Shoreawall 1.3.14 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-24 19:51:40 +02:00 · 2003-02-08 20:48:47 +00:00 · 2003-02-08 20:48:47 +00:00 · ed61406441
commit ed61406441
parent eca2b625e9
55 changed files with 13472 additions and 11942 deletions
--- a/Lrp/etc/init.d/shorewall
+++ b/Lrp/etc/init.d/shorewall
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
-#     (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called:
 #	/etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
@ -374,7 +374,14 @@ chain_base() #$1 = interface
 {
    local c=${1%%+*}
    case $c in 
        *.*)
 	    echo ${c%.*}_${c#*.}
 	    ;;
 	*)
 	    echo ${c:=common}
 	    ;;
    esac
 }
 #
@ -599,10 +606,14 @@ validate_interfaces_file() {
 	for option in $options; do
 	    case $option in
-	    dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
+		dhcp|routestopped|norfc1918|multi|tcpflags)
 		    ;;
 		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		    ;;
 		noping|filterping)
 		    [ -n "$OLD_PING_HANDLING" ] || \
 			startup_error "Option $option only allowed with old ping handling"
 		    ;;
 		*)
 		    error_message "Warning: Invalid option ($option) in record \"$r\""
 		    ;;
@ -1102,8 +1113,7 @@ validate_policy()
 #
 find_broadcasts() {
    for interface in $all_interfaces; do
-	interface=`chain_base $interface`
+	eval bcast=\$`chain_base $interface`_broadcast
 	eval bcast=\$${interface}_broadcast
 	if [ "x$bcast" = "xdetect" ]; then
 	    addr="`ip addr show $interface 2> /dev/null`"
 	    if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
@ -1122,7 +1132,7 @@ find_broadcasts() {
 #
 find_interface_broadcasts() # $1 = Interface name
 {
-    eval bcast=\$${1}_broadcast
+    eval bcast=\$`chain_base ${1}`_broadcast
    if [ "x$bcast" = "xdetect" ]; then
 	addr="`ip addr show $interface 2> /dev/null`"
@ -1414,6 +1424,23 @@ setup_tunnels() # $1 = name of tunnels file
 	echo "   PPTP server defined."
    }
    setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
    {
 	case $2 in
 	    *:*)
 		p=${2#*:}
 		;;
 	    *)
 		p=5000
 		;;
 	esac
 	addrule $inchain  -p udp -s $1 --sport $p --dport $p -j ACCEPT
 	addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
 	echo "   OPENVPN tunnel to $1:$p defined."
    }
    strip_file tunnels $1
    while read kind z gateway z1; do
@ -1441,6 +1468,9 @@ setup_tunnels() # $1 = name of tunnels file
 		pptpserver|PPTPSERVER)
 		    setup_pptp_server
 		    ;;
 		openvpn|OPENVPN|openvpn:*|OPENVPN:*)
 		    setup_one_openvpn $gateway $kind
 		    ;;
 		*)
 		    error_message "Tunnels of type $kind are not supported:" \
 			"Tunnel \"$tunnel\" Ignored"
@ -1704,8 +1734,11 @@ setup_nat() {
    while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
 	iface=${interface%:*}
 	if [ -n "$ADD_IP_ALIASES" ]; then
-	    qt ip addr del $external dev $interface
+	    qt ip addr del $external dev $iface
 	fi
 	if [ -z "$allints" -o "$allints" = "Yes" -o "$allints" = "yes" ]
@ -1718,9 +1751,9 @@ setup_nat() {
 		    -j DNAT --to-destination $internal
 	    fi
 	else
-	    addnatrule `input_chain $interface` \
+	    addnatrule `input_chain $iface` \
 		-d $external -j DNAT --to-destination $internal
-	    addnatrule `output_chain $interface` \
+	    addnatrule `output_chain $iface` \
 		-s $internal -j SNAT --to-source $external
 	fi
@ -1753,7 +1786,7 @@ delete_nat() {
 #
 # Process a TC Rule - $marking_chain is assumed to contain the name of the 
-#                     marking chain
+#                     default marking chain
 #
 process_tc_rule()
 {
@ -1774,13 +1807,34 @@ process_tc_rule()
 		    ;;
 		*)
 		    if ! list_search $source $all_interfaces; then
-			fatal_error "Error: Unknown interface $source"
+			fatal_error "Error: Unknown interface $source in rule \"$rule\""
 		    fi
 		    r="-i $source "
 		    ;;
 	    esac
 	fi
 	if [ "$mark" != "${mark%:*}" ]; then
 	    [ "$chain" = tcout ] && \
 		fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
 	    case "${mark#*:}" in
 		p|P)
 		    chain=tcpre
 		    ;;
 		f|F)
 		    chain=tcfor
 		    ;;
 		*)
 		    fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
 		    ;;
 	    esac
 	    mark="${mark%:*}"
 	fi
 	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
@ -1811,7 +1865,8 @@ setup_tc1() {
    # Create the TC mangle chains
    #
-    run_iptables -t mangle -N $marking_chain
+    run_iptables -t mangle -N tcpre
    run_iptables -t mangle -N tcfor
    run_iptables -t mangle -N tcout
    #
    # Process the TC Rules File
@ -1827,11 +1882,9 @@ setup_tc1() {
    # Link to the TC mangle chains from the main chains
    #
    if [ $marking_chain = tcfor ]; then
    run_iptables -t mangle -A FORWARD    -j tcfor
    else
    run_iptables -t mangle -A PREROUTING -j tcpre
-    fi
+    run_iptables -t mangle -A OUTPUT     -j tcout
    run_user_exit tcstart
@ -2871,6 +2924,21 @@ rules_chain() # $1 = source zone, $2 = destination zone
    fatal_error "Error: No appropriate chain for zone $1 to zone $2"
 }
 #
 #  echo the list of subnets routed out of a given interface
 #
 get_routed_subnets() # $1 = interface name
 {
    local address
    local rest
    ip route show dev $1 2> /dev/null |
 	while read address rest; do
 	    [ "$address" = "${address%/*}" ] && address="${address}/32"
 	    echo $address
        done
 }
 #
 # Set up Source NAT (including masquerading)
 #
@ -2879,12 +2947,32 @@ setup_masq()
    setup_one() {
 	local using
-	if [ "$interface" = "${interface%:*}" ]; then
+	case $fullinterface in
 	    *:*:*)
 		# Both alias name and subnet
 		destnet="${fullinterface##*:}"
 		fullinterface="${fullinterface%:*}"
 		;;
 	    *:*)
 		# Alias name OR subnet
 		case ${fullinterface#*:} in
 		    *.*)
 			# It's a subnet
 			destnet="${fullinterface#*:}"
 			fullinterface="${fullinterface%:*}"
 			;;
 		    *)
 			#it's an alias name
 			destnet="0.0.0.0/0"
-	else
+			;;
-	    destnet="${interface#*:}"
+		esac
-	    interface="${interface%:*}"
+		;;
-	fi
+	    *)
 		destnet="0.0.0.0/0"
 		;;
 	esac
 	interface=${fullinterface%:*}
 	if ! list_search $interface $all_interfaces; then
 	    fatal_error "Error: Unknown interface $interface"
@ -2900,10 +2988,10 @@ setup_masq()
 	chain=`masq_chain $interface`
 	iface=
 	source="$subnet"
 	case $subnet in
 	*.*.*)
 	    source="$subnet"
 	    subnet="-s $subnet"
 	    ;;
 	-)
 	    #
@ -2916,22 +3004,15 @@ setup_masq()
 	    iface="-o $interface"
 	    ;;
 	*)
-	    ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`"
+	    subnets=`get_routed_subnets $subnet`
-	    source="$subnet"
+	    [ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
-	    if [ -z "$ipaddr" ]; then
+	    subnet="$subnets"
 		fatal_error \
 		  "Interface $subnet must be up before Shorewall starts"
 	    fi
 	    subnet="`echo $ipaddr | sed s/"    "// | cut -d' ' -f2`"
 	    [ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
 	    subnet="-s $subnet"	    
 	    ;;
 	esac
 	if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
 	    list_search $address $aliases_to_add || \
-		aliases_to_add="$aliases_to_add $address $interface" 
+		aliases_to_add="$aliases_to_add $address $fullinterface" 
 	fi
 	destination=$destnet
@ -2939,7 +3020,15 @@ setup_masq()
 	if [ -n "$nomasq" ]; then
 	    newchain=masq${masq_seq}
 	    createnatchain $newchain
-	    addnatrule $chain -d $destnet $iface $subnet -j $newchain
+	    
 	    if [ -n "$subnet" ]; then
 		for s in $subnet; do
 		    addnatrule $chain -d $destnet $iface -s $s -j $newchain
 		done
 	    else
 		addnatrule $chain -d $destnet $iface -j $newchain
 	    fi
 	    masq_seq=$(($masq_seq + 1))
 	    chain=$newchain
 	    subnet=
@ -2949,29 +3038,38 @@ setup_masq()
 	    for addr in `separate_list $nomasq`; do
 		addnatrule $chain -s $addr -j RETURN
 	    done
 	    source="$source except $nomasq"
 	else
 	    destnet="-d $destnet"
 	fi
 	if [ -n "$subnet" ]; then
 	    for s in $subnet; do
 		if [ -n "$address" ]; then
-	    addnatrule $chain $subnet $destnet $iface \
+		    addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address
-		-j SNAT --to-source $address
+		    echo "   To $destination from $s through ${interface} using $address"
 	    using=" using $address"
 		else
-	    addnatrule $chain $subnet $destnet $iface -j MASQUERADE
+		    addnatrule $chain -s $s $destnet $iface -j MASQUERADE
-	    using=
+		    echo "   To $destination from $s through ${interface}"
 		fi
 	    done
 	elif [ -n "$address" ]; then
 	    addnatrule $chain $destnet $iface -j SNAT --to-source $address
 	    echo "   To $destination from $source through ${interface} using $address"
 	else
 	    addnatrule $chain $destnet $iface -j MASQUERADE
 	    echo "   To $destination from $source through ${interface}"
 	fi
 	[ -n "$nomasq" ] && source="$source except $nomasq"
 	echo "   To $destination from $source through ${interface}${using}"
    }
    strip_file masq $1
    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
-    while read interface subnet address; do
+    while read fullinterface subnet address; do
-	expandv interface subnet address
+	expandv fullinterface subnet address
 	[ -n "$NAT_ENABLED" ] && setup_one || \
 	    error_message "Warning: NAT disabled; masq rule ignored"
    done < $TMP_DIR/masq
@ -3195,9 +3293,10 @@ add_ip_aliases()
 	    val=${val%% scope*}
 	fi
-	run_ip addr add ${external}${val} dev $interface
+	run_ip addr add ${external}${val} dev $interface $label
 	echo "$external $interface" >> ${STATEDIR}/nat
-	echo "   IP Address $external added to interface $interface"
+	[ -n "$label" ] && label="with $label"
 	echo "   IP Address $external added to interface $interface $label"
    }
    set -- $aliases_to_add
@ -3205,6 +3304,14 @@ add_ip_aliases()
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
 	label=
 	if [ "$interface" != "${interface%:*}" ]; then
 	    label="${interface#*:}"
 	    interface="${interface%:*}"
 	    label="label $interface:$label"
 	fi
 	primary=`find_interface_address $interface`
 	shift;shift
 	[ "x${primary}" = "x${external}" ] || do_one
@ -3350,11 +3457,14 @@ initialize_netfilter () {
 # Build the common chain -- called during [re]start and refresh
 #
 build_common_chain() {
    if [ -n "$OLD_PING_HANDLING" ]; then
        #
        # PING
        #
 	[ -n "$FORWARDPING" ] && \
 	    run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
    fi
    #
    # Common ICMP rules
    #
@ -3907,6 +4017,7 @@ define_firewall() # $1 = Command (Start or Restart)
    process_rules $rules
    if [ -n "$OLD_PING_HANDLING" ]; then
 	echo "Setting up ICMP Echo handling..."
 	filterping_interfaces="`find_interfaces_by_option filterping`"
@ -3924,6 +4035,7 @@ define_firewall() # $1 = Command (Start or Restart)
 		    -p icmp --icmp-type echo-request -j $target
 	    fi
 	done
    fi
    policy=`find_file policy`
@ -4104,7 +4216,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
    dhcp_interfaces=`find_interfaces_by_option dhcp`
    blacklist_interfaces=`find_interfaces_by_option blacklist`
    filterping_interfaces=`find_interfaces_by_option filterping`
-    maclist_interfaces=`find_interfaces_by_maclist`
+    maclist_interfaces=`find_interfaces_by_option maclist`
    tcpflags_interfaces=`find_interfaces_by_option tcpflags`
    #
    # Normalize the first argument to this function
@ -4161,15 +4273,15 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    rulenum=2
 		fi
-		if ! list_search $interface $filterping_interfaces; then
+		if list_search $interface $filterping_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
-		if ! list_search $interface $maclist_interfaces; then
+		if list_search $interface $maclist_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
-		if ! list_search $interface $tcpflags_interfaces; then
+		if list_search $interface $tcpflags_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
@ -4194,11 +4306,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 			rulenum=2
 		    fi
-		    if ! list_search $interface $maclist_interfaces; then
+		    if list_search $interface $maclist_interfaces; then
 			rulenum=$(($rulenum + 1))
 		    fi
-		    if ! list_search $interface $tcpflags_interfaces; then
+		    if list_search $interface $tcpflags_interfaces; then
 			rulenum=$(($rulenum + 1))
 		    fi
 		fi
@ -4344,7 +4456,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
    while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		qt iptables -D `input_chain $interface` -i $interface -s $host -j $chain 
+		qt iptables -D `input_chain $interface` -s $host -j $chain 
 	    else
 		source_chain=`forward_chain $interface`
 		eval dest_hosts=\"\$${z2}_hosts\"
@ -4471,6 +4583,7 @@ do_initialize() {
    TCP_FLAGS_LOG_LEVEL=
    RFC1918_LOG_LEVEL=
    MARK_IN_FORWARD_CHAIN=
    OLD_PING_HANDLING=
    SHARED_DIR=/usr/lib/shorewall
    FUNCTIONS=
    VERSION_FILE=
@ -4596,7 +4709,10 @@ do_initialize() {
    else
 	CLEAR_TC=
    fi
    OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
    [ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \
 	startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No"
    run_user_exit params
--- a/Lrp/etc/shorewall/interfaces
+++ b/Lrp/etc/shorewall/interfaces
@ -46,18 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
 #			noping	     - icmp echo-request (ping) packets
 #				       addressed to the firewall should
 #				       be ignored on this interface
 #			filterping   - icmp echo-request (ping) packets 
 #				       addressed to the firewall should
 #				       be controlled by the rules file and
 #				       applicable policy. If neither 'noping'
 #				       nor 'filterping' are specified then
 #				       the firewall will respond to 'ping'
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
@ -117,15 +105,14 @@
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27 and you want pings from the internet
+#			206.191.149.192/27. You have a DMZ with subnet
 #			to be ignored. You interface a DMZ with subnet
 #			192.168.2.0/24 using eth2. You want to be able to
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
-#			net	eth0	206.191.149.223	noping,dhcp
+#			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
--- a/Lrp/etc/shorewall/masq
+++ b/Lrp/etc/shorewall/masq
@ -9,7 +9,15 @@
 # Columns are:
 #
 #	INTERFACE -- Outgoing interface. This is usually your internet
-#		     interface. This may be qualified by adding the character
+#		     interface. If ADD_SNAT_ALIASES=Yes in
 #		     /etc/shorewall/shorewall.conf, you may add ":" and
 #		     a digit to indicate that you want the alias added with
 #                    that name (e.g., eth0:0). This will allow the alias to
 #		     be displayed with ifconfig. THAT IS THE ONLY USE FOR 
 #		     THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER 
 #		     PLACE IN YOUR SHOREWALL CONFIGURATION.
 #
 #		     This may be qualified by adding the character
 #                    ":" followed by a destination host or subnet.
 #
 #
@ -74,13 +82,12 @@
 #	Example 4:
 #
 #		  You want all outgoing traffic from 192.168.1.0/24 through
-#		  eth0 to use source address 206.124.146.176.
+#		  eth0 to use source address 206.124.146.176 which is NOT the
 #		  primary address of eth0. You want 206.124.146.176 added to 
 #		  be added to eth0 with name eth0:0.
 #
-#			eth0	192.168.1.0/24	206.124.146.176
+#			eth0:0	192.168.1.0/24	206.124.146.176
 #
 #		  This would normally be done when you have a static external
 #		  IP address since it makes the processing of outgoing 
 #		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Lrp/etc/shorewall/nat
+++ b/Lrp/etc/shorewall/nat
@ -16,7 +16,13 @@
 #			IP address of the interface named in the next
 #			column and must not be a DNS Name.
 #	INTERFACE	Interface that we want to EXTERNAL address to appear
-#                       on
+#                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
 #			follow the interface name with ":" and a digit to 
 #			indicate that you want Shorewall to add the alias
 #			with this name (e.g., "eth0:0"). That allows you to
 #			see the alias with ifconfig. THAT IS THE ONLY THING
 #			THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
 #			ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #       ALL INTERFACES  If Yes or yes (or left empty), NAT will be effective
 #                       from all hosts. If No or no then NAT will be effective
--- a/Lrp/etc/shorewall/shorewall.conf
+++ b/Lrp/etc/shorewall/shorewall.conf
@ -401,12 +401,17 @@ MUTEX_TIMEOUT=60
 LOGNEWNOTSYN=
 #
-# Forward "Ping"
+# Old Ping Handling
 #
-# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
+# If this option is set to "Yes" then Shorewall will use its old ping handling
-# forwarded by the firewall.
+# facility including the FORWARDPING option in this file and the 'noping' and
-
+# 'filterping' interface options. If this option is set to 'No' then ping
-FORWARDPING=Yes
+# is handled via policy and rules just like any other connection request.
 #
 # If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
 # DON'T DELETE IT!!!!!!
 #
 OLD_PING_HANDLING=No
 #
 # NEWNOTSYN
@ -502,4 +507,20 @@ RFC1918_LOG_LEVEL=info
 MARK_IN_FORWARD_CHAIN=No
 #
 # Clear Traffic Shapping/Control
 #
 # If this option is set to 'No' then Shorewall won't clear the current
 # traffic control rules during [re]start. This setting is intended
 # for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #LAST LINE -- DO NOT REMOVE
--- a/Lrp/etc/shorewall/tcrules
+++ b/Lrp/etc/shorewall/tcrules
@ -17,10 +17,20 @@
 #	MARK		The mark value which is an
 #			integer in the range 1-255
 #
 #			May optionally be followed by ":P" or ":F"
 #			where ":P" indicates that marking should occur in
 #			the PREROUTING chain and ":F" indicates that marking
 #			should occur in the FORWARD chain. If neither
 #			":P" nor ":F" follow the mark value then the chain is
 #			determined by the setting of MARK_IN_FORWARD_CHAIN in
 #			/etc/shorewall/shorewall.conf.
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses 
 #			and/or subnets. Use $FW if the packet originates on
-#			the firewall.
+#			the firewall in which case the MARK column may NOT
 #			specify either ":P" or ":F" (marking always occurs 
 #			in the OUTPUT chain).
 #
 #			MAC addresses must be prefixed with "~" and use
 #			"-" as a separator.
--- a/Lrp/etc/shorewall/tunnels
+++ b/Lrp/etc/shorewall/tunnels
@ -1,16 +1,21 @@
 #
 # Shorewall 1.3 - /etc/shorewall/tunnels
 #
-#	This file defines IPSEC, GRE and IPIP tunnels.
+#	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
-#	IPIP and GRE tunnels must be configured on the firewall/gateway itself.
+#	IPIP, GRE and OPENVPN tunnels must be configured on the
-#	IPSEC endpoints may be defined on the firewall/gateway or on an
+#	firewall/gateway itself. IPSEC endpoints may be defined
-#	internal system.
+#	on the firewall/gateway or on an internal system.
 #
 #	The columns are:
 #
 #	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ip"
-#			"gre","pptpclient" or "pptpserver"
+#			"gre", "pptpclient", "pptpserver" or "openvpn".
 #
 #			If type is "openvpn", it may optionally be followed
 #			by ":" and the port number used by the tunnel. if no
 #			":" and port number are included, then the default port
 #			of 5000 will be used
 #
 #	ZONE	    --	The zone of the physical interface through which
 #			tunnel traffic passes. This is normally your internet
@ -20,10 +25,12 @@
 #			remote getway has no fixed address (Road Warrior)
 #			then specify the gateway as 0.0.0.0/0.
 #
-#	GATEWAY ZONES --	Optional. If the gateway system specified in the third
+#	GATEWAY 
 #	ZONES --	Optional. If the gateway system specified in the third
 #			column is a standalone host then this column should
-#			contain a comma-separated list of the names of the zones that
+#			contain a comma-separated list of the names of the
-#			the host might be in. This column only applies to IPSEC tunnels.
+#			zones that the host might be in. This column only
 #			applies to IPSEC tunnels.
 #
 #		Example 1:
 #
@ -71,5 +78,12 @@
 #
 #			pptpserver	net
 #
-# TYPE			ZONE	GATEWAY		GATEWAY ZONE
+#		Example 7:
 #
 #			OPENVPN tunnel. The remote gateway is 4.33.99.124 and
 #			openvpn uses port 7777.
 #
 #			openvpn:7777	net	4.33.99.124
 #
 # TYPE			ZONE	GATEWAY		GATEWAY ZONE	PORT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Lrp/sbin/shorewall
+++ b/Lrp/sbin/shorewall
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
-#     (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #
 #	This file should be placed in /sbin/shorewall.
@ -649,7 +649,7 @@ case "$1" in
 	[ $# -ne 3 ] && usage 1
 	exec $FIREWALL $debugging $nolock $1 $2 $3
 	;;
-    show)
+    show|list)
 	[ $# -gt 2 ] && usage 1
 	case "$2" in
 	connections)
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@ -1 +1 @@
-1.3.13
+1.3.14
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -1,10 +1,22 @@
-Changes since 1.3.12
+Changes since 1.3.13
-1. Added 'DNAT-' target.
+1. Fix 'shorewall add' bug.
-2. Print policies in 'check' command.
+2. Add OLD_PING_HANDLING option
-3. Added CLEAR_TC option.
+3. Allow adding alias labels under ADD_IP_ALIASES=Yes.
-4. Added SHARED_DIR option.
+4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes.
 5. Use the routing table to generate list of subnets to be masqueraded
   when an interface name appears in the SUBNET column of
   /etc/shorewall/masq.
 6. Restore $dev.$vid naming of VLAN interfaces.
 7. Updated copyrights for 2003.
 8. Added support for openvpn tunnels on arbitrary ports
 9. Corrected rule number calculation problem in 'shorewall add' command
   processing.
--- a/STABLE/documentation/Documentation.htm
+++ b/STABLE/documentation/Documentation.htm
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
--- a/STABLE/documentation/Install.htm
+++ b/STABLE/documentation/Install.htm
@ -30,9 +30,11 @@ Upgrade</font></h1>
 href="upgrade_issues.htm">Upgrade Issues</a></b></p>
 <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
-  <a href="#Install_Tarball">Install using tarball</a><br>
+   <a href="#Install_Tarball">Install using tarball<br>
 </a><a href="#LRP">Install the .lrp</a><br>
   <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
-  <a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
+   <a href="#Upgrade_Tarball">Upgrade using tarball<br>
 </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
   <a href="#Config_Files">Configuring Shorewall</a><br>
   <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
@ -48,17 +50,17 @@ shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
 <ul>
     <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
     <br>
-    <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports 
+     <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
-a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. 
+reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-If this    happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps 
+installed.  If this    happens, simply use the --nodeps option to rpm (rpm
-&lt;shorewall    rpm&gt;).</li>
+-ivh --nodeps  &lt;shorewall    rpm&gt;).</li>
     <li>Edit the <a href="#Config_Files"> configuration files</a> to match
 your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
 SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
 IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
-AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK 
+ AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
-TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK 
+NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO
-CONNECTIVITY.</b></font></li>
+RESTORE NETWORK  CONNECTIVITY.</b></font></li>
     <li>Start the firewall by typing "shorewall start"</li>
 </ul>
@ -79,10 +81,11 @@ and install     script: </p>
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
     <li>If you are using <a href="http://www.suse.com">SuSe</a> then type 
    "./install.sh /etc/init.d"</li>
-    <li>If your distribution has directory             /etc/rc.d/init.d or 
+     <li>If your distribution has directory             /etc/rc.d/init.d
-/etc/init.d then type             "./install.sh"</li>
+or  /etc/init.d then type             "./install.sh"</li>
     <li>For other distributions, determine where your             distribution
-installs init scripts and type             "./install.sh &lt;init script directory&gt;</li>
+ installs init scripts and type             "./install.sh &lt;init script
 directory&gt;</li>
     <li>Edit the <a href="#Config_Files"> configuration files</a> to match
 your configuration.</li>
     <li>Start the firewall by typing "shorewall             start"</li>
@ -92,47 +95,51 @@ automatically at boot,             see <a
 </ul>
 <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
 disk, simply replace the "shorwall.lrp" file on the image with the file that
 you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
 Guide</a> for information about further steps required.</p>
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
 and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-you  have entries in the /etc/shorewall/hosts file then please check your
+and you  have entries in the /etc/shorewall/hosts file then please check
- /etc/shorewall/interfaces file to be sure that it contains an entry for
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-each  interface mentioned in the hosts file. Also, there are certain 1.2
+for each  interface mentioned in the hosts file. Also, there are certain
-rule forms  that are no longer supported under 1.3 (you must use the new
+1.2 rule forms  that are no longer supported under 1.3 (you must use the
-1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
+new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
-You can check your rules and  host file for 1.3 compatibility using the "shorewall
+details. You can check your rules and  host file for 1.3 compatibility using
-check" command after  installing the latest version of 1.3.</p>
+the "shorewall check" command after  installing the latest version of 1.3.</p>
 <ul>
     <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
-you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
+ you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
-    you must use the "--oldpackage" option to rpm (e.g., "rpm     -Uvh --oldpackage
+installed,     you must use the "--oldpackage" option to rpm (e.g., "rpm
-shorewall-1.2-0.noarch.rpm").        
+    -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").             
    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
-rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
+ rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-installed. If this    happens, simply use the --nodeps option to rpm (rpm 
+is installed. If this    happens, simply use the --nodeps option to rpm (rpm
 -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
       </p>
    </li>
    <li>See if there are any incompatibilities between your configuration 
-and the    new Shorewall version (type "shorewall check") and correct as
+and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
 necessary.</li>
     <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
-are upgrading to a new version using the tarball:</p>
+and are upgrading to a new version using the tarball:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-you  have entries in the /etc/shorewall/hosts file then please check your
+and you  have entries in the /etc/shorewall/hosts file then please check
- /etc/shorewall/interfaces file to be sure that it contains an entry for
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-each  interface mentioned in the hosts file.  Also, there are certain 1.2
+for each  interface mentioned in the hosts file.  Also, there are certain
-rule  forms that are no longer supported under 1.3 (you must use the new
+1.2 rule  forms that are no longer supported under 1.3 (you must use the
-1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
+new 1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
-details. You can check your rules  and host file for 1.3 compatibility using
+for details. You can check your rules  and host file for 1.3 compatibility
-the "shorewall check" command after  installing the latest version of 1.3.</p>
+using the "shorewall check" command after  installing the latest version
 of 1.3.</p>
 <ul>
     <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -147,21 +154,27 @@ the "shorewall check" command after  installing the latest version of 1.3.</p>
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
     <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type 
    "./install.sh /etc/init.d"</li>
-    <li>If your distribution has directory             /etc/rc.d/init.d or 
+     <li>If your distribution has directory             /etc/rc.d/init.d
-/etc/init.d then type             "./install.sh"</li>
+or  /etc/init.d then type             "./install.sh"</li>
     <li>For other distributions, determine where your             distribution
-installs init scripts and type             "./install.sh &lt;init script directory&gt;</li>
+ installs init scripts and type             "./install.sh &lt;init script
 directory&gt;</li>
     <li>See if there are any incompatibilities between your configuration
-and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
+ and the    new Shorewall version (type "shorewall check") and correct as
 necessary.</li>
     <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-       
+         <a name="LRP_Upgrade"></a>If you already have a running Bering installation
 and wish to upgrade to a later version of Shorewall:<br>
 <br>
     <b>UNDER CONSTRUCTION...</b><br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
 <p>You will need to edit some or all of these configuration files to match
-your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
+ your  setup. In most cases, the <a
- QuickStart Guides</a> contain all of the information you need.</p>
+ href="shorewall_quickstart_guide.htm">Shorewall   QuickStart Guides</a>
 contain all of the information you need.</p>
 <ul>
     <li>/etc/shorewall/shorewall.conf - used to set several firewall   
@ -188,19 +201,20 @@ you will     expand in other files.</li>
 hosts    accessible when Shorewall is stopped.</li>
     <li>/etc/shorewall/tcrules - defines marking of packets for later use
 by     traffic control/shaping.</li>
-    <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
+     <li>/etc/shorewall/tos - defines rules for setting the TOS field in
-         headers.</li>
+packet          headers.</li>
     <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on 
        the firewall system.</li>
     <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
 </ul>
-<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
-<p><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>   © <font
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
    <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/Shorewall_CA_html.html
+++ b/STABLE/documentation/Shorewall_CA_html.html
@ -28,22 +28,22 @@
  Given that I develop and support Shorewall without asking for any renumeration,
 I can hardly justify paying $200US+ a year to a Certificate Authority such
 as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
-I am who I am. I have therefore established my own Certificate Authority (CA)
+ I am who I am. I have therefore established my own Certificate Authority
-and sign my own X.509 certificates. I use these certificates on my mail server
+(CA) and sign my own X.509 certificates. I use these certificates on my list
-(<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
+server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>) 
 which hosts parts of this web site.<br>
  <br>
- X.509 certificates are the basis for the Secure Socket Layer (SSL). As part 
+  X.509 certificates are the basis for the Secure Socket Layer (SSL). As
-of establishing an SSL session (URL https://...), your browser verifies the 
+part  of establishing an SSL session (URL https://...), your browser verifies
-X.509 certificate supplied by the HTTPS server against the set of Certificate 
+the  X.509 certificate supplied by the HTTPS server against the set of Certificate
 Authority Certificates that were shipped with your browser. It is expected
-that the server's certificate was issued by one of the authorities whose identities
+ that the server's certificate was issued by one of the authorities whose
-are known to your browser. <br>
+identities are known to your browser. <br>
  <br>
- This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar 
+  This mechanism, while supposedly guaranteeing that when you connect to
-you are REALLY connecting to www.foo.bar, means that the CAs literally have 
+https://www.foo.bar  you are REALLY connecting to www.foo.bar, means that
-a license to print money -- they are selling a string of bits (an X.509 certificate) 
+the CAs literally have  a license to print money -- they are selling a string
-for $200US+ per year!!!I <br>
+of bits (an X.509 certificate)  for $200US+ per year!!!I <br>
  <br>
  I wish that I had decided to become a CA rather that designing and writing
 Shorewall.<br>
@ -72,8 +72,8 @@ so that it will accept any certificate signed by me. <br>
    <li>If you install my CA certificate then you assume that I am trustworthy
 and that Shorewall running on your firewall won't redirect HTTPS requests
 intented to go to your bank's server to one of my systems that will present 
-your browser with a bogus certificate claiming that my server is that of
+your browser with a bogus certificate claiming that my server is that of your
-your bank.</li>
+bank.</li>
    <li>If you only accept my server's certificate when prompted then the 
 most that you have to loose is that when you connect to https://mail.shorewall.net,
 the server you are connecting to might not be mine.</li>
@ -82,10 +82,12 @@ the server you are connecting to might not be mine.</li>
  I have my CA certificate loaded into all of my browsers but I certainly 
 won't be offended if you decline to load it into yours... :-)<br>
-<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
 M. Eastep.</font></a></font></p>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/Shorewall_Squid_Usage.html
+++ b/STABLE/documentation/Shorewall_Squid_Usage.html
@ -28,6 +28,7 @@
       </a><br>
       </td>
     </tr>
  </tbody> 
 </table>
 <br>
@ -75,8 +76,8 @@ server.<br>
 <ol>
     <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
 Firewall.</a></li>
-    <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local 
+     <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
-network</a></li>
+local  network</a></li>
     <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
 </ol>
@ -147,13 +148,13 @@ network</a></li>
      You want to redirect all local www connection requests  to a Squid
                                                 transparent       proxy
 running   in your local zone at 192.168.1.3 and listening on port  3128. 
-Your local  interface is eth1. There may also be a web server running on
+Your local  interface is eth1. There may also be a web server running on 192.168.1.3.
-192.168.1.3. It is assumed that web access is already enabled from the local
+It is assumed that web access is already enabled from the local zone to the
-zone to the internet.<br>
+internet.<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
   other aspects of your gateway including but not limited to traffic shaping
-  and route redirection. For that reason, I don't recommend it.<br>
+   and route redirection. For that reason, <b>I don't recommend it</b>.<br>
       </p>
 <ul>
@ -312,7 +313,9 @@ after   networking has come up<br>
      </blockquote>
 <ul>
-      <li>&nbsp;In /etc/shorewall/start add:<br>
+       <li>&nbsp;Do<b> one </b>of the following:<br>
    <br>
 A) In /etc/shorewall/start add<br>
      </li>
 </ul>
@ -321,6 +324,84 @@ after   networking has come up<br>
  <pre><b><font color="#009900">	iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
 </blockquote>
 <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
 and add the following entry in /etc/shorewall/tcrules:<br>
 </blockquote>
 <blockquote>
  <blockquote>
    <table cellpadding="2" border="1" cellspacing="0">
      <tbody>
        <tr>
          <td valign="top">MARK<br>
          </td>
          <td valign="top">SOURCE<br>
          </td>
          <td valign="top">DESTINATION<br>
          </td>
          <td valign="top">PROTOCOL<br>
          </td>
          <td valign="top">PORT<br>
          </td>
          <td valign="top">CLIENT PORT<br>
          </td>
        </tr>
        <tr>
          <td valign="top">202<br>
          </td>
          <td valign="top">eth2<br>
          </td>
          <td valign="top">0.0.0.0/0<br>
          </td>
          <td valign="top">tcp<br>
          </td>
          <td valign="top">80<br>
          </td>
          <td valign="top">-<br>
          </td>
        </tr>
      </tbody>
    </table>
  </blockquote>
 C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
 </blockquote>
 <blockquote>   
  <blockquote>     
    <table cellpadding="2" border="1" cellspacing="0">
       <tbody>
         <tr>
           <td valign="top">MARK<br>
           </td>
           <td valign="top">SOURCE<br>
           </td>
           <td valign="top">DESTINATION<br>
           </td>
           <td valign="top">PROTOCOL<br>
           </td>
           <td valign="top">PORT<br>
           </td>
           <td valign="top">CLIENT PORT<br>
           </td>
         </tr>
         <tr>
           <td valign="top">202:P<br>
           </td>
           <td valign="top">eth2<br>
           </td>
           <td valign="top">0.0.0.0/0<br>
           </td>
           <td valign="top">tcp<br>
           </td>
           <td valign="top">80<br>
           </td>
           <td valign="top">-<br>
           </td>
         </tr>
      </tbody>     
    </table>
   </blockquote>
  <br>
 </blockquote>
 <ul>
       <li>In /etc/shorewall/rules, you will need:</li>
@ -392,7 +473,7 @@ after   networking has come up<br>
 <blockquote>  </blockquote>
-<p><font size="-1">   Updated 1/10/2003 - <a
+<p><font size="-1">   Updated 1/23/2003 - <a
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a>  
          </font></p>
@ -404,5 +485,6 @@ after   networking has come up<br>
       <br>
     <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -30,6 +30,7 @@
                                 <td width="100%" height="90">          
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                                 </td>
                               </tr>
@ -39,10 +40,12 @@
      <ul>
-                             <li> <a href="seattlefirewall_index.htm">Home</a></li>
+                                   <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
                                           <li> <a
 href="shorewall_features.htm">Features</a></li>
-                             <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
+                                   <li> <a
 href="shorewall_prerequisites.htm">Requirements</a></li>
                                   <li> <a href="download.htm">Download</a><br>
                           </li>
                           <li> <a href="Install.htm">Installation/Upgrade/</a><br>
@ -53,20 +56,25 @@
                            </li>
                                                   <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
-                             <li> <a href="Documentation.htm">Reference Manual</a></li>
+                                   <li> <a href="Documentation.htm">Reference 
  Manual</a></li>
                                   <li> <a href="FAQ.htm">FAQs</a></li>
-                              <li><a href="useful_links.html">Useful Links</a><br>
+                                    <li><a href="useful_links.html">Useful
 Links</a><br>
                                    </li>
                                   <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                   <li> <a href="errata.htm">Errata</a></li>
-                             <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
+                                   <li> <a href="upgrade_issues.htm">Upgrade
  Issues</a></li>
                                   <li> <a href="support.htm">Support</a></li>
-                             <li> <a href="mailing_list.htm">Mailing Lists</a></li>
+                                   <li> <a
 href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
                                   <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
          <ul>
                                     <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -78,33 +86,39 @@
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                                     <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
-                   <li><a href="http://www.shorewall.net" target="_top">Washington 
+                         <li><a href="http://www.shorewall.net"
-  State, USA</a><br>
+ target="_top">Washington    State, USA</a><br>
                         </li>
          </ul>
                                   </li>
      </ul>
      <ul>
                                   <li>   <a href="News.htm">News Archive</a></li>
-                             <li> <a href="Shorewall_CVS_Access.html">CVS 
+                                   <li> <a
-Repository</a></li>
+ href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                             <li> <a href="quotes.htm">Quotes from Users</a></li>
+                                   <li> <a href="quotes.htm">Quotes from
-                             <li> <a href="shoreline.htm">About the Author</a></li>
+Users</a></li>
                                   <li> <a href="shoreline.htm">About the 
 Author</a></li>
                                   <li> <a
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                                 </td>
                               </tr>
@ -113,10 +127,10 @@ Repository</a></li>
  </tbody>                            
 </table>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
                    <strong><br>
-                   <b>Note: </b></strong>Search is unavailable Daily 0200-0330
+                         <b>Note: </b></strong>Search is unavailable Daily
-   GMT.<br>
+ 0200-0330      GMT.<br>
                         <strong></strong>                              
  <p><strong>Quick Search</strong><br>
@ -126,14 +140,14 @@ Repository</a></li>
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
-                         <font face="Arial">   <input type="hidden"
+                               <font face="Arial">   <input
- name="exclude" value="[http://mail.shorewall.net/pipermail/*]">   </font> 
+ type="hidden" name="exclude"
-    </form>
+ value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
-<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
+<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
@ -145,6 +159,9 @@ Repository</a></li>
          <br>
         <br>
        <br>
- 
+        <br>
     <br>
      <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_sfindex_frame.htm
+++ b/STABLE/documentation/Shorewall_sfindex_frame.htm
@ -18,6 +18,7 @@
                                             <base target="main">       
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -40,35 +41,41 @@
      <ul>
-                              <li> <a href="seattlefirewall_index.htm">Home</a></li>
+                                    <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
                                            <li> <a
 href="shorewall_features.htm">Features</a></li>
-                              <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
+                                    <li> <a
 href="shorewall_prerequisites.htm">Requirements</a></li>
                                    <li> <a href="download.htm">Download</a><br>
                            </li>
                            <li> <a href="Install.htm">Installation/Upgrade/</a><br>
                              <a href="Install.htm">Configuration</a><br>
                            </li>
-                      <li> <a href="shorewall_quickstart_guide.htm">QuickStart
+                            <li> <a
-   Guides   (HOWTOs)</a><br>
+ href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
                             </li>
                                                    <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
                                    <li> <a href="Documentation.htm">Reference
   Manual</a></li>
                                    <li> <a href="FAQ.htm">FAQs</a></li>
-                               <li><a href="useful_links.html">Useful Links</a><br>
+                                     <li><a href="useful_links.html">Useful 
 Links</a><br>
                                     </li>
                                    <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
                                    <li> <a href="errata.htm">Errata</a></li>
-                              <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
+                                    <li> <a href="upgrade_issues.htm">Upgrade 
  Issues</a></li>
                                    <li> <a href="support.htm">Support</a></li>
-                              <li> <a href="mailing_list.htm">Mailing Lists</a></li>
+                                    <li> <a
 href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
                                    <li> <a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
                                      <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -80,33 +87,39 @@ Manual</a></li>
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                                      <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
-                    <li><a href="http://www.shorewall.net" target="_top">Washington
+                          <li><a href="http://www.shorewall.net"
-   State, USA</a><br>
+ target="_top">Washington    State, USA</a><br>
                          </li>
          </ul>
                                    </li>
      </ul>
      <ul>
                                    <li>   <a href="News.htm">News Archive</a></li>
-                              <li> <a href="Shorewall_CVS_Access.html">CVS
+                                    <li> <a
- Repository</a></li>
+ href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                              <li> <a href="quotes.htm">Quotes from Users</a></li>
+                                    <li> <a href="quotes.htm">Quotes from 
-                              <li> <a href="shoreline.htm">About the Author</a></li>
+Users</a></li>
                                    <li> <a href="shoreline.htm">About the
 Author</a></li>
                                    <li> <a
 href="sourceforge_index.htm#Donations">Donations</a></li>
      </ul>
                                  </td>
                                </tr>
@ -115,10 +128,10 @@ Manual</a></li>
  </tbody>                             
 </table>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
                    <strong><br>
-                    <b>Note: </b></strong>Search is unavailable Daily 0200-0330 
+                          <b>Note: </b></strong>Search is unavailable Daily 
-   GMT.<br>
+ 0200-0330      GMT.<br>
                          <strong></strong>                             
  <p><strong>Quick Search</strong><br>
@ -128,14 +141,14 @@ Manual</a></li>
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
-                          <font face="Arial">   <input type="hidden"
+                                <font face="Arial">   <input
- name="exclude" value="[http://mail.shorewall.net/pipermail/*]">   </font>
+ type="hidden" name="exclude"
-     </form>
+ value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
-<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
+<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> </a><br>
             </p>
@ -145,6 +158,10 @@ Manual</a></li>
          <br>
         <br>
        <br>
- 
+        <br>
     <br>
     <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/blacklisting_support.htm
+++ b/STABLE/documentation/blacklisting_support.htm
@ -31,7 +31,8 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration parameters:</p>
+<p>Shorewall static blacklisting support has the following configuration
 parameters:</p>
 <ul>
     <li>You specify whether you want packets from blacklisted hosts dropped
@ -41,8 +42,8 @@ or     rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DI
 and at     what syslog level using the <a
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>     setting in
 /etc/shorewall/shorewall.conf</li>
-    <li>You list the IP addresses/subnets that you wish to blacklist in <a
+     <li>You list the IP addresses/subnets that you wish to blacklist in
- href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning 
+    <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
 with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
 names in the blacklist file.<br>
    </li>
@ -63,8 +64,8 @@ against     the blacklist using the "<a
 <ul>
     <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
 IP    addresses to be silently dropped by the firewall.</li>
-    <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed 
+     <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
-IP    addresses to be rejected by the firewall.</li>
+listed  IP    addresses to be rejected by the firewall.</li>
     <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
 from hosts    previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
     <li>save - save the dynamic blacklisting configuration so that it will
@ -72,23 +73,26 @@ be    automatically restored the next time that the firewall is restarted.</li>
     <li>show dynamic - displays the dynamic blacklisting configuration.</li>
 </ul>
 Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
 /etc/shorewall/interfaces.<br>
 <p>Example 1:</p>
-<pre>     shorewall drop 192.0.2.124 192.0.2.125</pre>
+<pre>     <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
 <p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
 <p>Example 2:</p>
-<pre>     shorewall allow 192.0.2.125</pre>
+<pre>     <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
 <p>    Reenables access from 192.0.2.125.</p>
-<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
+  © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/configuration_file_basics.htm
+++ b/STABLE/documentation/configuration_file_basics.htm
@ -21,6 +21,7 @@
                   <tr>
                    <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
                    </td>
                  </tr>
@ -41,19 +42,20 @@
 <ul>
                        <li>/etc/shorewall/shorewall.conf - used to set several 
   firewall             parameters.</li>
-                       <li>/etc/shorewall/params - use this file to set shell 
+                        <li>/etc/shorewall/params - use this file to set
-  variables     that you will     expand in other files.</li>
+shell    variables     that you will     expand in other files.</li>
                        <li>/etc/shorewall/zones - partition the firewall's 
 view   of  the   world         into <i>zones.</i></li>
-                       <li>/etc/shorewall/policy - establishes firewall high-level
+                        <li>/etc/shorewall/policy - establishes firewall
-     policy.</li>
+high-level      policy.</li>
                        <li>/etc/shorewall/interfaces - describes the interfaces
    on  the          firewall system.</li>
-                       <li>/etc/shorewall/hosts - allows defining zones in
+                        <li>/etc/shorewall/hosts - allows defining zones
- terms    of  individual           hosts and subnetworks.</li>
+in  terms    of  individual           hosts and subnetworks.</li>
                        <li>/etc/shorewall/masq - directs the firewall where
- to  use   many-to-one            (dynamic) Network Address Translation (a.k.a.
+  to  use   many-to-one            (dynamic) Network Address Translation
-   Masquerading)   and  Source          Network Address Translation (SNAT).</li>
+(a.k.a.    Masquerading)   and  Source          Network Address Translation
 (SNAT).</li>
                        <li>/etc/shorewall/modules - directs the firewall 
 to  load   kernel    modules.</li>
                        <li>/etc/shorewall/rules - defines rules that are 
@ -61,20 +63,20 @@ exceptions      to  the         overall policies established in /etc/shorewall/p
                        <li>/etc/shorewall/nat - defines static NAT rules.</li>
                        <li>/etc/shorewall/proxyarp - defines use of Proxy
 ARP.</li>
-                       <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and 
+                        <li>/etc/shorewall/routestopped (Shorewall 1.3.4
- later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
+and   later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
                        <li>/etc/shorewall/tcrules - defines marking of packets 
   for   later   use by     traffic control/shaping or policy routing.</li>
                        <li>/etc/shorewall/tos - defines rules for setting
 the   TOS   field   in packet         headers.</li>
                        <li>/etc/shorewall/tunnels - defines IPSEC, GRE and 
 IPIP   tunnels    with end-points on         the firewall system.</li>
-                       <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC 
+                        <li>/etc/shorewall/blacklist - lists blacklisted
-      addresses.</li>
+IP/subnet/MAC        addresses.</li>
     <li>/etc/shorewall/init - commands that you wish to execute at the beginning 
 of a "shorewall start" or "shorewall restart".</li>
-    <li>/etc/shorewall/start - commands that you wish to execute at the completion
+     <li>/etc/shorewall/start - commands that you wish to execute at the
- of a "shorewall start" or "shorewall restart"</li>
+completion  of a "shorewall start" or "shorewall restart"</li>
     <li>/etc/shorewall/stop - commands that you wish to execute at the beginning 
 of a "shorewall stop".</li>
     <li>/etc/shorewall/stopped - commands that you wish to execute at the
@ -87,8 +89,8 @@ completion of a "shorewall stop".<br>
 <p>You may place comments in configuration files by making the first non-whitespace
              character a pound sign ("#"). You may also place comments at
-the    end  of any line, again by       delimiting the comment from the rest 
+ the    end  of any line, again by       delimiting the comment from the
-of   the line  with a pound sign.</p>
+rest  of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -110,9 +112,9 @@ of   the line  with a pound sign.</p>
 <p align="left">     </p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
-       using DNS names in Shorewall configuration files. If you use DNS names 
+        using DNS names in Shorewall configuration files. If you use DNS
-    and   you are called out of bed at 2:00AM because Shorewall won't start 
+names      and   you are called out of bed at 2:00AM because Shorewall won't
-  as  a result  of DNS problems then don't say that you were not forewarned. 
+start    as  a result  of DNS problems then don't say that you were not forewarned.
   <br>
                </b></p>
@ -186,8 +188,8 @@ your inconvenience but are rather limitations of iptables.<br>
 <p>Where specifying an IP address, a subnet or an interface, you can     
  precede the item with "!" to specify the complement of the item. For  
-      example, !192.168.1.4 means "any host but 192.168.1.4". There must
+     example, !192.168.1.4 means "any host but 192.168.1.4". There must be
-be no white space following the "!".</p>
+no white space following the "!".</p>
 <h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -201,8 +203,8 @@ be no white space following the "!".</p>
                        <li>If you use line continuation to break a comma-separated 
     list,   the          continuation line(s) must begin in column 1 (or 
 there     would  be embedded          white space)</li>
-                       <li>Entries in a comma-separated list may appear in
+                        <li>Entries in a comma-separated list may appear
- any   order.</li>
+in  any   order.</li>
 </ul>
@ -215,11 +217,13 @@ there     would  be embedded          white space)</li>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
              port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
-      if you want to forward the range of tcp ports 4000 through 4100 to
+      if you want to forward the range of tcp ports 4000 through 4100 to local
-local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+     host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
             </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
 If you omit the low port number, a value of zero is assumed; if you omit
 the high port number, a value of 65535 is assumed.<br>
 <h2><a name="Variables"></a>Using Shell Variables</h2>
@ -271,8 +275,8 @@ local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
  unique MAC address.<br>
                      <br>
-                     In GNU/Linux, MAC addresses are usually written as a 
+                      In GNU/Linux, MAC addresses are usually written as
-series    of  6  hex numbers        separated by colons. Example:<br>
+a  series    of  6  hex numbers        separated by colons. Example:<br>
                      <br>
                     [root@gateway root]# ifconfig eth0<br>
                     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -290,9 +294,9 @@ series    of  6  hex numbers        separated by colons. Example:<br>
                      <br>
                      Because Shorewall uses colons as a separator for address
   fields,     Shorewall requires        MAC addresses to be written in another
-  way. In   Shorewall, MAC addresses        begin with a tilde ("~") and consist
+   way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
-  of 6  hex numbers separated by        hyphens. In Shorewall, the MAC address
+consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
-   in  the example above would be        written "~02-00-08-E3-FA-55".<br>
+MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
           </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
@ -302,12 +306,12 @@ series    of  6  hex numbers        separated by colons. Example:<br>
 <h2><a name="Levels"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-       The <a href="starting_and_stopping_shorewall.htm">shorewall start
+       The <a href="starting_and_stopping_shorewall.htm">shorewall start and
-and    restart</a>       commands allow you to specify an alternate configuration
+   restart</a>       commands allow you to specify an alternate configuration 
   directory and    Shorewall will use the files in the alternate directory 
-  rather than the  corresponding  files in /etc/shorewall. The alternate
+  rather than the  corresponding  files in /etc/shorewall. The alternate directory
-directory    need not contain a complete  configuration; those files not
+   need not contain a complete  configuration; those files not in the alternate
-in the alternate    directory  will be read from  /etc/shorewall.</p>
+   directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
        by:</p>
@ -326,16 +330,17 @@ in the alternate    directory  will be read from  /etc/shorewall.</p>
-<p><font size="2">   Updated 12/29/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 2/7/2003 - <a href="support.htm">Tom  Eastep</a>
           </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-          © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+          © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -21,6 +21,7 @@
                   <tr>
                    <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
                    </td>
                  </tr>
@ -34,26 +35,25 @@
   for the configuration that most closely matches your own.<br>
      </b></p>
-<p>The entire set of Shorewall documentation is available in PDF format 
+<p>The entire set of Shorewall documentation is available in PDF format  at:</p>
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
          <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
         <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
   </p>
-<p>The documentation in HTML format is included   in the .rpm and in the
+<p>The documentation in HTML format is included   in the .rpm and in the .tgz
-.tgz packages below.</p>
+packages below.</p>
 <p>  Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
-                 <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> 
+                  <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
-             Linux PPC</b> or     <b> TurboLinux</b> distribution     with
+    <b>               Linux PPC</b> or     <b> TurboLinux</b> distribution
-  a  2.4   kernel,   you can use the  RPM version (note: the            
+    with   a  2.4   kernel,   you can use the  RPM version (note: the   
-RPM   should   also work  with other distributions that             store
+         RPM   should   also work  with other distributions that        
-init  scripts in  /etc/init.d  and that             include chkconfig or
+    store init  scripts in  /etc/init.d  and that             include chkconfig
-insserv).  If you find  that it works   in other cases, let <a
+or insserv).  If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
    I can mention them here. See the   <a href="Install.htm">Installation 
 Instructions</a>    if you have problems    installing the RPM.</li>
@ -61,8 +61,8 @@ Instructions</a>    if you have problems    installing the RPM.</li>
 might    also   want  to     download the .tgz so you will have a copy of 
 the documentation).</li>
                  <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
-    and   would      like a .deb package, Shorewall is included in both the
+     and   would      like a .deb package, Shorewall is included in both
-    <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
+the     <a href="http://packages.debian.org/testing/net/shorewall.html">Debian 
     Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
 Unstable Branch</a>.</li>
@ -98,9 +98,9 @@ THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
 IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed   configuration 
   of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates 
+<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
-   to the    mirrors  occur 1-12 hours after an update to the Washington State
+    to the    mirrors  occur 1-12 hours after an update to the Washington
-site.</b></p>
+State site.</b></p>
 <blockquote>                                                
  <table border="2" cellspacing="3" cellpadding="3"
@ -239,11 +239,9 @@ site.</b></p>
                      <td><a
 href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
                        <a
- href="http://france.shorewall.net/pub/LATEST.tgz">Download             
+ href="http://france.shorewall.net/pub/LATEST.tgz">Download              .tgz</a> <br>
 .tgz</a> <br>
                        <a
- href="http://france.shorewall.net/pub/LATEST.lrp">Download             
+ href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
 .lrp</a><br>
                      <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
  .md5sums</a></td>
@ -374,14 +372,14 @@ site.</b></p>
 <blockquote>                                              
  <p align="left">The <a target="_top"
- href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS  repository at
+ href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository
-       cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
+at        cvs.shorewall.net</a> contains the latest snapshots of the each
-       component. There's no guarantee that what you find there will work
+ Shorewall        component. There's no guarantee that what you find there
-at    all.<br>
+will work at    all.<br>
          </p>
        </blockquote>
-<p align="left"><font size="2">Last Updated 1/13/2003 - <a
+<p align="left"><font size="2">Last Updated 2/7/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -389,5 +387,6 @@ at    all.<br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -2,6 +2,7 @@
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
@ -9,8 +10,10 @@
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -22,10 +25,12 @@
                      <tr>
                        <td width="100%">                               
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
                        </td>
                      </tr>
  </tbody>                  
 </table>
@ -52,19 +57,21 @@ untar the archive, replace the        'firewall' script in the untarred director
    <p align="left">          <b>If you are running a Shorewall version earlier
  than 1.3.11, when the instructions say to install a corrected        firewall
  script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
-   or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
+     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
-     the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
+overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD
-            or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall 
+/etc/shorewall/firewall               or /var/lib/shorewall/firewall  before
-            and /var/lib/shorewall/firewall  are symbolic links that point 
+you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall
-        to the 'shorewall' file used by your  system initialization scripts 
+ are symbolic links that point           to the 'shorewall' file used by
-  to         start Shorewall during boot. It is  that file that must be overwritten 
+your  system initialization scripts     to         start Shorewall during
-            with the corrected script. Beginning with Shorewall 1.3.11, you
+boot. It is  that file that must be overwritten              with the corrected
-may rename the existing file before copying in the new file.</b></p>
+script. Beginning with Shorewall 1.3.11, you may rename the existing file
 before copying in the new file.</b></p>
              </li>
              <li>                                                      
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-    ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
+      ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
-  example,  do NOT install the 1.3.9a firewall script if you are running
+For    example,  do NOT install the 1.3.9a firewall script if you are running
 1.3.7c.</font></b><br>
                          </p>
              </li>
@ -82,13 +89,15 @@ may rename the existing file before copying in the new file.</b></p>
                      <li>                            <b><font
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
  on RH7.2</a></font></b></li>
-                  <li>                            <b><a href="#Debug">Problems
+                      <li>                            <b><a
-   with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
-                  <li><b><a href="#SuSE">Problems installing/upgrading RPM
+RedHat iptables</a></b></li>
- on  SuSE</a></b></li>
+                      <li><b><a href="#SuSE">Problems installing/upgrading
-                  <li><b><a href="#Multiport">Problems with iptables version
+ RPM   on  SuSE</a></b></li>
-  1.2.7    and       MULTIPORT=Yes</a></b></li>
+                      <li><b><a href="#Multiport">Problems with iptables
-            <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
+version     1.2.7    and       MULTIPORT=Yes</a></b></li>
                <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and 
 NAT</a></b><br>
                </li>
 </ul>
@ -97,21 +106,51 @@ on RH7.2</a></font></b></li>
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
-<h3>Version 1.3.12</h3>
+<h3>Version 1.3.13</h3>
 <ul>
-  <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the
+     <li>The 'shorewall add' command produces an error message referring
-same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected
+to  'find_interfaces_by_maclist'.</li>
-by <a
+    <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
+  <li>The 'shorewall add' command can fail with "iptables: Index of insertion
 too big".<br>
  </li>
 </ul>
  All three problems are corrected by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
  firewall script</a> which may be installed in /usr/lib/shorewall as described
  above.<br>
 <ul>
   <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) 
 are not supported in this version or in 1.3.12. If you need such support, 
 post on the users list and I can provide you with a patched version.<br>
   </li>
 </ul>
 <h3>Version 1.3.12</h3>
 <ul>
      <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
 the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
 is  corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
  firewall script</a> which may be installed in /usr/lib/shorewall as described
  above.</li>
   <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
 are not supported in this version or in 1.3.13. If you need such support,
 post on the users list and I can provide you with a patched version.<br>
    </li>
 </ul>
 <h3>Version 1.3.12 LRP</h3>
 <ul>
-   <li>The .lrp was missing the /etc/shorewall/routestopped file -- a new 
+       <li>The .lrp was missing the /etc/shorewall/routestopped file -- a 
-lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
+new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
       </li>
 </ul>
@ -129,14 +168,14 @@ lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
 <h3>Version 1.3.11</h3>
 <ul>
-       <li>When installing/upgrading using the .rpm, you may receive the
+           <li>When installing/upgrading using the .rpm, you may receive
-following   warnings:<br>
+the   following   warnings:<br>
             <br>
              user teastep does not exist - using root<br>
              group teastep does not exist - using root<br>
             <br>
-     These warnings are harmless and may be ignored. Users downloading the
+         These warnings are harmless and may be ignored. Users downloading
- .rpm  from shorewall.net or mirrors should no longer see these warnings
+ the   .rpm  from shorewall.net or mirrors should no longer see these warnings
 as  the .rpm you will get from there has been corrected.</li>
          <li>DNAT rules that exclude a source subzone (SOURCE column contains
   !  followed by a sub-zone list) result in an error message and Shorewall
@ -159,11 +198,12 @@ fails  to start.<br>
   on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
         <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
-   version of the firewall script</a> may help. Please report any cases where
+     version of the firewall script</a> may help. Please report any cases
-   installing this script in /usr/lib/shorewall/firewall solved your connection
+where     installing this script in /usr/lib/shorewall/firewall solved your
-   problems. Beginning with version 1.3.10, it is safe to save the old version
+connection     problems. Beginning with version 1.3.10, it is safe to save
-   of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
+the old version     of /usr/lib/shorewall/firewall before copying in the
-   is the real script now and not just a symbolic link to the real script.<br>
+new one since /usr/lib/shorewall/firewall     is the real script now and
 not just a symbolic link to the real script.<br>
             </li>
 </ul>
@ -181,8 +221,8 @@ fails  to start.<br>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-    corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
+      corrects this problem.Copy the script to /usr/lib/shorewall/firewall 
-  described  above.<br>
+ as   described  above.<br>
            </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
@ -191,11 +231,11 @@ fails  to start.<br>
            </blockquote>
 <ul>
-          <li>The installer (install.sh) issues a misleading message "Common
+              <li>The installer (install.sh) issues a misleading message
-  functions   installed in /var/lib/shorewall/functions" whereas the file
+"Common     functions   installed in /var/lib/shorewall/functions" whereas
-is  installed  in /usr/lib/shorewall/functions. The installer also performs
+the file   is  installed  in /usr/lib/shorewall/functions. The installer
-incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
+also performs   incorrectly  when updating old configurations that had the
-      <a
+file /etc/shorewall/functions.         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
      is an updated version that corrects these problems.<br>
                </a></li>
@ -211,8 +251,8 @@ script    at  <a
                <br>
               Version 1.3.8                  
 <ul>
-               <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
+                   <li> Use of shell variables in the LOG LEVEL or SYNPARMS 
-   of  the  policy file doesn't work.</li>
+ columns     of  the  policy file doesn't work.</li>
                   <li>A DNAT rule with the same original and new IP addresses
   but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
     tcp   25 - 10.1.1.1")<br>
@ -222,8 +262,8 @@ script    at  <a
                 Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                      as described above corrects these problems.
+                                        as described above corrects these
-                   
+problems.                         
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                       
@ -231,7 +271,8 @@ script    at  <a
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                      as described above corrects this problem.</p>
+                                        as described above corrects this
 problem.</p>
 <h3>Version 1.3.7a</h3>
@ -242,7 +283,8 @@ script    at  <a
                       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                      as described above corrects this problem.</p>
+                                        as described above corrects this
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
@ -255,15 +297,15 @@ script    at  <a
                                        has two problems:</p>
 <ol>
-                                               <li>If the firewall is running 
+                                                   <li>If the firewall is 
-  a  DHCP   server,                                   the client won't be 
+running     a  DHCP   server,                                   the client 
-able   to obtain   an IP  address                                  lease from
+won't be   able   to obtain   an IP  address                             
-that   server.</li>
+    lease  from that   server.</li>
-                                               <li>With this order of checking, 
+                                                   <li>With this order of 
-   the   "dhcp"                                   option cannot be used as 
+checking,      the   "dhcp"                                   option cannot 
- a  noise-reduction                                     measure where there 
+be used as   a  noise-reduction                                     measure 
- are  both dynamic and    static                                  clients 
+where there   are  both dynamic and    static                            
-on a LAN segment.</li>
+     clients  on a LAN segment.</li>
 </ol>
@ -295,9 +337,10 @@ above.</p>
 <ul>
                               <li>                                     
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-       an error occurs when the firewall            script attempts to add
+         an error occurs when the firewall            script attempts to
- an   SNAT   alias.  </p>
+add    an   SNAT   alias.  </p>
                    </li>
                    <li>                                                
@ -380,8 +423,9 @@ so it's a            good idea to run that command after you have made configura
         by that name" then you probably have an entry in            /etc/shorewall/hosts
         that specifies an interface that you didn't            include in
 /etc/shorewall/interfaces.        To correct this problem, you         
- must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 and
+  must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3
-           later versions produce a clearer error    message    in this case.</p>
+and             later versions produce a clearer error    message    in this
 case.</p>
 <h3 align="left">Version 1.3.2</h3>
@ -391,8 +435,8 @@ so it's a            good idea to run that command after you have made configura
 version            has a size of 38126 bytes.</p>
 <ul>
-                           <li>The code to detect a duplicate interface entry 
+                               <li>The code to detect a duplicate interface 
-  in             /etc/shorewall/interfaces contained a typo that prevented 
+ entry    in             /etc/shorewall/interfaces contained a typo that prevented
   it from               working correctly. </li>
                               <li>"NAT_BEFORE_RULES=No" was broken; it behaved 
   just   like   "NAT_BEFORE_RULES=Yes".</li>
@ -407,6 +451,7 @@ version            has a size of 38126 bytes.</p>
 <ul>
                               <li>                                     
    <p align="left">The IANA have just announced the allocation of subnet
                    221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
@ -418,13 +463,13 @@ version            has a size of 38126 bytes.</p>
 <h3 align="left">Version 1.3.1</h3>
 <ul>
-                           <li>TCP SYN packets may be double counted when 
+                               <li>TCP SYN packets may be double counted
-           LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e.,
+when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy
- each              packet is sent through the limit chain twice).</li>
+(i.e.,    each              packet is sent through the limit chain twice).</li>
-                           <li>An unnecessary jump to the policy chain is 
+                               <li>An unnecessary jump to the policy chain
-sometimes                 generated for a CONTINUE policy.</li>
+ is  sometimes                 generated for a CONTINUE policy.</li>
-                           <li>When an option is given for more than one
+                               <li>When an option is given for more than
-interface      in               /etc/shorewall/interfaces then depending
+one   interface      in               /etc/shorewall/interfaces then depending
 on the option,     Shorewall                may ignore all but the first
 appearence of the   option.  For example:<br>
                               <br>
@ -432,15 +477,16 @@ appearence of the   option.  For example:<br>
                               loc    eth1    dhcp<br>
                               <br>
                               Shorewall will ignore the 'dhcp' on eth1.</li>
-                           <li>Update 17 June 2002 - The bug described in 
+                               <li>Update 17 June 2002 - The bug described
-the   prior    bullet               affects the following options: dhcp, dropunclean,
+ in  the   prior    bullet               affects the following options: dhcp, 
-  logunclean,                 norfc1918, routefilter, multi, filterping and
+ dropunclean,   logunclean,                 norfc1918, routefilter, multi, 
-  noping. An additional                 bug has been found that affects only
+ filterping and   noping. An additional                 bug has been found 
-  the 'routestopped' option.<br>
+ that affects only   the 'routestopped' option.<br>
                               <br>
-                           Users who downloaded the corrected script prior
+                               Users who downloaded the corrected script
- to  1850   GMT   today              should download and install the corrected 
+prior    to  1850   GMT   today              should download and install
-  script   again   to ensure              that this second problem is corrected.</li>
+the corrected     script   again   to ensure              that this second
 problem is corrected.</li>
 </ul>
@ -483,18 +529,20 @@ have installed.</li>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-        corrected 1.2.3 rpm which you can download here</a>  and I have also 
+          corrected 1.2.3 rpm which you can download here</a>  and I have 
-   built            an <a
+also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently
         running RedHat 7.1, you can install either of these RPMs       
      <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
-       has   released an iptables-1.2.4 RPM of their own which you can download
+         has   released an iptables-1.2.4 RPM of their own which you can
-      from<font color="#ff6633">   <a
+download         from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
-         </font>I have installed this RPM   on my firewall and it works fine.</p>
+           </font>I have installed this RPM   on my firewall and it works 
 fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
@ -508,13 +556,16 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p align="left">To install one of the above patches:</p>
  <ul>
                             <li>cd iptables-1.2.3/extensions</li>
                             <li>patch -p0 &lt; <i>the-patch-file</i></li>
  </ul>
                              </blockquote>
 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
               and RedHat iptables</h3>
@ -522,19 +573,21 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
         may     experience the following:</p>
  <blockquote>                                                           
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                      </blockquote>
  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
  user-space debugging code was not updated to reflect recent changes in
-       the     Netfilter 'mangle' table. You can correct the problem by installing 
+         the     Netfilter 'mangle' table. You can correct the problem by
-          <a
+installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
            this iptables RPM</a>. If you are already running a 1.2.5 version 
-  of       iptables, you will need to specify the --oldpackage option to rpm
+    of       iptables, you will need to specify the --oldpackage option to 
-  (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+ rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                    </blockquote>
@ -562,8 +615,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 <ul>
                                                   <li>set MULTIPORT=No in
                                  /etc/shorewall/shorewall.conf; or </li>
-                                               <li>if you are running Shorewall 
+                                                   <li>if you are running 
-   1.3.6    you may                                  install             
+Shorewall      1.3.6    you may                                  install 
                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                             this firewall script</a> in /var/lib/shorewall/firewall
@ -573,8 +626,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                 </h3>
-          /etc/shorewall/nat entries of the following form will result in 
+              /etc/shorewall/nat entries of the following form will result
-Shorewall     being unable to start:<br>
+ in  Shorewall     being unable to start:<br>
              <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -586,7 +639,7 @@ for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it.
  The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
   option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 1/3/2003 -                             
+<p><font size="2">  Last updated 2/8/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
@ -597,5 +650,9 @@ The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -2,13 +2,17 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mailing Lists</title>
@ -22,7 +26,7 @@
 border="0">
                       <tbody>
                        <tr>
-                    <td width="33%" valign="middle">                    
+                         <td width="33%" valign="middle" align="left">  
      <h1 align="center"><a
@ -32,32 +36,38 @@
                    </a></h1>
-                          
+                                             <a
      <h1 align="center"><a
 href="http://www.gnu.org/software/mailman/mailman.html">         <img
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35" alt="">
-                     </a></h1>
+                          </a>                                          
-      <p align="right"><br>
+      <p align="right"><font color="#ffffff"><b>      </b></font>     </p>
       <font color="#ffffff"><b>            </b></font>     </p>
                          </td>
            <td valign="middle" width="34%" align="center">             
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
            </td>
-       <td valign="middle" width="33%">       
+            <td valign="middle" width="33%">                     <a
-      <h1 align="center"><a href="http://www.postfix.org/">       <img
+ href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45" alt="(Postfix Logo)">
-                     </a></h1>
+                          </a><br>
      <div align="left"><a href="http://www.spamassassin.org"><img
 src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
 border="0">
         </a> </div>
         <br>
      <div align="right"><br>
-       <b><font color="#ffffff">Powered by Postfix    </font></b><br>
+            <b><font color="#ffffff"><br>
   Powered by Postfix    </font></b><br>
            </div>
            </td>
                       </tr>
  </tbody>                    
 </table>
@ -75,6 +85,7 @@
 <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
 href="http://osirusoft.com/"> </a></h2>
 <p>Before subscribing please read my <a href="spam_filters.htm">policy  
    about list traffic that bounces.</a> Also please note that the mail server
                 at shorewall.net checks incoming mail:<br>
@ -87,25 +98,26 @@
                  <li>to ensure that the sender address is fully qualified.</li>
                  <li>to verify that the sender's domain has an A or MX record
   in  DNS.</li>
-             <li>to ensure that the host name in the HELO/EHLO command is 
+                  <li>to ensure that the host name in the HELO/EHLO command 
-a  valid    fully-qualified  DNS name that resolves.</li>
+ is  a  valid    fully-qualified  DNS name that resolves.</li>
 </ol>
 <h2>Please post in plain text</h2>
-     A growing number of MTAs serving list subscribers are rejecting all
+          A growing number of MTAs serving list subscribers are rejecting 
-HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net
+all   HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net 
  "for  continuous abuse" because it has been my policy to allow HTML in list
  posts!!<br>
          <br>
-     I think that blocking all HTML is a Draconian way to control spam  and 
+          I think that blocking all HTML is a Draconian way to control spam 
- that the ultimate losers here are not the spammers but the list subscribers 
+  and   that the ultimate losers here are not the spammers but the list subscribers
-  whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
+     whose MTAs are bouncing all shorewall.net mail. As one list subscriber
- to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
+  wrote  to me privately "These e-mail admin's need to get a <i>(explitive
- life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
+ deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
- to allow subscribers to receive list posts as must as possible, I have now
+ Nevertheless,  to allow subscribers to receive list posts as must as possible,
- configured the list server at shorewall.net to strip all HTML from outgoing
+ I have now  configured the list server at shorewall.net to strip all HTML
- posts. This means that HTML-only posts will be bounced by the list server.<br>
+ from outgoing  posts. This means that HTML-only posts will be bounced by
 the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
       </p>
@ -119,20 +131,23 @@ headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
-<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch"> 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
  <p> <font size="-1"> Match:                                            
  <select name="method">
  <option value="and">All </option>
  <option value="or">Any </option>
  <option value="boolean">Boolean </option>
  </select>
                    Format:                                             
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
                    Sort by:                                            
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -141,66 +156,82 @@ headers to circumvent those policies.<br>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-               </font> <input type="hidden" name="config" value="htdig">
+                    </font> <input type="hidden" name="config"
-  <input type="hidden" name="restrict"
+ value="htdig">    <input type="hidden" name="restrict"
- value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
+ value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                    Search: <input type="text" size="30" name="words"
 value="">    <input type="submit" value="Search"> </p>
                    </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the
+<h2 align="left"><font color="#ff0000">Please do not try to download the entire
-entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
+Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-won't stand the traffic. If I catch you, you will be blacklisted.<br>
+stand the traffic. If I catch you, you will be blacklisted.<br>
             </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
                  If you want to trust X.509 certificates issued by Shoreline 
  Firewall     (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a>
-      in your browser. If you don't wish to trust my certificates then you 
+         in your browser. If you don't wish to trust my certificates then
- can    either use unencrypted access when subscribing to Shorewall mailing 
+you    can    either use unencrypted access when subscribing to Shorewall
- lists    or you can use secure access (SSL) and accept the server's certificate 
+mailing    lists    or you can use secure access (SSL) and accept the server's
-  when   prompted by your browser.<br>
+certificate     when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users
-       to get answers to questions and to report problems. Information of 
+          to get answers to questions and to report problems. Information
-general       interest to the Shorewall user community is also posted to this
+of   general       interest to the Shorewall user community is also posted
-list.</p>
+to  this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
-       the <a href="support.htm">problem reporting guidelines</a>.</b></p>
+          the <a href="http://www.shorewall.net/support.htm">problem reporting
 guidelines</a>.</b></p>
-<p align="left">To subscribe to the mailing list, go to <a
+<p align="left">To subscribe to the mailing list:<br>
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a> 
+    </p>
-      SSL: <a
+       
- href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
+<ul>
- target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
+      <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
      <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
 </ul>
 <p align="left">To post to the list, post to <a
- href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
+ href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
 <p align="left">The list archives are at <a
- href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
+ href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the 
-        Shorewall community. To subscribe, go to <a
+          Shorewall community. To subscribe:<br>
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a> 
+    </p>
-      SSL: <a
+       
- href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
+<p align="left"></p>
- target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
+       
-             </a><br>
+<ul>
      <li><b>Insecure:</b> <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
      <li><b>SSL</b>: <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
 </ul>
 <p align="left"><br>
                  The list archives are at <a
- href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
+ href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
@ -208,23 +239,30 @@ may be found at <a
          the exchange of ideas about the future of Shorewall and for coordinating
         ongoing Shorewall Development.</p>
-<p align="left">To subscribe to the mailing list, go to <a
+<p align="left">To subscribe to the mailing list:<br>
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a> 
+     </p>
-      SSL: <a
+       
- href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
+<ul>
- target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
+      <li><b>Insecure: </b><a
-             To post to the list, post to <a
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
- href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
+      <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
 </ul>
 <p align="left">              To post to the list, post to <a
 href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
 <p align="left">The list archives are at <a
- href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
+ href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
 <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
          the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing
-        from Mailman-managed lists although Mailman 2.1 has attempted to make
+           from Mailman-managed lists although Mailman 2.1 has attempted
- this less confusing. To unsubscribe:</p>
+to   make  this less confusing. To unsubscribe:</p>
 <ul>
                       <li>                                             
@ -243,8 +281,9 @@ may be found at <a
                       <li>                                             
    <p align="left">There will now be a box where you can enter your password
-       and  click on "Unsubscribe"; if you have forgotten your password, there
+          and  click on "Unsubscribe"; if you have forgotten your password,
-     is  another  button that will cause your password to be emailed to you.</p>
+  there      is  another  button that will cause your password to be emailed
  to you.</p>
                       </li>
 </ul>
@ -254,17 +293,12 @@ may be found at <a
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 12/31/2002 - <a
+<p align="left"><font size="2">Last updated 2/3/2003 - <a
- href="support.htm">Tom Eastep</a></font></p>
+ href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
@ -37,9 +37,10 @@
 use a combination of Static NAT and Proxy ARP, neither of which are relevant 
 to a simple configuration with a single public IP address.</small></b></big><big><b><small> 
 If you have just a single public IP address, most of what you see here won't 
-apply to your setup so beware of copying parts of this configuration and
+apply to your setup so beware of copying parts of this configuration and expecting
-expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
+them to work for you. What you copy may or may not work in your setup. </small></b></big><br>
   </p>
  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). 
    My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
    is connected to eth0. I have a local network connected to eth2 (subnet
@ -64,14 +65,14 @@ for
    own 'whitelist' zone  called 'me'.</p>
  <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
-   It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software 
+    It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
-   and is managed by Proxy ARP. It connects to the  local network through 
+software     and is managed by Proxy ARP. It connects to the  local network
-the   PopTop server running on my firewall. </p>
+through  the   PopTop server running on my firewall. </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
-   Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
+    Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
-   (Pure-ftpd). The system   also runs fetchmail to fetch our email from
+server    (Pure-ftpd). The system   also runs fetchmail to fetch our email
-our    old and current ISPs. That server is managed through Proxy ARP.</p>
+from our    old and current ISPs. That server is managed through Proxy ARP.</p>
  <p> The firewall system itself runs a DHCP server that serves the local
      network.</p>
@ -120,8 +121,8 @@ below).</p>
 <h3>Interfaces File: </h3>
 <blockquote>                                                        
-  <p> This is set up so that I can start the firewall before bringing up my
+  <p> This is set up so that I can start the firewall before bringing up
-Ethernet  interfaces. </p>
+my Ethernet  interfaces. </p>
             </blockquote>
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp,filterping,maclist<br>	dmz	eth1 		206.124.146.255	filterping<br>	net	eth3		206.124.146.255 filterping,blacklist<br>	-	texas 		-               filterping<br>	loc	ppp+		-		filterping<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -137,6 +138,7 @@ Ethernet  interfaces. </p>
 <h3>Common File: </h3>
 <pre><font size="2" face="Courier">	. /etc/shorewall/common.def<br>	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
 <h3>Policy File:</h3>
 <pre><font size="2" face="Courier">
@ -183,5 +185,6 @@ Ethernet  interfaces. </p>
           <a href="copyright.htm"><font size="2">Copyright</font>      © 
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ping.html
+++ b/STABLE/documentation/ping.html
@ -2,11 +2,14 @@
 <html>
 <head>
  <title>ICMP Echo-request (Ping)</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
@ -20,47 +23,98 @@
  </tbody>  
 </table>
  <br>
-Shorewall 'Ping' management has evolved over time in a less than consistant
+  Shorewall 'Ping' management has evolved over time with the latest change 
-way. This page describes how it now works.<br>
+coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>) 
 was added to /etc/shorewall/shorewall.conf. The value of that option determines 
 the overall handling of ICMP echo requests (pings).<br>
 <h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
 In 1.3.14, Ping handling was put under control of the rules and policies 
 just like any other connection request. In order to accept ping requests from
 zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
 a rule in /etc/shoreall/rules of the form:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 Example: <br>
 <br>
-There are several aspects to Shorewall Ping management:<br>
+ To permit ping from the local zone to the firewall:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
     If you would like to accept 'ping' by default even when the relevant
 policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
 already exist and in that file place the following command:<br>
 <blockquote>   
  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
 </blockquote>
 With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
 you need a rule of the form:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 Example:<br>
 <br>
 To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 <blockquote>      </blockquote>
 <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
 </h2>
 There are several aspects to the old Shorewall Ping management:<br>
 <ol>
    <li>The <b>noping</b> and <b>filterping </b>interface options in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
-  <li>The <b>FORWARDPING</b> option in<a
+    <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf"> 
- href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
+/etc/shorewall/shorewall.conf</a>.</li>
-  <li>Explicit rules in <a
+    <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
- href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+   
 </ol>
  There are two cases to consider:<br>
 <ol>
    <li>Ping requests addressed to the firewall itself; and</li>
    <li>Ping requests being forwarded to another system. Included here are
 all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
 routing.</li>
 </ol>
  These cases will be covered separately.<br>
-<h2>Ping Requests Addressed to the Firewall Itself</h2>
+   
 <h3>Ping Requests Addressed to the Firewall Itself</h3>
  For ping requests addressed to the firewall, the sequence is as follows:<br>
 <ol>
-  <li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
+    <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
-interface that receives the ping request then the request will be responded
+the  interface that receives the ping request then the request will be responded
 to with an ICMP echo-reply.</li>
-  <li>If <b>noping</b> is specified for the interface that receives the ping
+    <li>If <b>noping</b> is specified for the interface that receives the 
-request then the request is ignored.</li>
+ping request then the request is ignored.</li>
    <li>If <b>filterping </b>is specified for the interface then the request
 is passed to the rules/policy evaluation.</li>
 </ol>
-<h2>Ping Requests Forwarded by the Firewall</h2>
+   
 <h3>Ping Requests Forwarded by the Firewall</h3>
  These requests are <b>always</b> passed to rules/policy evaluation.<br>
-<h2>Rules Evaluation</h2>
+   
 <h3>Rules Evaluation</h3>
  Ping requests are ICMP type 8. So the general rule format is:<br>
  <br>
-&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp;
+  &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; 
-</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
  <br>
-Example 1. Accept pings from the net to the dmz (pings are responded to with
+  Example 1. Accept pings from the net to the dmz (pings are responded to 
-an ICMP echo-reply):<br>
+with an ICMP echo-reply):<br>
  <br>
  &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -69,22 +123,28 @@ Example 2. Drop pings from the net to the firewall<br>
  <br>
  &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 8<br>
-<h2>Policy Evaluation</h2>
+   
 <h3>Policy Evaluation</h3>
  If no applicable rule is found, then the policy for the source to the destination
 is applied.<br>
 <ol>
-  <li>If the relevant policy is ACCEPT then the request is responded to with
+    <li>If the relevant policy is ACCEPT then the request is responded to 
-an ICMP echo-reply.</li>
+with an ICMP echo-reply.</li>
    <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
 then the request is responded to with an ICMP echo-reply.</li>
    <li>Otherwise, the relevant REJECT or DROP policy is used and the request
 is either rejected or simply ignored.</li>
 </ol>
 <p><font size="2">Updated 12/13/2002 - <a
 href="support.htm">Tom Eastep</a> </font></p>
-<p><a href="copyright.htm"><font size="2">Copyright</font>
+</ol>
- &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+   
 <p><font size="2">Updated 1/21/2003 - <a href="support.htm">Tom Eastep</a> 
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ports.htm
+++ b/STABLE/documentation/ports.htm
@ -52,11 +52,11 @@ firewall to accommodate.</p>
 <p>DNS</p>
 <blockquote>            
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
-want to   open TCP Port 53 as well.<br>
+to   open TCP Port 53 as well.<br>
-     If you are configuring a server, only open TCP Port 53 if you will return
+      If you are configuring a server, only open TCP Port 53 if you will
- long   replies to queries or if you need to enable ZONE transfers. In the
+return  long   replies to queries or if you need to enable ZONE transfers. In
- latter   case, be sure that your server is properly configured.</p>
+the  latter   case, be sure that your server is properly configured.</p>
    </blockquote>
 <p>ICQ   </p>
@ -144,8 +144,8 @@ have:<br>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may
 have problems accessing regular FTP servers.</p>
-  <p>If there is a possibility that these modules might be loaded before
+  <p>If there is a possibility that these modules might be loaded before Shorewall
-Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
+starts, then you should include the port list in /etc/modules.conf:<br>
     </p>
  <blockquote>               
@ -172,23 +172,32 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
    </blockquote>
-<p>NFS</p>
+<p>NFS<br>
 </p>
 <blockquote>
  <p>I personally use the following rules for opening access from zone z1
 to a server with IP address a.b.c.d in zone z2:<br>
  </p>
  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
 </blockquote>
 <blockquote>            
-  <p>There's some good information at    <a
+  <p>Note that my rules only cover NFS using UDP (the normal case). There
 is lots of additional information at    <a
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
    </blockquote>
-<p>Didn't find what you are looking for -- have you looked in your own  
+<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
-/etc/services file? </p>
+file? </p>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
+<p><font size="2">Last updated 2/7/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-   <a href="copyright.htm"><font size="2">Copyright</font>
+    <a href="copyright.htm"><font size="2">Copyright</font>   © <font
-  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -6,6 +6,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,12 +14,14 @@
         <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -36,13 +39,16 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-               </a></i></font><font color="#ffffff">Shorewall      1.3  
+                           </a></i></font><font color="#ffffff">Shorewall 
-               <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
+     1.3     -               <font size="4">"<i>iptables                 
 made  easy"</i></font></font></h1>
@ -73,6 +79,7 @@
 <div align="center">                                                     
 <center>                                                                 
@ -93,6 +100,7 @@
      <h2 align="left">What is it?</h2>
@ -103,6 +111,8 @@
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
@ -116,25 +126,31 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify
-                                      it        under the terms of <a
+                                            it        under the terms of
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+      <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
-General Public License</a> as published by the Free Software        Foundation.<br>
+the GNU General Public License</a> as published by the Free Software    
   Foundation.<br>
                               <br>
-              This   program     is  distributed       in  the   hope   that
+                          This   program     is  distributed       in  the
-    it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;  
+   hope     that     it   will     be  useful,    but         WITHOUT  ANY 
-without      even the   implied    warranty      of MERCHANTABILITY     
+    WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY 
-       or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the  GNU
+              or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the
-General     Public  License           for  more details.<br>
+   GNU General     Public  License           for  more details.<br>
                               <br>
-              You   should    have   received     a  copy   of  the   GNU 
+                          You   should    have   received     a  copy   of
-  General         Public      License             along  with   this program; 
+  the     GNU     General         Public      License             along 
-    if  not,    write  to  the    Free Software        Foundation,       
+with    this   program;       if  not,    write  to  the    Free Software
-    Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
+       Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA
 02139,       USA</p>
@ -155,25 +171,28 @@ General     Public  License           for  more details.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-               </a>Jacques              Nilo   and   Eric   Wolzak    have
+                           </a>Jacques              Nilo   and   Eric   Wolzak
-   a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or compact
+      have     a   LEAF  (router/firewall/gateway         on  a floppy, 
-   flash)  distribution        called              <i>Bering</i>    that
+ CD    or compact     flash)  distribution        called              <i>Bering</i> 
-         features      Shorewall-1.3.10  and    Kernel-2.4.18.       You
+       that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
-   can  find    their    work at:                <a
+       You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                          </a></p>
      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.0 Final!!! </b><br>
                                     </p>
      <h2>This is a mirror of the main Shorewall web site at SourceForge
 (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -188,6 +207,7 @@ Bering 1.0 Final!!! </b><br>
      <h2>News</h2>
@ -198,6 +218,8 @@ Bering 1.0 Final!!! </b><br>
      <h2></h2>
@ -205,277 +227,107 @@ Bering 1.0 Final!!! </b><br>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b><br>
      </p>
-      <p>Just includes a few things that I had on the burner:<br>
+                 
- </p>
+      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
      <p>New features include</p>
      <ol>
-        <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules 
+        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-file. DNAT- is intended for advanced users who wish to minimize the number 
+When   set to Yes, Shorewall ping handling is as it has always been (see
-of rules that connection requests must traverse.<br>
+http://www.shorewall.net/ping.html).<br>
         <br>
- A Shorewall DNAT rule actually generates two iptables rules: a header rewriting 
+     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
-rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- 
+policies   just like any other connection request. The FORWARDPING=Yes option 
-rule only generates the first of these rules. This is handy when you have 
+in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-several DNAT rules that would generate the same ACCEPT rule.<br>
+will   all generate an error.<br>
     <br>
    Here are three rules from my previous rules file:<br>
     <br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
     <br>
    These three rules ended up generating _three_ copies of<br>
     <br>
          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
     <br>
    By writing the rules this way, I end up with only one copy of the ACCEPT
 rule.<br>
     <br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
         <br>
       </li>
-        <li>The 'shorewall check' command now prints out the applicable policy
+        <li>It is now possible to direct Shorewall to create a "label" such
-between each pair of zones.<br>
+ as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
 and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
 of just  the interface name:<br>
      <br>
        a) In the INTERFACE column of /etc/shorewall/masq<br>
        b) In the INTERFACE column of /etc/shorewall/nat<br>
      </li>
        <li>Support for OpenVPN Tunnels.<br>
     <br>
 </li>
-        <li>A new CLEAR_TC option has been added to shorewall.conf. If this
+        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
-option is set to 'No' then Shorewall won't clear the current traffic control
+eth0.0)<br>
 rules during [re]start. This setting is intended for use by people that prefer 
 to configure traffic shaping when the network interfaces come up rather than 
 when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes 
 and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, 
 your traffic shaping rules can still use the 'fwmark' classifier based on 
 packet marking defined in /etc/shorewall/tcrules.<br>
     <br>
   </li>
-        <li>A new SHARED_DIR variable has been added that allows distribution
+        <li>When an interface name is entered in the SUBNET column of the
-packagers to easily move the shared directory (default /usr/lib/shorewall).
+/etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
-Users should never have a need to change the value of this shorewall.conf
+only the first subnet   defined on that interface. It did not masquerade
-setting.<br>
+traffic from:<br>
      <br>
        a) The subnets associated with other addresses on the interface.<br>
        b) Subnets accessed through local routers.<br>
      <br>
     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
 SUBNET  column, shorewall will use the firewall's routing table to construct 
 the masquerading/SNAT rules.<br>
      <br>
     Example 1 -- This is how it works in 1.3.14.<br>
        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
      <br>
     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
 connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
  entry, your /etc/shorewall/masq file will need changing. In most cases,
 you  will simply be able to remove redundant entries. In some cases though,
 you  might want to change from using the interface name to listing specific
 subnetworks  if the change described above will cause masquerading to occur
 on subnetworks  that you don't wish to masquerade.<br>
      <br>
     Example 2 -- Suppose that your current config is as follows:<br>
        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
      <br>
        In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
      <br>
     Example 3 -- What if your current configuration is like this?<br>
      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
      <br>
        In this case, you would want to change the entry in  /etc/shorewall/masq 
  to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
        </li>
      </ol>
      <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
                                                     </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall
   Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
            </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
                                                  </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 
   documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                         <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                     </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>               
                                </b></p>
      <p>     Features include:<br>
                  </p>
      <ol>
                <li>"shorewall refresh" now reloads the traffic shaping rules 
  (tcrules     and tcstart).</li>
                <li>"shorewall debug [re]start" now turns off debugging after 
  an  error   occurs. This places the point of the failure near the end of 
 the trace rather   than up in the middle of it.</li>
                <li>"shorewall [re]start" has been speeded up by more than
 40%   with   my  configuration. Your milage may vary.</li>
                <li>A "shorewall show classifiers" command has been added 
 which    shows   the current packet classification filters. The output from 
 this  command  is  also added as a separate page in "shorewall monitor"</li>
                <li>ULOG (must be all caps) is now accepted as a valid syslog 
  level   and  causes the subject packets to be logged using the ULOG target 
  rather   than  the LOG target. This allows you to run ulogd (available from
            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
      and log all Shorewall messages <a href="shorewall_logging.html">to a
 separate  log file</a>.</li>
                <li>If you are running a kernel that has a FORWARD chain
 in  the   mangle    table ("shorewall show mangle" will show you the chains 
 in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
     input packets based on their destination even when you are using  Masquerading
     or SNAT.</li>
                <li>I have cluttered up the /etc/shorewall directory with 
 empty    'init',    'start', 'stop' and 'stopped' files. If you already have 
 a file    with one   of these names, don't worry -- the upgrade process won't 
 overwrite    your file.</li>
                <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
    the syslog level at which packets are logged as a result of entries in
 the   /etc/shorewall/rfc1918 file. Previously, these packets were always
 logged   at the 'info' level.<br>
           </li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
               </p>
         This version corrects a problem with Blacklist logging. In Beta
 2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would 
 fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                          </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                            </b></p>
             The first public Beta version of Shorewall 1.3.12 is now available 
   (Beta  1 was made available to a limited audience). <br>
              <br>
              Features include:<br>
 <br>
-                               
+      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
-      <ol>
+      </b><b><img border="0" src="images/new10.gif" width="28"
-                     <li>"shorewall refresh" now reloads the traffic shaping
+ height="12" alt="(New)">
  rules    (tcrules  and tcstart).</li>
                     <li>"shorewall debug [re]start" now turns off debugging
  after    an  error occurs. This places the point of the failure near the
 end of the   trace  rather than up in the middle of it.</li>
                     <li>"shorewall [re]start" has been speeded up by more
 than   40%   with  my configuration. Your milage may vary.</li>
                     <li>A "shorewall show classifiers" command has been
 added    which    shows the current packet classification filters. The output
 from    this command    is also added as a separate page in "shorewall monitor"</li>
                     <li>ULOG (must be all caps) is now accepted as a valid 
 syslog    level  and causes the subject packets to be logged using the ULOG 
 target   rather than the LOG target. This allows you to run ulogd (available 
 from            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
      and log all Shorewall messages <a href="shorewall_logging.html">to a
 separate  log file</a>.</li>
                     <li>If you are running a kernel that has a FORWARD chain 
  in  the   mangle table ("shorewall show mangle" will show you the chains 
 in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
    This allows  for  marking input packets based on their destination even
  when  you are using  Masquerading or SNAT.</li>
                     <li>I have cluttered up the /etc/shorewall directory 
 with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
 have   a file  with  one of these names, don't worry -- the upgrade process 
 won't   overwrite  your  file.</li>
      </ol>
              You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
                </a></b></p>
               Shorewall is at the center of MandrakeSoft's recently-announced
         <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
       Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
       release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
             </b></p>
   Webmin version 1.060 now has Shorewall support included as standard. See
       <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>   </b>
      <p><b></b></p>
-      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
+      <p><b></b></p>
         delivered. I have installed 9.0 on one of my systems and I am now
 in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
                         </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
          with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
 users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                                        </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
            documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                              <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                          </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
                 </b></p>
      <p>In this version:</p>
      <ul>
-                               <li>A 'tcpflags' option has been added to
+                                                                        
 entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
     This option causes Shorewall to make a set of sanity check on TCP packet 
    header flags.</li>
                               <li>It is now allowed to use 'all' in the
 SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>. 
 When   used,  'all'   must  appear  by itself (in may not be qualified) and
 it does   not  enable   intra-zone  traffic.  For example, the rule <br>
                            <br>
                            ACCEPT loc all tcp 80<br>
                            <br>
                        does not enable http traffic from 'loc' to 'loc'.</li>
                               <li>Shorewall's use of the 'echo' command
 is  now   compatible      with   bash clones such as ash and dash.</li>
                               <li>fw-&gt;fw policies now generate a startup
  error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
@ -485,6 +337,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <p><b></b><a href="News.htm">More News</a></p>
@ -496,12 +349,14 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <h2><a name="Donations"></a>Donations</h2>
                                                                     </td>
-                      <td width="88" bgcolor="#4b017c" valign="top"
+                                  <td width="88" bgcolor="#4b017c"
- align="center">              <a href="http://sourceforge.net">M</a></td>
+ valign="top" align="center">              <a
 href="http://sourceforge.net">M</a></td>
                              </tr>
@ -536,11 +391,13 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                                                                        
+                                                                        
-                </a></p>
+                             </a></p>
@ -570,10 +427,9 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                    <br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -47,8 +47,8 @@
                <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
                <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
-      (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - 
+       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
-present</li>
+-  present</li>
                <li>Married 1969 - no children.</li>
 </ul>
@ -70,23 +70,23 @@ present</li>
 <ul>
                <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB 
- IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system.
+ IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Serves
-Serves as a PPTP server for Road Warrior access. Also  has <a
+as a PPTP server for Road Warrior access. Dual boots <a
- href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
+ href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
  NIC   -  My      personal Linux System which runs Samba configured as a 
 WINS  server.    This      system also has <a
- href="http://www.vmware.com/">VMware</a>  installed    and      can run
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run both
-both <a href="http://www.debian.org">Debian  Woody</a> and         <a
+    <a href="http://www.debian.org">Debian  Woody</a> and         <a
 href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
                <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  
- Email   (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
+- Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), 
-DNS  server        (Bind).</li>
+DNS  server        (Bind 9).</li>
                <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
-   (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.12+  and a
+    (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.14  and a DHCP
-DHCP        server.</li>
+       server.</li>
-               <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
+                <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
- wife's        personal system.</li>
+My  wife's        personal system.</li>
                <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
 EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main
 work system.</li>
@ -116,10 +116,11 @@ work system.</li>
 width="125" height="40" hspace="4">
             </font></p>
-<p><font size="2">Last updated 1/7/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 1/24/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
              <font face="Trebuchet MS"><a href="copyright.htm"><font
 size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas 
 M. Eastep.</font></a></font><br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_features.htm
+++ b/STABLE/documentation/shorewall_features.htm
@ -44,12 +44,16 @@ control over the connections permitted between         each pair of zones.</li>
    </ul>
      </li>
-    <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to 
+      <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a> 
-help    get your first firewall up and running quickly</li>
+to  help    get your first firewall up and running quickly</li>
-    <li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> 
+  <li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
 href="http://www.webmin.com">http://www.webmin.com</a>)<br>
  </li>
      <li>Extensive <b> <a
 href="shorewall_quickstart_guide.htm#Documentation">documentation</a>   
  </b>   included in the .tgz and .rpm downloads.</li>
-    <li><b>Flexible address management/routing support</b> (and you can use 
+      <li><b>Flexible address management/routing support</b> (and you can 
-all     types in the same firewall):        
+use  all     types in the same firewall):                  
    <ul>
        <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
        <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
@ -73,7 +77,8 @@ when an             "interesting" packet is detected.</li>
      </li>
      <li><b>VPN Support</b>                  
    <ul>
-      <li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP     Tunnels</a>.</li>
+        <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP     and 
 OpenVPN Tunnels</a>.</li>
        <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
    </ul>
@ -86,26 +91,28 @@ when an             "interesting" packet is detected.</li>
        <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
          packages available.</li>
-      <li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
+        <li>Includes <a href="Install.htm"><b>automated install, upgrade, 
-         and uninstall facilities</b></a> for users who can't use or choose 
+fallback          and uninstall facilities</b></a> for users who can't use 
-not         to use the RPM or Debian packages.</li>
+or choose  not         to use the RPM or Debian packages.</li>
        <li>Included as a standard part of<b> <a
 href="http://leaf.sourceforge.net/devel/jnilo">     LEAF/Bering</a> </b>(router/firewall
 on a floppy, CD or compact flash).</li>
    </ul>
     </li>
-   <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address 
+     <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
-    <b>Verification</b><br>
+Address      <b>Verification</b><br>
       </a><br>
      </li>
 </ul>
-<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_mirrors.htm
+++ b/STABLE/documentation/shorewall_mirrors.htm
@ -45,7 +45,7 @@ and is located in California, USA. It is mirrored at:</p>
 (Martinez (Zona Norte - GBA), Argentina)</li>
     <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
    (Paris, France)</li>
-    <li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
+    <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
 (Washington State, USA)<br>
    </li>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -35,7 +35,9 @@
 </table>
 <p align="center">With thanks to Richard who reminded me once again that we
-must  all first walk before we can run.</p>
+must  all first walk before we can run.<br>
 The French Translations are courtesy of Patrice Vetsel<br>
 </p>
 <h2>The Guides</h2>
@ -45,12 +47,14 @@ must  all first walk before we can run.</p>
 <p>The following guides are for <b>users who have a single public IP address</b>:</p>
 <ul>
-                  <li><a href="standalone.htm">Standalone</a> Linux System</li>
+                    <li><a href="standalone.htm">Standalone</a> Linux System 
 (<a href="standalone_fr.html">Version Française</a>)</li>
                    <li><a href="two-interface.htm">Two-interface</a> Linux 
-System    acting    as a    firewall/router for a small local network</li>
+ System    acting    as a    firewall/router for a small local network (<a
-                  <li><a href="three-interface.htm">Three-interface</a> Linux 
+ href="two-interface_fr.html">Version Française</a>)</li>
-  System    acting  as a    firewall/router for a small local network and 
+                    <li><a href="three-interface.htm">Three-interface</a> 
-a  DMZ.</li>
+Linux    System    acting  as a    firewall/router for a small local network 
 and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
 </ul>
@ -65,8 +69,8 @@ a  DMZ.</li>
 <ul>
                    <li><a href="shorewall_setup_guide.htm#Introduction">1.0
  Introduction</a></li>
-                  <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
+                    <li><a href="shorewall_setup_guide.htm#Concepts">2.0
-    Concepts</a></li>
+Shorewall      Concepts</a></li>
                    <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
 Network     Interfaces</a></li>
                    <li><a href="shorewall_setup_guide.htm#Addressing">4.0
@ -77,7 +81,8 @@ Addressing,       Subnets  and Routing</a>
 IP  Addresses</a></li>
                                  <li><a
 href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
-                    <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
+                      <li><a href="shorewall_setup_guide.htm#Routing">4.3 
 Routing</a></li>
                      <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address 
  Resolution      Protocol</a></li>
@ -86,8 +91,8 @@ IP  Addresses</a></li>
    <ul>
-                    <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 
+                      <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 
- 1918</a></li>
+RFC   1918</a></li>
    </ul>
@ -96,7 +101,8 @@ IP  Addresses</a></li>
   up  your   Network</a>                                                
    <ul>
-                    <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
+                      <li><a href="shorewall_setup_guide.htm#Routed">5.1
 Routed</a></li>
    </ul>
@ -114,16 +120,16 @@ SNAT</a></li>
 DNAT</a></li>
                        <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
   Proxy    ARP</a></li>
-                      <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
+                        <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 
-   NAT</a></li>
+Static    NAT</a></li>
        </ul>
                      </li>
                      <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-                    <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 
+                      <li><a
- Odds   and   Ends</a></li>
+ href="shorewall_setup_guide.htm#OddsAndEnds">5.4   Odds   and   Ends</a></li>
    </ul>
@ -157,8 +163,9 @@ DNAT</a></li>
      file   features</a>                                               
    <ul>
-                    <li><a href="configuration_file_basics.htm#Comments">Comments
+                      <li><a
- in configuration files</a></li>
+ href="configuration_file_basics.htm#Comments">Comments  in configuration 
 files</a></li>
                      <li><a
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
                      <li><a href="configuration_file_basics.htm#Ports">Port
@ -167,14 +174,15 @@ DNAT</a></li>
  Ranges</a></li>
                      <li><a
 href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
-                    <li><a href="configuration_file_basics.htm#dnsnames">Using
+                      <li><a
- DNS Names</a><br>
+ href="configuration_file_basics.htm#dnsnames">Using  DNS Names</a><br>
                 </li>
                      <li><a
 href="configuration_file_basics.htm#Compliment">Complementing an IP address 
 or Subnet</a></li>
-                    <li><a href="configuration_file_basics.htm#Configs">Shorewall
+                      <li><a
- Configurations (making a test configuration)</a></li>
+ href="configuration_file_basics.htm#Configs">Shorewall   Configurations
 (making a test configuration)</a></li>
                      <li><a href="configuration_file_basics.htm#MAC">Using 
 MAC Addresses in Shorewall</a></li>
@ -224,7 +232,8 @@ MAC Addresses in Shorewall</a></li>
                    <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                    <li><a href="shorewall_firewall_structure.htm">Firewall 
 Structure</a></li>
-                  <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
+                    <li><font color="#000099"><a href="kernel.htm">Kernel 
 Configuration</a></font></li>
       <li><a href="shorewall_logging.html">Logging</a><br>
       </li>
                    <li><a href="MAC_Validation.html">MAC Verification</a><br>
@ -254,8 +263,8 @@ Structure</a></li>
  </ul>
                    <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
-  <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
+    <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy 
-Shorewall</a><br>
+with Shorewall</a><br>
    </li>
                    <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
                    <li>VPN                                             
@ -263,27 +272,31 @@ Shorewall</a><br>
    <ul>
                      <li><a href="IPSEC.htm">IPSEC</a></li>
                      <li><a href="IPIP.htm">GRE and IPIP</a></li>
      <li><a href="OPENVPN.html">OpenVPN</a><br>
      </li>
                      <li><a href="PPTP.htm">PPTP</a></li>
-                    <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind 
+                      <li><a href="VPN.htm">IPSEC/PPTP</a> from a system
-  your   firewall   to a      remote network.</li>
+behind    your   firewall   to a      remote network.</li>
    </ul>
                    </li>
-                  <li><a href="whitelisting_under_shorewall.htm">White List 
+                    <li><a href="whitelisting_under_shorewall.htm">White
- Creation</a></li>
+List   Creation</a></li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 2/4/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M.
 Eastep</font></a><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@ -6,6 +6,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,13 +14,14 @@
-                                                                  <base
+                                                                        
- target="_self">
+                                     <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -37,14 +39,18 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
                                  </a></i></font><font color="#ffffff">Shorewall
-  1.3     -               <font size="4">"<i>iptables                   made
+         1.3     -               <font size="4">"<i>iptables            
- easy"</i></font></font><a href="http://www.sf.net">            </a></h1>
+      made  easy"</i></font></font><a href="http://www.sf.net">         
        </a></h1>
@ -61,12 +67,14 @@
  </tbody>                                                               
 </table>
 <div align="center">                                                    
 <center>                                                                
@ -88,6 +96,7 @@
      <h2 align="left">What is it?</h2>
@ -99,7 +108,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                                                                        
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is 
    a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based 
    firewall        that can be used on a dedicated firewall system, a multi-function 
           gateway/router/server or on a standalone GNU/Linux system.</p>
@ -113,25 +124,32 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
-                                          it        under the terms of <a
+                                               it        under the terms of
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+        <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
-General Public License</a> as published by the Free Software        Foundation.<br>
+ the GNU General Public License</a> as published by the Free Software   
    Foundation.<br>
                                      <br>
-                      This   program     is  distributed       in  the  
+                                 This   program     is  distributed     
-hope     that     it   will     be  useful,    but         WITHOUT  ANY 
+ in   the     hope     that     it   will     be  useful,    but        
-  WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY 
+WITHOUT    ANY      WARRANTY;      without      even the   implied    warranty
-            or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the 
+     of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR
- GNU General     Public  License           for  more details.<br>
+     PURPOSE.        See the    GNU General     Public  License         
 for   more details.<br>
                                      <br>
-                      You   should    have   received     a  copy   of  the 
+                                 You   should    have   received     a  copy
-   GNU     General         Public      License             along  with   this
+    of   the     GNU     General         Public      License            
-  program;       if  not,    write  to  the    Free Software        Foundation,
+along     with    this   program;       if  not,    write  to  the    Free
-             Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
+Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge, 
 MA    02139,       USA</p>
@ -154,20 +172,23 @@ hope     that     it   will     be  useful,    but         WITHOUT  ANY
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                       </a>Jacques              Nilo   and   Eric   Wolzak
+                                  </a>Jacques              Nilo   and   Eric
-    have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD 
+    Wolzak       have     a   LEAF  (router/firewall/gateway         on 
-  or compact     flash)  distribution        called              <i>Bering</i> 
+a  floppy,    CD    or compact     flash)  distribution        called   
-     that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
+          <i>Bering</i>          that          features      Shorewall-1.3.10
-     You    can  find    their    work at:                <a
+  and    Kernel-2.4.18.          You    can  find    their    work at:  
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+             <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                               <b>Congratulations to Jacques and Eric on
+                                          <b>Congratulations to Jacques and 
-the   recent    release     of  Bering  1.0 Final!!! <br>
+ Eric   on  the   recent    release     of  Bering  1.0 Final!!! <br>
                                          </b>                          
      <h2>News</h2>
@ -182,303 +203,108 @@ the   recent    release     of  Bering  1.0 Final!!! <br>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b><br>
 </p>
-      <p>Just includes a few things that I had on the burner:<br>
+      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
- </p>
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
      <p>New features include</p>
      <ol>
-        <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules 
+        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-file. DNAT- is intended for advanced users who wish to minimize the number 
+When   set to Yes, Shorewall ping handling is as it has always been (see
-of rules that connection requests must traverse.<br>
+http://www.shorewall.net/ping.html).<br>
         <br>
- A Shorewall DNAT rule actually generates two iptables rules: a header rewriting 
+     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
-rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- 
+policies   just like any other connection request. The FORWARDPING=Yes option 
-rule only generates the first of these rules. This is handy when you have 
+in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-several DNAT rules that would generate the same ACCEPT rule.<br>
+will   all generate an error.<br>
     <br>
    Here are three rules from my previous rules file:<br>
     <br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
     <br>
    These three rules ended up generating _three_ copies of<br>
     <br>
          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
     <br>
    By writing the rules this way, I end up with only one copy of the ACCEPT
 rule.<br>
     <br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
         <br>
       </li>
-        <li>The 'shorewall check' command now prints out the applicable policy
+        <li>It is now possible to direct Shorewall to create a "label" such
-between each pair of zones.<br>
+ as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
 and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
 of just  the interface name:<br>
      <br>
        a) In the INTERFACE column of /etc/shorewall/masq<br>
        b) In the INTERFACE column of /etc/shorewall/nat<br>
      </li>
        <li>Support for OpenVPN Tunnels.<br>
     <br>
 </li>
-        <li>A new CLEAR_TC option has been added to shorewall.conf. If this
+        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
-option is set to 'No' then Shorewall won't clear the current traffic control
+eth0.0)<br>
 rules during [re]start. This setting is intended for use by people that prefer 
 to configure traffic shaping when the network interfaces come up rather than 
 when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes 
 and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, 
 your traffic shaping rules can still use the 'fwmark' classifier based on 
 packet marking defined in /etc/shorewall/tcrules.<br>
     <br>
   </li>
-        <li>A new SHARED_DIR variable has been added that allows distribution
+        <li>When an interface name is entered in the SUBNET column of the
-packagers to easily move the shared directory (default /usr/lib/shorewall).
+/etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
-Users should never have a need to change the value of this shorewall.conf
+only the first subnet   defined on that interface. It did not masquerade
-setting.</li>
+traffic from:<br>
-      </ol>
+      <br>
-      <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
+        a) The subnets associated with other addresses on the interface.<br>
-                                                    </b></p>
+        b) Subnets accessed through local routers.<br>
      <br>
     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
 SUBNET  column, shorewall will use the firewall's routing table to construct 
 the masquerading/SNAT rules.<br>
      <br>
     Example 1 -- This is how it works in 1.3.14.<br>
        <br>
-      <p><b>Until further notice, I will not be involved in either Shorewall 
+          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
  Development or Shorewall Support</b></p>
-      <p><b>-Tom Eastep</b><br>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
      </p>
-      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
+          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
-                                                 </b></p>
+      <br>
     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
 connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
  entry, your /etc/shorewall/masq file will need changing. In most cases,
 you  will simply be able to remove redundant entries. In some cases though,
 you  might want to change from using the interface name to listing specific
 subnetworks  if the change described above will cause masquerading to occur
 on subnetworks  that you don't wish to masquerade.<br>
      <br>
     Example 2 -- Suppose that your current config is as follows:<br>
        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-   documenation.        the PDF may be downloaded from</p>
+      <br>
        In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
      <br>
     Example 3 -- What if your current configuration is like this?<br>
      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-      <p>    <a
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
- href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
+      <br>
- target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
+        In this case, you would want to change the entry in  /etc/shorewall/masq 
-                        <a
+  to:<br>
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                    </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
                                </b></p>
      <p>     Features include:<br>
                  </p>
      <ol>
                <li>"shorewall refresh" now reloads the traffic shaping rules 
  (tcrules     and tcstart).</li>
                <li>"shorewall debug [re]start" now turns off debugging after 
  an  error   occurs. This places the point of the failure near the end of 
 the trace rather   than up in the middle of it.</li>
                <li>"shorewall [re]start" has been speeded up by more than
 40%   with   my  configuration. Your milage may vary.</li>
                <li>A "shorewall show classifiers" command has been added 
 which    shows   the current packet classification filters. The output from 
 this  command  is  also added as a separate page in "shorewall monitor"</li>
                <li>ULOG (must be all caps) is now accepted as a valid syslog 
  level   and  causes the subject packets to be logged using the ULOG target 
  rather   than  the LOG target. This allows you to run ulogd (available from
            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
      and log all Shorewall messages <a href="shorewall_logging.html">to a
 separate log file</a>.</li>
                <li>If you are running a kernel that has a FORWARD chain
 in  the   mangle    table ("shorewall show mangle" will show you the chains 
 in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
     input packets based on their destination even when you are using  Masquerading
     or SNAT.</li>
                <li>I have cluttered up the /etc/shorewall directory with 
 empty    'init',    'start', 'stop' and 'stopped' files. If you already have 
 a file    with one   of these names, don't worry -- the upgrade process won't 
 overwrite    your file.</li>
                <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
    the syslog level at which packets are logged as a result of entries in
 the   /etc/shorewall/rfc1918 file. Previously, these packets were always
 logged   at the 'info' level.</li>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
        </li>
      </ol>
-      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
+      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
-          </p>
+      </b><b><img border="0" src="images/new10.gif" width="28"
-          This version corrects a problem with Blacklist logging. In Beta 
+ height="12" alt="(New)">
 2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would
  fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                          </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
             </b></p>
-             The first public Beta version of Shorewall 1.3.12 is now available 
+    Webmin version 1.060 now has Shorewall support included as standard.
-   (Beta  1 was made available only to a limited audience). <br>
+See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b> 
-              <br>
+ </b>              
              Features include:<br>
              <br>
      <ol>
                     <li>"shorewall refresh" now reloads the traffic shaping
  rules    (tcrules  and tcstart).</li>
                     <li>"shorewall debug [re]start" now turns off debugging
  after    an  error occurs. This places the point of the failure near the
 end of the   trace  rather than up in the middle of it.</li>
                     <li>"shorewall [re]start" has been speeded up by more
 than   40%   with  my configuration. Your milage may vary.</li>
                     <li>A "shorewall show classifiers" command has been
 added    which    shows the current packet classification filters. The output
 from    this command    is also added as a separate page in "shorewall monitor"</li>
                     <li>ULOG (must be all caps) is now accepted as a valid 
 syslog    level  and causes the subject packets to be logged using the ULOG 
 target   rather than the LOG target. This allows you to run ulogd (available 
 from            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
      and log all Shorewall messages <a href="shorewall_logging.html">to a
 separate log file</a>.</li>
                     <li>If you are running a kernel that has a FORWARD chain 
  in  the   mangle table ("shorewall show mangle" will show you the chains 
 in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
    This allows  for  marking input packets based on their destination even
  when  you are using  Masquerading or SNAT.</li>
                     <li>I have cluttered up the /etc/shorewall directory 
 with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
 have   a file  with  one of these names, don't worry -- the upgrade process 
 won't   overwrite  your  file.</li>
      </ol>
              You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
                </a></b></p>
               Shorewall is at the center of MandrakeSofts's recently-announced 
         <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
       Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
       release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
         delivered. I have installed 9.0 on one of my systems and I am now
 in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
                         </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
          with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
 users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                                        </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
             documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                               <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                           </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b>                        
          </b></p>
      <p>In this version:</p>
      <ul>
                                <li>A 'tcpflags' option has been added to 
 entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
      This option causes Shorewall to make a set of sanity check on TCP packet
     header flags.</li>
                                <li>It is now allowed to use 'all' in the 
 SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.
  When   used,  'all'   must  appear  by itself (in may not be qualified)
 and it does   not  enable   intra-zone  traffic.  For example, the rule <br>
                             <br>
                             ACCEPT loc all tcp 80<br>
                             <br>
                         does not enable http traffic from 'loc' to 'loc'.</li>
                                <li>Shorewall's use of the 'echo' command 
 is  now   compatible      with   bash clones such as ash and dash.</li>
                                <li>fw-&gt;fw policies now generate a startup 
  error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
                             </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
             documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                               <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                           </p>
      <p><b></b></p>
      <ul>
@ -486,6 +312,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      </ul>
@ -493,7 +320,9 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
-      <p><b></b><a href="News.htm">More News</a></p>
+                                                                 
      <p><a href="News.htm">More News</a></p>
@ -510,6 +339,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -518,23 +348,28 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
      <h4>       </h4>
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
      <h2><a name="Donations"></a>Donations</h2>
         </td>
-                              <td width="88" bgcolor="#4b017c"
+                                         <td width="88"
- valign="top" align="center">              <br>
+ bgcolor="#4b017c" valign="top" align="center">              <br>
                                                          </td>
                                     </tr>
@ -543,6 +378,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
  </tbody>                                                               
 </table>
@ -553,6 +389,7 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -561,7 +398,8 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
                              <tr>
-                       <td width="100%" style="margin-top: 1px;">       
+                                  <td width="100%"
 style="margin-top: 1px;">                                              
@ -586,11 +424,12 @@ is  now   compatible      with   bash clones such as ash and dash.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+                                   
-but if       you try it and find it useful, please consider making a donation
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                                               to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight        
+ href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Children's Foundation.</font></a> Thanks!</font></p>
+Foundation.</font></a> Thanks!</font></p>
                                  </td>
@ -600,16 +439,17 @@ Children's Foundation.</font></a> Thanks!</font></p>
  </tbody>                                                               
 </table>
-<p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font> 
+ 
 <p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
                                         <br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/spam_filters.htm
+++ b/STABLE/documentation/spam_filters.htm
@ -1,44 +1,62 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>SPAM Filters</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1>
+      <h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <h1 align="center"><br>
-<a href="http://ordb.org">
+ <a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img
-<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1>
+ src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
 height="38">
 </a><img border="0" src="images/but3.png" hspace="3" width="88"
 height="31">
 </a></h1>
 <p>Like all of you, I'm concerned about the increasing volume of Unsolicited 
-Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who
+Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
-are installing SPAM filters on your mail servers. A couple of recent incidents
+you who are installing SPAM filters on your mail servers. A couple of recent
-involving mis-configured filters have prompted me to establish this page to spell
+incidents involving mis-configured filters have prompted me to establish
-out what I will do when these filters bounce list postings.</p>
+this page to spell out what I will do when these filters bounce list postings.</p>
 <p>When your SPAM filter bounces/rejects list mail, I will:</p>
 <ol>
-  <li>immediately turn off delivery to you from all Shorewall lists to
+   <li>immediately turn off delivery to you from all Shorewall lists to which
-which you subscribe.</li>
+you subscribe.</li>
   <li><u>try</u> to send you an email from a source other than shorewall.net</li>
 </ol>
 <p>When you have corrected the problem, please let me know and I will re-enable 
 delivery (or you can reenable delivery yourself).</p>
-<p><font size="2">Last Updated 3/21/2002 - Tom Eastep</font></p>
+ 
 <p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
 </html>
--- a/STABLE/documentation/standalone.htm
+++ b/STABLE/documentation/standalone.htm
@ -60,9 +60,9 @@ for this  program:</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
          If you edit your configuration files on a Windows system, you must
  save them as  Unix files if your editor supports that option or you must
-run them through  dos2unix before trying to use them. Similarly, if you copy 
+ run them through  dos2unix before trying to use them. Similarly, if you
-a configuration file  from your Windows hard drive to a floppy disk, you must
+copy  a configuration file  from your Windows hard drive to a floppy disk,
-run dos2unix against the  copy before using it with Shorewall.</p>
+you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
@ -78,8 +78,8 @@ run dos2unix against the  copy before using it with Shorewall.</p>
 alt="">
     The configuration files for Shorewall are contained in the directory 
 /etc/shorewall -- for simple setups, you  only need to deal with a few of
- these as described in this guide.  After you have <a href="Install.htm">installed 
+  these as described in this guide.  After you have <a
-Shorewall</a>,  <b>download the <a
+ href="Install.htm">installed  Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
 un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
  (they will replace files with the same names that were placed in /etc/shorewall
@ -129,11 +129,11 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
  checked against the  /etc/shorewall/rules file. If no rule in that file 
 matches  the connection  request then the first policy in /etc/shorewall/policy 
 that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common
+the request is first  checked against the rules in /etc/shorewall/common (the
-(the samples provide that  file for you).</p>
+samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample
+<p>The /etc/shorewall/policy file included with the one-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -155,7 +155,8 @@ has the  following policies:</p>
          </tr>
          <tr>
            <td>net</td>
-           <td>net</td>
+            <td>all<br>
        </td>
            <td>DROP</td>
            <td>info</td>
            <td> </td>
@ -172,8 +173,6 @@ has the  following policies:</p>
  </table>
      </blockquote>
 <pre>     fw		net	ACCEPT<br>     net	all	DROP	info<br>     all	all	REJECT	info</pre>
 <p>The above policy will:</p>
 <ol>
@ -242,8 +241,8 @@ you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
             Before starting Shorewall, you should look at the IP address 
-of  your external    interface and if it is one of the above ranges, you
+of  your external    interface and if it is one of the above ranges, you should
-should  remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+ remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
     </div>
 <div align="left">        
@ -285,8 +284,8 @@ should  remove the    'norfc1918' option from the entry in /etc/shorewall/interf
      </div>
 <div align="left">        
-<p align="left">Example - You want to run a Web Server and a POP3 Server
+<p align="left">Example - You want to run a Web Server and a POP3 Server on
-on your firewall    system:</p>
+your firewall    system:</p>
     </div>
 <div align="left">        
@ -328,8 +327,8 @@ on your firewall    system:</p>
      </div>
 <div align="left">        
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, see <a href="ports.htm">here</a>.</p>
+uses, see <a href="ports.htm">here</a>.</p>
     </div>
 <div align="left">        
@ -367,10 +366,6 @@ application uses, see <a href="ports.htm">here</a>.</p>
        </blockquote>
      </div>
 <div align="left">       
 <pre>     ACCEPT	net	fw	tcp	22</pre>
     </div>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
@ -389,7 +384,8 @@ application uses, see <a href="ports.htm">here</a>.</p>
  your system to start Shorewall at system boot but beginning with Shorewall
  version 1.3.9 startup is disabled so that your system won't try to start
 Shorewall before configuration is complete. Once you have completed configuration
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+ of your firewall, you can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
     </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
@ -418,11 +414,12 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 try" command</a>.</p>
     </div>
-<p align="left"><font size="2">Last updated 12/9/2002 - <a
+<p align="left"><font size="2">Last updated 1/26/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-  M. Eastep</font></a></p>
+Thomas   M. Eastep</font></a></p>
       <br>
     <br>
    <br>
   <br>
--- a/STABLE/documentation/starting_and_stopping_shorewall.htm
+++ b/STABLE/documentation/starting_and_stopping_shorewall.htm
@ -25,6 +25,7 @@
                   <td width="100%">                                    
      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
   the Firewall</font></h1>
@ -54,6 +55,7 @@ graphical  run-level editor.</p>
 <p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
       </p>
@ -63,9 +65,9 @@ graphical  run-level editor.</p>
   Note: Users of the .deb package must edit /etc/default/shorewall and set
   'startup=1'.<br>
         </li>
-      <li>If you use dialup, you may want to start the firewall     in your 
+         <li>If you use dialup, you may want to start the firewall     in 
- /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart" 
+your   /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall
- in that script.</li>
+ restart"   in that script.</li>
 </ol>
@ -82,25 +84,32 @@ graphical  run-level editor.</p>
 <ul>
           <li>shorewall start - starts the firewall</li>
           <li>shorewall stop - stops the firewall</li>
-        <li>shorewall restart - stops the firewall (if it's             running)
+           <li>shorewall restart - stops the firewall (if it's          
-  and  then starts it again</li>
+  running)   and  then starts it again</li>
           <li>shorewall reset - reset the packet and byte counters     
       in the  firewall</li>
-        <li>shorewall clear - remove all rules and chains             installed
+           <li>shorewall clear - remove all rules and chains            
-  by Shoreline  Firewall</li>
+installed    by Shoreline  Firewall</li>
           <li>shorewall refresh - refresh the rules involving the broadcast
          addresses  of firewall interfaces and the black and white lists.</li>
 </ul>
-If you include the keyword <i>debug</i> as the first argument, then a shell
+   If you include the keyword <i>debug</i> as the first argument, then a
-trace of the command is produced as in:<br>
+shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
-<p>The above command would trace the 'start' command and place the trace
+<p>The above command would trace the 'start' command and place the trace information
-information in the file /tmp/trace</p>
+in the file /tmp/trace<br>
  </p>
 <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
 bottom of this page.<br>
  </p>
 <p>The "shorewall" program may also be used to monitor the     firewall.</p>
@ -109,8 +118,8 @@ information in the file /tmp/trace</p>
            (iptables -L -n -v)</li>
           <li>shorewall show <i>chain</i> - produce a verbose report about 
     <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
-        <li>shorewall show nat - produce a verbose report about the nat table
+           <li>shorewall show nat - produce a verbose report about the nat
-            (iptables -t nat -L -n -v)</li>
+ table             (iptables -t nat -L -n -v)</li>
           <li>shorewall show tos - produce a verbose report about the mangle 
  table          (iptables -t mangle -L -n -v)</li>
           <li>shorewall show log - display the last 20 packet log entries.</li>
@ -126,33 +135,34 @@ information in the file /tmp/trace</p>
           <li>shorewall hits - Produces several reports about the Shorewall
  packet  log          messages in the current /var/log/messages file.</li>
           <li>shorewall version -  Displays the installed     version number.</li>
-        <li>shorewall check -  Performs a <u>cursory</u> validation     of
+           <li>shorewall check -  Performs a <u>cursory</u> validation  
- the  zones, interfaces, hosts, rules and policy files.    <font
+  of  the  zones, interfaces, hosts, rules and policy files.    <font
 size="4" color="#ff6666"><b>The "check" command does not parse and     validate 
 the   generated iptables commands so even though the "check" command    
 completes   successfully, the configuration may fail to start. See the  
  recommended   way to make configuration changes described below. </b></font> 
   </li>
           <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
-]  -  Restart shorewall using the     specified configuration and if an error
+  ]  -  Restart shorewall using the     specified configuration and if an
-  occurs or if the<i> timeout </i>    option is given and the new configuration
+error   occurs or if the<i> timeout </i>    option is given and the new configuration 
   has been up for that many seconds     then shorewall is restarted using 
 the  standard configuration.</li>
           <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
   save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
           <li>shorewall logwatch (added in version 1.3.2) - Monitors the 
-     <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
+       <a href="#Conf">LOGFILE </a>and produces an audible alarm when new
-      messages are logged.</li>
+ Shorewall       messages are logged.</li>
 </ul>
-  Finally, the "shorewall" program may be used to dynamically alter the contents
+     Finally, the "shorewall" program may be used to dynamically alter the
- of a zone.<br>
+ contents  of a zone.<br>
 <ul>
-    <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
+       <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds
- specified interface (and host if included) to the specified zone.</li>
+ the  specified interface (and host if included) to the specified zone.</li>
-    <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
+       <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
- the specified interface (and host if included) from the specified zone.</li>
+Deletes   the specified interface (and host if included) from the specified
 zone.</li>
 </ul>
@ -174,6 +184,7 @@ the  standard configuration.</li>
 <blockquote>                                                             
  <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
         shorewall try <i>configuration-directory</i></p>
         </blockquote>
@ -181,8 +192,8 @@ the  standard configuration.</li>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
     is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
-    . If the file is present in the <i>configuration-directory</i>, that file
+      . If the file is present in the <i>configuration-directory</i>, that
-   will be used; otherwise, the file in /etc/shorewall will be used.</p>
+ file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -236,7 +247,74 @@ the  standard configuration.</li>
-<p><font size="2">   Updated 1/9/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
 </p>
 <div align="center"><img
 src="file:///J:/Shorewall-docs/images/State_Diagram.png"
 alt="(State Diagram)" width="747" height="714" align="middle">
 <br>
 </div>
 <p>    <br>
   </p>
    You will note that the commands that result in state transitions use
 the  word "firewall" rather than "shorewall". That is because the actual
 transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
 on  Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
  <br>
 <table cellpadding="2" cellspacing="2" border="1">
     <tbody>
       <tr>
         <td valign="top">shorewall start<br>
         </td>
         <td valign="top">firewall start<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall stop<br>
         </td>
         <td valign="top">firewall stop<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall restart<br>
         </td>
         <td valign="top">firewall restart<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall add<br>
         </td>
         <td valign="top">firewall add<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall delete<br>
         </td>
         <td valign="top">firewall delete<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall refresh<br>
         </td>
         <td valign="top">firewall refresh<br>
         </td>
       </tr>
       <tr>
         <td valign="top">shorewall try<br>
         </td>
         <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
   If unsuccessful then firewall start (standard configuration)<br>
   If timeout then firewall restart (standard configuration)<br>
         </td>
       </tr>
  </tbody>   
 </table>
  <br>
 <p><font size="2">   Updated 1/29/2003 - <a href="support.htm">Tom  Eastep</a>
       </font></p>
@ -250,5 +328,8 @@ the  standard configuration.</li>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -18,6 +18,7 @@
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -31,6 +32,7 @@
      <h1 align="center"><font color="#ffffff">Shorewall Support<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                        </font></h1>
@ -41,24 +43,30 @@
  </tbody>                                  
 </table>
-<p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently 
+<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions 
-  not involved in either Shorewall development or Shorewall support. Nevertheless,
+ emailed directly to me, I try to spend some time each day answering questions 
-  the mailing list is being ably manned by other Shorewall users.</font></big><span
+ on the Shorewall Users Mailing List.</font></big><span
 style="font-weight: 400;"></span></big></b></p>
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
-<h2>Before Reporting a Problem</h2>
+<h1>Before Reporting a Problem</h1>
-                                   There are a number of sources for problem
+<i>"Well at least you tried to read the documentation, which is a lot more
-  solution information. Please     try these before you post.           
+than some people on this list appear to do.</i>"<br>
 <br>
 <div align="center">- Wietse Venema - On the Postfix mailing list<br>
 </div>
 <br>
                                        There are a number of sources for 
 problem     solution information. Please     try these before you post.  
 <h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-             <li>More than half of the questions posted on the support list 
+                  <li>More than half of the questions posted on the support 
- have answers directly accessible from the <a
+ list   have answers directly accessible from the <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
            <br>
          </li>
@ -88,8 +96,8 @@ has  solutions to  more than 20 common      problems.         </li>
 <h3>                     </h3>
 <ul>
-             <li>                                   The Mailing List Archives
+                  <li>                                   The Mailing List 
-  search facility can locate   posts    about         similar problems: 
+Archives     search facility can locate   posts    about         similar problems:
        </li>
 </ul>
@ -98,7 +106,7 @@ has  solutions to  more than 20 common      problems.         </li>
 <h2>Mailing List Archive Search</h2>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
  <p> <font size="-1"> Match:                                            
@ -124,9 +132,9 @@ has  solutions to  more than 20 common      problems.         </li>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-                           </font> <input type="hidden" name="config"
+                                </font> <input type="hidden"
- value="htdig">    <input type="hidden" name="restrict"
+ name="config" value="htdig">    <input type="hidden" name="restrict"
- value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
+ value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                                Search: <input type="text" size="30"
 name="words" value="">    <input type="submit" value="Search"> </p>
@ -138,10 +146,11 @@ has  solutions to  more than 20 common      problems.         </li>
  and when you   walk  into one of the rooms, you detect this strange smell. 
   Can anyone tell  you  what that strange smell is?<br>
               <br>
-          Now, all of us could do some wonderful guessing as to the smell 
+               Now, all of us could do some wonderful guessing as to the
-and   even   what's causing it.  You would be absolutely amazed at the range 
+smell    and   even   what's causing it.  You would be absolutely amazed
-and   variety   of smells we could come up with.  Even more amazing is that 
+at the range   and   variety   of smells we could come up with.  Even more
-all   of the explanations   for the smells would be completely plausible."<br>
+amazing is that   all   of the explanations   for the smells would be completely
 plausible."<br>
               </i><br>
 <div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
@ -151,8 +160,8 @@ all   of the explanations   for the smells would be completely plausible."<br>
 <h3>                     </h3>
 <ul>
-      <li>Please remember we only know what is posted in your message.  Do
+           <li>Please remember we only know what is posted in your message. 
- not  leave out any information that appears to be correct,  or was mentioned
+  Do  not  leave out any information that appears to be correct,  or was mentioned
   in  a previous post. There have been countless  posts by people who were
  sure  that some part of their  configuration was correct when it actually
  contained  a small error.  We tend to be skeptics where detail is lacking.<br>
@ -167,14 +176,14 @@ entries,  command output, and other output is better than a paraphrase or
 summary.<br>
             <br>
           </li>
-      <li>                                   Please don't describe your environment
+           <li>                                   Please don't describe your
-  and then  ask  us  to  send   you             custom configuration files.
+  environment   and then  ask  us  to  send   you             custom configuration
-  We're here  to answer   your  questions     but we           can't do your
+  files.   We're here  to answer   your  questions     but we           can't
-  job for you.<br>
+  do your   job for you.<br>
             <br>
                  </li>
-      <li>When reporting a problem, <strong>ALWAYS</strong> include this
+           <li>When reporting a problem, <strong>ALWAYS</strong> include
-information:</li>
+this   information:</li>
 </ul>
@ -223,7 +232,15 @@ information:</li>
               <br>
             </li>
             <li>the exact wording of any <code
- style="color: green; font-weight: bold;">ping</code> failure responses.<br>
+ style="color: green; font-weight: bold;">ping</code> failure responses<br>
       <br>
     </li>
     <li>If you installed Shorewall using one of the QuickStart Guides, please 
 indicate which one. <br>
       <br>
     </li>
     <li><b>If you are running Shorewall under Mandrake using the Mandrake 
 installation of Shorewall, please say so.</b><br>
               <br>
             </li>
@ -232,13 +249,15 @@ information:</li>
 </ul>
 <ul>
-      <li><b>NEVER </b>include the output of "<b><font color="#009900">iptables
+           <li><b>NEVER </b>include the output of "<b><font
-  -L</font></b>". Instead, please post the exact output of<br>
+ color="#009900">iptables    -L</font></b>". Instead, if you are having connection
 problems of any kind, post the exact output of<br>
             <br>
             <b><font color="#009900">/sbin/shorewall status<br>
             <br>
-        </font></b>Since that command generates a lot of output, we suggest 
+             </font></b>Since that command generates a lot of output, we
- that you redirect the output to a file and attach the file to your post<br>
+suggest     that you redirect the output to a file and attach the file to
 your post<br>
             <br>
             <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
             <br>
@ -271,9 +290,9 @@ so,   include the message(s) in your post along with a copy of your /etc/shorewa
    file.<br>
             <br>
           </li>
-      <li>Please include any of the Shorewall configuration  files    (especially 
+           <li>Please include any of the Shorewall configuration  files 
-          the    /etc/shorewall/hosts file if you have modified  that   file) 
+  (especially             the    /etc/shorewall/hosts file if you have modified
-    that  you    think are    relevant. If you include /etc/shorewall/rules,
+  that   file)      that  you    think are    relevant. If you include /etc/shorewall/rules, 
    please include /etc/shorewall/policy as well (rules are meaningless unless 
    one also knows the policies).                      </li>
@ -288,8 +307,8 @@ so,   include the message(s) in your post along with a copy of your /etc/shorewa
 <h3>                     </h3>
 <ul>
-                    <li>                         If an error occurs when
+                         <li>                         If an error occurs
-you   try   to "<font color="#009900"><b>shorewall  start</b></font>",  
+when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>", 
   include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
       section  for    instructions).         </li>
@ -299,64 +318,70 @@ you   try   to "<font color="#009900"><b>shorewall  start</b></font>",
 <ul>
                  <li>                                                  
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of
         your             network layout, etc. to the Mailing List  -- your
   post      will  be rejected.</b></h3>
           </li>
 </ul>
-    The author gratefully acknowleges that the above list was heavily plagiarized
+         The author gratefully acknowleges that the above list was heavily
-  from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
+ plagiarized    from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
-at  <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
+ found  at  <a
 href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
 <h2>Please post in plain text</h2>
 <blockquote>            </blockquote>
-      A growing number of MTAs serving list subscribers are rejecting all 
+           A growing number of MTAs serving list subscribers are rejecting
- HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net
+ all    HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net 
-  "for continuous abuse" because it has been my policy to allow HTML in list 
+    "for continuous abuse" because it has been my policy to allow HTML in 
-  posts!!<br>
+list    posts!!<br>
             <br>
-         I think that blocking all HTML is a Draconian way to control spam
+              I think that blocking all HTML is a Draconian way to control
-  and  that the ultimate losers here are not the spammers but the list subscribers
+ spam    and  that the ultimate losers here are not the spammers but the
-    whose MTAs are bouncing all shorewall.net mail. As one list subscriber
+list  subscribers      whose MTAs are bouncing all shorewall.net mail. As
- wrote  to me privately "These e-mail admin's need to get a <i>(expletive
+one list  subscriber   wrote  to me privately "These e-mail admin's need
-deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
+to get a <i>(expletive   deleted)</i>  life instead of trying to rid the
-Nevertheless,  to allow subscribers to receive list posts as must as possible,
+planet of HTML based e-mail".   Nevertheless,  to allow subscribers to receive
-I have now   configured the list server at shorewall.net to strip all HTML
+list posts as must as possible,   I have now   configured the list server
-from outgoing  posts.<br>
+at shorewall.net to strip all HTML   from outgoing  posts.<br>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
 <blockquote>                                                
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem
-     to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing 
+        to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
-     list</a>.</span></h4>
+ mailing       list</a>.</span></h4>
              <b>If you run Shorewall under MandrakeSoft Multi Network Firewall 
   (MNF)   and you have not purchased an MNF license from MandrakeSoft then 
  you can  post non MNF-specific Shorewall questions to the </b><a
- href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
-       <b>Do not expect to get free MNF support on the list.</b><br>
+ list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
  <p>Otherwise, please post your question or problem to the <a
- href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
 list.</a></p>
                </blockquote>
 <p>To Subscribe to the  mailing list go to <a
- href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> 
                     .</p>
-<p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 2/4/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
       </p>
       <br>
- 
+       <br>
     <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/three-interface.htm
+++ b/STABLE/documentation/three-interface.htm
@ -67,6 +67,8 @@ check   for this  program:</p>
      changes. Points at which configuration changes are  recommended are 
 flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
 . Configuration notes that are unique to LEAF/Bering are marked with <img
 src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
              </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
@ -138,9 +140,9 @@ names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.<
      in  terms of zones.</p>
 <ul>
-             <li>You express your default policy for connections from one 
+                <li>You express your default policy for connections from
-zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+one   zone   to  another    zone in the<a
-        </a>file.</li>
+ href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                <li>You define exceptions to those default policies in the
       <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -189,6 +191,7 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -216,6 +219,7 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -223,8 +227,8 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
 <p>The above policy will:</p>
 <ol>
-             <li>allow all connection requests from your local network to 
+                <li>allow all connection requests from your local network 
-the   internet</li>
+to  the   internet</li>
                <li>drop (ignore) all connection requests from the internet 
 to  your   firewall     or local network</li>
                <li>optionally accept all connection requests from the firewall 
@ -234,8 +238,8 @@ to  your   firewall     or local network</li>
 </ol>
 <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-              At this point, edit your /etc/shorewall/policy  file and make 
+                 At this point, edit your /etc/shorewall/policy  file and 
- any   changes  that you  wish.</p>
+make   any   changes  that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -250,8 +254,8 @@ to  your   firewall     or local network</li>
   <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
   <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External 
  Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
- a regular modem, your External  Interface will also be <b>ppp0</b>. If you
+  a regular modem, your External  Interface will also be <b>ppp0</b>. If
- connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
+you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -262,8 +266,8 @@ to  your   firewall     or local network</li>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
       eth1 or eth2) and will be connected to a hub or switch. Your local 
 computers       will be connected to the same switch (note: If you have only 
-a single   local   system,  you can connect the firewall directly to the
+a single   local   system,  you can connect the firewall directly to the computer
-computer using   a <i>cross-over   </i> cable).</p>
+using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
      (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your 
@ -273,26 +277,28 @@ computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-          </b></u>Do not connect more than one interface  to the same hub 
+             </b></u>Do not connect more than one interface  to the same
-or  switch    (even for testing). It won't work the way that you  expect it
+hub   or  switch    (even for testing). It won't work the way that you  expect
-to  and you   will end up confused and  believing that Shorewall doesn't
+ it to  and you   will end up confused and  believing that Shorewall doesn't 
  work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                 The Shorewall three-interface sample configuration assumes 
 that    the   external interface is <b>eth0, </b>the local interface is <b>eth1
- </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is different,
+  </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is
-   you will have to modify the sample  /etc/shorewall/interfaces file accordingly.
+different,    you will have to modify the sample  /etc/shorewall/interfaces
-    While you are there, you may wish to  review the list of options that
+ file accordingly.     While you are there, you may wish to  review the list
-are    specified for the interfaces. Some hints:</p>
+ of options that are    specified for the interfaces. Some hints:</p>
 <ul>
                <li>                                                    
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
      you can replace the    "detect" in the second column with "-".   </p>
               </li>
               <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
      or if you have a static IP    address, you can remove "dhcp" from the 
  option    list. </p>
@ -304,17 +310,16 @@ are    specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet 
       Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
-a  single    <i> Public</i> IP address. This address may be assigned via
+a  single    <i> Public</i> IP address. This address may be assigned via the<i>
-the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
+ Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
-establishing  your  connection   when you dial in (standard modem) or establish
+ your  connection   when you dial in (standard modem) or establish your PPP
-your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
+ connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
-IP address; that  means that  you  configure your firewall's external interface
+address; that  means that  you  configure your firewall's external interface 
 to use that  address permanently.<i>  </i>Regardless of how the address is
 assigned, it  will be shared by all of your  systems when you access the
-Internet. You will have to assign your  own addresses  for your internal
+Internet. You will have to assign your  own addresses  for your internal network
-network (the local and DMZ Interfaces on  your firewall plus your other 
+(the local and DMZ Interfaces on  your firewall plus your other  computers).
-computers). RFC 1918 reserves several <i>Private  </i>IP address ranges for
+RFC 1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
 this  purpose:</p>
 <div align="left">                
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -323,20 +328,20 @@ this  purpose:</p>
 <div align="left">                
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                 Before starting Shorewall, you should look at the IP address 
+                    Before starting Shorewall, you should look at the IP
-  of  your  external    interface and if it is one of the above ranges, you 
+address     of  your  external    interface and if it is one of the above
-  should  remove  the    'norfc1918' option from the external interface's 
+ranges, you    should  remove  the    'norfc1918' option from the external
-entry  in    /etc/shorewall/interfaces.</p>
+interface's   entry  in    /etc/shorewall/interfaces.</p>
             </div>
 <div align="left">                
 <p align="left">You will want to assign your local addresses from one <i>
         sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-  subnet.  For our purposes, we can consider a subnet    to consists of a 
+    subnet.  For our purposes, we can consider a subnet    to consists of
-range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet 
+a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a
-  Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet
+<i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved
-    Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>
+as    the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet
-  <i>Address</i>.  In Shorewall,  a subnet is described using <a
+Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing 
 </i>(CIDR)</a>   notation with consists of the subnet address  followed 
  by "/24". The "24"  refers to the number of    consecutive "1"  bits from 
@ -369,6 +374,7 @@ the left of the subnet  mask. </p>
                      <td>10.10.10.0/24</td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -411,9 +417,19 @@ more     about  IP addressing and routing, I highly recommend <i>"IP Fundamental
             </p>
 <p align="left">The default gateway for the DMZ computers would be 10.10.11.254 
-      and the default gateway for the Local computers would be 10.10.10.254.</p>
+       and the default gateway for the Local computers would be 10.10.10.254.<br>
  </p>
-<h2 align="left">IP Masquerading (SNAT)</h2>
+<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign 
 your external interface an RFC 1918  address. If that address is in the 10.10.10.0/24 
 subnet then you will need  to select a DIFFERENT RFC 1918 subnet for your 
 local network and if it is in the 10.10.11.0/24 subnet then you will need 
 to select a different RFC 1918 subnet for your DMZ.</b><br>
   </p>
 <p align="left">IP Masquerading (SNAT)</p>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
      to as <i>non-routable</i> because the Internet backbone routers don't 
@ -430,18 +446,20 @@ of your local    systems  (let's assume local computer 1) sends a connection
  the destination address back to 10.10.10.1   and  forwards the packet on
 to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
+ IP Masquerading</i> and you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
                <li>                                                    
    <p align="left"><i>Masquerade</i> describes the case where you let your 
         firewall system automatically detect the external interface address. 
          </p>
               </li>
               <li>                                                     
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify 
      the    source address that you want outbound packets from your local 
 network     to use.    </p>
@ -454,17 +472,17 @@ network     to use.    </p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-              If your external firewall interface is <b>eth0</b>, your local
+                 If your external firewall interface is <b>eth0</b>, your 
-   interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you
+local     interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then 
-do  not  need to  modify the file provided with the sample. Otherwise, edit 
+you  do  not  need to  modify the file provided with the sample. Otherwise, 
-  /etc/shorewall/masq   and change it to match your configuration.</p>
+edit    /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-              If your external IP  is static, you can enter it in the third 
+                 If your external IP  is static, you can enter it in the
- column    in the /etc/shorewall/masq entry  if you like although your firewall 
+third    column    in the /etc/shorewall/masq entry  if you like although
- will    work fine if you leave that column  empty. Entering your static IP
+your firewall    will    work fine if you leave that column  empty. Entering
- in column    3 makes <br>
+your static  IP  in column    3 makes <br>
    processing outgoing packets a  little more efficient.<br>
    </p>
@ -494,8 +512,8 @@ server responds,     the firewall automatically  performs SNAT to rewrite
 the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-     Destination Network Address Translation</i> (DNAT). You configure port 
+       Destination Network Address Translation</i> (DNAT). You configure
-   forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
      is:</p>
@ -524,12 +542,13 @@ the source address   in  the response.</p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
-be the same  as <i>&lt;port&gt;</i>.</p>
+the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming 
       TCP port 80 to that system:</p>
@ -566,6 +585,7 @@ be the same  as <i>&lt;port&gt;</i>.</p>
                    <td>from the local network</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -573,11 +593,11 @@ be the same  as <i>&lt;port&gt;</i>.</p>
 <p>A  couple of important points  to keep in mind:</p>
 <ul>
-             <li>When you are connecting to your server from your local systems,
+                <li>When you are connecting to your server from your local
-    you  must    use the server's internal IP address (10.10.11.2).</li>
+ systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
-             <li>Many ISPs block incoming connection requests to port 80. 
+                <li>Many ISPs block incoming connection requests to port
-If  you   have     problems connecting to your web server, try the following
+80.   If  you   have     problems connecting to your web server, try the
- rule and  try     connecting to port 5000 (e.g., connect to <a
+following   rule and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your 
      external IP).</li>
@ -606,6 +626,7 @@ If  you   have     problems connecting to your web server, try the following
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -637,6 +658,7 @@ If  you   have     problems connecting to your web server, try the following
                    <td><i>&lt;external IP&gt;</i></td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -678,6 +700,7 @@ If  you   have     problems connecting to your web server, try the following
                    <td>$ETH0_IP</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -702,28 +725,29 @@ of two   approaches:</p>
 <ul>
                <li>                                                    
    <p align="left">You can configure your internal systems to use your ISP's 
      name    servers. If you ISP gave you the addresses of their servers 
 or   if   those    addresses are available on their web site, you can configure 
   your   internal    systems to use those addresses. If that information 
-isn't   available,   look in    /etc/resolv.conf on your firewall system
+isn't   available,   look in    /etc/resolv.conf on your firewall system --
-- the name  servers are  given in    "nameserver" records in that file.
+the name  servers are  given in    "nameserver" records in that file.   </p>
  </p>
               </li>
               <li>                                                     
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-              You can configure a<i> Caching Name Server </i>on your    firewall
+                 You can configure a<i> Caching Name Server </i>on your 
-    or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server
+  firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name
-(which     also     requires the 'bind' RPM) and for Bering users, there
+ server (which     also     requires the 'bind' RPM) and for Bering users,
-is dnscache.lrp.     If you    take this approach, you configure your internal
+ there is dnscache.lrp.     If you    take this approach, you configure your
-systems to use    the caching    name server as their primary (and only)
+ internal systems to use    the caching    name server as their primary (and
-name server. You  use  the internal IP    address of the firewall (10.10.10.254
+ only) name server. You  use  the internal IP    address of the firewall
-in the example  above)    for the name    server address if you choose to
+(10.10.10.254  in the example  above)    for the name    server address if
-run the name server  on your   firewall. To allow your local systems to talk
+you choose to  run the name server  on your   firewall. To allow your local
-to your caching name      server,   you must open port 53 (both UDP and TCP)
+systems to talk  to your caching name      server,   you must open port 53
-from the local network   to the    server; you do that by adding the rules
+(both UDP and TCP)  from the local network   to the    server; you do that
-in /etc/shorewall/rules.       </p>
+by adding the rules  in /etc/shorewall/rules.       </p>
               </li>
 </ul>
@ -780,6 +804,7 @@ in /etc/shorewall/rules.       </p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </p>
@ -838,6 +863,7 @@ in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -884,6 +910,7 @@ in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -932,6 +959,7 @@ in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -972,6 +1000,7 @@ in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -1015,6 +1044,7 @@ in /etc/shorewall/rules.       </p>
                      <td>from the internet</td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -1026,8 +1056,8 @@ in /etc/shorewall/rules.       </p>
             </div>
 <div align="left">                
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
             </div>
 <div align="left">                
@ -1060,16 +1090,66 @@ want     shell    access to your firewall from the internet, use SSH:</p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
              </div>
 <div align="left">                
 <p align="left">                </p>
 <p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
     Bering users will want to add the following two rules to be compatible
 with Jacques's Shorewall configuration.<br>
 </p>
 <div align="left">                
 <blockquote>                                            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                    <tbody>
                   <tr>
                      <td><u><b>ACTION</b></u></td>
                      <td><u><b>SOURCE</b></u></td>
                      <td><u><b>DESTINATION</b></u></td>
                      <td><u><b>PROTOCOL</b></u></td>
                      <td><u><b>PORT</b></u></td>
                      <td><u><b>SOURCE PORT</b></u></td>
                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc<br>
 </td>
                      <td>fw</td>
                      <td>udp<br>
 </td>
                      <td>53<br>
 </td>
                      <td>#Allow DNS Cache to</td>
                      <td>work<br>
 </td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc</td>
                      <td>fw</td>
                      <td>tcp</td>
                      <td>80</td>
                      <td>#Allow weblet to work</td>
                      <td><br>
 </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
              </div>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-              Now modify    /etc/shorewall/rules to add or remove other connections
+                 Now modify    /etc/shorewall/rules to add or remove other
-     as required.</p>
+ connections      as required.</p>
             </div>
 <div align="left">                
@ -1108,9 +1188,9 @@ routing     is    enabled on those hosts that have an entry in   <a
 height="13">
                 The three-interface sample assumes that you want to enable 
    routing    to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
- when Shorewall    is stopped.    If these two interfaces don't connect to 
+   when Shorewall    is stopped.    If these two interfaces don't connect
- your local network    and DMZ or if you    want to enable a different set 
+to   your local network    and DMZ or if you    want to enable a different
- of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
+set   of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
             </div>
 <div align="left">                
@ -1124,11 +1204,14 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
             </div>
-<p align="left"><font size="2">Last updated 12/20/2002 - <a
+<p align="left"><font size="2">Last updated 1/30/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-     M. Eastep</font></a></p>
+ Thomas      M. Eastep</font></a></p>
               <br>
             <br>
            <br>
           <br>
          <br>
         <br>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -12,6 +12,7 @@
 content="text/html; charset=windows-1252">
  <title>Two-Interface Firewall</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -72,7 +73,10 @@ check   for this  program:</p>
      changes. Points at which configuration changes are  recommended are 
 flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-          .</p>
+             . Configuration notes that are unique to LEAF/Bering are marked
 with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
 height="36">
 </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                  If you edit your configuration files on a Windows system, 
@ -95,8 +99,8 @@ of    dos2unix</a></li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
          The configuration files for Shorewall are contained in the directory
-  /etc/shorewall -- for simple setups, you will only need to deal with a few
+    /etc/shorewall -- for simple setups, you will only need to deal with
- of  these as described in this guide.  After you have <a
+a  few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
      un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
@ -139,9 +143,9 @@ following     zone names are used:</p>
      in  terms of zones.</p>
 <ul>
-             <li>You express your default policy for connections from one 
+                <li>You express your default policy for connections from
-zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+one   zone   to  another    zone in the<a
-        </a>file.</li>
+ href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                <li>You define exceptions to those default policies in the
       <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -154,8 +158,8 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
    the request is first  checked against the rules in /etc/shorewall/common 
   (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>                                          
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -190,6 +194,7 @@ has the  following policies:</p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -217,6 +222,7 @@ has the  following policies:</p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -224,8 +230,8 @@ has the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-             <li>allow all connection requests from your local network to 
+                <li>allow all connection requests from your local network 
-the   internet</li>
+to  the   internet</li>
                <li>drop (ignore) all connection requests from the internet 
 to  your   firewall     or local network</li>
                <li>optionally accept all connection requests from the firewall 
@ -235,8 +241,8 @@ to  your   firewall     or local network</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-              At this point, edit your /etc/shorewall/policy and make any 
+                 At this point, edit your /etc/shorewall/policy and make
-changes     that you  wish.</p>
+any   changes     that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -244,9 +250,9 @@ changes     that you  wish.</p>
 height="635">
             </p>
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
       <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
       over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
 <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External 
@ -268,26 +274,28 @@ to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-          </b></u>Do not connect the internal and external interface  to
+             </b></u>Do not connect the internal and external interface 
-the   same   hub or switch (even for testing). It won't work the way that
+to  the   same   hub or switch (even for testing). It won't work the way
-you think  that   it will and you will end up confused and  believing that
+that  you think  that   it will and you will end up confused and  believing
-Shorewall   doesn't   work at all.</p>
+that  Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-              The Shorewall two-interface sample configuration assumes that 
+                 The Shorewall two-interface sample configuration assumes 
-  the   external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
+that    the   external  interface is <b>eth0</b> and the internal interface 
-    If your  configuration is different, you will have to modify the sample
+is <b>eth1</b>.     If your  configuration is different, you will have to 
-   <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
+modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-   accordingly.  While you are there, you may wish to  review the list of
+ file    accordingly.  While you are there, you may wish to  review the list
-options   that are  specified for the interfaces. Some hints:</p>
+ of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
                <li>                                                    
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
      you can replace the    "detect" in the second column with "-".   </p>
               </li>
               <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
      or if you have a static IP    address, you can remove "dhcp" from the 
  option    list. </p>
@ -299,11 +307,11 @@ options   that are  specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet 
       Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
-a  single    <i> Public</i> IP address. This address may be assigned via
+a  single    <i> Public</i> IP address. This address may be assigned via the<i>
-the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
+ Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
-establishing  your  connection   when you dial in (standard modem) or establish
+ your  connection   when you dial in (standard modem) or establish your PPP
-your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
+ connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
-IP address; that  means that  you  configure your firewall's external interface
+address; that  means that  you  configure your firewall's external interface 
 to use that  address permanently.<i>  </i>However your external address is
 assigned, it  will be shared by all of your systems when you access the 
 Internet. You will have to assign your  own addresses in your  internal network
@ -317,10 +325,10 @@ Internet. You will have to assign your  own addresses in your  internal network
 <div align="left">                
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                 Before starting Shorewall, you should look at the IP address 
+                    Before starting Shorewall, you should look at the IP
-  of  your  external    interface and if it is one of the above ranges, you 
+address     of  your  external    interface and if it is one of the above
-  should  remove  the    'norfc1918' option from the external interface's 
+ranges, you    should  remove  the    'norfc1918' option from the external
-entry  in    /etc/shorewall/interfaces.</p>
+interface's   entry  in    /etc/shorewall/interfaces.</p>
             </div>
 <div align="left">                
@ -362,6 +370,7 @@ leading "1" bits from the left  of the subnet mask. </p>
                      <td>10.10.10.0/24</td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -383,10 +392,10 @@ leading "1" bits from the left  of the subnet mask. </p>
 <div align="left">                
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-              Your local computers (computer    1 and computer 2 in the above 
+                 Your local computers (computer    1 and computer 2 in the
-  diagram)   should be configured with their<i>    default gateway</i> to 
+ above    diagram)   should be configured with their<i>    default gateway</i>
-be  the IP address   of the firewall's internal    interface.<i>      </i> 
+ to  be  the IP address   of the firewall's internal    interface.<i>     
-</p>
+ </i>  </p>
             </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -402,7 +411,16 @@ more     about  IP addressing and routing, I highly recommend <i>"IP Fundamental
 height="635">
             </p>
-<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.</p>
+<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.<br>
  </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign 
 your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 
 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your local
 network.</b><br>
  </p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
@ -418,21 +436,23 @@ connection.
 to route return packets   back to the firewall  (remember that packets whose 
 destination address is   reserved by RFC 1918 can't  be routed across the 
 internet so the remote host  can't address its response to  computer 1). 
-When the firewall receives a return packet, it  rewrites the destination
+When the firewall receives a return packet, it  rewrites the destination address
-address  back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
+ back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
                <li>                                                    
    <p align="left"><i>Masquerade</i> describes the case where you let your 
         firewall system automatically detect the external interface address. 
          </p>
               </li>
               <li>                                                     
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify 
      the    source address that you want outbound packets from your local 
 network     to use.    </p>
@ -446,18 +466,19 @@ network     to use.    </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-              If your external firewall interface is <b>eth0</b>, you do
+                 If your external firewall interface is <b>eth0</b>, you
-not    need   to modify the file provided with the sample. Otherwise, edit
+do  not    need   to modify the file provided with the sample. Otherwise,
- /etc/shorewall/masq      and change the first column to the name of your
+edit   /etc/shorewall/masq      and change the first column to the name of
-external  interface and    the  second column to the name of your internal
+your  external  interface and    the  second column to the name of your internal 
 interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-              If your external IP is  static, you can enter it in the third 
+                 If your external IP is  static, you can enter it in the
- column    in the /etc/shorewall/masq entry if  you like although your firewall 
+third    column    in the /etc/shorewall/masq entry if  you like although
- will    work fine if you leave that column empty.  Entering your static IP
+your firewall    will    work fine if you leave that column empty.  Entering
- in column    3 makes processing outgoing packets a little  more efficient.<br>
+your static  IP  in column    3 makes processing outgoing packets a little
 more efficient.<br>
     <br>
     <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
@ -480,13 +501,13 @@ interface.</p>
  is   not  possible for clients on the internet to connect directly to them.
  It   is rather  necessary for those clients to address their connection 
 requests     to the firewall  who rewrites the destination address to the 
-address of   your   server and forwards  the packet to that server. When
+address of   your   server and forwards  the packet to that server. When your
-your server responds,     the firewall automatically  performs SNAT to rewrite
+server responds,     the firewall automatically  performs SNAT to rewrite 
 the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-     Destination Network Address Translation</i> (DNAT). You configure port 
+       Destination Network Address Translation</i> (DNAT). You configure
-   forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
      is:</p>
@ -515,6 +536,7 @@ the source address   in  the response.</p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -545,6 +567,7 @@ the source address   in  the response.</p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -552,14 +575,14 @@ the source address   in  the response.</p>
 <p>A couple of important points  to keep in mind:</p>
 <ul>
-             <li>You must test the above rule from a client outside of your 
+                <li>You must test the above rule from a client outside of 
- local    network    (i.e., don't test from a browser running on computers 
+your   local    network    (i.e., don't test from a browser running on computers
- 1 or 2  or  on the    firewall). If you want to be able to access your web 
+   1 or 2  or  on the    firewall). If you want to be able to access your
- server  using  the IP    address of your external interface, see <a
+web   server  using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-             <li>Many ISPs block incoming connection requests to port 80. 
+                <li>Many ISPs block incoming connection requests to port
-If  you   have     problems connecting to your web server, try the following
+80.   If  you   have     problems connecting to your web server, try the
- rule and  try     connecting to port 5000.</li>
+following   rule and  try     connecting to port 5000.</li>
 </ul>
@ -586,6 +609,7 @@ If  you   have     problems connecting to your web server, try the following
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -601,33 +625,34 @@ rules    that  you require.</p>
     will be  automatically configured (e.g., the /etc/resolv.conf file will 
   be  written).  Alternatively, your ISP may have given you the IP address 
  of a  pair of DNS <i> name servers</i> for you to manually configure as 
-your    primary  and secondary  name servers. Regardless of how DNS gets
+your    primary  and secondary  name servers. Regardless of how DNS gets configured
-configured    on your  firewall, it is <u>your</u> responsibility to configure
+   on your  firewall, it is <u>your</u> responsibility to configure the resolver
-the resolver    in your   internal systems. You can take one of two approaches:</p>
+   in your   internal systems. You can take one of two approaches:</p>
 <ul>
                <li>                                                    
    <p align="left">You can configure your internal systems to use your ISP's 
      name    servers. If you ISP gave you the addresses of their servers 
 or   if   those    addresses are available on their web site, you can configure 
   your   internal    systems to use those addresses. If that information 
-isn't   available,   look in    /etc/resolv.conf on your firewall system
+isn't   available,   look in    /etc/resolv.conf on your firewall system --
-- the name  servers are  given in    "nameserver" records in that file.
+the name  servers are  given in    "nameserver" records in that file.   </p>
  </p>
               </li>
               <li>                                                     
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-              You can configure a<i> Caching Name Server </i>on your    firewall.<i>
+                 You can configure a<i> Caching Name Server </i>on your 
-         </i>Red Hat has an RPM for a caching name server (the RPM also 
+  firewall.<i>          </i>Red Hat has an RPM for a caching name server
-  requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp.
+(the  RPM also    requires    the 'bind' RPM) and for Bering users, there
-If you    take   this approach, you configure your internal systems to use
+is dnscache.lrp.  If you    take   this approach, you configure your internal
-the firewall    itself as their primary (and only) name server. You use the
+systems to use  the firewall    itself as their primary (and only) name server.
-internal IP     address of the firewall (10.10.10.254 in the example above)
+You use the  internal IP     address of the firewall (10.10.10.254 in the
-for the name       server address. To allow your local systems to talk to
+example above)  for the name       server address. To allow your local systems
-your caching name      server, you must open port 53 (both UDP and TCP) from
+to talk to  your caching name      server, you must open port 53 (both UDP
-the local network   to the    firewall; you do that by adding the following
+and TCP) from  the local network   to the    firewall; you do that by adding 
-rules in /etc/shorewall/rules.       </p>
+the following  rules in /etc/shorewall/rules.       </p>
               </li>
 </ul>
@ -664,6 +689,7 @@ rules in /etc/shorewall/rules.       </p>
                    <td> </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -709,6 +735,7 @@ rules in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -748,6 +775,7 @@ rules in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -787,6 +815,7 @@ rules in /etc/shorewall/rules.       </p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -830,6 +859,7 @@ rules in /etc/shorewall/rules.       </p>
                      <td>from the local network</td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -842,8 +872,8 @@ rules in /etc/shorewall/rules.       </p>
             </div>
 <div align="left">                
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
             </div>
 <div align="left">                
@ -876,14 +906,62 @@ want     shell    access to your firewall from the internet, use SSH:</p>
                      <td> </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
              </div>
 <div align="left">                
-<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
+<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
- height="13">
+ width="49" height="36">
     Bering users will want to add the following two rules to be compatible
 with Jacques's Shorewall configuration.</p>
 <div align="left">                
 <blockquote>                                            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                    <tbody>
                   <tr>
                      <td><u><b>ACTION</b></u></td>
                      <td><u><b>SOURCE</b></u></td>
                      <td><u><b>DESTINATION</b></u></td>
                      <td><u><b>PROTOCOL</b></u></td>
                      <td><u><b>PORT</b></u></td>
                      <td><u><b>SOURCE PORT</b></u></td>
                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc<br>
        </td>
                      <td>fw</td>
                      <td>udp<br>
        </td>
                      <td>53<br>
        </td>
                      <td>#Allow DNS Cache to</td>
                      <td>work<br>
        </td>
                    </tr>
                    <tr>
                      <td>ACCEPT</td>
                      <td>loc</td>
                      <td>fw</td>
                      <td>tcp</td>
                      <td>80</td>
                      <td>#Allow weblet to work</td>
                      <td><br>
        </td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
              </div>
 <p align="left"><br>
 <img border="0" src="images/BD21298_.gif" width="13" height="13">
                 Now edit your    /etc/shorewall/rules file to add or delete
  other    connections  as required.</p>
             </div>
@ -940,11 +1018,14 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
             </div>
-<p align="left"><font size="2">Last updated 12/20/2002 - <a
+<p align="left"><font size="2">Last updated 1/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-     M. Eastep</font></a></p>
+ Thomas      M. Eastep</font></a></p>
               <br>
             <br>
            <br>
           <br>
          <br>
         <br>
--- a/STABLE/documentation/upgrade_issues.htm
+++ b/STABLE/documentation/upgrade_issues.htm
@ -20,6 +20,7 @@
          <tbody>
          <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
            </td>
          </tr>
@ -30,13 +31,67 @@
 <p>For upgrade instructions see the                               <a
 href="Install.htm">Install/Upgrade page</a>.</p>
 <h3>Version &gt;= 1.3.14</h3>
 <img src="images/BD21298_3.gif" alt="" width="13" height="13">
      Beginning in version 1.3.14, Shorewall treats entries in <a
 href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change 
 involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) 
 <b>column</b>:<br>
 <ul>
   <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface 
 (as shown by "ip addr show <i>interface</i>") and would masquerade traffic 
 from that subnet. Any other subnets that routed through eth1 needed their 
 own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li>
   <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing 
 table to determine ALL subnets routed through the named interface. Traffic 
 originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
 </ul>
 You will need to make a change to your configuration if:<br>
 <ol>
   <li>You have one or more entries in /etc/shorewall/masq with an interface 
 name in the SUBNET (second) column; and</li>
   <li>That interface connects to more than one subnetwork.</li>
 </ol>
 Two examples:<br>
 <br>
  <b>Example 1</b> -- Suppose that your current config is as follows:<br>
    <br>
 <pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE              SUBNET                  ADDRESS<br>	eth0                    eth2                    206.124.146.176<br>	eth0                    192.168.10.0/24         206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>	[root@gateway test]#</pre>
 <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer 
 required.<br>
 </blockquote>
 <b>Example 2</b>-- What if your current configuration is like this?<br>
 <pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    eth2                    206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	<br>	[root@gateway test]#</pre>
 <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq 
 to:<br>
 </blockquote>
 <pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
 <img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.
 The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used
 to specify that the old (pre-1.3.14) ping handling is to be used (If the
 option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
 is assumed). I don't plan on supporting the old handling indefinitely so
 I urge current users to migrate to using the new handling as soon as possible.
 See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
 <h3>Version 1.3.10</h3>
  If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
 1.3.10, you will need to use the '--force' option:<br>
  <br>
 <blockquote>      
  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
  </blockquote>
 <h3>Version &gt;= 1.3.9</h3>
    The 'functions' file has moved to /usr/lib/shorewall/functions. If you
 have  an application that uses functions from that file, your application
@ -75,10 +130,10 @@ will  need                                  to transcribe any Shorewall configur
                                   changes that you have made to the new
                                 configuration.</li>
                                       <li>Replace the shorwall.lrp package 
-provided  on                                  the Bering floppy with the later
+ provided  on                                  the Bering floppy with the 
-one.  If you did                                  not obtain the later version
+later one.  If you did                                  not obtain the later 
-from Jacques's                                  site, see additional instructions
+version from Jacques's                                  site, see additional 
- below.</li>
+instructions  below.</li>
                                       <li>Edit the /var/lib/lrpkg/root.exclude.list
                                    file and remove the /var/lib/shorewall
 entry  if                                  present. Then do not forget to
@ -104,11 +159,12 @@ and   1.3.7</p>
 <ol>
                   <li>                                                 
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
              the following rule<br>
                 <br>
-               <font face="Courier">run_iptables -A newnotsyn -j RETURN # 
+                 <font face="Courier">run_iptables -A newnotsyn -j RETURN 
-So  that the            connection tracking table can be rebuilt<br>
+#  So  that the            connection tracking table can be rebuilt<br>
                                                      # from non-SYN packets
  after  takeover.<br>
        </font>  </p>
@ -166,11 +222,13 @@ So  that the            connection tracking table can be rebuilt<br>
              If you have applications that access these files, those applications
              should be modified accordingly.</p>
-<p><font size="2">  Last updated 11/09/2002 -                           
+<p><font size="2">  Last updated 1/25/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+     © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
 #
-#     (c) 2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://seattlefirewall.dyndns.org
 #
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.13
+VERSION=1.3.14
 usage() # $1 = exit status
 {
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
-#     (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called:
 #	/etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
@ -374,7 +374,14 @@ chain_base() #$1 = interface
 {
    local c=${1%%+*}
    case $c in 
        *.*)
 	    echo ${c%.*}_${c#*.}
 	    ;;
 	*)
 	    echo ${c:=common}
 	    ;;
    esac
 }
 #
@ -599,10 +606,14 @@ validate_interfaces_file() {
 	for option in $options; do
 	    case $option in
-	    dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
+		dhcp|routestopped|norfc1918|multi|tcpflags)
 		    ;;
 		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		    ;;
 		noping|filterping)
 		    [ -n "$OLD_PING_HANDLING" ] || \
 			startup_error "Option $option only allowed with old ping handling"
 		    ;;
 		*)
 		    error_message "Warning: Invalid option ($option) in record \"$r\""
 		    ;;
@ -1102,8 +1113,7 @@ validate_policy()
 #
 find_broadcasts() {
    for interface in $all_interfaces; do
-	interface=`chain_base $interface`
+	eval bcast=\$`chain_base $interface`_broadcast
 	eval bcast=\$${interface}_broadcast
 	if [ "x$bcast" = "xdetect" ]; then
 	    addr="`ip addr show $interface 2> /dev/null`"
 	    if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
@ -1122,7 +1132,7 @@ find_broadcasts() {
 #
 find_interface_broadcasts() # $1 = Interface name
 {
-    eval bcast=\$${1}_broadcast
+    eval bcast=\$`chain_base ${1}`_broadcast
    if [ "x$bcast" = "xdetect" ]; then
 	addr="`ip addr show $interface 2> /dev/null`"
@ -1414,6 +1424,23 @@ setup_tunnels() # $1 = name of tunnels file
 	echo "   PPTP server defined."
    }
    setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
    {
 	case $2 in
 	    *:*)
 		p=${2#*:}
 		;;
 	    *)
 		p=5000
 		;;
 	esac
 	addrule $inchain  -p udp -s $1 --sport $p --dport $p -j ACCEPT
 	addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
 	echo "   OPENVPN tunnel to $1:$p defined."
    }
    strip_file tunnels $1
    while read kind z gateway z1; do
@ -1441,6 +1468,9 @@ setup_tunnels() # $1 = name of tunnels file
 		pptpserver|PPTPSERVER)
 		    setup_pptp_server
 		    ;;
 		openvpn|OPENVPN|openvpn:*|OPENVPN:*)
 		    setup_one_openvpn $gateway $kind
 		    ;;
 		*)
 		    error_message "Tunnels of type $kind are not supported:" \
 			"Tunnel \"$tunnel\" Ignored"
@ -1704,8 +1734,11 @@ setup_nat() {
    while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
 	iface=${interface%:*}
 	if [ -n "$ADD_IP_ALIASES" ]; then
-	    qt ip addr del $external dev $interface
+	    qt ip addr del $external dev $iface
 	fi
 	if [ -z "$allints" -o "$allints" = "Yes" -o "$allints" = "yes" ]
@ -1718,9 +1751,9 @@ setup_nat() {
 		    -j DNAT --to-destination $internal
 	    fi
 	else
-	    addnatrule `input_chain $interface` \
+	    addnatrule `input_chain $iface` \
 		-d $external -j DNAT --to-destination $internal
-	    addnatrule `output_chain $interface` \
+	    addnatrule `output_chain $iface` \
 		-s $internal -j SNAT --to-source $external
 	fi
@ -1753,7 +1786,7 @@ delete_nat() {
 #
 # Process a TC Rule - $marking_chain is assumed to contain the name of the 
-#                     marking chain
+#                     default marking chain
 #
 process_tc_rule()
 {
@ -1774,13 +1807,34 @@ process_tc_rule()
 		    ;;
 		*)
 		    if ! list_search $source $all_interfaces; then
-			fatal_error "Error: Unknown interface $source"
+			fatal_error "Error: Unknown interface $source in rule \"$rule\""
 		    fi
 		    r="-i $source "
 		    ;;
 	    esac
 	fi
 	if [ "$mark" != "${mark%:*}" ]; then
 	    [ "$chain" = tcout ] && \
 		fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
 	    case "${mark#*:}" in
 		p|P)
 		    chain=tcpre
 		    ;;
 		f|F)
 		    chain=tcfor
 		    ;;
 		*)
 		    fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
 		    ;;
 	    esac
 	    mark="${mark%:*}"
 	fi
 	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
@ -1811,7 +1865,8 @@ setup_tc1() {
    # Create the TC mangle chains
    #
-    run_iptables -t mangle -N $marking_chain
+    run_iptables -t mangle -N tcpre
    run_iptables -t mangle -N tcfor
    run_iptables -t mangle -N tcout
    #
    # Process the TC Rules File
@ -1827,11 +1882,9 @@ setup_tc1() {
    # Link to the TC mangle chains from the main chains
    #
    if [ $marking_chain = tcfor ]; then
    run_iptables -t mangle -A FORWARD    -j tcfor
    else
    run_iptables -t mangle -A PREROUTING -j tcpre
-    fi
+    run_iptables -t mangle -A OUTPUT     -j tcout
    run_user_exit tcstart
@ -2871,6 +2924,21 @@ rules_chain() # $1 = source zone, $2 = destination zone
    fatal_error "Error: No appropriate chain for zone $1 to zone $2"
 }
 #
 #  echo the list of subnets routed out of a given interface
 #
 get_routed_subnets() # $1 = interface name
 {
    local address
    local rest
    ip route show dev $1 2> /dev/null |
 	while read address rest; do
 	    [ "$address" = "${address%/*}" ] && address="${address}/32"
 	    echo $address
        done
 }
 #
 # Set up Source NAT (including masquerading)
 #
@ -2879,12 +2947,32 @@ setup_masq()
    setup_one() {
 	local using
-	if [ "$interface" = "${interface%:*}" ]; then
+	case $fullinterface in
 	    *:*:*)
 		# Both alias name and subnet
 		destnet="${fullinterface##*:}"
 		fullinterface="${fullinterface%:*}"
 		;;
 	    *:*)
 		# Alias name OR subnet
 		case ${fullinterface#*:} in
 		    *.*)
 			# It's a subnet
 			destnet="${fullinterface#*:}"
 			fullinterface="${fullinterface%:*}"
 			;;
 		    *)
 			#it's an alias name
 			destnet="0.0.0.0/0"
-	else
+			;;
-	    destnet="${interface#*:}"
+		esac
-	    interface="${interface%:*}"
+		;;
-	fi
+	    *)
 		destnet="0.0.0.0/0"
 		;;
 	esac
 	interface=${fullinterface%:*}
 	if ! list_search $interface $all_interfaces; then
 	    fatal_error "Error: Unknown interface $interface"
@ -2900,10 +2988,10 @@ setup_masq()
 	chain=`masq_chain $interface`
 	iface=
 	source="$subnet"
 	case $subnet in
 	*.*.*)
 	    source="$subnet"
 	    subnet="-s $subnet"
 	    ;;
 	-)
 	    #
@ -2916,22 +3004,15 @@ setup_masq()
 	    iface="-o $interface"
 	    ;;
 	*)
-	    ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`"
+	    subnets=`get_routed_subnets $subnet`
-	    source="$subnet"
+	    [ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
-	    if [ -z "$ipaddr" ]; then
+	    subnet="$subnets"
 		fatal_error \
 		  "Interface $subnet must be up before Shorewall starts"
 	    fi
 	    subnet="`echo $ipaddr | sed s/"    "// | cut -d' ' -f2`"
 	    [ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
 	    subnet="-s $subnet"	    
 	    ;;
 	esac
 	if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
 	    list_search $address $aliases_to_add || \
-		aliases_to_add="$aliases_to_add $address $interface" 
+		aliases_to_add="$aliases_to_add $address $fullinterface" 
 	fi
 	destination=$destnet
@ -2939,7 +3020,15 @@ setup_masq()
 	if [ -n "$nomasq" ]; then
 	    newchain=masq${masq_seq}
 	    createnatchain $newchain
-	    addnatrule $chain -d $destnet $iface $subnet -j $newchain
+	    
 	    if [ -n "$subnet" ]; then
 		for s in $subnet; do
 		    addnatrule $chain -d $destnet $iface -s $s -j $newchain
 		done
 	    else
 		addnatrule $chain -d $destnet $iface -j $newchain
 	    fi
 	    masq_seq=$(($masq_seq + 1))
 	    chain=$newchain
 	    subnet=
@ -2949,29 +3038,38 @@ setup_masq()
 	    for addr in `separate_list $nomasq`; do
 		addnatrule $chain -s $addr -j RETURN
 	    done
 	    source="$source except $nomasq"
 	else
 	    destnet="-d $destnet"
 	fi
 	if [ -n "$subnet" ]; then
 	    for s in $subnet; do
 		if [ -n "$address" ]; then
-	    addnatrule $chain $subnet $destnet $iface \
+		    addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address
-		-j SNAT --to-source $address
+		    echo "   To $destination from $s through ${interface} using $address"
 	    using=" using $address"
 		else
-	    addnatrule $chain $subnet $destnet $iface -j MASQUERADE
+		    addnatrule $chain -s $s $destnet $iface -j MASQUERADE
-	    using=
+		    echo "   To $destination from $s through ${interface}"
 		fi
 	    done
 	elif [ -n "$address" ]; then
 	    addnatrule $chain $destnet $iface -j SNAT --to-source $address
 	    echo "   To $destination from $source through ${interface} using $address"
 	else
 	    addnatrule $chain $destnet $iface -j MASQUERADE
 	    echo "   To $destination from $source through ${interface}"
 	fi
 	[ -n "$nomasq" ] && source="$source except $nomasq"
 	echo "   To $destination from $source through ${interface}${using}"
    }
    strip_file masq $1
    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
-    while read interface subnet address; do
+    while read fullinterface subnet address; do
-	expandv interface subnet address
+	expandv fullinterface subnet address
 	[ -n "$NAT_ENABLED" ] && setup_one || \
 	    error_message "Warning: NAT disabled; masq rule ignored"
    done < $TMP_DIR/masq
@ -3195,9 +3293,10 @@ add_ip_aliases()
 	    val=${val%% scope*}
 	fi
-	run_ip addr add ${external}${val} dev $interface
+	run_ip addr add ${external}${val} dev $interface $label
 	echo "$external $interface" >> ${STATEDIR}/nat
-	echo "   IP Address $external added to interface $interface"
+	[ -n "$label" ] && label="with $label"
 	echo "   IP Address $external added to interface $interface $label"
    }
    set -- $aliases_to_add
@ -3205,6 +3304,14 @@ add_ip_aliases()
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
 	label=
 	if [ "$interface" != "${interface%:*}" ]; then
 	    label="${interface#*:}"
 	    interface="${interface%:*}"
 	    label="label $interface:$label"
 	fi
 	primary=`find_interface_address $interface`
 	shift;shift
 	[ "x${primary}" = "x${external}" ] || do_one
@ -3350,11 +3457,14 @@ initialize_netfilter () {
 # Build the common chain -- called during [re]start and refresh
 #
 build_common_chain() {
    if [ -n "$OLD_PING_HANDLING" ]; then
        #
        # PING
        #
 	[ -n "$FORWARDPING" ] && \
 	    run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
    fi
    #
    # Common ICMP rules
    #
@ -3907,6 +4017,7 @@ define_firewall() # $1 = Command (Start or Restart)
    process_rules $rules
    if [ -n "$OLD_PING_HANDLING" ]; then
 	echo "Setting up ICMP Echo handling..."
 	filterping_interfaces="`find_interfaces_by_option filterping`"
@ -3924,6 +4035,7 @@ define_firewall() # $1 = Command (Start or Restart)
 		    -p icmp --icmp-type echo-request -j $target
 	    fi
 	done
    fi
    policy=`find_file policy`
@ -4161,15 +4273,15 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    rulenum=2
 		fi
-		if ! list_search $interface $filterping_interfaces; then
+		if list_search $interface $filterping_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
-		if ! list_search $interface $maclist_interfaces; then
+		if list_search $interface $maclist_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
-		if ! list_search $interface $tcpflags_interfaces; then
+		if list_search $interface $tcpflags_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
@ -4194,11 +4306,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 			rulenum=2
 		    fi
-		    if ! list_search $interface $maclist_interfaces; then
+		    if list_search $interface $maclist_interfaces; then
 			rulenum=$(($rulenum + 1))
 		    fi
-		    if ! list_search $interface $tcpflags_interfaces; then
+		    if list_search $interface $tcpflags_interfaces; then
 			rulenum=$(($rulenum + 1))
 		    fi
 		fi
@ -4344,7 +4456,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
    while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		qt iptables -D `input_chain $interface` -i $interface -s $host -j $chain 
+		qt iptables -D `input_chain $interface` -s $host -j $chain 
 	    else
 		source_chain=`forward_chain $interface`
 		eval dest_hosts=\"\$${z2}_hosts\"
@ -4471,6 +4583,7 @@ do_initialize() {
    TCP_FLAGS_LOG_LEVEL=
    RFC1918_LOG_LEVEL=
    MARK_IN_FORWARD_CHAIN=
    OLD_PING_HANDLING=
    SHARED_DIR=/usr/lib/shorewall
    FUNCTIONS=
    VERSION_FILE=
@ -4596,7 +4709,10 @@ do_initialize() {
    else
 	CLEAR_TC=
    fi
    OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
    [ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \
 	startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No"
    run_user_exit params
--- a/STABLE/init.sh
+++ b/STABLE/init.sh
@ -5,7 +5,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
-#     (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called:
 #	/etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
 #
-#     (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #       Seawall documentation is available at http://seawall.sourceforge.net
 #
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.13
+VERSION=1.3.14
 usage() # $1 = exit status
 {
--- a/STABLE/interfaces
+++ b/STABLE/interfaces
@ -46,18 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
 #			noping	     - icmp echo-request (ping) packets
 #				       addressed to the firewall should
 #				       be ignored on this interface
 #			filterping   - icmp echo-request (ping) packets 
 #				       addressed to the firewall should
 #				       be controlled by the rules file and
 #				       applicable policy. If neither 'noping'
 #				       nor 'filterping' are specified then
 #				       the firewall will respond to 'ping'
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
@ -117,29 +105,28 @@
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27 and you want pings from the internet
+#			206.191.149.192/27. You have a DMZ with subnet
 #			to be ignored. You interface a DMZ with subnet
 #			192.168.2.0/24 using eth2. You want to be able to
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
-#			net	eth0	206.191.149.223	noping,dhcp
+#			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
-#			net	eth0	detect		noping,dhcp
+#			net	eth0	detect		dhcp
 #			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
-#			connections and you want to ignore ping requests.
+#			connections.
 #
-#			net	ppp0	-		noping
+#			net	ppp0	-
 ##############################################################################
 #ZONE	 INTERFACE	BROADCAST	OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE/masq
+++ b/STABLE/masq
@ -9,7 +9,15 @@
 # Columns are:
 #
 #	INTERFACE -- Outgoing interface. This is usually your internet
-#		     interface. This may be qualified by adding the character
+#		     interface. If ADD_SNAT_ALIASES=Yes in
 #		     /etc/shorewall/shorewall.conf, you may add ":" and
 #		     a digit to indicate that you want the alias added with
 #                    that name (e.g., eth0:0). This will allow the alias to
 #		     be displayed with ifconfig. THAT IS THE ONLY USE FOR 
 #		     THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER 
 #		     PLACE IN YOUR SHOREWALL CONFIGURATION.
 #
 #		     This may be qualified by adding the character
 #                    ":" followed by a destination host or subnet.
 #
 #
@ -74,13 +82,12 @@
 #	Example 4:
 #
 #		  You want all outgoing traffic from 192.168.1.0/24 through
-#		  eth0 to use source address 206.124.146.176.
+#		  eth0 to use source address 206.124.146.176 which is NOT the
 #		  primary address of eth0. You want 206.124.146.176 added to 
 #		  be added to eth0 with name eth0:0.
 #
-#			eth0	192.168.1.0/24	206.124.146.176
+#			eth0:0	192.168.1.0/24	206.124.146.176
 #
 #		  This would normally be done when you have a static external
 #		  IP address since it makes the processing of outgoing 
 #		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE/nat
+++ b/STABLE/nat
@ -16,7 +16,13 @@
 #			IP address of the interface named in the next
 #			column and must not be a DNS Name.
 #	INTERFACE	Interface that we want to EXTERNAL address to appear
-#                       on
+#                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
 #			follow the interface name with ":" and a digit to 
 #			indicate that you want Shorewall to add the alias
 #			with this name (e.g., "eth0:0"). That allows you to
 #			see the alias with ifconfig. THAT IS THE ONLY THING
 #			THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
 #			ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #       ALL INTERFACES  If Yes or yes (or left empty), NAT will be effective
 #                       from all hosts. If No or no then NAT will be effective
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -2,48 +2,104 @@ This is a minor release of Shorewall that has a couple of new features.
 New features include:
-1) A new 'DNAT-' action has been added for entries in the
+1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
-   /etc/shorewall/rules file. DNAT- is intended for advanced users who
+   set to Yes, Shorewall ping handling is as it has always been (see
-   wish to minimize the number of rules that connection requests must
+   http://www.shorewall.net/ping.html).
   traverse.
-   A Shorewall DNAT rule actually generates two iptables rules: a
+   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
-   header rewriting rule in the 'nat' table and an ACCEPT rule in the
+   policies just like any other connection request. The FORWARDPING
-   'filter' table. A DNAT- rule only generates the first of these
+   option in shorewall.conf is ignored and the 'noping' and
-   rules. This is handy when you have several DNAT rules that would
+   'filterping' options in /etc/shorewall/interfaces will generate an
-   generate the same ACCEPT rule.
+   error.
-   Here are three rules from my previous rules file:
+2) It is now possible to direct Shorewall to create a "label" such as
   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
   and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
   instead of just the interface name:
-	DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
+   a) In the INTERFACE column of /etc/shorewall/masq
-	DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
+   b) In the INTERFACE column of /etc/shorewall/nat
 	ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
-   These three rules ended up generating _three_ copies of 
+3) The ability to name your VLAN interfaces using the $dev.$vid
   convention (e.g., "eth0.0") has been restored. This capability was
   inadvertently broken in version 1.3.12.
-	 ACCEPT net  dmz:206.124.146.177 tcp smtp
+4) Support has been added for defining OpenVPN tunnels in the
   /etc/shorewall/tunnels file.
-   By writing the rules this way, I end up with only one copy of the
+5) When an interface name is entered in the SUBNET column of the
-   ACCEPT rule.
+   /etc/shorewall/masq file, Shorewall previously masqueraded traffic
   from only the first subnet defined on that interface. It did not
   masquerade traffic from:
-	DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
+   a) The subnets associated with other addresses on the interface.
-	DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
+   b) Subnets accessed through local routers.
 	ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
-2) The 'shorewall check' command now prints out the applicable policy
+   Beginning with Shorewall 1.3.14, if you enter an interface name in
-   between each pair of zones.
+   the SUBNET column, shorewall will use the firewall's routing table
   to construct the masquerading/SNAT rules.
-3. A new CLEAR_TC option has been added to shorewall.conf. If this
+   Example 1 -- This is how it works in 1.3.14.
   option is set to 'No' then Shorewall won't clear the current
   traffic control rules during [re]start. This setting is intended
   for use by people that prefer to configure traffic shaping when
   the network interfaces come up rather than when the firewall
   is started. If that is what you want to do, set TC_ENABLED=Yes and
   CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
   way, your traffic shaping rules can still use the 'fwmark'
   classifier based on packet marking defined in /etc/shorewall/tcrules.
-4. A new SHARED_DIR variable has been added that allows distribution
+   [root@gateway test]# cat /etc/shorewall/masq
-   packagers to easily move the shared directory (default
+   #INTERFACE              SUBNET                  ADDRESS
-   /usr/lib/shorewall). Users should never have a need to change the
+   eth0                    eth2                    206.124.146.176
-   value of this shorewall.conf setting.
+   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# shorewall start
   ...
   Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
   Processing /etc/shorewall/tos...
   When upgrading to Shorewall 1.3.14, if you have multiple local
   subnets connected to an interface that is specified in the SUBNET
   column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
   file will need changing. In most cases, you will simply be able to
   remove redundant entries. In some cases though, you might want to change
   from using the interface name to listing specific subnetworks if the
   change described above will cause masquerading to occur on
   subnetworks that you don't wish to masquerade.
   Example 2 -- Suppose that your current config is as follows:
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   eth0			   192.168.10.0/24	   206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#
   In this case, the second entry in /etc/shorewall/masq is no longer
   required.
   Example 3 -- What if your current configuration is like this?
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#
   In this case, you would want to change the entry in
   /etc/shorewall/masq to:
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    192.168.1.0/24          206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE/shorewall
+++ b/STABLE/shorewall
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
-#     (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #
 #	This file should be placed in /sbin/shorewall.
@ -649,7 +649,7 @@ case "$1" in
 	[ $# -ne 3 ] && usage 1
 	exec $FIREWALL $debugging $nolock $1 $2 $3
 	;;
-    show)
+    show|list)
 	[ $# -gt 2 ] && usage 1
 	case "$2" in
 	connections)
--- a/STABLE/shorewall.conf
+++ b/STABLE/shorewall.conf
@ -6,7 +6,7 @@
 #
 #  This file should be placed in /etc/shorewall
 #
-#  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
 # You should not have to change the variables in this section -- they are set
@ -401,12 +401,17 @@ MUTEX_TIMEOUT=60
 LOGNEWNOTSYN=
 #
-# Forward "Ping"
+# Old Ping Handling
 #
-# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
+# If this option is set to "Yes" then Shorewall will use its old ping handling
-# forwarded by the firewall.
+# facility including the FORWARDPING option in this file and the 'noping' and
-
+# 'filterping' interface options. If this option is set to 'No' then ping
-FORWARDPING=Yes
+# is handled via policy and rules just like any other connection request.
 #
 # If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
 # DON'T DELETE IT!!!!!!
 #
 OLD_PING_HANDLING=No
 #
 # NEWNOTSYN
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.13
+%define version 1.3.14
 %define release 1
 %define prefix /usr
@ -105,6 +105,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Fri Feb 07 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-1
 * Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0RC1
 * Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0Beta2
 * Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0Beta1
 * Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.13
 * Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/tcrules
+++ b/STABLE/tcrules
@ -17,10 +17,20 @@
 #	MARK		The mark value which is an
 #			integer in the range 1-255
 #
 #			May optionally be followed by ":P" or ":F"
 #			where ":P" indicates that marking should occur in
 #			the PREROUTING chain and ":F" indicates that marking
 #			should occur in the FORWARD chain. If neither
 #			":P" nor ":F" follow the mark value then the chain is
 #			determined by the setting of MARK_IN_FORWARD_CHAIN in
 #			/etc/shorewall/shorewall.conf.
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses 
 #			and/or subnets. Use $FW if the packet originates on
-#			the firewall.
+#			the firewall in which case the MARK column may NOT
 #			specify either ":P" or ":F" (marking always occurs 
 #			in the OUTPUT chain).
 #
 #			MAC addresses must be prefixed with "~" and use
 #			"-" as a separator.
--- a/STABLE/tunnel
+++ b/STABLE/tunnel
@ -9,7 +9,7 @@ RCDLINKS="2,S45 3,S45 6,K45"
 #    
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
 #
-#     (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #   Modify the following variables to match your configuration
 #
--- a/STABLE/tunnels
+++ b/STABLE/tunnels
@ -1,16 +1,21 @@
 #
 # Shorewall 1.3 - /etc/shorewall/tunnels
 #
-#	This file defines IPSEC, GRE and IPIP tunnels.
+#	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
-#	IPIP and GRE tunnels must be configured on the firewall/gateway itself.
+#	IPIP, GRE and OPENVPN tunnels must be configured on the
-#	IPSEC endpoints may be defined on the firewall/gateway or on an
+#	firewall/gateway itself. IPSEC endpoints may be defined
-#	internal system.
+#	on the firewall/gateway or on an internal system.
 #
 #	The columns are:
 #
 #	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ip"
-#			"gre","pptpclient" or "pptpserver"
+#			"gre", "pptpclient", "pptpserver" or "openvpn".
 #
 #			If type is "openvpn", it may optionally be followed
 #			by ":" and the port number used by the tunnel. if no
 #			":" and port number are included, then the default port
 #			of 5000 will be used
 #
 #	ZONE	    --	The zone of the physical interface through which
 #			tunnel traffic passes. This is normally your internet
@ -20,10 +25,12 @@
 #			remote getway has no fixed address (Road Warrior)
 #			then specify the gateway as 0.0.0.0/0.
 #
-#	GATEWAY ZONES --	Optional. If the gateway system specified in the third
+#	GATEWAY 
 #	ZONES --	Optional. If the gateway system specified in the third
 #			column is a standalone host then this column should
-#			contain a comma-separated list of the names of the zones that
+#			contain a comma-separated list of the names of the
-#			the host might be in. This column only applies to IPSEC tunnels.
+#			zones that the host might be in. This column only
 #			applies to IPSEC tunnels.
 #
 #		Example 1:
 #
@ -71,5 +78,12 @@
 #
 #			pptpserver	net
 #
-# TYPE			ZONE	GATEWAY		GATEWAY ZONE
+#		Example 7:
 #
 #			OPENVPN tunnel. The remote gateway is 4.33.99.124 and
 #			openvpn uses port 7777.
 #
 #			openvpn:7777	net	4.33.99.124
 #
 # TYPE			ZONE	GATEWAY		GATEWAY ZONE	PORT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
 #
-#     (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.13
+VERSION=1.3.14
 usage() # $1 = exit status
 {