Add Corporate Network Example

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@664 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 09:47:51 +02:00 · 2003-07-16 18:59:33 +00:00 · 2003-07-16 18:59:33 +00:00 · cbc3ac56b1
commit cbc3ac56b1
parent c89d302114
68 changed files with 25528 additions and 24849 deletions
--- a/Shorewall-docs/6to4.htm
+++ b/Shorewall-docs/6to4.htm
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
      <tbody>
       <tr>
        <td width="100%">                     
@ -29,15 +29,15 @@
  </h3>
 <h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
-only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security 
+ only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
-measures.</h3>
+security  measures.</h3>
 <p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
 to another IPv6 network over an IPv4 infrastructure</p>
 <p>More information on Linux and IPv6 can be found in the  <a
- href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>. Details
+ href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
-on how to setup a 6to4 tunnels are described in the section  <a
+Details on how to setup a 6to4 tunnels are described in the section  <a
 href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
  of 6to4 tunnels</a>.</p>
@ -56,11 +56,11 @@ utility for network interface  and routing configuration.</p>
 <p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
 /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
-is no need to declare a zone to  represent the remote IPv6 network. This remote
+ is no need to declare a zone to  represent the remote IPv6 network. This
-network is not visible on IPv4 interfaces and to  iptables. All that is visible
+remote network is not visible on IPv4 interfaces and to  iptables. All that
-on the IPv4 level is an IPv4 stream which contains IPv6 traffic.  Separate
+is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
-IPv6 interfaces and ip6tables rules need to be defined to handle this traffic.
+ Separate IPv6 interfaces and ip6tables rules need to be defined to handle
-</p>
+this traffic. </p>
 <p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
@ -139,5 +139,6 @@ other using IPv6.</p>
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/CorpNetwork.htm
+++ b/Shorewall-docs/CorpNetwork.htm
@ -0,0 +1,293 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Corporate Shorewall Configuration</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
  <meta name="author" content="Graeme Boyle">
 </head>
  <body>
 <script><!--
 function PrivoxyWindowOpen(){return(null);}
 //--></script> 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
                                 <tbody>
                            <tr>
                                   <td width="100%">                    
      <h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
       Internal Servers</font></h1>
                                   </td>
                                 </tr>
  </tbody>             
 </table>
 <blockquote> </blockquote>
 <h1>Corporate Network</h1>
 <p><font size="4" color="#ff0000"><b>Notes</b></font><big><font
 color="#ff0000"><b>:</b></font></big></p>
 <blockquote>           
  <ul>
         <li><b>This configuration is used on a corporate network  that 
      has a Linux (RedHat 8.0) server with three interfaces, running  Shorewall
       1.4.5 release,</b></li>
         <li><b>Make sure you know what public IP addresses are currently 
 being        used and verify these </b><i>before</i><b> starting.</b></li>
         <li><b>Verify you DNS settings </b><i>before</i><b> starting any 
 Shorewall        configuration especially if you have split DNS.</b></li>
         <li><b>System names and Internet IP addresses have been changed
 to  protect        the innocent.</b></li>
  </ul>
  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This    configuration
 uses a combination of Static NAT and Proxy ARP. This is    generally not
  relevant      to a simple configuration with a single public  IP address.</small></b></big><big><b><small>
       If you have just a single  public IP address, most of what you see
 here     won't   apply to your setup  so beware of copying parts of this
 configuration     and  expecting them to work for you. What you copy may
 or may not work  in   your configuration.<br>
               </small></b></big><br>
                   </p>
  <p> I have a T1 with 64 static IP addresses (63.123.106.65-127/26). The
    internet is connected to eth0. The local network is connected via eth1
    (10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
 have  an    IPSec tunnel connecting our offices in Germany to our offices
 in the  US. I    host two Microsoft Exchange servers for two different companies
 behind the    firewall hence, the two Exchange servers in the diagram below.</p>
  <p> Summary:<br>
                          </p>
  <ul>
                            <li>SNAT for all systems connected to the LAN 
 - Internal  addresses     10.10.x.x to external address  63.123.106.127.</li>
                            <li>Static NAT for <i>Polaris</i> (Exchange Server
 #2). Internal    address    10.10.1.8 and external address 63.123.106.70.</li>
             <li>Static NAT for <i>Sims</i> (Inventory Management server).
 Internal            address 10.10.1.56  and external address 63.123.106.75.<br>
             </li>
                            <li>Static NAT for <i>Project</i> (Project Web
 Server).                           Internal address 10.10.1.55 and external
 address                           63.123.106.84.</li>
                            <li>Static NAT for <i>Fortress</i> (Exchange
 Server).                            Internal address 10.10.1.252 and external
 address                            63.123.106.93.</li>
                            <li>Static NAT for <i>BBSRV</i> (Blackberry Server).
                           Internal address 10.10.1.230 and external address
                           63.123.106.97.</li>
                            <li>Static NAT for <i>Intweb</i> (Intranet Web
 Server).                           Internal address 10.10.1.60 and external
 address                           63.123.106.115.</li>
  </ul>
  <p> The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
 RH8.0.</p>
  <p> The Firewall is also a proxy server running Privoxy 3.0.</p>
  <p> The single system in the DMZ (address 63.123.106.80) runs sendmail,
 imap, pop3, DNS, a Web server (Apache) and an FTP    server (vsFTPd 1.1.0).
 That server is managed through Proxy ARP.</p>
  <p> All administration and publishing is done using ssh/scp. I have X installed 
       on the firewall and the system in the DMZ.      X applications   tunnel
 through SSH to Hummingbird Exceed running on a PC located in the LAN.  
 Access to the firewall using SSH is restricted to systems in the LAN, DMZ
 or    the system Kaos which is on the Internet and managed by me.</p>
  <p align="center">                              <img border="0"
 src="images/CorpNetwork.gif" width="770" height="1000"
 alt="(Corporate Network Diagram)">
    </p>
  <p> </p>
  <p>The Ethernet 0 interface in the Server is configured         with IP
 address      63.123.106.68, netmask    255.255.255.192. The server's default
 gateway    is      63.123.106.65, the Router connected to my network and
 the ISP. This is the same           default      gateway used by the firewall
 itself. On the firewall,                                 Shorewall automatically
 adds a host route to                             63.123.106.80 through Ethernet
 2 (192.168.21.1) because     of                            the entry in
 /etc/shorewall/proxyarp  (see  below). I    modified the start, stop and
 init scripts to include the  fixes suggested when    having an IPSec tunnel.</p>
  <p><b>Some Mistakes I Made:</b></p>
  <p>Yes, believe it or not, I made some really basic mistakes when building
    this firewall. Firstly, I had the new firewall setup in parallel with
 the old    firewall so that there was no interruption of service to my users.
 During my out-bound    testing, I set up systems on the LAN to utilize the
 firewall which worked    fine. When testing my NAT connections, from the
 outside, these would fail and    I could not understand why. Eventually,
 I changed the default route on the    internal system I was trying to access,
 to point to the new firewall and    "bingo", everything worked as expected.
 This oversight delayed my deployment    by a couple of days not to mention
 level of  frustration it produced. </p>
  <p>Another problem that I encountered was in setting up the Proxyarp system
 in    the DMZ. Initially I forgot to remove the entry for the eth2 from
 the  /etc/shorewall/masq    file. Once my file settings were correct, I started
 verifying that the ARP caches on the    firewall, as well as the outside
 system "kaos", were showing the correct    Ethernet MAC address. However,
 in testing remote access, I could access the    system in the DMZ only from
 the firewall and LAN but not from the Internet.    The message I received
 was "connection denied" on all protocols. What I did    not realize was that
 a "helpful" administrator that had turned on an old    system and assigned
 the same address as the one I was using for Proxyarp    without notifying
 me. How did I work this out. I shutdown the system in the    DMZ, rebooted
 the router and flushed the ARP cache on the firewall and kaos.    Then, from
 kaos, I started pinging that IP address and checked the updated ARP    cache
 and lo-and-behold a different MAC address showed up. High levels of    frustration
 etc., etc. The administrator will <i>not</i> be doing that again!    :-)</p>
  <p><b>Lessons Learned:</b></p>
  <ul>
         <li>Read the documentation.</li>
         <li>Draw your network topology before starting.</li>
         <li>Understand what services you are going to allow in and out of
 the        firewall, whether they are TCP or UDP packets and make a note
 of these        port numbers.</li>
         <li>Try to get quiet time to build the firewall - you need to focus
 on the        job at hand.</li>
         <li>When asking for assistance, be honest and include as much detail
 as        requested. Don't try and hide IP addresses etc., you will probably
 screw        up the logs and make receiving assistance harder.</li>
         <li>Read the documentation.</li>
  </ul>
  <p><b>Futures:</b></p>
  <p>This is by no means the final configuration. In the near future, I will
 be    moving more systems from the LAN to the DMZ. I will also be watching
 the logs    for port scan programs etc. but, this should be standard security
 maintenance.</p>
  <p>Here are copies of my files. I have removed most of the internal   
 documentation for the purpose of this space however, my system still has
 the    original files with all the comments and I highly recommend you do
 the same.</p>
   </blockquote>
 <h3>Shorewall.conf</h3>
 <blockquote>                                       
  <pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
          </blockquote>
 <h3>Zones File</h3>
 <blockquote>                                       
  <pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
 face="Courier" size="2"><br></font></pre>
               </blockquote>
 <h3>Interfaces File: </h3>
 <blockquote>           
  <p>     ##############################################################################<br>
       #ZONE INTERFACE BROADCAST OPTIONS<br>
       net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
       loc eth1 detect dhcp,routefilter<br>
       dmz eth2 detect<br>
       vpn1 ipsec0<br>
       #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE  
                  </p>
     </blockquote>
 <h3>Routestopped File:</h3>
 <blockquote>                                       
  <pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
 face="Courier" size="2">	</font></pre>
               </blockquote>
 <h3>Policy File:</h3>
 <blockquote>                                       
  <pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
               </blockquote>
 <h3>Masq File: </h3>
 <blockquote>                                       
  <pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 163.123.106.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
         </blockquote>
 <h3>NAT File: </h3>
 <blockquote>                                       
  <pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>63.123.106.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>63.123.106.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>63.123.106.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>63.123.106.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>63.123.106.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>63.123.106.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
               </blockquote>
 <h3>Proxy ARP File:</h3>
 <blockquote>                                       
  <pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>63.123.106.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE     	</font></pre>
               </blockquote>
 <h3>Tunnels File:</h3>
 <blockquote>                                       
  <pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
               </blockquote>
 <h3>Rules File (The shell variables      are set in /etc/shorewall/params):</h3>
 <blockquote>                                       
  <pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:63.123.106.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
               </blockquote>
 <h3>Start File:</h3>
 <blockquote>                                       
  <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
               </blockquote>
 <h3>Stop File:</h3>
 <blockquote>                                       
  <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
               </blockquote>
 <h3>Init File:</h3>
 <blockquote>                                       
  <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
               </blockquote>
 <p><font size="2">Last updated 7/16/2003</font>  
 <script><!--
 function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
 //</script><br>
  </p>
 <p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
 Graeme Boyle</a></small><br>
  </p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/ECN.html
+++ b/Shorewall-docs/ECN.html
@ -2,14 +2,17 @@
 <html>
 <head>
  <title>Shorewall and ECN</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                                                        <tbody>
                                                         <tr>
                                                          <td
@ -22,9 +25,9 @@
 </table>
 <br>
 Explicit Congestion Notification (ECN) is described in RFC 3168 and is a 
-proposed internet standard. Unfortunately, not all sites support ECN and
+proposed internet standard. Unfortunately, not all sites support ECN and when
-when a TCP connection offering ECN is sent to sites that don't support it,
+a TCP connection offering ECN is sent to sites that don't support it, the
-the result is often that the connection request is ignored.<br>
+result is often that the connection request is ignored.<br>
 <br>
 To allow ECN to be used, Shorewall allows you to enable ECN on your Linux 
 systems then disable it in your firewall when the destination matches a list 
@ -32,12 +35,14 @@ that you create (the /etc/shorewall/ecn file).<br>
 <br>
 You enable ECN by<br>
 <br>
 <blockquote>   
  <pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
 </blockquote>
 You must arrange for that command to be executed at system boot. Most distributions 
 have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
 <br>
 <blockquote>   
  <pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
 </blockquote>
@ -55,6 +60,7 @@ tcp connections to 192.0.2.0/24:<br>
 <br>
 In /etc/shorewall/ecn:<br>
 <br>
 <blockquote>   
  <table cellpadding="2" cellspacing="0" border="1">
     <tbody>
@ -70,6 +76,7 @@ In /etc/shorewall/ecn:<br>
         <td valign="top">192.0.2.0/24<br>
         </td>
       </tr>
    </tbody>   
  </table>
   <br>
@ -79,5 +86,6 @@ In /etc/shorewall/ecn:<br>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
--- a/Shorewall-docs/Forum.html
+++ b/Shorewall-docs/Forum.html
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
@ -26,8 +26,10 @@
 </table>
 <h3><font color="#ff6633"></font></h3>
 <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please 
 read the <a href="support.htm">Shorewall Support  Guide</a>.</h1>
 <p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a><br>
 </p>
@ -38,5 +40,6 @@ Forum</a><br>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2003 Thomas M. Eastep.</font></a></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/GnuCopyright.htm
+++ b/Shorewall-docs/GnuCopyright.htm
@ -1,282 +1,341 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Copyright</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h2 align="center"><font color="#FFFFFF">GNU Free Documentation License</font></h2>
+      <h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
     </td>
   </tr>
  </tbody>
 </table>
 <p>Version 1.1, March 2000 </p>
-<pre>Copyright (C) 2000  Free Software Foundation, Inc.
+ 
-59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+<pre>Copyright (C) 2000  Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA  02111-1307  USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
-Everyone is permitted to copy and distribute verbatim copies
+ 
 of this license document, but changing it is not allowed.
 </pre>
 <p><strong>0. PREAMBLE</strong> </p>
 <p>The purpose of this License is to make a manual, textbook, or other written 
-document &quot;free&quot; in the sense of freedom: to assure everyone the effective
+document "free" in the sense of freedom: to assure everyone the effective 
 freedom to copy and redistribute it, with or without modifying it, either 
-commercially or noncommercially. Secondarily, this License preserves for the
+commercially or noncommercially. Secondarily, this License preserves for
-author and publisher a way to get credit for their work, while not being
+the author and publisher a way to get credit for their work, while not being 
 considered responsible for modifications made by others. </p>
-<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
+ 
-the document must themselves be free in the same sense. It complements the GNU
+<p>This License is a kind of "copyleft", which means that derivative works
-General Public License, which is a copyleft license designed for free software.
+of the document must themselves be free in the same sense. It complements
-</p>
+the GNU General Public License, which is a copyleft license designed for
-<p>We have designed this License in order to use it for manuals for free
+free software. </p>
-software, because free software needs free documentation: a free program should
+ 
-come with manuals providing the same freedoms that the software does. But this
+<p>We have designed this License in order to use it for manuals for free software,
-License is not limited to software manuals; it can be used for any textual work,
+because free software needs free documentation: a free program should come
-regardless of subject matter or whether it is published as a printed book. We
+with manuals providing the same freedoms that the software does. But this 
-recommend this License principally for works whose purpose is instruction or
+License is not limited to software manuals; it can be used for any textual
-reference. </p>
+work, regardless of subject matter or whether it is published as a printed
 book. We recommend this License principally for works whose purpose is instruction
 or reference. </p>
 <p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
 <p>This License applies to any manual or other work that contains a notice 
-placed by the copyright holder saying it can be distributed under the terms of
+placed by the copyright holder saying it can be distributed under the terms
-this License. The &quot;Document&quot;, below, refers to any such manual or work. Any
+of this License. The "Document", below, refers to any such manual or work.
-member of the public is a licensee, and is addressed as &quot;you&quot;. </p>
+Any member of the public is a licensee, and is addressed as "you". </p>
-<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
+ 
-or a portion of it, either copied verbatim, or with modifications and/or
+<p>A "Modified Version" of the Document means any work containing the Document 
-translated into another language. </p>
+or a portion of it, either copied verbatim, or with modifications and/or translated
-<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the
+into another language. </p>
-Document that deals exclusively with the relationship of the publishers or
+ 
-authors of the Document to the Document's overall subject (or to related
+<p>A "Secondary Section" is a named appendix or a front-matter section of
 the Document that deals exclusively with the relationship of the publishers
 or authors of the Document to the Document's overall subject (or to related 
 matters) and contains nothing that could fall directly within that overall 
-subject. (For example, if the Document is in part a textbook of mathematics, a
+subject. (For example, if the Document is in part a textbook of mathematics,
-Secondary Section may not explain any mathematics.) The relationship could be a
+a Secondary Section may not explain any mathematics.) The relationship could
-matter of historical connection with the subject or with related matters, or of
+be a matter of historical connection with the subject or with related matters,
-legal, commercial, philosophical, ethical or political position regarding them.
+or of legal, commercial, philosophical, ethical or political position regarding
-</p>
+them. </p>
-<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
+ 
-designated, as being those of Invariant Sections, in the notice that says that
+<p>The "Invariant Sections" are certain Secondary Sections whose titles are 
-the Document is released under this License. </p>
+designated, as being those of Invariant Sections, in the notice that says
-<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as
+that the Document is released under this License. </p>
-Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
+ 
-is released under this License. </p>
+<p>The "Cover Texts" are certain short passages of text that are listed,
-<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy,
+as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
-represented in a format whose specification is available to the general public,
+Document is released under this License. </p>
-whose contents can be viewed and edited directly and straightforwardly with
+ 
-generic text editors or (for images composed of pixels) generic paint programs
+<p>A "Transparent" copy of the Document means a machine-readable copy, represented
-or (for drawings) some widely available drawing editor, and that is suitable for
+in a format whose specification is available to the general public, whose
-input to text formatters or for automatic translation to a variety of formats
+contents can be viewed and edited directly and straightforwardly with generic
-suitable for input to text formatters. A copy made in an otherwise Transparent
+text editors or (for images composed of pixels) generic paint programs or
-file format whose markup has been designed to thwart or discourage subsequent
+(for drawings) some widely available drawing editor, and that is suitable
-modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is
+for input to text formatters or for automatic translation to a variety of
-called &quot;Opaque&quot;. </p>
+formats suitable for input to text formatters. A copy made in an otherwise
 Transparent file format whose markup has been designed to thwart or discourage
 subsequent modification by readers is not Transparent. A copy that is not
 "Transparent" is called "Opaque". </p>
 <p>Examples of suitable formats for Transparent copies include plain ASCII 
-without markup, Texinfo input format, LaTeX input format, SGML or XML using a
+without markup, Texinfo input format, LaTeX input format, SGML or XML using
-publicly available DTD, and standard-conforming simple HTML designed for human
+a publicly available DTD, and standard-conforming simple HTML designed for
-modification. Opaque formats include PostScript, PDF, proprietary formats that
+human modification. Opaque formats include PostScript, PDF, proprietary formats
-can be read and edited only by proprietary word processors, SGML or XML for
+that can be read and edited only by proprietary word processors, SGML or
-which the DTD and/or processing tools are not generally available, and the
+XML for which the DTD and/or processing tools are not generally available,
-machine-generated HTML produced by some word processors for output purposes
+and the machine-generated HTML produced by some word processors for output
-only. </p>
+purposes only. </p>
-<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
+ 
-following pages as are needed to hold, legibly, the material this License
+<p>The "Title Page" means, for a printed book, the title page itself, plus
-requires to appear in the title page. For works in formats which do not have any
+such following pages as are needed to hold, legibly, the material this License 
-title page as such, &quot;Title Page&quot; means the text near the most prominent
+requires to appear in the title page. For works in formats which do not have
-appearance of the work's title, preceding the beginning of the body of the text.
+any title page as such, "Title Page" means the text near the most prominent 
-</p>
+appearance of the work's title, preceding the beginning of the body of the
 text. </p>
 <p><strong>2. VERBATIM COPYING</strong> </p>
 <p>You may copy and distribute the Document in any medium, either commercially 
-or noncommercially, provided that this License, the copyright notices, and the
+or noncommercially, provided that this License, the copyright notices, and
-license notice saying this License applies to the Document are reproduced in all
+the license notice saying this License applies to the Document are reproduced
-copies, and that you add no other conditions whatsoever to those of this
+in all copies, and that you add no other conditions whatsoever to those of
-License. You may not use technical measures to obstruct or control the reading
+this License. You may not use technical measures to obstruct or control the
-or further copying of the copies you make or distribute. However, you may accept
+reading or further copying of the copies you make or distribute. However,
-compensation in exchange for copies. If you distribute a large enough number of
+you may accept compensation in exchange for copies. If you distribute a large
-copies you must also follow the conditions in section 3. </p>
+enough number of copies you must also follow the conditions in section 3.
-<p>You may also lend copies, under the same conditions stated above, and you may
+</p>
-publicly display copies. </p>
+ 
 <p>You may also lend copies, under the same conditions stated above, and
 you may publicly display copies. </p>
 <p><strong>3. COPYING IN QUANTITY</strong> </p>
-<p>If you publish printed copies of the Document numbering more than 100, and
+ 
-the Document's license notice requires Cover Texts, you must enclose the copies
+<p>If you publish printed copies of the Document numbering more than 100,
-in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover
+and the Document's license notice requires Cover Texts, you must enclose
-Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
+the copies in covers that carry, clearly and legibly, all these Cover Texts:
-must also clearly and legibly identify you as the publisher of these copies. The
+Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
-front cover must present the full title with all words of the title equally
+Both covers must also clearly and legibly identify you as the publisher of
-prominent and visible. You may add other material on the covers in addition.
+these copies. The front cover must present the full title with all words
-Copying with changes limited to the covers, as long as they preserve the title
+of the title equally prominent and visible. You may add other material on
-of the Document and satisfy these conditions, can be treated as verbatim copying
+the covers in addition. Copying with changes limited to the covers, as long
-in other respects. </p>
+as they preserve the title of the Document and satisfy these conditions,
-<p>If the required texts for either cover are too voluminous to fit legibly, you
+can be treated as verbatim copying in other respects. </p>
-should put the first ones listed (as many as fit reasonably) on the actual
+ 
 <p>If the required texts for either cover are too voluminous to fit legibly,
 you should put the first ones listed (as many as fit reasonably) on the actual 
 cover, and continue the rest onto adjacent pages. </p>
 <p>If you publish or distribute Opaque copies of the Document numbering more 
-than 100, you must either include a machine-readable Transparent copy along with
+than 100, you must either include a machine-readable Transparent copy along
-each Opaque copy, or state in or with each Opaque copy a publicly-accessible
+with each Opaque copy, or state in or with each Opaque copy a publicly-accessible 
-computer-network location containing a complete Transparent copy of the
+computer-network location containing a complete Transparent copy of the Document,
-Document, free of added material, which the general network-using public has
+free of added material, which the general network-using public has access
-access to download anonymously at no charge using public-standard network
+to download anonymously at no charge using public-standard network protocols.
-protocols. If you use the latter option, you must take reasonably prudent steps,
+If you use the latter option, you must take reasonably prudent steps, when
-when you begin distribution of Opaque copies in quantity, to ensure that this
+you begin distribution of Opaque copies in quantity, to ensure that this Transparent
-Transparent copy will remain thus accessible at the stated location until at
+copy will remain thus accessible at the stated location until at least one
-least one year after the last time you distribute an Opaque copy (directly or
+year after the last time you distribute an Opaque copy (directly or through
-through your agents or retailers) of that edition to the public. </p>
+your agents or retailers) of that edition to the public. </p>
 <p>It is requested, but not required, that you contact the authors of the 
-Document well before redistributing any large number of copies, to give them a
+Document well before redistributing any large number of copies, to give them
-chance to provide you with an updated version of the Document. </p>
+a chance to provide you with an updated version of the Document. </p>
 <p><strong>4. MODIFICATIONS</strong> </p>
 <p>You may copy and distribute a Modified Version of the Document under the 
 conditions of sections 2 and 3 above, provided that you release the Modified 
-Version under precisely this License, with the Modified Version filling the role
+Version under precisely this License, with the Modified Version filling the
-of the Document, thus licensing distribution and modification of the Modified
+role of the Document, thus licensing distribution and modification of the
-Version to whoever possesses a copy of it. In addition, you must do these things
+Modified Version to whoever possesses a copy of it. In addition, you must
-in the Modified Version: </p>
+do these things in the Modified Version: </p>
-<p>&nbsp;</p>
+ 
 <p> </p>
 <ul>
-  <li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
+   <li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
-  title distinct from that of the Document, and from those of previous versions
+a   title distinct from that of the Document, and from those of previous
-  (which should, if there were any, be listed in the History section of the
+versions   (which should, if there were any, be listed in the History section
-  Document). You may use the same title as a previous version if the original
+of the   Document). You may use the same title as a previous version if the
-  publisher of that version gives permission. </li>
+original   publisher of that version gives permission. </li>
   <li><strong>B.</strong> List on the Title Page, as authors, one or more 
-  persons or entities responsible for authorship of the modifications in the
+  persons or entities responsible for authorship of the modifications in
-  Modified Version, together with at least five of the principal authors of the
+the   Modified Version, together with at least five of the principal authors
-  Document (all of its principal authors, if it has less than five). </li>
+of the   Document (all of its principal authors, if it has less than five).
-  <li><strong>C.</strong> State on the Title page the name of the publisher of
+  </li>
-  the Modified Version, as the publisher. </li>
+   <li><strong>C.</strong> State on the Title page the name of the publisher
 of   the Modified Version, as the publisher. </li>
   <li><strong>D.</strong> Preserve all the copyright notices of the Document. 
  </li>
   <li><strong>E.</strong> Add an appropriate copyright notice for your 
 modifications adjacent to the other copyright notices. </li>
-  <li><strong>F.</strong> Include, immediately after the copyright notices, a
+   <li><strong>F.</strong> Include, immediately after the copyright notices,
-  license notice giving the public permission to use the Modified Version under
+a   license notice giving the public permission to use the Modified Version
-  the terms of this License, in the form shown in the Addendum below. </li>
+under   the terms of this License, in the form shown in the Addendum below.
-  <li><strong>G.</strong> Preserve in that license notice the full lists of
+  </li>
-  Invariant Sections and required Cover Texts given in the Document's license
+   <li><strong>G.</strong> Preserve in that license notice the full lists
-  notice. </li>
+of   Invariant Sections and required Cover Texts given in the Document's
 license   notice. </li>
   <li><strong>H.</strong> Include an unaltered copy of this License. </li>
-  <li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
+   <li><strong>I.</strong> Preserve the section entitled "History", and its 
  title, and add to it an item stating at least the title, year, new authors, 
-  and publisher of the Modified Version as given on the Title Page. If there is
+  and publisher of the Modified Version as given on the Title Page. If there
-  no section entitled &quot;History&quot; in the Document, create one stating the title,
+is   no section entitled "History" in the Document, create one stating the
-  year, authors, and publisher of the Document as given on its Title Page, then
+title,   year, authors, and publisher of the Document as given on its Title
-  add an item describing the Modified Version as stated in the previous
+Page, then   add an item describing the Modified Version as stated in the
-  sentence. </li>
+previous   sentence. </li>
-  <li><strong>J.</strong> Preserve the network location, if any, given in the
+   <li><strong>J.</strong> Preserve the network location, if any, given in
-  Document for public access to a Transparent copy of the Document, and likewise
+the   Document for public access to a Transparent copy of the Document, and
-  the network locations given in the Document for previous versions it was based
+likewise   the network locations given in the Document for previous versions
-  on. These may be placed in the &quot;History&quot; section. You may omit a network
+it was based   on. These may be placed in the "History" section. You may
-  location for a work that was published at least four years before the Document
+omit a network   location for a work that was published at least four years
-  itself, or if the original publisher of the version it refers to gives
+before the Document   itself, or if the original publisher of the version
-  permission. </li>
+it refers to gives   permission. </li>
-  <li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
+   <li><strong>K.</strong> In any section entitled "Acknowledgements" or 
-  &quot;Dedications&quot;, preserve the section's title, and preserve in the section all
+ "Dedications", preserve the section's title, and preserve in the section
-  the substance and tone of each of the contributor acknowledgements and/or
+all   the substance and tone of each of the contributor acknowledgements
-  dedications given therein. </li>
+and/or   dedications given therein. </li>
   <li><strong>L.</strong> Preserve all the Invariant Sections of the Document, 
  unaltered in their text and in their titles. Section numbers or the equivalent 
  are not considered part of the section titles. </li>
-  <li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
+   <li><strong>M.</strong> Delete any section entitled "Endorsements". Such
-  section may not be included in the Modified Version. </li>
+a   section may not be included in the Modified Version. </li>
-  <li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
+   <li><strong>N.</strong> Do not retitle any existing section as "Endorsements" 
  or to conflict in title with any Invariant Section. </li>
 </ul>
-<p>If the Modified Version includes new front-matter sections or appendices that
+ 
-qualify as Secondary Sections and contain no material copied from the Document,
+<p>If the Modified Version includes new front-matter sections or appendices
-you may at your option designate some or all of these sections as invariant. To
+that qualify as Secondary Sections and contain no material copied from the
-do this, add their titles to the list of Invariant Sections in the Modified
+Document, you may at your option designate some or all of these sections
-Version's license notice. These titles must be distinct from any other section
+as invariant. To do this, add their titles to the list of Invariant Sections
-titles. </p>
+in the Modified Version's license notice. These titles must be distinct from
-<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing
+any other section titles. </p>
 <p>You may add a section entitled "Endorsements", provided it contains nothing 
 but endorsements of your Modified Version by various parties--for example, 
 statements of peer review or that the text has been approved by an organization 
 as the authoritative definition of a standard. </p>
 <p>You may add a passage of up to five words as a Front-Cover Text, and a 
-passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover
+passage of up to 25 words as a Back-Cover Text, to the end of the list of
-Texts in the Modified Version. Only one passage of Front-Cover Text and one of
+Cover Texts in the Modified Version. Only one passage of Front-Cover Text
-Back-Cover Text may be added by (or through arrangements made by) any one
+and one of Back-Cover Text may be added by (or through arrangements made
-entity. If the Document already includes a cover text for the same cover,
+by) any one entity. If the Document already includes a cover text for the
-previously added by you or by arrangement made by the same entity you are acting
+same cover, previously added by you or by arrangement made by the same entity
-on behalf of, you may not add another; but you may replace the old one, on
+you are acting on behalf of, you may not add another; but you may replace
-explicit permission from the previous publisher that added the old one. </p>
+the old one, on explicit permission from the previous publisher that added
-<p>The author(s) and publisher(s) of the Document do not by this License give
+the old one. </p>
-permission to use their names for publicity for or to assert or imply
+ 
 <p>The author(s) and publisher(s) of the Document do not by this License
 give permission to use their names for publicity for or to assert or imply 
 endorsement of any Modified Version. </p>
 <p><strong>5. COMBINING DOCUMENTS</strong> </p>
-<p>You may combine the Document with other documents released under this
+ 
-License, under the terms defined in section 4 above for modified versions,
+<p>You may combine the Document with other documents released under this License,
-provided that you include in the combination all of the Invariant Sections of
+under the terms defined in section 4 above for modified versions, provided
-all of the original documents, unmodified, and list them all as Invariant
+that you include in the combination all of the Invariant Sections of all
-Sections of your combined work in its license notice. </p>
+of the original documents, unmodified, and list them all as Invariant Sections
 of your combined work in its license notice. </p>
 <p>The combined work need only contain one copy of this License, and multiple 
-identical Invariant Sections may be replaced with a single copy. If there are
+identical Invariant Sections may be replaced with a single copy. If there
-multiple Invariant Sections with the same name but different contents, make the
+are multiple Invariant Sections with the same name but different contents,
-title of each such section unique by adding at the end of it, in parentheses,
+make the title of each such section unique by adding at the end of it, in
-the name of the original author or publisher of that section if known, or else a
+parentheses, the name of the original author or publisher of that section
-unique number. Make the same adjustment to the section titles in the list of
+if known, or else a unique number. Make the same adjustment to the section
-Invariant Sections in the license notice of the combined work. </p>
+titles in the list of Invariant Sections in the license notice of the combined
-<p>In the combination, you must combine any sections entitled &quot;History&quot; in the
+work. </p>
-various original documents, forming one section entitled &quot;History&quot;; likewise
+ 
-combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled
+<p>In the combination, you must combine any sections entitled "History" in
-&quot;Dedications&quot;. You must delete all sections entitled &quot;Endorsements.&quot; </p>
+the various original documents, forming one section entitled "History"; likewise 
 combine any sections entitled "Acknowledgements", and any sections entitled 
 "Dedications". You must delete all sections entitled "Endorsements." </p>
 <p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
 <p>You may make a collection consisting of the Document and other documents 
 released under this License, and replace the individual copies of this License 
 in the various documents with a single copy that is included in the collection, 
-provided that you follow the rules of this License for verbatim copying of each
+provided that you follow the rules of this License for verbatim copying of
-of the documents in all other respects. </p>
+each of the documents in all other respects. </p>
-<p>You may extract a single document from such a collection, and distribute it
+ 
-individually under this License, provided you insert a copy of this License into
+<p>You may extract a single document from such a collection, and distribute
-the extracted document, and follow this License in all other respects regarding
+it individually under this License, provided you insert a copy of this License
-verbatim copying of that document. </p>
+into the extracted document, and follow this License in all other respects
 regarding verbatim copying of that document. </p>
 <p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
 <p>A compilation of the Document or its derivatives with other separate and 
 independent documents or works, in or on a volume of a storage or distribution 
-medium, does not as a whole count as a Modified Version of the Document,
+medium, does not as a whole count as a Modified Version of the Document, provided
-provided no compilation copyright is claimed for the compilation. Such a
+no compilation copyright is claimed for the compilation. Such a compilation
-compilation is called an &quot;aggregate&quot;, and this License does not apply to the
+is called an "aggregate", and this License does not apply to the other self-contained
-other self-contained works thus compiled with the Document, on account of their
+works thus compiled with the Document, on account of their being thus compiled,
-being thus compiled, if they are not themselves derivative works of the
+if they are not themselves derivative works of the Document. </p>
-Document. </p>
+ 
-<p>If the Cover Text requirement of section 3 is applicable to these copies of
+<p>If the Cover Text requirement of section 3 is applicable to these copies
-the Document, then if the Document is less than one quarter of the entire
+of the Document, then if the Document is less than one quarter of the entire 
-aggregate, the Document's Cover Texts may be placed on covers that surround only
+aggregate, the Document's Cover Texts may be placed on covers that surround
-the Document within the aggregate. Otherwise they must appear on covers around
+only the Document within the aggregate. Otherwise they must appear on covers
-the whole aggregate. </p>
+around the whole aggregate. </p>
 <p><strong>8. TRANSLATION</strong> </p>
 <p>Translation is considered a kind of modification, so you may distribute 
 translations of the Document under the terms of section 4. Replacing Invariant 
 Sections with translations requires special permission from their copyright 
-holders, but you may include translations of some or all Invariant Sections in
+holders, but you may include translations of some or all Invariant Sections
-addition to the original versions of these Invariant Sections. You may include a
+in addition to the original versions of these Invariant Sections. You may
-translation of this License provided that you also include the original English
+include a translation of this License provided that you also include the
-version of this License. In case of a disagreement between the translation and
+original English version of this License. In case of a disagreement between
-the original English version of this License, the original English version will
+the translation and the original English version of this License, the original
-prevail. </p>
+English version will prevail. </p>
 <p><strong>9. TERMINATION</strong> </p>
-<p>You may not copy, modify, sublicense, or distribute the Document except as
+ 
-expressly provided for under this License. Any other attempt to copy, modify,
+<p>You may not copy, modify, sublicense, or distribute the Document except
-sublicense or distribute the Document is void, and will automatically terminate
+as expressly provided for under this License. Any other attempt to copy,
-your rights under this License. However, parties who have received copies, or
+modify, sublicense or distribute the Document is void, and will automatically
-rights, from you under this License will not have their licenses terminated so
+terminate your rights under this License. However, parties who have received
-long as such parties remain in full compliance. </p>
+copies, or rights, from you under this License will not have their licenses
 terminated so long as such parties remain in full compliance. </p>
 <p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
 <p>The Free Software Foundation may publish new, revised versions of the GNU
 Free Documentation License from time to time. Such new versions will be similar
 in spirit to the present version, but may differ in detail to address new
 problems or concerns. See http://www.gnu.org/copyleft/. </p>
 <p>Each version of the License is given a distinguishing version number. If the
 Document specifies that a particular numbered version of this License &quot;or any
 later version&quot; applies to it, you have the option of following the terms and
 conditions either of that specified version or of any later version that has
 been published (not as a draft) by the Free Software Foundation. If the Document
 does not specify a version number of this License, you may choose any version
 ever published (not as a draft) by the Free Software Foundation. </p>
 <p align="left">&nbsp;</p>
 <p>The Free Software Foundation may publish new, revised versions of the
 GNU Free Documentation License from time to time. Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
 <p>Each version of the License is given a distinguishing version number.
 If the Document specifies that a particular numbered version of this License
 "or any later version" applies to it, you have the option of following the
 terms and conditions either of that specified version or of any later version
 that has been published (not as a draft) by the Free Software Foundation.
 If the Document does not specify a version number of this License, you may
 choose any version ever published (not as a draft) by the Free Software Foundation.
 </p>
 <p align="left"> </p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/IPIP.htm
+++ b/Shorewall-docs/IPIP.htm
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
@ -86,8 +86,8 @@ it in  /etc/shorewall/zones on both systems as follows.</p>
  </table>
   </blockquote>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
-zone. In /etc/shorewall/interfaces:</p>
+In /etc/shorewall/interfaces:</p>
 <blockquote>   
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -205,8 +205,8 @@ zone. In /etc/shorewall/interfaces:</p>
 are secured so that root can execute them.  </p>
 <p align="left"> You will need to allow traffic between the "vpn" zone and 
-       the "loc" zone on both systems -- if you simply want to admit all
+       the "loc" zone on both systems -- if you simply want to admit all traffic
-traffic        in both directions, you can use the policy file:</p>
+       in both directions, you can use the policy file:</p>
 <blockquote>   
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -234,9 +234,9 @@ traffic        in both directions, you can use the policy file:</p>
  </table>
  </blockquote>
-<p>On both systems, restart Shorewall and run the modified tunnel script
+<p>On both systems, restart Shorewall and run the modified tunnel script with
-with the "start" argument on each system. The systems in the two masqueraded
+the "start" argument on each system. The systems in the two masqueraded subnetworks
-subnetworks can now talk to each other</p>
+can now talk to each other</p>
 <p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> 
 </font></p>
@ -244,5 +244,6 @@ subnetworks can now talk to each other</p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/IPSEC.htm
+++ b/Shorewall-docs/IPSEC.htm
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
          <tbody>
          <tr>
            <td width="100%">                                   
@ -34,9 +34,9 @@
  FreeS/Wan on the same system unless you are prepared to suffer the  consequences. 
  If you start or restart Shorewall with an IPSEC tunnel active,  the proxied 
  IP addresses are mistakenly assigned to the IPSEC tunnel device  (ipsecX) 
-  rather than to the interface that you specify in the INTERFACE column 
+  rather than to the interface that you specify in the INTERFACE column  of
-of   /etc/shorewall/proxyarp. I haven't had the time to debug this problem
+  /etc/shorewall/proxyarp. I haven't had the time to debug this problem so
-so  I  can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
+ I  can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
 <p>You <b>might</b> be able to work around this problem using the following 
  (I  haven't tried it):</p>
@ -115,9 +115,9 @@ so  I  can't say if it is a bug in the Kernel or in FreeS/Wan.
      </blockquote>
 <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway 
-  then the tunnels file entry on the <u><b>other</b></u> endpoint should
+  then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
-specify   a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the
+  a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
-GATEWAY   address should specify the external address of the NAT gateway.<br>
+  address should specify the external address of the NAT gateway.<br>
     </p>
 <p align="left">You need to define a zone for the remote subnet or include 
@ -195,14 +195,14 @@ created  a      zone called "vpn" to represent the remote subnet.</p>
  </table>
        </blockquote>
-<p align="left"> Once you have these entries in place, restart Shorewall (type
+<p align="left"> Once you have these entries in place, restart Shorewall
-shorewall restart);  you are now ready to configure the tunnel in <a
+(type shorewall restart);  you are now ready to configure the tunnel in <a
 href="http://www.xs4all.nl/%7Efreeswan/">  FreeS/WAN</a>  .</p>
 <h2><a name="VPNHub"></a>VPN Hub</h2>
  Shorewall can be used in a VPN Hub environment where multiple remote networks
-are connected to a gateway running Shorewall. This environment is shown in 
+ are connected to a gateway running Shorewall. This environment is shown
-this diatram.<br>
+in  this diatram.<br>
 <div align="center"><img src="images/ThreeNets.png"
 alt="(Three networks linked with IPSEC)" width="750" height="781">
@ -287,8 +287,8 @@ networks.<br>
 <p align="left"></p>
 <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway 
-  then the tunnels file entry on the <u><b>other</b></u> endpoint should
+  then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
-specify   a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
+  a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
  </i> and the GATEWAY  address should specify the external address of the
 NAT gateway.<br>
  </p>
@ -427,10 +427,11 @@ have the following in /etc/shorewall/interfaces:</p>
  </table>
   <br>
 </blockquote>
-<p align="left">On systems A, you will need to allow traffic between the "vpn1"
+ 
-zone and         the "loc" zone as well as between "vpn2" and the "loc" zone
+<p align="left">On systems A, you will need to allow traffic between the
-- if you simply want to admit all traffic in both       directions, you
+"vpn1" zone and         the "loc" zone as well as between "vpn2" and the
-can use the following policy file entries on all three gateways:</p>
+"loc" zone -- if you simply want to admit all traffic in both       directions,
 you can use the following policy file entries on all three gateways:</p>
 <blockquote>   
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -477,10 +478,11 @@ can use the following policy file entries on all three gateways:</p>
    </tbody>    
  </table>
 </blockquote>
 <p align="left">On systems B and C, you will need to allow traffic between
-the "vpn" zone and         the "loc" zone -- if you simply want to admit all
+ the "vpn" zone and         the "loc" zone -- if you simply want to admit
-traffic in both       directions, you can use the following policy file entries
+all traffic in both       directions, you can use the following policy file
-on all three gateways:</p>
+entries on all three gateways:</p>
 <blockquote>               
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -515,6 +517,7 @@ the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/">  FreeS/WAN</a>
  Note that to allow traffic between the networks attached to systems B and
 C, it is necessary to simply add two additional entries to the /etc/shorewall/policy
 file on system A.<br>
 <blockquote>   
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -547,9 +550,9 @@ file on system A.<br>
 <h2><font color="#660066"><a name="RoadWarrior"></a>  </font>Mobile System
 (Road  Warrior)</h2>
-<p>Suppose that you have a laptop system (B) that you take with you when you
+<p>Suppose that you have a laptop system (B) that you take with you when
-travel and you want to be able to establish a secure connection back to your
+you travel and you want to be able to establish a secure connection back
-local network.</p>
+to your local network.</p>
 <p align="center"><strong><font face="Century Gothic, Arial, Helvetica"> 
     <img src="images/Mobile.png" width="677" height="426">
@ -707,8 +710,8 @@ comes down.  For example, when 134.28.54.2 connects for the vpn2 zone the
   </blockquote>
 <h3>Limitations of Dynamic Zones</h3>
-  If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
+   If you include a dynamic zone in the exclude list of a DNAT rule, the
- hosts are not excluded from the rule.<br>
+dynamically-added  hosts are not excluded from the rule.<br>
   <br>
   Example with dyn=dynamic zone:<br>
   <br>
@ -763,5 +766,6 @@ rule.
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
             <tbody>
              <tr>
               <td width="100%">                                   
@ -30,8 +30,8 @@
 href="upgrade_issues.htm">Upgrade Issues<br>
    </a></b></p>
-<div align="left"><b>Before attempting installation, I strongly urge you to
+<div align="left"><b>Before attempting installation, I strongly urge you
-read and print a copy of the       <a
+to read and print a copy of the       <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>    
   for the configuration that most closely matches your own.</b><br>
    </div>
@ -48,11 +48,11 @@ read and print a copy of the       <a
 <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
 <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a 
-    shell  prompt, type "/sbin/iptables --version"), you must upgrade to
+    shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
-version     1.2.4  either from the <a
+    1.2.4  either from the <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update 
-     site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
+     site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
-before      attempting to start Shorewall.</b></p>
+     attempting to start Shorewall.</b></p>
 <ul>
             <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
@ -76,11 +76,11 @@ before      attempting to start Shorewall.</b></p>
       </li>
             <li>Edit the <a href="#Config_Files"> configuration files</a>
 to  match   your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
-    <u>NOT</u>    SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. 
+     <u>NOT</u>    SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start"
-SOME CONFIGURATION    IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU 
+COMMAND.  SOME CONFIGURATION    IS REQUIRED BEFORE THE  FIREWALL WILL START.
-ISSUE A "start" COMMAND    AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL
+IF YOU  ISSUE A "start" COMMAND    AND THE FIREWALL FAILS TO  START, YOUR
-NO LONGER ACCEPT ANY  NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall 
+SYSTEM WILL NO LONGER ACCEPT ANY  NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE
-clear" COMMAND TO  RESTORE NETWORK  CONNECTIVITY.</b></font></li>
+A "shorewall  clear" COMMAND TO  RESTORE NETWORK  CONNECTIVITY.</b></font></li>
             <li>Start the firewall by typing "shorewall start"</li>
 </ul>
@ -99,8 +99,8 @@ the               directory name as in "shorewall-1.1.10").</li>
 href="http://www.corel.com">Corel</a>,           <a
 href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
-            <li>If you are using <a href="http://www.suse.com">SuSe</a> then
+             <li>If you are using <a href="http://www.suse.com">SuSe</a>
-  type       "./install.sh /etc/init.d"</li>
+then   type       "./install.sh /etc/init.d"</li>
             <li>If your distribution has directory             /etc/rc.d/init.d 
   or  /etc/init.d then type             "./install.sh"</li>
             <li>For other distributions, determine where your          
@ -109,22 +109,22 @@ the               directory name as in "shorewall-1.1.10").</li>
             <li>Edit the <a href="#Config_Files"> configuration files</a>
 to  match   your configuration.</li>
             <li>Start the firewall by typing "shorewall             start"</li>
-            <li>If the install script was unable to configure Shorewall to
+             <li>If the install script was unable to configure Shorewall
- be  started   automatically at boot,             see <a
+to  be  started   automatically at boot,             see <a
 href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
 </ul>
 <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering 
   disk, simply replace the "shorwall.lrp" file on the image with the file
- that  you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
+  that  you downloaded. See the <a href="two-interface.htm">two-interface
-  Guide</a> for information about further steps required.</p>
+QuickStart   Guide</a> for information about further steps required.</p>
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed 
    and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
-or and you  have entries in the /etc/shorewall/hosts file then please check
+and you  have entries in the /etc/shorewall/hosts file then please check 
 your  /etc/shorewall/interfaces file to be sure that it contains an entry 
   for each  interface mentioned in the hosts file. Also, there are certain 
  1.2 rule forms  that are no longer supported under 1.4 (you must use the
@ -149,26 +149,26 @@ or and you  have entries in the /etc/shorewall/hosts file then please check
           error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
      <br>
        <br>
-     This may be worked around by using the --nodeps option of rpm (rpm -Uvh
+      This may be worked around by using the --nodeps option of rpm (rpm
-  --nodeps &lt;shorewall rpm&gt;). </p>
+-Uvh   --nodeps &lt;shorewall rpm&gt;). </p>
            </li>
            <li>See if there are any incompatibilities between your configuration 
-   and the    new Shorewall version (type "shorewall check") and correct
+   and the    new Shorewall version (type "shorewall check") and correct as
-as   necessary.</li>
+  necessary.</li>
             <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
-are upgrading to a new version using the tarball:</p>
+and are upgrading to a new version using the tarball:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
-you  have entries in the /etc/shorewall/hosts file then please check your
+and you  have entries in the /etc/shorewall/hosts file then please check
- /etc/shorewall/interfaces file to be sure that it contains an entry for
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-each  interface mentioned in the hosts file.  Also, there are certain 1.2
+for each  interface mentioned in the hosts file.  Also, there are certain
-rule  forms that are no longer supported under 1.4 (you must use the new
+1.2 rule  forms that are no longer supported under 1.4 (you must use the
-1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
+new 1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
-details. </p>
+for details. </p>
 <ul>
         <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -181,28 +181,28 @@ the               directory name as in "shorewall-3.0.1").</li>
 href="http://www.corel.com">Corel</a>,           <a
 href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
-            <li>If you are using<a href="http://www.suse.com"> SuSe</a> then
+             <li>If you are using<a href="http://www.suse.com"> SuSe</a>
-  type       "./install.sh /etc/init.d"</li>
+then   type       "./install.sh /etc/init.d"</li>
             <li>If your distribution has directory             /etc/rc.d/init.d 
   or  /etc/init.d then type             "./install.sh"</li>
             <li>For other distributions, determine where your          
  distribution    installs init scripts and type             "./install.sh
 &lt;init script   directory&gt;</li>
             <li>See if there are any incompatibilities between your configuration 
-   and the    new Shorewall version (type "shorewall check") and correct
+   and the    new Shorewall version (type "shorewall check") and correct as
-as   necessary.</li>
+  necessary.</li>
             <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-                <a name="LRP_Upgrade"></a>If you already have a running Bering
+                 <a name="LRP_Upgrade"></a>If you already have a running
-   installation and wish to upgrade to a later version of Shorewall:<br>
+Bering    installation and wish to upgrade to a later version of Shorewall:<br>
        <br>
            <b>UNDER CONSTRUCTION...</b><br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
-<p>You will need to edit some or all of the configuration files to match
+<p>You will need to edit some or all of the configuration files to match your
-your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
+ setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
    QuickStart Guides</a> contain all of the information you need.</p>
 <ul>
@ -216,5 +216,6 @@ your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -12,7 +12,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                     <tbody>
                    <tr>
                      <td width="100%">                             
@ -37,13 +37,13 @@
 <ol>
              <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
-option is specified, all traffic arriving on the interface is subjet to MAC
+this option is specified, all traffic arriving on the interface is subjet
-verification.</li>
+to MAC verification.</li>
              <li>The <b>maclist </b>option in <a
 href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option
-  is specified for a subnet, all traffic from that subnet  is subject to MAC
+   is specified for a subnet, all traffic from that subnet  is subject to
-  verification.</li>
+MAC   verification.</li>
              <li>The /etc/shorewall/maclist file. This file is used to associate
    MAC  addresses with interfaces and to optionally associate IP addresses
  with  MAC  addresses.</li>
@ -89,10 +89,10 @@ details about my setup):</h3>
   As shown above, I use MAC Verification on my wireless zone.<br>
  <br>
  <b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like 
-a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
+a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
-the MAC address of the host (TIPPER) but for other forwarded traffic it uses
+MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
-it's own MAC address. Consequently, I list the IP addresses of both devices
+own MAC address. Consequently, I list the IP addresses of both devices in
-in /etc/shorewall/maclist.<br>
+/etc/shorewall/maclist.<br>
 <h3>Example 2: Router in Wireless Zone</h3>
            Suppose now that I add a second wireless segment to my wireless 
@ -103,11 +103,11 @@ in /etc/shorewall/maclist.<br>
 <pre>     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24<br></pre>
            This entry accomodates traffic from the router itself (192.168.3.253)
-   and  from the second wireless segment (192.168.4.0/24). Remember that all
+    and  from the second wireless segment (192.168.4.0/24). Remember that
-traffic    being  sent to my firewall from the 192.168.4.0/24 segment will
+all traffic    being  sent to my firewall from the 192.168.4.0/24 segment
-be forwarded    by the router so that traffic's MAC address will be that
+will be forwarded    by the router so that traffic's MAC address will be
-of the router (00:06:43:45:C6:15)    and not that of the host sending the
+that of the router (00:06:43:45:C6:15)    and not that of the host sending
-traffic.    
+the traffic.     
 <p><font size="2">   Updated 6/30/2002 - <a href="support.htm">Tom  Eastep</a>
         </font></p>
@ -119,5 +119,6 @@ traffic.
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/NAT.htm
+++ b/Shorewall-docs/NAT.htm
@ -12,44 +12,45 @@
 </head>
  <body>
 <blockquote>      
 <table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
       <tbody>
        <tr>
         <td width="100%">                            
-        <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
+      <h1 align="center"><font color="#ffffff">Static Nat</font></h1>
         </td>
       </tr>
  </tbody>    
 </table>
 <br>
                <br>
 <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward  
     ports to servers behind your firewall, you do NOT want to use static
  NAT.      Port forwarding can be accomplished with simple entries in the
    <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
-        
+<blockquote>                </blockquote>
 <p>Static NAT is a way to make systems behind a     firewall and configured
  with private IP addresses (those     reserved for private use in RFC1918)
  appear to have public IP     addresses. Before you try to use this technique,
  I strongly recommend that you read the <a
 href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
-        
+<blockquote>                </blockquote>
 <p>The following figure represents a static NAT     environment.</p>
-        
+<blockquote>                
  <p align="center"><strong>     <img src="images/staticnat.png"
 width="435" height="397">
      </strong></p>
  <blockquote>     </blockquote>
-        
+                </blockquote>
 <p align="left">Static NAT can be used to make the systems with the  10.1.1.* 
 addresses appear to be on the upper (130.252.100.*) subnet. If we     assume 
 that the interface to the upper subnet is eth0, then the following     /etc/shorewall/NAT 
-file would make the lower left-hand system appear to have     IP address 130.252.100.18
+ file would make the lower left-hand system appear to have     IP address 
-and the right-hand one to have IP address     130.252.100.19.</p>
+130.252.100.18 and the right-hand one to have IP address     130.252.100.19.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
           <tbody>
@ -91,8 +92,8 @@ the INTERFACE column should undergo NAT. If you leave this     column empty,
 <p>Note 2: Shorewall will automatically add the external address to the  
    specified interface unless you specify <a
 href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no"     (or "No") in
- /etc/shorewall/shorewall.conf; If you do not set     ADD_IP_ALIASES or if
+  /etc/shorewall/shorewall.conf; If you do not set     ADD_IP_ALIASES or
- you set it to "Yes" or "yes" then you must NOT configure your own alias(es). 
+if   you set it to "Yes" or "yes" then you must NOT configure your own alias(es). 
   <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
 external addresses to an interface that is configured with a single subnetwork
 -- if your external interface has addresses in more than one subnetwork,
@ -101,11 +102,10 @@ Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
 <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"     column
  determine whether packets originating on the firewall itself and     destined
  for the EXTERNAL address are redirected to the internal ADDRESS. If   
-this  column contains "yes" or "Yes" (and the ALL     INTERFACES COLUMN also
+ this  column contains "yes" or "Yes" (and the ALL     INTERFACES COLUMN
-contains  "Yes" or "yes") then     such packets are redirected; otherwise,
+also contains  "Yes" or "yes") then     such packets are redirected; otherwise,
 such packets  are not redirected. The     LOCAL column was added in version
 1.1.8.</p>
   </blockquote>
 <blockquote> </blockquote>
@ -113,5 +113,7 @@ such packets  are not redirected. The     LOCAL column was added in version
 href="support.htm">Tom Eastep</a></font> </p>
     <a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/OPENVPN.html
+++ b/Shorewall-docs/OPENVPN.html
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
     <tbody>
       <tr>
       <td width="100%">       
@ -78,8 +78,8 @@ the GPL</a>. OpenVPN can be downloaded from <a
  </table>
    </blockquote>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
-zone. In /etc/shorewall/interfaces:</p>
+In /etc/shorewall/interfaces:</p>
 <blockquote>   
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -235,8 +235,8 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
   </blockquote>
 <p align="left">You will need to allow traffic between the "vpn" zone and 
-       the "loc" zone on both systems -- if you simply want to admit all
+       the "loc" zone on both systems -- if you simply want to admit all traffic
-traffic        in both directions, you can use the policy file:</p>
+       in both directions, you can use the policy file:</p>
 <blockquote>   
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -279,5 +279,6 @@ traffic        in both directions, you can use the policy file:</p>
   <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/PPTP.htm
+++ b/Shorewall-docs/PPTP.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
      <tbody>
       <tr>
        <td width="100%">              
@ -27,9 +27,10 @@
  </tbody>  
 </table>
-<h4>NOTE: I am no longer attempting to maintain MPPE patches for current
+<h4>NOTE: I am no longer attempting to maintain MPPE patches for current Linux
-Linux kernel's and pppd. I recommend that you refer to the following URLs
+kernel's and pppd. I recommend that you refer to the following URLs for information
-for information about installing MPPE into your kernel and pppd.</h4>
+about installing MPPE into your kernel and pppd.</h4>
 <h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project 
 </a>has a nice GUI for configuring and managing VPN connections where your 
 Linux system is the PPTP client. This is what I currently use. I am no longer 
@ -40,10 +41,12 @@ below).</h4>
 (Everything you need to run a PPTP client).<br>
     <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod' 
 package can be used to quickly install MPPE into your kernel without rebooting).<br>
 <h4>I am leaving the instructions for building MPPE-enabled kernels and pppd 
 in the text below for those who may wish to obtain the relevant current patches 
 and "roll their own".<br>
 </h4>
 <hr width="100%" size="2"> 
 <p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
@ -56,12 +59,11 @@ and "roll their own".<br>
 </ul>
-<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your
+<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
 Firewall</h2>
-<p>I will try to give you an idea of how to set up a PPTP server on your
+<p>I will try to give you an idea of how to set up a PPTP server on your firewall
-firewall system. This isn't a detailed HOWTO but rather an example of how
+system. This isn't a detailed HOWTO but rather an example of how I have set
-I have set up a working PPTP server on my own firewall.</p>
+up a working PPTP server on my own firewall.</p>
 <p>The steps involved are:</p>
@ -146,8 +148,8 @@ the ppp-2.4.1 directory.</p>
 <h3><a name="Samba"></a>Configuring Samba</h3>
-<p>You will need a WINS server (Samba configured to run as a WINS server
+<p>You will need a WINS server (Samba configured to run as a WINS server is
-is  fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) 
+ fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
 is:</p>
 <blockquote>      
@ -205,8 +207,8 @@ with the     'require-mppe.diff' patch mentioned above.</li>
 <p>I am the only user who connects to the server but I may connect either
 with or without a domain being specified. The system I connect from is my
-laptop so I give it the same IP address when tunneled in at it has when I 
+ laptop so I give it the same IP address when tunneled in at it has when
-use its wireless LAN card around the house.</p>
+I  use its wireless LAN card around the house.</p>
 <p>You will also want the following in /etc/modules.conf:</p>
@ -440,8 +442,8 @@ the remote     hosts look like they are part of the local subnetwork.</li>
  </table>
    </blockquote>
-<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and
+<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
-later)<br>
+and later)<br>
  </b></p>
 <blockquote>      
@ -515,8 +517,8 @@ ppp interface, you probably want:</p>
 <h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
 your Firewall</h2>
-<p>If you have a single external IP address, add the following to your  
+<p>If you have a single external IP address, add the following to your   /etc/shorewall/rules
-/etc/shorewall/rules file:</p>
+file:</p>
    <font face="Century Gothic, Arial, Helvetica">          </font>  
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
      <tbody>
@ -611,16 +613,15 @@ you will need to follow the instructions at <a
      loadmodule ip_nat_pptp </p>
   </blockquote>
-<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your
+<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
 Firewall.</h2>
 <p align="left">The PPTP GNU/Linux client is available at <a
 href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
- Rather than use the configuration script that comes with the client, I built 
+  Rather than use the configuration script that comes with the client, I
-my own. I also build my own kernel <a href="#PatchKernel">as described above</a> 
+built  my own. I also build my own kernel <a href="#PatchKernel">as described
- rather than using the mppe package that is available with the client. My 
+above</a>   rather than using the mppe package that is available with the
-/etc/ppp/options file is mostly unchanged from what came with the client (see
+client. My  /etc/ppp/options file is mostly unchanged from what came with
-below).</p>
+the client (see below).</p>
 <p>The key elements of this setup are as follows: </p>
@ -770,8 +771,8 @@ below).</p>
    <br>
  </blockquote>
-<p>I use the combination of interface and hosts file to define the 'cpq'
+<p>I use the combination of interface and hosts file to define the 'cpq' zone
-zone because I also run a PPTP server on my firewall (see above). Using this
+because I also run a PPTP server on my firewall (see above). Using this 
 technique allows me to distinguish clients of my own PPTP server from arbitrary 
 hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients 
 and Compaq doesn't use that RFC1918 Class C subnet. </p>
@ -923,5 +924,6 @@ ECN yet and reject the initial TCP connection request if I enable ECN :-(
   <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
           <tbody>
        <tr>
             <td width="100%">       
@ -92,24 +92,25 @@ rather than behind it.<br>
 (130.252.100.18 and 130.252.100.19 in the above example)  to the external 
 interface (eth0 in this example) of the firewall.</b></font><br>
                      </p>
 <div align="left">            </div>
 <div align="left"> 
 <p align="left">A word of warning is in order here. ISPs typically configure 
    their routers with a long ARP cache timeout. If you move a system from 
-    parallel to your firewall to behind your firewall with Proxy ARP, it will
+    parallel to your firewall to behind your firewall with Proxy ARP, it
-    probably be HOURS before that system can communicate with the internet.
+will     probably be HOURS before that system can communicate with the internet. 
 There are a couple of things that you can try:<br>
    </p>
 <ol>
-     <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
+      <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
- Vol 1</i> reveals that a <br>
+Illustrated,  Vol 1</i> reveals that a <br>
        <br>
    "gratuitous" ARP packet should cause the ISP's router to refresh their 
 ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the 
-MAC  address for its own IP; in addition to ensuring that the IP address isn't
+MAC  address for its own IP; in addition to ensuring that the IP address
- a duplicate...<br>
+isn't  a duplicate...<br>
        <br>
    "if the host sending the gratuitous ARP has just changed its hardware 
 address...,  this packet causes any other host...that has an entry in its 
@ -124,9 +125,9 @@ iputils package include "arping", whose "-U" flag does just that:<br>
 proxied  IP&gt;</i></b></font><br>
        <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
        <br>
-   Stevens goes on to mention that not all systems respond correctly to gratuitous
+    Stevens goes on to mention that not all systems respond correctly to
- ARPs, but googling for "arping -U" seems to support the idea that it works
+gratuitous  ARPs, but googling for "arping -U" seems to support the idea
- most of the time.<br>
+that it works  most of the time.<br>
       <br>
   To use arping with Proxy ARP in the above example, you would have to:<br>
       <br>
@ -174,9 +175,9 @@ dev  eth0<br>
 <p align="left">Notice that the source MAC address in the echo request is 
    different from the destination MAC address in the echo reply!! In this 
 case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 
-    was the MAC address of the system on the lower left. In other words, the
+    was the MAC address of the system on the lower left. In other words,
- gateway's ARP cache still    associates 130.252.100.19 with the NIC in that
+the  gateway's ARP cache still    associates 130.252.100.19 with the NIC
- system rather than with the firewall's    eth0.</p>
+in that  system rather than with the firewall's    eth0.</p>
    </div>
 <p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
@ -186,5 +187,6 @@ dev  eth0<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/SeattleInTheSpring.html
+++ b/Shorewall-docs/SeattleInTheSpring.html
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
     <tbody>
      <tr>
       <td width="100%">       
@ -48,5 +48,6 @@
 size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_CA_html.html
+++ b/Shorewall-docs/Shorewall_CA_html.html
@ -12,11 +12,10 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
           <tbody>
            <tr>
             <td width="100%">        
      <h1 align="center"><font color="#ffffff">Shorewall Certificate Authority 
 (CA) Certificate</font></h1>
             </td>
@ -72,8 +71,8 @@ so that it will accept any certificate signed by me. <br>
     <li>If you install my CA certificate then you assume that I am trustworthy 
 and that Shorewall running on your firewall won't redirect HTTPS requests 
 intented to go to your bank's server to one of my systems that will present 
-your browser with a bogus certificate claiming that my server is that of your
+your browser with a bogus certificate claiming that my server is that of
-bank.</li>
+your bank.</li>
     <li>If you only accept my server's certificate when prompted then the 
 most that you have to loose is that when you connect to https://mail.shorewall.net, 
 the server you are connecting to might not be mine.</li>
@ -85,8 +84,9 @@ won't be offended if you decline to load it into yours... :-)<br>
 <p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
+ size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
-M. Eastep.</font></a></font></p>
+Eastep.</font></a></font></p>
    <br>
   <br>
  <br>
 <br>
--- a/Shorewall-docs/Shorewall_CVS_Access.html
+++ b/Shorewall-docs/Shorewall_CVS_Access.html
@ -12,7 +12,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
          <tbody>
          <tr>
           <td width="100%">       
@ -27,8 +27,8 @@
      <br>
      Lots of people try to download the entire Shorewall website for off-line 
  browsing, including the CVS portion. In addition to being an enormous volume 
-  of data (HTML versions of all versions of all Shorewall files), all of
+  of data (HTML versions of all versions of all Shorewall files), all of the
-the   pages in Shorewall CVS access are cgi-generated which places a tremendous
+  pages in Shorewall CVS access are cgi-generated which places a tremendous 
  load on my little server. I have therefore resorted to making CVS access 
 password controlled. When you are asked to log in, enter "Shorewall" (NOTE 
 THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
@ -52,5 +52,6 @@ the   pages in Shorewall CVS access are cgi-generated which places a tremendous
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_Doesnt.html
+++ b/Shorewall-docs/Shorewall_Doesnt.html
@ -16,13 +16,14 @@
     </small>   <small>  </small>  
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
    <tbody>
      <tr>
        <td width="100%"><small>                   </small>             
      <h1 align="center"><small><font color="#ffffff">Some things that Shorewall 
      <b>Cannot</b> Do</font></small></h1>
-       <small>                                                          </small></td>
+        <small>                                                         
      </small></td>
        </tr>
  </tbody> 
@ -46,5 +47,6 @@
    </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@ -11,20 +11,23 @@
  <body>
 <table cellpadding="0" cellspacing="0" border="0" width="100%"
- bgcolor="#400169">
+ bgcolor="#3366ff">
             <tbody>
               <tr>
-              <td valign="middle" width="33%" bgcolor="#400169"><a
+                 <td valign="middle" width="33%" bgcolor="#3366ff"><a
 href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
 alt="" width="88" height="31" hspace="4">
                 </a><br>
                 </td>
-              <td valign="middle" height="90" align="center" width="34%"><font
+                 <td valign="middle" height="90" align="center"
- color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
+ width="34%">       
      <h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
      <h1>                </h1>
       </td>
-              <td valign="middle" height="90" width="33%" align="right"><a
+                 <td valign="middle" height="90" width="33%"
- href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
+ align="right"><a href="http://www.squid-cache.org/"><img
- alt="" width="100" height="31" hspace="4">
+ src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
                 </a><br>
                 </td>
               </tr>
@ -36,7 +39,7 @@
 href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent 
       Proxy</b></u>. If you are running Shorewall 1.3, please see <a
 href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
-          <a href="#DMZ"></a><br>
+             <br>
               <img border="0" src="images/j0213519.gif" width="60"
 height="60" alt="Caution" align="middle">
             &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
@ -49,21 +52,22 @@ to  run   as  a transparent proxy  as described at <a
             <b><br>
             </b><b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
-          &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
+             &nbsp;&nbsp;&nbsp; </b>The following instructions mention the
-  /etc/shorewall/start   and /etc/shorewall/init -- if you don't have those
+ files   /etc/shorewall/start   and /etc/shorewall/init -- if you don't have
-  files, siimply create  them.<br>
+ those   files, siimply create  them.<br>
             <br>
             <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
-           </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
+              </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
- or  in  the  local zone, that zone must be defined ONLY by its interface
+zone   or  in  the  local zone, that zone must be defined ONLY by its interface 
 -- no  /etc/shorewall/hosts   file entries. That is because the packets being
- routed  to the Squid server   still have their original destination IP addresses.<br>
+  routed  to the Squid server   still have their original destination IP
 addresses.<br>
             <br>
             <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
-           </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
+              </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
- Squid    server.<br>
+your   Squid    server.<br>
             <br>
             <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
@ -83,8 +87,8 @@ NAT_ENABLED=Yes<br>
   on  the  Firewall.</a></li>
               <li><a href="Shorewall_Squid_Usage.html#Local">Squid running 
 in  the  local  network</a></li>
-            <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in 
+               <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running 
-the  DMZ</a></li>
+in  the  DMZ</a></li>
 </ol>
@ -142,8 +146,8 @@ the  DMZ</a></li>
               </blockquote>
          There may be a requirement to exclude additional destination hosts
  or networks from being redirected. For example, you might also want requests
-destined for 130.252.100.0/24 to not be routed to Squid. In that case, you 
+  destined for 130.252.100.0/24 to not be routed to Squid. In that case,
-must add a manual rule in /etc/shorewall/start:<br>
+you   must add a manual rule in /etc/shorewall/start:<br>
 <blockquote>            
  <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
@ -152,12 +156,12 @@ must add a manual rule in /etc/shorewall/start:<br>
  rules.<br>
 <h2><a name="Local"></a>Squid Running in the local network</h2>
-             You want to redirect all local www connection requests  to a 
+                You want to redirect all local www connection requests  to
-Squid                                                    transparent     
+ a  Squid                                                    transparent
- proxy   running   in your local zone at 192.168.1.3 and listening on port 
+      proxy   running   in your local zone at 192.168.1.3 and listening on
- 3128.    Your local  interface is eth1. There may also be a web server running
+port   3128.    Your local  interface is eth1. There may also be a web server
- on   192.168.1.3. It is assumed that web access is already enabled from
+running  on   192.168.1.3. It is assumed that web access is already enabled
-the  local   zone to the internet.<br>
+from the  local   zone to the internet.<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with 
       other aspects of your gateway including but not limited to traffic 
@ -255,8 +259,8 @@ please upgrade to Shorewall 1.4.2 or later.<br>
    </table>
                </li>
                      <br>
-    <li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
+       <li>Alternativfely, if you are running Shorewall 1.4.0 you can have
- following policy in place of the above rule:<br>
+ the  following policy in place of the above rule:<br>
    <table cellpadding="2" cellspacing="0" border="1">
                  <tbody>
@ -299,8 +303,8 @@ please upgrade to Shorewall 1.4.2 or later.<br>
              </blockquote>
 <ul>
-             <li>On 192.168.1.3, arrange for the following command to be
+                <li>On 192.168.1.3, arrange for the following command to
-executed     after   networking has come up<br>
+be  executed     after   networking has come up<br>
    <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
                  </li>
@ -321,9 +325,9 @@ executed     after   networking has come up<br>
 <blockquote>  </blockquote>
 <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
-            You have a single Linux system in your DMZ with IP address 192.0.2.177.
+               You have a single Linux system in your DMZ with IP address 
-     You want to run both a web server and Squid on that system. Your DMZ
+192.0.2.177.       You want to run both a web server and Squid on that system. 
-interface     is eth1 and your local interface is eth2.<br>
+Your DMZ  interface     is eth1 and your local interface is eth2.<br>
 <ul>
                 <li>On your firewall system, issue the following command<br>
@ -397,7 +401,8 @@ interface     is eth1 and your local interface is eth2.<br>
      </tbody>                                   
    </table>
            </blockquote>
-       C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
+          C) Run Shorewall 1.3.14 or later and add the following entry in 
 /etc/shorewall/tcrules:<br>
          </blockquote>
 <blockquote>                     
@ -504,8 +509,8 @@ interface     is eth1 and your local interface is eth2.<br>
               </blockquote>
 <ul>
-              <li>On 192.0.2.177 (your Web/Squid server), arrange for the 
+                 <li>On 192.0.2.177 (your Web/Squid server), arrange for
-following     command to be executed after  networking has come up<br>
+the   following     command to be executed after  networking has come up<br>
    <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
                  </li>
@ -528,7 +533,10 @@ following     command to be executed after  networking has come up<br>
 <p><font size="-1">   Updated 6/27/2003 - <a href="support.htm">Tom  Eastep</a> 
                </font></p>
-    <a href="copyright.htm"><font size="2">Copyright</font>           &copy; 
+       <a href="copyright.htm"><font size="2">Copyright</font>          
- <font size="2">2003 Thomas M. Eastep.</font></a><br>
+&copy;    <font size="2">2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
+++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
@ -12,10 +12,11 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                           <tbody>
                            <tr>
                             <td width="100%">                          
      <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
                             </td>
                           </tr>
@ -28,18 +29,18 @@
        The traditional net-tools contain a program called <i>ifconfig</i>
 which    is used to configure network devices. ifconfig introduced the concept
 of   <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
-have   names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and 
+ have   names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0)
-ifconfig   treats them more or less like real interfaces.<br>
+and  ifconfig   treats them more or less like real interfaces.<br>
        <br>
        Example:<br>
 <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55<br>          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0<br>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>          Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
       The ifconfig utility is being gradually phased out in favor of the 
-<i>ip</i>    utility which is part of the <i>iproute </i>package. The ip
+<i>ip</i>    utility which is part of the <i>iproute </i>package. The ip utility
-utility does   not use the concept of aliases or virtual interfaces but rather
+does   not use the concept of aliases or virtual interfaces but rather treats
-treats additional    addresses on an interface as objects. The ip utility
+additional    addresses on an interface as objects. The ip utility does provide
-does provide for interaction   with ifconfig in that it allows addresses
+for interaction   with ifconfig in that it allows addresses to be <i>labeled
-to be <i>labeled </i>and labels  may take the form of ipconfig virtual interfaces.<br>
+</i>and labels  may take the form of ipconfig virtual interfaces.<br>
        <br>
        Example:<br>
        <br>
@ -109,8 +110,8 @@ with  the IP  address.<br>
 <h3>DNAT</h3>
        Suppose that I had set up eth0:0 as above and I wanted to port forward
-  from  that virtual interface to a web server running in my local zone at 
+   from  that virtual interface to a web server running in my local zone
- 192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules 
+at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
  file:<br>
        <br>
@ -185,11 +186,11 @@ with  the IP  address.<br>
          <br>
        </blockquote>
        Shorewall can create the alias (additional address) for you if you
-set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning with 
+ set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
-Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual interface) 
+with  Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
-so   that you can see the  created address using ifconfig. In addition to 
+interface)  so   that you can see the  created address using ifconfig. In
-setting   ADD_SNAT_ALIASES=Yes,  you specify the virtual interface name in 
+addition to  setting   ADD_SNAT_ALIASES=Yes,  you specify the virtual interface
-the INTERFACE   column as follows:<br>
+name in  the INTERFACE   column as follows:<br>
 <blockquote>            
  <table cellpadding="2" cellspacing="0" border="1">
@ -220,6 +221,7 @@ you specify a label in the INTERFACE column, Shorewall will use that label
 for the first address of the range and will increment the label by one for 
 each subsequent label.<br>
 <br>
 <blockquote>            
  <table cellpadding="2" cellspacing="0" border="1">
             <tbody>
@ -288,10 +290,10 @@ The above would create three IP addresses:<br>
        </blockquote>
        Shorewall can create the alias (additional address) for you if you
 set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning with
-Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual interface) 
+ Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
-so   that you can see the  created address using ifconfig. In addition to 
+interface)  so   that you can see the  created address using ifconfig. In
-setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface name in the
+addition to  setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface
-INTERFACE   column as follows:<br>
+name in the INTERFACE   column as follows:<br>
        <br>
 <blockquote>            
@ -384,8 +386,8 @@ you   simply qualify the local zone with the internal IP address.<br>
 as a zone and allow your  firewall/router to route between the two subnetworks.<br>
        <br>
        Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
-and   192.168.20.0/24.  The primary IP address of eth1 is 192.168.1.254 and 
+ and   192.168.20.0/24.  The primary IP address of eth1 is 192.168.1.254
-eth1:0   is 192.168.20.254.  You want to simply route all requests between 
+and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
 the two   subnetworks.<br>
 <h4>If you are running Shorewall 1.4.1 or Later</h4>
@ -527,11 +529,11 @@ the two   subnetworks.<br>
  </table>
          <br>
        </blockquote>
-       Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. 
+        Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
-   The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. 
+192.168.20.0/24.     The primary IP address of eth1 is 192.168.1.254 and
-   You want to make these subnetworks into separate zones and control the
+eth1:0 is 192.168.20.254.     You want to make these subnetworks into separate
- access  between them (the users of the systems do not have administrative
+zones and control the  access  between them (the users of the systems do
- privileges).<br>
+not have administrative  privileges).<br>
        <br>
        In /etc/shorewall/zones:<br>
        <br>
@ -646,5 +648,6 @@ the two   subnetworks.<br>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
    <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -20,18 +20,20 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#4b017c" height="90">
+ bgcolor="#3366ff" height="90">
                                                       <tbody>
                                                        <tr>
-                                                       <td width="100%"
+                                                         <td
- height="90">                                                            
+ width="100%" height="90">                                              
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                                                         </td>
                                                       </tr>
                                                       <tr>
-                                                       <td width="100%"
+                                                         <td
- bgcolor="#ffffff">                                                      
+ width="100%" bgcolor="#ffffff">                                        
      <ul>
                                                           <li> <a
@ -47,7 +49,8 @@
                                                   </li>
                                                   <li> <a
 href="Install.htm">Installation/Upgrade/</a><br>
-                                                   <a href="Install.htm">Configuration</a><br>
+                                                     <a
 href="Install.htm">Configuration</a><br>
                                                   </li>
                                                   <li> <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
@ -94,7 +97,10 @@ Site</a></li>
 target="_top">Chile</a></li>
                        <li><a href="http://shorewall.greshko.com"
 target="_top">Taiwan</a></li>
-              <li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
+                <li><a href="http://argentina.shorewall.net"
 target="_top">Argentina</a></li>
             <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">Brazil</a><br>
             </li>
                                                 <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
@ -141,5 +147,7 @@ Site</a></li>
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -12,15 +12,15 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                     <base target="main">
+                                                             <base
-                                          
+ target="main">                                                 
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#4b017c" height="90">
+ bgcolor="#3366ff" height="90">
                                                      <tbody>
                                                       <tr>
                                                        <td width="100%"
@ -47,13 +47,15 @@
                                                  </li>
                                                  <li> <a
 href="Install.htm">Installation/Upgrade/</a><br>
-                                                  <a href="Install.htm">Configuration</a><br>
+                                                    <a
 href="Install.htm">Configuration</a><br>
                                                  </li>
                                                  <li> <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                                                   </li>
-                                                                        <li>
+                                                                        
-            <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
+         <li>             <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
                                      <li> <a href="FAQ.htm">FAQs</a></li>
                                                           <li><a
@ -93,7 +95,10 @@
 target="_top">Chile</a></li>
                       <li><a href="http://shorewall.greshko.com"
 target="_top">Taiwan</a></li>
-              <li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
+                <li><a href="http://argentina.shorewall.net"
 target="_top">Argentina</a></li>
             <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">Brazil</a><br>
  </li>
                                                <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
@ -140,5 +145,7 @@
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/VPN.htm
+++ b/Shorewall-docs/VPN.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
@ -37,19 +37,18 @@ is shown in the  following diagram:</p>
 </p>
 <p align="left">A system with an RFC 1918 address needs to access a remote 
- network through a remote gateway. For this example, we will assume that
+ network through a remote gateway. For this example, we will assume that the
-the  local system has IP address 192.168.1.12 and that the remote gateway
+ local system has IP address 192.168.1.12 and that the remote gateway has
-has IP  address 192.0.2.224.</p>
+IP  address 192.0.2.224.</p>
 <p align="left">If PPTP is being used, there are no firewall requirements 
 beyond  the default loc-&gt;net ACCEPT policy. There is one restriction however: 
 Only one  local system at a time can be connected to a single remote gateway 
-unless you  patch your kernel from the 'Patch-o-matic' patches available
+unless you  patch your kernel from the 'Patch-o-matic' patches available at
-at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
+<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
 <p align="left">If IPSEC is being used then only one system may connect to 
-the remote gateway and there are firewall configuration  requirements as
+the remote gateway and there are firewall configuration  requirements as follows:</p>
 follows:</p>
 <blockquote>   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -89,16 +88,19 @@ follows:</p>
  </table>
  </blockquote>
-<p>If you want to be able to give access to all of your local systems to
+<p>If you want to be able to give access to all of your local systems to the
-the  remote network, you should consider running a VPN client on your firewall.
+ remote network, you should consider running a VPN client on your firewall. 
 As  starting points, see <a
 href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a> 
 or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
 <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> 
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
 <p> </p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/blacklisting_support.htm
+++ b/Shorewall-docs/blacklisting_support.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
      <tbody>
       <tr>
        <td width="100%">       
@ -31,8 +31,7 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration
+<p>Shorewall static blacklisting support has the following configuration parameters:</p>
 parameters:</p>
 <ul>
      <li>You specify whether you want packets from blacklisted hosts dropped 
@ -95,5 +94,6 @@ Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                       <tbody>
                        <tr>
                         <td width="100%">                       
@ -38,8 +38,8 @@ files on a system running Microsoft Windows, you <u>must</u>
 <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
 <ul>
-                            <li>/etc/shorewall/shorewall.conf - used to set
+                             <li>/etc/shorewall/shorewall.conf - used to
- several     firewall             parameters.</li>
+set  several     firewall             parameters.</li>
                             <li>/etc/shorewall/params - use this file to 
 set   shell    variables     that you will     expand in other files.</li>
                             <li>/etc/shorewall/zones - partition the firewall's 
@ -58,7 +58,8 @@ interfaces      on  the          firewall system.</li>
  to  load   kernel    modules.</li>
                             <li>/etc/shorewall/rules - defines rules that
 are  exceptions      to  the         overall policies established in /etc/shorewall/policy.</li>
-                            <li>/etc/shorewall/nat - defines static NAT rules.</li>
+                             <li>/etc/shorewall/nat - defines static NAT
 rules.</li>
                             <li>/etc/shorewall/proxyarp - defines use of 
 Proxy    ARP.</li>
                             <li>/etc/shorewall/routestopped (Shorewall 1.3.4 
@ -68,18 +69,18 @@ of  packets     for   later   use by     traffic control/shaping or policy
 routing.</li>
                             <li>/etc/shorewall/tos - defines rules for setting 
   the   TOS   field   in packet         headers.</li>
-                            <li>/etc/shorewall/tunnels - defines IPSEC, GRE
+                             <li>/etc/shorewall/tunnels - defines IPSEC,
- and   IPIP   tunnels    with end-points on         the firewall system.</li>
+GRE  and   IPIP   tunnels    with end-points on         the firewall system.</li>
                             <li>/etc/shorewall/blacklist - lists blacklisted 
  IP/subnet/MAC        addresses.</li>
-         <li>/etc/shorewall/init - commands that you wish to execute at the
+          <li>/etc/shorewall/init - commands that you wish to execute at
- beginning   of a "shorewall start" or "shorewall restart".</li>
+the  beginning   of a "shorewall start" or "shorewall restart".</li>
          <li>/etc/shorewall/start - commands that you wish to execute at 
 the   completion  of a "shorewall start" or "shorewall restart"</li>
-         <li>/etc/shorewall/stop - commands that you wish to execute at the
+          <li>/etc/shorewall/stop - commands that you wish to execute at
- beginning   of a "shorewall stop".</li>
+the  beginning   of a "shorewall stop".</li>
-         <li>/etc/shorewall/stopped - commands that you wish to execute at
+          <li>/etc/shorewall/stopped - commands that you wish to execute
- the   completion of a "shorewall stop".</li>
+at  the   completion of a "shorewall stop".</li>
     <li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN 
 - RFC 3168) to remote hosts or networks.<br>
     </li>
@ -90,8 +91,8 @@ the   completion  of a "shorewall start" or "shorewall restart"</li>
 <p>You may place comments in configuration files by making the first non-whitespace 
                character a pound sign ("#"). You may also place comments 
-at   the    end  of any line, again by       delimiting the comment from
+at   the    end  of any line, again by       delimiting the comment from the
-the rest  of   the line  with a pound sign.</p>
+rest  of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -186,8 +187,8 @@ directory if one has been specified for the command.<br>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u> 
          using DNS names in Shorewall configuration files. If you use DNS 
 names      and   you are called out of bed at 2:00AM because Shorewall won't 
- start    as  a result  of DNS problems then don't say that you were not
+ start    as  a result  of DNS problems then don't say that you were not forewarned.
-forewarned.      <br>
+     <br>
                     </b></p>
 <p align="left"><b>    -Tom<br>
@ -197,8 +198,8 @@ forewarned.      <br>
         configuration files may be specified as either IP addresses or DNS 
    Names.<br>
                     <br>
-                   DNS names in iptables rules  aren't nearly as useful as
+                    DNS names in iptables rules  aren't nearly as useful
- they   first    appear.    When a DNS name appears in a rule,  the iptables
+as  they   first    appear.    When a DNS name appears in a rule,  the iptables 
 utility   resolves    the name    to one or more IP addresses and inserts 
  those addresses   into    the rule.  So  changes in the DNS-&gt;IP address 
 relationship  that   occur   after the firewall    has started have absolutely 
@ -218,15 +219,15 @@ forewarned.      <br>
                     </li>
                      <li>Factors totally outside your control (your ISP's
 router    is      down   for example), can prevent your firewall from starting.</li>
-                    <li>You must bring up your network interfaces prior to
+                     <li>You must bring up your network interfaces prior
- starting     your   firewall.<br>
+to  starting     your   firewall.<br>
                     </li>
 </ul>
 <p align="left"> Each DNS name much be fully qualified and include a minumum 
-         of two periods (although one may be trailing). This restriction
+         of two periods (although one may be trailing). This restriction is
-is   imposed       by Shorewall to insure backward compatibility with existing
+  imposed       by Shorewall to insure backward compatibility with existing 
  configuration       files.<br>
                     <br>
                     Examples of valid DNS names:<br>
@ -273,9 +274,9 @@ following the "!".</p>
                             Valid: routefilter,dhcp,norfc1918<br>
                             Invalid: routefilter,     dhcp,            
 norfc1818</li>
-                            <li>If you use line continuation to break a comma-separated
+                             <li>If you use line continuation to break a
-       list,   the          continuation line(s) must begin in column 1 (or
+comma-separated        list,   the          continuation line(s) must begin
-  there     would  be embedded          white space)</li>
+in column 1 (or   there     would  be embedded          white space)</li>
                             <li>Entries in a comma-separated list may appear 
  in  any   order.</li>
@ -289,14 +290,14 @@ an integer or a service name from /etc/services. </p>
 <h2><a name="Ranges"></a>Port Ranges</h2>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
-                port number</i>&gt;:&lt;<i>high port number</i>&gt;. For
+                port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
-example,         if you want to forward the range of tcp ports 4000 through
+        if you want to forward the range of tcp ports 4000 through 4100 to
-4100 to  local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+ local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
                  </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
-    If you omit the low port number, a value of zero is assumed; if you omit
+     If you omit the low port number, a value of zero is assumed; if you
-  the high port number, a value of 65535 is assumed.<br>
+omit   the high port number, a value of 65535 is assumed.<br>
 <h2><a name="Variables"></a>Using Shell Variables</h2>
@ -336,8 +337,8 @@ example,         if you want to forward the range of tcp ports 4000 through
 <p>Media Access Control (MAC)        addresses can be used to specify packet 
         source in several of the        configuration files. To use this
-feature,         your kernel must have MAC        Address Match support (CONFIG_IP_NF_MATCH_MAC)
+ feature,         your kernel must have MAC        Address Match support
-         included.</p>
+(CONFIG_IP_NF_MATCH_MAC)          included.</p>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a   unique
 MAC address.<br>
@ -394,8 +395,8 @@ shorewall      start    or  shorewall     restart command (e.g., <i><b>shorewall
 </ol>
 The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a> 
-allows you to attempt to restart using an alternate configuration and if
+allows you to attempt to restart using an alternate configuration and if an
-an error occurs to automatically restart the standard configuration.<br>
+error occurs to automatically restart the standard configuration.<br>
 <p><font size="2">   Updated 6/29/2003 - <a href="support.htm">Tom  Eastep</a> 
             </font></p>
@ -403,5 +404,6 @@ an error occurs to automatically restart the standard configuration.<br>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
            © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/copyright.htm
+++ b/Shorewall-docs/copyright.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
@ -41,5 +41,6 @@ A copy of the    license is included in the section entitled "<a
   </p>
  </blockquote>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/dhcp.htm
+++ b/Shorewall-docs/dhcp.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
@ -31,16 +31,17 @@
 <ul>
    <li>     
-    <p align="left">Specify the "dhcp" option on each interface to be
+    <p align="left">Specify the "dhcp" option on each interface to be  served
- served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-    file. This will generate rules that will allow DHCP to and from your
+    file. This will generate rules that will allow DHCP to and from your firewall
-firewall system.   </p>
+system.   </p>
   </li>
   <li>     
    <p align="left">When starting "dhcpd", you need to list those     interfaces 
 on the run line. On a RedHat system, this is done by modifying     /etc/sysconfig/dhcpd. 
    </p>
   </li>
 </ul>
 <h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
@ -53,14 +54,14 @@ on the run line. On a RedHat system, this is done by modifying     /etc/sysconfi
 system.      </p>
   </li>
   <li>     
-    <p align="left">If you know that the dynamic address is always going
+    <p align="left">If you know that the dynamic address is always going to
-to be     in the same subnet, you can specify the subnet address in the interface's
+be     in the same subnet, you can specify the subnet address in the interface's 
    entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
    file.   </p>
   </li>
   <li>     
-    <p align="left">If you don't know the subnet address in advance, you
+    <p align="left">If you don't know the subnet address in advance, you should
-should     specify "detect" for the interface's subnet address in the <a
+    specify "detect" for the interface's subnet address in the <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>     file 
 and start Shorewall after the interface has started.   </p>
   </li>
@ -70,6 +71,7 @@ and start Shorewall after the interface has started.   </p>
 command to be executed when a new dynamic IP address gets     assigned to 
 the interface. Check your DHCP client's documentation. </p>
   </li>
 </ul>
 <p align="left"><font size="2">Last updated 11/03/2002 - <a
@ -78,5 +80,6 @@ the interface. Check your DHCP client's documentation. </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                             <tbody>
                              <tr>
                               <td width="100%">                        
@ -53,8 +53,8 @@ for the configuration that most closely matches your own.<br>
         <b>               Linux PPC</b> or     <b> TurboLinux</b> distribution
         with   a  2.4   kernel,   you can use the  RPM version (note: the
          RPM   should   also work  with other distributions that     store 
-  init  scripts in  /etc/init.d  and that             include chkconfig  or
+   init  scripts in  /etc/init.d  and that             include chkconfig 
-  insserv).  If you find  that it works   in other cases, let <a
+or   insserv).  If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that
          I can mention them here. See the   <a href="Install.htm">Installation
      Instructions</a>    if you have problems    installing the RPM.</li>
@ -89,8 +89,9 @@ have a  copy of   the documentation).</li>
 <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY        INSTALL
      THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
-  IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed  configuration 
+   IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed 
-      of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
+configuration        of your firewall, you can enable startup by removing
 the   file /etc/shorewall/startup_disabled.</b></font></p>
 <p><b></b></p>
@ -168,6 +169,17 @@ have a  copy of   the documentation).</li>
          <td valign="top">N/A<br>
          </td>
        </tr>
        <tr>
         <td valign="top">Brazil<br>
         </td>
         <td valign="top">securityopensource.org.br<br>
         </td>
         <td valign="top"><a
 href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
         </td>
         <td valign="top">N/A<br>
         </td>
       </tr>
       <tr>
                                 <td>Washington State, USA</td>
                                 <td>Shorewall.net</td>
@ -204,7 +216,7 @@ and run at shorewall.net.<br>
                     </p>
   </blockquote>
-<p align="left"><font size="2">Last Updated 6/19/2003 - <a
+<p align="left"><font size="2">Last Updated 7/15/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -216,5 +228,7 @@ and run at shorewall.net.<br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.4 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -18,7 +19,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                                    <tbody>
                                    <tr>
                                      <td width="100%">                 
@ -44,9 +45,9 @@
                                                 </li>
                                    <li>                                
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory
+untar the archive, replace the        'firewall' script in the untarred directory 
               with the one you downloaded        below, and then run install.sh.</b></p>
                                                 </li>
                                    <li>                                
@ -58,9 +59,9 @@ the archive, replace the        'firewall' script in the untarred directory
                            <li>                                        
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS 
-            ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
+            ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
-BELOW.       For    example,  do NOT install the 1.3.9a firewall script if
+      For    example,  do NOT install the 1.3.9a firewall script if you are
-you are   running     1.3.7c.</font></b><br>
+  running     1.3.7c.</font></b><br>
                                        </p>
                            </li>
@ -81,17 +82,17 @@ you are   running     1.3.7c.</font></b><br>
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
         on RH7.2</a></font></b></li>
                                    <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
-iptables</a></b></li>
+RedHat iptables</a></b></li>
                                    <li><b><a href="#SuSE">Problems installing/upgrading 
       RPM   on  SuSE</a></b></li>
-                                   <li><b><a href="#Multiport">Problems with
+                                    <li><b><a href="#Multiport">Problems
-  iptables     version     1.2.7    and       MULTIPORT=Yes</a></b></li>
+with   iptables     version     1.2.7    and       MULTIPORT=Yes</a></b></li>
                              <li><b><a href="#NAT">Problems with RH Kernel 
 2.4.18-10      and   NAT</a></b></li>
-   <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and REJECT 
+    <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
-(also applies to 2.4.21-RC1) <img src="images/new10.gif" alt="(New)"
+REJECT  (also applies to 2.4.21-RC1) <img src="images/new10.gif"
- width="28" height="12" border="0">
+ alt="(New)" width="28" height="12" border="0">
      </a><br>
      </b></li>
@ -109,8 +110,8 @@ iptables</a></b></li>
 have an empty second column (HOSTS). This problem may be corrected by installing
        <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall
-described above.</li>
+as described above.</li>
   <li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones 
 file. This problem may be corrected by installing <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@ -127,8 +128,8 @@ file. This problem may be corrected by installing <a
 href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
        <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall
-described above.<br>
+as described above.<br>
      </li>
 </ul>
@ -138,8 +139,8 @@ described above.<br>
 <ul>
       <li> If you have zone names that are 5 characters long, you may experience 
-  problems starting Shorewall because the --log-prefix in a logging rule
+  problems starting Shorewall because the --log-prefix in a logging rule is
-is   too long. Upgrade to Version 1.4.4a to fix this problem..</li>
+  too long. Upgrade to Version 1.4.4a to fix this problem..</li>
 </ul>
@ -148,10 +149,11 @@ is   too long. Upgrade to Version 1.4.4a to fix this problem..</li>
 <ul>
        <li>The LOGMARKER variable introduced in version 1.4.3 was intended 
 to  allow integration of Shorewall with Fireparse (http://www.firewparse.com).
-  Unfortunately, LOGMARKER only solved part of the integration problem. I 
+   Unfortunately, LOGMARKER only solved part of the integration problem.
-have  implimented a new LOGFORMAT variable which will replace LOGMARKER which 
+I  have  implimented a new LOGFORMAT variable which will replace LOGMARKER
-has  completely solved this problem and is currently in production with fireparse 
+which  has  completely solved this problem and is currently in production
-  here at shorewall.net. The updated files may be found at <a
+with fireparse    here at shorewall.net. The updated files may be found at
    <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
   See the 0README.txt file for details.<br>
@ -162,12 +164,12 @@ has  completely solved this problem and is currently in production with firepars
 <h3>1.4.2</h3>
 <ul>
-         <li>When an 'add' or 'delete' command is executed, a temporary directory 
+          <li>When an 'add' or 'delete' command is executed, a temporary
-   created in /tmp is not being removed. This problem may be corrected by 
+directory     created in /tmp is not being removed. This problem may be corrected
-installing       <a
+by  installing       <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall
-described above. <br>
+as described above. <br>
          </li>
 </ul>
@ -175,9 +177,9 @@ described above. <br>
 <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
 <ul>
-          <li>Some TCP requests are rejected in the 'common' chain with an
+           <li>Some TCP requests are rejected in the 'common' chain with
- ICMP   port-unreachable response rather than the more appropriate TCP RST
+an  ICMP   port-unreachable response rather than the more appropriate TCP
- response.   This problem is corrected in <a
+RST  response.   This problem is corrected in <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
 target="_top">this updated common.def file</a> which may be installed in 
   /etc/shorewall/common.def.<br>
@ -262,8 +264,8 @@ I  have     also     built            an <a
  </ul>
                                            </blockquote>
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18               and
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
-RedHat iptables</h3>
+and RedHat iptables</h3>
 <blockquote>                                  
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 
@ -299,12 +301,12 @@ RedHat iptables</h3>
 <p>The iptables 1.2.7 release of iptables has made         an incompatible
     change to the syntax used to            specify multiport match rules;
- as   a consequence,                   if you install iptables 1.2.7 you must
+  as   a consequence,                   if you install iptables 1.2.7 you
-  be  running                           Shorewall 1.3.7a or later or:</p>
+must   be  running                           Shorewall 1.3.7a or later or:</p>
 <ul>
-                                                                <li>set MULTIPORT=No
+                                                                 <li>set
-      in                                   /etc/shorewall/shorewall.conf;
+MULTIPORT=No       in                                   /etc/shorewall/shorewall.conf; 
 or     </li>
                                                                 <li>if you 
 are   running     Shorewall      1.3.6    you may                       
@ -327,26 +329,27 @@ or     </li>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
                            The solution is to put "no" in the LOCAL column.
  Kernel    support     for   LOCAL=yes   has never worked properly and 2.4.18-10 
-  has    disabled  it.   The  2.4.19 kernel   contains corrected support
+  has    disabled  it.   The  2.4.19 kernel   contains corrected support under
-under   a  new  kernel configuraiton    option; see <a
+  a  new  kernel configuraiton    option; see <a
 href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
  <br>
-<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
+<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
-(also applies to 2.4.21-RC1)</b></h3>
+REJECT (also applies to 2.4.21-RC1)</b></h3>
  Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
-is broken. The symptom most commonly seen is that REJECT rules act just like 
+ is broken. The symptom most commonly seen is that REJECT rules act just
-DROP rules when dealing with TCP. A kernel patch and precompiled modules to
+like  DROP rules when dealing with TCP. A kernel patch and precompiled modules
-fix this problem are available at <a
+to fix this problem are available at <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
 <hr>                    
-<p><font size="2">  Last updated 6/13/2003 -   <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">  Last updated 6/13/2003 -   <a href="support.htm">Tom
-</p>
+Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata_1.htm
+++ b/Shorewall-docs/errata_1.htm
@ -1,215 +1,196 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Errata for Version 1</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Shorewall Errata for Version 1.1</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Errata for Version
 1.1</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-      <h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
+<h3 align="left"><font color="#660066"><u>To those of you who downloaded
-to Sept 20, 2001:</u></font></h3>
+the 1.1.13 updated firewall script prior to Sept 20, 2001:</u></font></h3>
 <blockquote>          
-
+  <p align="left">Prior to 20:00 20 Sept 2001 GMT, the link under 1.1.13
-        <p align="Left">Prior
+pointed to   a broken version of the firewall script. This has now been corrected.
-to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to   a broken version
+I apologize for any confusion this may have caused.</p>
 of the firewall script. This has now been corrected. I apologize for any confusion
 this may have caused.</p>
    </blockquote>
-          <h3 align="Left">Version 1.1.18</h3>
+<h3 align="left">Version 1.1.18</h3>
 <blockquote>            
-
+  <p align="left">In the original .lrp, /etc/init.d/shorewall was not   
          <p align="Left">In the original .lrp, /etc/init.d/shorewall was not
       secured for execute access. I have replaced the incorrect .lrp   
       (shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
   </blockquote>
-          <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.17</font></h3>
 Version 1.1.17</font></h3>
 <blockquote>              
  <p align="left">In             shorewall.conf, ADD_IP_ALIASES was incorrectly
 spelled             IP_ADD_ALIASAES. There is a corrected version of the
 file <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
-            <p align="Left">In
+  <p align="left">This             problem is also corrected in version 1.1.18.</p>
            shorewall.conf, ADD_IP_ALIASES was incorrectly spelled
            IP_ADD_ALIASAES. There is a corrected version of the file <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
            <p align="Left">This
            problem is also corrected in version 1.1.18.</p>
      </blockquote>
-            <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.16</font></h3>
 Version 1.1.16</font></h3>
 <blockquote>               
-              <p align="Left">
+  <p align="left">  The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly
- The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly   spelled IP_ADD_ALIASES
+  spelled IP_ADD_ALIASES in the firewall script. To correct this problem,
-in the firewall script. To correct this problem,   install the <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall">
+  install the <a
- corrected   firewall script</a>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall">  corrected
-  in the location pointed to by the symbolic link   /etc/shorewall/firewall.</p>
+  firewall script</a>   in the location pointed to by the symbolic link 
 /etc/shorewall/firewall.</p>
-              <p align="Left">
+  <p align="left">  This problem is also corrected in version 1.1.17.</p>
 This problem is also corrected in version 1.1.17.</p>
      </blockquote>
-              <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.14-1.1.15</font></h3>
 Version 1.1.14-1.1.15</font></h3>
 <blockquote>                 
-                <p align="Left">
+  <p align="left">  There are no corrections for these versions.</p>
 There are no corrections for these versions.</p>
      </blockquote>
-                <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.13</font></h3>
 Version 1.1.13</font></h3>
 <blockquote>                   
-                  <p align="Left">
+  <p align="left">  The firewall fails to start if a rule with the following
- The firewall fails to start if a rule with the following   format is given:</p>
+  format is given:</p>
-                  <p align="Left">
+  <p align="left">  &lt;disposition&gt;      z1:www.xxx.yyy.zzz    z2   
- &lt;disposition&gt;      z1:www.xxx.yyy.zzz    z2      proto    p1,p2,p3</p>
+  proto    p1,p2,p3</p>
-                  <p align="Left">
+  <p align="left">  To correct this problem, install <a
- To correct this problem, install <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall">
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall">  this
- this   corrected firewall script</a>
+  corrected firewall script</a>   in the location pointed to by the symbolic
-  in the location pointed to by the symbolic link   /etc/shorewall/firewall. </p>
+link   /etc/shorewall/firewall. </p>
      </blockquote>
-                  <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.12</font></h3>
 Version 1.1.12</font></h3>
 <blockquote>                     
-                    <p align="Left">
+  <p align="left">  The LRP version of Shorewall 1.1.12 has the incorrect
- The LRP version of Shorewall 1.1.12 has the incorrect   /etc/shorewall/functions
+  /etc/shorewall/functions file. This incorrect file results in many error
-file. This incorrect file results in many error   messages of the form:</p>
+  messages of the form:</p>
  <blockquote>                       
-                      <p align="Left">
+    <p align="left">  separate_list: not found</p>
 separate_list: not found</p>
                     </blockquote>
-                      <p align="Left"><a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions">
+  <p align="left"><a
- The   correct file may be obtained here</a>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions">  The
- . This problem is also corrected in version 1.1.13.</p>
+  correct file may be obtained here</a>  . This problem is also corrected
 in version 1.1.13.</p>
      </blockquote>
-                      <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.11</font></h3>
 Version 1.1.11</font></h3>
 <blockquote>                         
-                        <p align="Left">
+  <p align="left">  There are no known problems with this version.</p>
 There are no known problems with this version.</p>
      </blockquote>
-                        <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.10</font></h3>
 Version 1.1.10</font></h3>
 <blockquote>                           
-                          <p align="Left">
+  <p align="left">  If the following conditions were met:<br>
 If the following conditions were met:<br>
                           </p>
  <ol>
                              <li>                               
-                              <p align="Left">
+      <p align="left">  A LAN segment attached to the firewall was served
- A LAN segment attached to the firewall was served by a         DHCP server
+by a         DHCP server running on the firewall.</p>
 running on the firewall.</p>
                              </li>
                              <li>                               
-                              <p align="Left">
+      <p align="left">  There were entries in /etc/shorewall/hosts that referred
- There were entries in /etc/shorewall/hosts that referred         to the
+        to the interface to that LAN segment.</p>
 interface to that LAN segment.</p>
                              </li>
  </ol>
-                          <p align="Left">
+  <p align="left">  then up until now it has been necessary to include entries
- then up until now it has been necessary to include entries     for 0.0.0.0
+    for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts.
-and 255.255.255.255 for that interface in /etc/shorewall/hosts. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
+  <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall"> 
- This     version of the firewall script</a>
+ This     version of the firewall script</a>   makes those additions unnecessary
-  makes those additions unnecessary     provided that you simply include
+    provided that you simply include "dhcp" in the options for the     interface
-"dhcp" in the options for the     interface in /etc/shorewall/interfaces.
+in /etc/shorewall/interfaces. Install the script into     the location pointed
-Install the script into     the location pointed to by the symbolic link
+to by the symbolic link /etc/shorewall/firewall.</p>
 /etc/shorewall/firewall.</p>
-                          <p align="Left">
+  <p align="left">  This problem has also been corrected in version 1.1.11.</p>
 This problem has also been corrected in version 1.1.11.</p>
   </blockquote>
-                          <h3 align="Left"><font color="#660066">
+<h3 align="left"><font color="#660066">  Version 1.1.9</font></h3>
 Version 1.1.9</font></h3>
 <ul>
-  <li>The shorewall "hits" command lists extraneous     service names in the final
+   <li>The shorewall "hits" command lists extraneous     service names in
-report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">
+the final report. <a
- This     version of the shorewall script</a>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">  This
-  corrects this problem.<br>
+    version of the shorewall script</a>   corrects this problem.<br>
     </li>
 </ul>
-
+<h3 align="left">Version 1.1.8</h3>
                          <h3 align="Left">Version 1.1.8</h3>
 <ul>
   <li>Under some circumstances, the "dhcp" option on an     interface triggers 
 a bug in the firewall script that results in a     "chain already exists" 
-error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">
+error. <a
- This     version of the firewall script</a>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">  This
-   corrects this problem. Install it into     the location pointed to by
+    version of the firewall script</a>    corrects this problem. Install
-the symbolic link /etc/shorewall/firewall.<br>
+it into     the location pointed to by the symbolic link /etc/shorewall/firewall.<br>
                                 <br>
       This problem is also corrected in version 1.1.9.<br>
     </li>
 </ul>
-
+<h3 align="left">Version 1.1.7</h3>
                          <h3 align="Left">Version 1.1.7</h3>
 <ul>
-  <li>If the /etc/shorewall/rules template from version 1.1.7 is     used, a warning
+   <li>If the /etc/shorewall/rules template from version 1.1.7 is     used,
-message appears during firewall startup:<br>
+a warning message appears during firewall startup:<br>
                                 <br>
           Warning: Invalid Target - rule "@ icmp-unreachable     packet." 
 ignored<br>
                                 <br>
       This warning may be eliminated by replacing the "@" in column 1 of 
    line 17 with "#"</li>
 </ul>
 <blockquote>                             
-                            <p align="Left">
+  <p align="left">  This problem is also corrected in version 1.1.8</p>
 This problem is also corrected in version 1.1.8</p>
                              </blockquote>
-<p align="left"><font size="2">
+<p align="left"><font size="2">  Last updated 12/21/2001 - </font><font
- Last updated 12/21/2001 - </font><font size="2">
+ size="2">  <a href="support.htm">Tom Eastep</a></font> </p>
 <a href="support.htm">Tom Eastep</a></font>
 </p>
 <p align="left"><a href="copyright.htm">
 <font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/errata_2.htm
+++ b/Shorewall-docs/errata_2.htm
@ -2,152 +2,143 @@
 <html>
 <head>
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.2 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
- <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="90" bgcolor="#400169">
+  
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" height="90" bgcolor="#3366ff">
    <tbody>
    <tr>
      <td width="100%">      
-     <h1 align="center"><font color="#FFFFFF">Shorewall 1.2 Errata</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall 1.2 Errata</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
- <p align="center">
+<p align="center">   <font face="Century Gothic, Arial, Helvetica">     
  <font face="Century Gothic, Arial, Helvetica">
  <b><u>IMPORTANT</u></b></font></p>
- <p align="center">
+<p align="center">        <b><u>If you use a Windows system to download a
-
+corrected     script, be sure to run the script through <a
-      <b><u>If you use a Windows system to download a corrected     script, be sure to
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>   
 run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
 dos2unix</a>
  after you have moved it to your Linux system.</u></b></p>
- <p align="center">
+<p align="center">        <u><b>When the instructions say to install a corrected
-
+firewall script in       /etc/shorewall/firewall, use the 'cp' (or 'scp')
-      <u><b>When the instructions say to install a corrected firewall script in
+utility to overwrite the       existing file. DO NOT REMOVE OR RENAME THE
-      /etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
+OLD /etc/shorewall/firewall       before you do that. /etc/shorewall/firewall
-      existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
+is a symbolic link that points       to the 'shorewall' file used by your
-      before you do that. /etc/shorewall/firewall is a symbolic link that points
+system initialization scripts to       start Shorewall during boot and it
-      to the 'shorewall' file used by your system initialization scripts to
+is that file that must be overwritten       with the corrected script. </b></u></p>
      start Shorewall during boot and it is that file that must be overwritten
      with the corrected script. </b></u></p>
 <ul>
    <li>            
-
+    <h3 align="left"><font color="#660066">  <a href="errata_1.htm">  Problems
-          <h3 align="Left"><font color="#660066">
+in Version 1.1</a></font></h3>
 <a href="errata_1.htm">
 Problems in Version 1.1</a></font></h3>
     </li>
    <li>            
-
+    <h3 align="left"><a href="#V1.2">Problems in Version 1.2</a></h3>
          <h3 align="Left"><a href="#V1.2">Problems in Version 1.2</a></h3>
     </li>
    <li>            
-
+    <h3 align="left"><font color="#660066"><a href="#iptables">  Problem
-          <h3 align="Left"><font color="#660066"><a href="#iptables">
+with iptables version 1.2.3</a></font></h3>
 Problem with iptables version 1.2.3</a></font></h3>
     </li>
    <li>            
-
+    <h3 align="left"><a href="#Debug">Problems with kernel 2.4.18 and   
          <h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
       RedHat iptables</a></h3>
     </li>
 </ul>
 <hr>            
 <h3 align="left"><a name="V1.2"></a>Problems in Version 1.2</h3>
-          <h3 align="Left"><a name="V1.2"></a>Problems in Version 1.2</h3>
+<h3 align="left">Version 1.2.13</h3>
          <h3 align="Left">Version 1.2.13</h3>
 <ul>
             <li>            
-
+    <p align="left">Some users have reported problems installing the RPM 
          <p align="Left">Some users have reported problems installing the RPM
         on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even 
-          though a 2.4 kernel RPM is installed. To get around this problem, use
+          though a 2.4 kernel RPM is installed. To get around this problem,
-          the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps
+use           the --nodeps option to rpm (e.g., "rpm -ivh --nodeps      
-          shorewall-1.2-13.noarch.rpm&quot;).<br>
+    shorewall-1.2-13.noarch.rpm").<br>
           <br>
-          The problem stems from the fact that SuSE does not
+           The problem stems from the fact that SuSE does not           include
-          include a package named &quot;kernel&quot; but rather has a number of packages
+a package named "kernel" but rather has a number of packages           that
-          that provide the virtual package &quot;kernel&quot;. Since virtual packages have
+provide the virtual package "kernel". Since virtual packages have       
   no version associated with them, a conflict results. Since the       
   workaround is simple, I don't intend to change the Shorewall package.</p>
              </li>
             <li>            
-
+    <p align="left">Shorewall accepts invalid rules of the form:<br>
          <p align="Left">Shorewall accepts invalid rules of the form:<br>
           <br>
-          <font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; -
+           <font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt;
-          &lt;original ip address&gt;<br>
+all &lt;port number&gt; -           &lt;original ip address&gt;<br>
           <br>
-          </font>The &lt;port number&gt; is ignored with the result that <u>all</u>
+           </font>The &lt;port number&gt; is ignored with the result that
-          connection requests from the &lt;src&gt; zone whose original destination IP
+    <u>all</u>           connection requests from the &lt;src&gt; zone whose
-          address matches the last column are forwarded to the &lt;dest&gt; zone, IP
+original destination IP           address matches the last column are forwarded
-          address &lt;ip addr&gt;.&nbsp;
+to the &lt;dest&gt; zone, IP           address &lt;ip addr&gt;.         
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
+  <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">  
        This corrected firewall script</a> correctly generates an error when 
          such a rule is encountered.</p>
              </li>
 </ul>
 <h3 align="left">Version 1.2.11</h3>
 <ul>
             <li>            
    <p align="left">The 'try' command is broken.             </p>
  </li>
  <li>            
    <p align="left">The usage text printed by the shorewall utility     
     doesn't show the optional timeout for the 'try' command.  </p>
  </li>
 </ul>
-          <h3 align="Left">Version 1.2.11</h3>
+<p align="left">Both problems are corrected by           <a
-
+ href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall"> 
          <ul>
            <li>
          <p align="Left">The 'try' command is broken.</li>
            <li>
          <p align="Left">The usage text printed by the shorewall utility
          doesn't show the optional timeout for the 'try' command.</li>
 </ul>
          <p align="Left">Both problems are corrected by
          <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
         this new version of /sbin/shorewall</a>.</p>
-          <h3 align="Left">Sample Configurations:</h3>
+<h3 align="left">Sample Configurations:</h3>
 <ul>
             <li>            
-
+    <p align="left">There have been several problems with SSH, DNS and  
          <p align="Left">There have been several problems with SSH, DNS and
        ping in the two- and three-interface examples. Before reporting 
         problems with these services, please verify that you have the latest 
-          version of the appropriate sample 'rules' file.</li>
+          version of the appropriate sample 'rules' file.  </p>
  </li>
 </ul>
-          <h3 align="Left">All Versions through 1.2.10</h3>
+<h3 align="left">All Versions through 1.2.10</h3>
 <ul>
             <li>            
-
+    <p align="left">The <a href="PPTP.htm#ServerFW">documentation for   
          <p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
       running PoPToP on the firewall system</a> contained an incorrect entry 
-          in the /etc/shorewall/hosts file. The corrected entry (underlined) is
+          in the /etc/shorewall/hosts file. The corrected entry (underlined)
-          shown here:</li>
+is           shown here:  </p>
  </li>
 </ul>
 <blockquote>    
  <blockquote>      
    <table border="2">
     <tbody>
        <tr>
       <td><b>ZONE</b></td>
       <td><b>HOST(S)</b></td>
@ -161,279 +152,274 @@ dos2unix</a>
     <tr>
       <td>loc</td>
       <td>ppp+:192.168.1.0/24</td>
-      <td>&nbsp;</td>
+       <td> </td>
     </tr>
      </tbody>
    </table>
    </blockquote>
  </blockquote>
-          <h3 align="Left">All Versions through 1.2.8</h3>
+<h3 align="left">All Versions through 1.2.8</h3>
 <ul>
             <li>            
-
+    <p align="left">The shorewall.conf file and the documentation       
          <p align="Left">The shorewall.conf file and the documentation
   incorrectly refer to a parameter in /etc/shorewall/shorewall.conf    
-          called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
+      called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a
-          the corrected online documentation</a>). Users of the rpm should
+ href="Documentation.htm#Conf">see           the corrected online documentation</a>).
-          change the name (and possibly the value) of this parameter so that
+Users of the rpm should           change the name (and possibly the value)
-          Shorewall interacts properly with the SysV init scripts. The
+of this parameter so that           Shorewall interacts properly with the
-          documentation on this web site has been corrected and
+SysV init scripts. The           documentation on this web site has been
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
+corrected and           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf"> 
          here's a corrected version of shorewall.conf</a>.</p>
              </li>
             <li>            
-
+    <p align="left">The documentation indicates that a comma-separated  
          <p align="Left">The documentation indicates that a comma-separated
        list of IP/subnet addresses may appear in an entry in the hosts file. 
-          This is not the case; if you want to specify multiple addresses for a
+          This is not the case; if you want to specify multiple addresses
-          zone, you need to have a separate entry for each address.</p>
+for a           zone, you need to have a separate entry for each address.</p>
              </li>
 </ul>
-          <h3 align="Left">Version 1.2.7</h3>
+<h3 align="left">Version 1.2.7</h3>
-          <p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
+<p align="left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
 <p>If you have installed and started version 1.2.7 then before trying   
       to restart under 1.2.8:</p>
 <ol>
    <li>Look at your /etc/shorewall/shorewall.conf file and note the directory 
-   named in the STATEDIR variable. If that variable is empty, assume
+   named in the STATEDIR variable. If that variable is empty, assume    /var/state/shorewall.</li>
   /var/state/shorewall.</li>
    <li>Remove the file 'lock' in the directory determined in step 1.</li>
 </ol>
 <p>You may now restart using 1.2.8.</p>
-          <h3 align="Left">Version 1.2.6</h3>
+<h3 align="left">Version 1.2.6</h3>
 <ul>
    <li>            
-
+    <p align="left">GRE and IPIP tunnels are broken.    </p>
-          <p align="Left">GRE and IPIP tunnels are broken.</li>
+  </li>
  <li>            
-
+    <p align="left">The following rule results in a start error:<br>
          <p align="Left">The following rule results in a start error:<br>
           <br>
-&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
+     ACCEPT    z1    z2              icmp  </p>
-          icmp</li>
+  </li>
 </ul>
-          <p align="Left">To correct the above problems, install
+<p align="left">To correct the above problems, install           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
+ href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this 
-    corrected firewall script</a> in&nbsp; /etc/shorewall/firewall..<h3 align="Left">Version 1.2.5</h3>
+    corrected firewall script</a> in  /etc/shorewall/firewall..</p>
 <h3 align="left">Version 1.2.5</h3>
 <ul>
    <li>            
-
+    <p align="left">The new ADDRESS column in /etc/shorewall/masq cannot 
-          <p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
+         contain a $-variable name.    </p>
-          contain a $-variable name.</li>
+  </li>
  <li>            
-
+    <p align="left">Errors result if $FW appears in the           /etc/shorewall/policy
-          <p align="Left">Errors result if $FW appears in the
+file.    </p>
-          /etc/shorewall/policy file.</li>
+  </li>
  <li>            
-
+    <p align="left">Using Blacklisting without setting BLACKLIST_LOGLEVEL 
-          <p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
+          results in an error at start time.  </p>
-          results in an error at start time.</li>
+  </li>
 </ul>
-          <p align="Left">To correct the above problems, install
+<p align="left">To correct the above problems, install           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
+ href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this 
-    corrected firewall script</a> in  /etc/shorewall/firewall.<p align="Left">&nbsp;<ul>
+    corrected firewall script</a> in  /etc/shorewall/firewall.</p>
-   <li>
+<p align="left"> </p>
          <p align="Left">The /sbin/shorewall script produces error messages
          saying that 'mygrep' cannot be found.
          <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
          Here is the correct version of /sbin/shorewall.</a></li>
 </ul>
          <h3 align="Left">Version 1.2.4</h3>
 <ul>
-   <li><p align="Left">This version will not install &quot;out of the box&quot; without
+    <li>            
-    modification. Before attempting to start the
+    <p align="left">The /sbin/shorewall script produces error messages  
-    firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to
+        saying that 'mygrep' cannot be found.           <a
-    refer to /var/lib/shorewall. This only applies to fresh installations -- if
+ href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">  
-    you are upgrading from a previous version of Shorewall, version 1.2.4 will
+        Here is the correct version of /sbin/shorewall.</a>  </p>
-    work without modification.</li>
+  </li>
 </ul>
-          <h3 align="Left">Version 1.2.3</h3>
+<h3 align="left">Version 1.2.4</h3>
 <ul>
    <li>
-    <p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
+    <p align="left">This version will not install "out of the box" without 
-    hosts aren't logged. Install <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
+    modification. Before attempting to start the     firewall, please change
-    corrected firewall script</a> in /etc/shorewall/firewall.</li>
+the STATEDIR in /etc/shorewall/shorewall.conf to     refer to /var/lib/shorewall.
 This only applies to fresh installations -- if     you are upgrading from
 a previous version of Shorewall, version 1.2.4 will     work without modification. 
 </p>
  </li>
 </ul>
 <h3 align="left">Version 1.2.3</h3>
 <ul>
    <li>     
    <p align="left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted 
    hosts aren't logged. Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this 
    corrected firewall script</a> in /etc/shorewall/firewall.  </p>
  </li>
 </ul>
 <blockquote>   
  <p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
   </blockquote>
 <pre>          run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
 <blockquote>   
  <p>to</p>
   </blockquote>
 <pre>          run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
-          <h3 align="Left">Version 1.2.2</h3>
+<h3 align="left">Version 1.2.2</h3>
 <ul>
-   <li>The &quot;shorewall status&quot; command hangs after
+    <li>The "shorewall status" command hangs after           it displays
-          it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
+the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's 
-          a corrected /sbin/shorewall.</a> if&nbsp; you want to simply modify your copy of
+          a corrected /sbin/shorewall.</a> if  you want to simply modify
-          /sbin/shorewall, then at line 445 change this:</li>
+your copy of           /sbin/shorewall, then at line 445 change this:</li>
 </ul>
 <div align="left">            
-
+<pre align="Left">       status)<br>           clear</pre>
          <pre align="Left">       status)
           clear</pre>
   </div>
 <blockquote>            
-
+  <p align="left">to this:</p>
          <p align="Left">to this:</p>
   </blockquote>
 <div align="left">            
-
+<pre align="Left">       status)<br>           get_config<br>           clear</pre>
          <pre align="Left">       status)
           get_config
           clear</pre>
   </div>
 <ul>
-   <li>The &quot;shorewall monitor&quot; command
+    <li>The "shorewall monitor" command     doesn't show the icmpdef chain
-    doesn't show the icmpdef chain - <a href="pub/shorewall/errata/1.2.2/shorewall">this
+- <a href="pub/shorewall/errata/1.2.2/shorewall">this     corrected /sbin/shorewall</a>
-    corrected /sbin/shorewall</a> fixes that problem as well as the status
+fixes that problem as well as the status     problem described above.</li>
-    problem described above.</li>
+  
 </ul>
 <ul>
-   <li>In all 1.2.x versions, the 'CLIENT PORT(S)'
+    <li>In all 1.2.x versions, the 'CLIENT PORT(S)'     column in /etc/shorewall/tcrules
-    column in /etc/shorewall/tcrules is ignored. This is corrected in <a href="/pub/shorewall/errata/1.2.2/firewall">this
+is ignored. This is corrected in <a
-    updated firewall script</a>.&nbsp; Place the script in  /etc/shorewall/firewall. Thanks to Shingo Takeda for
+ href="/pub/shorewall/errata/1.2.2/firewall">this     updated firewall script</a>. 
 Place the script in  /etc/shorewall/firewall. Thanks to Shingo Takeda for 
    spotting this bug.</li>
 </ul>
-          <h3 align="Left">Version 1.2.1</h3>
+<h3 align="left">Version 1.2.1</h3>
 <ul>
-   <li>The new <i>logunclean </i>interface option is not
+    <li>The new <i>logunclean </i>interface option is not           described
-          described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
+in the help text in /etc/shorewall/interfaces. An <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated 
          interfaces file</a> is available.</li>
-   <li>When REJECT is specified in a TCP rule, Shorewall
+    <li>When REJECT is specified in a TCP rule, Shorewall           correctly
-          correctly replies with a TCP RST packet. Previous versions of the
+replies with a TCP RST packet. Previous versions of the           firewall
-          firewall script are broken in the case of a REJECT policy, however; in
+script are broken in the case of a REJECT policy, however; in           REJECT
-          REJECT policy chains, all requests are currently replied to with an
+policy chains, all requests are currently replied to with an           ICMP
-          ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
+port-unreachable packet. <a
-          corrected firewall script</a> replies to TCP requests with TCP RST in
+ href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This 
-   REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
+          corrected firewall script</a> replies to TCP requests with TCP
 RST in    REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
 </ul>
-          <h3 align="Left">Version 1.2.0</h3>
+<h3 align="left">Version 1.2.0</h3>
 <blockquote>            
-
+  <p align="left"><b>Note: </b>If you are upgrading from one of the Beta 
-          <p align="Left"><b>Note: </b>If you are upgrading from one of the Beta
+         RPMs to 1.2.0, you must use the "--oldpackage" option to rpm   
          RPMs to 1.2.0, you must use the &quot;--oldpackage&quot; option to rpm
       (e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
-          <p align="Left">The tunnel script released in version 1.2.0 contained
+  <p align="left">The tunnel script released in version 1.2.0 contained 
-          errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
+         errors -- a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected 
          script</a> is available.</p>
   </blockquote>
 <hr>          
-
+<h3 align="left"><a name="iptables"></a><font color="#660066">  Problem with
-        <h3 align="Left"><a name="iptables"></a><font color="#660066">
+iptables version 1.2.3</font></h3>
 Problem with iptables version 1.2.3</font></h3>
 <blockquote>          
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
        prevent it from working with Shorewall. Regrettably, RedHat released
 this buggy iptables in RedHat   7.2. </p>
-        <p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
+  <p align="left"> I have built a <a
-        prevent it from working with Shorewall. Regrettably,
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-RedHat released this buggy iptables in RedHat   7.2.&nbsp;</p>
+ corrected 1.2.3 rpm which you can download here</a>  and I have also built 
        an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If you are currently
 running RedHat 7.1, you can install either of these RPMs           <b><u>before</u>
  </b>you upgrade to RedHat 7.2.</p>
-        <p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
+  <p align="left"><font face="Century Gothic, Arial, Helvetica"
- corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
+ color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat has   released
-        an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
+an iptables-1.2.4 RPM of their own which you can download from<font
- iptables-1.2.4   rpm which you can download here</a>. If
+ face="Century Gothic, Arial, Helvetica" color="#ff6633">   <a
-you are currently running RedHat 7.1, you can install either of these RPMs
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
-          <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
+  </font>I have installed this RPM   on my firewall and it works fine.</p>
-  <p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
+  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
-  11/9/2001: </b></font>RedHat has
+the patches are available         for download. This <a
-  released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
-  <a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
+    which corrects a problem with parsing of the --log-level specification
-  </font>I have installed this RPM
+while         this <a
-  on my firewall and it works fine.</p>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
        corrects a problem in handling the  TOS target.</p>
-        <p align="Left">If you
+  <p align="left">To install one of the above patches:</p>
        would like to patch iptables 1.2.3 yourself, the patches are available
        for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
    which corrects a problem with parsing of the --log-level specification while
        this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
        corrects a problem in handling the&nbsp; TOS target.</p>
          <p align="Left">To install one of the above patches:</p>
  <ul>
           <li>cd iptables-1.2.3/extensions</li>
           <li>patch -p0 &lt; <i>the-patch-file</i></li>
        </ul>
  </ul>
   </blockquote>
 <h3><a name="Debug"></a>Problems with kernel 2.4.18                     
       and RedHat iptables</h3>
 <blockquote>    
-   <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
+  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18
-   experience the following:</p>
+may    experience the following:</p>
  <blockquote>      
-     <pre># shorewall start
+    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
 Processing /etc/shorewall/shorewall.conf ...
 Processing /etc/shorewall/params ...
 Starting Shorewall...
 Loading Modules...
 Initializing...
 Determining Zones...
 Zones: net
 Validating interfaces file...
 Validating hosts file...
 Determining Hosts in Zones...
 Net Zone: eth0:0.0.0.0/0
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
 Aborted (core dumped)
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
 Aborted (core dumped)
 </pre>
   </blockquote>
   <p>The RedHat iptables RPM is compiled with debugging enabled but the
   user-space debugging code was not updated to reflect recent changes in the
   Netfilter 'mangle' table. You can correct the problem by installing
   <a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
   this iptables RPM</a>. If you are already running a 1.2.5 version of
   iptables, you will need to specify the --oldpackage option to rpm (e.g.,
   &quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
    </blockquote>
-                              <p><font face="Century Gothic, Arial, Helvetica"><font size="2">
+  <p>The RedHat iptables RPM is compiled with debugging enabled but the 
- Last updated 5/24/2002 - </font><font size="2">
+  user-space debugging code was not updated to reflect recent changes in
-                              <a href="support.htm">Tom Eastep</a></font>
+the    Netfilter 'mangle' table. You can correct the problem by installing 
-  </font></p>
+   <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
   this iptables RPM</a>. If you are already running a 1.2.5 version of 
  iptables, you will need to specify the --oldpackage option to rpm (e.g., 
   "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
  </blockquote>
 <p><font face="Century Gothic, Arial, Helvetica"><font size="2">  Last updated
 5/24/2002 - </font><font size="2">                               <a
 href="support.htm">Tom Eastep</a></font>   </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
 </html>
--- a/Shorewall-docs/errata_3.html
+++ b/Shorewall-docs/errata_3.html
@ -2,36 +2,28 @@
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                           <tbody>
                           <tr>
                             <td width="100%">         
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
                             </td>
                           </tr>
  </tbody> 
 </table>
@ -39,8 +31,6 @@
 <ol>
                           <li>       
    <p align="left">          <b><u>I</u>f you use a Windows system to download 
           a corrected     script, be sure to run the script through <u> 
          <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -48,31 +38,26 @@
           it to your Linux system.</b></p>
                                        </li>
                           <li>       
-
+    <p align="left">          <b>If you are installing Shorewall for the first
-
+time and plan to use the        .tgz and install.sh script, you can untar
-    <p align="left">          <b>If you are installing Shorewall for the
+the archive, replace the        'firewall' script in the untarred directory 
 first time and plan to use the        .tgz and install.sh script, you can
 untar the archive, replace the        'firewall' script in the untarred directory
           with the one you downloaded        below, and then run install.sh.</b></p>
                                        </li>
                           <li>       
    <p align="left">          <b>If you are running a Shorewall version earlier 
-    than 1.3.11, when the instructions say to install a corrected
+    than 1.3.11, when the instructions say to install a corrected firewall
-firewall     script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
+    script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
      or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to 
 overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD 
 /etc/shorewall/firewall               or /var/lib/shorewall/firewall  before 
 you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall 
- are symbolic links that point           to the 'shorewall' file used by
+ are symbolic links that point           to the 'shorewall' file used by your
-your  system initialization scripts     to         start Shorewall during
+ system initialization scripts     to         start Shorewall during boot.
-boot. It is  that file that must be overwritten              with the corrected
+It is  that file that must be overwritten              with the corrected 
 script. Beginning with Shorewall 1.3.11, you may rename the existing file 
 before copying in the new file.</b></p>
                   </li>
                   <li>      
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS 
        ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. 
  For    example,  do NOT install the 1.3.9a firewall script if you are running 
@ -94,8 +79,7 @@ before copying in the new file.</b></p>
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
    on RH7.2</a></font></b></li>
                           <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and RedHat iptables</a></b></li>
 RedHat iptables</a></b></li>
                           <li><b><a href="#SuSE">Problems installing/upgrading 
   RPM   on  SuSE</a></b></li>
                           <li><b><a href="#Multiport">Problems with iptables 
@ -109,7 +93,6 @@ RedHat iptables</a></b></li>
 <hr> 
 <h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.14</h3>
 <ul>
@ -122,9 +105,10 @@ RedHat iptables</a></b></li>
 <ul>
    <li>The documentation for the routestopped file claimed that a comma-separated 
-  list could appear in the second column while the code only supported a single
+  list could appear in the second column while the code only supported a
-  host or network address.</li>
+single   host or network address.</li>
-   <li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
+    <li>Log messages produced by 'logunclean' and 'dropunclean' were not
 rate-limited.</li>
    <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't 
 support  the 'maclist' interface option.</li>
    <li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
@ -144,8 +128,8 @@ in /etc/shorewall/masq and the default route is through eth1.<br>
          <li>The 'shorewall add' command produces an error message referring 
  to  'find_interfaces_by_maclist'.</li>
         <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
-      <li>The 'shorewall add' command can fail with "iptables: Index of insertion
+       <li>The 'shorewall add' command can fail with "iptables: Index of
-  too big".<br>
+insertion   too big".<br>
       </li>
 </ul>
@ -182,8 +166,8 @@ support,   post on the users list and I can provide you with a patched version.<
 <ul>
            <li>The .lrp was missing the /etc/shorewall/routestopped file 
--  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects
+--  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this
-this  problem.<br>
+ problem.<br>
            </li>
 </ul>
@ -234,11 +218,11 @@ a fix.<br>
           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
       version of the firewall script</a> may help. Please report any cases 
-  where     installing this script in /usr/lib/shorewall/firewall solved
+  where     installing this script in /usr/lib/shorewall/firewall solved your
-your   connection     problems. Beginning with version 1.3.10, it is safe
+  connection     problems. Beginning with version 1.3.10, it is safe to save
-to save   the old version     of /usr/lib/shorewall/firewall before copying
+  the old version     of /usr/lib/shorewall/firewall before copying in the
-in the  new one since /usr/lib/shorewall/firewall     is the real script
+ new one since /usr/lib/shorewall/firewall     is the real script now and
-now and not just a symbolic link to the real script.<br>
+not just a symbolic link to the real script.<br>
                  </li>
 </ul>
@ -301,73 +285,58 @@ loc dmz:10.1.1.1:24        tcp   25 - 10.1.1.1")<br>
  problems. 
 <h3>Version 1.3.7b</h3>
-
+<p>DNAT rules where the source zone is 'fw' ($FW)         result in an error
-<p>DNAT rules where the source zone is 'fw' ($FW)
+message. Installing     <a
        result in an error message. Installing
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                        this corrected firewall script</a> in /var/lib/shorewall/firewall 
                                          as described above corrects this 
 problem.</p>
 <h3>Version 1.3.7a</h3>
-
+<p>"shorewall refresh" is not creating the proper         rule for FORWARDPING=Yes.
-<p>"shorewall refresh" is not creating the proper
+Consequently, after             "shorewall refresh", the firewall will not
-        rule for FORWARDPING=Yes. Consequently, after
+forward                      icmp echo-request (ping) packets. Installing 
            "shorewall refresh", the firewall will not forward
                     icmp echo-request (ping) packets. Installing
                       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                        this corrected firewall script</a> in /var/lib/shorewall/firewall 
                                          as described above corrects this 
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
-
+<p>If "norfc1918" and "dhcp" are both specified as          options on a
-<p>If "norfc1918" and "dhcp" are both specified as
+given interface then RFC 1918           checking is occurring before DHCP
-         options on a given interface then RFC 1918
+checking. This                  means that if a DHCP client broadcasts using
-          checking is occurring before DHCP checking. This
+an                        RFC 1918 source address, then the firewall will 
                 means that if a DHCP client broadcasts using an
                       RFC 1918 source address, then the firewall will
                             reject the broadcast (usually logging it). This 
                                          has two problems:</p>
 <ol>
                                                        <li>If the firewall 
- is  running     a  DHCP   server,                                   the
+ is  running     a  DHCP   server,                                   the client
-client   won't be   able   to obtain   an IP  address
+  won't be   able   to obtain   an IP  address               lease  from
-              lease  from that   server.</li>
+that   server.</li>
                                                        <li>With this order 
 of  checking,      the   "dhcp"                                   option 
-cannot  be used as   a  noise-reduction
+cannot  be used as   a  noise-reduction    measure  where there   are  both
-   measure  where there   are  both dynamic and    static
+dynamic and    static                   clients  on a LAN segment.</li>
                  clients  on a LAN segment.</li>
 </ol>
 <p>                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                        This version of the 1.3.7a firewall script </a> 
-                                         corrects the problem. It must be
+                                        corrects the problem. It must be installed
-installed          in /var/lib/shorewall                                as
+         in /var/lib/shorewall                                as described
-described  above.</p>
+ above.</p>
 <h3>Version 1.3.7</h3>
-
+<p>Version 1.3.7 dead on arrival -- please use      version 1.3.7a and check
-<p>Version 1.3.7 dead on arrival -- please use
+your version against          these md5sums -- if there's a difference, please 
     version 1.3.7a and check your version against
         these md5sums -- if there's a difference, please
                download again.</p>
 <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
 <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; 
@ -380,15 +349,11 @@ described  above.</p>
 <ul>
                                    <li>       
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf, 
           an error occurs when the firewall            script attempts to 
 add    an   SNAT   alias.  </p>
                         </li>
                         <li>       
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options 
          cause errors during startup when Shorewall is run with iptables 
           1.2.7. </p>
@ -398,9 +363,8 @@ described  above.</p>
 <p align="left">These problems are fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
-       this correct firewall script</a> which must be installed in
+    this correct firewall script</a> which must be installed in      /var/lib/shorewall/
-     /var/lib/shorewall/ as described above. These problems are also
+as described above. These problems are also        corrected in version 1.3.7.</p>
       corrected in version 1.3.7.</p>
 <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
@ -445,8 +409,7 @@ described  above.</p>
 <h3 align="left">Version 1.3.5</h3>
-<p align="left">REDIRECT rules are broken in this version. Install
+<p align="left">REDIRECT rules are broken in this version. Install     <a
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
    this corrected firewall script</a> in /var/lib/pub/shorewall/firewall 
                      as instructed above. This problem is corrected in version 
@ -455,29 +418,29 @@ described  above.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
-         to not verify that the zones named in the /etc/shorewall/policy
+       to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                      changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
-<p align="left">If you have upgraded from Shorewall 1.2 and after
+<p align="left">If you have upgraded from Shorewall 1.2 and after     "Activating
-    "Activating rules..." you see the message: "iptables: No            chains/target/match
+rules..." you see the message: "iptables: No            chains/target/match 
           by that name" then you probably have an entry in            /etc/shorewall/hosts 
           that specifies an interface that you didn't            include 
 in   /etc/shorewall/interfaces.        To correct this problem, you     
 must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 
- and             later versions produce a clearer error    message    in
+and             later versions produce a clearer error    message    in this
-this  case.</p>
+ case.</p>
 <h3 align="left">Version 1.3.2</h3>
-<p align="left">Until approximately 2130 GMT on 17 June 2002, the
+<p align="left">Until approximately 2130 GMT on 17 June 2002, the     download
-    download sites contained an incorrect version of the .lrp file. That
+sites contained an incorrect version of the .lrp file. That            file
-           file can be identified by its size (56284 bytes). The correct
+can be identified by its size (56284 bytes). The correct version        
-version            has a size of 38126 bytes.</p>
+   has a size of 38126 bytes.</p>
 <ul>
                                    <li>The code to detect a duplicate interface 
@ -495,8 +458,6 @@ it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 <ul>
                                    <li>       
    <p align="left">The IANA have just announced the allocation of subnet 
                      221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
@ -513,10 +474,10 @@ it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
  (i.e.,    each              packet is sent through the limit chain twice).</li>
                                    <li>An unnecessary jump to the policy 
 chain    is  sometimes                 generated for a CONTINUE policy.</li>
-                                   <li>When an option is given for more than
+                                    <li>When an option is given for more
-  one   interface      in               /etc/shorewall/interfaces then depending
+than   one   interface      in               /etc/shorewall/interfaces then
-   on the option,     Shorewall                may ignore all but the first
+depending    on the option,     Shorewall                may ignore all but
-  appearence of the   option.  For example:<br>
+the first   appearence of the   option.  For example:<br>
                                    <br>
                                    net    eth0    dhcp<br>
                                    loc    eth1    dhcp<br>
@ -567,21 +528,18 @@ The "shorewall    version"  command   will tell    you which version
           iptables version 1.2.3</font></h3>
 <blockquote>    
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
-                   prevent it from working with Shorewall. Regrettably,  RedHat
+                   prevent it from working with Shorewall. Regrettably, 
-      released    this buggy iptables in RedHat   7.2. </p>
+RedHat       released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
            corrected 1.2.3 rpm which you can download here</a>  and I have 
  also     built            an <a
- href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
+ href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+  rpm which you can download here</a>. If  you are currently            running
-           running RedHat 7.1, you can install either of these RPMs
+RedHat 7.1, you can install either of these RPMs         <b><u>before</u>
-        <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
+       </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat 
           has   released an iptables-1.2.4 RPM of their own which you can 
@ -590,7 +548,6 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
             </font>I have installed this RPM   on my firewall and it works 
  fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself, 
           the patches are available         for download. This <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
@ -599,71 +556,54 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
                   corrects a problem in handling the  TOS target.</p>
  <p align="left">To install one of the above patches:</p>
  <ul>
                                  <li>cd iptables-1.2.3/extensions</li>
                                  <li>patch -p0 &lt; <i>the-patch-file</i></li>
  </ul>
                                   </blockquote>
 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
 and RedHat iptables</h3>
 <blockquote>    
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 
           may     experience the following:</p>
  <blockquote>      
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                           </blockquote>
  <p>The RedHat iptables RPM is compiled with debugging enabled but the 
 user-space debugging code was not updated to reflect recent changes in 
-           the     Netfilter 'mangle' table. You can correct the problem
+          the     Netfilter 'mangle' table. You can correct the problem by
-by   installing            <a
+  installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
              this iptables RPM</a>. If you are already running a 1.2.5 version 
      of       iptables, you will need to specify the --oldpackage option 
 to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                         </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading 
           RPM on SuSE</h3>
-
+<p>If you find that rpm complains about a conflict          with kernel &lt;=
-<p>If you find that rpm complains about a conflict
+2.2 yet you have a 2.4 kernel                installed, simply use the "--nodeps"
-         with kernel &lt;= 2.2 yet you have a 2.4 kernel
+option to                     rpm.</p>
               installed, simply use the "--nodeps" option to
                    rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <h3><a name="Multiport"></a><b>Problems with    iptables version 1.2.7 and
 MULTIPORT=Yes</b></h3>
-<h3><a name="Multiport"></a><b>Problems with
+<p>The iptables 1.2.7 release of iptables has made          an incompatible
-   iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
+change to the syntax used to             specify multiport match rules; as
-
+a consequence,                    if you install iptables 1.2.7 you must
-
+be running                            Shorewall 1.3.7a or later or:</p>
 <p>The iptables 1.2.7 release of iptables has made
         an incompatible change to the syntax used to
            specify multiport match rules; as a consequence,
                   if you install iptables 1.2.7 you must be running
                           Shorewall 1.3.7a or later or:</p>
 <ul>
                                                        <li>set MULTIPORT=No 
@ -679,8 +619,8 @@ to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                      </h3>
-                  /etc/shorewall/nat entries of the following form will result
+                   /etc/shorewall/nat entries of the following form will
-   in  Shorewall     being unable to start:<br>
+result    in  Shorewall     being unable to start:<br>
                   <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -692,8 +632,8 @@ support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has
 disabled  it.   The  2.4.19 kernel   contains corrected support under a new 
 kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 3/8/2003 -
+<p><font size="2">  Last updated 3/8/2003 - <a href="support.htm">Tom Eastep</a></font>
-<a href="support.htm">Tom Eastep</a></font> </p>
+</p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -711,5 +651,6 @@ kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.s
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/fallback.htm
+++ b/Shorewall-docs/fallback.htm
@ -1,74 +1,77 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Fallback and Uninstall</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
   <tbody>
    <tr>
     <td width="100%">  
-
+      <h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
 <h1 align="center"><font color="#FFFFFF">Fallback and Uninstall</font></h1>
      </td>
   </tr>
  </tbody>
 </table>
-<p><strong>Shorewall includes
+<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
-a </strong><a href="#fallback"><strong>fallback script</strong></a><strong>
+script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
-and an </strong><a href="#uninstall"><strong>uninstall script</strong></a><strong>.</strong></p>
+script</strong></a><strong>.</strong></p>
 <h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall 
 using the Fallback Script</h2>
-<p>If you install Shorewall and discover that
+<p>If you install Shorewall and discover that it doesn't work for you, you
-it doesn't work for you, you can fall back to your previously
+can fall back to your previously installed version. To do that:</p>
 installed version. To do that:</p>
 <ul>
-  <li>cd to the distribution directory for the version
+   <li>cd to the distribution directory for the version         of Seattle
-        of Seattle Firewall <u>that you are
+Firewall <u>that you are         currently running </u>(NOT the version 
        currently running </u>(NOT the version
       that you want to fall back to).</li>
-  <li>Type &quot;./fallback.sh&quot;</li>
+   <li>Type "./fallback.sh"</li>
 </ul>
-<h3><strong><u>Warning:</u> The fallback script
+<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
-will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces,
+/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
-/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
+and /etc/shorewall/masq with the version of these files from before the current
-these files from before the current version was installed. Any
+version was installed. Any changes to any of these files will be lost.</strong></h3>
 changes to any of these files will be lost.</strong></h3>
 <h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using 
 rpm</h2>
-<p>If your previous version of Shorewall was
+<p>If your previous version of Shorewall was installed using RPM, you may
-installed using RPM, you may fall back to that version by typing
+fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
-&quot;rpm -Uvh --force &lt;old rpm&gt;&quot; at a root shell
+a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
-prompt (Example: &quot;rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm&quot; would fall back to the 3.1-0
+would fall back to the 3.1-0 version of Shorewall).</p>
 version of Shorewall).</p>
 <h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
-<p>If you no longer wish to use Shorewall, you
+<p>If you no longer wish to use Shorewall, you may remove it by:</p>
 may remove it by:</p>
 <ul>
-  <li>cd to the distribution directory for the version
+   <li>cd to the distribution directory for the version         of Shorewall
-        of Shorewall that you have installed.</li>
+that you have installed.</li>
-  <li>type &quot;./uninstall.sh&quot;</li>
+   <li>type "./uninstall.sh"</li>
 </ul>
-<p>If you installed using an rpm, at a root shell prompt
+<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
 type &quot;rpm -e shorewall&quot;.</p>
-<p><font size="2">Last updated 3/26/2001 - </font><font size="2">
+<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
-<a href="support.htm">Tom
+ href="support.htm">Tom Eastep</a></font> </p>
-Eastep</a></font> </p>
+ <a href="copyright.htm"><font size="2">Copyright</font> © <font
-<a href="copyright.htm"><font size="2">Copyright</font>
+ size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
+</body>
 </html>
--- a/Shorewall-docs/gnu_mailman.htm
+++ b/Shorewall-docs/gnu_mailman.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
      <tbody>
       <tr>
        <td width="100%">       
@ -75,5 +75,6 @@ included with Mailman-2.1.
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/images/CorpNetwork.gif
+++ b/Shorewall-docs/images/CorpNetwork.gif
--- a/Shorewall-docs/kernel.htm
+++ b/Shorewall-docs/kernel.htm
@ -1,32 +1,46 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Kernel Configuration</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Kernel Configuration</font></h1>
+      <h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<p>For information regarding configuring and building GNU/Linux kernels, see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
+ 
 <p>For information regarding configuring and building GNU/Linux kernels,
 see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
 <p>Here's a screen shot of my Network Options Configuration:</p>
 <blockquote>
  <p>&nbsp;<img border="0" src="images/netopts.jpg" width="609" height="842"></p>
 </blockquote>
 <p>While not all of the options that I've selected are required, they should be
 sufficient for most applications. Here's an excerpt from the corresponding .config
 file (Note: If you are running a kernel older than 2.4.17, be sure to select
 CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
 <blockquote>   
-  <font SIZE="2">
+  <p> <img border="0" src="images/netopts.jpg" width="609" height="842">
  </p>
 </blockquote>
 <p>While not all of the options that I've selected are required, they should
 be sufficient for most applications. Here's an excerpt from the corresponding
 .config file (Note: If you are running a kernel older than 2.4.17, be sure
 to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
 <blockquote>   <font size="2">   
  <p>#<br>
   # Networking options<br>
   #<br>
@ -55,16 +69,18 @@ CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
   # CONFIG_ARPD is not set<br>
   CONFIG_INET_ECN=y<br>
   CONFIG_SYN_COOKIES=y</p>
-  </font>
+   </font> </blockquote>
 </blockquote>
 <p>Here's a screen shot of my Netfilter configuration:</p>
 <blockquote>
-<p><img border="0" src="images/menuconfig.jpg" width="609" height="842"></p>
+<blockquote>  
  <p><img border="0" src="images/menuconfig.jpg" width="609"
 height="842">
  </p>
 </blockquote>
 <p>Here's an excerpt from the corresponding .config file.</p>
 <blockquote>   
  <p><font size="2">#<br>
   #   IP: Netfilter Configuration<br>
@ -98,12 +114,15 @@ CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
   # CONFIG_IPV6 is not set</font><font face="Courier"><br>
   </font></p>
 </blockquote>
-<p>Note that I have built everything I need into the kernel except for the FTP
+ 
-connection tracking and NAT modules. I have also run successfully with all of
+<p>Note that I have built everything I need into the kernel except for the
-the options selected above built as modules:</p>
+FTP connection tracking and NAT modules. I have also run successfully with
 all of the options selected above built as modules:</p>
 <blockquote>   
-  <p><img border="0" src="images/menuconfig1.jpg" width="609" height="842"></p>
+  <p><img border="0" src="images/menuconfig1.jpg" width="609"
 height="842">
  </p>
  <p><font size="2">#<br>
   #   IP: Netfilter Configuration<br>
@ -136,11 +155,11 @@ the options selected above built as modules:</p>
   CONFIG_IP_NF_TARGET_TCPMSS=m<br>
   # CONFIG_IPV6 is not set<br>
   </font></p>
  </blockquote>
-<p><font size="2">Last updated 3/10/2002 - </font><font size="2">
+<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <a
-<a href="support.htm">Tom
+ href="support.htm">Tom Eastep</a></font> </p>
-Eastep</a></font> </p>
+ <a href="copyright.htm"><font size="2">Copyright</font> © <font
-<a href="copyright.htm"><font size="2">Copyright</font>
+ size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
+</body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -16,7 +16,7 @@
 </head>
  <body>
-<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
+<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
 style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
 border="0">
                                   <tbody>
@ -50,12 +50,14 @@
 height="84" alt="(Postfix Logo)">
                                      </a><br>
      <div align="left"><a href="http://www.spamassassin.org"><img
 src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
 border="0">
                     </a> </div>
                     <br>
      <div align="right"><b><font color="#ffffff"><br>
        </font></b><br>
                        </div>
@ -75,14 +77,14 @@
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
-<p align="left">You can report such problems by sending mail to tmeastep
+<p align="left">You can report such problems by sending mail to tmeastep at
-at hotmail dot com.</p>
+hotmail dot com.</p>
 <h2>A Word about the SPAM Filters at Shorewall.net <a
 href="http://osirusoft.com/"> </a></h2>
-<p>Please note that the mail server                     at shorewall.net
+<p>Please note that the mail server                     at shorewall.net checks
-checks incoming mail:<br>
+incoming mail:<br>
                            </p>
 <ol>
@ -92,8 +94,8 @@ checks incoming mail:<br>
                      </li>
                              <li>to ensure that the sender address is fully
  qualified.</li>
-                             <li>to verify that the sender's domain has an
+                              <li>to verify that the sender's domain has
- A  or  MX  record    in  DNS.</li>
+an  A  or  MX  record    in  DNS.</li>
                              <li>to ensure that the host name in the HELO/EHLO 
   command    is  a  valid    fully-qualified  DNS name that resolves.</li>
@ -101,8 +103,8 @@ checks incoming mail:<br>
 <h2>Please post in plain text</h2>
                      A growing number of MTAs serving list subscribers are 
- rejecting     all   HTML   traffic. At least one MTA has gone so far as
+ rejecting     all   HTML   traffic. At least one MTA has gone so far as to
-to  blacklist  shorewall.net     "for  continuous abuse" because it has been
+ blacklist  shorewall.net     "for  continuous abuse" because it has been 
 my policy to  allow HTML in  list   posts!!<br>
                      <br>
                      I think that blocking all HTML is a Draconian way to
@ -110,10 +112,10 @@ control     spam    and   that the ultimate losers here are not the spammers
 but the    list subscribers      whose MTAs are bouncing all shorewall.net
 mail. As   one list subscriber   wrote  to me privately "These e-mail admin's
 need to  get a <i>(explitive   deleted)</i>  life instead of trying to rid
-the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers to
+ the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers
-receive list   posts as must as possible,   I have now  configured the list
+to receive list   posts as must as possible,   I have now  configured the
-server at shorewall.net   to strip all HTML   from outgoing  posts. This
+list server at shorewall.net   to strip all HTML   from outgoing  posts.
-means that  HTML-only posts   will be bounced by  the list server.<br>
+This means that  HTML-only posts   will be bounced by  the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
                   </p>
@ -157,26 +159,26 @@ means that  HTML-only posts   will be bounced by  the list server.<br>
 name="words" value="">    <input type="submit" value="Search"> </p>
                                </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the
+<h2 align="left"><font color="#ff0000">Please do not try to download the entire
-entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
+Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-won't stand the traffic. If I catch you, you will be blacklisted.<br>
+stand the traffic. If I catch you, you will be blacklisted.<br>
                         </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
                              If you want to trust X.509 certificates issued
- by  Shoreline     Firewall     (such   as the one used on my web site), you
+  by  Shoreline     Firewall     (such   as the one used on my web site),
- may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a> 
+you  may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
               in your browser. If you don't wish to trust my certificates
-then     you    can    either use unencrypted access when subscribing to Shorewall
+ then     you    can    either use unencrypted access when subscribing to
-    mailing    lists    or you can use secure access (SSL) and accept the
+Shorewall     mailing    lists    or you can use secure access (SSL) and
-server's    certificate     when   prompted by your browser.<br>
+accept the server's    certificate     when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users
                to get answers to questions and to report problems. Information
-     of   general       interest to the Shorewall user community is also posted
+      of   general       interest to the Shorewall user community is also
-     to  this list.</p>
+posted      to  this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
                the <a href="http://www.shorewall.net/support.htm">problem
@ -200,9 +202,9 @@ reporting      guidelines</a>.</b></p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
@ -267,10 +269,10 @@ may be found at <a
    <p align="left">Down at the bottom of that page is the following text:
                " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
- a  password      reminder,         or change your subscription options enter 
+  a  password      reminder,         or change your subscription options
-   your subscription              email address:". Enter your email  address 
+enter     your subscription              email address:". Enter your email
-     in the box and click      on the "<b>Unsubscribe</b> or edit options" 
+ address       in the box and click      on the "<b>Unsubscribe</b> or edit
- button.</p>
+options"   button.</p>
                                   </li>
                                   <li>                                 
@ -290,9 +292,10 @@ emailed       to you.</p>
 <p align="left"><font size="2">Last updated 7/7/2003 - <a
 href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
-© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>My Shorewall Configuration</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -16,7 +17,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                               <tbody>
                          <tr>
                                 <td width="100%">                      
@ -36,8 +37,8 @@
  <p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small> 
       use a combination of Static NAT and Proxy ARP, neither of which are 
 relevant      to a simple configuration with a single public IP address.</small></b></big><big><b><small> 
-       If you have just a single public IP address, most of what you see
+       If you have just a single public IP address, most of what you see here
-here     won't   apply to your setup so beware of copying parts of this configuration
+    won't   apply to your setup so beware of copying parts of this configuration 
    and  expecting them to work for you. What you copy may or may not work 
 in   your configuration.<br>
             </small></b></big></p>
@ -73,21 +74,21 @@ and a Wireless   network connected to eth3 (192.168.3.0/24).</p>
 use   the   laptop isn't very far (25 feet or so), using a WAC11 (CardBus 
 wireless   card)   has proved very unsatisfactory (lots of lost connections). 
 By replacing   the  WAC11 with the WET11 wireless bridge, I have virtually 
-eliminated these   problems  (Being an old radio tinkerer (K7JPV), I was
+eliminated these   problems  (Being an old radio tinkerer (K7JPV), I was also
-also able to eliminate   the disconnects by hanging a piece of aluminum foil
+able to eliminate   the disconnects by hanging a piece of aluminum foil on
-on the family room wall.   Needless to say, my wife Tarry rejected that as
+the family room wall.   Needless to say, my wife Tarry rejected that as a
-a permanent solution :-).</li>
+permanent solution :-).</li>
  </ul>
  <p> The firewall runs on a 256MB PII/233 with RH9.0.</p>
-  <p> Wookie  and the Firewall both run Samba and the Firewall acts as a
+  <p> Wookie  and the Firewall both run Samba and the Firewall acts as a WINS
-WINS server.<br>
+server.<br>
       </p>
-  <p>Wookie is in its         own 'whitelist' zone  called 'me' which is
+  <p>Wookie is in its         own 'whitelist' zone  called 'me' which is embedded
-embedded in the local zone.</p>
+in the local zone.</p>
  <p>The wireless network connects to eth3 via a LinkSys WAP11.  In additional 
   to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit 
@ -97,23 +98,23 @@ would probably   add IPSEC or something similar to my WiFi-&gt;local connections
         </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix, 
-          Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and
+          Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an
-an   FTP    server    (Pure-ftpd). The system   also runs fetchmail to fetch
+  FTP    server    (Pure-ftpd). The system   also runs fetchmail to fetch 
 our  email    from our    old and current ISPs. That server is managed through 
  Proxy ARP.</p>
  <p> The firewall system itself runs a DHCP server that serves the local 
-            network. It also runs Postfix which is configured as a Virus
+            network. It also runs Postfix which is configured as a Virus and
-and    Spam filter with all incoming mail then being forwarded to the MTA
+   Spam filter with all incoming mail then being forwarded to the MTA in
-in the    DMZ.</p>
+the    DMZ.</p>
  <p> All administration and publishing is done using ssh/scp. I have X installed 
      on the firewall but no X server or desktop is installed.     X applications
- tunnel through SSH to XWin.exe running on Ursa. The server does have a desktop 
+  tunnel through SSH to XWin.exe running on Ursa. The server does have a
- environment installed and that desktop environment is available via XDMCP 
+desktop   environment installed and that desktop environment is available
- from the local zone. For the most part though, X tunneled through SSH is 
+via XDMCP   from the local zone. For the most part though, X tunneled through
-used for server administration and the server runs at run level 3 (multi-user 
+SSH is  used for server administration and the server runs at run level 3
-console mode on RedHat).</p>
+(multi-user  console mode on RedHat).</p>
  <p> I run an SNMP server on my firewall to serve <a
 href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running 
@ -128,11 +129,12 @@ console mode on RedHat).</p>
  <p>The ethernet interface in the Server is configured         with IP address
     206.124.146.177, netmask    255.255.255.0. The server's default gateway
-  is      206.124.146.254 (Router at my ISP. This is the same           default 
+   is      206.124.146.254 (Router at my ISP. This is the same          
-    gateway used by the firewall itself). On the firewall,               
+default      gateway used by the firewall itself). On the firewall,     
                           Shorewall automatically adds a host route to 
-                 206.124.146.177 through eth1 (192.168.2.1) because     of
+                           206.124.146.177 through eth1 (192.168.2.1) because
-                           the entry in /etc/shorewall/proxyarp (see  below).</p>
+    of                            the entry in /etc/shorewall/proxyarp (see
 below).</p>
  <p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior 
        access.<br>
@ -164,8 +166,8 @@ TEXAS=<i>&lt;ip address of gateway in Dallas&gt;</i><br>LOG=info<br></pre>
 <h3>Interfaces File: </h3>
 <blockquote>                                  
-  <p> This is set up so that I can start the firewall before bringing up my
+  <p> This is set up so that I can start the firewall before bringing up
-Ethernet  interfaces. </p>
+my Ethernet  interfaces. </p>
                           </blockquote>
 <blockquote>                                 
@ -240,5 +242,6 @@ Ethernet  interfaces. </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -12,7 +12,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
          <tbody>
           <tr>
            <td width="100%">                     
@ -23,9 +23,9 @@
  </tbody>   
 </table>
       <br>
-      Shorewall 'Ping' management has evolved over time with the latest change
+       Shorewall 'Ping' management has evolved over time with the latest
-  coming in Shorewall version 1.4.0. To find out which version of Shorewall
+change   coming in Shorewall version 1.4.0. To find out which version of
-you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
+Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall 
 version</b></font>". If that command gives you an error, it's time to upgrade 
 since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
@ -158,8 +158,8 @@ request    is passed to the rules/policy evaluation.</li>
       Example 1. Accept pings from the net to the dmz (pings are responded 
 to  with an ICMP echo-reply):<br>
       <br>
-      &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
+       &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
-   icmp&nbsp;&nbsp;&nbsp; 8<br>
+dmz&nbsp;&nbsp;&nbsp;    icmp&nbsp;&nbsp;&nbsp; 8<br>
       <br>
       Example 2. Drop pings from the net to the firewall<br>
       <br>
@ -167,8 +167,8 @@ request    is passed to the rules/policy evaluation.</li>
   icmp&nbsp;&nbsp;&nbsp; 8<br>
 <h3>Policy Evaluation</h3>
-      If no applicable rule is found, then the policy for the source to the
+       If no applicable rule is found, then the policy for the source to
- destination  is applied.<br>
+the  destination  is applied.<br>
 <ol>
         <li>If the relevant policy is ACCEPT then the request is responded 
@ -186,5 +186,6 @@ request   is either rejected or simply ignored.</li>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
            <tbody>
             <tr>
              <td width="100%">                                   
@ -54,8 +54,8 @@
 <blockquote>               
  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
 to   open TCP Port 53 as well.<br>
-          If you are configuring a server, only open TCP Port 53 if you will 
+            If you are configuring a server, only open TCP Port 53 if you 
- return  long   replies to queries or if you need to enable ZONE transfers. In 
+will   return  long   replies to queries or if you need to enable ZONE transfers. In 
  the  latter   case, be sure that your server is properly configured.</p>
          </blockquote>
@ -81,7 +81,7 @@ to   open TCP Port 53 as well.<br>
     <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
          </blockquote>
-<p>SMTP</p>
+<p>SMTP (Email)</p>
 <blockquote>               
  <p> TCP Port 25.</p>
@ -89,14 +89,21 @@ to   open TCP Port 53 as well.<br>
 <p>RealPlayer<br>
  </p>
 <blockquote>      
  <p>UDP Port 6790 inbound<br>
    </p>
  </blockquote>
 <p>POP3</p>
 <blockquote>               
-  <p>TCP Port 110.</p>
+  <p>TCP Port 110 (Secure = TCP Port 995)<br>
  </p>
 </blockquote>
 <p>IMAP<br>
 </p>
 <blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
 </blockquote>
 <p>TELNET</p>
@ -130,15 +137,15 @@ to   open TCP Port 53 as well.<br>
 href="Documentation.htm#Rules">the   /etc/shorewall/rules documentation</a>,</p>
  <p>For a client, you must open outbound TCP port 21 and be sure that your 
-     kernel is compiled to support FTP connection tracking. If you build this
+      kernel is compiled to support FTP connection tracking. If you build 
-     support as a module, Shorewall will automatically load the module from
+this      support as a module, Shorewall will automatically load the module 
-    /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
+from     /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
           </p>
  <p>If you run an FTP server on a nonstandard port or you need to access 
   such a server, then you must specify that port in /etc/shorewall/modules. 
-  For example, if you run an FTP server that listens on port 49 then you would
+   For example, if you run an FTP server that listens on port 49 then you 
-  have:<br>
+would   have:<br>
           </p>
  <blockquote>                         
@ -192,7 +199,9 @@ starts, then you should include the port list in /etc/modules.conf:<br>
 <p>Traceroute</p>
 <blockquote>               
-  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
+  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
 ICMP type 8 ('ping')<br>
  </p>
          </blockquote>
 <p>NFS<br>
@ -225,16 +234,9 @@ starts, then you should include the port list in /etc/modules.conf:<br>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 7/16/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
          <a href="copyright.htm"><font size="2">Copyright</font>   © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
       <tbody>
        <tr>
         <td width="100%">              
@ -26,12 +26,13 @@
  </tbody>  
 </table>
-  <font size="3">"I have fought with IPtables for untold hours. First I tried
+   <font size="3">"I have fought with IPtables for untold hours. First I
-the SuSE firewall, which worked for 80% of what I needed. Then gShield, which
+tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
-also worked for 80%. Then I set out to write my own IPtables parser in shell
+which also worked for 80%. Then I set out to write my own IPtables parser
-and awk, which was a lot of fun but never got me past the "hey, cool" stage.
+in shell and awk, which was a lot of fun but never got me past the "hey,
-Then I discovered Shorewall. After about an hour, everything just worked.
+cool" stage. Then I discovered Shorewall. After about an hour, everything
-I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
+just worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
 <p>"The configuration is intuitive and flexible, and much easier than any
 of the other iptables-based firewall programs out there. After sifting through
 many other scripts, it is obvious that yours is the most well thought-out
@ -63,37 +64,37 @@ network configuration info. That really helped me out alot.       THANKS!!!"
       </p>
 <p>"Never in my +12 year career as a sys admin have I witnessed       someone
- so relentless in developing a secure, state of the art, safe and       useful 
+  so relentless in developing a secure, state of the art, safe and      
- product as the Shorewall firewall package for no cost or obligation   involved."
+useful   product as the Shorewall firewall package for no cost or obligation
-- Mario Kerecki, Toronto           </p>
+  involved." -- Mario Kerecki, Toronto           </p>
 <p>"one time more to report, that your great shorewall in the latest    release 
      1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines 
 up       and running with shorewall on several versions - starting with 1.2.2 
-up to       the new 1.2.9 and I never have encountered any problems!" --
+up to       the new 1.2.9 and I never have encountered any problems!" -- SM,
-SM, Germany</p>
+Germany</p>
 <p>"You have the best support of any other package I've ever       used."
  -- SE, US           </p>
 <p>"Because our company has information which has been classified by the
 national government as secret, our security doesn't stop by putting a fence
-  around our company. Information security is a hot issue. We also make use 
+   around our company. Information security is a hot issue. We also make
- of  checkpoint firewalls, but not all of the internet servers are guarded 
+use   of  checkpoint firewalls, but not all of the internet servers are guarded
  by  checkpoint, some of them are running....Shorewall." -- Name withheld
 by request,  Europe</p>
 <p>"thanx for all your efforts you put into shorewall - this product stands
- out  against a lot of commercial stuff i´ve been working with in terms of 
+  out  against a lot of commercial stuff i´ve been working with in terms
-  flexibillity, quality &amp; support" -- RM, Austria</p>
+of    flexibillity, quality &amp; support" -- RM, Austria</p>
 <p>"I have never seen such a complete firewall package that is so easy to
   configure. I searched the Debian package system for firewall scripts and
   Shorewall won hands down." -- RG, Toronto</p>
 <p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
- is a  wonderful piece of software. I've just sent out an email to about 30
+  is a  wonderful piece of software. I've just sent out an email to about
- people  recommending it. :-)<br>
+30  people  recommending it. :-)<br>
     While I had previously taken the time (maybe 40 hours) to really understand
   ipchains, then spent at least an hour per server customizing and carefully
   scrutinizing firewall rules, I've got shorewall running on my home firewall,
@ -112,5 +113,6 @@ by request,  Europe</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/samba.htm
+++ b/Shorewall-docs/samba.htm
@ -1,41 +1,51 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Samba</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Samba</font></h1>
+      <h1 align="center"><font color="#ffffff">Samba</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <p>If you wish to run Samba on your firewall and access shares between the 
 firewall and local hosts, you need the following rules:</p>
 <h4>/etc/shorewall/rules:</h4>
-<blockquote>
+ 
-  <table border="2" cellpadding="2" style="border-collapse: collapse">
+<blockquote>   <font face="Century Gothic, Arial, Helvetica">          </font>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
   <tbody>
      <tr>
    <font face="Century Gothic, Arial, Helvetica">
     <td><b>ACTION</b></td>
          <td><b>SOURCE</b></td>
          <td><b>DEST</b></td>
-         <td><b>
+          <td><b>   PROTO</b></td>
  PROTO</b></td>
          <td><b>DEST<br>
   PORT(S)</b></td>
          <td><b>SOURCE<br>
          PORT(S)</b></td>
          <td><b>ORIGINAL<br>
          DEST</b></td>
    </font>
        </tr>
   <tr>
     <td>ACCEPT</td>
@ -43,8 +53,8 @@ firewall and local hosts, you need the following rules:</p>
     <td>loc</td>
     <td>udp</td>
     <td>137:139</td>
-    <td>&nbsp;</td>
+     <td> </td>
-    <td>&nbsp;</td>
+     <td> </td>
   </tr>
   <tr>
     <td>ACCEPT</td>
@ -52,8 +62,8 @@ firewall and local hosts, you need the following rules:</p>
     <td>loc</td>
     <td>tcp</td>
     <td>137,139</td>
-    <td>&nbsp;</td>
+     <td> </td>
-    <td>&nbsp;</td>
+     <td> </td>
   </tr>
   <tr>
     <td>ACCEPT</td>
@ -62,7 +72,7 @@ firewall and local hosts, you need the following rules:</p>
     <td>udp</td>
     <td>1024:</td>
     <td>137</td>
-    <td>&nbsp;</td>
+     <td> </td>
   </tr>
   <tr>
     <td>ACCEPT</td>
@ -70,8 +80,8 @@ firewall and local hosts, you need the following rules:</p>
     <td>fw</td>
     <td>udp</td>
     <td>137:139</td>
-    <td>&nbsp;</td>
+     <td> </td>
-    <td>&nbsp;</td>
+     <td> </td>
   </tr>
   <tr>
     <td>ACCEPT</td>
@ -79,8 +89,8 @@ firewall and local hosts, you need the following rules:</p>
     <td>fw</td>
     <td>tcp</td>
     <td>137,139</td>
-    <td>&nbsp;</td>
+     <td> </td>
-    <td>&nbsp;</td>
+     <td> </td>
   </tr>
   <tr>
     <td>ACCEPT</td>
@ -89,10 +99,16 @@ firewall and local hosts, you need the following rules:</p>
     <td>udp</td>
     <td>1024:</td>
     <td>137</td>
-    <td>&nbsp;</td>
+     <td> </td>
   </tr>
    </tbody>
  </table>
 </blockquote>
-<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom
+ 
-Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
+<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
-<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font></body></html>
+<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -9,37 +9,46 @@
  <title>Shoreline Firewall (Shorewall) 1.4</title>
-                                                  <base target="_self">
+                                                                  <base
 target="_self">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="4"
+<table cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
- bgcolor="#4b017c">
+ bgcolor="#3366ff">
                       <tbody>
                      <tr>
-                             <td width="33%" height="90" valign="middle"
+                                 <td width="33%" height="90"
- align="left"><a href="http://www.cityofshoreline.com"><img
+ valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
 src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
 border="0">
                      </a></td>
-                  <td valign="middle" width="34%" align="center">       
+                      <td valign="middle" width="34%" align="center"
 bgcolor="#ffffff">                                                     
-      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
+      <div align="center">                                              
- color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
+                                                                        
                                              <img
 src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
   </div>
        </td>
-                  <td valign="middle">                                  
+                      <td valign="middle" width="33%">                  
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><img border="0" src="images/shorewall.jpg" width="119"
 height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
        </a></h1>
                      <br>
                      </td>
@ -52,7 +61,11 @@
 <div align="center">  
 <div align="center">                                            </div>
 <center>  
 <div align="center">                                            </div>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
@ -61,9 +74,12 @@
                      <tr>
                                   <td width="90%">              
      <div align="center">                                              
                                              <br>
        </div>
      <h2 align="left">What is it?</h2>
@ -71,6 +87,7 @@
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
@ -80,6 +97,7 @@
      <p>This program is free software; you can redistribute it and/or modify 
   it          under      the    terms      of         <a
@ -89,8 +107,8 @@ General Public License</a> as published by the Free   Software
                                <br>
-                 This     program         is   distributed            in
+                     This     program         is   distributed          
-  the       hope       that      it   will        be  useful,    but    
+ in    the       hope       that      it   will        be  useful,    but 
         WITHOUT        ANY         WARRANTY;         without           even
 the    implied      warranty          of MERCHANTABILITY               
   or  FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the 
@ -108,6 +126,7 @@ Inc.,    675     Mass   Ave,  Cambridge,      MA    02139,       USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -118,19 +137,33 @@ Inc.,    675     Mass   Ave,  Cambridge,      MA    02139,       USA</p>
      <h2>This is the Shorewall 1.4 Web Site</h2>
 The information on this site applies only to 1.4.x releases of Shorewall.
 For older versions:<br>
      <ul>
            <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
 target="_top">here.</a></li>
            <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>.<br>
       </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
-                                New to Shorewall? Start by selecting the
+                                    New to Shorewall? Start by selecting
-      <a href="shorewall_quickstart_guide.htm">QuickStart  Guide</a> that
+the         <a href="shorewall_quickstart_guide.htm">QuickStart  Guide</a>
-most closely               match your environment and follow the step by
+that   most closely               match your environment and follow the step
- step instructions.<br>
+by   step instructions.<br>
      <h2>Looking for Information?</h2>
      The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
   Index</a> is a good place to start as is the Quick Search to your right.
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-                      If so, the documentation<b> </b>on this site will not 
+                          If so, the documentation<b> </b>on this site will 
- apply   directly   to  your   setup.  If you want to use the documentation 
+ not   apply   directly   to  your   setup.  If you want to use the documentation 
   that you  find here, you will want to consider uninstalling what you have 
   and installing  a setup that matches    the documentation    on this site. 
   See the <a href="two-interface.htm">Two-interface    QuickStart    Guide</a> 
@ -142,21 +175,33 @@ most closely               match your environment and follow the step by
      <p><b></b></p>
      <ol>
      </ol>
      <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
         <br>
         </b></p>
   Thanks to the folks at securityopensource.org.br, there is now a <a
 href="http://shorewall.securityopensource.org.br" target="_top">Shorewall 
 mirror in Brazil</a>.<br>
      <p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
         <br>
         </b></p>
-      <blockquote>
+                       
-        <p><b><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
+      <blockquote><b><a
-        <a href="ftp://shorewall.net/pub/shorewall/testing"
+ href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
- target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
+ href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
-       </b></p>
+   ftp://shorewall.net/pub/shorewall/testing</a><br>
-      </blockquote>
+           </b></blockquote>
      <blockquote>                </blockquote>
      <p><b>Problems Corrected:</b><br>
       </p>
@ -167,19 +212,19 @@ start  errors when started using the "service" mechanism has been worked
 around.<br>
           <br>
         </li>
-         <li>Where a list of IP addresses appears in the DEST column of a 
+             <li>Where a list of IP addresses appears in the DEST column
-DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in the nat 
+of  a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in
-table (one for each element in the list). Shorewall now correctly creates 
+the  nat  table (one for each element in the list). Shorewall now correctly
-a single DNAT rule with multiple "--to-destination" clauses.<br>
+creates   a single DNAT rule with multiple "--to-destination" clauses.<br>
          <br>
      </li>
-         <li>Corrected a problem in Beta 1 where DNS names containing a "-" 
+             <li>Corrected a problem in Beta 1 where DNS names containing 
-were mis-handled when they appeared in the DEST column of a rule.<br>
+a  "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
              <br>
            </li>
-        <li>A number of problems with rule parsing have been corrected. Corrections
+            <li>A number of problems with rule parsing have been corrected. 
-involve the handling of "z1!z2" in the SOURCE column as well as lists in
+ Corrections involve the handling of "z1!z2" in the SOURCE column as well 
-the ORIGINAL DESTINATION column.<br>
+as lists in the ORIGINAL DESTINATION column.<br>
            </li>
      </ol>
@ -193,15 +238,15 @@ in the host file as follows:<br>
          <br>
          z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
          <br>
-  This capability was never documented and has been removed in 1.4.6 to allow 
+      This capability was never documented and has been removed in 1.4.6
-entries of the following format:<br>
+to  allow  entries of the following format:<br>
          <br>
          z   eth1:192.168.1.0/24,192.168.2.0/24<br>
          <br>
        </li>
-         <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been 
+             <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have 
-removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
+ been  removed from /etc/shorewall/shorewall.conf. These capabilities are 
- detected by Shorewall (see below).<br>
+now automatically  detected by Shorewall (see below).<br>
        </li>
      </ol>
@ -210,18 +255,18 @@ removed from /etc/shorewall/shorewall.conf. These capabilities are now automatic
       </p>
      <ol>
-         <li>A 'newnotsyn' interface option has been added. This option may 
+             <li>A 'newnotsyn' interface option has been added. This option 
-be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
+ may  be specified in /etc/shorewall/interfaces and overrides the setting 
- for packets arriving on the associated interface.<br>
+NEWNOTSYN=No  for packets arriving on the associated interface.<br>
           <br>
         </li>
             <li>The means for specifying a range of IP addresses in /etc/shorewall/masq 
- to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address 
+   to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for 
- ranges.<br>
+address   ranges.<br>
           <br>
         </li>
-         <li>Shorewall can now add IP addresses to subnets other than the 
+             <li>Shorewall can now add IP addresses to subnets other than 
-first  one on an interface.<br>
+the   first  one on an interface.<br>
           <br>
         </li>
             <li>DNAT[-] rules may now be used to load balance (round-robin)
@ -234,9 +279,10 @@ over a  set of servers. Servers may be specified in a range of addresses
           <br>
         </li>
             <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
-options  have been removed and have been replaced by code that detects whether
+  options  have been removed and have been replaced by code that detects
-these  capabilities are present in the current kernel. The output of the
+whether   these  capabilities are present in the current kernel. The output
-start, restart and check commands have been enhanced to report the outcome:<br>
+of the  start, restart and check commands have been enhanced to report the
 outcome:<br>
           <br>
       Shorewall has detected the following iptables/netfilter capabilities:<br>
          NAT: Available<br>
@ -245,12 +291,12 @@ start, restart and check commands have been enhanced to report the outcome:<br>
       Verifying Configuration...<br>
           <br>
         </li>
-         <li>Support for the Connection Tracking Match Extension has been 
+             <li>Support for the Connection Tracking Match Extension has
-added.  This extension is available in recent kernel/iptables releases and 
+been   added.  This extension is available in recent kernel/iptables releases 
-allows  for rules which match against elements in netfilter's connection tracking
+and   allows  for rules which match against elements in netfilter's connection 
- table. Shorewall automatically detects the availability of this extension
+ tracking  table. Shorewall automatically detects the availability of this 
- and reports its availability in the output of the start, restart and check
+ extension  and reports its availability in the output of the start, restart 
- commands.<br>
+ and check  commands.<br>
           <br>
       Shorewall has detected the following iptables/netfilter capabilities:<br>
          NAT: Available<br>
@ -259,18 +305,18 @@ allows  for rules which match against elements in netfilter's connection trackin
          Connection Tracking Match: Available<br>
       Verifying Configuration...<br>
           <br>
-   If this extension is available, the ruleset generated by Shorewall is
+       If this extension is available, the ruleset generated by Shorewall 
-changed  in the following ways:</li>
+is  changed  in the following ways:</li>
        <ul>
               <li>To handle 'norfc1918' filtering, Shorewall will not create 
-chains  in the mangle table but will rather do all 'norfc1918' filtering in
+  chains  in the mangle table but will rather do all 'norfc1918' filtering 
-the filter  table (rfc1918 chain).</li>
+ in the filter  table (rfc1918 chain).</li>
-           <li>Recall that Shorewall DNAT rules generate two netfilter rules; 
+               <li>Recall that Shorewall DNAT rules generate two netfilter
-one  in the nat table and one in the filter table. If the Connection Tracking 
+ rules;  one  in the nat table and one in the filter table. If the Connection
-Match Extension is available, the rule in the filter table is extended to 
+ Tracking  Match Extension is available, the rule in the filter table is
-check that the original destination address was the same as specified (or 
+extended  to  check that the original destination address was the same as
-defaulted to) in the DNAT rule.<br>
+specified  (or  defaulted to) in the DNAT rule.<br>
             <br>
           </li>
@ -302,13 +348,14 @@ defaulted to) in the DNAT rule.<br>
          <br>
      Warning:<br>
          <br>
-  If your shell only supports 32-bit signed arithmatic (ash or dash), then
+      If your shell only supports 32-bit signed arithmatic (ash or dash), 
- the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
+then   the ipcalc command produces incorrect information for IP addresses 
- and for /1 networks. Bash should produce correct information for all valid
+128.0.0.0-1   and for /1 networks. Bash should produce correct information 
- IP addresses.<br>
+for all valid   IP addresses.<br>
          <br>
        </li>
-         <li>An 'iprange' command has been added to /sbin/shorewall. <br>
+             <li>An 'iprange' command has been added to /sbin/shorewall.
          <br>
          <br>
            iprange &lt;address&gt;-&lt;address&gt;<br>
          <br>
@ -316,8 +363,8 @@ defaulted to) in the DNAT rule.<br>
  and host addresses. The command can be useful if you need to construct an
  efficient set of rules that accept connections from a range of network addresses.<br>
          <br>
-  Note: If your shell only supports 32-bit signed arithmetic (ash or dash) 
+      Note: If your shell only supports 32-bit signed arithmetic (ash or
-then the range may not span 128.0.0.0.<br>
+dash)   then the range may not span 128.0.0.0.<br>
          <br>
      Example:<br>
          <br>
@ -336,7 +383,8 @@ then the range may not span 128.0.0.0.<br>
            [root@gateway root]#<br>
          <br>
        </li>
-         <li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
+             <li>A list of host/net addresses is now allowed in an entry
 in  /etc/shorewall/hosts.<br>
          <br>
      Example:<br>
          <br>
@ -347,40 +395,49 @@ then the range may not span 128.0.0.0.<br>
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
             </p>
      <ol>
-                <li>The command "shorewall debug try &lt;directory&gt;" now 
+                    <li>The command "shorewall debug try &lt;directory&gt;" 
- correctly   traces the attempt.</li>
+ now   correctly   traces the attempt.</li>
                    <li>The INCLUDE directive now works properly in the zones 
  file;    previously, INCLUDE in that file was ignored.</li>
-                <li>/etc/shorewall/routestopped records with an empty second
+                    <li>/etc/shorewall/routestopped records with an empty 
-  column   are no longer ignored.<br>
+second    column   are no longer ignored.<br>
               </li>
      </ol>
      <p>New Features:<br>
             </p>
      <ol>
                    <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
  rule   may  now contain a list of addresses. If the list begins with "!'
 then the   rule  will take effect only if the original destination address
 in the connection    request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
                             </b></p>
      <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel 
-    and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
+      and iptables 1.2.8 (using the "official" RPM from netfilter.org). No 
-    have been encountered with this set of software. The Shorewall version
+ problems     have been encountered with this set of software. The Shorewall 
- is   1.4.4b plus the accumulated changes for 1.4.5.<br>
+ version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
              </p>
      <p><b>6/8/2003 - Updated Samples</b><b>                      </b></p>
@ -390,6 +447,7 @@ in the connection    request does not match any of the addresses listed.</li>
      <p><b></b></p>
      <ol>
@ -408,26 +466,26 @@ in the connection    request does not match any of the addresses listed.</li>
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
-                        </a>Jacques        Nilo       and     Eric     Wolzak 
+                            </a>Jacques        Nilo       and     Eric  
-        have       a   LEAF  (router/firewall/gateway                    
+  Wolzak          have       a   LEAF  (router/firewall/gateway         
              on   a  floppy,       CD    or compact     flash)  distribution
-         called                 <i>Bering</i>          that          features 
+                called                 <i>Bering</i>          that      
-                 Shorewall-1.4.2         and    Kernel-2.4.20.          You
+   features                   Shorewall-1.4.2         and    Kernel-2.4.20.
-       can     find         their    work at:                <a
+          You        can     find         their    work at:             
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+        <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                          </a></p>
-                           <b>Congratulations to Jacques and Eric on the
+                               <b>Congratulations to Jacques and Eric on
-recent    release     of  Bering    1.2!!! </b><br>
+the   recent    release     of  Bering    1.2!!! </b><br>
      <h2><a name="Donations"></a>Donations</h2>
                                                                       </td>
-                               <td width="88" bgcolor="#4b017c"
+                                   <td width="88" bgcolor="#3366ff"
 valign="top" align="center">                                            
@ -443,17 +501,19 @@ recent    release     of  Bering    1.2!!! </b><br>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-                                                                     <font
+                                                                        
- face="Arial" size="-1">        <input type="text" name="words"
+        <font face="Arial" size="-1">        <input type="text"
- size="15"></font><font size="-1"> </font>      <font face="Arial"
+ name="words" size="15"></font><font size="-1"> </font>      <font
- size="-1">     <input type="hidden" name="format" value="long">     <input
+ face="Arial" size="-1">     <input type="hidden" name="format"
- type="hidden" name="method" value="and">     <input type="hidden"
+ value="long">     <input type="hidden" name="method" value="and">     <input
- name="config" value="htdig">     <input type="submit" value="Search"></font>
+ type="hidden" name="config" value="htdig">     <input type="submit"
-            </p>
+ value="Search"></font>               </p>
-                                                                     <font
+                                                                        
- face="Arial">            <input type="hidden" name="exclude"
+        <font face="Arial">            <input type="hidden"
- value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
+ name="exclude" value="[http://lists.shorewall.net/pipermail/*]">   </font>
       </form>
@ -478,7 +538,7 @@ recent    release     of  Bering    1.2!!! </b><br>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
- bgcolor="#4b017c">
+ bgcolor="#3366ff">
                  <tbody>
@ -500,9 +560,10 @@ recent    release     of  Bering    1.2!!! </b><br>
      <p align="center"><font size="4" color="#ffffff"><br>
-                 <font size="+2"> Shorewall is free but if       you try
+                     <font size="+2"> Shorewall is free but if       you
-it  and   find   it useful, please consider making a donation           
+try   it  and   find   it useful, please consider making a donation     
                                                                to      
            <a href="http://www.starlight.org"><font color="#ffffff">Starlight
   Children's              Foundation.</font></a> Thanks!</font></font></p>
@ -517,9 +578,8 @@ it  and   find   it useful, please consider making a donation
 </table>
-<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 7/16/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                                                      <br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -17,7 +17,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                                  <tbody>
                             <tr>
                                    <td width="100%">                   
@ -46,8 +46,8 @@
 href="http://www.washington.edu">University      of Washington</a> 1969</li>
                              <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
-                             <li><a href="http://www.tandem.com">Tandem Computers,
+                              <li><a href="http://www.tandem.com">Tandem
-     Incorporated</a>         (now part of the <a
+Computers,      Incorporated</a>         (now part of the <a
 href="http://www.hp.com">The     New HP</a>) 1980 -  present</li>
                              <li>Married 1969 - no children.</li>
@ -58,15 +58,15 @@
 <p>I became interested in Internet Security when I established a home office
            in 1999 and had DSL service installed in our       home. I investigated
-         ipchains  and developed the scripts which are now collectively known
+          ipchains  and developed the scripts which are now collectively
-     as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>.
+known      as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. 
     Expanding       on what I learned from Seattle Firewall, I then     
 designed    and wrote      Shorewall. </p>
 <p>I telework from our <a
 href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
- href="http://www.cityofshoreline.com">Shoreline,        Washington</a> 
+ href="http://www.cityofshoreline.com">Shoreline,        Washington</a>  where
-where I live with my wife Tarry.  </p>
+I live with my wife Tarry.  </p>
 <p>Our current home network consists of: </p>
@ -87,12 +87,12 @@ FTP    (Pure_ftpd),   DNS  server        (Bind 9).</li>
                              <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
 HD  -  3   LNE100TX       (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
   1.4.6Beta1, a DHCP         server and Samba configured as a WINS server..</li>
-                             <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 
+                              <li>Duron 750, Win ME, 192MB RAM, 20GB HD,
-   NIC   -  My  wife's        personal system.</li>
+RTL8139     NIC   -  My  wife's        personal system.</li>
                              <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
  HD,  built-in     EEPRO100, EEPRO100 in expansion base - My   work system.</li>
-        <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and 
+         <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC
- LinkSys  WET11 - Our Laptop.<br>
+and   LinkSys  WET11 - Our Laptop.<br>
         </li>
 </ul>
@ -133,5 +133,6 @@ HD  -  3   LNE100TX
 size="2">2001, 2002, 2003 Thomas      M. Eastep.</font></a></font><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_extension_scripts.htm
+++ b/Shorewall-docs/shorewall_extension_scripts.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                 <tbody>
        <tr>
                   <td width="100%">                      
@ -32,18 +32,21 @@
 placed in /etc/shorewall and   are processed  using the Bourne shell "source" 
 mechanism.<br>
 </p>
 <p><font color="#ff0000"><b>Caution: <br>
  </b></font></p>
 <ol>
-  <li><font color="#ff0000"><b>Be sure that you actually need to use an extension 
+   <li><font color="#ff0000"><b>Be sure that you actually need to use an
-script to do what you want. Shorewall has a wide range of features that cover 
+extension  script to do what you want. Shorewall has a wide range of features
-most requirements.</b></font></li>
+that cover  most requirements.</b></font></li>
   <li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON 
 THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
-SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING
+ SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
-WITH RESPECT TO iptables/Netfilter</b></font></li>
+DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
 </ol>
 <p>The   following scripts can be  supplied:</p>
 <ul>
@ -53,8 +56,8 @@ WITH RESPECT TO iptables/Netfilter</b></font></li>
        <li>stop -- invoked as a first step when the firewall is being stopped.</li>
        <li>stopped -- invoked after the firewall has been stopped.</li>
        <li>clear -- invoked after the firewall has been cleared.</li>
-       <li>refresh -- invoked while the firewall is being refreshed but before
+        <li>refresh -- invoked while the firewall is being refreshed but
- the     common and/or blacklst chains have been rebuilt.</li>
+before  the     common and/or blacklst chains have been rebuilt.</li>
        <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' 
 chain     has been created but before any rules have been added to it.</li>
@ -70,18 +73,18 @@ WITH RESPECT TO iptables/Netfilter</b></font></li>
 <p>The /etc/shorewall/common file receives special treatment. If this file 
 is present, the rules that it       defines will totally replace the default 
- rules in the common chain. These         default rules are contained in
+ rules in the common chain. These         default rules are contained in the
-the  file /etc/shorewall/common.def which        may be used as a starting
+ file /etc/shorewall/common.def which        may be used as a starting point
-point  for making your own customized file.</p>
+ for making your own customized file.</p>
 <p>   Rather than running iptables directly, you should run it using the 
 function  run_iptables. Similarly, rather than running "ip" directly, you
 should use run_ip. These functions accept the same arguments as the  underlying
-command but cause the firewall to be stopped if an error occurs   during processing
+ command but cause the firewall to be stopped if an error occurs   during
-of the command.</p>
+processing of the command.</p>
-<p>   If you decide to create /etc/shorewall/common it is a good idea to use
+<p>   If you decide to create /etc/shorewall/common it is a good idea to
-the    following technique</p>
+use the    following technique</p>
 <p>   /etc/shorewall/common:</p>
@ -90,9 +93,9 @@ the    following technique</p>
      </blockquote>
 <p>If you need to supercede a rule in the released common.def file, you can 
- add   the superceding rule before the '.' command. Using this technique
+ add   the superceding rule before the '.' command. Using this technique allows
-allows    you to add new rules while still getting the benefit of the latest
+   you to add new rules while still getting the benefit of the latest common.def
-common.def    file.</p>
+   file.</p>
 <p>Remember that /etc/shorewall/common defines rules   that are only applied 
 if the applicable policy is DROP or REJECT. These rules   are NOT applied 
@ -110,5 +113,6 @@ common.def    file.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_features.htm
+++ b/Shorewall-docs/shorewall_features.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
       <tbody>
        <tr>
         <td width="100%">       
@ -63,14 +63,14 @@ use  all     types in the same firewall):
    </ul>
       </li>
-      <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
+       <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
-      IP addresses and subnetworks is supported.</li>
+individual       IP addresses and subnetworks is supported.</li>
       <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: 
    <ul>
         <li>Commands to start, stop and clear the firewall</li>
-        <li>Supports status             monitoring      with an audible alarm
+         <li>Supports status             monitoring      with an audible
- when an             "interesting" packet is detected.</li>
+alarm  when an             "interesting" packet is detected.</li>
         <li>Wide variety of informational commands.</li>
    </ul>
@ -114,5 +114,6 @@ Address      <b>Verification</b><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_firewall_structure.htm
+++ b/Shorewall-docs/shorewall_firewall_structure.htm
@ -16,11 +16,12 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
             <tbody>
        <tr>
               <td width="100%">                                       
-      <h1 align="center"><font color="#ffffff">Firewall Structure</font></h1>
+      <h1 align="center"><font color="#ffffff">Firewall Structure (Under
 Construction)</font></h1>
               </td>
             </tr>
@ -29,24 +30,24 @@
 <p>  Shorewall views the network in which it is running as a set of     
 <i> zones. </i>Shorewall itself defines exactly   one zone called "fw" which
- refers to the firewall system itself . The   /etc/shorewall/zones file is 
+  refers to the firewall system itself . The   /etc/shorewall/zones file
- used to define additional zones and the example file   provided with Shorewall
+is   used to define additional zones and the example file   provided with
-  defines the zones:</p>
+Shorewall   defines the zones:</p>
 <ol>
             <li>  net -- the (untrusted) internet.</li>
             <li>  dmz - systems that must be accessible from       the internet
- and from the local network.  These systems cannot be trusted completely since
+  and from the local network.  These systems cannot be trusted completely
- their servers may have been       compromised through a security exploit.</li>
+since  their servers may have been       compromised through a security exploit.</li>
             <li>  loc - systems in your local network(s).       These systems
- must be protected from the internet and from the DMZ and in       some cases, 
+  must be protected from the internet and from the DMZ and in       some
- from each other.</li>
+cases,   from each other.</li>
 </ol>
-<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall zone</a>.
+<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall
- For ease of description in this documentation, it is assumed  that the firewall
+zone</a>.  For ease of description in this documentation, it is assumed 
-zone is named "fw".</p>
+that the firewall zone is named "fw".</p>
 <p>It can't be stressed enough that  with the exception of the firewall zone,
  Shorewall itself attaches no meaning to  zone names. Zone names are simply
@ -55,12 +56,12 @@ zone is named "fw".</p>
 <p>While zones are normally disjoint (no two zones have a host in common), 
   there are cases where nested or overlapping zone definitions are appropriate.</p>
-<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the
+<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose
-purpose of this document, we will consider Netfilter to have three tables:</p>
+of this document, we will consider Netfilter to have three tables:</p>
 <ol>
-    <li>Filter table -- this is the main table for packet filtering and can
+     <li>Filter table -- this is the main table for packet filtering and
- be displayed with the command "shorewall show".</li>
+can  be displayed with the command "shorewall show".</li>
     <li>Nat table -- used for all forms of Network Address Translation (NAT); 
 SNAT, DNAT and MASQUERADE.</li>
     <li>Mangle table -- used to modify fields in the packet header.<br>
@ -166,8 +167,8 @@ purpose of this document, we will consider Netfilter to have three tables:</p>
 <p><br>
   <br>
-  In the text that follows, the paragraph numbers correspond to the box number
+   In the text that follows, the paragraph numbers correspond to the box
- in the diagram above.<br>
+number  in the diagram above.<br>
   </p>
 <ol>
@ -179,29 +180,30 @@ match extension, then the packet is sent down the <b>man1918</b> chain which
 will  drop  the packet if its destination IP address is reserved (as specified
 in the  /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
 pretos</b>  chain to set its TOS field as specified in the /etc/shorewall/tos
-file.  Finally, if traffic control/shaping is being used, the packet is sent 
+ file.  Finally, if traffic control/shaping is being used, the packet is
-through  the<b> tcpre</b> chain to be marked for later use in policy routing 
+sent  through  the<b> tcpre</b> chain to be marked for later use in policy
-or traffic  control.<br>
+routing  or traffic  control.<br>
       <br>
   Next, if the packet isn't part of an established connection, it passes 
  through the<i> nat</i> table's PREROUTING chain (you can see the nat table
- by  typing "shorewall show nat"). If you are doing both static nat and  port
+  by  typing "shorewall show nat"). If you are doing both static nat and
- forwarding, the order in which chains are traversed is dependent on the
+ port  forwarding, the order in which chains are traversed is dependent on
- setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on
+the  setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is
-then  packets will ender a chain called<b> <i>interface_</i>in</b> where 
+on then  packets will ender a chain called<b> <i>interface_</i>in</b> where
    <i>interface</i>  is  the name of the interface on which the packet entered.
-Here it's destination  IP  is compared to each of the <i>EXTERNAL</i> IP addresses
+ Here it's destination  IP  is compared to each of the <i>EXTERNAL</i> IP
-from /etc/shorewall/nat   that correspond to this interface; if there is
+addresses from /etc/shorewall/nat   that correspond to this interface; if
-a match, DNAT is applied  and the  packet header is modified to the IP in
+there is a match, DNAT is applied  and the  packet header is modified to
-the <i>INTERNAL</i> column  of the nat  file record. If the destination address
+the IP in the <i>INTERNAL</i> column  of the nat  file record. If the destination
-doesn't match any of the rules in the  <b><i>interface_</i>in</b> chain then
+address doesn't match any of the rules in the  <b><i>interface_</i>in</b>
-the packet enters a chain  called <b><i>sourcezone</i>_dnat</b>  where <i>sourcezone</i>
+chain then the packet enters a chain  called <b><i>sourcezone</i>_dnat</b>
-is the source zone of the packet. There it is compared  for a match against
+ where <i>sourcezone</i> is the source zone of the packet. There it is compared
-each of the DNAT records in the rules file that specify     <i>  sourcezone
+ for a match against each of the DNAT records in the rules file that specify
-    </i>as the source  zone. If a match is found, the destination IP  address
+    <i>  sourcezone     </i>as the source  zone. If a match is found, the
-(and possibly the destination port) is modified based on the rule  matched.
+destination IP  address (and possibly the destination port) is modified based
-If NAT_BEFORE_RULES is off, then the order of traversal of the <b><i>  interface_</i>in</b>
+on the rule  matched. If NAT_BEFORE_RULES is off, then the order of traversal
-and <b><i>sourcezone</i>_dnat</b>  is reversed.<br>
+of the <b><i>  interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b>  is
 reversed.<br>
       <br>
     </li>
     <li>Depending on whether the packet is destined for the firewall itself 
@ -216,21 +218,23 @@ all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are
 processed in a chain called <br>
     <br>
   </li>
  <ol>
  </ol>
     <li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
- table  (called 'filter'). If the traffic is destined for the  firewall itself, 
+  table  (called 'filter'). If the traffic is destined for the  firewall
- the name of the interface chain is formed by appending "_in" to  the interface 
+itself,   the name of the interface chain is formed by appending "_in" to
- name. So traffic on eth0 destined for the firewall will enter a  chain called 
+ the interface   name. So traffic on eth0 destined for the firewall will
-     <i>eth0_in</i>. The interface chain for traffic that will be routed
+enter a  chain called       <i>eth0_in</i>. The interface chain for traffic
-to  another  system is formed by appending "_fwd" to the interface name.
+that will be routed to  another  system is formed by appending "_fwd" to
-So traffic  from  eth1 that is going to be forwarded enters a chain called<i>
+the interface name. So traffic  from  eth1 that is going to be forwarded
-eth1_fwd</i>.    Interfaces described with the wild-card character ("+")
+enters a chain called<i> eth1_fwd</i>.    Interfaces described with the wild-card
-in  /etc/shorewall/interfaces,  share input chains. if <i>ppp+ </i>appears
+character ("+") in  /etc/shorewall/interfaces,  share input chains. if <i>ppp+
-in  /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will
+    </i>appears in  /etc/shorewall/interfaces then all PPP interfaces (ppp0,
-share  the interface chains <i>ppp_in</i>  and <i>ppp_fwd</i>. In other words,
+ppp1, ...) will share  the interface chains <i>ppp_in</i>  and <i>ppp_fwd</i>.
-"+" is  deleted from the name before forming the input chain names.<br>
+In other words, "+" is  deleted from the name before forming the input chain
 names.<br>
     <br>
 While the use of interfacechains may seem wasteful in simple environments,
  in  complex setups it substantially reduces the number of rules that each
@ -238,8 +242,8 @@ While the use of interfacechains may seem wasteful in simple environments,
 </ol>
-<p>  Traffic directed from a zone to the firewall itself is sent through a
+<p>  Traffic directed from a zone to the firewall itself is sent through
-chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
+a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from 
  the   internet and addressed to the firewall is sent through a chain named 
  net2fw.   Similarly, traffic originating in the firewall and being sent 
 to  a host in a   given zone is sent through a chain named fw2<i>&lt;zone 
@ -247,8 +251,8 @@ name&gt;.        </i>For   example, traffic originating in the firewall and
 destined  for a host in the   local network is sent through a chain named 
 <i>fw2loc.</i>        <font face="Century Gothic, Arial, Helvetica">   </font></p>
-<p>  Traffic being forwarded between two zones (or from one interface to a
+<p>  Traffic being forwarded between two zones (or from one interface to
-zone to another interface to that zone) is sent through a chain named <i>
+a zone to another interface to that zone) is sent through a chain named <i> 
  &lt;source   zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example, 
  traffic   originating in a local system and destined for a remote web server 
  is   sent through chain       <i>loc2net. </i>This chain is referred to 
@ -262,53 +266,53 @@ be  expressed in terms of the destination system's real IP address as   opposed
 <p>  For each record in the /etc/shorewall/policy file, a chain is   created.
  Policies in that file are expressed in terms of a source zone and   destination
- zone where these zones may be a zone defined in   /etc/shorewall/zones, "fw"
+  zone where these zones may be a zone defined in   /etc/shorewall/zones,
- or "all". Policies specifying   the pseudo-zone "all" matches all defined 
+"fw"  or "all". Policies specifying   the pseudo-zone "all" matches all defined
  zones and "fw".   These chains are referred to as <i>Policy Chains.</i> Notice
  that for an   ordered pair of zones (za,zb), the canonical chain (za2zb)
-may also be the    policy chain for the pair or the policy chain may be a 
+ may also be the    policy chain for the pair or the policy chain may be
-different chain   (za2all, for example). Packets from one zone to another 
+a  different chain   (za2all, for example). Packets from one zone to another
 will traverse chains    as follows:</p>
 <ol>
-            <li>  If the canonical chain exists, packets first traverse that 
+             <li>  If the canonical chain exists, packets first traverse
- chain.</li>
+that   chain.</li>
-            <li>  If the canonical chain and policy chain are different and 
+             <li>  If the canonical chain and policy chain are different
- the packet    does not match a rule in the canonical chain, it then is sent 
+and   the packet    does not match a rule in the canonical chain, it then
- to the      policy chain.</li>
+is sent   to the      policy chain.</li>
             <li>  If the canonical chain does not exist, packets are sent
 immediately    to the policy chain.</li>
 </ol>
-<p>  The canonical chain from zone za to zone zb will be created only if there
+<p>  The canonical chain from zone za to zone zb will be created only if
-are   exception rules defined in /etc/shorewall/rules for packets going from
+there are   exception rules defined in /etc/shorewall/rules for packets going
-za to   zb.</p>
+from za to   zb.</p>
 <p>  Shorewall is built on top of the Netfilter kernel facility. Netfilter 
  implements connection tracking function that allow what is often referred 
  to   as "statefull inspection" of packets. This statefull property allows 
-    firewall rules to be defined in terms of "connections" rather than  
+    firewall rules to be defined in terms of "connections" rather than   in
-in   terms of "packets". With Shorewall, you:</p>
+  terms of "packets". With Shorewall, you:</p>
 <ol>
             <li>  Identify the client's zone.</li>
             <li>  Identify the server's zone.</li>
             <li>  If the POLICY from the client's zone to the server's zone
  is what you     want for this client/server pair, you need do nothing further.</li>
-            <li>  If the POLICY is not what you want, then you must add a 
+             <li>  If the POLICY is not what you want, then you must add
-rule.  That rule       is expressed in terms of the client's zone and the 
+a  rule.  That rule       is expressed in terms of the client's zone and
-server's  zone.</li>
+the  server's  zone.</li>
 </ol>
 <p>  Just because connections of a particular type are allowed between zone
- A   and the firewall and are also allowed between the firewall and zone B
+  A   and the firewall and are also allowed between the firewall and zone
- <font color="#ff6633"><b><u>   DOES   NOT mean that these connections are
+B  <font color="#ff6633"><b><u>   DOES   NOT mean that these connections
- allowed between zone A and zone  B</u></b></font>.   It rather means that
+are  allowed between zone A and zone  B</u></b></font>.   It rather means
- you can have a proxy running on the firewall that accepts   a connection 
+that  you can have a proxy running on the firewall that accepts   a connection
-from zone A and then establishes its own separate connection from   the firewall 
+ from zone A and then establishes its own separate connection from   the
- to zone B.</p>
+firewall   to zone B.</p>
 <p>  If you adopt the default policy of ACCEPT from the local zone to the
    internet zone and you are having problems connecting from a local client
@ -323,5 +327,6 @@ from zone A and then establishes its own separate connection from   the firewall
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_logging.html
+++ b/Shorewall-docs/shorewall_logging.html
@ -12,12 +12,10 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                    <tbody>
                     <tr>
                      <td width="100%">         
      <h1 align="center"><font color="#ffffff">Logging</font></h1>
                      </td>
                    </tr>
@ -88,10 +86,10 @@ file,  you must restart syslogd before the changes can take effect.<br>
         Beginning with Shorewall version 1.3.12, if your kernel has ULOG 
 target    support (and most vendor-supplied kernels do), you may also specify 
 a log  level of ULOG (must be all caps). When  ULOG is used, Shorewall will 
-direct  netfilter to log the related messages  via the ULOG target which will
+direct  netfilter to log the related messages  via the ULOG target which
-send  them to a process called 'ulogd'. The  ulogd program is available from
+will send  them to a process called 'ulogd'. The  ulogd program is available
-http://www.gnumonks.org/projects/ulogd  and  can be configured to log all
+from http://www.gnumonks.org/projects/ulogd  and  can be configured to log
-Shorewall message to their own log file.<br>
+all Shorewall message to their own log file.<br>
  <br>
  <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from 
 syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely 
@ -115,9 +113,9 @@ Download the ulod tar file and:<br>
       </li>
 </ol>
-    If you are like me and don't have a development environment on your firewall,
+     If you are like me and don't have a development environment on your
-  you can do the first six steps on another system then either NFS mount
+firewall,   you can do the first six steps on another system then either
-your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
+NFS mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> 
  directory and move it to your firewall system.<br>
     <br>
     Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
@ -129,9 +127,9 @@ your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
 </ol>
     I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init 
 to  /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" 
-  to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
+  to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
-"chkconfig   --level 3 ulogd on" starts ulogd during boot up. Your init system
+  --level 3 ulogd on" starts ulogd during boot up. Your init system may need
-may need   something else done to activate the script.<br>
+  something else done to activate the script.<br>
  <br>
  You will need to change all instances of log levels (usually 'info') in 
 your configuration files to 'ULOG' - this includes entries in the policy, 
@ -140,17 +138,15 @@ rules and shorewall.conf files. Here's what I have:<br>
 <pre>	[root@gateway shorewall]# grep ULOG *<br>	policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br>	policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br>	policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br>	rules:REJECT:ULOG loc net tcp 6667<br>	shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br>	shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br>	[root@gateway shorewall]#<br></pre>
     Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file 
 that  you wish to log to&gt;</i>. This tells the /sbin/shorewall program 
-where to look for the log when processing its "show log", "logwatch" and
+where to look for the log when processing its "show log", "logwatch" and "monitor"
-"monitor"  commands.<br>
+ commands.<br>
 <p><font size="2">   Updated 1/11/2003 - <a href="support.htm">Tom  Eastep</a> 
          </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>           &copy; 
 <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
      </p>
-
+  <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@ -16,10 +16,11 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
             <tbody>
              <tr>
               <td width="100%">                                        
      <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
               </td>
             </tr>
@ -37,12 +38,12 @@
    and is located in California, USA. It is mirrored at:</p>
 <ul>
-           <li><a target="_top" href="http://slovakia.shorewall.net">   http://slovakia.shorewall.net</a> 
+             <li><a target="_top" href="http://slovakia.shorewall.net"> 
-        (Slovak Republic).</li>
+ http://slovakia.shorewall.net</a>          (Slovak Republic).</li>
             <li>     <a href="http://www.infohiiway.com/shorewall"
 target="_top">   http://shorewall.infohiiway.com</a>     (Texas, USA).</li>
-           <li><a target="_top" href="http://germany.shorewall.net">   http://germany.shorewall.net</a> 
+             <li><a target="_top" href="http://germany.shorewall.net">  
-   (Hamburg, Germany)</li>
+http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
                     <li><a target="_top"
 href="http://france.shorewall.net">http://france.shorewall.net</a>      
 (Paris, France)</li>
@ -51,7 +52,9 @@
      <li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
  (Taipei, Taiwan)</li>
    <li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
-(Argentina)<br>
+ (Argentina)</li>
   <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br>
   </li>
            <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> 
    (Washington State, USA)<br>
@ -76,15 +79,15 @@
       (Paris, France)</li>
      <li><a href="ftp://shorewall.greshko.com/pub/shorewall"
 target="_top">ftp://shorewall.greshko.com</a>  (Taipei, Taiwan)</li>
-    <li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
+      <li><a href="ftp://ftp.shorewall.net/pub/shorewall"
-     </a>(Washington State, USA)<br>
+ target="_blank">ftp://ftp.shorewall.net       </a>(Washington State, USA)<br>
      </li>
 </ul>
        Search results and the mailing list archives are always fetched from
  the  site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 6/19/2003 - <a
+<p align="left"><font size="2">Last Updated 7/15/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -98,5 +101,7 @@
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
           <tbody>
            <tr>
             <td width="100%">                            
@ -32,10 +32,10 @@
 <ul>
           <li>A kernel that supports netfilter. I've tested with 2.4.2 - 
 2.4.20.  With current releases of Shorewall, Traffic Shaping/Control requires 
-at least  2.4.18.        <a href="kernel.htm">     Check here for kernel
+at least  2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
-configuration        information.</a>       If you are looking for a firewall
+       information.</a>       If you are looking for a firewall for use with
-for use with  2.2 kernels, <a href="http://seawall.sf.net">     see     
+ 2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle
- the Seattle Firewall   site</a>     .</li>
+Firewall   site</a>     .</li>
           <li>iptables 1.2 or later  but beware version 1.2.3 -- see the 
    <a href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: 
   </b></font>The    buggy iptables version 1.2.3    is included in RedHat 
@ -81,5 +81,6 @@ have   awk        (gawk) installed.</li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -18,7 +18,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                                   <tbody>
                                    <tr>
                                     <td width="100%">                  
@ -61,9 +61,9 @@ we must  all first walk before we can run.<br>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
    Index Below) outlines              the steps necessary to set up a firewall
-   where <b>there are multiple         public    IP  addresses involved or
+    where <b>there are multiple         public    IP  addresses involved
- if  you want to learn more about   Shorewall      than   is  explained in
+or   if  you want to learn more about   Shorewall      than   is  explained
- the  single-address guides above.</b></p>
+in   the  single-address guides above.</b></p>
 <ul>
@ -72,9 +72,9 @@ we must  all first walk before we can run.<br>
 <h2><a name="Documentation"></a>Documentation Index</h2>
 <p>The following documentation covers a variety of topics and <b>supplements
-               the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
+                the  <a href="shorewall_quickstart_guide.htm">QuickStart
-         described      above</b>. Please review the appropriate guide before
+Guides</a>           described      above</b>. Please review the appropriate
-    trying     to use this    documentation directly.</p>
+guide before      trying     to use this    documentation directly.</p>
 <ul>
                                   <li><a
@ -162,6 +162,9 @@ a test configuration)</a></li>
 href="Documentation.htm#Routestopped">routestopped</a></li>
    </ul>
                                   </li>
                                   <li><a href="CorpNetwork.htm">Corporate
 Network Example</a> (Contributed by a Graeme Boyle)<br>
  </li>
  <li><a href="dhcp.htm">DHCP</a></li>
                                   <li><a href="ECN.html">ECN Disabling by
@ -187,7 +190,8 @@ host   or  subnet</a></li>
 href="kernel.htm">Kernel     Configuration</a></font></li>
                      <li><a href="shorewall_logging.html">Logging</a><br>
                      </li>
-                                 <li><a href="MAC_Validation.html">MAC Verification</a></li>
+                                   <li><a href="MAC_Validation.html">MAC
 Verification</a></li>
    <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
    </li>
                                          <li><a href="myfiles.htm">My Shorewall
@ -229,6 +233,7 @@ host   or  subnet</a></li>
      </ul>
      <ul>
                <li><a href="shorewall_setup_guide.htm#RFC1918">4.5   RFC 
  1918</a></li>
@ -243,23 +248,27 @@ host   or  subnet</a></li>
      </ul>
      <ul>
                <li><a href="shorewall_setup_guide.htm#NonRouted">5.2   Non-routed</a> 
          <ul>
-                  <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1    SNAT</a></li>
+                    <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1  
-                  <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2    DNAT</a></li>
+ SNAT</a></li>
                    <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2  
 DNAT</a></li>
                    <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
    Proxy     ARP</a></li>
-                  <li><a href="shorewall_setup_guide.htm#NAT">5.2.4    Static 
+                    <li><a href="shorewall_setup_guide.htm#NAT">5.2.4   
-     NAT</a></li>
+Static       NAT</a></li>
          </ul>
                                     </li>
                <li><a href="shorewall_setup_guide.htm#Rules">5.3   Rules</a></li>
-              <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4   Odds
+                <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 
-    and   Ends</a></li>
+ Odds     and   Ends</a></li>
      </ul>
                                   </li>
@ -299,8 +308,8 @@ work)</a><br>
                                     <li><a href="PPTP.htm">PPTP</a></li>
         <li><a href="6to4.htm">6t04</a><br>
         </li>
-                                   <li><a href="VPN.htm">IPSEC/PPTP</a> from
+                                     <li><a href="VPN.htm">IPSEC/PPTP</a> 
-  a  system    behind    your   firewall   to a      remote network.</li>
+from   a  system    behind    your   firewall   to a      remote network.</li>
    </ul>
                                   </li>
@ -312,10 +321,12 @@ work)</a><br>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 7/6/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 7/16/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M.
        Eastep</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -16,7 +16,19 @@
 </head>
  <body>
-<h1 align="center">Shorewall Setup Guide</h1>
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
          <tbody>
           <tr>
            <td width="100%">                     
      <h1 align="center"><font color="#ffffff">Shorewall Setup Guide</font></h1>
            </td>
          </tr>
  </tbody>   
 </table>
 <br>
 <p><a href="#Introduction">1.0 Introduction</a><br>
                <a href="#Concepts">2.0 Shorewall Concepts</a><br>
@ -49,28 +61,28 @@
                </blockquote>
 <p><a href="#DNS">6.0 DNS</a><br>
-               <a href="#StartingAndStopping">7.0 Starting and Stopping the 
+                <a href="#StartingAndStopping">7.0 Starting and Stopping
- Firewall</a></p>
+the   Firewall</a></p>
 <h2><a name="Introduction"></a>1.0 Introduction</h2>
 <p>This guide is intended for users who are setting up Shorewall in an  environment
-      where a set of public IP addresses must be managed or who want to  know
+       where a set of public IP addresses must be managed or who want to
-    more  about Shorewall than is contained in the  <a
+ know     more  about Shorewall than is contained in the  <a
 href="shorewall_quickstart_guide.htm">single-address  guides</a>. Because
       the  range of possible applications is so broad, the Guide will give 
  you    general  guidelines and will point you to other resources as necessary.</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-                   If you run LEAF Bering, your Shorewall configuration is
+                    If you run LEAF Bering, your Shorewall configuration
- NOT  what   I  release -- I  suggest that you consider installing a stock
+is  NOT  what   I  release -- I  suggest that you consider installing a stock 
 Shorewall   lrp  from the  shorewall.net site before you proceed.</p>
 <p>Shorewall requires that the iproute/iproute2 package be installed    (on
-    RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell  if 
+     RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
-  this  package is installed by the presence of an <b>ip</b> program on  your
+if    this  package is installed by the presence of an <b>ip</b> program
-   firewall  system. As root, you can use the 'which' command to check  for
+on  your    firewall  system. As root, you can use the 'which' command to
-  this  program:</p>
+check  for   this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -84,10 +96,10 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                    If you edit your configuration files on a Windows system, 
  you  must   save them as  Unix files if your editor supports that option 
- or you  must  run them through  dos2unix before trying to use them with
+ or you  must  run them through  dos2unix before trying to use them with Shorewall.
-Shorewall.    Similarly,   if you copy a configuration file  from your Windows
+   Similarly,   if you copy a configuration file  from your Windows hard
-hard drive    to a floppy   disk, you must run dos2unix against the  copy
+drive    to a floppy   disk, you must run dos2unix against the  copy before
-before using   it with Shorewall.</p>
+using   it with Shorewall.</p>
 <ul>
                  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
@ -101,13 +113,13 @@ of    dos2unix</a></li>
 <h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
 <p>The configuration files for Shorewall are contained in the directory /etc/shorewall 
-  -- for most setups, you will only need to deal with a few of  these as
+  -- for most setups, you will only need to deal with a few of  these as described
-described   in this guide. Skeleton files are created during the <a
+  in this guide. Skeleton files are created during the <a
 href="Install.htm">Shorewall Installation Process</a>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
-      file on your system -- each file contains detailed  configuration instructions 
+       file on your system -- each file contains detailed  configuration
-      and some contain default entries.</p>
+instructions        and some contain default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a
       set of  <i>zones.</i> In the default installation, the following zone
@ -140,8 +152,8 @@ described   in this guide. Skeleton files are created during the <a
       file.</p>
 <p>Shorewall also recognizes the firewall system as its own zone - by default,
-       the firewall itself is known as <b>fw</b> but that may be changed in
+        the firewall itself is known as <b>fw</b> but that may be changed
-  the    <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a> 
+in   the    <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
     file.   In  this guide, the default name (<b>fw</b>) will be used.</p>
 <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
@ -160,8 +172,8 @@ described   in this guide. Skeleton files are created during the <a
                  <li>You express your default policy for connections from
 one   zone   to  another    zone in the<a
 href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
-                 <li>You define exceptions to those default policies in the 
+                  <li>You define exceptions to those default policies in
-     <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+the       <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -170,8 +182,8 @@ one   zone   to  another    zone in the<a
 href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
       tracking function</a> that allows what is often referred to   as <i>stateful
       inspection</i> of packets. This stateful property allows   firewall
-rules      to be defined in terms of <i>connections</i> rather than   in terms
+ rules      to be defined in terms of <i>connections</i> rather than   in
-of    packets.  With Shorewall, you:</p>
+terms of    packets.  With Shorewall, you:</p>
 <ol>
                        <li>  Identify the source zone.</li>
@ -185,17 +197,17 @@ zone   and  the  server's  zone.</li>
 </ol>
-<p>  Just because connections of a particular type are allowed from zone
+<p>  Just because connections of a particular type are allowed from zone A
-A to the   firewall and are also allowed from the firewall to zone B <font
+to the   firewall and are also allowed from the firewall to zone B <font
 color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed
-      from zone A to zone  B</u></b></font>.   It rather means that you can 
+       from zone A to zone  B</u></b></font>.   It rather means that you
-  have    a proxy running on the firewall that accepts   a connection from
+can    have    a proxy running on the firewall that accepts   a connection
-  zone A  and  then establishes its own separate connection from   the firewall
+from   zone A  and  then establishes its own separate connection from   the
-  to zone B.</p>
+firewall   to zone B.</p>
 <p>For each connection request entering the firewall, the request is first
-       checked against the /etc/shorewall/rules file. If no rule in that file
+        checked against the /etc/shorewall/rules file. If no rule in that
-    matches   the connection request then the first policy in /etc/shorewall/policy 
+file     matches   the connection request then the first policy in /etc/shorewall/policy
     that   matches the request is applied. If that policy is REJECT or DROP 
    the  request  is first checked against the rules in /etc/shorewall/common.def.</p>
@ -245,8 +257,8 @@ A to the   firewall and are also allowed from the firewall to zone B <font
 to  the   internet</li>
                  <li>drop (ignore) all connection requests from the internet 
  to  your   firewall     or local network and log a message at the <i>info</i>
-   level  (<a href="shorewall_logging.html">here</a> is a description of log
+    level  (<a href="shorewall_logging.html">here</a> is a description of
-   levels).</li>
+log    levels).</li>
                  <li>reject all other connection requests and log a message
  at  the       <i>info</i>      level. When a request is rejected, the firewall
   will   return an RST (if   the    protocol is TCP) or an ICMP port-unreachable
@ -268,9 +280,9 @@ any   changes     that you  wish.</p>
 <ul>
                  <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A 
-DMZ   is  used   to  isolate your  internet-accessible servers from your
+DMZ   is  used   to  isolate your  internet-accessible servers from your local
-local  systems  so  that  if one of those  servers is compromised, you still
+ systems  so  that  if one of those  servers is compromised, you still have
-have  the firewall   between  the compromised  system and your local systems.
+ the firewall   between  the compromised  system and your local systems. 
 </li>
                  <li>The Local Zone consists of systems Local 1, Local 2 
 and   Local   3.    </li>
@ -291,12 +303,13 @@ and   Local   3.    </li>
 <p align="left">The firewall illustrated above has three network interfaces.
        Where Internet connectivity is through a cable or DSL "Modem", the
 <i>External       Interface</i> will be the Ethernet adapter that is connected
-to that  "Modem"     (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
+ to that  "Modem"     (e.g., <b>eth0</b>)  <u>unless</u> you connect via
-      <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
+<i><u>P</u>oint-to-<u>P</u>oint        <u>P</u>rotocol  over <u>E</u>thernet</i>
-      <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External 
+(PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint        <u>T</u>unneling <u>P</u>rotocol
-   Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect 
+</i>(PPTP) in which case the External     Interface   will be a ppp  interface
-  via a regular   modem, your External  Interface will also be <b>ppp0</b>. 
+(e.g., <b>ppp0</b>). If you connect    via a regular   modem, your External
-  If you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
+ Interface will also be <b>ppp0</b>.    If you connect  using ISDN, you external
 interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -306,9 +319,9 @@ to that  "Modem"     (e.g., <b>eth0</b>)
 <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
        eth1 or eth2) and will be connected to a hub or switch. Your local
-computers       will be connected to the same switch (note: If you have only 
+ computers       will be connected to the same switch (note: If you have
-a single   local   system,  you can connect the firewall directly to the computer
+only  a single   local   system,  you can connect the firewall directly to
-using   a <i>cross-over   </i> cable).</p>
+the computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
       (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your 
@ -319,8 +332,8 @@ using   a <i>cross-over   </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
               </b></u>Do not connect more than one interface  to the same
-hub   or  switch    (even for testing). It won't work the way that you  expect 
+ hub   or  switch    (even for testing). It won't work the way that you 
- it to  and you   will end up confused and believing that Linux networking 
+expect   it to  and you   will end up confused and believing that Linux networking
  doesn't  work at  all.</p>
 <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -378,10 +391,10 @@ hub   or  switch    (even for testing). It won't work the way that you  expect
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                    Edit the /etc/shorewall/interfaces file and define the
-network     interfaces   on  your firewall and associate each interface with 
+ network     interfaces   on  your firewall and associate each interface
-a zone.    If you have a  zone that  is interfaced through more than one interface,
+with  a zone.    If you have a  zone that  is interfaced through more than
-  simply include  one entry for each  interface and repeat the zone name
+one interface,   simply include  one entry for each  interface and repeat
-as   many times as necessary.</p>
+the zone name as   many times as necessary.</p>
 <p align="left">Example:</p>
@ -458,18 +471,18 @@ as   many times as necessary.</p>
 <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
       IP addresses. You will configure your firewall's external interface
-to   use    one of those addresses permanently and you will then have to decide
+ to   use    one of those addresses permanently and you will then have to
-  how  you are  going to use the rest of your addresses. Before we tackle
+decide   how  you are  going to use the rest of your addresses. Before we
-that  question   though, some  background is in order.</p>
+tackle that  question   though, some  background is in order.</p>
 <p align="left">If you are thoroughly familiar with IP addressing and routing,
        you may <a href="#Options">go to the next section</a>.</p>
-<p align="left">The following discussion barely scratches the surface of
+<p align="left">The following discussion barely scratches the surface of addressing
-addressing and routing. If you are interested in learning more about  this
+and routing. If you are interested in learning more about  this subject,
-subject, I highly recommend <i>"IP Fundamentals: What Everyone  Needs to
+I highly recommend <i>"IP Fundamentals: What Everyone  Needs to Know about
-Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
+Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,  1999, ISBN
- 1999, ISBN 0-13-975483-0.</p>
+0-13-975483-0.</p>
 <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
@ -492,8 +505,8 @@ has    value  "w", the next  byte has value "x", etc. If we take the address
 <p align="left">You will still hear the terms "Class A network", "Class B
        network" and "Class C network". In the early days of IP,  networks
-only     came  in three sizes (there were also Class D networks but they were
+ only     came  in three sizes (there were also Class D networks but they
-used     differently):</p>
+were used     differently):</p>
 <blockquote>                  
  <p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
@ -504,12 +517,12 @@ used     differently):</p>
                </blockquote>
 <p align="left">The class of a network was uniquely determined by the value
-      of the high  order byte of its address so you could look at an IP address 
+       of the high  order byte of its address so you could look at an IP
-      and immediately  determine the associated <i>netmask</i>. The netmask 
+address        and immediately  determine the associated <i>netmask</i>.
-  is   a number that when  logically ANDed with an address isolates the <i>network 
+The netmask    is   a number that when  logically ANDed with an address isolates
-      number</i>; the  remainder of the address is the <i>host number</i>.
+the <i>network        number</i>; the  remainder of the address is the <i>host
-  For    example, in the Class C  address 192.0.2.14, the network number
+number</i>.   For    example, in the Class C  address 192.0.2.14, the network
-is   hex C00002   and the host number is hex  0E.</p>
+number is   hex C00002   and the host number is hex  0E.</p>
 <p align="left">As the internet grew, it became clear that such a gross partitioning 
  of the 32-bit address space was going to be very limiting (early  on, large 
@ -550,9 +563,9 @@ is   hex C00002   and the host number is hex  0E.</p>
 than   are large ones.   </p>
 <p align="left">Since <b>n</b> is a power of two, we can easily calculate
-      the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more 
+       the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the
-   common   subnet sizes, the size and its natural logarithm are given in 
+more     common   subnet sizes, the size and its natural logarithm are given
-the      following   table:</p>
+in  the      following   table:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -639,9 +652,9 @@ the      following   table:</p>
                </blockquote>
 <p align="left">You will notice that the above table also contains a column
-         for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
+          for (32 - log2 <b>n</b>). That number is the <i>Variable Length
-      Mask</i> for a network of size <b>n</b>.    From the above table, we
+Subnet       Mask</i> for a network of size <b>n</b>.    From the above table,
- can    derive the following one which is a little easier to use.</p>
+we  can    derive the following one which is a little easier to use.</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -733,13 +746,13 @@ the      following   table:</p>
                </blockquote>
 <p align="left">Notice that the VLSM is written with a slash ("/") -- you
-      will    often hear a subnet of size 64 referred to as a "slash 26" subnet
+       will    often hear a subnet of size 64 referred to as a "slash 26"
-      and one of    size 8 referred to as a "slash 29".</p>
+subnet       and one of    size 8 referred to as a "slash 29".</p>
 <p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
       simply a 32-bit number with the first "VLSM"    bits set to one and
-the    remaining  bits set to zero. For example, for a subnet    of size 64,
+ the    remaining  bits set to zero. For example, for a subnet    of size
-the    subnet mask  has 26 leading one bits:</p>
+64, the    subnet mask  has 26 leading one bits:</p>
 <blockquote>                  
  <p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -822,8 +835,8 @@ useful in   routing.</p>
       and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
 <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
-       used to describe the ip configuration of a network interface (the 'ip'
+        used to describe the ip configuration of a network interface (the
-    utility   also uses this syntax). This simply means that the interface
+'ip'     utility   also uses this syntax). This simply means that the interface 
  is   configured  with  ip address <b>a.b.c.d</b> and with the netmask that 
  corresponds   to VLSM <b>/v</b>.</p>
@ -832,12 +845,14 @@ useful in   routing.</p>
 <p align="left">    The interface is configured with IP address  192.0.2.65
       and netmask 255.255.255.248.<br>
 </p>
-<p align="left">Beginning with Shorewall 1.4.6, /sbin/shorewall supports
+ 
-an <b>ipcalc</b> command that automatically calculates information about
+<p align="left">Beginning with Shorewall 1.4.6, /sbin/shorewall supports an
-a [sub]network.<br>
+<b>ipcalc</b> command that automatically calculates information about a [sub]network.<br>
 </p>
 <p align="left">Example 1:<br>
 </p>
 <blockquote>   
  <pre><b><font color="#009900">ipcalc 10.10.10.0/25<br></font></b>   CIDR=10.10.10.0/25<br>   NETMASK=255.255.255.128<br>   NETWORK=10.10.10.0<br>   BROADCAST=10.10.10.127<br></pre>
 </blockquote>
@ -860,21 +875,21 @@ Example 2
 <p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in
       the  Dallas, Texas area.<br>
                <br>
-               The first three routes are <i>host routes</i> since they indicate 
+                The first three routes are <i>host routes</i> since they
-   how   to  get to  a single host. In the 'netstat' output this can be seen 
+indicate     how   to  get to  a single host. In the 'netstat' output this
-   by the   "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the 
+can be seen     by the   "Genmask"  (Subnet  Mask) of 255.255.255.255 and
-  Flags column.   The remainder  are 'net' routes since they tell the  kernel 
+the "H" in the    Flags column.   The remainder  are 'net' routes since they
-  how to route  packets to a subnetwork.  The last route is the <i>default 
+tell the  kernel    how to route  packets to a subnetwork.  The last route
- route</i> and  the gateway mentioned in that route is called the <i>default 
+is the <i>default   route</i> and  the gateway mentioned in that route is
-  gateway</i>.</p>
+called the <i>default    gateway</i>.</p>
-<p align="left">When the kernel is trying to send a packet to IP address
+<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
-<b>A</b>,  it starts at the top of the routing table and:</p>
+ it starts at the top of the routing table and:</p>
 <ul>
                  <li>                              
-    <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
+    <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in
-in the  table entry.</p>
+the  table entry.</p>
                  </li>
                  <li>                              
    <p align="left">The result is compared with the 'Destination' value in
@ -886,10 +901,12 @@ in the  table entry.</p>
    <ul>
                    <li>                                                
        <p align="left">If the 'Gateway' column is non-zero, the packet is
       sent to the  gateway over the interface named in the 'Iface' column.</p>
                    </li>
                    <li>                                                
        <p align="left">Otherwise, the packet is sent directly to <b>A </b>over
       the  interface named in the 'iface' column.</p>
                    </li>
@ -903,10 +920,10 @@ in the  table entry.</p>
 </ul>
-<p align="left">Since the default route matches any IP address (<b>A</b>
+<p align="left">Since the default route matches any IP address (<b>A</b> land
-land  0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
+ 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
-table  entries are sent to the <i>default gateway</i> which is usually a
+ entries are sent to the <i>default gateway</i> which is usually a router
-router at your  ISP.</p>
+at your  ISP.</p>
 <p align="left">Lets take an example. Suppose that we want to route a packet
       to  192.168.1.5. That address clearly doesn't match any of the host
@ -918,8 +935,7 @@ routes      in the  table but if we logically and that address with 255.255.255.
  <pre>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2</pre>
                  </blockquote>
-<p>So to route a packet to 192.168.1.5, the packet is sent directly over
+<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p>
 eth2.</p>
               </div>
 <p align="left">One more thing needs to be emphasized -- all outgoing packet
@ -946,9 +962,9 @@ obtain   the MAC of  an Ethernet device using the 'ip' utility:</p>
                </blockquote>
 <div align="left">      
-<p align="left">As you can see from the above output, the MAC is 6 bytes
+<p align="left">As you can see from the above output, the MAC is 6 bytes (48
-(48    bits) wide. A card's MAC is usually also printed on a label attached
+   bits) wide. A card's MAC is usually also printed on a label attached to
-to the card    itself. </p>
+the card    itself. </p>
               </div>
 <div align="left">      
@ -972,9 +988,10 @@ to the card    itself. </p>
     with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
 <p align="left">In order to avoid having to exchange ARP information each
-      time  that an IP packet is to be sent, systems maintain an <i>ARP cache</i> 
+       time  that an IP packet is to be sent, systems maintain an <i>ARP
-      of  IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your 
+cache</i>        of  IP&lt;-&gt;MAC correspondences. You can see the ARP
-  system    (including  your Windows system) using the 'arp' command:</p>
+cache on your    system    (including  your Windows system) using the 'arp'
 command:</p>
 <blockquote>                  
  <div align="left">                  
@ -984,10 +1001,10 @@ to the card    itself. </p>
 <p align="left">The leading question marks are a result of my having specified
        the 'n' option (Windows 'arp' doesn't allow that option) which causes
-   the   'arp'  program to forego IP-&gt;DNS name translation. Had I not given
+    the   'arp'  program to forego IP-&gt;DNS name translation. Had I not
-   that   option, the  question marks would have been replaced with the FQDN
+given    that   option, the  question marks would have been replaced with
-   corresponding   to each IP  address. Notice that the last entry in the
+the FQDN    corresponding   to each IP  address. Notice that the last entry
-table   records the  information we saw  using tcpdump above.</p>
+in the table   records the  information we saw  using tcpdump above.</p>
 <h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
@ -1001,10 +1018,10 @@ for     sub-Sahara Africa is delegated to the <i><a
 Most  of us don't deal with these registrars but   rather get  our IP addresses
   from our ISP.</p>
-<p align="left">It's a fact of life that most of us can't afford as many
+<p align="left">It's a fact of life that most of us can't afford as many Public
-Public  IP addresses as we have devices to assign them to so we end up making
+ IP addresses as we have devices to assign them to so we end up making use
-use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
+of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges
-ranges for this  purpose:</p>
+for this  purpose:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -1012,10 +1029,10 @@ ranges for this  purpose:</p>
 <div align="left">      
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-      to    as <i>non-routable</i> because the Internet backbone routers don't
+       to    as <i>non-routable</i> because the Internet backbone routers
-     forward    packets which have an RFC-1918 destination address. This
+don't      forward    packets which have an RFC-1918 destination address.
-is   understandable       given that anyone can select any of these addresses
+This is   understandable       given that anyone can select any of these
- for their private   use.</p>
+addresses  for their private   use.</p>
               </div>
 <div align="left">      
@ -1026,8 +1043,8 @@ is   understandable       given that anyone can select any of these addresses
 <div align="left">      
 <ul>
                    <li>                              
-    <p align="left">As the IPv4 address space becomes depleted, more and
+    <p align="left">As the IPv4 address space becomes depleted, more and more
-more      organizations (including ISPs) are beginning to use RFC 1918 addresses 
+     organizations (including ISPs) are beginning to use RFC 1918 addresses
       in      their infrastructure.     </p>
                 </li>
                 <li>                              
@ -1041,8 +1058,8 @@ more      organizations (including ISPs) are beginning to use RFC 1918 addresses
 <div align="left">      
 <p align="left">So it's a good idea to check with your ISP to see if they
-      are    using (or are planning to use) private addresses before you decide
+       are    using (or are planning to use) private addresses before you
-      the    addresses that you are going to use.</p>
+decide       the    addresses that you are going to use.</p>
               </div>
 <div align="left">      
@ -1063,8 +1080,9 @@ more      organizations (including ISPs) are beginning to use RFC 1918 addresses
    <p align="left"><b>Routed - </b>Traffic to any of your addresses will
       be    routed through a single <i>gateway address</i>. This will generally
       only be    done if your ISP has assigned you a complete subnet (/29
-or   larger).   In this    case, you will assign the gateway address as the 
+ or   larger).   In this    case, you will assign the gateway address as
-IP   address of   your    firewall/router's external interface.     </p>
+the  IP   address of   your    firewall/router's external interface.    
    </p>
                 </li>
                 <li>                              
    <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
@ -1083,9 +1101,9 @@ IP   address of   your    firewall/router's external interface.     </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
-                 If you are using the Debian package, please check your shorewall.conf 
+                  If you are using the Debian package, please check your
-      file to ensure that the following are set correctly; if they are not, 
+shorewall.conf        file to ensure that the following are set correctly;
-  change    them appropriately:<br>
+if they are not,    change    them appropriately:<br>
               </p>
 <ul>
@ -1103,11 +1121,11 @@ IP   address of   your    firewall/router's external interface.     </p>
 <div align="left">      
 <p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28 
  routed through 192.0.2.65. That means that you have IP addresses       
- 192.0.2.64  - 192.0.2.79 and that your firewall's external IP address  
+192.0.2.64  - 192.0.2.79 and that your firewall's external IP address   is
-is     192.0.2.65.  Your ISP has also told you that you should use a netmask
+    192.0.2.65.  Your ISP has also told you that you should use a netmask 
-  of     255.255.255.0  (so your /28 is part of a larger /24). With this
+  of     255.255.255.0  (so your /28 is part of a larger /24). With this many
-many   IP     addresses,  you are able to subnet your /28 into two /29's
+  IP     addresses,  you are able to subnet your /28 into two /29's and set
-and set  up your     network  as shown in the following diagram.</p>
+ up your     network  as shown in the following diagram.</p>
               </div>
 <div align="left">      
@ -1117,10 +1135,10 @@ and set  up your     network  as shown in the following diagram.</p>
               </div>
 <div align="left">      
-<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
+<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
-Local    network is 192.0.2.72/29. The default gateway for hosts in the DMZ
+   network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
-would be    configured to 192.0.2.66 and the default gateway for hosts in
+be    configured to 192.0.2.66 and the default gateway for hosts in the local
-the local    network would be 192.0.2.73.</p>
+   network would be 192.0.2.73.</p>
               </div>
 <div align="left">      
@ -1129,8 +1147,8 @@ the local    network would be 192.0.2.73.</p>
    addresses,      192.0.2.71 and 192.0.2.79 for subnet broadcast addresses
   and 192.0.2.66   and    168.0.2.73 for internal addresses on the firewall/router.
    Nevertheless,   it    shows how subnetting can work and if we were dealing
-   with a /24 rather   than a    /28 network, the use of 6 IP addresses out 
+    with a /24 rather   than a    /28 network, the use of 6 IP addresses
-  of 256 would be justified   because    of the simplicity of the setup.</p>
+out    of 256 would be justified   because    of the simplicity of the setup.</p>
               </div>
 <div align="left">      
@ -1149,18 +1167,18 @@ The    routing  table on    DMZ 1 will look like this:</p>
 <div align="left">      
 <p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
          request and no device on the DMZ Ethernet segment has that IP address.
-      Oddly    enough, the firewall will respond to the request with the MAC
+       Oddly    enough, the firewall will respond to the request with the
-   address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet 
+MAC    address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet
 frames   addressed   to that    MAC address and the frames will be received
 (correctly)   by the   firewall/router.</p>
               </div>
 <div align="left">      
-<p align="left">It is this rather unexpected ARP behavior on the part of
+<p align="left">It is this rather unexpected ARP behavior on the part of the
-the    Linux Kernel that prompts the warning earlier in this guide regarding
+   Linux Kernel that prompts the warning earlier in this guide regarding the
-the    connecting of multiple firewall/router interfaces to the same hub
+   connecting of multiple firewall/router interfaces to the same hub or switch.
-or switch.    When an ARP request for one of the firewall/router's IP addresses
+   When an ARP request for one of the firewall/router's IP addresses is sent
-is sent by    another system connected to the hub/switch, all    of the firewall's 
+by    another system connected to the hub/switch, all    of the firewall's
       interfaces that connect to the hub/switch can respond! It    is then 
  a  race   as to which "here-is" response reaches the sender first.</p>
               </div>
@ -1170,22 +1188,22 @@ is sent by    another system connected to the hub/switch, all    of the firewall
                </div>
 <div align="left">      
-<p align="left">If you have the above situation but it is    non-routed,
+<p align="left">If you have the above situation but it is    non-routed, you
-you can configure your network exactly as described above with one    additional 
+can configure your network exactly as described above with one    additional
       twist; simply specify the "proxyarp" option on all three firewall
   interfaces     in the /etc/shorewall/interfaces file.</p>
               </div>
 <div align="left">      
-<p align="left">Most of us don't have the luxury of having enough public
+<p align="left">Most of us don't have the luxury of having enough public IP
-IP    addresses to set up our networks as shown in the preceding example
+   addresses to set up our networks as shown in the preceding example (even
-(even if    the setup is routed). </p>
+if    the setup is routed). </p>
               </div>
 <div align="left">      
 <p align="left"><b>For the remainder of this section, assume that  your ISP
-      has    assigned you IP addresses 192.0.2.176-180 and has told you to
+       has    assigned you IP addresses 192.0.2.176-180 and has told you
-  use    netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
+to   use    netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
               </div>
 <div align="left">      
@ -1217,8 +1235,8 @@ IP    addresses to set up our networks as shown in the preceding example
                </div>
 <div align="left">      
-<p align="left">Often a combination of these techniques is used. Each of
+<p align="left">Often a combination of these techniques is used. Each of these
-these    will be discussed in the sections that follow.</p>
+   will be discussed in the sections that follow.</p>
               </div>
 <div align="left">      
@ -1229,9 +1247,9 @@ these    will be discussed in the sections that follow.</p>
 <p align="left">With SNAT, an internal LAN segment is configured using RFC
       1918    addresses. When a host <b>A </b>on this internal segment initiates
       a    connection to host <b>B</b> on the internet, the firewall/router
-  rewrites    the    IP header in the request to use one of your public IP
+   rewrites    the    IP header in the request to use one of your public
-  addresses as   the source    address. When <b>B</b> responds and the response
+IP   addresses as   the source    address. When <b>B</b> responds and the
-  is received    by the firewall,    the firewall changes the destination
+response   is received    by the firewall,    the firewall changes the destination 
 address  back to   the RFC 1918 address of   <b>A</b> and forwards the response 
 back  to <b>A.</b></p>
               </div>
@ -1294,8 +1312,8 @@ back  to <b>A.</b></p>
    If   you    wanted to use a different IP address, you would either have 
  to  use   your    distributions network configuration tools to add that 
 IP  address    to the    external interface or you could set ADD_SNAT_ALIASES=Yes 
-  in    /etc/shorewall/shorewall.conf and Shorewall will add the address
+  in    /etc/shorewall/shorewall.conf and Shorewall will add the address for
-for   you.</p>
+  you.</p>
               </div>
 <div align="left">      
@ -1305,8 +1323,8 @@ for   you.</p>
 <div align="left">      
 <p align="left">When SNAT is used, it is impossible for hosts on the internet
          to initiate a connection to one of the internal systems since those
-   systems   do    not have a public IP address. DNAT provides a way to allow 
+    systems   do    not have a public IP address. DNAT provides a way to
-   selected      connections from the internet.</p>
+allow     selected      connections from the internet.</p>
               </div>
 <div align="left">      
@ -1358,9 +1376,9 @@ for   you.</p>
               </div>
 <div align="left">      
-<p align="left">This example used the firewall's external IP address for
+<p align="left">This example used the firewall's external IP address for DNAT.
-DNAT.    You can use another of your public IP addresses but Shorewall will
+   You can use another of your public IP addresses but Shorewall will not
-not add    that address to the firewall's external interface for you.</p>
+add    that address to the firewall's external interface for you.</p>
               </div>
 <div align="left">      
@ -1374,8 +1392,8 @@ not add    that address to the firewall's external interface for you.</p>
 <div align="left">      
 <ul>
                    <li>                              
-    <p align="left">A host <b>H </b>behind your firewall is assigned one
+    <p align="left">A host <b>H </b>behind your firewall is assigned one of
-of your    public IP addresses (<b>A)</b> and is assigned the same netmask
+your    public IP addresses (<b>A)</b> and is assigned the same netmask 
   <b>(M) </b>as    the firewall's external interface.     </p>
                 </li>
                 <li>                              
@ -1383,9 +1401,9 @@ of your    public IP addresses (<b>A)</b> and is assigned the same netmask
            </p>
                 </li>
                 <li>                              
-    <p align="left">When <b>H</b> issues an ARP "who has" request for an
+    <p align="left">When <b>H</b> issues an ARP "who has" request for an address
-address    in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
+   in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will
-will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
+respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
                 </li>
 </ul>
@ -1405,8 +1423,8 @@ will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
 <div align="left">   Here, we've assigned the IP addresses 192.0.2.177 to
       system DMZ 1 and    192.0.2.178 to DMZ 2. Notice that we've just assigned
       an arbitrary RFC 1918 IP    address and subnet mask to the DMZ interface
-     on the firewall. That address and    netmask isn't relevant - just be
+      on the firewall. That address and    netmask isn't relevant - just
-  sure    it doesn't overlap another subnet that    you've defined.</div>
+be   sure    it doesn't overlap another subnet that    you've defined.</div>
 <div align="left">    </div>
@ -1473,9 +1491,9 @@ file.</div>
 <div align="left">      
 <p align="left">A word of warning is in order here. ISPs typically configure
         their routers with a long ARP cache timeout. If you move a system
-from        parallel to your firewall to behind your firewall with Proxy ARP,
+ from        parallel to your firewall to behind your firewall with Proxy
-it   will     probably be HOURS before that system can communicate with the
+ARP, it   will     probably be HOURS before that system can communicate with
-internet.     There are a couple of things that you can try:<br>
+the internet.     There are a couple of things that you can try:<br>
             </p>
 <ol>
@ -1484,8 +1502,8 @@ internet.     There are a couple of things that you can try:<br>
                <br>
            "gratuitous" ARP packet should cause the ISP's router to refresh
  their    ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting
- the   MAC  address for its own IP; in addition to ensuring that the IP address 
+  the   MAC  address for its own IP; in addition to ensuring that the IP
-   isn't  a duplicate,...<br>
+address     isn't  a duplicate,...<br>
                 <br>
             "if the host sending the gratuitous ARP has just changed its 
 hardware     address...,  this packet causes any other host...that has an 
@ -1494,8 +1512,9 @@ entry accordingly."<br>
                 <br>
             Which is, of course, exactly what you want to do when you switch 
  a host   from being exposed to the Internet to behind Shorewall using proxy
-  ARP  (or  static NAT for that matter). Happily enough, recent versions of
+   ARP  (or  static NAT for that matter). Happily enough, recent versions
-  Redhat's  iputils package include "arping", whose "-U" flag does just that:<br>
+of   Redhat's  iputils package include "arping", whose "-U" flag does just
 that:<br>
                 <br>
                 <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
   proxied   IP&gt;</b></font><br>
@ -1508,13 +1527,14 @@ for   example</b></font><br>
                 <br>
               </li>
              <li>You    can call your ISP and ask them to purge the stale
-ARP   cache    entry but many    either can't or won't purge individual entries.</li>
+ ARP   cache    entry but many    either can't or won't purge individual
 entries.</li>
 </ol>
             You can determine if your    ISP's gateway ARP cache is stale
-using    ping   and tcpdump. Suppose that we    suspect that the gateway router
+ using    ping   and tcpdump. Suppose that we    suspect that the gateway
-has   a stale   ARP cache entry for 192.0.2.177.    On the firewall, run
+router has   a stale   ARP cache entry for 192.0.2.177.    On the firewall,
-tcpdump   as follows:</div>
+run tcpdump   as follows:</div>
 <div align="left">      
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1540,11 +1560,11 @@ tcpdump   as follows:</div>
 <div align="left">      
 <p align="left">Notice that the source MAC address in the echo request is
-         different from the destination MAC address in the echo reply!! In
+          different from the destination MAC address in the echo reply!!
-  this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
+In   this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0
-while  0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other words,
+NIC while  0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other
-the  gateway's ARP cache     still    associates 192.0.2.177 with the NIC
+words, the  gateway's ARP cache     still    associates 192.0.2.177 with
-in DMZ  1 rather than with the   firewall's    eth0.</p>
+the NIC in DMZ  1 rather than with the   firewall's    eth0.</p>
               </div>
 <div align="left">      
@ -1553,9 +1573,9 @@ in DMZ  1 rather than with the   firewall's    eth0.</p>
 <div align="left">      
 <p align="left">With static NAT, you assign local systems RFC 1918 addresses
-         then establish a one-to-one mapping between those addresses and public
+          then establish a one-to-one mapping between those addresses and
-      IP    addresses. For outgoing connections SNAT (Source Network Address
+public       IP    addresses. For outgoing connections SNAT (Source Network
-    Translation) occurs and on incoming connections      DNAT (Destination 
+Address     Translation) occurs and on incoming connections      DNAT (Destination
  Network   Address Translation) occurs. Let's go back to our earlier example
  involving   your daughter's   web    server running on system Local 3.</p>
               </div>
@ -1676,8 +1696,8 @@ in DMZ  1 rather than with the   firewall's    eth0.</p>
 <p align="left">A word of warning is in order here. ISPs typically configure
         their routers with a long ARP cache timeout. If you move a system
 from        parallel to your firewall to behind your firewall with static
-NAT, it   will     probably be HOURS before that system can communicate with 
+ NAT, it   will     probably be HOURS before that system can communicate
-the internet.     There are a couple of things that you can try:<br>
+with  the internet.     There are a couple of things that you can try:<br>
             </p>
 <ol>
@ -1686,8 +1706,8 @@ Illustrated,    Vol 1</i> reveals that a <br>
                <br>
            "gratuitous" ARP packet should cause the ISP's router to refresh
  their    ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting
- the   MAC  address for its own IP; in addition to ensuring that the IP address 
+  the   MAC  address for its own IP; in addition to ensuring that the IP
-   isn't  a duplicate,...<br>
+address     isn't  a duplicate,...<br>
                 <br>
             "if the host sending the gratuitous ARP has just changed its 
 hardware     address...,  this packet causes any other host...that has an 
@ -1696,8 +1716,9 @@ entry accordingly."<br>
                 <br>
             Which is, of course, exactly what you want to do when you switch 
  a host   from being exposed to the Internet to behind Shorewall using proxy
-  ARP  (or  static NAT for that matter). Happily enough, recent versions of
+   ARP  (or  static NAT for that matter). Happily enough, recent versions
-  Redhat's  iputils package include "arping", whose "-U" flag does just that:<br>
+of   Redhat's  iputils package include "arping", whose "-U" flag does just
 that:<br>
                 <br>
                 <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
   proxied   IP&gt;</b></font><br>
@ -1714,9 +1735,9 @@ for   example</b></font><br>
 </ol>
             You can determine if your    ISP's gateway ARP cache is stale
-using    ping   and tcpdump. Suppose that we    suspect that the gateway router
+ using    ping   and tcpdump. Suppose that we    suspect that the gateway
-has   a stale   ARP cache entry for 209.0.2.179.    On the firewall, run
+router has   a stale   ARP cache entry for 209.0.2.179.    On the firewall,
-tcpdump   as follows:</div>
+run tcpdump   as follows:</div>
 <div align="left">      
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1742,11 +1763,11 @@ tcpdump   as follows:</div>
 <div align="left">      
 <p align="left">Notice that the source MAC address in the echo request is
-         different from the destination MAC address in the echo reply!! In
+          different from the destination MAC address in the echo reply!!
-  this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
+In   this     case    0:4:e2:20:20:33 was the MAC of the firewall's eth0
-while  0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other words,
+NIC while  0:c0:a8:50:b2:57        was the MAC address of DMZ 1. In other
-the  gateway's ARP cache     still    associates 192.0.2.179 with the NIC
+words, the  gateway's ARP cache     still    associates 192.0.2.179 with
-in the local zone rather than with the   firewall's    eth0.</p>
+the NIC in the local zone rather than with the   firewall's    eth0.</p>
               </div>
 <h3 align="left"><a name="Rules"></a>5.3 Rules</h3>
@ -1757,11 +1778,11 @@ in the local zone rather than with the   firewall's    eth0.</p>
 height="13">
                      With the default policies, your local systems (Local
 1-3)   can   access   any    servers on the internet and the DMZ can't access
-any   other   host (including   the    firewall). With the exception of <a
+ any   other   host (including   the    firewall). With the exception of
- href="#DNAT">DNAT rules</a> which   cause    address translation and allow 
+<a href="#DNAT">DNAT rules</a> which   cause    address translation and allow
-    the translated connection request  to pass    through the firewall, the 
+     the translated connection request  to pass    through the firewall,
-  way  to allow connection requests through   your    firewall is to use ACCEPT
+the    way  to allow connection requests through   your    firewall is to
-   rules.</p>
+use ACCEPT    rules.</p>
               </div>
 <div align="left">      
@ -1916,8 +1937,8 @@ any   other   host (including   the    firewall). With the exception of <a
                </div>
 <div align="left">      
-<p align="left">If you run a public DNS server on 192.0.2.177, you would
+<p align="left">If you run a public DNS server on 192.0.2.177, you would need
-need    to add the following rules:</p>
+   to add the following rules:</p>
               </div>
 <div align="left">      
@ -2005,8 +2026,9 @@ need    to add the following rules:</p>
 <div align="left">      
 <p align="left">You probably want some way to communicate with your firewall
-         and DMZ systems from the local network -- I recommend SSH which through
+          and DMZ systems from the local network -- I recommend SSH which
-      its    scp utility can also do publishing and software update distribution.</p>
+through       its    scp utility can also do publishing and software update
 distribution.</p>
               </div>
 <div align="left">      
@ -2049,17 +2071,17 @@ need    to add the following rules:</p>
                </div>
 <div align="left">      
-<p align="left">The above discussion reflects my personal preference for
+<p align="left">The above discussion reflects my personal preference for using
-using    Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
+   Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
-I prefer    to use NAT only in cases where a system that is part of an RFC
+prefer    to use NAT only in cases where a system that is part of an RFC 1918
-1918 subnet    needs to have it's own public IP. </p>
+subnet    needs to have it's own public IP. </p>
               </div>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-                     If you haven't already, it would be a good idea to browse 
+                      If you haven't already, it would be a good idea to
-  through      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> 
+browse    through      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
   just     to see    if there is anything there that might be of interest. 
  You might     also want to    look at the other configuration files that 
 you haven't  touched   yet just to get    a feel for the other things that 
@ -2067,14 +2089,13 @@ I prefer    to use NAT only in cases where a system that is part of an RFC
               </div>
 <div align="left">      
-<p align="left">In case you haven't been keeping score, here's the final
+<p align="left">In case you haven't been keeping score, here's the final set
-set    of configuration files for our sample network. Only those that were
+   of configuration files for our sample network. Only those that were modified
-modified    from the original installation are shown.</p>
+   from the original installation are shown.</p>
               </div>
 <div align="left">      
-<p align="left">/etc/shorewall/interfaces (The "options" will be very   
+<p align="left">/etc/shorewall/interfaces (The "options" will be very    site-specific).</p>
 site-specific).</p>
               </div>
 <div align="left">      
@ -2454,10 +2475,10 @@ bring   up Shorewall   before    you bring up your network interfaces.</p>
                </div>
 <div align="left">      
-<p align="left">Given the collection of RFC 1918 and public addresses in
+<p align="left">Given the collection of RFC 1918 and public addresses in this
-this    setup, it only makes sense to have separate internal and external
+   setup, it only makes sense to have separate internal and external DNS
-DNS servers.    You can  combine the two into a single BIND 9 server using
+servers.    You can  combine the two into a single BIND 9 server using <i>Views.
-<i>Views.   </i>   If you are not interested in Bind 9 views, you can   <a
+  </i>   If you are not interested in Bind 9 views, you can   <a
 href="#StartingAndStopping">go to the next section</a>.</p>
               </div>
@ -2466,9 +2487,10 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
          DMZ systems named www.foobar.net and mail.foobar.net and you want 
  the    three    local systems named "winken.foobar.net, blinken.foobar.net 
  and  nod.foobar.net.      You want your firewall to be known as firewall.foobar.net
-   externally and  it's    interface to the local network to be know as gateway.foobar.net 
+    externally and  it's    interface to the local network to be know as
-    and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS
+gateway.foobar.net      and  its    interface to the dmz as dmz.foobar.net.
-  server    on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
+Let's have the DNS   server    on    192.0.2.177 which will also be known
 by the name ns1.foobar.net.</p>
               </div>
 <div align="left">      
@ -2597,9 +2619,9 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
          and stopped using "shorewall stop". When the firewall is stopped, 
  routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
-         running firewall may be restarted using the "shorewall restart" command.
+          running firewall may be restarted using the "shorewall restart"
-      If    you want to totally remove any trace of Shorewall from your Netfilter
+command.       If    you want to totally remove any trace of Shorewall from
-         configuration, use "shorewall clear".</p>
+your Netfilter          configuration, use "shorewall clear".</p>
               </div>
 <div align="left">      
@ -2628,5 +2650,6 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
      Thomas  M. Easte</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -9,38 +9,31 @@
  <title>Shoreline Firewall (Shorewall) 1.4</title>
-                                                  <base target="_self">
+                                                              <base
 target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
- bgcolor="#4b017c">
+ bgcolor="#3366ff">
                     <tbody>
                    <tr>
-                            <td width="33%" height="90" valign="middle"
+                               <td width="33%" height="90"
- align="left"><a href="http://www.cityofshoreline.com"><img
+ valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
 src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
 border="0">
                     </a></td>
-                 <td valign="middle" width="34%" align="center">        
+                                        <td valign="middle"
-                                                                        
+ bgcolor="#ffffff" width="34%" align="center">                           
-                                                                        
+                                                                      <img
-                                                                        
+ src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
                     </td>
-                  <td valign="middle">                                  
+       <td valign="top" width="33"><br>
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><br>
                                                                      </a></h1>
                  <br>
       </td>
                                              </tr>
@ -64,6 +57,7 @@
      <h2 align="left">What is it?</h2>
@ -84,18 +78,18 @@
      <p>This program is free software; you can redistribute it and/or modify 
   it          under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
-GNU General Public License</a> as published by the Free   Software      
+General Public License</a> as published by the Free   Software          
 Foundation.<br>
                                <br>
-                  This     program         is   distributed            in 
+                     This     program         is   distributed          
-  the       hope       that      it   will        be  useful,    but     
+ in    the       hope       that      it   will        be  useful,    but 
-    WITHOUT        ANY         WARRANTY;         without           even the
+         WITHOUT        ANY         WARRANTY;         without           even
-   implied      warranty          of MERCHANTABILITY                   or
+ the    implied      warranty          of MERCHANTABILITY               
- FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the     GNU
+   or  FITNESS     FOR   A  PARTICULAR          PURPOSE.        See the 
- General     Public  License                for   more details.<br>
+   GNU  General     Public  License                for   more details.<br>
                                <br>
@ -116,6 +110,19 @@ GNU General Public License</a> as published by the Free   Software
      <h2>This is the Shorewall 1.4 Web Site</h2>
 The information on this site applies only to 1.4.x releases of Shorewall.
 For older versions:<br>
      <ul>
           <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
 target="_top">here.</a></li>
           <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>.<br>
           </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
                                   New to Shorewall? Start by selecting the 
       <a
@ -138,12 +145,21 @@ not  apply   directly   to  your   setup.  If you want to use the documentation
      <h2><b>News</b></h2>
      <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
        <br>
   </b></p>
  Thanks to the folks at securityopensource.org.br, there is now a <a
 href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
 mirror in Brazil</a>.              
      <p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
         <br>
         </b>   </p>
      <blockquote><b><a
 href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
 href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
@ -158,19 +174,19 @@ start  errors when started using the "service" mechanism has been worked
 around.<br>
          <br>
        </li>
-         <li>Where a list of IP addresses appears in the DEST column of a 
+            <li>Where a list of IP addresses appears in the DEST column of
-DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in the nat 
+ a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in the
-table (one for each element in the list). Shorewall now correctly creates 
+ nat  table (one for each element in the list). Shorewall now correctly creates
  a single DNAT rule with multiple "--to-destination" clauses.<br>
         <br>
     </li>
-         <li>Corrected a problem in Beta 1 where DNS names containing a "-" 
+            <li>Corrected a problem in Beta 1 where DNS names containing
-were mis-handled when they appeared in the DEST column of a rule.<br>
+a  "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
             <br>
           </li>
-        <li value="4">A number of problems with rule parsing have been corrected.
+           <li value="4">A number of problems with rule parsing have been 
-Corrections involve the handling of "z1!z2" in the SOURCE column as well
+corrected.  Corrections involve the handling of "z1!z2" in the SOURCE column 
-as lists in the ORIGINAL DESTINATION column.<br>
+as well as lists in the ORIGINAL DESTINATION column.<br>
      </li>
      </ol>
@ -184,15 +200,15 @@ in the host file as follows:<br>
         <br>
         z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
         <br>
-  This capability was never documented and has been removed in 1.4.6 to allow 
+     This capability was never documented and has been removed in 1.4.6 to
-entries of the following format:<br>
+ allow  entries of the following format:<br>
         <br>
         z   eth1:192.168.1.0/24,192.168.2.0/24<br>
         <br>
       </li>
-         <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been 
+            <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
-removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
+ been  removed from /etc/shorewall/shorewall.conf. These capabilities are
- detected by Shorewall (see below).<br>
+now automatically  detected by Shorewall (see below).<br>
       </li>
      </ol>
@ -201,18 +217,18 @@ removed from /etc/shorewall/shorewall.conf. These capabilities are now automatic
      </p>
      <ol>
-         <li>A 'newnotsyn' interface option has been added. This option may 
+            <li>A 'newnotsyn' interface option has been added. This option
-be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
+ may  be specified in /etc/shorewall/interfaces and overrides the setting
- for packets arriving on the associated interface.<br>
+NEWNOTSYN=No  for packets arriving on the associated interface.<br>
          <br>
        </li>
            <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
- to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address 
+   to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
- ranges.<br>
+address   ranges.<br>
          <br>
        </li>
-         <li>Shorewall can now add IP addresses to subnets other than the 
+            <li>Shorewall can now add IP addresses to subnets other than
-first  one on an interface.<br>
+the   first  one on an interface.<br>
          <br>
        </li>
            <li>DNAT[-] rules may now be used to load balance (round-robin) 
@ -237,11 +253,11 @@ start, restart and check commands have been enhanced to report the outcome:<br>
          <br>
        </li>
            <li>Support for the Connection Tracking Match Extension has been
-added.  This extension is available in recent kernel/iptables releases and 
+  added.  This extension is available in recent kernel/iptables releases
-allows  for rules which match against elements in netfilter's connection tracking
+and   allows  for rules which match against elements in netfilter's connection
- table. Shorewall automatically detects the availability of this extension
+ tracking  table. Shorewall automatically detects the availability of this
- and reports its availability in the output of the start, restart and check
+ extension  and reports its availability in the output of the start, restart
- commands.<br>
+ and check  commands.<br>
          <br>
      Shorewall has detected the following iptables/netfilter capabilities:<br>
         NAT: Available<br>
@ -250,18 +266,18 @@ allows  for rules which match against elements in netfilter's connection trackin
         Connection Tracking Match: Available<br>
      Verifying Configuration...<br>
          <br>
-   If this extension is available, the ruleset generated by Shorewall is
+      If this extension is available, the ruleset generated by Shorewall
-changed  in the following ways:</li>
+is  changed  in the following ways:</li>
        <ul>
              <li>To handle 'norfc1918' filtering, Shorewall will not create
-chains  in the mangle table but will rather do all 'norfc1918' filtering in
+  chains  in the mangle table but will rather do all 'norfc1918' filtering
-the filter  table (rfc1918 chain).</li>
+ in the filter  table (rfc1918 chain).</li>
-           <li>Recall that Shorewall DNAT rules generate two netfilter rules; 
+              <li>Recall that Shorewall DNAT rules generate two netfilter 
-one  in the nat table and one in the filter table. If the Connection Tracking 
+rules;  one  in the nat table and one in the filter table. If the Connection 
-Match Extension is available, the rule in the filter table is extended to 
+Tracking  Match Extension is available, the rule in the filter table is extended 
-check that the original destination address was the same as specified (or 
+to  check that the original destination address was the same as specified 
-defaulted to) in the DNAT rule.<br>
+(or  defaulted to) in the DNAT rule.<br>
            <br>
          </li>
@ -293,10 +309,10 @@ defaulted to) in the DNAT rule.<br>
         <br>
     Warning:<br>
         <br>
-  If your shell only supports 32-bit signed arithmatic (ash or dash), then
+     If your shell only supports 32-bit signed arithmatic (ash or dash),
- the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
+then   the ipcalc command produces incorrect information for IP addresses
- and for /1 networks. Bash should produce correct information for all valid
+128.0.0.0-1   and for /1 networks. Bash should produce correct information
- IP addresses.<br>
+for all valid   IP addresses.<br>
         <br>
       </li>
            <li>An 'iprange' command has been added to /sbin/shorewall. <br>
@ -304,8 +320,9 @@ defaulted to) in the DNAT rule.<br>
           iprange &lt;address&gt;-&lt;address&gt;<br>
         <br>
     This command decomposes a range of IP addressses into a list of network
-and host addresses. The command can be useful if you need to construct an 
+  and host addresses. The command can be useful if you need to construct
-efficient set of rules that accept connections from a range of network addresses.<br>
+an   efficient set of rules that accept connections from a range of network
 addresses.<br>
         <br>
     Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
  then the range may not span 128.0.0.0.<br>
@ -327,7 +344,8 @@ then the range may not span 128.0.0.0.<br>
           [root@gateway root]#<br>
         <br>
       </li>
-         <li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
+            <li>A list of host/net addresses is now allowed in an entry in
 /etc/shorewall/hosts.<br>
         <br>
     Example:<br>
         <br>
@ -341,31 +359,38 @@ then the range may not span 128.0.0.0.<br>
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
            </p>
      <ol>
-                <li>The command "shorewall debug try &lt;directory&gt;" now 
+                   <li>The command "shorewall debug try &lt;directory&gt;"
- correctly   traces the attempt.</li>
+ now   correctly   traces the attempt.</li>
                   <li>The INCLUDE directive now works properly in the zones
  file;    previously, INCLUDE in that file was ignored.</li>
-                <li>/etc/shorewall/routestopped records with an empty second
+                   <li>/etc/shorewall/routestopped records with an empty
-  column   are no longer ignored.<br>
+second    column   are no longer ignored.<br>
              </li>
      </ol>
      <p>New Features:<br>
            </p>
      <ol>
                   <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] 
 rule   may  now contain a list of addresses. If the list begins with "!' 
 then the   rule  will take effect only if the original destination address 
 in the connection    request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
                             </b></p>
              The firewall at shorewall.net has been upgraded to the 2.4.21 
@ -385,14 +410,17 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.
      <ol>
      </ol>
      <p><b></b></p>
      <p><b></b></p>
@ -400,12 +428,14 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.
      <blockquote>                                                       
        <ol>
        </ol>
                                        </blockquote>
@ -419,33 +449,36 @@ version  is   1.4.4b plus the accumulated changes for 1.4.5.
      <p><b><a href="News.htm">More News</a></b></p>
                                                          <b>      </b> 
      <h2><b> </b></h2>
                                                    <b>      </b>       
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
-                         </a>Jacques        Nilo       and     Eric     Wolzak
+                            </a>Jacques        Nilo       and     Eric  
-         have       a   LEAF  (router/firewall/gateway                  
+  Wolzak          have       a   LEAF  (router/firewall/gateway         
              on   a  floppy,       CD    or compact     flash)  distribution
-           called                 <i>Bering</i>          that          features
+                called                 <i>Bering</i>          that      
-                  Shorewall-1.4.2         and    Kernel-2.4.20.         
+   features                   Shorewall-1.4.2         and    Kernel-2.4.20.
-You        can     find         their    work at:                <a
+          You        can     find         their    work at:             
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+        <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                   <b>Congratulations          to  Jacques
-   and     Eric     on   the     recent    release     of  Bering       1.2!!! 
+     and     Eric     on   the     recent    release     of  Bering     
-        </b><br>
+ 1.2!!!          </b><br>
@ -459,12 +492,14 @@ You        can     find         their    work at:                <a
      <h4><b>       </b></h4>
                                                    <b>      </b>       
      <h2><b>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </b></h2>
                                                    <b>      </b>       
@ -472,18 +507,22 @@ You        can     find         their    work at:                <a
      <h2><b><a name="Donations"></a>Donations</b></h2>
                                            <b>                        </b></td>
-                                <td width="88" bgcolor="#4b017c"
+      <h2><b><a name="Donations"></a>Donations</b></h2>
                                               <b>                      
       </b></td>
                                   <td width="88" bgcolor="#3366ff"
 valign="top" align="center">                                            
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch">                   
        <p><strong><br>
                                       <font color="#ffffff"><b>Note: </b></font></strong>
                           <font color="#ffffff">Search is unavailable Daily
@ -508,6 +547,7 @@ You        can     find         their    work at:                <a
      <p><font color="#ffffff"><b>         <a
 href="http://lists.shorewall.net/htdig/search.html">         <font
 color="#ffffff">Extended Search</font></a></b></font></p>
@ -531,7 +571,7 @@ You        can     find         their    work at:                <a
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
- bgcolor="#4b017c">
+ bgcolor="#3366ff">
                  <tbody>
@ -553,12 +593,13 @@ You        can     find         their    work at:                <a
      <p align="center"><font size="4" color="#ffffff"><br>
-                 <font size="+2">Shorewall is free but if       you try it
+                    <font size="+2">Shorewall is free but if       you try
- and   find   it useful, please consider making a donation              
+ it  and   find   it useful, please consider making a donation          
-                                                        to             <a
+                                                            to          
- href="http://www.starlight.org"><font color="#ffffff">Starlight     Children's 
+        <a href="http://www.starlight.org"><font color="#ffffff">Starlight 
-             Foundation.</font></a> Thanks!</font></font></p>
+    Children's               Foundation.</font></a> Thanks!</font></font></p>
                            </td>
@ -573,5 +614,6 @@ You        can     find         their    work at:                <a
 <p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                                                      <br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber6" bgcolor="#400169" height="90">
+ id="AutoNumber6" bgcolor="#3366ff" height="90">
            <tbody>
             <tr>
              <td width="100%">                     
@ -45,16 +45,16 @@
 <p>Shorewall requires that you have the iproute/iproute2 package installed 
    (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
-  if  this  package is installed by the presence of an <b>ip</b> program
+  if  this  package is installed by the presence of an <b>ip</b> program on
-on   your  firewall  system. As root, you can use the 'which' command to
+  your  firewall  system. As root, you can use the 'which' command to check
-check   for this  program:</p>
+  for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you read through the guide  first to familiarize yourself 
    with what's involved then go back through it again  making your configuration 
-    changes.  Points at which configuration changes  are recommended are
+    changes.  Points at which configuration changes  are recommended are flagged
-flagged     with <img border="0" src="images/BD21298_.gif" width="13"
+    with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         .</p>
@ -68,8 +68,9 @@ disk, you must run dos2unix against the  copy before using it with Shorewall.</p
 <ul>
            <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
 Version     of    dos2unix</a></li>
-           <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
+            <li><a
-   Version  of    dos2unix</a></li>
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
 of    dos2unix</a></li>
 </ul>
@ -118,11 +119,11 @@ one    zone is  defined:</p>
    in  terms of zones.</p>
 <ul>
-           <li>You express your default policy for connections from one zone
+            <li>You express your default policy for connections from one
-  to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
       </a>file.</li>
-           <li>You define exceptions to those default policies in the   <a
+            <li>You define exceptions to those default policies in the  
- href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+    <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -133,8 +134,8 @@ one    zone is  defined:</p>
  the request is first  checked against the rules in /etc/shorewall/common 
 (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample
+<p>The /etc/shorewall/policy file included with the one-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>         
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -180,8 +181,8 @@ has the  following policies:</p>
            <li>allow all connection requests from the firewall to the internet</li>
            <li>drop (ignore) all connection requests from the internet to
 your   firewall</li>
-           <li>reject all other connection requests (Shorewall requires this
+            <li>reject all other connection requests (Shorewall requires
-  catchall      policy).</li>
+this   catchall      policy).</li>
 </ol>
@ -235,8 +236,8 @@ option    list. </p>
 <p align="left">These addresses are sometimes referred to as <i>non-routable</i> 
       because the Internet backbone routers will not forward a packet whose 
-      destination address is reserved by RFC 1918. In some cases though,
+      destination address is reserved by RFC 1918. In some cases though, ISPs
-ISPs     are    assigning these addresses then using <i>Network Address Translation
+    are    assigning these addresses then using <i>Network Address Translation 
    </i>to    rewrite packet headers when forwarding to/from the internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -285,8 +286,8 @@ ISPs     are    assigning these addresses then using <i>Network Address Translat
          </div>
 <div align="left">   
-<p align="left">Example - You want to run a Web Server and a POP3 Server
+<p align="left">Example - You want to run a Web Server and a POP3 Server on
-on your firewall    system:</p>
+your firewall    system:</p>
         </div>
 <div align="left">   
@ -334,8 +335,8 @@ uses, see <a href="ports.htm">here</a>.</p>
 <div align="left">   
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
-       the internet because it uses clear text (even for login!). If you
+       the internet because it uses clear text (even for login!). If you want
-want     shell    access to your firewall from the internet, use SSH:</p>
+    shell    access to your firewall from the internet, use SSH:</p>
         </div>
 <div align="left">   
@ -396,8 +397,8 @@ want     shell    access to your firewall from the internet, use SSH:</p>
 <div align="left">   
 <p align="left">The firewall is started using the "shorewall start" command 
-       and stopped using "shorewall stop". When the firewall is stopped,
+       and stopped using "shorewall stop". When the firewall is stopped, routing
-routing     is    enabled on those hosts that have an entry in   <a
+    is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
       running firewall may be restarted using the "shorewall restart" command. 
    If    you want to totally remove any trace of Shorewall from your Netfilter 
@ -407,8 +408,8 @@ routing     is    enabled on those hosts that have an entry in   <a
 <div align="left">   
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
    the    internet, do not issue a "shorewall stop" command unless you have 
-   added an    entry for the IP address that you are connected from to  
+   added an    entry for the IP address that you are connected from to   <a
-<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+ href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
 Also, I don't recommend using "shorewall restart"; it is better to create 
    an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
    and    test it using the <a
@ -429,5 +430,6 @@ routing     is    enabled on those hosts that have an entry in   <a
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/standalone_fr.html
+++ b/Shorewall-docs/standalone_fr.html
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber6" bgcolor="#400169" height="90">
+ id="AutoNumber6" bgcolor="#3366ff" height="90">
     <tbody>
       <tr>
         <td width="100%">                     
@ -32,22 +32,22 @@
 <p align="left"><small><i><u>Notes du traducteur</u> :<br>
   Je ne prétends pas être un vrai traducteur dans le sens ou mon travail 
 n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une 
-traduction exacte du texte, mais plutôt à en faire une version française
+traduction exacte du texte, mais plutôt à en faire une version française intelligible
-intelligible par tous (et par moi). Les termes techniques sont la plupart
+par tous (et par moi). Les termes techniques sont la plupart du temps conservés
-du temps conservés sous leur forme originale et mis entre parenthèses car
+sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
-vous pouvez les retrouver dans le reste des documentations ainsi que dans
+dans le reste des documentations ainsi que dans les fichiers de configuration.
-les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
+N?hésitez pas à me contacter afin d?améliorer ce document <a
-ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
+ href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
-(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
+pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
-Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
+son formidable outil et sa disponibilité)</i><i>.</i></small></p>
 <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
 pour un petit réseau est une chose assez simple, si vous comprenez les bases
 et suivez la documentation.</p>
-<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
+<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
-focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation
+se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
-la plus courante :</p>
+utilisation la plus courante :</p>
 <ul>
     <li>Un système Linux</li>
@ -57,33 +57,33 @@ rtc...</li>
 </ul>
-<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
+<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
-pouvez voir si le paquet est installé en vérifiant la présence du programme 
+Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
 ip sur votre système de firewall. Sous root, utilisez la commande 'which'
 pour rechercher le programme :</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
-vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant 
+ vous familiariser avec ce qu'il va se passer, et de revenir au début en
-le changements dans votre configuration. Les points, où les changements dans 
+effectuant  le changements dans votre configuration. Les points, où les changements
-la configuration sont recommandées, sont signalés par une <img
+dans  la configuration sont recommandées, sont signalés par une <img
 border="0" src="images/BD21298_.gif" width="13" height="13">
   .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
   Si vous éditez vos fichiers de configuration sur un système Windows, vous 
 devez les sauver comme des fichiers Unix si votre éditeur supporte cette 
-option sinon vous devez les faire passer par dos2unix avant d'essayer de
+option sinon vous devez les faire passer par dos2unix avant d'essayer de les
-les utiliser. De la même manière, si vous copiez un fichier de configuration
+utiliser. De la même manière, si vous copiez un fichier de configuration depuis
-depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix
+votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
-sur la copie avant de l'utiliser avec Shorewall.</p>
+la copie avant de l'utiliser avec Shorewall.</p>
 <ul>
     <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
 of    dos2unix</a></li>
-    <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version 
+     <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
@ -101,12 +101,12 @@ un-tarez le  (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shor
 installés lors de l'installation de Shorewall)</b>.</p>
 <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
-physiquement présents sur votre système -- chacun des fichiers contient des 
+ physiquement présents sur votre système -- chacun des fichiers contient
-instructions de configuration détaillées et des entrées par défaut.</p>
+des  instructions de configuration détaillées et des entrées par défaut.</p>
 <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
-<i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface,
+ <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
-une seule zone est définie :</p>
+interface, une seule zone est définie :</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -126,8 +126,8 @@ une seule zone est d
 <p>Les zones de Shorewall sont définies dans <a
 href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
-<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
+<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
-par défaut,    le firewall lui-même est connu en tant que <b>fw</b>.</p>
+- par défaut,    le firewall lui-même est connu en tant que <b>fw</b>.</p>
 <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
 en utilisant les termes de zones.</p>
@ -143,10 +143,11 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
 demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
-Si aucune des règles dans ce fichier ne correspondent, alors la première politique
+ Si aucune des règles dans ce fichier ne correspondent, alors la première
-dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
+politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
-est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
+politique est REJECT ou DROP la requête est alors comparée par rapport aux
-dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
+règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
 ce fichier).</p>
 <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
 a les politiques suivantes :</p>
@ -210,8 +211,8 @@ que vous d
 <h2 align="left">Interface Externe</h2>
 <p align="left">Le firewall possède une seule interface réseau. Lorsque la
-connexion Internet passe par un modem câble ou par un routeur ADSL (pas un 
+ connexion Internet passe par un modem câble ou par un routeur ADSL (pas
-simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur 
+un  simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
 ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
 par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
 (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) 
@ -247,8 +248,8 @@ de la liste d'option. </p>
   </div>
 <div align="left">   
-<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP)
+<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
-pour l'utilisation dans des réseaux privés :</p>
+(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
 <div align="left">   
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -309,8 +310,8 @@ vers votre   firewall, le format g
   </div>
 <div align="left">   
-<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur
+<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
-POP3 sur votre système de firewall :</p>
+serveur POP3 sur votre système de firewall :</p>
   </div>
 <div align="left">   
@ -362,9 +363,9 @@ particuli
 <div align="left">   
 <p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
-telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour 
+ telnet depuis ou vers l'Internet car il utilise du texte en clair (même
-le login et le mot de passe !). Si vous voulez avoir un accès au shell de 
+pour  le login et le mot de passe !). Si vous voulez avoir un accès au shell
-votre firewall depuis Internet, utilisez SSH :</p>
+de  votre firewall depuis Internet, utilisez SSH :</p>
   </div>
 <div align="left">   
@ -424,26 +425,26 @@ la configuration du firewall, vous pouvez permettre le lancement de Shorewall
 en supprimant le fichier /etc/shorewall/startup_disabled.<br>
   </p>
-<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
-paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
+des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
   </p>
   </div>
 <div align="left">   
 <p align="left">Le firewall est activé en utilisant la commande "shorewall
-start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le 
+ start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
-routage est autorisé sur les hôtes qui possèdent une entrée dans <a
+le  routage est autorisé sur les hôtes qui possèdent une entrée dans <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
 firewall qui tourne peut être relancé en utilisant la commande "shorewall
-restart".   Si vous voulez enlever toutes traces de Shorewall sur votre configuration 
+ restart".   Si vous voulez enlever toutes traces de Shorewall sur votre
-de Netfilter, utilisez "shorewall clear".</p>
+configuration  de Netfilter, utilisez "shorewall clear".</p>
   </div>
 <div align="left">   
-<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis
+<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
-Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
+depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
-pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
+n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
-êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
 il est plus intéressant de créer une <i><a
 href="configuration_file_basics.htm#Configs">configuration alternative</a></i> 
@ -465,5 +466,6 @@ M. Eastep</font></a></p>
   <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                         <tbody>
                  <tr>
                           <td width="100%">                
@ -32,10 +32,10 @@
       I  recommend that you start the firewall     automatically at boot.
 Once     you  have installed      "firewall" in your init.d directory, simply
 type         "chkconfig --add firewall". This will start the     firewall
-in run   levels   2-5 and stop it in run levels 1 and 6.     If you want to
+ in run   levels   2-5 and stop it in run levels 1 and 6.     If you want
-configure   your  firewall differently from this     default, you can use
+to configure   your  firewall differently from this     default, you can
-the "--level"   option  in     chkconfig (see "man chkconfig") or using your
+use the "--level"   option  in     chkconfig (see "man chkconfig") or using
-    favorite   graphical  run-level editor.</p>
+your     favorite   graphical  run-level editor.</p>
 <p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
              </p>
@ -64,8 +64,8 @@ edit /etc/default/shorewall and set    'startup=1'.<br>
    running)   and  then starts it again</li>
                  <li>shorewall reset - reset the packet and byte counters
             in the  firewall</li>
-                 <li>shorewall clear - remove all rules and chains      installed
+                  <li>shorewall clear - remove all rules and chains     
-   by Shoreline  Firewall</li>
+installed    by Shoreline  Firewall</li>
                  <li>shorewall refresh - refresh the rules involving the 
 broadcast             addresses  of firewall interfaces, <a
 href="blacklisting_support.htm">the black list</a>, <a
@ -73,13 +73,13 @@ broadcast             addresses  of firewall interfaces, <a
 href="ECN.html">ECN control rules</a>.</li>
 </ul>
-         If you include the keyword <i>debug</i> as the first argument, then 
+          If you include the keyword <i>debug</i> as the first argument,
- a  shell  trace of the command is produced as in:<br>
+then   a  shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
-<p>The above command would trace the 'start' command and place the trace information
+<p>The above command would trace the 'start' command and place the trace
-in the file /tmp/trace<br>
+information in the file /tmp/trace<br>
         </p>
 <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
@ -101,19 +101,19 @@ the  mangle    table          (iptables -t mangle -L -n -v)</li>
 entries.</li>
                  <li>shorewall show connections - displays the IP connections
   currently     being     tracked by the firewall.</li>
-                 <li>shorewall                                          show 
+                  <li>shorewall                                         
-                                                         tc     - displays 
+show                                                           tc     - displays
  information      about the traffic control/shaping configuration.</li>
-                 <li>shorewall monitor [ delay ] - Continuously display the 
+                  <li>shorewall monitor [ delay ] - Continuously display
- firewall               status, last 20 log entries and nat. When the log 
+the   firewall               status, last 20 log entries and nat. When the
-entry display                changes, an audible alarm is sounded.</li>
+log  entry display                changes, an audible alarm is sounded.</li>
                  <li>shorewall hits - Produces several reports about the 
 Shorewall     packet  log          messages in the current /var/log/messages 
 file.</li>
                  <li>shorewall version -  Displays the installed     version
  number.</li>
-    <li>shorewall check -  Performs a <u>cursory</u> validation     of  the 
+     <li>shorewall check -  Performs a <u>cursory</u> validation     of 
- zones, interfaces, hosts, rules and policy files.<br>
+the   zones, interfaces, hosts, rules and policy files.<br>
       <br>
       <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
 and does not parse and     validate   the   generated iptables commands. 
@ -121,24 +121,26 @@ Even though the "check" command     completes   successfully, the configuration
 may fail to start. Problem reports that complain about errors that the 'check'
 command does not detect will not be accepted.<br>
       <br>
-  See the     recommended   way to make configuration changes described below.</b></font><br>
+   See the     recommended   way to make configuration changes described
 below.</b></font><br>
      <br>
     </li>
                  <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
     ]  -  Restart shorewall using the     specified configuration and if 
-an   error   occurs or if the<i> timeout </i>    option is given and the
+an   error   occurs or if the<i> timeout </i>    option is given and the new
-new configuration     has been up for that many seconds     then shorewall
+configuration     has been up for that many seconds     then shorewall is
-is restarted using   the  standard configuration.</li>
+restarted using   the  standard configuration.</li>
-                 <li>shorewall deny, shorewall reject, shorewall accept and 
+                  <li>shorewall deny, shorewall reject, shorewall accept
- shorewall      save     implement <a href="blacklisting_support.htm">dynamic 
+and   shorewall      save     implement <a
- blacklisting</a>.</li>
+ href="blacklisting_support.htm">dynamic   blacklisting</a>.</li>
                  <li>shorewall logwatch (added in version 1.3.2) - Monitors
- the          <a href="#Conf">LOGFILE </a>and produces an audible alarm when 
+  the          <a href="#Conf">LOGFILE </a>and produces an audible alarm
- new   Shorewall       messages are logged.</li>
+when   new   Shorewall       messages are logged.</li>
 </ul>
 Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands 
 for dealing with IP addresses and IP address ranges:<br>
 <ul>
   <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays 
 the network address, broadcast address, network in CIDR notation and netmask 
@ -147,13 +149,15 @@ corresponding to the input[s].</li>
 range of IP addresses into the equivalent list of network/host addresses. 
    <br>
   </li>
 </ul>
 Finally, the "shorewall" program may be used to dynamically alter  the 
 contents  of a zone.<br>
 <ul>
              <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
- Adds   the  specified interface (and host if included) to the specified zone.</li>
+  Adds   the  specified interface (and host if included) to the specified
 zone.</li>
              <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone 
    </i>-   Deletes   the specified interface (and host if included) from 
 the specified   zone.</li>
@ -183,8 +187,8 @@ from zone vpn1<br>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
        is going to use a file in /etc/shorewall it will first look in the
 <i>configuration-directory</i>        . If the file is present in the <i>configuration-directory</i>,
-that   file    will be used; otherwise, the file in /etc/shorewall will be 
+ that   file    will be used; otherwise, the file in /etc/shorewall will
-used.</p>
+be  used.</p>
 <p>  When changing the configuration of a production firewall, I recommend
       the   following:</p>
@ -202,8 +206,9 @@ from  /etc/shorewall     to . and change them here&gt;</li>
 </ul>
 <p>  If the configuration starts but doesn't work, just "shorewall restart"
-      to   restore the old configuration. If the new configuration fails to
+       to   restore the old configuration. If the new configuration fails
-  start,    the   "try" command will automatically start the old one for you.</p>
+to   start,    the   "try" command will automatically start the old one for
 you.</p>
 <p>  When the new configuration works then just </p>
@ -225,8 +230,8 @@ from  /etc/shorewall     to . and change them here&gt;</li>
 <p>    <br>
          </p>
           You will note that the commands that result in state transitions
-use   the  word "firewall" rather than "shorewall". That is because the actual 
+ use   the  word "firewall" rather than "shorewall". That is because the
- transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall 
+actual   transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
  on  Debian); /sbin/shorewall runs 'firewall" according to the following 
 table:<br>
         <br>
@ -290,5 +295,6 @@ table:<br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -12,15 +12,17 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                                                                       <tbody>
                                                                        <tr>
-                                                                        <td
+                                                                        
- width="100%">                                                          
+      <td width="100%">                                                 
      <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                                                          </font></h1>
      </td>
                                                                       </tr>
@ -105,23 +107,23 @@ locate   documents   and  posts    about         similar   problems:
                         </h2>
 <ul>
-                                            <li>Please remember we only know
+                                             <li>Please remember we only
-  what   is  posted    in  your   message.      Do  not  leave out any information 
+know   what   is  posted    in  your   message.      Do  not  leave out any
-    that  appears   to be  correct,    or was   mentioned    in  a previous 
+information      that  appears   to be  correct,    or was   mentioned  
-  post.  There  have  been countless   posts   by people   who were   sure 
+ in  a previous    post.  There  have  been countless   posts   by people
-  that some  part  of their     configuration  was correct  when  it actually 
+  who were   sure    that some  part  of their     configuration  was correct
-    contained   a  small error.     We tend to be  skeptics where  detail 
+ when  it actually      contained   a  small error.     We tend to be  skeptics
-  is lacking.<br>
+where  detail    is lacking.<br>
                                               <br>
                                             </li>
                                             <li>Please keep in mind that 
 you're    asking    for       <strong>free</strong>            technical 
 support.   Any help  we  offer   is an act of generosity, not    an   obligation.
    Try  to make   it easy  for us to help you. Follow good,    courteous
- practices    in  writing and formatting your e-mail. Provide   details that
+  practices    in  writing and formatting your e-mail. Provide   details
-   we need if  you  expect good  answers. <em>Exact quoting     </em>  of
+that    we need if  you  expect good  answers. <em>Exact quoting     </em>
-error messages,  log  entries,  command output, and other output  is better
+ of error messages,  log  entries,  command output, and other output  is
-  than a paraphrase   or  summary.<br>
+better   than a paraphrase   or  summary.<br>
                                               <br>
                                             </li>
                                             <li>                       
@ -142,8 +144,8 @@ ask    us   to  send   you             custom     configuration   files.
                                               <li>the exact version of Shorewall 
    you   are   running.<br>
                                                 <br>
-                                                <b><font color="#009900">shorewall
+                                                 <b><font
-     version</font><br>
+ color="#009900">shorewall      version</font><br>
                                            </b>    <br>
                                               </li>
@ -186,8 +188,8 @@ ask    us   to  send   you             custom     configuration   files.
  <ul>
                     <li><big><font color="#ff0000"><u><i><big><b>THIS IS 
-IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem
+IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem is
-is that some type of connection to/from or through your firewall isn't working
+that some type of connection to/from or through your firewall isn't working 
 then please perform the following four steps:</big></big></big><br>
        <br>
  1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
@ -216,12 +218,12 @@ then please perform the following four steps:</big></big></big><br>
  </ul>
-      <li>As    a  general    matter,   please <strong>do not edit the  diagnostic
+       <li>As    a  general    matter,   please <strong>do not edit the 
-       information</strong>        in   an attempt to conceal your IP address, 
+diagnostic        information</strong>        in   an attempt to conceal
-   netmask,      nameserver    addresses,     domain name, etc. These aren't 
+your IP address,     netmask,      nameserver    addresses,     domain name,
-   secrets,  and concealing   them often   misleads  us (and 80% of the time, 
+etc. These aren't     secrets,  and concealing   them often   misleads  us
-   a hacker  could derive them       anyway   from information  contained 
+(and 80% of the time,     a hacker  could derive them       anyway   from
-in   the SMTP headers  of your post).<br>
+information  contained  in   the SMTP headers  of your post).<br>
                              <br>
                              <strong></strong></li>
                            <li>Do you see  any   "Shorewall"      messages 
@ -239,16 +241,17 @@ your /etc/shorewall/interfaces               file.<br>
  one also knows the policies).<br>
                              <br>
                            </li>
-                           <li>If an error occurs    when   you   try   to
+                            <li>If an error occurs    when   you   try  
- "<font color="#009900"><b>shorewall  start</b></font>",        include 
+to  "<font color="#009900"><b>shorewall  start</b></font>",        include
    a  trace       (See the <a
 href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>    
  section  for    instructions).<br>
                              <br>
                            </li>
-                           <li><b>The list server limits posts to 120kb so
+                            <li><b>The list server limits posts to 120kb
- don't     post    GIFs     of               your             network layout,
+so  don't     post    GIFs     of               your             network
- etc.   to the Mailing   List    --   your      post      will  be rejected.</b></li>
+layout,  etc.   to the Mailing   List    --   your      post      will  be
 rejected.</b></li>
 </ul>
@ -260,25 +263,25 @@ your /etc/shorewall/interfaces               file.<br>
 <h2>When using the mailing list, please post in plain text</h2>
-<blockquote>      A growing  number of MTAs serving list subscribers are rejecting
+<blockquote>      A growing  number of MTAs serving list subscribers are
-  all    HTML  traffic.  At least one MTA has gone so far as to blacklist
+rejecting   all    HTML  traffic.  At least one MTA has gone so far as to
-  shorewall.net      "for  continuous abuse" because it has been my policy
+blacklist   shorewall.net      "for  continuous abuse" because it has been
-  to  allow HTML in  list    posts!!<br>
+my policy   to  allow HTML in  list    posts!!<br>
                       <br>
                                                I think that blocking all 
-HTML   is  a  Draconian      way   to  control     spam    and  that the
+HTML   is  a  Draconian      way   to  control     spam    and  that the ultimate
-ultimate   losers   here are not    the spammers    but the   list  subscribers
+  losers   here are not    the spammers    but the   list  subscribers  
   whose MTAs   are bouncing    all shorewall.net    mail. As   one list
  subscriber    wrote    to me privately      "These e-mail admin's   need
- to get a <i>(expletive      deleted)</i>  life     instead of trying to rid
+  to get a <i>(expletive      deleted)</i>  life     instead of trying to
-  the planet of HTML based   e-mail".   Nevertheless,       to allow subscribers
+rid   the planet of HTML based   e-mail".   Nevertheless,       to allow
- to  receive list posts   as must as possible,   I  have   now   configured
+subscribers  to  receive list posts   as must as possible,   I  have   now
-the  list  server at shorewall.net   to strip all HTML    from  outgoing
+  configured the  list  server at shorewall.net   to strip all HTML    from
- posts.<br>
+ outgoing  posts.<br>
      <br>
      <big><font color="#cc0000"><b>If you run your own outgoing mail server
- and it doesn't have a valid DNS PTR record, your email won't reach the lists
+  and it doesn't have a valid DNS PTR record, your email won't reach the
-  unless/until the postmaster notices that your posts are being rejected.
+lists   unless/until the postmaster notices that your posts are being rejected. 
 To  avoid this problem, you should configure your MTA to forward posts to 
 shorewall.net  through an MTA that <u>does</u> have a valid PTR record (such 
 as the one at your ISP). </b></font></big><br>
@ -318,5 +321,6 @@ as the one at your ISP). </b></font></big><br>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -16,10 +16,11 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber5" bgcolor="#400169" height="90">
+ id="AutoNumber5" bgcolor="#3366ff" height="90">
                      <tbody>
                       <tr>
                        <td width="100%">                               
      <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
                        </td>
                      </tr>
@ -56,16 +57,16 @@ Relay,    dial-up,     ...</li>
 <p>Shorewall requires that you have the iproute/iproute2 package installed 
         (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can 
  tell     if  this  package is installed by the presence of an <b>ip</b> 
-program    on   your  firewall  system. As root, you can use the 'which'
+program    on   your  firewall  system. As root, you can use the 'which' command
-command to   check   for this  program:</p>
+to   check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the guide    to familiarize yourself 
-         with what's involved then go back through it again  making your
+         with what's involved then go back through it again  making your configuration
-configuration          changes. Points at which configuration changes are
+         changes. Points at which configuration changes are  recommended
- recommended are    flagged      with <img border="0"
+are    flagged      with <img border="0" src="images/BD21298_.gif"
- src="images/BD21298_.gif" width="13" height="13">
+ width="13" height="13">
       . Configuration notes that are unique to LEAF/Bering are marked with <img
 src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
                    </p>
@ -75,16 +76,16 @@ configuration          changes. Points at which configuration changes are
 system,     you   must   save them as  Unix files if your editor supports 
 that option     or you   must  run them through  dos2unix before trying to 
 use them. Similarly,     if   you copy  a configuration file  from your Windows 
-hard drive to a  floppy    disk, you must run dos2unix against the  copy
+hard drive to a  floppy    disk, you must run dos2unix against the  copy before
-before using it with  Shorewall.</p>
+using it with  Shorewall.</p>
 <ul>
                      <li><a
 href="http://www.simtel.net/pub/pd/51438.html">Windows     Version     of
    dos2unix</a></li>
                      <li><a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version of
-of    dos2unix</a></li>
+   dos2unix</a></li>
 </ul>
@ -94,8 +95,8 @@ of    dos2unix</a></li>
 alt="">
               The configuration files for Shorewall are contained in the 
 directory       /etc/shorewall -- for simple setups, you will only need to 
-deal with  a  few  of  these as described in this guide.  After you have
+deal with  a  few  of  these as described in this guide.  After you have <a
-<a href="Install.htm">installed Shorewall</a>,  <b>download the <a
+ href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface 
       sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy 
    the    files to /etc/shorewall  (the files will replace files with the 
@ -152,8 +153,8 @@ in  the        <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<
 <p>For each connection request entering the firewall, the request is first 
         checked against the  /etc/shorewall/rules file. If no rule in that 
  file     matches  the connection  request then the first policy in /etc/shorewall/policy 
-       that  matches the    request is applied. If that policy is REJECT
+       that  matches the    request is applied. If that policy is REJECT or
-or   DROP      the request is first  checked against the rules in /etc/shorewall/common
+  DROP      the request is first  checked against the rules in /etc/shorewall/common 
      (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample 
@ -228,10 +229,11 @@ or   DROP
 <ol>
                      <li>allow all connection requests from your local network 
   to  the   internet</li>
-                     <li>drop (ignore) all connection requests from the internet
+                      <li>drop (ignore) all connection requests from the
-    to  your   firewall     or local network</li>
+internet     to  your   firewall     or local network</li>
-                     <li>optionally accept all connection requests from the 
+                      <li>optionally accept all connection requests from
- firewall     to  the     internet (if you uncomment the additional policy)</li>
+the   firewall     to  the     internet (if you uncomment the additional
 policy)</li>
                      <li>reject all other connection requests.</li>
 </ol>
@ -248,8 +250,8 @@ or   DROP
 <p align="left">The firewall has three network interfaces. Where Internet 
          connectivity is through a cable or DSL "Modem", the <i>External 
-Interface</i>          will be the ethernet adapter that is connected to
+Interface</i>          will be the ethernet adapter that is connected to that
-that "Modem" (e.g.,      <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
+"Modem" (e.g.,      <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
      <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
      <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External 
     Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect 
@ -265,13 +267,13 @@ that "Modem" (e.g.,      <b>eth0</b>)
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
          eth1 or eth2) and will be connected to a hub or switch. Your local 
   computers       will be connected to the same switch (note: If you have 
- only  a single   local   system,  you can connect the firewall directly
+ only  a single   local   system,  you can connect the firewall directly to
-to  the computer using   a <i>cross-over   </i> cable).</p>
+ the computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
-         (eth0,  eth1 or eth2) and will be connected to a hub or switch.
+         (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your
-Your     DMZ    computers will  be connected to the same switch (note: If
+    DMZ    computers will  be connected to the same switch (note: If you
-you have     only  a  single DMZ system,  you can connect the firewall directly
+have     only  a  single DMZ system,  you can connect the firewall directly 
 to the    computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
@ -307,18 +309,18 @@ list   of options that are    specified for the interfaces. Some hints:</p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet 
-          Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
+          Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
-you    a  single    <i> Public</i> IP address. This address may be assigned
+   a  single    <i> Public</i> IP address. This address may be assigned via
-via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part
+  the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
-of  establishing  your  connection   when you dial in (standard modem) or
+ establishing  your  connection   when you dial in (standard modem) or establish
-establish  your PPP  connection.  In rare   cases, your ISP may assign you
+ your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
-a<i> static</i>  IP address; that  means that  you  configure your firewall's
+ IP address; that  means that  you  configure your firewall's external interface
-external interface     to use that  address permanently.<i>  </i>Regardless
+    to use that  address permanently.<i>  </i>Regardless of how the address
-of how the address   is  assigned, it  will be shared by all of your  systems
+  is  assigned, it  will be shared by all of your  systems when you access
-when you access  the Internet. You will have to assign your  own addresses
+ the Internet. You will have to assign your  own addresses  for your internal
- for your internal  network (the local and DMZ Interfaces on  your firewall
+ network (the local and DMZ Interfaces on  your firewall plus your other
-plus your other computers).  RFC 1918 reserves several <i>Private  </i>IP
+computers).  RFC 1918 reserves several <i>Private  </i>IP address ranges
-address ranges for this  purpose:</p>
+for this  purpose:</p>
 <div align="left">     
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -328,16 +330,16 @@ address ranges for this  purpose:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                          Before starting Shorewall, you should look at the 
- IP  address     of  your  external    interface and if it is one of the
+ IP  address     of  your  external    interface and if it is one of the above
-above   ranges, you    should  remove  the    'norfc1918' option from the
+  ranges, you    should  remove  the    'norfc1918' option from the external
-external   interface's   entry  in    /etc/shorewall/interfaces.</p>
+  interface's   entry  in    /etc/shorewall/interfaces.</p>
                   </div>
 <div align="left">     
 <p align="left">You will want to assign your local addresses from one <i> 
           sub-network </i>or <i>subnet</i> and your DMZ addresses from another 
-      subnet.  For our purposes, we can consider a subnet    to consists
+      subnet.  For our purposes, we can consider a subnet    to consists of
-of   a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have
+  a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have 
 a  <i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved
  as    the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet 
  Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using <a
@ -394,19 +396,19 @@ from    the left of the subnet  mask. </p>
 <div align="left">     
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-                      Your local  computers    (Local Computers 1 &amp; 2)
+                       Your local  computers    (Local Computers 1 &amp;
- should    be  configured    with their<i>    default gateway</i> set to
+2)  should    be  configured    with their<i>    default gateway</i> set
-the  IP address     of the firewall's    internal interface    and your DMZ
+to the  IP address     of the firewall's    internal interface    and your
-computers  ( DMZ   Computers   1 &amp; 2)  should  be configured with their
+DMZ computers  ( DMZ   Computers   1 &amp; 2)  should  be configured with
-   default  gateway   set to the   IP address  of the firewall's DMZ interface.  
+their    default  gateway   set to the   IP address  of the firewall's DMZ
-</p>
+interface.   </p>
                   </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
          regarding subnetting and routing. If you are interested in learning 
-    more     about  IP addressing and routing, I highly recommend <i>"IP
+    more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
-Fundamentals:          What Everyone  Needs to Know about Addressing &amp;
+         What Everyone  Needs to Know about Addressing &amp; Routing",</i>
-Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+ Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured 
          your network as shown here:</p>
@ -431,24 +433,24 @@ then you will need  to select a different RFC 1918 subnet for your DMZ.</b><br>
 <p align="left">IP Masquerading (SNAT)</p>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
-         to as <i>non-routable</i> because the Internet backbone routers
+         to as <i>non-routable</i> because the Internet backbone routers don't
-don't      forward    packets  which have an RFC-1918 destination address.
+     forward    packets  which have an RFC-1918 destination address. When
-When one    of your local    systems  (let's assume local computer 1) sends
+one    of your local    systems  (let's assume local computer 1) sends a
-a connection     request to an   internet host, the  firewall must perform
+connection     request to an   internet host, the  firewall must perform <i>Network
-<i>Network Address     Translation   </i>(NAT). The firewall  rewrites the
+Address     Translation   </i>(NAT). The firewall  rewrites the source address
-source address in the    packet to be  the address of the firewall's  external
+in the    packet to be  the address of the firewall's  external interface;
-interface; in other    words, the firewall   makes it look as if the firewall
+in other    words, the firewall   makes it look as if the firewall  itself
- itself is initiating    the connection.  This  is necessary so that the
+is initiating    the connection.  This  is necessary so that the  destination
- destination host will be   able to route return packets   back to the firewall
+host will be   able to route return packets   back to the firewall  (remember
- (remember that packets   whose destination address is   reserved by RFC
+that packets   whose destination address is   reserved by RFC 1918 can't
-1918 can't  be routed accross   the internet). When the firewall   receives
+ be routed accross   the internet). When the firewall   receives a return
-a return packet, it  rewrites   the destination address back to 10.10.10.1
+packet, it  rewrites   the destination address back to 10.10.10.1   and forwards
-  and forwards the packet on  to local computer 1. </p>
+the packet on  to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
+ IP Masquerading</i> and you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
                      <li>                          
@ -500,13 +502,13 @@ the  third    column    in the /etc/shorewall/masq entry  if you like although
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your 
-         DMZ computers. Because these computers have RFC-1918 addresses,
+         DMZ computers. Because these computers have RFC-1918 addresses, it
-it   is   not     possible for clients on the internet to connect directly
+  is   not     possible for clients on the internet to connect directly to
-to  them.   It is   rather  necessary for those clients to address their
+ them.   It is   rather  necessary for those clients to address their connection
-connection    requests    to your firewall  who rewrites the destination
+   requests    to your firewall  who rewrites the destination address to
-address to the    address of   your server and forwards  the packet to that
+the    address of   your server and forwards  the packet to that server.
-server. When your   server responds,     the firewall automatically  performs
+When your   server responds,     the firewall automatically  performs SNAT
-SNAT to rewrite   the source address   in  the response.</p>
+to rewrite   the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
         Destination Network Address Translation</i> (DNAT). You configure
@ -543,8 +545,8 @@ SNAT to rewrite   the source address   in  the response.</p>
  </table>
                    </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
-be the same  as <i>&lt;port&gt;</i>.</p>
+the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming 
          TCP port 80 to that system:</p>
@ -701,35 +703,35 @@ is your         external IP).</li>
 address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
-                      At this point, add the DNAT and  ACCEPT rules for your
+                       At this point, add the DNAT and  ACCEPT rules for
-  servers.     </p>
+your   servers.     </p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
-         an IP  address your firewall's <i>Domain Name Service </i>(DNS)
+         an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
-resolver         will be  automatically configured (e.g., the /etc/resolv.conf
+        will be  automatically configured (e.g., the /etc/resolv.conf file
-file  will     be  written).  Alternatively, your ISP may have given you
+ will     be  written).  Alternatively, your ISP may have given you the IP
-the IP  address    of a  pair of DNS <i> name servers</i> for you to manually
+ address    of a  pair of DNS <i> name servers</i> for you to manually configure
-configure  as  your    primary  and secondary  name servers. It is <u>your</u>
+ as  your    primary  and secondary  name servers. It is <u>your</u> responsibility
-responsibility     to   configure  the resolver in your  internal systems.
+    to   configure  the resolver in your  internal systems. You can take
-You can take one    of two   approaches:</p>
+one    of two   approaches:</p>
 <ul>
                      <li>                          
    <p align="left">You can configure your internal systems to use your ISP's 
         name    servers. If you ISP gave you the addresses of their servers 
-   or   if   those    addresses are available on their web site, you can
+   or   if   those    addresses are available on their web site, you can configure
-configure       your   internal    systems to use those addresses. If that
+      your   internal    systems to use those addresses. If that information
-information    isn't   available,   look in    /etc/resolv.conf on your firewall
+   isn't   available,   look in    /etc/resolv.conf on your firewall system
-system   -- the name  servers are  given in    "nameserver" records in that
+  -- the name  servers are  given in    "nameserver" records in that file.
-file.    </p>
+   </p>
                     </li>
                     <li>                          
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-                      You can configure a<i> Caching Name Server </i>on your
+                       You can configure a<i> Caching Name Server </i>on
-     firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching
+your      firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching 
 name  server (which     also     requires the 'bind' RPM) and for Bering 
 users,  there is dnscache.lrp.     If you    take this approach, you configure 
 your  internal systems to use    the caching    name server as their primary 
@ -1149,8 +1151,8 @@ other   connections      as required.</p>
                     The <a href="Install.htm">installation procedure </a>
   configures       your system to start Shorewall at system boot  but beginning
  with Shorewall      version 1.3.9 startup is disabled so that your system
- won't try to start     Shorewall before configuration is complete. Once you
+  won't try to start     Shorewall before configuration is complete. Once
- have completed configuration     of your firewall, you can enable Shorewall 
+you  have completed configuration     of your firewall, you can enable Shorewall
  startup by removing the file   /etc/shorewall/startup_disabled.<br>
                   </p>
@ -1166,25 +1168,25 @@ other   connections      as required.</p>
    routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
            running firewall may be restarted using the "shorewall restart" 
-  command.       If    you want to totally remove any trace of Shorewall
+  command.       If    you want to totally remove any trace of Shorewall from
-from   your Netfilter          configuration, use "shorewall clear".</p>
+  your Netfilter          configuration, use "shorewall clear".</p>
                   </div>
 <div align="left">     
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                       The three-interface sample assumes that you want to
-enable       routing    to/from <b>eth1 (</b>your local network) and<b> eth2 
+ enable       routing    to/from <b>eth1 (</b>your local network) and<b>
-</b>(DMZ)     when Shorewall    is stopped.    If these two interfaces don't 
+eth2  </b>(DMZ)     when Shorewall    is stopped.    If these two interfaces
-connect  to   your local network    and DMZ or if you    want to enable a 
+don't  connect  to   your local network    and DMZ or if you    want to enable
-different  set   of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
+a  different  set   of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
                   </div>
 <div align="left">     
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
-         the    internet, do not issue a "shorewall stop" command unless
+         the    internet, do not issue a "shorewall stop" command unless you
-you    have     added an    entry for the IP address that you are connected
+   have     added an    entry for the IP address that you are connected from
-from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+   to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
       Also, I don't recommend using "shorewall restart"; it is better to 
 create         an   <i><a href="configuration_file_basics.htm#Configs">alternate 
 configuration</a></i>        and    test it using the <a
@ -1197,5 +1199,6 @@ create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
   Thomas      M. Eastep</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface_fr.html
+++ b/Shorewall-docs/three-interface_fr.html
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber5" bgcolor="#400169" height="90">
+ id="AutoNumber5" bgcolor="#3366ff" height="90">
       <tbody>
         <tr>
           <td width="100%">                            
@ -42,21 +42,21 @@ ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
 Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
 <p align="left"><br>
-    Mettre en place un système linux en tant que firewall pour un petit réseau 
+     Mettre en place un système linux en tant que firewall pour un petit
- contenant une DMZ est une chose assez simple à réaliser si vous comprenez 
+réseau   contenant une DMZ est une chose assez simple à réaliser si vous
- les bases et suivez cette documentation.</p>
+comprenez   les bases et suivez cette documentation.</p>
 <p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
- de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans 
+  de Shorewall. Il se focalise sur les besoins pour configurer Shorewall
- une de ses utilisations les plus populaire :</p>
+dans   une de ses utilisations les plus populaire :</p>
 <ul>
-      <li>Un système Linux utilisé en tant que firewall/routeur pour un petit 
+       <li>Un système Linux utilisé en tant que firewall/routeur pour un
- réseau local.</li>
+petit   réseau local.</li>
       <li>Une seule adresse IP publique.</li>
       <li>Une DMZ connectée sur une interface Ethernet séparée.</li>
-      <li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay, 
+       <li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame
- RTC,     ...</li>
+Relay,   RTC,     ...</li>
 </ul>
@ -66,17 +66,17 @@ Tom EASTEP pour son formidable outil et sa disponibilit
 height="635">
     </p>
-<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
+<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
-pouvez voir si le paquet est installé en vérifiant la présence du programme 
+Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
  ip sur votre système de firewall. Sous root, utilisez la commande 'which'
  pour rechercher le programme :</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
- vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
+  vous familiariser avec ce qu'il va se passer, et de revenir au début en
- le changements dans votre configuration. Les points où, les changements dans
+effectuant  le changements dans votre configuration. Les points où, les changements
- la configuration sont recommandées, sont signalés par une <img
+dans  la configuration sont recommandées, sont signalés par une <img
 border="0" src="images/BD21298_.gif" width="13" height="13">
     </p>
@ -144,8 +144,8 @@ Shorewall)</b>.</p>
 <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
-<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
+<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
-par défaut,    le firewall lui même est connu en tant que <b>fw</b>.</p>
+- par défaut,    le firewall lui même est connu en tant que <b>fw</b>.</p>
 <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
  en utilisant les termes de zones.</p>
@ -154,18 +154,18 @@ par d
       <li>Vous exprimez les politiques par défaut pour les connexions d'une 
 zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
      </a>.</li>
-      <li>Vous définissez les exceptions à ces règles de politiques par défaut 
+       <li>Vous définissez les exceptions à ces règles de politiques par
- dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+défaut   dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ul>
 <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
  demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
  Si aucune des règles dans ce fichier ne correspondent, alors la première
-politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette 
+ politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
-politique est REJECT ou DROP la requête est alors comparée par rapport aux 
+cette  politique est REJECT ou DROP la requête est alors comparée par rapport
-règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit 
+aux  règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
-ce fichier).</p>
+fournit  ce fichier).</p>
 <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
  sample a les politiques suivantes :</p>
@ -268,10 +268,10 @@ l'Internet</li>
 (non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
  sur lequel est connecté le routeur (e.g., eth0)  à moins que vous ne vous
  connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
- Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de 
+  Protocol (PPTP), dans ce cas l'interface extérieure sera une interface
- type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), 
+de   type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
-votre interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
+ votre interface extérieure sera aussi ppp0. Si votre connexion passe par
-(ISDN), votre interface extérieure sera ippp0<b>.</b></p>
+Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -279,31 +279,31 @@ votre interface ext
  CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
- (eth0,       eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs 
+  (eth0,       eth1 ou eth2) et sera connecté à un hub ou un switch. Vos
- locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul 
+ordinateurs   locaux seront connectés à ce même switch (note : si vous n'avez
- ordinateur en local, vous pouvez le connecter directement au firewall par 
+qu'un seul   ordinateur en local, vous pouvez le connecter directement au
- un <i>câble croisé</i>).</p>
+firewall par   un <i>câble croisé</i>).</p>
 <p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
  (eth0,  eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
- appartenant à la DMZ seront connectés à ce même switch (note : si  vous n'avez
+  appartenant à la DMZ seront connectés à ce même switch (note : si  vous
- qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au
+n'avez  qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
- firewall par un <i>câble croisé</i>).</p>
+au  firewall par un <i>câble croisé</i>).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-   </b></u> Ne connectez pas l'interface interne et externe sur le même hub 
+    </b></u> Ne connectez pas l'interface interne et externe sur le même
- ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que
+hub   ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez
- ce soit shorewall qui ne marche pas.</p>
+pas que  ce soit shorewall qui ne marche pas.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
     L'exemple de configuration de Shorewall pour trois interfaces suppose
-que  l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b>
+ que  l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
-et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
+</b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
- vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
+diffère,  vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
- Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
+en conséquence.  Tant que vous y êtes, vous pourriez parcourir la liste des
- spécifiées pour les interfaces. Quelques trucs :</p>
+options qui sont  spécifiées pour les interfaces. Quelques trucs :</p>
 <ul>
       <li>                    
@ -311,9 +311,9 @@ et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diff
  remplacer le "detect" dans la seconde colonne par un "-". </p>
       </li>
       <li>                    
-    <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
+    <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
-vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
+si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
-d'option. </p>
+liste d'option. </p>
       </li>
 </ul>
@ -324,15 +324,16 @@ d'option. </p>
  sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
  Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
  Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
- (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez 
+  (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous
- (modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
+connectez   (modem standard) ou établissez votre connexion PPP. Dans de rares
- provider peu vous assigner une adresse statique (staticIP address); cela
+cas , votre  provider peu vous assigner une adresse statique (staticIP address);
-signifie que vous configurez votre interface externe sur votre firewall afin
+cela signifie que vous configurez votre interface externe sur votre firewall
-d'utiliser cette adresse de manière permanente. Une fois votre adresse externe
+afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
-assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet.
+externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
-Vous devrez assigner vos propres adresses à votre réseau local (votre interface
+à Internet. Vous devrez assigner vos propres adresses à votre réseau local
- interne sur le firewall  ainsi que les autres ordinateurs). La RFC 1918
+(votre interface  interne sur le firewall  ainsi que les autres ordinateurs).
-réserve  plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
+La RFC 1918 réserve  plusieurs plages d'IP (Private IP address ranges) à
 cette fin :</p>
 <div align="left">    
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -341,9 +342,9 @@ r
 <div align="left">    
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-    Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface 
+     Avant de lancer Shorewall, vous devriez regarder l'adresse de votre
- externe et si elle est comprise dans une des plages précédentes, vous devriez 
+interface   externe et si elle est comprise dans une des plages précédentes,
- enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
+vous devriez   enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
     </div>
 <div align="left">    
@ -351,14 +352,15 @@ r
  (<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
  sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
  en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
- une masque (<i>Subnet   Mask)</i> de 255.255.255.0.  L'adresse x.y.z.0 est 
+  une masque (<i>Subnet   Mask)</i> de 255.255.255.0.  L'adresse x.y.z.0
- réservée comme l'adresse du sous-réseau (<i>Subnet     Address)</i> et x.y.z.255 
+est   réservée comme l'adresse du sous-réseau (<i>Subnet     Address)</i>
-  est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i>
+et x.y.z.255    est réservée en tant qu'adresse de broadcast du sous-réseau
- <i>Address)</i>. Sous Shorewall,  un sous-réseau est décrit/désigné en utilisant
+(<i>Subnet Broadcast</i>  <i>Address)</i>. Sous Shorewall,  un sous-réseau
- la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain
+est décrit/désigné en utilisant  la notation <a
- Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par
+ href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain  Routing</i>(CIDR)</a>
- "/24". Le "24"  se réfère au nombre de bits "1" consécutifs dans la partie
+qui consiste en l'adresse du sous-réseau suivie par  "/24". Le "24"  se réfère
- gauche du masque de sous-réseau. </p>
+au nombre de bits "1" consécutifs dans la partie  gauche du masque de sous-réseau.
 </p>
     </div>
 <div align="left">    
@ -393,17 +395,17 @@ r
     </div>
 <div align="left">    
-<p align="left">Il est de convention d'assigner à l'interface interne la première
+<p align="left">Il est de convention d'assigner à l'interface interne la
-adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
+première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
-     ou la dernière utilisable (10.10.10.254).</p>
+précédent)      ou la dernière utilisable (10.10.10.254).</p>
     </div>
 <div align="left">    
 <p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
- ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils
+  ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
- peuvent communiquer directement. Pour communiquer avec des systèmes en dehors
+ils  peuvent communiquer directement. Pour communiquer avec des systèmes
- du sous-réseau, les ordinateurs envoient des paquets à travers le gateway
+en dehors  du sous-réseau, les ordinateurs envoient des paquets à travers
- (routeur).</p>
+le gateway  (routeur).</p>
     </div>
 <div align="left">    
@ -417,8 +419,8 @@ pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
     </div>
 <p align="left">Cette courte description ne fait que survoler les concepts
- de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage
+  de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
- IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:   
+l'adressage  IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
   What  Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
     A.  Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
@ -430,8 +432,8 @@ What  Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
     </p>
 <p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
- de la DMZ sera 10.10.11.254       et le passerelle par défaut pour les ordinateurs 
+  de la DMZ sera 10.10.11.254       et le passerelle par défaut pour les
- en local sera 10.10.10.254.</p>
+ordinateurs   en local sera 10.10.10.254.</p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
@ -451,9 +453,10 @@ rout
  l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
  1. </p>
-<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
+<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
-Masquerading mais vous verrez aussi le terme de Source Network Address Translation
+l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
-(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
+Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
 :</p>
 <ul>
       <li>                    
@ -481,9 +484,9 @@ Masquerading mais vous verrez aussi le terme de Source Network Address Translati
 height="13">
     Si votre IP externe est statique, vous pouvez la mettre dans la troisième
  colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
- firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de 
+  firewall fonctionnera bien si vous laissez cette colonne vide. Le fait
- mettre votre IP statique dans la troisième colonne permet un traitement des
+de   mettre votre IP statique dans la troisième colonne permet un traitement
- paquets sortant un peu plus efficace.<br>
+des  paquets sortant un peu plus efficace.<br>
     </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -506,10 +509,10 @@ Masquerading mais vous verrez aussi le terme de Source Network Address Translati
  serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
  RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
  directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
- de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
+  de connexion au firewall qui ré écrit l'adresse de destination de votre
- et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
+serveur,  et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
- applique automatiquement un SNAT pour ré écrire l'adresse source dans la
+le firewall  applique automatiquement un SNAT pour ré écrire l'adresse source
-réponse.</p>
+dans la réponse.</p>
 <p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
  Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -594,12 +597,12 @@ port&gt;</i>]</td>
 <p>Deux points importants à garder en mémoire :</p>
 <ul>
-      <li>Lorsque vous vous connectez à votre serveur à partir de votre réseau 
+       <li>Lorsque vous vous connectez à votre serveur à partir de votre
- local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
+réseau   local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
       <li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
- de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous 
+  de connexion entrantes sur le port 80. Si vous avez des problèmes pour
- connecter à votre serveur web, essayez la règle suivante et connectez vous 
+vous   connecter à votre serveur web, essayez la règle suivante et connectez
- sur le port 5000 (c.a.d., connectez vous à <a
+vous   sur le port 5000 (c.a.d., connectez vous à <a
 href="http://w.x.y.z:5000">  http://w.x.y.z:5000</a> où w.x.y.z est votre
 IP externe).</li>
@ -634,10 +637,10 @@ IP externe).</li>
  </table>
     </blockquote>
-<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
+<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
-le réseau local en utilisant votre adresse externe, et si vous avez une adresse
+depuis le réseau local en utilisant votre adresse externe, et si vous avez
-IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
+une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
-par :</p>
+précédente par :</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -667,9 +670,9 @@ par :</p>
     </blockquote>
 <p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
- interface externe est en route avant de lancer Shorewall et vous devez suivre 
+  interface externe est en route avant de lancer Shorewall et vous devez
- les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>) 
+suivre   les étapes suivantes (en supposant que votre interface externe est
- :</p>
+<b>eth0</b>)   :</p>
 <ol>
       <li>Insérez ce qui suit dans /etc/shorewall/params :<br>
@ -708,8 +711,8 @@ par :</p>
  </table>
     </blockquote>
-<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
+<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
-IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
+adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
     A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -718,38 +721,38 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p align="left">Normalement, quand vous vous connectez à votre fournisseur
  (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
-firewall (Domain Name Service) est configuré automatiquement (c.a.d., le fichier
+ firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
-/etc/resolv.conf a été écrit). Il arrive que votre provider vous donne une
+fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
-paire d'adresse IP pour les DNS (name servers) afin que vous configuriez manuellement
+donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
-votre serveur de nom primaire et secondaire. La manière dont le DNS est configuré
+manuellement votre serveur de nom primaire et secondaire. La manière dont
-sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
+le DNS est configuré sur votre firewall est de votre responsabilité. Vous
-de ses deux façons :</p>
+pouvez procéder d'une de ses deux façons :</p>
 <ul>
       <li>                    
    <p align="left">Vous pouvez configurer votre système interne pour utiliser
- les noms de serveurs de votre provider. Si votre fournisseur vous donne les
+  les noms de serveurs de votre provider. Si votre fournisseur vous donne
- adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site
+les  adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
- web, vous pouvez configurer votre système interne afin de les utiliser. Si
+site  web, vous pouvez configurer votre système interne afin de les utiliser.
- cette information n'est pas disponible, regardez dans /etc/resolv.conf sur
+Si  cette information n'est pas disponible, regardez dans /etc/resolv.conf
- votre firewall -- les noms des serveurs sont donnés dans l'enregistrement 
+sur  votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
  "nameserver" dans ce fichier. </p>
       </li>
       <li>                    
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-    Vous pouvez installer/configurer un cache dns (Caching Name Server) sur 
+     Vous pouvez installer/configurer un cache dns (Caching Name Server)
- votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache 
+sur   votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre
- un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs 
+en cache   un serveur de nom (le RPM requis aussi le RPM 'bind') et pour
- de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez 
+les utilisateurs   de Bering, il y a dnscache.lrp. Si vous adoptez cette
- votre système interne pour utiliser le firewall lui même comme étant le seul
+approche, vous configurez   votre système interne pour utiliser le firewall
- serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall
+lui même comme étant le seul  serveur de nom primaire. Vous pouvez utiliser
- (10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez
+l'adresse IP interne du firewall  (10.10.10.254 dans l'exemple) pour l'adresse
- de faire tourner le serveur de nom sur votre firewall. Pour permettre à
+de serveur de nom si vous décidez  de faire tourner le serveur de nom sur
-vos  systèmes locaux de discuter avec votre serveur cache de nom, vous devez
+votre firewall. Pour permettre à vos  systèmes locaux de discuter avec votre
-ouvrir  le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous
+serveur cache de nom, vous devez ouvrir  le port 53 (UDP ET  TCP) sur le
-ferez  ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. 
+firewall vers le réseau local; vous ferez  ceci en ajoutant les règles suivantes
-   </p>
+dans /etc/shorewall/rules.     </p>
       </li>
 </ul>
@ -1126,8 +1129,8 @@ firewall depuis Internet, utilisez SSH :</p>
 <div align="left">    
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-    Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions 
+     Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres
- désirées.</p>
+connexions   désirées.</p>
     </div>
 <div align="left">    
@ -1138,11 +1141,11 @@ firewall depuis Internet, utilisez SSH :</p>
 <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
 height="13" alt="Arrow">
     La <a href="Install.htm">procédure d'installation</a> configure votre
-système  pour lancer Shorewall au boot du système, mais au début avec la version
+ système  pour lancer Shorewall au boot du système, mais au début avec la
-1.3.9  de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
+version 1.3.9  de Shorewall le lancement est désactivé, n'essayer pas de
- avec que la configuration soit finie. Une fois que vous en avez fini avec
+lancer Shorewall  avec que la configuration soit finie. Une fois que vous
- la configuration du firewall, vous pouvez permettre le lancement de Shorewall
+en avez fini avec  la configuration du firewall, vous pouvez permettre le
- en supprimant le fichier /etc/shorewall/startup_disabled.<br>
+lancement de Shorewall  en supprimant le fichier /etc/shorewall/startup_disabled.<br>
     </p>
 <p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
@ -1152,8 +1155,8 @@ syst
 <div align="left">    
 <p align="left">Le firewall est activé en utilisant la commande "shorewall
- start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
+  start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
- routage est autorisé sur les hôtes qui possèdent une entrée dans <a
+le  routage est autorisé sur les hôtes qui possèdent une entrée dans <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
  firewall qui tourne peut être relancé en utilisant la commande "shorewall
  restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
@ -1167,15 +1170,14 @@ syst
 routage  depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) 
  lorsque  Shorewall    est arrêté.    Si ces deux interfaces ne sont pas 
 connectées  à votre réseau local et votre DMZ, ou si vous voulez permettre 
-un ensemble  d'hôtes différents, modifiez /etc/shorewall/routestopped en
+un ensemble  d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
 conséquence.</p>
     </div>
 <div align="left">    
-<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
+<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
-n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
+Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
-une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
+pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
-dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
  De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
  il est plus intéressant de créer une <i><a
 href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1190,5 +1192,6 @@ dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
 Thomas  M. Eastep</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@ -16,12 +16,10 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                    <tbody>
                     <tr>
                      <td width="100%">         
      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
                      </td>
                    </tr>
@ -45,9 +43,9 @@ to be running Linux Kernel 2.4.18 or later.</p>
 the  setting of  this variable determines whether Shorewall clears the traffic 
  shaping configuration  during Shorewall [re]start and Shorewall stop. <br>
          </li>
-                   <li><b>/etc/shorewall/tcrules</b> - A file where you can
+                    <li><b>/etc/shorewall/tcrules</b> - A file where you
- specify       firewall     marking of packets. The firewall mark value may
+can  specify       firewall     marking of packets. The firewall mark value
- be used  to classify     packets  for traffic shaping/control.<br>
+may  be used  to classify     packets  for traffic shaping/control.<br>
                    </li>
                    <li><b>/etc/shorewall/tcstart </b>- A user-supplied file 
 that   is     sourced     by Shorewall during "shorewall start" and which 
@ -55,28 +53,28 @@ to be running Linux Kernel 2.4.18 or later.</p>
  I have   provided     a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>   that does 
   table-driven CBQ shaping but if you read the traffic shaping   sections 
-  of     the     HOWTO mentioned above, you can probably code your   own
+  of     the     HOWTO mentioned above, you can probably code your   own faster
-faster   than     you can     learn how to use my sample. I personally  use
+  than     you can     learn how to use my sample. I personally  use    
    <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below). 
 HTB         support may eventually become an integral part of Shorewall 
- since  HTB   is a     lot simpler and better-documented than CBQ. As of
+since  HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
-2.4.20,  HTB is a standard     part of the kernel but iproute2 must be patched
+ HTB is a standard     part of the kernel but iproute2 must be patched  in
- in  order  to     use it.<br>
+ order  to     use it.<br>
                      <br>
-                     In tcstart, when you want to run the 'tc' utility, use
+                      In tcstart, when you want to run the 'tc' utility,
- the   run_tc    function      supplied by shorewall if you want tc errors
+use  the   run_tc    function      supplied by shorewall if you want tc errors 
 to stop   the firewall.<br>
                <br>
            You can generally use off-the-shelf traffic shaping scripts by 
 simply    copying  them to /etc/shorewall/tcstart. I use <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) 
-    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
+    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
-   modified  it according to the Wonder Shaper README). <b>WARNING: </b>If
+and    modified  it according to the Wonder Shaper README). <b>WARNING: </b>If 
 you  use use Masquerading or SNAT (i.e., you only have one external IP address) 
   then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] 
-   script won't work. Traffic shaping occurs after SNAT has already been applied
+   script won't work. Traffic shaping occurs after SNAT has already been
-   so when traffic shaping happens, all outbound traffic will have as a source
+applied    so when traffic shaping happens, all outbound traffic will have
-    address the IP addresss of your firewall's external interface.<br>
+as a source     address the IP addresss of your firewall's external interface.<br>
              </li>
                    <li><b>/etc/shorewall/tcclear</b> - A user-supplied file 
 that   is     sourced     by Shorewall when it is clearing traffic shaping. 
@ -85,8 +83,8 @@ simply    copying  them to /etc/shorewall/tcstart. I use <a
 </ul>
        Shorewall allows you to start traffic shaping when Shorewall itself 
- starts   or it allows you to bring up traffic shaping when you bring up
+ starts   or it allows you to bring up traffic shaping when you bring up your
-your  interfaces.<br>
+ interfaces.<br>
        <br>
        To start traffic shaping when Shorewall starts:<br>
@ -94,8 +92,8 @@ your  interfaces.<br>
          <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
          <li>Supply an /etc/shorewall/tcstart script to configure your traffic 
   shaping rules.</li>
-         <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
+          <li>Optionally supply an /etc/shorewall/tcclear script to stop
-   shaping. That is usually unnecessary.</li>
+traffic    shaping. That is usually unnecessary.</li>
          <li>If your tcstart script uses the 'fwmark' classifier, you can 
 mark   packets using entries in /etc/shorewall/tcrules.</li>
@ -131,10 +129,10 @@ not be covered here. You then should:<br>
 <p align="left">Normally, packet marking occurs in the PREROUTING chain before 
    any address rewriting takes place. This makes it impossible to mark inbound 
-    packets based on their destination address when SNAT or Masquerading are
+    packets based on their destination address when SNAT or Masquerading
-   being used. Beginning with Shorewall 1.3.12, you can cause packet marking
+are    being used. Beginning with Shorewall 1.3.12, you can cause packet
-   to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
+marking    to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
- in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+option  in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
          </p>
 <p align="left">Columns in the file are as follows:</p>
@ -142,18 +140,19 @@ not be covered here. You then should:<br>
 <ul>
                    <li>MARK - Specifies the mark value is to be assigned 
 in  case   of      a match. This is an integer in the range 1-255. Beginning 
-with Shorewall  version 1.3.14, this value may be optionally followed by ":"
+with Shorewall  version 1.3.14, this value may be optionally followed by
-and either 'F'  or 'P' to designate that the marking will occur in the FORWARD
+":" and either 'F'  or 'P' to designate that the marking will occur in the
-or PREROUTING  chains respectively. If this additional specification is omitted,
+FORWARD or PREROUTING  chains respectively. If this additional specification
-the chain  used to mark packets will be determined by the setting of the
+is omitted, the chain  used to mark packets will be determined by the setting
-MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+of the MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                      <br>
                      Example - 5<br>
                    </li>
-                   <li>SOURCE - The source of the packet. If the packet originates
+                    <li>SOURCE - The source of the packet. If the packet
-         on  the firewall, place "fw" in this column. Otherwise, this is
+originates          on  the firewall, place "fw" in this column. Otherwise,
-a      comma-separated   list of interface names, IP addresses, MAC addresses
+this is a      comma-separated   list of interface names, IP addresses, MAC
-  in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
+addresses   in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
 Subnets.<br>
                      <br>
                      Examples<br>
                          eth0<br>
@ -166,9 +165,9 @@ list   of      IP  addresses and/or subnets.<br>
 from       /etc/protocol,    a number or "all"<br>
                    </li>
                    <li>PORT(S) - Destination Ports. A comma-separated list 
- of  Port       names  (from /etc/services), port numbers or port ranges
+ of  Port       names  (from /etc/services), port numbers or port ranges (e.g.,
-(e.g.,   21:22);     if     the  protocol is "icmp", this column is interpreted
+  21:22);     if     the  protocol is "icmp", this column is interpreted as
-as   the     destination    icmp  type(s).<br>
+  the     destination    icmp  type(s).<br>
                    </li>
                    <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. 
   If      omitted,  any source port is acceptable. Specified as a comma-separate 
@ -178,8 +177,8 @@ as   the     destination    icmp  type(s).<br>
 <p align="left">Example 1 - All packets arriving on eth1 should be marked 
        with 1. All packets arriving on eth2 and eth3 should be marked with 
-  2.   All packets   originating on the firewall itself should be marked
+  2.   All packets   originating on the firewall itself should be marked with
-with   3.</p>
+  3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
                    <tbody>
@ -337,5 +336,6 @@ local systems     or from my laptop or firewall).</li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@ -14,7 +14,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
                    <tbody>
               <tr>
                      <td width="100%">               
@ -60,14 +60,14 @@
 <blockquote>      
  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
     </blockquote>
-    A search through the trace for "No chain/target/match by that name" turned 
+     A search through the trace for "No chain/target/match by that name"
- up the following:  
+turned   up the following:   
 <blockquote>      
  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
     </blockquote>
     The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
- tcp-reset". In this case, the user had compiled his own kernel and had forgotten 
+  tcp-reset". In this case, the user had compiled his own kernel and had
- to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) 
+forgotten   to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
 <h3>Your network environment</h3>
@ -78,8 +78,8 @@ an ill-conceived network setup. Here are several popular snafus:    </p>
                <li>Port           Forwarding where client and server are 
 in  the   same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
                <li>Changing the IP address of a local system to be in the
-external     subnet,      thinking that Shorewall will suddenly believe that 
+ external     subnet,      thinking that Shorewall will suddenly believe
-the system     is in the      'net' zone.</li>
+that  the system     is in the      'net' zone.</li>
                <li>Multiple interfaces connected to the same HUB or Switch.
  Given    the way      that the Linux kernel respond to ARP "who-has" requests,
  this    type of setup      does NOT work the way that you expect it to.</li>
@ -89,10 +89,10 @@ the system     is in the      'net' zone.</li>
 <h3 align="left">If you are having connection problems:</h3>
 <p align="left">If the appropriate policy for the connection that you are
-    trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
+     trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
-     TO MAKE IT WORK. Such additional rules will NEVER make it work, they 
+TRYING       TO MAKE IT WORK. Such additional rules will NEVER make it work,
-add    clutter to your rule set and they represent a big security hole in 
+they  add    clutter to your rule set and they represent a big security hole
-the event   that you forget to remove them later.</p>
+in  the event   that you forget to remove them later.</p>
 <p align="left">I also recommend against setting all of your policies to
      ACCEPT in an effort to make something work. That robs you of one of
@ -102,8 +102,8 @@ the event   that you forget to remove them later.</p>
 <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
    see Shorewall  messages, then  your problem is probably NOT a Shorewall
- problem.  If you DO see packet messages,  it may be an indication that you 
+  problem.  If you DO see packet messages,  it may be an indication that
- are missing  one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
+you   are missing  one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear
            two variables in /etc/shorewall/shorewall.conf:</p>
@ -123,9 +123,9 @@ the event   that you forget to remove them later.</p>
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
-               <li>all2all:REJECT - This packet was REJECTed out of the all2all 
+                <li>all2all:REJECT - This packet was REJECTed out of the
-   chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT 
+all2all     chain  -- the packet was rejected under the     "all"-&gt;"all"
-policy   (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
+REJECT  policy   (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
                <li>IN=eth2 - the packet entered the firewall via eth2</li>
                <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
                <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -161,8 +161,8 @@ or  FORWARD        chains? This means that:
  (using  an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
  file are you?);         or</li>
                  <li>the source and destination hosts are both connected 
-to  the   same         interface and you don't have a policy or rule for
+to  the   same         interface and you don't have a policy or rule for the
-the source zone to or from the destination zone.</li>
+source zone to or from the destination zone.</li>
    </ol>
                </li>
@ -184,12 +184,12 @@ and the  zone containing       10.1.1.2, the ping requests will be dropped.
                <li>If you specify "routefilter" for an interface,     that
 interface     must be up prior to starting the firewall.</li>
                <li>Is your routing correct? For example, internal systems
-usually     need to      be configured with their default gateway set to the
+ usually     need to      be configured with their default gateway set to
-IP address     of their      nearest firewall interface. One often overlooked 
+the IP address     of their      nearest firewall interface. One often overlooked
-aspect of   routing is that      in order for two hosts to communicate, the 
+ aspect of   routing is that      in order for two hosts to communicate,
-routing  between  them must be set      up <u>in both directions.</u> So when
+the  routing  between  them must be set      up <u>in both directions.</u>
-setting  up routing   between <b>A</b>      and<b> B</b>, be sure to verify
+So when setting  up routing   between <b>A</b>      and<b> B</b>, be sure
-that the  route from       <b>B</b> back to <b>A</b>      is defined.</li>
+to verify that the  route from       <b>B</b> back to <b>A</b>      is defined.</li>
                <li>Some versions of LRP (EigerStein2Beta for example) have
 a      shell  with broken variable expansion. <a
 href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
@ -199,12 +199,13 @@ a      shell  with broken variable expansion. <a
                <li>Shorewall requires the "ip" program. That     program 
 is  generally   included in the "iproute" package which should     be included
   with your  distribution (though many distributions don't install     iproute
-  by     default). You may also download the latest source tarball from <a
+   by     default). You may also download the latest source tarball from
- href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
+    <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
      .</li>
-                            <li>Problems with NAT? Be sure that you let Shorewall 
+                             <li>Problems with NAT? Be sure that you let
-add all      external  addresses to be use with NAT unless you have set <a
+Shorewall  add all      external  addresses to be use with NAT unless you
- href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
+have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No    
 in /etc/shorewall/shorewall.conf.</li>
 </ul>
@ -220,5 +221,6 @@ add all      external  addresses to be use with NAT unless you have set <a
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
        © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -18,10 +18,11 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber5"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                        <tbody>
                         <tr>
                          <td width="100%">                             
      <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
                          </td>
                        </tr>
@ -34,12 +35,12 @@
 and    follow      the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of 
-           Shorewall. It rather focuses on what is required to configure
+           Shorewall. It rather focuses on what is required to configure Shorewall
-Shorewall          in its  most common configuration:</p>
+         in its  most common configuration:</p>
 <ul>
-                       <li>Linux system used as a firewall/router for a small
+                        <li>Linux system used as a firewall/router for a
-  local    network.</li>
+small   local    network.</li>
                        <li>Single public IP address.</li>
                        <li>Internet connection through cable modem, DSL, 
 ISDN,    Frame    Relay,    dial-up    ...</li>
@ -53,9 +54,9 @@ ISDN,    Frame    Relay,    dial-up    ...</li>
                     </p>
 <p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily 
-       configure the above setup using the Mandrake "Internet Connection
+       configure the above setup using the Mandrake "Internet Connection Sharing"
-Sharing"        applet. From the Mandrake Control Center, select "Network
+       applet. From the Mandrake Control Center, select "Network &amp; Internet"
-&amp; Internet"        then "Connection Sharing".<br>
+       then "Connection Sharing".<br>
      </b></p>
 <p><b>Note however, that the Shorewall configuration produced by Mandrake 
@ -69,8 +70,8 @@ use  the rest of this documentation (it has two local zones; "loc" and "masq"
       </p>
 <p>Shorewall requires that you have the iproute/iproute2 package installed 
-          (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You
+          (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
-can    tell     if  this  package is installed by the presence of an <b>ip</b>
+   tell     if  this  package is installed by the presence of an <b>ip</b> 
 program    on   your  firewall  system. As root, you can use the 'which' 
 command to   check   for this  program:</p>
@ -89,18 +90,18 @@ are   marked  with
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                          If you edit your configuration files on a Windows 
 system,     you   must   save them as  Unix files if your editor supports 
- that option     or you   must  run them through  dos2unix before trying
+ that option     or you   must  run them through  dos2unix before trying to
-to  use them. Similarly,     if   you copy  a configuration file  from your
+ use them. Similarly,     if   you copy  a configuration file  from your Windows
-Windows  hard drive to a  floppy    disk, you must run dos2unix against the
+ hard drive to a  floppy    disk, you must run dos2unix against the  copy
- copy before using it with  Shorewall.</p>
+before using it with  Shorewall.</p>
 <ul>
                        <li><a
 href="http://www.simtel.net/pub/pd/51438.html">Windows     Version     of
     dos2unix</a></li>
                        <li><a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version of
-of    dos2unix</a></li>
+   dos2unix</a></li>
 </ul>
@ -108,14 +109,13 @@ of    dos2unix</a></li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
-                 The configuration files for Shorewall are contained in the 
+                  The configuration files for Shorewall are contained in
- directory      /etc/shorewall -- for simple setups, you will only need to 
+the   directory      /etc/shorewall -- for simple setups, you will only need
- deal with a  few  of  these as described in this guide.  After you have <a
+to   deal with a  few  of  these as described in this guide.  After you have
- href="Install.htm">installed Shorewall</a>,  <b>download the <a
+<a href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>, 
-         un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
+         un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
-to   /etc/shorewall        (these files will replace files with the same
+  /etc/shorewall        (these files will replace files with the same name).</b></p>
 name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual 
          file on your system -- each file contains detailed  configuration 
@ -169,8 +169,8 @@ name).</b></p>
 or   DROP      the request is first  checked against the rules in /etc/shorewall/common 
       (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -244,7 +244,8 @@ network     to  the   internet</li>
                        <li>drop (ignore) all connection requests from the
 internet     to  your   firewall     or local network</li>
                        <li>optionally accept all connection requests from
-the  firewall     to  the     internet (if you uncomment the additional policy)</li>
+ the  firewall     to  the     internet (if you uncomment the additional
 policy)</li>
                        <li>reject all other connection requests.</li>
 </ol>
@ -259,9 +260,9 @@ the  firewall     to  the     internet (if you uncomment the additional policy)<
 height="635">
                     </p>
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
          <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
           over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
     <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External 
@ -276,17 +277,17 @@ ippp0</b>
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter 
-          (eth1  or eth0) and will be connected to a hub or switch. Your
+          (eth1  or eth0) and will be connected to a hub or switch. Your other
-other      computers     will be  connected to the same hub/switch (note:
+     computers     will be  connected to the same hub/switch (note: If you
-If you  have    only a single     internal system,  you can connect the firewall
+ have    only a single     internal system,  you can connect the firewall 
 directly    to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
                     </b></u>Do not connect the internal and external interface 
-    to  the   same   hub or switch (even for testing). It won't work the
+    to  the   same   hub or switch (even for testing). It won't work the way
-way    that  you think  that   it will and you will end up confused and 
+   that  you think  that   it will and you will end up confused and  believing
-believing    that  Shorewall   doesn't   work at all.</p>
+   that  Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
@ -321,8 +322,8 @@ via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part
 of  establishing  your  connection   when you dial in (standard modem) or 
 establish  your PPP  connection.  In rare   cases, your ISP may assign you 
 a<i> static</i>  IP address; that  means that  you  configure your firewall's 
-external interface     to use that  address permanently.<i>  </i>However
+external interface     to use that  address permanently.<i>  </i>However your
-your external address   is  assigned, it  will be shared by all of your systems
+external address   is  assigned, it  will be shared by all of your systems 
 when you access the   Internet. You will have to assign your  own addresses 
 in your  internal  network (the Internal  Interface on your firewall  plus 
 your other  computers).  RFC 1918 reserves  several <i>Private </i>IP address 
@ -345,8 +346,8 @@ the external   interface's   entry  in    /etc/shorewall/interfaces.</p>
 <p align="left">You will want to assign your addresses from the same <i> 
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet 
             to consists of a range of addresses x.y.z.0 - x.y.z.255. Such 
- a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The
+ a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
-address    x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255
+   x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 
 is   reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, 
   a subnet  is  described  using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing 
@ -439,48 +440,48 @@ Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.
 don't      forward    packets  which have an RFC-1918 destination address. 
 When one    of your local    systems  (let's assume computer 1) sends a connection 
  request    to an internet    host, the  firewall must perform <i>Network 
- Address Translation     </i>(NAT).    The firewall  rewrites the source
+ Address Translation     </i>(NAT).    The firewall  rewrites the source address
-address  in the packet to   be the address    of the firewall's  external
+ in the packet to   be the address    of the firewall's  external interface;
-interface;  in other words,   the firewall makes    it look as if the firewall
+ in other words,   the firewall makes    it look as if the firewall  itself
- itself  is initiating the   connection.  This is   necessary so that the
+ is initiating the   connection.  This is   necessary so that the  destination
- destination    host will be able   to route return packets   back to the
+   host will be able   to route return packets   back to the firewall  (remember
-firewall  (remember    that packets whose   destination address is   reserved
+   that packets whose   destination address is   reserved by RFC 1918 can't
-by RFC 1918 can't    be routed across the   internet so the remote host 
+   be routed across the   internet so the remote host  can't address its
-can't address its response    to  computer 1).  When the firewall receives
+response    to  computer 1).  When the firewall receives a return packet,
-a return packet, it  rewrites    the destination address  back to 10.10.10.1
+it  rewrites    the destination address  back to 10.10.10.1  and  forwards
- and  forwards the packet on   to computer 1. </p>
+the packet on   to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
                        <li>                          
    <p align="left"><i>Masquerade</i> describes the case where you let your 
-             firewall system automatically detect the external interface
+             firewall system automatically detect the external interface address.
-address.               </p>
+              </p>
                       </li>
                       <li>                          
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify 
-          the    source address that you want outbound packets from your
+          the    source address that you want outbound packets from your local
-local      network     to use.    </p>
+     network     to use.    </p>
                       </li>
 </ul>
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with 
           entries in the /etc/shorewall/masq file. You will normally use 
-Masquerading          if  your external IP is dynamic and SNAT if the IP
+Masquerading          if  your external IP is dynamic and SNAT if the IP is
-is static.</p>
+static.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                         If your external firewall interface is <b>eth0</b>,
  you  do  not    need   to modify the file provided with the sample. Otherwise, 
   edit   /etc/shorewall/masq      and change the first column to the name
- of  your  external  interface and    the  second column to the name of your 
+  of  your  external  interface and    the  second column to the name of
- internal   interface.</p>
+your   internal   interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
@ -588,8 +589,8 @@ to rewrite   the source address   in  the response.</p>
 on  computers     1 or 2  or  on the    firewall). If you want to be able 
 to access your  web   server  using  the IP    address of your external interface,
  see     <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-                       <li>Many ISPs block incoming connection requests to
+                        <li>Many ISPs block incoming connection requests
- port   80.   If  you   have     problems connecting to your web server,
+to  port   80.   If  you   have     problems connecting to your web server, 
 try  the  following   rule and  try     connecting to port 5000.</li>
 </ul>
@ -630,8 +631,8 @@ try  the  following   rule and  try     connecting to port 5000.</li>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
          an IP  address your firewall's <i>Domain Name Service </i>(DNS) 
 resolver         will be  automatically configured (e.g., the /etc/resolv.conf 
-file  will     be  written).  Alternatively, your ISP may have given you
+file  will     be  written).  Alternatively, your ISP may have given you the
-the IP  address    of a  pair of DNS <i> name servers</i> for you to manually
+IP  address    of a  pair of DNS <i> name servers</i> for you to manually 
 configure  as  your    primary  and secondary  name servers. Regardless of 
 how DNS gets   configured    on your  firewall, it is <u>your</u> responsibility 
 to configure   the resolver    in your   internal systems. You can take one 
@ -653,13 +654,14 @@ file.    </p>
                         You can configure a<i> Caching Name Server </i>on
 your      firewall.<i>          </i>Red Hat has an RPM for a caching name
 server   (the  RPM also    requires    the 'bind' RPM) and for Bering users,
-there   is dnscache.lrp.  If you    take   this approach, you configure your 
+ there   is dnscache.lrp.  If you    take   this approach, you configure
-internal   systems to use  the firewall    itself as their primary (and only) 
+your  internal   systems to use  the firewall    itself as their primary
-name  server.  You use the  internal IP     address of the firewall (10.10.10.254 
+(and only)  name  server.  You use the  internal IP     address of the firewall
- in the  example above)  for the name       server address. To allow your 
+(10.10.10.254   in the  example above)  for the name       server address.
-local systems  to talk to  your caching name      server, you must open port 
+To allow your  local systems  to talk to  your caching name      server,
-53 (both UDP  and TCP) from  the local network   to the    firewall; you do
+you must open port  53 (both UDP  and TCP) from  the local network   to the
-that by adding  the following  rules in /etc/shorewall/rules.       </p>
+   firewall; you do that by adding  the following  rules in /etc/shorewall/rules.
      </p>
                       </li>
 </ul>
@ -825,7 +827,8 @@ allowing          all    connections from the firewall to the internet.</p>
                      </div>
 <div align="left">     
-<p align="left">Example - You want to run a Web Server on your firewall  system:</p>
+<p align="left">Example - You want to run a Web Server on your firewall 
 system:</p>
                     </div>
 <div align="left">     
@ -868,8 +871,8 @@ allowing          all    connections from the firewall to the internet.</p>
 <div align="left">     
 <p align="left">Those two rules would of course be in addition to the rules 
-             listed above under "You can configure a Caching Name Server
+             listed above under "You can configure a Caching Name Server on
-on   your     firewall"</p>
+  your     firewall"</p>
                     </div>
 <div align="left">     
@ -880,8 +883,7 @@ on   your     firewall"</p>
 <div align="left">     
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
             the internet because it uses clear text (even for login!). If 
- you    want     shell    access to your firewall from the internet, use
+ you    want     shell    access to your firewall from the internet, use SSH:</p>
 SSH:</p>
                     </div>
 <div align="left">     
@ -975,12 +977,12 @@ or  delete    other    connections  as required.</p>
 <div align="left">     
 <p align="left">          <img border="0" src="images/BD21298_2.gif"
 width="13" height="13" alt="Arrow">
-                       The <a href="Install.htm">installation procedure </a>
+                        The <a href="Install.htm">installation procedure
-    configures       your system to start Shorewall at system boot  but beginning
+</a>     configures       your system to start Shorewall at system boot 
-   with Shorewall      version 1.3.9 startup is disabled so that your system
+but beginning    with Shorewall      version 1.3.9 startup is disabled so
-   won't try to start     Shorewall before configuration is complete. Once
+that your system    won't try to start     Shorewall before configuration
- you  have completed configuration     of your firewall, you can enable Shorewall
+is complete. Once  you  have completed configuration     of your firewall,
-   startup by removing the file   /etc/shorewall/startup_disabled.<br>
+you can enable Shorewall    startup by removing the file   /etc/shorewall/startup_disabled.<br>
                     </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1027,5 +1029,6 @@ from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestoppe
    Thomas      M. Eastep</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/two-interface_fr.html
+++ b/Shorewall-docs/two-interface_fr.html
@ -20,11 +20,8 @@
 </head>
  <body lang="fr-FR">
 <p style="margin-bottom: 0cm;"><a name="AutoNumber5"></a><br>
  </p>
 <table width="100%" border="0" cellpadding="0" cellspacing="0"
- bgcolor="#400169">
+ bgcolor="#3366ff">
   	<tbody>
       <tr>
   		<td width="100%" height="90">                     
@ -41,9 +38,9 @@
   <small><i><u>Notes du traducteur</u> :<br>
   Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou 
 mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne 
-me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais
+me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t
-plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible
+&agrave; en faire une version fran&ccedil;aise intelligible par tous (et
-par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s 
+par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
 sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
 les retrouver dans le reste des documentations ainsi que dans les fichiers
 de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
@ -57,8 +54,8 @@ qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i>
 pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
 les bases et suivez la documentation.</p>
-<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
+<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
-focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans 
+se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
 son utilisation la plus courante :</p>
 <ul>
@ -86,13 +83,13 @@ ISDN, "Frame Relay", RTC ...  	</p>
 vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
 l'applet Mandrake "Internet Connection Sharing". Depuis le "Mandrake Control
 Center", s&eacute;lectionnez "Network &amp; Internet" et "Connection Sharing".
-Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave; ce 
+ Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave;
-guide.</b></p>
+ce  guide.</b></p>
 <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
 </i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
-la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous
+ la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall.
-root, utilisez la commande 'which' pour rechercher le programme :</p>
+Sous root, utilisez la commande 'which' pour rechercher le programme :</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -106,10 +103,10 @@ par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
 <p><img src="images/j0213519.gif" name="Image3" align="bottom"
 width="60" height="60" border="0">
- &nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur 
+  &nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration
-un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si
+sur  un syst&egrave;me Windows, vous devez les sauver comme des fichiers
-votre &eacute;diteur offre cette option sinon vous devez les faire passer 
+Unix si votre &eacute;diteur offre cette option sinon vous devez les faire
-par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re, 
+passer  par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
 si vous copiez un fichier de configuration depuis votre disque dur Windows
 vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
 avec Shorewall.</p>
@ -134,8 +131,8 @@ of dos2unix</a> 	</p>
  &nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
 le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
 n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit 
- dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
+ dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>,
-Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a
+t&eacute;l&eacute; chargez<b> le <a
 href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface  sample</a>, 
 un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall 
 (ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
@ -204,11 +201,11 @@ d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/r
 <p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
 est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
-Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de
+ Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande
-connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy 
+de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
-qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp;
+ qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou
-la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux
+DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par
-r&egrave;gles contenues dans /etc/shorewall/common.</p>
+rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p>
 <p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
 a les politiques suivantes:</p>
@ -291,9 +288,9 @@ a les politiques suivantes:</p>
     </dd>
 </dl>
-<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est
+<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante
-inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse
+est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall
-avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez 
+puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
 la ligne.</blockquote>
   <a name="AutoNumber31"></a>   
 <dl>
@ -354,8 +351,8 @@ local.  	</p>
   	</li>
     <li>               
    <p style="margin-bottom: 0cm;">Facultativement&nbsp;accepter toutes les
-	demandes de connexion de votre firewall vers l'Internet (si vous 	avez d&eacute; 
+ 	demandes de connexion de votre firewall vers l'Internet (si vous 	avez
-comment&eacute; la politique additionnelle)  	</p>
+d&eacute;  comment&eacute; la politique additionnelle)  	</p>
   	</li>
     <li>               
    <p>reject (rejeter) toutes les autres demandes de connexion.  	</p>
@ -376,10 +373,11 @@ et faite les changements que vous d&eacute;sirez.</p>
 <p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la
 connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
-modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External Interface)</i> 
+ modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External
-sera l'adaptateur sur lequel est connect&eacute; le routeur (e.g., <b>eth0</b>)&nbsp; 
+Interface)</i>  sera l'adaptateur sur lequel est connect&eacute; le routeur
-<u>&agrave; moins que</u> vous ne vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol 
+(e.g., <b>eth0</b>)&nbsp;  <u>&agrave; moins que</u> vous ne vous connectiez
-over<u>E</u>thernet</i> (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
+par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol  over<u>E</u>thernet</i>
 (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP), 
 dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
 (e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
 interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
@ -393,8 +391,8 @@ ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
 <p align="left">Votre <i>Internal Interface</i> (interface vers votre r&eacute;seau
 local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou eth0) et sera connect&eacute;e
-&agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;). Vos 
+ &agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;).
-autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
+Vos  autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
 <p align="left"><b><u><img src="images/j0213519.gif" name="Image8"
 align="bottom" width="60" height="60" border="0">
@ -405,11 +403,12 @@ pas que ce soit shorewall qui ne marche pas.</p>
 <p align="left"><img src="images/BD21298_.gif" name="Image9"
 align="left" width="13" height="13" border="0">
  &nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
-suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>.
+ suppose que votre interface externe est <b>eth0</b>et que l'interne est
- Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier 
+<b>eth1</b>.  Si votre configuration est diff&eacute;rente, vous devrez modifier
-<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence. 
+le fichier  <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui
+en cons&eacute;quence.  Tant que vous y &ecirc;tes, vous pourriez parcourir
-sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
+la liste des options qui sont sp&eacute;cifi&eacute;es pour les interfaces.
 Quelques trucs:</p>
 <ul>
   	<li>               
@ -431,17 +430,17 @@ ou <b>ippp0</b> ou si vous avez une adresse IP 	statique, vous pouvez enlever
 sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
 Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP 
 address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i> 
- Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement
+ Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de
-de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez 
+votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
 votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
 une adresse statique<i> (static</i>IP address); cela signifie que vous devez
 configurer l'interface externe de votre firewall afin d'utiliser cette adresse
 de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
 va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s 
- &agrave; Internet. Vous devrez assigner vos propres adresses dans votre
+ &agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau
-r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi
+local (votre interface interne sur le firewall &nbsp;ainsi que les autres
-que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages
+ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP
-d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p>
+address ranges) &agrave; cette fin :</p>
 <pre style="text-align: left;">     10.0.0.0    - 10.255.255.255an<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -455,11 +454,11 @@ externe dans le fichier /etc/shorewall/interfaces.</p>
 <p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
 (<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
 un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
-sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse
+ sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0.
-x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet
+L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau
-Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de
+(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse
-broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau
+de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un
-est d&eacute;crit en utilisant <a
+sous-r&eacute;seau est d&eacute;crit en utilisant <a
 href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
 Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
 par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
@ -510,8 +509,8 @@ bits marquant "1" dans la partie gauche du masque de sous-r&eacute;seau.</p>
 </dl>
 <p align="left">Il est de mise d'assigner l'interface interne (LAN) &agrave;
-la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1 dans 
+ la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1
-l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable 
+dans  l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable
 (10.10.10.254).</p>
 <p align="left">L'un des buts d'un sous-r&eacute;seau est de permettre &agrave;
@ -524,14 +523,14 @@ des paquets &agrave; travers le gateway (routeur).</p>
 align="bottom" width="13" height="13" border="0">
  &nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur 
 2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle 
- par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
+ par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface
-l'interface interne du firewall.</p>
+interne du firewall.</p>
 <p align="left">The foregoing short discussion barely scratches the surface
-regarding subnetting and routing. If you are interested in learning more about
+ regarding subnetting and routing. If you are interested in learning more
-IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone
+about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
-Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
+What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
-1999, ISBN 0-13-975483-0.</p>
+Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
 <p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
 votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
@ -547,8 +546,8 @@ votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
 <p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
 parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
-Internet (backbone) ne font pas circuler les paquets qui ont une adresse de
+ Internet (backbone) ne font pas circuler les paquets qui ont une adresse
-destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes 
+de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
 en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
 par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
 Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
@ -557,22 +556,22 @@ le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
 Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
 de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
 pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
-1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc
+ 1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet,
-l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur
+donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave;
-1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet
+l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse,
-l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers
+il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet
-l'ordinateur 1. </p>
+vers l'ordinateur 1. </p>
 <p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
-souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le
+ souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi
-terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;. 
+le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
 Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
 <ul>
   	<li>               
    <p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous 	laissez
-votre firewall d&eacute;tecter automatiquement l'adresse de 	l'interface externe.
+ votre firewall d&eacute;tecter automatiquement l'adresse de 	l'interface
- 	</p>
+externe.  	</p>
   	</li>
     <li>               
    <p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous 	sp&eacute;cifiez
@ -592,15 +591,15 @@ SNAT si elle est statique.</p>
  &nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
 vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
 le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
-colonne par le nom de votre interface externe, et la seconde colonne par le
+ colonne par le nom de votre interface externe, et la seconde colonne par
-nom de votre interface interne.</p>
+le nom de votre interface interne.</p>
 <p align="left"><img src="images/BD21298_.gif" name="Image14"
 align="bottom" width="13" height="13" border="0">
  &nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
 dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
-de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette
+ de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez
-colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me 
+cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
 colonne permet un traitement des paquets sortant un peu plus efficace.<br>
   <br>
   <img src="images/BD21298_.gif" name="Image15" align="bottom"
@ -628,12 +627,12 @@ de se connecter directement &agrave; eux. Il est n&eacute;cessaire &agrave;
 ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
 &eacute;crit l'adresse de destination de votre serveur, et fait passer le
 paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
-applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source
+ applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse
- dans la r&eacute;ponse.</p>
+source  dans la r&eacute;ponse.</p>
 <p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
-ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le
+ ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez
-port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
+le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
 <p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
 dans /etc/shorewall/rules est:</p>
@ -760,8 +759,8 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
   	<li>               
    <p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle 	pr&eacute;c&eacute;dente
 depuis un client &agrave; l'ext&eacute;rieur 	de votre r&eacute;seau local
-(c.a.d., ne pas tester depuis un 	navigateur tournant sur l'ordinateur 1 ou
+ (c.a.d., ne pas tester depuis un 	navigateur tournant sur l'ordinateur 1
-2 ou sur le firewall). Si 	vous voulez avoir la possibilit&eacute; d'acc&eacute;der 
+ou 2 ou sur le firewall). Si 	vous voulez avoir la possibilit&eacute; d'acc&eacute;der
 &agrave; 	votre serveur web en utilisant l'adresse IP externe de votre 	firewall,
 regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. 	</p>
   	</li>
@ -838,39 +837,40 @@ les r&egrave;gles DNAT dont vous avez besoin.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normalement, quand vous vous connectez &agrave; votre fournisseur
-(ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS pour 
+ (ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS
-le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement 
+pour  le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement
 (c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute; &eacute;crit). Il
 arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
-(name servers)</i> afin que vous configuriez manuellement votre serveur de 
+ (name servers)</i> afin que vous configuriez manuellement votre serveur
-nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute; 
+de  nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
 sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez 
 proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
 <ul>
   	<li>               
-    <p align="left">Vous pouvez configurer votre syst&egrave;me 	interne pour
+    <p align="left">Vous pouvez configurer votre syst&egrave;me 	interne
-utiliser les noms de serveurs de votre provider. Si 	votre fournisseur vous
+pour utiliser les noms de serveurs de votre provider. Si 	votre fournisseur
-donne les adresses de leurs serveurs ou si 	ces adresses sont disponibles 
+vous donne les adresses de leurs serveurs ou si 	ces adresses sont disponibles
-sur leur site web, vous pouvez 	configurer votre syst&egrave;me interne afin 
+ sur leur site web, vous pouvez 	configurer votre syst&egrave;me interne
-de les utiliser. Si 	cette information n' est pas disponible, regardez dans 
+afin  de les utiliser. Si 	cette information n' est pas disponible, regardez
-	/etc/resolv.conf sur votre firewall -- les noms des serveurs sont 	donn&eacute;s 
+dans  	/etc/resolv.conf sur votre firewall -- les noms des serveurs sont
-dans l'enregistrement "nameserver" dans ce 	fichier.  	</p>
+	donn&eacute;s  dans l'enregistrement "nameserver" dans ce 	fichier.  	</p>
   	</li>
     <li>               
    <p align="left"><img src="images/BD21298_.gif" name="Image17"
 align="bottom" width="13" height="13" border="0">
  	&nbsp;&nbsp;&nbsp; Vous pouvez configurer un cache dns<i> (Caching 	Name
-Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour 	mettre en cache 
+ Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour 	mettre en
-un serveur de nom (le RPM requis aussi le RPM 	'bind') et pour les utilisateurs 
+cache  un serveur de nom (le RPM requis aussi le RPM 	'bind') et pour les
- de Bering, il y a 	dnscache.lrp. Si vous adoptez cette approche, vous configurez 
+utilisateurs   de Bering, il y a 	dnscache.lrp. Si vous adoptez cette approche,
-votre 	syst&egrave;me interne pour utiliser le firewall lui m&ecirc;me 	comme 
+vous configurez  votre 	syst&egrave;me interne pour utiliser le firewall
-&eacute;tant le seul serveur de nom primaire. Vous pouvez 	utiliser l'adresse 
+lui m&ecirc;me 	comme  &eacute;tant le seul serveur de nom primaire. Vous
-IP interne du firewall (10.10.10.254 dans 	l'exemple) pour l'adresse de serveur 
+pouvez 	utiliser l'adresse  IP interne du firewall (10.10.10.254 dans 	l'exemple)
-de nom. Pour permettre &agrave; 	vos syst&egrave;mes locaux de discuter avec 
+pour l'adresse de serveur  de nom. Pour permettre &agrave; 	vos syst&egrave;mes
-votre serveur cache de 	nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP)
+locaux de discuter avec  votre serveur cache de 	nom, vous devez ouvrir le
- sur le firewall 	vers le r&eacute;seau local; vous ferez ceci en ajoutant 
+port 53 (UDP ET&nbsp; TCP)  sur le firewall 	vers le r&eacute;seau local;
-les r&egrave;gles 	suivantes dans /etc/shorewall/rules.  	</p>
+vous ferez ceci en ajoutant  les r&egrave;gles 	suivantes dans /etc/shorewall/rules.
 	</p>
     </li>
 </ul>
@ -1038,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
     </dd>
 </dl>
-<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir
+<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave;
-de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute;
+partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez
-comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les
+d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant
-connexions depuis le firewall vers Internet.</p>
+toutes les connexions depuis le firewall vers Internet.</p>
 <p align="left">Les exemples contiennent aussi :</p>
   <a name="AutoNumber45"></a>   
@ -1102,11 +1102,12 @@ connexions depuis le firewall vers Internet.</p>
 </dl>
 <p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
-serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau
+ serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre
-local.</p>
+r&eacute;seau local.</p>
-<p align="left">Si vous voulez permettre d'autres connexions entre votre firewall
+<p align="left">Si vous voulez permettre d'autres connexions entre votre
-et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
+firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est
 :</p>
   <a name="AutoNumber46"></a>   
 <dl>
  <dd>               
@ -1247,15 +1248,15 @@ firewall :</p>
     </dd>
 </dl>
-<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux
+<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter
-r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez 
+aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
 configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
 <p align="left">Si vous ne savez pas quel port et quel protocole une application
 particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
-<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le
+<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre
-telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me 
+le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
 pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
 sur votre firewall depuis Internet, utilisez SSH :</p>
   <a name="AutoNumber48"></a>   
@ -1327,12 +1328,12 @@ pour ajouter ou supprimer les connexions voulues.</p>
  &nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a> 
 configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
 mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
-est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une 
+ est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie.
-fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre 
+Une  fois la configuration de votre firewall achev&eacute;e, vous pouvez
-le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
+permettre  le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
-<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
-paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
+des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
 <p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
 start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
@ -1345,10 +1346,11 @@ dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
 <p align="left"><img src="images/BD21298_.gif" name="Image20"
 align="bottom" width="13" height="13" border="0">
  &nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
-permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque
+ permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
-Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute;
+lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est
-&agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou
+pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s
-vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p>
+depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped
 en cons&eacute;quence.</p>
 <p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
 votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
@ -1374,5 +1376,6 @@ M. Eastep</font></a></p>
   <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
                             <tbody>
                             <tr>
                               <td width="100%">                        
@ -56,6 +56,7 @@
 <h3> </h3>
 <h3>Version &gt;= 1.4.6</h3>
 <ul>
   <li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed 
 from shorewall.conf. These capabilities are now automatically detected by 
@ -70,20 +71,21 @@ entries of the following format:<br>
     <br>
     <i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
   </li>
 </ul>
 <h3>Version &gt;= 1.4.4</h3>
-    If you are upgrading from 1.4.3 and have set the LOGMARKER variable in
+     If you are upgrading from 1.4.3 and have set the LOGMARKER variable
- <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
+in  <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then 
 you  must set the new LOGFORMAT variable appropriately and remove your setting 
  of LOGMARKER<br>
    <br>
 <h3>Version 1.4.4<br>
   </h3>
-  If you have zone names that are 5 characters long, you may experience problems 
+   If you have zone names that are 5 characters long, you may experience
- starting Shorewall because the --log-prefix in a logging rule is too long.
+problems   starting Shorewall because the --log-prefix in a logging rule
- Upgrade to Version 1.4.4a to fix this problem..<br>
+is too long.  Upgrade to Version 1.4.4a to fix this problem..<br>
 <h3>Version &gt;= 1.4.2</h3>
       There are some cases where you may want to handle traffic from a particular 
@ -102,29 +104,30 @@ transparent    proxy in your local zone.</a></li>
 <h3>Version &gt;= 1.4.1</h3>
 <ul>
-            <li>Beginning with Version 1.4.1, traffic between groups in the 
+             <li>Beginning with Version 1.4.1, traffic between groups in
- same   zone is accepted by default.  Previously, traffic from a zone to itself
+the   same   zone is accepted by default.  Previously, traffic from a zone
- was  treated just like any other  traffic; any matching rules were applied
+to itself  was  treated just like any other  traffic; any matching rules
- followed  by enforcement of the appropriate  policy. With 1.4.1 and later
+were applied  followed  by enforcement of the appropriate  policy. With 1.4.1
- versions,  unless you have explicit rules for  traffic from Z to Z or you
+and later  versions,  unless you have explicit rules for  traffic from Z
- have an explicit  Z to Z policy (where "Z" is some  zone) then traffic between
+to Z or you  have an explicit  Z to Z policy (where "Z" is some  zone) then
- the groups in  zone Z will be accepted. If you do have one or more explicit
+traffic between  the groups in  zone Z will be accepted. If you do have one
- rules for Z to Z or if you have an explicit Z to Z policy then the behavior
+or more explicit  rules for Z to Z or if you have an explicit Z to Z policy
- is as it was in prior versions.</li>
+then the behavior  is as it was in prior versions.</li>
 </ul>
 <blockquote>                           
  <ol>
               <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
-  between   two interfaces to the same zone, that policy can be removed and 
+   between   two interfaces to the same zone, that policy can be removed
-  traffic between  the interfaces will traverse fewer rules than previously.</li>
+and    traffic between  the interfaces will traverse fewer rules than previously.</li>
               <li>If you have a Z Z DROP or Z Z REJECT policy or you have
 Z-&gt;Z    rules then your configuration should not require any change.</li>
-             <li>If you are currently relying on a implicit policy (one that
+              <li>If you are currently relying on a implicit policy (one
-  has   "all" in either the SOURCE or DESTINATION column) to prevent traffic
+that   has   "all" in either the SOURCE or DESTINATION column) to prevent
-  between   two interfaces to a zone Z and you have no rules for Z-&gt;Z
+traffic   between   two interfaces to a zone Z and you have no rules for
-then   you should   add an explicit DROP or REJECT policy for Z to Z.<br>
+Z-&gt;Z then   you should   add an explicit DROP or REJECT policy for Z to
 Z.<br>
              </li>
  </ol>
@ -143,9 +146,9 @@ then   you should   add an explicit DROP or REJECT policy for Z to Z.<br>
    <pre>/etc/shorewall/zones<br><br>z1	Zone1	The first Zone<br>z2	Zone2	The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2	eth1	192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1	eth1:192.168.1.3<br></pre>
           </blockquote>
          Here, zone z1 is nested in zone z2 and the firewall is not going
-to  be  involved in any traffic between these two zones. Beginning with Shorewall 
+ to  be  involved in any traffic between these two zones. Beginning with
-   1.4.1, you can prevent Shorewall from setting up any infrastructure to 
+Shorewall     1.4.1, you can prevent Shorewall from setting up any infrastructure
-handle   traffic between z1 and z2 by using the new NONE policy:<br>
+to  handle   traffic between z1 and z2 by using the new NONE policy:<br>
  <blockquote>                                       
    <pre>/etc/shorewall/policy<br><pre>z1	z2	NONE<br>z2	z1	NONE</pre></pre>
@ -171,7 +174,8 @@ upgrade to Version   1.4.2 and use the 'routeback' interface or host option.
  iproute    package  ('ip' utility).</b><br>
            <br>
            <b>Note: </b>Unfortunately, some distributions call this package
- iproute2    which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
+  iproute2    which will cause the upgrade of Shorewall to fail with the
 diagnostic:<br>
               <br>
                  error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
         <br>
@ -193,9 +197,9 @@ like any other connection       request and are subject to rules and policies.</
      Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
    contents   are  determined by BOTH the interfaces and hosts files when
 there   are entries   for the zone in both files.</li>
-                   <li>The <b>routestopped</b> option in the interfaces and 
+                    <li>The <b>routestopped</b> option in the interfaces
- hosts   file   has  been eliminated; use entries in the routestopped file 
+and   hosts   file   has  been eliminated; use entries in the routestopped
- instead.</li>
+file   instead.</li>
                    <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
  is  no  longer     accepted; you must convert to using the new syntax.</li>
                    <li value="6">The ALLOWRELATED variable in shorewall.conf 
@ -255,22 +259,23 @@ the SOURCE   and  DESTINATION  columns.</li>
 height="13">
                        Beginning in version 1.3.14, Shorewall treats entries 
  in  <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. 
-  The  change      involves entries with an <b>interface name</b> in the
+  The  change      involves entries with an <b>interface name</b> in the <b>SUBNET</b>
-<b>SUBNET</b>    (second)      <b>column</b>:<br>
+   (second)      <b>column</b>:<br>
 <ul>
                      <li>Prior to 1.3.14, Shorewall would detect the FIRST 
 subnet    on  the   interface  (as shown by "ip addr show <i>interface</i>") 
 and would    masquerade   traffic  from that subnet. Any other subnets that 
- routed through    eth1 needed   their  own entry in /etc/shorewall/masq
+ routed through    eth1 needed   their  own entry in /etc/shorewall/masq to
-to  be masqueraded   or  to have SNAT   applied.</li>
+ be masqueraded   or  to have SNAT   applied.</li>
                      <li>Beginning with Shorewall 1.3.14, Shorewall uses 
 the   firewall's      routing   table to determine ALL subnets routed through 
-the  named interface.      Traffic   originating in ANY of those subnets
+the  named interface.      Traffic   originating in ANY of those subnets is
-is masqueraded  or has SNAT     applied.</li>
+masqueraded  or has SNAT     applied.</li>
 </ul>
-                   You will need to make a change to your configuration if:<br>
+                    You will need to make a change to your configuration
 if:<br>
 <ol>
                      <li>You have one or more entries in /etc/shorewall/masq 
@ -311,8 +316,9 @@ the  old handling indefinitely  so   I urge current users to migrate to using
 handling documentation</a>  for details.<br>
 <h3>Version 1.3.10</h3>
-                    If you have installed the 1.3.10 Beta 1 RPM and are now 
+                     If you have installed the 1.3.10 Beta 1 RPM and are
- upgrading     to  version   1.3.10, you will need to use the '--force' option:<br>
+now   upgrading     to  version   1.3.10, you will need to use the '--force'
 option:<br>
                     <br>
 <blockquote>                           
@ -321,9 +327,8 @@ the  old handling indefinitely  so   I urge current users to migrate to using
 <h3>Version &gt;= 1.3.9</h3>
                       The 'functions' file has moved to /usr/lib/shorewall/functions. 
-      If  you   have  an application that uses functions from that file,
+      If  you   have  an application that uses functions from that file, your
-your     application     will need to be changed to reflect this change of
+    application     will need to be changed to reflect this change of location.<br>
 location.<br>
 <h3>Version &gt;= 1.3.8</h3>
@ -359,8 +364,8 @@ have   a  backup    --  you   will  need
                                                          <li>Replace the 
 shorwall.lrp       package     provided  on                              
   the Bering  floppy     with the    later one.  If you did            
-                      not   obtain  the later   version from Jacques's  
+                     not   obtain  the later   version from Jacques's   site,
-site,  see additional    instructions   below.</li>
+ see additional    instructions   below.</li>
                                                          <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                             file and remove the /var/lib/shorewall 
          entry  if                                  present. Then do not 
@ -382,8 +387,8 @@ forget       to   backup  root.lrp !</li>
 <p align="left">If you have a pair of firewall systems configured for   
     failover or if you have asymmetric routing, you will need to modify
-                  your firewall setup slightly under Shorewall versions 1.3.6
+                   your firewall setup slightly under Shorewall versions
-      and   1.3.7</p>
+1.3.6       and   1.3.7</p>
 <ol>
                                      <li>                              
@ -391,20 +396,21 @@ forget       to   backup  root.lrp !</li>
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
                       the following rule<br>
                                    <br>
-                                   <font face="Courier">run_iptables -A newnotsyn
+                                    <font face="Courier">run_iptables -A
-    -j  RETURN    #  So  that the            connection tracking table can
+newnotsyn     -j  RETURN    #  So  that the            connection tracking
- be   rebuilt<br>
+table can  be   rebuilt<br>
-                                                                        # 
+                                                                        
-from   non-SYN     packets     after  takeover.<br>
+#  from   non-SYN     packets     after  takeover.<br>
                           </font>  </p>
                           </li>
                           <li>                                          
    <p align="left">Create /etc/shorewall/common (if you don't already  
       have that file) and include the following:<br>
                                    <br>
-                                   <font face="Courier">run_iptables -A common
+                                    <font face="Courier">run_iptables -A
-   -p  tcp   --tcp-flags                 ACK,FIN,RST ACK -j ACCEPT #Accept
+common    -p  tcp   --tcp-flags                 ACK,FIN,RST ACK -j ACCEPT
- Acks  to rebuild   connection<br>
+#Accept  Acks  to rebuild   connection<br>
                     #tracking table. <br>
                                    . /etc/shorewall/common.def</font> </p>
@ -452,13 +458,14 @@ from   non-SYN     packets     after  takeover.<br>
                  If you have applications that access these files, those
 applications                    should be modified accordingly.</p>
-<p><font size="2">  Last updated 6/29/2003 -   <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">  Last updated 6/29/2003 -   <a href="support.htm">Tom
-</p>
+Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
              © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/useful_links.html
+++ b/Shorewall-docs/useful_links.html
@ -12,7 +12,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#400169" height="90">
+ bgcolor="#3366ff" height="90">
      <tbody>
        <tr>
          <td width="100%">       
@ -61,5 +61,6 @@
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/whitelisting_under_shorewall.htm
+++ b/Shorewall-docs/whitelisting_under_shorewall.htm
@ -16,7 +16,7 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
     <tbody>
      <tr>
       <td width="100%">       
@ -27,9 +27,9 @@
  </tbody> 
 </table>
-<p align="left">For a brief time, the 1.2 version of Shorewall supported an
+<p align="left">For a brief time, the 1.2 version of Shorewall supported
- /etc/shorewall/whitelist file. This file was intended to contain a list of
+an  /etc/shorewall/whitelist file. This file was intended to contain a list
-IP  addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
+of IP  addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist 
 file was  implemented as a stop-gap measure until the facilities necessary 
 for  implementing white lists using zones was in place. As of Version 1.3 
 RC1, those  facilities were available.</p>
@ -39,12 +39,13 @@ to a  set
 following environment:</p>
 <ul>
-    <li>A firewall with three interfaces -- one to the internet, one    to
+     <li>A firewall with three interfaces -- one to the internet, one   
-a local network and one to a DMZ.</li>
+to a local network and one to a DMZ.</li>
-    <li>The local network uses SNAT to the internet and is comprised    of
+     <li>The local network uses SNAT to the internet and is comprised   
-the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918
+of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
-   local network, the technique described here in no way depends on that or
+1918    local network, the technique described here in no way depends on
-on    SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
+that or on    SNAT. It may be used with Proxy ARP, Subnet Routing, Static
 NAT, etc.).</li>
     <li>The network operations staff have workstations with IP    addresses 
 in the class C network 10.10.10.0/24</li>
     <li>We want the network operations staff to have full access to    all 
@ -127,7 +128,6 @@ since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b
            <td> </td>
          </tr>
    </tbody>   
  </table>
   </blockquote>
@ -139,7 +139,6 @@ we  don't specify a zone for it here.</p>
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">           
                                                     </font>    
  <table border="2">
                                       <tbody>
        <tr>
@ -159,23 +158,21 @@ we  don't specify a zone for it here.</p>
            <td> </td>
          </tr>
    </tbody>   
  </table>
   </blockquote>
-<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is
+<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
-stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
+only the hosts in the <b>ops</b> zone will be allowed to access the  firewall
- firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather
+and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than  10.10.0.0/16
-than  10.10.0.0/16 so that the limited broadcast address (255.255.255.255)
+so that the limited broadcast address (255.255.255.255) falls into  that
-falls into  that zone. If I used 10.10.0.0/16 then I would have to have a
+zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
-separate entry for  that special address.</p>
+ that special address.</p>
 <h2>Policy File</h2>
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">           
                                                         </font>    
  <table border="2">
                                         <tbody>
        <tr>
@ -189,18 +186,14 @@ separate entry for  that special address.</p>
            <td><font color="#0000ff">ops</font></td>
            <td><font color="#0000ff">all</font></td>
            <td><font color="#0000ff">ACCEPT</font></td>
           <td> </td>
           <td> </td>
          </tr>
          <tr>
            <td><font color="#0000ff">all</font></td>
            <td><font color="#0000ff">ops</font></td>
            <td><font color="#0000ff">CONTINUE</font></td>
           <td> </td>
           <td> </td>
          </tr>
          <tr>
@ -208,7 +201,6 @@ separate entry for  that special address.</p>
            <td>net</td>
            <td>ACCEPT</td>
    <td> </td>
           <td> </td>
               </tr>
          <tr>
@ -226,7 +218,6 @@ separate entry for  that special address.</p>
            <td> </td>
          </tr>
    </tbody>   
  </table>
   </blockquote>
@ -271,8 +262,6 @@ file.<font color="#ff0000"><b></b></font></p>
            <td> </td>
          </tr>
    </tbody>   
  </table>
   </blockquote>
@ -280,6 +269,7 @@ file.<font color="#ff0000"><b></b></font></p>
 <p>This is the rule that transparently redirects web traffic to the transparent 
 proxy running on the firewall. The SOURCE column explicitly excludes the 
 <b>ops</b>  zone from the rule.</p>
 <h2>Routestopped File</h2>
 <blockquote>   
@ -302,24 +292,17 @@ file.<font color="#ff0000"><b></b></font></p>
           <td>10.10.10.0/24</td>
               </tr>
    </tbody>   
  </table>
  <br>
 </blockquote>
 <p><font size="2">   Updated 2/18/2003 - <a href="support.htm">Tom  Eastep</a> 
    </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
   © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
-
+                               <br>
  <br>
 <br>
 </body>