Documentation updates; add rate limiting to 'logdrop' chain

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@487 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 09:47:51 +02:00 · 2003-03-08 15:48:57 +00:00 · 2003-03-08 15:48:57 +00:00 · ba123e3eba
commit ba123e3eba
parent 4a173940b2
16 changed files with 5618 additions and 5072 deletions
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -63,15 +63,15 @@
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
                    to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
-       in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com
+        in   my   local      network. <b>External clients can browse</b>
-             but    <b>internal  clients can't</b>.</a></p>
+http://www.mydomain.com               but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
                     subnet and I use <b>static NAT</b> to assign non-RFC1918
-   addresses          to   hosts   in  Z. Hosts in Z cannot communicate with
+    addresses          to   hosts   in  Z. Hosts in Z cannot communicate
-   each other  using      their    external    (non-RFC1918 addresses) so
+with     each other  using      their    external    (non-RFC1918 addresses)
-they   <b>can't access each     other using   their DNS   names.</b></a></p>
+so  they   <b>can't access each     other using   their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
@ -121,8 +121,8 @@ in Shorewall log messages <b>so long</b>? I thought MAC addresses were only
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
-                   on RedHat</b> I get messages about insmod failing -- what's
+                    on RedHat</b> I get messages about insmod failing --
-      wrong?</a></p>
+what's        wrong?</a></p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
@ -144,10 +144,10 @@ in Shorewall log messages <b>so long</b>? I thought MAC addresses were only
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
-                   and it has an internel  web server that allows me to configure/monitor
+                    and it has an internel  web server that allows me to
-                it   but as expected if I enable <b> rfc1918 blocking</b>
+configure/monitor                  it   but as expected if I enable <b> rfc1918
-for    my   eth0     interface,       it also blocks the <b>cable modems
+blocking</b>  for    my   eth0     interface,       it also blocks the <b>cable
- web server</b></a>.</p>
+modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
@ -167,9 +167,9 @@ for    my   eth0     interface,       it also blocks the <b>cable modems
 href="#faq17">How   do  I  find   out   <b>why    this traffic   is</b> getting
 <b>logged?</b></a><br>
                                <br>
-                              <b>18.</b> <a href="#faq18">Is there any way
+                                <b>18.</b> <a href="#faq18">Is there any
- to  use   <b>aliased      ip  addresses</b>    with Shorewall, and maintain 
+way   to  use   <b>aliased      ip  addresses</b>    with Shorewall, and
- separate    rulesets for    different   IPs?</a><br>
+maintain   separate    rulesets for    different   IPs?</a><br>
                            <br>
                            <b>19. </b><a href="#faq19">I have added <b>entries 
   to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do 
@ -183,14 +183,14 @@ server    from   the  internet?<br>
 log   entries      </b>occasionally;    what are they?<br>
                         </a><br>
                 <b>22. </b><a href="#faq22">I have some <b>iptables commands 
- </b>that     I  want to <b>run when Shorewall starts.</b> Which file do I
+  </b>that     I  want to <b>run when Shorewall starts.</b> Which file do 
- put them in?</a><br>
+I  put them in?</a><br>
               <br>
               <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b>
    on  your   <b>web site</b>?</a><br>
            <br>
-          <b>24. </b><a href="#faq24">How can I <b>allow conections</b> to
+            <b>24. </b><a href="#faq24">How can I <b>allow conections</b> 
- let's    say  the ssh port only<b> from specific IP Addresses</b> on the
+to  let's    say  the ssh port only<b> from specific IP Addresses</b> on the
 internet?</a><br>
  <br>
  <b>25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b> 
@ -323,8 +323,8 @@ I am <b>running</b>?</a><br>
  </table>
                                         </blockquote>
- Finally,  if you need to forward a range of ports, in the PORT column specify 
+   Finally,  if you need to forward a range of ports, in the PORT column
-the range  as <i>low-port</i>:<i>high-port</i>.<br>
+specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
 <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
                    but  it doesn't work</h4>
@ -351,13 +351,13 @@ inside    your   firewall     (no,   that    won't    work -- see <a
                               <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
-                               <li>As root, type "iptables -t nat -Z". This 
+                                 <li>As root, type "iptables -t nat -Z".
- clears    the   NetFilter      counters   in the nat table.</li>
+This   clears    the   NetFilter      counters   in the nat table.</li>
                                 <li>Try to connect to the redirected port
 from   an  external     host.</li>
                                 <li>As root type "shorewall show nat"</li>
-                               <li>Locate the appropriate DNAT rule. It will
+                                 <li>Locate the appropriate DNAT rule. It 
-  be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat' 
+will   be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat'
   in the above   examples).</li>
                                 <li>Is the packet count in the first column
  non-zero?      If  so,   the   connection    request is reaching the firewall
@ -404,22 +404,23 @@ there's  nothing    between  that  server  and  your other   internal
 you can   put       your   server in a DMZ such  that it is isolated  from
 your   local systems    -      assuming that the  Server can be located 
 near the Firewall,   of course     :-)</li>
-                                         <li>The accessibility problem is 
+                                           <li>The accessibility problem
-best   solved    using           <a href="shorewall_setup_guide.htm#DNS">Bind
+is  best   solved    using           <a
- Version       9 "views"</a>     (or using a separate DNS server for local
+ href="shorewall_setup_guide.htm#DNS">Bind  Version       9 "views"</a>  
- clients)  such   that www.mydomain.com     resolves to 130.141.100.69  
+  (or using a separate DNS server for local  clients)  such   that www.mydomain.com 
-  externally  and 192.168.1.5   internally. That's    what I do here at 
+    resolves to 130.141.100.69     externally  and 192.168.1.5   internally. 
-   shorewall.net  for my local systems   that use static   NAT.</li>
+That's    what I do here at     shorewall.net  for my local systems   that 
 use static   NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem
-                    rather than a DNS solution, then assuming that your external
+                     rather than a DNS solution, then assuming that your
-       interface          is  eth0  and your internal interface is eth1 
+external         interface          is  eth0  and your internal interface
-and    that    eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24,
+is eth1  and    that    eth1 has IP   address      192.168.1.254  with subnet
-   do   the following:</p>
+192.168.1.0/24,     do   the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
@ -521,8 +522,8 @@ running        Shorewall          1.3.4 or later then include this in  /etc/shor
 <div align="left">                                         
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
-                    client to automatically restart Shorewall each time that
+                     client to automatically restart Shorewall each time
-   you    get    a  new    IP   address.</p>
+that     you    get    a  new    IP   address.</p>
                                        </div>
@ -541,8 +542,8 @@ DNS   name.</p>
 <p align="left">Another good way to approach this problem is to switch from 
                    static NAT to Proxy ARP. That way, the hosts in Z have 
-non-RFC1918            addresses      and can be accessed externally and internally
+ non-RFC1918            addresses      and can be accessed externally and 
-using     the    same   address.  </p>
+internally using     the    same   address.  </p>
 <p align="left">If you don't like those solutions and prefer routing all
@ -662,8 +663,8 @@ Z-&gt;Z traffic through your firewall then:</p>
                    tracking/NAT module</a> that may help with Netmeeting.
 Look    <a href="http://linux-igd.sourceforge.net">here</a> for a solution
 for MSN   IM but be aware that there are significant security risks involved
-with this  solution. Also check the Netfilter      mailing        list  archives
+ with this  solution. Also check the Netfilter      mailing        list 
-  at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.   
+archives    at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
              </p>
@ -686,8 +687,8 @@ slightly on the amount   of Windows  chatter on LAN segments    connected
 <p align="left">If you are seeing port 80 being 'closed', that's probably
-                   your    ISP preventing you from running a web server in
+                    your    ISP preventing you from running a web server
- violation          of   your     Service    Agreement.</p>
+in   violation          of   your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
@ -711,8 +712,8 @@ and   do    the   nmap UDP scan again.</p>
 <p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
-                                       b) Copy /etc/shorewall/icmp.def to 
+                                         b) Copy /etc/shorewall/icmp.def
-/etc/shorewall/icmpdef<br>
+to  /etc/shorewall/icmpdef<br>
                                         c) Add the following to /etc/shorewall/icmpdef:
        </p>
@ -785,8 +786,8 @@ activity   on  the  corresponding    system.
 <pre>	DROP    net    fw    udp    10619</pre>
 <h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow 
-   of these DROP messages from port 53 to some high numbered port.  They get
+    of these DROP messages from port 53 to some high numbered port.  They 
-   dropped, but what the heck are they?</h4>
+get    dropped, but what the heck are they?</h4>
 <pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
         <b>Answer: </b>There are two possibilities:<br>
@ -811,9 +812,9 @@ Guides</a>.<br>
 <h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in 
 Shorewall log messages so long? I thought MAC addresses were only 6 bytes 
-in length. What is labeled as the MAC address in a Shorewall log message is
+ in length.</h4>
-actually the Ethernet frame header. In contains:<br>
+What is labeled as the MAC address in a Shorewall log message is actually
-  </h4>
+the Ethernet frame header. It contains:<br>
 <ul>
     <li>the destination MAC address (6 bytes)</li>
@ -872,6 +873,7 @@ actually the Ethernet frame header. In contains:<br>
 <h4 align="left">      </h4>
 <h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces 
                   properly?</h4>
@ -932,10 +934,10 @@ more commonly   used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
-                   and it has an  internal web server that allows me to configure/monitor
+                    and it has an  internal web server that allows me to
-                it   but as expected if I  enable rfc1918 blocking for my
+configure/monitor                  it   but as expected if I  enable rfc1918
-eth0     interface          (the  internet one), it also blocks  the cable
+blocking for my  eth0     interface          (the  internet one), it also
-modems    web server.</h4>
+blocks  the cable  modems    web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking
@ -989,6 +991,7 @@ following:</p>
 <p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
                                      </p>
 <p align="left">Note: If you add a second IP address to your external firewall
                   interface to correspond to the modem address, you must
 also     make     an   entry      in /etc/shorewall/rfc1918 for that address.
@ -997,6 +1000,7 @@ firewall,    then   you would   add two entries      to /etc/shorewall/rfc1918:
 <br>
                                      </p>
 <blockquote>                                                            
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
@ -1022,6 +1026,7 @@ firewall,    then   you would   add two entries      to /etc/shorewall/rfc1918:
    </tbody>                                                            
  </table>
@ -1075,7 +1080,8 @@ this  problem    are:</p>
    <p align="left">The DNS settings on the local systems are wrong or the
                       user is running a DNS server on the firewall and hasn't
-    enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
+     enabled        UDP    and   TCP    port 53 from the firewall to the
 internet.</p>
                                            </li>
@ -1088,14 +1094,15 @@ this  problem    are:</p>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
                    to your startup    scripts or place it in /etc/shorewall/start.
-         Under      RedHat,    the max log level    that is sent to the console
+          Under      RedHat,    the max log level    that is sent to the
-      is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
+console        is   specified     in /etc/sysconfig/init    in the    LOGLEVEL
 variable.<br>
                                    </p>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
        logged?</h4>
-                                  <b>Answer: </b>Logging occurs out of a
+                                    <b>Answer: </b>Logging occurs out of
-number    of  chains    (as   indicated      in  the log message) in Shorewall:<br>
+a  number    of  chains    (as   indicated      in  the log message) in Shorewall:<br>
 <ol>
                                      <li><b>man1918 - </b>The destination
@ -1111,11 +1118,11 @@ address     is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop
      to   ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                                     </li>
-                                    <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>-
+                                      <li><b>&lt;zone1&gt;2&lt;zone2&gt;
-  Either    you   have   a<a href="Documentation.htm#Policy"> policy</a>
+    </b>-    Either    you   have   a<a href="Documentation.htm#Policy">
-for       <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b> that
+policy</a> for       <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b>
-specifies   a log level and this     packet is being         logged under
+that specifies   a log level and this     packet is being         logged
-that policy   or this packet matches    a     <a
+under that policy   or this packet matches    a     <a
 href="Documentation.htm#Rules">rule</a>   that includes a log level.</li>
                               <li><b>&lt;interface&gt;_mac</b> - The packet
  is  being    logged    under    the      <b>maclist</b> <a
@ -1129,20 +1136,20 @@ that policy   or this packet matches    a     <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified 
     in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-                                    <li><b>blacklst</b> - The packet is being 
+                                      <li><b>blacklst</b> - The packet is 
-  logged    because     the   source    IP  is blacklisted in the<a
+being    logged    because     the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
                                      <li><b>newnotsyn </b>- The packet is
-being    logged    because     it  is  a  TCP   packet that is not part of
+ being    logged    because     it  is  a  TCP   packet that is not part
-any current    connection    yet  it   is not a syn  packet.   Options affecting
+of  any current    connection    yet  it   is not a syn  packet.   Options
-the logging    of such  packets   include       <b>NEWNOTSYN       </b>and
+affecting  the logging    of such  packets   include       <b>NEWNOTSYN 
-      <b>LOGNEWNOTSYN        </b>in         <a
+     </b>and        <b>LOGNEWNOTSYN        </b>in         <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                                   <li><b>INPUT</b> or <b>FORWARD</b> - The 
+                                     <li><b>INPUT</b> or <b>FORWARD</b> - 
- packet    has   a  source    IP  address    that isn't in any of your defined 
+The   packet    has   a  source    IP  address    that isn't in any of your 
- zones    ("shorewall    check"    and  look at the   printed zone definitions)
+defined   zones    ("shorewall    check"    and  look at the   printed zone 
-  or   the chain is FORWARD   and   the destination  IP  isn't in any of
+definitions)   or   the chain is FORWARD   and   the destination  IP  isn't 
-your   defined    zones.</li>
+in any of your   defined    zones.</li>
                            <li><b>logflags </b>- The packet is being logged
  because     it  failed    the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
@ -1153,35 +1160,8 @@ your   defined    zones.</li>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
                with Shorewall, and maintain separate rulesets for different
   IPs?</h4>
-                              <b>Answer: </b>Yes. You simply use the IP address 
+                                <b>Answer: </b>Yes. See <a
-   in  your   rules    (or   if  you  use NAT, use the local IP address in 
+ href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>. 
 your  rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated
    and will   disappear eventually.      Neither   iproute  (ip and tc)
 nor    iptables supports   that notation so  neither    does   Shorewall.
 <br>
                              <br>
                              <b>Example 1:</b><br>
                              <br>
                              /etc/shorewall/rules                      
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
 class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
 class="moz-txt-citetags"></span></pre>
                              <span class="moz-txt-citetags"></span><b>Example
   2  (NAT):</b><br>
                              <br>
                              <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
 <pre wrap=""><span class="moz-txt-citetags"></span><span
 class="moz-txt-citetags"></span>     192.0.2.126	eth0	10.1.1.126</pre>
                              /etc/shorewall/rules                      
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
 class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
 class="moz-txt-citetags"></span><br></pre>
                           <b>Example 3 (DNAT):<br>
                           </b>                           
 <pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
              but they don't seem to do anything. Why?</h4>
@ -1215,20 +1195,20 @@ NAT   is involved (including     SNAT,  DNAT and Masquerade),  there are
 a lot  of broken implementations.    That is  what you are seeing with  these
 messages.<br>
                         <br>
-                      Here is my interpretation of what is happening -- to
+                        Here is my interpretation of what is happening -- 
- confirm     this   analysis,    one would have to have packet sniffers placed
+to  confirm     this   analysis,    one would have to have packet sniffers 
- a both    ends of   the connection.<br>
+placed  a both    ends of   the connection.<br>
                        <br>
                        Host 172.16.1.10 behind NAT gateway 206.124.146.179 
-sent   a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to send
+ sent   a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to 
-a  response   (the response   information  is in the brackets -- note source
+send a  response   (the response   information  is in the brackets -- note 
- port 53 which   marks this as  a DNS reply).  When the response was returned
+source  port 53 which   marks this as  a DNS reply).  When the response was 
- to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10
+returned  to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10
  and forwarded the packet  to  172.16.1.10  who no longer had  a connection
- on UDP port 2857. This causes    a port unreachable  (type 3, code  3) to
+  on UDP port 2857. This causes    a port unreachable  (type 3, code  3)
- be generated back to 192.0.2.3.   As this packet is sent  back through 
+to   be generated back to 192.0.2.3.   As this packet is sent  back through
-206.124.146.179,    that box correctly   changes the source address  in the
+ 206.124.146.179,    that box correctly   changes the source address  in
-packet  to 206.124.146.179    but doesn't   reset the DST IP in the original
+the packet  to 206.124.146.179    but doesn't   reset the DST IP in the original
  DNS response  similarly.    When the ICMP   reaches your firewall (192.0.2.3),
  your firewall  has  no  record of having   sent a DNS reply to 172.16.1.10
 so   this ICMP doesn't     appear to be related   to anything that was sent.
@ -1244,8 +1224,8 @@ because the source IP is  reserved by RFC 1918.<br>
                         You can place these commands in one of the <a
 href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
 sure that you look at the contents of the chain(s) that you will be modifying 
-       with your commands to be sure that the commands will do what they are
+        with your commands to be sure that the commands will do what they 
-   intended.    Many iptables commands published in HOWTOs and other instructional
+are    intended.    Many iptables commands published in HOWTOs and other instructional
   material    use the -A command which adds the rules to the end of the
 chain.    Most chains    that Shorewall constructs end with an unconditional
 DROP,   ACCEPT or REJECT    rule and any rules that you add after that will
@ -1253,15 +1233,15 @@ be ignored.   Check "man iptables"   and look at the -I (--insert) command.<br>
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your 
       web site?</h4>
-             The Shorewall web site is almost font neutral (it doesn't explicitly 
+               The Shorewall web site is almost font neutral (it doesn't
-     specify fonts except on a few pages) so the fonts you see are largely 
+explicitly       specify fonts except on a few pages) so the fonts you see
- the   default fonts configured  in your browser. If you don't like them then
+are largely   the   default fonts configured  in your browser. If you don't
- reconfigure   your browser.<br>
+like them then  reconfigure   your browser.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
      the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
-          In the SOURCE column of the rule, follow "net" by a colon and a 
+            In the SOURCE column of the rule, follow "net" by a colon and 
-list   of  the host/subnet addresses as a comma-separated list.<br>
+a  list   of  the host/subnet addresses as a comma-separated list.<br>
 <pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
            Example:<br>
@ -1280,11 +1260,13 @@ I am <b>running</b>?<br>
    <br>
    <font color="#009900"><b>    /sbin/shorewall version</b></font><br>
  <br>
-<font size="2">Last updated 2/22/2003 - <a href="support.htm">Tom   Eastep</a></font>
+  <font size="2">Last updated 3/5/2003 - <a href="support.htm">Tom   Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font>               ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/OPENVPN.html
+++ b/STABLE/documentation/OPENVPN.html
@ -4,7 +4,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
-  <title>GRE/IPIP Tunnels</title>
+  <title>OpenVPN Tunnels</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
@ -30,9 +30,9 @@
 <p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
 daemon which can be used to securely link two or more private networks using
-an encrypted tunnel over the internet. OpenVPN is an Open Source project and
+ an encrypted tunnel over the internet. OpenVPN is an Open Source project
-is <a href="http://openvpn.sourceforge.net/license.html">licensed under the
+and is <a href="http://openvpn.sourceforge.net/license.html">licensed under
-GPL</a>. OpenVPN can be downloaded from <a
+the GPL</a>. OpenVPN can be downloaded from <a
 href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
  </p>
@ -78,8 +78,8 @@ it in  /etc/shorewall/zones on both systems as follows.</p>
  </table>
   </blockquote>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
-In /etc/shorewall/interfaces:</p>
+zone. In /etc/shorewall/interfaces:</p>
 <blockquote>        
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -125,8 +125,8 @@ In /etc/shorewall/interfaces:</p>
  </blockquote>
 <p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN
-traffic on the default port 5000/udp will be accepted to/from the remote gateway.
+ traffic on the default port 5000/udp will be accepted to/from the remote
-If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels 
+gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels
 like this:<br>
  </p>
@ -235,8 +235,8 @@ zone. In /etc/shorewall/interfaces:</p>
  </blockquote>
 <p align="left">You will need to allow traffic between the "vpn" zone and
-      the "loc" zone on both systems -- if you simply want to admit all traffic 
+       the "loc" zone on both systems -- if you simply want to admit all
-      in both directions, you can use the policy file:</p>
+traffic        in both directions, you can use the policy file:</p>
 <blockquote>              
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -270,6 +270,7 @@ two masqueraded subnetworks can now talk to each other.</p>
 <p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font> 
 <small>and Simon Mater</small><br>
 </p>
 <p><font size="2"> </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -277,5 +278,6 @@ two masqueraded subnetworks can now talk to each other.</p>
 </font></a></font></p>
  <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ProxyARP.htm
+++ b/STABLE/documentation/ProxyARP.htm
@ -29,8 +29,8 @@
 <p>Proxy ARP allows you to insert a firewall in front of a set of servers 
     without changing their IP addresses and without having to re-subnet. 
-Before you try to use this technique, I strongly recommend that you read
+Before you try to use this technique, I strongly recommend that you read the
-the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
+<a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
 <p>The following figure represents a Proxy ARP     environment.</p>
@ -75,8 +75,8 @@ in      /etc/shorewall/proxyarp:</p>
  </blockquote>
 <p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19  
-     in the above example) are not included in any specification in     
+    in the above example) are not included in any specification in      /etc/shorewall/masq
-/etc/shorewall/masq or /etc/shorewall/nat.</p>
+or /etc/shorewall/nat.</p>
 <p>Note that I've used an RFC1918 IP address for eth1 - that IP address is 
     irrelevant. </p>
@ -92,6 +92,7 @@ the      Firewall system's eth0 is configured.</p>
   probably be HOURS before that system can communicate with the internet. 
 There are a couple of things that you can try:<br>
 </p>
 <ol>
   <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, 
 Vol 1</i> reveals that a <br>
@ -105,10 +106,10 @@ a duplicate...<br>
 this packet causes any other host...that has an entry in its cache for the 
 old hardware address to update its ARP cache entry accordingly."<br>
     <br>
-Which is, of course, exactly what you want to do when you switch a host from
+ Which is, of course, exactly what you want to do when you switch a host
-being exposed to the Internet to behind Shorewall using proxy ARP (or static
+from being exposed to the Internet to behind Shorewall using proxy ARP (or
-NAT for that matter). Happily enough, recent versions of Redhat's iputils
+static NAT for that matter). Happily enough, recent versions of Redhat's
-package include "arping", whose "-U" flag does just that:<br>
+iputils package include "arping", whose "-U" flag does just that:<br>
     <br>
     <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied 
 IP&gt;</i></b></font><br>
@ -118,9 +119,22 @@ Stevens goes on to mention that not all systems respond correctly to gratuitous
 ARPs, but googling for "arping -U" seems to support the idea that it works 
 most of the time.<br>
    <br>
 To use arping with Proxy ARP in the above example, you would have to:<br>
    <br>
    <font color="#009900"><b>    shorewall clear<br>
    </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 dev
 eth0<br>
     ip addr add 130.252.100.19 dev eth0</b></font><br>
     <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
     <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
     <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
     ip addr del 130.252.100.19 dev eth0<br>
     shorewall start</font></b><br>
    <br>
  </li>
   <li>You    can call your ISP and ask them to purge the stale ARP cache 
 entry but many    either can't or won't purge individual entries.</li>
 </ol>
 You can determine if your    ISP's gateway ARP cache is stale using ping 
 and tcpdump. Suppose that we    suspect that the gateway router has a stale 
@ -156,9 +170,10 @@ gateway's ARP cache still    associates 130.252.100.19 with the NIC in that
 system rather than with the firewall's    eth0.</p>
 </div>
-<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 1/26/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
  <a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -16,7 +16,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                         <base target="main">           
+                                                                 <base
 target="main">                                                         
  <meta name="Microsoft Theme" content="none">
 </head>
@ -31,11 +32,13 @@
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                                       </td>
                                     </tr>
                                     <tr>
-                                 <td width="100%" bgcolor="#ffffff">    
+                                       <td width="100%"
 bgcolor="#ffffff">                                                     
@ -51,30 +54,30 @@
                                 <li> <a href="Install.htm">Installation/Upgrade/</a><br>
                                   <a href="Install.htm">Configuration</a><br>
                                 </li>
-                           <li> <a href="shorewall_quickstart_guide.htm">QuickStart 
+                                 <li> <a
-     Guides   (HOWTOs)</a><br>
+ href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                                  </li>
                                                         <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
-                                   <li> <a href="Documentation.htm">Reference 
+                                         <li> <a
-  Manual</a></li>
+ href="Documentation.htm">Reference      Manual</a></li>
                                         <li> <a href="FAQ.htm">FAQs</a></li>
-                                    <li><a href="useful_links.html">Useful
+                                          <li><a
- Links</a><br>
+ href="useful_links.html">Useful     Links</a><br>
                                          </li>
                                         <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                         <li> <a href="errata.htm">Errata</a></li>
                                   <li> <a href="upgrade_issues.htm">Upgrade
  Issues</a></li>
                                   <li> <a href="support.htm">Support</a></li>
                                         <li> <a
- href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
+ href="upgrade_issues.htm">Upgrade     Issues</a></li>
                                         <li> <a href="support.htm">Support</a></li>
                             <li> <a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
                                           <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -94,6 +97,7 @@
          </ul>
                                         </li>
@ -109,10 +113,10 @@
                                         <li>   <a href="News.htm">News Archive</a></li>
                                         <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                                   <li> <a href="quotes.htm">Quotes from
+                                         <li> <a href="quotes.htm">Quotes 
-Users</a></li>
+from   Users</a></li>
-                                   <li> <a href="shoreline.htm">About the 
+                                         <li> <a href="shoreline.htm">About 
-Author</a></li>
+ the   Author</a></li>
                                         <li> <a
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
@ -129,8 +133,8 @@ Author</a></li>
 <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
                       <strong><br>
-                         <b>Note: </b></strong>Search is unavailable Daily
+                               <b>Note: </b></strong>Search is unavailable
- 0200-0330      GMT.<br>
+ Daily    0200-0330      GMT.<br>
                               <strong></strong>                        
  <p><strong>Quick Search</strong><br>
@ -144,6 +148,7 @@ Author</a></li>
 type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
@ -152,16 +157,11 @@ Author</a></li>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
                     </a><br>
            <br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
        <br>
     <br>
      <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_sfindex_frame.htm
+++ b/STABLE/documentation/Shorewall_sfindex_frame.htm
@ -16,8 +16,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                             <base target="main">       
+                                                                     <base
-                                                                        
+ target="main">                                                          
  <meta name="Microsoft Theme" content="none">
 </head>
@ -32,11 +32,13 @@
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                                        </td>
                                      </tr>
                                      <tr>
-                                  <td width="100%" bgcolor="#ffffff">   
+                                        <td width="100%"
 bgcolor="#ffffff">                                                      
@ -57,25 +59,26 @@
                                   </li>
                                                          <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                                    <li> <a href="Documentation.htm">Reference
   Manual</a></li>
                                    <li> <a href="FAQ.htm">FAQs</a></li>
                                     <li><a href="useful_links.html">Useful 
 Links</a><br>
                                     </li>
                                    <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                    <li> <a href="errata.htm">Errata</a></li>
                                    <li> <a href="upgrade_issues.htm">Upgrade 
  Issues</a></li>
                                    <li> <a href="support.htm">Support</a></li>
                                          <li> <a
- href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
+ href="Documentation.htm">Reference      Manual</a></li>
                                          <li> <a href="FAQ.htm">FAQs</a></li>
                                           <li><a
 href="useful_links.html">Useful     Links</a><br>
                                           </li>
                                          <li> <a
 href="troubleshoot.htm">Troubleshooting</a></li>
                                          <li> <a href="errata.htm">Errata</a></li>
                                          <li> <a
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
                                          <li> <a href="support.htm">Support</a></li>
                               <li> <a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
                                            <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -95,6 +98,7 @@
          </ul>
                                          </li>
@ -107,13 +111,14 @@
      <ul>
-                                    <li>   <a href="News.htm">News Archive</a></li>
+                                          <li>   <a href="News.htm">News
 Archive</a></li>
                                          <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                                    <li> <a href="quotes.htm">Quotes from 
+                                          <li> <a href="quotes.htm">Quotes
-Users</a></li>
+ from   Users</a></li>
-                                    <li> <a href="shoreline.htm">About the
+                                          <li> <a href="shoreline.htm">About
- Author</a></li>
+  the   Author</a></li>
                                          <li> <a
 href="sourceforge_index.htm#Donations">Donations</a></li>
@ -130,8 +135,8 @@ Users</a></li>
 <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
                       <strong><br>
-                          <b>Note: </b></strong>Search is unavailable Daily 
+                                <b>Note: </b></strong>Search is unavailable 
- 0200-0330      GMT.<br>
+ Daily    0200-0330      GMT.<br>
                                <strong></strong>                       
  <p><strong>Quick Search</strong><br>
@ -145,19 +150,11 @@ Users</a></li>
 type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> </a><br>
             </p>
             <br>
            <br>
           <br>
          <br>
         <br>
        <br>
                                                                    <br>
    <br>
   <br>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -45,7 +45,8 @@
 <p>The documentation in HTML format is included   in the .rpm and in the .tgz
 packages below.</p>
-<p>  Once you've done that, download <u>     one</u> of the modules:</p>
+<p>  Once you've printed the appropriate QuickStart Guide, download <u>  
  one</u> of the modules:</p>
 <ul>
                    <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
@ -72,7 +73,14 @@ Unstable Branch</a>.</li>
 </ul>
 <p>The documentation in HTML format is included in the .tgz and .rpm files 
-       and  there is an documentation .deb that also contains the documentation.</p>
+        and  there is an documentation .deb that also contains the documentation.  The 
 .rpm will install the documentation in your default document directory which 
 can be obtained using the following command:<br>
     </p>
 <blockquote>      
  <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
  </blockquote>
 <p>Please verify the version that you have        downloaded -- during the 
        release of a new version of Shorewall, the links        below may 
@ -80,8 +88,8 @@ point      to a newer or an older version than is shown below.</p>
 <ul>
                    <li>RPM - "rpm -qip LATEST.rpm"</li>
-                  <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name
+                    <li>TARBALL - "tar -ztf LATEST.tgz" (the directory  
-  will   contain    the version)</li>
+ name   will   contain    the version)</li>
                    <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar 
   -zxf   &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" 
   </li>
@ -136,7 +144,12 @@ State site.</b></p>
      .lrp</a><br>
                        <a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">     
-        Download.md5sums</a></td>
+        Download.md5sums<br>
        </a><a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
        .samples</a><a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
        </a></td>
                        <td>       <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download 
        .rpm</a>  <br>
@ -145,10 +158,15 @@ State site.</b></p>
                 .tgz</a> <br>
                          <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
-                .rpm</a><br>
+                 .lrp</a><br>
                        <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">   
-          Download.md5sums</a></td>
+          Download.md5sums<br>
        </a><a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
                 .samples</a><a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
        </a></td>
                      </tr>
                      <tr>
                        <td>Texas, USA</td>
@ -164,7 +182,12 @@ State site.</b></p>
                 .lrp</a><br>
                        <a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">   
-          Download.md5sums</a></td>
+          Download.md5sums<br>
        </a><a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
                 .samples</a><a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
        </a></td>
                        <td>       <a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
                          <a target="_blank"
@ -175,7 +198,12 @@ State site.</b></p>
        .lrp</a><br>
                        <a
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">          
-   Download.md5sums</a></td>
+   Download.md5sums<br>
        </a><a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples">       Download 
        .samples</a><a
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
        </a></td>
                      </tr>
                      <tr>
                        <td>Hamburg, Germany</td>
@ -191,7 +219,12 @@ State site.</b></p>
      .lrp</a><br>
                        <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">      
-       Download.md5sums</a></td>
+       Download.md5sums<br>
        </a><a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
        .samples</a><a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
        </a></td>
                        <td>       <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">       Download 
        .rpm</a>  <br>
@ -203,15 +236,20 @@ State site.</b></p>
    .lrp</a><br>
                        <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
-            .md5sums</a></td>
+             .md5sums<br>
        </a><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
        .samples</a><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
        </a></td>
                      </tr>
                      <tr>
                        <td>Martinez (Zona Norte - GBA), Argentina</td>
                        <td>Correofuego.com.ar</td>
-                      <td>       <a target="_blank"
+                        <td>       <a
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download 
        .rpm</a>  <br>
-                        <a target="_blank"
+                          <a
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
                 .tgz</a> <br>
                          <a target="_blank"
@ -219,7 +257,12 @@ State site.</b></p>
               Download .lrp</a><br>
                        <a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
-    .md5sums</a></td>
+     .md5sums<br>
        </a><a
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
               Download .samples</a><a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
        </a></td>
                        <td>       <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download 
        .rpm</a>  <br>
@ -231,7 +274,12 @@ State site.</b></p>
               Download .lrp</a><br>
                        <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
-    .md5sums</a></td>
+     .md5sums<br>
        </a><a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
               Download .samples</a><a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
        </a></td>
                      </tr>
                      <tr>
                        <td>Paris, France</td>
@ -244,7 +292,11 @@ State site.</b></p>
 href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
                        <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
-  .md5sums</a></td>
+  .md5sums<br>
        </a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
             .samples</a><a
 href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
        </a></td>
                        <td>       <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download 
        .rpm</a>  <br>
@ -256,7 +308,12 @@ State site.</b></p>
        .lrp</a><br>
                        <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download 
-       .md5sums</a></td>
+        .md5sums<br>
        </a><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download 
        .samples</a><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
        </a></td>
                      </tr>
                  <tr>
                    <td valign="middle">Washington State, USA<br>
@ -273,7 +330,10 @@ State site.</b></p>
     .lrp</a><br>
                    <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download  
-         .md5sums</a><br>
+         .md5sums<br>
        </a><a
 href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download  
         .samples</a><br>
                   </td>
                    <td valign="top"><a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> 
@ -286,7 +346,10 @@ State site.</b></p>
             .lrp</a><br>
                    <a target="_blank"
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download   
-     .md5sums</a><br>
+     .md5sums<br>
        </a><a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
 target="_blank">Download              .samples</a><br>
                   </td>
                  </tr>
@ -379,7 +442,7 @@ will work at    all.<br>
            </p>
          </blockquote>
-<p align="left"><font size="2">Last Updated 2/7/2003 - <a
+<p align="left"><font size="2">Last Updated 3/6/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -388,5 +451,7 @@ will work at    all.<br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -27,8 +27,8 @@
 border="0">
                           <tbody>
                            <tr>
-                           <td width="33%" valign="middle" align="left">
+                             <td width="33%" valign="middle"
-                                                                        
+ align="left">                                                          
      <h1 align="center"><a
@ -51,9 +51,9 @@
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
                </td>
                <td valign="middle" width="33%">                     <a
- href="http://www.postfix.org/">       <img
+ href="http://www.postfix.org/">       <img alt="(Postfix Logo)"
- src="images/small-picture.gif" align="right" border="0" width="115"
+ height="66" width="124" border="0" align="right"
- height="45" alt="(Postfix Logo)">
+ src="images/postfix-white.gif">
                              </a><br>
      <div align="left"><a href="http://www.spamassassin.org"><img
@ -62,9 +62,10 @@
             </a> </div>
             <br>
      <div align="right"><br>
                <b><font color="#ffffff"><br>
-     Powered by Postfix    </font></b><br>
+           </font></b><br>
                </div>
                </td>
                           </tr>
@ -78,6 +79,7 @@
 read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
 Guide</a>.<br>
  </h1>
 <p align="left">If you experience problems with any of these lists, please 
            let <a href="mailto:teastep@shorewall.net">me</a> know</p>
@ -100,8 +102,8 @@ Guide</a>.<br>
      (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
              </li>
                      <li>to ensure that the sender address is fully qualified.</li>
-                    <li>to verify that the sender's domain has an A or MX 
+                      <li>to verify that the sender's domain has an A or
-record    in  DNS.</li>
+MX  record    in  DNS.</li>
                      <li>to ensure that the host name in the HELO/EHLO command 
   is  a  valid    fully-qualified  DNS name that resolves.</li>
@ -130,8 +132,8 @@ will be bounced by  the list server.<br>
            If you find that you are missing an occasional list post, your
 e-mail    admin  may be blocking mail whose <i>Received:</i> headers contain
 the names   of certain ISPs. Again, I believe that such policies hurt more
-than they  help but I'm not prepared to go so far as to start stripping <i>Received:</i>
+ than they  help but I'm not prepared to go so far as to start stripping
-    headers to circumvent those policies.<br>
+<i>Received:</i>      headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -164,8 +166,8 @@ than they  help but I'm not prepared to go so far as to start stripping <i>Recei
 value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-                      Search: <input type="text" size="30" name="words"
+                        Search: <input type="text" size="30"
- value="">    <input type="submit" value="Search"> </p>
+ name="words" value="">    <input type="submit" value="Search"> </p>
                        </form>
@ -272,11 +274,13 @@ to   make  this less confusing. To unsubscribe:</p>
 <ul>
                           <li>                                         
    <p align="left">Follow the same link above that you used to subscribe
            to the  list.</p>
                           </li>
                           <li>                                         
    <p align="left">Down at the bottom of that page is the following text:
            " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
 password      reminder,         or change your subscription options enter
@ -285,6 +289,7 @@ your subscription              email address:". Enter your email  address
                           </li>
                           <li>                                         
    <p align="left">There will now be a box where you can enter your password
            and  click on "Unsubscribe"; if you have forgotten your password,
    there      is  another  button that will cause your password to be emailed
@ -304,8 +309,5 @@ your subscription              email address:". Enter your email  address
 <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ports.htm
+++ b/STABLE/documentation/ports.htm
@ -52,8 +52,8 @@ firewall to accommodate.</p>
 <p>DNS</p>
 <blockquote>               
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-to   open TCP Port 53 as well.<br>
+want to   open TCP Port 53 as well.<br>
       If you are configuring a server, only open TCP Port 53 if you will 
 return  long   replies to queries or if you need to enable ZONE transfers. In 
 the  latter   case, be sure that your server is properly configured.</p>
@ -144,8 +144,8 @@ the  latter   case, be sure that your server is properly configured.</p>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
 have problems accessing regular FTP servers.</p>
-  <p>If there is a possibility that these modules might be loaded before Shorewall
+  <p>If there is a possibility that these modules might be loaded before
-starts, then you should include the port list in /etc/modules.conf:<br>
+Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
      </p>
  <blockquote>                    
@ -174,31 +174,39 @@ starts, then you should include the port list in /etc/modules.conf:<br>
 <p>NFS<br>
 </p>
 <blockquote>   
  <p>I personally use the following rules for opening access from zone z1 
 to a server with IP address a.b.c.d in zone z2:<br>
   </p>
-  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
+   
  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	tcp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
 </blockquote>
 <blockquote>               
-  <p>Note that my rules only cover NFS using UDP (the normal case). There
+  <p>Note that my rules only cover NFS using UDP (the normal case) and your
-is lots of additional information at    <a
+milage may vary depending on the software you are using (I'm using RH8.0
 on both ends). In particular, the local port range in my server starts at
 32768 (It's 32768 - 61000; I could probably get away with just opening those
 ports).<br>
  <br>
 There is lots of additional information at    <a
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
     </blockquote>
-<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
+<p>Didn't find what you are looking for -- have you looked in your own  
-file? </p>
+/etc/services file? </p>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 2/7/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
     <a href="copyright.htm"><font size="2">Copyright</font>   © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -15,7 +15,8 @@
-                                     <base target="_self">
+                                                     <base
 target="_self">
 </head>
  <body>
@ -46,9 +47,10 @@
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                                  </a></i></font><font color="#ffffff">Shorewall
+                                      </a></i></font><font
-         1.3     -               <font size="4">"<i>iptables            
+ color="#ffffff">Shorewall           1.3     -               <font
-      made  easy"</i></font></font></h1>
+ size="4">"<i>iptables                   made  easy"</i></font></font></h1>
@ -135,27 +137,27 @@
      <p>This program is free software; you can redistribute it and/or modify 
-                                               it        under the terms of
+                                                 it        under the terms 
-        <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
+ of         <a href="http://www.gnu.org/licenses/gpl.html">Version       
- the GNU General Public License</a> as published by the Free Software   
+2 of  the GNU General Public License</a> as published by the Free Software 
       Foundation.<br>
                                          <br>
                                     This   program     is  distributed 
     in   the     hope     that     it   will     be  useful,    but    
-WITHOUT    ANY      WARRANTY;      without      even the   implied    warranty
+    WITHOUT    ANY      WARRANTY;      without      even the   implied  
-     of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR
+ warranty       of MERCHANTABILITY                or  FITNESS    FOR   A
-     PURPOSE.        See the    GNU General     Public  License         
+PARTICULAR       PURPOSE.        See the    GNU General     Public  License
          for   more details.<br>
                                          <br>
-                                 You   should    have   received     a  copy
+                                     You   should    have   received    
-    of   the     GNU     General         Public      License            
+a   copy     of   the     GNU     General         Public      License   
-along     with    this   program;       if  not,    write  to  the    Free
+         along     with    this   program;       if  not,    write  to  the
-Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge, 
+   Free Software           Foundation,              Inc.,  675     Mass 
- MA    02139,       USA</p>
+Ave,  Cambridge,   MA    02139,       USA</p>
@ -184,9 +186,9 @@ Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                  </a>Jacques              Nilo   and   Eric
+                                      </a>Jacques              Nilo   and 
-    Wolzak       have     a   LEAF  (router/firewall/gateway         on 
+  Eric     Wolzak       have     a   LEAF  (router/firewall/gateway      
-a  floppy,    CD    or compact     flash)  distribution        called   
+  on  a  floppy,    CD    or compact     flash)  distribution        called 
              <i>Bering</i>          that          features      Shorewall-1.3.14
    and    Kernel-2.4.20.          You    can  find    their    work at:
               <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
@ -196,6 +198,7 @@ a  floppy,    CD    or compact     flash)  distribution        called
      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
 1.1!!! </b><br>
                                                </p>
@ -204,6 +207,7 @@ a  floppy,    CD    or compact     flash)  distribution        called
      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -232,6 +236,7 @@ a  floppy,    CD    or compact     flash)  distribution        called
      <h2></h2>
@ -241,26 +246,27 @@ a  floppy,    CD    or compact     flash)  distribution        called
-      <p><b>2/21/2003 - Shorewall 1.4.0 Beta 1 </b><b>       </b><b><img
+                               
      <p><b>3/7/2003 - Shorewall 1.4.0 RC2 </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
      </b><b>                  </b></p>
-                                               Shorewall 1.4 represents the
+                                                   Shorewall 1.4 represents 
- next  step in the evolution of Shorewall. The main thrust of the initial
+ the  next  step in the evolution of Shorewall. The main thrust of the initial
  release  is simply to remove the cruft that has accumulated in Shorewall
 over time.       <br>
       <br>
-   <b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package
+       <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
  ('ip' utility).</b><br>
       <br>
           Function from 1.3 that has been omitted from this version include:<br>
      <ol>
-         <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
+                      <li>The MERGE_HOSTS variable in shorewall.conf is no
-  Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+ longer supported.    Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
              <br>
            </li>
-         <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in 
+             <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
-/etc/shorewall/interfaces   now generate an error.<br>
+ in  /etc/shorewall/interfaces   now generate an error.<br>
              <br>
            </li>
             <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
@ -268,17 +274,17 @@ over time.       <br>
     of the 'noping' or 'filterping' interface options.<br>
              <br>
            </li>
-         <li>The 'routestopped' option in the /etc/shorewall/interfaces and 
+             <li>The 'routestopped' option in the /etc/shorewall/interfaces 
-/etc/shorewall/hosts   files is no longer supported and will generate an error
+ and  /etc/shorewall/hosts   files is no longer supported and will generate 
-at startup if specified.<br>
+ an error at startup if specified.<br>
              <br>
            </li>
-         <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
+             <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
-  accepted.<br>
+no  longer   accepted.<br>
              <br>
            </li>
-         <li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
+             <li>The ALLOWRELATED variable in shorewall.conf is no longer 
-   Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+supported.     Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
            <br>
          </li>
             <li>The icmp.def file has been removed.<br>
@ -288,44 +294,74 @@ at startup if specified.<br>
           Changes for 1.4 include:<br>
      <ol>
-         <li>The /etc/shorewall/shorewall.conf file has been completely reorganized 
+             <li>The /etc/shorewall/shorewall.conf file has been completely 
-  into logical sections.<br>
+ reorganized    into logical sections.<br>
              <br>
            </li>
             <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
              <br>
            </li>
-         <li>The firewall script and version file are now installed in /usr/share/shorewall.<br>
+             <li>The firewall script, common functions file and version file 
 are now installed in /usr/share/shorewall.<br>
              <br>
            </li>
-         <li>Late arriving DNS replies are now silently dropped in the common 
+             <li>Late arriving DNS replies are now silently dropped in the
- chain  by default.<br>
+ common   chain  by default.<br>
              <br>
            </li>
             <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
-1.4  no  longer unconditionally accepts outbound ICMP packets. So if you want
+  1.4  no  longer unconditionally accepts outbound ICMP packets. So if you 
-to 'ping'  from the firewall, you will need the appropriate rule or policy.
+ want to 'ping'  from the firewall, you will need the appropriate rule or 
 policy.<br>
             <br>
           </li>
           <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
             <br>
           </li>
          <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> 
  now support the 'maclist' option.<br>
             <br>
           </li>
          <li value="8">Explicit Congestion Notification (ECN - RFC 3168) 
 may  now be turned off on a host or network basis using the new /etc/shorewall/ecn
  file. To use this facility:<br>
        <br>
       a) You must be running kernel 2.4.20<br>
       b) You must have applied the patch in<br>
       http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
       c) You must have iptables 1.2.7a installed.<br>
        <br>
      </li>
          <li>The /etc/shorewall/params file is now processed first so that 
 variables may be used in the /etc/shorewall/shorewall.conf file.</li>
      </ol>
   You may download the release candidate from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
           <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
         </blockquote>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                   </b></p>
      <p>New features include</p>
      <ol>
                   <li>An OLD_PING_HANDLING option has been added to shorewall.conf. 
     When   set to Yes, Shorewall ping handling is as it has always been (see
    http://www.shorewall.net/ping.html).<br>
                    <br>
-            When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
+                When OLD_PING_HANDLING=No, icmp echo (ping) is handled via
-  and   policies   just like any other connection request. The FORWARDPING=Yes
+ rules    and   policies   just like any other connection request. The FORWARDPING=Yes
    option   in shorewall.conf   and the 'noping' and 'filterping' options
 in   /etc/shorewall/interfaces   will   all generate an error.<br>
                    <br>
                  </li>
-               <li>It is now possible to direct Shorewall to create a "label" 
+                   <li>It is now possible to direct Shorewall to create a 
-  such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes 
+"label"     such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes 
    and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead 
   of just  the interface name:<br>
                 <br>
@ -352,81 +388,96 @@ of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded traffic
    from  only the first subnet   defined on that interface. It did not masquerade 
    traffic from:<br>
                 <br>
-               a) The subnets associated with other addresses on the interface.<br>
+                   a) The subnets associated with other addresses on the
 interface.<br>
                   b) Subnets accessed through local routers.<br>
                 <br>
-            Beginning with Shorewall 1.3.14, if you enter an interface name 
+                Beginning with Shorewall 1.3.14, if you enter an interface
- in  the   SUBNET  column, shorewall will use the firewall's routing table 
+ name   in  the   SUBNET  column, shorewall will use the firewall's routing
- to construct   the masquerading/SNAT rules.<br>
+ table   to construct   the masquerading/SNAT rules.<br>
                 <br>
                Example 1 -- This is how it works in 1.3.14.<br>
                   <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                 <br>
-            When upgrading to Shorewall 1.3.14, if you have multiple local
+                When upgrading to Shorewall 1.3.14, if you have multiple
- subnets     connected  to an interface that is specified in the SUBNET column
+local    subnets     connected  to an interface that is specified in the
- of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq file will
+SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq
-need  changing.   In most cases, you  will simply be able to remove redundant
+file will need  changing.   In most cases, you  will simply be able to remove
-entries.  In some  cases though, you  might want to change from using the
+redundant entries.  In some  cases though, you  might want to change from
-interface  name to listing specific subnetworks  if the change described
+using the interface  name to listing specific subnetworks  if the change
-above will cause masquerading  to occur on subnetworks  that you don't wish
+described above will cause masquerading  to occur on subnetworks  that you
-to masquerade.<br>
+don't wish to masquerade.<br>
                 <br>
                Example 2 -- Suppose that your current config is as follows:<br>
                   <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                 <br>
-               In this case, the second entry in /etc/shorewall/masq is no
+                   In this case, the second entry in /etc/shorewall/masq
- longer    required.<br>
+is  no  longer    required.<br>
                 <br>
                Example 3 -- What if your current configuration is like this?<br>
                 <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                 <br>
                   In this case, you would want to change the entry in  /etc/shorewall/masq
        to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                   </li>
      </ol>
            <br>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
                     </b></p>
-          Webmin version 1.060 now has Shorewall support included as standard.
+              Webmin version 1.060 now has Shorewall support included as
-   See        <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
+standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
      </b>                                                              
      <p><b></b></p>
      <p><b></b></p>
      <ul>
      </ul>
@ -532,7 +583,7 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 2/21/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a></font>
                                           <br>
   </p>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -47,8 +47,8 @@
                 <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
                 <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> 
-       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
+       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
-  present</li>
+ present</li>
                 <li>Married 1969 - no children.</li>
 </ul>
@ -58,33 +58,35 @@
 <p>I became interested in Internet Security when I established a home office
      in 1999 and had DSL service installed in our       home. I investigated
-   ipchains  and developed the scripts which are now collectively known as 
+    ipchains  and developed the scripts which are now collectively known
- <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
+as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>.
-     on what I learned from Seattle Firewall, I then       designed and wrote 
+Expanding       on what I learned from Seattle Firewall, I then       designed
-    Shorewall. </p>
+and wrote      Shorewall. </p>
-<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, 
+<p>I telework from our <a
-      Washington</a>  where I live with my wife Tarry. </p>
+ href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
 href="http://www.cityofshoreline.com">Shoreline,        Washington</a> 
 where I live with my wife Tarry.  </p>
 <p>Our current home network consists of: </p>
 <ul>
-                <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB 
+                 <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
- IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Serves
+20GB   IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system.
-as a PPTP server for Road Warrior access. Dual boots <a
+Serves as a PPTP server for Road Warrior access. Dual boots <a
 href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                 <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
-  NIC   -  My      personal Linux System which runs Samba configured as a 
+   NIC   -  My      personal Linux System which runs Samba configured as
-WINS  server.    This      system also has <a
+a  WINS  server.    This      system also has <a
- href="http://www.vmware.com/">VMware</a>  installed    and      can run both
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run
-    <a href="http://www.debian.org">Debian  Woody</a> and         <a
+both     <a href="http://www.debian.org">Debian  Woody</a> and         <a
 href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
                 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
 - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
 DNS  server        (Bind 9).</li>
-                <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
+                 <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3     
-    (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.14  and a DHCP
+LNE100TX      (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.14 
-       server.</li>
+and a DHCP        server.</li>
                 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - 
 My  wife's        personal system.</li>
                 <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard 
@ -116,11 +118,12 @@ My  wife's        personal system.</li>
 width="125" height="40" hspace="4">
              </font></p>
-<p><font size="2">Last updated 1/24/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 3/7/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
               <font face="Trebuchet MS"><a href="copyright.htm"><font
 size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas
 M. Eastep.</font></a></font><br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_mirrors.htm
+++ b/STABLE/documentation/shorewall_mirrors.htm
@ -28,7 +28,9 @@
 </table>
 <p align="left"><b>Remember that updates to the mirrors are often delayed 
- for  6-12 hours after an update to the primary site.</b></p>
+ for  6-12 hours after an update to the primary rsync site. For HTML content,
 the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
 is updated at the same time as the rsync site.</b></p>
 <p align="left">The main Shorewall Web Site is <a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
@ -51,9 +53,7 @@ and is located in California, USA. It is mirrored at:</p>
 </ul>
-<p align="left">The main Shorewall FTP Site is <a
+<p align="left">The rsync site is mirrored via FTP at:</p>
 href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a> 
 and is located in Washington State, USA.  It is mirrored at:</p>
 <ul>
      <li><a target="_blank"
@ -75,11 +75,12 @@ and is located in California, USA. It is mirrored at:</p>
 Search results and the mailing list archives are always fetched from the 
 site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 11/09/2002 - <a
+<p align="left"><font size="2">Last Updated 3/7/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
     <br>
   <br>
  <br>
 <br>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -34,8 +34,8 @@
  </tbody>                  
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.<br>
+we must  all first walk before we can run.<br>
  The French Translations are courtesy of Patrice Vetsel<br>
  </p>
@ -63,12 +63,12 @@ and  a  DMZ. (<a href="three-interface_fr.html">Version Fran
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
          the steps necessary to set up a firewall where <b>there are multiple
-    public    IP  addresses involved or if you want to learn more about Shorewall 
+     public    IP  addresses involved or if you want to learn more about
-    than   is  explained in the single-address guides above.</b></p>
+Shorewall      than   is  explained in the single-address guides above.</b></p>
 <ul>
-                    <li><a href="shorewall_setup_guide.htm#Introduction">1.0
+                     <li><a
-  Introduction</a></li>
+ href="shorewall_setup_guide.htm#Introduction">1.0   Introduction</a></li>
                     <li><a href="shorewall_setup_guide.htm#Concepts">2.0 
 Shorewall      Concepts</a></li>
                     <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 
@ -97,8 +97,8 @@ RFC   1918</a></li>
    </ul>
                     </li>
-                    <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting 
+                     <li><a href="shorewall_setup_guide.htm#Options">5.0
-   up  your   Network</a>                                                
+Setting     up  your   Network</a>                                      
    <ul>
                       <li><a href="shorewall_setup_guide.htm#Routed">5.1 
@ -118,8 +118,8 @@ Routed</a></li>
 SNAT</a></li>
                         <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 
 DNAT</a></li>
-                        <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
+                         <li><a
-   Proxy    ARP</a></li>
+ href="shorewall_setup_guide.htm#ProxyARP">5.2.3    Proxy    ARP</a></li>
                         <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
 Static    NAT</a></li>
@ -127,7 +127,8 @@ Static    NAT</a></li>
        </ul>
                       </li>
-                      <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
+                       <li><a href="shorewall_setup_guide.htm#Rules">5.3
 Rules</a></li>
                       <li><a
 href="shorewall_setup_guide.htm#OddsAndEnds">5.4   Odds   and   Ends</a></li>
@ -149,6 +150,9 @@ Static    NAT</a></li>
   to use this    documentation directly.</p>
 <ul>
                     <li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased
 (virtual) Interfaces (e.g., eth0:0)</a><br>
  </li>
  <li><a href="blacklisting_support.htm">Blacklisting</a>               
@ -170,8 +174,8 @@ files</a></li>
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
                       <li><a href="configuration_file_basics.htm#Ports">Port 
  Numbers/Service Names</a></li>
-                      <li><a href="configuration_file_basics.htm#Ranges">Port
+                       <li><a
-  Ranges</a></li>
+ href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
                       <li><a
 href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
                       <li><a
@ -181,8 +185,8 @@ files</a></li>
 href="configuration_file_basics.htm#Compliment">Complementing an IP address
  or Subnet</a></li>
                       <li><a
- href="configuration_file_basics.htm#Configs">Shorewall   Configurations
+ href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
-(making a test configuration)</a></li>
+a test configuration)</a></li>
                       <li><a href="configuration_file_basics.htm#MAC">Using
  MAC Addresses in Shorewall</a></li>
@ -227,8 +231,8 @@ files</a></li>
                     </li>
                     <li><a href="dhcp.htm">DHCP</a></li>
                     <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-(How to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code)</li>
                     <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                     <li><a href="shorewall_firewall_structure.htm">Firewall
  Structure</a></li>
@ -289,7 +293,7 @@ List   Creation</a></li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 2/4/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M. 
 Eastep</font></a><br>
@ -298,5 +302,6 @@ List   Creation</a></li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@ -7,6 +7,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -15,8 +16,8 @@
-                                                             <base
+                                                                        
- target="_self">
+      <base target="_self">
 </head>
  <body>
@ -42,6 +43,7 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
@ -114,6 +116,7 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is 
         a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) 
   based      firewall        that can be used on a dedicated firewall system, 
@ -131,6 +134,7 @@
      <p>This program is free software; you can redistribute it and/or modify 
                                                    it        under the terms 
    of         <a href="http://www.gnu.org/licenses/gpl.html">Version    
@ -151,8 +155,9 @@
                                           You   should    have   received
     a   copy     of   the     GNU     General         Public      License 
             along     with    this   program;       if  not,    write  to
- the    Free Software           Foundation,              Inc.,  675     Mass 
+   the    Free Software           Foundation,              Inc.,  675   
- Ave,  Cambridge,   MA    02139,       USA</p>
+ Mass   Ave,  Cambridge,   MA    02139,       USA</p>
@ -178,22 +183,26 @@
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                        </a>Jacques              Nilo   and 
+                                            </a>Jacques              Nilo 
-   Eric     Wolzak       have     a   LEAF  (router/firewall/gateway     
+  and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway 
-   on  a  floppy,    CD    or compact     flash)  distribution        called 
+         on  a  floppy,    CD    or compact     flash)  distribution     
-               <i>Bering</i>          that          features      Shorewall-1.3.14
+  called                 <i>Bering</i>          that          features  
-     and    Kernel-2.4.20.          You    can  find    their    work at:
+   Shorewall-1.3.14      and    Kernel-2.4.20.          You    can  find 
-               <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+  their    work at:                <a
-                                                <b>Congratulations to Jacques 
+ href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-  and   Eric   on  the   recent    release     of  Bering  1.1!!! <br>
+                                                    <b>Congratulations to 
 Jacques     and   Eric   on  the   recent    release     of  Bering  1.1!!! 
      <br>
                                                    </b>                
      <h2>News</h2>
@ -209,7 +218,8 @@
-      <p><b>2/21/2003 - Shorewall 1.4.0 Beta 1 </b><b>       </b><b><img
+                         
      <p><b>3/7/2003 - Shorewall 1.4.0 RC2  </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
      </b><b>                  </b></p>
                                                    Shorewall 1.4 represents
@ -217,18 +227,18 @@ the  next  step in the evolution of Shorewall. The main thrust of the initial
  release  is simply to remove the cruft that has accumulated in Shorewall
 over time.       <br>
        <br>
-    <b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package
+        <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
  ('ip' utility).</b><br>
        <br>
            Function from 1.3 that has been omitted from this version include:<br>
      <ol>
-         <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
+                      <li>The MERGE_HOSTS variable in shorewall.conf is no
-  Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+ longer supported.    Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
              <br>
            </li>
-         <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in 
+             <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
-/etc/shorewall/interfaces   now generate an error.<br>
+ in  /etc/shorewall/interfaces   now generate an error.<br>
              <br>
            </li>
             <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
@ -236,17 +246,17 @@ over time.       <br>
     of the 'noping' or 'filterping' interface options.<br>
              <br>
            </li>
-         <li>The 'routestopped' option in the /etc/shorewall/interfaces and 
+             <li>The 'routestopped' option in the /etc/shorewall/interfaces 
-/etc/shorewall/hosts   files is no longer supported and will generate an error
+ and  /etc/shorewall/hosts   files is no longer supported and will generate 
-at startup if specified.<br>
+ an error at startup if specified.<br>
              <br>
            </li>
-         <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
+             <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
-  accepted.<br>
+no  longer   accepted.<br>
              <br>
            </li>
-         <li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
+             <li>The ALLOWRELATED variable in shorewall.conf is no longer 
-   Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+supported.     Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
            <br>
          </li>
             <li>The icmp.def file has been removed.<br>
@ -256,44 +266,73 @@ at startup if specified.<br>
            Changes for 1.4 include:<br>
      <ol>
-         <li>The /etc/shorewall/shorewall.conf file has been completely reorganized 
+             <li>The /etc/shorewall/shorewall.conf file has been completely 
-  into logical sections.<br>
+ reorganized    into logical sections.<br>
              <br>
            </li>
             <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
              <br>
            </li>
-         <li>The firewall script and version file are now installed in /usr/share/shorewall.<br>
+             <li>The firewall script, common functions file and version file 
 are now installed in /usr/share/shorewall.<br>
              <br>
            </li>
-         <li>Late arriving DNS replies are now silently dropped in the common 
+             <li>Late arriving DNS replies are now silently dropped in the
- chain  by default.<br>
+ common   chain  by default.<br>
              <br>
            </li>
             <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
-1.4  no  longer unconditionally accepts outbound ICMP packets. So if you want
+  1.4  no  longer unconditionally accepts outbound ICMP packets. So if you 
-to 'ping'  from the firewall, you will need the appropriate rule or policy.
+ want to 'ping'  from the firewall, you will need the appropriate rule or 
 policy.<br>
             <br>
           </li>
           <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
             <br>
           </li>
          <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> 
  now support the 'maclist' option.<br>
             <br>
           </li>
          <li value="8">Explicit Congestion Notification (ECN - RFC 3168) 
 may  now be turned off on a host or network basis using the new /etc/shorewall/ecn
  file. To use this facility:<br>
        <br>
       a) You must be running kernel 2.4.20<br>
       b) You must have applied the patch in<br>
       http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
       c) You must have iptables 1.2.7a installed.<br>
        <br>
      </li>
          <li>The /etc/shorewall/params file is now processed first so that 
 variables may be used in the /etc/shorewall/shorewall.conf file.</li>
      </ol>
   You may download the Release Candidate from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
      <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
    </blockquote>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                  </b></p>
      <p>New features include</p>
      <ol>
                  <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-   When   set to Yes, Shorewall ping handling is as it has always been (see
+     When   set to Yes, Shorewall ping handling is as it has always been
-  http://www.shorewall.net/ping.html).<br>
+(see     http://www.shorewall.net/ping.html).<br>
                   <br>
-           When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules 
+               When OLD_PING_HANDLING=No, icmp echo (ping) is handled via 
- and   policies   just like any other connection request. The FORWARDPING=Yes 
+rules    and   policies   just like any other connection request. The FORWARDPING=Yes 
- option   in shorewall.conf   and the 'noping' and 'filterping' options in 
+   option   in shorewall.conf   and the 'noping' and 'filterping' options 
- /etc/shorewall/interfaces   will   all generate an error.<br>
+in   /etc/shorewall/interfaces   will   all generate an error.<br>
                   <br>
                 </li>
-              <li>It is now possible to direct Shorewall to create a "label"
+                  <li>It is now possible to direct Shorewall to create a
-  such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+"label"     such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
    and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
   of just  the interface name:<br>
                <br>
@ -323,65 +362,77 @@ of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded traffic
                  a) The subnets associated with other addresses on the interface.<br>
                  b) Subnets accessed through local routers.<br>
                <br>
-           Beginning with Shorewall 1.3.14, if you enter an interface name
+               Beginning with Shorewall 1.3.14, if you enter an interface 
- in  the   SUBNET  column, shorewall will use the firewall's routing table
+name   in  the   SUBNET  column, shorewall will use the firewall's routing 
- to construct   the masquerading/SNAT rules.<br>
+table   to construct   the masquerading/SNAT rules.<br>
                <br>
               Example 1 -- This is how it works in 1.3.14.<br>
                  <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                <br>
               When upgrading to Shorewall 1.3.14, if you have multiple local 
  subnets     connected  to an interface that is specified in the SUBNET column
-of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq file will need 
+  of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq file will
-changing.   In most cases, you  will simply be able to remove redundant entries. 
+need  changing.   In most cases, you  will simply be able to remove redundant
-In some  cases though, you  might want to change from using the interface 
+entries.  In some  cases though, you  might want to change from using the
-name to listing specific subnetworks  if the change described above will cause
+interface  name to listing specific subnetworks  if the change described
-masquerading  to occur on subnetworks  that you don't wish to masquerade.<br>
+above will cause masquerading  to occur on subnetworks  that you don't wish
 to masquerade.<br>
                <br>
               Example 2 -- Suppose that your current config is as follows:<br>
                  <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                <br>
-              In this case, the second entry in /etc/shorewall/masq is no 
+                  In this case, the second entry in /etc/shorewall/masq is
-longer    required.<br>
+ no  longer    required.<br>
                <br>
               Example 3 -- What if your current configuration is like this?<br>
                <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                <br>
                  In this case, you would want to change the entry in  /etc/shorewall/masq 
       to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                  </li>
      </ol>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
                    </b></p>
-          Webmin version 1.060 now has Shorewall support included as standard.
+              Webmin version 1.060 now has Shorewall support included as
-   See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b> 
+standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>
-    </b>                                                        
+      <b>      </b>                                                     
      <p><b></b></p>
@ -423,6 +474,7 @@ longer    required.<br>
      <h2> </h2>
@ -430,6 +482,7 @@ longer    required.<br>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -440,6 +493,7 @@ longer    required.<br>
      <h4>       </h4>
@ -455,6 +509,7 @@ longer    required.<br>
      <h2><a name="Donations"></a>Donations</h2>
@ -541,7 +596,7 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 2/19/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a></font>
                                              <br>
   </p>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -3,18 +3,22 @@
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-  <title>Support</title>
+  <title>Shorewall Support Guide</title>
@ -34,47 +38,49 @@
-      <h1 align="center"><font color="#ffffff">Shorewall Support<img
+      <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                             </font></h1>
                                            </td>
                                          </tr>
  </tbody>                                       
 </table>
 <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
    emailed directly to me, I try to spend some time each day answering questions
-  on the Shorewall Users Mailing List.</font></big><span
+    on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
 style="font-weight: 400;"></span></big></b></p>
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
 <h1>Before Reporting a Problem</h1>
-  <i>"Well at least you tried to read the documentation, which is a lot more
+     <i>"Well at least you tried to read the documentation, which is a lot
- than some people on this list appear to do.</i>"<br>
+ more  than some people on this list appear to do.</i>"<br>
     <br>
 <div align="center">- Wietse Venema - On the Postfix mailing list<br>
     </div>
     <br>
-                                          There are a number of sources for 
+                                             There are a number of sources
- problem     solution information. Please     try these before you post. 
+ for   problem     solution information. Please     try these before you
-                      
+post.                            
 <h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-                    <li>More than half of the questions posted on the support 
+                       <li>More than half of the questions posted on the
-  list   have answers directly accessible from the <a
+support     list   have answers directly accessible from the <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
                 <br>
               </li>
-            <li>                                   The <a href="FAQ.htm">FAQ</a>
+               <li>                                   The <a
-    has  solutions to  more than 20 common      problems.         </li>
+ href="FAQ.htm">FAQ</a>     has  solutions to  more than 20 common      problems.
         </li>
 </ul>
@ -99,8 +105,8 @@
 <h3>                     </h3>
 <ul>
-                    <li>                                   The Mailing List 
+                       <li>                                   The Mailing 
- Archives     search facility can locate   posts    about         similar 
+List   Archives     search facility can locate   posts    about         similar
  problems:         </li>
 </ul>
@ -121,12 +127,14 @@ problems:         </li>
  </select>
                                     Format:                            
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
                                     Sort by:                           
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -139,18 +147,19 @@ problems:         </li>
 name="config" value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-                                  Search: <input type="text" size="30"
+                                     Search: <input type="text"
- name="words" value="">    <input type="submit" value="Search"> </p>
+ size="30" name="words" value="">    <input type="submit" value="Search">
  </p>
                </form>
 <h2>Problem Reporting Guidelines </h2>
-                 <i>"Let me see if I can translate your message into a real-world 
+                    <i>"Let me see if I can translate your message into a 
-    example.      It would be like saying that you have three rooms at home, 
+real-world      example.      It would be like saying that you have three 
-   and when you   walk  into one of the rooms, you detect this strange smell. 
+rooms at home,     and when you   walk  into one of the rooms, you detect 
-    Can anyone tell  you  what that strange smell is?<br>
+this strange smell.      Can anyone tell  you  what that strange smell is?<br>
                    <br>
-                 Now, all of us could do some wonderful guessing as to the
+                    Now, all of us could do some wonderful guessing as to 
- smell    and   even   what's causing it.  You would be absolutely amazed
+the   smell    and   even   what's causing it.  You would be absolutely amazed 
 at the range   and   variety   of smells we could come up with.  Even more 
 amazing is that   all   of the explanations   for the smells would be completely 
 plausible."<br>
@ -167,24 +176,24 @@ plausible."<br>
                <li>Please remember we only know what is posted in your message.
     Do  not  leave out any information that appears to be correct,  or was
  mentioned    in  a previous post. There have been countless  posts by people
-who were   sure  that some part of their  configuration was correct when it
+  who were   sure  that some part of their  configuration was correct when
-actually   contained  a small error.  We tend to be skeptics where detail 
+ it actually   contained  a small error.  We tend to be skeptics where detail
  is lacking.<br>
                  <br>
                </li>
                <li>Please keep in mind that you're asking for <strong>free</strong>
-    technical  support. Any help we offer is an act of generosity, not an 
+      technical  support. Any help we offer is an act of generosity, not
-obligation.    Try  to make it easy for us to help you. Follow good, courteous 
+an   obligation.    Try  to make it easy for us to help you. Follow good,
-practices    in writing  and formatting your e-mail. Provide details that 
+courteous   practices    in writing  and formatting your e-mail. Provide
-we need if  you  expect good  answers. <em>Exact quoting </em> of error messages, 
+details that   we need if  you  expect good  answers. <em>Exact quoting </em>
-log  entries,  command output, and other output is better than a paraphrase 
+of error messages,  log  entries,  command output, and other output is better
-or  summary.<br>
+than a paraphrase  or  summary.<br>
                  <br>
                </li>
                <li>                                   Please don't describe
  your   environment   and then  ask  us  to  send   you             custom
-configuration   files.   We're here  to answer   your  questions     but we
+  configuration   files.   We're here  to answer   your  questions     but
-          can't   do your   job for you.<br>
+ we           can't   do your   job for you.<br>
                  <br>
                       </li>
                <li>When reporting a problem, <strong>ALWAYS</strong> include 
@ -271,8 +280,8 @@ any kind then:</b></big></i></u></font><br>
                <li>As a general matter, please <strong>do not edit the diagnostic
     information</strong>   in an attempt to conceal your IP address, netmask,
     nameserver addresses,  domain name, etc. These aren't secrets, and concealing
-   them often misleads  us (and 80% of the time, a hacker could derive them 
+     them often misleads  us (and 80% of the time, a hacker could derive
-  anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
+them     anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
 </ul>
@ -289,18 +298,19 @@ any kind then:</b></big></i></u></font><br>
 <h3>                     </h3>
 <ul>
-                    <li>                                   Do you see any 
+                       <li>                                   Do you see
-"Shorewall"      messages ("<b><font color="#009900">/sbin/shorewall show 
+any   "Shorewall"      messages ("<b><font color="#009900">/sbin/shorewall
-log</font></b>")            when   you exercise the function that is giving 
+show   log</font></b>")            when   you exercise the function that
-you problems? If   so,   include the message(s) in your post along with a 
+is giving   you problems? If   so,   include the message(s) in your post
-copy of your /etc/shorewall/interfaces      file.<br>
+along with a  copy of your /etc/shorewall/interfaces      file.<br>
                  <br>
                </li>
                <li>Please include any of the Shorewall configuration  files
-   (especially             the    /etc/shorewall/hosts file if you have modified
+     (especially             the    /etc/shorewall/hosts file if you have
-   that   file)      that  you    think are    relevant. If you include /etc/shorewall/rules, 
+modified    that   file)      that  you    think are    relevant. If you
-     please include /etc/shorewall/policy as well (rules are meaningless unless
+include /etc/shorewall/rules,       please include /etc/shorewall/policy
-     one also knows the policies).                      </li>
+as well (rules are meaningless unless      one also knows the policies).
                     </li>
 </ul>
@ -348,14 +358,16 @@ allow HTML in  list    posts!!<br>
   spam    and  that the ultimate losers here are not the spammers but the 
 list  subscribers      whose MTAs are bouncing all shorewall.net mail. As 
 one list  subscriber   wrote  to me privately "These e-mail admin's need 
-to get a <i>(expletive   deleted)</i>  life instead of trying to rid the
+to get a <i>(expletive   deleted)</i>  life instead of trying to rid the planet
-planet of HTML based e-mail".   Nevertheless,  to allow subscribers to receive
+of HTML based e-mail".   Nevertheless,  to allow subscribers to receive list
-list posts as must as possible,   I have now   configured the list server
+posts as must as possible,   I have now   configured the list server at shorewall.net
-at shorewall.net to strip all HTML   from outgoing  posts.<br>
+to strip all HTML   from outgoing  posts.<br>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
 <blockquote>                                                             
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem 
          to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users 
@ -364,22 +376,27 @@ at shorewall.net to strip all HTML   from outgoing  posts.<br>
 Firewall     (MNF)   and you have not purchased an MNF license from MandrakeSoft 
 then    you can  post non MNF-specific Shorewall questions to the </b><a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-  list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
+   list</a>         or to the <a
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-  list.</a></p>
+   list</a> or to the <a
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a>.</p>
                     </blockquote>
-<p>To Subscribe to the  mailing list go to <a
+<p>The Shorewall List Server provides additional information about <a
- href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> 
+ href="http://lists.shorewall.net/mailing_list.htm">Shorewall Mailing Lists</a>.<br>
-                      .</p>
+</p>
-<p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 3/6/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -387,10 +404,5 @@ then    you can  post non MNF-specific Shorewall questions to the </b><a
  </p>
  <br>
 <br>
       <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -3500,9 +3500,9 @@ add_common_rules() {
    logdisp() # $1 = Chain Name
    {
 	if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
-	    echo "ULOG --ulog-prefix Shorewall:${1}:DROP:"
+	    echo "ULOG $LOGPARMS --ulog-prefix Shorewall:${1}:DROP:"
 	else
-	    echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
+	    echo "LOG $LOGPARMS --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
 	fi
    }
    #