Documentation changes for OLD_PING_HANDLING

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 01:37:59 +02:00 · 2003-01-22 00:37:23 +00:00 · 2003-01-22 00:37:23 +00:00 · b35d93acac
commit b35d93acac
parent a5f8c0595d
15 changed files with 8315 additions and 7951 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_CA_html.html
+++ b/Shorewall-docs/Shorewall_CA_html.html
@ -18,7 +18,7 @@
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
-(CA) Certificate</font></h1>
+ (CA) Certificate</font></h1>
            </td>
          </tr>
@ -26,27 +26,27 @@
 </table>
  <br>
  Given that I develop and support Shorewall without asking for any renumeration,
-I can hardly justify paying $200US+ a year to a Certificate Authority such 
+ I can hardly justify paying $200US+ a year to a Certificate Authority such
-as Thawte (A Division of VeriSign) for an X.509 certificate to prove that 
+ as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
-I am who I am. I have therefore established my own Certificate Authority (CA)
+ I am who I am. I have therefore established my own Certificate Authority
-and sign my own X.509 certificates. I use these certificates on my mail server
+(CA) and sign my own X.509 certificates. I use these certificates on my list
-(<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
+server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>) 
 which hosts parts of this web site.<br>
  <br>
- X.509 certificates are the basis for the Secure Socket Layer (SSL). As part 
+  X.509 certificates are the basis for the Secure Socket Layer (SSL). As
-of establishing an SSL session (URL https://...), your browser verifies the 
+part  of establishing an SSL session (URL https://...), your browser verifies
-X.509 certificate supplied by the HTTPS server against the set of Certificate 
+the  X.509 certificate supplied by the HTTPS server against the set of Certificate
-Authority Certificates that were shipped with your browser. It is expected 
+ Authority Certificates that were shipped with your browser. It is expected
-that the server's certificate was issued by one of the authorities whose identities
+ that the server's certificate was issued by one of the authorities whose
-are known to your browser. <br>
+identities are known to your browser. <br>
  <br>
- This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar 
+  This mechanism, while supposedly guaranteeing that when you connect to
-you are REALLY connecting to www.foo.bar, means that the CAs literally have 
+https://www.foo.bar  you are REALLY connecting to www.foo.bar, means that
-a license to print money -- they are selling a string of bits (an X.509 certificate) 
+the CAs literally have  a license to print money -- they are selling a string
-for $200US+ per year!!!I <br>
+of bits (an X.509 certificate)  for $200US+ per year!!!I <br>
  <br>
  I wish that I had decided to become a CA rather that designing and writing
-Shorewall.<br>
+ Shorewall.<br>
  <br>
  What does this mean to you? It means that the X.509 certificate that my 
 server will present to your browser will not have been signed by one of the 
@ -58,8 +58,8 @@ to accept the sleezy X.509 certificate being presented by my server. <br>
 <ol>
    <li>You can accept the mail.shorewall.net certificate when your browser
-asks -- your acceptence of the certificate can be temporary (for that access 
+ asks -- your acceptence of the certificate can be temporary (for that access
-only) or perminent.</li>
+ only) or perminent.</li>
    <li>You can download and install <a href="ca.crt">my (self-signed) CA 
 certificate.</a> This will make my Certificate Authority known to your browser 
 so that it will accept any certificate signed by me. <br>
@ -70,22 +70,24 @@ so that it will accept any certificate signed by me. <br>
 <ol>
    <li>If you install my CA certificate then you assume that I am trustworthy
-and that Shorewall running on your firewall won't redirect HTTPS requests 
+ and that Shorewall running on your firewall won't redirect HTTPS requests
-intented to go to your bank's server to one of my systems that will present
+ intented to go to your bank's server to one of my systems that will present 
-your browser with a bogus certificate claiming that my server is that of
+your browser with a bogus certificate claiming that my server is that of your
-your bank.</li>
+bank.</li>
    <li>If you only accept my server's certificate when prompted then the 
 most that you have to loose is that when you connect to https://mail.shorewall.net,
-the server you are connecting to might not be mine.</li>
+ the server you are connecting to might not be mine.</li>
 </ol>
  I have my CA certificate loaded into all of my browsers but I certainly 
 won't be offended if you decline to load it into yours... :-)<br>
-<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
 M. Eastep.</font></a></font></p>
   <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -30,6 +30,7 @@
                                <td width="100%" height="90">           
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                                </td>
                              </tr>
@ -39,10 +40,12 @@
      <ul>
-                             <li> <a href="seattlefirewall_index.htm">Home</a></li>
+                                  <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
                                          <li> <a
 href="shorewall_features.htm">Features</a></li>
-                             <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
+                                  <li> <a
 href="shorewall_prerequisites.htm">Requirements</a></li>
                                  <li> <a href="download.htm">Download</a><br>
                          </li>
                          <li> <a href="Install.htm">Installation/Upgrade/</a><br>
@ -53,20 +56,25 @@
                           </li>
                                                  <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
-                             <li> <a href="Documentation.htm">Reference Manual</a></li>
+                                  <li> <a href="Documentation.htm">Reference
  Manual</a></li>
                                  <li> <a href="FAQ.htm">FAQs</a></li>
-                              <li><a href="useful_links.html">Useful Links</a><br>
+                                   <li><a href="useful_links.html">Useful 
 Links</a><br>
                                   </li>
                                  <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                  <li> <a href="errata.htm">Errata</a></li>
-                             <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
+                                  <li> <a href="upgrade_issues.htm">Upgrade 
 Issues</a></li>
                                  <li> <a href="support.htm">Support</a></li>
-                             <li> <a href="mailing_list.htm">Mailing Lists</a></li>
+                                  <li> <a href="mailing_list.htm">Mailing 
 Lists</a></li>
                                  <li> <a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
                                    <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -78,33 +86,38 @@
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                                    <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
-                   <li><a href="http://www.shorewall.net" target="_top">Washington 
+                        <li><a href="http://www.shorewall.net"
-  State, USA</a><br>
+ target="_top">Washington    State, USA</a><br>
                        </li>
          </ul>
                                  </li>
      </ul>
      <ul>
                                  <li>   <a href="News.htm">News Archive</a></li>
-                             <li> <a href="Shorewall_CVS_Access.html">CVS 
+                                  <li> <a
-Repository</a></li>
+ href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
                                  <li> <a href="quotes.htm">Quotes from Users</a></li>
-                             <li> <a href="shoreline.htm">About the Author</a></li>
+                                  <li> <a href="shoreline.htm">About the
 Author</a></li>
                                  <li> <a
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                                </td>
                              </tr>
@ -113,10 +126,10 @@ Repository</a></li>
  </tbody>                           
 </table>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
                    <strong><br>
-                   <b>Note: </b></strong>Search is unavailable Daily 0200-0330
+                        <b>Note: </b></strong>Search is unavailable Daily 
-   GMT.<br>
+0200-0330      GMT.<br>
                        <strong></strong>                               
  <p><strong>Quick Search</strong><br>
@ -127,13 +140,13 @@ Repository</a></li>
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
                              <font face="Arial">   <input type="hidden"
- name="exclude" value="[http://mail.shorewall.net/pipermail/*]">   </font> 
+ name="exclude" value="[http://lists.shorewall.net/pipermail/*]">   </font>
       </form>
-<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
+<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
@ -145,6 +158,8 @@ Repository</a></li>
         <br>
        <br>
       <br>
- 
+       <br>
    <br>
     <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -40,10 +40,12 @@
      <ul>
-                              <li> <a href="seattlefirewall_index.htm">Home</a></li>
+                                   <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
                                           <li> <a
 href="shorewall_features.htm">Features</a></li>
-                              <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
+                                   <li> <a
 href="shorewall_prerequisites.htm">Requirements</a></li>
                                   <li> <a href="download.htm">Download</a><br>
                           </li>
                           <li> <a href="Install.htm">Installation/Upgrade/</a><br>
@ -55,20 +57,24 @@
                                                   <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                                   <li> <a href="Documentation.htm">Reference 
-Manual</a></li>
+  Manual</a></li>
                                   <li> <a href="FAQ.htm">FAQs</a></li>
-                               <li><a href="useful_links.html">Useful Links</a><br>
+                                    <li><a href="useful_links.html">Useful
 Links</a><br>
                                    </li>
                                   <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                   <li> <a href="errata.htm">Errata</a></li>
-                              <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
+                                   <li> <a href="upgrade_issues.htm">Upgrade
  Issues</a></li>
                                   <li> <a href="support.htm">Support</a></li>
-                              <li> <a href="mailing_list.htm">Mailing Lists</a></li>
+                                   <li> <a href="mailing_list.htm">Mailing
 Lists</a></li>
                                   <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
          <ul>
                                     <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -80,33 +86,39 @@ Manual</a></li>
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                                     <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
-                    <li><a href="http://www.shorewall.net" target="_top">Washington
+                         <li><a href="http://www.shorewall.net"
-   State, USA</a><br>
+ target="_top">Washington    State, USA</a><br>
                         </li>
          </ul>
                                   </li>
      </ul>
      <ul>
                                   <li>   <a href="News.htm">News Archive</a></li>
-                              <li> <a href="Shorewall_CVS_Access.html">CVS
+                                   <li> <a
- Repository</a></li>
+ href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                              <li> <a href="quotes.htm">Quotes from Users</a></li>
+                                   <li> <a href="quotes.htm">Quotes from
-                              <li> <a href="shoreline.htm">About the Author</a></li>
+Users</a></li>
                                   <li> <a href="shoreline.htm">About the 
 Author</a></li>
                                   <li> <a
 href="sourceforge_index.htm#Donations">Donations</a></li>
      </ul>
                                 </td>
                               </tr>
@ -115,10 +127,10 @@ Manual</a></li>
  </tbody>                            
 </table>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
                    <strong><br>
-                    <b>Note: </b></strong>Search is unavailable Daily 0200-0330 
+                         <b>Note: </b></strong>Search is unavailable Daily
-   GMT.<br>
+ 0200-0330      GMT.<br>
                         <strong></strong>                              
  <p><strong>Quick Search</strong><br>
@ -128,14 +140,14 @@ Manual</a></li>
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
-                          <font face="Arial">   <input type="hidden"
+                               <font face="Arial">   <input
- name="exclude" value="[http://mail.shorewall.net/pipermail/*]">   </font>
+ type="hidden" name="exclude"
-     </form>
+ value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
-<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
+<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> </a><br>
            </p>
@ -145,6 +157,9 @@ Manual</a></li>
         <br>
        <br>
       <br>
- 
+       <br>
    <br>
    <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -374,7 +374,7 @@ site.</b></p>
 <blockquote>                                           
  <p align="left">The <a target="_top"
- href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS  repository at
+ href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository at
       cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
       component. There's no guarantee that what you find there will work
 at    all.<br>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -11,6 +11,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -22,6 +23,7 @@
                    <tr>
                      <td width="100%">                                 
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
                      </td>
                    </tr>
@ -50,21 +52,21 @@ untar the archive, replace the        'firewall' script in the untarred director
                    <li>                                                
    <p align="left">          <b>If you are running a Shorewall version earlier
-than 1.3.11, when the instructions say to install a corrected        firewall
+ than 1.3.11, when the instructions say to install a corrected        firewall
-script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall   
+ script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall  
    or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
      the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
             or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall 
             and /var/lib/shorewall/firewall  are symbolic links that point 
         to the 'shorewall' file used by your  system initialization scripts 
   to         start Shorewall during boot. It is  that file that must be overwritten
-            with the corrected script. Beginning with Shorewall 1.3.11, you
+             with the corrected script. Beginning with Shorewall 1.3.11,
-may rename the existing file before copying in the new file.</b></p>
+you may rename the existing file before copying in the new file.</b></p>
            </li>
            <li>                                                  
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-    ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
+     ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
-  example,  do NOT install the 1.3.9a firewall script if you are running
+For    example,  do NOT install the 1.3.9a firewall script if you are running
 1.3.7c.</font></b><br>
                        </p>
            </li>
@ -81,14 +83,15 @@ may rename the existing file before copying in the new file.</b></p>
 color="#660066">       <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
                    <li>                            <b><font
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
-on RH7.2</a></font></b></li>
+ on RH7.2</a></font></b></li>
                    <li>                            <b><a href="#Debug">Problems
    with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
-                  <li><b><a href="#SuSE">Problems installing/upgrading RPM
+                    <li><b><a href="#SuSE">Problems installing/upgrading
- on  SuSE</a></b></li>
+RPM   on  SuSE</a></b></li>
                    <li><b><a href="#Multiport">Problems with iptables version
   1.2.7    and       MULTIPORT=Yes</a></b></li>
-            <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
+              <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and 
 NAT</a></b><br>
              </li>
 </ul>
@ -97,21 +100,38 @@ on RH7.2</a></font></b></li>
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
-<h3>Version 1.3.12</h3>
+<h3>Version 1.3.13</h3>
 <ul>
-  <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the
+   <li>The 'shorewall add' command produces an error message referring to 
-same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected
+'find_interfaces_by_maclist'.</li>
-by <a
+  <li>The 'shorewall delete' command can leave behind undeleted rules.<br>
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
 firewall script</a> which may be installed in /usr/lib/shorewall as described
 above.<br>
  </li>
 </ul>
 Both problems are corrected by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
 firewall script</a> which may be installed in /usr/lib/shorewall as described
 above.<br>
 <h3>Version 1.3.12</h3>
 <ul>
    <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
 the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is
 corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
 firewall script</a> which may be installed in /usr/lib/shorewall as described
 above.<br>
    </li>
 </ul>
 <h3>Version 1.3.12 LRP</h3>
 <ul>
     <li>The .lrp was missing the /etc/shorewall/routestopped file -- a new 
-lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
+ lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
     </li>
 </ul>
@ -130,17 +150,17 @@ lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
 <ul>
         <li>When installing/upgrading using the .rpm, you may receive the
-following   warnings:<br>
+ following   warnings:<br>
           <br>
            user teastep does not exist - using root<br>
            group teastep does not exist - using root<br>
           <br>
-     These warnings are harmless and may be ignored. Users downloading the
+       These warnings are harmless and may be ignored. Users downloading
- .rpm  from shorewall.net or mirrors should no longer see these warnings
+the   .rpm  from shorewall.net or mirrors should no longer see these warnings
 as  the .rpm you will get from there has been corrected.</li>
        <li>DNAT rules that exclude a source subzone (SOURCE column contains
  !  followed by a sub-zone list) result in an error message and Shorewall
-fails  to start.<br>
+ fails  to start.<br>
          <br>
      Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
@ -159,11 +179,12 @@ fails  to start.<br>
  on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
        <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
-   version of the firewall script</a> may help. Please report any cases where
+    version of the firewall script</a> may help. Please report any cases
-   installing this script in /usr/lib/shorewall/firewall solved your connection
+where     installing this script in /usr/lib/shorewall/firewall solved your
-   problems. Beginning with version 1.3.10, it is safe to save the old version
+connection     problems. Beginning with version 1.3.10, it is safe to save
-   of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
+the old version     of /usr/lib/shorewall/firewall before copying in the
-   is the real script now and not just a symbolic link to the real script.<br>
+new one since /usr/lib/shorewall/firewall     is the real script now and
 not just a symbolic link to the real script.<br>
           </li>
 </ul>
@ -181,8 +202,8 @@ fails  to start.<br>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-    corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
+     corrects this problem.Copy the script to /usr/lib/shorewall/firewall 
-  described  above.<br>
+as   described  above.<br>
          </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
@ -193,8 +214,8 @@ fails  to start.<br>
 <ul>
            <li>The installer (install.sh) issues a misleading message "Common
   functions   installed in /var/lib/shorewall/functions" whereas the file
-is  installed  in /usr/lib/shorewall/functions. The installer also performs
+ is  installed  in /usr/lib/shorewall/functions. The installer also performs
-incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
+ incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
       <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
     is an updated version that corrects these problems.<br>
@ -204,15 +225,15 @@ incorrectly  when updating old configurations that had the file /etc/shorewall/f
 <h3>Version 1.3.9</h3>
             <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall 
-script    at  <a
+ script    at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
     -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
              <br>
             Version 1.3.8                
 <ul>
-               <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
+                 <li> Use of shell variables in the LOG LEVEL or SYNPARMS 
-   of  the  policy file doesn't work.</li>
+columns     of  the  policy file doesn't work.</li>
                 <li>A DNAT rule with the same original and new IP addresses
  but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
    tcp   25 - 10.1.1.1")<br>
@ -222,8 +243,8 @@ script    at  <a
               Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                      as described above corrects these problems.
+                                       as described above corrects these
-                   
+problems.                       
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                       
@ -257,13 +278,13 @@ script    at  <a
 <ol>
                                                 <li>If the firewall is running 
   a  DHCP   server,                                   the client won't be 
-able   to obtain   an IP  address                                  lease from
+ able   to obtain   an IP  address                                  lease 
-that   server.</li>
+from that   server.</li>
                                                 <li>With this order of checking, 
    the   "dhcp"                                   option cannot be used as
  a  noise-reduction                                     measure where there
  are  both dynamic and    static                                  clients
-on a LAN segment.</li>
+ on a LAN segment.</li>
 </ol>
@ -345,7 +366,7 @@ above.</p>
 <div align="left">                    
 <p align="left">That capability was lost in version 1.3.4 so that it is only
            possible to  include a single host specification on each line.
-This         problem is corrected by    <a
+ This         problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
            modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
            as instructed above.</p>
@ -391,8 +412,8 @@ so it's a            good idea to run that command after you have made configura
 version            has a size of 38126 bytes.</p>
 <ul>
-                           <li>The code to detect a duplicate interface entry 
+                             <li>The code to detect a duplicate interface 
-  in             /etc/shorewall/interfaces contained a typo that prevented 
+entry    in             /etc/shorewall/interfaces contained a typo that prevented 
  it from               working correctly. </li>
                             <li>"NAT_BEFORE_RULES=No" was broken; it behaved 
  just   like   "NAT_BEFORE_RULES=Yes".</li>
@ -421,10 +442,10 @@ version            has a size of 38126 bytes.</p>
                             <li>TCP SYN packets may be double counted when 
            LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e.,
  each              packet is sent through the limit chain twice).</li>
-                           <li>An unnecessary jump to the policy chain is 
+                             <li>An unnecessary jump to the policy chain
-sometimes                 generated for a CONTINUE policy.</li>
+is  sometimes                 generated for a CONTINUE policy.</li>
                             <li>When an option is given for more than one
-interface      in               /etc/shorewall/interfaces then depending
+ interface      in               /etc/shorewall/interfaces then depending
 on the option,     Shorewall                may ignore all but the first
 appearence of the   option.  For example:<br>
                             <br>
@ -432,11 +453,11 @@ appearence of the   option.  For example:<br>
                             loc    eth1    dhcp<br>
                             <br>
                             Shorewall will ignore the 'dhcp' on eth1.</li>
-                           <li>Update 17 June 2002 - The bug described in 
+                             <li>Update 17 June 2002 - The bug described
-the   prior    bullet               affects the following options: dhcp, dropunclean,
+in  the   prior    bullet               affects the following options: dhcp, 
-  logunclean,                 norfc1918, routefilter, multi, filterping and
+dropunclean,   logunclean,                 norfc1918, routefilter, multi, 
-  noping. An additional                 bug has been found that affects only
+filterping and   noping. An additional                 bug has been found 
-  the 'routestopped' option.<br>
+that affects only   the 'routestopped' option.<br>
                             <br>
                             Users who downloaded the corrected script prior
  to  1850   GMT   today              should download and install the corrected 
@ -453,9 +474,9 @@ the   prior    bullet               affects the following options: dhcp, dropunc
 <ul>
                             <li>Folks who downloaded 1.3.0 from the links
-on  the   download    page              before 23:40 GMT, 29 May 2002 may
+ on  the   download    page              before 23:40 GMT, 29 May 2002 may
-have  downloaded   1.2.13    rather than              1.3.0. The "shorewall
+ have  downloaded   1.2.13    rather than              1.3.0. The "shorewall
-version"  command   will tell    you which version              that you
+ version"  command   will tell    you which version              that you
 have installed.</li>
                             <li>The documentation NAT.htm file uses non-existent 
               wallpaper and bullet graphic files. The           <a
@ -490,6 +511,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
        running RedHat 7.1, you can install either of these RPMs        
     <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
        has   released an iptables-1.2.4 RPM of their own which you can download
       from<font color="#ff6633">   <a
@ -515,6 +537,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  </ul>
                            </blockquote>
 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
               and RedHat iptables</h3>
@ -529,12 +552,12 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
  user-space debugging code was not updated to reflect recent changes in
-       the     Netfilter 'mangle' table. You can correct the problem by installing 
+        the     Netfilter 'mangle' table. You can correct the problem by
-          <a
+installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
           this iptables RPM</a>. If you are already running a 1.2.5 version 
-  of       iptables, you will need to specify the --oldpackage option to rpm
+   of       iptables, you will need to specify the --oldpackage option to 
-  (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                  </blockquote>
@ -573,8 +596,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
               </h3>
-          /etc/shorewall/nat entries of the following form will result in 
+            /etc/shorewall/nat entries of the following form will result
-Shorewall     being unable to start:<br>
+in  Shorewall     being unable to start:<br>
            <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -582,11 +605,11 @@ Shorewall     being unable to start:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
            The solution is to put "no" in the LOCAL column. Kernel support 
-for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. 
+ for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. 
-The  2.4.19 kernel   contains corrected support under a new kernel configuraiton 
+ The  2.4.19 kernel   contains corrected support under a new kernel configuraiton 
  option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 1/3/2003 -                             
+<p><font size="2">  Last updated 1/21/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
@ -597,5 +620,7 @@ The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -86,9 +86,9 @@
      </li>
              <li>to ensure that the sender address is fully qualified.</li>
              <li>to verify that the sender's domain has an A or MX record
-in  DNS.</li>
+ in  DNS.</li>
              <li>to ensure that the host name in the HELO/EHLO command is
-a  valid    fully-qualified  DNS name that resolves.</li>
+ a  valid    fully-qualified  DNS name that resolves.</li>
 </ol>
@ -98,14 +98,15 @@ HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net
 "for  continuous abuse" because it has been my policy to allow HTML in list 
 posts!!<br>
      <br>
-     I think that blocking all HTML is a Draconian way to control spam  and 
+      I think that blocking all HTML is a Draconian way to control spam 
- that the ultimate losers here are not the spammers but the list subscribers 
+and   that the ultimate losers here are not the spammers but the list subscribers
-  whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
+   whose MTAs are bouncing all shorewall.net mail. As one list subscriber
- to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
+wrote  to me privately "These e-mail admin's need to get a <i>(explitive
- life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
+deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
- to allow subscribers to receive list posts as must as possible, I have now
+Nevertheless,  to allow subscribers to receive list posts as must as possible,
- configured the list server at shorewall.net to strip all HTML from outgoing
+I have now  configured the list server at shorewall.net to strip all HTML
- posts. This means that HTML-only posts will be bounced by the list server.<br>
+from outgoing  posts. This means that HTML-only posts will be bounced by
 the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
   </p>
@ -113,15 +114,16 @@ posts!!<br>
 <h2>Other Mail Delivery Problems</h2>
    If you find that you are missing an occasional list post, your e-mail 
 admin  may be blocking mail whose <i>Received:</i> headers contain the names 
-of certain ISPs. Again, I believe that such policies hurt more than they
+of certain ISPs. Again, I believe that such policies hurt more than they help
-help but I'm not prepared to go so far as to start stripping <i>Received:</i> 
+but I'm not prepared to go so far as to start stripping <i>Received:</i>
-headers to circumvent those policies.<br>
+ headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
-<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch"> 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
  <p> <font size="-1"> Match:                                            
  <select name="method">
  <option value="and">All </option>
  <option value="or">Any </option>
@ -143,15 +145,15 @@ headers to circumvent those policies.<br>
  </select>
                </font> <input type="hidden" name="config" value="htdig"> 
  <input type="hidden" name="restrict"
- value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
+ value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                Search: <input type="text" size="30" name="words"
 value="">    <input type="submit" value="Search"> </p>
                </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the
+<h2 align="left"><font color="#ff0000">Please do not try to download the entire
-entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
+Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-won't stand the traffic. If I catch you, you will be blacklisted.<br>
+stand the traffic. If I catch you, you will be blacklisted.<br>
         </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
@ -167,40 +169,49 @@ Firewall     (such   as the one used on my web site), you may <a
 <p align="left">The Shorewall Users Mailing list provides a way for users
        to get answers to questions and to report problems. Information of
-general       interest to the Shorewall user community is also posted to this
+ general       interest to the Shorewall user community is also posted to
-list.</p>
+this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
        the <a href="support.htm">problem reporting guidelines</a>.</b></p>
-<p align="left">To subscribe to the mailing list, go to <a
+<p align="left">To subscribe to the mailing list:<br>
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a> 
+</p>
-      SSL: <a
+<ul>
- href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
+  <li><b>Insecure: </b><a
- target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
  <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
 </ul>
 <p align="left">To post to the list, post to <a
- href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
+ href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
 <p align="left">The list archives are at <a
- href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
+ href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the 
-        Shorewall community. To subscribe, go to <a
+        Shorewall community. To subscribe:<br>
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a> 
+</p>
-      SSL: <a
+<p align="left"></p>
- href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
+<ul>
- target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
+  <li><b>Insecure:</b> <a
-             </a><br>
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
  <li><b>SSL</b>: <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
 </ul>
 <p align="left"><br>
              The list archives are at <a
- href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
+ href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
@ -208,23 +219,27 @@ may be found at <a
        the exchange of ideas about the future of Shorewall and for coordinating
       ongoing Shorewall Development.</p>
-<p align="left">To subscribe to the mailing list, go to <a
+<p align="left">To subscribe to the mailing list:<br>
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a> 
+ </p>
-      SSL: <a
+<ul>
- href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
+  <li><b>Insecure: </b><a
- target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
-             To post to the list, post to <a
+  <li><b>SSL:</b> <a
- href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
+ href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
 </ul>
 <p align="left">              To post to the list, post to <a
 href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
 <p align="left">The list archives are at <a
- href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
+ href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
 <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
        the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing
-        from Mailman-managed lists although Mailman 2.1 has attempted to make
+         from Mailman-managed lists although Mailman 2.1 has attempted to
- this less confusing. To unsubscribe:</p>
+make  this less confusing. To unsubscribe:</p>
 <ul>
                   <li>                                                 
@ -243,8 +258,9 @@ may be found at <a
                   <li>                                                 
    <p align="left">There will now be a box where you can enter your password
-       and  click on "Unsubscribe"; if you have forgotten your password, there
+        and  click on "Unsubscribe"; if you have forgotten your password,
-     is  another  button that will cause your password to be emailed to you.</p>
+there      is  another  button that will cause your password to be emailed
 to you.</p>
                   </li>
 </ul>
@ -254,11 +270,11 @@ may be found at <a
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 12/31/2002 - <a
+<p align="left"><font size="2">Last updated 1/14/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
       </p>
       <br>
      <br>
@ -266,5 +282,6 @@ may be found at <a
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -2,11 +2,14 @@
 <html>
 <head>
  <title>ICMP Echo-request (Ping)</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-<body>
+  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
@ -19,72 +22,118 @@
  </tbody> 
 </table>
 <br>
 Shorewall 'Ping' management has evolved over time with the latest change
 coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>)
 was added to /etc/shorewall/shorewall.conf. The value of that option determines
 the overall handling of ICMP echo requests (pings).<br>
 <h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
 In 1.3.14, Ping handling was put under control of the rules and policies
 just like any other connection request. In order to accept ping requests
 from zone z1 to zone z2, you need a rule in /etc/shoreall/rules of the form:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 Example: <br>
 <br>
-Shorewall 'Ping' management has evolved over time in a less than consistant
+To permit ping from the local zone to the firewall:<br>
-way. This page describes how it now works.<br>
+<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
    If you would like to accept 'ping' by default, create <b>/etc/shorewall/icmpdef
 </b>if it doesn't already exist and in that file place the following command:<br>
 <blockquote>
  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
 </blockquote>
 With that rule in place, if you want to ignore 'ping' from z1 to z2 then
 you need a rule of the form:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 Example:<br>
 <br>
-There are several aspects to Shorewall Ping management:<br>
+To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 <blockquote>      </blockquote>
 <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
 </h2>
 There are several aspects to the old Shorewall Ping management:<br>
 <ol>
   <li>The <b>noping</b> and <b>filterping </b>interface options in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
-  <li>The <b>FORWARDPING</b> option in<a
+   <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
- href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
+/etc/shorewall/shorewall.conf</a>.</li>
-  <li>Explicit rules in <a
+   <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
- href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+ 
 </ol>
-There are two cases to consider:<br>
+ There are two cases to consider:<br>
 <ol>
   <li>Ping requests addressed to the firewall itself; and</li>
   <li>Ping requests being forwarded to another system. Included here are 
 all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple 
 routing.</li>
 </ol>
-These cases will be covered separately.<br>
+ These cases will be covered separately.<br>
-<h2>Ping Requests Addressed to the Firewall Itself</h2>
+ 
-For ping requests addressed to the firewall, the sequence is as follows:<br>
+<h3>Ping Requests Addressed to the Firewall Itself</h3>
 For ping requests addressed to the firewall, the sequence is as follows:<br>
 <ol>
   <li>If neither <b>noping</b> nor <b>filterping </b>are specified for the 
 interface that receives the ping request then the request will be responded 
 to with an ICMP echo-reply.</li>
-  <li>If <b>noping</b> is specified for the interface that receives the ping
+   <li>If <b>noping</b> is specified for the interface that receives the
-request then the request is ignored.</li>
+ping request then the request is ignored.</li>
   <li>If <b>filterping </b>is specified for the interface then the request 
 is passed to the rules/policy evaluation.</li>
 </ol>
-<h2>Ping Requests Forwarded by the Firewall</h2>
+ 
-These requests are <b>always</b> passed to rules/policy evaluation.<br>
+<h3>Ping Requests Forwarded by the Firewall</h3>
-<h2>Rules Evaluation</h2>
+ These requests are <b>always</b> passed to rules/policy evaluation.<br>
-Ping requests are ICMP type 8. So the general rule format is:<br>
+ 
-<br>
+<h3>Rules Evaluation</h3>
-&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
+ Ping requests are ICMP type 8. So the general rule format is:<br>
-</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+ <br>
-<br>
+ &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
-Example 1. Accept pings from the net to the dmz (pings are responded to with
+Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
-an ICMP echo-reply):<br>
+ <br>
-<br>
+ Example 1. Accept pings from the net to the dmz (pings are responded to
-&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
+with an ICMP echo-reply):<br>
 <br>
 &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
-<br>
+ <br>
-Example 2. Drop pings from the net to the firewall<br>
+ Example 2. Drop pings from the net to the firewall<br>
-<br>
+ <br>
-&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
+ &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
-<h2>Policy Evaluation</h2>
+ 
-If no applicable rule is found, then the policy for the source to the destination
+<h3>Policy Evaluation</h3>
 If no applicable rule is found, then the policy for the source to the destination 
 is applied.<br>
 <ol>
-  <li>If the relevant policy is ACCEPT then the request is responded to with
+   <li>If the relevant policy is ACCEPT then the request is responded to
-an ICMP echo-reply.</li>
+with an ICMP echo-reply.</li>
   <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf 
 then the request is responded to with an ICMP echo-reply.</li>
   <li>Otherwise, the relevant REJECT or DROP policy is used and the request 
 is either rejected or simply ignored.</li>
 </ol>
 <p><font size="2">Updated 12/13/2002 - <a
 href="support.htm">Tom Eastep</a> </font></p>
-<p><a href="copyright.htm"><font size="2">Copyright</font>
+</ol>
- &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ 
 <p><font size="2">Updated 1/21/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -42,7 +42,7 @@
 src="images/washington.jpg" border="0">
                  </a></i></font><font color="#ffffff">Shorewall      1.3 
-               <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
+  -               <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
@ -103,9 +103,10 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                    
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
@ -116,24 +117,25 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
                                       it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                      <br>
-              This   program     is  distributed       in  the   hope   that
+                 This   program     is  distributed       in  the   hope
-    it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;  
+  that     it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;
-without      even the   implied    warranty      of MERCHANTABILITY     
+   without      even the   implied    warranty      of MERCHANTABILITY  
-       or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the  GNU
+          or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the
-General     Public  License           for  more details.<br>
+ GNU General     Public  License           for  more details.<br>
                      <br>
-              You   should    have   received     a  copy   of  the   GNU 
+                 You   should    have   received     a  copy   of  the  
-  General         Public      License             along  with   this program; 
+GNU     General         Public      License             along  with   this
-    if  not,    write  to  the    Free Software        Foundation,       
+program;       if  not,    write  to  the    Free Software        Foundation,
           Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -144,6 +146,7 @@ General     Public  License           for  more details.<br>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -158,24 +161,24 @@ General     Public  License           for  more details.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-               </a>Jacques              Nilo   and   Eric   Wolzak    have
+                  </a>Jacques              Nilo   and   Eric   Wolzak   
-   a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or compact
+have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or
-   flash)  distribution        called              <i>Bering</i>    that
+compact     flash)  distribution        called              <i>Bering</i>
-         features      Shorewall-1.3.10  and    Kernel-2.4.18.       You
+   that          features      Shorewall-1.3.10  and    Kernel-2.4.18.  
-   can  find    their    work at:                <a
+    You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                 </a></p>
-      <p><b>Congratulations to Jacques and Eric on the recent release of
+      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
-Bering 1.0 Final!!! </b><br>
+1.0 Final!!! </b><br>
                            </p>
-      <h2>This is a mirror of the main Shorewall web site at SourceForge
+      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
-(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
+ href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -198,6 +201,7 @@ Bering 1.0 Final!!! </b><br>
      <h2></h2>
@ -205,9 +209,30 @@ Bering 1.0 Final!!! </b><br>
-      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
+                  
- src="images/new10.gif" width="28" height="12" alt="(New)">
+      <p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img
-                                                      </b><br>
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
       </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 
 documenation.          the PDF may be downloaded from</p>
                                         <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                        <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a> 
      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
   </b></p>
      <p>Thanks to the generosity of Alex Martin and <a
 href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
 ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
 big thanks to Alex for making this happen.<br>
        </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><br>
         </p>
      <p>Just includes a few things that I had on the burner:<br>
@ -215,13 +240,13 @@ Bering 1.0 Final!!! </b><br>
      <ol>
           <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
-file. DNAT- is intended for advanced users who wish to minimize the number 
+  file. DNAT- is intended for advanced users who wish to minimize the number
-of rules that connection requests must traverse.<br>
+  of rules that connection requests must traverse.<br>
        <br>
- A Shorewall DNAT rule actually generates two iptables rules: a header rewriting 
+    A Shorewall DNAT rule actually generates two iptables rules: a header 
-rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- 
+rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table. 
-rule only generates the first of these rules. This is handy when you have 
+A DNAT-  rule only generates the first of these rules. This is handy when 
-several DNAT rules that would generate the same ACCEPT rule.<br>
+you have  several DNAT rules that would generate the same ACCEPT rule.<br>
        <br>
       Here are three rules from my previous rules file:<br>
        <br>
@ -233,34 +258,36 @@ several DNAT rules that would generate the same ACCEPT rule.<br>
        <br>
             ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
        <br>
-    By writing the rules this way, I end up with only one copy of the ACCEPT
+       By writing the rules this way, I end up with only one copy of the
-rule.<br>
+ACCEPT  rule.<br>
        <br>
            DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
            DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
            ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
        <br>
      </li>
-        <li>The 'shorewall check' command now prints out the applicable policy
+           <li>The 'shorewall check' command now prints out the applicable
-between each pair of zones.<br>
+ policy between each pair of zones.<br>
        <br>
      </li>
-        <li>A new CLEAR_TC option has been added to shorewall.conf. If this
+           <li>A new CLEAR_TC option has been added to shorewall.conf. If 
-option is set to 'No' then Shorewall won't clear the current traffic control
+this  option is set to 'No' then Shorewall won't clear the current traffic 
-rules during [re]start. This setting is intended for use by people that prefer 
+control  rules during [re]start. This setting is intended for use by people 
-to configure traffic shaping when the network interfaces come up rather than 
+that prefer  to configure traffic shaping when the network interfaces come 
-when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes 
+up rather than  when the firewall is started. If that is what you want to 
-and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, 
+do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart 
-your traffic shaping rules can still use the 'fwmark' classifier based on 
+file. That way,  your traffic shaping rules can still use the 'fwmark' classifier 
-packet marking defined in /etc/shorewall/tcrules.<br>
+based on  packet marking defined in /etc/shorewall/tcrules.<br>
        <br>
      </li>
           <li>A new SHARED_DIR variable has been added that allows distribution 
-packagers to easily move the shared directory (default /usr/lib/shorewall).
+ packagers to easily move the shared directory (default /usr/lib/shorewall). 
-Users should never have a need to change the value of this shorewall.conf
+ Users should never have a need to change the value of this shorewall.conf 
-setting.<br>
+ setting.<br>
      </li>
      </ol>
      <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
                                                       </b></p>
@ -289,54 +316,60 @@ setting.<br>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
                               </b></p>
      <p>     Features include:<br>
                     </p>
      <ol>
-                <li>"shorewall refresh" now reloads the traffic shaping rules 
+                   <li>"shorewall refresh" now reloads the traffic shaping
-  (tcrules     and tcstart).</li>
+ rules    (tcrules     and tcstart).</li>
-                <li>"shorewall debug [re]start" now turns off debugging after 
+                   <li>"shorewall debug [re]start" now turns off debugging
-  an  error   occurs. This places the point of the failure near the end of 
+ after    an  error   occurs. This places the point of the failure near the
- the trace rather   than up in the middle of it.</li>
+ end of   the trace rather   than up in the middle of it.</li>
-                <li>"shorewall [re]start" has been speeded up by more than
+                   <li>"shorewall [re]start" has been speeded up by more
- 40%   with   my  configuration. Your milage may vary.</li>
+than   40%   with   my  configuration. Your milage may vary.</li>
                   <li>A "shorewall show classifiers" command has been added
-which    shows   the current packet classification filters. The output from 
+  which    shows   the current packet classification filters. The output
-this  command  is  also added as a separate page in "shorewall monitor"</li>
+from   this  command  is  also added as a separate page in "shorewall monitor"</li>
-                <li>ULOG (must be all caps) is now accepted as a valid syslog 
+                   <li>ULOG (must be all caps) is now accepted as a valid 
-  level   and  causes the subject packets to be logged using the ULOG target 
+syslog    level   and  causes the subject packets to be logged using the ULOG
-  rather   than  the LOG target. This allows you to run ulogd (available from
+target    rather   than  the LOG target. This allows you to run ulogd (available
-            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+from             <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
-      and log all Shorewall messages <a href="shorewall_logging.html">to a
+        and log all Shorewall messages <a href="shorewall_logging.html">to
- separate  log file</a>.</li>
+ a  separate  log file</a>.</li>
                   <li>If you are running a kernel that has a FORWARD chain 
-in  the   mangle    table ("shorewall show mangle" will show you the chains 
+ in  the   mangle    table ("shorewall show mangle" will show you the chains
-in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
+  in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking 
      input packets based on their destination even when you are using  Masquerading 
      or SNAT.</li>
                   <li>I have cluttered up the /etc/shorewall directory with
-empty    'init',    'start', 'stop' and 'stopped' files. If you already have 
+  empty    'init',    'start', 'stop' and 'stopped' files. If you already
-a file    with one   of these names, don't worry -- the upgrade process won't 
+have  a file    with one   of these names, don't worry -- the upgrade process
-overwrite    your file.</li>
+won't  overwrite    your file.</li>
                   <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies 
     the syslog level at which packets are logged as a result of entries in
  the   /etc/shorewall/rfc1918 file. Previously, these packets were always 
-logged   at the 'info' level.<br>
+ logged   at the 'info' level.<br>
              </li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
                  </p>
            This version corrects a problem with Blacklist logging. In Beta 
-2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would 
+ 2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would
  fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                             </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
@ -345,8 +378,8 @@ logged   at the 'info' level.<br>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                           </b></p>
-             The first public Beta version of Shorewall 1.3.12 is now available 
+                The first public Beta version of Shorewall 1.3.12 is now
-   (Beta  1 was made available to a limited audience). <br>
+available      (Beta  1 was made available to a limited audience). <br>
                 <br>
                 Features include:<br>
                 <br>
@ -358,26 +391,27 @@ logged   at the 'info' level.<br>
                        <li>"shorewall debug [re]start" now turns off debugging 
   after    an  error occurs. This places the point of the failure near the 
  end of the   trace  rather than up in the middle of it.</li>
-                     <li>"shorewall [re]start" has been speeded up by more
+                        <li>"shorewall [re]start" has been speeded up by
- than   40%   with  my configuration. Your milage may vary.</li>
+more   than   40%   with  my configuration. Your milage may vary.</li>
                        <li>A "shorewall show classifiers" command has been 
-added    which    shows the current packet classification filters. The output
+ added    which    shows the current packet classification filters. The output 
-from    this command    is also added as a separate page in "shorewall monitor"</li>
+ from    this command    is also added as a separate page in "shorewall monitor"</li>
-                     <li>ULOG (must be all caps) is now accepted as a valid 
+                        <li>ULOG (must be all caps) is now accepted as a
- syslog    level  and causes the subject packets to be logged using the ULOG 
+valid    syslog    level  and causes the subject packets to be logged using
- target   rather than the LOG target. This allows you to run ulogd (available 
+the ULOG   target   rather than the LOG target. This allows you to run ulogd
- from            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+(available   from            <a
-      and log all Shorewall messages <a href="shorewall_logging.html">to a
+ href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
- separate  log file</a>.</li>
+        and log all Shorewall messages <a href="shorewall_logging.html">to
-                     <li>If you are running a kernel that has a FORWARD chain 
+ a  separate  log file</a>.</li>
-  in  the   mangle table ("shorewall show mangle" will show you the chains 
+                        <li>If you are running a kernel that has a FORWARD
- in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
+ chain    in  the   mangle table ("shorewall show mangle" will show you the
-    This allows  for  marking input packets based on their destination even
+ chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes
-  when  you are using  Masquerading or SNAT.</li>
+in  shorewall.conf.     This allows  for  marking input packets based on
 their  destination even   when  you are using  Masquerading or SNAT.</li>
                        <li>I have cluttered up the /etc/shorewall directory
-with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
+  with   empty    'init', 'start', 'stop' and 'stopped' files. If you already
-have   a file  with  one of these names, don't worry -- the upgrade process 
+  have   a file  with  one of these names, don't worry -- the upgrade process
-won't   overwrite  your  file.</li>
+  won't   overwrite  your  file.</li>
      </ol>
@ -406,11 +440,13 @@ won't   overwrite  your  file.</li>
                                   </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally 
          delivered. I have installed 9.0 on one of my systems and I am now 
  in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
                            </p>
@ -437,11 +473,13 @@ won't   overwrite  your  file.</li>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
              documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                 <a
@ -450,6 +488,7 @@ won't   overwrite  your  file.</li>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                 
                </b></p>
@ -460,20 +499,21 @@ won't   overwrite  your  file.</li>
      <ul>
-                               <li>A 'tcpflags' option has been added to
+                                  <li>A 'tcpflags' option has been added
-entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
+to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
-     This option causes Shorewall to make a set of sanity check on TCP packet 
+       This option causes Shorewall to make a set of sanity check on TCP
-    header flags.</li>
+packet       header flags.</li>
                                  <li>It is now allowed to use 'all' in the 
-SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>. 
+ SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.
- When   used,  'all'   must  appear  by itself (in may not be qualified) and
+   When   used,  'all'   must  appear  by itself (in may not be qualified)
-it does   not  enable   intra-zone  traffic.  For example, the rule <br>
+ and it does   not  enable   intra-zone  traffic.  For example, the rule
          <br>
                               <br>
                               ACCEPT loc all tcp 80<br>
                               <br>
                           does not enable http traffic from 'loc' to 'loc'.</li>
                                  <li>Shorewall's use of the 'echo' command 
-is  now   compatible      with   bash clones such as ash and dash.</li>
+ is  now   compatible      with   bash clones such as ash and dash.</li>
                                  <li>fw-&gt;fw policies now generate a startup 
   error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
@ -550,11 +590,11 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-but if       you try it and find it useful, please consider making a donation
+if       you try it and find it useful, please consider making a donation 
                                       to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight        
+ href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Children's Foundation.</font></a> Thanks!</font></p>
+Foundation.</font></a> Thanks!</font></p>
                  </td>
@ -570,7 +610,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font>
                                 <br>
 </p>
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@ -45,7 +45,7 @@ and is located in California, USA. It is mirrored at:</p>
 (Martinez (Zona Norte - GBA), Argentina)</li>
     <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
    (Paris, France)</li>
-    <li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
+    <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
 (Washington State, USA)<br>
    </li>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -6,6 +6,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,8 +14,8 @@
-                                                                  <base
+                                                                        
- target="_self">
+     <base target="_self">
 </head>
  <body>
@ -37,14 +38,15 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
                          </a></i></font><font color="#ffffff">Shorewall
-  1.3     -               <font size="4">"<i>iptables                   made
+     1.3     -               <font size="4">"<i>iptables                
- easy"</i></font></font><a href="http://www.sf.net">            </a></h1>
+  made  easy"</i></font></font><a href="http://www.sf.net">            </a></h1>
@ -67,6 +69,7 @@
 <div align="center">                                                    
 <center>                                                                
@ -99,7 +102,8 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+           
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is 
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based 
 firewall        that can be used on a dedicated firewall system, a multi-function 
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -113,25 +117,28 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
                                           it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                              <br>
                         This   program     is  distributed       in  the 
-hope     that     it   will     be  useful,    but         WITHOUT  ANY 
+  hope     that     it   will     be  useful,    but         WITHOUT  ANY
    WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY
-            or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the 
+              or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See
- GNU General     Public  License           for  more details.<br>
+the    GNU General     Public  License           for  more details.<br>
                              <br>
-                      You   should    have   received     a  copy   of  the 
+                         You   should    have   received     a  copy   of 
-   GNU     General         Public      License             along  with   this
+ the     GNU     General         Public      License             along  with
-  program;       if  not,    write  to  the    Free Software        Foundation,
+   this   program;       if  not,    write  to  the    Free Software    
-             Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
+   Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
      USA</p>
@ -163,11 +170,12 @@ hope     that     it   will     be  useful,    but         WITHOUT  ANY
       that          features      Shorewall-1.3.10  and    Kernel-2.4.18.
       You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                               <b>Congratulations to Jacques and Eric on
+                                  <b>Congratulations to Jacques and Eric
-the   recent    release     of  Bering  1.0 Final!!! <br>
+on  the   recent    release     of  Bering  1.0 Final!!! <br>
                                  </b>                                  
      <h2>News</h2>
@ -182,6 +190,28 @@ the   recent    release     of  Bering  1.0 Final!!! <br>
      <p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
       </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 
 documenation.          the PDF may be downloaded from</p>
                                          <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                         <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a> 
      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
   </b></p>
      <p>Thanks to the generosity of Alex Martin and <a
 href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
 ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
 big thanks to Alex for making this happen.<br>
   </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                         </b><br>
@ -192,13 +222,13 @@ the   recent    release     of  Bering  1.0 Final!!! <br>
      <ol>
           <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
-file. DNAT- is intended for advanced users who wish to minimize the number 
+  file. DNAT- is intended for advanced users who wish to minimize the number
-of rules that connection requests must traverse.<br>
+  of rules that connection requests must traverse.<br>
        <br>
- A Shorewall DNAT rule actually generates two iptables rules: a header rewriting 
+    A Shorewall DNAT rule actually generates two iptables rules: a header 
-rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- 
+rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table. 
-rule only generates the first of these rules. This is handy when you have 
+A DNAT-  rule only generates the first of these rules. This is handy when 
-several DNAT rules that would generate the same ACCEPT rule.<br>
+you have  several DNAT rules that would generate the same ACCEPT rule.<br>
        <br>
       Here are three rules from my previous rules file:<br>
        <br>
@ -210,33 +240,35 @@ several DNAT rules that would generate the same ACCEPT rule.<br>
        <br>
             ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
        <br>
-    By writing the rules this way, I end up with only one copy of the ACCEPT
+       By writing the rules this way, I end up with only one copy of the
-rule.<br>
+ACCEPT  rule.<br>
        <br>
            DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
            DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
            ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
        <br>
      </li>
-        <li>The 'shorewall check' command now prints out the applicable policy
+           <li>The 'shorewall check' command now prints out the applicable
-between each pair of zones.<br>
+ policy between each pair of zones.<br>
        <br>
      </li>
-        <li>A new CLEAR_TC option has been added to shorewall.conf. If this
+           <li>A new CLEAR_TC option has been added to shorewall.conf. If 
-option is set to 'No' then Shorewall won't clear the current traffic control
+this  option is set to 'No' then Shorewall won't clear the current traffic 
-rules during [re]start. This setting is intended for use by people that prefer 
+control  rules during [re]start. This setting is intended for use by people 
-to configure traffic shaping when the network interfaces come up rather than 
+that prefer  to configure traffic shaping when the network interfaces come 
-when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes 
+up rather than  when the firewall is started. If that is what you want to 
-and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, 
+do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart 
-your traffic shaping rules can still use the 'fwmark' classifier based on 
+file. That way,  your traffic shaping rules can still use the 'fwmark' classifier 
-packet marking defined in /etc/shorewall/tcrules.<br>
+based on  packet marking defined in /etc/shorewall/tcrules.<br>
        <br>
      </li>
           <li>A new SHARED_DIR variable has been added that allows distribution 
-packagers to easily move the shared directory (default /usr/lib/shorewall).
+ packagers to easily move the shared directory (default /usr/lib/shorewall). 
-Users should never have a need to change the value of this shorewall.conf
+ Users should never have a need to change the value of this shorewall.conf 
-setting.</li>
+ setting.</li>
      </ol>
      <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
                                                      </b></p>
@ -265,53 +297,59 @@ setting.</li>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>               
                                 </b></p>
      <p>     Features include:<br>
                     </p>
      <ol>
-                <li>"shorewall refresh" now reloads the traffic shaping rules 
+                   <li>"shorewall refresh" now reloads the traffic shaping
-  (tcrules     and tcstart).</li>
+ rules    (tcrules     and tcstart).</li>
-                <li>"shorewall debug [re]start" now turns off debugging after 
+                   <li>"shorewall debug [re]start" now turns off debugging
-  an  error   occurs. This places the point of the failure near the end of 
+ after    an  error   occurs. This places the point of the failure near the
- the trace rather   than up in the middle of it.</li>
+ end of   the trace rather   than up in the middle of it.</li>
-                <li>"shorewall [re]start" has been speeded up by more than
+                   <li>"shorewall [re]start" has been speeded up by more
- 40%   with   my  configuration. Your milage may vary.</li>
+than   40%   with   my  configuration. Your milage may vary.</li>
                   <li>A "shorewall show classifiers" command has been added
-which    shows   the current packet classification filters. The output from 
+  which    shows   the current packet classification filters. The output
-this  command  is  also added as a separate page in "shorewall monitor"</li>
+from   this  command  is  also added as a separate page in "shorewall monitor"</li>
-                <li>ULOG (must be all caps) is now accepted as a valid syslog 
+                   <li>ULOG (must be all caps) is now accepted as a valid 
-  level   and  causes the subject packets to be logged using the ULOG target 
+syslog    level   and  causes the subject packets to be logged using the ULOG
-  rather   than  the LOG target. This allows you to run ulogd (available from
+target    rather   than  the LOG target. This allows you to run ulogd (available
-            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+from             <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
-      and log all Shorewall messages <a href="shorewall_logging.html">to a
+        and log all Shorewall messages <a href="shorewall_logging.html">to
- separate log file</a>.</li>
+ a  separate log file</a>.</li>
                   <li>If you are running a kernel that has a FORWARD chain 
-in  the   mangle    table ("shorewall show mangle" will show you the chains 
+ in  the   mangle    table ("shorewall show mangle" will show you the chains
-in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
+  in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking 
      input packets based on their destination even when you are using  Masquerading 
      or SNAT.</li>
                   <li>I have cluttered up the /etc/shorewall directory with
-empty    'init',    'start', 'stop' and 'stopped' files. If you already have 
+  empty    'init',    'start', 'stop' and 'stopped' files. If you already
-a file    with one   of these names, don't worry -- the upgrade process won't 
+have  a file    with one   of these names, don't worry -- the upgrade process
-overwrite    your file.</li>
+won't  overwrite    your file.</li>
                   <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies 
     the syslog level at which packets are logged as a result of entries in
  the   /etc/shorewall/rfc1918 file. Previously, these packets were always 
-logged   at the 'info' level.</li>
+ logged   at the 'info' level.</li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
             </p>
             This version corrects a problem with Blacklist logging. In Beta
-2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would
+  2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall
-  fail  to start and "shorewall  refresh" would also fail.<br>
+would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                             </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
@ -320,8 +358,8 @@ logged   at the 'info' level.</li>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                             </b></p>
-             The first public Beta version of Shorewall 1.3.12 is now available 
+                The first public Beta version of Shorewall 1.3.12 is now
-   (Beta  1 was made available only to a limited audience). <br>
+available      (Beta  1 was made available only to a limited audience). <br>
                 <br>
                 Features include:<br>
                 <br>
@ -333,26 +371,27 @@ logged   at the 'info' level.</li>
                        <li>"shorewall debug [re]start" now turns off debugging 
   after    an  error occurs. This places the point of the failure near the 
  end of the   trace  rather than up in the middle of it.</li>
-                     <li>"shorewall [re]start" has been speeded up by more
+                        <li>"shorewall [re]start" has been speeded up by
- than   40%   with  my configuration. Your milage may vary.</li>
+more   than   40%   with  my configuration. Your milage may vary.</li>
                        <li>A "shorewall show classifiers" command has been 
-added    which    shows the current packet classification filters. The output
+ added    which    shows the current packet classification filters. The output 
-from    this command    is also added as a separate page in "shorewall monitor"</li>
+ from    this command    is also added as a separate page in "shorewall monitor"</li>
-                     <li>ULOG (must be all caps) is now accepted as a valid 
+                        <li>ULOG (must be all caps) is now accepted as a
- syslog    level  and causes the subject packets to be logged using the ULOG 
+valid    syslog    level  and causes the subject packets to be logged using
- target   rather than the LOG target. This allows you to run ulogd (available 
+the ULOG   target   rather than the LOG target. This allows you to run ulogd
- from            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+(available   from            <a
-      and log all Shorewall messages <a href="shorewall_logging.html">to a
+ href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
- separate log file</a>.</li>
+        and log all Shorewall messages <a href="shorewall_logging.html">to
-                     <li>If you are running a kernel that has a FORWARD chain 
+ a  separate log file</a>.</li>
-  in  the   mangle table ("shorewall show mangle" will show you the chains 
+                        <li>If you are running a kernel that has a FORWARD
- in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
+ chain    in  the   mangle table ("shorewall show mangle" will show you the
-    This allows  for  marking input packets based on their destination even
+ chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes
-  when  you are using  Masquerading or SNAT.</li>
+in  shorewall.conf.     This allows  for  marking input packets based on
 their  destination even   when  you are using  Masquerading or SNAT.</li>
                        <li>I have cluttered up the /etc/shorewall directory
-with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
+  with   empty    'init', 'start', 'stop' and 'stopped' files. If you already
-have   a file  with  one of these names, don't worry -- the upgrade process 
+  have   a file  with  one of these names, don't worry -- the upgrade process
-won't   overwrite  your  file.</li>
+  won't   overwrite  your  file.</li>
      </ol>
@ -381,11 +420,13 @@ won't   overwrite  your  file.</li>
                                   </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally 
          delivered. I have installed 9.0 on one of my systems and I am now 
  in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
                            </p>
@ -412,11 +453,13 @@ won't   overwrite  your  file.</li>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
              documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                  <a
@ -425,6 +468,7 @@ won't   overwrite  your  file.</li>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b>                         
         </b></p>
@ -435,22 +479,23 @@ won't   overwrite  your  file.</li>
      <ul>
-                                <li>A 'tcpflags' option has been added to 
+                                   <li>A 'tcpflags' option has been added 
-entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
       This option causes Shorewall to make a set of sanity check on TCP packet
      header flags.</li>
-                                <li>It is now allowed to use 'all' in the 
+                                   <li>It is now allowed to use 'all' in
-SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.
+the   SOURCE    or  DEST   column    in a <a
-  When   used,  'all'   must  appear  by itself (in may not be qualified)
+ href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must 
-and it does   not  enable   intra-zone  traffic.  For example, the rule <br>
+appear  by itself (in may not be qualified)  and it does   not  enable  
 intra-zone  traffic.  For example, the rule           <br>
                                <br>
                                ACCEPT loc all tcp 80<br>
                                <br>
                            does not enable http traffic from 'loc' to 'loc'.</li>
                                   <li>Shorewall's use of the 'echo' command
-is  now   compatible      with   bash clones such as ash and dash.</li>
+  is  now   compatible      with   bash clones such as ash and dash.</li>
-                                <li>fw-&gt;fw policies now generate a startup 
+                                   <li>fw-&gt;fw policies now generate a
-  error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
+startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
@ -463,11 +508,13 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 
              documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                  <a
@ -476,9 +523,11 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <p><b></b></p>
      <ul>
@ -493,6 +542,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <p><b></b><a href="News.htm">More News</a></p>
@ -510,6 +560,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -518,6 +569,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <h4>       </h4>
@ -529,6 +581,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <h2><a name="Donations"></a>Donations</h2>
                                                                    </td>
@ -586,11 +639,11 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-but if       you try it and find it useful, please consider making a donation
+if       you try it and find it useful, please consider making a donation 
                                           to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight        
+ href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Children's Foundation.</font></a> Thanks!</font></p>
+Foundation.</font></a> Thanks!</font></p>
                          </td>
@ -606,7 +659,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font>
                                     <br>
 </p>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -41,14 +41,14 @@
  </tbody>                               
 </table>
-<p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently 
+<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
-  not involved in either Shorewall development or Shorewall support. Nevertheless,
+emailed directly to me, I try to spend some time each day answering questions
-  the mailing list is being ably manned by other Shorewall users.</font></big><span
+on the Shorewall Users Mailing List.</font></big><span
 style="font-weight: 400;"></span></big></b></p>
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
-<h2>Before Reporting a Problem</h2>
+<h1>Before Reporting a Problem</h1>
                                     There are a number of sources for problem
   solution information. Please     try these before you post.          
@ -57,13 +57,13 @@
 <h3>                     </h3>
 <ul>
-             <li>More than half of the questions posted on the support list 
+               <li>More than half of the questions posted on the support
- have answers directly accessible from the <a
+list   have answers directly accessible from the <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
         <br>
       </li>
       <li>                                   The <a href="FAQ.htm">FAQ</a> 
-has  solutions to  more than 20 common      problems.         </li>
+ has  solutions to  more than 20 common      problems.         </li>
 </ul>
@ -98,7 +98,7 @@ has  solutions to  more than 20 common      problems.         </li>
 <h2>Mailing List Archive Search</h2>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
  <p> <font size="-1"> Match:                                           
@ -126,7 +126,7 @@ has  solutions to  more than 20 common      problems.         </li>
  </select>
                             </font> <input type="hidden" name="config"
 value="htdig">    <input type="hidden" name="restrict"
- value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
+ value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                             Search: <input type="text" size="30"
 name="words" value="">    <input type="submit" value="Search"> </p>
@ -135,13 +135,13 @@ has  solutions to  more than 20 common      problems.         </li>
 <h2>Problem Reporting Guidelines </h2>
            <i>"Let me see if I can translate your message into a real-world
  example.      It would be like saying that you have three rooms at home,
-and when you   walk  into one of the rooms, you detect this strange smell.
+ and when you   walk  into one of the rooms, you detect this strange smell.
  Can anyone tell  you  what that strange smell is?<br>
            <br>
            Now, all of us could do some wonderful guessing as to the smell 
-and   even   what's causing it.  You would be absolutely amazed at the range 
+ and   even   what's causing it.  You would be absolutely amazed at the range 
-and   variety   of smells we could come up with.  Even more amazing is that 
+ and   variety   of smells we could come up with.  Even more amazing is that 
-all   of the explanations   for the smells would be completely plausible."<br>
+ all   of the explanations   for the smells would be completely plausible."<br>
            </i><br>
 <div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
@ -151,11 +151,11 @@ all   of the explanations   for the smells would be completely plausible."<br>
 <h3>                     </h3>
 <ul>
-      <li>Please remember we only know what is posted in your message.  Do
+        <li>Please remember we only know what is posted in your message.
- not  leave out any information that appears to be correct,  or was mentioned
+ Do  not  leave out any information that appears to be correct,  or was mentioned
  in  a previous post. There have been countless  posts by people who were
-sure  that some part of their  configuration was correct when it actually
+ sure  that some part of their  configuration was correct when it actually
-contained  a small error.  We tend to be skeptics where detail is lacking.<br>
+ contained  a small error.  We tend to be skeptics where detail is lacking.<br>
          <br>
        </li>
        <li>Please keep in mind that you're asking for <strong>free</strong>
@ -167,14 +167,14 @@ entries,  command output, and other output is better than a paraphrase or
 summary.<br>
          <br>
        </li>
-      <li>                                   Please don't describe your environment
+        <li>                                   Please don't describe your 
-  and then  ask  us  to  send   you             custom configuration files.
+environment   and then  ask  us  to  send   you             custom configuration 
-  We're here  to answer   your  questions     but we           can't do your
+files.   We're here  to answer   your  questions     but we           can't 
-  job for you.<br>
+do your   job for you.<br>
          <br>
               </li>
        <li>When reporting a problem, <strong>ALWAYS</strong> include this
-information:</li>
+ information:</li>
 </ul>
@ -244,9 +244,9 @@ information:</li>
          <br>
        </li>
        <li>As a general matter, please <strong>do not edit the diagnostic
-information</strong>   in an attempt to conceal your IP address, netmask,
+ information</strong>   in an attempt to conceal your IP address, netmask,
-nameserver addresses,  domain name, etc. These aren't secrets, and concealing
+ nameserver addresses,  domain name, etc. These aren't secrets, and concealing
-them often misleads  us (and 80% of the time, a hacker could derive them
+ them often misleads  us (and 80% of the time, a hacker could derive them
 anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
 </ul>
@ -289,7 +289,7 @@ so,   include the message(s) in your post along with a copy of your /etc/shorewa
 <ul>
                      <li>                         If an error occurs when
-you   try   to "<font color="#009900"><b>shorewall  start</b></font>",  
+ you   try   to "<font color="#009900"><b>shorewall  start</b></font>", 
  include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
      section  for    instructions).         </li>
@ -299,32 +299,34 @@ you   try   to "<font color="#009900"><b>shorewall  start</b></font>",
 <ul>
               <li>                                                     
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
       your             network layout, etc. to the Mailing List  -- your 
-post      will  be rejected.</b></h3>
+ post      will  be rejected.</b></h3>
        </li>
 </ul>
      The author gratefully acknowleges that the above list was heavily plagiarized
   from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
-at  <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
+ at  <a
 href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
 <h2>Please post in plain text</h2>
 <blockquote>            </blockquote>
        A growing number of MTAs serving list subscribers are rejecting all 
  HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net
-  "for continuous abuse" because it has been my policy to allow HTML in list 
+   "for continuous abuse" because it has been my policy to allow HTML in
-  posts!!<br>
+list    posts!!<br>
          <br>
           I think that blocking all HTML is a Draconian way to control spam
   and  that the ultimate losers here are not the spammers but the list subscribers
     whose MTAs are bouncing all shorewall.net mail. As one list subscriber
  wrote  to me privately "These e-mail admin's need to get a <i>(expletive
-deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
+ deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
-Nevertheless,  to allow subscribers to receive list posts as must as possible,
+ Nevertheless,  to allow subscribers to receive list posts as must as possible,
-I have now   configured the list server at shorewall.net to strip all HTML
+ I have now   configured the list server at shorewall.net to strip all HTML
-from outgoing  posts.<br>
+ from outgoing  posts.<br>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -335,28 +337,29 @@ from outgoing  posts.<br>
      list</a>.</span></h4>
           <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
  (MNF)   and you have not purchased an MNF license from MandrakeSoft then
-you can  post non MNF-specific Shorewall questions to the </b><a
+ you can  post non MNF-specific Shorewall questions to the </b><a
- href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing list.</a>
        <b>Do not expect to get free MNF support on the list.</b><br>
  <p>Otherwise, please post your question or problem to the <a
- href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing list.</a></p>
             </blockquote>
 <p>To Subscribe to the  mailing list go to <a
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
                    .</p>
-<p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 1/16/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
    </p>
    <br>
    <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -31,8 +31,8 @@
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up a Linux system as a firewall for a small network
-     with  DMZ is a  fairly straight-forward task if you understand the basics
+      with  DMZ is a  fairly straight-forward task if you understand the
-     and follow the  documentation.</p>
+basics       and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of
       Shorewall. It rather focuses on what is required to configure Shorewall
@ -40,11 +40,11 @@
 <ul>
               <li>Linux system used as a firewall/router for a small local 
-network.</li>
+ network.</li>
               <li>Single public IP address.</li>
               <li>DMZ connected to a separate ethernet interface.</li>
               <li>Connection through DSL, Cable Modem, ISDN, Frame Relay,
-dial-up,     ...</li>
+ dial-up,     ...</li>
 </ul>
@ -55,9 +55,9 @@ dial-up,     ...</li>
            </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
-     (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
+      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
-   if  this  package is installed by the presence of an <b>ip</b> program
+tell     if  this  package is installed by the presence of an <b>ip</b> program
-on   your  firewall  system. As root, you can use the 'which' command to
+ on   your  firewall  system. As root, you can use the 'which' command to
 check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -71,9 +71,9 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                 If you edit your configuration files on a Windows system,
-you   must   save them as  Unix files if your editor supports that option
+ you   must   save them as  Unix files if your editor supports that option
-or you   must  run them through  dos2unix before trying to use them. Similarly,
+ or you   must  run them through  dos2unix before trying to use them. Similarly,
-if   you copy  a configuration file  from your Windows hard drive to a floppy
+ if   you copy  a configuration file  from your Windows hard drive to a floppy
  disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
@ -95,16 +95,16 @@ few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
      sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy
-the    files to /etc/shorewall  (the files will replace files with the same
+ the    files to /etc/shorewall  (the files will replace files with the same
-names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
+ names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
      file on your system -- each file contains detailed  configuration instructions
      and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a
-     set of  <i>zones.</i> In the three-interface sample configuration, the
+      set of  <i>zones.</i> In the three-interface sample configuration,
-  following   zone names are used:</p>
+the    following   zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -139,7 +139,7 @@ names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.<
 <ul>
               <li>You express your default policy for connections from one 
-zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
         </a>file.</li>
               <li>You define exceptions to those default policies in the 
      <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -147,10 +147,10 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
 </ul>
 <p>For each connection request entering the firewall, the request is first
-     checked against the  /etc/shorewall/rules file. If no rule in that file
+      checked against the  /etc/shorewall/rules file. If no rule in that
-   matches  the connection  request then the first policy in /etc/shorewall/policy
+file     matches  the connection  request then the first policy in /etc/shorewall/policy
-   that  matches the    request is applied. If that policy is REJECT or DROP 
+    that  matches the    request is applied. If that policy is REJECT or
-   the request is first  checked against the rules in /etc/shorewall/common
+DROP      the request is first  checked against the rules in /etc/shorewall/common
   (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample
@ -189,6 +189,7 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -216,6 +217,7 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -223,10 +225,10 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
 <p>The above policy will:</p>
 <ol>
-             <li>allow all connection requests from your local network to 
+               <li>allow all connection requests from your local network
-the   internet</li>
+to  the   internet</li>
               <li>drop (ignore) all connection requests from the internet
-to  your   firewall     or local network</li>
+ to  your   firewall     or local network</li>
               <li>optionally accept all connection requests from the firewall
   to  the     internet (if you uncomment the additional policy)</li>
               <li>reject all other connection requests.</li>
@ -234,8 +236,8 @@ to  your   firewall     or local network</li>
 </ol>
 <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-              At this point, edit your /etc/shorewall/policy  file and make 
+                At this point, edit your /etc/shorewall/policy  file and
- any   changes  that you  wish.</p>
+make   any   changes  that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -249,9 +251,9 @@ to  your   firewall     or local network</li>
   <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
   <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
   <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External
- Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
+  Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
- a regular modem, your External  Interface will also be <b>ppp0</b>. If you
+via   a regular modem, your External  Interface will also be <b>ppp0</b>.
- connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
+If you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -267,32 +269,34 @@ computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
      (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your
-DMZ    computers will  be connected to the same switch (note: If you have
+ DMZ    computers will  be connected to the same switch (note: If you have
-only  a  single DMZ system,  you can connect the firewall directly to the
+ only  a  single DMZ system,  you can connect the firewall directly to the
-computer    using a <i>cross-over </i> cable).</p>
+ computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
            </b></u>Do not connect more than one interface  to the same hub 
-or  switch    (even for testing). It won't work the way that you  expect it
+ or  switch    (even for testing). It won't work the way that you  expect 
-to  and you   will end up confused and  believing that Shorewall doesn't
+it to  and you   will end up confused and  believing that Shorewall doesn't
  work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                The Shorewall three-interface sample configuration assumes
-that    the   external interface is <b>eth0, </b>the local interface is <b>eth1 
+ that    the   external interface is <b>eth0, </b>the local interface is
- </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is different,
+<b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration
-   you will have to modify the sample  /etc/shorewall/interfaces file accordingly.
+is different,    you will have to modify the sample  /etc/shorewall/interfaces 
-    While you are there, you may wish to  review the list of options that
+file accordingly.     While you are there, you may wish to  review the list 
-are    specified for the interfaces. Some hints:</p>
+of options that are    specified for the interfaces. Some hints:</p>
 <ul>
               <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
      you can replace the    "detect" in the second column with "-".   </p>
              </li>
              <li>                                                      
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
      or if you have a static IP    address, you can remove "dhcp" from the
  option    list. </p>
@ -309,9 +313,9 @@ the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
 establishing  your  connection   when you dial in (standard modem) or establish
 your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
 IP address; that  means that  you  configure your firewall's external interface
-to use that  address permanently.<i>  </i>Regardless of how the address is
+ to use that  address permanently.<i>  </i>Regardless of how the address
-assigned, it  will be shared by all of your  systems when you access the
+is  assigned, it  will be shared by all of your  systems when you access
-Internet. You will have to assign your  own addresses  for your internal
+the Internet. You will have to assign your  own addresses  for your internal
 network (the local and DMZ Interfaces on  your firewall plus your other 
 computers). RFC 1918 reserves several <i>Private  </i>IP address ranges for
 this  purpose:</p>
@ -326,21 +330,21 @@ this  purpose:</p>
                   Before starting Shorewall, you should look at the IP address 
   of  your  external    interface and if it is one of the above ranges, you
   should  remove  the    'norfc1918' option from the external interface's 
-entry  in    /etc/shorewall/interfaces.</p>
+ entry  in    /etc/shorewall/interfaces.</p>
            </div>
 <div align="left">               
 <p align="left">You will want to assign your local addresses from one <i> 
        sub-network </i>or <i>subnet</i> and your DMZ addresses from another 
   subnet.  For our purposes, we can consider a subnet    to consists of a
-range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet 
+ range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
-  Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet
+   Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the
-    Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>
+<i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>
  <i>Address</i>.  In Shorewall,  a subnet is described using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
-</i>(CIDR)</a>   notation with consists of the subnet address  followed 
+ </i>(CIDR)</a>   notation with consists of the subnet address  followed
   by "/24". The "24"  refers to the number of    consecutive "1"  bits from
-the left of the subnet  mask. </p>
+ the left of the subnet  mask. </p>
            </div>
 <div align="left">               
@ -369,6 +373,7 @@ the left of the subnet  mask. </p>
                     <td>10.10.10.0/24</td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -376,8 +381,8 @@ the left of the subnet  mask. </p>
 <div align="left">               
 <p align="left">It is conventional to assign the internal interface either
-     the    first usable address in the subnet (10.10.10.1 in the above example)
+      the    first usable address in the subnet (10.10.10.1 in the above
-     or the    last usable address (10.10.10.254).</p>
+example)       or the    last usable address (10.10.10.254).</p>
            </div>
 <div align="left">               
@ -391,7 +396,7 @@ the left of the subnet  mask. </p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                Your local  computers    (Local Computers 1 &amp; 2) should 
-be  configured    with their<i>    default gateway</i> set to the IP address
+ be  configured    with their<i>    default gateway</i> set to the IP address
  of the firewall's    internal interface    and your DMZ computers ( DMZ
 Computers   1 &amp; 2)  should  be configured with their    default gateway
 set to the   IP address  of the firewall's DMZ interface.   </p>
@ -399,7 +404,7 @@ set to the   IP address  of the firewall's DMZ interface.
 <p align="left">The foregoing short discussion barely scratches the surface
       regarding subnetting and routing. If you are interested in learning
-more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
+ more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
      What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
     A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
@ -411,24 +416,34 @@ more     about  IP addressing and routing, I highly recommend <i>"IP Fundamental
            </p>
 <p align="left">The default gateway for the DMZ computers would be 10.10.11.254
-      and the default gateway for the Local computers would be 10.10.10.254.</p>
+       and the default gateway for the Local computers would be 10.10.10.254.<br>
 </p>
-<h2 align="left">IP Masquerading (SNAT)</h2>
+<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
 your external interface an RFC 1918  address. If that address is in the 10.10.10.0/24
 subnet then you will need  to select a DIFFERENT RFC 1918 subnet for your
 local network and if it is in the 10.10.11.0/24 subnet then you will need
 to select a different RFC 1918 subnet for your DMZ.</b><br>
  </p>
 <p align="left">IP Masquerading (SNAT)</p>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
      to as <i>non-routable</i> because the Internet backbone routers don't
  forward    packets  which have an RFC-1918 destination address. When one
-of your local    systems  (let's assume local computer 1) sends a connection
+ of your local    systems  (let's assume local computer 1) sends a connection
  request to an   internet host, the  firewall must perform <i>Network Address
  Translation   </i>(NAT). The firewall  rewrites the source address in the
  packet to be  the address of the firewall's  external interface; in other
  words, the firewall   makes it look as if the firewall  itself is initiating
- the connection.  This  is necessary so that the  destination host will be
+  the connection.  This  is necessary so that the  destination host will
- able to route return packets   back to the firewall  (remember that packets
+be   able to route return packets   back to the firewall  (remember that
- whose destination address is   reserved by RFC 1918 can't  be routed accross
+packets   whose destination address is   reserved by RFC 1918 can't  be routed
- the internet). When the firewall   receives a return packet, it  rewrites
+accross   the internet). When the firewall   receives a return packet, it
- the destination address back to 10.10.10.1   and  forwards the packet on
+ rewrites   the destination address back to 10.10.10.1   and  forwards the
-to local computer 1. </p>
+packet on  to local computer 1. </p>
 <p align="left">On Linux systems, the above process is often referred to
 as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
@ -437,14 +452,16 @@ with  Netfilter:</p>
 <ul>
               <li>                                                     
    <p align="left"><i>Masquerade</i> describes the case where you let your
         firewall system automatically detect the external interface address.
          </p>
              </li>
              <li>                                                      
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
      the    source address that you want outbound packets from your local
-network     to use.    </p>
+ network     to use.    </p>
              </li>
 </ul>
@ -454,17 +471,17 @@ network     to use.    </p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-              If your external firewall interface is <b>eth0</b>, your local
+                If your external firewall interface is <b>eth0</b>, your
-   interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
+local     interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
-do  not  need to  modify the file provided with the sample. Otherwise, edit 
+you  do  not  need to  modify the file provided with the sample. Otherwise,
-  /etc/shorewall/masq   and change it to match your configuration.</p>
+edit    /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                If your external IP  is static, you can enter it in the third 
  column    in the /etc/shorewall/masq entry  if you like although your firewall 
- will    work fine if you leave that column  empty. Entering your static IP
+  will    work fine if you leave that column  empty. Entering your static 
- in column    3 makes <br>
+IP  in column    3 makes <br>
   processing outgoing packets a  little more efficient.<br>
   </p>
@ -485,9 +502,9 @@ do  not  need to  modify the file provided with the sample. Otherwise, edit
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your
-     DMZ computers. Because these computers have RFC-1918 addresses, it is
+      DMZ computers. Because these computers have RFC-1918 addresses, it
- not     possible for clients on the internet to connect directly to them.
+is   not     possible for clients on the internet to connect directly to
- It is   rather  necessary for those clients to address their connection
+them.   It is   rather  necessary for those clients to address their connection
 requests    to your firewall  who rewrites the destination address to the
 address of   your server and forwards  the packet to that server. When your
 server responds,     the firewall automatically  performs SNAT to rewrite
@ -524,6 +541,7 @@ the source address   in  the response.</p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -566,6 +584,7 @@ be the same  as <i>&lt;port&gt;</i>.</p>
                   <td>from the local network</td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -573,10 +592,10 @@ be the same  as <i>&lt;port&gt;</i>.</p>
 <p>A  couple of important points  to keep in mind:</p>
 <ul>
-             <li>When you are connecting to your server from your local systems,
+               <li>When you are connecting to your server from your local 
-    you  must    use the server's internal IP address (10.10.11.2).</li>
+systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
               <li>Many ISPs block incoming connection requests to port 80. 
-If  you   have     problems connecting to your web server, try the following
+ If  you   have     problems connecting to your web server, try the following
  rule and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your
      external IP).</li>
@ -606,6 +625,7 @@ If  you   have     problems connecting to your web server, try the following
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -637,6 +657,7 @@ If  you   have     problems connecting to your web server, try the following
                   <td><i>&lt;external IP&gt;</i></td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -678,6 +699,7 @@ If  you   have     problems connecting to your web server, try the following
                   <td>$ETH0_IP</td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -697,11 +719,12 @@ If  you   have     problems connecting to your web server, try the following
   be  written).  Alternatively, your ISP may have given you the IP address
  of a  pair of DNS <i> name servers</i> for you to manually configure as
 your    primary  and secondary  name servers. It is <u>your</u> responsibility
-to   configure  the resolver in your  internal systems. You can take one
+ to   configure  the resolver in your  internal systems. You can take one
 of two   approaches:</p>
 <ul>
               <li>                                                     
    <p align="left">You can configure your internal systems to use your ISP's
      name    servers. If you ISP gave you the addresses of their servers
 or   if   those    addresses are available on their web site, you can configure
@ -711,19 +734,20 @@ isn't   available,   look in    /etc/resolv.conf on your firewall system
  </p>
              </li>
              <li>                                                      
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-              You can configure a<i> Caching Name Server </i>on your    firewall
+                You can configure a<i> Caching Name Server </i>on your  
-    or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
+ firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name 
-(which     also     requires the 'bind' RPM) and for Bering users, there
+server (which     also     requires the 'bind' RPM) and for Bering users, 
-is dnscache.lrp.     If you    take this approach, you configure your internal
+there is dnscache.lrp.     If you    take this approach, you configure your 
-systems to use    the caching    name server as their primary (and only)
+internal systems to use    the caching    name server as their primary (and 
-name server. You  use  the internal IP    address of the firewall (10.10.10.254
+only) name server. You  use  the internal IP    address of the firewall (10.10.10.254
-in the example  above)    for the name    server address if you choose to
+ in the example  above)    for the name    server address if you choose to
-run the name server  on your   firewall. To allow your local systems to talk
+ run the name server  on your   firewall. To allow your local systems to
-to your caching name      server,   you must open port 53 (both UDP and TCP)
+talk  to your caching name      server,   you must open port 53 (both UDP
-from the local network   to the    server; you do that by adding the rules
+and TCP)  from the local network   to the    server; you do that by adding
-in /etc/shorewall/rules.       </p>
+the rules  in /etc/shorewall/rules.       </p>
              </li>
 </ul>
@ -780,6 +804,7 @@ in /etc/shorewall/rules.       </p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </p>
@ -838,6 +863,7 @@ in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -884,6 +910,7 @@ in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -932,6 +959,7 @@ in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -972,6 +1000,7 @@ in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -1015,6 +1044,7 @@ in /etc/shorewall/rules.       </p>
                     <td>from the internet</td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -1033,7 +1063,7 @@ application uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">               
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
         the internet because it uses clear text (even for login!). If you
-want     shell    access to your firewall from the internet, use SSH:</p>
+ want     shell    access to your firewall from the internet, use SSH:</p>
            </div>
 <div align="left">               
@ -1060,6 +1090,7 @@ want     shell    access to your firewall from the internet, use SSH:</p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -1068,8 +1099,8 @@ want     shell    access to your firewall from the internet, use SSH:</p>
 <div align="left">               
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-              Now modify    /etc/shorewall/rules to add or remove other connections
+                Now modify    /etc/shorewall/rules to add or remove other 
-     as required.</p>
+connections      as required.</p>
            </div>
 <div align="left">               
@ -1084,7 +1115,7 @@ want     shell    access to your firewall from the internet, use SSH:</p>
    version 1.3.9 startup is disabled so that your system won't try to start 
   Shorewall before configuration is complete. Once you have completed configuration 
   of your firewall, you can enable Shorewall startup by removing the file 
-/etc/shorewall/startup_disabled.<br>
+ /etc/shorewall/startup_disabled.<br>
            </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1096,11 +1127,11 @@ want     shell    access to your firewall from the internet, use SSH:</p>
 <div align="left">               
 <p align="left">The firewall is started using the "shorewall start" command
         and stopped using "shorewall stop". When the firewall is stopped,
-routing     is    enabled on those hosts that have an entry in   <a
+ routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
-        running firewall may be restarted using the "shorewall restart" command.
+         running firewall may be restarted using the "shorewall restart"
-     If    you want to totally remove any trace of Shorewall from your Netfilter
+command.       If    you want to totally remove any trace of Shorewall from
-        configuration, use "shorewall clear".</p>
+your Netfilter          configuration, use "shorewall clear".</p>
            </div>
 <div align="left">               
@ -1124,11 +1155,13 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
            </div>
-<p align="left"><font size="2">Last updated 12/20/2002 - <a
+<p align="left"><font size="2">Last updated 1/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
-     M. Eastep</font></a></p>
+Thomas      M. Eastep</font></a></p>
              <br>
            <br>
           <br>
          <br>
         <br>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -12,6 +12,7 @@
 content="text/html; charset=windows-1252">
  <title>Two-Interface Firewall</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -40,7 +41,7 @@ follow      the  documentation.</p>
 <ul>
               <li>Linux system used as a firewall/router for a small local 
-network.</li>
+ network.</li>
               <li>Single public IP address.</li>
               <li>Internet connection through cable modem, DSL, ISDN, Frame
  Relay,    dial-up    ...</li>
@ -60,9 +61,9 @@ network.</li>
      </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
-     (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
+      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
-   if  this  package is installed by the presence of an <b>ip</b> program
+tell     if  this  package is installed by the presence of an <b>ip</b> program
-on   your  firewall  system. As root, you can use the 'which' command to
+ on   your  firewall  system. As root, you can use the 'which' command to
 check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -76,9 +77,9 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                 If you edit your configuration files on a Windows system,
-you   must   save them as  Unix files if your editor supports that option
+ you   must   save them as  Unix files if your editor supports that option
-or you   must  run them through  dos2unix before trying to use them. Similarly,
+ or you   must  run them through  dos2unix before trying to use them. Similarly,
-if   you copy  a configuration file  from your Windows hard drive to a floppy
+ if   you copy  a configuration file  from your Windows hard drive to a floppy
  disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
@ -95,12 +96,12 @@ of    dos2unix</a></li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
         The configuration files for Shorewall are contained in the directory 
-  /etc/shorewall -- for simple setups, you will only need to deal with a few
+   /etc/shorewall -- for simple setups, you will only need to deal with a 
- of  these as described in this guide.  After you have <a
+few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
-     un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
+      un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
-      (these files will replace files with the same name).</b></p>
+/etc/shorewall        (these files will replace files with the same name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual
      file on your system -- each file contains detailed  configuration instructions
@ -108,7 +109,7 @@ of    dos2unix</a></li>
 <p>Shorewall views the network where it is running as being composed of a
      set of  <i>zones.</i> In the two-interface sample configuration, the
-following     zone names are used:</p>
+ following     zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -140,7 +141,7 @@ following     zone names are used:</p>
 <ul>
               <li>You express your default policy for connections from one 
-zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
         </a>file.</li>
               <li>You define exceptions to those default policies in the 
      <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -148,10 +149,10 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
 </ul>
 <p>For each connection request entering the firewall, the request is first
-     checked against the  /etc/shorewall/rules file. If no rule in that file
+      checked against the  /etc/shorewall/rules file. If no rule in that
-   matches  the connection  request then the first policy in /etc/shorewall/policy
+file     matches  the connection  request then the first policy in /etc/shorewall/policy
-   that  matches the    request is applied. If that policy is REJECT or DROP 
+    that  matches the    request is applied. If that policy is REJECT or
-   the request is first  checked against the rules in /etc/shorewall/common
+DROP      the request is first  checked against the rules in /etc/shorewall/common
   (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the two-interface sample
@ -190,6 +191,7 @@ has the  following policies:</p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -217,6 +219,7 @@ has the  following policies:</p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -224,10 +227,10 @@ has the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-             <li>allow all connection requests from your local network to 
+               <li>allow all connection requests from your local network
-the   internet</li>
+to  the   internet</li>
               <li>drop (ignore) all connection requests from the internet
-to  your   firewall     or local network</li>
+ to  your   firewall     or local network</li>
               <li>optionally accept all connection requests from the firewall
   to  the     internet (if you uncomment the additional policy)</li>
               <li>reject all other connection requests.</li>
@ -236,7 +239,7 @@ to  your   firewall     or local network</li>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
                At this point, edit your /etc/shorewall/policy and make any 
-changes     that you  wish.</p>
+ changes     that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -249,45 +252,47 @@ is through a cable or DSL "Modem", the <i>External Interface</i>  will be
 the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
      <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
       over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-<u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
+ <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
-Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect
+ Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect
 via a regular modem,   your External  Interface will also be <b>ppp0</b>.
 If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                If your external interface is <b>ppp0</b>  or<b> ippp0</b>  
-then   you   will want to  set CLAMPMSS=yes in <a
+ then   you   will want to  set CLAMPMSS=yes in <a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
      (eth1  or eth0) and will be connected to a hub or switch. Your other
-computers     will be  connected to the same hub/switch (note: If you have
+ computers     will be  connected to the same hub/switch (note: If you have
-only a single     internal system,  you can connect the firewall directly
+ only a single     internal system,  you can connect the firewall directly
-to the computer   using  a <i>cross-over </i> cable).</p>
+ to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
            </b></u>Do not connect the internal and external interface  to
-the   same   hub or switch (even for testing). It won't work the way that
+ the   same   hub or switch (even for testing). It won't work the way that
-you think  that   it will and you will end up confused and  believing that
+ you think  that   it will and you will end up confused and  believing that
-Shorewall   doesn't   work at all.</p>
+ Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-              The Shorewall two-interface sample configuration assumes that 
+                The Shorewall two-interface sample configuration assumes
-  the   external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
+that    the   external  interface is <b>eth0</b> and the internal interface
-    If your  configuration is different, you will have to modify the sample
+is <b>eth1</b>.     If your  configuration is different, you will have to
-   <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
+modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-   accordingly.  While you are there, you may wish to  review the list of
+file    accordingly.  While you are there, you may wish to  review the list 
-options   that are  specified for the interfaces. Some hints:</p>
+of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
               <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
      you can replace the    "detect" in the second column with "-".   </p>
              </li>
              <li>                                                      
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
      or if you have a static IP    address, you can remove "dhcp" from the
  option    list. </p>
@ -304,11 +309,11 @@ the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
 establishing  your  connection   when you dial in (standard modem) or establish
 your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
 IP address; that  means that  you  configure your firewall's external interface
-to use that  address permanently.<i>  </i>However your external address is
+ to use that  address permanently.<i>  </i>However your external address
-assigned, it  will be shared by all of your systems when you access the 
+is  assigned, it  will be shared by all of your systems when you access the
-Internet. You will have to assign your  own addresses in your  internal network
+ Internet. You will have to assign your  own addresses in your  internal
-(the Internal  Interface on your firewall  plus your other  computers). RFC
+network (the Internal  Interface on your firewall  plus your other  computers).
-1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
+RFC 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">               
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -320,20 +325,21 @@ Internet. You will have to assign your  own addresses in your  internal network
                   Before starting Shorewall, you should look at the IP address 
   of  your  external    interface and if it is one of the above ranges, you
   should  remove  the    'norfc1918' option from the external interface's 
-entry  in    /etc/shorewall/interfaces.</p>
+ entry  in    /etc/shorewall/interfaces.</p>
            </div>
 <div align="left">               
 <p align="left">You will want to assign your addresses from the same <i> 
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
-        to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
+         to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
-     will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
+subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
-   is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved
+x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is
-as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet
+reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
-is  described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless 
+a subnet  is  described  using <a
-InterDomain Routing  </i>(CIDR)  notation</a> with consists of the subnet 
+ href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
-address followed    by "/24". The  "24" refers to the number of    consecutive 
+ </i>(CIDR)  notation</a> with consists of the subnet  address followed 
-leading "1" bits from the left  of the subnet mask. </p>
+  by "/24". The  "24" refers to the number of    consecutive  leading "1"
 bits from the left  of the subnet mask. </p>
            </div>
 <div align="left">               
@ -362,6 +368,7 @@ leading "1" bits from the left  of the subnet mask. </p>
                     <td>10.10.10.0/24</td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -369,8 +376,8 @@ leading "1" bits from the left  of the subnet mask. </p>
 <div align="left">               
 <p align="left">It is conventional to assign the internal interface either
-     the    first usable address in the subnet (10.10.10.1 in the above example)
+      the    first usable address in the subnet (10.10.10.1 in the above
-     or the    last usable address (10.10.10.254).</p>
+example)       or the    last usable address (10.10.10.254).</p>
            </div>
 <div align="left">               
@ -383,15 +390,15 @@ leading "1" bits from the left  of the subnet mask. </p>
 <div align="left">               
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-              Your local computers (computer    1 and computer 2 in the above 
+                Your local computers (computer    1 and computer 2 in the 
-  diagram)   should be configured with their<i>    default gateway</i> to 
+above    diagram)   should be configured with their<i>    default gateway</i> 
-be  the IP address   of the firewall's internal    interface.<i>      </i> 
+to  be  the IP address   of the firewall's internal    interface.<i>      
-</p>
+</i>  </p>
            </div>
 <p align="left">The foregoing short discussion barely scratches the surface
       regarding subnetting and routing. If you are interested in learning
-more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
+ more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
      What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
     A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
@ -402,22 +409,31 @@ more     about  IP addressing and routing, I highly recommend <i>"IP Fundamental
 height="635">
            </p>
-<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.</p>
+<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.<br>
 </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
 your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
 local network.</b><br>
 </p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
      to as <i>non-routable</i> because the Internet backbone routers don't
  forward    packets  which have an RFC-1918 destination address. When one
-of your local    systems  (let's assume computer 1) sends a connection request
+ of your local    systems  (let's assume computer 1) sends a connection request
  to an internet    host, the  firewall must perform <i>Network Address Translation
-  </i>(NAT).    The firewall  rewrites the source address in the packet to
+   </i>(NAT).    The firewall  rewrites the source address in the packet
- be the address    of the firewall's  external interface; in other words,
+to   be the address    of the firewall's  external interface; in other words,
-the firewall makes    it look as if the firewall  itself is initiating the
+ the firewall makes    it look as if the firewall  itself is initiating the
-connection.  This is   necessary so that the  destination host will be able
+ connection.  This is   necessary so that the  destination host will be able
-to route return packets   back to the firewall  (remember that packets whose
+ to route return packets   back to the firewall  (remember that packets whose
-destination address is   reserved by RFC 1918 can't  be routed across the
+ destination address is   reserved by RFC 1918 can't  be routed across the
-internet so the remote host  can't address its response to  computer 1).
+ internet so the remote host  can't address its response to  computer 1).
 When the firewall receives a return packet, it  rewrites the destination
 address  back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
@ -428,14 +444,16 @@ with  Netfilter:</p>
 <ul>
               <li>                                                     
    <p align="left"><i>Masquerade</i> describes the case where you let your
         firewall system automatically detect the external interface address.
          </p>
              </li>
              <li>                                                      
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
      the    source address that you want outbound packets from your local
-network     to use.    </p>
+ network     to use.    </p>
              </li>
 </ul>
@ -447,17 +465,17 @@ network     to use.    </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                If your external firewall interface is <b>eth0</b>, you do
-not    need   to modify the file provided with the sample. Otherwise, edit
+ not    need   to modify the file provided with the sample. Otherwise, edit
  /etc/shorewall/masq      and change the first column to the name of your
-external  interface and    the  second column to the name of your internal
+ external  interface and    the  second column to the name of your internal
-interface.</p>
+ interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                If your external IP is  static, you can enter it in the third 
  column    in the /etc/shorewall/masq entry if  you like although your firewall 
- will    work fine if you leave that column empty.  Entering your static IP
+  will    work fine if you leave that column empty.  Entering your static 
- in column    3 makes processing outgoing packets a little  more efficient.<br>
+IP  in column    3 makes processing outgoing packets a little  more efficient.<br>
    <br>
    <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
@ -476,9 +494,9 @@ interface.</p>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals may be to run one or more servers on your
-      local computers. Because these computers have RFC-1918 addresses, it
+       local computers. Because these computers have RFC-1918 addresses,
- is   not  possible for clients on the internet to connect directly to them.
+it   is   not  possible for clients on the internet to connect directly to
- It   is rather  necessary for those clients to address their connection
+them.   It   is rather  necessary for those clients to address their connection
 requests     to the firewall  who rewrites the destination address to the
 address of   your   server and forwards  the packet to that server. When
 your server responds,     the firewall automatically  performs SNAT to rewrite
@ -515,6 +533,7 @@ the source address   in  the response.</p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -545,6 +564,7 @@ the source address   in  the response.</p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -552,13 +572,13 @@ the source address   in  the response.</p>
 <p>A couple of important points  to keep in mind:</p>
 <ul>
-             <li>You must test the above rule from a client outside of your 
+               <li>You must test the above rule from a client outside of
- local    network    (i.e., don't test from a browser running on computers 
+your   local    network    (i.e., don't test from a browser running on computers 
  1 or 2  or  on the    firewall). If you want to be able to access your web
  server  using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
               <li>Many ISPs block incoming connection requests to port 80. 
-If  you   have     problems connecting to your web server, try the following
+ If  you   have     problems connecting to your web server, try the following
  rule and  try     connecting to port 5000.</li>
 </ul>
@ -586,13 +606,14 @@ If  you   have     problems connecting to your web server, try the following
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
                At this point, modify  /etc/shorewall/rules to add any DNAT 
-rules    that  you require.</p>
+ rules    that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
@ -607,6 +628,7 @@ the resolver    in your   internal systems. You can take one of two approaches:<
 <ul>
               <li>                                                     
    <p align="left">You can configure your internal systems to use your ISP's
      name    servers. If you ISP gave you the addresses of their servers
 or   if   those    addresses are available on their web site, you can configure
@ -616,18 +638,19 @@ isn't   available,   look in    /etc/resolv.conf on your firewall system
  </p>
              </li>
              <li>                                                      
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-              You can configure a<i> Caching Name Server </i>on your    firewall.<i>
+                You can configure a<i> Caching Name Server </i>on your  
-         </i>Red Hat has an RPM for a caching name server (the RPM also 
+ firewall.<i>          </i>Red Hat has an RPM for a caching name server (the 
-  requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp.
+RPM also    requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp.
-If you    take   this approach, you configure your internal systems to use
+ If you    take   this approach, you configure your internal systems to use
-the firewall    itself as their primary (and only) name server. You use the
+ the firewall    itself as their primary (and only) name server. You use
-internal IP     address of the firewall (10.10.10.254 in the example above)
+the  internal IP     address of the firewall (10.10.10.254 in the example
-for the name       server address. To allow your local systems to talk to
+above)  for the name       server address. To allow your local systems to
-your caching name      server, you must open port 53 (both UDP and TCP) from
+talk to  your caching name      server, you must open port 53 (both UDP and
-the local network   to the    firewall; you do that by adding the following
+TCP) from  the local network   to the    firewall; you do that by adding
-rules in /etc/shorewall/rules.       </p>
+the following  rules in /etc/shorewall/rules.       </p>
              </li>
 </ul>
@ -664,6 +687,7 @@ rules in /etc/shorewall/rules.       </p>
                   <td> </td>
                 </tr>
    </tbody>                                    
  </table>
             </blockquote>
@ -709,6 +733,7 @@ rules in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -748,6 +773,7 @@ rules in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -787,6 +813,7 @@ rules in /etc/shorewall/rules.       </p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -830,6 +857,7 @@ rules in /etc/shorewall/rules.       </p>
                     <td>from the local network</td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -849,7 +877,7 @@ application uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">               
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
         the internet because it uses clear text (even for login!). If you
-want     shell    access to your firewall from the internet, use SSH:</p>
+ want     shell    access to your firewall from the internet, use SSH:</p>
            </div>
 <div align="left">               
@ -876,6 +904,7 @@ want     shell    access to your firewall from the internet, use SSH:</p>
                     <td> </td>
                   </tr>
    </tbody>                                    
  </table>
               </blockquote>
@ -885,7 +914,7 @@ want     shell    access to your firewall from the internet, use SSH:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                Now edit your    /etc/shorewall/rules file to add or delete 
-other    connections  as required.</p>
+ other    connections  as required.</p>
            </div>
 <div align="left">               
@ -900,7 +929,7 @@ other    connections  as required.</p>
    version 1.3.9 startup is disabled so that your system won't try to start 
   Shorewall before configuration is complete. Once you have completed configuration 
   of your firewall, you can enable Shorewall startup by removing the file 
-/etc/shorewall/startup_disabled.<br>
+ /etc/shorewall/startup_disabled.<br>
            </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -912,21 +941,21 @@ other    connections  as required.</p>
 <div align="left">               
 <p align="left">The firewall is started using the "shorewall start" command
         and stopped using "shorewall stop". When the firewall is stopped,
-routing     is    enabled on those hosts that have an entry in   <a
+ routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
-        running firewall may be restarted using the "shorewall restart" command.
+         running firewall may be restarted using the "shorewall restart"
-     If    you want to totally remove any trace of Shorewall from your Netfilter
+command.       If    you want to totally remove any trace of Shorewall from
-        configuration, use "shorewall clear".</p>
+your Netfilter          configuration, use "shorewall clear".</p>
            </div>
 <div align="left">               
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                The two-interface sample assumes that you want to enable
- routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped. 
+   routing     to/from <b>eth1 </b>(the local network) when Shorewall is
-If    your local network isn't connected to <b>eth1</b> or if you wish to 
+stopped.  If    your local network isn't connected to <b>eth1</b> or if you
-enable       access to/from other hosts, change /etc/shorewall/routestopped 
+wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped 
-accordingly.</p>
+ accordingly.</p>
            </div>
 <div align="left">               
@ -940,11 +969,13 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
            </div>
-<p align="left"><font size="2">Last updated 12/20/2002 - <a
+<p align="left"><font size="2">Last updated 1/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
-     M. Eastep</font></a></p>
+Thomas      M. Eastep</font></a></p>
              <br>
            <br>
           <br>
          <br>
         <br>