Some 1.3.14 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@427 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-05-19 23:51:07 +02:00 · 2003-01-31 21:50:51 +00:00 · 2003-01-31 21:50:51 +00:00 · b56fd26640
commit b56fd26640
parent 5aeecee8ab
23 changed files with 11632 additions and 10588 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -18,6 +18,7 @@
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -31,6 +32,7 @@
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                                       </td>
                                     </tr>
@ -56,14 +58,14 @@
           but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
-                subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
+                  subnet and I use <b>static NAT</b> to assign non-RFC1918
-         to   hosts   in  Z. Hosts in Z cannot communicate with each other
+ addresses          to   hosts   in  Z. Hosts in Z cannot communicate with
- using      their    external    (non-RFC1918 addresses) so they <b>can't
+ each other  using      their    external    (non-RFC1918 addresses) so they
-access each     other using   their DNS   names.</b></a></p>
+ <b>can't access each     other using   their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
-or <b>MSN                Instant Messenger </b>with  Shorewall. What do I 
+  or <b>MSN                Instant Messenger </b>with  Shorewall. What do
-do?</a></p>
+I  do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
                 to  check my firewall and it shows <b>some ports as 'closed'
@ -81,17 +83,20 @@ do?</a></p>
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
                  that work with Shorewall?</a></p>
 <p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
 href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect 
-requests. Can i exclude these error messages for this port temporarily from
+ requests. Can i exclude these error messages for this port temporarily from 
-logging in Shorewall?</a><br>
+ logging in Shorewall?</a><br>
-</p>
+   </p>
 <p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow 
-of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>. 
+ of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.  
-They get dropped, but what the heck are they?</a><br>
+ They get dropped, but what the heck are they?</a><br>
-</p>
+   </p>
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
-'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
+ 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
                  work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
@ -101,11 +106,12 @@ They get dropped, but what the heck are they?</a><br>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
                 my  interfaces </b>properly?</a></p>
 <p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
                 it  work with?</a></p>
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
-support?</a></p>
+ support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
@ -114,7 +120,8 @@ support?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
                 and it has an internel  web server that allows me to configure/monitor
              it   but as expected if I enable <b> rfc1918 blocking</b> for
-my   eth0     interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
+  my   eth0     interface,       it also blocks the <b>cable modems  web
 server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
                 IP  addresses, my ISP's DHCP server has an RFC 1918 address.
@ -127,37 +134,38 @@ my   eth0     interface,       it also blocks the <b>cable modems  web server</b
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
                  all over my console</b> making it unusable!<br>
                              </a></p>
-                                        <b>17</b>. <a href="#faq17">How do
+                                           <b>17</b>. <a href="#faq17">How
- I  find   out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
+ do  I  find   out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
                          <br>
-                       <b>18.</b> <a href="#faq18">Is there any way to use
+                          <b>18.</b> <a href="#faq18">Is there any way to 
- <b>aliased      ip  addresses</b>    with Shorewall, and maintain separate
+use   <b>aliased      ip  addresses</b>    with Shorewall, and maintain separate 
  rulesets for    different   IPs?</a><br>
                      <br>
-                   <b>19. </b><a href="#faq19">I have added <b>entries to 
+                      <b>19. </b><a href="#faq19">I have added <b>entries 
-/etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do anything</b>. 
+to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do 
-Why?</a><br>
+anything</b>.  Why?</a><br>
                     <br>
-                  <b>20. </b><a href="#faq20">I have just set  up  a  server. 
+                     <b>20. </b><a href="#faq20">I have just set  up  a 
-   <b>Do  I have to change Shorewall to allow access to my server   from 
+server.      <b>Do  I have to change Shorewall to allow access to my server
-the  internet?<br>
+  from   the  internet?<br>
           <br>
-        </b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
+           </b></a><b>21. </b><a href="#faq21">I see these <b>strange log 
-    </b>occasionally;    what are they?<br>
+entries      </b>occasionally;    what are they?<br>
                   </a><br>
           <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that
-  I  want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
+    I  want to <b>run when Shorewall starts.</b> Which file do I put them
 in?</a><br>
         <br>
-      <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b> on
+         <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b>
- your   <b>web site</b>?</a><br>
+ on  your   <b>web site</b>?</a><br>
      <br>
      <b>24: </b><a href="#faq24">How can I <b>allow conections</b> to let's
-say  the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
+  say  the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
 <hr>                                   
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
                 my my personal PC with IP address 192.168.1.5. I've looked
-everywhere           and    can't find how to do it.</h4>
+  everywhere           and    can't find how to do it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
@ -278,12 +286,12 @@ everywhere           and    can't find how to do it.</h4>
 <ul>
                                     <li>You are trying to test from inside 
-your   firewall     (no,   that    won't    work -- see <a href="#faq2">FAQ
+ your   firewall     (no,   that    won't    work -- see <a href="#faq2">FAQ 
-#2</a>).</li>
+ #2</a>).</li>
                                     <li>You have a more basic problem with 
-your   local    system    such   as  an   incorrect default gateway configured 
+ your   local    system    such   as  an   incorrect default gateway configured
-(it  should    be set to   the IP   address    of your  firewall's internal 
+  (it  should    be set to   the IP   address    of your  firewall's internal
-interface).</li>
+  interface).</li>
 </ul>
@ -294,31 +302,32 @@ interface).</li>
 <ul>
                           <li>As root, type "iptables -t nat -Z". This clears
   the   NetFilter      counters   in the nat table.</li>
-                        <li>Try to connect to the redirected port from an 
+                           <li>Try to connect to the redirected port from 
-external     host.</li>
+an  external     host.</li>
                           <li>As root type "shorewall show nat"</li>
-                        <li>Locate the appropriate DNAT rule. It will be
+                           <li>Locate the appropriate DNAT rule. It will
-in  a  chain    called        <i>zone</i>_dnat   where <i>zone</i> is the
+be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat' 
-zone  that  includes    the    ('net' in the above   examples).</li>
+in the above   examples).</li>
                           <li>Is the packet count in the first column non-zero?
-  If  so,   the   connection    request is reaching the firewall and is being
+    If  so,   the   connection    request is reaching the firewall and is
-   redirected    to   the server.  In  this case, the problem is usually
+being    redirected    to   the server.  In  this case, the problem is usually 
-a  missing  or incorrect      default gateway   setting on the server (the
+ a  missing  or incorrect      default gateway   setting on the server (the 
-server's  default  gateway  should    be the IP address   of the firewall's
+ server's  default  gateway  should    be the IP address   of the firewall's 
-interface  to the  server).</li>
+ interface  to the  server).</li>
                           <li>If the packet count is zero:</li>
  <ul>
                             <li>the connection request is not reaching your
-server    (possibly      it  is being blocked by your ISP); or</li>
+  server    (possibly      it  is being blocked by your ISP); or</li>
-                          <li>you are trying to connect to a secondary IP 
+                             <li>you are trying to connect to a secondary 
-address     on  your   firewall   and your rule is only redirecting the primary 
+IP  address     on  your   firewall   and your rule is only redirecting the
-IP  address    (You  need to specify   the secondary IP address in the "ORIG. 
+ primary  IP  address    (You  need to specify   the secondary IP address
- DEST." column    in  your DNAT rule);  or</li>
+in the "ORIG.   DEST." column    in  your DNAT rule);  or</li>
                             <li>your DNAT rule doesn't match the connection
-request     in  some   other   way. In that case, you may have to use a packet 
+  request     in  some   other   way. In that case, you may have to use a
-sniffer     such  as tcpdump  or  ethereal to further diagnose the problem.<br>
+packet  sniffer     such  as tcpdump  or  ethereal to further diagnose the
 problem.<br>
                             </li>
@ -336,26 +345,26 @@ sniffer     such  as tcpdump  or  ethereal to further diagnose the problem.<br>
 <ul>
                                     <li>Having an internet-accessible server 
  in  your   local    network         is  like raising foxes in the corner 
-of your  hen   house.  If  the server     is      compromised, there's nothing 
+ of your  hen   house.  If  the server     is      compromised, there's nothing
- between  that  server  and  your other   internal        systems. For the 
+   between  that  server  and  your other   internal        systems. For
- cost of another  NIC and  a cross-over  cable,   you can   put      your 
+the    cost of another  NIC and  a cross-over  cable,   you can   put   
-server in a DMZ such  that it is isolated  from your   local systems    - 
+  your   server in a DMZ such  that it is isolated  from your   local systems
-    assuming that the  Server can be located  near the Firewall,   of course 
+   -      assuming that the  Server can be located  near the Firewall,  
-   :-)</li>
+of course     :-)</li>
-                                  <li>The accessibility problem is best solved
+                                     <li>The accessibility problem is best
-   using           <a href="shorewall_setup_guide.htm#DNS">Bind Version 
+ solved    using           <a href="shorewall_setup_guide.htm#DNS">Bind Version
-   9 "views"</a>     (or using a separate DNS server for local clients) such
+     9 "views"</a>     (or using a separate DNS server for local clients)
-  that www.mydomain.com     resolves to 130.141.100.69     externally and
+such   that www.mydomain.com     resolves to 130.141.100.69     externally
-192.168.1.5   internally. That's    what I do here at     shorewall.net for
+and 192.168.1.5   internally. That's    what I do here at     shorewall.net
-my local systems   that use static   NAT.</li>
+for my local systems   that use static   NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem
                  rather than a DNS solution, then assuming that your external
-   interface          is  eth0  and your internal interface is eth1  and that
+     interface          is  eth0  and your internal interface is eth1  and
-   eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, do
+ that    eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24,
-  the following:</p>
+ do   the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
                  for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -447,27 +456,28 @@ my local systems   that use static   NAT.</li>
 <div align="left">                                   
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
-                client to automatically restart Shorewall each time that you
+                  client to automatically restart Shorewall each time that
-   get    a  new    IP   address.</p>
+ you    get    a  new    IP   address.</p>
                                  </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
                 subnet and I use static NAT to assign non-RFC1918 addresses
- to   hosts      in   Z.  Hosts in Z cannot communicate with each other using 
+   to   hosts      in   Z.  Hosts in Z cannot communicate with each other
-  their  external      (non-RFC1918     addresses) so they can't access each 
+using    their  external      (non-RFC1918     addresses) so they can't access
-  other  using their    DNS  names.</h4>
+each    other  using their    DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved
-               using Bind Version 9 "views". It allows both external and internal
+                 using Bind Version 9 "views". It allows both external and
-        clients       to access a NATed host using the host's DNS name.</p>
+ internal         clients       to access a NATed host using the host's DNS
 name.</p>
 <p align="left">Another good way to approach this problem is to switch from 
                 static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 
          addresses      and can be accessed externally and internally using 
   the    same   address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
+<p align="left">If you don't like those solutions and prefer routing all
-traffic through your firewall then:</p>
+Z-&gt;Z traffic through your firewall then:</p>
 <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces 
            (If you are running a Shorewall version earlier than 1.3.9).<br>
@ -535,9 +545,6 @@ traffic through your firewall then:</p>
  </table>
                                   </blockquote>
 <div align="left">                                
 <pre align="left">     dmz    dmz    ACCEPT</pre>
                                </div>
 <p align="left">In /etc/shorewall/masq:</p>
@ -566,15 +573,15 @@ traffic through your firewall then:</p>
                                   </blockquote>
 <h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant
-Messenger                with Shorewall. What do I do?</h4>
+  Messenger                with Shorewall. What do I do?</h4>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
                 tracking/NAT module</a> that may help with Netmeeting. Look
-<a href="http://linux-igd.sourceforge.net">here</a> for a solution for MSN 
+  <a href="http://linux-igd.sourceforge.net">here</a> for a solution for
-IM but be aware that there are significant security risks involved with this 
+MSN   IM but be aware that there are significant security risks involved
-solution. Also check the Netfilter      mailing        list  archives at <a
+with this  solution. Also check the Netfilter      mailing        list  archives
- href="http://www.netfilter.org">http://www.netfilter.org</a>.          
+at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.     
         </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -584,27 +591,27 @@ solution. Also check the Netfilter      mailing        list  archives at <a
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
                 always    rejects connection requests on TCP port 113 rather
    than     dropping        them. This is    necessary to prevent outgoing
-connection       problems to   services    that use the    'Auth' mechanism 
+  connection       problems to   services    that use the    'Auth' mechanism
-for identifying       requesting  users.  Shorewall    also rejects TCP  
+  for identifying       requesting  users.  Shorewall    also rejects TCP
- ports 135, 137 and    139  as well as  UDP ports  137-139.   These are ports
+   ports 135, 137 and    139  as well as  UDP ports  137-139.   These are
-that are    used  by  Windows  (Windows  <u>can</u>  be configured   to use
+ports that are    used  by  Windows  (Windows  <u>can</u>  be configured
-the DCE cell locator       on port  135). Rejecting these  connection requests
+  to use the DCE cell locator       on port  135). Rejecting these  connection
-  rather than dropping    them    cuts down slightly on the amount of Windows
+requests   rather than dropping    them    cuts down slightly on the amount
- chatter on LAN segments    connected      to the Firewall. </p>
+of Windows  chatter on LAN segments    connected      to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably
-               your    ISP preventing you from running a web server in violation 
+                 your    ISP preventing you from running a web server in
-       of   your     Service    Agreement.</p>
+violation          of   your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
                    firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
-               section about    UDP scans. If nmap gets <b>nothing</b> back 
+                 section about    UDP scans. If nmap gets <b>nothing</b>
-  from     your     firewall   then it reports    the port as open. If you 
+back     from     your     firewall   then it reports    the port as open.
- want to   see  which    UDP ports are  really open,    temporarily change 
+If you    want to   see  which    UDP ports are  really open,    temporarily
- your net-&gt;all     policy    to REJECT, restart  Shorewall and do    the 
+change    your net-&gt;all     policy    to REJECT, restart  Shorewall and
- nmap UDP scan again.</p>
+do    the   nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
                 can't ping through the firewall</h4>
@ -623,24 +630,25 @@ the DCE cell locator       on port  135). Rejecting these  connection requests
                 -j ACCEPT<br>
              </p>
            </blockquote>
-         For a complete description of Shorewall 'ping' management, see <a
+            For a complete description of Shorewall 'ping' management, see
- href="ping.html">this page</a>.                                         
+ <a href="ping.html">this page</a>.                                     
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
                 and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
+syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
-(see "man openlog") and you get to choose the log level (again, see "man
+facility (see "man openlog") and you get to choose the log level (again,
-syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
+see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
- href="Documentation.htm#Rules">rules</a>. The destination for messaged 
+ and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
-logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
+ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
-              When you have changed /etc/syslog.conf, be sure to restart syslogd
+                When you have changed /etc/syslog.conf, be sure to restart
-       (on    a  RedHat system, "service syslog restart"). </p>
+ syslogd        (on    a  RedHat system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages
-               through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
+                 through <a href="Documentation.htm#Conf">settings</a> in
-               -- If you want to log all messages, set: </p>
+/etc/shorewall/shorewall.conf                 -- If you want to log all messages,
 set: </p>
 <div align="left">                                   
 <pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
@ -662,36 +670,44 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
                        http://www.logwatch.org</a><br>
  <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
                  </p>
                </blockquote>
-             I personnaly use Logwatch. It emails me a report each day from 
+                I personnaly use Logwatch. It emails me a report each day 
- my  various    systems with each report summarizing the logged activity on
+from   my  various    systems with each report summarizing the logged activity
- the  corresponding    system.                                          
+ on  the  corresponding    system.                                      
 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 
-are <b>flooding the logs</b> with their connect requests. Can i exclude these
+ are <b>flooding the logs</b> with their connect requests. Can i exclude these
-error messages for this port temporarily from logging in Shorewall?</h4>
+ error messages for this port temporarily from logging in Shorewall?</h4>
-Temporarily add the following rule:<br>
+   Temporarily add the following rule:<br>
 <pre>	DROP    net    fw    udp    10619</pre>
 <h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow 
-of these DROP messages from port 53 to some high numbered port.  They get
+ of these DROP messages from port 53 to some high numbered port.  They get 
-dropped, but what the heck are they?</h4>
+ dropped, but what the heck are they?</h4>
 <pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
-<b>Answer: </b>There are two possibilities:<br>
+   <b>Answer: </b>There are two possibilities:<br>
 <ol>
     <li>They are late-arriving replies to DNS queries.</li>
     <li>They are corrupted reply packets.</li>
 </ol>
-You can distinguish the difference by setting the <b>logunclean</b> option
+   You can distinguish the difference by setting the <b>logunclean</b> option 
-(<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) on
+ (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) on 
-your external interface (eth0 in the above example). If they get logged twice,
+ your external interface (eth0 in the above example). If they get logged twice,
-they are corrupted. I solve this problem by using an /etc/shorewall/common
+ they are corrupted. I solve this problem by using an /etc/shorewall/common 
-file like this:<br>
+ file like this:<br>
 <blockquote>         
  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
-</blockquote>
+   </blockquote>
-The above file is also include in all of my sample configurations available
+   The above file is also include in all of my sample configurations available 
-in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
+ in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
                 stop', I can't connect to anything. Why doesn't that command 
    work?</h4>
@ -718,8 +734,8 @@ in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
 <div align="left">                                   
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
-               for  problems concerning the version of iptables (v1.2.3) shipped
+                 for  problems concerning the version of iptables (v1.2.3)
-       with     RH7.2.</p>
+ shipped        with     RH7.2.</p>
                                  </div>
 <h4 align="left">      </h4>
@ -739,9 +755,9 @@ in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
                                  </div>
 <div align="left">                                     
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The
-   zone is defined as all hosts that are connected through eth0 and the local
+Net    zone is defined as all hosts that are connected through eth0 and the
-   zone is defined as all hosts connected through eth1</p>
+local    zone is defined as all hosts connected through eth1</p>
                                  </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -757,32 +773,34 @@ in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I
-myself doing      other things. I guess I just don't care enough if Shorewall
+find myself doing      other things. I guess I just don't care enough if
-has a GUI to      invest the effort to create one myself. There are several
+Shorewall has a GUI to      invest the effort to create one myself. There
-Shorewall GUI      projects underway however and I will publish links to
+are several Shorewall GUI      projects underway however and I will publish
-them when the authors      feel that they are ready. </p>
+links to them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
-               (<a href="http://www.cityofshoreline.com">the      city where 
+                 (<a href="http://www.cityofshoreline.com">the      city
-   I  live</a>)          and "Fire<u>wall</u>". The full name of the product 
+where      I  live</a>)          and "Fire<u>wall</u>". The full name of
-   is actually "Shoreline Firewall" but "Shorewall" is must more commonly 
+the product      is actually "Shoreline Firewall" but "Shorewall" is must
-used.</p>
+more commonly   used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
                 and it has an  internal web server that allows me to configure/monitor
              it   but as expected if I  enable rfc1918 blocking for my eth0
   interface          (the  internet one), it also blocks  the cable modems
-web server.</h4>
+  web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking
-               that will let all traffic to and from the 192.168.100.1 address 
+                 that will let all traffic to and from the 192.168.100.1
-      of   the    modem  in/out but still block all other rfc1918 addresses?</p>
+address         of   the    modem  in/out but still block all other rfc1918
 addresses?</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall
-than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
+earlier than      1.3.1, create /etc/shorewall/start and in it, place the
 following:</p>
 <div align="left">                                     
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -822,9 +840,9 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 <p align="left">Note: If you add a second IP address to your external firewall
                interface to correspond to the modem address, you must also
-make     an   entry      in /etc/shorewall/rfc1918 for that address. For example,
+  make     an   entry      in /etc/shorewall/rfc1918 for that address. For
-   if you   configure      the address 192.168.100.2 on your firewall, then
+ example,    if you   configure      the address 192.168.100.2 on your firewall,
-  you would   add two entries      to /etc/shorewall/rfc1918:  <br>
+ then   you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                                </p>
 <blockquote>                                                            
@ -859,10 +877,10 @@ make     an   entry      in /etc/shorewall/rfc1918 for that address. For example
                                  </div>
 <div align="left">                                     
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
-   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
-1918    filtering on my external interface, my DHCP client cannot renew its
+RFC 1918    filtering on my external interface, my DHCP client cannot renew
-lease.</h4>
+its lease.</h4>
                                   </div>
 <div align="left">                                     
@ -875,8 +893,9 @@ lease.</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
                 the net", I wonder  where the poster bought computers with
-eyes     and    what     those computers will "see"  when things are working 
+  eyes     and    what     those computers will "see"  when things are working
-properly.      That   aside,     the most common causes of this  problem are:</p>
+  properly.      That   aside,     the most common causes of this  problem
 are:</p>
 <ol>
                                     <li>                               
@ -896,7 +915,7 @@ properly.      That   aside,     the most common causes of this  problem are:</p
    <p align="left">The DNS settings on the local systems are wrong or the
                    user is running a DNS server on the firewall and hasn't
-enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
+  enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
                                      </li>
 </ol>
@ -913,15 +932,15 @@ enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
     logged?</h4>
                              <b>Answer: </b>Logging occurs out of a number 
-of  chains    (as   indicated      in  the log message) in Shorewall:<br>
+ of  chains    (as   indicated      in  the log message) in Shorewall:<br>
 <ol>
                                <li><b>man1918 - </b>The destination address
-is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target
+  is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target 
  --  see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                <li><b>rfc1918</b> - The source address is
 listed    in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target
 -- see      <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                             <li><b>rfc1918</b> - The source address is listed
   in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target -- see
     <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                               <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> 
     or      <b>all2all          </b>-  You have a<a
 href="Documentation.htm#Policy"> policy</a> that     specifies a  log level
@ -929,14 +948,14 @@ is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target
   to   ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                               </li>
-                             <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either
+                                <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>-
-  you   have   a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
+Either    you   have   a<a href="Documentation.htm#Policy"> policy</a> for
-        </b>to       <b>&lt;zone2&gt;</b> that specifies a log level and
+    <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b> that specifies
-this     packet is being         logged under that policy or this packet
+a log level and this     packet is being         logged under that policy
-matches    a     <a href="Documentation.htm#Rules">rule</a> that includes
+or this packet matches    a     <a href="Documentation.htm#Rules">rule</a>
-a log level.</li>
+that includes a log level.</li>
-                      <li><b>&lt;interface&gt;_mac</b> - The packet is being
+                         <li><b>&lt;interface&gt;_mac</b> - The packet is 
-  logged    under    the      <b>maclist</b> <a
+being    logged    under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
                         </li>
                                <li><b>logpkt</b> - The packet is being logged
@ -945,20 +964,21 @@ a log level.</li>
                                <li><b>badpkt </b>- The packet is being logged
   under    the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified 
-    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+     in the <b>LOGUNCLEAN </b>setting in <a
-                             <li><b>blacklst</b> - The packet is being logged 
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-  because     the   source    IP  is blacklisted in the<a
+                                <li><b>blacklst</b> - The packet is being 
 logged    because     the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
-                             <li><b>newnotsyn </b>- The packet is being logged
+                                <li><b>newnotsyn </b>- The packet is being
-   because     it  is  a  TCP   packet that is not part of any current connection
+ logged    because     it  is  a  TCP   packet that is not part of any current
-   yet  it   is not a syn  packet.   Options affecting the logging of such
+ connection    yet  it   is not a syn  packet.   Options affecting the logging
- packets   include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN
+ of such  packets   include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN 
     </b>in         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                               <li><b>INPUT</b> or <b>FORWARD</b> - The packet
   has   a  source    IP  address    that isn't in any of your defined zones
- ("shorewall    check"    and  look at the   printed zone definitions) or 
+   ("shorewall    check"    and  look at the   printed zone definitions)
-the chain is FORWARD   and   the destination  IP  isn't in any of your defined 
+or   the chain is FORWARD   and   the destination  IP  isn't in any of your
- zones.</li>
+defined    zones.</li>
                      <li><b>logflags </b>- The packet is being logged because
   it  failed    the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
@ -967,12 +987,13 @@ the chain is FORWARD   and   the destination  IP  isn't in any of your defined
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
-           with Shorewall, and maintain separate rulesets for different IPs?</h4>
+             with Shorewall, and maintain separate rulesets for different
 IPs?</h4>
                          <b>Answer: </b>Yes. You simply use the IP address 
-in  your   rules    (or   if  you  use NAT, use the local IP address in your 
+ in  your   rules    (or   if  you  use NAT, use the local IP address in your
-rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated 
+ rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated
-and will   disappear eventually.      Neither   iproute  (ip and tc) nor iptables
+  and will   disappear eventually.      Neither   iproute  (ip and tc) nor
-supports   that notation so  neither    does   Shorewall.  <br>
+ iptables supports   that notation so  neither    does   Shorewall.  <br>
                          <br>
                          <b>Example 1:</b><br>
                          <br>
@ -980,8 +1001,8 @@ supports   that notation so  neither    does   Shorewall.  <br>
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
 class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
 class="moz-txt-citetags"></span></pre>
-                       <span class="moz-txt-citetags"></span><b>Example 2 
+                          <span class="moz-txt-citetags"></span><b>Example
-(NAT):</b><br>
+ 2  (NAT):</b><br>
                          <br>
                          <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
@ -1004,9 +1025,9 @@ supports   that notation so  neither    does   Shorewall.  <br>
          to change Shorewall to allow access to my server from the internet?</b><br>
                     </h4>
                     Yes. Consult the <a
- href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that
+ href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that you
-you used during your initial setup for information about      how to set
+used during your initial setup for information about      how to set  up
- up rules for your server.<br>
+rules for your server.<br>
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; 
         what are they?<br>
@ -1015,48 +1036,49 @@ you used during your initial setup for information about      how to set
 <blockquote>                                                         
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
                   </blockquote>
-                192.0.2.3 is external on my firewall... 172.16.0.0/24 is
+                   192.0.2.3 is external on my firewall... 172.16.0.0/24
-my  internal     LAN<br>
+is  my  internal     LAN<br>
                   <br>
-                <b>Answer: </b>While most people associate the Internet Control 
+                   <b>Answer: </b>While most people associate the Internet
-   Message     Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. 
+ Control     Message     Protocol (ICMP) with 'ping', ICMP is a key piece
-   ICMP   is  used to report problems back to the sender of a packet; this 
+of  the internet.     ICMP   is  used to report problems back to the sender
- is  what  is happening  here. Unfortunately, where NAT is involved (including 
+of a packet; this   is  what  is happening  here. Unfortunately, where NAT
-   SNAT,  DNAT and Masquerade),  there are a lot of broken implementations. 
+is involved (including     SNAT,  DNAT and Masquerade),  there are a lot
-  That is  what you are seeing with  these messages.<br>
+of broken implementations.    That is  what you are seeing with  these messages.<br>
                   <br>
                  Here is my interpretation of what is happening -- to confirm
   this   analysis,    one would have to have packet sniffers placed a both
-ends of   the connection.<br>
+  ends of   the connection.<br>
                  <br>
-               Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a 
+                  Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent
-UDP   DNS   query    to 192.0.2.3 and your DNS server tried to send a response 
+ a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to send a
- (the response   information  is in the brackets -- note source port 53 which 
+response   (the response   information  is in the brackets -- note source
- marks this as  a DNS reply).  When the response was returned to to 206.124.146.179, 
+port 53 which   marks this as  a DNS reply).  When the response was returned
-  it rewrote  the destination  IP TO 172.16.1.10 and forwarded the packet 
+to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10
-to  172.16.1.10  who no longer had  a connection on UDP port 2857. This causes 
+and forwarded the packet  to  172.16.1.10  who no longer had  a connection
-  a port unreachable  (type 3, code  3) to be generated back to 192.0.2.3. 
+on UDP port 2857. This causes    a port unreachable  (type 3, code  3) to
- As this packet is sent  back through  206.124.146.179, that box correctly 
+be generated back to 192.0.2.3.   As this packet is sent  back through  206.124.146.179,
- changes the source address  in the packet  to 206.124.146.179 but doesn't 
+ that box correctly   changes the source address  in the packet  to 206.124.146.179
- reset the DST IP in the original   DNS response  similarly. When the ICMP 
+ but doesn't   reset the DST IP in the original   DNS response  similarly.
- reaches your firewall (192.0.2.3),   your firewall  has no record of having 
+ When the ICMP   reaches your firewall (192.0.2.3),   your firewall  has
- sent a DNS reply to 172.16.1.10 so   this ICMP doesn't  appear to be related 
+no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't
- to anything that was sent. The final   result is that the packet gets logged 
+  appear to be related   to anything that was sent. The final   result is
- and dropped in the all2all chain. I  have also seen cases where the source 
+that the packet gets logged   and dropped in the all2all chain. I  have also
- IP in the ICMP itself isn't set back  to the external IP of the remote NAT 
+seen cases where the source   IP in the ICMP itself isn't set back  to the
- gateway; that causes your firewall to  log and drop the packet out of the 
+external IP of the remote NAT   gateway; that causes your firewall to  log
- rfc1918 chain because the source IP is  reserved by RFC 1918.<br>
+and drop the packet out of the   rfc1918 chain because the source IP is 
 reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
     I want to <b>run when Shorewall starts.</b> Which file do I put them 
 in?</h4>
                   You can place these commands in one of the <a
- href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
+ href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
-Be sure that you look at the contents of the chain(s) that you will be modifying
+sure that you look at the contents of the chain(s) that you will be modifying 
     with your commands to be sure that the commands will do what they are 
-intended.    Many iptables commands published in HOWTOs and other instructional
+ intended.    Many iptables commands published in HOWTOs and other instructional 
-material    use the -A command which adds the rules to the end of the chain.
+ material    use the -A command which adds the rules to the end of the chain. 
-Most chains    that Shorewall constructs end with an unconditional DROP,
+ Most chains    that Shorewall constructs end with an unconditional DROP, 
 ACCEPT or REJECT    rule and any rules that you add after that will be ignored. 
 Check "man iptables"   and look at the -I (--insert) command.<br>
@ -1069,8 +1091,8 @@ Check "man iptables"   and look at the -I (--insert) command.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
   the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
-   In the SOURCE column of the rule, follow "net" by a colon and a list of
+      In the SOURCE column of the rule, follow "net" by a colon and a list
- the host/subnet addresses as a comma-separated list.<br>
+ of  the host/subnet addresses as a comma-separated list.<br>
 <pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
      Example:<br>
@ -1078,13 +1100,16 @@ Check "man iptables"   and look at the -I (--insert) command.<br>
 <pre>    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22<br></pre>
 <div align="left">     </div>
-                    <font size="2">Last updated 1/8/2003 - <a
+                       <font size="2">Last updated 1/30/2003 - <a
 href="support.htm">Tom   Eastep</a></font>                             
-<p><a href="copyright.htm"><font size="2">Copyright</font>              
+<p><a href="copyright.htm"><font size="2">Copyright</font>               ©
-© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@ -19,7 +19,7 @@
      <tr>
       <td width="100%">                   
      <h1 align="center"><font color="#ffffff">Shorewall Installation and
-Upgrade</font></h1>
+ Upgrade</font></h1>
       </td>
     </tr>
@ -30,17 +30,19 @@ Upgrade</font></h1>
 href="upgrade_issues.htm">Upgrade Issues</a></b></p>
 <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
-  <a href="#Install_Tarball">Install using tarball</a><br>
+   <a href="#Install_Tarball">Install using tarball<br>
 </a><a href="#LRP">Install the .lrp</a><br>
   <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
-  <a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
+   <a href="#Upgrade_Tarball">Upgrade using tarball<br>
 </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
   <a href="#Config_Files">Configuring Shorewall</a><br>
   <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
 <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
 <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
-shell  prompt, type "/sbin/iptables --version"), you must upgrade to version 
+ shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
-1.2.4  either from the <a
+ 1.2.4  either from the <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
  site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
  attempting to start Shorewall.</b></p>
@ -48,23 +50,23 @@ shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
 <ul>
     <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
     <br>
-    <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports 
+     <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
-a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. 
+reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-If this    happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps 
+installed.  If this    happens, simply use the --nodeps option to rpm (rpm
-&lt;shorewall    rpm&gt;).</li>
+-ivh --nodeps  &lt;shorewall    rpm&gt;).</li>
     <li>Edit the <a href="#Config_Files"> configuration files</a> to match
-your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> 
+ your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
-SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
+ SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
-IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND 
+ IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
-AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK 
+ AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
-TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK 
+NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO
-CONNECTIVITY.</b></font></li>
+RESTORE NETWORK  CONNECTIVITY.</b></font></li>
     <li>Start the firewall by typing "shorewall start"</li>
 </ul>
 <p><a name="Install_Tarball"></a>To     install Shorewall using the tarball
-and install     script: </p>
+ and install     script: </p>
 <ul>
     <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -79,60 +81,65 @@ and install     script: </p>
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
     <li>If you are using <a href="http://www.suse.com">SuSe</a> then type 
    "./install.sh /etc/init.d"</li>
-    <li>If your distribution has directory             /etc/rc.d/init.d or 
+     <li>If your distribution has directory             /etc/rc.d/init.d
-/etc/init.d then type             "./install.sh"</li>
+or  /etc/init.d then type             "./install.sh"</li>
     <li>For other distributions, determine where your             distribution
-installs init scripts and type             "./install.sh &lt;init script directory&gt;</li>
+ installs init scripts and type             "./install.sh &lt;init script
 directory&gt;</li>
     <li>Edit the <a href="#Config_Files"> configuration files</a> to match
-your configuration.</li>
+ your configuration.</li>
     <li>Start the firewall by typing "shorewall             start"</li>
     <li>If the install script was unable to configure Shorewall to be started
-automatically at boot,             see <a
+ automatically at boot,             see <a
 href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
 </ul>
 <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
 disk, simply replace the "shorwall.lrp" file on the image with the file that
 you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
 Guide</a> for information about further steps required.</p>
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
-and are upgrading to a new version:</p>
+ and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-you  have entries in the /etc/shorewall/hosts file then please check your
+and you  have entries in the /etc/shorewall/hosts file then please check
- /etc/shorewall/interfaces file to be sure that it contains an entry for
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-each  interface mentioned in the hosts file. Also, there are certain 1.2
+for each  interface mentioned in the hosts file. Also, there are certain
-rule forms  that are no longer supported under 1.3 (you must use the new
+1.2 rule forms  that are no longer supported under 1.3 (you must use the
-1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
+new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
-You can check your rules and  host file for 1.3 compatibility using the "shorewall
+details. You can check your rules and  host file for 1.3 compatibility using
-check" command after  installing the latest version of 1.3.</p>
+the "shorewall check" command after  installing the latest version of 1.3.</p>
 <ul>
     <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
-you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
+ you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
-    you must use the "--oldpackage" option to rpm (e.g., "rpm     -Uvh --oldpackage
+installed,     you must use the "--oldpackage" option to rpm (e.g., "rpm
-shorewall-1.2-0.noarch.rpm").        
+    -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").             
    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
-rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
+ rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-installed. If this    happens, simply use the --nodeps option to rpm (rpm 
+is installed. If this    happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
+ -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
       </p>
    </li>
    <li>See if there are any incompatibilities between your configuration 
-and the    new Shorewall version (type "shorewall check") and correct as
+and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
 necessary.</li>
     <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
-are upgrading to a new version using the tarball:</p>
+and are upgrading to a new version using the tarball:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-you  have entries in the /etc/shorewall/hosts file then please check your
+and you  have entries in the /etc/shorewall/hosts file then please check
- /etc/shorewall/interfaces file to be sure that it contains an entry for
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-each  interface mentioned in the hosts file.  Also, there are certain 1.2
+for each  interface mentioned in the hosts file.  Also, there are certain
-rule  forms that are no longer supported under 1.3 (you must use the new
+1.2 rule  forms that are no longer supported under 1.3 (you must use the
-1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
+new 1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
-details. You can check your rules  and host file for 1.3 compatibility using
+for details. You can check your rules  and host file for 1.3 compatibility
-the "shorewall check" command after  installing the latest version of 1.3.</p>
+using the "shorewall check" command after  installing the latest version
 of 1.3.</p>
 <ul>
     <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -147,27 +154,33 @@ the "shorewall check" command after  installing the latest version of 1.3.</p>
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
     <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type 
    "./install.sh /etc/init.d"</li>
-    <li>If your distribution has directory             /etc/rc.d/init.d or 
+     <li>If your distribution has directory             /etc/rc.d/init.d
-/etc/init.d then type             "./install.sh"</li>
+or  /etc/init.d then type             "./install.sh"</li>
     <li>For other distributions, determine where your             distribution
-installs init scripts and type             "./install.sh &lt;init script directory&gt;</li>
+ installs init scripts and type             "./install.sh &lt;init script
 directory&gt;</li>
     <li>See if there are any incompatibilities between your configuration
-and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
+ and the    new Shorewall version (type "shorewall check") and correct as
 necessary.</li>
     <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-       
+         <a name="LRP_Upgrade"></a>If you already have a running Bering installation
 and wish to upgrade to a later version of Shorewall:<br>
 <br>
     <b>UNDER CONSTRUCTION...</b><br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
 <p>You will need to edit some or all of these configuration files to match
-your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
+ your  setup. In most cases, the <a
- QuickStart Guides</a> contain all of the information you need.</p>
+ href="shorewall_quickstart_guide.htm">Shorewall   QuickStart Guides</a>
 contain all of the information you need.</p>
 <ul>
     <li>/etc/shorewall/shorewall.conf - used to set several firewall   
     parameters.</li>
     <li>/etc/shorewall/params - use this file to set shell variables that
-you will     expand in other files.</li>
+ you will     expand in other files.</li>
     <li>/etc/shorewall/zones - partition the firewall's view of the world 
        into <i>zones.</i></li>
     <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
@ -185,22 +198,23 @@ you will     expand in other files.</li>
     <li>/etc/shorewall/nat - defines static NAT rules.</li>
     <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
     <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
-hosts    accessible when Shorewall is stopped.</li>
+ hosts    accessible when Shorewall is stopped.</li>
     <li>/etc/shorewall/tcrules - defines marking of packets for later use
-by     traffic control/shaping.</li>
+ by     traffic control/shaping.</li>
-    <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
+     <li>/etc/shorewall/tos - defines rules for setting the TOS field in
-         headers.</li>
+packet          headers.</li>
     <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on 
        the firewall system.</li>
     <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
 </ul>
-<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a>
-</font></p>
+ </font></p>
-<p><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>   © <font
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
    <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@ -28,9 +28,10 @@
       </a><br>
       </td>
     </tr>
  </tbody> 
 </table>
-<br>
+ <br>
    This page covers Shorewall configuration to use with <a
 href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent 
  Proxy</b></u>.&nbsp;<br>
@ -68,15 +69,15 @@ server.<br>
 file<br>
   <br>
   &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
-</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
+ </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
   <br>
   Three different configurations are covered:<br>
 <ol>
     <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
-Firewall.</a></li>
+ Firewall.</a></li>
-    <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local 
+     <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
-network</a></li>
+local  network</a></li>
     <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
 </ol>
@ -146,14 +147,14 @@ network</a></li>
 <h2><a name="Local"></a>Squid Running in the local network</h2>
      You want to redirect all local www connection requests  to a Squid
                                                 transparent       proxy
-running   in your local zone at 192.168.1.3 and listening on port  3128.
+ running   in your local zone at 192.168.1.3 and listening on port  3128. 
-Your local  interface is eth1. There may also be a web server running on
+Your local  interface is eth1. There may also be a web server running on 192.168.1.3.
-192.168.1.3. It is assumed that web access is already enabled from the local
+It is assumed that web access is already enabled from the local zone to the
-zone to the internet.<br>
+internet.<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
   other aspects of your gateway including but not limited to traffic shaping
-  and route redirection. For that reason, I don't recommend it.<br>
+   and route redirection. For that reason, <b>I don't recommend it</b>.<br>
       </p>
 <ul>
@ -266,7 +267,7 @@ zone to the internet.<br>
 <ul>
      <li>On 192.168.1.3, arrange for the following command to be executed
-after   networking has come up<br>
+ after   networking has come up<br>
    <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
        </li>
@ -312,15 +313,95 @@ after   networking has come up<br>
      </blockquote>
 <ul>
-      <li>&nbsp;In /etc/shorewall/start add:<br>
+       <li>&nbsp;Do<b> one </b>of the following:<br>
    <br>
 A) In /etc/shorewall/start add<br>
      </li>
 </ul>
 <blockquote>            
-  <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
+  <pre><b><font color="#009900">	iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
-   </blockquote>
+</blockquote>
 <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
 and add the following entry in /etc/shorewall/tcrules:<br>
 </blockquote>
 <blockquote>
  <blockquote>
    <table cellpadding="2" border="1" cellspacing="0">
      <tbody>
        <tr>
          <td valign="top">MARK<br>
          </td>
          <td valign="top">SOURCE<br>
          </td>
          <td valign="top">DESTINATION<br>
          </td>
          <td valign="top">PROTOCOL<br>
          </td>
          <td valign="top">PORT<br>
          </td>
          <td valign="top">CLIENT PORT<br>
          </td>
        </tr>
        <tr>
          <td valign="top">202<br>
          </td>
          <td valign="top">eth2<br>
          </td>
          <td valign="top">0.0.0.0/0<br>
          </td>
          <td valign="top">tcp<br>
          </td>
          <td valign="top">80<br>
          </td>
          <td valign="top">-<br>
          </td>
        </tr>
      </tbody>
    </table>
  </blockquote>
 C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
 </blockquote>
 <blockquote>   
  <blockquote>     
    <table cellpadding="2" border="1" cellspacing="0">
       <tbody>
         <tr>
           <td valign="top">MARK<br>
           </td>
           <td valign="top">SOURCE<br>
           </td>
           <td valign="top">DESTINATION<br>
           </td>
           <td valign="top">PROTOCOL<br>
           </td>
           <td valign="top">PORT<br>
           </td>
           <td valign="top">CLIENT PORT<br>
           </td>
         </tr>
         <tr>
           <td valign="top">202:P<br>
           </td>
           <td valign="top">eth2<br>
           </td>
           <td valign="top">0.0.0.0/0<br>
           </td>
           <td valign="top">tcp<br>
           </td>
           <td valign="top">80<br>
           </td>
           <td valign="top">-<br>
           </td>
         </tr>
      </tbody>     
    </table>
   </blockquote>
  <br>
 </blockquote>
 <ul>
       <li>In /etc/shorewall/rules, you will need:</li>
@ -392,7 +473,7 @@ after   networking has come up<br>
 <blockquote>  </blockquote>
-<p><font size="-1">   Updated 1/10/2003 - <a
+<p><font size="-1">   Updated 1/23/2003 - <a
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a>  
          </font></p>
@ -404,5 +485,6 @@ after   networking has come up<br>
       <br>
     <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -60,15 +60,15 @@
  Manual</a></li>
                                   <li> <a href="FAQ.htm">FAQs</a></li>
                                    <li><a href="useful_links.html">Useful
-Links</a><br>
+ Links</a><br>
                                    </li>
                                   <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                   <li> <a href="errata.htm">Errata</a></li>
                                   <li> <a href="upgrade_issues.htm">Upgrade
  Issues</a></li>
                                   <li> <a href="support.htm">Support</a></li>
-                                  <li> <a href="mailing_list.htm">Mailing 
+                                   <li> <a
-Lists</a></li>
+ href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
                                   <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
@ -109,7 +109,8 @@ Lists</a></li>
                                   <li>   <a href="News.htm">News Archive</a></li>
                                   <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                                  <li> <a href="quotes.htm">Quotes from Users</a></li>
+                                   <li> <a href="quotes.htm">Quotes from
 Users</a></li>
                                   <li> <a href="shoreline.htm">About the 
 Author</a></li>
                                   <li> <a
@ -129,7 +130,7 @@ Author</a></li>
 <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
                    <strong><br>
                         <b>Note: </b></strong>Search is unavailable Daily
-0200-0330      GMT.<br>
+ 0200-0330      GMT.<br>
                         <strong></strong>                              
  <p><strong>Quick Search</strong><br>
@ -139,9 +140,9 @@ Author</a></li>
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
-                              <font face="Arial">   <input type="hidden"
+                               <font face="Arial">   <input
- name="exclude" value="[http://lists.shorewall.net/pipermail/*]">   </font>
+ type="hidden" name="exclude"
-       </form>
+ value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
@ -161,5 +162,6 @@ Author</a></li>
        <br>
     <br>
      <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -18,6 +18,7 @@
                                             <base target="main">       
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -51,8 +52,8 @@
                            <li> <a href="Install.htm">Installation/Upgrade/</a><br>
                              <a href="Install.htm">Configuration</a><br>
                            </li>
-                           <li> <a href="shorewall_quickstart_guide.htm">QuickStart 
+                            <li> <a
-     Guides   (HOWTOs)</a><br>
+ href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                             </li>
                                                    <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
@ -67,8 +68,8 @@
                                    <li> <a href="upgrade_issues.htm">Upgrade 
  Issues</a></li>
                                    <li> <a href="support.htm">Support</a></li>
-                                   <li> <a href="mailing_list.htm">Mailing
+                                    <li> <a
- Lists</a></li>
+ href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
                                    <li> <a href="shorewall_mirrors.htm">Mirrors</a>
@ -112,7 +113,7 @@
                                    <li> <a href="quotes.htm">Quotes from 
 Users</a></li>
                                    <li> <a href="shoreline.htm">About the
-Author</a></li>
+ Author</a></li>
                                    <li> <a
 href="sourceforge_index.htm#Donations">Donations</a></li>
@ -161,5 +162,6 @@ Author</a></li>
     <br>
     <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -2,6 +2,7 @@
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
@ -9,6 +10,7 @@
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -44,9 +46,9 @@
                                  </li>
                     <li>                                               
-    <p align="left">          <b>If you are installing Shorewall for the
+    <p align="left">          <b>If you are installing Shorewall for the first
-first time and plan to use the        .tgz and install.sh script, you can
+time and plan to use the        .tgz and install.sh script, you can untar
-untar the archive, replace the        'firewall' script in the untarred directory
+the archive, replace the        'firewall' script in the untarred directory 
        with the one you downloaded        below, and then run install.sh.</b></p>
                                  </li>
                     <li>                                               
@ -59,14 +61,14 @@ untar the archive, replace the        'firewall' script in the untarred director
              or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
              and /var/lib/shorewall/firewall  are symbolic links that point
          to the 'shorewall' file used by your  system initialization scripts
-   to         start Shorewall during boot. It is  that file that must be overwritten
+    to         start Shorewall during boot. It is  that file that must be
-             with the corrected script. Beginning with Shorewall 1.3.11,
+overwritten              with the corrected script. Beginning with Shorewall
-you may rename the existing file before copying in the new file.</b></p>
+1.3.11, you may rename the existing file before copying in the new file.</b></p>
             </li>
             <li>                                                       
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS 
-     ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
+     ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
-For    example,  do NOT install the 1.3.9a firewall script if you are running
+   example,  do NOT install the 1.3.9a firewall script if you are running 
 1.3.7c.</font></b><br>
                         </p>
             </li>
@ -91,7 +93,7 @@ RPM   on  SuSE</a></b></li>
                     <li><b><a href="#Multiport">Problems with iptables version 
   1.2.7    and       MULTIPORT=Yes</a></b></li>
               <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and
-NAT</a></b><br>
+ NAT</a></b><br>
               </li>
 </ul>
@ -104,15 +106,21 @@ NAT</a></b><br>
 <ul>
    <li>The 'shorewall add' command produces an error message referring to
-'find_interfaces_by_maclist'.</li>
+ 'find_interfaces_by_maclist'.</li>
   <li>The 'shorewall delete' command can leave behind undeleted rules.<br>
   </li>
 </ul>
-Both problems are corrected by <a
+ Both problems are corrected by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this 
 firewall script</a> which may be installed in /usr/lib/shorewall as described 
 above.<br>
 <ul>
  <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
 are not supported in this version or in 1.3.12. If you need such support,
 post on the users list and I can provide you with a patched version.<br>
  </li>
 </ul>
 <h3>Version 1.3.12</h3>
@ -122,7 +130,10 @@ the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is
 corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this 
 firewall script</a> which may be installed in /usr/lib/shorewall as described 
- above.<br>
+ above.</li>
  <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) 
 are not supported in this version or in 1.3.13. If you need such support, 
 post on the users list and I can provide you with a patched version.<br>
   </li>
 </ul>
@ -130,8 +141,8 @@ corrected  by <a
 <h3>Version 1.3.12 LRP</h3>
 <ul>
-     <li>The .lrp was missing the /etc/shorewall/routestopped file -- a new 
+      <li>The .lrp was missing the /etc/shorewall/routestopped file -- a
- lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
+new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
      </li>
 </ul>
@ -179,12 +190,11 @@ as  the .rpm you will get from there has been corrected.</li>
   on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, 
        <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
-    version of the firewall script</a> may help. Please report any cases
+    version of the firewall script</a> may help. Please report any cases where
-where     installing this script in /usr/lib/shorewall/firewall solved your
+    installing this script in /usr/lib/shorewall/firewall solved your connection
-connection     problems. Beginning with version 1.3.10, it is safe to save
+    problems. Beginning with version 1.3.10, it is safe to save the old version
-the old version     of /usr/lib/shorewall/firewall before copying in the
+    of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
-new one since /usr/lib/shorewall/firewall     is the real script now and
+    is the real script now and not just a symbolic link to the real script.<br>
 not just a symbolic link to the real script.<br>
            </li>
 </ul>
@ -203,7 +213,7 @@ not just a symbolic link to the real script.<br>
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
      corrects this problem.Copy the script to /usr/lib/shorewall/firewall
-as   described  above.<br>
+ as   described  above.<br>
           </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the 
@ -233,7 +243,7 @@ as   described  above.<br>
              Version 1.3.8                 
 <ul>
                  <li> Use of shell variables in the LOG LEVEL or SYNPARMS
-columns     of  the  policy file doesn't work.</li>
+ columns     of  the  policy file doesn't work.</li>
                  <li>A DNAT rule with the same original and new IP addresses 
  but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 
    tcp   25 - 10.1.1.1")<br>
@ -243,8 +253,8 @@ columns     of  the  policy file doesn't work.</li>
                Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">    
                          this corrected firewall script</a> in /var/lib/shorewall/firewall 
-                                       as described above corrects these
+                                       as described above corrects these problems.
-problems.                       
+                       
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                        
@ -276,15 +286,15 @@ problems.
                                       has two problems:</p>
 <ol>
-                                                 <li>If the firewall is running 
+                                                  <li>If the firewall is
-   a  DHCP   server,                                   the client won't be 
+running     a  DHCP   server,                                   the client
- able   to obtain   an IP  address                                  lease 
+won't be   able   to obtain   an IP  address                            
-from that   server.</li>
+     lease  from that   server.</li>
-                                                 <li>With this order of checking, 
+                                                  <li>With this order of
-    the   "dhcp"                                   option cannot be used as
+checking,      the   "dhcp"                                   option cannot
-  a  noise-reduction                                     measure where there
+be used as   a  noise-reduction                                     measure
-  are  both dynamic and    static                                  clients
+where there   are  both dynamic and    static                           
- on a LAN segment.</li>
+      clients  on a LAN segment.</li>
 </ol>
@ -316,6 +326,7 @@ above.</p>
 <ul>
                              <li>                                      
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf, 
        an error occurs when the firewall            script attempts to add 
  an   SNAT   alias.  </p>
@ -388,10 +399,10 @@ above.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
-         to not verify that the zones named in the /etc/shorewall/policy
+        to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                   changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -401,20 +412,20 @@ so it's a            good idea to run that command after you have made configura
        by that name" then you probably have an entry in            /etc/shorewall/hosts 
        that specifies an interface that you didn't            include in 
 /etc/shorewall/interfaces.        To correct this problem, you           
- must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 and
+must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 and 
           later versions produce a clearer error    message    in this case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
-           file can be identified by its size (56284 bytes). The correct
+          file can be identified by its size (56284 bytes). The correct version
-version            has a size of 38126 bytes.</p>
+           has a size of 38126 bytes.</p>
 <ul>
                              <li>The code to detect a duplicate interface
-entry    in             /etc/shorewall/interfaces contained a typo that prevented 
+ entry    in             /etc/shorewall/interfaces contained a typo that
-  it from               working correctly. </li>
+prevented    it from               working correctly. </li>
                              <li>"NAT_BEFORE_RULES=No" was broken; it behaved
   just   like   "NAT_BEFORE_RULES=Yes".</li>
@ -428,6 +439,7 @@ entry    in             /etc/shorewall/interfaces contained a typo that prevente
 <ul>
                              <li>                                      
    <p align="left">The IANA have just announced the allocation of subnet 
                   221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">     
@ -446,8 +458,8 @@ entry    in             /etc/shorewall/interfaces contained a typo that prevente
 is  sometimes                 generated for a CONTINUE policy.</li>
                              <li>When an option is given for more than one 
 interface      in               /etc/shorewall/interfaces then depending 
-on the option,     Shorewall                may ignore all but the first
+on the option,     Shorewall                may ignore all but the first appearence
-appearence of the   option.  For example:<br>
+of the   option.  For example:<br>
                              <br>
                              net    eth0    dhcp<br>
                              loc    eth1    dhcp<br>
@ -455,9 +467,9 @@ appearence of the   option.  For example:<br>
                              Shorewall will ignore the 'dhcp' on eth1.</li>
                              <li>Update 17 June 2002 - The bug described 
 in  the   prior    bullet               affects the following options: dhcp,
-dropunclean,   logunclean,                 norfc1918, routefilter, multi, 
+ dropunclean,   logunclean,                 norfc1918, routefilter, multi,
-filterping and   noping. An additional                 bug has been found 
+ filterping and   noping. An additional                 bug has been found
-that affects only   the 'routestopped' option.<br>
+ that affects only   the 'routestopped' option.<br>
                              <br>
                              Users who downloaded the corrected script prior 
  to  1850   GMT   today              should download and install the corrected
@ -504,10 +516,10 @@ have installed.</li>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
-         corrected 1.2.3 rpm which you can download here</a>  and I have also
+          corrected 1.2.3 rpm which you can download here</a>  and I have
-    built            an <a
+also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+ iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
        running RedHat 7.1, you can install either of these RPMs         
    <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
@ -516,7 +528,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
        has   released an iptables-1.2.4 RPM of their own which you can download 
       from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
-          </font>I have installed this RPM   on my firewall and it works fine.</p>
+           </font>I have installed this RPM   on my firewall and it works
 fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself, 
@ -530,10 +543,12 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p align="left">To install one of the above patches:</p>
  <ul>
                            <li>cd iptables-1.2.3/extensions</li>
                            <li>patch -p0 &lt; <i>the-patch-file</i></li>
  </ul>
                             </blockquote>
@ -552,12 +567,12 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p>The RedHat iptables RPM is compiled with debugging enabled but the 
   user-space debugging code was not updated to reflect recent changes in 
-        the     Netfilter 'mangle' table. You can correct the problem by
+        the     Netfilter 'mangle' table. You can correct the problem by installing
-installing            <a
+           <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
            this iptables RPM</a>. If you are already running a 1.2.5 version
    of       iptables, you will need to specify the --oldpackage option to
-rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+ rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                   </blockquote>
@ -585,8 +600,8 @@ rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
 <ul>
                                                  <li>set MULTIPORT=No in 
                                 /etc/shorewall/shorewall.conf; or </li>
-                                                 <li>if you are running Shorewall 
+                                                  <li>if you are running
-    1.3.6    you may                                  install            
+Shorewall      1.3.6    you may                                  install
                                <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
                            this firewall script</a> in /var/lib/shorewall/firewall 
@ -605,11 +620,11 @@ in  Shorewall     being unable to start:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
             The solution is to put "no" in the LOCAL column. Kernel support
- for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. 
+  for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled
- The  2.4.19 kernel   contains corrected support under a new kernel configuraiton 
+it.   The  2.4.19 kernel   contains corrected support under a new kernel
-  option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 1/21/2003 -                             
+<p><font size="2">  Last updated 1/25/2003 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
@ -622,5 +637,6 @@ in  Shorewall     being unable to start:<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/images/Thumbs.db
+++ b/Shorewall-docs/images/Thumbs.db
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -22,7 +22,7 @@
 border="0">
                    <tbody>
                     <tr>
-                     <td width="33%" valign="middle">                   
+                      <td width="33%" valign="middle" align="left">     
      <h1 align="center"><a
@ -32,28 +32,32 @@
                 </a></h1>
-                                  
+                                          <a
      <h1 align="center"><a
 href="http://www.gnu.org/software/mailman/mailman.html">         <img
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35" alt="">
-                      </a></h1>
+                       </a>                       
-               
+      <p align="right"><font color="#ffffff"><b>      </b></font>     </p>
      <p align="right"><br>
        <font color="#ffffff"><b>            </b></font>     </p>
                       </td>
         <td valign="middle" width="34%" align="center">                
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
         </td>
-        <td valign="middle" width="33%">              
+         <td valign="middle" width="33%">                     <a
-      <h1 align="center"><a href="http://www.postfix.org/">       <img
+ href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45" alt="(Postfix Logo)">
-                      </a></h1>
+                       </a><br>
      <div align="left"><a href="http://www.spamassassin.org"><img
 src="file:///J:/Shorewall-docs/images/ninjalogo.png" alt="" width="110"
 height="42" align="right" border="0">
      </a> </div>
      <br>
      <div align="right"><br>
-        <b><font color="#ffffff">Powered by Postfix    </font></b><br>
+         <b><font color="#ffffff"><br>
 Powered by Postfix    </font></b><br>
         </div>
         </td>
                    </tr>
@ -87,35 +91,34 @@
               <li>to ensure that the sender address is fully qualified.</li>
               <li>to verify that the sender's domain has an A or MX record 
 in  DNS.</li>
-              <li>to ensure that the host name in the HELO/EHLO command is
+               <li>to ensure that the host name in the HELO/EHLO command
- a  valid    fully-qualified  DNS name that resolves.</li>
+is  a  valid    fully-qualified  DNS name that resolves.</li>
 </ol>
 <h2>Please post in plain text</h2>
       A growing number of MTAs serving list subscribers are rejecting all
-HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net 
+ HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net
-"for  continuous abuse" because it has been my policy to allow HTML in list 
+ "for  continuous abuse" because it has been my policy to allow HTML in list
-posts!!<br>
+ posts!!<br>
       <br>
       I think that blocking all HTML is a Draconian way to control spam
-and   that the ultimate losers here are not the spammers but the list subscribers
+ and   that the ultimate losers here are not the spammers but the list subscribers 
   whose MTAs are bouncing all shorewall.net mail. As one list subscriber 
-wrote  to me privately "These e-mail admin's need to get a <i>(explitive
+wrote  to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
-deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
+ life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
-Nevertheless,  to allow subscribers to receive list posts as must as possible,
+ to allow subscribers to receive list posts as must as possible, I have now
-I have now  configured the list server at shorewall.net to strip all HTML
+ configured the list server at shorewall.net to strip all HTML from outgoing
-from outgoing  posts. This means that HTML-only posts will be bounced by
+ posts. This means that HTML-only posts will be bounced by the list server.<br>
 the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
    </p>
 <h2>Other Mail Delivery Problems</h2>
     If you find that you are missing an occasional list post, your e-mail
-admin  may be blocking mail whose <i>Received:</i> headers contain the names 
+ admin  may be blocking mail whose <i>Received:</i> headers contain the names
-of certain ISPs. Again, I believe that such policies hurt more than they help
+ of certain ISPs. Again, I believe that such policies hurt more than they
-but I'm not prepared to go so far as to start stripping <i>Received:</i>
+help but I'm not prepared to go so far as to start stripping <i>Received:</i> 
 headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -135,6 +138,7 @@ but I'm not prepared to go so far as to start stripping <i>Received:</i>
  <option value="builtin-short">Short </option>
  </select>
                 Sort by:                                               
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -143,22 +147,22 @@ but I'm not prepared to go so far as to start stripping <i>Received:</i>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-                </font> <input type="hidden" name="config" value="htdig"> 
+                 </font> <input type="hidden" name="config"
-  <input type="hidden" name="restrict"
+ value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                 Search: <input type="text" size="30" name="words"
 value="">    <input type="submit" value="Search"> </p>
                 </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the entire
+<h2 align="left"><font color="#ff0000">Please do not try to download the
-Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
+entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
-stand the traffic. If I catch you, you will be blacklisted.<br>
+won't stand the traffic. If I catch you, you will be blacklisted.<br>
          </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
               If you want to trust X.509 certificates issued by Shoreline
-Firewall     (such   as the one used on my web site), you may <a
+ Firewall     (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a> 
       in your browser. If you don't wish to trust my certificates then you 
  can    either use unencrypted access when subscribing to Shorewall mailing 
@ -176,13 +180,15 @@ this list.</p>
        the <a href="support.htm">problem reporting guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list:<br>
-</p>
+ </p>
 <ul>
   <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
   <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
 </ul>
 <p align="left">To post to the list, post to <a
@ -191,24 +197,28 @@ this list.</p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
-at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
-list may be found at <a
+may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the
         Shorewall community. To subscribe:<br>
-</p>
+ </p>
 <p align="left"></p>
 <ul>
   <li><b>Insecure:</b> <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
   <li><b>SSL</b>: <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
 </ul>
 <p align="left"><br>
               The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
@ -221,13 +231,16 @@ list may be found at <a
 <p align="left">To subscribe to the mailing list:<br>
  </p>
 <ul>
   <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
   <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
 </ul>
 <p align="left">              To post to the list, post to <a
 href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
@ -273,8 +286,8 @@ to you.</p>
 <p align="left"><font size="2">Last updated 1/14/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
-<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
        </p>
        <br>
       <br>
@ -283,5 +296,6 @@ to you.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@ -37,13 +37,14 @@
 use a combination of Static NAT and Proxy ARP, neither of which are relevant 
 to a simple configuration with a single public IP address.</small></b></big><big><b><small> 
 If you have just a single public IP address, most of what you see here won't 
-apply to your setup so beware of copying parts of this configuration and
+apply to your setup so beware of copying parts of this configuration and expecting
-expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
+them to work for you. What you copy may or may not work in your setup. </small></b></big><br>
   </p>
  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). 
    My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
    is connected to eth0. I have a local network connected to eth2 (subnet
-192.168.1.0/24)     and a DMZ connected to eth1 (192.168.2.0/24). </p>
+ 192.168.1.0/24)     and a DMZ connected to eth1 (192.168.2.0/24). </p>
  <p> I use:<br>
          </p>
@ -54,7 +55,7 @@ expecting them to work for you. They may or may not work in your setup. </small>
            <li>Proxy ARP for wookie (my Linux System). This system has two 
 IP  addresses:  192.168.1.3/24 and 206.124.146.179/24.</li>
            <li>SNAT through the primary gateway address (206.124.146.176)
-for    my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
+ for    my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
  </ul>
@ -64,14 +65,14 @@ for
    own 'whitelist' zone  called 'me'.</p>
  <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
-   It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software 
+    It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
-   and is managed by Proxy ARP. It connects to the  local network through 
+software     and is managed by Proxy ARP. It connects to the  local network
-the   PopTop server running on my firewall. </p>
+through  the   PopTop server running on my firewall. </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
-   Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
+    Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
-   (Pure-ftpd). The system   also runs fetchmail to fetch our email from
+server    (Pure-ftpd). The system   also runs fetchmail to fetch our email
-our    old and current ISPs. That server is managed through Proxy ARP.</p>
+from our    old and current ISPs. That server is managed through Proxy ARP.</p>
  <p> The firewall system itself runs a DHCP server that serves the local
      network.</p>
@ -96,7 +97,7 @@ our    old and current ISPs. That server is managed through Proxy ARP.</p>
                              Shorewall automatically adds a host route to 
                           206.124.146.177 through eth1 (192.168.2.1) because
    of                           the entry in /etc/shorewall/proxyarp (see
-below).</p>
+ below).</p>
  <p>A similar setup is used on eth3 (192.168.3.1) which                
           interfaces to my laptop (206.124.146.180).<br>
@ -120,8 +121,8 @@ below).</p>
 <h3>Interfaces File: </h3>
 <blockquote>                                                        
-  <p> This is set up so that I can start the firewall before bringing up my
+  <p> This is set up so that I can start the firewall before bringing up
-Ethernet  interfaces. </p>
+my Ethernet  interfaces. </p>
             </blockquote>
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp,filterping,maclist<br>	dmz	eth1 		206.124.146.255	filterping<br>	net	eth3		206.124.146.255 filterping,blacklist<br>	-	texas 		-               filterping<br>	loc	ppp+		-		filterping<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -137,6 +138,7 @@ Ethernet  interfaces. </p>
 <h3>Common File: </h3>
 <pre><font size="2" face="Courier">	. /etc/shorewall/common.def<br>	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
 <h3>Policy File:</h3>
 <pre><font size="2" face="Courier">
@ -183,5 +185,6 @@ Ethernet  interfaces. </p>
           <a href="copyright.htm"><font size="2">Copyright</font>      © 
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -27,39 +27,49 @@
 coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>) 
 was added to /etc/shorewall/shorewall.conf. The value of that option determines 
 the overall handling of ICMP echo requests (pings).<br>
 <h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
-In 1.3.14, Ping handling was put under control of the rules and policies
+ In 1.3.14, Ping handling was put under control of the rules and policies 
-just like any other connection request. In order to accept ping requests
+just like any other connection request. In order to accept ping requests from
-from zone z1 to zone z2, you need a rule in /etc/shoreall/rules of the form:<br>
+zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
 a rule in /etc/shoreall/rules of the form:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
-</blockquote>
+ </blockquote>
-Example: <br>
+ Example: <br>
-<br>
+ <br>
-To permit ping from the local zone to the firewall:<br>
+ To permit ping from the local zone to the firewall:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
-</blockquote>
+ </blockquote>
-    If you would like to accept 'ping' by default, create <b>/etc/shorewall/icmpdef
+     If you would like to accept 'ping' by default even when the relevant
-</b>if it doesn't already exist and in that file place the following command:<br>
+policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
 already exist and in that file place the following command:<br>
 <blockquote>   
  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
-</blockquote>
+ </blockquote>
-With that rule in place, if you want to ignore 'ping' from z1 to z2 then
+ With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
 you need a rule of the form:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
-</blockquote>
+ </blockquote>
-Example:<br>
+ Example:<br>
-<br>
+ <br>
-To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
+ To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
-</blockquote>
+ </blockquote>
 <blockquote>      </blockquote>
 <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
-</h2>
+ </h2>
-There are several aspects to the old Shorewall Ping management:<br>
+ There are several aspects to the old Shorewall Ping management:<br>
 <ol>
    <li>The <b>noping</b> and <b>filterping </b>interface options in <a
@ -74,8 +84,8 @@ There are several aspects to the old Shorewall Ping management:<br>
 <ol>
    <li>Ping requests addressed to the firewall itself; and</li>
    <li>Ping requests being forwarded to another system. Included here are
-all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple 
+ all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
-routing.</li>
+ routing.</li>
 </ol>
  These cases will be covered separately.<br>
@ -84,13 +94,13 @@ routing.</li>
  For ping requests addressed to the firewall, the sequence is as follows:<br>
 <ol>
-   <li>If neither <b>noping</b> nor <b>filterping </b>are specified for the 
+    <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
-interface that receives the ping request then the request will be responded 
+the  interface that receives the ping request then the request will be responded
-to with an ICMP echo-reply.</li>
+ to with an ICMP echo-reply.</li>
    <li>If <b>noping</b> is specified for the interface that receives the 
 ping request then the request is ignored.</li>
    <li>If <b>filterping </b>is specified for the interface then the request
-is passed to the rules/policy evaluation.</li>
+ is passed to the rules/policy evaluation.</li>
 </ol>
@ -107,24 +117,24 @@ Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 with an ICMP echo-reply):<br>
  <br>
  &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
-icmp&nbsp;&nbsp;&nbsp; 8<br>
+ icmp&nbsp;&nbsp;&nbsp; 8<br>
  <br>
  Example 2. Drop pings from the net to the firewall<br>
  <br>
  &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
-icmp&nbsp;&nbsp;&nbsp; 8<br>
+ icmp&nbsp;&nbsp;&nbsp; 8<br>
 <h3>Policy Evaluation</h3>
  If no applicable rule is found, then the policy for the source to the destination
-is applied.<br>
+ is applied.<br>
 <ol>
    <li>If the relevant policy is ACCEPT then the request is responded to 
 with an ICMP echo-reply.</li>
    <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
-then the request is responded to with an ICMP echo-reply.</li>
+ then the request is responded to with an ICMP echo-reply.</li>
    <li>Otherwise, the relevant REJECT or DROP policy is used and the request
-is either rejected or simply ignored.</li>
+ is either rejected or simply ignored.</li>
 </ol>
@ -135,5 +145,6 @@ is either rejected or simply ignored.</li>
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -13,7 +13,8 @@
-                                              <base target="_self">
+                                                          <base
 target="_self">
 </head>
  <body>
@ -41,8 +42,10 @@
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                  </a></i></font><font color="#ffffff">Shorewall      1.3 
+                     </a></i></font><font color="#ffffff">Shorewall     
-  -               <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
+1.3     -               <font size="4">"<i>iptables                   made
 easy"</i></font></font></h1>
@ -93,6 +96,7 @@
      <h2 align="left">What is it?</h2>
@ -104,9 +108,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-       that can be used on a dedicated firewall system, a multi-function 
+firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -120,8 +124,8 @@
      <p>This program is free software; you can redistribute it and/or modify
                                         it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
-Public License</a> as published by the Free Software        Foundation.<br>
+General Public License</a> as published by the Free Software        Foundation.<br>
                         <br>
@ -129,13 +133,13 @@ Public License</a> as published by the Free Software        Foundation.<br>
   that     it   will     be  useful,    but         WITHOUT  ANY    WARRANTY; 
    without      even the   implied    warranty      of MERCHANTABILITY  
          or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the 
- GNU General     Public  License           for  more details.<br>
+GNU General     Public  License           for  more details.<br>
                         <br>
                    You   should    have   received     a  copy   of  the 
-GNU     General         Public      License             along  with   this
+  GNU     General         Public      License             along  with   this 
-program;       if  not,    write  to  the    Free Software        Foundation,
+ program;       if  not,    write  to  the    Free Software        Foundation, 
            Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -162,8 +166,8 @@ program;       if  not,    write  to  the    Free Software        Foundation,
 border="0" src="images/leaflogo.gif" width="49" height="36">
                     </a>Jacques              Nilo   and   Eric   Wolzak
-have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or
+   have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD 
-compact     flash)  distribution        called              <i>Bering</i>
+ or compact     flash)  distribution        called              <i>Bering</i> 
    that          features      Shorewall-1.3.10  and    Kernel-2.4.18.  
    You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
@ -171,14 +175,17 @@ compact     flash)  distribution        called              <i>Bering</i>
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+                    
-1.0 Final!!! </b><br>
+      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.0 Final!!! </b><br>
                               </p>
-      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
+                    
- href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
 (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -210,26 +217,117 @@ compact     flash)  distribution        called              <i>Bering</i>
-      <p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img
+      <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
       </b></p>
      <p>Includes the Beta 1 content plus restores VLAN device names of the 
 form $dev.$vid (e.g., eth0.1)</p>
      <p> The beta may be downloaded from:<br>
        </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
          <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
        </blockquote>
      <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
      </b><br>
        </p>
      <p>The Beta includes the following changes:<br>
   </p>
      <ol>
          <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
 When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
       <br>
   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies 
 just like any other connection request. The FORWARDPING=Yes option in shorewall.conf 
 and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will 
 all generate an error.<br>
       <br>
     </li>
          <li>It is now possible to direct Shorewall to create a "label"
 such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
 and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
 just  the interface name:<br>
    <br>
      a) In the INTERFACE column of /etc/shorewall/masq<br>
      b) In the INTERFACE column of /etc/shorewall/nat<br>
    </li>
          <li>When an interface name is entered in the SUBNET column of the
 /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
 only  the first subnet defined on that interface. It did not masquerade traffic
 from:<br>
    <br>
      a) The subnets associated with other addresses on the interface.<br>
      b) Subnets accessed through local routers.<br>
    <br>
   Beginning with Shorewall 1.3.14, if you enter an interface name in the 
 SUBNET  column, shorewall will use the firewall's routing table to construct 
 the masquerading/SNAT rules.<br>
    <br>
   Example 1 -- This is how it works in 1.3.14.<br>
      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos... <br></pre>
   When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
 connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq 
 entry, your /etc/shorewall/masq file will need changing. In most cases, you
 will simply be able to remove redundant entries. In some cases though, you
 might want to change from using the interface name to listing specific subnetworks
 if the change described above will cause masquerading to occur on subnetworks
 that you don't wish to masquerade.<br>
    <br>
   Example 2 -- Suppose that your current config is as follows:<br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
      In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
    <br>
   Example 3 -- What if your current configuration is like this?<br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
      In this case, you would want to change the entry in  /etc/shorewall/masq
 to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          </li>
      </ol>
  The beta may be downloaded from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
          <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
        </blockquote>
      <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b> 
        </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
-documenation.          the PDF may be downloaded from</p>
+  documenation.          the PDF may be downloaded from</p>
                                            <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                           <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
-      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img
+      <p><b>1/17/2003 - shorewall.net has MOVED</b><b></b></p>
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
   </b></p>
      <p>Thanks to the generosity of Alex Martin and <a
- href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
+ href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and ftp.shorewall.net
-ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
+are now hosted on a system in Bellevue, Washington.  A big thanks to Alex
-big thanks to Alex for making this happen.<br>
+for making this happen.<br>
           </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><br>
@ -239,14 +337,14 @@ big thanks to Alex for making this happen.<br>
       </p>
      <ol>
-           <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
+              <li>A new 'DNAT-' action has been added for entries in the
-  file. DNAT- is intended for advanced users who wish to minimize the number
+/etc/shorewall/rules    file. DNAT- is intended for advanced users who wish
-  of rules that connection requests must traverse.<br>
+to minimize the number    of rules that connection requests must traverse.<br>
           <br>
       A Shorewall DNAT rule actually generates two iptables rules: a header
-rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table. 
+  rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
-A DNAT-  rule only generates the first of these rules. This is handy when 
+  A DNAT-  rule only generates the first of these rules. This is handy when
-you have  several DNAT rules that would generate the same ACCEPT rule.<br>
+  you have  several DNAT rules that would generate the same ACCEPT rule.<br>
           <br>
          Here are three rules from my previous rules file:<br>
           <br>
@ -259,7 +357,7 @@ you have  several DNAT rules that would generate the same ACCEPT rule.<br>
                ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
           <br>
          By writing the rules this way, I end up with only one copy of the 
-ACCEPT  rule.<br>
+ ACCEPT  rule.<br>
           <br>
               DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
               DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
@ -270,14 +368,14 @@ ACCEPT  rule.<br>
  policy between each pair of zones.<br>
           <br>
         </li>
-           <li>A new CLEAR_TC option has been added to shorewall.conf. If 
+              <li>A new CLEAR_TC option has been added to shorewall.conf. 
-this  option is set to 'No' then Shorewall won't clear the current traffic 
+If  this  option is set to 'No' then Shorewall won't clear the current traffic
-control  rules during [re]start. This setting is intended for use by people 
+  control  rules during [re]start. This setting is intended for use by people
-that prefer  to configure traffic shaping when the network interfaces come 
+  that prefer  to configure traffic shaping when the network interfaces come
-up rather than  when the firewall is started. If that is what you want to 
+  up rather than  when the firewall is started. If that is what you want
-do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart 
+to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
-file. That way,  your traffic shaping rules can still use the 'fwmark' classifier 
+  file. That way,  your traffic shaping rules can still use the 'fwmark'
-based on  packet marking defined in /etc/shorewall/tcrules.<br>
+classifier   based on  packet marking defined in /etc/shorewall/tcrules.<br>
           <br>
         </li>
              <li>A new SHARED_DIR variable has been added that allows distribution
@ -291,12 +389,15 @@ based on  packet marking defined in /etc/shorewall/tcrules.<br>
      <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
                                                        </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall
      Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
                  </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
                                                  </b></p>
@ -328,31 +429,32 @@ based on  packet marking defined in /etc/shorewall/tcrules.<br>
  after    an  error   occurs. This places the point of the failure near the
  end of   the trace rather   than up in the middle of it.</li>
                      <li>"shorewall [re]start" has been speeded up by more 
-than   40%   with   my  configuration. Your milage may vary.</li>
+ than   40%   with   my  configuration. Your milage may vary.</li>
-                   <li>A "shorewall show classifiers" command has been added
+                      <li>A "shorewall show classifiers" command has been 
-  which    shows   the current packet classification filters. The output
+added    which    shows   the current packet classification filters. The output
 from   this  command  is  also added as a separate page in "shorewall monitor"</li>
                      <li>ULOG (must be all caps) is now accepted as a valid
-syslog    level   and  causes the subject packets to be logged using the ULOG
+  syslog    level   and  causes the subject packets to be logged using the
-target    rather   than  the LOG target. This allows you to run ulogd (available
+ ULOG target    rather   than  the LOG target. This allows you to run ulogd
-from             <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
+ (available from             <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
         and log all Shorewall messages <a href="shorewall_logging.html">to 
  a  separate  log file</a>.</li>
-                   <li>If you are running a kernel that has a FORWARD chain 
+                      <li>If you are running a kernel that has a FORWARD
- in  the   mangle    table ("shorewall show mangle" will show you the chains
+chain    in  the   mangle    table ("shorewall show mangle" will show you
-  in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
+the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes
- href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking 
+in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for 
-      input packets based on their destination even when you are using  Masquerading 
+marking         input packets based on their destination even when you are
-      or SNAT.</li>
+using  Masquerading        or SNAT.</li>
-                   <li>I have cluttered up the /etc/shorewall directory with
+                      <li>I have cluttered up the /etc/shorewall directory
-  empty    'init',    'start', 'stop' and 'stopped' files. If you already
+ with   empty    'init',    'start', 'stop' and 'stopped' files. If you already 
-have  a file    with one   of these names, don't worry -- the upgrade process
+ have  a file    with one   of these names, don't worry -- the upgrade process 
-won't  overwrite    your file.</li>
+ won't  overwrite    your file.</li>
-                   <li>I have added a new RFC1918_LOG_LEVEL variable to <a
+                      <li>I have added a new RFC1918_LOG_LEVEL variable to
- href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies 
+           <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
-     the syslog level at which packets are logged as a result of entries in
+ specifies       the syslog level at which packets are logged as a result
-  the   /etc/shorewall/rfc1918 file. Previously, these packets were always 
+of entries in   the   /etc/shorewall/rfc1918 file. Previously, these packets
- logged   at the 'info' level.<br>
+ were always   logged   at the 'info' level.<br>
                 </li>
@ -361,9 +463,9 @@ won't  overwrite    your file.</li>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
                     </p>
-            This version corrects a problem with Blacklist logging. In Beta 
+               This version corrects a problem with Blacklist logging. In 
- 2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would
+Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall
-  fail  to start and "shorewall  refresh" would also fail.<br>
+ would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
@ -371,59 +473,65 @@ won't  overwrite    your file.</li>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
+                      <a
- target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+ href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                    </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                            </b></p>
                   The first public Beta version of Shorewall 1.3.12 is now 
-available      (Beta  1 was made available to a limited audience). <br>
+ available      (Beta  1 was made available to a limited audience). <br>
                    <br>
                    Features include:<br>
                    <br>
      <ol>
-                        <li>"shorewall refresh" now reloads the traffic shaping 
+                           <li>"shorewall refresh" now reloads the traffic
-   rules    (tcrules  and tcstart).</li>
+ shaping     rules    (tcrules  and tcstart).</li>
-                        <li>"shorewall debug [re]start" now turns off debugging 
+                           <li>"shorewall debug [re]start" now turns off
-   after    an  error occurs. This places the point of the failure near the 
+debugging      after    an  error occurs. This places the point of the failure
-  end of the   trace  rather than up in the middle of it.</li>
+near the    end of the   trace  rather than up in the middle of it.</li>
-                        <li>"shorewall [re]start" has been speeded up by
+                           <li>"shorewall [re]start" has been speeded up
-more   than   40%   with  my configuration. Your milage may vary.</li>
+by  more   than   40%   with  my configuration. Your milage may vary.</li>
-                        <li>A "shorewall show classifiers" command has been 
+                           <li>A "shorewall show classifiers" command has 
- added    which    shows the current packet classification filters. The output 
+been   added    which    shows the current packet classification filters. 
- from    this command    is also added as a separate page in "shorewall monitor"</li>
+The output   from    this command    is also added as a separate page in "shorewall
-                        <li>ULOG (must be all caps) is now accepted as a
+monitor"</li>
-valid    syslog    level  and causes the subject packets to be logged using
+                           <li>ULOG (must be all caps) is now accepted as 
-the ULOG   target   rather than the LOG target. This allows you to run ulogd
+a  valid    syslog    level  and causes the subject packets to be logged using
-(available   from            <a
+ the ULOG   target   rather than the LOG target. This allows you to run ulogd
 (available   from            <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
         and log all Shorewall messages <a href="shorewall_logging.html">to 
  a  separate  log file</a>.</li>
                           <li>If you are running a kernel that has a FORWARD 
  chain    in  the   mangle table ("shorewall show mangle" will show you the
  chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes 
-in  shorewall.conf.     This allows  for  marking input packets based on
+in  shorewall.conf.     This allows  for  marking input packets based on their
-their  destination even   when  you are using  Masquerading or SNAT.</li>
+ destination even   when  you are using  Masquerading or SNAT.</li>
                           <li>I have cluttered up the /etc/shorewall directory 
   with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
   have   a file  with  one of these names, don't worry -- the upgrade process 
   won't   overwrite  your  file.</li>
      </ol>
                    You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
+                      <a
- target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+ href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                    </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
@ -436,14 +544,15 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
          release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-          delivered. I have installed 9.0 on one of my systems and I am now 
+            delivered. I have installed 9.0 on one of my systems and I am
-  in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
+now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
@ -452,6 +561,7 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
@ -494,28 +604,33 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
      <p>In this version:</p>
      <ul>
                                     <li>A 'tcpflags' option has been added 
-to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+ to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
        This option causes Shorewall to make a set of sanity check on TCP 
 packet       header flags.</li>
-                                  <li>It is now allowed to use 'all' in the 
+                                     <li>It is now allowed to use 'all' in
- SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.
+ the   SOURCE    or  DEST   column    in a <a
-   When   used,  'all'   must  appear  by itself (in may not be qualified)
+ href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must 
- and it does   not  enable   intra-zone  traffic.  For example, the rule
+appear  by itself (in may not be qualified)  and it does   not  enable  
-          <br>
+intra-zone  traffic.  For example, the rule           <br>
                                  <br>
                                  ACCEPT loc all tcp 80<br>
                                  <br>
-                           does not enable http traffic from 'loc' to 'loc'.</li>
+                              does not enable http traffic from 'loc' to
 'loc'.</li>
                                     <li>Shorewall's use of the 'echo' command
   is  now   compatible      with   bash clones such as ash and dash.</li>
-                                  <li>fw-&gt;fw policies now generate a startup 
+                                     <li>fw-&gt;fw policies now generate
-   error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
+a  startup     error.    fw-&gt;fw      rules  generate a warning and are
 ignored</li>
@ -525,6 +640,7 @@ packet       header flags.</li>
      <p><b></b><a href="News.htm">More News</a></p>
@ -540,8 +656,9 @@ packet       header flags.</li>
                                                               </td>
-                         <td width="88" bgcolor="#4b017c" valign="top"
+                            <td width="88" bgcolor="#4b017c"
- align="center">              <a href="http://sourceforge.net">M</a></td>
+ valign="top" align="center">              <a
 href="http://sourceforge.net">M</a></td>
                        </tr>
@ -590,11 +707,12 @@ packet       header flags.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+    
-if       you try it and find it useful, please consider making a donation 
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                                         to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                     </td>
@ -610,7 +728,7 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 1/28/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                 <br>
 </p>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -47,8 +47,8 @@
                <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
                <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
-      (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - 
+       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
-present</li>
+-  present</li>
                <li>Married 1969 - no children.</li>
 </ul>
@ -70,26 +70,26 @@ present</li>
 <ul>
                <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB 
- IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system.
+ IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Serves
-Serves as a PPTP server for Road Warrior access. Also  has <a
+as a PPTP server for Road Warrior access. Dual boots <a
- href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
+ href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
  NIC   -  My      personal Linux System which runs Samba configured as a 
 WINS  server.    This      system also has <a
- href="http://www.vmware.com/">VMware</a>  installed    and      can run
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run both
-both <a href="http://www.debian.org">Debian  Woody</a> and         <a
+    <a href="http://www.debian.org">Debian  Woody</a> and         <a
 href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
                <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  
- Email   (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
+- Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), 
-DNS  server        (Bind).</li>
+DNS  server        (Bind 9).</li>
                <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
-   (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.12+  and a
+    (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.14  and a DHCP
-DHCP        server.</li>
+       server.</li>
-               <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
+                <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
- wife's        personal system.</li>
+My  wife's        personal system.</li>
                <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
-EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main 
+ EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main
-work system.</li>
+ work system.</li>
 </ul>
@ -116,10 +116,11 @@ work system.</li>
 width="125" height="40" hspace="4">
             </font></p>
-<p><font size="2">Last updated 1/7/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 1/24/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
              <font face="Trebuchet MS"><a href="copyright.htm"><font
 size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas 
 M. Eastep.</font></a></font><br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_features.htm
+++ b/Shorewall-docs/shorewall_features.htm
@ -37,19 +37,20 @@
       <li>No limit on the number of network interfaces.</li>
       <li>Allows you to partitions the network into <i><a
 href="Documentation.htm#Zones">zones</a></i>         and gives you complete
-control over the connections permitted between         each pair of zones.</li>
+ control over the connections permitted between         each pair of zones.</li>
       <li>Multiple interfaces per zone and multiple zones per interface
        permitted.</li>
       <li>Supports nested and overlapping zones.</li>
    </ul>
     </li>
-    <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to 
+     <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
-help    get your first firewall up and running quickly</li>
+to  help    get your first firewall up and running quickly</li>
-    <li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> 
+     <li>Extensive <b> <a
 href="shorewall_quickstart_guide.htm#Documentation" target="_top">documentation</a>
     </b>   included in the .tgz and .rpm downloads.</li>
-    <li><b>Flexible address management/routing support</b> (and you can use 
+     <li><b>Flexible address management/routing support</b> (and you can
-all     types in the same firewall):        
+use  all     types in the same firewall):             
    <ul>
       <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
       <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
@ -66,14 +67,15 @@ all     types in the same firewall):
    <ul>
       <li>Commands to start, stop and clear the firewall</li>
       <li>Supports status             monitoring      with an audible alarm
-when an             "interesting" packet is detected.</li>
+ when an             "interesting" packet is detected.</li>
       <li>Wide variety of informational commands.</li>
    </ul>
     </li>
     <li><b>VPN Support</b>             
    <ul>
-      <li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP     Tunnels</a>.</li>
+       <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP     and
 OpenVPN Tunnels</a>.</li>
       <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
    </ul>
@ -86,9 +88,9 @@ when an             "interesting" packet is detected.</li>
       <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a> 
         packages available.</li>
-      <li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
+       <li>Includes <a href="Install.htm"><b>automated install, upgrade,
-         and uninstall facilities</b></a> for users who can't use or choose 
+fallback          and uninstall facilities</b></a> for users who can't use
-not         to use the RPM or Debian packages.</li>
+or choose  not         to use the RPM or Debian packages.</li>
       <li>Included as a standard part of<b> <a
 href="http://leaf.sourceforge.net/devel/jnilo">     LEAF/Bering</a> </b>(router/firewall 
 on a floppy, CD or compact flash).</li>
@ -102,10 +104,11 @@ on a floppy, CD or compact flash).</li>
 </ul>
-<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 1/31/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
-</p>
+ </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -26,7 +26,7 @@
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
-(HOWTO's)<br>
+ (HOWTO's)<br>
                 Version 3.1</font></h1>
                     </td>
                   </tr>
@ -34,8 +34,10 @@
  </tbody>                
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.</p>
+we must  all first walk before we can run.<br>
 The French Translations are courtesy of Patrice Vetsel<br>
 </p>
 <h2>The Guides</h2>
@ -45,12 +47,14 @@ must  all first walk before we can run.</p>
 <p>The following guides are for <b>users who have a single public IP address</b>:</p>
 <ul>
-                  <li><a href="standalone.htm">Standalone</a> Linux System</li>
+                   <li><a href="standalone.htm">Standalone</a> Linux System
 (<a href="standalone_fr.html">Version Française</a>)</li>
                   <li><a href="two-interface.htm">Two-interface</a> Linux
-System    acting    as a    firewall/router for a small local network</li>
+ System    acting    as a    firewall/router for a small local network (<a
-                  <li><a href="three-interface.htm">Three-interface</a> Linux 
+ href="two-interface_fr.html">Version Française</a>)</li>
-  System    acting  as a    firewall/router for a small local network and 
+                   <li><a href="three-interface.htm">Three-interface</a>
-a  DMZ.</li>
+Linux    System    acting  as a    firewall/router for a small local network
 and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
 </ul>
@ -74,10 +78,11 @@ Addressing,       Subnets  and Routing</a>
    <ul>
                     <li><a href="shorewall_setup_guide.htm#Addresses">4.1
-IP  Addresses</a></li>
+ IP  Addresses</a></li>
                                 <li><a
 href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
-                    <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
+                     <li><a href="shorewall_setup_guide.htm#Routing">4.3
 Routing</a></li>
                     <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
  Resolution      Protocol</a></li>
@ -86,8 +91,8 @@ IP  Addresses</a></li>
    <ul>
-                    <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 
+                     <li><a href="shorewall_setup_guide.htm#RFC1918">4.5
- 1918</a></li>
+RFC   1918</a></li>
    </ul>
@ -104,7 +109,7 @@ IP  Addresses</a></li>
    <ul>
                     <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
-Non-routed</a>                                                           
+ Non-routed</a>                                                         
        <ul>
@ -114,8 +119,8 @@ SNAT</a></li>
 DNAT</a></li>
                       <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 
  Proxy    ARP</a></li>
-                      <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
+                       <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
-   NAT</a></li>
+Static    NAT</a></li>
@ -157,8 +162,9 @@ DNAT</a></li>
     file   features</a>                                                 
    <ul>
-                    <li><a href="configuration_file_basics.htm#Comments">Comments
+                     <li><a
- in configuration files</a></li>
+ href="configuration_file_basics.htm#Comments">Comments  in configuration
 files</a></li>
                     <li><a
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
                     <li><a href="configuration_file_basics.htm#Ports">Port 
@ -167,16 +173,16 @@ DNAT</a></li>
 Ranges</a></li>
                     <li><a
 href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
-                    <li><a href="configuration_file_basics.htm#dnsnames">Using
+                     <li><a
- DNS Names</a><br>
+ href="configuration_file_basics.htm#dnsnames">Using  DNS Names</a><br>
                </li>
                     <li><a
 href="configuration_file_basics.htm#Compliment">Complementing an IP address
-or Subnet</a></li>
+ or Subnet</a></li>
                     <li><a href="configuration_file_basics.htm#Configs">Shorewall 
 Configurations (making a test configuration)</a></li>
                     <li><a href="configuration_file_basics.htm#MAC">Using
-MAC Addresses in Shorewall</a></li>
+ MAC Addresses in Shorewall</a></li>
    </ul>
@ -219,12 +225,13 @@ MAC Addresses in Shorewall</a></li>
                   </li>
                   <li><a href="dhcp.htm">DHCP</a></li>
                   <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-(How to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code)</li>
                   <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                   <li><a href="shorewall_firewall_structure.htm">Firewall
-Structure</a></li>
+ Structure</a></li>
-                  <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
+                   <li><font color="#000099"><a href="kernel.htm">Kernel
 Configuration</a></font></li>
      <li><a href="shorewall_logging.html">Logging</a><br>
      </li>
                   <li><a href="MAC_Validation.html">MAC Verification</a><br>
@ -254,8 +261,8 @@ Structure</a></li>
  </ul>
                   <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
-  <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
+   <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
-Shorewall</a><br>
+with Shorewall</a><br>
   </li>
                   <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
                   <li>VPN                                              
@ -278,12 +285,13 @@ Shorewall</a><br>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 1/28/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M. 
 Eastep</font></a><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -21,6 +21,7 @@
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -56,6 +57,7 @@
      <div align="center"><a href="/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a></div>
                                                                   </td>
@ -63,6 +65,7 @@
  </tbody>                                                              
 </table>
@ -104,8 +107,8 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based 
+  a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-firewall        that can be used on a dedicated firewall system, a multi-function 
+  firewall        that can be used on a dedicated firewall system, a multi-function
         gateway/router/server or on a standalone GNU/Linux system.</p>
@ -119,25 +122,27 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify
-                                           it        under the terms of <a
+                                             it        under the terms of
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+      <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
-Public License</a> as published by the Free Software        Foundation.<br>
+the GNU General Public License</a> as published by the Free Software    
   Foundation.<br>
                                 <br>
-                         This   program     is  distributed       in  the 
+                            This   program     is  distributed       in 
-  hope     that     it   will     be  useful,    but         WITHOUT  ANY
+the     hope     that     it   will     be  useful,    but         WITHOUT
-    WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY
+ ANY      WARRANTY;      without      even the   implied    warranty    
-              or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See
+ of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR    
-the    GNU General     Public  License           for  more details.<br>
+ PURPOSE.        See the    GNU General     Public  License           for
 more details.<br>
                                 <br>
-                         You   should    have   received     a  copy   of 
+                            You   should    have   received     a  copy 
- the     GNU     General         Public      License             along  with
+ of   the     GNU     General         Public      License             along 
-   this   program;       if  not,    write  to  the    Free Software    
+ with    this   program;       if  not,    write  to  the    Free Software
-   Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
+        Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA
-      USA</p>
+  02139,       USA</p>
@ -164,14 +169,14 @@ the    GNU General     Public  License           for  more details.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                          </a>Jacques              Nilo   and   Eric   Wolzak 
+                             </a>Jacques              Nilo   and   Eric 
-     have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD
+ Wolzak       have     a   LEAF  (router/firewall/gateway         on  a floppy, 
-   or compact     flash)  distribution        called              <i>Bering</i>
+  CD    or compact     flash)  distribution        called              <i>Bering</i> 
        that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
        You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                     <b>Congratulations to Jacques and Eric 
-on  the   recent    release     of  Bering  1.0 Final!!! <br>
+ on  the   recent    release     of  Bering  1.0 Final!!! <br>
                                     </b>                               
@ -190,26 +195,120 @@ on  the   recent    release     of  Bering  1.0 Final!!! <br>
-      <p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img
+      <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
       </b></p>
      <p>Includes the Beta 1 content plus restores VLAN device names of the 
 form $dev.$vid (e.g., eth0.1)</p>
      <p> The beta may be downloaded from:<br>
         </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
          <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
        </blockquote>
      <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
      </b><br>
   </p>
      <p>The Beta includes the following changes:<br>
   </p>
      <ol>
          <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
 When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
       <br>
   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies 
 just like any other connection request. The FORWARDPING=Yes option in shorewall.conf 
 and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will 
 all generate an error.<br>
       <br>
     </li>
          <li>It is now possible to direct Shorewall to create a "label"
 such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
 and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
 just  the interface name:<br>
    <br>
      a) In the INTERFACE column of /etc/shorewall/masq<br>
      b) In the INTERFACE column of /etc/shorewall/nat<br>
    </li>
          <li>When an interface name is entered in the SUBNET column of the
 /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
 only  the first subnet defined on that interface. It did not masquerade traffic
 from:<br>
    <br>
      a) The subnets associated with other addresses on the interface.<br>
      b) Subnets accessed through local routers.<br>
    <br>
   Beginning with Shorewall 1.3.14, if you enter an interface name in the 
 SUBNET  column, shorewall will use the firewall's routing table to construct 
 the masquerading/SNAT rules.<br>
    <br>
   Example 1 -- This is how it works in 1.3.14.<br>
      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
    <br>
   When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
 connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq 
 entry, your /etc/shorewall/masq file will need changing. In most cases, you
 will simply be able to remove redundant entries. In some cases though, you
 might want to change from using the interface name to listing specific subnetworks
 if the change described above will cause masquerading to occur on subnetworks
 that you don't wish to masquerade.<br>
    <br>
   Example 2 -- Suppose that your current config is as follows:<br>
      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
      In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
    <br>
   Example 3 -- What if your current configuration is like this?<br>
    <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]# <br></pre>
      In this case, you would want to change the entry in  /etc/shorewall/masq
 to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          </li>
      </ol>
   The beta may be downloaded from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
     <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
   </blockquote>
      <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b> 
        </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
-documenation.          the PDF may be downloaded from</p>
+  documenation.          the PDF may be downloaded from</p>
                                             <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                            <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
-      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img
+      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b>    </b></p>
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
   </b></p>
      <p>Thanks to the generosity of Alex Martin and <a
- href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
+ href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and ftp.shorewall.net
-ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
+are now hosted on a system in Bellevue, Washington.  A big thanks to Alex
-big thanks to Alex for making this happen.<br>
+for making this happen.<br>
      </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
@ -221,14 +320,14 @@ big thanks to Alex for making this happen.<br>
       </p>
      <ol>
-           <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
+              <li>A new 'DNAT-' action has been added for entries in the
-  file. DNAT- is intended for advanced users who wish to minimize the number
+/etc/shorewall/rules    file. DNAT- is intended for advanced users who wish
-  of rules that connection requests must traverse.<br>
+to minimize the number    of rules that connection requests must traverse.<br>
           <br>
       A Shorewall DNAT rule actually generates two iptables rules: a header
-rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table. 
+  rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
-A DNAT-  rule only generates the first of these rules. This is handy when 
+  A DNAT-  rule only generates the first of these rules. This is handy when
-you have  several DNAT rules that would generate the same ACCEPT rule.<br>
+  you have  several DNAT rules that would generate the same ACCEPT rule.<br>
           <br>
          Here are three rules from my previous rules file:<br>
           <br>
@ -241,7 +340,7 @@ you have  several DNAT rules that would generate the same ACCEPT rule.<br>
                ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
           <br>
          By writing the rules this way, I end up with only one copy of the 
-ACCEPT  rule.<br>
+ ACCEPT  rule.<br>
           <br>
               DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
               DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
@ -252,14 +351,14 @@ ACCEPT  rule.<br>
  policy between each pair of zones.<br>
           <br>
         </li>
-           <li>A new CLEAR_TC option has been added to shorewall.conf. If 
+              <li>A new CLEAR_TC option has been added to shorewall.conf. 
-this  option is set to 'No' then Shorewall won't clear the current traffic 
+If  this  option is set to 'No' then Shorewall won't clear the current traffic
-control  rules during [re]start. This setting is intended for use by people 
+  control  rules during [re]start. This setting is intended for use by people
-that prefer  to configure traffic shaping when the network interfaces come 
+  that prefer  to configure traffic shaping when the network interfaces come
-up rather than  when the firewall is started. If that is what you want to 
+  up rather than  when the firewall is started. If that is what you want
-do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart 
+to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
-file. That way,  your traffic shaping rules can still use the 'fwmark' classifier 
+  file. That way,  your traffic shaping rules can still use the 'fwmark'
-based on  packet marking defined in /etc/shorewall/tcrules.<br>
+classifier   based on  packet marking defined in /etc/shorewall/tcrules.<br>
           <br>
         </li>
              <li>A new SHARED_DIR variable has been added that allows distribution
@ -272,12 +371,15 @@ based on  packet marking defined in /etc/shorewall/tcrules.<br>
      <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
                                                       </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall 
     Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
            </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
                                                 </b></p>
@ -309,31 +411,32 @@ based on  packet marking defined in /etc/shorewall/tcrules.<br>
  after    an  error   occurs. This places the point of the failure near the
  end of   the trace rather   than up in the middle of it.</li>
                      <li>"shorewall [re]start" has been speeded up by more 
-than   40%   with   my  configuration. Your milage may vary.</li>
+ than   40%   with   my  configuration. Your milage may vary.</li>
-                   <li>A "shorewall show classifiers" command has been added
+                      <li>A "shorewall show classifiers" command has been 
-  which    shows   the current packet classification filters. The output
+added    which    shows   the current packet classification filters. The output
 from   this  command  is  also added as a separate page in "shorewall monitor"</li>
                      <li>ULOG (must be all caps) is now accepted as a valid
-syslog    level   and  causes the subject packets to be logged using the ULOG
+  syslog    level   and  causes the subject packets to be logged using the
-target    rather   than  the LOG target. This allows you to run ulogd (available
+ ULOG target    rather   than  the LOG target. This allows you to run ulogd
-from             <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
+ (available from             <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
         and log all Shorewall messages <a href="shorewall_logging.html">to 
  a  separate log file</a>.</li>
-                   <li>If you are running a kernel that has a FORWARD chain 
+                      <li>If you are running a kernel that has a FORWARD
- in  the   mangle    table ("shorewall show mangle" will show you the chains
+chain    in  the   mangle    table ("shorewall show mangle" will show you
-  in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
+the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes
- href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking 
+in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for 
-      input packets based on their destination even when you are using  Masquerading 
+marking         input packets based on their destination even when you are
-      or SNAT.</li>
+using  Masquerading        or SNAT.</li>
-                   <li>I have cluttered up the /etc/shorewall directory with
+                      <li>I have cluttered up the /etc/shorewall directory
-  empty    'init',    'start', 'stop' and 'stopped' files. If you already
+ with   empty    'init',    'start', 'stop' and 'stopped' files. If you already 
-have  a file    with one   of these names, don't worry -- the upgrade process
+ have  a file    with one   of these names, don't worry -- the upgrade process 
-won't  overwrite    your file.</li>
+ won't  overwrite    your file.</li>
-                   <li>I have added a new RFC1918_LOG_LEVEL variable to <a
+                      <li>I have added a new RFC1918_LOG_LEVEL variable to
- href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies 
+           <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
-     the syslog level at which packets are logged as a result of entries in
+ specifies       the syslog level at which packets are logged as a result
-  the   /etc/shorewall/rfc1918 file. Previously, these packets were always 
+of entries in   the   /etc/shorewall/rfc1918 file. Previously, these packets
- logged   at the 'info' level.</li>
+ were always   logged   at the 'info' level.</li>
      </ol>
@ -341,9 +444,9 @@ won't  overwrite    your file.</li>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
                </p>
-             This version corrects a problem with Blacklist logging. In Beta
+                This version corrects a problem with Blacklist logging. In
-  2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall
+ Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall 
-would   fail  to start and "shorewall  refresh" would also fail.<br>
+ would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
@ -351,59 +454,66 @@ would   fail  to start and "shorewall  refresh" would also fail.<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
+                      <a
- target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+ href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                    </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                            </b></p>
                   The first public Beta version of Shorewall 1.3.12 is now 
-available      (Beta  1 was made available only to a limited audience). <br>
+ available      (Beta  1 was made available only to a limited audience). 
     <br>
                    <br>
                    Features include:<br>
                    <br>
      <ol>
-                        <li>"shorewall refresh" now reloads the traffic shaping 
+                           <li>"shorewall refresh" now reloads the traffic
-   rules    (tcrules  and tcstart).</li>
+ shaping     rules    (tcrules  and tcstart).</li>
-                        <li>"shorewall debug [re]start" now turns off debugging 
+                           <li>"shorewall debug [re]start" now turns off
-   after    an  error occurs. This places the point of the failure near the 
+debugging      after    an  error occurs. This places the point of the failure
-  end of the   trace  rather than up in the middle of it.</li>
+near the    end of the   trace  rather than up in the middle of it.</li>
-                        <li>"shorewall [re]start" has been speeded up by
+                           <li>"shorewall [re]start" has been speeded up
-more   than   40%   with  my configuration. Your milage may vary.</li>
+by  more   than   40%   with  my configuration. Your milage may vary.</li>
-                        <li>A "shorewall show classifiers" command has been 
+                           <li>A "shorewall show classifiers" command has 
- added    which    shows the current packet classification filters. The output 
+been   added    which    shows the current packet classification filters. 
- from    this command    is also added as a separate page in "shorewall monitor"</li>
+The output   from    this command    is also added as a separate page in "shorewall
-                        <li>ULOG (must be all caps) is now accepted as a
+monitor"</li>
-valid    syslog    level  and causes the subject packets to be logged using
+                           <li>ULOG (must be all caps) is now accepted as 
-the ULOG   target   rather than the LOG target. This allows you to run ulogd
+a  valid    syslog    level  and causes the subject packets to be logged using
-(available   from            <a
+ the ULOG   target   rather than the LOG target. This allows you to run ulogd
 (available   from            <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
         and log all Shorewall messages <a href="shorewall_logging.html">to 
  a  separate log file</a>.</li>
                           <li>If you are running a kernel that has a FORWARD 
  chain    in  the   mangle table ("shorewall show mangle" will show you the
  chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes 
-in  shorewall.conf.     This allows  for  marking input packets based on
+in  shorewall.conf.     This allows  for  marking input packets based on their
-their  destination even   when  you are using  Masquerading or SNAT.</li>
+ destination even   when  you are using  Masquerading or SNAT.</li>
                           <li>I have cluttered up the /etc/shorewall directory 
   with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
   have   a file  with  one of these names, don't worry -- the upgrade process 
   won't   overwrite  your  file.</li>
      </ol>
                    You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
+                      <a
- target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+ href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                    </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
@ -416,14 +526,15 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
          release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-          delivered. I have installed 9.0 on one of my systems and I am now 
+            delivered. I have installed 9.0 on one of my systems and I am
-  in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
+now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
@ -432,6 +543,7 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
@ -474,28 +586,33 @@ their  destination even   when  you are using  Masquerading or SNAT.</li>
      <p>In this version:</p>
      <ul>
                                      <li>A 'tcpflags' option has been added
-to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
+  to  entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
-       This option causes Shorewall to make a set of sanity check on TCP packet
+         This option causes Shorewall to make a set of sanity check on TCP
-      header flags.</li>
+ packet       header flags.</li>
-                                   <li>It is now allowed to use 'all' in
+                                      <li>It is now allowed to use 'all'
-the   SOURCE    or  DEST   column    in a <a
+in  the   SOURCE    or  DEST   column    in a <a
- href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must 
+ href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must  appear
-appear  by itself (in may not be qualified)  and it does   not  enable  
+ by itself (in may not be qualified)  and it does   not  enable   intra-zone
-intra-zone  traffic.  For example, the rule           <br>
+ traffic.  For example, the rule           <br>
                                   <br>
                                   ACCEPT loc all tcp 80<br>
                                   <br>
-                            does not enable http traffic from 'loc' to 'loc'.</li>
+                               does not enable http traffic from 'loc' to 
 'loc'.</li>
                                      <li>Shorewall's use of the 'echo' command 
   is  now   compatible      with   bash clones such as ash and dash.</li>
-                                   <li>fw-&gt;fw policies now generate a
+                                      <li>fw-&gt;fw policies now generate 
-startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
+a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
 ignored</li>
@ -503,6 +620,7 @@ startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
                             </b></p>
@ -535,6 +653,7 @@ startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</
      </ul>
@ -575,6 +694,7 @@ startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
@ -596,6 +716,7 @@ startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</
  </tbody>                                                              
 </table>
@ -639,11 +760,11 @@ startup     error.    fw-&gt;fw      rules  generate a warning and are ignored</
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
-if       you try it and find it useful, please consider making a donation 
+but if       you try it and find it useful, please consider making a donation
                                             to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                             </td>
@ -659,7 +780,7 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 1/28/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                     <br>
 </p>
--- a/Shorewall-docs/spam_filters.htm
+++ b/Shorewall-docs/spam_filters.htm
@ -1,44 +1,62 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+ 
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+ 
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>SPAM Filters</title>
+ content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>SPAM Filters</title>
 </head>
  <body>
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1>
+      <h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <h1 align="center"><br>
-<a href="http://ordb.org">
+ <a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img
-<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1>
+ src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
 height="38">
 </a><img border="0" src="images/but3.png" hspace="3" width="88"
 height="31">
 </a></h1>
 <p>Like all of you, I'm concerned about the increasing volume of Unsolicited 
-Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who
+Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
-are installing SPAM filters on your mail servers. A couple of recent incidents
+you who are installing SPAM filters on your mail servers. A couple of recent
-involving mis-configured filters have prompted me to establish this page to spell
+incidents involving mis-configured filters have prompted me to establish
-out what I will do when these filters bounce list postings.</p>
+this page to spell out what I will do when these filters bounce list postings.</p>
 <p>When your SPAM filter bounces/rejects list mail, I will:</p>
 <ol>
-  <li>immediately turn off delivery to you from all Shorewall lists to
+   <li>immediately turn off delivery to you from all Shorewall lists to which
-which you subscribe.</li>
+you subscribe.</li>
   <li><u>try</u> to send you an email from a source other than shorewall.net</li>
 </ol>
 <p>When you have corrected the problem, please let me know and I will re-enable 
 delivery (or you can reenable delivery yourself).</p>
-<p><font size="2">Last Updated 3/21/2002 - Tom Eastep</font></p>
+ 
 <p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
 </html>
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -60,9 +60,9 @@ for this  program:</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
          If you edit your configuration files on a Windows system, you must
  save them as  Unix files if your editor supports that option or you must
-run them through  dos2unix before trying to use them. Similarly, if you copy 
+ run them through  dos2unix before trying to use them. Similarly, if you
-a configuration file  from your Windows hard drive to a floppy disk, you must
+copy  a configuration file  from your Windows hard drive to a floppy disk,
-run dos2unix against the  copy before using it with Shorewall.</p>
+you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
@ -76,12 +76,12 @@ run dos2unix against the  copy before using it with Shorewall.</p>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
-    The configuration files for Shorewall are contained in the directory
+     The configuration files for Shorewall are contained in the directory 
 /etc/shorewall -- for simple setups, you  only need to deal with a few of
- these as described in this guide.  After you have <a href="Install.htm">installed 
+  these as described in this guide.  After you have <a
-Shorewall</a>,  <b>download the <a
+ href="Install.htm">installed  Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
-un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
+ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
  (they will replace files with the same names that were placed in /etc/shorewall
  during Shorewall installation)</b>.</p>
@ -129,11 +129,11 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
  checked against the  /etc/shorewall/rules file. If no rule in that file 
 matches  the connection  request then the first policy in /etc/shorewall/policy 
 that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common
+the request is first  checked against the rules in /etc/shorewall/common (the
-(the samples provide that  file for you).</p>
+samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample
+<p>The /etc/shorewall/policy file included with the one-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -155,7 +155,8 @@ has the  following policies:</p>
          </tr>
          <tr>
            <td>net</td>
-           <td>net</td>
+            <td>all<br>
        </td>
            <td>DROP</td>
            <td>info</td>
            <td> </td>
@ -172,8 +173,6 @@ has the  following policies:</p>
  </table>
      </blockquote>
 <pre>     fw		net	ACCEPT<br>     net	all	DROP	info<br>     all	all	REJECT	info</pre>
 <p>The above policy will:</p>
 <ol>
@ -196,7 +195,7 @@ catchall      policy).</li>
   <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
   <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-a <b>ppp0</b>. If you connect via a regular modem, your External  Interface
+ a <b>ppp0</b>. If you connect via a regular modem, your External  Interface 
  will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
  will be<b> ippp0.</b></p>
@ -242,8 +241,8 @@ you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
             Before starting Shorewall, you should look at the IP address 
-of  your external    interface and if it is one of the above ranges, you
+of  your external    interface and if it is one of the above ranges, you should
-should  remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+ remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
     </div>
 <div align="left">        
@ -285,8 +284,8 @@ should  remove the    'norfc1918' option from the entry in /etc/shorewall/interf
      </div>
 <div align="left">        
-<p align="left">Example - You want to run a Web Server and a POP3 Server
+<p align="left">Example - You want to run a Web Server and a POP3 Server on
-on your firewall    system:</p>
+your firewall    system:</p>
     </div>
 <div align="left">        
@ -328,8 +327,8 @@ on your firewall    system:</p>
      </div>
 <div align="left">        
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, see <a href="ports.htm">here</a>.</p>
+uses, see <a href="ports.htm">here</a>.</p>
     </div>
 <div align="left">        
@ -367,10 +366,6 @@ application uses, see <a href="ports.htm">here</a>.</p>
        </blockquote>
      </div>
 <div align="left">       
 <pre>     ACCEPT	net	fw	tcp	22</pre>
     </div>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
@ -388,8 +383,9 @@ application uses, see <a href="ports.htm">here</a>.</p>
          The <a href="Install.htm">installation procedure </a>   configures
  your system to start Shorewall at system boot but beginning with Shorewall
  version 1.3.9 startup is disabled so that your system won't try to start
-Shorewall before configuration is complete. Once you have completed configuration 
+ Shorewall before configuration is complete. Once you have completed configuration
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+ of your firewall, you can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
     </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
@ -418,11 +414,12 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 try" command</a>.</p>
     </div>
-<p align="left"><font size="2">Last updated 12/9/2002 - <a
+<p align="left"><font size="2">Last updated 1/26/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-  M. Eastep</font></a></p>
+Thomas   M. Eastep</font></a></p>
       <br>
     <br>
    <br>
   <br>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -25,6 +25,7 @@
                   <td width="100%">                                    
      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
   the Firewall</font></h1>
@ -54,6 +55,7 @@ graphical  run-level editor.</p>
 <p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
       </p>
@ -63,9 +65,9 @@ graphical  run-level editor.</p>
   Note: Users of the .deb package must edit /etc/default/shorewall and set
   'startup=1'.<br>
         </li>
-      <li>If you use dialup, you may want to start the firewall     in your 
+         <li>If you use dialup, you may want to start the firewall     in 
- /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart" 
+your   /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall
- in that script.</li>
+ restart"   in that script.</li>
 </ol>
@ -82,26 +84,33 @@ graphical  run-level editor.</p>
 <ul>
           <li>shorewall start - starts the firewall</li>
           <li>shorewall stop - stops the firewall</li>
-        <li>shorewall restart - stops the firewall (if it's             running)
+           <li>shorewall restart - stops the firewall (if it's          
-  and  then starts it again</li>
+  running)   and  then starts it again</li>
           <li>shorewall reset - reset the packet and byte counters     
       in the  firewall</li>
-        <li>shorewall clear - remove all rules and chains             installed
+           <li>shorewall clear - remove all rules and chains            
-  by Shoreline  Firewall</li>
+installed    by Shoreline  Firewall</li>
           <li>shorewall refresh - refresh the rules involving the broadcast
          addresses  of firewall interfaces and the black and white lists.</li>
 </ul>
-If you include the keyword <i>debug</i> as the first argument, then a shell
+   If you include the keyword <i>debug</i> as the first argument, then a
-trace of the command is produced as in:<br>
+shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
-<p>The above command would trace the 'start' command and place the trace
+<p>The above command would trace the 'start' command and place the trace information
-information in the file /tmp/trace</p>
+in the file /tmp/trace<br>
-<p>   The "shorewall" program may also be used to monitor the     firewall.</p>
+  </p>
 <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
 bottom of this page.<br>
  </p>
 <p>The "shorewall" program may also be used to monitor the     firewall.</p>
 <ul>
@ -109,8 +118,8 @@ information in the file /tmp/trace</p>
            (iptables -L -n -v)</li>
           <li>shorewall show <i>chain</i> - produce a verbose report about 
     <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
-        <li>shorewall show nat - produce a verbose report about the nat table
+           <li>shorewall show nat - produce a verbose report about the nat
-            (iptables -t nat -L -n -v)</li>
+ table             (iptables -t nat -L -n -v)</li>
           <li>shorewall show tos - produce a verbose report about the mangle 
  table          (iptables -t mangle -L -n -v)</li>
           <li>shorewall show log - display the last 20 packet log entries.</li>
@ -124,44 +133,45 @@ information in the file /tmp/trace</p>
             status, last 20 log entries and nat. When the log entry display 
             changes, an audible alarm is sounded.</li>
           <li>shorewall hits - Produces several reports about the Shorewall
-packet  log          messages in the current /var/log/messages file.</li>
+  packet  log          messages in the current /var/log/messages file.</li>
           <li>shorewall version -  Displays the installed     version number.</li>
-        <li>shorewall check -  Performs a <u>cursory</u> validation     of
+           <li>shorewall check -  Performs a <u>cursory</u> validation  
- the  zones, interfaces, hosts, rules and policy files.    <font
+  of  the  zones, interfaces, hosts, rules and policy files.    <font
 size="4" color="#ff6666"><b>The "check" command does not parse and     validate 
-the   generated iptables commands so even though the "check" command    
+ the   generated iptables commands so even though the "check" command    
 completes   successfully, the configuration may fail to start. See the  
  recommended   way to make configuration changes described below. </b></font> 
   </li>
           <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
-]  -  Restart shorewall using the     specified configuration and if an error
+  ]  -  Restart shorewall using the     specified configuration and if an
-  occurs or if the<i> timeout </i>    option is given and the new configuration
+error   occurs or if the<i> timeout </i>    option is given and the new configuration 
   has been up for that many seconds     then shorewall is restarted using 
-the  standard configuration.</li>
+ the  standard configuration.</li>
           <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
   save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
           <li>shorewall logwatch (added in version 1.3.2) - Monitors the 
-     <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
+       <a href="#Conf">LOGFILE </a>and produces an audible alarm when new
-      messages are logged.</li>
+ Shorewall       messages are logged.</li>
 </ul>
-  Finally, the "shorewall" program may be used to dynamically alter the contents
+     Finally, the "shorewall" program may be used to dynamically alter the
- of a zone.<br>
+ contents  of a zone.<br>
 <ul>
-    <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
+       <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds
- specified interface (and host if included) to the specified zone.</li>
+ the  specified interface (and host if included) to the specified zone.</li>
-    <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
+       <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
- the specified interface (and host if included) from the specified zone.</li>
+Deletes   the specified interface (and host if included) from the specified
 zone.</li>
 </ul>
 <blockquote>Examples:<br>
  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> 
-- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
+ -- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
       <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 vpn1</b></font> 
-- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
+ -- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
       </blockquote>
     </blockquote>
@ -174,6 +184,7 @@ the  standard configuration.</li>
 <blockquote>                                                             
  <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
         shorewall try <i>configuration-directory</i></p>
         </blockquote>
@ -181,8 +192,8 @@ the  standard configuration.</li>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
     is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
-    . If the file is present in the <i>configuration-directory</i>, that file
+      . If the file is present in the <i>configuration-directory</i>, that
-   will be used; otherwise, the file in /etc/shorewall will be used.</p>
+ file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -236,7 +247,74 @@ the  standard configuration.</li>
-<p><font size="2">   Updated 1/9/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
 </p>
 <div align="center"><img
 src="file:///J:/Shorewall-docs/images/State_Diagram.png"
 alt="(State Diagram)" width="747" height="714" align="middle">
 <br>
 </div>
 <p>    <br>
   </p>
    You will note that the commands that result in state transitions use
 the  word "firewall" rather than "shorewall". That is because the actual
 transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
 on  Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
  <br>
 <table cellpadding="2" cellspacing="2" border="1">
     <tbody>
       <tr>
         <td valign="top">shorewall start<br>
         </td>
         <td valign="top">firewall start<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall stop<br>
         </td>
         <td valign="top">firewall stop<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall restart<br>
         </td>
         <td valign="top">firewall restart<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall add<br>
         </td>
         <td valign="top">firewall add<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall delete<br>
         </td>
         <td valign="top">firewall delete<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall refresh<br>
         </td>
         <td valign="top">firewall refresh<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall try<br>
         </td>
         <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
   If unsuccessful then firewall start (standard configuration)<br>
   If timeout then firewall restart (standard configuration)<br>
         </td>
       </tr>
  </tbody>   
 </table>
  <br>
 <p><font size="2">   Updated 1/29/2003 - <a href="support.htm">Tom  Eastep</a>
       </font></p>
@ -250,5 +328,8 @@ the  standard configuration.</li>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -31,8 +31,8 @@
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up a Linux system as a firewall for a small network 
-      with  DMZ is a  fairly straight-forward task if you understand the
+      with  DMZ is a  fairly straight-forward task if you understand the basics
-basics       and follow the  documentation.</p>
+      and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of 
       Shorewall. It rather focuses on what is required to configure Shorewall 
@ -55,8 +55,8 @@ basics       and follow the  documentation.</p>
             </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
+      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-tell     if  this  package is installed by the presence of an <b>ip</b> program
+    if  this  package is installed by the presence of an <b>ip</b> program 
 on   your  firewall  system. As root, you can use the 'which' command to 
 check   for this  program:</p>
@ -67,6 +67,8 @@ check   for this  program:</p>
      changes. Points at which configuration changes are  recommended are 
 flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
 . Configuration notes that are unique to LEAF/Bering are marked with <img
 src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
              </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
@ -81,7 +83,7 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
  Version     of    dos2unix</a></li>
                <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
-of    dos2unix</a></li>
+ of    dos2unix</a></li>
 </ul>
@ -103,8 +105,8 @@ few  of  these as described in this guide.  After you have <a
      and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a 
-      set of  <i>zones.</i> In the three-interface sample configuration,
+      set of  <i>zones.</i> In the three-interface sample configuration, the
-the    following   zone names are used:</p>
+   following   zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -138,19 +140,19 @@ the    following   zone names are used:</p>
      in  terms of zones.</p>
 <ul>
-               <li>You express your default policy for connections from one 
+                <li>You express your default policy for connections from
- zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+one   zone   to  another    zone in the<a
-         </a>file.</li>
+ href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                <li>You define exceptions to those default policies in the
       <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first 
-      checked against the  /etc/shorewall/rules file. If no rule in that
+      checked against the  /etc/shorewall/rules file. If no rule in that file
-file     matches  the connection  request then the first policy in /etc/shorewall/policy
+    matches  the connection  request then the first policy in /etc/shorewall/policy 
-    that  matches the    request is applied. If that policy is REJECT or
+    that  matches the    request is applied. If that policy is REJECT or DROP 
-DROP      the request is first  checked against the rules in /etc/shorewall/common
+    the request is first  checked against the rules in /etc/shorewall/common 
   (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample 
@ -251,9 +253,9 @@ make   any   changes  that you  wish.</p>
   <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
   <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
   <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External 
-  Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
+  Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
-via   a regular modem, your External  Interface will also be <b>ppp0</b>.
+  a regular modem, your External  Interface will also be <b>ppp0</b>. If
-If you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
+you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -264,8 +266,8 @@ If you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
       eth1 or eth2) and will be connected to a hub or switch. Your local 
 computers       will be connected to the same switch (note: If you have only 
-a single   local   system,  you can connect the firewall directly to the
+a single   local   system,  you can connect the firewall directly to the computer
-computer using   a <i>cross-over   </i> cable).</p>
+using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
      (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your 
@ -275,19 +277,19 @@ computer using   a <i>cross-over   </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-            </b></u>Do not connect more than one interface  to the same hub 
+             </b></u>Do not connect more than one interface  to the same
- or  switch    (even for testing). It won't work the way that you  expect 
+hub   or  switch    (even for testing). It won't work the way that you  expect
-it to  and you   will end up confused and  believing that Shorewall doesn't
+ it to  and you   will end up confused and  believing that Shorewall doesn't 
  work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                 The Shorewall three-interface sample configuration assumes 
- that    the   external interface is <b>eth0, </b>the local interface is
+ that    the   external interface is <b>eth0, </b>the local interface is <b>eth1
-<b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration
+  </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is
-is different,    you will have to modify the sample  /etc/shorewall/interfaces 
+different,    you will have to modify the sample  /etc/shorewall/interfaces
-file accordingly.     While you are there, you may wish to  review the list 
+ file accordingly.     While you are there, you may wish to  review the list
-of options that are    specified for the interfaces. Some hints:</p>
+ of options that are    specified for the interfaces. Some hints:</p>
 <ul>
                <li>                                                    
@ -308,17 +310,16 @@ of options that are    specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet 
       Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
-a  single    <i> Public</i> IP address. This address may be assigned via
+a  single    <i> Public</i> IP address. This address may be assigned via the<i>
-the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
+ Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
-establishing  your  connection   when you dial in (standard modem) or establish
+ your  connection   when you dial in (standard modem) or establish your PPP
-your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
+ connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
-IP address; that  means that  you  configure your firewall's external interface
+address; that  means that  you  configure your firewall's external interface 
- to use that  address permanently.<i>  </i>Regardless of how the address
+ to use that  address permanently.<i>  </i>Regardless of how the address is
-is  assigned, it  will be shared by all of your  systems when you access
+ assigned, it  will be shared by all of your  systems when you access the
-the Internet. You will have to assign your  own addresses  for your internal
+Internet. You will have to assign your  own addresses  for your internal network
-network (the local and DMZ Interfaces on  your firewall plus your other 
+(the local and DMZ Interfaces on  your firewall plus your other  computers).
-computers). RFC 1918 reserves several <i>Private  </i>IP address ranges for
+RFC 1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
 this  purpose:</p>
 <div align="left">                
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -327,20 +328,20 @@ this  purpose:</p>
 <div align="left">                
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                   Before starting Shorewall, you should look at the IP address 
+                    Before starting Shorewall, you should look at the IP
-   of  your  external    interface and if it is one of the above ranges, you
+address     of  your  external    interface and if it is one of the above
-   should  remove  the    'norfc1918' option from the external interface's 
+ranges, you    should  remove  the    'norfc1918' option from the external
- entry  in    /etc/shorewall/interfaces.</p>
+interface's   entry  in    /etc/shorewall/interfaces.</p>
             </div>
 <div align="left">                
 <p align="left">You will want to assign your local addresses from one <i>
         sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-   subnet.  For our purposes, we can consider a subnet    to consists of a
+    subnet.  For our purposes, we can consider a subnet    to consists of
- range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
+a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a
-   Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the
+<i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved
-<i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>
+as    the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet
-  <i>Address</i>.  In Shorewall,  a subnet is described using <a
+Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing 
 </i>(CIDR)</a>   notation with consists of the subnet address  followed 
  by "/24". The "24"  refers to the number of    consecutive "1"  bits from 
@ -381,8 +382,8 @@ this  purpose:</p>
 <div align="left">                
 <p align="left">It is conventional to assign the internal interface either 
-      the    first usable address in the subnet (10.10.10.1 in the above
+      the    first usable address in the subnet (10.10.10.1 in the above example)
-example)       or the    last usable address (10.10.10.254).</p>
+      or the    last usable address (10.10.10.254).</p>
             </div>
 <div align="left">                
@ -421,7 +422,7 @@ set to the   IP address  of the firewall's DMZ interface.
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
-    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
+     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign 
 your external interface an RFC 1918  address. If that address is in the 10.10.10.0/24 
 subnet then you will need  to select a DIFFERENT RFC 1918 subnet for your 
 local network and if it is in the 10.10.11.0/24 subnet then you will need 
@ -438,17 +439,17 @@ to select a different RFC 1918 subnet for your DMZ.</b><br>
  Translation   </i>(NAT). The firewall  rewrites the source address in the 
  packet to be  the address of the firewall's  external interface; in other 
  words, the firewall   makes it look as if the firewall  itself is initiating 
-  the connection.  This  is necessary so that the  destination host will
+  the connection.  This  is necessary so that the  destination host will be
-be   able to route return packets   back to the firewall  (remember that
+  able to route return packets   back to the firewall  (remember that packets
-packets   whose destination address is   reserved by RFC 1918 can't  be routed
+  whose destination address is   reserved by RFC 1918 can't  be routed accross
-accross   the internet). When the firewall   receives a return packet, it
+  the internet). When the firewall   receives a return packet, it  rewrites
- rewrites   the destination address back to 10.10.10.1   and  forwards the
+  the destination address back to 10.10.10.1   and  forwards the packet on
-packet on  to local computer 1. </p>
+ to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
+ IP Masquerading</i> and you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
                <li>                                                    
@ -478,10 +479,10 @@ edit    /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-                If your external IP  is static, you can enter it in the third 
+                 If your external IP  is static, you can enter it in the
-  column    in the /etc/shorewall/masq entry  if you like although your firewall 
+third    column    in the /etc/shorewall/masq entry  if you like although
-  will    work fine if you leave that column  empty. Entering your static 
+your firewall    will    work fine if you leave that column  empty. Entering
-IP  in column    3 makes <br>
+your static  IP  in column    3 makes <br>
    processing outgoing packets a  little more efficient.<br>
    </p>
@ -502,17 +503,17 @@ IP  in column    3 makes <br>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your 
-      DMZ computers. Because these computers have RFC-1918 addresses, it
+      DMZ computers. Because these computers have RFC-1918 addresses, it is
-is   not     possible for clients on the internet to connect directly to
+  not     possible for clients on the internet to connect directly to them.
-them.   It is   rather  necessary for those clients to address their connection
+  It is   rather  necessary for those clients to address their connection 
 requests    to your firewall  who rewrites the destination address to the 
 address of   your server and forwards  the packet to that server. When your 
 server responds,     the firewall automatically  performs SNAT to rewrite 
 the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-      Destination Network Address Translation</i> (DNAT). You configure port 
+       Destination Network Address Translation</i> (DNAT). You configure
-    forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
      is:</p>
@ -546,8 +547,8 @@ the source address   in  the response.</p>
  </table>
              </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
-be the same  as <i>&lt;port&gt;</i>.</p>
+the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming 
       TCP port 80 to that system:</p>
@ -593,10 +594,10 @@ be the same  as <i>&lt;port&gt;</i>.</p>
 <ul>
                <li>When you are connecting to your server from your local
-systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
+ systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
-               <li>Many ISPs block incoming connection requests to port 80. 
+                <li>Many ISPs block incoming connection requests to port
- If  you   have     problems connecting to your web server, try the following
+80.   If  you   have     problems connecting to your web server, try the
-  rule and  try     connecting to port 5000 (e.g., connect to <a
+following   rule and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your 
      external IP).</li>
@ -705,7 +706,7 @@ systems,     you  must    use the server's internal IP address (10.10.11.2).</li
              </blockquote>
 <p>If you want to access your server from the DMZ using your external IP 
- address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
+address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
                 At this point, add the DNAT and  ACCEPT rules for your servers.
@ -729,9 +730,8 @@ of two   approaches:</p>
      name    servers. If you ISP gave you the addresses of their servers 
 or   if   those    addresses are available on their web site, you can configure 
   your   internal    systems to use those addresses. If that information 
-isn't   available,   look in    /etc/resolv.conf on your firewall system
+isn't   available,   look in    /etc/resolv.conf on your firewall system --
-- the name  servers are  given in    "nameserver" records in that file.
+the name  servers are  given in    "nameserver" records in that file.   </p>
  </p>
               </li>
               <li>                                                     
@ -739,15 +739,15 @@ isn't   available,   look in    /etc/resolv.conf on your firewall system
 width="13" height="13">
                 You can configure a<i> Caching Name Server </i>on your 
  firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name
-server (which     also     requires the 'bind' RPM) and for Bering users, 
+ server (which     also     requires the 'bind' RPM) and for Bering users,
-there is dnscache.lrp.     If you    take this approach, you configure your 
+ there is dnscache.lrp.     If you    take this approach, you configure your
-internal systems to use    the caching    name server as their primary (and 
+ internal systems to use    the caching    name server as their primary (and
-only) name server. You  use  the internal IP    address of the firewall (10.10.10.254
+ only) name server. You  use  the internal IP    address of the firewall
- in the example  above)    for the name    server address if you choose to
+(10.10.10.254  in the example  above)    for the name    server address if
- run the name server  on your   firewall. To allow your local systems to
+you choose to  run the name server  on your   firewall. To allow your local
-talk  to your caching name      server,   you must open port 53 (both UDP
+systems to talk  to your caching name      server,   you must open port 53
-and TCP)  from the local network   to the    server; you do that by adding
+(both UDP and TCP)  from the local network   to the    server; you do that
-the rules  in /etc/shorewall/rules.       </p>
+by adding the rules  in /etc/shorewall/rules.       </p>
               </li>
 </ul>
@ -1056,8 +1056,8 @@ the rules  in /etc/shorewall/rules.       </p>
             </div>
 <div align="left">                
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
             </div>
 <div align="left">                
@ -1097,10 +1097,59 @@ application uses, look <a href="ports.htm">here</a>.</p>
              </div>
 <div align="left">                
 <p align="left">                </p>
 <p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
     Bering users will want to add the following two rules to be compatible
 with Jacques's Shorewall configuration.<br>
 </p>
 <div align="left">                
 <blockquote>                                            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                    <tbody>
                   <tr>
                      <td><u><b>ACTION</b></u></td>
                      <td><u><b>SOURCE</b></u></td>
                      <td><u><b>DESTINATION</b></u></td>
                      <td><u><b>PROTOCOL</b></u></td>
                      <td><u><b>PORT</b></u></td>
                      <td><u><b>SOURCE PORT</b></u></td>
                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc<br>
 </td>
                      <td>fw</td>
                      <td>udp<br>
 </td>
                      <td>53<br>
 </td>
                      <td>#Allow DNS Cache to</td>
                      <td>work<br>
 </td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc</td>
                      <td>fw</td>
                      <td>tcp</td>
                      <td>80</td>
                      <td>#Allow weblet to work</td>
                      <td><br>
 </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
              </div>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                 Now modify    /etc/shorewall/rules to add or remove other
-connections      as required.</p>
+ connections      as required.</p>
             </div>
 <div align="left">                
@ -1129,9 +1178,9 @@ connections      as required.</p>
         and stopped using "shorewall stop". When the firewall is stopped, 
 routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
-         running firewall may be restarted using the "shorewall restart"
+         running firewall may be restarted using the "shorewall restart" command.
-command.       If    you want to totally remove any trace of Shorewall from
+      If    you want to totally remove any trace of Shorewall from your Netfilter
-your Netfilter          configuration, use "shorewall clear".</p>
+         configuration, use "shorewall clear".</p>
             </div>
 <div align="left">                
@ -1139,9 +1188,9 @@ your Netfilter          configuration, use "shorewall clear".</p>
 height="13">
                 The three-interface sample assumes that you want to enable 
    routing    to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
-  when Shorewall    is stopped.    If these two interfaces don't connect to
+   when Shorewall    is stopped.    If these two interfaces don't connect
-  your local network    and DMZ or if you    want to enable a different set
+to   your local network    and DMZ or if you    want to enable a different
-  of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
+set   of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
             </div>
 <div align="left">                
@ -1155,11 +1204,12 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
             </div>
-<p align="left"><font size="2">Last updated 1/21/2003 - <a
+<p align="left"><font size="2">Last updated 1/30/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-Thomas      M. Eastep</font></a></p>
+ Thomas      M. Eastep</font></a></p>
               <br>
             <br>
            <br>
           <br>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -61,8 +61,8 @@ follow      the  documentation.</p>
       </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
+      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-tell     if  this  package is installed by the presence of an <b>ip</b> program
+    if  this  package is installed by the presence of an <b>ip</b> program 
 on   your  firewall  system. As root, you can use the 'which' command to 
 check   for this  program:</p>
@ -73,7 +73,10 @@ check   for this  program:</p>
      changes. Points at which configuration changes are  recommended are 
 flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-            .</p>
+             . Configuration notes that are unique to LEAF/Bering are marked
 with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
 height="36">
 </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                  If you edit your configuration files on a Windows system, 
@ -87,7 +90,7 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
  Version     of    dos2unix</a></li>
                <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
-of    dos2unix</a></li>
+ of    dos2unix</a></li>
 </ul>
@ -96,12 +99,12 @@ of    dos2unix</a></li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
          The configuration files for Shorewall are contained in the directory
-   /etc/shorewall -- for simple setups, you will only need to deal with a 
+    /etc/shorewall -- for simple setups, you will only need to deal with
-few  of  these as described in this guide.  After you have <a
+a  few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
-      un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
+      un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
-/etc/shorewall        (these files will replace files with the same name).</b></p>
+       (these files will replace files with the same name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual 
      file on your system -- each file contains detailed  configuration instructions 
@ -140,23 +143,23 @@ few  of  these as described in this guide.  After you have <a
      in  terms of zones.</p>
 <ul>
-               <li>You express your default policy for connections from one 
+                <li>You express your default policy for connections from
- zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+one   zone   to  another    zone in the<a
-         </a>file.</li>
+ href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                <li>You define exceptions to those default policies in the
       <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first 
-      checked against the  /etc/shorewall/rules file. If no rule in that
+      checked against the  /etc/shorewall/rules file. If no rule in that file
-file     matches  the connection  request then the first policy in /etc/shorewall/policy
+    matches  the connection  request then the first policy in /etc/shorewall/policy 
-    that  matches the    request is applied. If that policy is REJECT or
+    that  matches the    request is applied. If that policy is REJECT or DROP 
-DROP      the request is first  checked against the rules in /etc/shorewall/common
+    the request is first  checked against the rules in /etc/shorewall/common 
   (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>                                          
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -238,8 +241,8 @@ to  the   internet</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-                At this point, edit your /etc/shorewall/policy and make any 
+                 At this point, edit your /etc/shorewall/policy and make
- changes     that you  wish.</p>
+any   changes     that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -247,9 +250,9 @@ to  the   internet</li>
 height="635">
             </p>
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
       <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
       over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
 <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External 
@ -271,10 +274,10 @@ If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-            </b></u>Do not connect the internal and external interface  to
+             </b></u>Do not connect the internal and external interface 
- the   same   hub or switch (even for testing). It won't work the way that
+to  the   same   hub or switch (even for testing). It won't work the way
- you think  that   it will and you will end up confused and  believing that
+that  you think  that   it will and you will end up confused and  believing
- Shorewall   doesn't   work at all.</p>
+that  Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
@ -282,8 +285,8 @@ If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
 that    the   external  interface is <b>eth0</b> and the internal interface 
 is <b>eth1</b>.     If your  configuration is different, you will have to 
 modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-file    accordingly.  While you are there, you may wish to  review the list 
+ file    accordingly.  While you are there, you may wish to  review the list
-of options   that are  specified for the interfaces. Some hints:</p>
+ of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
                <li>                                                    
@ -304,16 +307,16 @@ of options   that are  specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet 
       Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
-a  single    <i> Public</i> IP address. This address may be assigned via
+a  single    <i> Public</i> IP address. This address may be assigned via the<i>
-the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
+ Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
-establishing  your  connection   when you dial in (standard modem) or establish
+ your  connection   when you dial in (standard modem) or establish your PPP
-your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
+ connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
-IP address; that  means that  you  configure your firewall's external interface
+address; that  means that  you  configure your firewall's external interface 
- to use that  address permanently.<i>  </i>However your external address
+ to use that  address permanently.<i>  </i>However your external address is
-is  assigned, it  will be shared by all of your systems when you access the
+ assigned, it  will be shared by all of your systems when you access the 
- Internet. You will have to assign your  own addresses in your  internal
+Internet. You will have to assign your  own addresses in your  internal network
-network (the Internal  Interface on your firewall  plus your other  computers).
+(the Internal  Interface on your firewall  plus your other  computers). RFC
-RFC 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
+1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">                
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -322,24 +325,23 @@ RFC 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</
 <div align="left">                
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                   Before starting Shorewall, you should look at the IP address 
+                    Before starting Shorewall, you should look at the IP
-   of  your  external    interface and if it is one of the above ranges, you
+address     of  your  external    interface and if it is one of the above
-   should  remove  the    'norfc1918' option from the external interface's 
+ranges, you    should  remove  the    'norfc1918' option from the external
- entry  in    /etc/shorewall/interfaces.</p>
+interface's   entry  in    /etc/shorewall/interfaces.</p>
             </div>
 <div align="left">                
 <p align="left">You will want to assign your addresses from the same <i>
  sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet 
-         to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
+         to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
-subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
+      will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
-x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is
+    is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved
-reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
+ as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet
-a subnet  is  described  using <a
+ is  described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
- href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
+ InterDomain Routing  </i>(CIDR)  notation</a> with consists of the subnet
- </i>(CIDR)  notation</a> with consists of the subnet  address followed 
+ address followed    by "/24". The  "24" refers to the number of    consecutive
-  by "/24". The  "24" refers to the number of    consecutive  leading "1"
+ leading "1" bits from the left  of the subnet mask. </p>
 bits from the left  of the subnet mask. </p>
             </div>
 <div align="left">                
@ -376,8 +378,8 @@ bits from the left  of the subnet mask. </p>
 <div align="left">                
 <p align="left">It is conventional to assign the internal interface either 
-      the    first usable address in the subnet (10.10.10.1 in the above
+      the    first usable address in the subnet (10.10.10.1 in the above example)
-example)       or the    last usable address (10.10.10.254).</p>
+      or the    last usable address (10.10.10.254).</p>
             </div>
 <div align="left">                
@ -391,9 +393,9 @@ example)       or the    last usable address (10.10.10.254).</p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                 Your local computers (computer    1 and computer 2 in the
-above    diagram)   should be configured with their<i>    default gateway</i> 
+ above    diagram)   should be configured with their<i>    default gateway</i>
-to  be  the IP address   of the firewall's internal    interface.<i>      
+ to  be  the IP address   of the firewall's internal    interface.<i>     
-</i>  </p>
+ </i>  </p>
             </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -414,10 +416,10 @@ to  be  the IP address   of the firewall's internal    interface.<i>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
-    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
+     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign 
 your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 
-subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
+subnet then you will need to select a DIFFERENT RFC 1918 subnet for your local
-local network.</b><br>
+network.</b><br>
  </p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
@ -427,20 +429,20 @@ local network.</b><br>
  forward    packets  which have an RFC-1918 destination address. When one 
 of your local    systems  (let's assume computer 1) sends a connection request 
  to an internet    host, the  firewall must perform <i>Network Address Translation 
-   </i>(NAT).    The firewall  rewrites the source address in the packet
+   </i>(NAT).    The firewall  rewrites the source address in the packet to
-to   be the address    of the firewall's  external interface; in other words,
+  be the address    of the firewall's  external interface; in other words, 
 the firewall makes    it look as if the firewall  itself is initiating the 
 connection.  This is   necessary so that the  destination host will be able 
 to route return packets   back to the firewall  (remember that packets whose 
 destination address is   reserved by RFC 1918 can't  be routed across the 
 internet so the remote host  can't address its response to  computer 1). 
-When the firewall receives a return packet, it  rewrites the destination
+When the firewall receives a return packet, it  rewrites the destination address
-address  back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
+ back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
                <li>                                                    
@ -464,18 +466,19 @@ with  Netfilter:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                If your external firewall interface is <b>eth0</b>, you do
+                 If your external firewall interface is <b>eth0</b>, you
- not    need   to modify the file provided with the sample. Otherwise, edit
+do  not    need   to modify the file provided with the sample. Otherwise,
-  /etc/shorewall/masq      and change the first column to the name of your
+edit   /etc/shorewall/masq      and change the first column to the name of
- external  interface and    the  second column to the name of your internal
+your  external  interface and    the  second column to the name of your internal 
 interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                If your external IP is  static, you can enter it in the third 
+                 If your external IP is  static, you can enter it in the
-  column    in the /etc/shorewall/masq entry if  you like although your firewall 
+third    column    in the /etc/shorewall/masq entry if  you like although
-  will    work fine if you leave that column empty.  Entering your static 
+your firewall    will    work fine if you leave that column empty.  Entering
-IP  in column    3 makes processing outgoing packets a little  more efficient.<br>
+your static  IP  in column    3 makes processing outgoing packets a little
 more efficient.<br>
     <br>
     <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
@ -494,17 +497,17 @@ IP  in column    3 makes processing outgoing packets a little  more efficient.<b
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals may be to run one or more servers on your 
-       local computers. Because these computers have RFC-1918 addresses,
+       local computers. Because these computers have RFC-1918 addresses, it
-it   is   not  possible for clients on the internet to connect directly to
+  is   not  possible for clients on the internet to connect directly to them.
-them.   It   is rather  necessary for those clients to address their connection
+  It   is rather  necessary for those clients to address their connection 
 requests     to the firewall  who rewrites the destination address to the 
-address of   your   server and forwards  the packet to that server. When
+address of   your   server and forwards  the packet to that server. When your
-your server responds,     the firewall automatically  performs SNAT to rewrite
+server responds,     the firewall automatically  performs SNAT to rewrite 
 the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-      Destination Network Address Translation</i> (DNAT). You configure port 
+       Destination Network Address Translation</i> (DNAT). You configure
-    forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
      is:</p>
@ -574,12 +577,12 @@ the source address   in  the response.</p>
 <ul>
                <li>You must test the above rule from a client outside of 
 your   local    network    (i.e., don't test from a browser running on computers
-  1 or 2  or  on the    firewall). If you want to be able to access your web
+   1 or 2  or  on the    firewall). If you want to be able to access your
-  server  using  the IP    address of your external interface, see <a
+web   server  using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-               <li>Many ISPs block incoming connection requests to port 80. 
+                <li>Many ISPs block incoming connection requests to port
- If  you   have     problems connecting to your web server, try the following
+80.   If  you   have     problems connecting to your web server, try the
-  rule and  try     connecting to port 5000.</li>
+following   rule and  try     connecting to port 5000.</li>
 </ul>
@ -622,9 +625,9 @@ your   local    network    (i.e., don't test from a browser running on computers
     will be  automatically configured (e.g., the /etc/resolv.conf file will 
   be  written).  Alternatively, your ISP may have given you the IP address 
  of a  pair of DNS <i> name servers</i> for you to manually configure as 
-your    primary  and secondary  name servers. Regardless of how DNS gets
+your    primary  and secondary  name servers. Regardless of how DNS gets configured
-configured    on your  firewall, it is <u>your</u> responsibility to configure
+   on your  firewall, it is <u>your</u> responsibility to configure the resolver
-the resolver    in your   internal systems. You can take one of two approaches:</p>
+   in your   internal systems. You can take one of two approaches:</p>
 <ul>
                <li>                                                    
@ -633,23 +636,22 @@ the resolver    in your   internal systems. You can take one of two approaches:<
      name    servers. If you ISP gave you the addresses of their servers 
 or   if   those    addresses are available on their web site, you can configure 
   your   internal    systems to use those addresses. If that information 
-isn't   available,   look in    /etc/resolv.conf on your firewall system
+isn't   available,   look in    /etc/resolv.conf on your firewall system --
-- the name  servers are  given in    "nameserver" records in that file.
+the name  servers are  given in    "nameserver" records in that file.   </p>
  </p>
               </li>
               <li>                                                     
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                 You can configure a<i> Caching Name Server </i>on your 
- firewall.<i>          </i>Red Hat has an RPM for a caching name server (the 
+  firewall.<i>          </i>Red Hat has an RPM for a caching name server
-RPM also    requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp.
+(the  RPM also    requires    the 'bind' RPM) and for Bering users, there
- If you    take   this approach, you configure your internal systems to use
+is dnscache.lrp.  If you    take   this approach, you configure your internal
- the firewall    itself as their primary (and only) name server. You use
+systems to use  the firewall    itself as their primary (and only) name server.
-the  internal IP     address of the firewall (10.10.10.254 in the example
+You use the  internal IP     address of the firewall (10.10.10.254 in the
-above)  for the name       server address. To allow your local systems to
+example above)  for the name       server address. To allow your local systems
-talk to  your caching name      server, you must open port 53 (both UDP and
+to talk to  your caching name      server, you must open port 53 (both UDP
-TCP) from  the local network   to the    firewall; you do that by adding
+and TCP) from  the local network   to the    firewall; you do that by adding 
 the following  rules in /etc/shorewall/rules.       </p>
               </li>
@ -870,8 +872,8 @@ the following  rules in /etc/shorewall/rules.       </p>
             </div>
 <div align="left">                
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
             </div>
 <div align="left">                
@ -911,8 +913,55 @@ application uses, look <a href="ports.htm">here</a>.</p>
              </div>
 <div align="left">                
-<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
+<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
- height="13">
+ width="49" height="36">
     Bering users will want to add the following two rules to be compatible
 with Jacques's Shorewall configuration.</p>
 <div align="left">                
 <blockquote>                                            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                    <tbody>
                   <tr>
                      <td><u><b>ACTION</b></u></td>
                      <td><u><b>SOURCE</b></u></td>
                      <td><u><b>DESTINATION</b></u></td>
                      <td><u><b>PROTOCOL</b></u></td>
                      <td><u><b>PORT</b></u></td>
                      <td><u><b>SOURCE PORT</b></u></td>
                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc<br>
        </td>
                      <td>fw</td>
                      <td>udp<br>
        </td>
                      <td>53<br>
        </td>
                      <td>#Allow DNS Cache to</td>
                      <td>work<br>
        </td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc</td>
                      <td>fw</td>
                      <td>tcp</td>
                      <td>80</td>
                      <td>#Allow weblet to work</td>
                      <td><br>
        </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
              </div>
 <p align="left"><br>
 <img border="0" src="images/BD21298_.gif" width="13" height="13">
                 Now edit your    /etc/shorewall/rules file to add or delete
  other    connections  as required.</p>
             </div>
@ -943,18 +992,18 @@ application uses, look <a href="ports.htm">here</a>.</p>
         and stopped using "shorewall stop". When the firewall is stopped, 
 routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
-         running firewall may be restarted using the "shorewall restart"
+         running firewall may be restarted using the "shorewall restart" command.
-command.       If    you want to totally remove any trace of Shorewall from
+      If    you want to totally remove any trace of Shorewall from your Netfilter
-your Netfilter          configuration, use "shorewall clear".</p>
+         configuration, use "shorewall clear".</p>
             </div>
 <div align="left">                
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                 The two-interface sample assumes that you want to enable 
-   routing     to/from <b>eth1 </b>(the local network) when Shorewall is
+   routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
-stopped.  If    your local network isn't connected to <b>eth1</b> or if you
+ If    your local network isn't connected to <b>eth1</b> or if you wish to
-wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped 
+ enable       access to/from other hosts, change /etc/shorewall/routestopped
  accordingly.</p>
             </div>
@ -973,7 +1022,8 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-Thomas      M. Eastep</font></a></p>
+ Thomas      M. Eastep</font></a></p>
               <br>
             <br>
            <br>
           <br>
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@ -20,6 +20,7 @@
          <tbody>
          <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
            </td>
          </tr>
@ -30,17 +31,71 @@
 <p>For upgrade instructions see the                               <a
 href="Install.htm">Install/Upgrade page</a>.</p>
 <h3>Version &gt;= 1.3.14</h3>
 <img src="images/BD21298_3.gif" alt="" width="13" height="13">
      Beginning in version 1.3.14, Shorewall treats entries in <a
 href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change 
 involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) 
 <b>column</b>:<br>
 <ul>
   <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface 
 (as shown by "ip addr show <i>interface</i>") and would masquerade traffic 
 from that subnet. Any other subnets that routed through eth1 needed their 
 own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li>
   <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing 
 table to determine ALL subnets routed through the named interface. Traffic 
 originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
 </ul>
 You will need to make a change to your configuration if:<br>
 <ol>
   <li>You have one or more entries in /etc/shorewall/masq with an interface 
 name in the SUBNET (second) column; and</li>
   <li>That interface connects to more than one subnetwork.</li>
 </ol>
 Two examples:<br>
 <br>
  <b>Example 1</b> -- Suppose that your current config is as follows:<br>
    <br>
 <pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE              SUBNET                  ADDRESS<br>	eth0                    eth2                    206.124.146.176<br>	eth0                    192.168.10.0/24         206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>	[root@gateway test]#</pre>
 <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer 
 required.<br>
 </blockquote>
 <b>Example 2</b>-- What if your current configuration is like this?<br>
 <pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    eth2                    206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	<br>	[root@gateway test]#</pre>
 <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq 
 to:<br>
 </blockquote>
 <pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
 <img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.
 The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used
 to specify that the old (pre-1.3.14) ping handling is to be used (If the
 option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
 is assumed). I don't plan on supporting the old handling indefinitely so
 I urge current users to migrate to using the new handling as soon as possible.
 See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
 <h3>Version 1.3.10</h3>
-If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
+  If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
-1.3.10, you will need to use the '--force' option:<br>
+ 1.3.10, you will need to use the '--force' option:<br>
-<br>
+  <br>
 <blockquote>      
  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
-</blockquote>
+  </blockquote>
 <h3>Version &gt;= 1.3.9</h3>
    The 'functions' file has moved to /usr/lib/shorewall/functions. If you
-have  an application that uses functions from that file, your application
+ have  an application that uses functions from that file, your application
-will need to be changed to reflect this change of location.<br>
+ will need to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.8</h3>
@ -55,7 +110,7 @@ will need to be changed to reflect this change of location.<br>
 <p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf
   will need to include the                                following rules
-in  their /etc/shorewall/icmpdef                                file (creating
+ in  their /etc/shorewall/icmpdef                                file (creating
   this file if necessary):</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
@ -71,25 +126,25 @@ in  their /etc/shorewall/icmpdef                                file (creating
 <ol>
                                       <li>Be sure you have a backup -- you 
-will  need                                  to transcribe any Shorewall configuration
+ will  need                                  to transcribe any Shorewall configuration
                                   changes that you have made to the new
                                 configuration.</li>
                                       <li>Replace the shorwall.lrp package 
-provided  on                                  the Bering floppy with the later
+ provided  on                                  the Bering floppy with the 
-one.  If you did                                  not obtain the later version
+later one.  If you did                                  not obtain the later 
-from Jacques's                                  site, see additional instructions
+version from Jacques's                                  site, see additional 
- below.</li>
+instructions  below.</li>
                                       <li>Edit the /var/lib/lrpkg/root.exclude.list
                                    file and remove the /var/lib/shorewall
-entry  if                                  present. Then do not forget to
+ entry  if                                  present. Then do not forget to
-backup  root.lrp !</li>
+ backup  root.lrp !</li>
 </ol>
 <p>The .lrp that I release isn't set up for a two-interface firewall like
     Jacques's. You need to follow the <a href="two-interface.htm">instructions
   for   setting up a two-interface firewall</a> plus you also need to add
-the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
+ the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
 <blockquote>                      
  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
@ -104,11 +159,12 @@ and   1.3.7</p>
 <ol>
                   <li>                                                 
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
              the following rule<br>
                 <br>
-               <font face="Courier">run_iptables -A newnotsyn -j RETURN # 
+                 <font face="Courier">run_iptables -A newnotsyn -j RETURN 
-So  that the            connection tracking table can be rebuilt<br>
+#  So  that the            connection tracking table can be rebuilt<br>
                                                      # from non-SYN packets
  after  takeover.<br>
        </font>  </p>
@ -166,11 +222,13 @@ So  that the            connection tracking table can be rebuilt<br>
              If you have applications that access these files, those applications
              should be modified accordingly.</p>
-<p><font size="2">  Last updated 11/09/2002 -                           
+<p><font size="2">  Last updated 1/25/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+     © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-</p>
+  </p>
  <br>
 <br>
 </body>
 </html>