Shorewall 2.0.3-RC2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1403 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-08 22:58:50 +01:00 · 2004-06-19 16:05:50 +00:00 · 2004-06-19 16:05:50 +00:00 · dbd062e23e
commit dbd062e23e
parent 3ca68c3b59
25 changed files with 405 additions and 373 deletions
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@ -4496,7 +4496,7 @@ setup_blacklist() {
 	createchain blacklst no
-	[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+	[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
 	for host in $hosts; do
 	    interface=${host%%:*}
@ -4851,7 +4851,7 @@ initialize_netfilter () {
 	fi
    fi
-    [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+    [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
    echo "Creating Interface Chains..."
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@ -1 +1 @@
-2.0.3-RC1
+2.0.3-RC2
--- a/Shorewall-docs/Documentation.xml
+++ b/Shorewall-docs/Documentation.xml
@ -1232,13 +1232,40 @@ DNAT      net       loc:192.168.1.3 tcp      ssh
    <para>The <filename>/etc/shorewall/rules</filename> file defines
    exceptions to the policies established in the <filename>/etc/shorewall/policy</filename>
-    file. There is one entry in /etc/shorewall/rules for each of these rules.</para>
+    file. There is one entry in /etc/shorewall/rules for each of these rules.
    Entries in this file only govern the establishment of new connections —
    packets that are part of an existing connection or that establish a
    connection that is related to an existing connection are automatically
    accepted.</para>
    <para>Shorewall automatically enables firewall-&#62;firewall traffic over
    the loopback interface (lo) -- that traffic cannot be regulated using
    rules and any rule that tries to regulate such traffic will generate a
    warning and will be ignored.</para>
    <para>Rules for each pair of zones (source zone, destination zone) are
    evaluated in the order that they appear in the file — the first match
    determines the disposition of the connection request with a couple of
    caveats:</para>
    <itemizedlist>
      <listitem>
        <para>LOG rules cause the connection request to be logged then
        processing continues with the next rule in the file.</para>
      </listitem>
      <listitem>
        <para>QUEUE rules cause the connection request to be passed to
        user-space -- the user-space application can later insert them back
        into the stream for further processing by following rules.</para>
      </listitem>
      <listitem>
        <para>CONTINUE rules may cause the connection request to be
        reprocessed using a different (source zone, destination zone) pair.</para>
      </listitem>
    </itemizedlist>
    <para>Entries in the file have the following columns:</para>
    <variablelist>
@ -3115,7 +3142,8 @@ eth1                -</programlisting>
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
+    <para><revhistory><revision><revnumber>1.13</revnumber><date>2004-02-13</date><authorinitials>TE</authorinitials><revremark>Add
    information about the order of rules evalution.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
    masquerade destination list.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-18</date><authorinitials>TE</authorinitials><revremark>Correct
    typo.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
    Compliance</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Improved
--- a/Shorewall-docs/FAQ.xml
+++ b/Shorewall-docs/FAQ.xml
@ -17,7 +17,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-25</pubdate>
+    <pubdate>2004-03-04</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -529,6 +529,28 @@ eth2             192.168.2.0/24</programlisting>
      <para>See the <ulink url="FTP.html">Shorewall and FTP page</ulink>.</para>
    </section>
    <section id="faq33">
      <title>(FAQ 33) From clients behind the firewall, connections to some
      sites fail. Connections to the same sites from the firewall itself work
      fine. What&#39;s wrong.</title>
      <para><emphasis role="bold">Answer</emphasis>: Most likely, you need to
      set CLAMPMSS=Yes in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
    </section>
    <section id="faq35">
      <title>(FAQ 35) I have two Ethernet interfaces to my local network which
      I have bridged. When Shorewall is started, I&#39;m unable to pass
      traffic through the bridge. I have defined the bridge interface (br0) as
      the local interface in /etc/shorewall/interfaces; the bridged Ethernet
      interfaces are not defined to Shorewall. How do I tell Shorewall to
      allow traffic through the bridge?</title>
      <para>Answer: Add the <firstterm>routeback</firstterm> option to
      <filename class="devicefile">br0</filename> in <ulink
      url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
    </section>
  </section>
  <section>
@ -576,7 +598,7 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
 <ulink url="http://gege.org/iptables">http://gege.org/iptables</ulink>
 <ulink url="http://home.regit.org/ulogd-php.html">http://home.regit.org/ulogd-php.html</ulink></literallayout>
-        <para>I personnaly use Logwatch. It emails me a report each day from
+        <para>I personally use Logwatch. It emails me a report each day from
        my various systems with each report summarizing the logged activity on
        the corresponding system.</para>
      </section>
@ -1254,6 +1276,15 @@ Creating input Chains...
      after that will be ignored. Check <quote>man iptables</quote> and look
      at the -I (--insert) command.</para>
    </section>
    <section id="faq34">
      <title>(FAQ 34) How can I speed up start (restart)?</title>
      <para>Using a light-weight shell such as <command>ash</command> can
      dramatically decrease the time required to <emphasis role="bold">start</emphasis>
      or <emphasis role="bold">restart</emphasis> Shorewall. See the
      SHOREWALL_SHELL variable in <ulink url="Documentation.htm#Conf"><filename>shorewall.conf</filename></ulink>.</para>
    </section>
  </section>
  <section>
@ -1542,19 +1573,19 @@ iptables: Invalid argument
    <section id="faq28">
      <title>(FAQ 28) How do I use Shorewall as a Bridging Firewall?</title>
-      <para>Basically, you don&#39;t. While there are kernel patches that
+      <para>Experimental Shorewall Bridging Firewall support is available —
-      allow you to route bridge traffic through Netfilter, the environment is
+      <ulink url="2.0/bridge.html">check here for details</ulink>.</para>
      so different from the Layer 3 firewalling environment that very little
      of Shorewall works. In fact, so much of Shorewall doesn&#39;t work that
      my official position is that <quote>Shorewall doesn&#39;t work with
      Layer 2 Bridging</quote>.</para>
    </section>
  </section>
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
+    <para><revhistory><revision><revnumber>1.19</revnumber><date>2004-03-05</date><authorinitials>TE</authorinitials><revremark>Added
    link to Bridge.</revremark></revision><revision><revnumber>1.18</revnumber><date>2004-02-27</date><authorinitials>TE</authorinitials><revremark>Added
    FAQ 35.</revremark></revision><revision><revnumber>1.17</revnumber><date>2004-02-15</date><authorinitials>TE</authorinitials><revremark>Added
    FAQ 34.</revremark></revision><revision><revnumber>1.16</revnumber><date>2004-02-11</date><authorinitials>TE</authorinitials><revremark>Added
    FAQ 33.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
    FAQ 32 to mention masquerading. Remove tables.</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
    FAQ 27a regarding kernel/iptables incompatibility.</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
    a note about the <emphasis role="bold">detectnets</emphasis> interface
--- a/Shorewall-docs/IPSEC.xml
+++ b/Shorewall-docs/IPSEC.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-22</pubdate>
+    <pubdate>2004-03-20</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -52,24 +52,9 @@
    configuring FreeS/Wan.</para>
    <warning>
-      <para>Do not use Proxy ARP and FreeS/Wan on the same system unless you
+      <para>IPSEC and Proxy ARP don&#39;t work well together unless you have
-      are prepared to suffer the consequences. If you start or restart
+      Shorewall version 1.4.10 with the approriate <ulink url="errata.htm">Errata</ulink>
-      Shorewall with an IPSEC tunnel active, the proxied IP addresses are
+      fix applied or are running Shorewall 1.4.10e or later.</para>
      mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
      the interface that you specify in the INTERFACE column of
      /etc/shorewall/proxyarp. I haven&#39;t had the time to debug this
      problem so I can&#39;t say if it is a bug in the Kernel or in FreeS/Wan.</para>
      <para>You <emphasis role="bold">might</emphasis> be able to work around
      this problem using the following (I haven&#39;t tried it):</para>
      <para>In /etc/shorewall/init, include:</para>
      <programlisting>qt service ipsec stop</programlisting>
      <para>In /etc/shorewall/start, include:</para>
      <programlisting>qt service ipsec start</programlisting>
    </warning>
    <important>
--- a/Shorewall-docs/Install.xml
+++ b/Shorewall-docs/Install.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2003-04-08</pubdate>
+    <pubdate>2004-03-01</pubdate>
    <copyright>
      <year>2001</year>
@ -24,6 +24,8 @@
      <year>2003</year>
      <year>2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -37,21 +39,16 @@
    </legalnotice>
  </articleinfo>
  <important>
    <para>Before upgrading, be sure to review the <ulink
    url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
  </important>
  <important>
    <para>Before attempting installation, I strongly urge you to read and
    print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
    QuickStart</ulink> Guide for the configuration that most closely matches
    your own.</para>
  </important>
  <section id="Install_RPM">
    <title>Install using RPM</title>
    <important>
      <para>Before attempting installation, I strongly urge you to read and
      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
      QuickStart</ulink> Guide for the configuration that most closely matches
      your own.</para>
    </important>
    <para>To install Shorewall using the RPM:</para>
    <warning>
@ -117,6 +114,13 @@
  <section id="Install_Tarball">
    <title>Install using tarball</title>
    <important>
      <para>Before attempting installation, I strongly urge you to read and
      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
      QuickStart</ulink> Guide for the configuration that most closely matches
      your own.</para>
    </important>
    <para>To install Shorewall using the tarball and install script:</para>
    <orderedlist>
@ -186,6 +190,13 @@
  <section id="LRP">
    <title>Install the .lrp</title>
    <important>
      <para>Before attempting installation, I strongly urge you to read and
      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
      QuickStart</ulink> Guide for the configuration that most closely matches
      your own.</para>
    </important>
    <para>To install my version of Shorewall on a fresh Bering disk, simply
    replace the <quote>shorwall.lrp</quote> file on the image with the file
    that you downloaded. See the <ulink url="two-interface.htm">two-interface
@ -195,6 +206,11 @@
  <section id="Upgrade_RPM">
    <title>Upgrade using RPM</title>
    <important>
      <para>Before upgrading, be sure to review the <ulink
      url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
    </important>
    <para>If you already have the Shorewall RPM installed and are upgrading to
    a new version:</para>
@ -264,6 +280,11 @@
  <section id="Upgrade_Tarball">
    <title>Upgrade using tarball</title>
    <important>
      <para>Before upgrading, be sure to review the <ulink
      url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
    </important>
    <para>If you already have Shorewall installed and are upgrading to a new
    version using the tarball:</para>
@ -348,6 +369,11 @@
  <section id="LRP_Upgrade">
    <title>Upgrade the .lrp</title>
    <important>
      <para>Before upgrading, be sure to review the <ulink
      url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
    </important>
    <para>If you already have a running Bering installation and wish to
    upgrade to a later version of Shorewall:</para>
--- a/Shorewall-docs/Shorewall_Doesnt.xml
+++ b/Shorewall-docs/Shorewall_Doesnt.xml
@ -13,11 +13,13 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2003-10-07</pubdate>
+    <pubdate>2004-03-05</pubdate>
    <copyright>
      <year>2003</year>
      <year>2004</year>
      <holder>Thomas M Eastep</holder>
    </copyright>
@ -36,7 +38,9 @@
    <itemizedlist>
      <listitem>
-        <para>Be used to filter traffic through a Layer 2 Bridge</para>
+        <para>Be used to filter traffic through a Layer 2 Bridge (although
        experimental Shorewall Bridge code is available — check <ulink
        url="2.0/bridge.html">here</ulink> for details).</para>
      </listitem>
      <listitem>
--- a/Shorewall-docs/Shorewall_Squid_Usage.xml
+++ b/Shorewall-docs/Shorewall_Squid_Usage.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-04-19</pubdate>
    <copyright>
      <year>2003-2004</year>
@ -153,7 +153,7 @@ REDIRECT  loc        3228     tcp      www              -          !206.124.146.
          <para>In /etc/shorewall/init, put:</para>
          <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
-        ip rule add fwmark 202 table www.out
+        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 192.168.1.3 dev eth1 table www.out
        ip route flush cache
        echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
@ -232,7 +232,7 @@ chkconfig --level 35 iptables on</command></programlisting>
          <para>In /etc/shorewall/init, put:</para>
          <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
-        ip rule add fwmark 202 table www.out
+        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 192.0.2.177 dev eth1 table www.out
        ip route flush cache
 fi</command></programlisting>
--- a/Shorewall-docs/blacklisting_support.xml
+++ b/Shorewall-docs/blacklisting_support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-17</pubdate>
+    <pubdate>2004-02-17</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -57,7 +57,19 @@
      </listitem>
    </orderedlist>
-    <para>Only the source address is checked against the blacklists.</para>
+    <important>
      <para><emphasis role="bold">Only the source address is checked against
      the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
      connecting to you — they do not stop you or your users from connecting
      to blacklisted hosts .</para>
    </important>
    <important>
      <para><emphasis role="bold">Neither form of Shorewall blacklisting is
      appropriate for blacklisting 1,000s of different addresses</emphasis>.
      The blacklists will take forever to load and will have a very negative
      effect on firewall performance.</para>
    </important>
  </section>
  <section>
--- a/Shorewall-docs/configuration_file_basics.xml
+++ b/Shorewall-docs/configuration_file_basics.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-05</pubdate>
+    <pubdate>2004-02-20</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -383,7 +383,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    numbers separated by colons.</para>
    <example>
-      <title>MAC Address of a NIC</title>
+      <title>MAC Address of an Ethernet Controller</title>
      <programlisting> &#x00A0;&#x00A0;&#x00A0;&#x00A0; [root@gateway root]# <command>ifconfig eth0</command>
 &#x00A0;&#x00A0;&#x00A0;&#x00A0; eth0 Link encap:Ethernet HWaddr <emphasis
@ -402,7 +402,7 @@ role="bold">02:00:08:E3:FA:55</emphasis>
    Shorewall requires MAC addresses to be written in another way. In
    Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
    of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
-    the example above would be written <quote>~02-00-08-E3-FA-55</quote>.</para>
+    the example above would be written <emphasis role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
    <note>
      <para>It is not necessary to use the special Shorewall notation in the
--- a/Shorewall-docs/errata.xml
+++ b/Shorewall-docs/errata.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-04-16</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -86,12 +86,55 @@
          <para>The <emphasis role="bold">maclist</emphasis> interface option
          previously wasn&#39;t available on Atheros WiFi cards.</para>
        </listitem>
        <listitem>
          <para>In the /etc/shorewall/masq entry <quote>eth0:!10.1.1.150
          &#x00A0; &#x00A0;0.0.0.0/0!10.1.0.0/16 &#x00A0; &#x00A0; 10.1.2.16</quote>,
          the <quote>!10.1.0.0/16</quote> is ignored.</para>
        </listitem>
        <listitem>
          <para>A startup error occurs if an entry in the tcrules file has an
          empty USER/GROUP column.</para>
        </listitem>
        <listitem>
          <para>Specifying multiple excluded source zones in a REDIRECT or
          DNAT rule produces a startup error. Example of problem rule:<programlisting>#ACTION     SOURCE         DEST             PROTO      DEST PORT(S)
 DNAT        z1!z2,z3       z4:192.168.4.5   tcp        22</programlisting></para>
        </listitem>
        <listitem>
          <para>When using an Action in the ACTIONS column of a rule, you may
          receive a warning message about the rule being a policy. While this
          warning may be safely ignored, it may be eliminated by installing
          the updated script linked below.</para>
        </listitem>
        <listitem>
          <para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
          and IPSEC has been corrected.</para>
        </listitem>
      </itemizedlist>
      <para>These problems have been corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
      <para>The first two problem corrections were included in Shorewall
      update 1.4.10a.</para>
      <para>The first three problem corrections were included in Shorewall
      update 1.4.10b.</para>
      <para>The first four problem corrections were included in Shorewall
      update 1.4.10c.</para>
      <para>The first six problem corrections were included in Shorewall
      update 1.4.10d.</para>
      <para>All problem corrections were included in Shorewall update 1.4.10e.</para>
    </section>
    <section>
@ -503,7 +546,11 @@ Aborted (core dumped)</programlisting>
  <appendix>
    <title>Revision History4</title>
-    <para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
+    <para><revhistory><revision><revnumber>1.9</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
    ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-03-04</date><authorinitials>TE</authorinitials><revremark>Multiple
    excluded zones problem..</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-15</date><authorinitials>TE</authorinitials><revremark>TCrules
    file problem..</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-09</date><authorinitials>TE</authorinitials><revremark>Masq
    file exclusion problem.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
    Problem</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
    address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
    template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
--- a/Shorewall-docs/images/network.png
+++ b/Shorewall-docs/images/network.png
--- a/Shorewall-docs/images/network.vdx
+++ b/Shorewall-docs/images/network.vdx
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='utf-8' ?>
-<?integrity app='Visio' version='10.0' buildnum='525' metric='0' key='3D330883D5BE4379276659B7B337FAEA68F7858049847BF4B73896BB87EE95E3C3BF4CD8EBD5807CEC8562DD2B8068195CBF86047C1AD8342F35E9CB454BE30A' keystart='261'  ?>
+<?integrity app='Visio' version='10.0' buildnum='525' metric='0' key='84600AB4CD69630D9AFF2AEF0195FFF9DC4D028D530F10CBC91B68E9842059260FCCC6173566192227FA36BC2287B555303536255BD184146EF63F63251341A6' keystart='261'  ?>
 <VisioDocument xmlns='urn:schemas-microsoft-com:office:visio'>
 <DocumentProperties>
@ -1249,8 +1249,8 @@ BAQP/////////////////////////////////////////////////////////////////////////
 /wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
 wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
-//////////////////////////////////////////////////wAAAP//////////////////////
+//////////////////////////////////////////////////wAAAP///7+/v////7+/v////7+/
-/////////////////////////////////////////////////////////////////////////////
+v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////
 ///////////////
 /////////////////////////////////////////////////////////////////////////////
 ////////wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wCfnwkoKA
@ -1261,9 +1261,9 @@ vzBAQP///////////////////////////////////////////////////////////////////////
 AAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wBAQAD
 //wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////wAAAP////////////////////
+////////////////////////////////////////////////////wAAAGBgYP///wAAAP///wAAAP
-/////////////////////////////////////////////////////////////////////////////
+///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wA
-/////////////////////////////////////////////////////////////////////////////
+AAP//////////////////////////////////////////////////////////////////////////
 /////////////////////////wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
 wD//wD//wB/fw5YWAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
@ -1273,8 +1273,8 @@ AD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//w
 AAAAD//wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////////
 /////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////wAAAP///
-/////////////////////////////////////////////////////////////////////////////
+wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
-/////////////////////////////////////////////////////////////////////////////
+///wAAAP///wAAAP/////////////////////////////////////////////////////////////
 //////////////////////////////////////////wAAAAD//wD//wD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wD//wD//wlgYACHhwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
 wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
@ -1307,8 +1307,8 @@ AQAD//wBAQAD//wBAQAD//wBAQAD//wBwcAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////////
 ///////////////
 /////////////////////////////////////////////////////0BAQP///0BAQP///0BAQP///
-0BAQP///0BAQP///0BAQP///////wAAAH9/f////39/f////39/f////39/f////39/f////39/f/
+0BAQP///0BAQP///0BAQP///////wAAAP////////////////////////////////////////////
-///39/f////39/f////39/f////39/f//////////////////////////////////////////////
+/////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 /wAAAAD//wD//wD//wCfnwD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAA
 AD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
@ -1318,8 +1318,8 @@ D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wC/vzBAQP/
 AD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
-/////////9zc3Hl5eZWVlf///////////////////////wAAAP///wAAAP///wAAAP///wAAAP///
+/////////9zc3Hl5eZWVlf///////////////////////wAAAP///////////////////////////
-wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP////////////////////////
+/////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 //////////////////wAAAAD//wD//wD//wD//wBAQAD//wBAQAD//wBAQAD//wBAQAD//wBAQAD/
 /wBAQAD//wBAQAD//wBAQAD//wBAQAD//wBAQAD//wBAQAD//wDPzwD//wD//wD//wD//wD//wD//
@ -1329,8 +1329,8 @@ D//wD//wC/vzBAQP/////////////////////////////////////////////////////////////
 /wD//wD//wCHhwD//wBAQAD//wBAQAD//wBAQAD//wBAQAD//wBwcAD//wD//wD//wD//wD//wD//
 wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////////////
 /////////////////////////////////////////////////////////////////////////////
-//////////////////////////3l5eTEzOVVVV25ucv///////////////////wAAAAAAAP///wAA
+//////////////////////////3l5eTEzOVVVV25ucv///////////////////wAAAP//////////
-AP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///////////
+/////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD
 //wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
@ -1384,22 +1384,22 @@ wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////////////////////////////////////
 wC/vzBAQP////////////////////////////////////////////////////////////////////
 ///////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD
 //wAAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAJqampCQkA8eHgDn5wD//wD//wD//wD/
-/wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////wAAA
+/wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////////wAAAP///wAAAP///wAAA
-P///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP////
+P///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///w
-///////////////////3d3d2Jmcd/h5ZSe0p6lzs3Nzc3NzUxRaWtsbv///////////////wAAAP/
+AAAP///wAAAP///////3d3d2Jmcd/h5ZSe0p6lzs3Nzc3NzUxRaWtsbv///////yAgIP///wAAAP/
-//wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP//////
+//wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAA
-/////////////////////////////////////////////////////////////////////////////
+AP///0BAQP///////////////////////////////////////////////////////////////////
 ////////////////////////////wAAAAD//wD//wD//wD//wD//wCoqAEEBAcNDQcNDQcNDQcNDQ
 cNDQcNDQcNDQcNDQcNDQcNDQcNDQcNDQcNDQcNDQcNDQcNDQYODgDKygD//wD//wD//wD//wD//wD
 //wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wC/vzBAQP///////////////////////////////////////////////////
 ////////////////////////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wAAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAJqampqamjM/PwC
-fnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////
+fnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////0BAQP//
-/////////0BAQP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAA
+/wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAA
-P///wAAAP///39/f////////////////////3d3d2Jmcd/h5ayy0c3Nzc3NzY6Yz46Yz2ZmZm1ucf
+P///wAAAP///wAAAP///wAAAP///39/f////3d3d2Jmcd/h5ayy0c3Nzc3NzY6Yz46Yz2ZmZm1ucf
-///////0BAQP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP/
+///////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP/
-//wAAAP///39/f///////////////////////////////////////////////////////////////
+//wAAAP///wAAAP///wAAAP//////////////////////////////////////////////////////
 /////////////////////////////////////////////wAAAAD//wD//wD//wD//wD//wA/PyAgI
 JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkDQ7OxkoKADf3w
 D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
@ -1407,10 +1407,10 @@ D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
 /////////////////////////////////////////////////////////////////7+/vxBAQAD//
 wD//wD//wD//wD//wD//wD//wD//wD//wD//wAAAMDAwIODg6qqqsDAwMXFxcDAwMDAwMDAwMDAwA
 AAAJqampqamjM/PwCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wx
-gYJ+fn////////////////////////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v///
+gYJ+fn////////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v///
-/7+/v////7+/v////7+/v////7+/v////////////////////////3d3d2Jmcd/h5cTG0M3NzY6Yz
+/7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////////3d3d2Jmcd/h5cTG0M3NzY6Yz
-46Yz83Nzc3NzUxRaW1ucf///////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7
+46Yz83Nzc3NzUxRaW1uccfHx////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7
-+/v////7+/v////7+/v////7+/v//////////////////////////////////////////////////
+/v////7+/v////7+/v////7+/v////7+/v////8/Pz//////////////////////////////////
 //////////////////////////////////////////////////////////////wAAAACvrwD//wD/
 /wD//wD//wA/PyEhIWBgYGBgYLS0tMDAwMDAwMDAwMDAwMDAwMDAwMDAwJ2dnZiYmJiYmKKiopiYm
 JiYmEBMTIeHhxMz
@ -1567,9 +1567,9 @@ zBAQP////////////////////////////////////////////////////////////////////////
 ///////////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wA
 AADAwMCNLIwqRChwcHBwcHBMTEwcHBxUVFTAwMAAAAJqampqamjM/PwCfnwD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////
-////////7+/v0BAQP///////////////////////////////////////0BAQP///0BAQP///0BAQP
+////////7+/v0BAQP///////////////////////////////0BAQP///0BAQP///0BAQP///0BAQP
-///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQJubmyQkJI+PjzMzM////0BAQP/////
+///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQJubmyQkJI+PjzMzM////0BAQP///0B
-/////////////////////////////////////////////////////////////////////////////
+AQP//////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 ////////////////////////wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
@ -1579,9 +1579,9 @@ D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
 /////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
 wAAADAwMBEZEQAoAAAAAAAAAAAAAAICAg4ODjAwMAAAAJqampqamjM/PwCfnwD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////////////////////////
-//////////7+/v0BAQP///////////////////////////////////9/f3////wAAAP///wAAAP//
+//////////7+/v0BAQP///////////////////////////5+fn////wAAAP///wAAAP///wAAAP//
-/wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///2BgY
+/wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAA
-P////////////////////////////////////////////////////////////////////////////
+P///yAgIP////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 //////////////////////////wAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//
@ -1590,9 +1590,9 @@ D//wD//wD//wD//wC/vzBAQP/////////////////////////////////////////////////////
 //////////////////////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wAAADAwMC4uLgAAAAAAAAAAAAAAAAAAAB4eHjAwMAAAAJqampqamjM/PwCfn
 wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////
-///////////////////////////7+/v0BAQP///////////////////////////////////////0B
+///////////////////////////7+/v0BAQP///////////////////////////////0BAQP///0B
 AQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP///0BAQP//
-/0BAQP///0BAQP///////////////////////////////////////////////////////////////
+/0BAQP///0BAQP///0BAQP///////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////wAAAAD//wD//wD//wD//wD//wD//wD//wD
 //wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
@ -1613,8 +1613,8 @@ fwB/fwB/fwB/fwB/fwB/fwB/fwB/fwB/fwB/fwB/fwB/fwB/fwBgYDBAQP///////////////////
 ///7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wAAADAwMB83HwjPCC4uLhISEgs
 LCwMDAwoKCjAwMAAAAJqampqamjM/PwCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wxgYJ+fn////////////////////////////////////////7+/v0BAQP///////
-////////////////////////////////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
+////////////////////////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
-///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP/////////////////////////////
+///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP/////////////////////
 /////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 6+vr39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f3
@ -1624,8 +1624,8 @@ LCwMDAwoKCjAwMAAAAJqampqamjM/PwCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/
 ////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wAAADAwMC
 kpKQAAAAAAAAAAAAAAAAAAABgYGDAwMAAAAJqampqamjM/PwCfnwD//wD//wD//wD//wD//wD//wD
 //wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////////////////////////////////
-/7+/v0BAQP///////////////////////////////////9/f3////wAAAP///wAAAP///wAAAP///
+/7+/v0BAQP///////////////////////////5+fn////wAAAP///wAAAP///wAAAP///wAAAP///
-wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///2BgYP////////
+wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///yAgIP
 /////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 /////////////////////////////////////////////////////////////////////////////
@ -1636,8 +1636,8 @@ wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///2BgYP////////
 //////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wAAAFRU
 VAAAAAAAAAAAAAAAAAAAAAAAAAAAAFRUVAAAAJqampqamjM/PwCfnwD//wD//wD//wD//wD//wD//
 wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn/////////////////////////////////////
-///7+/v0BAQP///////////////////////////////////////39/f////39/f////39/f////39
+///7+/v0BAQP///////////////////////////////39/f////39/f////39/f////39/f////39
-/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f///////////
+/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f///
 /////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////8/PzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@ -1659,8 +1659,8 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
 D//wD//wD//wD//wD//wD//wD//wCTkwMGBm9vb4GBgYGBgYGBgYGBgYGBgYGBgYGBgYqKimh3d5q
 amjM/PwCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///
 /////////////////////////////////////7+/v0BAQP///////////////////////////////
-////////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
+wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
-///wAAAP///wAAAP///wAAAP/////////////////////////////////////////////////////
+///wAAAP///wAAAP///wAAAP///wAAAP/////////////////////////////////////////////
 //////////////////////////////////////////////////////////////////7+/vxAQQAAA
 /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
 wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
@ -1670,8 +1670,8 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP//////////////////////////
 xBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wCoqAkPD8rKyubm5ubm5ubm5ubm5u
 bm5ubm5ubm5ru7u2h3dzM+PgCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
 //wD//wxgYJ+fn////////////////////////////////////////7+/v0BAQP//////////////
-/////////////////////9/f3////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
+/////////////5+fn////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
-wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///2BgYP////////////////////////////////
+wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///yAgIP////////////////////////
 /////////////////////////////////////////////////////////////////////////////
 //////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA3wAA/wAAfwAA/wAAfwAA
 /wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAf
@ -1681,8 +1681,8 @@ AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP/////////
 /////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wCoqAkPD
 zk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OSQkJBATEwCVlQD//wD//wD//wD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////////7+/v0B
-AQP///////////////////////////////////////7+/v////7+/v////7+/v////7+/v////7+/
+AQP///////////////////////////////7+/v////7+/v////7+/v////7+/v////7+/v////7+/
-v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////////////////////
+v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////////////
 ///////////////
 /////////////////////////////////////////////////////////////////////////////
 ////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAAAAAA/w
@ -1693,8 +1693,8 @@ A/wAAAAAA/wAA3wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
 ///////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wC
 oqAA/PwA/PwA/PwA/PwA/PwA/PwA/PwA/PwA/PwA/PwDg4AD//wD//wD//wD//wD//wD//wD//wD/
 /wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////////7+/v
-0BAQP////////////////////////////////////f39////7+/v////7+/v////7+/v////7+/v/
+0BAQP///////////////////////////+fn5////7+/v////7+/v////7+/v////7+/v////7+/v/
-///7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////9fX1//////////////
+///7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////8fHx//////
 /////////////////////////////////////////////////////////////////////////////
 /////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAv
 wAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/w
@ -1704,9 +1704,9 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
 ////////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
 //wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////////////////////
-/////////////7+/v0BAQP///////////////////////////////////////wAAAP///wAAAP///
+/////////////7+/v0BAQP///////////////////////////////wAAAP///wAAAP///wAAAP///
 wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
-/////////////////////////////////////////////////////////////////////////////
+///wAAAP/////////////////////////////////////////////////////////////////////
 //////////////////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA
 /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
 wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
@ -1715,9 +1715,9 @@ A/wAA/wAA/wAA/wAA/wAAvzAwQP//////////////////////////////////////////////////
 /////////////////////////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//
 wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
 D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////
-//////////////////////////////7+/v0BAQP///////////////////////////////////9/f
+//////////////////////////////7+/v0BAQP///////////////////////////5+fn////wAA
-3////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
+AP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
-wAAAP///wAAAP///2BgYP////////////////////////////////////////////////////////
+wAAAP///wAAAP///wAAAP///yAgIP////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////7+/vxAQQAAA/wAA/wA
 A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAxwAA/wAAvwAA/wAAvwAA/wAAvwAA
 /wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
@ -3206,8 +3206,8 @@ f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f
 /////////////////////////////////////////////////////////////////////////////
 /////////////w4AAAAUAAAAAAAAABAAAAAUAAAA</PreviewPicture>
 <TimeCreated>2002-08-11T08:58:32</TimeCreated>
-<TimeSaved>2003-12-29T07:34:23</TimeSaved>
+<TimeSaved>2004-02-13T16:20:19</TimeSaved>
-<TimeEdited>2003-12-29T07:34:13</TimeEdited>
+<TimeEdited>2004-02-13T16:11:36</TimeEdited>
 <TimePrinted>2002-08-11T08:58:32</TimePrinted>
 </DocumentProperties>
 <DocumentSettings TopPage='0' DefaultTextStyle='3' DefaultLineStyle='3' DefaultFillStyle='3' DefaultGuideStyle='4'>
@ -40781,7 +40781,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
 </Master>
 </Masters>
 <Pages>
-<Page ID='0' NameU='Page-1' ViewScale='1' ViewCenterX='35.9' ViewCenterY='27.65'>
+<Page ID='0' NameU='Page-1' ViewScale='1' ViewCenterX='35.9' ViewCenterY='91.65'>
 <PageSheet LineStyle='0' FillStyle='0' TextStyle='0'>
 <PageProps>
 <PageWidth Unit='IN'>85</PageWidth>
@ -40990,10 +40990,10 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
 <Y F='Height*0'>0</Y>
 </LineTo>
 </Geom>
-<Text><cp IX='0'/>206.124.146.176
+<Text><cp IX='0'/>206.124.146.176/24
-206.124.146.178
+206.124.146.178/24
-206.124.146.179
+206.124.146.179/24
-206.124.146.180</Text>
+206.124.146.180/24</Text>
 </Shape>
 <Shape ID='74' Type='Shape' LineStyle='3' FillStyle='3' TextStyle='3'>
 <XForm>
@ -41731,8 +41731,8 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
 </Shape>
 <Shape ID='31' Type='Shape' LineStyle='1' FillStyle='1' TextStyle='3'>
 <XForm>
-<PinX>44</PinX>
+<PinX>45.1</PinX>
-<PinY>45</PinY>
+<PinY>43.1</PinY>
 <Width>15</Width>
 <Height>3</Height>
 <LocPinX F='Width*0.5'>7.5</LocPinX>
@ -41791,11 +41791,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
 <Y F='Height*0'>0</Y>
 </LineTo>
 </Geom>
-<Text><cp IX='0'/>192.168.1.254</Text>
+<Text><cp IX='0'/>192.168.1.254/24</Text>
 </Shape>
 <Shape ID='33' Type='Shape' LineStyle='1' FillStyle='1' TextStyle='3'>
 <XForm>
-<PinX>45</PinX>
+<PinX>45.4</PinX>
 <PinY>47.5</PinY>
 <Width>14</Width>
 <Height>3</Height>
@ -41855,7 +41855,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
 <Y F='Height*0'>0</Y>
 </LineTo>
 </Geom>
-<Text><cp IX='0'/>192.168.3.254</Text>
+<Text><cp IX='0'/>192.168.3.254/24</Text>
 </Shape>
 <Shape ID='34' Type='Shape' LineStyle='1' FillStyle='1' TextStyle='3'>
 <XForm>
@ -41936,7 +41936,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
 <Y F='Height*0'>0</Y>
 </LineTo>
 </Geom>
-<Text><cp IX='0'/>192.168.2.254</Text>
+<Text><cp IX='0'/>206.124.146.176/32</Text>
 </Shape>
 <Shape ID='44' NameU='Comm-link' Type='Shape' Master='12'>
 <XForm>
@ -71384,7 +71384,7 @@ www.xxx.yyy.zzz/
 </Page>
 </Pages>
 <Windows ClientWidth='1280' ClientHeight='850'>
-<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1' ViewCenterX='35.9' ViewCenterY='27.65'>
+<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1' ViewCenterX='35.9' ViewCenterY='91.65'>
 <ShowRulers>1</ShowRulers>
 <ShowGrid>1</ShowGrid>
 <ShowPageBreaks>0</ShowPageBreaks>
--- a/Shorewall-docs/myfiles.xml
+++ b/Shorewall-docs/myfiles.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-20</pubdate>
+    <pubdate>2004-02-13</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -51,10 +51,11 @@
    </caution>
    <para>I have DSL service and have 5 static IP addresses
-    (206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
+    (206.124.146.176-180/24). My DSL <quote>modem</quote> (Fujitsu Speedport)
-    connected to eth0. I have a local network connected to eth2 (subnet
+    is connected to eth0. I have a local network connected to eth2 (subnet
-    192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
+    192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/24) and a
-    network connected to eth3 (192.168.3.0/24).</para>
+    Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
    address of eth1 is a duplicate of one on eth0.</para>
    <para>I use:</para>
@ -202,7 +203,7 @@ tx      Texas           Peer Network in Dallas
        <programlisting>#ZONE   INERFACE        BROADCAST       OPTIONS
 net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
 loc     eth2            192.168.1.255   dhcp
-dmz     eth1            192.168.2.255
+dmz     eth1            -
 WiFi    eth3            192.168.3.255   dhcp,maclist
 -       texas           192.168.9.255
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -453,33 +454,11 @@ ACCEPT          dmz                             fw                      tcp
 ACCEPT          dmz                             fw                      udp     snmp
 REJECT          dmz                             fw                      tcp     auth
 ###############################################################################################################################################################################
 # DMZ to Internet
 #
 ACCEPT          dmz                             net                     tcp     smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
 ACCEPT          dmz                             net                     udp     domain
 ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
 #ACCEPT         dmz                             net:206.191.151.2       tcp     pop3
 #ACCEPT         dmz                             net:66.216.26.115       tcp     pop3
 #
 # Something is wrong with the FTP connection tracking code or there is some client out there
 # that is sending a PORT command which that code doesn&#39;t understand. Either way,
 # the following works around the problem.
 #
 ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
 ###############################################################################################################################################################################
 # DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
 #
 ACCEPT          dmz                             fw                      udp     ntp                                     ntp
 ACCEPT          dmz                             fw                      tcp     snmp,ssh
 ACCEPT          dmz                             fw                      udp     snmp
 REJECT          dmz                             fw                      tcp     auth
 ###############################################################################################################################################################################
 #
 # DMZ to Local Network
 #
 ACCEPT          dmz                             loc                     tcp     smtp,6001:6010
-ACCEPT          dmz                             loc                     tcp     111
+ACCEPT          dmz:206.124.146.177             loc:192.168.1.3         tcp     111
-ACCEPT          dmz                             loc                     udp
+ACCEPT          dmz:206.124.146.177             loc:192.168.1.3         udp#
 ###############################################################################################################################################################################
 # Internet to Firewall
 #
@ -555,10 +534,9 @@ ACCEPT          all                             all                     icmp
        <programlisting>...
 auto eth1
 iface eth1 inet static
-        address 192.168.2.1
+        address 206.124.146.176
-        netmask 255.255.255.0
+        netmask 255.255.255.266
-        network 192.168.2.0
+        broadcast 0.0.0.0
        broadcast 192.168.2.255
        <emphasis role="bold">up ip route add 206.124.146.177 dev eth1
 </emphasis>...</programlisting>
      </blockquote>
--- a/Shorewall-docs/myfiles2.xml
+++ b/Shorewall-docs/myfiles2.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-08</pubdate>
+    <pubdate>2004-02-22</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -47,15 +47,16 @@
    <caution>
      <para>The configuration shown here corresponds to Shorewall version
-      2.0.0-Beta1. It may use features not available in earlier Shorewall
+      2.0.0-Beta2. It may use features not available in earlier Shorewall
      releases.</para>
    </caution>
    <para>I have DSL service and have 5 static IP addresses
    (206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
    connected to eth0. I have a local network connected to eth2 (subnet
-    192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
+    192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/32) and a
-    network connected to eth3 (192.168.3.0/24).</para>
+    Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
    address of eth1 is a duplicate of one on eth0.</para>
    <para>I use:</para>
@ -204,7 +205,7 @@ tx      Texas           Peer Network in Dallas
        <programlisting>#ZONE   INERFACE        BROADCAST       OPTIONS
 net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
 loc     eth2            192.168.1.255   dhcp,detectnets
-dmz     eth1            192.168.2.255
+dmz     eth1            -
 WiFi    eth3            192.168.3.255   dhcp,maclist,detectnets
 -       texas           192.168.9.255
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -261,6 +262,7 @@ eth3            192.168.3.0/24
        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
 0.0.0.0/0               udp             1434
 0.0.0.0/0               tcp             1433
 0.0.0.0/0               tcp             3127
 0.0.0.0/0               tcp             8081
 0.0.0.0/0               tcp             57
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -292,7 +294,7 @@ all             all             REJECT          $LOG                      # Reje
      <blockquote>
        <para>Although most of our internal systems use one-to-one NAT, my
        wife&#39;s system (192.168.1.4) uses IP Masquerading (actually SNAT)
-        as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
+        as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
        visitors with laptops.</para>
        <programlisting>#INTERFACE              SUBNET          ADDRESS
@ -346,18 +348,7 @@ gre                     net     $TEXAS
      <blockquote>
        <programlisting>#ACTION
 DropSMB             #Silently Drops Microsoft SMB Traffic
 RejectSMB           #Silently Reject Microsoft SMB Traffic
 DropUPnP            #Silently Drop UPnP Probes
 RejectAuth          #Silently Reject Auth
 DropPing            #Silently Drop Ping
 DropDNSrep          #Silently Drop DNS Replies
 AllowPing           #Accept Ping
 Mirrors             #Accept traffic from the Shorewall Mirror sites
 MyDrop:DROP         #My DROP common action
 MyReject:REJECT     #My REJECT common action
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>
@ -378,11 +369,11 @@ ACCEPT   $MIRRORS
    </section>
    <section>
-      <title>action.MyDrop</title>
+      <title>/etc/shorewall/action.Drop</title>
      <blockquote>
        <para>This is my common action for the DROP policy. It is like the
-        standard <emphasis role="bold">Reject</emphasis> action except that it
+        standard <emphasis role="bold">Drop</emphasis> action except that it
        allows <quote>Ping</quote>.</para>
        <programlisting>#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
@ -398,12 +389,13 @@ DropDNSrep</programlisting>
    </section>
    <section>
-      <title>action.MyReject</title>
+      <title>/etc/shorewall/action.Reject</title>
      <blockquote>
        <para>This is my common action for the REJECT policy. It is like the
-        standard <emphasis role="bold">Drop</emphasis> action except that it
+        standard <emphasis role="bold">Reject</emphasis> action except that it
-        allows <quote>Ping</quote>.</para>
+        allows <quote>Ping</quote> and contains one rule that guards against
        log flooding by broken software running in my local zone.</para>
        <programlisting>#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
 #                                         PORT(S)   PORT(S)     LIMIT        GROUP
@ -437,15 +429,12 @@ REJECT:$LOG     loc                             net                     tcp
 REJECT          loc                             net                     tcp     137,445
 REJECT          loc                             net                     udp     137:139
 #
 DROP            loc:!192.168.1.0/24             net
 QUEUE           loc                             net                     udp
 QUEUE           loc                             fw                      udp
 QUEUE           loc                             net                     tcp
 ###############################################################################################################################################################################
 # Local Network to Firewall
 #
 DROP            loc:!192.168.1.0/24             fw
 ACCEPT          loc                             fw                      tcp     ssh,time,10000,swat,137,139,445
 ACCEPT          loc                             fw                      udp     snmp,ntp,445
 ACCEPT          loc                             fw                      udp     137:139
@ -453,7 +442,6 @@ ACCEPT          loc                             fw                      udp
 ###############################################################################################################################################################################
 # Local Network to DMZ
 #
 DROP            loc:!192.168.1.0/24             dmz
 REJECT          loc                             dmz                     tcp     465
 ACCEPT          loc                             dmz                     udp     domain,xdmcp
 ACCEPT          loc                             dmz                     tcp     www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3       -
@ -509,33 +497,11 @@ ACCEPT          dmz                             fw                      tcp
 ACCEPT          dmz                             fw                      udp     snmp
 REJECT          dmz                             fw                      tcp     auth
 ###############################################################################################################################################################################
 # DMZ to Internet
 #
 ACCEPT          dmz                             net                     tcp     smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
 ACCEPT          dmz                             net                     udp     domain
 ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
 #ACCEPT         dmz                             net:206.191.151.2       tcp     pop3
 #ACCEPT         dmz                             net:66.216.26.115       tcp     pop3
 #
 # Something is wrong with the FTP connection tracking code or there is some client out there
 # that is sending a PORT command which that code doesn&#39;t understand. Either way,
 # the following works around the problem.
 #
 ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
 ###############################################################################################################################################################################
 # DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
 #
 ACCEPT          dmz                             fw                      udp     ntp                                     ntp
 ACCEPT          dmz                             fw                      tcp     snmp,ssh
 ACCEPT          dmz                             fw                      udp     snmp
 REJECT          dmz                             fw                      tcp     auth
 ###############################################################################################################################################################################
 #
 # DMZ to Local Network
 #
 ACCEPT          dmz                             loc                     tcp     smtp,6001:6010
-ACCEPT          dmz                             loc                     tcp     111
+ACCEPT          dmz:206.124.146.177             loc:192.168.1.3         tcp     111
-ACCEPT          dmz                             loc                     udp
+ACCEPT          dmz:206.124.146.177             loc:192.168.1.3         udp
 ###############################################################################################################################################################################
 # Internet to Firewall
 #
@ -598,7 +564,7 @@ ACCEPT          all                             all                     icmp
      </blockquote>
    </section>
-    <section>
+    <section id="Interfaces">
      <title>/etc/network/interfaces</title>
      <blockquote>
@ -611,10 +577,9 @@ ACCEPT          all                             all                     icmp
        <programlisting>...
 auto eth1
 iface eth1 inet static
-        address 192.168.2.1
+        address 206.124.146.176
-        netmask 255.255.255.0
+        netmask 255.255.255.255
-        network 192.168.2.0
+        broadcast 0.0.0.0
        broadcast 192.168.2.255
        <emphasis role="bold">up ip route add 206.124.146.177 dev eth1
 </emphasis>...</programlisting>
      </blockquote>
--- a/Shorewall-docs/ports.xml
+++ b/Shorewall-docs/ports.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-05</pubdate>
+    <pubdate>2004-02-18</pubdate>
    <copyright>
      <year>2001-2002</year>
@ -118,15 +118,9 @@ ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62
  <section>
    <title>NFS</title>
-    <para>I personally use the following rules for opening access from zone z1
+    <programlisting>#ACTION    SOURCE                         DESTINATION      PROTO      DEST PORT(S)
-    to a server with IP address a.b.c.d in zone z2. I have found though that
+ACCEPT     <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62;  <emphasis>    &#60;z2&#62;</emphasis>:a.b.c.d     tcp        111
-    different distributions behave differently so your milage may vary.</para>
+ACCEPT     <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62;  <emphasis>    &#60;z2&#62;</emphasis>:a.b.c.d     udp</programlisting>
    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
 ACCEPT     <emphasis>&#60;z1&#62;</emphasis>  <emphasis>    &#60;z2&#62;</emphasis>:a.b.c.d     tcp        111
 ACCEPT     <emphasis>&#60;z1&#62;</emphasis>  <emphasis>    &#60;z2&#62;</emphasis>:a.b.c.d     udp        111
 ACCEPT     <emphasis>&#60;z1&#62;</emphasis>  <emphasis>    &#60;z2&#62;</emphasis>:a.b.c.d     udp        2049
 ACCEPT     <emphasis>&#60;z1&#62;</emphasis>  <emphasis>    &#60;z2&#62;</emphasis>:a.b.c.d     udp        32700:</programlisting>
  </section>
  <section>
@ -136,6 +130,14 @@ ACCEPT     <emphasis>&#60;z1&#62;</emphasis>  <emphasis>    &#60;z2&#62;</emphas
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        123</programlisting>
  </section>
  <section>
    <title><trademark>PCAnywhere</trademark></title>
    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        5632
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        5631</programlisting>
  </section>
  <section>
    <title>Pop3</title>
@ -255,7 +257,9 @@ ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
+    <para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-12</date><authorinitials>TE</authorinitials><revremark>Make
    NFS work for everyone</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-12</date><authorinitials>TE</authorinitials><revremark>Added
    PCAnywhere</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
    information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
    ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
    rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
--- a/Shorewall-docs/support.xml
+++ b/Shorewall-docs/support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-01</pubdate>
+    <pubdate>2004-02-19</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -121,6 +121,12 @@
        questions but we can&#39;t do your job for you.</para>
      </listitem>
      <listitem>
        <para>Please do NOT include the output of <command>iptables -L</command>
        — the output of <emphasis role="bold">shorewall show</emphasis> or
        <command>shorewall status</command> is much more useful.</para>
      </listitem>
      <listitem>
        <para>When reporting a problem, <emphasis role="bold">ALWAYS</emphasis>
        include this information:</para>
@ -296,7 +302,8 @@
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
+    <para><revhistory><revision><revnumber>1.3</revnumber><date>2003-02-19</date><authorinitials>TE</authorinitials><revremark>Admonish
    against including &#34;iptables -L&#34; output.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
    .GIF and moved note about unsupported releases. Move Revision History to
    this Appendix.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-19</date><authorinitials>TE</authorinitials><revremark>Corrected
    URL for Newbies List</revremark></revision></revhistory></para>
--- a/Shorewall-docs/three-interface.xml
+++ b/Shorewall-docs/three-interface.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-12-05</pubdate>
+    <pubdate>2004-02-12</pubdate>
    <copyright>
      <year>2002</year>
@ -530,6 +530,10 @@ fw         net         ACCEPT</programlisting>
    <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
    and change it to match your configuration.</para>
    <para>If, despite all advice to the contrary, you are using this guide and
    want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry for
    eth2 from <filename>/etc/shorewall/masq</filename>.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>If your external IP is static, you can enter it in the third column
--- a/Shorewall-docs/traffic_shaping.xml
+++ b/Shorewall-docs/traffic_shaping.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-21</pubdate>
+    <pubdate>2004-02-11</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -46,8 +46,7 @@
    <itemizedlist>
      <listitem>
        <para>A new <emphasis role="bold">TC_ENABLED</emphasis> parameter in
-        /etc/shorewall.conf. Traffic Shaping also requires that you enable
+        /etc/shorewall.conf.</para>
        packet mangling.</para>
      </listitem>
      <listitem>
@ -229,12 +228,11 @@
        column may only be non-empty if the SOURCE is the firewall itself.
        When this column is non-empty, the rule applies only if the program
        generating the output is running under the effective user and/or
-        group. It may contain : </para>
+        group. It may contain :</para>
-        <para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]
+        <para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]</para>
        </para>
-        <para>The colon is optionnal when specifying only a user. </para>
+        <para>The colon is optionnal when specifying only a user.</para>
        <para>Examples : john: / john / :users / john:users</para>
      </listitem>
@ -247,63 +245,11 @@
      arriving on eth2 and eth3 should be marked with 2. All packets
      originating on the firewall itself should be marked with 3.</para>
-      <informaltable>
+      <programlisting>#MARK   SOURCE    DESTINATION    PROTOCOL   USER/GROUP
-        <tgroup cols="4">
+1       eth1      0.0.0.0/0      all
-          <thead>
+2       eth2      0.0.0.0/0      all
-            <row>
+2       eth3      0.0.0.0/0      all
-              <entry align="center">MARK</entry>
+3       fw        0.0.0.0/0      all</programlisting>
              <entry align="center">SOURCE</entry>
              <entry align="center">DESTINATION</entry>
              <entry align="center">PROTOCOL</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry>1</entry>
              <entry>eth1</entry>
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
            </row>
            <row>
              <entry>2</entry>
              <entry>eth2</entry>
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
            </row>
            <row>
              <entry>2</entry>
              <entry>eth3</entry>
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
            </row>
            <row>
              <entry>3</entry>
              <entry>fw</entry>
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
            </row>
          </tbody>
        </tgroup>
      </informaltable>
    </example>
    <example>
@ -312,33 +258,8 @@
      <para>All GRE (protocol 47) packets not originating on the firewall and
      destined for 155.186.235.151 should be marked with 12.</para>
-      <informaltable>
+      <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   USER/GROUP
-        <tgroup cols="4">
+12      0.0.0.0/0 155.182.235.151 47</programlisting>
          <thead>
            <row>
              <entry align="center">MARK</entry>
              <entry align="center">SOURCE</entry>
              <entry align="center">DESTINATION</entry>
              <entry align="center">PROTOCOL</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry>12</entry>
              <entry>0.0.0.0/0</entry>
              <entry>155.186.235.151</entry>
              <entry>47</entry>
            </row>
          </tbody>
        </tgroup>
      </informaltable>
    </example>
    <example>
@ -347,37 +268,8 @@
      <para>All SSH packets originating in 192.168.1.0/24 and destined for
      155.186.235.151 should be marked with 22.</para>
-      <informaltable>
+      <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   USER/GROUP
-        <tgroup cols="5">
+22      192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
          <thead>
            <row>
              <entry align="center">MARK</entry>
              <entry align="center">SOURCE</entry>
              <entry align="center">DESTINATION</entry>
              <entry align="center">PROTOCOL</entry>
              <entry align="center">PORT(S)</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry>22</entry>
              <entry>192.168.1.0/24</entry>
              <entry>155.186.235.151</entry>
              <entry>tcp</entry>
              <entry>22</entry>
            </row>
          </tbody>
        </tgroup>
      </informaltable>
    </example>
  </section>
--- a/Shorewall-docs/troubleshoot.xml
+++ b/Shorewall-docs/troubleshoot.xml
@ -13,7 +13,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2004-01-06</pubdate>
+    <pubdate>2004-02-02</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -119,6 +119,50 @@ iptables: No chain/target/match by that name
    </example>
  </section>
  <section>
    <title>Some Things to Keep in Mind</title>
    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">You cannot test your firewall from the
        inside</emphasis>. Just because you send requests to your firewall
        external IP address does not mean that the request will be associated
        with the external interface or the <quote>net</quote> zone. Any
        traffic that you generate from the local network will be associated
        with your local interface and will be treated as loc-&#62;fw traffic.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">IP addresses are properties of systems,
        not of interfaces</emphasis>. It is a mistake to believe that your
        firewall is able to forward packets just because you can ping the IP
        address of all of the firewall&#39;s interfaces from the local
        network. The only conclusion you can draw from such pinging success is
        that the link between the local system and the firewall works and that
        you probably have the local system&#39;s default gateway set
        correctly.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Reply packets do NOT automatically follow
        the reverse path of the one taken by the original request</emphasis>.
        All packets are routed according to the routing table of the host at
        each step of the way. This issue commonly comes up when people install
        a Shorewall firewall parallel to an existing gateway and try to use
        DNAT through Shorewall without changing the default gateway of the
        system receiving the forwarded requests. Requests come in through the
        Shorewall firewall where the destination IP address gets rewritten but
        replies go out unmodified through the old gateway.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall itself has no notion of inside
        or outside</emphasis>. These concepts are embodied in how Shorewall is
        configured. </para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>Your Network Environment</title>
@ -355,7 +399,8 @@ DROP      net              fw                  icmp    echo-request</programlist
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
+    <para><revhistory><revision><revnumber>1.7</revnumber><date>2005-02-02</date><authorinitials>TE</authorinitials><revremark>Add
    hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
    pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
    information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
    Docbook Conversion</revremark></revision></revhistory></para>
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@ -17,7 +17,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-06-11</pubdate>
+    <pubdate>2004-06-18</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -58,9 +58,9 @@
      class="directory">/etc/shorewall</filename> and modify the copies.</para>
      <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
-      and /usr/share/doc/shorewall/default-config/modules to <filename
+      and <filename>/usr/share/doc/shorewall/default-config/modules</filename>
-      class="directory">/etc/shorewall</filename> even if you do not modify
+      to <filename class="directory">/etc/shorewall</filename> even if you do
-      those files.</para>
+      not modify those files.</para>
    </section>
  </section>
@ -407,16 +407,17 @@ eth2             192.168.2.0/24</programlisting>
      following:</para>
      <blockquote>
-        <para>&#62; I know PoM -ng is going to address this issue, but till it
+        <para><programlisting>&#62; I know PoM -ng is going to address this issue, but till it is ready, and
-        is ready, and &#62; all the extras are ported to it, is there any way
+&#62; all the extras are ported to it, is there any way to use the h.323
-        to use the h.323 &#62; contrack module kernel patch with a 2.6 kernel?
+&#62; contrack module kernel patch with a 2.6 kernel?
-        &#62; Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade
+&#62; Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not
-        is not &#62; an option... The module is not ported yet to 2.6, sorry.
+&#62; an option... The module is not ported yet to 2.6, sorry.
-        &#62; Do I have any options besides a gatekeeper app (does not work in
+&#62; Do I have any options besides a gatekeeper app (does not work in my
-        my &#62; network) or a proxy (would prefer to avoid them)? I suggest
+&#62; network) or a proxy (would prefer to avoid them)?
-        everyone to setup a proxy (gatekeeper) instead: the module is really
+
-        dumb and does not deserve to exist at all. It was an excellent tool to
+I suggest everyone to setup a proxy (gatekeeper) instead: the module is
-        debug/develop the newnat interface.</para>
+really dumb and does not deserve to exist at all. It was an excellent tool
 to debug/develop the newnat interface.</programlisting></para>
      </blockquote>
      <para>Look <ulink url="http://linux-igd.sourceforge.net">here</ulink>
@ -1734,7 +1735,8 @@ iptables: Invalid argument
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
+    <para><revhistory><revision><revnumber>1.27</revnumber><date>2004-06-18</date><authorinitials>TE</authorinitials><revremark>Correct
    formatting in H323 quote.</revremark></revision><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
    obsolete ping information.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Empty
    /etc/shorewall on Debian.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-08</date><authorinitials>TE</authorinitials><revremark>Update
    for Shorewall 2.0.2</revremark></revision><revision><revnumber>1.24</revnumber><date>2004-04-25</date><authorinitials>TE</authorinitials><revremark>Add
--- a/Shorewall2/fallback.sh
+++ b/Shorewall2/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=2.0.3-RC1
+VERSION=2.0.3-RC2
 usage() # $1 = exit status
 {
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.3-RC1
+VERSION=2.0.3-RC2
 usage() # $1 = exit status
 {
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
 %define version 2.0.3
-%define release 0RC1
+%define release 0RC2
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Sat Jun 19 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.2-0RC2
 * Tue Jun 15 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.2-0RC1
 * Mon Jun 14 2004 Tom Eastep tom@shorewall.net
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.3-RC1
+VERSION=2.0.3-RC2
 usage() # $1 = exit status
 {