Shorewall 2.0.0 Alpha1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@443 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-04-11 21:08:22 +02:00 · 2003-02-08 20:58:44 +00:00 · 2003-02-08 20:58:44 +00:00 · ef51c04d1d
commit ef51c04d1d
parent b0e5d0b131
35 changed files with 452 additions and 574 deletions
--- a/Shorewall/INSTALL
+++ b/Shorewall/INSTALL
@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
+Shoreline Firewall (Shorewall) Version 2.0 - 3/14/2003
 -----         ----
 -----------------------------------------------------------------------------
@ -28,7 +28,7 @@ o Edit the configuration files to fit your environment.
  To do this, I strongly advise you to follow the instructions at:
-      http://shorewall.sf.net/shorewall_quickstart_guide.htm
+      http://www.shorewall.net/shorewall_quickstart_guide.htm
 o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
  Debian, then type "./install.sh".
--- a/Shorewall/blacklist
+++ b/Shorewall/blacklist
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Blacklist File
+# Shorewall 2.0 -- Blacklist File
 #
 # /etc/shorewall/blacklist
 #
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,22 +1,30 @@
-Changes since 1.3.13
+Changes since 1.3.14
-1. Fix 'shorewall add' bug.
+1. All versions changed to 2.0.
-2. Add OLD_PING_HANDLING option
+2. Rework of error message generation to make the 'firewall' script
   smaller.
-3. Allow adding alias labels under ADD_IP_ALIASES=Yes.
+3. Deimplemented MERGE_HOSTS=No.
-4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes.
+4. Generate error for <dev>:<integer> name in interfaces file.
-5. Use the routing table to generate list of subnets to be masqueraded
+5. Deimplement old ping handling.
   when an interface name appears in the SUBNET column of
   /etc/shorewall/masq.
-6. Restore $dev.$vid naming of VLAN interfaces.
+6. Deimplement 'routestopped' interface/hosts option.
-7. Updated copyrights for 2003.
+7. Strip comments from potentially large files while the firewall is
   still up and running during 'restart'.
-8. Added support for openvpn tunnels on arbitrary ports
+8. Disallow the old port forwarding/redirection syntax.
-9. Corrected rule number calculation problem in 'shorewall add' command
+9. Reorganize shorewall.conf.
-   processing.
+
 10. Added support for LOG target.
 11. Move firewall and version (one more time....)
 12. Add late DNS reply rule to the common chain.
 12. Corrected rule number calculation problem in 'shorewall add' command
    processing.
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/common.def
+# Shorewall 2.0 -- /etc/shorewall/common.def
 #
 # This file defines the rules that are applied before a policy of 
 # DROP or REJECT is applied. In addition to the rules defined in this file,
@ -36,5 +36,9 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 # AUTH -- Silently reject it so that connections don't get delayed.
 #
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.14RC1
+VERSION=2.0.0Alpha1
 usage() # $1 = exit status
 {
@ -49,14 +49,18 @@ restore_file() # $1 = file to restore
    fi	
 }
-if [ ! -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
+if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
    echo "Shorewall Version $VERSION is not installed"
    exit 1
 fi
 echo "Backing Out Installation of Shorewall $VERSION"
-if [ -L /usr/lib/shorewall/firewall ]; then
+if [ -L /usr/share/shorewall/init ]; then
    FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'`
    restore_file $FIREWALL
    restore_file /usr/share/shorewall/firewall
 elif [ -L /usr/lib/shorewall/firewall ]; then
    FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
    restore_file $FIREWALL
 elif [ -L /var/lib/shorewall/firewall ]; then
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
@ -95,7 +95,7 @@ error_message() # $* = Error Message
 #
 fatal_error() # $* = Error Message
 {
-    echo "   $@" >&2
+    echo "   Error: $@" >&2
    stop_firewall
    exit 2
 }
@ -106,7 +106,7 @@ fatal_error() # $* = Error Message
 #
 startup_error() # $* = Error Message
 {
-    echo "   $@" >&2
+    echo "   Error: $@" >&2
    my_mutex_off
    [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
    kill $$
@ -225,13 +225,12 @@ run_tc() {
 # variable ${1}_exists and set its value to Yes to indicate that the chain now
 # exists.
 #
-createchain() # $1 = chain name, $2 = If non-null, don't create default rules
+createchain() # $1 = chain name, $2 = If "yes", create default rules
 {
    run_iptables -N $1
-    if [ $# -eq 1 ]; then
+    if [ $2 = yes ]; then
-	state="ESTABLISHED"
+	state="ESTABLISHED,RELATED"
 	[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 	run_iptables -A $1 -m state --state $state -j ACCEPT
 	[ -z "$NEWNOTSYN" ] && \
 	    run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
@ -273,7 +272,7 @@ mangle_chain_exists() # $1 = chain name
 #
 ensurechain() # $1 = chain name
 {
-    havechain $1 || createchain $1
+    havechain $1 || createchain $1 yes
 }
 #
@ -502,8 +501,11 @@ determine_interfaces() {
 # Determine the defined hosts in each zone and generate report
 #
 determine_hosts() {
-    do_a_zone()
+
-    {
+    for zone in $zones; do
 	hosts=`find_hosts $zone`
 	hosts=`echo $hosts` # Remove extra trash
 	eval interfaces=\$${zone}_interfaces
 	for interface in $interfaces; do
@ -513,10 +515,7 @@ determine_hosts() {
 		hosts="$hosts $interface:0.0.0.0/0"
 	    fi
 	done
    }
    recalculate_interfaces()
    {
 	interfaces=
 	for host in $hosts; do
@ -531,32 +530,6 @@ determine_hosts() {
 	done
 	eval ${zone}_interfaces="\$interfaces"
    }
    for zone in $zones; do
 	hosts=`find_hosts $zone`
 	hosts=`echo $hosts` # Remove extra trash
 	if [ -n "MERGE_HOSTS" ]; then
 	    #
 	    # Zone will be the union of its host and interface definitions
 	    #
 	    do_a_zone
 	    recalculate_interfaces
 	elif [ -n "$hosts" ]; then
 	    #
 	    # Zone is defined in terms of hosts -- derive the interface list
 	    # from the host list
 	    #
 	    recalculate_interface
 	else
 	    #
 	    # If no hosts are defined for a zone then the zone consists of any
 	    # host that can send us messages via the interfaces to the zone
 	    #
 	    do_a_zone
 	fi
 	eval ${zone}_hosts="\$hosts"
 	if [ -n "$hosts" ]; then
@ -591,10 +564,16 @@ validate_interfaces_file() {
 	fi
 	[ "x$interface" = "xlo" ] && \
-	    startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
+	    startup_error "The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
 	list_search $interface $all_interfaces && \
-	    startup_error "Error: Duplicate Interface $interface"
+	    startup_error "Duplicate Interface $interface"
 	case $interface in
 	    *:*)
 		startup_error "Invalid Interface Name: $interface"
 		;;
 	esac
 	all_interfaces="$all_interfaces $interface"
 	options=`separate_list $options`
@ -606,21 +585,17 @@ validate_interfaces_file() {
 	for option in $options; do
 	    case $option in
-		dhcp|routestopped|norfc1918|multi|tcpflags)
+		dhcp|norfc1918|multi|tcpflags)
 		    ;;
 		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		    ;;
 		noping|filterping)
 		    [ -n "$OLD_PING_HANDLING" ] || \
 			startup_error "Option $option only allowed with old ping handling"
 		    ;;
 		*)
 		    error_message "Warning: Invalid option ($option) in record \"$r\""
 		    ;;
 	    esac
 	done
-    [ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"
+    [ -z "$all_interfaces" ] && startup_error "No Interfaces Defined"
    done < $TMP_DIR/interfaces
 }
@ -642,7 +617,7 @@ validate_hosts_file() {
 	    for option in `separate_list $options`; do
 		case $option in
-		    routestopped|maclist|-)
+		    maclist|-)
 			;;
 		    *)
 			error_message "Warning: Invalid option ($option) in record \"$r\""
@ -725,7 +700,7 @@ validate_rule() {
 		serv=$server
 		;;
 	    ~*)
-		startup_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address"
+		startup_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 		;;
 	    *)
 		dest_interface="-o $server"
@ -771,21 +746,29 @@ validate_rule() {
 	REJECT)
 	    target=reject
 	    [ -n "$servport" ] && \
-		startup_error "Error: server port may not be specified in a REJECT rule;"\
+		startup_error "Server port may not be specified in a REJECT rule;"\
                              "rule: \"$rule\""
 	    ;;
 	ACCEPT)
 	    [ -n "$servport" ] && \
-		startup_error "Error: server port may not be specified in an ACCEPT rule;"\
+		startup_error "Server port may not be specified in an ACCEPT rule;"\
                              "rule: \"$rule\""
 	    ;;
 	LOG)
 	    [ -n "$servport" ] && \
 		startup_error "Server port may not be specified in an LOG rule;"\
                              "rule: \"$rule\""
 	    [ -n "$loglevel" ] || \
 		startup_error "LOG target requires a log level"
 	    ;;
 	REDIRECT)
-	    [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
+	    [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
 		" specify a server IP; rule: \"$rule\""
 	    servport=${servport:=$port}
 	    ;;
 	DNAT)
-	    [ -n "$serv" ] || startup_error "Error: DNAT rules require a" \
+	    [ -n "$serv" ] || startup_error "DNAT rules require a" \
 		" server address; rule: \"$rule\""
 	    ;;
 	esac
@ -805,17 +788,17 @@ validate_rule() {
 		#
 		if [ -z "$NAT_ENABLED" ]; then
 		    startup_error \
-		    "Error - Rule \"$rule\" requires NAT which is disabled"
+		    "Rule \"$rule\" requires NAT which is disabled"
 		fi
 		if [ "$target" != "ACCEPT" ]; then
-		    startup_error "Error - Only ACCEPT rules may specify " \
+		    startup_error "Only ACCEPT rules may specify " \
 			"port mapping; rule \"$rule\""
 		fi
 	    fi
 	else
 	    [ -n "$addr" ] && startup_error \
-		  "Error: An ADDRESS ($addr) is only allowed in" \
+		  "An ADDRESS ($addr) is only allowed in" \
 		  " a DNAT or REDIRECT rule: \"$rule\""
 	fi
    }
@ -835,9 +818,7 @@ validate_rule() {
    logtarget="$target"
    #
    # DNAT and REDIRECT targets were implemented in version 1.3 to replace
-    # an older syntax. We simply map the new syntax into the old and proceed;
+    # an older syntax. We simply map the new syntax into the old and proceed.
    # that way, people who have files with the old syntax don't need to
    # convert right away.
    #
    case $target in
    DNAT)
@ -858,11 +839,10 @@ validate_rule() {
 	    servers="fw::$servers"
 	fi
 	;;
-    ACCEPT|DROP|REJECT)
+    ACCEPT|DROP|REJECT|LOG)
 	;;
    *)
-	startup_error "Error: Invalid target;" \
+	startup_error "Invalid target; rule: \"$rule\""
 		      " rule: \"$rule\""
    esac
@ -873,7 +853,7 @@ validate_rule() {
 	clientzone="${clients%%:*}"
 	clients="${clients#*:}"
 	[ -z "$clientzone" -o -z "$clients" ] && \
-	   startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
+	   startup_error "Empty source zone or qualifier: rule \"$rule\""
    fi
    if [ "$clientzone" = "${clientzone%\!*}" ]; then
@ -883,13 +863,13 @@ validate_rule() {
 	clientzone="${clientzone%\!*}"
 	[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
-	    startup_error "Error: Exclude list only allowed with DNAT or REDIRECT"
+	    startup_error "Exclude list only allowed with DNAT or REDIRECT"
    fi
    #
    # Validate the Source Zone
    #
    if ! validate_zone $clientzone; then
-	[ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\""
+	[ "x$clientzone" = xall ] || startup_error "Undefined Client Zone in rule \"$rule\""
    fi
    source=$clientzone
@ -910,18 +890,18 @@ validate_rule() {
 	    serverport="${servers#*:}"
 	    servers="${servers%:*}"
 	    [ -z "$serverzone" -o -z "$serverport" ] && \
-	        startup_error "Error: Empty destination zone or server port: rule \"$rule\""
+	        startup_error "Empty destination zone or server port: rule \"$rule\""
 	else
 	    serverport=
 	    [ -z "$serverzone" -o -z "$servers" ] && \
-	        startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
+	        startup_error "Empty destination zone or qualifier: rule \"$rule\""
 	fi
    fi
    #
    # Validate the destination zone
    #
    if ! validate_zone $serverzone; then
-	[ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\""
+	[ "x$serverzone" = xall ] || startup_error "Undefined Server Zone in rule \"$rule\""
    fi
    dest=$serverzone
@ -976,13 +956,13 @@ validate_rules() # $1 = name of rules file
 	expandv clients servers protocol ports cports address
 	case "$target" in
-	ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
+	ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*)
 	    rule="`echo $target $clients $servers $protocol $ports $cports $address`"
 	    validate_rule
 	    ;;
 	*)
 	    rule="`echo $target $clients $servers $protocol $ports $cports $address`"
-	    startup_error "Error: Invalid Target - rule \"$rule\" ignored"
+	    startup_error "Invalid Target - rule \"$rule\" ignored"
 	    ;;
 	esac
    done < $TMP_DIR/rules
@ -1013,7 +993,7 @@ validate_policy()
    all_policy_chains=
-    strip_file policy $policy
+    strip_file policy
    while read client server policy loglevel synparams; do
 	expandv client server policy loglevel synparams
@ -1027,7 +1007,7 @@ validate_policy()
 	    ;;
 	*)
 	    if ! validate_zone $client; then
-		startup_error "Error: Undefined zone $client"
+		startup_error "Undefined zone $client"
 	    fi
 	esac
@ -1037,7 +1017,7 @@ validate_policy()
 	    ;;
 	*)
 	    if ! validate_zone $server; then
-		startup_error "Error: Undefined zone $server"
+		startup_error "Undefined zone $server"
 	    fi
 	esac
@ -1045,17 +1025,17 @@ validate_policy()
 	ACCEPT|REJECT|DROP|CONTINUE)
 	    ;;
 	*)
-	    startup_error "Error: Invalid policy $policy"
+	    startup_error "Invalid policy $policy"
 	    ;;
 	esac
 	chain=${client}2${server}
 	[ "x$chain" = "x${FW}2${FW}" ] && \
-	    startup_error "Error: fw->fw policy not allowed: $policy"
+	    startup_error "fw->fw policy not allowed: $policy"
 	if is_policy_chain $chain ; then
-	    startup_error "Error: Duplicate policy $policy"
+	    startup_error "Duplicate policy $policy"
 	fi
 	[ "x$loglevel" = "x-" ] && loglevel=
@ -1275,7 +1255,7 @@ stop_firewall() {
    deleteallchains
-    hosts="`find_hosts_by_option routestopped`"
+    hosts=
    strip_file routestopped 
@ -1522,8 +1502,6 @@ setup_proxy_arp() {
    > ${STATEDIR}/proxyarp
    strip_file proxyarp
    while read address interface external haveroute; do
 	expandv address interface external haveroute
 	setup_one_proxy_arp
@ -1578,7 +1556,7 @@ setup_mac_lists() {
 	    eth*)
 		;;
 	    *)
-		fatal_error "Error: MAC verification is only supported on ethernet devices: $interface"
+		fatal_error "MAC verification is only supported on ethernet devices: $interface"
 		;;
 	esac
@ -1587,7 +1565,6 @@ setup_mac_lists() {
    #
    # Process the maclist file producing the verification rules
    #
    strip_file maclist
    while read interface mac addresses; do
 	expandv interface mac addresses
@ -1595,7 +1572,7 @@ setup_mac_lists() {
 	chain=`mac_chain $interface`
 	if ! havechain $chain ; then
-	    fatal_error "Error: No hosts on $interface have the maclist option specified"
+	    fatal_error "No hosts on $interface have the maclist option specified"
 	fi
 	macpart=`mac_match $mac`
@ -1629,7 +1606,7 @@ setup_mac_lists() {
 	blob=`ip addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'`
 	[ -z "$blob" ] && \
-	    fatal_error "Error: Interface $interface must be up before Shorewall can start"
+	    fatal_error "Interface $interface must be up before Shorewall can start"
 	set -- $blob
@ -1728,8 +1705,6 @@ setup_nat() {
    #
    > ${STATEDIR}/nat
    strip_file nat
    echo "Setting up NAT..."
    while read external interface internal allints localnat; do
@ -1807,7 +1782,7 @@ process_tc_rule()
 		    ;;
 		*)
 		    if ! list_search $source $all_interfaces; then
-			fatal_error "Error: Unknown interface $source in rule \"$rule\""
+			fatal_error "Unknown interface $source in rule \"$rule\""
 		    fi
 		    r="-i $source "
@ -1976,19 +1951,18 @@ refresh_tc() {
 add_nat_rule() {
    local chain
-    # Be sure NAT is enabled
+    # Be sure we should and can NAT
-
+    
-    if [ -z "$NAT_ENABLED" ]; then
+    case $logtarget in
-	fatal_error \
+	DNAT|REDIRECT)
-	    "Error - Rule \"$rule\" requires NAT which is disabled"
+	    if [ -z "$NAT_ENABLED" ]; then
-    fi
+		fatal_error "Rule \"$rule\" requires NAT which is disabled"
-
+	    fi
-    # Onle ACCEPT (plus DNAT and REDIRECT) may result in NAT
+	    ;;
-
+	*)
-    if [ "$target" != "ACCEPT" ]; then
+	    fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
-	fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
+	    ;;
-	    "port mapping; rule \"$rule\""
+    esac
    fi
    # Parse SNAT address if any
@ -2126,20 +2100,19 @@ add_a_rule()
    # Set destination variables
    dest_interface=
    serv=
    [ -n "$server" ] && case "$server" in
    -)
 	serv=
 	;;
    *.*.*)
 	serv=$server
 	;;
    ~*)
-	fatal_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address"
+	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
    *)
 	dest_interface="-o $server"
 	serv=
 	;;
    esac
@ -2180,8 +2153,7 @@ add_a_rule()
 	    ;;
 	all|ALL)
 	    [ -n "$port" ] && [ "x${port}" != "x-" ] && \
-		fatal_error "Port number not allowed with \"all\";" \
+		fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
 				" rule: \"$rule\""
 	    proto=
 	    ;;
 	related|RELATED)
@ -2191,8 +2163,7 @@ add_a_rule()
 	*)
 	    state=
 	    [ -n "$port" ] && [ "x${port}" != "x-" ] && \
-		fatal_error "Port number not allowed with protocol " \
+		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
 		"\"$proto\"; rule: \"$rule\""
 	    ;;
    esac
@ -2204,18 +2175,21 @@ add_a_rule()
 	REJECT)
 	    target=reject
 	    [ -n "$servport" ] && \
-		fatal_error "Error: server port may not be specified in a REJECT rule;"\
+		fatal_error "Server port may not be specified in a REJECT rule;"\
                            "rule: \"$rule\""
 	    ;;
 	REDIRECT)
-	    [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
+	    [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
 		" specify a server IP; rule: \"$rule\""
 	    servport=${servport:=$port}
 	    ;;
 	DNAT)
-	    [ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \
+	    [ -n "$serv" ] || fatal_error "DNAT rules require a" \
 		" server address; rule: \"$rule\""
 	    ;;
 	LOG)
 	    [ -z "$loglevel" ] && fatal_error "LOG requires log level"
 	    ;;
    esac
    # Complain if the rule is really a policy
@ -2260,7 +2234,7 @@ add_a_rule()
 	# Destination is a simple zone
 	[ -n "$addr" ] && fatal_error \
-	    "Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \
+	    "An ORIGINAL DESTINATION ($addr) is only allowed in" \
 	    " a DNAT or REDIRECT: \"$rule\""
 	if [ -n "$loglevel" ]; then
@ -2276,8 +2250,10 @@ add_a_rule()
 	    fi
 	fi
-	run_iptables2 -A $chain $proto $multiport $dest_interface $state \
+	if [ $logtarget != LOG ]; then
-	    $cli $sports $dports -j $target
+	    run_iptables2 -A $chain $proto $multiport $dest_interface $state \
 		$cli $sports $dports -j $target
 	fi
    fi
 }
@ -2349,7 +2325,7 @@ process_rule() # $1 = target
 	clientzone="${clients%%:*}"
 	clients="${clients#*:}"
 	[ -z "$clientzone" -o -z "$clients" ] && \
-	   fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
+	   fatal_error "Empty source zone or qualifier: rule \"$rule\""
    fi
    if [ "$clientzone" = "${clientzone%\!*}" ]; then
@ -2359,11 +2335,11 @@ process_rule() # $1 = target
 	clientzone="${clientzone%\!*}"
 	[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
-	    fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT"
+	    fatal_error "Exclude list only allowed with DNAT or REDIRECT"
    fi
    if ! validate_zone $clientzone; then
-	fatal_error "Error: Undefined Client Zone in rule \"$rule\""
+	fatal_error "Undefined Client Zone in rule \"$rule\""
    fi
    # Parse and validate destination
@ -2383,16 +2359,16 @@ process_rule() # $1 = target
 	    serverport="${servers#*:}"
 	    servers="${servers%:*}"
 	    [ -z "$serverzone" -o -z "$serverport" ] && \
-	        fatal_error "Error: Empty destination zone or server port: rule \"$rule\""
+	        fatal_error "Empty destination zone or server port: rule \"$rule\""
 	else
 	    serverport=
 	    [ -z "$serverzone" -o -z "$servers" ] && \
-	        startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
+	        startup_error "Empty destination zone or qualifier: rule \"$rule\""
 	fi
    fi
    if ! validate_zone $serverzone; then
-	fatal_error "Error: Undefined Server Zone in rule \"$rule\""
+	fatal_error "Undefined Server Zone in rule \"$rule\""
    fi
    dest=$serverzone
@ -2466,12 +2442,10 @@ process_rules() # $1 = name of rules file
 	done
    }
    strip_file rules $1
    while read xtarget xclients xservers xprotocol xports xcports xaddress; do
 	case "$xtarget" in
-	    ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
+	    ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*|LOG|LOG:*)
 		expandv xclients xservers xprotocol xports xcports xaddress
 		if [ "x$xclients" = xall ]; then
@ -2493,7 +2467,7 @@ process_rules() # $1 = name of rules file
 		;;
 	    *)
 		rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
-		fatal_error "Error: Invalid Target in rule \"$rule\""
+		fatal_error "Invalid Target in rule \"$rule\""
 		;;
 	esac
@ -2871,7 +2845,7 @@ default_policy() # $1 = client $2 = server
    if [ -n "$chain1" ]; then
 	apply_default $1 $2
    else
-	fatal_error "Error: No default policy for zone $1 to zone $2"
+	fatal_error "No default policy for zone $1 to zone $2"
    fi
 }
@ -2921,7 +2895,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
    [ -n "$chain" ] && { echo $chain; return; }
-    fatal_error "Error: No appropriate chain for zone $1 to zone $2"
+    fatal_error "No appropriate chain for zone $1 to zone $2"
 }
 #
@ -2975,7 +2949,7 @@ setup_masq()
 	interface=${fullinterface%:*}
 	if ! list_search $interface $all_interfaces; then
-	    fatal_error "Error: Unknown interface $interface"
+	    fatal_error "Unknown interface $interface"
 	fi
 	if [ "$subnet" = "${subnet%!*}" ]; then
@ -3348,7 +3322,7 @@ initialize_netfilter () {
    determine_zones
-    [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+    [ -z "$zones" ] && startup_error "No Zones Defined"
    display_list "Zones:" $zones
@ -3368,6 +3342,17 @@ initialize_netfilter () {
    determine_interfaces
    determine_hosts
    #
    # The some files might be large so strip them while the firewall is still running
    # (restart command). This reduces the length of time that the firewall isn't
    # accepting new connections.
    #
    strip_file rules
    strip_file proxyarp
    strip_file maclist
    strip_file nat
    deletechain shorewall
@ -3399,7 +3384,8 @@ initialize_netfilter () {
    #
    run_iptables -A INPUT   -p udp --dport 53 -j ACCEPT # I suppose that there
                                                        # is an idiot somewhere
-                                                        # who needs this
+                                                        # who needs this    strip_file nat
    run_iptables -A OUTPUT  -p udp --dport 53 -j ACCEPT
    run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
@ -3458,13 +3444,6 @@ initialize_netfilter () {
 #
 build_common_chain() {
    if [ -n "$OLD_PING_HANDLING" ]; then
        #
        # PING
        #
 	[ -n "$FORWARDPING" ] && \
 	    run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
    fi
    #
    # Common ICMP rules
    #
@ -3618,7 +3597,7 @@ add_common_rules() {
 		logdrop|DROP|RETURN)
 		    ;;
 		*)
-		    fatal_error "   Error:Illegal target ($target) for $subnet"
+		    fatal_error "Illegal target ($target) for $subnet"
 		    ;;
 	    esac
@ -3780,7 +3759,7 @@ apply_policy_rules() {
 	    # related sessions associated with sessions going
 	    # in the other direction
 	    #
-	    createchain $chain
+	    createchain $chain yes
 	    #
 	    # If either client or server is 'all' then this MUST be
@ -4017,26 +3996,6 @@ define_firewall() # $1 = Command (Start or Restart)
    process_rules $rules
    if [ -n "$OLD_PING_HANDLING" ]; then
 	echo "Setting up ICMP Echo handling..."
 	filterping_interfaces="`find_interfaces_by_option filterping`"
 	noping_interfaces="`find_interfaces_by_option noping`"
 	for interface in $all_interfaces; do
 	    if ! list_search $interface $filterping_interfaces; then
 		if list_search $interface $noping_interfaces; then
 		    target=DROP
 		else
 		    target=ACCEPT
 		fi
 		run_iptables -A `input_chain $interface` \
 		    -p icmp --icmp-type echo-request -j $target
 	    fi
 	done
    fi
    policy=`find_file policy`
    echo "Processing $policy..."
@ -4086,7 +4045,7 @@ check_config() {
    determine_zones
-    [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+    [ -z "$zones" ] && startup_error "No Zones Defined"
    display_list "Zones:" $zones
@ -4109,7 +4068,7 @@ check_config() {
    echo "Validating policy file..."
-    validate_policy	
+    validate_policy 	
    rm -rf $TMP_DIR
@ -4129,7 +4088,7 @@ refresh_firewall()
    validate_interfaces_file
-    [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+    [ -z "$zones" ] && startup_error "No Zones Defined"
    determine_interfaces
@ -4171,7 +4130,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
    do_iptables() # $@ = command
    {
 	if ! iptables $@ ; then
-	    startup_error "Error: can't add $1 to zone $2"
+	    startup_error "Can't add $1 to zone $2"
 	fi
    }
@ -4196,26 +4155,25 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
    #
    zone=$2
-    validate_zone $zone || startup_error "Error: Unknown zone: $zone"
+    validate_zone $zone || startup_error "Unknown zone: $zone"
-    [ "$zone" = $FW ] && startup_error "Error: Can't add $1 to firewall zone"
+    [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
    #
    # Be sure that Shorewall has been restarted using a DZ-aware version of the code
    #
-    [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found"
+    [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found"
-    [ -f ${STATEDIR}/zones ]  || startup_error "Error: ${STATEDIR}/zones -- file not found"
+    [ -f ${STATEDIR}/zones ]  || startup_error "${STATEDIR}/zones -- file not found"
    #
    # Be sure that the interface was present at last [re]start
    #
    if ! chain_exists `input_chain $interface` ; then
-	startup_error "Error: Unknown interface $interface"
+	startup_error "Unknown interface $interface"
    fi
    #
    # Build lists of interfaces with special rules
    #
    dhcp_interfaces=`find_interfaces_by_option dhcp`
    blacklist_interfaces=`find_interfaces_by_option blacklist`
    filterping_interfaces=`find_interfaces_by_option filterping`
    maclist_interfaces=`find_interfaces_by_option maclist`
    tcpflags_interfaces=`find_interfaces_by_option tcpflags`
    #
@ -4234,7 +4192,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 	    for h in $hosts; do
 		if [ "$h" = "$newhost" ]; then
 		    rm -f ${STATEDIR}/zones_$$
-		    startup_error "Error: $1 already in zone $zone"
+		    startup_error "$1 already in zone $zone"
 		fi
 	    done
@ -4273,10 +4231,6 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    rulenum=2
 		fi
 		if list_search $interface $filterping_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
 		if list_search $interface $maclist_interfaces; then
 		    rulenum=$(($rulenum + 1))
 		fi
@ -4417,19 +4371,19 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
    zone=$2
-    validate_zone $zone || startup_error "Error: Unknown zone: $zone"
+    validate_zone $zone || startup_error "Unknown zone: $zone"
-    [ "$zone" = $FW ] && startup_error "Error: Can't remove $1 from firewall zone"
+    [ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone"
    #
    # Be sure that Shorewall has been restarted using a DZ-aware version of the code
    #
-    [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found"
+    [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found"
-    [ -f ${STATEDIR}/zones ]  || startup_error "Error: ${STATEDIR}/zones -- file not found"
+    [ -f ${STATEDIR}/zones ]  || startup_error "${STATEDIR}/zones -- file not found"
    #
    # Be sure that the interface was present at last [re]start
    #
    if ! chain_exists `input_chain $interface` ; then
-	startup_error "Error: Unknown interface $interface"
+	startup_error "Unknown interface $interface"
    fi
    #
    # Normalize the first argument to this function
@ -4555,7 +4509,7 @@ do_initialize() {
    FW=
    SUBSYSLOCK=
    STATEDIR=
-    ALLOWRELATED=
+    ALLOWRELATED=Yes
    LOGRATE=
    LOGBURST=
    LOGPARMS=
@ -4572,7 +4526,6 @@ do_initialize() {
    NAT_BEFORE_RULES=
    MULTIPORT=
    DETECT_DNAT_IPADDRS=
    MERGE_HOSTS=
    MUTEX_TIMEOUT=
    NEWNOTSYN=
    LOGNEWNOTSYN=
@ -4583,8 +4536,7 @@ do_initialize() {
    TCP_FLAGS_LOG_LEVEL=
    RFC1918_LOG_LEVEL=
    MARK_IN_FORWARD_CHAIN=
-    OLD_PING_HANDLING=
+    SHARED_DIR=/usr/share/shorewall
    SHARED_DIR=/usr/lib/shorewall
    FUNCTIONS=
    VERSION_FILE=
@ -4633,6 +4585,8 @@ do_initialize() {
    [ -z "$FW" ] && FW=fw
    ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
    [ -n "$ALLOWRELATED" ] || \
 	startup_error "ALLOWRELATED=No is not supported"
    NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
    MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
    ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
@ -4668,8 +4622,10 @@ do_initialize() {
    NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
    MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
    DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
    MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
    FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
    [ -n "$FORWARDPING" ] && \
 	startup_error "FORWARDPING=Yes is no longer supported"
    NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
    maclist_target=reject
@ -4709,10 +4665,6 @@ do_initialize() {
    else
 	CLEAR_TC=
    fi
    OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
    [ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \
 	startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No"
    run_user_exit params
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 1.3 -- /usr/lib/shorewall/functions
+# Shorewall 2.0 -- /usr/lib/shorewall/functions
 #
 # Suppress all output for a command
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/hosts
+# Shorewall 2.0 - /etc/shorewall/hosts
 #
 #    WARNING: 90% of Shorewall users don't need to add entries to this
 #             file and 80% of those who try to add such entries get it
@ -30,11 +30,6 @@
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
 #
 #			routestopped - (Deprecated -- use
 #				       /etc/shorewall/routestopped)
 #				       route messages to and from this
 #				       member when the firewall is in the
 #				       stopped state
 #			maclist	     - Connection requests from these hosts
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
--- a/Shorewall/init
+++ b/Shorewall/init
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/init
+# Shorewall 2.0 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.14RC1
+VERSION=2.0.0Alpha1
 usage() # $1 = exit status
 {
@ -93,6 +93,18 @@ backup_file() # $1 = file to backup
    fi
 }
 delete_file() # $1 = file to delete
 {
    if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
 	if (mv $1 ${1}-${VERSION}.bkout); then
 	    echo
 	    echo "$1 moved to ${1}-${VERSION}.bkout"
        else
 	    exit 1
        fi
    fi
 }    
 modify_rclocal()
 {
    if [ -f /etc/rc.d/rc.local ]; then
@ -261,10 +273,10 @@ echo
 echo  "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
 #
-# Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed
+# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
 mkdir -p ${PREFIX}/etc/shorewall
-mkdir -p ${PREFIX}/usr/lib/shorewall
+mkdir -p ${PREFIX}/usr/share/shorewall
 mkdir -p ${PREFIX}/var/lib/shorewall
 #
 # Install the config file
@ -300,10 +312,10 @@ if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
    rm -f  ${PREFIX}/var/lib/shorewall/functions
 fi
-install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
+install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
 echo
-echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions"
+echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
 #
 # Install the common.def file
 #
@ -311,13 +323,11 @@ install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
 echo
 echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
 #
 # Install the icmp.def file
 #
 install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
-echo
+#
-echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
+# Delete the icmp.def file
 #
 delete_file icmp.def
 #
 # Install the policy file
@ -531,7 +541,9 @@ fi
 # Backup the version file
 #
 if [ -z "$PREFIX" ]; then
-    if [ -f /usr/lib/shorewall/version ]; then
+    if [ -f /usr/share/shorewall/version ]; then
 	backup_file /usr/share/shorewall/version
    elif [ -f /usr/lib/shorewall/version ]; then
 	backup_file /usr/lib/shorewall/version
    elif [ -n "$oldversion" ]; then
 	echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
@ -542,10 +554,10 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${PREFIX}/usr/lib/shorewall/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
-chmod 644 ${PREFIX}/usr/lib/shorewall/version
+chmod 644 ${PREFIX}/usr/share/shorewall/version
 #
-# Remove and create the symbolic link to the firewall script
+# Remove and create the symbolic link to the init script
 #
 if [ -z "$PREFIX" ]; then
@ -554,12 +566,13 @@ if [ -z "$PREFIX" ]; then
    [ -L /usr/lib/shorewall/firewall ] && \
 	mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
    rm -f /usr/lib/shorewall/init
-    ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init
+    rm -f /usr/share/shorewall/init
    ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init
 fi
 #
 # Install the firewall script
 #
-install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544
+install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
 if [ -z "$PREFIX" -a -n "$first_install" ]; then
    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Interfaces File
+# Shorewall 2.0 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@ -46,11 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
@ -106,21 +101,19 @@
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
 #			206.191.149.192/27. You have a DMZ with subnet
-#			192.168.2.0/24 using eth2. You want to be able to
+#			192.168.2.0/24 using eth2.
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
 #			net	eth0	206.191.149.223	dhcp
-#			local	eth1	192.168.1.255	routestopped
+#			local	eth1	192.168.1.255
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
 #			net	eth0	detect		dhcp
-#			loc	eth1	detect		routestopped
+#			loc	eth1	detect
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
--- a/Shorewall/maclist
+++ b/Shorewall/maclist
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - MAC list file
+# Shorewall 2.0 - MAC list file
 #
 # /etc/shorewall/maclist
 #
--- a/Shorewall/masq
+++ b/Shorewall/masq
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - Masquerade file
+# Shorewall 2.0 - Masquerade file
 #
 # /etc/shorewall/masq
 #
--- a/Shorewall/modules
+++ b/Shorewall/modules
@ -1,7 +1,12 @@
 ##############################################################################
-# Shorewall 1.3 /etc/shorewall/modules
+# Shorewall 2.0 /etc/shorewall/modules
 #
 # This file loads the modules needed by the firewall.
 #
 # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
 # dependency order. i.e., if M2 depends on M1 then you must load M1 before
 # you load M2.
 #
    loadmodule ip_tables
    loadmodule iptable_filter
--- a/Shorewall/nat
+++ b/Shorewall/nat
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3  -- Network Address Translation Table
+# Shorewall 2.0  -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
--- a/Shorewall/params
+++ b/Shorewall/params
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/params
+# Shorewall 2.0 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
@ -11,7 +11,7 @@
 #
 #	NET_IF=eth0
 #	NET_BCAST=130.252.100.255
-#	NET_OPTIONS=noping,norfc1918
+#	NET_OPTIONS=routefilter,norfc1918
 #
 # Example (/etc/shorewall/interfaces record):
 #
@ -19,7 +19,7 @@
 #
 # The result will be the same as if the record had been written
 #
-#	net	eth0		130.252.100.255	noping,norfc1918
+#	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 # Variables can be used in the following places in the other configuration
 # files:
--- a/Shorewall/policy
+++ b/Shorewall/policy
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Policy File
+# Shorewall 2.0 -- Policy File
 #
 # /etc/shorewall/policy
 #
--- a/Shorewall/proxyarp
+++ b/Shorewall/proxyarp
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Proxy ARP
+# Shorewall 2.0 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,105 +1,41 @@
-This is a minor release of Shorewall that has a couple of new features.
+This is a major release of Shorewall.
-New features include:
+Function from 1.3 that has been omitted from this version include:
-1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
+1) The MERGE_HOSTS variable in shorewall.conf is no longer
-   set to Yes, Shorewall ping handling is as it has always been (see
+   supported. Shorewall 2.0 behavior is the same as 1.3 with
-   http://www.shorewall.net/ping.html).
+   MERGE_HOSTS=Yes.
-   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
+2. Interface names of the form <device>:<integer> in
-   policies just like any other connection request. The FORWARDPING
+   /etc/shorewall/interfaces now generate an error.
   option in shorewall.conf is ignored and the 'noping' and
   'filterping' options in /etc/shorewall/interfaces will generate an
   error.
-2) It is now possible to direct Shorewall to create a "label" such as
+3. Shorewall 2.0 implements behavior consistent with
-   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+   OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
-   and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
+   at startup as will specification of the 'noping' or 'filterping'
-   instead of just the interface name:
+   interface options.
-   a) In the INTERFACE column of /etc/shorewall/masq
+4. The 'routestopped' option in the /etc/shorewall/interfaces and
-   b) In the INTERFACE column of /etc/shorewall/nat
+   /etc/shorewall/hosts files is no longer supported and will generate
   an error at startup if specified.
-3) The ability to name your VLAN interfaces using the $dev.$vid
+5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
-   convention (e.g., "eth0.0") has been restored. This capability was
+   accepted.
   inadvertently broken in version 1.3.12.
-4) Support has been added for defining OpenVPN tunnels in the
+6. The ALLOWRELATED variable in shorewall.conf is no longer
-   /etc/shorewall/tunnels file.
+   supported. Shorewall 2.0 behavior is the same as 1.3 with
   ALLOWRELATED=Yes.
-5) When an interface name is entered in the SUBNET column of the
+Changes for 2.0 include:
   /etc/shorewall/masq file, Shorewall previously masqueraded traffic
   from only the first subnet defined on that interface. It did not
   masquerade traffic from:
-   a) The subnets associated with other addresses on the interface.
+1. shorewall.conf has been completely reorganized into logical
-   b) Subnets accessed through local routers.
+   sections.
-   Beginning with Shorewall 1.3.14, if you enter an interface name in
+2. LOG is now a valid action for a rule (/etc/shorewall/rules).
   the SUBNET column, shorewall will use the firewall's routing table
   to construct the masquerading/SNAT rules.
-   Example 1 -- This is how it works in 1.3.14.
+3. The firewall script and version file are now installed in
-   
+   /usr/share/shorewall.
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# shorewall start
   ...
   Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
   Processing /etc/shorewall/tos...
-   When upgrading to Shorewall 1.3.14, if you have multiple local
+4. Late arriving DNS replies are now silently dropped in the common
-   subnets connected to an interface that is specified in the SUBNET
+   chain by default.
   column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
   file will need changing. In most cases, you will simply be able to
   remove redundant entries. In some cases though, you might want to change
   from using the interface name to listing specific subnetworks if the
   change described above will cause masquerading to occur on
   subnetworks that you don't wish to masquerade.
-   Example 2 -- Suppose that your current config is as follows:
+ 
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   eth0			   192.168.10.0/24	   206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#
   In this case, the second entry in /etc/shorewall/masq is no longer
   required.
   Example 3 -- What if your current configuration is like this?
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#
   In this case, you would want to change the entry in
   /etc/shorewall/masq to:
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    192.168.1.0/24          206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Shorewall/rfc1918
+++ b/Shorewall/rfc1918
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- RFC1918 File
+# Shorewall 2.0 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
--- a/Shorewall/routestopped
+++ b/Shorewall/routestopped
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #
--- a/Shorewall/rules
+++ b/Shorewall/rules
@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Rules File
+# Shorewall version 2.0 - Rules File
 #
 # /etc/shorewall/rules
 #
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
+#     Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2003
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]	      
 #
@ -570,7 +570,7 @@ fi
 [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-SHARED_DIR=/usr/lib/shorewall
+SHARED_DIR=/usr/share/shorewall
 MUTEX_TIMEOUT=
 if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -1,5 +1,5 @@
 ##############################################################################
-#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
@ -8,13 +8,16 @@
 #
 #  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
-#
+#       D I S T R I B U T I O N - S P E C I F I C   S E T T I N G S
 ##############################################################################
 # You should not have to change the variables in this section -- they are set
 # by the packager of your Shorewall distribution
 #
-SHARED_DIR=/usr/lib/shorewall
+SHARED_DIR=/usr/share/shorewall
 #
 ##############################################################################
 #                              L O G G I N G
 ##############################################################################
 #
 # General note about log levels. Log levels are a method of describing 
 # to syslog (8) the importance of a message and a number of parameters
@ -45,59 +48,19 @@ SHARED_DIR=/usr/lib/shorewall
 # configured to log all Shorewall message to their own log file
 ################################################################################
 #
-# PATH - Change this if you want to change the order in which Shorewall
+# LOG FILE LOCATION
 #        searches directories for executable files.	
 #
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+# This variable tells the /sbin/shorewall program where to look for Shorewall
 # log messages. If not set or set to an empty string (e.g., LOGFILE="") then
 # /var/log/messages is assumed.
 #
 # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
 #          look for Shorewall messages.It does NOT control the destination for
 #          these messages. For information about how to do that, see
 #
 #              http://www.shorewall.net/shorewall_logging.html
-#
+LOGFILE=/var/log/messages
 # NAME OF THE FIREWALL ZONE
 #
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 #
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set this to "".
 #
 SUBSYSLOCK=/var/lock/subsys/shorewall
 #
 # SHOREWALL TEMPORARY STATE DIRECTORY
 #
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 STATEDIR=/var/lib/shorewall
 #
 # ALLOW RELATED CONNECTIONS
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
 # that are related to already established connections. For example, you want
 # to accept FTP data connections. If you say "no" here, then to accept
 # these connections between particular zones or hosts, you must include
 # explicit "related" rules in /etc/shorewall/rules.
 #
 ALLOWRELATED=yes
 #
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
 #
 # LOG RATE LIMITING
@ -132,25 +95,133 @@ LOGBURST=
 # packets are logged under the 'logunclean' interface option. If the variable
 # is empty, these packets will still be logged at the 'info' level.
 #
-# See the comment at the top of this file for a description of log levels
+# See the comment at the top of this section for a description of log levels
 #
 LOGUNCLEAN=info
 #
-# LOG FILE LOCATION
+# BLACKLIST LOG LEVEL
 #
-# This variable tells the /sbin/shorewall program where to look for Shorewall
+# Set this variable to the syslogd level that you want blacklist packets logged
-# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# (beware of DOS attacks resulting from such logging). If not set, no logging
-# /var/log/messages is assumed.
+# of blacklist packets occurs.
 #
-# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+# See the comment at the top of this section for a description of log levels
 #          look for Shorewall messages.It does NOT control the destination for
 #          these messages. For information about how to do that, see
 #
-#              http://www.shorewall.net/FAQ.htm#faq6
+BLACKLIST_LOGLEVEL=
-LOGFILE=/var/log/messages
+#
 # LOGGING 'New not SYN' rejects
 #
 # This variable only has an effect when NEWNOTSYN=No (see below).
 #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged, 
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 #
 # See the comment at the top of this section for a description of log levels
 # 
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 #
 # See the comment at the top of this section for a description of log levels
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this section for a description of log levels
 # 
 RFC1918_LOG_LEVEL=info
 ################################################################################
 #       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
 ################################################################################
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.	
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set this to "".
 #
 SUBSYSLOCK=/var/lock/subsys/shorewall
 #
 # SHOREWALL TEMPORARY STATE DIRECTORY
 #
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 STATEDIR=/var/lib/shorewall
 #
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################
 # NAME OF THE FIREWALL ZONE
 #
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 # ALLOW RELATED CONNECTIONS
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
 # that are related to already established connections. For example, you want
 # to accept FTP data connections. If you say "no" here, then to accept
 # these connections between particular zones or hosts, you must include
 # explicit "related" rules in /etc/shorewall/rules.
 #
 ALLOWRELATED=yes
 #
 # ENABLE NAT SUPPORT
@ -214,24 +285,40 @@ ADD_SNAT_ALIASES=No
 TC_ENABLED=No
 #
-# BLACKLIST DISPOSITION
+# Clear Traffic Shapping/Control
 #
-# Set this variable to the action that you want to perform on packets from
+# If this option is set to 'No' then Shorewall won't clear the current
-# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# traffic control rules during [re]start. This setting is intended
-# DROP is assumed.
+# for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
-BLACKLIST_DISPOSITION=DROP
+# If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #
-# BLACKLIST LOG LEVEL
+# Mark Packets in the forward chain
 #
-# Set this variable to the syslogd level that you want blacklist packets logged
+# When processing the tcrules file, Shorewall normally marks packets in the
-# (beward of DOS attacks resulting from such logging). If not set, no logging
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# of blacklist packets occurs.
+# this to "Yes". If not specified or if set to the empty value (e.g., 
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
-# See the comment at the top of this file for a description of log levels
+# Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for 
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
-BLACKLIST_LOGLEVEL=
+# Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #
 # MSS CLAMPING
@ -335,39 +422,6 @@ MULTIPORT=No
 DETECT_DNAT_IPADDRS=No
 #
 # MERGE HOSTS FILE
 #
 # The traditional behavior of the /etc/shorewall/hosts file has been that
 # if that file has ANY entry for a zone then the zone must be defined 
 # entirely in the hosts file. This is counter-intuitive and has caused 
 # people some problems.
 #
 # By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
 # is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
 # are added to the contents described in the /etc/shorewall/interfaces file.
 #
 # Example: Suppose that we have the following interfaces and hosts files:
 #
 # Interfaces:
 #
 #	net	eth0
 #	loc	eth1	
 #	-	ppp+
 #
 # Hosts:
 #
 #	loc	ppp+:192.168.1.0/24
 #	wrk	ppp+:!192.168.1.0/24
 #
 # With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
 # ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
 # ppp+:192.168.1.0 and eth1:0.0.0.0/0
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
 MERGE_HOSTS=Yes
 #
 # MUTEX TIMEOUT
 #
@ -383,36 +437,6 @@ MERGE_HOSTS=Yes
 MUTEX_TIMEOUT=60
 #
 # LOGGING 'New not SYN' rejects
 #
 # This variable only has an effect when NEWNOTSYN=No (see below).
 #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged, 
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this file for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=
 #
 # Old Ping Handling
 #
 # If this option is set to "Yes" then Shorewall will use its old ping handling
 # facility including the FORWARDPING option in this file and the 'noping' and
 # 'filterping' interface options. If this option is set to 'No' then ping
 # is handled via policy and rules just like any other connection request.
 #
 # If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
 # DON'T DELETE IT!!!!!!
 #
 OLD_PING_HANDLING=No
 #
 # NEWNOTSYN
 #
@ -430,6 +454,18 @@ OLD_PING_HANDLING=No
 NEWNOTSYN=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
 #
 # BLACKLIST DISPOSITION
 #
 # Set this variable to the action that you want to perform on packets from
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
 # DROP is assumed.
 #
 BLACKLIST_DISPOSITION=DROP
 #
 # MAC List Disposition
 #
@ -441,18 +477,6 @@ NEWNOTSYN=No
 MACLIST_DISPOSITION=REJECT
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Disposition
 #
@ -463,64 +487,4 @@ MACLIST_LOG_LEVEL=info
 TCP_FLAGS_DISPOSITION=DROP
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this file for a description of log levels
 # 
 RFC1918_LOG_LEVEL=info
 #
 # Mark Packets in the forward chain
 #
 # When processing the tcrules file, Shorewall normally marks packets in the
 # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
 # this to "Yes". If not specified or if set to the empty value (e.g., 
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for 
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #
 # Clear Traffic Shapping/Control
 #
 # If this option is set to 'No' then Shorewall won't clear the current
 # traffic control rules during [re]start. This setting is intended
 # for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
-%define version 1.3.14
+%define version 2.0.0
-%define release 0RC1
+%define release 0Alpha1
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -71,11 +71,10 @@ fi
 %files 
 /etc/init.d/shorewall
 %attr(0700,root,root) %dir /etc/shorewall
-%attr(0700,root,root) %dir /usr/lib/shorewall
+%attr(0700,root,root) %dir /usr/share/shorewall
 %attr(0700,root,root) %dir /var/lib/shorewall
-%attr(0600,root,root) /usr/lib/shorewall/version
+%attr(0600,root,root) /usr/share/shorewall/version
 %attr(0600,root,root) /etc/shorewall/common.def
 %attr(0600,root,root) /etc/shorewall/icmp.def
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@ -99,12 +98,16 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
 %attr(0544,root,root) /sbin/shorewall
-%attr(0444,root,root) /usr/lib/shorewall/functions
+%attr(0444,root,root) /usr/share/shorewall/functions
-%attr(0544,root,root) /usr/lib/shorewall/firewall
+%attr(0544,root,root) /usr/share/shorewall/firewall
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 2.0.0Alpha1
 - Delete icmp.def
 - Move firewall and version to /usr/share/shorewall
 * Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0RC1
 * Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/start
+++ b/Shorewall/start
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/start
+# Shorewall 2.0 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has 
 # been started or restarted.
--- a/Shorewall/stop
+++ b/Shorewall/stop
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stop
+# Shorewall 2.0 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
--- a/Shorewall/stopped
+++ b/Shorewall/stopped
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stopped
+# Shorewall 2.0 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Traffic Control Rules File
+# Shorewall version 2.0 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
--- a/Shorewall/tos
+++ b/Shorewall/tos
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- /etc/shorewall/tos
+# Shorewall 2.0 -- /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
--- a/Shorewall/tunnel
+++ b/Shorewall/tunnel
@ -2,7 +2,7 @@
 RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-#   Script to create a gre or ipip tunnel -- Shorewall 1.3
+#   Script to create a gre or ipip tunnel -- Shorewall 2.0
 #
 #   Modified - Steve Cowles 5/9/2000
 #     Incorporated init {start|stop} syntax and iproute2 usage
--- a/Shorewall/tunnels
+++ b/Shorewall/tunnels
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/tunnels
+# Shorewall 2.0 - /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.14RC1
+VERSION=2.0.0Alpha1
 usage() # $1 = exit status
 {
@ -108,6 +108,7 @@ fi
 rm -rf /etc/shorewall
 rm -rf /usr/lib/shorewall
 rm -rf /var/lib/shorewall
 rm -rf /usr/share/shorewall
 echo "Shorewall Uninstalled"
--- a/Shorewall/zones
+++ b/Shorewall/zones
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 2.0 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #