       Download
  .rpm</a><br>
-         <a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
+           <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download   
     .tgz</a><br>
-         <a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
+           <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download   
     .lrp</a></td>
           <td>       <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">       Download
@ -290,10 +293,11 @@ of your firewall, you can enable startup by removing the file /etc/shorewall/sta
  <p align="left">The <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS  repository at
  cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
- component. There's no guarantee that what you find there will work at  all.</p>
+  component. There's no guarantee that what you find there will work at 
 all.</p>
      </blockquote>
-<p align="left"><font size="2">Last Updated 9/26/2002 - <a
+<p align="left"><font size="2">Last Updated 11/9/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -301,5 +305,7 @@ of your firewall, you can enable startup by removing the file /etc/shorewall/sta
      <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/images/TomNTarry.png
+++ b/STABLE/documentation/images/TomNTarry.png
--- a/STABLE/documentation/images/netfilterlogo.png
+++ b/STABLE/documentation/images/netfilterlogo.png
--- a/STABLE/documentation/images/openlogo-nd-50.png
+++ b/STABLE/documentation/images/openlogo-nd-50.png
--- a/STABLE/documentation/mailing_list_problems.htm
+++ b/STABLE/documentation/mailing_list_problems.htm
@ -32,11 +32,11 @@
 <blockquote>                  
  <div align="left">                    
-  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>familie-fleischhacker.de - (connection timed out)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
        </div>
      </blockquote>
-<p align="left"><font size="2">Last updated 10/6/2002 20:30 GMT - <a
+<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -45,5 +45,9 @@
 <p align="left"> </p>
       <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
@ -34,8 +34,8 @@
 <blockquote>                                        
  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). 
  My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
- is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
+  is connected to eth0. I have a local network connected to eth2 (subnet
-   and a DMZ connected to eth1 (192.168.2.0/24). </p>
+192.168.1.0/24)     and a DMZ connected to eth1 (192.168.2.0/24). </p>
  <p> I use:<br>
      </p>
@ -57,8 +57,8 @@ my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
  <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
  It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
- and is managed by Proxy ARP. It connects to the  local network through the
+  and is managed by Proxy ARP. It connects to the  local network through
- PopTop server running on my firewall. </p>
+the   PopTop server running on my firewall. </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
  Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server 
@ -87,7 +87,8 @@ my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
           default gateway used by the firewall itself). On the firewall, 
                            Shorewall automatically adds a host route to 
                         206.124.146.177 through eth1 (192.168.2.1) because
- of                           the entry in /etc/shorewall/proxyarp (see below).</p>
+  of                           the entry in /etc/shorewall/proxyarp (see
 below).</p>
  <p>A similar setup is used on eth3 (192.168.3.1) which                
           interfaces to my laptop (206.124.146.180).</p>
@ -112,7 +113,7 @@ version  1.3.4.</font></p>
 my Ethernet  interfaces. </p>
         </blockquote>
-<pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp<br>	dmz	eth1 		206.124.146.255	-<br>	net	eth3		206.124.146.255 norfc1918<br>	-	texas 		-<br>	loc	ppp+<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
+<pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp,filterping,maclist<br>	dmz	eth1 		206.124.146.255	filterping<br>	net	eth3		206.124.146.255 filterping,blacklist<br>	-	texas 		-               filterping<br>	loc	ppp+		-		filterping<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
 <h3>Hosts File: </h3>
@ -153,7 +154,7 @@ laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
 <h3>Proxy ARP File:</h3>
 <pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROU</font><font
- face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br>        206.124.146.179 eth2            eth0            No<br></font><font
+ face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br></font><font
 face="Courier" size="2">	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
 <h3>Rules File (The shell variables                                     
@ -161,12 +162,14 @@ laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
 <pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	ACCEPT		net		fw			tcp	1723<br>	ACCEPT		net		fw			gre<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-<p><font size="2"> Last updated 10/1/2002  - </font><font size="2">     
+<p><font size="2"> Last updated 10/14/2002  - </font><font size="2">     
                                       <a href="support.htm">Tom Eastep</a></font> 
    </p>
       <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ports.htm
+++ b/STABLE/documentation/ports.htm
@ -1,96 +1,162 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Port Information</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+   
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1>
+      <h1 align="center"><font color="#ffffff">Ports required for Various 
 Services/Applications</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
-<p>In addition to those applications described in <a href="Documentation.htm">the
+<p>In addition to those applications described in <a
-/etc/shorewall/rules documentation</a>, here are some other
+ href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here 
-services/applications that you may need to configure your firewall to accommodate.</p>
+are some other services/applications that you may need to configure your firewall
 to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
 <blockquote>      
  <p>UDP Port 123</p>
  </blockquote>
 <p>rdate</p>
 <blockquote>      
  <p>TCP Port 37</p>
  </blockquote>
 <p>UseNet (NNTP)</p>
 <blockquote>      
  <p>TCP Port 119</p>
  </blockquote>
 <p>DNS</p>
 <blockquote>      
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want to
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
-  open TCP Port 53 as well.<br>
+to   open TCP Port 53 as well.<br>
-  If you are configuring a server, only open TCP Port 53 if you will return long
+    If you are configuring a server, only open TCP Port 53 if you will return 
-  replies to queries or if you need to enable ZONE transfers.&nbsp;In the latter
+long   replies to queries or if you need to enable ZONE transfers. In the 
-  case, be sure that your server is properly configured.</p>
+latter   case, be sure that your server is properly configured.</p>
  </blockquote>
-<p>ICQ&nbsp;&nbsp;&nbsp;</p>
+   
 <p>ICQ   </p>
 <blockquote>      
-  <p>UDP Port 4000. You will also need to open a range of TCP ports which you
+  <p>UDP Port 4000. You will also need to open a range of TCP ports which 
-  can specify to your ICQ client. By default, clients use 4000-4100.</p>
+you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
  </blockquote>
 <p>PPTP</p>
 <blockquote>      
-  <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a href="PPTP.htm">Lots more
+  <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
-  information here</a>).</p>
+ href="PPTP.htm">Lots more   information here</a>).</p>
  </blockquote>
 <p>IPSEC</p>
 <blockquote>      
-  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port 500. 
+  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port 
-  These should be opened in both directions.</p>
+500.    These should be opened in both directions.</p>
  </blockquote>
 <p>SMTP</p>
 <blockquote>      
-  <p>&nbsp;TCP Port 25.</p>
+  <p> TCP Port 25.</p>
  </blockquote>
 <p>POP3</p>
 <blockquote>      
  <p>TCP Port 110.</p>
  </blockquote>
 <p>TELNET</p>
 <blockquote>      
  <p>TCP Port 23.</p>
  </blockquote>
 <p>SSH</p>
 <blockquote>      
  <p>TCP Port 22.</p>
  </blockquote>
 <p>Auth (identd)</p>
 <blockquote>      
  <p>TCP Port 113</p>
  </blockquote>
 <p>Web Access</p>
 <blockquote>      
  <p>TCP Ports 80 and 443.</p>
  </blockquote>
 <p>FTP</p>
 <blockquote>      
-  <p>Server configuration is covered on in <a href="Documentation.htm#Rules">the
+  <p>Server configuration is covered on in <a
-  /etc/shorewall/rules documentation</a>,</p>
+ href="Documentation.htm#Rules">the   /etc/shorewall/rules documentation</a>,</p>
  <p>For a client, you must open outbound TCP port 21 and be sure that your
   kernel is compiled to support FTP connection tracking. If you build this
   support as a module, Shorewall will automatically load the module from
-  /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.&nbsp;</p>
+  /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
   </p>
  <p>If you run an FTP server on a nonstandard port or you need to access
 such a server, then you must specify that port in /etc/shorewall/modules.
 For example, if you run an FTP server that listens on port 49 then you would
 have:<br>
   </p>
  <blockquote>     
    <p>loadmodule ip_conntrack_ftp ports=21,49<br>
 loadmodule ip_nat_ftp ports=21,49<br>
     </p>
   </blockquote>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may
 have problems accessing regular FTP servers.</p>
  <p>If there is a possibility that these modules might be loaded before Shorewall
 starts, then you should include the port list in /etc/modules.conf:<br>
   </p>
  <blockquote>     
    <p>options ip_conntrack_ftp ports=21,49<br>
 options ip_nat_ftp ports=21,49<br>
     </p>
   </blockquote>
 </blockquote>
 <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
 <blockquote> </blockquote>
 <blockquote>      
  <p>TCP Ports 137, 139 and 445.<br>
    UDP Ports 137-139.<br>
@ -99,24 +165,28 @@ services/applications that you may need to configure your firewall to accommodat
  </blockquote>
 <p>Traceroute</p>
 <blockquote>      
  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
  </blockquote>
 <p>NFS</p>
 <blockquote>      
-  <p>There's some good information at&nbsp;
+  <p>There's some good information at    <a
-  <a href="http://nfs.sourceforge.net/nfs-howto/security.html">
+ href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
  http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
  </blockquote>
  <p>Didn't find what you are looking for -- have you looked in your own
  /etc/services file? </p>
-  <p>Still looking? Try
+<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
-  <a href="http://www.networkice.com/advice/Exploits/Ports">
+file? </p>
  http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 8/21/2002 - </font><font size="2">
+<p>Still looking? Try   <a
-<a href="support.htm">Tom
+ href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-Eastep</a></font> </p>
+    
 <p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
  <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+ © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -3,10 +3,12 @@
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
                                          <base target="_self">
 </head>
  <body>
@ -17,7 +19,9 @@
 bgcolor="#4b017c">
                                                   <tbody>
                                              <tr>
-                                    <td width="100%" height="90">       
+                                                     <td width="100%"
 height="90">                                                           
@ -25,8 +29,11 @@
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                               </a></i></font><font color="#ffffff">Shorewall 
+                                                </a></i></font><font
-  1.3   -        <font size="4">"<i>iptables made easy"</i></font></font></h1>
+ color="#ffffff">Shorewall      1.3   -        <font size="4">"<i>iptables 
     made easy"</i></font></font></h1>
      <div align="center"><a href="1.2" target="_top"><font
@ -37,6 +44,7 @@
                                                   </tr>
  </tbody>                                          
 </table>
@ -51,34 +59,42 @@
      <h2 align="left">What is it?</h2>
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+                                                                        
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+                 
-       that can be used on a dedicated firewall system, a multi-function 
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
      <p>This program is free software; you can redistribute it and/or modify
                     it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
-Public License</a> as published by the Free Software        Foundation.<br>
+General Public License</a> as published by the Free Software        Foundation.<br>
                                                    <br>
-                                    This program is distributed in the hope 
+                                                     This program is distributed
- that   it  will   be  useful,    but        WITHOUT ANY WARRANTY; without 
+    in  the   hope   that   it  will   be  useful,    but        WITHOUT
- even the  implied   warranty  of MERCHANTABILITY           or FITNESS FOR 
+ANY    WARRANTY;   without   even the  implied   warranty  of MERCHANTABILITY
- A PARTICULAR    PURPOSE.   See the  GNU General Public License          for
+          or FITNESS  FOR   A PARTICULAR    PURPOSE.   See the  GNU General
- more details.<br>
+  Public License          for  more details.<br>
                                                    <br>
-                                    You should have received a copy of the
+                                                     You should have received 
- GNU   General     Public    License          along with this program; if
+  a  copy   of  the   GNU   General     Public    License          along with
-not, write  to the    Free Software    Foundation,          Inc., 675 Mass
+  this program;    if  not, write  to the    Free Software    Foundation, 
-Ave, Cambridge,  MA  02139,   USA</p>
+         Inc., 675    Mass  Ave, Cambridge,  MA  02139,   USA</p>
@ -88,117 +104,199 @@ Ave, Cambridge,  MA  02139,   USA</p>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                               </a>Jacques        Nilo and Eric Wolzak have 
+                                                </a>Jacques        Nilo and 
- a  LEAF   distribution       called        <i>Bering</i> that        features 
+ Eric   Wolzak    have   a  LEAF (router/firewall/gateway on a floppy, CD 
-  Shorewall-1.3.3   and  Kernel-2.4.18.      You can find their work at: 
+or compact  flash) distribution       called        <i>Bering</i>  that  
-       <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+     features     Shorewall-1.3.9b and  Kernel-2.4.18.      You can  find 
 their   work at:          <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
      <h2>Thinking of Downloading this Site for Offline Browsing?</h2>
     You might want to reconsider -- this site is <u><b>213 MB!!!</b></u> 
 and   you will almost certainly be blacklisted before you download the whole 
 thing  (my SDSL is only 384kbs so I'll have lots of time to catch  you). Besides,
 if you simply download the product and install it, you get  the essential
 parts of the site in a fraction of the time. And do you really  want to download:<br>
      <ul>
             <li>Both text and HTML versions of every post ever made on three 
  different mailing lists (65 MB)?</li>
             <li>Every .rpm, .tgz and .lrp ever released for both Shorewall 
 and  Seawall (92MB and 10MB respectively)?</li>
          <li>A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?<br>
          </li>
          <li>Several ancient RPMs for courier-imap and maildrop (1.5MB).<br>
          </li>
      </ul>
     You get all that and more if you do a blind recurive copy of this site.
 Happy downloading!<br>
      <h2>News</h2>
      <h2></h2>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
 src="file:///home/teastep/Shorewall-docs/images/new10.gif" width="28"
 height="12" alt="(New)">
                </b></p>
      <p>In this version:</p>
      <ul>
         <li>You may now <a href="IPSEC.htm#Dynamic">define the contents
 of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
 delete" commands</a>. These commands are expected to be used primarily within 
           <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown 
 scripts.</li>
         <li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a> 
  on ethernet segments. You can specify the set of allowed MAC addresses on
  the segment and you can optionally tie each MAC address to one or more IP
 addresses.</li>
         <li>PPTP Servers and Clients running on the firewall system may
 now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
         <li>A new 'ipsecnat' tunnel type is supported for use when the 
         <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
         <li>The PATH used by Shorewall may now be specified in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
         <li>The main firewall script is now /usr/lib/shorewall/firewall. 
 The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
 to do the real work. This change makes custom distributions such as for Debian
 and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends
 to have distribution-dependent code.</li>
      </ul>
 If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
 1.3.10, you will need to use the '--force' option:<br>
      <blockquote>   
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
 </blockquote>
      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
 href="http://www.gentoo.org"><br>
              </a></p>
        Alexandru Hartmann reports that his Shorewall package is now a part 
 of        <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
  Thanks Alex!<br>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
          In this version:<br>
      <ul>
                  <li>You may now <a href="IPSEC.htm#Dynamic">define the
 contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
     delete" commands</a>. These commands are expected to be used primarily
  within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
  updown   scripts.</li>
                  <li>Shorewall can now do<a href="MAC_Validation.html">
 MAC   verification</a>    on ethernet segments. You can specify the set of
 allowed   MAC addresses on   the segment and you can optionally tie each
 MAC address   to one or more IP  addresses.</li>
                  <li>PPTP Servers and Clients running on the firewall system 
  may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
  file.</li>
                  <li>A new 'ipsecnat' tunnel type is supported for use when
  the             <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT
  gateway</a>.</li>
                  <li>The PATH used by Shorewall may now be specified in
          <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                  <li>The main firewall script is now /usr/lib/shorewall/firewall.
     The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
     to do the real work. This change makes custom distributions such as
 for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
   that tends  to have distribution-dependent code.</li>
      </ul>
         You may download the Beta from:<br>
      <ul>
                 <li><a
 href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
                 <li><a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                 </li>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>      
                          </b><br>
                      </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                           </b></p>
-This release rolls up fixes to the installer and to the firewall script.<br>
+                 This release rolls up fixes to the installer and to the
 firewall     script.<br>
                  <b><br>
-10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img border="0"
+                 10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
- src="images/new10.gif" width="28" height="12" alt="(New)">
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                                           </b><br>
                       <br>
-  The firewall and server here at shorewall.net are now running RedHat release
+                   The firewall and server here at shorewall.net are now
- 8.0.<br>
+running     RedHat    release   8.0.<br>
      <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>                          
     </b></p>
                         Roles up the fix for broken tunnels.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>                
         </b></p>
-            <img src="images/j0233056.gif" alt="Brown Paper Bag"
+                             <img src="images/j0233056.gif"
- width="50" height="86" align="left">
+ alt="Brown Paper Bag" width="50" height="86" align="left">
                        There is an updated firewall script at <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
            -- copy that file to /usr/lib/shorewall/firewall.<br>
-      <p><b><br>
+                                                                        
            </b></p>
      <p><b><br>
                             </b></p>
      <p><b><br>
-      9/28/2002 - Shorewall 1.3.9 </b><b>                          </b></p>
+                             </b></p>
      <p>In this version:<br>
             </p>
      <ul>
                    <li><a href="configuration_file_basics.htm#dnsnames">DNS
  Names</a>     are now allowed in Shorewall config files (although I recommend
  against   using  them).</li>
                    <li>The connection SOURCE may now be qualified by both
 interface      and IP address in a <a href="Documentation.htm#Rules">Shorewall
 rule</a>.</li>
                    <li>Shorewall startup is now disabled after initial installation
      until the file /etc/shorewall/startup_disabled is removed. This avoids
   nasty   surprises at reboot for users who install Shorewall but don't
 configure     it.</li>
                   <li>The 'functions' and 'version' files and the 'firewall' 
  symbolic   link have been  moved from /var/lib/shorewall to /usr/lib/shorewall 
  to appease   the LFS police at Debian.<br>
                   </li>
      </ul>
      <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
       Restored</b><b>                   </b><br>
                     </p>
                   <img src="images/j0233056.gif" alt="Brown Paper Bag"
 width="50" height="86" align="left">
               A couple of recent configuration changes at www.shorewall.net
  broke    the  Search facility:<br>
      <blockquote>                                                       
        <ol>
                       <li>Mailing List Archive Search was not available.</li>
                       <li>The Site Search index was incomplete</li>
                       <li>Only one page of matches was presented.</li>
        </ol>
                   </blockquote>
                Hopefully these problems are now corrected.             
      <p><b>9/18/2002 -  Debian 1.3.8 Packages Available </b><b>         
         </b><br>
                          </p>
-      <p>Apt-get sources listed at <a
+      <p><b><br>
- href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
+                       9/28/2002 - Shorewall 1.3.9 </b><b>              
-                      <b> </b>                                          
+                 </b></p>
      <p><b>9/16/2002 - Shorewall 1.3.8</b><b>                   </b></p>
      <p>In this version:<br>
@ -206,102 +304,31 @@ configure     it.</li>
      <ul>
                                 <li>A NEWNOTSYN option has been added to 
 shorewall.conf.         This   option  determines whether Shorewall accepts 
 TCP packets which     are    not part   of an  established connection and 
 that are not 'SYN'  packets     (SYN  flag on   and ACK  flag off).</li>
                                 <li>The need for the 'multi' option to communicate 
     between     zones    za and zb on the same interface is removed in the 
  case   where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will 
 exist  if:                                                               
      <ul>
-                                    <li>There is a policy for za to zb; or</li>
+                                     <li><a
-                                    <li>There is at least one rule for za 
+ href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now
-to  zb.                                       </li>
+        allowed in Shorewall config files (although I recommend   against
-                                                                        
+  using       them).</li>
-                                                                        
+                                     <li>The connection SOURCE may now be 
-                                                                        
+qualified      by  both   interface      and IP address in a <a
-                                                                    
+ href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-          </ul>
+                                     <li>Shorewall startup is now disabled
 after    initial     installation       until the file /etc/shorewall/startup_disabled
    is removed.     This avoids    nasty   surprises at reboot for users
 who    install Shorewall     but don't configure     it.</li>
                                    <li>The 'functions' and 'version' files 
 and   the   'firewall'      symbolic   link have been  moved from /var/lib/shorewall 
    to /usr/lib/shorewall      to appease   the LFS police at Debian.<br>
                                    </li>
      </ul>
      <ul>
                                 <li>The /etc/shorewall/blacklist file now
 contains     three    columns.     In addition to the SUBNET/ADDRESS column,
 there are    optional    PROTOCOL and    PORT columns to block only certain
 applications     from the   blacklisted addresses.<br>
                            </li>
      </ul>
      <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
      <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
      <p>This is a role up of a fix for "DNAT" rules where the source zone 
            is $FW   (fw).</p>
      <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
      <p>This is a role up of the "shorewall refresh" bug fix and the change 
            which   reverses the order of "dhcp" and "norfc1918" checking.</p>
      <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
      <p><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
            is now available.</p>
      <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
      <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now 
            mirrored   at <a target="_top"
 href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
@ -311,15 +338,18 @@ to  zb.                                       </li>
      <h2><a name="Donations"></a>Donations</h2>
                       </td>
-                                      <td width="88" bgcolor="#4b017c"
+                                                       <td width="88"
- valign="top" align="center">             <a
+ bgcolor="#4b017c" valign="top" align="center">             <a
 href="http://sourceforge.net">M</a></td>
                                                     </tr>
  </tbody>                                          
 </table>
                                                   </center>
@ -331,7 +361,9 @@ to  zb.                                       </li>
 bgcolor="#4b017c">
                                              <tbody>
                                              <tr>
-                               <td width="100%" style="margin-top: 1px;"> 
+                                                <td width="100%"
 style="margin-top: 1px;">                                              
@ -342,22 +374,24 @@ to  zb.                                       </li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+                                                                        
-if       you try it and find it useful, please consider making a donation 
+                                                  
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                     to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                                                </td>
                                              </tr>
  </tbody>                                          
 </table>
-<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font> 
             <br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -20,6 +20,7 @@
              <tbody>
         <tr>
                <td width="100%">                                        
      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
                </td>
              </tr>
@ -27,19 +28,19 @@
  </tbody>     
 </table>
-<p align="center">       <img border="3" src="images/Hiking1.jpg"
+<p align="center">       <img border="3" src="images/TomNTarry.png"
- alt="Tom on the PCT - 1991" width="374" height="365">
+ alt="Tom on the PCT - 1991" width="316" height="392">
     </p>
-<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,  
+<p align="center">Tarry &amp; Tom -- August 2002<br>
-    Washington  -- Sept       1991.<br>
+            <br>
-          <font size="2">Photo       by Ken Mazawa</font></p>
+ </p>
 <ul>
          <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington 
   State</a> .</li>
-        <li>BA Mathematics from <a href="http://www.wsu.edu">Washington State 
+          <li>BA Mathematics from <a href="http://www.wsu.edu">Washington 
-  University</a>  1967</li>
+State    University</a>  1967</li>
          <li>MA Mathematics from <a href="http://www.washington.edu">University
   of Washington</a> 1969</li>
          <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
@ -54,8 +55,8 @@
  operating system from the NonStop Enterprise Division of HP. </p>
 <p>I became interested in Internet Security when I established a home office 
- in 1999 and had DSL service installed in our       home. I investigated ipchains
+  in 1999 and had DSL service installed in our       home. I investigated 
- and developed the scripts which are now collectively known as <a
+ipchains  and developed the scripts which are now collectively known as <a
 href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
  on what I learned from Seattle Firewall, I then       designed and wrote 
 Shorewall. </p>
@ -66,14 +67,14 @@ Shorewall. </p>
 <p>Our current home network consists of: </p>
 <ul>
-        <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs 
+          <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE 
- and LNE100TX      (Tulip) NIC - My personal Windows system. Also has SuSE
+HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also has
- 8.0 installed.</li>
+RedHat  8.0 installed.</li>
          <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC 
 -  My      personal Linux System which runs Samba configured as a WINS server. 
  This      system also has <a href="http://www.vmware.com/">VMware</a> installed 
- and      can run both <a href="http://www.debian.org">Debian</a> and    
+  and      can run both <a href="http://www.debian.org">Debian Woody</a>
-    <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
+and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
          <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
 (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
      (Bind).</li>
@ -104,12 +105,14 @@ Shorewall. </p>
 src="images/apache_pb1.gif" hspace="2" width="170" height="20">
     </a>  </font></p>
-<p><font size="2">Last updated 10/6/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 10/28/2002 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
        <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_features.htm
+++ b/STABLE/documentation/shorewall_features.htm
@ -1,91 +1,111 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Features</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <ul>
    <li>Uses Netfilter's connection tracking facilities for stateful packet 
   filtering.</li>
    <li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
    <ul>
      <li>Completely customizable using configuration files.</li>
      <li>No limit on the number of network interfaces.</li>
-    <li>Allows you to partitions the network into <i><a href="Documentation.htm#Zones">zones</a></i>
+      <li>Allows you to partitions the network into <i><a
-        and gives you complete control over the connections permitted between
+ href="Documentation.htm#Zones">zones</a></i>         and gives you complete 
-        each pair of zones.</li>
+control over the connections permitted between         each pair of zones.</li>
      <li>Multiple interfaces per zone and multiple zones per interface 
       permitted.</li>
      <li>Supports nested and overlapping zones.</li>
    </ul>
    </li>
-  <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to help 
+    <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to 
-  get your first firewall up and running quickly</li>
+help    get your first firewall up and running quickly</li>
-  <li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> </b>
+    <li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> 
-  included in the .tgz and .rpm downloads.</li>
+    </b>   included in the .tgz and .rpm downloads.</li>
-  <li><b>Flexible address management/routing support</b> (and you can use all
+    <li><b>Flexible address management/routing support</b> (and you can use 
-    types in the same firewall):
+all     types in the same firewall):        
    <ul>
      <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
      <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
-    <li><a href="Documentation.htm#NAT">
+      <li><a href="Documentation.htm#NAT">     Static NAT</a>.</li>
-    Static NAT</a>.</li>
+      <li><a href="Documentation.htm#ProxyArp">     Proxy ARP</a>.</li>
    <li><a href="Documentation.htm#ProxyArp">
    Proxy ARP</a>.</li>
      <li>Simple host/subnet Routing</li>
    </ul>
    </li>
    <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
     IP addresses and subnetworks is supported.</li>
    <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
    <ul>
      <li>Commands to start, stop and clear the firewall</li>
-    <li>Supports status             monitoring
+      <li>Supports status             monitoring      with an audible alarm 
-     with an audible alarm when an             "interesting" packet is detected.</li>
+when an             "interesting" packet is detected.</li>
      <li>Wide variety of informational commands.</li>
    </ul>
    </li>
    <li><b>VPN Support</b>        
    <ul>
-    <li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP
+      <li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP     Tunnels</a>.</li>
    Tunnels</a>.</li>
      <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
    </ul>
    </li>
    <li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
     integration.</li>
    <li>Wide support for different <b>GNU/Linux Distributions</b>.      
    <ul>
-    <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a href="http://security.dsi.unimi.it/~lorenzo/debian.html"><b>Debian</b></a>
+      <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
         packages available.</li>
      <li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
-        and uninstall facilities</b></a> for users who can't use or choose not
+         and uninstall facilities</b></a> for users who can't use or choose 
-        to use the RPM or Debian packages.</li>
+not         to use the RPM or Debian packages.</li>
-    <li>Compatible with 2.4-kernel based versions of <b> <a href="http://leaf.sourceforge.net">
+      <li>Included as a standard part of<b> <a
-    LEAF</a>
+ href="http://leaf.sourceforge.net/devel/jnilo">     LEAF/Bering</a> </b>(router/firewall
-        </b>
+on a floppy, CD or compact flash).</li>
-    .</li>
+         
    </ul>
   </li>
   <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address 
    <b>Verification</b><br>
     </a><br>
    </li>
 </ul>
 <p><font size="2">Last updated 7/14/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
 <font size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font></p>
 <p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
 </p>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -30,22 +30,22 @@
  </tbody>     
 </table>
-<p align="center">With thanks to Richard who reminded me once again that
+<p align="center">With thanks to Richard who reminded me once again that we
-we must  all first walk before we can run.</p>
+must  all first walk before we can run.</p>
 <h2>The Guides</h2>
 <p>These guides provide step-by-step instructions for configuring Shorewall 
  in  common firewall setups.</p>
-<p>The following guides are for users who have a single public IP address:</p>
+<p>The following guides are for <b>users who have a single public IP address</b>:</p>
 <ul>
        <li><a href="standalone.htm">Standalone</a> Linux System</li>
        <li><a href="two-interface.htm">Two-interface</a> Linux System acting 
  as a    firewall/router for a small local network</li>
-     <li><a href="three-interface.htm">Three-interface</a> Linux System acting
+        <li><a href="three-interface.htm">Three-interface</a> Linux System
- as a    firewall/router for a small local network and a DMZ.</li>
+ acting  as a    firewall/router for a small local network and a DMZ.</li>
 </ul>
@ -53,18 +53,20 @@ we must  all first walk before we can run.</p>
   quickly in the three most common Shorewall configurations.</p>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines 
-  the steps necessary to set up a firewall where there are multiple public
+   the steps necessary to set up a firewall where <b>there are multiple public 
  IP  addresses involved or if you want to learn more about Shorewall than 
-is  explained in the single-address guides above.</p>
+ is  explained in the single-address guides above.</b></p>
 <ul>
        <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
        <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
        <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
-     <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
+        <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
- and Routing</a>          
+ Subnets  and Routing</a>                         
    <ul>
          <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
        <li><br>
        </li>
          <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
          <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
          <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
@ -90,13 +92,15 @@ Network</a>
        <ul>
            <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
            <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
-         <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
+            <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
 ARP</a></li>
            <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
        </ul>
          </li>
          <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-       <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
+          <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
 Ends</a></li>
    </ul>
        </li>
@ -108,21 +112,22 @@ Network</a>
 <h2><a name="Documentation"></a>Additional Documentation</h2>
-<p>The following documentation covers a variety of topics and supplements
+<p>The following documentation covers a variety of topics and <b>supplements 
  the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described 
- above. Please review the appropriate guide before trying to use this documentation
+  above</b>. Please review the appropriate guide before trying to use this
-directly.</p>
+ documentation directly.</p>
 <ul>
        <li><a href="blacklisting_support.htm">Blacklisting</a>         
    <ul>
          <li>Static Blacklisting using /etc/shorewall/blacklist</li>
          <li>Dynamic Blacklisting using /sbin/shorewall</li>
    </ul>
        </li>
-     <li><a href="configuration_file_basics.htm">Common configuration file
+        <li><a href="configuration_file_basics.htm">Common configuration
- features</a>          
+file   features</a>                         
    <ul>
          <li>Comments in configuration files</li>
          <li>Line Continuation</li>
@ -142,7 +147,8 @@ directly.</p>
    <ul>
          <li>   <a href="Documentation.htm#Variables">params</a></li>
          <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
-       <li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
+          <li><font color="#000099"><a
 href="Documentation.htm#Interfaces">interfaces</a></font></li>
          <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
          <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
          <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
@ -162,15 +168,16 @@ directly.</p>
    </ul>
        </li>
        <li><a href="dhcp.htm">DHCP</a></li>
-     <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
+        <li><font color="#000099"><a
- Scripts</a></font>    (How to extend Shorewall without modifying Shorewall
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
- code)</li>
+(How to extend Shorewall without modifying Shorewall  code)</li>
        <li><a href="fallback.htm">Fallback/Uninstall</a></li>
        <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
        <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
        <li><a href="myfiles.htm">My  Configuration Files</a> (How I personally 
  use Shorewall)</li>
        <li><a href="ports.htm">Port Information</a>                     
    <ul>
          <li>Which applications use which ports</li>
          <li>Ports used by Trojans</li>
@ -188,8 +195,8 @@ directly.</p>
          <li><a href="IPSEC.htm">IPSEC</a></li>
          <li><a href="IPIP.htm">GRE and IPIP</a></li>
          <li><a href="PPTP.htm">PPTP</a></li>
-       <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
+          <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
- to a      remote network.</li>
+firewall   to a      remote network.</li>
    </ul>
        </li>
@ -200,12 +207,15 @@ directly.</p>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 10/5/2002 - <a
+<p><font size="2">Last modified 11/3/2002 - <a
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
       <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/starting_and_stopping_shorewall.htm
+++ b/STABLE/documentation/starting_and_stopping_shorewall.htm
@ -40,13 +40,13 @@ the Firewall</font></h1>
 <p>   If you have a permanent internet connection such as DSL     or Cable,
-I  recommend that you start the firewall     automatically at boot. Once you
+ I  recommend that you start the firewall     automatically at boot. Once
- have installed      "firewall" in your init.d directory, simply type   
+you  have installed      "firewall" in your init.d directory, simply type
    "chkconfig --add firewall". This will start the     firewall in run levels
-2-5 and stop it in run levels 1 and 6.     If you want to configure your firewall
+ 2-5 and stop it in run levels 1 and 6.     If you want to configure your
-differently from this     default, you can use the "--level" option in  
+firewall differently from this     default, you can use the "--level" option
-  chkconfig (see "man chkconfig") or using your     favorite graphical run-level
+in     chkconfig (see "man chkconfig") or using your     favorite graphical
-editor.</p>
+run-level editor.</p>
@ -106,8 +106,8 @@ by Shoreline  Firewall</li>
           </i>(iptables -L <i>chain</i> -n -v)</li>
      <li>shorewall show nat - produce a verbose report about the nat table
           (iptables -t nat -L -n -v)</li>
-     <li>shorewall show tos - produce a verbose report about the mangle table 
+      <li>shorewall show tos - produce a verbose report about the mangle
-        (iptables -t mangle -L -n -v)</li>
+table          (iptables -t mangle -L -n -v)</li>
      <li>shorewall show log - display the last 20 packet log entries.</li>
      <li>shorewall show connections - displays the IP connections currently
 being     tracked by the firewall.</li>
@ -121,8 +121,8 @@ about the traffic control/shaping configuration.</li>
      <li>shorewall hits - Produces several reports about the Shorewall packet
 log          messages in the current /var/log/messages file.</li>
      <li>shorewall version -  Displays the installed     version number.</li>
-     <li>shorewall check -  Performs a <u>cursory</u> validation     of the 
+      <li>shorewall check -  Performs a <u>cursory</u> validation     of
-zones, interfaces, hosts, rules and policy files.    <font size="4"
+the  zones, interfaces, hosts, rules and policy files.    <font size="4"
 color="#ff6666"><b>The "check" command does not parse and     validate the
 generated iptables commands so even though the "check" command     completes
 successfully, the configuration may fail to start. See the     recommended
@ -130,8 +130,8 @@ way to make configuration changes described below. </b></font>    </li>
      <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] 
 -  Restart shorewall using the     specified configuration and if an error
 occurs or if the<i> timeout </i>    option is given and the new configuration
-has been up for that many seconds     then shorewall is restarted using the 
+ has been up for that many seconds     then shorewall is restarted using
-standard configuration.</li>
+the  standard configuration.</li>
      <li>shorewall deny, shorewall reject, shorewall accept and shorewall
 save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
      <li>shorewall logwatch (added in version 1.3.2) - Monitors the    <a
@ -139,6 +139,21 @@ save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.<
     messages are logged.</li>
 </ul>
 Finally, the "shorewall" program may be used to dynamically alter the contents
 of a zone.<br>
 <ul>
  <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
 specified interface (and host if included) to the specified zone.</li>
  <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
 the specified interface (and host if included) from the specified zone.</li>
 </ul>
 <blockquote>Examples:<br>
  <blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
 from interface ipsec0 to the zone vpn1<br>
 shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
 from interface ipsec0 from zone vpn1<br>
  </blockquote>
 </blockquote>
 <p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and 
@ -210,7 +225,7 @@ the   "try" command will automatically start the old one for you.</p>
-<p><font size="2">   Updated 9/26/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a> 
    </font></p>
@ -219,6 +234,7 @@ the   "try" command will automatically start the old one for you.</p>
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
                             <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -29,12 +29,12 @@
  </tbody>    
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
-easier to post a problem than to use your own brain" </font>-- </i> <font
+is easier to post a problem than to use your own brain" </font>-- </i> <font
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you just
+<p align="left"> <i>"Any sane computer will tell you how it works -- you
- have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
 <blockquote> </blockquote>
@ -60,6 +60,7 @@ contains  a    number of tips to help you solve common problems.</li>
 <h4>Mailing List Archive Search</h4>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
  <p> <font size="-1"> Match:    
  <select name="method">
  <option value="and">All </option>
@ -114,7 +115,7 @@ you             custom configuration files. We're here to answer your questions
 </ul>
 <h3>Where to Send your Problem Report or to Ask for Help</h3>
-       
+         <b></b>
 <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
   post your question or problem to the <a
 href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
@ -134,7 +135,7 @@ you             custom configuration files. We're here to answer your questions
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> 
      .</p>
-<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
@ -142,5 +143,6 @@ you             custom configuration files. We're here to answer your questions
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/three-interface.htm
+++ b/STABLE/documentation/three-interface.htm
@ -53,10 +53,10 @@ in one  of its more popular configurations:</p>
     </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
- (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
- this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on 
- firewall  system. As root, you can use the 'which' command to check for
+your  firewall  system. As root, you can use the 'which' command to check 
-this  program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -69,9 +69,9 @@ this  program:</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
          If you edit your configuration files on a Windows system, you must
  save them as  Unix files if your editor supports that option or you must
-run them through  dos2unix before trying to use them. Similarly, if you copy
+ run them through  dos2unix before trying to use them. Similarly, if you
-a configuration file  from your Windows hard drive to a floppy disk, you
+copy  a configuration file  from your Windows hard drive to a floppy disk,
-must run dos2unix against the  copy before using it with Shorewall.</p>
+you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
@ -132,8 +132,8 @@ that were placed in  /etc/shorewall when Shorewall was installed).</p>
  in  terms of zones.</p>
 <ul>
-      <li>You express your default policy for connections from one zone to
+        <li>You express your default policy for connections from one zone 
- another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
      </a>file.</li>
        <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -141,10 +141,10 @@ that were placed in  /etc/shorewall when Shorewall was installed).</p>
 </ul>
 <p>For each connection request entering the firewall, the request is first 
- checked against the  /etc/shorewall/rules file. If no rule in that file matches
+  checked against the  /etc/shorewall/rules file. If no rule in that file 
- the connection  request then the first policy in /etc/shorewall/policy that
+matches  the connection  request then the first policy in /etc/shorewall/policy 
- matches the    request is applied. If that policy is REJECT or DROP  the
+that  matches the    request is applied. If that policy is REJECT or DROP  
-request is first  checked against the rules in /etc/shorewall/common (the
+the request is first  checked against the rules in /etc/shorewall/common (the
 samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample 
@ -217,7 +217,8 @@ the internet,  uncomment that line.</p>
 <p>The above policy will:</p>
 <ol>
-      <li>allow all connection requests from your local network to the internet</li>
+        <li>allow all connection requests from your local network to the
 internet</li>
        <li>drop (ignore) all connection requests from the internet to your 
 firewall     or local network</li>
        <li>optionally accept all connection requests from the firewall to
@ -248,14 +249,15 @@ your External  Interface will also be <b>ppp0</b>. If you connect using ISDN,
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-       If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then you
+         If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then
- will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
 /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
   eth1 or eth2) and will be connected to a hub or switch. Your local computers 
   will be connected to the same switch (note: If you have only a single local
- system,  you can connect the firewall directly to the computer using a <i>cross-over 
+  system,  you can connect the firewall directly to the computer using a
- </i> cable).</p>
+<i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
  (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
@ -271,9 +273,9 @@ will end up confused and  believing that Shorewall doesn't work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-       The Shorewall three-interface sample configuration assumes that  the 
+         The Shorewall three-interface sample configuration assumes that
- external interface is <b>eth0, </b>the local interface is <b>eth1 </b>and 
+ the   external interface is <b>eth0, </b>the local interface is <b>eth1
-  the DMZ interface is <b> eth2</b>.  If your configuration is different, 
+</b>and    the DMZ interface is <b> eth2</b>.  If your configuration is different, 
 you will have to modify the sample  /etc/shorewall/interfaces file accordingly. 
  While you are there, you may wish to  review the list of options that are 
  specified for the interfaces. Some hints:</p>
@ -296,14 +298,14 @@ you will have to modify the sample  /etc/shorewall/interfaces file accordingly.
 <p align="left">Before going further, we should say a few words about Internet 
   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
  <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
- Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
+  Host  Configuration Protocol</i> (DHCP) or as part of establishing your 
-  when you dial in (standard modem) or establish your PPP connection. In
+connection   when you dial in (standard modem) or establish your PPP connection. 
-rare   cases, your ISP may assign you a<i> static</i> IP address; that means
+In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
-that  you  configure your firewall's external interface to use that address
+means that  you  configure your firewall's external interface to use that 
-permanently.<i>  </i>Regardless of how the address is assigned, it will be
+address permanently.<i>  </i>Regardless of how the address is assigned, it 
-shared by all of your  systems when you access the Internet. You will have
+will be shared by all of your  systems when you access the Internet. You will
-to assign your  own addresses  for your internal network (the local and DMZ
+have to assign your  own addresses  for your internal network (the local and
-Interfaces on  your firewall plus your other  computers). RFC 1918 reserves
+DMZ Interfaces on  your firewall plus your other  computers). RFC 1918 reserves
 several <i>Private  </i>IP address ranges for this  purpose:</p>
 <div align="left">        
@ -313,10 +315,10 @@ several <i>Private  </i>IP address ranges for this  purpose:</p>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-          Before starting Shorewall, you should look at the IP address of 
+            Before starting Shorewall, you should look at the IP address
-your  external    interface and if it is one of the above ranges, you should 
+of  your  external    interface and if it is one of the above ranges, you
-remove  the    'norfc1918' option from the external interface's entry in 
+should  remove  the    'norfc1918' option from the external interface's entry
-  /etc/shorewall/interfaces.</p>
+in    /etc/shorewall/interfaces.</p>
     </div>
 <div align="left">        
@ -327,9 +329,9 @@ of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
 Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
 Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>.
 In Shorewall,  a subnet is described using <a href="subnet_masks.htm"><i>Classless
-InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet address 
+ InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet
-followed    by "/24". The "24" refers to the number of    consecutive "1" 
+address  followed    by "/24". The "24" refers to the number of    consecutive
-bits from the left of the subnet mask. </p>
+"1"  bits from the left of the subnet mask. </p>
     </div>
 <div align="left">        
@ -372,8 +374,8 @@ bits from the left of the subnet mask. </p>
 <div align="left">        
 <p align="left">One of the purposes of subnetting is to allow all computers 
  in the    subnet to understand which other computers can be communicated 
-with directly.    To communicate with systems outside of the subnetwork, systems
+ with directly.    To communicate with systems outside of the subnetwork, 
-send packets    through a<i>  gateway</i>  (router).</p>
+systems send packets    through a<i>  gateway</i>  (router).</p>
     </div>
 <div align="left">        
@ -381,9 +383,9 @@ send packets    through a<i>
 height="13">
         Your local  computers    (Local Computers 1 &amp; 2) should be configured 
  with their<i>    default gateway</i> set to the IP address of the firewall's 
- internal interface    and your DMZ computers ( DMZ Computers 1 &amp; 2) should
+  internal interface    and your DMZ computers ( DMZ Computers 1 &amp; 2) 
- be configured with their    default gateway set to the IP address of the
+should  be configured with their    default gateway set to the IP address 
-firewall's DMZ interface.   </p>
+of the firewall's DMZ interface.   </p>
     </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -399,7 +401,7 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 height="635">
     </p>
-<p align="left">The default gateway for the DMZ computers would be 10.10.10.254 
+<p align="left">The default gateway for the DMZ computers would be 10.10.11.254 
   and the default gateway for the Local computers would be 10.10.10.254.</p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
@ -409,14 +411,14 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
  packets  which have an RFC-1918 destination address. When one of your local 
  systems  (let's assume local computer 1) sends a connection request to an
  internet host, the  firewall must perform <i>Network Address Translation 
-</i>(NAT). The firewall  rewrites the source address in the packet to be the
+ </i>(NAT). The firewall  rewrites the source address in the packet to be 
-address of the firewall's  external interface; in other words, the firewall 
+the address of the firewall's  external interface; in other words, the firewall 
 makes it look as if the firewall  itself is initiating the connection.  This
 is necessary so that the  destination host will be able to route return packets
- back to the firewall  (remember that packets whose destination address is 
+  back to the firewall  (remember that packets whose destination address
- reserved by RFC 1918 can't  be routed accross the internet). When the firewall 
+is   reserved by RFC 1918 can't  be routed accross the internet). When the
- receives a return packet, it  rewrites the destination address back to 10.10.10.1 
+firewall   receives a return packet, it  rewrites the destination address
- and  forwards the packet on to local computer 1. </p>
+back to 10.10.10.1   and  forwards the packet on to local computer 1. </p>
 <p align="left">On Linux systems, the above process is often referred to as<i>
 IP Masquerading</i> and you will also see the term <i>Source Network Address
@ -442,10 +444,10 @@ is necessary so that the  destination host will be able to route return packets
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-       If your external firewall interface is <b>eth0</b>, your local  interface 
+         If your external firewall interface is <b>eth0</b>, your local 
- <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do not  need to
+interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
- modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq 
+not  need to  modify the file provided with the sample. Otherwise, edit 
- and change it to match your configuration.</p>
+/etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
@ -459,8 +461,8 @@ is necessary so that the  destination host will be able to route return packets
 <p align="left">One of your goals will be to run one or more servers on your 
  DMZ computers. Because these computers have RFC-1918 addresses, it is not 
   possible for clients on the internet to connect directly to them. It is 
-rather  necessary for those clients to address their connection requests to
+ rather  necessary for those clients to address their connection requests 
-your firewall  who rewrites the destination address to the address of your
+to your firewall  who rewrites the destination address to the address of your
 server and forwards  the packet to that server. When your server responds, 
 the firewall automatically  performs SNAT to rewrite the source address in
 the response.</p>
@ -641,7 +643,8 @@ try     connecting to port 5000 (e.g., connect to <a
          </tr>
          <tr>
            <td>DNAT</td>
-          <td>net</td>
+            <td>loc<br>
         </td>
            <td>dmz:10.10.11.2:80</td>
            <td>tcp</td>
            <td>80</td>
@ -657,17 +660,19 @@ try     connecting to port 5000 (e.g., connect to <a
 address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
-       At this point, add the DNAT and  ACCEPT rules for your servers. </p>
+         At this point, add the DNAT and  ACCEPT rules for your servers.
 </p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
  an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
 will be  automatically configured (e.g., the /etc/resolv.conf file will be
-written).  Alternatively, your ISP may have given you the IP address of a 
+ written).  Alternatively, your ISP may have given you the IP address of
-pair of DNS <i> name servers</i> for you to manually configure as your primary 
+a  pair of DNS <i> name servers</i> for you to manually configure as your 
-and secondary  name servers. It is <u>your</u> responsibility to configure 
+primary  and secondary  name servers. It is <u>your</u> responsibility to 
-the resolver in your  internal systems. You can take one of two approaches:</p>
+configure  the resolver in your  internal systems. You can take one of two 
 approaches:</p>
 <ul>
        <li>                            
@ -675,8 +680,8 @@ the resolver in your  internal systems. You can take one of two approaches:</p>
  name    servers. If you ISP gave you the addresses of their servers or if
  those    addresses are available on their web site, you can configure your
  internal    systems to use those addresses. If that information isn't available,
- look in    /etc/resolv.conf on your firewall system -- the name servers are
+  look in    /etc/resolv.conf on your firewall system -- the name servers
- given in    "nameserver" records in that file.   </p>
+are  given in    "nameserver" records in that file.   </p>
       </li>
       <li>                            
    <p align="left"><img border="0" src="images/BD21298_2.gif"
@ -684,9 +689,9 @@ the resolver in your  internal systems. You can take one of two approaches:</p>
         You can configure a<i> Caching Name Server </i>on your    firewall 
 or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
 also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
-If you    take this approach, you configure your internal systems to use the
+ If you    take this approach, you configure your internal systems to use 
-caching    name server as their primary (and only) name server. You use the
+the caching    name server as their primary (and only) name server. You use 
-internal IP    address of the firewall (10.10.10.254 in the example above) 
+the internal IP    address of the firewall (10.10.10.254 in the example above) 
  for the name    server address if you choose to run the name server on your
  firewall. To allow your local systems to talk to your caching name    server,
  you must open port 53 (both UDP and TCP) from the local network to the
@ -697,6 +702,7 @@ internal IP    address of the firewall (10.10.10.254 in the example above)
 <blockquote>                  
  <p align="left">If you run the name server on the firewall:            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
          <tbody>
@ -1089,7 +1095,7 @@ added an    entry for the IP address that you are connected from to   <a
 try" command</a>.</p>
     </div>
-<p align="left"><font size="2">Last updated 9/26/2002 - <a
+<p align="left"><font size="2">Last updated 10/22/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -1098,5 +1104,7 @@ try" command</a>.</p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/traffic_shaping.htm
+++ b/STABLE/documentation/traffic_shaping.htm
@ -1,102 +1,126 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Traffic Shaping</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1>
+      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
-<p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic
+   
-shaping/control. In order to use traffic shaping under Shorewall, it is
+<p align="left">Beginning with version 1.2.0, Shorewall has limited support 
-essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
+for traffic shaping/control. In order to use traffic shaping under Shorewall, 
-and Shaping HOWTO</a>, version 0.3.0 or later. You must also install
+it is essential that you get a copy of the <a
-the iproute (iproute2) package to provide the &quot;ip&quot; and &quot;tc&quot;
+ href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, 
-utilities.</p>
+version 0.3.0 or later. You must also install the iproute (iproute2) package 
 to provide the "ip" and "tc" utilities.</p>
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
 <ul>
-  <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
+    <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic     Shaping 
-    Shaping also requires that you enable packet mangling.<br>
+also requires that you enable packet mangling.<br>
    </li>
-  <li>/etc/shorewall/tcrules - A file where you can specify
+    <li>/etc/shorewall/tcrules - A file where you can specify     firewall 
-    firewall marking of packets. The firewall mark value may be used to classify
+marking of packets. The firewall mark value may be used to classify     packets 
-    packets for traffic shaping/control.<br>
+for traffic shaping/control.<br>
    </li>
-  <li>/etc/shorewall/tcstart - A user-supplied file that is
+    <li>/etc/shorewall/tcstart - A user-supplied file that is     sourced 
-    sourced by Shorewall during &quot;shorewall start&quot; and which you can
+by Shorewall during "shorewall start" and which you can     use to define 
-    use to define your traffic shaping disciplines and classes. I have provided
+your traffic shaping disciplines and classes. I have provided     a <a
-    a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
+ href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does   
-    table-driven CBQ shaping but if you read the traffic shaping sections of the
+ table-driven CBQ shaping but if you read the traffic shaping sections of 
-    HOWTO mentioned above, you can probably code your own faster than you can
+the     HOWTO mentioned above, you can probably code your own faster than 
-    learn how to use my sample. I personally use <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB</a> 
+you can     learn how to use my sample. I personally use <a
-    (see below). HTB
+ href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see below). HTB
-    support may eventually become an integral part of Shorewall since HTB is a
+     support may eventually become an integral part of Shorewall since HTB 
-    lot simpler and better-documented than CBQ. HTB is currently not a standard
+is a     lot simpler and better-documented than CBQ. HTB is currently not 
-    part of either the kernel or iproute2 so both must be patched in order to
+a standard     part of either the kernel or iproute2 so both must be patched 
-    use it.<br>
+in order to     use it.<br>
      <br>
      In tcstart, when you want to run the 'tc' utility, use the run_tc function
     supplied by shorewall. <br>
    </li>
-  <li>/etc/shorewall/tcclear - A user-supplied file that is
+    <li>/etc/shorewall/tcclear - A user-supplied file that is     sourced 
-    sourced by Shorewall when it is clearing traffic shaping. This file is
+by Shorewall when it is clearing traffic shaping. This file is     normally 
-    normally not required as Shorewall's method of clearing qdisc and filter
+not required as Shorewall's method of clearing qdisc and filter     definitions 
-    definitions is pretty general.</li>
+is pretty general.</li>
 </ul>
 <h3 align="left">Kernel Configuration</h3>
 <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
-<p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
+   
 <p align="center"><img border="0" src="images/QoS.png" width="590"
 height="764">
 </p>
 <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
 <p align="left">The fwmark classifier provides a convenient way to classify
-packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
+ packets for traffic shaping. The /etc/shorewall/tcrules file provides a
-for specifying these marks in a tabular fashion.</p>
+means  for specifying these marks in a tabular fashion.</p>
 <p align="left">Columns in the file are as follows:</p>
 <ul>
    <li>MARK - Specifies the mark value is to be assigned in case of    
 a match. This is an integer in the range 1-255.<br>
      <br>
      Example - 5<br>
    </li>
-  <li>SOURCE - The source of the packet. If the packet originates
+    <li>SOURCE - The source of the packet. If the packet originates     on 
-    on the firewall, place &quot;fw&quot; in this column. Otherwise, this is a
+the firewall, place "fw" in this column. Otherwise, this is a     comma-separated 
-    comma-separated list of interface names, IP addresses, MAC addresses in
+list of interface names, IP addresses, MAC addresses in   <a
-  <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
+ href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
      <br>
      Examples<br>
-    &nbsp;&nbsp;&nbsp; eth0<br>
+          eth0<br>
-    &nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
+          192.168.2.4,192.168.1.0/24<br>
    </li>
-  <li>DEST -- Destination of the packet. Comma-separated list of
+    <li>DEST -- Destination of the packet. Comma-separated list of     IP 
-    IP addresses and/or subnets.<br>
+addresses and/or subnets.<br>
    </li>
-  <li>PROTO - Protocol - Must be the name of a protocol from
+    <li>PROTO - Protocol - Must be the name of a protocol from     /etc/protocol, 
-    /etc/protocol, a number or &quot;all&quot;<br>
+a number or "all"<br>
    </li>
-  <li>PORT(S) - Destination Ports. A comma-separated list of Port
+    <li>PORT(S) - Destination Ports. A comma-separated list of Port     names 
-    names (from /etc/services), port numbers or port ranges (e.g., 21:22); if
+(from /etc/services), port numbers or port ranges (e.g., 21:22); if     the 
-    the protocol is &quot;icmp&quot;, this column is interpreted as the
+protocol is "icmp", this column is interpreted as the     destination icmp 
-    destination icmp type(s).<br>
+type(s).<br>
    </li>
-  <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
+    <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If     omitted, 
-    omitted, any source port is acceptable. Specified as a comma-separate list
+any source port is acceptable. Specified as a comma-separate list     of port
-    of port names, port numbers or port ranges.</li>
+names, port numbers or port ranges.</li>
 </ul>
-<p align="left">Example 1 - All packets arriving on eth1 should be marked with
+   
-1. All packets arriving on eth2 should be marked with 2. All packets originating
+<p align="left">Example 1 - All packets arriving on eth1 should be marked 
-on the firewall itself should be marked with 3.</p>
+with 1. All packets arriving on eth2 should be marked with 2. All packets 
-<table border="2" cellpadding="2" style="border-collapse: collapse">
+originating on the firewall itself should be marked with 3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
     <tr>
      <td><b>MARK</b></td>
      <td><b>SOURCE</b></td>
@ -110,29 +134,34 @@ on the firewall itself should be marked with 3.</p>
      <td>eth1</td>
      <td>0.0.0.0/0</td>
      <td>all</td>
-    <td>&nbsp;</td>
+      <td> </td>
-    <td>&nbsp;</td>
+      <td> </td>
    </tr>
    <tr>
      <td>2</td>
      <td>eth2</td>
      <td>0.0.0.0/0</td>
      <td>all</td>
-    <td>&nbsp;</td>
+      <td> </td>
-    <td>&nbsp;</td>
+      <td> </td>
    </tr>
    <tr>
      <td>3</td>
      <td>fw</td>
      <td>0.0.0.0/0</td>
      <td>all</td>
-    <td>&nbsp;</td>
+      <td> </td>
-    <td>&nbsp;</td>
+      <td> </td>
    </tr>
  </tbody> 
 </table>
-<p align="left">Example 2 - All GRE (protocol 47) packets not originating on the
+   
-firewall and destined for 155.186.235.151 should be marked with 12.</p>
+<p align="left">Example 2 - All GRE (protocol 47) packets not originating 
-<table border="2" cellpadding="2" style="border-collapse: collapse">
+on the firewall and destined for 155.186.235.151 should be marked with 12.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
     <tr>
      <td><b>MARK</b></td>
      <td><b>SOURCE</b></td>
@ -146,13 +175,18 @@ firewall and destined for 155.186.235.151 should be marked with 12.</p>
      <td>0.0.0.0/0</td>
      <td>155.186.235.151</td>
      <td>47</td>
-    <td>&nbsp;</td>
+      <td> </td>
-    <td>&nbsp;</td>
+      <td> </td>
    </tr>
  </tbody> 
 </table>
-<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 and
+   
-destined for 155.186.235.151 should be marked with 22.</p>
+<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 
-<table border="2" cellpadding="2" style="border-collapse: collapse">
+and destined for 155.186.235.151 should be marked with 22.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
     <tr>
      <td><b>MARK</b></td>
      <td><b>SOURCE</b></td>
@ -167,48 +201,57 @@ destined for 155.186.235.151 should be marked with 22.</p>
      <td>155.186.235.151</td>
      <td>tcp</td>
      <td>22</td>
-    <td>&nbsp;</td>
+      <td> </td>
    </tr>
  </tbody> 
 </table>
 <h3>Hierarchical Token Bucket</h3>
-<p>I personally use HTB. I have found a couple of things that may be of
+   
-use to others.</p>
+<p>I personally use HTB. I have found a couple of things that may be of use 
 to others.</p>
 <ul>
-  <li>The gzipped tc binary at the <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB
+    <li>The gzipped tc binary at the <a
-    website</a> didn't work for me -- I had to download the lastest version of
+ href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB     website</a> didn't work
-    the <a href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
+for me -- I had to download the lastest version of     the <a
 href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch    
 them for HTB.</li>
-  <li>The HTB example in the HOWTO seems to be full of errors. I'm currently
+    <li>I'm currently      running with this set of shaping rules in my tcstart
-    running with this set of shaping rules in my tcstart file so I know that it works.</li>
+file. I recently changed from using a ceiling of 10Mbit (interface speed)
 to 384kbit (DSP Uplink speed).<br>
    <br>
  </li>
 </ul>
 <blockquote>      
-  <p><font face="Courier" size="2">run_tc qdisc add dev eth0 root handle 1: htb default 30<br>
+  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
-  <br>
+   
-  run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k<br>
+  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500</pre>
-  <br>
+   
-  run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k<br>
+  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
-  run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k<br>
+   
-  run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit   ceil&nbsp;&nbsp;
+  <pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>
-  10mbit burst 15k<br>
+   
-  <br>
+  <pre>echo "   Enabled SFQ on Second Level Classes"</pre>
-  run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10<br>
+   
-  run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10<br>
+  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
-  run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10<br>
+   
-  <br>
+  <pre>echo "   Defined fwmark filters"<br></pre>
-  run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>
+   
-  run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20<br>
+  <p>My tcrules file is shown in Example 1 above. You can look at my <a
-  run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
+ href="myfiles.htm">network   configuration</a> to get an idea of why I want 
-  </font></p>
+these particular rules.<font face="Courier" size="2"><br>
  <p>My tcrules file is shown in Example 1 above. You can look at my <a href="myfiles.htm">network
  configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br>
    </font></p>
  </blockquote>
-<p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
+   
-Eastep</a></font></p>
+<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/troubleshoot.htm
+++ b/STABLE/documentation/troubleshoot.htm
@ -2,144 +2,142 @@
 <html>
 <head>
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Troubleshooting</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
-
+<table border="0" cellpadding="0" cellspacing="0"
-    
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-      <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
         <tbody>
    <tr>
           <td width="100%">           
-          <h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
           </td>
         </tr>
  </tbody>
 </table>
 <h3 align="left">Check the Errata</h3>
 <p align="left">Check the <a href="errata.htm">Shorewall Errata</a>  to be
 sure   that there isn't an update that you are missing for your version of
 the   firewall.</p>
-      <h3 align="Left">Check the Errata</h3>
+<h3 align="left">Check the FAQs</h3>
-      <p align="Left">Check the <a href="errata.htm">Shorewall Errata</a>
+<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
- to be sure   that there isn't an update that you are missing for your version
+problems.</p>
 of the   firewall.</p>
-      <h3 align="Left">Check the FAQs</h3>
+<h3 align="left">If the firewall fails to start</h3>
-    
+      If you receive an error message when starting or restarting the firewall
-      <p align="Left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common problems.</p>
+and you can't determine the cause, then do the following:   
      <h3 align="Left">If the firewall fails to start</h3>
  If you
 receive an error message when starting or restarting the firewall and you
 can't determine the cause, then do the following:
 <ul>
     <li>shorewall debug start 2&gt; /tmp/trace</li>
-    <li>Look at the /tmp/trace file and see if that helps you     determine what
+     <li>Look at the /tmp/trace file and see if that helps you     determine
-the problem is.</li>
+what the problem is.</li>
-    <li>If you still can't determine what's wrong then see the
+     <li>If you still can't determine what's wrong then see the     <a
-    <a href="support.htm">support page</a>.</li>
+ href="support.htm">support page</a>.</li>
 </ul>
 <h3>Your test environment</h3>
 <p>Many times when people have problems with Shorewall, the problem is  
 actually an ill-conceived test setup. Here are several popular snafus: </p>
 <ul>
-    <li>Port
+     <li>Port           Forwarding where client and server are in the same
-          Forwarding where client and server are in the same subnet. See <a href="FAQ.htm">FAQ
+subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
-          2.</a></li>
+     <li>Changing the IP address of a local system to be in the external
-    <li>Changing the IP address of a local system to be in the external subnet, 
+subnet,      thinking that Shorewall will suddenly believe that the system
-    thinking that Shorewall will suddenly believe that the system is in the 
+is in the      'net' zone.</li>
-    'net' zone.</li>
+     <li>Multiple interfaces connected to the same HUB or Switch. Given the
-    <li>Multiple interfaces connected to the same HUB or Switch. Given the way 
+way      that the Linux kernel respond to ARP "who-has" requests, this type
-    that the Linux kernel respond to ARP &quot;who-has&quot; requests, this type of setup 
+of setup      does NOT work the way that you expect it to.</li>
-    does NOT work the way that you expect it to.</li>
+   
 </ul>
-      <h3 align="Left">If you are having
+<h3 align="left">If you are having connection problems:</h3>
 connection problems:</h3>
-      <p align="Left">If the appropriate policy for the connection that you
+<p align="left">If the appropriate policy for the connection that you are
-are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
+trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
-TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
+TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
-clutter to your rule set and they represent a big security hole in the event
+to your rule set and they represent a big security hole in the event that
-that you forget to remove them later.</p>
+you forget to remove them later.</p>
-      <p align="Left">I also recommend against setting all of your policies to 
+<p align="left">I also recommend against setting all of your policies to
-      ACCEPT in an effort to make something work. That robs you of one of your 
+       ACCEPT in an effort to make something work. That robs you of one of
-      best diagnostic tools - the &quot;Shorewall&quot; messages that Netfilter will 
+your        best diagnostic tools - the "Shorewall" messages that Netfilter
-      generate when you try to connect in a way that isn't permitted by your 
+will        generate when you try to connect in a way that isn't permitted
-      rule set.</p>
+by your        rule set.</p>
-      <p align="Left">Check your log. If you don't see Shorewall  messages,
+<p align="left">Check your log. If you don't see Shorewall  messages, then
-then your problem is probably NOT a Shorewall problem. If you DO see packet
+your problem is probably NOT a Shorewall problem. If you DO see packet messages,
-messages, it is an indication that you are missing one or more rules.</p>
+it may be an indication that you are missing one or more rules -- see <a
 href="FAQ.htm#faq17">FAQ 17</a>.</p>
-      <p align="Left">While you are troubleshooting, it is a good idea to clear
+<p align="left">While you are troubleshooting, it is a good idea to clear 
      two variables in /etc/shorewall/shorewall.conf:</p>
-      <p align="Left">LOGRATE=&quot;&quot;<br>
+<p align="left">LOGRATE=""<br>
-      LOGBURST=&quot;&quot;</p>
+       LOGBURST=""</p>
-      <p align="Left">This way, you will see all of the log messages being
+<p align="left">This way, you will see all of the log messages being    
  generated (be sure to restart shorewall after clearing these variables).</p>
-      <p align="Left">Example:</p>
+<p align="left">Example:</p>
      <font face="Century Gothic, Arial, Helvetica">          
-  
+<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
-      <p align="Left"><font face="Courier">Jun 27 15:37:56 gateway kernel: 
+   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
-      Shorewall:all2all:REJECT:IN=eth2 
+LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 
 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
         </font>          
-  
+<p align="left">Let's look at the important parts of this message:</p>
      <p align="Left">Let's look at the important parts of this message:</p>
 <ul>
-    <li>all2all:REJECT - the packet was rejected under the     "all"-&gt;"all" REJECT
+     <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-policy</li>
+-- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
    <a href="FAQ.htm#faq17">FAQ 17).</a></li>
     <li>IN=eth2 - the packet entered the firewall via eth2</li>
     <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
     <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
     <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
     <li>PROTO=UDP - UDP Protocol</li>
     <li>DPT=53 - DNS</li>
 </ul>
-      <p align="Left">In this case, 192.168.2.2 was in the "dmz" zone and 
+<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and  192.168.1.3
-192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
+is in the "loc" zone. I was missing the rule:</p>
-      <p align="Left">ACCEPT    dmz    loc    udp    53</p>
+<p align="left">ACCEPT    dmz    loc    udp    53</p>
-
+<h3 align="left">Other Gotchas</h3>
      <h3 align="Left">Other Gotchas</h3>
 <ul>
     <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
-    chains? This means that:<ol>
+     chains? This means that:
-      <li>your zone definitions are screwed up and the host that is sending the 
+    <ol>
-      packets or the destination host isn't in any zone (using an
+       <li>your zone definitions are screwed up and the host that is sending
 the        packets or the destination host isn't in any zone (using an  
    <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
       or</li>
       <li>the source and destination hosts are both connected to the same
-      interface and that interface doesn't have the 'multi' option specified in
+       interface and that interface doesn't have the 'multi' option specified
-      <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
     </li>
-    <li>Remember that Shorewall doesn't automatically allow ICMP     type 8 ("ping")
+     <li>Remember that Shorewall doesn't automatically allow ICMP     type
-requests to be sent between zones. If you want     pings to be allowed between
+8 ("ping") requests to be sent between zones. If you want     pings to be
-zones, you need a rule of the form:<br>
+allowed between zones, you need a rule of the form:<br>
      <br>
          ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
 icmp        echo-request<br>
@ -153,53 +151,49 @@ icmp
 the     zone containing the system you are pinging from and the zone containing
     10.1.1.2, the ping requests will be dropped. This is true even if you 
 have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
-    <li>If you specify "routefilter" for an interface,     that interface must be
+     <li>If you specify "routefilter" for an interface,     that interface
-up prior to starting the firewall.</li>
+must be up prior to starting the firewall.</li>
-    <li>Is your routing correct? For example, internal systems usually need to 
+     <li>Is your routing correct? For example, internal systems usually need
-    be configured with their default gateway set to the IP address of their 
+to      be configured with their default gateway set to the IP address of
-    nearest firewall interface. One often overlooked aspect of routing is that 
+their      nearest firewall interface. One often overlooked aspect of routing
-    in order for two hosts to communicate, the routing between them must be set 
+is that      in order for two hosts to communicate, the routing between them
-    up <u>in both directions.</u> So when setting up routing between <b>A</b> 
+must be set      up <u>in both directions.</u> So when setting up routing
-    and<b> B</b>, be sure to verify that the route from <b>B</b> back to <b>A</b> 
+between <b>A</b>      and<b> B</b>, be sure to verify that the route from
-    is defined.</li>
+    <b>B</b> back to <b>A</b>      is defined.</li>
-    <li>Some versions of LRP (EigerStein2Beta for example) have a     shell with
+     <li>Some versions of LRP (EigerStein2Beta for example) have a     shell
-broken variable expansion. <a href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz">
+with broken variable expansion. <a
-You     can get a corrected shell from the Shorewall Errata download site.</a>
+ href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
-    </li>
+shell from the Shorewall Errata download site.</a>     </li>
-    <li>Do you have your kernel properly configured? <a href="kernel.htm">Click 
+     <li>Do you have your kernel properly configured? <a
-   here to see my kernel configuration.</a> </li>
+ href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-    <li>Some features require the "ip" program. That     program is generally included
+     <li>Some features require the "ip" program. That     program is generally
-in the "iproute" package which should     be included with your distribution
+included in the "iproute" package which should     be included with your
-(though many distributions don't install     iproute by     default). You
+distribution (though many distributions don't install     iproute by    
-may also download the latest source tarball from <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
+default). You may also download the latest source tarball from <a
-ftp://ftp.inr.ac.ru/ip-routing</a>
+ href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
 .</li>
-    <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts then the
+     <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
-zone must be entirely   defined in /etc/shorewall/hosts unless you have 
+then the zone must be entirely   defined in /etc/shorewall/hosts unless you
-    specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if
+have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
-a zone has two interfaces but   only one interface has an entry in /etc/shorewall/hosts
+For example, if a zone has two interfaces but   only one interface has an
-then hosts attached to   the other interface will <u>not</u> be considered
+entry in /etc/shorewall/hosts then hosts attached to   the other interface
-part of the zone.</li>
+will <u>not</u> be considered part of the zone.</li>
-    <li>Problems with NAT? Be sure that you let Shorewall add all     external addresses
+     <li>Problems with NAT? Be sure that you let Shorewall add all     external
-to be use with NAT unless you have set <a href="Documentation.htm#Aliases">
+addresses to be use with NAT unless you have set <a
-ADD_IP_ALIASES</a>
+ href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
-=No     in /etc/shorewall/shorewall.conf.</li>
+   
 </ul>
 <h3>Still Having Problems?</h3>
 <p>See the<a href="support.htm"> support page.</a></p>
        <font face="Century Gothic, Arial, Helvetica">          
 <blockquote> </blockquote>
         </font>            
-  
+<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font>  </p>
        <p><font size="2">Last updated 9/13/2002 -
 Tom Eastep</font>
 </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
 </html>
--- a/STABLE/documentation/upgrade_issues.htm
+++ b/STABLE/documentation/upgrade_issues.htm
@ -30,10 +30,17 @@
 <p>For upgrade instructions see the                               <a
 href="Install.htm">Install/Upgrade page</a>.</p>
 <h3>Version 1.3.10</h3>
 If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
 1.3.10, you will need to use the '--force' option:<br>
 <br>
 <blockquote>
  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
 </blockquote>
 <h3>Version &gt;= 1.3.9</h3>
- The 'functions' file has moved to /usr/lib/shorewall/functions. If you have 
+  The 'functions' file has moved to /usr/lib/shorewall/functions. If you
-an application that uses functions from that file, your application will need
+have  an application that uses functions from that file, your application
-to be changed to reflect this change of location.<br>
+will need to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.8</h3>
@ -47,8 +54,8 @@ to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.7</h3>
 <p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf
- will need to include the                                following rules in
+  will need to include the                                following rules
- their /etc/shorewall/icmpdef                                file (creating 
+in  their /etc/shorewall/icmpdef                                file (creating
  this file if necessary):</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
@ -68,21 +75,21 @@ will  need                                  to transcribe any Shorewall configur
                                   changes that you have made to the new
                                 configuration.</li>
                                     <li>Replace the shorwall.lrp package 
-provided  on                                  the Bering floppy with the
+provided  on                                  the Bering floppy with the later
-later one.  If you did                                  not obtain the later
+one.  If you did                                  not obtain the later version
-version from Jacques's                                  site, see additional
+from Jacques's                                  site, see additional instructions
-instructions  below.</li>
+ below.</li>
                                     <li>Edit the /var/lib/lrpkg/root.exclude.list
-                                  file and remove the /var/lib/shorewall entry
+                                   file and remove the /var/lib/shorewall
- if                                  present. Then do not forget to backup
+entry  if                                  present. Then do not forget to
- root.lrp !</li>
+backup  root.lrp !</li>
 </ol>
 <p>The .lrp that I release isn't set up for a two-interface firewall like
    Jacques's. You need to follow the <a href="two-interface.htm">instructions
- for   setting up a two-interface firewall</a> plus you also need to add the
+  for   setting up a two-interface firewall</a> plus you also need to add
- following   two Bering-specific rules to /etc/shorewall/rules:</p>
+the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
 <blockquote>                
  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
@ -92,8 +99,8 @@ instructions  below.</li>
 <p align="left">If you have a pair of firewall systems configured for   
        failover or if you have asymmetric routing, you will need to modify
-            your firewall setup slightly under Shorewall versions 1.3.6 and 
+             your firewall setup slightly under Shorewall versions 1.3.6
- 1.3.7</p>
+and   1.3.7</p>
 <ol>
                 <li>                                                
@ -159,7 +166,7 @@ after  takeover.<br>
             If you have applications that access these files, those applications
             should be modified accordingly.</p>
-<p><font size="2">  Last updated 9/30/2002 -                             
+<p><font size="2">  Last updated 11/09/2002 -                           
   <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -168,5 +175,6 @@ after  takeover.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.9b
+VERSION=1.3.10
 usage() # $1 = exit status
 {
@ -38,7 +38,7 @@ usage() # $1 = exit status
 restore_file() # $1 = file to restore
 {
-    if [ -f ${1}-${VERSION}.bkout ]; then
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
 	if (mv -f ${1}-${VERSION}.bkout $1); then
 	    echo
 	    echo "$1 restored"
@ -62,6 +62,10 @@ if [ -L /usr/lib/shorewall/firewall ]; then
 elif [ -L /var/lib/shorewall/firewall ]; then
    FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
    restore_file $FIREWALL
 elif [ -L /usr/lib/shorewall/init ]; then
    FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'`
    restore_file $FIREWALL
    restore_file /usr/lib/shorewall/firewall
 fi
 restore_file /sbin/shorewall
@ -73,6 +77,7 @@ restore_file /etc/shorewall/shorewall.conf
 restore_file /etc/shorewall/functions
 restore_file /usr/lib/shorewall/functions
 restore_file /var/lib/shorewall/functions
 restore_file /usr/lib/shorewall/firewall
 restore_file /etc/shorewall/common.def
@ -96,6 +101,8 @@ restore_file /etc/shorewall/proxyarp
 restore_file /etc/shorewall/routestopped
 restore_file /etc/shorewall/maclist
 restore_file /etc/shorewall/masq
 restore_file /etc/shorewall/modules
--- a/STABLE/firewall
+++ b/STABLE/firewall
--- a/STABLE/functions
+++ b/STABLE/functions
@ -80,17 +80,17 @@ determine_zones()
 }
-###############################################################################
+#
 # The following functions may be used by apps that wish to ensure that
 # the state of Shorewall isn't changing
-#------------------------------------------------------------------------------
+#
 # This function loads the STATEDIR variable (directory where Shorewall is to
 # store state files). If your application supports alternate Shorewall
 # configurations then the name of the alternate configuration directory should
 # be in $SHOREWALL_DIR at the time of the call.
 #
 # If the shorewall.conf file does not exist, this function does not return
-###############################################################################
+#
 get_statedir()
 {
    MUTEX_TIMEOUT=
@ -107,7 +107,7 @@ get_statedir()
    [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 }
-###############################################################################
+#
 # Call this function to assert MUTEX with Shorewall. If you invoke the
 # /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
 # the first argument. Example "shorewall nolock refresh"
@ -115,7 +115,7 @@ get_statedir()
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
 # behavior of lockfile.
-###############################################################################
+#
 mutex_on()
 {
    local try=0
@ -145,18 +145,18 @@ mutex_on()
    fi
 }
-###############################################################################
+#
 # Call this function to release MUTEX
-###############################################################################
+#
 mutex_off()
 {
    rm -f $STATEDIR/lock
 }
-###############################################################################
+#
-# Strip comments and blank lines from a file and place the result in the      #
+# Strip comments and blank lines from a file and place the result in the
-# temporary directory                                                         #
+# temporary directory
-###############################################################################
+#
 strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
 {
    local fname
--- a/STABLE/hosts
+++ b/STABLE/hosts
@ -35,6 +35,12 @@
 #				       route messages to and from this
 #				       member when the firewall is in the
 #				       stopped state
 #			maclist	     - Connection requests from these hosts
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #
 #
 #ZONE		HOST(S)		OPTIONS
--- a/STABLE/init.sh
+++ b/STABLE/init.sh
@ -0,0 +1,75 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
 #     (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called:
 #	/etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License 
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.
 #
 #	Commands are:
 #
 #	   shorewall start			  Starts the firewall 
 #	   shorewall restart			  Restarts the firewall
 #	   shorewall stop			  Stops the firewall
 #	   shorewall status			  Displays firewall status
 #
 #### BEGIN INIT INFO
 # Provides:	  shorewall
 # Required-Start: $network
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
 # Description:	  starts and stops the shorewall firewall
 ### END INIT INFO
 # chkconfig: 2345 25 90
 # description: Packet filtering firewall
 #
 ################################################################################
 # Give Usage Information						       #
 ################################################################################
 usage() {
    echo "Usage: $0 start|stop|restart|status"
    exit 1
 }
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 command="$1"
 case "$command" in
    stop|start|restart|status)
 	exec /sbin/shorewall $@
 	;;
    *)
 	usage
 	;;
 esac
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.9b
+VERSION=1.3.10
 usage() # $1 = exit status
 {
@ -237,7 +237,7 @@ if [ -n "$RUNLEVELS" ]; then
    echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp
    echo "{ print }" >> awk.temp
-    awk -f awk.temp firewall > firewall.temp
+    awk -f awk.temp init.sh > init.temp
    if [ $? -ne 0 ]; then
 	echo -e "\nERROR: Error running awk."
@ -246,11 +246,11 @@ if [ -n "$RUNLEVELS" ]; then
 	exit 1
    fi
-    install_file_with_backup firewall.temp ${PREFIX}${DEST}/$FIREWALL 0544
+    install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544
-    rm -f firewall.temp awk.tmp
+    rm -f init.temp awk.tmp
 else
-    install_file_with_backup firewall ${PREFIX}${DEST}/$FIREWALL 0544
+    install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
 fi
 echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
@ -382,6 +382,15 @@ else
    echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
 #
 # Install the Mac List file
 #
 if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
    backup_file /etc/shorewall/maclist
 else
    run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
    echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist"
 fi
 #
 # Install the Masq file
 #
 if [ -f ${PREFIX}/etc/shorewall/masq ]; then
@ -476,13 +485,15 @@ chmod 644 ${PREFIX}/usr/lib/shorewall/version
 if [ -z "$PREFIX" ]; then
    rm -f /etc/shorewall/firewall
    rm -f /var/lib/shorewall/firewall
-    rm -f /usr/lib/shorewall/firewall
+    [ -L /usr/lib/shorewall/firewall ] && \
-    ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/firewall
+	mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
-else
+    rm -f /usr/lib/shorewall/init
-    pushd ${PREFIX}/usr/lib/shorewall/ >> /dev/null && ln -s ../../..${DEST}/${FIREWALL} firewall && popd >> /dev/null
+    ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init
 fi
-
+#
-echo -e "\n${PREFIX}/usr/lib/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL"
+# Install the firewall script
 #
 install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544
 if [ -z "$PREFIX" -a -n "$first_install" ]; then
    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/STABLE/interfaces
+++ b/STABLE/interfaces
@ -16,7 +16,9 @@
 #			place "-" in this column.
 #	
 #	INTERFACE	Name of interface. Each interface may be listed only
-#			once in this file.
+#			once in this file. You may NOT specify the name of
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
@ -81,6 +83,12 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
 #			maclist	     - Connection requests from this interface
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
--- a/STABLE/maclist
+++ b/STABLE/maclist
@ -0,0 +1,18 @@
 #
 # Shorewall 1.3 - MAC list file
 #
 # /etc/shorewall/maclist
 #
 # Columns are:
 #
 #	INTERFACE	Network interface to a host
 #	
 #	MAC		MAC address of the host -- you do not need to use
 #			the Shorewall format for MAC addresses here
 #
 #	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
 #			must match. This column can contain a comma-separated
 #			list of host and/or subnet addresses.
 ##############################################################################
 #INTERFACE	        MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -1,16 +1,27 @@
-This is a minor release of Shorewall which rolls up a number of bug
+This is a minor release of Shorewall that has a number of new features..
 fixes.
 New features include:
-1. DNS Names are now allowed in Shorewall config files.
+1) You may now define the contents of a zone dynamically with the 
   "shorewall add" and "shorewall delete" commands. These commands
   are expected to be used primarily within FreeS/Wan updown scripts.
-2. The connection SOURCE may now be qualified by both interface
+2) Shorewall can now do MAC verification on ethernet segments. You can
-   and IP address in a Shorewall rule.
+   specify the set of allowed MAC addresses on the segment and you can
   optionally tie each MAC address to an IP address.
-3. Shorewall startup is now disabled after initial installation until
+3) PPTP Servers and Clients running on the firewall system may now be
-   the file /etc/shorewall/startup_disabled is removed.
+   defined in the /etc/shorewall/tunnels file.
-4. The 'functions' and 'version' files and the 'firewall' symbolic link
+4) A new 'ipsecnat' tunnel type is supported for use when the remote
-   have been moved from /var/lib/shorewall to /usr/lib/shorewall to
+   IPSEC endpoint is behind a NAT gateway.
-   appease the LFS police at Debian.
+    
 5) The PATH used by Shorewall may now be specified in
   /etc/shorewall/shorewall.conf.
 6) The main firewall script is now /usr/lib/shorewall/firewall. The
   script in /etc/init.d/shorewall is very small and uses
   /sbin/shorewall to do the real work. This change makes custom
   distributions such as for Debian and for Gentoo easier to manage
   since it is /etc/init.d/shorewall that tends to have
   distribution-dependent code.
--- a/STABLE/shorewall
+++ b/STABLE/shorewall
@ -32,6 +32,8 @@
 #
 #	Commands are:
 #
 #          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
 #          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
 #	   shorewall start			   Starts the firewall 
 #	   shorewall restart			   Restarts the firewall
 #	   shorewall stop			   Stops the firewall
@ -108,11 +110,10 @@ showchain() # $1 = name of chain
    fi
 }
-#################################################################################
+#
-# Set the configuration variables from shorewall.conf				#
+# Set the configuration variables from shorewall.conf
-#################################################################################
+#
 get_config() {
    get_statedir
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
@ -133,10 +134,10 @@ get_config() {
    [ -n "$FW" ] || FW=fw
 }
-#################################################################################
+#
-# Display IPTABLES rules -- we used to store them in a variable but ash		#
+# Display IPTABLES rules -- we used to store them in a variable but ash
-# dies when trying to display large sets of rules				#
+# dies when trying to display large sets of rules
-#################################################################################
+#
 display_chains()
 {
    trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
@ -226,10 +227,10 @@ display_chains()
 }
-#################################################################################
+#
-# Delay $timeout seconds -- if we're running on a recent bash2 then allow	# 
+# Delay $timeout seconds -- if we're running on a recent bash2 then allow
-# <enter> to terminate the delay						#
+# <enter> to terminate the delay
-#################################################################################
+#
 timed_read () 
 {
    read -t $timeout foo 2> /dev/null
@ -237,9 +238,9 @@ timed_read ()
    test $? -eq 2 && sleep $timeout
 }
-#################################################################################
+#
-# Display the last $1 packets logged						#
+# Display the last $1 packets logged
-#################################################################################
+#
 packet_log() # $1 = number of messages 
 {
    local options
@ -253,9 +254,9 @@ packet_log() # $1 = number of messages
 	 tail $options
 }
-#################################################################################
+#
-# Show traffic control information						#
+# Show traffic control information
-#################################################################################
+#
 show_tc() {
    show_one_tc() {
@ -283,9 +284,9 @@ show_tc() {
 }
-#################################################################################
+#
-# Monitor the Firewall								#
+# Monitor the Firewall
-#################################################################################
+#
 monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 		   #		     an 'interesting' packet count changes
 {
@ -359,9 +360,9 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
    done
 }
-#################################################################################
+#
-# Watch the Firewall Log							#
+# Watch the Firewall Log
-#################################################################################
+#
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
@ -409,13 +410,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    done
 }
-#################################################################################
+#
-# Give Usage Information							#
+# Give Usage Information
-#################################################################################
+#
 usage() # $1 = exit status
 {
    echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host>] <zone>"
    echo "   delete <interface>[:<host>] <zone>"
    echo "   show [<chain>|connections|log|nat|tc|tos]"
    echo "   start"
    echo "   stop"
@ -437,17 +440,17 @@ usage() # $1 = exit status
    exit $1
 }
-#################################################################################
+#
-# Display the time that the counters were last reset                            #
+# Display the time that the counters were last reset
-#################################################################################
+#
 show_reset() {
    [ -f $STATEDIR/restarted ] && \
 	echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
 }
-#################################################################################
+#
-# Execution begins here								#
+# Execution begins here
-#################################################################################
+#
 debugging=
 if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
@ -532,11 +535,17 @@ fi
 banner="Shorewall-$version Status at $HOSTNAME -"
 get_statedir
 case "$1" in
    start|stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
 	exec $firewall $debugging $nolock $1
 	;;
    add|delete)
 	[ $# -ne 3 ] && usage 1
 	exec $firewall $debugging $nolock $1 $2 $3
 	;;
    show)
 	[ $# -gt 2 ] && usage 1
 	case "$2" in
@ -550,7 +559,6 @@ case "$1" in
 	    iptables -t nat -L -n -v
 	    ;;
 	tos|mangle)
 	    get_config
 	    echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
 	    show_reset
 	    iptables -t mangle -L -n -v
@ -567,7 +575,6 @@ case "$1" in
 	    show_tc
 	    ;;
 	*)
 	    get_config
 	    echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
 	    show_reset
 	    iptables -L $2 -n -v
@ -710,6 +717,8 @@ case "$1" in
 	[ $# -ne 1 ] && usage 1
 	mutex_on
 	if qt iptables -L shorewall -n; then
 	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
 	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
 		echo "Dynamic Rules Saved"
 	    else
--- a/STABLE/shorewall.conf
+++ b/STABLE/shorewall.conf
@ -8,6 +8,12 @@
 #
 #  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.	
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # NAME OF THE FIREWALL ZONE
 #
@ -154,7 +160,8 @@ ADD_IP_ALIASES=Yes
 #
 # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
 # for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself.
+# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
 # you are sure that you need it -- most people don't!!!
 #
 ADD_SNAT_ALIASES=No
@ -376,4 +383,25 @@ FORWARDPING=Yes
 NEWNOTSYN=No
 #
 # MAC List Disposition
 #
 # This variable determines the disposition of connection requests arriving
 # on interfaces that have the 'maclist' option and that are from a device
 # that is not listed for that interface in /etc/shorewall/maclist. Valid
 # values are ACCEPT, DROP and REJECT. If not specified or specified as
 # empty (MACLIST_DISPOSITION="") then REJECT is assumed
 MACLIST_DISPOSITION=REJECT
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 # 
 MACLIST_LOG_LEVEL=info
 #LAST LINE -- DO NOT REMOVE
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.9b
+%define version 1.3.10
 %define release 1
 %define prefix /usr
@ -85,6 +85,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/params
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
@ -95,11 +96,20 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/lib/shorewall/functions
-/usr/lib/shorewall/firewall
+%attr(0544,root,root) /usr/lib/shorewall/firewall
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.10
 * Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.10b1
 * Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
 - Added maclist file
 * Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.10
 - Replaced symlink with real file
 * Wed Oct 09 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.9b
 * Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/tunnels
+++ b/STABLE/tunnels
@ -9,7 +9,8 @@
 #
 #	The columns are:
 #
-#	TYPE	    --	must start in column 1 and be "ipsec", "ip" or "gre"
+#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ip"
 #			"gre","pptpclient" or "pptpserver"
 #
 #	ZONE	    --	The zone of the physical interface through which
 #			tunnel traffic passes. This is normally your internet
@ -19,10 +20,10 @@
 #			remote getway has no fixed address (Road Warrior)
 #			then specify the gateway as 0.0.0.0/0.
 #
-#	GATEWAY ZONE--	Optional. If the gateway system specified in the third
+#	GATEWAY ZONES --	Optional. If the gateway system specified in the third
 #			column is a standalone host then this column should
-#			contain the name of the zone that the host is in. This
+#			contain a comma-separated list of the names of the zones that
-#			column only applies to IPSEC tunnels.
+#			the host might be in. This column only applies to IPSEC tunnels.
 #
 #		Example 1:
 #
@ -47,5 +48,28 @@
 #
 #			ipsec	net	4.33.99.124	gw
 #
 #		Example 4:
 #
 #			Road Warriors that may belong to zones vpn1, vpn2 or
 #			vpn3. The FreeS/Wan _updown script will add the
 #			host to the appropriate zone using the "shorewall add"
 #			command on connect and will remove the host from the
 #			zone at disconnect time.
 #
 #			ipsec	net	0.0.0.0/0	vpn1,vpn2,vpn3
 #
 #		Example 5:
 #
 #			You run the Linux PPTP client on your firewall and
 #			connect to server 192.0.2.221.
 #
 #			pptpclient	net	192.0.2.221
 #
 #		Example 6:
 #
 #			You run a PPTP server on your firewall.
 #
 #			pptpserver	net
 #
 # TYPE			ZONE	GATEWAY		GATEWAY ZONE
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.9b
+VERSION=1.3.10
 usage() # $1 = exit status
 {
@ -61,7 +61,7 @@ remove_file() # $1 = file to restore
 }
 if [ -f /usr/lib/shorewall/version ]; then
-    INSTALLED_VERSION="`cat /var/lib/shorewall/version`"
+    INSTALLED_VERSION="`cat /usr/lib/shorewall/version`"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@ -82,6 +82,8 @@ if [ -L /usr/lib/shorewall/firewall ]; then
    FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
 elif [ -L /var/lib/shorewall/firewall ]; then
    FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
 elif [ -L /usr/lib/shorewall/init ]; then
    FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'`
 else
    FIREWALL=
 fi
@ -94,6 +96,7 @@ if [ -n "$FIREWALL" ]; then
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
 remove_file /sbin/shorewall