Snapshot 20030809

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@691 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-01 15:35:50 +02:00 · 2003-08-09 17:14:58 +00:00 · 2003-08-09 17:14:58 +00:00 · edfbafc0cb
commit edfbafc0cb
parent b235cd19e1
40 changed files with 16289 additions and 19266 deletions
--- a/Shorewall-docs/CorpNetwork.htm
+++ b/Shorewall-docs/CorpNetwork.htm
@ -20,16 +20,18 @@
 <script><!--
 function PrivoxyWindowOpen(){return(null);}
 //--></script> 
 <table id="AutoNumber1" style="border-collapse: collapse;" height="90"
 cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
 border="0">
    <tbody>
    <tr>
      <td width="100%">              
-      <h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
+      <h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
-Internal        Servers</font></h1>
+       Servers</font></h1>
       </td>
     </tr>
  </tbody> 
 </table>
@ -51,15 +53,16 @@ used      and verify these </b><i>before</i><b> starting.</b>      </li>
     configuration especially if you have split DNS.</b>      </li>
     <li><b>System names and Internet IP addresses have been changed to protect 
     the innocent.</b> </li>
  </ul>
-  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This   
+  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This    configuration
-configuration uses a combination of Static NAT and Proxy ARP. This is   
+uses a combination of Static NAT and Proxy ARP. This is    generally not
-generally not relevant to a simple configuration with a single public IP
+relevant to a simple configuration with a single public IP    address.</small></b></big><big><b><small>
-   address.</small></b></big><big><b><small> If you have just a single public
+If you have just a single public IP    address, most of what you see here
-IP    address, most of what you see here won't apply to your setup so beware
+won't apply to your setup so beware of    copying parts of this configuration
-of    copying parts of this configuration and expecting them to work for
+and expecting them to work for you. What    you copy may or may not work
-you. What    you copy may or may not work in your    configuration.<br>
+in your    configuration.<br>
   </small></b></big><br>
   </p>
@ -67,15 +70,15 @@ you. What    you copy may or may not work in your    configuration.<br>
 internet is connected to eth0. The local network is connected via eth1   
 (10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have 
 an    IPSec tunnel connecting our offices in Germany to our offices in the 
-US. I    host two Microsoft Exchange servers for two different companies
+US. I    host two Microsoft Exchange servers for two different companies behind
-behind the    firewall hence, the two Exchange servers in the diagram below.</p>
+the    firewall hence, the two Exchange servers in the diagram below.</p>
  <p>Summary:<br>
   </p>
  <ul>
-     <li>SNAT for all systems connected to the LAN - Internal addresses 10.10.x.x
+      <li>SNAT for all systems connected to the LAN - Internal addresses
-     to external address 192.0.18.127.      </li>
+10.10.x.x      to external address 192.0.18.127.      </li>
     <li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address 
     10.10.1.8 and external address 192.0.18.70.      </li>
     <li>Static NAT for <i>Sims</i> (Inventory Management server). Internal 
@ -89,6 +92,7 @@ behind the    firewall hence, the two Exchange servers in the diagram below.</p>
     10.10.1.230 and external address 192.0.18.97.      </li>
     <li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address 
     10.10.1.60 and external address 192.0.18.115. </li>
  </ul>
  <p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with 
@ -124,31 +128,31 @@ an IPSec tunnel.</p>
  <p><b>Some Mistakes I Made:</b></p>
  <p>Yes, believe it or not, I made some really basic mistakes when building 
-   this firewall. Firstly, I had the new firewall setup in parallel with
+   this firewall. Firstly, I had the new firewall setup in parallel with the
-the old    firewall so that there was no interruption of service to my users.
+old    firewall so that there was no interruption of service to my users. 
 During my    out-bound testing, I set up systems on the LAN to utilize the 
-firewall which    worked fine. When testing my NAT connections, from the
+firewall which    worked fine. When testing my NAT connections, from the outside,
-outside, these would    fail and I could not understand why. Eventually,
+these would    fail and I could not understand why. Eventually, I changed
-I changed the default route    on the internal system I was trying to access,
+the default route    on the internal system I was trying to access, to point
-to point to the new firewall    and "bingo", everything worked as expected.
+to the new firewall    and "bingo", everything worked as expected. This oversight
-This oversight delayed my    deployment by a couple of days not to mention
+delayed my    deployment by a couple of days not to mention level of frustration
-level of frustration it    produced. </p>
+it    produced. </p>
  <p>Another problem that I encountered was in setting up the Proxyarp system 
 in    the DMZ. Initially I forgot to remove the entry for the eth2 from the 
   /etc/shorewall/masq file. Once my file settings were correct, I started 
-   verifying that the ARP caches on the firewall, as well as the outside
+   verifying that the ARP caches on the firewall, as well as the outside system
-system    "kaos", were showing the correct Ethernet MAC address. However,
+   "kaos", were showing the correct Ethernet MAC address. However, in testing
-in testing    remote access, I could access the system in the DMZ only from
+   remote access, I could access the system in the DMZ only from the firewall
-the firewall and    LAN but not from the Internet. The message I received
+and    LAN but not from the Internet. The message I received was "connection
-was "connection denied"    on all protocols. What I did not realize was that
+denied"    on all protocols. What I did not realize was that a "helpful"
-a "helpful" administrator    that had turned on an old system and assigned
+administrator    that had turned on an old system and assigned the same address
-the same address as the one I    was using for Proxyarp without notifying
+as the one I    was using for Proxyarp without notifying me. How did I work
-me. How did I work this out. I    shutdown the system in the DMZ, rebooted
+this out. I    shutdown the system in the DMZ, rebooted the router and flushed
-the router and flushed the ARP cache    on the firewall and kaos. Then, from
+the ARP cache    on the firewall and kaos. Then, from kaos, I started pinging
-kaos, I started pinging that IP address    and checked the updated ARP cache
+that IP address    and checked the updated ARP cache and lo-and-behold a
-and lo-and-behold a different MAC address    showed up. High levels of frustration
+different MAC address    showed up. High levels of frustration etc., etc.
-etc., etc. The administrator will    <i>not</i> be doing that again! :-)</p>
+The administrator will    <i>not</i> be doing that again! :-)</p>
  <p><b>Lessons Learned:</b></p>
@ -158,12 +162,13 @@ etc., etc. The administrator will    <i>not</i> be doing that again! :-)</p>
     <li>Understand what services you are going to allow in and out of the 
     firewall, whether they are TCP or UDP packets and make a note of these 
 port      numbers.      </li>
-    <li>Try to get quiet time to build the firewall - you need to focus on
+     <li>Try to get quiet time to build the firewall - you need to focus
-the      job at hand.      </li>
+on the      job at hand.      </li>
     <li>When asking for assistance, be honest and include as much detail 
 as      requested. Don't try and hide IP addresses etc., you will probably 
 screw up      the logs and make receiving assistance harder.      </li>
     <li>Read the documentation. </li>
  </ul>
  <p><b>Futures:</b></p>
@ -173,10 +178,9 @@ be    moving more systems from the LAN to the DMZ. I will also be watching
 the logs    for port scan programs etc. but, this should be standard security 
   maintenance.</p>
-  <p>Here are copies of my files. I have removed most of the internal   
+  <p>Here are copies of my files. I have removed most of the internal    documentation
-documentation for the purpose of this space however, my system still has
+for the purpose of this space however, my system still has the    original
-the    original files with all the comments and I highly recommend you do
+files with all the comments and I highly recommend you do the    same.</p>
 the    same.</p>
 </blockquote>
 <h3>Shorewall.conf</h3>
@ -272,10 +276,10 @@ function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
  <br>
 </p>
-<p><small><a
+<p><small><a href="GnuCopyright.htm">Copyright  2003 Thomas M. Eastep and
- href="file:///C:/Documents%20and%20Settings/Graeme%20Boyle/Local%20Settings/Temporary%20Internet%20Files/OLKD/GnuCopyright.htm">Copyright
+Graeme Boyle</a></small><br>
 2003 Thomas M. Eastep and Graeme Boyle</a></small><br>
 </p>
 <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
--- a/Shorewall-docs/FTP.html
+++ b/Shorewall-docs/FTP.html
@ -0,0 +1,234 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall and FTP</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
                  <tbody>
                   <tr>
                    <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
                    </td>
                  </tr>
  </tbody>           
 </table>
 <h2></h2>
 <blockquote>      </blockquote>
 <p>FTP transfers involve two TCP connections. The first <u>control</u> connection 
 goes from the FTP client to port 21 on the FTP server. This connection is 
 used for logon and to send commands and responses between the endpoints. 
 Data transfers (including the output of "ls" and "dir" commands) requires 
 a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
 that the client is operating in:<br>
   </p>
 <ul>
     <li>Passive Mode (default for web browsers) -- The client issues a PASV 
 command. Upon receipt of this command, the server listens on a dynamically-allocated 
 port then sends a PASV reply to the client. The PASV reply gives the IP address
 and port number that the server is listening on. The client then opens a
 second connection to that IP address and port number.</li>
     <li>Active Mode (often the default for line-mode clients) -- The client 
 listens on a dynamically-allocated port then sends a PORT command to the 
 server. The PORT command gives the IP address and port number that the client 
 is listening on. The server then opens a connection to that IP address and 
 port number; the <u>source port</u> for this connection is 20 (ftp-data in 
 /etc/services).</li>
 </ul>
   You can see these commands in action using your linux ftp command-line 
 client in debugging mode.  Note that my ftp client defaults to passive mode 
 and that I can toggle between passive and  active mode by issuing a "passive" 
 command:<br>
 <blockquote>         
  <pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
 color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
 color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x    5 0        0            4096 Nov  9  2002 archives<br>drwxr-xr-x    2 0        0            4096 Feb 12  2002 etc<br>drwxr-sr-x    6 0        50           4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
 color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
 color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x    5 0        0            4096 Nov  9  2002 archives<br>drwxr-xr-x    2 0        0            4096 Feb 12  2002 etc<br>drwxr-sr-x    6 0        50           4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
   </blockquote>
   Things to notice:<br>
 <ol>
     <li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
   </li>
   <li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
     <li>Command responses from the server over the control connection are
 numbered.<br>
     </li>
     <li>FTP uses a comma as a separator between the bytes of the IP address; 
 and</li>
     <li>When sending a port number, FTP sends the MSB then the LSB and separates 
 the two bytes by a comma. As shown in the PORT command, port 142,58 translates
 to 142*256+58 = 36410.<br>
     </li>
 </ol>
   Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
 local clients to remote servers will always work but active mode requires
 the firewall to dynamically open a "hole" for the server's connection back
 to the client. Similarly, if you are running an FTP server in your local
 zone then active mode should always work but passive mode requires the firewall
 to dynamically open a "hole" for the client's second connection to the server.
 This is the role of FTP connection-tracking support in the Linux kernel. 
 <div align="left"><br>
   Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved, 
 the PORT commands and PASV responses may  also need to be modified by the 
 firewall. This is the job of the FTP nat support kernel function.<br>
   </div>
 <p>Including FTP connection-tracking and NAT support normally means that the
 modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically
 loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/ 
 and you can determine if they are loaded using the 'lsmod' command:<br>
       </p>
 <blockquote>                
  <p>Example:<br>
       </p>
  <blockquote>                         
    <pre>[root@lists etc]# lsmod<br>Module                  Size  Used by    Not tainted<br>autofs                 12148   0  (autoclean) (unused)<br>ipt_TOS                 1560  12  (autoclean)<br>ipt_LOG                 4120   5  (autoclean)<br>ipt_REDIRECT            1304   1  (autoclean)<br>ipt_REJECT              3736   4  (autoclean)<br>ipt_state               1048  13  (autoclean)<br>ip_nat_irc              3152   0  (unused)<br><b>ip_nat_ftp              3888   0  (unused)</b><br>ip_conntrack_irc        3984   1<br><b>ip_conntrack_ftp        5008   1</b><br>ipt_multiport           1144   2  (autoclean)<br>ipt_conntrack           1592   0  (autoclean)<br>iptable_filter          2316   1  (autoclean)<br>iptable_mangle          2680   1  (autoclean)<br>iptable_nat            20568   3  (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack           26088   5  (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables              14488  12  [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip                  42464   0  (unused)<br>e100                   50596   1<br>keybdev                 2752   0  (unused)<br>mousedev                5236   0  (unused)<br>hid                    20868   0  (unused)<br>input                   5632   0  [keybdev mousedev hid]<br>usb-uhci               24684   0  (unused)<br>usbcore                73280   1  [hid usb-uhci]<br>ext3                   64704   2<br>jbd                    47860   2  [ext3]<br>[root@lists etc]#<br></pre>
       </blockquote>
     </blockquote>
 <blockquote>                        </blockquote>
 <p>If you want Shorewall to load these modules from an alternate directory, 
  you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf 
 to point to that directory.<br>
       </p>
 <p>Server configuration is covered in <a href="Documentation.htm#Rules">the
   /etc/shorewall/rules documentation</a>,<br>
       </p>
 <p>For a client, you must open outbound TCP port 21. <br>
                 </p>
 <p>The above discussion about commands and responses makes it clear that the
 FTP connection-tracking and NAT helpers must scan the traffic on the control
 connection looking for PASV and PORT commands as well as PASV responses. If
 you run an FTP server on a nonstandard port or you need to access      such
 a server,  you must therefore let the helpers know by specifying the port
 in /etc/shorewall/modules entries for the helpers.      For example, if you
 run an FTP server that listens on port 49 then you   would   have:<br>
                 </p>
 <blockquote>                                                 
  <p>loadmodule ip_conntrack_ftp ports=21,49<br>
               loadmodule ip_nat_ftp ports=21,49<br>
                   </p>
                 </blockquote>
 <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
      have problems accessing regular FTP servers.</p>
 <p>If there is a possibility that these modules might be loaded before Shorewall
  starts, then you should include the port list in /etc/modules.conf:<br>
                 </p>
 <blockquote>                                                 
  <p>options ip_conntrack_ftp ports=21,49<br>
               options ip_nat_ftp ports=21,49<br>
              </p>
            </blockquote>
 <p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
     and/or /etc/modules.conf, you must either:<br>
            </p>
 <ol>
              <li>Unload the modules and restart shorewall: (<b><font
 color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
     or</li>
              <li>Reboot</li>
 </ol>
 One problem that I see occasionally involves active mode and the FTP server 
 in my DMZ. I see the active data connection <u>to certain client IP addresses</u> 
 being continuously rejected by my firewall. It is my conjecture that there 
 is some broken client out there that is sending a PORT command that is being 
 either missed or mis-interpreted by the FTP connection tracking helper yet 
 it is being accepted by my FTP server. My solution is to add the following 
 rule:<br>
 <blockquote>   
  <table cellpadding="2" cellspacing="0" border="1">
     <tbody>
       <tr>
         <td valign="top"><b>ACTION<br>
         </b></td>
         <td valign="top"><b>SOURCE<br>
         </b></td>
         <td valign="top"><b>DESTINATION<br>
         </b></td>
         <td valign="top"><b>PROTOCOL<br>
         </b></td>
         <td valign="top"><b>PORT(S)<br>
         </b></td>
         <td valign="top"><b>SOURCE<br>
 PORT(S)<br>
         </b></td>
         <td valign="top"><b>ORIGINAL<br>
 DESTINATION<br>
         </b></td>
       </tr>
       <tr>
         <td valign="top">ACCEPT:info<br>
         </td>
         <td valign="top">dmz<br>
         </td>
         <td valign="top">net<br>
         </td>
         <td valign="top">tcp<br>
         </td>
         <td valign="top">-<br>
         </td>
         <td valign="top">20<br>
         </td>
         <td valign="top"><br>
         </td>
       </tr>
    </tbody>   
  </table>
   <br>
 </blockquote>
 The above rule accepts and logs all active mode connections from my DMZ
 to the net.<br>
 <blockquote>                                    
  <p>         </p>
                 </blockquote>
 <blockquote>     </blockquote>
 <p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
                <a href="copyright.htm"><font size="2">Copyright</font> 
 ©  <font size="2">2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/GenericTunnels.html
+++ b/Shorewall-docs/GenericTunnels.html
@ -0,0 +1,203 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Generic Tunnels</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 Shorewall includes built-in support for a wide range of VPN solutions.
 If you have need for a tunnel type that does not have explicit support,
 you can generally describe the tunneling software using "generic
 tunnels"<br>
 <h2>Bridging two Masqueraded Networks</h2>
 <p>Suppose that we have the following situation:</p>
 <p align="center"> <img border="0" src="images/TwoNets1.png"
 width="745" height="427"> </p>
 <p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
 able to communicate with the systems in the 10.0.0.0/8 network. This is
 accomplished through use of the /etc/shorewall/tunnels file, the
 /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
 included with Shorewall.<br>
 </p>
 <p align="left">Suppose that you have tunneling software that uses two
 different protocols:<br>
 </p>
 <p align="left">a) TCP port 1071<br>
 b) GRE (Protocol 47)<br>
 c) The tunnel interface on system A is "tun0" and the tunnel interface
 on system B is also "tun0".<br>
 </p>
 <p align="left">On each firewall, you will need to declare a zone to
 represent the remote subnet. We'll assume that this zone is called
 'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><strong>ZONE</strong></td>
        <td><strong>DISPLAY</strong></td>
        <td><strong>COMMENTS</strong></td>
      </tr>
      <tr>
        <td>vpn</td>
        <td>VPN</td>
        <td>Remote Subnet</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
 zone.
 In /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ZONE</b></td>
        <td><b>INTERFACE</b></td>
        <td><b>BROADCAST</b></td>
        <td><b>OPTIONS</b></td>
      </tr>
      <tr>
        <td>vpn</td>
        <td>tun0</td>
        <td>10.255.255.255</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p align="left">In /etc/shorewall/tunnels on system A, we need the
 following:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>TYPE</b></td>
        <td><b>ZONE</b></td>
        <td><b>GATEWAY</b></td>
        <td><b>GATEWAY ZONE</b></td>
      </tr>
      <tr>
        <td>generic:tcp:1071<br>
        </td>
        <td>net</td>
        <td>134.28.54.2</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td style="vertical-align: top;">generic:47<br>
        </td>
        <td style="vertical-align: top;">net<br>
        </td>
        <td style="vertical-align: top;">134.28.54.2<br>
        </td>
        <td style="vertical-align: top;"><br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p>These entries in /etc/shorewall/tunnels, opens the firewall so that
 TCP port 1071 and the Generalized Routing Encapsulation Protocol (47)
 will be accepted to/from the remote gateway.</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ZONE</b></td>
        <td><b>INTERFACE</b></td>
        <td><b>BROADCAST</b></td>
        <td><b>OPTIONS</b></td>
      </tr>
      <tr>
        <td>vpn</td>
        <td>tun0</td>
        <td>192.168.1.255</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p>In /etc/shorewall/tunnels on system B, we have:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>TYPE</b></td>
        <td><b>ZONE</b></td>
        <td><b>GATEWAY</b></td>
        <td><b>GATEWAY ZONE</b></td>
      </tr>
      <tr>
        <td>generic:tcp:1071<br>
        </td>
        <td>net</td>
        <td>206.191.148.9</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td style="vertical-align: top;">generic:47<br>
        </td>
        <td style="vertical-align: top;">net<br>
        </td>
        <td style="vertical-align: top;">134.28.54.2<br>
        </td>
        <td style="vertical-align: top;"><br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p align="left"> You will need to allow traffic between the "vpn" zone
 and the "loc" zone on both systems -- if you simply want to admit all
 traffic in both directions, you can use the policy file:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><strong>SOURCE</strong></td>
        <td><strong>DEST</strong></td>
        <td><strong>POLICY</strong></td>
        <td><strong>LOG LEVEL</strong></td>
      </tr>
      <tr>
        <td>loc</td>
        <td>vpn</td>
        <td>ACCEPT</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>vpn</td>
        <td>loc</td>
        <td>ACCEPT</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p>On both systems, restart Shorewall and start your VPN software on
 each system. The systems in the two masqueraded subnetworks
 can now talk to each other</p>
 <p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
 <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/PPTP.htm
+++ b/Shorewall-docs/PPTP.htm
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@ -2,36 +2,28 @@
 <html>
 <head>
  <title>Shorewall Squid Usage</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <table cellpadding="0" cellspacing="0" border="0" width="100%"
 bgcolor="#3366ff">
  <tbody>
    <tr>
      <td valign="middle" width="33%" bgcolor="#3366ff"><a
 href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
- alt="" width="88" height="31" hspace="4">
+ alt="" width="88" height="31" hspace="4"> </a><br>
                  </a><br>
      </td>
-                  <td valign="middle" height="90" align="center"
+      <td valign="middle" height="90" align="center" width="34%">
 width="34%">              
      <h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
      <h1> </h1>
      </td>
-                  <td valign="middle" height="90" width="33%"
+      <td valign="middle" height="90" width="33%" align="right"><a
- align="right"><a href="http://www.squid-cache.org/"><img
+ href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
- src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
+ alt="" width="100" height="31" hspace="4"> </a><br>
                  </a><br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
@ -40,69 +32,54 @@
 Proxy</b></u>. If you are running Shorewall 1.3, please see <a
 href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
 <br>
-                <img border="0" src="images/j0213519.gif" width="60"
+<img border="0" src="images/j0213519.gif" width="60" height="60"
- height="60" alt="Caution" align="middle">
+ alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
-              &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
+following general requirements:<br>
 <br>
-              <b><img src="images/BD21298_3.gif" alt="" width="13"
+<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
- height="13">
+&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
-              &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured 
+as a transparent proxy as described at <a
-  to  run   as  a transparent proxy  as described at <a
+ href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
 href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
 <b><br>
-              </b><b><img src="images/BD21298_3.gif" alt="" width="13"
+</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
- height="13">
+&nbsp;&nbsp;&nbsp; </b>The following instructions mention
-              &nbsp;&nbsp;&nbsp; </b>The following instructions mention the 
+the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
- files   /etc/shorewall/start   and /etc/shorewall/init -- if you don't have 
+have those files, siimply create them.<br>
 those   files, siimply create  them.<br>
 <br>
-              <b><img src="images/BD21298_3.gif" alt="" width="13"
+<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
- height="13">
+When the Squid server is in the DMZ zone or in the local zone, that
-               </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ 
+zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
-zone   or  in  the  local zone, that zone must be defined ONLY by its interface
+file entries. That is because the packets being routed to the Squid
-  -- no  /etc/shorewall/hosts   file entries. That is because the packets
+server still have their original destination IP addresses.<br>
 being   routed  to the Squid server   still have their original destination
 IP addresses.<br>
 <br>
-              <b><img src="images/BD21298_3.gif" alt="" width="13"
+<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
- height="13">
+You must have iptables installed on your Squid server.<br>
               </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on 
 your   Squid    server.<br>
 <br>
-              <b><img src="images/BD21298_3.gif" alt="" width="13"
+<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
- height="13">
+If you run a Shorewall version earlier than 1.4.6, you must have NAT
-               </b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
+and MANGLE enabled in your /etc/shorewall/conf file<br>
  than 1.4.6, you must have NAT and MANGLE enabled in your   /etc/shorewall/conf
    file<br>
 <br>
 &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
 NAT_ENABLED=Yes<br>
-            </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
+</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
 color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
 <br>
 Three different configurations are covered:<br>
 <ol>
-                <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running 
+  <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
-   on  the  Firewall.</a></li>
+running on the Firewall.</a></li>
-                <li><a href="Shorewall_Squid_Usage.html#Local">Squid running
+  <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
-  in  the  local  network</a></li>
+local network</a></li>
-                <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
+  <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
 in  the  DMZ</a></li>
 </ol>
 <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
-                 You want to redirect all local www connection requests EXCEPT
+You want to redirect all local www connection requests
-                                                       those to your    
+EXCEPT those to your own http server (206.124.146.177) to a Squid
-own       http server                                                  (206.124.146.177)
+transparent proxy running on the firewall
-                to a Squid                                              
+and listening on port 3128. Squid will of course require access
-   transparent            proxy  running on the firewall and listening on
+to remote web servers.<br>
 port  3128. Squid      will     of course  require access to remote web servers.<br>
 <br>
 In /etc/shorewall/rules:<br>
 <br>
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -139,64 +116,50 @@ port  3128. Squid      will     of course  require access to remote web servers.
        <td> <br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
 </blockquote>
-           There may be a requirement to exclude additional destination hosts 
+There may be a requirement to exclude additional destination
-  or networks from being redirected. For example, you might also want requests 
+hosts or networks from being redirected. For example, you might also
-  destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
+want
-  must add a manual rule in /etc/shorewall/start:<br>
+requests destined for 130.252.100.0/24 to not be routed to Squid. In
-         
+that
 case, you must add a manual rule in /etc/shorewall/start:<br>
 <blockquote>
  <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
 </blockquote>
-     &nbsp;To exclude additional hosts or networks, just add additional similar 
+&nbsp;To exclude additional hosts or networks, just add additional
-  rules.<br>
+similar rules.<br>
 <h2><a name="Local"></a>Squid Running in the local network</h2>
-                 You want to redirect all local www connection requests 
+You want to redirect all local www connection requests to a Squid
-to  a  Squid                                                    transparent 
+transparent proxy running in your local zone at 192.168.1.3 and
-      proxy   running   in your local zone at 192.168.1.3 and listening on 
+listening
-port   3128.    Your local  interface is eth1. There may also be a web server 
+on port 3128. Your local interface is eth1. There may also be a web
-running  on   192.168.1.3. It is assumed that web access is already enabled 
+server running on 192.168.1.3. It is assumed that web access is already
-from the  local   zone to the internet.<br>
+enabled from the local zone to the internet..<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
        other aspects of your gateway including but not limited to traffic
 shaping       and route redirection. For that reason, <b>I don't recommend
 it</b>.<br>
                  </p>
 <ul>
  <li>On your firewall system, issue the following command<br>
  </li>
 </ul>
 <blockquote>
  <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
 </blockquote>
 <ul>
  <li>In /etc/shorewall/init, put:<br>
  </li>
 </ul>
 <blockquote>
  <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br>	ip rule add fwmark 202 table www.out<br>	ip route add default via 192.168.1.3 dev eth1 table www.out<br>	ip route flush cache<br>	echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
 </blockquote>
 <ul>
-                  <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, 
+  <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
-  please upgrade to Shorewall 1.4.2 or later.<br>
+upgrade to Shorewall 1.4.2 or later.<br>
    <br>
  </li>
-           <li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
+  <li>If you are running Shorewall 1.4.2 or later, then in
 /etc/shorewall/interfaces:<br>
    <br>
    <table cellpadding="2" cellspacing="0" border="1">
      <tbody>
        <tr>
@ -219,14 +182,12 @@ from the  local   zone to the internet.<br>
          <td valign="top"><b>routeback</b><br>
          </td>
        </tr>
      </tbody>
    </table>
    <br>
  </li>
  <li>In /etc/shorewall/rules:<br>
    <br>
    <table border="1" cellpadding="2" style="border-collapse: collapse;">
      <tbody>
        <tr>
@ -254,14 +215,12 @@ from the  local   zone to the internet.<br>
          <td><br>
          </td>
        </tr>
      </tbody>
    </table>
  </li>
  <br>
  <li>Alternativfely, if you are running Shorewall 1.4.0 you can have
 the following policy in place of the above rule:<br>
    <table cellpadding="2" cellspacing="0" border="1">
      <tbody>
        <tr>
@ -288,84 +247,63 @@ from the  local   zone to the internet.<br>
          <td valign="top"><br>
          </td>
        </tr>
      </tbody>
    </table>
    <br>
  </li>
  <li>In /etc/shorewall/start add:<br>
  </li>
 </ul>
 <blockquote>
  <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
 </blockquote>
 <ul>
-                 <li>On 192.168.1.3, arrange for the following command to 
+  <li>On 192.168.1.3, arrange for the following command to be executed
-be  executed     after   networking has come up<br>
+after networking has come up<br>
    <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
  </li>
 </ul>
-                
+<blockquote> If you are running RedHat on the server, you can simply
-<blockquote>  If you are running RedHat on the server, you can simply execute
+execute the following commands after you have typed the iptables
-       the following  commands after you have typed the iptables command
+command above:<br>
 above:<br>
 </blockquote>
 <blockquote>
  <blockquote> </blockquote>
  <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
 color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
 </blockquote>
 <blockquote> </blockquote>
 <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
-                You have a single Linux system in your DMZ with IP address
+You have a single Linux system in your DMZ with IP address 192.0.2.177.
- 192.0.2.177.       You want to run both a web server and Squid on that system.
+You want to run both a web server and Squid on that system. Your DMZ
- Your DMZ  interface     is eth1 and your local interface is eth2.<br>
+interface is eth1 and your local interface is eth2.<br>
 <ul>
  <li>On your firewall system, issue the following command<br>
  </li>
 </ul>
 <blockquote>
  <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
 </blockquote>
 <ul>
  <li>In /etc/shorewall/init, put:<br>
  </li>
 </ul>
 <blockquote>
  <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br>	ip rule add fwmark 202 table www.out<br>	ip route add default via 192.0.2.177 dev eth1 table www.out<br>	ip route flush cache<br>fi</b></font><br></pre>
 </blockquote>
 <ul>
  <li>&nbsp;Do<b> one </b>of the following:<br>
    <br>
 A) In /etc/shorewall/start add<br>
  </li>
 </ul>
 <blockquote>
  <pre><b><font color="#009900">	iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
 </blockquote>
-                
+<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in
-<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
+/etc/shorewall/shorewall.conf and add the following entry in
-     and add the following entry in /etc/shorewall/tcrules:<br>
+/etc/shorewall/tcrules:<br>
 </blockquote>
 <blockquote>
  <blockquote>
    <table cellpadding="2" border="1" cellspacing="0">
@ -398,14 +336,12 @@ above:<br>
          <td valign="top">-<br>
          </td>
        </tr>
      </tbody>
    </table>
  </blockquote>
-           C) Run Shorewall 1.3.14 or later and add the following entry in
+C) Run Shorewall 1.3.14 or later and add the following entry
- /etc/shorewall/tcrules:<br>
+in /etc/shorewall/tcrules:<br>
 </blockquote>
 <blockquote>
  <blockquote>
    <table cellpadding="2" border="1" cellspacing="0">
@ -438,17 +374,13 @@ above:<br>
          <td valign="top">-<br>
          </td>
        </tr>
      </tbody>
    </table>
  </blockquote>
 </blockquote>
 <ul>
  <li>In /etc/shorewall/rules, you will need:</li>
 </ul>
 <blockquote>
  <table cellpadding="2" border="1" cellspacing="0">
    <tbody>
@ -503,42 +435,29 @@ above:<br>
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
 </blockquote>
 <ul>
-                  <li>On 192.0.2.177 (your Web/Squid server), arrange for 
+  <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
-the   following     command to be executed after  networking has come up<br>
+command to be executed after networking has come up<br>
    <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
  </li>
 </ul>
-                
+<blockquote> If you are running RedHat on the server, you can simply
-<blockquote>  If you are running RedHat on the server, you can simply execute
+execute the following commands after you have typed the iptables
-       the following  commands after you have typed the iptables command
+command above:<br>
 above:<br>
 </blockquote>
 <blockquote>
  <blockquote> </blockquote>
  <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
 color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
 </blockquote>
 <blockquote> </blockquote>
-                
+<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
 <p><font size="-1">   Updated 7/18/2003 - <a href="support.htm">Tom  Eastep</a>
 </font></p>
-                                                                        
+<a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
-        <a href="copyright.htm"><font size="2">Copyright</font>         
+ size="2">2003 Thomas M. Eastep.</font></a><br>
 &copy;    <font size="2">2003 Thomas M. Eastep.</font></a><br>
    <br>
   <br>
   <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
+++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
@ -27,20 +27,21 @@
 <h2>Background</h2>
          The traditional net-tools contain a program called <i>ifconfig</i>
- which    is used to configure network devices. ifconfig introduced the concept
+  which    is used to configure network devices. ifconfig introduced the
- of   <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
+concept   of   <i>aliased </i>or <i>virtual </i>interfaces. These virtual
- have   names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0)
+interfaces   have   names of the form <i>interface</i>:<i>integer </i>(e.g.,
-and  ifconfig   treats them more or less like real interfaces.<br>
+eth0:0) and  ifconfig   treats them more or less like real interfaces.<br>
          <br>
          Example:<br>
 <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55<br>          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0<br>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>          Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
         The ifconfig utility is being gradually phased out in favor of the 
-<i>ip</i>    utility which is part of the <i>iproute </i>package. The ip utility
+ <i>ip</i>    utility which is part of the <i>iproute </i>package. The ip 
-does   not use the concept of aliases or virtual interfaces but rather treats
+utility does   not use the concept of aliases or virtual interfaces but rather 
-additional    addresses on an interface as objects. The ip utility does provide
+treats additional    addresses on an interface as objects in their own right.
-for interaction   with ifconfig in that it allows addresses to be <i>labeled
+The ip utility does provide for interaction   with ifconfig in that it allows
-</i>and labels  may take the form of ipconfig virtual interfaces.<br>
+addresses to be <i>labeled </i>where these labels take the form of ipconfig
 virtual interfaces.<br>
          <br>
          Example:<br>
          <br>
@ -52,9 +53,26 @@ for interaction   with ifconfig in that it allows addresses to be <i>labeled
 <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
          The iptables program doesn't support virtual interfaces in either 
 it's   "-i"  or "-o" command options; as a consequence, Shorewall does not 
-allow   them to be used in the /etc/shorewall/interfaces file.<br>
+ allow   them to be used in the /etc/shorewall/interfaces file or anywhere
 else except as described in the discussion below. <br>
 <br>
 <h2>Adding Addresses to Interfaces</h2>
 Shorewall provides facilities for automatically adding addresses to interfaces
 as described in the following section. It is also easy to add them yourself
 using the <b>ip</b> utility. The above alias was added using:<br>
 <blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd 206.124.146.255
 dev eth0 label eth0:0</font></b><br>
 </blockquote>
 You probably want to arrange to add these addresses when the device is started
 rather than placing commands like the above in one of the Shorewall extension
 scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:<br>
 <br>
 <blockquote>
  <pre>#!/bin/sh<br><br>case $1 in<br>    eth0)<br>	/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br>	;;<br>esac&nbsp;<br></pre>
 </blockquote>
 RedHat systems also allow adding such aliases from the network administration
 GUI (which works well if you have a graphical environment on your firewall).<br>
 <h2>So how do I handle more than one address on an interface?</h2>
          The answer depends on what you are trying to do with the interfaces.
   In the sub-sections   that follow, we'll take a look at common scenarios.<br>
@ -91,7 +109,7 @@ with  the IP  address.<br>
                  </td>
                  <td valign="top">net<br>
                  </td>
-                <td valign="top">fw:206.124.146.178<br>
+                  <td valign="top">$FW:206.124.146.178<br>
                  </td>
                  <td valign="top">tcp<br>
                  </td>
@ -109,9 +127,9 @@ with  the IP  address.<br>
         </blockquote>
 <h3>DNAT</h3>
-        Suppose that I had set up eth0:0 as above and I wanted to port forward
+          Suppose that I had set up eth0:0 as above and I wanted to port
-   from  that virtual interface to a web server running in my local zone
+forward     from  that virtual interface to a web server running in my local
-at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
+zone at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
   file:<br>
          <br>
@ -185,8 +203,8 @@ at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/ru
  </table>
            <br>
          </blockquote>
-        Shorewall can create the alias (additional address) for you if you
+          Shorewall can create the alias (additional address) for you if
- set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
+you   set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
 with  Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
 interface)  so   that you can see the  created address using ifconfig. In
 addition to  setting   ADD_SNAT_ALIASES=Yes,  you specify the virtual interface
@ -288,9 +306,9 @@ each subsequent label.<br>
  </table>
            <br>
          </blockquote>
-        Shorewall can create the alias (additional address) for you if you
+          Shorewall can create the alias (additional address) for you if
- set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning with
+you   set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
- Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
+with   Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
 interface)  so   that you can see the  created address using ifconfig. In
 addition to  setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface
 name in the INTERFACE   column as follows:<br>
@ -491,8 +509,8 @@ and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
  </table>
            <br>
          </blockquote>
-        Note 1: If you are running Shorewall 1.3.10 or earlier then you must
+          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
-  specify   the <b>multi</b> option.<br>
+must   specify   the <b>multi</b> option.<br>
          <br>
          In /etc/shorewall/policy:<br>
          <br>
@ -601,8 +619,8 @@ not have administrative  privileges).<br>
  </table>
           <br>
          </blockquote>
-        Note 1: If you are running Shorewall 1.3.10 or earlier then you must
+          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
-  specify   the <b>multi</b> option.<br>
+must   specify   the <b>multi</b> option.<br>
          <br>
          In /etc/shorewall/hosts:<br>
@ -642,7 +660,7 @@ not have administrative  privileges).<br>
   that   you want to permit.<br>
          <br>
-<p align="left"><font size="2">Last Updated 6/22/2003 A - <a
+<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -2,18 +2,23 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                                     <base
+                                                                        
- target="main">                                                       
+              <base target="main">                                      
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -24,10 +29,16 @@
                                                            <tbody>
                                                             <tr>
                                                              <td
- width="100%" height="90">                                               
+ width="100%" height="90" align="center">                     
      <div align="center">                                               
                  </div>
         <a href="http://www.shorewall.net" target="_top"><img
 border="0" src="images/ProtectedBy.png" width="200" height="42"
 hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
-      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
+                 </a><br>
                                                             <br>
         </td>
                                                            </tr>
                                                            <tr>
@ -35,6 +46,8 @@
 width="100%" bgcolor="#ffffff">                                         
      <ul>
                                                                <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
@ -71,36 +84,17 @@
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
                                                                <li> <a
 href="support.htm">Getting   help or Answers to Questions</a></li>
-                       <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
+                           <li><a href="http://lists.shorewall.net">Mailing 
- href="http://lists.shorewall.net"> </a><br>
+ Lists</a><a href="http://lists.shorewall.net"> </a><br>
                           </li>
     <li><a href="shorewall_mirrors.htm">Mirrors</a>                     
          <ul>
                                                              <li><a
 target="_top" href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                                                              <li><a
 target="_top" href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                                                              <li><a
 target="_top" href="http://germany.shorewall.net">Germany</a></li>
-                                        <li><a target="_top"
+          <ul>
- href="http://france.shorewall.net">France</a></li>
+                                                                        
                          <li><a href="http://shorewall.syachile.cl"
 target="_top">Chile</a></li>
                         <li><a href="http://shorewall.greshko.com"
 target="_top">Taiwan</a></li>
                 <li><a href="http://argentina.shorewall.net"
 target="_top">Argentina</a></li>
              <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">Brazil</a><br>
              </li>
                                                  <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
                                                  </li>
@ -110,13 +104,7 @@
-      </ul>
+                <li>   <a href="News.htm">News    Archive</a></li>
      <ul>
                                                            <li>   <a
 href="News.htm">News    Archive</a></li>
                                                                <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
                                                                <li> <a
@ -137,11 +125,14 @@
                                                              </td>
                                                            </tr>
  </tbody>                      
 </table>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -35,11 +35,17 @@
 width="100%" bgcolor="#ffffff">                                         
      <ul>
                                                            <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
-                                                                   <li> <a
+                                                                    <li>
- href="shorewall_features.htm">Features</a></li>
+          <a href="shorewall_features.htm">Features</a></li>
            <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
     </li>
                                                            <li> <a
@ -73,46 +79,14 @@
 href="support.htm">Getting   help or Answers to Questions</a>           
       </li>
                                                 <li><a
- href="http://lists.shorewall.net">Mailing Lists</a> <br>
+ href="http://lists.shorewall.net">Mailing Lists</a></li>
-               </li>
+                                                                        
                                                <li><a
- href="shorewall_mirrors.htm">Mirrors</a>                               
+ href="shorewall_mirrors.htm">Mirrors</a></li>
          <ul>
                                                             <li><a
 target="_top" href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                                                             <li><a
 target="_top" href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                                                             <li><a
 target="_top" href="http://germany.shorewall.net">Germany</a></li>
                                      <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
                         <li><a href="http://shorewall.syachile.cl"
 target="_top">Chile</a></li>
                        <li><a href="http://shorewall.greshko.com"
 target="_top">Taiwan</a></li>
                 <li><a href="http://argentina.shorewall.net"
 target="_top">Argentina</a></li>
              <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">Brazil</a><br>
   </li>
                                                 <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
                                                 </li>
          </ul>
                                                           </li>
      </ul>
      <ul>
                                                                <li><a
 href="News.htm">News    Archive</a></li>
                                                            <li> <a
@ -130,6 +104,7 @@
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                                                          </td>
                                                        </tr>
@ -140,5 +115,6 @@
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/blacklisting_support.htm
+++ b/Shorewall-docs/blacklisting_support.htm
@ -31,7 +31,8 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration parameters:</p>
+<p>Shorewall static blacklisting support has the following configuration
 parameters:</p>
 <ul>
       <li>You specify whether you want packets from blacklisted hosts dropped
@ -42,9 +43,9 @@
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>     setting in
  /etc/shorewall/shorewall.conf</li>
       <li>You list the IP addresses/subnets that you wish to blacklist in
-    <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning 
+     <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
- with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service 
+Beginning   with Shorewall version 1.3.8, you may also specify PROTOCOL and
- names in the blacklist file.<br>
+Port numbers/Service   names in the blacklist file.<br>
      </li>
       <li>You specify the interfaces whose incoming packets you want checked
  against     the blacklist using the "<a
@ -61,19 +62,20 @@
  /sbin/shorewall commands:</p>
 <ul>
-      <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed 
+       <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
- IP    addresses to be silently dropped by the firewall.</li>
+listed   IP    addresses to be silently dropped by the firewall.</li>
       <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
 listed  IP    addresses to be rejected by the firewall.</li>
       <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
- from hosts    previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
+  from hosts    previously blacklisted by a <i>drop</i> or <i>reject</i>
-      <li>save - save the dynamic blacklisting configuration so that it will 
+command.</li>
- be    automatically restored the next time that the firewall is restarted.</li>
+       <li>save - save the dynamic blacklisting configuration so that it
 will   be    automatically restored the next time that the firewall is restarted.</li>
       <li>show dynamic - displays the dynamic blacklisting configuration.</li>
 </ul>
- Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in 
+  Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
-/etc/shorewall/interfaces.<br>
+in  /etc/shorewall/interfaces.<br>
 <p>Example 1:</p>
@ -87,7 +89,7 @@ listed  IP    addresses to be rejected by the firewall.</li>
 <p>    Reenables access from 192.0.2.125.</p>
-<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
   © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
@ -95,5 +97,6 @@ listed  IP    addresses to be rejected by the firewall.</li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -42,8 +42,8 @@ for the configuration that most closely matches your own.<br>
 href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> 
        </p>
-<p>The documentation in HTML format is included   in the .rpm and in the
+<p>The documentation in HTML format is included   in the .rpm and in the .tgz
-.tgz packages below.</p>
+packages below.</p>
 <p>  Once you've printed the appropriate QuickStart Guide, download <u> 
  one</u> of the modules:</p>
@ -89,9 +89,8 @@ have a  copy of   the documentation).</li>
 <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY        INSTALL 
      THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
-   IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed 
+  IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed  configuration
-configuration        of your firewall, you can enable startup by removing
+       of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
 the   file /etc/shorewall/startup_disabled.</b></font></p>
 <p><b></b></p>
@ -128,7 +127,7 @@ the   file /etc/shorewall/startup_disabled.</b></font></p>
                                  <td><a
 href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
                                  <td><a target="_blank"
- href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
+ href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td>
                                </tr>
                                <tr>
                                  <td>Hamburg, Germany</td>
@ -199,8 +198,8 @@ the   file /etc/shorewall/startup_disabled.</b></font></p>
  <p align="left">The <a target="_top"
 href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository 
     at        cvs.shorewall.net</a> contains the latest snapshots of the 
-each      Shorewall        component. There's no guarantee that what you
+each      Shorewall        component. There's no guarantee that what you find
-find there     will work at    all.<br>
+there     will work at    all.<br>
      </p>
    </blockquote>
@ -216,7 +215,7 @@ find there     will work at    all.<br>
                      </p>
    </blockquote>
-<p align="left"><font size="2">Last Updated 7/15/2003 - <a
+<p align="left"><font size="2">Last Updated 8/4/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -230,5 +229,6 @@ find there     will work at    all.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -24,6 +24,7 @@
                                       <tr>
                                         <td width="100%">              
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
                                         </td>
                                       </tr>
@ -45,31 +46,31 @@
                                                    </li>
                                       <li>                             
-    <p align="left">          <b>If you are installing Shorewall for the
+    <p align="left">          <b>If you are installing Shorewall for the first
-first time and plan to use the        .tgz and install.sh script, you can
+time and plan to use the        .tgz and install.sh script, you can untar
-untar the archive, replace the        'firewall' script in the untarred directory 
+the archive, replace the        'firewall' script in the untarred directory
                 with the one you downloaded        below, and then run install.sh.</b></p>
                                                    </li>
                                       <li>                             
    <p align="left">          <b>When the instructions say to install a corrected
-             firewall   script in        /usr/share/shorewall/firewall, you 
+               firewall   script in        /usr/share/shorewall/firewall,
-  may    rename the existing file before copying in the new file.</b></p>
+you    may    rename the existing file before copying in the new file.</b></p>
                               </li>
                               <li>                                     
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-            ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
+              ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
-      For    example,  do NOT install the 1.3.9a firewall script if you are
+ BELOW.       For    example,  do NOT install the 1.3.9a firewall script
-  running     1.3.7c.</font></b><br>
+if  you are   running     1.3.7c.</font></b><br>
                                           </p>
                               </li>
 </ol>
 <ul>
-                                    <li><b><a href="upgrade_issues.htm">Upgrade 
+                                       <li><b><a
-   Issues</a></b></li>
+ href="upgrade_issues.htm">Upgrade     Issues</a></b></li>
                  <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
                  </li>
                                       <li>                            <b><a
@ -82,8 +83,8 @@ untar the archive, replace the        'firewall' script in the untarred director
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3
           on RH7.2</a></font></b></li>
                                       <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
-RedHat iptables</a></b></li>
+iptables</a></b></li>
                                       <li><b><a href="#SuSE">Problems installing/upgrading
         RPM   on  SuSE</a></b></li>
                                       <li><b><a href="#Multiport">Problems 
@ -103,15 +104,47 @@ REJECT  (also applies to 2.4.21-RC1) <img src="images/new10.gif"
 <h3></h3>
 <h3>1.4.6</h3>
 <ul>
    <li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would
 fail to start with the error "ERROR:  Traffic Control requires Mangle";
 that  problem has been corrected in <a
 href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
 script</a> which may be installed in /var/share/shorewall/firewall as described
 above. This problem is also corrected in bugfix release 1.4.6a.</li>
   <li>This problem occurs in all versions supporting traffic control. If 
 a MAC address is used in the SOURCE column, an error occurs as follows:<br>
     <br>
      <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
     <br>
 For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
    <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
 firewall  script</a> which may be installed in /var/share/shorewall/firewall
 as described  above. For all other versions, you will have to edit your 'firewall'
 script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
 Locate the function add_tcrule_() and in that function, replace this line:<br>
     <br>
     r=`mac_match $source` <br>
     <br>
 with<br>
     <br>
      r="`mac_match $source` "<br>
     <br>
 Note that there must be a space before the ending quote!<br>
   </li>
 </ul>
 <h3>1.4.4b</h3>
 <ul>
-     <li>Shorewall is ignoring records in /etc/shorewall/routestopped that
+        <li>Shorewall is ignoring records in /etc/shorewall/routestopped
- have an empty second column (HOSTS). This problem may be corrected by installing
+that   have an empty second column (HOSTS). This problem may be corrected
-        <a
+by installing          <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
-as described above.</li>
+described above.</li>
      <li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
  file. This problem may be corrected by installing <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@ -123,13 +156,13 @@ file. This problem may be corrected by installing <a
 <h3>1.4.4-1.4.4a</h3>
 <ul>
-      <li>Log messages are being displayed on the system console even though
+         <li>Log messages are being displayed on the system console even
-  the log level for the console is set properly according to <a
+though    the log level for the console is set properly according to <a
 href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing 
         <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
-as described above.<br>
+described above.<br>
         </li>
 </ul>
@ -138,9 +171,9 @@ as described above.<br>
         </h3>
 <ul>
-       <li> If you have zone names that are 5 characters long, you may experience 
+          <li> If you have zone names that are 5 characters long, you may 
-  problems starting Shorewall because the --log-prefix in a logging rule is
+experience    problems starting Shorewall because the --log-prefix in a logging 
-  too long. Upgrade to Version 1.4.4a to fix this problem..</li>
+rule is   too long. Upgrade to Version 1.4.4a to fix this problem..</li>
 </ul>
@ -168,8 +201,8 @@ with fireparse    here at shorewall.net. The updated files may be found at
 directory     created in /tmp is not being removed. This problem may be corrected
 by  installing       <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
-as described above. <br>
+described above. <br>
             </li>
 </ul>
@ -208,8 +241,8 @@ produces     the harmless additional message:<br>
 <ul>
                <li>When running under certain shells Shorewall will attempt
-to  create    ECN rules even when /etc/shorewall/ecn is empty. You may either
+  to  create    ECN rules even when /etc/shorewall/ecn is empty. You may
-  just remove    /etc/shorewall/ecn or you can install <a
+either    just remove    /etc/shorewall/ecn or you can install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
       correct script</a> in /usr/share/shorewall/firewall as described above.<br>
                </li>
@ -241,11 +274,11 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
        <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
-               has   released an iptables-1.2.4 RPM of their own which you 
+                 has   released an iptables-1.2.4 RPM of their own which
- can    download         from<font color="#ff6633">   <a
+you    can    download         from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
-                  </font>I have installed this RPM   on my firewall and it 
+                    </font>I have installed this RPM   on my firewall and
- works      fine.</p>
+it   works      fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
                 the patches are available         for download. This <a
@ -264,14 +297,15 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  </ul>
                                               </blockquote>
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18               and
-and RedHat iptables</h3>
+RedHat iptables</h3>
 <blockquote>                                           
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
                 may     experience the following:</p>
  <blockquote>                                                          
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                                       </blockquote>
@ -280,9 +314,10 @@ and RedHat iptables</h3>
         the     Netfilter 'mangle' table. You can correct the problem by
        installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-                   this iptables RPM</a>. If you are already running a 1.2.5 
+                     this iptables RPM</a>. If you are already running a
-   version        of       iptables, you will need to specify the --oldpackage 
+1.2.5      version        of       iptables, you will need to specify the
-   option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+--oldpackage      option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage
 iptables-1.2.5-1.i386.rpm").</p>
                                     </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
@ -308,8 +343,8 @@ must   be  running                           Shorewall 1.3.7a or later or:</p>
                                                                    <li>set 
 MULTIPORT=No       in                                   /etc/shorewall/shorewall.conf;
  or     </li>
-                                                                 <li>if you 
+                                                                    <li>if
- are   running     Shorewall      1.3.6    you may                       
+ you   are   running     Shorewall      1.3.6    you may                
                 install                                    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
                        this firewall script</a> in /var/lib/shorewall/firewall
@ -319,8 +354,8 @@ or     </li>
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                                  </h3>
-                            /etc/shorewall/nat entries of the following form
+                               /etc/shorewall/nat entries of the following
-  will   result    in  Shorewall     being unable to start:<br>
+ form   will   result    in  Shorewall     being unable to start:<br>
                               <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -329,13 +364,13 @@ or     </li>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
                               The solution is to put "no" in the LOCAL column. 
   Kernel    support     for   LOCAL=yes   has never worked properly and 2.4.18-10
-  has    disabled  it.   The  2.4.19 kernel   contains corrected support under
+   has    disabled  it.   The  2.4.19 kernel   contains corrected support
-  a  new  kernel configuraiton    option; see <a
+under   a  new  kernel configuraiton    option; see <a
 href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
     <br>
-<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
+<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
-REJECT (also applies to 2.4.21-RC1)</b></h3>
+(also applies to 2.4.21-RC1)</b></h3>
     Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset" 
  is broken. The symptom most commonly seen is that REJECT rules act just 
 like  DROP rules when dealing with TCP. A kernel patch and precompiled modules 
@ -344,12 +379,13 @@ to fix this problem are available at <a
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
 <hr>                       
-<p><font size="2">  Last updated 6/13/2003 -   <a href="support.htm">Tom
+<p><font size="2">  Last updated 7/23/2003 -   <a href="support.htm">Tom Eastep</a></font>
-Eastep</a></font> </p>
+</p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/images/menuconfig1.jpg
+++ b/Shorewall-docs/images/menuconfig1.jpg
--- a/Shorewall-docs/images/netopts.jpg
+++ b/Shorewall-docs/images/netopts.jpg
--- a/Shorewall-docs/images/network.png
+++ b/Shorewall-docs/images/network.png
--- a/Shorewall-docs/images/network.vsd
+++ b/Shorewall-docs/images/network.vsd
--- a/Shorewall-docs/kernel.htm
+++ b/Shorewall-docs/kernel.htm
@ -25,8 +25,8 @@
  </tbody> 
 </table>
-<p>For information regarding configuring and building GNU/Linux kernels,
+<p>For information regarding configuring and building GNU/Linux kernels, see
-see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
+<a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
 <p>Here's a screen shot of my Network Options Configuration:</p>
@ -48,7 +48,7 @@ to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
 # CONFIG_PACKET_MMAP is not set<br>
 # CONFIG_NETLINK_DEV is not set<br>
 CONFIG_NETFILTER=y<br>
-   CONFIG_NETFILTER_DEBUG=y<br>
+# CONFIG_NETFILTER_DEBUG is not set<br>
 CONFIG_FILTER=y<br>
 CONFIG_UNIX=y<br>
 CONFIG_INET=y<br>
@ -62,104 +62,41 @@ to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
 CONFIG_IP_ROUTE_VERBOSE=y<br>
 # CONFIG_IP_ROUTE_LARGE_TABLES is not set<br>
 # CONFIG_IP_PNP is not set<br>
-   CONFIG_NET_IPIP=m<br>
+CONFIG_NET_IPIP=y<br>
-   CONFIG_NET_IPGRE=m<br>
+CONFIG_NET_IPGRE=y<br>
-   # CONFIG_NET_IPGRE_GROADCAST is not set<br>
+# CONFIG_NET_IPGRE_BROADCAST is not set<br>
 # CONFIG_IP_MROUTE is not set<br>
 # CONFIG_ARPD is not set<br>
 CONFIG_INET_ECN=y<br>
-   CONFIG_SYN_COOKIES=y</p>
+CONFIG_SYN_COOKIES=y<br>
  </p>
    </font> </blockquote>
 <p>Here's a screen shot of my Netfilter configuration:</p>
 <blockquote>     
-  <p><img border="0" src="images/menuconfig.jpg" width="609"
+  <p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
- height="842">
+ width="589" height="849">
  <br>
   </p>
  </blockquote>
-<p>Here's an excerpt from the corresponding .config file.</p>
+<p>Note that I have built everything I need as modules. You can also build
- 
+everything into your kernel but if you want to be able to deal with FTP running
-<blockquote>   
+on a non-standard port then I recommend that you modularize FTP Protocol
-  <p><font size="2">#<br>
+support.<br>
-   #   IP: Netfilter Configuration<br>
+</p>
-   #<br>
+<p>Here's the corresponding part of my .config file:<br>
   CONFIG_IP_NF_CONNTRACK=y<br>
   CONFIG_IP_NF_FTP=m<br>
   # CONFIG_IP_NF_QUEUE is not set<br>
   CONFIG_IP_NF_IPTABLES=y<br>
   CONFIG_IP_NF_MATCH_LIMIT=y<br>
   CONFIG_IP_NF_MATCH_MAC=y<br>
   CONFIG_IP_NF_MATCH_MARK=y<br>
   CONFIG_IP_NF_MATCH_MULTIPORT=y<br>
   CONFIG_IP_NF_MATCH_TOS=y<br>
   # CONFIG_IP_NF_MATCH_TCPMSS is not set<br>
   CONFIG_IP_NF_MATCH_STATE=y<br>
   # CONFIG_IP_NF_MATCH_UNCLEAN is not set<br>
   # CONFIG_IP_NF_MATCH_OWNER is not set<br>
   CONFIG_IP_NF_FILTER=y<br>
   CONFIG_IP_NF_TARGET_REJECT=y<br>
   # CONFIG_IP_NF_TARGET_MIRROR is not set<br>
   CONFIG_IP_NF_NAT=y<br>
   CONFIG_IP_NF_NAT_NEEDED=y<br>
   CONFIG_IP_NF_TARGET_MASQUERADE=y<br>
   CONFIG_IP_NF_TARGET_REDIRECT=y<br>
   CONFIG_IP_NF_NAT_FTP=m<br>
   CONFIG_IP_NF_MANGLE=y<br>
   CONFIG_IP_NF_TARGET_TOS=y<br>
   CONFIG_IP_NF_TARGET_MARK=y<br>
   CONFIG_IP_NF_TARGET_LOG=y<br>
   CONFIG_IP_NF_TARGET_TCPMSS=y<br>
   # CONFIG_IPV6 is not set</font><font face="Courier"><br>
   </font></p>
 </blockquote>
 <p>Note that I have built everything I need into the kernel except for the
 FTP connection tracking and NAT modules. I have also run successfully with
 all of the options selected above built as modules:</p>
 <blockquote>   
  <p><img border="0" src="images/menuconfig1.jpg" width="609"
 height="842">
 </p>
-  <p><font size="2">#<br>
+<blockquote>              
-   #   IP: Netfilter Configuration<br>
+  <pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
   #<br>
   CONFIG_IP_NF_CONNTRACK=m<br>
   CONFIG_IP_NF_FTP=m<br>
   # CONFIG_IP_NF_QUEUE is not set<br>
   CONFIG_IP_NF_IPTABLES=m<br>
   CONFIG_IP_NF_MATCH_LIMIT=m<br>
   CONFIG_IP_NF_MATCH_MAC=m<br>
   CONFIG_IP_NF_MATCH_MARK=m<br>
   CONFIG_IP_NF_MATCH_MULTIPORT=m<br>
   CONFIG_IP_NF_MATCH_TOS=m<br>
   # CONFIG_IP_NF_MATCH_TCPMSS is not set<br>
   CONFIG_IP_NF_MATCH_STATE=m<br>
   # CONFIG_IP_NF_MATCH_UNCLEAN is not set<br>
   # CONFIG_IP_NF_MATCH_OWNER is not set<br>
   CONFIG_IP_NF_FILTER=m<br>
   CONFIG_IP_NF_TARGET_REJECT=m<br>
   # CONFIG_IP_NF_TARGET_MIRROR is not set<br>
   CONFIG_IP_NF_NAT=m<br>
   CONFIG_IP_NF_NAT_NEEDED=m<br>
   CONFIG_IP_NF_TARGET_MASQUERADE=m<br>
   CONFIG_IP_NF_TARGET_REDIRECT=m<br>
   CONFIG_IP_NF_NAT_FTP=m<br>
   CONFIG_IP_NF_MANGLE=m<br>
   CONFIG_IP_NF_TARGET_TOS=m<br>
   CONFIG_IP_NF_TARGET_MARK=m<br>
   CONFIG_IP_NF_TARGET_LOG=m<br>
   CONFIG_IP_NF_TARGET_TCPMSS=m<br>
   # CONFIG_IPV6 is not set<br>
   </font></p>
   </blockquote>
-<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <a
+<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
  <a href="copyright.htm"><font size="2">Copyright</font> © <font
- size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
+ size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -12,6 +12,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mailing Lists</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -42,6 +43,7 @@
                                        </td>
                          <td valign="middle" width="34%" align="center"> 
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
                          </td>
                          <td valign="middle" width="33%">              
@ -66,15 +68,9 @@
  </tbody>            
 </table>
-                     
+                         If you experience problems with any of these lists,
-<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
+please                  let <a href="mailto:postmaster@shorewall.net">me</a>
-     read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
+know                                               
     Guide</a>.<br>
          </h1>
 <p align="left">If you experience problems with any of these lists, please
                let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
 <p align="left">You can report such problems by sending mail to tmeastep at
@ -92,27 +88,27 @@ incoming mail:<br>
 href="http://spamassassin.org">Spamassassin</a>          (including <a
 href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
                        </li>
-                              <li>to ensure that the sender address is fully
+                                <li>to ensure that the sender address is
-  qualified.</li>
+fully    qualified.</li>
                                <li>to verify that the sender's domain has
 an  A  or  MX  record    in  DNS.</li>
                                <li>to ensure that the host name in the HELO/EHLO 
-   command    is  a  valid    fully-qualified  DNS name that resolves.</li>
+    command    is  a  valid    fully-qualified  DNS name.</li>
 </ol>
 <h2>Please post in plain text</h2>
-                      A growing number of MTAs serving list subscribers are 
+                        A growing number of MTAs serving list subscribers 
- rejecting     all   HTML   traffic. At least one MTA has gone so far as to
+are   rejecting     all   HTML   traffic. At least one MTA has gone so far 
- blacklist  shorewall.net     "for  continuous abuse" because it has been 
+as to  blacklist  shorewall.net     "for  continuous abuse" because it has 
-my policy to  allow HTML in  list   posts!!<br>
+been  my policy to  allow HTML in  list   posts!!<br>
                        <br>
-                      I think that blocking all HTML is a Draconian way to
+                        I think that blocking all HTML is a Draconian way 
- control     spam    and   that the ultimate losers here are not the spammers
+to  control     spam    and   that the ultimate losers here are not the spammers
  but the    list subscribers      whose MTAs are bouncing all shorewall.net
  mail. As   one list subscriber   wrote  to me privately "These e-mail admin's
- need to  get a <i>(explitive   deleted)</i>  life instead of trying to rid
+  need to  get a <i>(explitive   deleted)</i>  life instead of trying to
- the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers
+rid   the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers
 to receive list   posts as must as possible,   I have now  configured the
 list server at shorewall.net   to strip all HTML   from outgoing  posts.
 This means that  HTML-only posts   will be bounced by  the list server.<br>
@ -121,11 +117,12 @@ This means that  HTML-only posts   will be bounced by  the list server.<br>
                     </p>
 <h2>Other Mail Delivery Problems</h2>
-                    If you find that you are missing an occasional list post, 
+                      If you find that you are missing an occasional list 
-  your   e-mail    admin  may be blocking mail whose <i>Received:</i> headers 
+post,    your   e-mail    admin  may be blocking mail whose <i>Received:</i> 
-  contain   the names   of certain ISPs. Again, I believe that such policies 
+headers    contain   the names   of certain ISPs. Again, I believe that such 
-  hurt more   than they  help but I'm not prepared to go so far as to start 
+policies    hurt more   than they  help but I'm not prepared to go so far 
-  stripping <i>Received:</i>      headers to circumvent those policies.<br>
+as to start    stripping <i>Received:</i>      headers to circumvent those 
 policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -138,11 +135,13 @@ This means that  HTML-only posts   will be bounced by  the list server.<br>
  <option value="boolean">Boolean </option>
  </select>
                                  Format:                               
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
                                  Sort by:                              
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -180,24 +179,9 @@ accept the server's    certificate     when   prompted by your browser.<br>
       of   general       interest to the Shorewall user community is also
 posted      to  this list.</p>
-<p align="left"><b>Before posting a problem report to this list, please see
+<p align="left"><b>To post a problem report to this list or to subscribe to
-                the <a href="http://www.shorewall.net/support.htm">problem
+the list, please see                 the <a
- reporting      guidelines</a>.</b></p>
+ href="http://www.shorewall.net/support.htm">problem  reporting      guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list:<br>
                </p>
 <ul>
                  <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
                  <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
 </ul>
 <p align="left">To post to the list, post to <a
 href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
@ -231,8 +215,8 @@ list may be found at <a
 <h2 align="left">Shorewall Development Mailing List</h2>
 <p align="left">The Shorewall Development Mailing list provides a forum for
-                the exchange of ideas about the future of Shorewall and for
+                 the exchange of ideas about the future of Shorewall and
-  coordinating             ongoing Shorewall Development.</p>
+for    coordinating             ongoing Shorewall Development.</p>
 <p align="left">To subscribe to the mailing list:<br>
                   </p>
@ -268,8 +252,8 @@ list may be found at <a
                                     <li>                               
    <p align="left">Down at the bottom of that page is the following text:
-                " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
+                 " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
-  a  password      reminder,         or change your subscription options
+get    a  password      reminder,         or change your subscription options
 enter     your subscription              email address:". Enter your email
 address       in the box and click      on the "<b>Unsubscribe</b> or edit
 options"   button.</p>
@ -277,9 +261,9 @@ options"   button.</p>
                                     <li>                               
    <p align="left">There will now be a box where you can enter your password
-                and  click on "Unsubscribe"; if you have forgotten your password,
+                 and  click on "Unsubscribe"; if you have forgotten your
-        there      is  another  button that will cause your password to be
+password,          there      is  another  button that will cause your password
- emailed       to you.</p>
+to be   emailed       to you.</p>
                                     </li>
 </ul>
@ -289,13 +273,12 @@ options"   button.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 7/7/2003 - <a
+<p align="left"><font size="2">Last updated 8/7/2003 - <a
 href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -18,6 +18,7 @@
               <tbody>
                <tr>
                 <td width="100%">                                      
      <h1 align="center"><font color="#ffffff">Ports required for Various
      Services/Applications</font></h1>
                 </td>
@ -28,8 +29,8 @@
 <p>In addition to those applications described in <a
 href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
-    are some other services/applications that you may need to configure your 
+      are some other services/applications that you may need to configure
-   firewall to accommodate.</p>
+your     firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
@ -52,11 +53,12 @@
 <p>DNS</p>
 <blockquote>                        
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-to   open TCP Port 53 as well.<br>
+want to   open TCP Port 53 as well.<br>
-            If you are configuring a server, only open TCP Port 53 if you 
+               If you are configuring a server, only open TCP Port 53 if
-will   return  long   replies to queries or if you need to enable ZONE transfers. In 
+you   will   return  long   replies to queries or if you need to enable ZONE
-  the  latter   case, be sure that your server is properly configured.</p>
+transfers. In     the  latter   case, be sure that your server is properly
 configured.</p>
             </blockquote>
 <p>ICQ   </p>
@ -101,8 +103,10 @@ will   return  long   replies to queries or if you need to enable ZONE transfers
  <p>TCP Port 110 (Secure = TCP Port 995)<br>
     </p>
   </blockquote>
 <p>IMAP<br>
   </p>
 <blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
   </blockquote>
@ -130,61 +134,13 @@ will   return  long   replies to queries or if you need to enable ZONE transfers
  <p>TCP Ports 80 and 443.</p>
             </blockquote>
-<p>FTP</p>
+<p>FTP<br>
 <blockquote>               
  <p>Server configuration is covered on in <a
 href="Documentation.htm#Rules">the   /etc/shorewall/rules documentation</a>,</p>
  <p>For a client, you must open outbound TCP port 21 and be sure that your 
      kernel is compiled to support FTP connection tracking. If you build 
 this      support as a module, Shorewall will automatically load the module 
 from     /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
           </p>
  <p>If you run an FTP server on a nonstandard port or you need to access 
   such a server, then you must specify that port in /etc/shorewall/modules. 
   For example, if you run an FTP server that listens on port 49 then you 
 would   have:<br>
  </p>
 <blockquote>      
-    <p>loadmodule ip_conntrack_ftp ports=21,49<br>
+  <p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
         loadmodule ip_nat_ftp ports=21,49<br>
  </p>
 </blockquote>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
   have problems accessing regular FTP servers.</p>
  <p>If there is a possibility that these modules might be loaded before Shorewall
 starts, then you should include the port list in /etc/modules.conf:<br>
           </p>
  <blockquote>                         
    <p>options ip_conntrack_ftp ports=21,49<br>
         options ip_nat_ftp ports=21,49<br>
        </p>
      </blockquote>
  <p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
  and/or /etc/modules.conf, you must either:<br>
      </p>
  <ol>
        <li>Unload the modules and restart shorewall: (<b><font
 color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
  or</li>
        <li>Reboot<br>
        </li>
  </ol>
  <p>         </p>
           </blockquote>
 <blockquote>     </blockquote>
 <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
 <blockquote> </blockquote>
@ -234,9 +190,12 @@ ICMP type 8 ('ping')<br>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 7/16/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-          <a href="copyright.htm"><font size="2">Copyright</font>   © <font
+             <a href="copyright.htm"><font size="2">Copyright</font>   ©
- size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@ -26,82 +26,116 @@
  </tbody>   
 </table>
-   <font size="3">"I have fought with IPtables for untold hours. First I
+    
-tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
+<ul>
  <li><font size="3">"I have fought with IPtables for untold hours. First
 I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield, 
 which also worked for 80%. Then I set out to write my own IPtables parser 
-in shell and awk, which was a lot of fun but never got me past the "hey,
+in shell and awk, which was a lot of fun but never got me past the "hey, cool"
-cool" stage. Then I discovered Shorewall. After about an hour, everything
+stage. Then I discovered Shorewall. After about an hour, everything just
-just worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
+worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
- 
+    <br>
-<p>"The configuration is intuitive and flexible, and much easier than any
+  </li>
- of the other iptables-based firewall programs out there. After sifting through
+  <li>"The configuration is intuitive and flexible, and much easier than
- many other scripts, it is obvious that yours is the most well thought-out
+any  of the other iptables-based firewall programs out there. After sifting
- and complete one available." -- BC, USA</p>
+through  many other scripts, it is obvious that yours is the most well thought-out 
-   
+ and complete one available." -- BC, USA<br>
-<p>"I just installed Shorewall after weeks of messing with       ipchains/iptables
+    <br>
  </li>
  <li>"I just installed Shorewall after weeks of messing with       ipchains/iptables 
  and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
-    </p>
+    <br>
-    "My case was almost like [the one above]. Well. instead of 'weeks' it 
+  </li>
-was  'months' for me, and I think I needed two minutes more:<br>
+  <li>"My case was almost like [the one above]. Well. instead of 'weeks'
 it  was  'months' for me, and I think I needed two minutes more:<br>
  </li>
 </ul>
 <ul>
  <ul>
    <li>One to see that I had no Internet access from the firewall itself.</li>
  </ul>
  <ul>
    <li>Other to see that this was the default configuration, and it was 
 enough  to uncomment a line in /etc/shorewall/policy.<br>
       </li>
  </ul>
 </ul>
-    Minutes instead of months! Congratulations and thanks for such a simple
+<ul>
- and well documented thing for something as huge as iptables." -- JV, Spain.
+  <li>     Minutes instead of months! Congratulations and thanks for such
 a simple  and well documented thing for something as huge as iptables." --
 JV, Spain.     </li>
 </ul>
 <ul>
  <li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1    
  without   any problems. Your documentation is great and I really appreciate
 your  network configuration info. That really helped me out alot.       THANKS!!!" 
  -- MM.           </li>
 </ul>
-<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without
+<ul>
-  any problems. Your documentation is great and I really appreciate your
+  <li>"[Shorewall is a] great, great project. I've used/tested may      
- network configuration info. That really helped me out alot.       THANKS!!!"
+firewall   scripts but this one is till now the best." -- B.R,       Netherlands
-  -- MM.           </p>
+        </li>
 </ul>
-<p>"[Shorewall is a] great, great project. I've used/tested may       firewall
+<ul>
-  scripts but this one is till now the best." -- B.R,       Netherlands 
+  <li>"Never in my +12 year career as a sys admin have I witnessed      
-       </p>
+someone   so relentless in developing a secure, state of the art, safe and
 <p>"Never in my +12 year career as a sys admin have I witnessed       someone
  so relentless in developing a secure, state of the art, safe and      
      useful   product as the Shorewall firewall package for no cost or obligation 
-  involved." -- Mario Kerecki, Toronto           </p>
+  involved." -- Mario Kerecki, Toronto           </li>
 </ul>
-<p>"one time more to report, that your great shorewall in the latest    release 
+<ul>
-      1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines 
+  <li>"one time more to report, that your great shorewall in the latest 
-up       and running with shorewall on several versions - starting with 1.2.2 
+  release        1.2.9 is working fine for me with SuSE Linux 7.3! I now
-up to       the new 1.2.9 and I never have encountered any problems!" -- SM,
+have 7 machines  up       and running with shorewall on several versions
-Germany</p>
+- starting with 1.2.2  up to       the new 1.2.9 and I never have encountered
 any problems!" -- SM, Germany</li>
 </ul>
-<p>"You have the best support of any other package I've ever       used."
+<ul>
-  -- SE, US           </p>
+  <li>"You have the best support of any other package I've ever       used." 
  -- SE, US           </li>
 </ul>
-<p>"Because our company has information which has been classified by the
+<ul>
  <li>"Because our company has information which has been classified by the 
 national government as secret, our security doesn't stop by putting a fence 
-   around our company. Information security is a hot issue. We also make
+   around our company. Information security is a hot issue. We also make use
-use   of  checkpoint firewalls, but not all of the internet servers are guarded
+  of  checkpoint firewalls, but not all of the internet servers are guarded 
  by  checkpoint, some of them are running....Shorewall." -- Name withheld 
- by request,  Europe</p>
+ by request,  Europe</li>
 </ul>
-<p>"thanx for all your efforts you put into shorewall - this product stands
+<ul>
-  out  against a lot of commercial stuff i´ve been working with in terms
+  <li>"thanx for all your efforts you put into shorewall - this product stands 
-of    flexibillity, quality &amp; support" -- RM, Austria</p>
+  out  against a lot of commercial stuff i´ve been working with in terms of
   flexibillity, quality &amp; support" -- RM, Austria</li>
 </ul>
-<p>"I have never seen such a complete firewall package that is so easy to
+<ul>
-   configure. I searched the Debian package system for firewall scripts and
+  <li>"I have never seen such a complete firewall package that is so easy
-   Shorewall won hands down." -- RG, Toronto</p>
+to    configure. I searched the Debian package system for firewall scripts
 and    Shorewall won hands down." -- RG, Toronto</li>
 </ul>
-<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
+<p></p>
-  is a  wonderful piece of software. I've just sent out an email to about
+<ul>
  <li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
 it   is a  wonderful piece of software. I've just sent out an email to about 
 30  people  recommending it. :-)<br>
    <br>
 While I had previously taken the time (maybe 40 hours) to really understand 
   ipchains, then spent at least an hour per server customizing and carefully 
   scrutinizing firewall rules, I've got shorewall running on my home firewall, 
   with rulesets and policies that I know make sense, in under 20 minutes." 
  -- RP,  Guatamala<br>
-     <br>
+  </li>
-      </p>
+</ul>
 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003 
  - <a href="support.htm">Tom Eastep</a>      </font>                    
@ -114,5 +148,6 @@ of    flexibillity, quality &amp; support" -- RM, Austria</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -1,619 +1,325 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
  <base target="_self">
 </head>
 <body>
 <table cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#3366ff">
  <tbody>
    <tr>
-                                                                        
+      <td width="33%" height="90" valign="middle" align="center"><a
-                                     <td width="33%" height="90"
+ href="http://www.cityofshoreline.com"> </a>
- valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
+      <div align="center"> <img src="images/Logo1.png"
- src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
+ alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
 border="0">
                          </a></td>
                          <td valign="middle" width="34%" align="center"
 bgcolor="#3366ff">                                                     
      <div align="center">                                              
                                              <img
 src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
       </div>
            </td>
                          <td valign="middle" width="33%">              
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><img border="0" src="images/shorewall.jpg" width="119"
 height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
            </a></h1>
                          <br>
      </td>
    </tr>
  </tbody>
 </table>
 <div align="center">
 <div align="center"> </div>
 <center>
 <div align="center"> </div>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
  <tbody>
    <tr>
      <td width="90%">
-                       
+      <h2>Introduction<br>
-      <div align="center">                                              
+      </h2>
                                              <br>
            </div>
      <h2 align="left">What is it?</h2>
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
      <p>This program is free software; you can redistribute it and/or modify 
     it          under      the    terms      of         <a
 href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
 General Public License</a> as published by the Free   Software          
 Foundation.<br>
                                    <br>
                         This     program         is   distributed      
     in    the       hope       that      it   will        be  useful,  
 but            WITHOUT        ANY         WARRANTY;         without    
      even  the    implied      warranty          of MERCHANTABILITY    
              or  FITNESS     FOR   A  PARTICULAR          PURPOSE.     
  See the     GNU  General     Public  License                for   more
 details.<br>
                                    <br>
                         You     should       have     received        a
  copy       of    the       GNU     General          Public         License
                 along       with    this   program;            if   not,
   write      to    the    Free   Software              Foundation,     
             Inc.,    675     Mass   Ave,  Cambridge,      MA    02139, 
     USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
      <h2>This is the Shorewall 1.4 Web Site</h2>
    The information on this site applies only to 1.4.x releases of Shorewall.
  For older versions:<br>
      <ul>
-                <li>The 1.3 site is <a
+        <li><a href="http://www.netfilter.org">Netfilter</a> - the
- href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
+packet filter facility built into the 2.4 and later Linux kernels.</li>
        <li>ipchains - the packet filter facility built into the 2.2
 Linux kernels. Also the name of the utility program used to configure
 and control that facility. Netfilter can be used in ipchains
 compatibility mode.<br>
        </li>
        <li>iptables - the utility program used to configure and
 control
 Netfilter. The term 'iptables' is often used to refer to the
 combination of iptables+Netfilter (with Netfilter not in
 ipchains compatibility mode).<br>
        </li>
      </ul>
 The Shoreline Firewall, more commonly known as "Shorewall", is
 high-level tool for configuring Netfilter. You describe your
 firewall/gateway requirements using entries in a set of configuration
 files. Shorewall reads those configuration files and with the help of
 the iptables utility, Shorewall configures Netfilter to match your
 requirements. Shorewall can be used on a dedicated firewall system, a
 multi-function gateway/router/server or on a standalone GNU/Linux
 system. Shorewall does not use Netfilter's ipchains compatibility mode
 and can thus take advantage of Netfilter's connection state tracking
 capabilities.<br>
      <br>
 This program is free software; you can redistribute it and/or modify it
 under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
 2 of the GNU
 General Public License</a> as published by the Free Software Foundation.<br>
      <p> This program is distributed in the hope that it will be
 useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 General Public License for more details.<br>
      <br>
 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
 675 Mass Ave, Cambridge, MA 02139, USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
 Eastep</a></p>
      <h2>This is the Shorewall 1.4 Web Site</h2>
 The information on this site applies only to 1.4.x releases of
 Shorewall. For older versions:<br>
      <ul>
        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
 target="_top">here.</a></li>
        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>.<br>
        </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
-                                        New to Shorewall? Start by selecting
+New to Shorewall? Start by selecting the <a
-  the         <a href="shorewall_quickstart_guide.htm">QuickStart  Guide</a>
+ href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
-  that   most closely               match your environment and follow the
+closely match your environment
-step  by   step instructions.<br>
+and follow the step by step instructions.<br>
      <h2>Looking for Information?</h2>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
-     Index</a> is a good place to start as is the Quick Search to your right.
+Index</a> is a good place to start as is the Quick Search to your
-                                                                        
+right.
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-                              If so, the documentation<b> </b>on this site
+If so, the documentation<b> </b>on
- will   not   apply   directly   to  your   setup.  If you want to use the
+this site will not apply directly to your setup. If you want
- documentation     that you  find here, you will want to consider uninstalling
+to use the documentation that you find here, you will want to consider
- what you have     and installing  a setup that matches    the documentation
+uninstalling what you have and installing a setup that matches the
-    on this site.     See the <a href="two-interface.htm">Two-interface 
+documentation on this site. See the <a href="two-interface.htm">Two-interface
 QuickStart Guide</a> for details.<br>
      <h2>News</h2>
-                                                                        
+      <p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
-                                                                        
+ style="border: 0px solid ; width: 28px; height: 12px;"
-                                                                        
+ src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
-                                                                        
+      <blockquote>
-                                                                        
+        <p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
-                                          
+        <a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
 target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
      </blockquote>
      <b>Problems Corrected since version 1.4.6</b><br>
      <ol>
-                                                                        
+        <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
-                                      
+variable was being tested before it was set.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of
 the tcrules file. Previously, these addresses resulted in an invalid
 iptables command.</li>
        <li>The "shorewall stop" command is now disabled when
 /etc/shorewall/startup_disabled exists. This prevents people from
 shooting themselves in the foot prior to having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages
 during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
 were being added to a PPP interface; the addresses were successfully
 added in spite of the messages.<br>
 &nbsp;&nbsp;&nbsp; <br>
 The firewall script has been modified to eliminate the error messages<br>
        </li>
      </ol>
-                                                                        
+      <b>Migration Issues:</b><br>
-                                                                        
+      <ol>
-                       
+        <li>Once you have installed this version of Shorewall, you must
-      <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
+restart Shorewall before you may use the 'drop', 'reject', 'allow' or
- src="images/new10.gif" width="28" height="12" alt="(New)">
+'save' commands.</li>
        <li>To maintain strict compatibility with previous versions,
 current uses of "shorewall drop" and "shorewall reject" should be
 replaced with "shorewall dropall" and "shorewall rejectall" </li>
      </ol>
      <b>New Features:</b><br>
      <ol>
        <li>Shorewall now creates a dynamic blacklisting chain for each
 interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
 commands use the routing table to determine which of these chains is to
 be used for blacklisting the specified IP address(es).<br>
          <br>
 Two new commands ('dropall' and 'rejectall') have been introduced that
 do what 'drop' and 'reject' used to do; namely, when an address is
 blacklisted using these new commands, it will be blacklisted on all of
 your firewall's interfaces.</li>
        <li>Thanks to Steve Herber, the 'help' command can now give
 command-specific help (e.g., shorewall help &lt;command&gt;).</li>
        <li>A new option "ADMINISABSENTMINDED" has been added to
 /etc/shorewall/shorewall.conf. This option has a default value of "No"
 for existing users which causes Shorewall's 'stopped' state &nbsp;to
 continue as it has been; namely, in the stopped state only traffic
 to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
          <br>
 With ADMINISABSENTMINDED=Yes (the default for new installs), in
 addition to traffic to/from the hosts listed in
 /etc/shorewall/routestopped, Shorewall will allow:<br>
          <br>
 &nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
 &nbsp;&nbsp; b) All traffic that is part of or related to an
 already-existing connection.<br>
          <br>
 &nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
 entered through an ssh session will not kill the session.<br>
          <br>
 &nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
 possible for people to shoot themselves in the foot.<br>
          <br>
 &nbsp;Example:<br>
          <br>
 &nbsp;/etc/shorewall/nat:<br>
          <br>
 &nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
 eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
          <br>
 &nbsp;/etc/shorewall/rules:<br>
          <br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
 loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
          <br>
 From a remote system, I ssh to 206.124.146.178 which establishes an SSH
 connection with local system 192.168.1.5. I then create a second SSH
 connection
 from that computer to the firewall and confidently type "shorewall
 stop".
 As part of its stop processing, Shorewall removes eth0:0 which kills my
 SSH
 connection to 192.168.1.5!!!</li>
        <li>Given the wide range of VPN software, I can never hope to
 add specific support for all of it. I have therefore decided to add
 "generic" tunnel support.<br>
 &nbsp;<br>
 Generic tunnels work pretty much like any of the other tunnel types.
 You usually add a zone to represent the systems at the other end of the
 tunnel and you add the appropriate rules/policies to<br>
 implement your security policy regarding traffic to/from those systems.<br>
 &nbsp;<br>
 In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
          <br>
 generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
 address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
 &nbsp;<br>
 where:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
 used by the tunnel<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
 is 'udp' or 'tcp' then this is the destination port number used by the
 tunnel.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
 the remote tunnel gateway<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
 address of the remote tunnel gateway.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
 Optional. A comma-separated list of zone names. If specified, the
 remote gateway is to be considered part of these zones.</li>
        <li>An 'arp_filter' option has been added to the
 /etc/shorewall/interfaces file. This option causes
 /proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
 result that this interface will only answer ARP 'who-has' requests from
 hosts that are routed out through that interface. Setting this option
 facilitates testing of your firewall where multiple firewall interfaces
 are connected to the same HUB/Switch (all interfaces connected to the
 single HUB/Switch should have this option specified). Note that using
 such a configuration in a production environment is strongly
 recommended against.<br>
        </li>
      </ol>
      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)"> <br>
      </b></p>
-                                                                        
+      <b>Problems Corrected since version 1.4.6:</b><br>
      <blockquote>                </blockquote>
      <p><b>Problems Corrected:</b><br>
           </p>
      <ol>
-                 <li>A problem seen on RH7.3 systems where Shorewall encountered
+        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
-    start  errors when started using the "service" mechanism has been worked
+then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
-   around.<br>
+Control requires Mangle"; that problem has been corrected.</li>
-               <br>
+        <li>Corrected handling of MAC addresses in the SOURCE column of
 the
 tcrules file. Previously, these addresses resulted in an invalid
 iptables
 command.</li>
        <li>The "shorewall stop" command is now disabled when
 /etc/shorewall/startup_disabled
 exists. This prevents people from shooting themselves in the foot prior
 to
 having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages
 during
 "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
 being
 added to a PPP interface; the addresses were successfully added in
 spite
 of the messages.<br>
 &nbsp;&nbsp; <br>
 The firewall script has been modified to eliminate the error messages.<br>
        </li>
                 <li>Where a list of IP addresses appears in the DEST column
  of  a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules
 in  the  nat  table (one for each element in the list). Shorewall now correctly
  creates   a single DNAT rule with multiple "--to-destination" clauses.<br>
              <br>
          </li>
                 <li>Corrected a problem in Beta 1 where DNS names containing 
  a  "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
                  <br>
                </li>
                <li>A number of problems with rule parsing have been corrected. 
   Corrections involve the handling of "z1!z2" in the SOURCE column as well 
  as lists in the ORIGINAL DESTINATION column.<br>
          <br>
        </li>
        <li>The message "Adding rules for DHCP" is now suppressed if there
 are no DHCP rules to add.<br>
        </li>
      </ol>
      <p><b>Migration Issues:</b><br>
          </p>
      <ol>
                 <li>In earlier versions, an undocumented feature allowed 
 entries     in the host file as follows:<br>
              <br>
              z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
              <br>
          This capability was never documented and has been removed in 1.4.6
  to  allow  entries of the following format:<br>
              <br>
              z   eth1:192.168.1.0/24,192.168.2.0/24<br>
              <br>
            </li>
                 <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
 have   been  removed from /etc/shorewall/shorewall.conf. These capabilities
 are  now automatically  detected by Shorewall (see below).<br>
            </li>
      </ol>
      <p><b>New Features:</b><br>
           </p>
      <ol>
                 <li>A 'newnotsyn' interface option has been added. This
 option    may  be specified in /etc/shorewall/interfaces and overrides the
 setting   NEWNOTSYN=No  for packets arriving on the associated interface.<br>
               <br>
             </li>
                 <li>The means for specifying a range of IP addresses in
 /etc/shorewall/masq      to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
 is enabled for   address   ranges.<br>
               <br>
             </li>
                 <li>Shorewall can now add IP addresses to subnets other
 than   the   first  one on an interface.<br>
               <br>
             </li>
                 <li>DNAT[-] rules may now be used to load balance (round-robin)
    over a  set of servers. Servers may be specified in a range of addresses
    given as &lt;first address&gt;-&lt;last address&gt;.<br>
               <br>
           Example:<br>
               <br>
               DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
               <br>
             </li>
                 <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
    options  have been removed and have been replaced by code that detects
 whether   these  capabilities are present in the current kernel. The output
 of the  start, restart and check commands have been enhanced to report the
 outcome:<br>
               <br>
           Shorewall has detected the following iptables/netfilter capabilities:<br>
              NAT: Available<br>
              Packet Mangling: Available<br>
              Multi-port Match: Available<br>
           Verifying Configuration...<br>
               <br>
             </li>
                 <li>Support for the Connection Tracking Match Extension
 has   been   added.  This extension is available in recent kernel/iptables
 releases   and   allows  for rules which match against elements in netfilter's
 connection    tracking  table. Shorewall automatically detects the availability
 of this    extension  and reports its availability in the output of the start,
 restart    and check  commands.<br>
               <br>
           Shorewall has detected the following iptables/netfilter capabilities:<br>
              NAT: Available<br>
              Packet Mangling: Available<br>
              Multi-port Match: Available<br>
              Connection Tracking Match: Available<br>
           Verifying Configuration...<br>
               <br>
           If this extension is available, the ruleset generated by Shorewall 
  is  changed  in the following ways:</li>
        <ul>
                   <li>To handle 'norfc1918' filtering, Shorewall will not
 create    chains  in the mangle table but will rather do all 'norfc1918'
 filtering   in the filter  table (rfc1918 chain).</li>
                   <li>Recall that Shorewall DNAT rules generate two netfilter
   rules;  one  in the nat table and one in the filter table. If the Connection
   Tracking  Match Extension is available, the rule in the filter table is
 extended  to  check that the original destination address was the same as
 specified  (or  defaulted to) in the DNAT rule.<br>
                 <br>
               </li>
        </ul>
                 <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) 
     may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
              <br>
          </li>
                 <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
              <br>
                ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt; 
    ]<br>
              <br>
          Examples:<br>
              <br>
                [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
                   CIDR=192.168.1.0/24<br>
                   NETMASK=255.255.255.0<br>
                   NETWORK=192.168.1.0<br>
                   BROADCAST=192.168.1.255<br>
                [root@wookie root]#<br>
              <br>
                [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
                   CIDR=192.168.1.0/24<br>
                   NETMASK=255.255.255.0<br>
                   NETWORK=192.168.1.0<br>
                   BROADCAST=192.168.1.255<br>
                [root@wookie root]#<br>
              <br>
          Warning:<br>
              <br>
          If your shell only supports 32-bit signed arithmatic (ash or dash), 
  then   the ipcalc command produces incorrect information for IP addresses 
  128.0.0.0-1   and for /1 networks. Bash should produce correct information 
  for all valid   IP addresses.<br>
              <br>
            </li>
                 <li>An 'iprange' command has been added to /sbin/shorewall.
            <br>
              <br>
                iprange &lt;address&gt;-&lt;address&gt;<br>
              <br>
          This command decomposes a range of IP addressses into a list of 
 network     and host addresses. The command can be useful if you need to construct
 an   efficient set of rules that accept connections from a range of network
 addresses.<br>
              <br>
          Note: If your shell only supports 32-bit signed arithmetic (ash 
 or  dash)   then the range may not span 128.0.0.0.<br>
              <br>
          Example:<br>
              <br>
                [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
                192.168.1.4/30<br>
                192.168.1.8/29<br>
                192.168.1.16/28<br>
                192.168.1.32/27<br>
                192.168.1.64/26<br>
                192.168.1.128/25<br>
                192.168.2.0/23<br>
                192.168.4.0/22<br>
                192.168.8.0/22<br>
                192.168.12.0/29<br>
                192.168.12.8/31<br>
                [root@gateway root]#<br>
              <br>
            </li>
                 <li>A list of host/net addresses is now allowed in an entry
  in  /etc/shorewall/hosts.<br>
              <br>
          Example:<br>
              <br>
              foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
          <br>
        </li>
        <li>The "shorewall check" command now includes the chain name when
 printing the applicable policy for each pair of zones.<br>
  <br>
     Example:<br>
  <br>
         Policy for dmz to net is REJECT using chain all2all<br>
  <br>
 This means that the policy for connections from the dmz to the internet is
 REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
 policy.<br>
          <br>
        </li>
        <li>Support for the 2.6 Kernel series has been added.<br>
        </li>
      </ol>
      <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
             <br>
             </b></p>
       Thanks to the folks at securityopensource.org.br, there is now a <a
 href="http://shorewall.securityopensource.org.br" target="_top">Shorewall 
   mirror in Brazil</a>.
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
                 </p>
      <ol>
                        <li>The command "shorewall debug try &lt;directory&gt;" 
   now   correctly   traces the attempt.</li>
                        <li>The INCLUDE directive now works properly in the 
 zones    file;    previously, INCLUDE in that file was ignored.</li>
                        <li>/etc/shorewall/routestopped records with an empty 
  second    column   are no longer ignored.<br>
                   </li>
      </ol>
      <p>New Features:<br>
                 </p>
      <ol>
                        <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
    rule   may  now contain a list of addresses. If the list begins with
 "!'    then the   rule  will take effect only if the original destination
 address    in the connection    request does not match any of the addresses
 listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
                               </b></p>
      <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel 
        and iptables 1.2.8 (using the "official" RPM from netfilter.org). 
 No   problems     have been encountered with this set of software. The Shorewall 
   version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
                  </p>
      <p><b>6/8/2003 - Updated Samples</b><b>                      </b></p>
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
         version 1.4.4.</p>
      <p><b></b></p>
      <ol>
      </ol>
      <p><a href="News.htm">More News</a></p>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
- alt="(Leaf Logo)">
+ alt="(Leaf Logo)"> </a>Jacques Nilo and Eric Wolzak have a LEAF
-                                                                        
+(router/firewall/gateway on a floppy, CD or compact flash) distribution
-                                </a>Jacques        Nilo       and     Eric
+called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
-     Wolzak          have       a   LEAF  (router/firewall/gateway      
+You can find their work at: <a
-                 on   a  floppy,       CD    or compact     flash)  distribution
+ href="http://leaf.sourceforge.net/devel/jnilo">
-                  called                 <i>Bering</i>          that    
+http://leaf.sourceforge.net/devel/jnilo<br>
     features                   Shorewall-1.4.2         and    Kernel-2.4.20.
            You        can     find         their    work at:           
          <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
      </a></p>
-                                                                        
+      <b>Congratulations to Jacques
-                                                                        
+and Eric on the recent release of Bering 1.2!!! </b><br>
                                   <b>Congratulations to Jacques and Eric 
 on  the   recent    release     of  Bering    1.2!!! </b><br>
      <h2><a name="Donations"></a>Donations</h2>
      </td>
-                                                                        
+      <td width="88" bgcolor="#3366ff" valign="top" align="center">
                                       <td width="88" bgcolor="#3366ff"
 valign="top" align="center">                                            
      <form method="post"
- action="http://lists.shorewall.net/cgi-bin/htsearch">                  
+ action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
-       <strong><br>
+        <font color="#ffffff"><b>Note: </b></font></strong><font
                                                                       <font
 color="#ffffff"><b>Note:              </b></font></strong><font
 color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
        <strong></strong>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-                                                                        
+        <font face="Arial" size="-1"> <input type="text" name="words"
-            <font face="Arial" size="-1">        <input type="text"
+ size="15"></font><font size="-1"> </font> <font face="Arial"
- name="words" size="15"></font><font size="-1"> </font>      <font
+ size="-1"> <input type="hidden" name="format" value="long"> <input
- face="Arial" size="-1">     <input type="hidden" name="format"
+ type="hidden" name="method" value="and"> <input type="hidden"
- value="long">     <input type="hidden" name="method" value="and">     <input
+ name="config" value="htdig"> <input type="submit" value="Search"></font>
- type="hidden" name="config" value="htdig">     <input type="submit"
+        </p>
- value="Search"></font>               </p>
+        <font face="Arial"> <input type="hidden" name="exclude"
-                                                                        
+ value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
            <font face="Arial">            <input type="hidden"
 name="exclude" value="[http://lists.shorewall.net/pipermail/*]">   </font>
         </form>
      <p><font color="#ffffff"><b><a
 href="http://lists.shorewall.net/htdig/search.html"><font
 color="#ffffff">Extended Search</font></a></b></font></p>
      <br>
      </td>
    </tr>
  </tbody>
 </table>
 </center>
 </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#3366ff">
  <tbody>
    <tr>
-                                                                        
+      <td width="100%" style="margin-top: 1px;" valign="middle">
                                <td width="100%"
 style="margin-top: 1px;" valign="middle">                              
      <p align="center"><a href="http://www.starlight.org"> <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
- hspace="10" alt="(Starlight Logo)">
+ hspace="10" alt="(Starlight Logo)"> </a></p>
                                  </a></p>
      <p align="center"><font size="4" color="#ffffff"><br>
-                         <font size="+2"> Shorewall is free but if      
+      <font size="+2"> Shorewall is free but if you try it and find it
-you   try   it  and   find   it useful, please consider making a donation
+useful, please consider making a donation to <a
-                                                                     to 
+ href="http://www.starlight.org"><font color="#ffffff">Starlight
-                 <a href="http://www.starlight.org"><font
+Children's Foundation.</font></a> Thanks!</font></font></p>
 color="#ffffff">Starlight      Children's              Foundation.</font></a>
 Thanks!</font></font></p>
      </td>
    </tr>
  </tbody>
 </table>
-                                                                        
+<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
 <p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font> 
 <br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -22,6 +22,7 @@
                                 <tr>
                                        <td width="100%">               
      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
                                        </td>
                                      </tr>
@ -57,52 +58,28 @@ Computers,      Incorporated</a>         (now part of the <a
       system from the NonStop Enterprise Division of HP. </p>
 <p>I became interested in Internet Security when I established a home office
-            in 1999 and had DSL service installed in our       home. I investigated
+              in 1999 and had DSL service installed in our       home. I
-          ipchains  and developed the scripts which are now collectively
+investigated             ipchains  and developed the scripts which are now
-known      as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. 
+collectively  known      as   <a href="http://seawall.sourceforge.net"> Seattle
-     Expanding       on what I learned from Seattle Firewall, I then     
+      Firewall</a>.        Expanding       on what I learned from Seattle
- designed    and wrote      Shorewall. </p>
+Firewall, I then       designed    and wrote      Shorewall. </p>
 <p>I telework from our <a
 href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
 href="http://www.cityofshoreline.com">Shoreline,        Washington</a>  where
 I live with my wife Tarry.  </p>
-<p>Our current home network consists of: </p>
+<p></p>
 <ul>
                              <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
 40GB   &amp;   20GB   IDE   HDs   and LNE100TX      (Tulip) NIC - My personal 
 Windows   system.   Serves as a PPTP server for Road Warrior access. Dual 
 boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                              <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, 
 LNE100TX(Tulip)        NIC   -  My      personal Linux System which runs 
 Samba.    This      system also has <a href="http://www.vmware.com/">VMware</a> 
 installed    and      can run both     <a href="http://www.debian.org">Debian 
  Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual 
  machines.</li>
                              <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, 
 EEPRO100     NIC    - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
 FTP    (Pure_ftpd),   DNS  server        (Bind 9).</li>
                              <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
 HD  -  3   LNE100TX       (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
   1.4.6Beta1, a DHCP         server and Samba configured as a WINS server..</li>
                              <li>Duron 750, Win ME, 192MB RAM, 20GB HD,
 RTL8139     NIC   -  My  wife's        personal system.</li>
                              <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
  HD,  built-in     EEPRO100, EEPRO100 in expansion base - My   work system.</li>
         <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC
 and   LinkSys  WET11 - Our Laptop.<br>
         </li>
 </ul>
-<p>For more about our network see <a href="myfiles.htm">my Shorewall   Configuration</a>.</p>
+<p>For information about our home network see <a href="myfiles.htm">my Shorewall
  Configuration files.</a></p>
 <p>All of our        other systems are made by <a
 href="http://www.compaq.com">Compaq</a> (part        of the new <a
- href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
+ href="http://www.hp.com/">HP</a>).</p>
 href="http://www.netgear.com">Netgear</a>       FA310TXs.</p>
 <p><a href="http://www.redhat.com"><img border="0"
 src="images/poweredby.png" width="88" height="31">
@ -117,8 +94,8 @@ and   LinkSys  WET11 - Our Laptop.<br>
                      </a><a href="http://www.mandrakelinux.com"><img
 src="images/medbutton.png" alt="Powered by Mandrake" width="90"
 height="32">
-                 </a><img src="images/shorewall.jpg"
+                     </a><img src="images/ProtectedBy.png"
- alt="Protected by Shorewall" width="125" height="40" hspace="4">
+ alt="Protected by Shorewall" width="200" height="42" hspace="4">
            <a href="http://www.opera.com"><img src="images/opera.png"
 alt="(Opera Logo)" width="102" height="39" border="0">
            </a>  <a href="http://www.hp.com"><img
@ -126,7 +103,7 @@ and   LinkSys  WET11 - Our Laptop.<br>
 height="75" border="0">
          </a><a href="http://www.opera.com"> </a>                 </font></p>
-<p><font size="2">Last updated 7/14/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 7/20/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
                                <font face="Trebuchet MS"><a
 href="copyright.htm"><font size="2">Copyright</font>       © <font
@ -134,5 +111,9 @@ and   LinkSys  WET11 - Our Laptop.<br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_logging.html
+++ b/Shorewall-docs/shorewall_logging.html
@ -28,8 +28,8 @@
    the notation <i>facility.priority</i>). <br>
        <br>
        The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
- kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through 
+  kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
-  <i>local7</i>.<br>
+through    <i>local7</i>.<br>
        <br>
        Throughout the Shorewall documentation, I will use the term <i>level</i>
    rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
@ -62,14 +62,14 @@ as   their  value.<br>
            <br>
            For most Shorewall logging, a level of 6 (info) is appropriate.
 Shorewall     log messages are generated by NetFilter and are logged using
-the <i>kern</i>    facility  and the level that you specify. If you are unsure 
+ the <i>kern</i>    facility  and the level that you specify. If you are
-of the level    to choose,  6 (info) is a safe bet. You may specify levels 
+unsure  of the level    to choose,  6 (info) is a safe bet. You may specify
-by name or by   number.<br>
+levels  by name or by   number.<br>
          <br>
-         Syslogd writes log messages to files (typically in /var/log/*) based 
+          Syslogd writes log messages to files (typically in /var/log/*)
-  on  their facility and level. The mapping of these facility/level pairs 
+based    on  their facility and level. The mapping of these facility/level
-to  log  files is done in /etc/syslog.conf (5). If you make changes to this 
+pairs  to  log  files is done in /etc/syslog.conf (5). If you make changes
-file,  you must restart syslogd before the changes can take effect.<br>
+to this  file,  you must restart syslogd before the changes can take effect.<br>
 <h3>Configuring a Separate Log for Shorewall Messages</h3>
          There are a couple of limitations to syslogd-based logging:<br>
@ -91,10 +91,10 @@ will send  them to a process called 'ulogd'. The  ulogd program is available
 from http://www.gnumonks.org/projects/ulogd  and  can be configured to log 
 all Shorewall message to their own log file.<br>
   <br>
-  <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from 
+   <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
-syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely 
+from  syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have
-no effect on your Shorewall logging (except for Shorewall status messages 
+absolutely  no effect on your Shorewall logging (except for Shorewall status
-which still go to syslog).<br>
+messages  which still go to syslog).<br>
      <br>
  You will need to have the kernel source available to compile ulogd.<br>
  <br>
@ -114,8 +114,8 @@ which still go to syslog).<br>
 </ol>
      If you are like me and don't have a development environment on your 
-firewall,   you can do the first six steps on another system then either
+firewall,   you can do the first six steps on another system then either NFS
-NFS mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> 
+mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
   directory and move it to your firewall system.<br>
      <br>
      Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
@ -125,11 +125,14 @@ NFS mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>v
      <li>syslogsync 1</li>
 </ol>
 Also on the firewall system:<br>
 <blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
 </blockquote>
      I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
 to  /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
-  to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
+   to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
-  --level 3 ulogd on" starts ulogd during boot up. Your init system may need
+"chkconfig   --level 3 ulogd on" starts ulogd during boot up. Your init system
-  something else done to activate the script.<br>
+may need   something else done to activate the script.<br>
   <br>
   You will need to change all instances of log levels (usually 'info') in
 your configuration files to 'ULOG' - this includes entries in the policy,
@ -138,15 +141,16 @@ rules and shorewall.conf files. Here's what I have:<br>
 <pre>	[root@gateway shorewall]# grep ULOG *<br>	policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br>	policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br>	policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br>	rules:REJECT:ULOG loc net tcp 6667<br>	shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br>	shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br>	[root@gateway shorewall]#<br></pre>
      Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
  that  you wish to log to&gt;</i>. This tells the /sbin/shorewall program
-where to look for the log when processing its "show log", "logwatch" and "monitor"
+ where to look for the log when processing its "show log", "logwatch" and
- commands.<br>
+"monitor"  commands.<br>
-<p><font size="2">   Updated 1/11/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 7/25/2003 - <a href="support.htm">Tom  Eastep</a>
           </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>           &copy;
 <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
       </p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@ -70,7 +70,7 @@ http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
          (Slovak Republic).</li>
               <li>     <a
 href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
-       (Texas, USA).</li>
+        (Texas, USA -- temporarily unavailable).</li>
               <li><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall">   ftp://germany.shorewall.net/pub/shorewall</a> 
     (Hamburg, Germany)</li>
@ -84,24 +84,15 @@ http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
        </li>
 </ul>
-        Search results and the mailing list archives are always fetched from
+          Search results and the mailing list archives are always fetched 
-  the  site in Washington State.<br>
+from   the  site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 7/15/2003 - <a
+<p align="left"><font size="2">Last Updated 8/4/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
-            <br>
+ </p>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -1,238 +1,181 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall QuickStart Guide</title>
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
-                                                                     
+      <h1 align="center"><font color="#ffffff">Shorewall QuickStart
-      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
+Guides (HOWTO's)<br>
          (HOWTO's)<br>
      </font></h1>
      </td>
    </tr>
  </tbody>
 </table>
-                        
+<p align="center">With thanks to Richard who reminded me once again
-<p align="center">With thanks to Richard who reminded me once again that
+that we
-we must  all first walk before we can run.<br>
+must all first walk before we can run.<br>
 The French Translations are courtesy of Patrice Vetsel<br>
 </p>
 <h2>The Guides</h2>
-                        
+<p>These guides provide step-by-step instructions for configuring
-<p>These guides provide step-by-step instructions for configuring Shorewall
+Shorewall in common firewall setups.</p>
-                 in  common firewall setups.</p>
+<p>If you have a <font color="#ff0000"><big><big><b>single public IP
-                        
+address</b></big></big></font>:</p>
 <p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
 <blockquote>
  <ul>
-                                     <li><a href="standalone.htm">Standalone</a>
+    <li><a href="standalone.htm">Standalone</a> Linux System (<a
-    Linux    System   (<a href="standalone_fr.html">Version Française</a>)</li>
+ href="standalone_fr.html">Version Française</a>)</li>
-                                     <li><a href="two-interface.htm">Two-interface</a>
+    <li><a href="two-interface.htm">Two-interface</a> Linux System
-       Linux    System    acting    as a    firewall/router for a small local
+acting as a firewall/router for a small local network (<a
-    network   (<a href="two-interface_fr.html">Version Française</a>)</li>
+ href="two-interface_fr.html">Version Française</a>)</li>
-                                     <li><a href="three-interface.htm">Three-interface</a>
+    <li><a href="three-interface.htm">Three-interface</a> Linux System
-         Linux    System    acting  as a    firewall/router for a small local
+acting as a firewall/router for a small local network and a DMZ. (<a
-    network     and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
+ href="three-interface_fr.html">Version Française</a>)</li>
  </ul>
-  <p>The above guides are designed to get your first firewall up and running
+  <p>The above guides are designed to get your first firewall up and
-                  quickly in the three most common Shorewall configurations.
+running quickly in the three most common Shorewall configurations. If
-If you want to learn more about Shorewall than is explained in the above
+you want to learn more about Shorewall than is explained in the above
-simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
+simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
-(See      Index Below) is for you.</p>
+Setup Guide</a> (See Index Below) is for you.</p>
 </blockquote>
-                                                
+<p>If you have <font color="#ff0000"><big><big><b>more than one public
-<p>If you have <font color="#ff0000"><big><big><b>more than one public IP
+IP address</b></big></big></font>:<br>
 address</b></big></big></font>:<br>
 </p>
-<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
+<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
-(See      Index Below) outlines              the steps necessary to set up
+Guide</a> (See Index Below) outlines the steps necessary to set up a
-a firewall      where there are <small><small><big><big>multiple        
+firewall where there are <small><small><big><big>multiple public IP
-public    IP  addresses</big></big></small></small> involved or   if  you
+addresses</big></big></small></small> involved or if you
 want to learn more about Shorewall than is explained in the
 single-address guides above.</blockquote>
 <ul>
 </ul>
 <h2><b><a name="Documentation"></a></b>Documentation Index</h2>
 <p>The following documentation covers a variety of topics and <b>supplements
-                 the  <a href="shorewall_quickstart_guide.htm">QuickStart
+the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
-Guides</a>           described      above</b>. Please review the appropriate
+described above</b>. Please review the appropriate guide before trying
-guide before      trying     to use this    documentation directly.</p>
+to use this documentation directly.</p>
 <ul>
-                                     <li><a
+  <li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual)
- href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
+Interfaces (e.g., eth0:0)</a><br>
      (e.g., eth0:0)</a><br>
  </li>
  <li><a href="blacklisting_support.htm">Blacklisting</a>
    <ul>
      <li>Static Blacklisting using /etc/shorewall/blacklist</li>
-                                       <li>Dynamic Blacklisting using /sbin/shorewall</li>
+      <li>Dynamic Blacklisting using
-                                                                        
+/sbin/shorewall</li>
    </ul>
  </li>
-                                     <li><a
+  <li><a href="starting_and_stopping_shorewall.htm">Commands</a>
- href="configuration_file_basics.htm">Common    configuration        file 
+(Description of
-     features</a>                                                        
+all /sbin/shorewall commands)</li>
-     
+  <li><a href="configuration_file_basics.htm">Common configuration file
 features</a>&nbsp;</li>
  <ul>
-                                       <li><a
+    <li><a href="configuration_file_basics.htm#Comments">Comments in
- href="configuration_file_basics.htm#Comments">Comments  in configuration
+configuration files</a></li>
-         files</a></li>
+    <li><a href="configuration_file_basics.htm#Continuation">Line
-                                       <li><a
+Continuation</a></li>
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
    <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
-Directive</a><br>
+Directive</a></li>
-             </li>
+    <li><a href="configuration_file_basics.htm#Ports">Port
-                                       <li><a
+Numbers/Service Names</a></li>
- href="configuration_file_basics.htm#Ports">Port    Numbers/Service Names</a></li>
+    <li><a href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
-                                       <li><a
+    <li><a href="configuration_file_basics.htm#Variables">Using Shell
- href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
+Variables</a></li>
-                                       <li><a
+    <li><a href="configuration_file_basics.htm#dnsnames">Using DNS Names</a></li>
- href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
+    <li><a href="configuration_file_basics.htm#Compliment">Complementing
-                                       <li><a
+an IP address or Subnet</a></li>
- href="configuration_file_basics.htm#dnsnames">Using  DNS Names</a><br>
+    <li><a href="configuration_file_basics.htm#Configs">Shorewall
-                                  </li>
+Configurations (making a test configuration)</a></li>
-                                       <li><a
+    <li><a href="configuration_file_basics.htm#MAC">Using MAC Addresses
- href="configuration_file_basics.htm#Compliment">Complementing an IP address
+in Shorewall</a> </li>
          or Subnet</a></li>
                                       <li><a
 href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
 a test configuration)</a></li>
                                       <li><a
 href="configuration_file_basics.htm#MAC">Using    MAC Addresses in Shorewall</a></li>
  </ul>
-                                     </li>
+  <li><a href="Documentation.htm">Configuration File Reference Manual</a>
                                     <li><a href="Documentation.htm">Configuration
     File   Reference      Manual</a>                                   
    <ul>
-                                       <li>   <a
+      <li> <a href="Documentation.htm#Variables">params</a></li>
- href="Documentation.htm#Variables">params</a></li>
+      <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
-                                       <li><font color="#000099"><a
+      <li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
- href="Documentation.htm#Zones">zones</a></font></li>
+      <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
-                                       <li><font color="#000099"><a
+      <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
- href="Documentation.htm#Interfaces">interfaces</a></font></li>
+      <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
-                                       <li><font color="#000099"><a
+      <li><a href="Documentation.htm#Common">common</a></li>
- href="Documentation.htm#Hosts">hosts</a></font></li>
+      <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
-                                       <li><font color="#000099"><a
+      <li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
- href="Documentation.htm#Policy">policy</a></font></li>
+      <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
-                                       <li><font color="#000099"><a
+      <li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
- href="Documentation.htm#Rules">rules</a></font></li>
+      <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
-                                       <li><a
+      <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
- href="Documentation.htm#Common">common</a></li>
+      <li><a href="Documentation.htm#modules">modules</a></li>
-                                       <li><font color="#000099"><a
+      <li><a href="Documentation.htm#TOS">tos</a> </li>
- href="Documentation.htm#Masq">masq</a></font></li>
+      <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
-                                       <li><font color="#000099"><a
+      <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
- href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
+      <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
                                       <li><font color="#000099"><a
 href="Documentation.htm#NAT">nat</a></font></li>
                                       <li><font color="#000099"><a
 href="Documentation.htm#Tunnels">tunnels</a></font></li>
                                       <li><a
 href="traffic_shaping.htm#tcrules">tcrules</a></li>
                                       <li><font color="#000099"><a
 href="Documentation.htm#Conf">shorewall.conf</a></font></li>
                                       <li><a
 href="Documentation.htm#modules">modules</a></li>
                                       <li><a
 href="Documentation.htm#TOS">tos</a>           </li>
                                       <li><a
 href="Documentation.htm#Blacklist">blacklist</a></li>
                                       <li><a
 href="Documentation.htm#rfc1918">rfc1918</a></li>
                                       <li><a
 href="Documentation.htm#Routestopped">routestopped</a></li>
    </ul>
  </li>
-                                     <li><a href="CorpNetwork.htm">Corporate
+  <li><a href="CorpNetwork.htm">Corporate Network Example</a>
- Network Example</a> (Contributed by a Graeme Boyle)<br>
+(Contributed by a Graeme Boyle)<br>
  </li>
  <li><a href="dhcp.htm">DHCP</a></li>
-                                     <li><a href="ECN.html">ECN Disabling 
+  <li><a href="ECN.html">ECN Disabling by host or subnet</a></li>
 by  host   or  subnet</a></li>
  <li><a href="errata.htm">Errata</a><br>
  </li>
-             <li><font color="#000099"><a
+  <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
- href="shorewall_extension_scripts.htm">Extension    Scripts</a></font>  
+Scripts</a></font> (How to extend Shorewall without modifying Shorewall
- (How to extend Shorewall without modifying Shorewall    code through the 
+code through the use of files in /etc/shorewall --
-   use of files in /etc/shorewall -- /etc/shorewall/start,   /etc/shorewall/stopped, 
+/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
   etc.)</li>
  <li><a href="fallback.htm">Fallback/Uninstall</a></li>
  <li><a href="FAQ.htm">FAQs</a><br>
  </li>
  <li><a href="shorewall_features.htm">Features</a><br>
  </li>
-                                     <li><a
+  <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
- href="shorewall_firewall_structure.htm">Firewall      Structure</a></li>
+  <li><a href="FTP.html">FTP and Shorewall</a><br>
  </li>
  <li><a href="support.htm">Getting help or answers to questions</a></li>
  <li>Greater Seattle Linux Users Group Presentation</li>
  <ul>
    <li><a href="GSLUG.htm">HTML</a></li>
    <li><a href="GSLUG.ppt">PowerPoint</a></li>
  </ul>
  <li><a href="Install.htm">Installation/Upgrade</a><br>
  </li>
-                                     <li><font color="#000099"><a
+  <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
 href="kernel.htm">Kernel     Configuration</a></font></li>
  <li><a href="shorewall_logging.html">Logging</a><br>
  </li>
-                                     <li><a href="MAC_Validation.html">MAC
+  <li><a href="MAC_Validation.html">MAC Verification</a></li>
 Verification</a></li>
  <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
  </li>
-                                            <li><a href="myfiles.htm">My
+  <li><a href="myfiles.htm">My Shorewall Configuration (How I
-Shorewall      Configuration   (How I personally use Shorewall)</a><br>
+personally use Shorewall)</a></li>
  <li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
  </li>
  <li><a href="ping.html">'Ping' Management</a><br>
  </li>
  <li><a href="ports.htm">Port Information</a>
    <ul>
      <li>Which applications use which ports</li>
      <li>Ports used by Trojans</li>
    </ul>
  </li>
-                                     <li><a href="ProxyARP.htm">Proxy ARP</a></li>
+  <li><a href="ProxyARP.htm">Proxy
 ARP</a></li>
  <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
  </li>
  <li><a href="samba.htm">Samba</a></li>
  <li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
  </li>
  <ul>
    <li><a href="shorewall_setup_guide.htm#Introduction">1.0
 Introduction</a></li>
@ -242,115 +185,85 @@ Introduction</a></li>
 Interfaces</a></li>
    <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
 Subnets and Routing</a>
      <ul>
-                  <li><a href="shorewall_setup_guide.htm#Addresses">4.1 
+        <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
- IP   Addresses</a></li>
+Addresses</a></li>
-                  <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
+        <li><a href="shorewall_setup_guide.htm#Subnets">4.2
 Subnets</a></li>
        <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
        <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
 Resolution Protocol (ARP)</a></li>
      </ul>
      <ul>
-                  <li><a href="shorewall_setup_guide.htm#RFC1918">4.5   RFC 
+        <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
   1918</a></li>
      </ul>
    </li>
-              <li><a href="shorewall_setup_guide.htm#Options">5.0   Setting 
+    <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
-     up   your   Network</a>                                             
+Network</a>
      <ul>
        <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
      </ul>
      <ul>
-                  <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 
+        <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
 Non-routed</a>                                                         
          <ul>
-                      <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
+            <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
-   SNAT</a></li>
+            <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
                      <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
   DNAT</a></li>
            <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
 Proxy ARP</a></li>
-                      <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 
+            <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
  Static       NAT</a></li>
          </ul>
        </li>
        <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-                  <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 
+        <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
-  Odds     and   Ends</a></li>
+and Ends</a></li>
      </ul>
    </li>
    <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
-              <li><a
+    <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
- href="shorewall_setup_guide.htm#StartingAndStopping">7.0     Starting  
+Starting and Stopping the Firewall</a></li>
  and          Stopping the Firewall</a></li>
  </ul>
  <li><font color="#000099"><a
- href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
+ href="starting_and_stopping_shorewall.htm">Starting/stopping the
-                                                
+Firewall</a></font></li>
  <ul>
-                               <li>Description of all /sbin/shorewall commands</li>
+    <li>Description of all /sbin/shorewall
-                               <li>How to safely test a Shorewall configuration 
+commands</li>
-   change<br>
+    <li>How to safely test a Shorewall configuration change<br>
    </li>
  </ul>
-                                     <li><font color="#000099"><a
+  <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
- href="NAT.htm">Static    NAT</a></font></li>
+  <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
-                     <li><a href="Shorewall_Squid_Usage.html">Squid as a
+with Shorewall</a></li>
-Transparent       Proxy    with Shorewall</a></li>
+  <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
                                     <li><a href="traffic_shaping.htm">Traffic
   Shaping/QOS</a></li>
  <li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
 doesn't work)</a><br>
  </li>
  <li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
  </li>
  <li>VPN
    <ul>
      <li><a href="IPSEC.htm">IPSEC</a></li>
-                                       <li><a href="IPIP.htm">GRE and IPIP</a></li>
+      <li><a href="IPIP.htm">GRE and
 IPIP</a></li>
      <li><a href="OPENVPN.html">OpenVPN</a><br>
      </li>
      <li><a href="PPTP.htm">PPTP</a></li>
      <li><a href="6to4.htm">6t04</a><br>
      </li>
-                                       <li><a href="VPN.htm">IPSEC/PPTP</a> 
+      <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
- from   a  system    behind    your   firewall   to a      remote network.</li>
+firewall to a remote network.</li>
-                                                                        
+      <li><a href="GenericTunnels.html">Other VPN types</a>.<br>
      </li>
    </ul>
  </li>
-                                     <li><a
+  <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
 href="whitelisting_under_shorewall.htm">White    List   Creation</a></li>
 </ul>
-                        
+<p>If you use one of these guides and have a suggestion for improvement
-<p>If you use one of these guides and have a suggestion for improvement <a
+<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
- href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
+<p><font size="2">Last modified 8/9/2003 - <a href="support.htm">Tom
-                        
+Eastep</a></font></p>
-<p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
-                        
+M. Eastep</font></a><br>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M.
         Eastep</font></a><br>
 </p>
 <br>
 </body>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -1,646 +1,339 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
  <base target="_self">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#3366ff">
  <tbody>
    <tr>
-                                                                        
+      <td width="33%" height="90" valign="middle" align="center"><a
-                                  <td width="33%" height="90"
+ href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
- valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
+ alt="(Shorewall Logo)" width="430" height="90"> <br>
 src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
 border="0">
                        </a></td>
                                           <td valign="middle"
 bgcolor="#3366ff" width="34%" align="center">                          
                                                                       <img
 src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
                        </td>
          <td valign="top" width="33"><br>
      </td>
    </tr>
  </tbody>
 </table>
 <div align="center">
 <center>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
  <tbody>
    <tr>
      <td width="90%">
-                                                                        
+      <h2>Introduction<br>
-                                                                        
+      </h2>
-                                                                        
+      <ul>
-                                                                        
+        <li><a href="http://www.netfilter.org">Netfilter</a> - the
-                          
+packet filter facility built into the 2.4 and later Linux kernels.</li>
-      <h2 align="left">What is it?</h2>
+        <li>ipchains - the packet filter facility built into the 2.2
-                                                                        
+Linux kernels. Also the name of the utility program used to configure
-                                                                        
+and control that facility. Netfilter can be used in ipchains
-                                                                        
+compatibility mode.<br>
-                                                                        
+        </li>
-                                                                        
+        <li>iptables - the utility program used to configure and
-                   
+control
-      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
+Netfilter. The term 'iptables' is often used to refer to the
-                                    a       <a
+combination of iptables+Netfilter (with Netfilter not in
- href="http://www.netfilter.org">Netfilter</a>               (iptables) 
+ipchains compatibility mode).<br>
-         based      firewall        that can be used     on   a  dedicated
+        </li>
-        firewall     system,      a multi-function             gateway/router/server
+      </ul>
-             or on a  standalone    GNU/Linux    system.</p>
+The
-                                                                        
+Shoreline Firewall, more commonly known as "Shorewall", is
-                                                                        
+high-level tool for configuring Netfilter. You describe your
-                                                                        
+firewall/gateway requirements using entries in a set of configuration
-                                                                        
+files. Shorewall reads those configuration files and with the help of
-                                                                        
+the iptables utility, Shorewall configures Netfilter to match your
-                 
+requirements. Shorewall can be used on a dedicated firewall system, a
-      <p>This program is free software; you can redistribute it and/or modify
+multi-function gateway/router/server or on a standalone GNU/Linux
-                                                                        
+system. Shorewall does not use Netfilter's ipchains compatibility mode
-      it          under      the    terms      of         <a
+and can thus take advantage of Netfilter's connection state tracking
 capabilities.
      <p>This program is free software; you can redistribute it and/or
 modify it under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
 GNU General Public License</a> as published by the Free Software
 Foundation.<br>
      <br>
-                                                                        
+This program is distributed in the hope that it will be useful, but
-                        This     program         is   distributed       
+WITHOUT ANY WARRANTY; without even the implied warranty of
-    in    the       hope       that      it   will        be  useful,   
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-but            WITHOUT        ANY         WARRANTY;         without     
+General Public License for more details.<br>
     even  the    implied      warranty          of MERCHANTABILITY     
             or  FITNESS     FOR   A  PARTICULAR          PURPOSE.      
 See the     GNU  General     Public  License                for   more details.<br>
      <br>
-                                                                        
+You should have received a copy of the GNU General Public License along
-                        You     should       have     received        a 
+with this program; if not, write to the Free Software Foundation, Inc.,
- copy       of    the       GNU     General          Public         License 
+675 Mass Ave, Cambridge, MA 02139, USA</p>
-                along       with    this   program;            if   not, 
+      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
-  write      to    the    Free   Software              Foundation,      
+Eastep</a></p>
            Inc.,    675     Mass   Ave,  Cambridge,      MA    02139,  
    USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
      <h2>This is the Shorewall 1.4 Web Site</h2>
-   The information on this site applies only to 1.4.x releases of Shorewall. 
+The information on this site applies only to 1.4.x releases of
- For older versions:<br>
+Shorewall. For older versions:<br>
      <ul>
        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
 target="_top">here.</a></li>
        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>.<br>
        </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
-                                      New to Shorewall? Start by selecting
+New to Shorewall? Start by
- the         <a
+selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
- href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
+that most closely match your environment and
     Guide</a> that most closely              match your environment and
 follow the step by step instructions.<br>
      <h2>Looking for Information?</h2>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
-    Index</a> is a good place to start as is the Quick Search to your right. 
+Index</a> is a good place to start as is the Quick Search to your
-                                                           
+right.
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-                             If so, the documentation<b> </b>on this site 
+If so, the documentation<b> </b>on this site will not apply directly
-will   not  apply   directly   to  your   setup.  If you want to use the documentation
+to your setup. If you want to
-    that you  find here, you will want to consider uninstalling what you
+use the documentation that you find here, you will want to consider
-have     and installing  a setup that matches    the documentation    on
+uninstalling what you have and installing a setup that matches the
-this site.     See the <a href="two-interface.htm">Two-interface    QuickStart
+documentation on this site. See the <a href="two-interface.htm">Two-interface
-   Guide</a>     for details.                                           
+QuickStart Guide</a> for
-            
+details.
      <h2></h2>
      <h2><b>News</b></h2>
-                                                                        
+      <p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
-               
+ style="border: 0px solid ; width: 28px; height: 12px;"
-      <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
+ src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
 src="images/new10.gif" width="28" height="12" alt="(New)">
            <br>
            </b>   </p>
      <p><b>Problems Corrected:</b><br>
         </p>
      <ol>
        <li>A problem seen on RH7.3 systems where Shorewall encountered  
 start  errors when started using the "service" mechanism has been worked
  around.<br>
          <br>
        </li>
        <li>Where a list of IP addresses appears in the DEST column  of 
 a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in  the
 nat  table (one for each element in the list). Shorewall now correctly  creates
  a single DNAT rule with multiple "--to-destination" clauses.<br>
          <br>
        </li>
        <li>Corrected a problem in Beta 1 where DNS names containing  a 
 "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
          <br>
        </li>
        <li>A number of problems with rule parsing have been   corrected.
 Corrections involve the handling of "z1!z2" in the SOURCE column   as well
 as lists in the ORIGINAL DESTINATION column.<br>
          <br>
        </li>
        <li>The message "Adding rules for DHCP" is now suppressed if there
 are no DHCP rules to add.</li>
      </ol>
      <p><b>Migration Issues:</b><br>
        </p>
      <ol>
               <li>In earlier versions, an undocumented feature allowed entries 
   in the host file as follows:<br>
            <br>
            z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
            <br>
        This capability was never documented and has been removed in 1.4.6
 to  allow  entries of the following format:<br>
            <br>
            z   eth1:192.168.1.0/24,192.168.2.0/24<br>
            <br>
          </li>
               <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
 have   been  removed from /etc/shorewall/shorewall.conf. These capabilities
 are  now automatically  detected by Shorewall (see below).<br>
          </li>
      </ol>
      <p><b>New Features:</b><br>
         </p>
      <ol>
               <li>A 'newnotsyn' interface option has been added. This option 
  may  be specified in /etc/shorewall/interfaces and overrides the setting 
 NEWNOTSYN=No  for packets arriving on the associated interface.<br>
             <br>
           </li>
               <li>The means for specifying a range of IP addresses in /etc/shorewall/masq 
    to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for 
 address   ranges.<br>
             <br>
           </li>
               <li>Shorewall can now add IP addresses to subnets other than 
 the   first  one on an interface.<br>
             <br>
           </li>
               <li>DNAT[-] rules may now be used to load balance (round-robin)
   over a  set of servers. Servers may be specified in a range of addresses
   given as &lt;first address&gt;-&lt;last address&gt;.<br>
             <br>
         Example:<br>
             <br>
             DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
             <br>
           </li>
               <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
   options  have been removed and have been replaced by code that detects
 whether   these  capabilities are present in the current kernel. The output
 of the  start, restart and check commands have been enhanced to report the
 outcome:<br>
             <br>
         Shorewall has detected the following iptables/netfilter capabilities:<br>
            NAT: Available<br>
            Packet Mangling: Available<br>
            Multi-port Match: Available<br>
         Verifying Configuration...<br>
             <br>
           </li>
               <li>Support for the Connection Tracking Match Extension has
 been   added.  This extension is available in recent kernel/iptables releases 
 and   allows  for rules which match against elements in netfilter's connection 
  tracking  table. Shorewall automatically detects the availability of this 
  extension  and reports its availability in the output of the start, restart 
  and check  commands.<br>
             <br>
         Shorewall has detected the following iptables/netfilter capabilities:<br>
            NAT: Available<br>
            Packet Mangling: Available<br>
            Multi-port Match: Available<br>
            Connection Tracking Match: Available<br>
         Verifying Configuration...<br>
             <br>
         If this extension is available, the ruleset generated by Shorewall 
 is  changed  in the following ways:</li>
        <ul>
                 <li>To handle 'norfc1918' filtering, Shorewall will not
 create    chains  in the mangle table but will rather do all 'norfc1918'
 filtering   in the filter  table (rfc1918 chain).</li>
                 <li>Recall that Shorewall DNAT rules generate two netfilter
  rules;  one  in the nat table and one in the filter table. If the Connection
  Tracking  Match Extension is available, the rule in the filter table is
 extended  to  check that the original destination address was the same as
 specified  (or  defaulted to) in the DNAT rule.<br>
               <br>
             </li>
        </ul>
               <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) 
    may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
            <br>
        </li>
               <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
            <br>
              ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt; 
   ]<br>
            <br>
        Examples:<br>
            <br>
              [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
                 CIDR=192.168.1.0/24<br>
                 NETMASK=255.255.255.0<br>
                 NETWORK=192.168.1.0<br>
                 BROADCAST=192.168.1.255<br>
              [root@wookie root]#<br>
            <br>
              [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
                 CIDR=192.168.1.0/24<br>
                 NETMASK=255.255.255.0<br>
                 NETWORK=192.168.1.0<br>
                 BROADCAST=192.168.1.255<br>
              [root@wookie root]#<br>
            <br>
        Warning:<br>
            <br>
        If your shell only supports 32-bit signed arithmatic (ash or dash), 
 then   the ipcalc command produces incorrect information for IP addresses 
 128.0.0.0-1   and for /1 networks. Bash should produce correct information 
 for all valid   IP addresses.<br>
            <br>
          </li>
               <li>An 'iprange' command has been added to /sbin/shorewall.
           <br>
            <br>
              iprange &lt;address&gt;-&lt;address&gt;<br>
            <br>
        This command decomposes a range of IP addressses into a list of network 
   and host addresses. The command can be useful if you need to construct 
 an   efficient set of rules that accept connections from a range of network 
 addresses.<br>
            <br>
        Note: If your shell only supports 32-bit signed arithmetic (ash or
 dash)   then the range may not span 128.0.0.0.<br>
            <br>
        Example:<br>
            <br>
              [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
              192.168.1.4/30<br>
              192.168.1.8/29<br>
              192.168.1.16/28<br>
              192.168.1.32/27<br>
              192.168.1.64/26<br>
              192.168.1.128/25<br>
              192.168.2.0/23<br>
              192.168.4.0/22<br>
              192.168.8.0/22<br>
              192.168.12.0/29<br>
              192.168.12.8/31<br>
              [root@gateway root]#<br>
            <br>
          </li>
               <li>A list of host/net addresses is now allowed in an entry
 in  /etc/shorewall/hosts.<br>
            <br>
        Example:<br>
            <br>
            foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
          <br>
        </li>
        <li value="11">The "shorewall check" command now includes the chain
 name when printing the applicable policy for each pair of zones.<br>
  <br>
     Example:<br>
  <br>
         Policy for dmz to net is REJECT using chain all2all<br>
  <br>
 This means that the policy for connections from the dmz to the internet
 is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all 
 policy.<br>
     <br>
   </li>
        <li>Support for the 2.6 Kernel series has been added.<br>
   </li>
      </ol>
             <b>     </b>                                               
      <ol>
      </ol>
      <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
           <br>
      </b></p>
     Thanks to the folks at securityopensource.org.br, there is now a <a
 href="http://shorewall.securityopensource.org.br" target="_top">Shorewall 
  mirror in Brazil</a>
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
               </p>
      <ol>
                      <li>The command "shorewall debug try &lt;directory&gt;" 
  now   correctly   traces the attempt.</li>
                      <li>The INCLUDE directive now works properly in the 
 zones    file;    previously, INCLUDE in that file was ignored.</li>
                      <li>/etc/shorewall/routestopped records with an empty 
 second    column   are no longer ignored.<br>
                 </li>
      </ol>
      <p>New Features:<br>
               </p>
      <ol>
                      <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
   rule   may  now contain a list of addresses. If the list begins with "!'
  then the   rule  will take effect only if the original destination address
  in the connection    request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
                              </b></p>
                 The firewall at shorewall.net has been upgraded to the 2.4.21
   kernel    and  iptables 1.2.8 (using the "official" RPM from netfilter.org).
   No problems     have been encountered with this set of software. The Shorewall 
   version  is   1.4.4b plus the accumulated changes for 1.4.5.          
      <p><b>6/8/2003 - Updated Samples</b><b>                         </b></p>
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
        version 1.4.4.</p>
      <p><b></b></p>
      <ol>
      </ol>
      <p><b></b></p>
      <p><b></b></p>
      <blockquote>
-                                                                        
+        <p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
-                                                                        
+        <a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
-                                 
+ target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
        <ol>
        </ol>
      </blockquote>
-                                                                        
+      <b>Problems Corrected since version 1.4.6</b><br>
-                                                                        
+      <ol>
-                                                                        
+        <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
-                                                                        
+variable was being tested before it was set.</li>
-                                                                     
+        <li>Corrected handling of MAC addresses in the SOURCE column of
-      <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
+the tcrules file. Previously, these addresses resulted in an invalid
-                                                <b>       </b>          
+iptables command.</li>
-                                                                        
+        <li>The
-                                                                        
+"shorewall stop" command is now disabled when
-                                                                        
+/etc/shorewall/startup_disabled exists. This prevents people from
-                                                                        
+shooting themselves in the foot prior to having configured Shorewall.</li>
-                         
+        <li>A change introduced in version 1.4.6 caused error messages
 during
 "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
 being added to a PPP interface; the addresses were successfully added
 in spite of the messages.<br>
 &nbsp;&nbsp;&nbsp; <br>
 The firewall script has been modified to eliminate the error messages<br>
        </li>
      </ol>
      <b>Migration Issues:</b><br>
      <ol>
        <li>Once you have installed this version of Shorewall, you must
 restart Shorewall before you may use the 'drop', 'reject', 'allow' or
 'save' commands.</li>
        <li>To maintain strict compatibility with previous versions,
 current uses of "shorewall drop" and "shorewall reject" should be
 replaced with "shorewall dropall" and "shorewall rejectall" </li>
      </ol>
      <b>New Features:</b><br>
      <ol>
        <li>Shorewall now creates a dynamic blacklisting chain for each
 interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
 commands use the routing table to determine which of these chains is to
 be used for blacklisting the specified IP address(es).<br>
          <br>
 Two new commands ('dropall' and 'rejectall') have been introduced that
 do what 'drop' and 'reject' used to do; namely, when an address is
 blacklisted using these new commands, it will be blacklisted on all of
 your firewall's interfaces.</li>
        <li>Thanks to Steve Herber, the 'help' command can now give
 command-specific help (e.g., shorewall help &lt;command&gt;).</li>
        <li>A new option "ADMINISABSENTMINDED" has been added to
 /etc/shorewall/shorewall.conf. This option has a default value of "No"
 for existing users which causes Shorewall's 'stopped' state &nbsp;to
 continue as it has been; namely, in the stopped state only traffic
 to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
          <br>
 With ADMINISABSENTMINDED=Yes (the default for new installs), in
 addition to traffic to/from the hosts listed in
 /etc/shorewall/routestopped, Shorewall will allow:<br>
          <br>
 &nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
 &nbsp;&nbsp; b) All traffic that is part of or related to an
 already-existing connection.<br>
          <br>
 &nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
 entered through an ssh session will not kill the session.<br>
          <br>
 &nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
 possible for people to shoot themselves in the foot.<br>
          <br>
 &nbsp;Example:<br>
          <br>
 &nbsp;/etc/shorewall/nat:<br>
          <br>
 &nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
 eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
          <br>
 &nbsp;/etc/shorewall/rules:<br>
          <br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
 loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
          <br>
 From a remote system, I ssh to 206.124.146.178 which establishes an SSH
 connection with local system 192.168.1.5. I then create a second SSH
 connection
 from that computer to the firewall and confidently type "shorewall
 stop".
 As part of its stop processing, Shorewall removes eth0:0 which kills my
 SSH
 connection to 192.168.1.5!!!</li>
        <li>Given
 the wide range of VPN software, I can never hope to add specific
 support for all of it. I have therefore decided to add "generic" tunnel
 support.<br>
 &nbsp;<br>
 Generic tunnels work pretty much like any of the other tunnel types.
 You usually add a zone to represent the systems at the other end of the
 tunnel and you add the appropriate rules/policies to<br>
 implement your security policy regarding traffic to/from those systems.<br>
 &nbsp;<br>
 In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
          <br>
 generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
 address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
 &nbsp;<br>
 where:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
 used by the tunnel<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
 is 'udp' or 'tcp' then this is the destination port number used by the
 tunnel.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
 the remote tunnel gateway<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
 address of the remote tunnel gateway.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
 Optional. A comma-separated list of zone
 names. If specified, the remote gateway is to be considered part of
 these zones.</li>
        <li>An 'arp_filter' option has been added to the
 /etc/shorewall/interfaces file. This option causes
 /proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
 result that this interface will only answer ARP 'who-has' requests from
 hosts that are routed out through that interface. Setting this option
 facilitates testing of your firewall where multiple firewall interfaces
 are connected to the same HUB/Switch (all interfaces connected to the
 single HUB/Switch should have this option specified). Note that using
 such a configuration in a production environment is strongly
 recommended against.<br>
        </li>
      </ol>
      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
 style="border: 0px solid ; width: 28px; height: 12px;"
 src="images/new10.gif" alt="(New)" title=""> <br>
      </b></p>
      <b>Problems Corrected since version 1.4.6:</b><br>
      <ol>
        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
 then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
 Control requires Mangle"; that problem has been corrected.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of
 the
 tcrules file. Previously, these addresses resulted in an invalid
 iptables
 command.</li>
        <li>The "shorewall stop" command is now disabled when
 /etc/shorewall/startup_disabled
 exists. This prevents people from shooting themselves in the foot prior
 to
 having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages
 during
 "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
 being
 added to a PPP interface; the addresses were successfully added in
 spite
 of the messages.<br>
 &nbsp;&nbsp; <br>
 The firewall script has been modified to eliminate the error messages.</li>
      </ol>
      <p><b><a href="News.htm">More News</a></b></p>
      <b> </b>
      <h2><b> </b></h2>
      <b> </b>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
- alt="(Leaf Logo)">
+ alt="(Leaf Logo)"> </a>Jacques Nilo and Eric Wolzak have a LEAF
-                                                                        
+(router/firewall/gateway on a floppy, CD or compact flash) distribution
-                               </a>Jacques        Nilo       and     Eric 
+called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
-    Wolzak          have       a   LEAF  (router/firewall/gateway        
+You can find their work at: <a
-               on   a  floppy,       CD    or compact     flash)  distribution 
+ href="http://leaf.sourceforge.net/devel/jnilo">
-                 called                 <i>Bering</i>          that      
+http://leaf.sourceforge.net/devel/jnilo</a></p>
-   features                   Shorewall-1.4.2         and    Kernel-2.4.20. 
+      <b>Congratulations to Jacques and Eric on the recent release of
-           You        can     find         their    work at:             
+Bering 1.2!!! </b><br>
        <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                      <b>Congratulations          to  Jacques 
      and     Eric     on   the     recent    release     of  Bering     
 1.2!!!          </b><br>
      <h1 align="center"><b><a href="http://www.sf.net"><img
 align="left" alt="SourceForge Logo"
- src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
+ src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> </a></b></h1>
                                                    </a></b></h1>
      <b> </b>
      <h4><b> </b></h4>
      <b> </b>
      <h2><b>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a> </b></h2>
      <b> </b>
      <h2><b><a name="Donations"></a>Donations</b></h2>
-                                                  <b>                   
+      <b> </b></td>
-          </b></td>
+      <td width="88" bgcolor="#3366ff" valign="top" align="center">
                                      <td width="88" bgcolor="#3366ff"
 valign="top" align="center">                                           
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch">
        <p><strong><br>
-                                          <font color="#ffffff"><b>Note:
+        <font color="#ffffff"><b>Note: </b></font></strong> <font
        </b></font></strong>                             <font
 color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
-                                 </p>
+&nbsp;</p>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-                                          <font face="Arial" size="-1"> 
+        <font face="Arial" size="-1"> <input type="text" name="words"
-                 <input type="text" name="words" size="15"></font><font
+ size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
- size="-1">           </font><font face="Arial" size="-1">           <input
+        <input type="hidden" name="format" value="long"> <input
 type="hidden" name="format" value="long">           <input
 type="hidden" name="method" value="and"> <input type="hidden"
- name="config" value="htdig">           <input type="submit"
+ name="config" value="htdig"> <input type="submit" value="Search"></font>
- value="Search"></font> </p>
+        </p>
-                                          <font face="Arial">           <input
+        <font face="Arial"> <input type="hidden" name="exclude"
- type="hidden" name="exclude"
+ value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
 value="[http://lists.shorewall.net/pipermail/*]">           </font>     
   </form>
      <p><font color="#ffffff"><b> <a
 href="http://lists.shorewall.net/htdig/search.html"> <font
 color="#ffffff">Extended Search</font></a></b></font></p>
-                                        <a target="_top"
+      <a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
- href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
+ target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
-                         </font></a><a target="_top"
+ color="#ffffff"><small><small><small></small></small></small></font></a><br>
 href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
      </td>
    </tr>
  </tbody>
 </table>
 </center>
 </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#3366ff">
  <tbody>
    <tr>
      <td width="100%" style="margin-top: 1px;">
      <p align="center"><a href="http://www.starlight.org"> <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
- hspace="10">
+ hspace="10"> </a></p>
                                </a></p>
      <p align="center"><font size="4" color="#ffffff"><br>
-                       <font size="+2">Shorewall is free but if       you 
+      <font size="+2">Shorewall is free but if you try it and find it
-try   it  and   find   it useful, please consider making a donation      
+useful, please consider making a donation to <a
-                                                                to      
+ href="http://www.starlight.org"><font color="#ffffff">Starlight
            <a href="http://www.starlight.org"><font color="#ffffff">Starlight
 Children's Foundation.</font></a> Thanks!</font></font></p>
      </td>
    </tr>
  </tbody>
 </table>
-                                                                        
+<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
 <p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
 </body>
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -1,19 +1,14 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Standalone Firewall</title>
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber6" bgcolor="#3366ff" height="90">
@ -23,78 +18,70 @@
      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
-      
+<p align="left">Setting up Shorewall on a standalone Linux system is
-<h2 align="center">Version 2.0.1</h2>
+very easy if you understand the basics and follow the documentation.</p>
-      
+<p>This guide doesn't attempt to acquaint you with all of the features
-<p align="left">Setting up Shorewall on a standalone Linux system is very 
+of Shorewall. It rather focuses on what is required to configure
-    easy if you understand the basics and follow the  documentation.</p>
+Shorewall in one of its most common configurations:</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of 
     Shorewall. It rather focuses on what is required to configure Shorewall 
   in one  of its  most common configurations:</p>
 <ul>
  <li>Linux system</li>
  <li>Single external IP address</li>
-            <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
+  <li>Connection through Cable Modem, DSL, ISDN, Frame Relay,
-      
+dial-up...</li>
 </ul>
-      
+<p>Shorewall requires that you have the iproute/iproute2 package
-<p>Shorewall requires that you have the iproute/iproute2 package installed 
+installed (on RedHat, the package is called <i>iproute</i>)<i>. </i>You
-    (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
+can tell if this package is installed by the presence of an <b>ip</b>
-  if  this  package is installed by the presence of an <b>ip</b> program on
+program
-  your  firewall  system. As root, you can use the 'which' command to check
+on your firewall system. As root, you can use the 'which' command to
-  for this  program:</p>
+check for this program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-      
+<p>I recommend that you read through the guide first to familiarize
-<p>I recommend that you read through the guide  first to familiarize yourself 
+yourself with what's involved then go back through it again making your
-    with what's involved then go back through it again  making your configuration 
+configuration changes.&nbsp; Points at which configuration changes are
-    changes.  Points at which configuration changes  are recommended are flagged
+recommended are
-    with <img border="0" src="images/BD21298_.gif" width="13"
+flagged with <img border="0" src="images/BD21298_.gif" width="13"
- height="13">
+ height="13"> .</p>
         .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-              If you edit your configuration files on a Windows system, you 
+&nbsp;&nbsp;&nbsp; If you edit your configuration files on a Windows
- must   save them as  Unix files if your editor supports that option or you 
+system,
- must  run them through  dos2unix before trying to use them. Similarly, if 
+you must save them as Unix files if your editor supports that option
- you copy  a configuration file  from your Windows hard drive to a floppy 
+or you must run them through dos2unix before trying to use them.
-disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+Similarly,
-      
+if you copy a configuration file from your Windows hard drive to a
 floppy disk, you must run dos2unix against the copy before using it
 with Shorewall.</p>
 <ul>
-            <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
+  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
 Version     of    dos2unix</a></li>
            <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
 of dos2unix</a></li>
-      
+  <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
 Version of dos2unix</a></li>
 </ul>
-      
+<h2 align="left">PPTP/ADSL</h2>
 <img style="border: 0px solid ; width: 13px; height: 13px;"
 src="images/BD21298_3.gif" title="" alt="">&nbsp;&nbsp;&nbsp; If you
 have an ADSL Modem and you use PPTP to communicate with a server in
 that modem, you must make the <a href="PPTP.htm#PPTP_ADSL">changes
 recommended here</a> in addition to those described in the steps below.
 ADSL with PPTP is most commonly found in Europe, notably in Austria.<br>
 <h2 align="left">Shorewall Concepts</h2>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
- alt="">
+ alt=""> &nbsp;&nbsp;&nbsp; The configuration files for Shorewall are
-         The configuration files for Shorewall are contained in the directory 
+contained in the directory /etc/shorewall -- for simple setups, you
-   /etc/shorewall -- for simple setups, you  only need to deal with a few 
+only need to deal with a few of these as described in this guide. After
-of   these as described in this guide.  After you have <a
+you have <a href="Install.htm">installed Shorewall</a>, <b>download
- href="Install.htm">installed  Shorewall</a>,  <b>download the <a
+the <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
- href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>, 
+sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
- un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
+files to /etc/shorewall (they will replace files with the same names
-  (they will replace files with the same names that were placed in /etc/shorewall 
+that were placed in /etc/shorewall during Shorewall installation)</b>.</p>
-  during Shorewall installation)</b>.</p>
+<p>As each file is introduced, I suggest that you look through the
-      
+actual file on your system -- each file contains detailed configuration
-<p>As each file is introduced, I suggest that you  look through the actual 
+instructions and default entries.</p>
-    file on your system -- each file contains detailed  configuration instructions 
+<p>Shorewall views the network where it is running as being composed of
-    and default entries.</p>
+a set of <i>zones.</i> In the one-interface sample configuration, only
 <p>Shorewall views the network where it is running as being composed of a 
    set of  <i>zones.</i> In the one-interface sample configuration, only 
 one zone is defined:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
  <tbody>
@ -106,37 +93,30 @@ one    zone is  defined:</p>
      <td><b>net</b></td>
      <td><b>The Internet</b></td>
    </tr>
  </tbody>
 </table>
-      
+<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
-<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
+/etc/shorewall/zones</a>.</p>
-      
+<p>Shorewall also recognizes the firewall system as its own zone - by
-<p>Shorewall also recognizes the firewall system as its own zone - by default, 
+default, the firewall itself is known as <b>fw</b>.</p>
-     the firewall itself is known as <b>fw</b>.</p>
+<p>Rules about what traffic to allow and what traffic to deny are
-      
+expressed in terms of zones.</p>
 <p>Rules about what traffic to allow and what traffic to deny are expressed 
    in  terms of zones.</p>
 <ul>
-            <li>You express your default policy for connections from one
+  <li>You express your default policy for connections from one zone to
-zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+another zone in the<a href="Documentation.htm#Policy">
-       </a>file.</li>
+/etc/shorewall/policy </a>file.</li>
-            <li>You define exceptions to those default policies in the  
+  <li>You define exceptions to those default policies in the <a
-    <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+ href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
-      
+<p>For each connection request entering the firewall, the request is
-<p>For each connection request entering the firewall, the request is first 
+first checked against the /etc/shorewall/rules file. If no rule in that
-    checked against the  /etc/shorewall/rules file. If no rule in that file 
+file matches the connection request then the first policy in
-  matches  the connection  request then the first policy in /etc/shorewall/policy 
+/etc/shorewall/policy that matches the request is applied. If that
-  that  matches the    request is applied. If that policy is REJECT or DROP  
+policy is REJECT or DROP&nbsp; the request is first checked against the
-  the request is first  checked against the rules in /etc/shorewall/common 
+rules in /etc/shorewall/common (the samples provide that file for you).</p>
- (the samples provide that  file for you).</p>
+<p>The /etc/shorewall/policy file included with the one-interface
-      
+sample
-<p>The /etc/shorewall/policy file included with the one-interface sample has
+has the following policies:</p>
 the  following policies:</p>
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -152,8 +132,8 @@ the  following policies:</p>
        <td>fw</td>
        <td>net</td>
        <td>ACCEPT</td>
-                <td> </td>
+        <td>&nbsp;</td>
-                <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>net</td>
@ -161,54 +141,45 @@ the  following policies:</p>
        </td>
        <td>DROP</td>
        <td>info</td>
-                <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>all</td>
        <td>all</td>
        <td>REJECT</td>
        <td>info</td>
-                <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p>The above policy will:</p>
 <ol>
  <li>allow all connection requests from the firewall to the internet</li>
-            <li>drop (ignore) all connection requests from the internet to
+  <li>drop (ignore) all connection requests from the internet
- your   firewall</li>
+to your firewall</li>
-            <li>reject all other connection requests (Shorewall requires
+  <li>reject all other connection requests (Shorewall requires this
-this   catchall      policy).</li>
+catchall policy).</li>
 </ol>
-      
+<p>At this point, edit your /etc/shorewall/policy and make any changes
-<p>At this point, edit your /etc/shorewall/policy and make any changes that 
+that you wish.</p>
    you  wish.</p>
 <h2 align="left">External Interface</h2>
-      
+<p align="left">The firewall has a single network interface. Where
-<p align="left">The firewall has a single network interface. Where Internet 
+Internet connectivity is through a cable or DSL "Modem", the <i>External
-     connectivity is through a cable or DSL "Modem", the <i>External Interface</i> 
+Interface</i> will be the ethernet adapter (<b>eth0</b>) that is
-     will be the ethernet adapter (<b>eth0</b>) that is connected to that 
+connected to that "Modem"&nbsp; <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
 "Modem"     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
 <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-<u>T</u>unneling    <u>P</u>rotocol </i>(PPTP) in which case the External 
+<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the
-Interface will be  a <b>ppp0</b>. If you connect via a regular modem, your 
+External Interface will be a <b>ppp0</b>. If you connect via a regular
-External  Interface    will also be <b>ppp0</b>. If you connect using ISDN, 
+modem, your External Interface will also be <b>ppp0</b>. If you
-your external  interface    will be<b> ippp0.</b></p>
+connect using ISDN, your external interface will be<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
- height="13">
+ height="13"> &nbsp;&nbsp;&nbsp; The Shorewall one-interface sample
-             The Shorewall one-interface sample configuration assumes that 
+configuration assumes that the external interface is <b>eth0</b>. If
-the   external  interface is <b>eth0</b>.  If your configuration is different, 
+your configuration is different, you will have to modify the sample
-  you will have  to modify the sample  /etc/shorewall/interfaces file accordingly. 
+/etc/shorewall/interfaces file accordingly. While you are there, you
-   While you  are there, you may wish to  review the list of options that 
+may wish to review the list of options that are specified for the
-are   specified  for the interface. Some hints:</p>
+interface. Some hints:</p>
 <ul>
  <li>
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
@ -217,45 +188,38 @@ are   specified  for the interface. Some hints:</p>
  <li>
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
 or if you have a static IP address, you can remove "dhcp" from the
-option    list. </p>
+option list.<br>
    </p>
  </li>
 </ul>
 <div align="left">
 <h2 align="left">IP Addresses</h2>
 </div>
 <div align="left">
-<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges 
+<p align="left">RFC 1918 reserves several <i>Private </i>IP address
-    for  use in private networks:</p>
+ranges for use in private networks:</p>
 <div align="left">
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
 </div>
 <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
 because the Internet backbone routers will not forward a packet whose
-      destination address is reserved by RFC 1918. In some cases though, ISPs
+destination address is reserved by RFC 1918. In some cases though,
-    are    assigning these addresses then using <i>Network Address Translation 
+ISPs are assigning these addresses then using <i>Network Address
-    </i>to    rewrite packet headers when forwarding to/from the internet.</p>
+Translation </i>to rewrite packet headers when forwarding to/from the
-      
+internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
- width="13" height="13">
+ width="13" height="13"> &nbsp;&nbsp;&nbsp;&nbsp; Before starting
-                 Before starting Shorewall, you should look at the IP address 
+Shorewall, you should look at the IP address of your external interface
-  of  your external    interface and if it is one of the above ranges, you 
+and if it is one of the above ranges, you should remove the 'norfc1918'
- should  remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+option from the entry in /etc/shorewall/interfaces.</p>
 </div>
 <div align="left">
 <h2 align="left">Enabling other Connections</h2>
 </div>
 <div align="left">
-<p align="left">If you wish to enable connections from the internet to your 
+<p align="left">If you wish to enable connections from the internet to
-    firewall, the general format is:</p>
+your firewall, the general format is:</p>
 </div>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -276,20 +240,18 @@ option    list. </p>
        <td>fw</td>
        <td><i>&lt;protocol&gt;</i></td>
        <td><i>&lt;port&gt;</i></td>
-                  <td> </td>
+        <td>&nbsp;</td>
-                  <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 </div>
 <div align="left">
-<p align="left">Example - You want to run a Web Server and a POP3 Server on
+<p align="left">Example - You want to run a Web Server and a POP3
-your firewall    system:</p>
+Server
 on your firewall system:</p>
 </div>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -310,8 +272,8 @@ your firewall    system:</p>
        <td>fw</td>
        <td>tcp</td>
        <td>80</td>
-                  <td> </td>
+        <td>&nbsp;</td>
-                  <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
@ -319,26 +281,23 @@ your firewall    system:</p>
        <td>fw</td>
        <td>tcp</td>
        <td>110</td>
-                  <td> </td>
+        <td>&nbsp;</td>
-                  <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 </div>
 <div align="left">
-<p align="left">If you don't know what port and protocol a particular application
+<p align="left">If you don't know what port and protocol a particular
- uses, see <a href="ports.htm">here</a>.</p>
+application uses, see <a href="ports.htm">here</a>.</p>
 </div>
 <div align="left">
-<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
+<p align="left"><b>Important: </b>I don't recommend enabling telnet
-       the internet because it uses clear text (even for login!). If you want
+to/from the internet because it uses clear text (even for login!). If
-    shell    access to your firewall from the internet, use SSH:</p>
+you
 want shell access to your firewall from the internet, use SSH:</p>
 </div>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -359,77 +318,58 @@ your firewall    system:</p>
        <td>fw</td>
        <td>tcp</td>
        <td>22</td>
-                  <td> </td>
+        <td>&nbsp;</td>
-                  <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 </div>
 <div align="left">
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
- height="13">
+ height="13"> &nbsp;&nbsp;&nbsp; At this point, edit
-             At this point, edit    /etc/shorewall/rules to add other connections 
+/etc/shorewall/rules to add other connections as desired.</p>
    as desired.</p>
 </div>
 <div align="left">
 <h2 align="left">Starting and Stopping Your Firewall</h2>
 </div>
 <div align="left">
-<p align="left">          <img border="0" src="images/BD21298_2.gif"
+<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
- width="13" height="13" alt="Arrow">
+ height="13" alt="Arrow"> &nbsp;&nbsp;&nbsp; The <a href="Install.htm">installation
-              The <a href="Install.htm">installation procedure </a>   configures 
+procedure </a> configures your system to start Shorewall at system
-   your system to start Shorewall at system boot but beginning with Shorewall 
+boot but beginning with Shorewall version 1.3.9 startup is disabled so
-   version 1.3.9 startup is disabled so that your system won't try to start 
+that your system won't try to start Shorewall before configuration is
-  Shorewall before configuration is complete. Once you have completed configuration 
+complete. Once you have completed configuration of your firewall, you
-  of your firewall, you can enable Shorewall startup by removing the file
+can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
 </p>
-      
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the
-<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
+.deb package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
    package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
 </p>
 </div>
 <div align="left">
-<p align="left">The firewall is started using the "shorewall start" command 
+<p align="left">The firewall is started using the "shorewall start"
-       and stopped using "shorewall stop". When the firewall is stopped, routing
+command and stopped using "shorewall stop". When the firewall is
-    is    enabled on those hosts that have an entry in   <a
+stopped,
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
+routing is enabled on those hosts that have an entry in <a
       running firewall may be restarted using the "shorewall restart" command. 
    If    you want to totally remove any trace of Shorewall from your Netfilter 
       configuration, use "shorewall clear".</p>
         </div>
 <div align="left">   
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
    the    internet, do not issue a "shorewall stop" command unless you have 
   added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-Also, I don't recommend using "shorewall restart"; it is better to create 
+A running firewall may be restarted using the "shorewall restart"
-    an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
+command. If you want to totally remove any trace of Shorewall from your
-    and    test it using the <a
+Netfilter configuration, use "shorewall clear".</p>
 </div>
 <div align="left">
 <p align="left"><b>WARNING: </b>If you are connected to your firewall
 from the internet, do not issue a "shorewall stop" command unless you
 have added an entry for the IP address that you are connected from
 to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 Also, I don't recommend using "shorewall restart"; it is better to
 create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
 </div>
-      
+<p align="left"><font size="2">Last updated 2/08/2003 - <a
 <p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-      
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
+2003 Thomas M. Eastep</font></a></p>
 Thomas   M. Eastep</font></a></p>
           <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -20,6 +20,7 @@
                            <tbody>
                     <tr>
                              <td width="100%">                         
      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
        the Firewall</font></h1>
                              </td>
@ -41,10 +42,10 @@ your     favorite   graphical  run-level editor.</p>
                 </p>
 <ol>
-                <li>Shorewall startup is disabled by default. Once you have
+                   <li>Shorewall startup is disabled by default. Once you 
- configured      your firewall, you can enable startup by removing the file
+have   configured      your firewall, you can enable startup by removing the
- /etc/shorewall/startup_disabled.      Note: Users of the .deb package must
+file   /etc/shorewall/startup_disabled.      Note: Users of the .deb package
- edit /etc/default/shorewall and set    'startup=1'.<br>
+must   edit /etc/default/shorewall and set    'startup=1'.<br>
                   </li>
                   <li>If you use dialup, you may want to start the firewall 
    in  your   /etc/ppp/ip-up.local   script. I recommend just placing  "shorewall
@ -55,19 +56,25 @@ your     favorite   graphical  run-level editor.</p>
 <p>            </p>
 <p>   You can manually start and stop Shoreline Firewall using     the "shorewall" 
-        shell program: </p>
+         shell program. Please refer to the <a
 href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
 State Diagram</a> is shown at the     bottom of this page. </p>
 <ul>
                     <li>shorewall start - starts the firewall</li>
-                  <li>shorewall stop - stops the firewall</li>
+                     <li>shorewall stop - stops the firewall; the only traffic
 permitted through the firewall is from systems listed in /etc/shorewall/routestopped
 (Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
 then in addition, all existing connections are permitted and any new connections
 originating from the firewall itself are allowed).</li>
                     <li>shorewall restart - stops the firewall (if it's
       running)   and  then starts it again</li>
                     <li>shorewall reset - reset the packet and byte counters 
              in the  firewall</li>
                     <li>shorewall clear - remove all rules and chains  
-installed    by Shoreline  Firewall</li>
+   installed    by Shoreline  Firewall. The firewall is "wide open"</li>
-                  <li>shorewall refresh - refresh the rules involving the 
+                     <li>shorewall refresh - refresh the rules involving
-broadcast             addresses  of firewall interfaces, <a
+the   broadcast             addresses  of firewall interfaces, <a
 href="blacklisting_support.htm">the black list</a>, <a
 href="traffic_shaping.htm">traffic control rules</a> and <a
 href="ECN.html">ECN control rules</a>.</li>
@ -78,58 +85,65 @@ then   a  shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
-<p>The above command would trace the 'start' command and place the trace
+<p>The above command would trace the 'start' command and place the trace information
-information in the file /tmp/trace<br>
+in the file /tmp/trace<br>
 </p>
-<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
+<p>Beginning with version 1.4.7, shorewall can give detailed help about each 
-    bottom of this page.<br>
+of its commands:<br>
 </p>
 <ul>
   <li>shorewall help [ <i>command</i> | host | address ]<br>
   </li>
 </ul>
 <p>The "shorewall" program may also be used to monitor the     firewall.</p>
 <ul>
-                  <li>shorewall status - produce a verbose report about the
+                     <li>shorewall status - produce a verbose report about
- firewall               (iptables -L -n -v)</li>
+ the  firewall               (iptables -L -n -v)</li>
-                  <li>shorewall show <i>chain</i> - produce a verbose report
+                     <li>shorewall show <i>chain</i> - produce a verbose
-  about        <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
+report    about        <i>chain             </i>(iptables -L <i>chain</i>
 -n -v)</li>
                     <li>shorewall show nat - produce a verbose report about
  the  nat   table             (iptables -t nat -L -n -v)</li>
                     <li>shorewall show tos - produce a verbose report about
  the  mangle    table          (iptables -t mangle -L -n -v)</li>
-                  <li>shorewall show log - display the last 20 packet log 
+                     <li>shorewall show log - display the last 20 packet
-entries.</li>
+log   entries.</li>
                     <li>shorewall show connections - displays the IP connections 
    currently     being     tracked by the firewall.</li>
                     <li>shorewall                                      
-show                                                           tc     - displays
+   show                                                           tc    
-  information      about the traffic control/shaping configuration.</li>
+-  displays   information      about the traffic control/shaping configuration.</li>
                     <li>shorewall monitor [ delay ] - Continuously display 
 the   firewall               status, last 20 log entries and nat. When the 
 log  entry display                changes, an audible alarm is sounded.</li>
-                  <li>shorewall hits - Produces several reports about the 
+                     <li>shorewall hits - Produces several reports about
-Shorewall     packet  log          messages in the current /var/log/messages 
+the   Shorewall     packet  log          messages in the current /var/log/messages
  file.</li>
-                  <li>shorewall version -  Displays the installed     version
+                     <li>shorewall version -  Displays the installed    
-  number.</li>
+version    number.</li>
        <li>shorewall check -  Performs a <u>cursory</u> validation     of
  the   zones, interfaces, hosts, rules and policy files.<br>
          <br>
-       <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
+          <font size="4" color="#ff6666"><b>The "check" command is totally
- and does not parse and     validate   the   generated iptables commands. 
+ unsuppored  and does not parse and     validate   the   generated iptables
-Even though the "check" command     completes   successfully, the configuration
+ commands.  Even though the "check" command     completes   successfully,
- may fail to start. Problem reports that complain about errors that the 'check'
+the configuration  may fail to start. Problem reports that complain about
- command does not detect will not be accepted.<br>
+errors that the 'check'  command does not detect will not be accepted.<br>
          <br>
      See the     recommended   way to make configuration changes described 
 below.</b></font><br>
         <br>
        </li>
-                  <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
+                     <li>shorewall try<i> configuration-directory</i> [<i>
-     ]  -  Restart shorewall using the     specified configuration and if 
+ timeout</i>      ]  -  Restart shorewall using the     specified configuration
-an   error   occurs or if the<i> timeout </i>    option is given and the new
+ and if  an   error   occurs or if the<i> timeout </i>    option is given
-configuration     has been up for that many seconds     then shorewall is
+and the new configuration     has been up for that many seconds     then
-restarted using   the  standard configuration.</li>
+shorewall is restarted using   the  standard configuration.</li>
                     <li>shorewall deny, shorewall reject, shorewall accept 
 and   shorewall      save     implement <a
 href="blacklisting_support.htm">dynamic   blacklisting</a>.</li>
@ -138,26 +152,44 @@ and   shorewall      save     implement <a
 when   new   Shorewall       messages are logged.</li>
 </ul>
- Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands 
+    Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
-for dealing with IP addresses and IP address ranges:<br>
+commands   for dealing with IP addresses and IP address ranges:<br>
 <ul>
-   <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays 
+      <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
-the network address, broadcast address, network in CIDR notation and netmask 
+-  displays  the network address, broadcast address, network in CIDR notation
-corresponding to the input[s].</li>
+ and netmask  corresponding to the input[s].</li>
      <li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
  range of IP addresses into the equivalent list of network/host addresses.
      <br>
      </li>
 </ul>
 There is a set of commands dealing with <a
 href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
 <ul>
   <li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from 
 the listed   IP    addresses to be silently dropped by the firewall.</li>
   <li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from 
 the  listed  IP    addresses to be rejected by the firewall.</li>
   <li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt 
 of packets   from hosts    previously blacklisted by a <i>drop</i> or <i>reject</i> 
 command.</li>
   <li>shorewall save - save the dynamic blacklisting configuration so that 
 it will   be    automatically restored the next time that the firewall is 
 restarted.</li>
   <li>show dynamic - displays the dynamic blacklisting chain.<br>
   </li>
 </ul>
     Finally, the "shorewall" program may be used to dynamically alter  the
   contents  of a zone.<br>
 <ul>
-              <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
+                 <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone 
-  Adds   the  specified interface (and host if included) to the specified
+    </i>-    Adds   the  specified interface (and host if included) to the 
-zone.</li>
+specified  zone.</li>
                 <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
      </i>-   Deletes   the specified interface (and host if included) from
  the specified   zone.</li>
@ -231,70 +263,106 @@ you.</p>
             </p>
              You will note that the commands that result in state transitions 
  use   the  word "firewall" rather than "shorewall". That is because the 
-actual   transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
+actual   transitions  are done by /usr/share/shorewall/firewall; /sbin/shorewall
-  on  Debian); /sbin/shorewall runs 'firewall" according to the following 
+ runs 'firewall" according to the following  table:<br>
 table:<br>
            <br>
 <table cellpadding="2" cellspacing="2" border="1">
               <tbody>
                 <tr>
        <td valign="top"><u><b>/sbin/shorewall Command</b><br>
        </u></td>
        <td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
        </u></td>
        <td valign="top"><u><b>Effect if the Command Succeeds</b><br>
        </u></td>
      </tr>
      <tr>
                   <td valign="top">shorewall start<br>
                   </td>
                   <td valign="top">firewall start<br>
                   </td>
        <td valign="top">The system filters packets based on your current 
 Shorewall Configuration<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall stop<br>
                   </td>
                   <td valign="top">firewall stop<br>
                   </td>
        <td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts
 is passed to/from/through the firewall. For Shorewall versions beginning
 with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then
 in addition, all existing connections are retained and all connection requests
 from the firewall are accepted.<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall restart<br>
                   </td>
                   <td valign="top">firewall restart<br>
                   </td>
        <td valign="top">Logically equivalent to "firewall stop;firewall
 start"<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall add<br>
                   </td>
                   <td valign="top">firewall add<br>
                   </td>
        <td valign="top">Adds a host or subnet to a dynamic zone<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall delete<br>
                   </td>
                   <td valign="top">firewall delete<br>
                   </td>
        <td valign="top">Deletes a host or subnet from a dynamic zone<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall refresh<br>
                   </td>
                   <td valign="top">firewall refresh<br>
                   </td>
        <td valign="top">Reloads rules dealing with static blacklisting,
 traffic  control and ECN.<br>
        </td>
                 </tr>
                 <tr>
        <td valign="top">shorewall clear<br>
        </td>
        <td valign="top">firewall clear<br>
        </td>
        <td valign="top">Removes all Shorewall rules, chains, addresses,
 routes  and ARP entries.<br>
        </td>
      </tr>
      <tr>
                   <td valign="top">shorewall try<br>
                   </td>
-                <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
+                   <td valign="top">firewall -c &lt;new configuration&gt; 
 restart<br>
             If unsuccessful then firewall start (standard configuration)<br>
             If timeout then firewall restart (standard configuration)<br>
                   </td>
        <td valign="top"><br>
        </td>
                 </tr>
  </tbody>     
 </table>
            <br>
-<p><font size="2">   Updated 7/6/2003 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 7/31/2003 - <a href="support.htm">Tom  Eastep</a> 
           </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
           © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -2,8 +2,10 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Support Guide</title>
@ -13,7 +15,9 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
  <tbody>
     <tr>
        <td width="100%">                                               
@ -24,8 +28,10 @@
                                                            </font></h1>
        </td>
    </tr>
  </tbody>                   
 </table>
@ -49,14 +55,14 @@
      </li>
                                      <li>                              
    The           <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
-      Information           contains                a    number of tips to
+       Information           contains                a    number of tips
- help    you solve common  problems.        </li>
+to   help    you solve common  problems.        </li>
                                     <li>                               
   The           <a href="http://www.shorewall.net/errata.htm">   Errata</a> 
 has links     to  download        updated     components.         </li>
                                      <li>                              
-  The   Site   and   Mailing        List   Archives     search facility can
+    The   Site   and   Mailing        List   Archives     search facility 
- locate   documents   and  posts    about         similar   problems:   
+can  locate   documents   and  posts    about         similar   problems: 
        </li>
 </ul>
@ -108,8 +114,8 @@ has links     to  download        updated     components.         </li>
 <ul>
                                               <li>Please remember we only
-know   what   is  posted    in  your   message.      Do  not  leave out any
+ know   what   is  posted    in  your   message.      Do  not  leave out
-information      that  appears   to be  correct,    or was   mentioned  
+any  information      that  appears   to be  correct,    or was   mentioned
   in  a previous    post.  There  have  been countless   posts   by people
  who were   sure    that some  part  of their     configuration  was correct
  when  it actually      contained   a  small error.     We tend to be  skeptics
@ -140,57 +146,67 @@ better   than a paraphrase   or  summary.<br>
 <ul>
  <ul>
-                                               <li>the exact version of Shorewall 
+                                                 <li>the exact version of 
-    you   are   running.<br>
+Shorewall      you   are   running.<br>
                                                   <br>
                                                   <b><font
 color="#009900">shorewall      version</font><br>
                                              </b>    <br>
                                                 </li>
  </ul>
  <ul>
  </ul>
  <ul>
-                                               <li>the complete, exact output 
+                                                 <li>the complete, exact
-  of<br>
+output    of<br>
                                                   <br>
                                                   <font color="#009900"><b>ip
   addr   show<br>
                                                   <br>
                                                   </b></font></li>
  </ul>
  <ul>
-                                               <li>the complete, exact output 
+                                                 <li>the complete, exact
-  of<br>
+output    of<br>
                                                   <br>
                                                   <font color="#009900"><b>ip
   route    show<br>
                                                   </b></font></li>
  </ul>
  <ul>
  </ul>
 </ul>
 <ul>
  <ul>
-                     <li><big><font color="#ff0000"><u><i><big><b>THIS IS 
+                       <li><small><small><font color="#ff0000"><u><i><big><b>THIS
-IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem is
+IS  IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your
-that some type of connection to/from or through your firewall isn't working 
+problem is that some type of connection to/from or through your firewall
-then please perform the following four steps:</big></big></big><br>
+isn't working  then please perform the following four steps:<br>
          <br>
    1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
                                      <br>
@ -199,8 +215,8 @@ then please perform the following four steps:</big></big></big><br>
                                  3.<b><font color="#009900"> /sbin/shorewall 
  status    &gt;   /tmp/status.txt</font></b><br>
                                      <br>
-                                4. Post the /tmp/status.txt file as an attachment 
+                                  4. Post the /tmp/status.txt file as an
-(you may compress it if you like).<br>
+attachment  (you may compress it if you like).<br>
                        <br>
                      </li>
                      <li>the exact wording of any <code
@ -211,19 +227,20 @@ then please perform the following four steps:</big></big></big><br>
        Guides,        please  indicate which one. <br>
                                           <br>
                                         </li>
-                    <li><b>If you are running Shorewall under Mandrake using
+                      <li><b>If you are running Shorewall under Mandrake
-     the     Mandrake      installation of Shorewall, please say so.<br>
+using       the     Mandrake      installation of Shorewall, please say so.<br>
                        <br>
                        </b></li>
  </ul>
         <li>As    a  general    matter,   please <strong>do not edit the 
 diagnostic        information</strong>        in   an attempt to conceal
 your IP address,     netmask,      nameserver    addresses,     domain name,
-etc. These aren't     secrets,  and concealing   them often   misleads  us
+ etc. These aren't     secrets,  and concealing   them often   misleads 
-(and 80% of the time,     a hacker  could derive them       anyway   from
+us  (and 80% of the time,     a hacker  could derive them       anyway  
-information  contained  in   the SMTP headers  of your post).<br>
+from  information  contained  in   the SMTP headers  of your post).<br>
                                <br>
                                <strong></strong></li>
                              <li>Do you see  any   "Shorewall"      messages 
@ -269,8 +286,8 @@ blacklist   shorewall.net      "for  continuous abuse" because it has been
 my policy   to  allow HTML in  list    posts!!<br>
                         <br>
                                                  I think that blocking all 
-HTML   is  a  Draconian      way   to  control     spam    and  that the ultimate
+ HTML   is  a  Draconian      way   to  control     spam    and  that the 
-  losers   here are not    the spammers    but the   list  subscribers  
+ultimate   losers   here are not    the spammers    but the   list  subscribers 
     whose MTAs   are bouncing    all shorewall.net    mail. As   one list
   subscriber    wrote    to me privately      "These e-mail admin's   need
   to get a <i>(expletive      deleted)</i>  life     instead of trying to
@ -278,13 +295,6 @@ rid   the planet of HTML based   e-mail".   Nevertheless,       to allow
 subscribers  to  receive list posts   as must as possible,   I  have   now
  configured the  list  server at shorewall.net   to strip all HTML    from
 outgoing  posts.<br>
      <br>
      <big><font color="#cc0000"><b>If you run your own outgoing mail server
  and it doesn't have a valid DNS PTR record, your email won't reach the
 lists   unless/until the postmaster notices that your posts are being rejected. 
 To  avoid this problem, you should configure your MTA to forward posts to 
 shorewall.net  through an MTA that <u>does</u> have a valid PTR record (such 
 as the one at your ISP). </b></font></big><br>
      </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -295,20 +305,26 @@ as the one at your ISP). </b></font></big><br>
                         to the <a
 href="mailto:leaf-user@lists.sourceforge.net">LEAF      Users      mailing 
             list</a>.</span></h4>
-                                                <b>If you run Shorewall under 
+                                                  <b>If you run Shorewall 
-  MandrakeSoft       Multi    Network     Firewall     (MNF)   and you have 
+under    MandrakeSoft       Multi    Network     Firewall     (MNF)   and 
-  not purchased  an   MNF  license    from MandrakeSoft     then    you can 
+you have    not purchased  an   MNF  license    from MandrakeSoft     then 
-   post non MNF-specific     Shorewall  questions   to the </b><a
+   you can     post non MNF-specific     Shorewall  questions   to the </b><a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall   users mailing 
               list</a>. <b>Do not expect to get free MNF support on the list</b>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-                 list</a> .</p>
+                  list.</a> </p>
-                                   
+                                           </blockquote>
 <h2>Subscribing to the Users Mailing List<br>
 </h2>
 <blockquote>
  <p>         To Subscribe to the  mailing list go to <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
-                                      .<br>
+  <br>
 Secure: <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
                              </p>
                                                    </blockquote>
@ -316,11 +332,13 @@ as the one at your ISP). </b></font></big><br>
 href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
                              </p>
-<p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@ -1,17 +1,13 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Troubleshooting</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
@ -20,108 +16,96 @@
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
 src="images/obrasinf.gif" alt="Beating head on table" width="90"
- height="90" align="middle">
+ height="90" align="middle"> </font></h1>
             </font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h3 align="left">Check the Errata</h3>
-    
+<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to
-<p align="left">Check the <a href="errata.htm">Shorewall Errata</a>  to be
+be sure that there isn't an update that you are missing for your
-     sure   that there isn't an update that you are missing for your version
+version of the firewall.</p>
   of  the   firewall.</p>
 <h3 align="left">Check the FAQs</h3>
-    
+<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to
-<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
+common problems.</p>
     problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
-                 If you receive an error message when starting or restarting
+If you receive an error message when starting or restarting the
-  the   firewall  and you can't determine the cause, then do the following:
+firewall and you can't determine the cause, then do the following:
 <ul>
  <li>Make a note of the error message that you see.<br>
  </li>
  <li>shorewall debug start 2&gt; /tmp/trace</li>
-                <li>Look at the /tmp/trace file and see if that helps you
+  <li>Look at the /tmp/trace file and see if that helps you determine
-   determine    what the problem is. Be sure you find the place in the log
+what the problem is. Be sure you find the place in the log where the
-  where the error message you saw is generated -- If you are using Shorewall 
+error message you saw is generated -- If you are using Shorewall 1.4.0
-1.4.0 or later, you should find the message near the end of the log.</li>
+or later, you should find the message near the end of the log.</li>
-                <li>If you still can't determine what's wrong then see the
+  <li>If you still can't determine what's wrong then see the <a
-         <a href="support.htm">support page</a>.</li>
+ href="support.htm">support page</a>.</li>
 </ul>
 Here's an example. During startup, a user sees the following:<br>
 <blockquote>
  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
 </blockquote>
 A search through the trace for "No chain/target/match by that name"
-turned   up the following:   
+turned up the following:&nbsp;
 <blockquote>
  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
 </blockquote>
-     The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
+The command that failed was: "iptables -A reject -p tcp -j REJECT
-  tcp-reset". In this case, the user had compiled his own kernel and had
+--reject-with tcp-reset". In this case, the user had compiled his own
 kernel and had
 forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
 <h3>Your network environment</h3>
-    
+<p>Many times when people have problems with Shorewall, the problem is
-<p>Many times when people have problems with Shorewall, the problem is actually 
+actually an ill-conceived network setup. Here are several popular
-an ill-conceived network setup. Here are several popular snafus:    </p>
+snafus: </p>
 <ul>
-                <li>Port           Forwarding where client and server are 
+  <li>Port Forwarding where client and server are in the same subnet.
-in  the   same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+See <a href="FAQ.htm">FAQ 2.</a></li>
-                <li>Changing the IP address of a local system to be in the
+  <li>Changing the IP address of a local system to be in the external
- external     subnet,      thinking that Shorewall will suddenly believe
+subnet, thinking that Shorewall will suddenly believe
 that the system is in the 'net' zone.</li>
-                <li>Multiple interfaces connected to the same HUB or Switch.
+  <li>Multiple interfaces connected to the same HUB or Switch. Given
-  Given    the way      that the Linux kernel respond to ARP "who-has" requests,
+the way that the Linux kernel respond to ARP "who-has" requests, this
-  this    type of setup      does NOT work the way that you expect it to.</li>
+type of setup does NOT work the way that you expect it to. If you
-    
+are running Shorewall version 1.4.7 or later, you can test using this
 kind of configuration if you specify
 the <span style="font-weight: bold;">arp_filter</span>
 option in /etc/shorewall/interfaces for all interfaces connected to the
 common hub/switch. Using such a setup with a production firewall is
 strongly recommended against.</li>
 </ul>
 <h3 align="left">If you are having connection problems:</h3>
-    
+<p align="left">If the appropriate policy for the connection that you
-<p align="left">If the appropriate policy for the connection that you are
+are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
     trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
 TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
-they  add    clutter to your rule set and they represent a big security hole
+they add clutter to your rule set and they represent a big security
 hole
 in the event that you forget to remove them later.</p>
-    
+<p align="left">I also recommend against setting all of your policies
-<p align="left">I also recommend against setting all of your policies to
+to ACCEPT in an effort to make something work. That robs you of one of
      ACCEPT in an effort to make something work. That robs you of one of
 your best diagnostic tools - the "Shorewall" messages that Netfilter
-     will        generate when you try to connect in a way that isn't permitted
+will generate when you try to connect in a way that isn't permitted by
-     by your        rule set.</p>
+your rule set.</p>
-    
+<p align="left">Check your log ("/sbin/shorewall show log"). If you
-<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
+don't see Shorewall messages, then your problem is probably NOT a
-    see Shorewall  messages, then  your problem is probably NOT a Shorewall
+Shorewall problem. If you DO see packet messages, it may be an
-  problem.  If you DO see packet messages,  it may be an indication that
+indication that
 you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
-    
+<p align="left">While you are troubleshooting, it is a good idea to
-<p align="left">While you are troubleshooting, it is a good idea to clear
+clear two variables in /etc/shorewall/shorewall.conf:</p>
            two variables in /etc/shorewall/shorewall.conf:</p>
 <p align="left">LOGRATE=""<br>
 LOGBURST=""</p>
-    
+<p align="left">This way, you will see all of the log messages being
-<p align="left">This way, you will see all of the log messages being  generated 
+generated (be sure to restart shorewall after clearing these variables).</p>
 (be sure to restart shorewall after clearing these variables).</p>
 <p align="left">Example:</p>
 <font face="Century Gothic, Arial, Helvetica">
-<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:   Shorewall:all2all:REJECT:IN=eth2 
+<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
- OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3     LEN=67 TOS=0x00 PREC=0x00 TTL=63 
+Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2
- ID=5805 DF PROTO=UDP SPT=1803 DPT=53  LEN=47</font></p>
+DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP
 SPT=1803 DPT=53 LEN=47</font></p>
 </font>
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
  <li>all2all:REJECT - This packet was REJECTed out of the
 all2all chain -- the packet was rejected under the "all"-&gt;"all"
@ -132,92 +116,85 @@ REJECT  policy   (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
  <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
  <li>PROTO=UDP - UDP Protocol</li>
  <li>DPT=53 - DNS</li>
 </ul>
-    
+<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
-<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and  192.168.1.3
+192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
-     is in the "loc" zone. I was missing the rule:</p>
+<p align="left">ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
-    
+loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53<br>
 <p align="left">ACCEPT    dmz    loc    udp    53<br>
 </p>
-    
+<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional
-<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
+information about how to interpret the chain name appearing in a
-     about how to interpret the chain name appearing in a Shorewall log message.<br>
+Shorewall log message.<br>
 </p>
 <h3 align="left">'Ping' Problems?</h3>
 Either can't ping when you think you should be able to or are able to
-ping  when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
+ping when you think that you shouldn't be allowed? Shorewall's 'Ping'
- href="ping.html"> is described here</a>.<br>
+Management<a href="ping.html"> is described here</a>.<br>
 <h3 align="left">Other Gotchas</h3>
 <ul>
-                <li>Seeing rejected/dropped packets logged out of the INPUT
+  <li>Seeing rejected/dropped packets logged out of the INPUT or
- or  FORWARD        chains? This means that:           
+FORWARD chains? This means that:
    <ol>
-                  <li>your zone definitions are screwed up and the host that
+      <li>your zone definitions are screwed up and the host that is
-  is  sending   the        packets or the destination host isn't in any zone
+sending the packets or the destination host isn't in any zone (using an
-  (using  an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
+        <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
-  file are you?);         or</li>
+are you?); or</li>
-                  <li>the source and destination hosts are both connected 
+      <li>the source and destination hosts are both connected to the
-to  the   same         interface and you don't have a policy or rule for the
+same interface and you don't have a policy or rule for the
 source zone to or from the destination zone.</li>
    </ol>
  </li>
-                <li>Remember that Shorewall doesn't automatically allow ICMP
+  <li>Remember that Shorewall doesn't automatically allow ICMP type 8
-      type  8 ("ping") requests to be sent between zones. If you want pings 
+("ping") requests to be sent between zones. If you want pings to be
-   to be  allowed between zones, you need a rule of the form:<br>
+allowed between zones, you need a rule of the form:<br>
    <br>
-                     ACCEPT    &lt;source     zone&gt;    &lt;destination 
+&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; &lt;source
-zone&gt;         icmp        echo-request<br>
+zone&gt;&nbsp;&nbsp;&nbsp; &lt;destination zone&gt;&nbsp;&nbsp;&nbsp;
 icmp&nbsp;&nbsp;&nbsp; echo-request<br>
    <br>
-                 The ramifications of this can be subtle. For example, if 
+The ramifications of this can be subtle. For example, if you have the
-you  have   the      following in /etc/shorewall/nat:<br>
+following in /etc/shorewall/nat:<br>
    <br>
-                     10.1.1.2    eth0        130.252.100.18<br>
+&nbsp;&nbsp;&nbsp; 10.1.1.2&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
 130.252.100.18<br>
    <br>
-                 and you ping 130.252.100.18, unless you have allowed icmp
+and you ping 130.252.100.18, unless you have allowed icmp type 8
- type   8  between  the     zone containing the system you are pinging from
+between the zone containing the system you are pinging from and the
- and the  zone containing       10.1.1.2, the ping requests will be dropped. </li>
+zone containing 10.1.1.2, the ping requests will be dropped.&nbsp;</li>
-                <li>If you specify "routefilter" for an interface,     that
+  <li>If you specify "routefilter" for an interface, that interface
- interface     must be up prior to starting the firewall.</li>
+must be up prior to starting the firewall.</li>
-                <li>Is your routing correct? For example, internal systems
+  <li>Is your routing correct? For example, internal systems usually
- usually     need to      be configured with their default gateway set to
+need to be configured with their default gateway set to
-the IP address     of their      nearest firewall interface. One often overlooked
+the IP address of their nearest firewall interface. One often
- aspect of   routing is that      in order for two hosts to communicate,
+overlooked aspect of routing is that in order for two hosts to
 communicate,
 the routing between them must be set up <u>in both directions.</u>
 So when setting up routing between <b>A</b> and<b> B</b>, be sure
 to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
-                <li>Some versions of LRP (EigerStein2Beta for example) have
+  <li>Some versions of LRP (EigerStein2Beta for example) have a shell
- a      shell  with broken variable expansion. <a
+with broken variable expansion. <a
- href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
+ href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a
-     shell from the Shorewall Errata download site.</a>     </li>
+corrected shell from the Shorewall Errata download site.</a> </li>
-                <li>Do you have your kernel properly configured? <a
+  <li>Do you have your kernel properly configured? <a href="kernel.htm">Click
- href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
+here to see my kernel configuration.</a> </li>
-                <li>Shorewall requires the "ip" program. That     program 
+  <li>Shorewall requires the "ip" program. That program is generally
- is  generally   included in the "iproute" package which should     be included
+included in the "iproute" package which should be included with your
-   with your  distribution (though many distributions don't install     iproute
+distribution (though many distributions don't install iproute by
-   by     default). You may also download the latest source tarball from
+default). You may also download the latest source tarball from <a
-    <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
+ href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
-      .</li>
+ftp://ftp.inr.ac.ru/ip-routing</a> .</li>
  <li>Problems with NAT? Be sure that you let
 Shorewall add all external addresses to be use with NAT unless you
 have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
 in /etc/shorewall/shorewall.conf.</li>
 </ul>
 <h3>Still Having Problems?</h3>
 <p>See the<a href="support.htm"> support page.<br>
 </a></p>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote> </blockquote>
 </font>
-<p><font size="2">Last updated 4/29/2003 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 8/8/2003 - Tom Eastep</font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </p>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.6-20030731
+VERSION=1.4.6-20030809
 usage() # $1 = exit status
 {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.6-20030731
+VERSION=1.4.6-20030809
 usage() # $1 = exit status
 {
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.6_20030731
+%define version 1.4.6_20030809
 %define release 1
 %define prefix /usr
@ -106,6 +106,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030809-1
 * Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030731-1
 * Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.6-20030731
+VERSION=1.4.6-20030809
 usage() # $1 = exit status
 {