From b7d2e8c6848671cf3d59768852b7fc4b414e9ecd Mon Sep 17 00:00:00 2001 
From: paulgear Date: Wed, 7 Jun 2006 03:02:49 +0000 Subject: [PATCH] Import of shoregen 0.1.1 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3999 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- contrib/shoregen/AUTHORS | 1 + contrib/shoregen/BUGS | 6 + contrib/shoregen/COPYING | 340 +++++++++++ contrib/shoregen/README | 125 ++++ contrib/shoregen/TODO | 19 + contrib/shoregen/install_shoregen | 103 ++++ contrib/shoregen/samples/Makefile | 10 + contrib/shoregen/samples/example1.dia | Bin 0 -> 3388 bytes contrib/shoregen/samples/example1.png | Bin 0 -> 30197 bytes contrib/shoregen/samples/hosts/ig | 13 + contrib/shoregen/samples/hosts/mail | 7 + contrib/shoregen/samples/hosts/og | 7 + contrib/shoregen/samples/hosts/proxy | 7 + contrib/shoregen/samples/interfaces/ig | 5 + contrib/shoregen/samples/interfaces/mail | 3 + contrib/shoregen/samples/interfaces/og | 5 + contrib/shoregen/samples/interfaces/proxy | 3 + contrib/shoregen/samples/params/COMMON | 9 + contrib/shoregen/samples/policy | 112 ++++ contrib/shoregen/samples/rules | 187 ++++++ .../shoregen/samples/shorewall.conf/COMMON | 569 ++++++++++++++++++ contrib/shoregen/samples/shorewall.conf/ig | 2 + contrib/shoregen/samples/shorewall.conf/mail | 2 + contrib/shoregen/samples/shorewall.conf/og | 2 + contrib/shoregen/samples/shorewall.conf/proxy | 2 + contrib/shoregen/samples/zones | 10 + contrib/shoregen/shoregen | 373 ++++++++++++ contrib/shoregen/spec/description | 3 + contrib/shoregen/spec/files | 4 + contrib/shoregen/spec/header | 10 + contrib/shoregen/spec/install | 9 + contrib/shoregen/spec/type | 2 + 32 files changed, 1950 insertions(+) create mode 100644 contrib/shoregen/AUTHORS create mode 100644 contrib/shoregen/BUGS create mode 100644 contrib/shoregen/COPYING create mode 100644 contrib/shoregen/README create mode 100644 contrib/shoregen/TODO create mode 100644 contrib/shoregen/install_shoregen create mode 100644 contrib/shoregen/samples/Makefile create mode 100644 
contrib/shoregen/samples/example1.dia create mode 100644 contrib/shoregen/samples/example1.png create mode 100644 contrib/shoregen/samples/hosts/ig create mode 100644 contrib/shoregen/samples/hosts/mail create mode 100644 contrib/shoregen/samples/hosts/og create mode 100644 contrib/shoregen/samples/hosts/proxy create mode 100644 contrib/shoregen/samples/interfaces/ig create mode 100644 contrib/shoregen/samples/interfaces/mail create mode 100644 contrib/shoregen/samples/interfaces/og create mode 100644 contrib/shoregen/samples/interfaces/proxy create mode 100644 contrib/shoregen/samples/params/COMMON create mode 100644 contrib/shoregen/samples/policy create mode 100644 contrib/shoregen/samples/rules create mode 100644 contrib/shoregen/samples/shorewall.conf/COMMON create mode 100644 contrib/shoregen/samples/shorewall.conf/ig create mode 100644 contrib/shoregen/samples/shorewall.conf/mail create mode 100644 contrib/shoregen/samples/shorewall.conf/og create mode 100644 contrib/shoregen/samples/shorewall.conf/proxy create mode 100644 contrib/shoregen/samples/zones create mode 100644 contrib/shoregen/shoregen create mode 100644 contrib/shoregen/spec/description create mode 100644 contrib/shoregen/spec/files create mode 100644 contrib/shoregen/spec/header create mode 100644 contrib/shoregen/spec/install create mode 100644 contrib/shoregen/spec/type diff --git a/contrib/shoregen/AUTHORS b/contrib/shoregen/AUTHORS new file mode 100644 index 000000000..3cedc2493 --- /dev/null +++ b/contrib/shoregen/AUTHORS @@ -0,0 +1 @@ +Paul Gear diff --git a/contrib/shoregen/BUGS b/contrib/shoregen/BUGS new file mode 100644 index 000000000..a7664840c --- /dev/null +++ b/contrib/shoregen/BUGS @@ -0,0 +1,6 @@ +Sat Apr 24 23:10:10 EST 2004: + +- The "minimal" in "Only the minimal information necessary for operation is + stored on each firewall" is a bit of an overstatement. This could + probably use some work. + 
diff --git a/contrib/shoregen/COPYING b/contrib/shoregen/COPYING new file mode 100644 index 000000000..5b6e7c66c --- /dev/null +++ b/contrib/shoregen/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/contrib/shoregen/README b/contrib/shoregen/README new file mode 100644 index 000000000..97c2cbcd7 --- /dev/null +++ b/contrib/shoregen/README 
@@ -0,0 +1,125 @@ +shoregen 0.1 +Shoreline Firewall configuration generator +(c) Copyright 2004 Paul D. Gear + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +SHOREWALL + +The quick plug: + + - I love shorewall. Shorewall is the only firewall i trust. + +The IT Manager plug: + + - Shorewall is a policy-driven firewall which lets you think about your + firewall at a higher level than iptables commands. + +The hard sell to you crazy people still maintaining manual firewall scripts: + + - Shorewall is a wrapper around the kernel iptables, so your existing + Linux firewall skills transfer. I converted from a 900-plus-line + ipchains shell script to around 50 lines of shorewall configuration in + less than 4 hours, with no prior experience. + + +ISSUES + + - I'm paranoid - i want more than one firewall between me and the world. + + - Configuring multiple firewalls separately is a recipe for getting your + rules out of sync, and allowing security problems to creep in. + + - IT Manager types (like me) like to know their policy is consistently + implemented. + + +SOLUTION + +Shoregen is a script that generates shorewall configurations for multiple +firewalls from a common set of rules and policies. 
Only the minimal +information necessary for operation is stored on each firewall, so, for +example, your DMZ server doesn't need to know about the rules on your +internal network, but at the same time, it gets consistent rules to your +outer guard. + + +PHILOSOPHY + +Shoregen assumes the X-Files approach to firewall design: trust no one. +That is, paranoia is a virtue. All access should be as limited as possible +for things to work. If you don't already agree with this philosophy, you +may find some of the things shoregen does frustrating, but then again, +you're probably not reading this document. :-) + + +DESIGN + +Shoregen distinguishes between two different types of shorewall +configurations. Most shorewall configuration files are simply concatenated +together from parts constructed from common and host-specific parts. These +are called simple configs, and shoregen doesn't substantially alter them, +and uses little information from them. + +Configs with which shoregen is more concerned are treated separately, and +additional features beyond the scope of shorewall itself are implemented. +Most importantly, two new policy/rule keywords are introduced: WARN and +BAN. These keywords are not included in shoregen's output, but when a +subsequent rule or policy is encountered which matches a rule or policy +marked WARN or BAN, an error message is issued. In the case of BAN, the +offending line is also dropped from the output, and a non-zero return code +issued. + + +PREREQUISITES + +The tools you will need to use shoregen are: + perl The main shoregen script is written in Perl + rsync Used to keep /etc/shorewall directories on your firewalls + in sync with the central repository + ssh Encrypted transport for rsync + make Optional, but saves a few keystrokes. + + +USAGE + +Put shoregen and install_shoregen in a directory on your PATH. + +Make a central directory for your configs. 
I recommend somewhere in a +trusted user's home directory or central system admin repository. This +directory should be on a trusted machine in the most secure part of your +network. Put all of your policies, rules, and zones together in the +correct order in files in the top level of this directory. + +For each of the simple configs you want to generate centrally, create a +directory, with a file called COMMON (if necessary) containing the content +you want to see in that file on all hosts, and a file named for each host +for host-specific content. I recommend that the default shorewall +configuration file be placed in the COMMON file of the corresponding +directory, with directives that are not appropriate commented out. + +When shoregen is run, it places the generated files in the directory +SPOOL/, where is the hostname of the target firewall. The +files in this directory are synchronised and the firewall checked and/or +restarted by a simple wrapper script called install_shoregen. + +See the samples directory for a starting point configuration. It provides +some suggested policies & rules for the network shown in example1.png. The +sample configuration has not been tested in any way. + +I hope you find shoregen useful. I welcome your comments, contributions, +criticisms, and questions. + diff --git a/contrib/shoregen/TODO b/contrib/shoregen/TODO new file mode 100644 index 000000000..7741da178 --- /dev/null +++ b/contrib/shoregen/TODO 
@@ -0,0 +1,19 @@ +As at Wed Apr 21 22:30:12 EST 2004: + +- Need to make it possible for a host to have the same $FW name as the zone + in which it belongs, and have shoregen automatically create appropriate + rules. + +- At the moment, if a fully-expanded policy file (such as is shown + +- Better documentation & samples. I'm sure there is room for improvement. + +- Better rule & policy sanitisation. Again, there is room for improvement. + +- The Makefile could be improved to detect changes in the lower level + config files and call shoregen automatically when they are out-of-date. + At the moment, shoregen is so simple (and thus fast) that the amount of + time that would be saved by a clever Makefile (in comparison to the + rsync, ssh, and shorewall steps) is probably not worth the trouble to + code. + diff --git a/contrib/shoregen/install_shoregen b/contrib/shoregen/install_shoregen new file mode 100644 index 000000000..13665bf08 --- /dev/null +++ b/contrib/shoregen/install_shoregen 
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
+#
+# Wrapper script to install shoregen-generated shorewall configuration files.
+#
+
+#
+# (c) Copyright 2004 Paul D. Gear
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to
+# on the World Wide Web.
+
+VERBOSE=0
+RESTART=0
+CHECK=1
+
+usage()
+{
+ echo "Usage: $0 [--verbose] [--restart] host ...
+ Generates and installs shorewall configuration on the given hosts" >&2
+ exit 1
+}
+
+error()
+{
+ echo "$0: ERROR -" "$@" >&2
+}
+
+while :; do
+ case "$1" in
+
+ -v|--verbose)
+ VERBOSE=1
+ shift
+ ;;
+
+ -r|--restart)
+ RESTART=1
+ shift
+ ;;
+
+ -c|--nocheck)
+ CHECK=0
+ shift
+ ;;
+
+ --)
+ shift
+ break 2
+ ;;
+
+ --*)
+ error "Unrecognised option $1"
+ usage
+ ;;
+
+ *)
+ break 2
+ ;;
+
+ esac
+done
+
+set -e
+set -u
+
+if [ "$#" -lt 1 ]; then
+ usage
+fi
+
+USER=root
+RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
+#--progress
+if [ "$VERBOSE" -gt 0 ]; then
+ RSYNC_ARGS="$RSYNC_ARGS --verbose"
+fi
+DIR=/etc/shorewall
+SW_PATH=/sbin/shorewall
+
+PATH=$PATH:
+for HOST; do
+ shoregen $HOST
+ rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
+ if [ "$CHECK" -gt 0 ]; then
+ ssh -l $USER -t $HOST $SW_PATH check
+ fi
+ if [ "$RESTART" -gt 0 ]; then
+ ssh -l $USER -t $HOST $SW_PATH restart
+ fi
+done
diff --git a/contrib/shoregen/samples/Makefile b/contrib/shoregen/samples/Makefile
new file mode 100644
index 000000000..2e74e1c28
--- /dev/null
+++ b/contrib/shoregen/samples/Makefile
@@ -0,0 +1,10 @@
+FLAGS=-c -r
+HOSTS=ig proxy mail og
+
+default: $(HOSTS)
+
+$(HOSTS):
+ shoregen $@
+
+install:
+ install_shoregen -c -r $(HOSTS)
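Review bot: `PATH=$PATH:` just before the `for HOST` loop appends an empty component, which POSIX shells treat as the current working directory, so the unqualified `shoregen` (and `rsync`, `ssh`) lookups will also search whatever directory the caller happens to be in; if the intent is to find shoregen next to this script, name that directory explicitly, e.g. `PATH=$PATH:/path/to/shoregen-dir` (placeholder), or invoke it as `./shoregen`. Separately, the rsync into `$USER@$HOST:$DIR/` runs before `$SW_PATH check`, so a configuration that fails the check has already replaced the live files under /etc/shorewall on the target and will be loaded by the next restart; syncing to a staging directory on the target and checking that first (newer Shorewall releases accept a directory argument to `check` — confirm for the version deployed here) would leave the live tree intact until it is known good. In the `--)` and `*)` branches `break 2` has only one enclosing loop, so a plain `break` says what actually happens.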
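Review bot: `FLAGS=-c -r` on the first line is never referenced, while the `install` recipe spells the same flags out literally, so the two can silently drift apart; the recipe should read `install_shoregen $(FLAGS) $(HOSTS)`. The `default`, `install` and `$(HOSTS)` targets name no real files, so if a file called `ig`, `proxy`, `mail` or `og` ever appears in this directory make will consider it up to date and skip shoregen; declaring `.PHONY: default install $(HOSTS)` rules that out.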
diff --git a/contrib/shoregen/samples/example1.dia b/contrib/shoregen/samples/example1.dia new file mode 100644 index 0000000000000000000000000000000000000000..92f26108433bbe89d11aa74220921094e457ddf6 GIT binary patch literal 3388 zcmV-C4a4#uiwFP!000001MOW~Z`;Nae$THEl$REe*L%NIO^P%{g91q#oaW#>8nngO zJf%s2qT;v@=eM6(lDSR{G&YD^Fw zkK*hspC#G(tMR`-{d%OwKfQkO<1C4OfWPNObUA`=WDEQ0)%c<;=RX`DUtL|H^m-AM zd4bYoi5Btk|DrUFj-k=<`1Om?=za&YsEq8j=4w=yMRK|<<53n}#;?Yw(b-?;MZU~t zjy!Rrj*`1ho_4;^)DjzFQV`- zB3Ycw^P()Gq+Azsn&)X8WwoTTSjPS3EY6}7OlFfRq<`<9ld{Yox&O~my4Xg6`tt4Q zdFn_!FOu2jf%u?BM=w{&th_k+>gjRSytov)n?p@#WGMUAT zN8a?qHXS`(G|i45Q+&1Ewi?uzR!FK6kw({X(RBaw9X*YjXWR_>dru)h{cn6$HtPLZ zM%gSXW}~Cg`y`9UcXSJ6o6KH~|G*EQ&#Fey8=%kH1DfZzFOqU3iO~~=s5XkM>c0L` zyTqKHu1YCDktjP)<6B8WaA74;&c&1(gb6hhfe7PD^pkv+XW2=d%_@z0>Dkg$Bg2)1 z8^h9Y)9=Qz<>lFY^?urh&!$eTcJL74jW1Suy8F%O0&K)u5|~7pgGn$t9^L&KWQjFp zTfR+hzAYYp8?TRsm3yi$*LJ&wA%D!%>keZk&c-~%o7>KqHPV`j2}MjY!KO@raT`_} zvylBH&*9OWJZ{NdO0GAByW)mZxJyp8^l5Y5R`a;YanBalVQtja+8Dg@i9#H6qCA=! zLtGh20J*f{SWXqvSV(OptKO!zHEy;mx!z78#RQ-^1LFjAKQzz; zyr1AWjW18m@*-Q0yNA}X5>>hN>w4b0^a#Xo;vnE6PR=jNZV3>K!cR|PTU_KCNiD+aP{iRCvX z3)-ULu896g4EHw8m$Mdnwx{+^OlNLn?*kbDpQ3+8p z*gQ6UAIIr(aZ+2yrn@3l8c|et)iS|#za>K$^ZNd^-q=#XLuP6s9%)3el$DN5ZsaDy z>;7)v*~VuF3TZo2BZ)L#r)pLRhdpVSuF#d-=F7bKGVL=-ByYaVIurDRAjF%|FY)59 zGM|q=zHNaD?Ftpv2qs4Y^$m8nLJ2EGSSe!4km42ZfDy{x47*(>!d16z5)lkp8Z{ns z5d<;&6LJxUm5X@lF#iwyXHiBK$b87Nq=fKweY_jj@s1IpFcdY=gl0ZtHH@&T1ql!Y z{Y`nhF+YTU+l_mW<8jnG^dH9jp^W*B)K0MbSXY*3y;3`d@oj~ODZgQM=AYRe zH4DTZ2Kk;5J8>>DBsKFX@61kWW>*cfbIa`9KeG>^Utsny==Xrxsry*3631Sdom9-u zfZ4?jvs3@f?x!CnRr~Wx-EG3Jiz-a75F?1?S12OF~FRgP_`CVbKKD?0a@e4m&==3!tz4>DKo zlWZI)R(R)fcudO5si~X+l^g$5K7ew8$-{u(115Jalp{c`UWd04Frtmkwl_>pyfb-! 
zodT7Ik-cwJZro?pEZa%%R8A@?mkpJ3pmOlqG4VaI=B!+x@-X1N4fuPjyFS^qxGfta z;QIf-^ekua27F~%;Nn%+t!_T&C9VSfMS_pm2N|7FZ=M)n+5Fw=j21#=fL z5cgR(#OrA>pTNKn*VJy1#t2trS_{>P*iZWp3-6Zkq71;`01Pcg7J$JkFt``mam1zO zb{)U*92DG2B0>?Zrgs-ibz%PzB5Zup4;VU)ENpx-L;~Sm43ROs&bQDvbWx1H`;=eB z#rJK1;asanY%#n~n4os6lY0FupAvzvk#<8AfwAzMK zPp>`ZwH-UXY6sj_Z8m`s6_Sgk^8gjo5+}7;jW)NdS%fM|ra)X@D&LOyedIsHvXushej-yEAn5Z2i18SEg5 zFe9r{ccaCW+RP^Ac6uKRuV=6iqGLFNJxuN&^5p&>;S6>Mh64yO7OE7-;RN=bdBN_R zDpO?SPTXJ$ZWgUhDy;qBJIROT2Zw0c1tq%7Ekw&+al*L{o=PO@C{}nb0J2`MFw`C| zT^9gpgcaZhvt`kTfD_+UBkH%0FTgb_;>99fd>9>7dysQQdv8#(Ezc=k3nLVS z8OwB3G7io%(2pdZscsNWw_5_ni15mFlC$24?!a|n7lg38&r=!BSfAVgQgJ3pAh>}O zKOgh-`hAkcZ6xQss^jL}LA0-gHqaZv7(5;icFb+xI{qo&$a0roXp|joK*Vs z({jBn+!cr0vA0F_mNasfXBj99?`E-vRX4vGUBDYna7GQr9)E{`WwtC6Njvh_Uk_ z+MXpHFydR;|ESf}f*au#BiIm&3c0OuWyR z1~_sH+il?OZibwBodP8cyiG%_D6O=l_BJ=!Y`+i4COt9De&{XX+2%$BdYGeeV_IL`;3DIHN^ZD;^^w7Y9=in6(oU8Q&kT$nV zY{ADDe)m7C1lgPek!mUtqeR=?(E3+m>=+lqChZQm&}C-X;NF&`ycXxwGNjD-0f=YLnC@mqNbV@fUrSzHG z=XuZn{r%4Qa6X*tgWNaleeHFvHP@J9jycv2S5lC|!6L^(AP_jxPm#(91bPYrffjrH z3jC(p7M&h`pgTX3R=s}x`qaGQPXvM%A&rz!^+?~Eao1HDJH`CPbc0ss$uoT7C#pom zOtKQ<)@nr6NrKus#UvWl#UnMil&)1Z)iv7I<=WLd9BNk29PeT9v*IFa0 z8SF<$UzdLBM7Za9InVa+;p#L~>hGm#=Yjd_7*}2hws&+KZcn9bGm|e3=c^cZMVktt zMvEX`te`^uLJB-)ipJ5Pd!5oCXZ^A8TAt}6U0t} z`sspKp^5rADDv;V2=PC(5vXzf|M3Fj&u)k)buTY3C8b+zp$hWyyQ9To&fe2?jxv9o zH-_`ejk^k%{|!g2Rg)d{p=;EU9R(V-cDR>k&Z*nXM11Z$t-pS;*+{`7Bb1m-%F`V7 zmevy!d0;Lgl9EQMELFy%QK67U-EA}?OG`_Kg(E^r=9#pux%53hf$HD04f=H(@pk?A z@uRadWSeF9qJReL)g`wb@lYT4>vm8h+KPmda$sujsLTR_0OYF_x^vK zn;Jh#+$nt2Uq8Qz?LfUOU`K)k8}*9@Os)Suj7d4_|FgXRKfmDqb0I`5ors7CGjmwd zqYFQ1wNcUbln&pFE>^rB7%Dc2t@w(L%(Pi9c_&E&u9AMR#FAGu6)zG zP3;%Fjhfc1I0%w$h4jBn3=C25>wg0 zE_c$^&=}Ki_9}O>@H8xB# z_@-?wEU1j-Ffe@Z5j9Boje0+#V*KRy@mXuDAnEwRZx2l-V)&hS8|9O4 zw70I?%{Gw{5IAiNvlz-hc<`fkc5i*6vTL$h%<8Tj>L$%W?CK=w=;+qg))TIhQRKW< z!+ByCf9V++SJsAdLh)$6efuWr%6c%Iuhfrm1KyAoTD7pj`OVr%J-HGyxWSedH*|4+ zzTEQ1$G*P4wY9YYvCAe?*^beae|zlM@(D?AA6t^YTfT`AYjtt5MU` 
zP|DJ%qKinP32lpuOTxmqvaMC2>P?55atj|9SN)af3W()2EjOw%5l9X@+CKd;QJ3>%WpAE{@VoKUFai{(&D+TzZ97C@zT@N-?{T{{v2+O2r#p-C(*GFVfEJI zU{IgI!aAAkxBcAYX|S@g5-u`alCeD?R;rO#yRFPK=AHF;R3#>fu4kR`2qa=gmTp^S^Gl$nEr&^xc7py$gM{R(MY zTaL_u6tB9yJ*@JcCr_U2VWOjk!VUM)*-b4ZC|)Y1ANdkAHC1K#1eu>t_9J(ov~Y6F zpj6oRgx$H(c8X6+Yv6a+-s;04Pd643RIWWs0L-+Pw#cI=D5)Pf3ryGxBs71*5?J8t~{w>3$1PNP-`M^%GcDSPP_Tak=r)CC5 z#>Tq8!-p2q()kYI|Kq2-iEe=xMUys{Axmy8S$8&2SLha;K@$Zb52A<$EW&8EaI=cYx}hkCMdg#Awun-QD%czKi(ku z6}gZbQD*5;sT_LHr9s%w;rs_%z=CXTar5u=2s{)&&9dmR95!r&RuV%lPgy4e*)FiMzA_)sHomR%)Vnph|@Xa z#THya1P~-@aj74C$C+m>?t7eF|50<6MT^-pKXkl&L+~X*;rE{Pp&X`CePZU}_gPu7 zVJ}{Ma&xA*XFr<~|G0j8a^m7_-z)e;PC+3<%)i{?>(Ta9RAeO41~Q?n>Pp@%WgSRH zp{<)8Ju3RU4C+{Fv5spYVyvB=AFDrn2tGRu?;ak0X}R|Exq-g^Gi_}~^>_cp2}8h% zN=Y)FFJgpxd70SMbip#u zrni zaxRTmEbo10d;49pkr#b^He@4d{Pv>-NxaVUX-R4kliH%^_Ez~>4Gk;Hy*^18=vj}; z;MRz4JS}$oXQ8-MlvGqnrwfqA*jZTcIgS@1Xg$d}b!sdoDxN6Qcpa>Lt#eFBx_(W3 z>`pL1+rv8%40MxCo|WHiyP_ya2?$!JcSZ`kB1r3vhy`6Na&-s7!@qKJin@wuD=V|= zE{L}YP(}wo$x!j@?djnqyJ<1olf#Nx8%vb`O8Ik=pv7Ie&FS zdmqu3va)YiYdnOhbsno<2^5!nKDZVf5;FVAcWO{6NmlvS@mX408lKqMEfgc`26W=v zn5=e|>$^%ujB(`)@bJZjoqZ4Cd1XjKW^Ey!F_g#ZrTPl26W11ilA8~_#lyxX-N6{D z%4fhQCL!6LZT23{d&WJft*y-`j2P6;5OSZbvP{4dij0oFxH#Qa8^7}({#}h9(^Xkv z#o4G3L86W{v9?ZldlAV3m&kwEg0pj_sIM0p1qGXz?)D3MaU3l*@pY5b71CXKseF>66ZmF2JUKherGg6MOR6iHK z8*Dso)xwaJlmw!1bVSwMB%CPFzCGo>JL7%Nu(giYI@wS~D|Y_-2U$~7(~loNI*q0X z4lQ4tpGJ^K8x%nn5x-_q&PsUeUi9{@i_qTXTX6|0e;8yxsb(J!h}k#0?@EN?ZpXGh zYWDH*N#idyKZ>y7GWevbb`QmFVmk`@hH`S9ob+P_`MW=i8JE-e{Q6p~>0!|{mr~`o)NJ{;8ew z+dn*1^Lz?-_%{QQji;Y`WID_uB&E7mR#yvIsH+Q#i{+m_RVuM{bS$?DLaSL?St&7S znf)wY9)n*VUe?jk0pn4()P*|$hcD=ZB=S1hPBv`!nd3g=V1qH@aQZy2iU)cw#YH6+ie9kpd2E;%sCm;;tO5l>( zEG2H&=g+hp969foqAZKd%*=3ckA$f;_B4^h_0CL>A3qL$`{Gew-;y3R4a|i&A1sQB zzW%#4yY#-0@@!n{>DiC+Y;-d6@|mK(5_&i-7hWG6IL2#ir|$hQc~WipsGiVc!YH4U zR%niNfBWWn!lN~$uB^Dp_VeCy$ zyKbttvIn-!Yip)r3wd4$GYOp@1ArFm)Edd`%y?&w7B&_X6pV~Lgn_LQo0Q{>eDd{{ zl9F2POyGX-01yHxOTu|GK6k#tG$NTpN7cSsB50b9?%U|$S|GaAkMG>6S~zlhf~Gw; 
zJ)=u_q`FG1woxl_fC-#n65jK_pnIayyHK5@gVkkiP~o_HgPwPP#i?FFp~uFYR>#cD z&F_LO$sK#Er?*$9#m^UgteTmHYQDi4%mc>BTcNVytc;mliVAP zIvUzS74w>Oo@?|bbCl}?LYD>i0zpDuSdaf#EnRkl%@z$2;B=2mosCk&YvXvIl7U=i zM}#dXLe`%&;B;y**oNx2 zp3P(8QL_v&S=47|XFm?b1sLXkpOBbHq}Bm|=5PnJX7oHk1KL<3zrJ3G;@-L&}W zRi2-p&x!@XbAVl;S$xlJi&@lQTf>Ut_AlgaGzGt)$oa&t`A^8I=U+5RBOJd7SP=b_ zXqHjKHy_aV_)V8mUp!cWjGV)as=Bj5CNSx zwAfEaizYrp4I{HL(^xCqR=&Qz4lDL&cdoRk=x#Q|j=A}&ghJ5H-P!fQ+MpBE+a#}R zvA+>?S^K%R*1b@$%fP@eF)`sIIyXFAWjj>^Mb`x%PTRag8Ab7IK~a%zwG}Zwm5|$3 zM+E6Ej&JGQkGGJVZMtCPpa^4s!)HI+=XTxY^l1COaVKaoWaQ+q_--4+;oD(ZLj*HJ zK?AGy6BT*>mracF$x~CtK}I03-LBB|9V<0x86O`X%8{CDbRU?R5xIM}ePkqQJ4>8D z_05~mmoIrNzrUYN`|#nz`RN}nPENBgkMpJD+ zC(6ye*ZgM|8yg$a-b|zWuF!5%o10P=`ZYXiVUJ(W8OU*O-wO!qjC}n}P0iHAssw~B^Ov-6FX=!PNg{LPc zPqrp1-@bi2@K(fF2(_6Ij@?EQSnlqB#>X|Kq`F|t4fXYqbjzvmElLj#4jOi_FkVDP z-khJ&fKr8+_&=q=9e9(VxA$qGMyZ##w>j)3FE5~kEjCgZ+N^?t+6Q*3s)@h&G6!P9 z!|`Y3<>mYP`icsHF9tk{?Rb;{WSp9WgbzeMh+u#J%Q^qcjO~9s;{x==ZX*+uD&V7P zh3cScdG4?H9xtc(h-PkQp~egE_Z6W028{X7)`YQ%$-(}Bm}2U^cSS{!|6U+IcPHX% zyUYs0m+S%FR(TJM-n~gyO zcrdi+=;-qD@|~R>K(nB0I9Pai=KuMt3jFo{=;-MD{5%>O+SRL9>7}BltF1|=@BxJb zL?4l0V?DTk{~;s}4Fg}$qRxMJ(EtO~rM*=~g;FxtNKMMKZgQqH8n%V}{P`RmJ;-%) zwE6Pl6bP&hCJKqXFtpg2x$fQj)%W@Vpb%g;C7;cBZweQzr6w&O!N9!3MghxFY+A^# zhm;C>_Z^UVi-SOoq`QsYNzD44Zg+QgL!~J7P_?TD3-aaFWFO4th1u^lh0VE1GSdpcd5 z9mA9Dg6h)Xx;Y+wefWb`r5OYf>+aFn@xDfhZd@*7Xd8YLV>**KUFFr6uGb$x?jYxa zS>hI^wgcGt6egA3iA%O`GsroIEcY!}hvz%c_uY8Xt%)4S}_#Zr&sQ ztfx}dJ~pOtP!bap^NTN~mx|jY?3dl@w~XzrtqrU0WhbZ!1wHpnJX>#tDKYy6bV_i~ z5Q)&=5mvdQCBLT{qUp?wiJK(@Gj`Y+P33*OXG%fw=GU)Z(6j(?0Tv;zGX#f1PF_AL zD(VR~C~zucdbpuK8eFaC^#CnYRDLv&gXjs;tFiH7Ru(OB7tUbVb@Sd~S#C9A>xgt> zmkhKiH1S2A=br;$ql$^O{Qc_zo7Vs0*!<_`K!_b2V#wG&e}BQ21(0V_e4AIcT2#co z5|WZKHs2NssWLJ$(qx$QoICkamMX#Y-Tk=zq=CB?t|Le~Y(e>1MSlbX5edmP42*O! 
z|JmVTm$^^Ai(N4g_)4=dbi0`bUYqf<;o)J}@=&Jb)m)~fk*^TPzj@;gzzeVJ&13gu zOnkpxK+7H{r~i8hv*GE{Zf!$_TDiJv*QUV*%}a##6)r8M(v6Lcdgs-h@$#VF<%_?I zG1#P>sEGRhACZ}pFGF0uM7Q3^-oC}GpB#r0TRgP;o7D1GqbE~66O`iChWhMzDevAv z58&c>#(nMv#tW{NGba$NK%anlz)BFLSNCmdYFaWV1+_iTLA`Joy9wcf>*o;|LMiIw zFG5$J;iXsi z&^WpW%{~kzwscX1eDA;jjhLSg68SPXxC0haDw^`Eov>5M#QWOSNvP{n?;F?Yy7~PE zR6>n^;&HK@3n7o}Q@u`Md*ZZ3 zUU@E&z$kyTGebc{q^hGMWd1E3a`XPN4-Tb<)8>;Q5sD|9w-i3)Cl*|!x^Cx5(_Mxu zvvuQU&9V$($v*}d?iVM)-umevFb9ZLqSpwa>36c88xRn%x98MPso~c1qQ6~Dw%T8M zXpTZTMtLl!qAgYrO~~yE!U7s&pFhTko~!|?SkE>chZ8bEx$WfSH0+Bk@AXC_dJ)cm zKuop;Y=ee={P!_!KwS?jnltOMr@82WeF#@DR z;b!#;Qyl$X2|{}w9_ixZVyr~Z8W_&+#V%i8-w{WmawO7&BW0Kut6g&D-u2vc=mB+f zbw1B%vzjh$5f=G zOh-z<6qYahJJmz8$QU4Vbs!UV zZrak)5{!k<^83r}I&sf5vIw=!6N_xZXTK`3cve97Jw86(8|JxxA2!&+biFesE+w=7 zrKhJSsE3#5f9BZO*ut5am~v+~tub-P@A_XN$OG6(s=fhz0Ze98NU!t1ynwhNWKw`8 z@(ZABY}XT>mM{A~Ve$_9_{Jzd*W{fr@%tmZEF3vGxyf34du!`A85vYWM0Xo2hUcC` z)(4IYw9~^dh!Ya`q{UJkRb@uR|LtdZw5p+$c6LL1;CG*y$)qGUk|LNq@?s}dS+Er#CI){-ER85Jy&5W zYq$zk2vkaaGn12(XJvk)0XiUxfImX}?r=zo zM*7J4cyC$$4Ii)NcN3_g;;qRU@7^uaEQeaqXr=FU-=q6lTJRM86*V=IFb6lRi2{x) zs;i@52KM)RdwU_%jsxhRh@|+Bm$}^3qCRzAhgO^^Q&5=0eIYSxRgovOLVo_<+q(%Z z+jzF-dn`pcIrNaVtF4m8E3V05$sz$uE)T~Hxb&OyI&(3y=m1%Z&Ft)`2?+Kk%rhaV zT=$l~!X=x`ZuvYjek?WO?QV(nR@r<+_{M7Wb{#X8I0Hyv>c!foW@aR0WE0s>uoV>t zU<5$+xta3!_V$w5wUnXvPENkDy)9zamkRC#M}c(ELt`z0+<=7g5r9U&-id*qf9%H( zXCO7!V

@)ol3CEGp3~Zyg^Oprgx%Tk7lUw_KbQ1_q*ibmGN@8bMJ;Mh1dNMuy-z zhAwBVbOIw(yAICI&Q4AXPOcu}gj(ztLew#TrtDi>ccwjuvY*JNaLUWb0C{@z?%g{A zJ?Z`r?VM|I8H+t@>K-_;CIzo3aS`O*pf8V)*A*3^3L7YTKsW>THa(s0Sp^?KLP7$& z0g5TmB4Mw9aspvCJ`LC4U|C&V9k2x09!*Wt?d|Qu!-<}dn&GN~kYZx$YHxoJcl-SL zb8G91;ME(f@fjJuJFv@Ody4ss^7Cs{v;s>E?;aobfZ`7Lai-r1%#b`Uwb|qK#hFsaP{b5I+`jp66e^@7zm|NT>Sts^eqSdZ)32kfivUS20K6xeF*%9_^_x<9^u-}hEThdtPIy4l+u!U{6U=4f%k^kRUt z36x?f96F=5_6Br4-@Zwb6taE){=Eh!&bSNLtRD*k$=-e!wi%Qmx}9D2mX_sF&zY)H|Ewbj~8KATprG*t&IP1ndnI{C3PkLF2vpM>Af%9UI+w zA2aRw%|`VeJ-RX#h*-M~IJ!dLF+2Mkha1xV z*4mr}8zN85$%(rW&BWZik^<2k8y~;0z1<9%2ACeCba*USjpNf(HZPHo=H_!CZm%;k z&H=y@Q&JS)@NNH46oWRRvdVbD3w9D0MS!CVNB}Wn7j;!t2SD-8ms1SJqr;vWFx?!M z4d4aUdUz3)j!zE4U%djfYIc}!jiZ;kn}VkPG=hYq#(wS-Oe_#-z^IeIe=UyfZx=m7 z2!0(Lbb$DWq@)jUMQY#^mza3a%hdu3X3c^G7B-?_d39AoS-I7X$bN06k$>vW=Sx{x z+5O+YSy)-UPPc1gC?6VGTILtLHSbFuf+xY)6fWeDAnym-i%Li9(waQM0t)#Ge`U(kP&&9U^%(=)&xXa*XlmhO09h@MnWV? zAF{LQ@bF@w%4#|s)dBG6DHdhX@${?@4VBW>O|PwW*VIgfG}VJQ3iio6RA7eX{zSy=%T*7%*D zyn7s)_WHFiYy*G*n60;vi)sAN;$mYzy9H!jL9sK~OX=z9(bOUZ(L~8%FlGhNpRBE+ z#95xGG%sAdg_9c-^my>^T}H-}<70qQnEne0A%X1=A`LF)9=wMQl zlIHI0Hcr*rdwY5&B`04TO`)nomCf?RERJ3AfNNebo;t@x$ZPBz9I#M(@PbMz{9E{- zV%}w7fQE{yxjGGoN5U4)@%TBeysRuX9$t&bZ{YTSfsh3+!YSKdG9uZ>deT*WIYva z2etU`yrQCXQQs3N0C8^KguPCF`!>iqKw(_s`4rs-dV3pP)(IYLoxuDUdQR2YLN&6n zxhVuA0AL;)Nhhl|{XW5_Q37SR@?Rw&p|4#=r=}V~FWB%U&nhY?U}a+~tf;8?`}Z%k zh?m7m7Gy1m3#iWY%Z-A~qM3mw59VFRc#)Nr1#iM10!88wHj`t0>RJCsP*s`WVqhr$ z2uaP- z(h^{MY}|1(n4N_D9g3Kz@fJ2Tc(uN~;eUBv3)8-q1M*9O?*ul+3pDg=7ORJEia;XQ zR@f*j)V$NIV7}guR4>-DfxbHcSZd$lWVJPP!Q|>e`^u6CO6{vQXz?r1HZ1%2aRnx` z@3yU~s;Z?Wi^{iUCqVPp_qDmWxQIDdF?zJho_~R5djYNY^CKO3Y9Iy=SXo&?1)Q5R z_{IqA@WzcB_4V~2P(sbP{O@X|07-+7kFVz6<>uxFq)&Na!yKktAUHG>B}HXreeUn) zxO?|KC|GjGd!;S2`&0JY9o!1^^c9sk1*|>YSz|$zuK3<3X{RY^G|8u@>!l zwzjubl$GNX5*+bwbX)#j&76ygBIa6l`r7_dKUW>=D+jZO*d0T|naV53U73EP%{0BN zJ@({*)wyQxl-H}|WMnM5T%(^qgGzuVx3aObV`pPi)EXoMia>+kxnROjXL~!$#r3we zxfZd6AzX4E;2?6vh5@R5gW~Yg!ootvm|l|sNGiH@4)2z7;89~}#1uTXza}uje{gbg 
zCb#%Q!3*5$&f^dupxz!H-4j?KC}~6TI@sTrm6xxst;GZG?Bb$(F`|(Rmb<2^st*>; zJ2UGGPpp1~e9O!&H_mU;y?9K?c=94Igc(=Mh6)6lN68%eK5MmeHR`HOaoTQc;$mmw z{b@t+q&`z{W}>b8dE7SJu~mTjmUrY*w%td*^W)w10o0 zv%CWk1=ku-Veq~+IWC4c$SQ+7iwnT+3zllL$t+)aTEY23B+d7w!X~{QmQ&#qZn;@?2*$ zxhvCMq;RmS%lqDxd{^raD&x*bd%_uU5}i;eGCqLL{r(&i9XXj&|R*;MrJ&!E9UrGf${T7pc8(IT>maiu3$KYSPwN)cDZdB*aL`I#b} zj!C&IY<8zKUgOSsbWC-1)iAE5N?#!@t)ZF5DnsrGjmtO!f8gNxgyIP?08OXlRH;Vk8W`(szKmL)2oBcBSVY zvBK2VPAEm8<1T92lL(TC^5u~`SZ9*`LL7pA7*;ST@-kPps}S2IDA zkwb!VHC<--STCpoh4_TmF@VeBV_^ET9*>6;F8vfIWE@Oj!a5|AAd)%Y!Uy9gbSt{U zyXGVBTG6Rb77#xaBE;8gdRi)V5%%=$gZ!BAQNm+F+mzQG@$K0d@xgbUTvNtv%hlrn zlCpDhUK@@93}bb1_4oIK5S4mg!`$3FV|HYBxi`d7$r>8_BhC zXjLqMEDq)oO=IIJ>=#hKb9b6;Ekb0xZrhV;1c&iHMY5zD6A45H`m|AGqstB!o9fzCPp>}XQ;wGj)x$?pG2f5(U%3ecbSH-iP;Sg-P>Uu$Q?bHj)neAB^G4*=)SzOo&n9qf&0>D! z85lD91ePK5>gnlG^uPWC&5fr0Z_ql~$HiY>TDo4V@l;L@Oo|8KH+n4ybW2Wh3WCmu zkvViiybjU}x#$iMW;^gu7VGc>n~tJ7Sd0;Kb8)$O{W_3>PG|vKp6-f$rFjItZ}Oji z<}8nFv@1il1rXxoxS=(+^mJbo#qv*;t_1#ssBRT`4$^R{6BN0n24alPhX)5X2V;k| zb~9c;wm|ow%LYZ~eoC-jg9{4>$2QbJper+F1NPh_D=sbNI{K)7T}O*Ov~7K^1zZ*~ zNKgRz?Ppz_oCN(Z&Y&~`RAN_0(_#-$hS`}&FdO)|=hQP`E=0Z^T(0^2M?3?MHHqy^ z!62_8mb9XxIrkVCWX#OXu~D3%wa*#SY@8RPDoqtwR>4^gl^R3#(vr#iZCiEqQJ{3d zK#|DpsajIIKx=dJF1K#&V#tIrc~HATb!5|(4MGDSR8bU=wxNgtU8^JB5~NCg(euPl zCo)a3^%#H8JiVH;>zYb*;f8rl>1XHCMxOZ4H4A=-fiy0-48 zUaM5BT)D+MEDuz8B?yK#MV`OTFM&+nx(CfDtQ1nz^I@#Z_#-^TV-HsLor1 zv9s}@(bH^bDebz=QPS?j*Pr%Gnc(;&era!u_KIq5(w2) zV_U>TyoP@b%E-zFdw&LllZJ=1AK)+;i(mH<{}5SjFKXv8|3(S@Z5o<^n}aC106Iqx zA9{90Qz4h2TX}O3`dvCYI+auvAJsH8K=!+YP=?rOa9osBP*8aG48JlwU?rE(A_#Og zs5}im`8;G}lRY5Ct+jILJ&QAso_;mK^o(1yabY1fk`H>2{~}Usw#Jr1MXK&<$s^g=jdTEDsONWKn*rQ$Ce^59KwC32Gjj#q zSPv?HsVH*Sh4yejPXFH>q^(Yl#NGFn}m1Lc3!I{>#5TU}GC{Vp9lvlm!R>U1)9C1kToSel!Jv2Of*?u(o-Z%~4xm zG<|dLA@hO*Sasw@k)TyiA`6p3x&UMwIQcNhoNjiNqiYKd^e|9UxMX(FfJ-Zp{0SI& z42^tH```j~DZi+w$!(kbfg~9Gd(%xW*K;#(;^1K3y!|PF=wTUuJ`>yLrH0>}g>$U)OLfZULsL{no-_7^AyfE+)*e}B0Q zq_9tT490IYMP25V2bckv3>VOOb}p`%=x8(UNq}-7V{jE2w0weBl$4b8B^koM@@Zka 
zZ{KA=pCRbQ3zW|eWFK&60LXJ`mSurhXVdlJ1B@Bw&=;l>`anQxKB7#2c~qT7hk@hj zCGmLo$IlH_G&Mbzdx)X)H)C1=tOZ6_{vv;r`~H10Q1zga56c57hL!czYu8&qjqp)d zxzz|O7!mRC@XR9Jpt0n-t=rQ88By`A@G*=4+UkLUfiRM;ikpWU6O~Lb^GV!1svb$4 zzAwr(&+pW8u|4K#Ty_wk#1#_C`iH|2P=RTA)b>s#CMmGFBxus+omSpaGCl!a$|pSzhkYB^#|YSF90D zgk2;VO-Y82|7F<;lvrXSqL-P9dz(W!n9Z}FBLmq<#I(B=K zh3$JRM3nD)EN#hMTqLGQaT%}@N4v#5&%f>_Vj+h#sOqy_Nn$yXG25}~*yY3x_4^yx z8Tl@Xf`xuDH`CAP!R_ZkQBnOMJAIUU{RjyqTWcgAJ^doI=%iw(8M0BJUi%q{zJ|3h zFuqgR;?UzaHZnSJ-hXk;h|k%NWiKOwo#dc1o}tPvBikjOC-35oR0jB)=oXAqczyN9yI#N;@>HI(4FrE*}QS0@H{8KTPW2beY z!O`BCbN}_CJakNE{uI%RRPF~!YZZaJ$b2!G4;N{~t#6(fQ~tX|kCzAo#ec00(KBX% z?B%4bJ^2sbX62DU5%BE-r+!@>D<~{Pzj6f%G11elO6XY?{Cv2^07VIS0Dxh_9ydF@ zfx_HRr_rBI6`Fos_yRLX&tMVNFUHhZyq?Tyk*J8JYCppIJ2P5Afya?f#6vt3k8OG? zf|SQkSWPvLRWSIeFIU954{`Irvt(J&a-y8lIC=pxyGwa#e>FDS{t-62T z5dw%3Hy2Q(&(!d7$W6l#bmD5z%%PGJzp z#isIj;qojcHmw$Oj4RrW>P`1(0~i(FhvHfGlP_OUk6t0{={&(!4~5elz)`{f!}aNJ zHn6_`sm6!@X`McGVEO}=)#z?-7CGA6D|@j$ox0@O@rqcxVlpM#sAiS-{(byp)ET|% zwlU{L+VlguCRu{@6bHMT%@6%0i;_xi`3l~>PbhAq9BXoCjhQ-z-vK}i9nHqKKt$Hkq{0DV=@*5N|`ns9NjqLvz8+cDaqvT(eyXySZWtOG3bmF6ULVQLwh)}QODFXEY#nav-=AoL z@F~81;D8}}Q?yYccf>U=+2ksN{zlZINC{J9R1`>3aKXs*w6)2psQM#^W*c1D1W}h4 zXwA@60<(%7s(=IQO#2q^GN&gR9fgUmQQmp!XNUp(xHW2zHn6GPtvDDp*k2_juQltJXSy13 zJ!4RyE%P8Vf|3gVaQ%lAYW!JfX?!2b?vdYru`N&qnJAFg%#6nfBSYZbXwY*{G!b)4 z%ZK2c2LvH}=I3_-;$JHA2+$iOS>ugvf0op1PfL#S&Oz1!TL+xpJ3Bjj84P1iG<_~^ zXt=Z?BcE1Ag@t%(Y^N|k@3M;fA-Aw>tl?wlhPnd6$_PxX%gagW>AGra3@7m(`NNzs zHgUc;=-KvfDZCZd($$>?E!Y$o2Sf(~Av_)S(8L`Z2^AMhFNYd3^18#iq^uo=kw=TYFv-!P( zb4t4E=eY4{WR+5d^Pnq8U0=R@LD7i3JlbrCdEmSB3=F2A3=Cw7nF}@Wci)aK-gGh{ z@h=1W0yKT2!=PcxpdHOl!Xve%Z16R7!%LNS*8c&i0l-QP6HOCY(<;SMZe{JFgrmlL^bg#DbIe*Kc<7DgJ6q*1P}j$`v%%B-bY*E zQBlxgMw^NoRb-bQiLb{5ZK%n8SHID1J5}UmFwE!5u%*j_F-f^4}lzEzE|LL7ZDUodf!`yV%Imi+(f`UNYZ9OxpEiZo!rX&!W zp&R_t6{JQ9Bszt%FPXH@aSwW9dpMv z{7rmiJ0&?)!!lh^m)h5#ufbJbp1zFqzm;)^j!q{Ve1VYW3K$hQavERPezz4nS<3+^ z0p5xoI$kZdB01=GB1JP)W%+)M>2uyQ9!r7@5m`*US7M1tPiTC^yO9z&&;x+gC#9tH 
z*_{=kTX3oe*vsU#9tF<^5V#IjchFCvB?kb+Z#V7W>S{`_-(fMbTMMBBgsZ-$1|^Ns z-!1t7y;)X9K7R3ot#`ko?zm|b&fcSy+&U{2y~oSTkPQVoD7;bIng`tncw+B;Pl@bC zKjO%zA@QgOXPXP6Ff(OoM}V{j1qFc(QBzx623f3Kod#zzo^fo>FcbyA{%XPE`@86q1s)34y2B>;8l@Kr}A75Wk3)AD` zegn6ofPX+GXS#)La5c#6G!6P;iQ}9xpR>1e9Dk0$qbT7dv1$9^> z_$>3$jM+(4i)Qh3ClW9<{X@|M-X@%^zn?u;$m&>FSb#7A|EYnlt{f7|g|oGs7_e1B z#IpJ`K{rz!>OQ=!KGM4j&&T678wb+Wac**mjJDwq=JXz4y1>p?l z4n#6z8So>)2tW-RME>S&eZyl}0Tm-ut`Os%=Z1iqB9d?D14|-?7ry+P;WMq1PHHP5P zlqliVHDIesALuCkea$9Fn7*NZ48|p ze+-g}HRy%7#zu=-xZ`#8EPsmUe+lzl=@yev;_gj3!yuG(+hmQ)y^}Wrbpt7jF)8$f2kzU5du{eLPX}eaL|z(t)rZMfQO4&K(K0nGGI#`W&#De}g^< z^z-ND#Ds-)->ra0f;eH{TD%JRm}bImy{%;l*@t2>X;N%%-3;o!Qt}! zViFw_HyzLjG%YY947&_M9kjH%dI^47U=u?_ptrhf{0MZp9@BLSa$2444&Y&D42?ga z77+g42@;^yQGe!2Axn8>Jf#0%vTxSlnK0`mYoo)p4ToYLYFb86QR3<~Y3{zpaonE7 z$CrOA7vJmPcSKfgEyZs)SlXhjHu5I)J2INtoQ_TLu~IQe6CmUHf;<3S7bKiFz7Mi9 zEcoH(nBq+6%5RVV7-BV{4+*3nW#4}Ov7o1mvQ$L=gMOuJt%I-E>lVGiMbo>qF zJ6K^rwjF_9fTuP}Fp5i-B;|TV+RzaHnoO@z^23K$hi<#nGxd*yFjY)H6kJio^ud0? z`THR86S{5lWc8_mAX`CEBptow2y1)|TE#HsvyFOePX&vo-yD{k^o4b7NQyKy_INPV z@=Ho^pG z4iZ{g6N+NzDBUtSF%b@aBu?Bd!UuuJ|NKxxUw;;$nIF#ML$&WY`U1>zUdESxlPv~K z_e9^Or(3MZy^1lXXXI@akN$p-q!%|Zz{jWEJ?rr3<4EE9o~d@d@;vSX?zIT64S_^) z0SYyC$D-QUb%~AZg}+M5aKEOL7Aie%%AlZQU|0t914r{1)cmLuq%NR%LXGU?=xE45 z4JA9ua7)3@2~{X;KSst*XsMt5{S7Px{_ySV*Lo<$P{i(?5na!~fH{K#4)9`7Ze8G1 z6Sc6%Eh3@=z?tDGpw@YBmoQ7lJ8GP2l=JGhs5gf5T5fNU@1YGU$Hgr$6zdS;FRv&g zUs~ZYxH=V_1#^2Pv>-36veLn|@WA{V_~0{PCFm|fcf%@B;wZoGBxPF~twhvkf_3 z%};115>(R|^ZXq0vY%w$`I*$&?e1r3e$gETha-77pj<+->~tgQ`FyHz1I{{telQN+ z3^OxE{MV_e7;s&?2EDbg?ZMeWFo{964%v4XPz;n1*lJ)Tg2pXMwu4#)I=abeX+5gO zLdyMQkRekH{OS$cLcsm-7q~;kDlwElY6Y7*N?SM6(u>zlqcx8&Sq+!?oIXujONdg56=jN}OF@cfM(YGSrd;$W0LE8rr1vw1; zTQCQKIcl({=hgO_$@*+_Dm5(>2SMOd6uk; zi`=7MjQPvi4BXl*suBm{8{TeFNuw9cRDq*+n;4ipYWL(}JG?Hf8I);2axV63Hsb6MC1 zE39zRQG(xMx8Z?;!opZiK=hB!6fz!7GqV+#R_}wgxTK_Nz*nFapWwR-0D(XI*DAmf ze`xtY3n4lqW9Ahx8(6$SJl})pGchrt6mWRn9ebzY!nq1gU4{V{o4`f>kc*`^B(;kq^wA$l4Kg5YG;Iyl%NLvrag@Hj3YIa9nr 
zBdneE>IGL51l4GQ^=FC%P^f_2fBW*qussYPJlXJdAYd|uAwGTjR1@5j)z!RHXaym& z3IvNz^`N!f$%cK`TktX813`}Tpi_<@(89*X!eg?wE+{q?B2r=qbW^Onc2z(?$wR<( zSHbs``zrXtrlw9o)di6TWoUx~?T|`7o$d7kEripA=OB4)bz&bvcOOnI>^A?=hyFk^ zr(PO-O98YF09ZkPr+nyS0up`HRz_hhoPY+`?5&{>vMDCRUv9b&QhfV%x1LLOe+7wL z>CsUl8byA)Fp+Ucx4@8m_xt%F3qt@w zV{rOElE@6GHPBzpbH!6uQUF|o-`3jCy-iJhiiCiG42pO2Cb+cgBAZKHs1iDQ-cn3z zLWLO`20d}pVem<&4aPq4d9S}xbW^NF&^=49QgVJ4lqHa^coJuQYaO`+3qw&5h#MLo z-~MNZo0oxZZ$GDsCs>G5C^?NkcTnkMF{VKw6E$Ij6^ zc_LEMUI82szf`5EBK|(L8Rok$`E0V%(!4e&r>5YFwz9yg#o59 zn94{Beg!0Q&O=V>xJG*ag z0^}X@4t2VmnFFP8(q$7T3>NEvV*Tp+(gae{sS=Iq}p&enR$!Yd<(Oxg!3U*>SQeD`rWm1OlM=50A(jTJg0{XXMU$eou0_X@Vus`~CMv}o~03^Vs@dMctEUw_E`T^hR14&pRQ$>?*W2}@0U$5CKX8n{PgJ)_r}^G8~OnfYI`70yhDr(kBI}46QmX+NjBus!3sWK^?o~NVZKJNSWbN#OI{eH&zInVPtdF9G1P{ez|!9n$XeI6(*0E(cla}3A`0W3wZ z6A4YzMBz(&ITm)X#&CaddzJwz;v_+1V`pavP0kBQCY~R^44PQbspass5HVF^^?2lL z5H|uZ61vm_`(WgQTUx}q_4_7F;P-)_YA46Is+Z*e4<845X&IU2IH&3hojE(^?QkYo zAFJXD1S;I=3R)6MkDb3gye@AI5Ib8RibnwGu81?%r~*U?CQ~yrbZqyhOg5r{=So3D zhn5clA#6WUeFZE7OxnT0?4DI|?0*pvXjbkR1NLAA5BM7Kzddh(O)XaTGyIeShGtOc zw6Y-&-$E_@XK4n!#-j5e>9lfrjs_APPNn-i$T#o*LWY+|aA**M$ed9vJEbn~Vghsh z!IaWQK+OkIu#4z4Q9xn!$dA%>zkY3t$VR_R?+#tN{qG-G2)~Sgc7*7tt2clFph9E? 
z#O6bvhI}4?Ak3A597pD){{9F@BbFcd%?)j4PcMTD)Yj2qQ2xypgyCLPJ0P(5p7Vip zU;$4VeEbs5*ar>u^+lzn+$o@CkvSUTWn2Q!g9dIpf(*1<#+iHmr6Z^z^Xq*T^FCSc zs~Em~Xe!zo$3e~Sa7T$hrJjmULc6_VgO;w?Q&APcb||5q+x6y8$1T~br?{6nAKfR( zbX8sdDwjb)MM~h4y(x~xEh1twdoo+(n?3AhT>N8Z#tOy8jx;jtw7)gq`X#amueuD_=ME#@!!M<&@~R(k|FqUb=J% ziWjs=*_!*pzIPg1$zS>6qs8;>kU_OMm`ShhP+iKlsHQ=e*$i5u8^mbU-yCWeX9iE@ zYgfbOsoFNQ;cQ3b1<=bK=*&@pMHpKqughWDRJ}YJ2WDY{ps}H0bE144dnY`dVX@`W%M+7);w|iIX|+;<+kyJecJBOW_kIt(BSPJS;-}**|`hhY!MmMrxIj; zz2k7wN!1wsQ1!~u=DLDJtu2bK1v6LVQxG`|3k%2O#4i?k{kcBQD(AiCY00wETjgrV!;kt2VxB0e-Xr_UTcEF*aOfLM2S zS#M^1+l<;&q2{l&a{4T7&fRgW^vWjyJ)j1E>e%bNG;N_An3{S9bTBL%t!mFI z(JhTh{oUPB!P-TbVPaLI5BT}}=NaWd$h13s43z4Szi6hSeLB=~kOCR-+gU{|TluV0>+o(z3G5q+q9CE&vO}Ra zTDYYor~O49S$Lf)X7J|;Z@|161W`ke+;K$tcXf4fXLtDF79&9d zrSx0yKo&yhb{nP?VncSA@s$(^WY+4p_a2gD^BQ=zF8g%}kGy98xs@ew~Y{!eQ3hn3mPu zXH%iRdgY49mzU5t^9~6GcP^i8my$2mkQFod<}G-fr+CwP3?NpcJd>kNCR5YX3Mh*} z=fA)&9MyPQJX9kc6?gm*chOb(ylQiEb4bQgvADG@bV~n9BV3z;nX&o}bD>I*4WjRz z*^Ln<(o?1aD~;c4HZgm!_pAz;b}fQq0JgW&c;R2Dc{v8HF={}MJ3UbK2cY@>nfa31 zs1rpz0P;GFS}?Z;bs>&Iut;6ty#Hp}{LK-y4lmqp%cp0Cv~5$DkkW&-2=DgM_qJtH zjcaKXKXD&tK)oV1#=On!msbEO^%6#*ZMwB+nys|=itW+Desd@f4ZlTcq(cnbn5CQQ z`&vZE`b#%ewJYL!Y{y3LdM=Xcmp(eJWvoAv)^I< zh;9hK! 
zN?CMIzxIeRMTa-KM5g!Dvr=2xv5Z{7C*7X5lHQz=2g^3*wWE-Gi5_gvt>4MW?TlYX zMnGbBf|~rJupP!rO`obHplo^=5|W_cCHqUTwd-7w@TX3i9>guq{w<-H74`HN5)PunF zptqGY6>!TEFyaa4M30FH3h=7O4QG8r36)@NEkPT%JV7UL6p`iS+OI+oRp5dX6%lb* z7=s{O9qSHo#UK+~S~JkoQy%m`u$>m=FXjP?=rQ##30`zA|IJL3pJ2d`z)WcOl=hk+ zfFDfqRQ4v@ksx!>*tBIQ2Q8Uy_O**^zn{8TtFKO*BsN(<-Dz{ z1N&Q-(i+#|J>e}QErIq3WWn%- zfv)aV#97d%+PCexfQ6623vmo2C2B6#?Iy@|X>+f$oLQMQP z*5@~5g4#3BhNzi!YOgFrQ!)_vz$+D1AnKE0*^~Qw@pMWZFb2T@O8)v}bVoeR`uVtjl%Z7rz#nc8v3qn05{%g(1gw(lcCRLtO<6*4H4Mje;Li6%tEW`h?W zBs2;NiHw9I*?HuBYb!8UDIDvtx2N(6C8ZjaDPjPi!Mcl{4WKFsYdDML048lw$L8Az~HPj$7HxXDr@ih?&H_ID@pUASX@+Q=S?bsouF@AWm`P%uk( zwg*L@>vIC9VsC5l$laJF2Hr8ksz@=eE-n{8 zl~18&2AS&^HKAMvwetA!cWA`+Zl^_yg_ZtgYzzbWr?$1U<88nxgjj;XC3SXj0V<$D zjgi_W*9$1-Hr)1!RsJ?HG4bU~(dB+wk8Qfjfl7O$G2|-iIVk*cGihq!nK6@(6*e_s zi|qV-dQ300wIv$FIsHbDZWoLqUDM;;j-%`*>;H{mI9xXy{mrw3+-D|v;??is#Ph%9 zc_Tg=|x2t<^il5Tk`m1j7=r^b_Lasku5nQz}!Jy?ulsm5BfnWoG2} z6rqN*qR-7QqoYH4^bGwVpNu%e2Pqjh{I?nN?>kziRtZeKIZ&TXy z=Q2VPcOYcSuE2)$Nvb0K2CBAhvX!XpAQOu9ErT4rx#rd z)fmRia_9w+{CF*h<^=dBFrYCon6L32ITHV(A{QFL0|)&21X!OK7S#%{n1w+;*=>1q z3cV!=Xo`Pl-+(py`vG-cQuaGr3N1ggPatB1DG-`ToJ*FVCoo??HMv!){RIV!ZTN!w zA zXrj#L6%hC;M{5L$uA)l@Iai}>pW^!8dDO#LeyHCc$Hz~Cf#s&!dN1F!#D8@u4T01* z6bkUb=P4B#$-Ss7a)fGNNNaCBVd`iIH$BRw;lz$>`7oL84GFgYv zRQ>$<({ZtxvUQ)B*gR%g9rS&U($dnqWUrmL$u=%Ii`}z7nCiiOc8Q#fjN>=iMm4q~ z{0;)^F*0H)Q#y*|3a}AWNtz&4W$K@ci;3X<-e(hocj$Xj(izFe6e5(TKiKjC)LdL# z9F?OD0Wq_rq(pE`f%2q;xOh{%j2IuEIyW<6Y65_SVvy-}1iHgd&#tD@a5ObEEY~Tn z*}UFF@wlhA7akrZ!h6ti?bzXp>_)^81XO4|kw^pu1%;~?^ibGHM9^!jJa>e&9KX|=sdhjLeDZPeXQ$bn=aDzYxJ>iDZ`W{`A9ikH8jb)5N2~HU! 
zV@*5!oRAjvvn}x(I}1m@U*F;@2j11Iy?^t6dXjQ|1z2wIL^ZCj zExja&s=lEZ1v(*R^$2c~hC_wO{+HJId3ha{O6~Vbn&@AMTXa6kDK@P)nlgH7t-a-U zrOD2|}KB3NKzv6WB2=K>cMS=8WOwroz$iq6l2Wqa%&C+^hvAz)!qW=EnUuCEBy zG&Yq25*b=E8O%=rE8*m7JiaLGo_O;&&Ot*ZMD;_KWIk{xkdYsUhKgM36UU>7)7RA{199K) zCgK5_J%EkNO2=ethk4&vXB3?{cPYH>h;j8BiZ3k1CL-Y=fM6&K<|E`knQ3WTc1efM z1lF*)dw38k>iURsWV_TVQi8mQKCK6v@i?>C2c7pa2B(SzltQ18cqn}Y0ppHdL9vT~ z+zppfe}BkaR#sMUPe}pd=}b9eG3PqEM5{?A6yy6D=UwRHk1+Jxs?PlgQ$$Ru zPY6X7T2x3LKCIi=l0?d<8tA{xy1;ItK{>nN-f7!Jsa=RY@BKsf^5Lt3PW z8NB&}h<5}?Bef)3ks^01-XcaTa&oDbE6^KeY8|dq-0su6*WIs++B9!SRE#0vh&z&y ziTh~GW&3(t(4+@FCh`$9?y07L#rG8xl;Ia@Brn(Rt*^FBz?a>JZEvtd7l>~t|9Tz| z+eyq}qa!todDh>8zXW=4XtW?V0jvQ8yV3O_V!w4`Xf69iR4&Mgo@&XuXnL<-m+Y>B z_al(ag3{8C4g{m?Cn#Zak1m^p~P;USdr~G&6vs7ouH5#t2zc9l` z{Rx4>Z%90w<7L8U2sf>o46OZrl$}KW0OSnB912w;yAsi#L@M73?~woqM$mrGVwi?n zqp`X97^Ki75>Z^ApGR^0kW;Q4?s{e2mU6D+1}KS^|GA3!FgEd$w7HoZ05LrUkMp)t zkwa$=ct|uwZ-q*40bXqe+E&v3vn_MAcMU4n@J;Zy^2g}f0T88Dw8#+RkS+NJat=zR zukhDur>3Q~ec2QV3#PXB#mqs&ZBv>yRj;L~;cdNeSD?$2m=$4tTfPwD=ijWH z3k<`eu)S}E9T=%65-oBu+XJXw2S8LpgNOvDMg5KYn3Sy|E2p0?ko6l}@SGcb9>-8`kICkoUc zbMcXKvWSaFAN=BOjW+Rls!`M^J~ywv(Ef;ma<`mJzQ<_HUIbfGk!!u}a#)P}_u+J4_~V;`{gQL#uJxJbn**U(CD`4E_*; zd>J2whGH4kWSrI145si z{)!ErN;_UM7pAG!v)#zHita|0*OT^je)EctnO4g>mvy~YStAgecbb=F_6n@HKfRV8iV`DXzj6n6ifU*i8M9{_{?VCYdtL8u7;v+<2)*mVLWkwQq1L!E=Ui=?E8pj-?hDgMx1S)qhe->yohAbEn|($+$W0Z`qGb+wXJz7sN~8owDW{Z5s-5DQ?vyFrYu5FLowR2rEfz z5}c~SoSd&Ic5rTskKYxf`g$%Exhpyp$I`mF$c<8pN%`JAjR8;nZ^pM9Bl9t;NO>UV zIwvIPl~vwzE-7DE+o24jsp)tbx?e#!)mI3%y&%UNxP{CL` z>_l2NpgK>K$X1{bVe;Evhd651Ys4}EP3!dZaq6qCt{*MTP6WnVUbw9z6+}aw?8Gup zY|)vVyRS$!WncoC3$Vz^$Q(We&D%u}UPfwJP>U6>xwy3Jg%RK$#F;Rz$^qsUCvYB* z?NxcP$!h(&+lfLKpM(mMSrj@kAdbb@)ce9dzi@5z6$I9$o8%k-pNi<{KzC#Wd;8O- zlliCJ5|3na`<{>GR=V)1JR~aWAeZW1MhF}&dBO>hEm=7kcy2^QyjBqo5Qb6EQT{ihb67k2u48LchhoV$!mtT_LXU$PdKDaFns%w;V) z?_L+bcy#B^{|zbans7U`>SzfZ**c2%twhIgew;OAcd0PGt@K2`&hT`CP+__3AEB(W zg2x5pe|}kc{ykpx{^G%?#)}T(LPZCdgG$r7O$+piPnJ4G~*iz}@$Bq`hfRdA8Pb5c|@E^Bl 
zv$GUKLzMR&HVq4MF>3@bmza#wTMFo(DqFh2*1A>S(eZw@ArT8|9+|Fq zko&riTgP-bum?*_G4e^Upc0v!ADgG)I&gsDyJkn*cjA-Q{C)7NK6biS-|Sdpk&uC! zO=kgLZn#XHZMq&`nMvNya9&c4Z>fMn{(O#}`Ws7BNHwKv#g+nMztW5^qzfH((N3?_ z|HU0~Imf8G*RMLatvFeS_t7K0#>PEty$=?JsJWP!Y!)he_IPW3?-n-6#(;{7Om07X zjKzo5kwx;O)SlYMZY0v~Ri`Qw!<;eK0o!zA3PB4F?+89wkNf5=%ho{&34sbHwfnuN z%@g%**F8+S!bwRwpZTL*^iS;{6Cr=>Q1g-ncQQ{{gzNCfRNATmM>wxo8W<=C?tWef zpSILgl?y*q{zbq6-3>l|x^m4VedI?0UpqVUt|}?j<7@fPO)5daPSrA2`n4mC-5HsCo)DohBcmZ_WwJzqo<1Z^qEZdS zn782@9cksWl^VH?BO9r(M6De69mOml)hWWFVv#T5s*6kdrfX1@U+ZRN-j_MJPW?-W z&-$~#=#So`gQ29FrYo$hB%cE%YXXZyZ{|KdrTdkiF6*bHIJeH(Hgore;>My~eVc7# zqA#A=Ur5}zuB6%mt93v1zUQtJE#U_vd>OUFH}YQUyK%$aomqL~hND2?>_la_RC%}a zZ>P;RFf%o^dt^;gvN90Ou{*XQJ$IqMoQ8od9 zGO4INyu~N|?5TR>A3ok^;SsLCzr5PNaFTKN?rGmpIOBm+3~=nYriGiE+qZuOn8c zj;tYIA+opr8tCXKX=`5sD+Uhu^p^=Q_Zr90S~FP>^YZHIwT|qPcTznWA$9d(Z-`Ue zXX|r<+pKCu|Jx^`^AQolOoaPDx`L-kK}mGj;IDuH25N>qPpa%TZ@w9%+Lx-f#HErb z_9U2&b?xSlwoaODwq1o*LE3hxI-Zo_O=BvKj#~z~{@&J*zqxd4amL%qQR!D<^~z#f zdM-4|gqswJWJC&f%~i`UEpwkYj)*WE8F|=aEIzpe@hHn~1?%yS-mwp3C`_kWbXjSs zeE-_@m?Z18#_hydJ|b#j_YL9=7+)Zyaupdf$ur4>b= zua?_Tfvc$nw6z8Jh9-HR6x(|;{Km?{1s$DGiXBuNUSS^j=WDQV>=AC_C}p9wM_MedmjdJ_hD7@Yr&meN4?c%pOwe|TVtFh5UV}1cfYK#Q! z&(#g>@mO6EZb@8Cs8}Sf*?=p!^VRTO-mJ32a?*9m8LIC^Pk zW9hk5cb-0F$s5<7k5bF3FcTi z71g1P%X{dksWq3Ff!mcu$AKPl;Y9}(Zf4zW9QZUTkGa_7Qdi;n zXYMJKaCobOhH~IIH$?`fasN-)%XW3}Q%*+p>u>MnSxLjy(sGhh&f}w-8_mWIqfPw* z42_NNcPn@pd?cr`y26Q$X9;ZRX?)x5DAfBxV{e1LA!S0+Ll60=&FF?f?C_4V@qo-qalu6r`^C z=gin01+Tk0U?(@3rr))Db;O}_uN&nr=cG#LcPQ?2mm0+3mxvz5h zP_@clUq-SCSkH>FmA#$0irQL#YloYWU`XG&hyS%GcwHW_75opMuK)7}#8QQ5*2d(t zw2rwsHS;Cr-3oh;c#^uS@DUP$+3f7A6h$umnyRYNEo74*)wyOV z8lIVz@y-bzC!(G7fqC$*;&`$NY}R4)5nX8t+oFCy;sDY8r*FlbF83F`dszr&-?fMI9V(VaS4geE`=SzwE!_aesz8p08X3yz{313A0L}> z!Iw>d3rJr8+ifMjAx6WQn>Q=7qC#%9wWa0q-0)8k|ZuJi%iZ=PQE>1nWo1#kELuJ zXWqsph#&gwP-1CJ#@CNd;*CYZ?rgif)>rKy*=w^P)^E)<{BnBUout order), src zone (in->out +# order). 
+#
+
+#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
+
+#
+# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
+#
+# Nearly all of these rules should be limited to system administration
+# terminals. These would be better put in a separate zone.
+#
+
+# ping (more below)
+ACCEPT lan og icmp 8
+
+# ssh (more below)
+ACCEPT lan og tcp 22
+ACCEPT ig og tcp 22
+
+# SNMP (more below) - for MRTG stats run from LAN
+ACCEPT lan og udp 161
+
+# syslog (more below)
+ACCEPT ig lan udp 514
+
+# Squid - this wouldn't be necessary except that a lot of OS updates are
+# rather large...
+ACCEPT mail proxy tcp 3128
+
+#
+# Section 2: WARN/BAN rule directives
+#
+
+BAN ig lan
+BAN mail proxy
+BAN lan og
+BAN ig og
+
+#
+# Section 3: Drop noisy junk
+#
+
+# auth - reverse of the SMTP rules below
+REJECT mail lan tcp 113
+REJECT mail guest tcp 113
+REJECT mail ig tcp 113
+REJECT mail proxy tcp 113
+REJECT mail og tcp 113
+REJECT net og tcp 113
+REJECT mail net tcp 113
+
+# KaZaA file sharing
+DROP net og tcp 1214
+
+# Gnutella server
+REJECT net og tcp 6346,6347
+
+# Half-Life
+REJECT net og udp 27015,27016
+
+
+#
+# Section 4: Normal traffic
+#
+
+# ping (more above)
+ACCEPT lan ig icmp 8
+ACCEPT lan proxy icmp 8
+ACCEPT lan mail icmp 8
+ACCEPT ig proxy icmp 8
+ACCEPT ig mail icmp 8
+ACCEPT og proxy icmp 8
+ACCEPT og mail icmp 8
+ACCEPT og net icmp 8
+
+# FTP
+ACCEPT proxy net tcp 21
+
+# ssh (more above)
+ACCEPT lan ig tcp 22
+ACCEPT lan proxy tcp 22
+ACCEPT lan mail tcp 22
+ACCEPT lan net tcp 22
+ACCEPT ig proxy tcp 22
+ACCEPT ig mail tcp 22
+ACCEPT proxy mail tcp 22
+ACCEPT proxy net tcp 22
+
+# SMTP
+ACCEPT lan mail tcp 25
+ACCEPT guest mail tcp 25
+ACCEPT ig mail tcp 25
+ACCEPT proxy mail tcp 25
+ACCEPT og mail tcp 25
+DNAT net mail:$MAIL tcp 25
+ACCEPT mail net tcp 25
+
+# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
+# proxy, and mail independent of the rest (proxy & mail should run their
+# own caches).
+ACCEPT lan proxy tcp 53
+ACCEPT lan proxy udp 53
+ACCEPT guest proxy tcp 53
+ACCEPT guest proxy udp 53
+ACCEPT ig proxy tcp 53
+ACCEPT ig proxy udp 53
+ACCEPT og proxy tcp 53
+ACCEPT og proxy udp 53
+ACCEPT proxy net tcp 53
+ACCEPT proxy net udp 53
+ACCEPT mail net tcp 53
+ACCEPT mail net udp 53
+
+# HTTP
+ACCEPT proxy net tcp 80
+
+# POP3 - must be proxied through mail
+ACCEPT mail net tcp 110
+ACCEPT lan mail tcp 110
+
+# NNTP - application layer proxy (e.g. leafnode) on proxy
+ACCEPT lan proxy tcp 119
+ACCEPT proxy net tcp 119
+
+# NTP - we really need more than 2 servers, but this is only an example. :-)
+ACCEPT lan proxy udp 123
+ACCEPT lan mail udp 123
+ACCEPT ig proxy udp 123
+ACCEPT ig mail udp 123
+ACCEPT proxy net udp 123
+ACCEPT mail net udp 123
+ACCEPT og proxy udp 123
+ACCEPT og mail udp 123
+
+# IMAP
+ACCEPT lan mail tcp 143
+ACCEPT guest mail tcp 143
+
+# SNMP (more above) - for MRTG stats
+ACCEPT lan ig udp 161
+ACCEPT lan proxy udp 161
+ACCEPT lan mail udp 161
+
+# HTTPS
+ACCEPT proxy net tcp 443
+
+# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
+ACCEPT og mail udp 514
+ACCEPT proxy mail udp 514
+
+# Squid
+ACCEPT lan proxy tcp 3128
+ACCEPT guest proxy tcp 3128
+ACCEPT ig proxy tcp 3128
+ACCEPT og proxy tcp 3128
+
+# Webmin
+ACCEPT lan proxy tcp 10000
+ACCEPT guest proxy tcp 10000
+ACCEPT ig proxy tcp 10000
+ACCEPT og proxy tcp 10000
+
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/contrib/shoregen/samples/shorewall.conf/COMMON b/contrib/shoregen/samples/shorewall.conf/COMMON
new file mode 100644
index 000000000..e3633936b
--- /dev/null
+++ b/contrib/shoregen/samples/shorewall.conf/COMMON
@@ -0,0 +1,569 @@
+##############################################################################
+# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
+# match your setup
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+# L O G G I N G
+##############################################################################
+#
+# General note about log levels. Log levels are a method of describing
+# to syslog (8) the importance of a message and a number of parameters
+# in this file have log levels as their value.
+#
+# Valid levels are:
+#
+# 7 debug
+# 6 info
+# 5 notice
+# 4 warning
+# 3 err
+# 2 crit
+# 1 alert
+# 0 emerg
+#
+# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
+# log messages are generated by NetFilter and are logged using facility
+# 'kern' and the level that you specifify. If you are unsure of the level
+# to choose, 6 (info) is a safe bet. You may specify levels by name or by
+# number.
+#
+# If you have build your kernel with ULOG target support, you may also
+# specify a log level of ULOG (must be all caps). Rather than log its
+# messages to syslogd, Shorewall will direct netfilter to log the messages
+# via the ULOG target which will send them to a process called 'ulogd'.
+# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
+# configured to log all Shorewall message to their own log file
+################################################################################
+#
+# LOG FILE LOCATION
+#
+# This variable tells the /sbin/shorewall program where to look for Shorewall
+# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# /var/log/messages is assumed.
+#
+# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+# look for Shorewall messages.It does NOT control the destination for
+# these messages. For information about how to do that, see
+#
+# http://www.shorewall.net/shorewall_logging.html
+
+LOGFILE=/var/log/messages
+
+#
+# LOG FORMAT
+#
+# Shell 'printf' Formatting template for the --log-prefix value in log messages
+# generated by Shorewall to identify Shorewall log messages. The supplied
+# template is expected to accept either two or three arguments; the first is
+# the chain name, the second (optional) is the logging rule number within that
+# chain and the third is the ACTION specifying the disposition of the packet
+# being logged. You must use the %d formatting type for the rule number; if your
+# template does not contain %d then the rule number will not be included.
+#
+# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
+#
+# LOGFORMAT="fp=%s:%d a=%s "
+#
+# If not specified or specified as empty (LOGFORMAT="") then the value
+# "Shorewall:%s:%s:" is assumed.
+#
+# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
+# to but not including the first '%') to find log messages in the 'show log',
+# 'status' and 'hits' commands. This part should not be omitted (the
+# LOGFORMAT should not begin with "%") and the leading part should be
+# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+#
+# LOG RATE LIMITING
+#
+# The next two variables can be used to control the amount of log output
+# generated. LOGRATE is expressed as a number followed by an optional
+# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
+# rate at which a particular message will occur. LOGBURST determines the
+# maximum initial burst size that will be logged. If set empty, the default
+# value of 5 will be used.
+#
+# Example:
+#
+# LOGRATE=10/minute
+# LOGBURST=5
+#
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
+
+LOGRATE=10/minute
+LOGBURST=5
+
+#
+# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
+#
+# This variable determines the level at which Mangled/Invalid packets are logged
+# under the 'dropunclean' interface option. If you set this variable to an
+# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
+# silently.
+#
+# The value of this variable also determines the level at which Mangled/Invalid
+# packets are logged under the 'logunclean' interface option. If the variable
+# is empty, these packets will still be logged at the 'info' level.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+LOGUNCLEAN=info
+
+#
+# BLACKLIST LOG LEVEL
+#
+# Set this variable to the syslogd level that you want blacklist packets logged
+# (beware of DOS attacks resulting from such logging). If not set, no logging
+# of blacklist packets occurs.
+#
+# See the comment at the top of this section for a description of log levels
+#
+BLACKLIST_LOGLEVEL=
+
+#
+# LOGGING 'New not SYN' rejects
+#
+# This variable only has an effect when NEWNOTSYN=No (see below).
+#
+# When a TCP packet that does not have the SYN flag set and the ACK and RST
+# flags clear then unless the packet is part of an established connection,
+# it will be rejected by the firewall. If you want these rejects logged,
+# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
+#
+# See the comment at the top of this section for a description of log levels
+#
+# Example: LOGNEWNOTSYN=debug
+
+
+LOGNEWNOTSYN=info
+
+#
+# MAC List Log Level
+#
+# Specifies the logging level for connection requests that fail MAC
+# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
+# such connection requests will not be logged.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+MACLIST_LOG_LEVEL=info
+
+#
+# TCP FLAGS Log Level
+#
+# Specifies the logging level for packets that fail TCP Flags
+# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
+# such packets will not be logged.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+TCP_FLAGS_LOG_LEVEL=info
+
+#
+# RFC1918 Log Level
+#
+# Specifies the logging level for packets that fail RFC 1918
+# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
+# RFC1918_LOG_LEVEL=info is assumed.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+RFC1918_LOG_LEVEL=info
+
+################################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+################################################################################
+#
+# PATH - Change this if you want to change the order in which Shorewall
+# searches directories for executable files.
+#
+#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+#
+# SHELL
+#
+# The firewall script is normally interpreted by /bin/sh. If you wish to change
+# the shell used to interpret that script, specify the shell here.
+
+SHOREWALL_SHELL=/bin/sh
+
+# SUBSYSTEM LOCK FILE
+#
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
+# use lock files, set this to "".
+#
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+#
+# SHOREWALL TEMPORARY STATE DIRECTORY
+#
+# This is the directory where the firewall maintains state information while
+# it is running
+#
+
+STATEDIR=/var/lib/shorewall
+
+#
+# KERNEL MODULE DIRECTORY
+#
+# If your netfilter kernel modules are in a directory other than
+# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
+# directory in this variable. Example: MODULESDIR=/etc/modules.
+
+MODULESDIR=
+
+################################################################################
+# F I R E W A L L O P T I O N S
+################################################################################
+
+# NAME OF THE FIREWALL ZONE
+#
+# Name of the firewall zone -- if not set or if set to an empty string, "fw"
+# is assumed.
+#
+#FW=fw
+
+#
+# ENABLE IP FORWARDING
+#
+# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
+# say "Off" or "off", packet forwarding will be disabled. You would only want
+# to disable packet forwarding if you are installing Shorewall on a
+# standalone system or if you want all traffic through the Shorewall system
+# to be handled by proxies.
+#
+# If you set this variable to "Keep" or "keep", Shorewall will neither
+# enable nor disable packet forwarding.
+#
+#IP_FORWARDING=On
+
+#
+# AUTOMATICALLY ADD NAT IP ADDRESSES
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
+# for each NAT external address that you give in /etc/shorewall/nat. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_IP_ALIASES=Yes
+
+#
+# AUTOMATICALLY ADD SNAT IP ADDRESSES
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
+# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
+# you are sure that you need it -- most people don't!!!
+#
+ADD_SNAT_ALIASES=No
+
+#
+# ENABLE TRAFFIC SHAPING
+#
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# you must enable packet mangling above.
+#
+TC_ENABLED=No
+
+#
+# Clear Traffic Shapping/Control
+#
+# If this option is set to 'No' then Shorewall won't clear the current
+# traffic control rules during [re]start. This setting is intended
+# for use by people that prefer to configure traffic shaping when
+# the network interfaces come up rather than when the firewall
+# is started. If that is what you want to do, set TC_ENABLED=Yes and
+# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
+# way, your traffic shaping rules can still use the 'fwmark'
+# classifier based on packet marking defined in /etc/shorewall/tcrules.
+#
+# If omitted, CLEAR_TC=Yes is assumed.
+
+CLEAR_TC=Yes
+
+#
+# Mark Packets in the forward chain
+#
+# When processing the tcrules file, Shorewall normally marks packets in the
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
+# this to "Yes". If not specified or if set to the empty value (e.g.,
+# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
+#
+# Marking packets in the FORWARD chain has the advantage that inbound
+# packets destined for Masqueraded/SNATed local hosts have had their destination
+# address rewritten so they can be marked based on their destination. When
+# packets are marked in the PREROUTING chain, packets destined for
+# Masqueraded/SNATed local hosts still have a destination address corresponding
+# to the firewall's external interface.
+#
+# Note: Older kernels do not support marking packets in the FORWARD chain and
+# setting this variable to Yes may cause startup problems.
+
+MARK_IN_FORWARD_CHAIN=No
+
+#
+# MSS CLAMPING
+#
+# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
+# option. This option is most commonly required when your internet
+# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+# This option adds a `TCPMSS' target, which allows you to alter the
+# MSS value of TCP SYN packets, to control the maximum size for that
+# connection (usually limiting it to your outgoing interface's MTU
+# minus 40).
+#
+# This is used to overcome criminally braindead ISPs or servers which
+# block ICMP Fragmentation Needed packets. The symptoms of this
+# problem are that everything works fine from your Linux
+# firewall/router, but machines behind it can never exchange large
+# packets:
+# 1) Web browsers connect, then hang with no data received.
+# 2) Small mail works fine, but large emails hang.
+# 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
+#
+# If left blank, or set to "No" or "no", the option is not enabled.
+#
+CLAMPMSS=No
+
+#
+# ROUTE FILTERING
+#
+# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
+# interfaces started while Shorewall is started (anti-spoofing measure).
+#
+# If this variable is not set or is set to the empty value, "No" is assumed.
+# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
+# on individual interfaces using the 'routefilter' option in the
+# /etc/shorewall/interfaces file.
+
+ROUTE_FILTER=yes
+
+#
+# NAT BEFORE RULES
+#
+# Shorewall has traditionally processed static NAT rules before port forwarding
+# rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
+
+NAT_BEFORE_RULES=Yes
+
+# DNAT IP ADDRESS DETECTION
+#
+# Normally when Shorewall encounters the following rule:
+#
+# DNAT net loc:192.168.1.3 tcp 80
+#
+# it will forward TCP port 80 connections from the net to 192.168.1.3
+# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
+# convenient for two reasons:
+#
+# a) If the the network interface has a dynamic IP address, the
+# firewall configuration will work even when the address
+# changes.
+#
+# b) It saves having to configure the IP address in the rule
+# while still allowing the firewall to be started before the
+# internet interface is brought up.
+#
+# This default behavior can also have a negative effect. If the
+# internet interface has more than one IP address then the above
+# rule will forward connection requests on all of these addresses;
+# that may not be what is desired.
+#
+# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
+# only if the original destination address is the primary IP address of
+# one of the interfaces associated with the source zone. Note that this
+# requires all interfaces to the source zone to be up when the firewall
+# is [re]started.
+
+DETECT_DNAT_IPADDRS=No
+
+#
+# MUTEX TIMEOUT
+#
+# The value of this variable determines the number of seconds that programs
+# will wait for exclusive access to the Shorewall lock file. After the number
+# of seconds corresponding to the value of this variable, programs will assume
+# that the last program to hold the lock died without releasing the lock.
+#
+# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
+#
+# An appropriate value for this parameter would be twice the length of time
+# that it takes your firewall system to process a "shorewall restart" command.
+
+MUTEX_TIMEOUT=60
+
+#
+# NEWNOTSYN
+#
+# TCP connections are established using the familiar three-way "handshake":
+#
+# CLIENT SERVER
+#
+# SYN-------------------->
+# <------------------SYN,ACK
+# ACK-------------------->
+#
+# The first packet in that exchange (packet with the SYN flag on and the ACK
+# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
+# A packet is said to be NEW if it is not part of or related to an already
+# established connection.
+#
+# The NETNOTSYN option determines the handling of non-SYN packets (those with
+# SYN off or with ACK or RST on) that are not associated with an already
+# established connection.
+#
+# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
+# part of an already established connection, it will be dropped by the
+# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
+# logged before they are dropped.
+#
+# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
+# dropped but will pass through the normal rule/policy processing.
+#
+# Users with a High-availability setup with two firewall's and one acting
+# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
+# also need to select NEWNOTSYN=Yes.
+#
+# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
+# using the 'newnotsyn' option in /etc/shorewall/interfaces.
+#
+# I find that NEWNOTSYN=No tends to result in lots of "stuck"
+# connections because any network timeout during TCP session tear down
+# results in retries being dropped (Netfilter has removed the
+# connection from the conntrack table but the end-points haven't
+# completed shutting down the connection). I therefore have chosen
+# NEWNOTSYN=Yes as the default value.
+
+NEWNOTSYN=Yes
+
+#
+# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
+#
+# Normally, when a "shorewall stop" command is issued or an error occurs during
+# the execution of another shorewall command, Shorewall puts the firewall into
+# a state where only traffic to/from the hosts listed in
+# /etc/shorewall/routestopped is accepted.
+#
+# When performing remote administration on a Shorewall firewall, it is
+# therefore recommended that the IP address of the computer being used for
+# administration be added to the firewall's /etc/shorewall/routestopped file.
+#
+# Some administrators have a hard time remembering to do this with the result
+# that they get to drive across town in the middle of the night to restart
+# a remote firewall (or worse, they have to get someone out of bed to drive
+# across town to restart a very remote firewall).
+#
+# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
+# when the firewall enters the 'stopped' state:
+#
+# All traffic that is part of or related to established connections is still
+# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
+# to and from hosts listed in /etc/shorewall/routestopped.
+#
+# If this variable is not set or it is set to the null value then
+# ADMINISABSENTMINDED=No is assumed.
+#
+ADMINISABSENTMINDED=Yes
+
+#
+# BLACKLIST Behavior
+#
+# Shorewall offers two types of blacklisting:
+#
+# - static blacklisting through the /etc/shorewall/blacklist file together
+# with the 'blacklist' interface option.
+# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
+#
+# The following variable determines whether the blacklist is checked for each
+# packet or for each new connection.
+#
+# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
+# requests
+#
+# BLACKLISTNEWONLY=No Consult blacklists for all packets.
+#
+# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
+# BLACKLISTNEWONLY=No is assumed.
+#
+BLACKLISTNEWONLY=Yes
+
+# MODULE NAME SUFFIX
+#
+# When loading a module named in /etc/shorewall/modules, Shorewall normally
+# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
+# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
+# naming convention then you can specify the suffix (extension) for module
+# names in this variable.
+#
+# To see what suffix is used by your distribution:
+#
+# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#
+# All of the file names listed should have the same suffix (extension). Set
+# MODULE_SUFFIX to that suffix.
+#
+# Examples:
+#
+# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
+# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
+#
+
+MODULE_SUFFIX=
+
+################################################################################
+# P A C K E T D I S P O S I T I O N
+################################################################################
+#
+# BLACKLIST DISPOSITION
+#
+# Set this variable to the action that you want to perform on packets from
+# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# DROP is assumed.
+#
+BLACKLIST_DISPOSITION=DROP
+
+#
+# MAC List Disposition
+#
+# This variable determines the disposition of connection requests arriving
+# on interfaces that have the 'maclist' option and that are from a device
+# that is not listed for that interface in /etc/shorewall/maclist. Valid
+# values are ACCEPT, DROP and REJECT. If not specified or specified as
+# empty (MACLIST_DISPOSITION="") then REJECT is assumed
+
+MACLIST_DISPOSITION=REJECT
+
+#
+# TCP FLAGS Disposition
+#
+# This variable determins the disposition of packets having an invalid
+# combination of TCP flags that are received on interfaces having the
+# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
+# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE
diff --git a/contrib/shoregen/samples/shorewall.conf/ig b/contrib/shoregen/samples/shorewall.conf/ig
new file mode 100644
index 000000000..ffc52bd43
--- /dev/null
+++ b/contrib/shoregen/samples/shorewall.conf/ig
@@ -0,0 +1,2 @@
+FW=ig
+IP_FORWARDING=On
diff --git a/contrib/shoregen/samples/shorewall.conf/mail b/contrib/shoregen/samples/shorewall.conf/mail
new file mode 100644
index 000000000..a6051a9af
--- /dev/null
+++ b/contrib/shoregen/samples/shorewall.conf/mail
@@ -0,0 +1,2 @@
+FW=enoch
+IP_FORWARDING=Off
diff --git a/contrib/shoregen/samples/shorewall.conf/og b/contrib/shoregen/samples/shorewall.conf/og
new file mode 100644
index 000000000..220ec2e8a
--- /dev/null
+++ b/contrib/shoregen/samples/shorewall.conf/og
@@ -0,0 +1,2 @@
+FW=og
+IP_FORWARDING=On
diff --git a/contrib/shoregen/samples/shorewall.conf/proxy b/contrib/shoregen/samples/shorewall.conf/proxy
new file mode 100644
index 000000000..b324a4fc7
--- /dev/null
+++ b/contrib/shoregen/samples/shorewall.conf/proxy
@@ -0,0 +1,2 @@
+FW=dmz
+IP_FORWARDING=Off
diff --git a/contrib/shoregen/samples/zones b/contrib/shoregen/samples/zones
new file mode 100644
index 000000000..d84061bd5
--- /dev/null
+++ b/contrib/shoregen/samples/zones
@@ -0,0 +1,10 @@
+#ZONE DISPLAY COMMENTS
+lan LAN Local network
+guest Guest Untrusted LAN hosts
+ig IG Inner Guard
+og OG Outer Guard
+mail Mail Mail server
+proxy Proxy Proxy server
+net Net Internet
+other Other Basket for things that don't fit elsewhere
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/contrib/shoregen/shoregen b/contrib/shoregen/shoregen
new file mode 100644
index 000000000..bc4eed6f1
--- /dev/null
+++ b/contrib/shoregen/shoregen
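Review bot: `ADMINISABSENTMINDED=Yes` is set in the COMMON fragment, which shoregen places first in every host's generated shorewall.conf, so each firewall built from these samples — including the internet-facing `og` — accepts all OUTPUT and all established/related traffic whenever it is in the stopped state, which the comment above it says is also where Shorewall lands after a failed command. The per-host fragments (shorewall.conf/ig and friends) already show the override mechanism, so I would keep the documented default of `No` here and enable it only in the host files where remote restart is a real concern, with a comment such as `# Remote-admin convenience: opens all OUTPUT while stopped; prefer routestopped`. Two wording nits in the copied text that a later clean-up could fix: the TC_ENABLED comment tells the reader to "enable packet mangling above" but no such option exists in this file, and the NEWNOTSYN description misspells the option as `NETNOTSYN`.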
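Review bot: `FW=enoch` gives this host a firewall-zone name that differs from the `mail` zone the shared zones and rules files use for it, and shoregen keys firewall-side matching on the FW value (`$hostzones{$fw} = 2;`) and rewrites `DNAT` to `ACCEPT` only when `$dst eq $fw`. On this host the sample rule `DNAT net mail:$MAIL tcp 25` will therefore either be skipped (no `mail` zone known) or emitted as an unrewritten DNAT, rather than becoming an ACCEPT on the firewall zone, unless hosts/mail or interfaces/mail — not in this hunk — declare a `mail` zone. shorewall.conf/proxy has the same shape with `FW=dmz` against the `proxy` zone. If the mismatch is deliberate, a one-line comment in both files saying so would save the next reader the trace; otherwise `FW=mail` and `FW=proxy` would line the samples up with the rules.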
@@ -0,0 +1,373 @@
+#!/usr/bin/perl -w
+#
+# $Id: shoregen,v 1.27 2004/04/24 12:31:18 paulgear Exp $
+#
+# Generate shorewall configuration for a host from central configuration
+# files.
+#
+
+#
+# (c) Copyright 2004 Paul D. Gear
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to
+# on the World Wide Web.
+#
+
+use strict;
+
+my $VERBOSE = 1;
+my $DEBUG = 1;
+my $DATE = scalar localtime;
+my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n";
+
+if ($#ARGV != 0) {
+ print STDERR "Usage: $0 \n";
+ exit 1;
+}
+
+my $base = ".";
+my $host = $ARGV[ 0 ];
+my $spool = "$base/SPOOL";
+my $dir = "$spool/$host";
+
+
+#
+# Messaging routines for use by the program itself - any errors that are
+# generated externally (e.g. file opening problems) are reported using the
+# usual perl 'die' or 'warn' functions.
+#
+
+sub warning
+{
+ print STDERR "$0: WARNING - @_\n";
+}
+
+sub fatal
+{
+ my $RET = shift;
+ print STDERR "$0: FATAL - @_\n";
+ exit $RET;
+}
+
+sub message
+{
+ print "$0: @_\n";
+}
+
+
+#
+# These bits make the files that actually get copied to the target host
+#
+
+sub stripfile
+{
+ open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!";
+ my @file;
+
+ for (<$file>) {
+ s/\s*#.*$//g; # remove all comments
+ next if m/^\s*$/; # skip blank lines
+ push @file, $_;
+ }
+
+ close $file or warn "Can't close $_[ 0 ] after reading: $!";
+
+ return @file;
+}
+
+
+sub constructfile
+{
+ my $confname = shift;
+ my $dst = shift;
+ my $foundone = 0;
+
+ message "Constructing $confname" if $VERBOSE > 1;
+
+ open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
+ printf $DST $HEADER, $confname;
+
+ for my $file (@_) {
+ if (-r $file) {
+ $foundone = 1;
+ print $DST "##$file\n" if $DEBUG > 1;
+ print $DST stripfile $file;
+ }
+ }
+
+ close $DST or warn "Can't close $dst: $!";
+
+ if (!$foundone) {
+ warning "\"$confname\" not present. " .
+ "Existing file on $host will be preserved." if $VERBOSE > 2;
+ unlink $dst;
+ }
+}
+
+#
+# main
+#
+
+my $fw; # Firewall zone for this host
+my @globalzones; # All known zones
+my %globalzones;
+my %hostzones; # zones applicable to this host
+my $outfile; # filename holders
+my $conf; # config file we're processing at present
+my %warnban; # meta-rules/policies
+
+
+# Change to the base configuration directory
+die "Configuration directory $base doesn't exist!" if ! -d $base;
+chdir $base or die "Can't change directory to $base: $!";
+
+# Create spool directories if necessary
+if (! -d "$spool") {
+ mkdir "$spool" or die "Can't create spool directory $spool: $!";
+}
+if (! -d $dir) {
+ mkdir $dir or die "Can't create host spool directory $dir: $!";
+}
+
+
+#
+# Construct all the simple config files.
+#
+
+# Config files for which the host-specific file is included *first*
+my @hostfirstconfigs = qw( blacklist ecn hosts interfaces maclist masq nat
+ proxyarp rfc1918 routestopped start stop stopped tcrules tos tunnels );
+
+# Config files for which the host-specific file is included *last*
+my @hostlastconfigs = qw( common init modules params shorewall.conf );
+
+for my $conf (@hostfirstconfigs) {
+ constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON";
+}
+
+for my $conf (@hostlastconfigs) {
+ constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host";
+}
+
+#
+# The remaining config files (policy, rules, zones) are processed uniquely.
+#
+
+# Find the firewall name of this host
+open( my $infile, "$dir/shorewall.conf" ) or
+ die "Can't open $dir/shorewall.conf: $!";
+
+for (<$infile>) {
+ next unless m/^\s*FW=(\S+)/;
+ $fw = $1;
+ last;
+}
+
+close $infile;
+
+
+# The firewall name must be defined
+unless (defined $fw) {
+ fatal 1, "Can't find firewall name for $host in $dir/shorewall.conf";
+}
+
+
+# Find all valid zones
+unless (-r "zones") {
+ fatal 2, "You must provide a global zone file";
+}
+
+
+for (stripfile "zones") {
+ chomp;
+ my ($zone, $details) = split /\s+/, $_, 2;
+ push @globalzones, $zone;
+ $globalzones{ $zone } = $details;
+}
+
+#
+# Work out which zones apply to this host from the combination of hosts &
+# interfaces. The first field in both files is the zone name, and the
+# second (minus any trailing ips) is the interface, which we save as well
+# for later reference.
+#
+
+for my $infile ("$dir/hosts", "$dir/interfaces") {
+ if (-r $infile) {
+ for (stripfile $infile) {
+ chomp;
+ my @F = split;
+ next if $#F < 0;
+ next if $F[ 0 ] eq "-";
+ my @IF = split /:/, $F[ 1 ];
+ $hostzones{ $F[ 0 ] } = $IF[ 0 ];
+ }
+ }
+}
+
+$conf = "zones";
+
+#
+# Create the zones file from the intersection of the above - note the order
+# from the original zone file must be preserved, hence the need for the
+# array as well as the hash.
+#
+
+open( $outfile, ">$dir/$conf" ) or
+ die "Can't open $dir/$conf for writing: $!";
+
+printf $outfile $HEADER, "$conf";
+my %tmpzones = %hostzones; # Take a copy of all the zones,
+
+for my $zone (@globalzones) {
+ if (exists $tmpzones{ $zone }) {
+ print $outfile "$zone $globalzones{ $zone }\n";
+ delete $tmpzones{ $zone }; # deleting those found as we go along.
+ }
+}
+
+close $outfile or warn "Can't close $dir/$conf after writing: $!";
+
+for my $zone (sort keys %tmpzones) { # Warn if we've got any zones left now.
+ #next if $zone eq "-";
+ warning "No entry for $zone in global zones file - ignored";
+}
+undef %tmpzones;
+
+
+my @tmp = sort keys %hostzones;
+message "FW zone for $host: $fw" if $VERBOSE > 0;
+message "Other zones for $host: @tmp" if $VERBOSE > 0;
+
+#
+# Add 'all' as a valid source or destination. Added here so it doesn't get
+# checked in %tmpzones check above. Also add firewall itself. (The
+# numbers are not important as long as they are different.)
+#
+
+$hostzones{"all"} = 1;
+$hostzones{$fw} = 2;
+
+#
+# Create the policy file, including only the applicable zones.
+#
+
+$conf = "policy";
+if (! -r $conf) {
+ fatal 3, "You must provide a global \"$conf\" file";
+}
+
+open( $outfile, ">$dir/$conf" ) or
+ die "Can't open $dir/$conf for writing: $!";
+printf $outfile $HEADER, "$conf";
+
+for (stripfile $conf) {
+ chomp;
+
+ my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4;
+
+ print "$src, $dst, $pol, $rest\n" if $DEBUG > 3;
+
+ # Both source and destination zones must be valid on this host for this
+ # policy to apply.
+ next unless defined $hostzones{$src} and defined $hostzones{$dst};
+
+ # Source and destination zones must be on different interfaces as well,
+ # except for the case of all2all.
+ #next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
+
+ # Save WARN & BAN details for later rules processing
+ if ($pol eq "WARN" or $pol eq "BAN") {
+ if (exists $warnban{$src}{$dst}) {
+ warning "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?";
+ }
+ $warnban{$src}{$dst} = $pol;
+ next;
+ }
+
+ printf $outfile "%s\n", $_;
+}
+close $outfile or warn "Can't close $dir/$conf for writing: $!";
+
+
+#
+# Create the rules file, only including the applicable zones and taking
+# into account any WARN or BAN policies.
+#
+
+$conf = "rules";
+if (! -r $conf) {
+ fatal 4, "You must provide a global \"$conf\" file";
+}
+
+open( $outfile, ">$dir/$conf" ) or
+ die "Can't open $dir/$conf for writing: $!";
+printf $outfile $HEADER, "$conf";
+
+my $ret = 0;
+
+for (stripfile $conf) {
+ chomp;
+
+ my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
+
+ # strip down to only the main tag
+ $act =~ s/:.*//;
+ $src =~ s/:.*//;
+ $dst =~ s/:.*//;
+ print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
+
+ # Both source and destination zones must be valid on this host for this
+ # rule to apply.
+ next unless defined $hostzones{$src} and defined $hostzones{$dst};
+
+ # Source and destination zones must be on different interfaces as well,
+ # except for the case of all2all.
+ next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
+
+ # Save additional WARN/BAN rules
+ if ($act eq "WARN" or $act eq "BAN") {
+ if (exists $warnban{$src}{$dst}) {
+ warning "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
+ }
+ $warnban{$src}{$dst} = $act;
+ next;
+ }
+
+ # Check against WARN/BAN rules
+ if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|DNAT)\b/) {
+ if ($warnban{$src}{$dst} eq "WARN") {
+ warning "Rule contravenes WARN policy:\n\t$_";
+ }
+ else { # $warnban{$src}{$dst} eq "BAN"
+ warning "Rule contravenes BAN policy (omitted):\n\t$_";
+ ++$ret;
+ next;
+ }
+ }
+
+ # Mangle DNAT rules if the destination is the local machine
+ if ($act =~ /^DNAT/ && $dst eq $fw) {
+ $_ =~ s/\bDNAT(-)?/ACCEPT/; # change rule type
+ $_ =~ s/\b$fw:\S+/$dst/; # strip trailing server address/port
+ }
+
+ printf $outfile "%s\n", $_;
+}
+close $outfile or warn "Can't close $dir/$conf for writing: $!";
+
+
+# If we get here, everything's OK - return whatever we produced above...
+exit $ret;
diff --git a/contrib/shoregen/spec/description b/contrib/shoregen/spec/description
new file mode 100644
index 000000000..e4f33e240
--- /dev/null
+++ b/contrib/shoregen/spec/description
@@ -0,0 +1,3 @@
+Shoregen is a script that generates Shoreline Firewall configurations for
+multiple firewalls from a common set of rules and policies. Only the
+minimal information necessary for operation is stored on each firewall.
diff --git a/contrib/shoregen/spec/files b/contrib/shoregen/spec/files
new file mode 100644
index 000000000..10685dd98
--- /dev/null
+++ b/contrib/shoregen/spec/files
@@ -0,0 +1,4 @@
+# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $
+/usr/bin/%{name}
+/usr/bin/install_%{name}
+%doc /usr/share/doc/%{name}-%{version}/
diff --git a/contrib/shoregen/spec/header b/contrib/shoregen/spec/header
new file mode 100644
index 000000000..c0c422fd7
--- /dev/null
+++ b/contrib/shoregen/spec/header
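Review bot: `$host` comes straight from `$ARGV[ 0 ]` and is interpolated into `$dir = "$spool/$host"` and into every output path, and constructfile's fallback branch runs `unlink $dst` whenever neither source fragment is readable, so a host argument containing `/` or `..` both writes and deletes outside SPOOL. The script is meant to be run by the admin who also owns the Shorewall configuration, so this is a foot-gun rather than an exposure, but a plain-name check right after the usage test closes it cheaply: `die "$0: invalid host name '$host'\n" unless $host =~ /^[\w.-]+\z/ and $host !~ /^\.\.?\z/;`. In the same pass I would move the two-argument opens (`open( my $file, $_[ 0 ] )`, `open( my $DST, ">$dst" )`) to the three-argument form, e.g. `open( my $file, '<', $_[ 0 ] )`, so a path is never parsed as a mode or pipe, and `\b$fw:\S+` in the DNAT rewrite should be `\b\Q$fw\E:\S+` since the FW name is used unescaped as a regex. Note also that `mkdir "$spool"` and `mkdir $dir` inherit the caller's umask while the files written there are a complete per-host firewall policy; an explicit `umask 077;` before the spool directories are created would be the conservative default.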
@@ -0,0 +1,10 @@
+# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $
+Summary: Shoreline Firewall configuration generator
+License: GPL
+Group: Applications/System
+BuildArch: noarch
+URL: http://paulgear.webhop.net/linux/#shoregen
+Packager: Paul Gear
+Requires: openssh
+Requires: perl
+Requires: rsync
diff --git a/contrib/shoregen/spec/install b/contrib/shoregen/spec/install
new file mode 100644
index 000000000..12c63ae99
--- /dev/null
+++ b/contrib/shoregen/spec/install
@@ -0,0 +1,9 @@
+# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $
+
+install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/
+install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/
+
+install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
+install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
+cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
+chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
diff --git a/contrib/shoregen/spec/type b/contrib/shoregen/spec/type
new file mode 100644
index 000000000..1c561e982
--- /dev/null
+++ b/contrib/shoregen/spec/type
@@ -0,0 +1,2 @@
+install
+# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $
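Review bot: `install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/` creates the binary directory with a mode that would make /usr/bin unusable for non-root users, while the doc directory two lines below correctly gets `0755`. spec/files lists only the two executables, so the directory itself should not end up in the package, but this is a trap for anyone who later adds `%dir` or packages the tree with a wildcard. `install -d -m 0755 $RPM_BUILD_ROOT/usr/bin/` is the conventional mode and matches the rest of the fragment.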