Shorwall 1.4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@507 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 01:37:59 +02:00 · 2003-03-18 15:16:33 +00:00 · 2003-03-18 15:16:33 +00:00 · f3790a541b
commit f3790a541b
parent f4237467b6
67 changed files with 16988 additions and 17079 deletions
--- a/STABLE/INSTALL
+++ b/STABLE/INSTALL
@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
+Shoreline Firewall (Shorewall) Version 1.4 - 3/14/2003
 -----         ----
 -----------------------------------------------------------------------------
@ -28,7 +28,7 @@ o Edit the configuration files to fit your environment.
  To do this, I strongly advise you to follow the instructions at:
-      http://shorewall.sf.net/shorewall_quickstart_guide.htm
+      http://www.shorewall.net/shorewall_quickstart_guide.htm
 o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
  Debian, then type "./install.sh".
@ -36,7 +36,7 @@ o For other distributions, determine where your distribution installs
  init scripts and type "./install.sh <init script directory>"
 o Start the firewall by typing "shorewall start"
 o If the install script was unable to configure Shoreline Firewall to
-  start audomatically at boot, see the HTML documentation contains in the
+  start automatically at boot, see the HTML documentation contains in the
  "documentation" directory.
 Upgrade:
--- a/STABLE/blacklist
+++ b/STABLE/blacklist
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Blacklist File
+# Shorewall 1.4 -- Blacklist File
 #
 # /etc/shorewall/blacklist
 #
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -1,22 +1,66 @@
-Changes since 1.3.13
+Changes since 1.3.14
-1. Fix 'shorewall add' bug.
+1. All versions changed to 1.4.
-2. Add OLD_PING_HANDLING option
+2. Rework of error message generation to make the 'firewall' script
   smaller.
-3. Allow adding alias labels under ADD_IP_ALIASES=Yes.
+3. Deimplemented MERGE_HOSTS=No.
-4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes.
+4. Generate error for <dev>:<integer> name in interfaces file.
-5. Use the routing table to generate list of subnets to be masqueraded
+5. Deimplement old ping handling.
   when an interface name appears in the SUBNET column of
   /etc/shorewall/masq.
-6. Restore $dev.$vid naming of VLAN interfaces.
+6. Deimplement 'routestopped' interface/hosts option.
-7. Updated copyrights for 2003.
+7. Strip comments from potentially large files while the firewall is
   still up and running during 'restart'.
-8. Added support for openvpn tunnels on arbitrary ports
+8. Disallow the old port forwarding/redirection syntax.
-9. Corrected rule number calculation problem in 'shorewall add' command
+9. Reorganize shorewall.conf.
 10. Added support for LOG target.
 11. Move firewall and version (one more time....)
 12. Add late DNS reply rule to the common chain.
 12. Corrected rule number calculation problem in 'shorewall add' command
    processing.
 13. Update Documentation for 1.4
 14. Remove icmp.def file.
 15. Added CONTINUE rule target.
 16. Added Andrew Zhoglo's fix for logunclean.
 17. Removed 'multi' option.
 18. Support 802.11b devices with maclist.
 19. Don't detect loopback simply by name.
 20. Removed trailing white space from all files.
 21. Improved parsing of comma-separated lists.
 22. Add ECN Removal support
 23. Add TCP ports 445 and 139 to the common silent list.
 24. Remove 'check' command support.
 25. Restore 'check' command support.
 26. Remove unused function find_interface_broadcasts()
 27. Remove stale comments in the params file.
 28. Silently drop INVALID state packets
 29. Ignore the 'default' route when detecting masq'd networks.
 30. REALLY process the params file first now (honest).
--- a/STABLE/common.def
+++ b/STABLE/common.def
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/common.def
+# Shorewall 1.4 -- /etc/shorewall/common.def
 #
 # This file defines the rules that are applied before a policy of
 # DROP or REJECT is applied. In addition to the rules defined in this file,
@ -14,14 +14,12 @@
 #
 run_iptables -A common -p icmp -j icmpdef
 ############################################################################
 # Drop invalid state TCP packets
 #
 run_iptables -A common -m state -p tcp --state INVALID -j DROP
 ############################################################################
 # NETBIOS chatter
 #
 run_iptables -A common -p udp --dport 137:139     -j REJECT
 run_iptables -A common -p udp --dport 445         -j REJECT
 run_iptables -A common -p tcp --dport 139         -j REJECT
 run_iptables -A common -p tcp --dport 445         -j REJECT
 run_iptables -A common -p tcp --dport 135	  -j reject
 ############################################################################
 # UPnP
@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 # AUTH -- Silently reject it so that connections don't get delayed.
 #
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
--- a/STABLE/documentation/Documentation.htm
+++ b/STABLE/documentation/Documentation.htm
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
--- a/STABLE/documentation/IPIP.htm
+++ b/STABLE/documentation/IPIP.htm
@ -1,52 +1,76 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>GRE/IPIP Tunnels</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">GRE and IPIP Tunnels</font></h1>
+      <h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<h3><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
+ 
-over the internet; use them at your own risk</h3>
+<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure
-<p>GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks.&nbsp;GRE
+when used over the internet; use them at your own risk</h3>
-tunnels were introduced in shorewall version 1.2.0_Beta2.</p>
+ 
-<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
+<p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded
-and Shaping HOWTO</a> work fine with Shorewall. Shorewall also includes a tunnel
+networks.</p>
-script for automating tunnel configuration. If you have installed the RPM, the
+ 
-tunnel script may be found in the Shorewall documentation directory (usually
+<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
-/usr/share/doc/shorewall-&lt;version&gt;/).</p>
+Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall
 also includes a tunnel script for automating tunnel configuration. If you
 have installed the RPM, the tunnel script may be found in the Shorewall documentation
 directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
 <h2>Bridging two Masqueraded Networks</h2>
 <p>Suppose that we have the following situation:</p>
-<p align="center">
+ 
-<img border="0" src="images/TwoNets1.png" width="745" height="427"></p>
+<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
-<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able to
+ height="427">
-communicate with the systems in the 10.0.0.0/8 network. This is accomplished
+</p>
-through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file
+ 
-and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
+<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
 to communicate with the systems in the 10.0.0.0/8 network. This is accomplished 
 through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy
 file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
 <p align="left">The 'tunnel' script is not installed in /etc/shorewall by 
 default -- If you install using the tarball, the script is included in the 
-tarball; if you install using the RPM, the file is in your Shorewall
+tarball; if you install using the RPM, the file is in your Shorewall documentation
-documentation directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
+directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
 <p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type' 
 parameter to the type of tunnel that you want to create.</p>
 <p align="left">Example:</p>
 <blockquote> 
  <p align="left">tunnel_type=gre</p>
 </blockquote>
 <p align="left">On each firewall, you will need to declare a zone to represent
-the remote subnet. We'll assume that this zone is called 'vpn' and declare it in 
+ the remote subnet. We'll assume that this zone is called 'vpn' and declare
-/etc/shorewall/zones on both systems as follows.</p>
+it in  /etc/shorewall/zones on both systems as follows.</p>
 <blockquote>     
-    <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
                <tbody>
      <tr>
               <td><strong>ZONE</strong></td>
               <td><strong>DISPLAY</strong></td>
@ -58,12 +82,16 @@ the remote subnet. We'll assume that this zone is called 'vpn' and declare it in
               <td>Remote Subnet</td>
           </tr>
    </tbody>
  </table>
  </blockquote>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone. In
+ 
-/etc/shorewall/interfaces:</p>
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
 zone. In /etc/shorewall/interfaces:</p>
 <blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
     <tbody>
      <tr>
       <td><b>ZONE</b></td>
       <td><b>INTERFACE</b></td>
@ -74,13 +102,18 @@ the remote subnet. We'll assume that this zone is called 'vpn' and declare it in
       <td>vpn</td>
       <td>tosysb</td>
       <td>10.255.255.255</td>
-      <td>&nbsp;</td>
+       <td> </td>
     </tr>
    </tbody>
  </table>
 </blockquote>
 <p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
 <blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
     <tbody>
      <tr>
       <td><b>TYPE</b></td>
       <td><b>ZONE</b></td>
@ -91,13 +124,18 @@ the remote subnet. We'll assume that this zone is called 'vpn' and declare it in
       <td>ipip</td>
       <td>net</td>
       <td>134.28.54.2</td>
-      <td>&nbsp;</td>
+       <td> </td>
     </tr>
    </tbody>
  </table>
 </blockquote>
 <p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
 encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
 <p>In the tunnel script on system A:</p>
 <blockquote>   
  <p>tunnel=tosysb<br>
   myrealip=206.161.148.9 (for GRE tunnel only)<br>
@ -106,10 +144,13 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
   gateway=134.28.54.2<br>
   subnet=10.0.0.0/8</p>
 </blockquote>
 <p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b> 
 zone. In /etc/shorewall/interfaces:</p>
 <blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
     <tbody>
      <tr>
       <td><b>ZONE</b></td>
       <td><b>INTERFACE</b></td>
@ -120,13 +161,18 @@ zone. In /etc/shorewall/interfaces:</p>
       <td>vpn</td>
       <td>tosysa</td>
       <td>192.168.1.255</td>
-      <td>&nbsp;</td>
+       <td> </td>
     </tr>
    </tbody>
  </table>
 </blockquote>
 <p>In /etc/shorewall/tunnels on system B, we have:</p>
 <blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
     <tbody>
      <tr>
       <td><b>TYPE</b></td>
       <td><b>ZONE</b></td>
@ -137,11 +183,15 @@ zone. In /etc/shorewall/interfaces:</p>
       <td>ipip</td>
       <td>net</td>
       <td>206.191.148.9</td>
-      <td>&nbsp;</td>
+       <td> </td>
     </tr>
    </tbody>
  </table>
 </blockquote>
 <p>And in the tunnel script on system B:</p>
 <blockquote>   
  <p>tunnel=tosysa<br>
   myrealip=134.28.54.2 (for GRE tunnel only)<br>
@ -150,16 +200,17 @@ zone. In /etc/shorewall/interfaces:</p>
   gateway=206.191.148.9<br>
   subnet=192.168.1.0/24</p>
 </blockquote>
 <p>You can rename the modified tunnel scripts if you like; be sure that they are
 secured so that root can execute them.  </p>
-      <p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and 
+<p>You can rename the modified tunnel scripts if you like; be sure that they
-      the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic 
+are secured so that root can execute them.  </p>
      in both directions, you can use the policy file:</p>
 <p align="left"> You will need to allow traffic between the "vpn" zone and
       the "loc" zone on both systems -- if you simply want to admit all
 traffic        in both directions, you can use the policy file:</p>
 <blockquote>         
-        <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
                <tbody>
      <tr>
               <td><strong>SOURCE</strong></td>
               <td><strong>DEST</strong></td>
@ -170,27 +221,28 @@ secured so that root can execute them.  </p>
               <td>loc</td>
               <td>vpn</td>
               <td>ACCEPT</td>
-          <td>&nbsp;</td>
+           <td> </td>
           </tr>
                               <tr>
               <td>vpn</td>
               <td>loc</td>
               <td>ACCEPT</td>
-          <td>&nbsp;</td>
+           <td> </td>
           </tr>
    </tbody>
  </table>
 </blockquote>
 <p>On both systems, restart Shorewall and
 run the modified tunnel script with the &quot;start&quot; argument on each
 system. The systems in the two masqueraded subnetworks can now talk to each
 other</p>
 <p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
 Eastep</a> </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <p>On both systems, restart Shorewall and run the modified tunnel script
 with the "start" argument on each system. The systems in the two masqueraded
 subnetworks can now talk to each other</p>
 <p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
  <br>
 </body>
 </html>
--- a/STABLE/documentation/Install.htm
+++ b/STABLE/documentation/Install.htm
@ -89,37 +89,38 @@ directory&gt;</li>
       <li>Edit the <a href="#Config_Files"> configuration files</a> to match
  your configuration.</li>
       <li>Start the firewall by typing "shorewall             start"</li>
-     <li>If the install script was unable to configure Shorewall to be started
+       <li>If the install script was unable to configure Shorewall to be
- automatically at boot,             see <a
+started   automatically at boot,             see <a
 href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
 </ul>
 <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
-disk, simply replace the "shorwall.lrp" file on the image with the file that
+ disk, simply replace the "shorwall.lrp" file on the image with the file
-you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
+that  you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
 Guide</a> for information about further steps required.</p>
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
  and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
 and you  have entries in the /etc/shorewall/hosts file then please check
 your  /etc/shorewall/interfaces file to be sure that it contains an entry
 for each  interface mentioned in the hosts file. Also, there are certain
-1.2 rule forms  that are no longer supported under 1.3 (you must use the
+1.2 rule forms  that are no longer supported under 1.4 (you must use the
-new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
+new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
-details. You can check your rules and  host file for 1.3 compatibility using
+details.</p>
 the "shorewall check" command after  installing the latest version of 1.3.</p>
 <ul>
-     <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
+       <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: 
- you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
+    </b>If  you     are installing version 1.2.0 and have one of the 1.2.0 
-installed,     you must use the "--oldpackage" option to rpm (e.g., "rpm
+Beta RPMs installed,     you must use the "--oldpackage" option to rpm (e.g., 
-    -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").             
+"rpm     -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").                 
    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
  rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-is installed. If this    happens, simply use the --nodeps option to rpm (rpm
+ is installed. If this    happens, simply use the --nodeps option to rpm
- -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
+(rpm   -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
         </p>
      </li>
      <li>See if there are any incompatibilities between your configuration 
@ -131,15 +132,13 @@ and the    new Shorewall version (type "shorewall check") and correct as necessa
 <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
 and are upgrading to a new version using the tarball:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
 and you  have entries in the /etc/shorewall/hosts file then please check
 your  /etc/shorewall/interfaces file to be sure that it contains an entry
 for each  interface mentioned in the hosts file.  Also, there are certain
-1.2 rule  forms that are no longer supported under 1.3 (you must use the
+1.2 rule  forms that are no longer supported under 1.4 (you must use the
-new 1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
+new 1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
-for details. You can check your rules  and host file for 1.3 compatibility
+for details. </p>
 using the "shorewall check" command after  installing the latest version
 of 1.3.</p>
 <ul>
   <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -160,56 +159,27 @@ or  /etc/init.d then type             "./install.sh"</li>
  installs init scripts and type             "./install.sh &lt;init script
 directory&gt;</li>
       <li>See if there are any incompatibilities between your configuration 
- and the    new Shorewall version (type "shorewall check") and correct as
+and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
 necessary.</li>
       <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-         <a name="LRP_Upgrade"></a>If you already have a running Bering installation
+           <a name="LRP_Upgrade"></a>If you already have a running Bering 
-and wish to upgrade to a later version of Shorewall:<br>
+installation and wish to upgrade to a later version of Shorewall:<br>
  <br>
      <b>UNDER CONSTRUCTION...</b><br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
-<p>You will need to edit some or all of these configuration files to match
+<p>You will need to edit some or all of the configuration files to match
 your  setup. In most cases, the <a
 href="shorewall_quickstart_guide.htm">Shorewall   QuickStart Guides</a>
 contain all of the information you need.</p>
 <ul>
     <li>/etc/shorewall/shorewall.conf - used to set several firewall   
     parameters.</li>
     <li>/etc/shorewall/params - use this file to set shell variables that
 you will     expand in other files.</li>
     <li>/etc/shorewall/zones - partition the firewall's view of the world 
        into <i>zones.</i></li>
     <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
     <li>/etc/shorewall/interfaces - describes the interfaces on the    
    firewall system.</li>
     <li>/etc/shorewall/hosts - allows defining zones in terms of individual 
         hosts and subnetworks.</li>
   <li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
   </li>
     <li>/etc/shorewall/masq - directs the firewall where to use many-to-one 
         (dynamic) NAT a.k.a. Masquerading.</li>
     <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
     <li>/etc/shorewall/rules - defines rules that are exceptions to the
        overall policies established in /etc/shorewall/policy.</li>
     <li>/etc/shorewall/nat - defines static NAT rules.</li>
     <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
     <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
 hosts    accessible when Shorewall is stopped.</li>
     <li>/etc/shorewall/tcrules - defines marking of packets for later use
 by     traffic control/shaping.</li>
     <li>/etc/shorewall/tos - defines rules for setting the TOS field in
 packet          headers.</li>
     <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on 
        the firewall system.</li>
     <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
 </ul>
-<p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
  </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>   © <font
@ -217,5 +187,7 @@ packet          headers.</li>
      <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/MAC_Validation.html
+++ b/STABLE/documentation/MAC_Validation.html
@ -26,13 +26,12 @@
  </tbody>            
 </table>
        <br>
-      Beginning with Shorewall version 1.3.10, all traffic from an interface
+        All traffic from an interface    or  from a subnet on an interface
-  or  from a subnet on an interface can be verified to originate from a defined
+can be verified to originate from a defined     set of MAC addresses. Furthermore,
-   set of MAC addresses. Furthermore, each MAC address may be optionally
+each MAC address may be optionally associated    with one or more IP addresses.
 associated    with one or more IP addresses. <br>
 <br>
-  <b>You must have the iproute package (ip utility) installed to use MAC
+    <br>
-Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
+    <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
 - module name ipt_mac.o).</b><br>
    <br>
    There are four components to this facility.<br>
@ -47,15 +46,16 @@ to MAC verification.</li>
 is specified for a subnet, all traffic from that subnet  is subject to MAC 
 verification.</li>
          <li>The /etc/shorewall/maclist file. This file is used to associate 
- MAC  addresses with interfaces and to optionally associate IP addresses with
+  MAC  addresses with interfaces and to optionally associate IP addresses 
- MAC  addresses.</li>
+with  MAC  addresses.</li>
          <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
    in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
-The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
+ The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
-determines   the disposition of connection requests that fail MAC verification.
+and  determines   the disposition of connection requests that fail MAC verification.
 The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
-requests that fail verification  are to be logged. If set the the empty value
+ requests that fail verification  are to be logged. If set the the empty
-(e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
+value  (e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are
 not logged.<br>
          </li>
 </ol>
@ -65,8 +65,8 @@ requests that fail verification  are to be logged. If set the the empty value
          <li>INTERFACE - The name of an ethernet interface on the Shorewall
  system.</li>
          <li>MAC - The MAC address of a device on the ethernet segment connected
-   by INTERFACE. It is not necessary to use the Shorewall MAC format in this
+    by INTERFACE. It is not necessary to use the Shorewall MAC format in
-   column although you may use that format if you so choose.</li>
+this     column although you may use that format if you so choose.</li>
          <li>IP Address - An optional comma-separated list of IP addresses 
 for   the device whose MAC is listed in the MAC column.</li>
@ -78,17 +78,16 @@ for   the device whose MAC is listed in the MAC column.</li>
 <pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
        <b>/etc/shorewall/interfaces:</b><br>
-<pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,filterping,maclist<br>     dmz             eth1            192.168.2.255   filterping<br>     net             eth3            206.124.146.255 filterping,blacklist<br>     -               texas           192.168.9.255   filterping<br>     loc             ppp+            -               filterping<br></pre>
+<pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,maclist<br>     dmz             eth1            192.168.2.255<br>     net             eth3            206.124.146.255 blacklist<br>     -               texas           192.168.9.255<br>     loc             ppp+<br></pre>
        <b>/etc/shorewall/maclist:</b><br>
 <pre>     #INTERFACE              MAC                     IP ADDRESSES (Optional)<br>     eth2                    00:A0:CC:63:66:89       192.168.1.3      #Wookie<br>     eth2                    00:10:B5:EC:FD:0B       192.168.1.4      #Tarry<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.5      #Ursa<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.128/26 #PPTP Clients to server on Ursa<br>     eth2                    00:06:25:aa:a8:0f       192.168.1.7      #Eastept1 (Wireless)<br>     eth2                    00:04:5A:0E:85:B9       192.168.1.250    #Wap<br></pre>
-      As shown above, I use MAC Verification on <a href="myfiles.htm">my
+        As shown above, I use MAC Verification on my local    zone.<br>
 local    zone</a>.<br>
 <h3>Example 2: Router in Local Zone</h3>
-      Suppose now that I add a second ethernet segment to my local zone and 
+        Suppose now that I add a second ethernet segment to my local zone 
- gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and 
+and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15 
- IP address  192.168.1.253. Hosts in the second segment have IP addresses 
+and   IP address  192.168.1.253. Hosts in the second segment have IP addresses 
 in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
    file:<br>
@ -99,7 +98,7 @@ in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorew
   by the router so that traffic's MAC address will be that of the router
 (00:06:43:45:C6:15)    and not that of the host sending the traffic.    
-<p><font size="2">   Updated 1/7/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 2/21/2002 - <a href="support.htm">Tom  Eastep</a> 
       </font></p>
@ -107,5 +106,7 @@ in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorew
 <p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/Shorewall_Squid_Usage.html
+++ b/STABLE/documentation/Shorewall_Squid_Usage.html
@ -41,8 +41,8 @@
      &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
      <br>
      <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-     &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run 
+      &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to
- as  a transparent proxy  as described at <a
+run   as  a transparent proxy  as described at <a
 href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
      <b><br>
      </b><b><img src="images/BD21298_3.gif" alt="" width="13"
@ -56,10 +56,6 @@ files, siimply create  them.<br>
 in  the  local zone, that zone must be defined ONLY by its interface -- no 
 /etc/shorewall/hosts   file entries. That is because the packets being routed 
 to the Squid server   still have their original destination IP addresses.<br>
     <br>
     <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
      </b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed 
  on your firewall.<br>
      <br>
      <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
       </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
@ -86,9 +82,9 @@ DMZ</a></li>
 </ol>
 <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
-        You want to redirect all local www connection requests          EXCEPT
+         You want to redirect all local www connection requests         
-                                                    those to your     own
+EXCEPT                                                     those to your
-   http server                                                  (206.124.146.177)
+    own    http server                                                  (206.124.146.177) 
            to a Squid                                                  transparent 
          proxy  running on the firewall and listening on port 3128. Squid 
    will     of course  require access to remote web servers.<br>
@ -494,5 +490,6 @@ zone to the internet.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -65,11 +65,14 @@
                                           <li><a
 href="useful_links.html">Useful     Links</a><br>
                                           </li>
-                                         <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
+                                          <li> <a
 href="troubleshoot.htm">Troubleshooting</a></li>
                                          <li> <a href="errata.htm">Errata</a></li>
                                          <li> <a
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
-                                         <li> <a href="support.htm">Support</a></li>
+                                          <li> <a href="support.htm">Getting 
 help or Answers to Questions</a><br>
         </li>
                              <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
@ -110,7 +113,8 @@
      <ul>
-                                         <li>   <a href="News.htm">News Archive</a></li>
+                                          <li>   <a href="News.htm">News
 Archive</a></li>
                                          <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
                                          <li> <a href="quotes.htm">Quotes
@ -152,16 +156,8 @@ from   Users</a></li>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001-2003 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a><a
 href="http://www.shorewall.net" target="_top"> </a></p>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
                     </a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_sfindex_frame.htm
+++ b/STABLE/documentation/Shorewall_sfindex_frame.htm
@ -16,8 +16,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                                     <base
+                                                                        
- target="main">                                                          
+  <base target="main">                                                  
  <meta name="Microsoft Theme" content="none">
 </head>
@ -44,7 +44,7 @@
      <ul>
                                           <li> <a
- href="seattlefirewall_index.htm">Home</a></li>
+ href="sourceforge_index.htm">Home</a></li>
                                                   <li> <a
 href="shorewall_features.htm">Features</a></li>
                                           <li> <a
@ -70,7 +70,8 @@
                                           <li> <a href="errata.htm">Errata</a></li>
                                           <li> <a
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
-                                          <li> <a href="support.htm">Support</a></li>
+                                           <li> <a href="support.htm">Getting 
 Help or Answers to Questions</a></li>
                                <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
@ -99,17 +100,20 @@
          </ul>
                                           </li>
      </ul>
      <ul>
                                           <li>   <a href="News.htm">News 
 Archive</a></li>
@ -125,6 +129,7 @@ Archive</a></li>
      </ul>
                                         </td>
                                       </tr>
@ -133,6 +138,7 @@ Archive</a></li>
  </tbody>                                    
 </table>
 <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
                        <strong><br>
                                 <b>Note: </b></strong>Search is unavailable
@ -140,9 +146,9 @@ Archive</a></li>
                                 <strong></strong>                      
  <p><strong>Quick Search</strong><br>
-                                      <font face="Arial" size="-1">     <input
+                                       <font face="Arial" size="-1">    
- type="text" name="words" size="15"></font><font size="-1"> </font>   <font
+  <input type="text" name="words" size="15"></font><font size="-1"> </font>
- face="Arial" size="-1">     <input type="hidden" name="format"
+  <font face="Arial" size="-1">     <input type="hidden" name="format"
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
@ -153,12 +159,9 @@ Archive</a></li>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001-2003 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a><br>
-                                                                    <br>
+</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/configuration_file_basics.htm
+++ b/STABLE/documentation/configuration_file_basics.htm
@ -40,8 +40,8 @@
 <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
 <ul>
-                        <li>/etc/shorewall/shorewall.conf - used to set several 
+                          <li>/etc/shorewall/shorewall.conf - used to set 
-   firewall             parameters.</li>
+several     firewall             parameters.</li>
                          <li>/etc/shorewall/params - use this file to set
 shell    variables     that you will     expand in other files.</li>
                          <li>/etc/shorewall/zones - partition the firewall's 
@ -52,8 +52,8 @@ high-level      policy.</li>
     on  the          firewall system.</li>
                          <li>/etc/shorewall/hosts - allows defining zones
 in  terms    of  individual           hosts and subnetworks.</li>
-                        <li>/etc/shorewall/masq - directs the firewall where
+                          <li>/etc/shorewall/masq - directs the firewall
-  to  use   many-to-one            (dynamic) Network Address Translation
+where    to  use   many-to-one            (dynamic) Network Address Translation
 (a.k.a.    Masquerading)   and  Source          Network Address Translation
 (SNAT).</li>
                          <li>/etc/shorewall/modules - directs the firewall 
@ -65,22 +65,24 @@ exceptions      to  the         overall policies established in /etc/shorewall/p
  ARP.</li>
                          <li>/etc/shorewall/routestopped (Shorewall 1.3.4
 and   later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
-                        <li>/etc/shorewall/tcrules - defines marking of packets 
+                          <li>/etc/shorewall/tcrules - defines marking of 
-   for   later   use by     traffic control/shaping or policy routing.</li>
+packets     for   later   use by     traffic control/shaping or policy routing.</li>
                          <li>/etc/shorewall/tos - defines rules for setting
  the   TOS   field   in packet         headers.</li>
-                        <li>/etc/shorewall/tunnels - defines IPSEC, GRE and 
+                          <li>/etc/shorewall/tunnels - defines IPSEC, GRE 
- IPIP   tunnels    with end-points on         the firewall system.</li>
+and   IPIP   tunnels    with end-points on         the firewall system.</li>
                          <li>/etc/shorewall/blacklist - lists blacklisted
 IP/subnet/MAC        addresses.</li>
-     <li>/etc/shorewall/init - commands that you wish to execute at the beginning 
+       <li>/etc/shorewall/init - commands that you wish to execute at the 
- of a "shorewall start" or "shorewall restart".</li>
+beginning   of a "shorewall start" or "shorewall restart".</li>
       <li>/etc/shorewall/start - commands that you wish to execute at the
 completion  of a "shorewall start" or "shorewall restart"</li>
-     <li>/etc/shorewall/stop - commands that you wish to execute at the beginning 
+       <li>/etc/shorewall/stop - commands that you wish to execute at the 
- of a "shorewall stop".</li>
+beginning   of a "shorewall stop".</li>
-     <li>/etc/shorewall/stopped - commands that you wish to execute at the
+       <li>/etc/shorewall/stopped - commands that you wish to execute at
- completion of a "shorewall stop".<br>
+the   completion of a "shorewall stop".</li>
  <li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
 - RFC 3168) to remote hosts or networks.<br>
  </li>
 </ul>
@ -88,9 +90,9 @@ completion  of a "shorewall start" or "shorewall restart"</li>
 <h2><a name="Comments"></a>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-              character a pound sign ("#"). You may also place comments at
+               character a pound sign ("#"). You may also place comments
- the    end  of any line, again by       delimiting the comment from the
+at   the    end  of any line, again by       delimiting the comment from
-rest  of   the line  with a pound sign.</p>
+the rest  of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -125,12 +127,12 @@ start    as  a result  of DNS problems then don't say that you were not forewarn
        configuration files may be specified as either IP addresses or DNS 
   Names.<br>
                  <br>
-               DNS names in iptables rules  aren't nearly as useful as they 
+                 DNS names in iptables rules  aren't nearly as useful as
- first    appear.    When a DNS name appears in a rule,  the iptables utility 
+they   first    appear.    When a DNS name appears in a rule,  the iptables
- resolves    the name    to one or more IP addresses and inserts  those addresses 
+utility   resolves    the name    to one or more IP addresses and inserts
- into    the rule.  So  changes in the DNS-&gt;IP address relationship  that 
+ those addresses   into    the rule.  So  changes in the DNS-&gt;IP address
- occur   after the firewall    has started have absolutely no effect on the 
+relationship  that   occur   after the firewall    has started have absolutely
-  firewall's   ruleset.    </p>
+no effect on the    firewall's   ruleset.    </p>
 <p align="left">     If your firewall rules include DNS names then:</p>
@ -141,13 +143,13 @@ won't        start.</li>
  won't        start.</li>
                   <li>If your Name Server(s) is(are) down then your firewall 
  won't        start.</li>
-                 <li>If your startup scripts try to start your firewall before
+                   <li>If your startup scripts try to start your firewall 
-   starting     your DNS server then your firewall won't start.<br>
+before    starting     your DNS server then your firewall won't start.<br>
                  </li>
                   <li>Factors totally outside your control (your ISP's router
   is      down   for example), can prevent your firewall from starting.</li>
-                <li>You must bring up your network interfaces prior to starting 
+                  <li>You must bring up your network interfaces prior to
-   your   firewall.<br>
+starting     your   firewall.<br>
                  </li>
 </ul>
@ -181,8 +183,8 @@ configuration       files.<br>
                   <li>In the /etc/shorewall/nat file.</li>
 </ul>
-                These restrictions are not imposed by Shorewall simply for
+                  These restrictions are not imposed by Shorewall simply
- your inconvenience but are rather limitations of iptables.<br>
+for   your inconvenience but are rather limitations of iptables.<br>
 <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
@ -198,8 +200,8 @@ no white space following the "!".</p>
 <ul>
                          <li>Must not have any embedded white space.<br>
-                        Valid: routestopped,dhcp,norfc1918<br>
+                          Valid: routefilter,dhcp,norfc1918<br>
-                        Invalid: routestopped,     dhcp,              norfc1818</li>
+                          Invalid: routefilter,     dhcp,              norfc1818</li>
                          <li>If you use line continuation to break a comma-separated 
      list,   the          continuation line(s) must begin in column 1 (or 
 there     would  be embedded          white space)</li>
@ -217,8 +219,8 @@ in  any   order.</li>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
               port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
-      if you want to forward the range of tcp ports 4000 through 4100 to local
+       if you want to forward the range of tcp ports 4000 through 4100 to 
-     host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
               </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
@ -238,7 +240,7 @@ the high port number, a value of 65535 is assumed.<br>
 <blockquote>                                                             
-  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
+  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
                       </blockquote>
 <p><br>
@ -258,10 +260,11 @@ the high port number, a value of 65535 is assumed.<br>
 <blockquote>                                                             
-  <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
+  <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
                       </blockquote>
                                                             </font>    
 <p>Variables may be used anywhere in the              other configuration 
        files.</p>
@ -292,11 +295,11 @@ a  series    of  6  hex numbers        separated by colons. Example:<br>
       (1582.8     Mb)<br>
                       Interrupt:11 Base address:0x1800<br>
                        <br>
-                      Because Shorewall uses colons as a separator for address
+                        Because Shorewall uses colons as a separator for
-   fields,     Shorewall requires        MAC addresses to be written in another
+address     fields,     Shorewall requires        MAC addresses to be written
-   way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
+in another     way. In   Shorewall, MAC addresses        begin with a tilde
-consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
+("~") and  consist   of 6  hex numbers separated by        hyphens. In Shorewall,
-MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
+the  MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
             </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
@ -306,31 +309,31 @@ MAC address    in  the example above would be        written "~02-00-08-E3-FA-55
 <h2><a name="Levels"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-       The <a href="starting_and_stopping_shorewall.htm">shorewall start and
+        The <a href="starting_and_stopping_shorewall.htm">shorewall start 
-   restart</a>       commands allow you to specify an alternate configuration 
+and    restart</a>       commands allow you to specify an alternate configuration 
    directory and    Shorewall will use the files in the alternate directory 
-  rather than the  corresponding  files in /etc/shorewall. The alternate directory
+   rather than the  corresponding  files in /etc/shorewall. The alternate 
-   need not contain a complete  configuration; those files not in the alternate
+directory    need not contain a complete  configuration; those files not in
-   directory  will be read from  /etc/shorewall.</p>
+the alternate    directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
         by:</p>
 <ol>
-                        <li>  copying the files that need modification from 
+                          <li>  copying the files that need modification
- /etc/shorewall       to a separate      directory;</li>
+from   /etc/shorewall       to a separate      directory;</li>
                          <li>  modify those files in the separate directory; 
  and</li>
                          <li>  specifying the separate directory in a shorewall
-   start    or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
+    start    or  shorewall     restart command (e.g., <i><b>shorewall -c
-      restart</b></i>  ).</li>
+/etc/testconfig        restart</b></i>  ).</li>
 </ol>
-<p><font size="2">   Updated 2/7/2003 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 2/24/2003 - <a href="support.htm">Tom  Eastep</a>
            </font></p>
@ -342,5 +345,7 @@ MAC address    in  the example above would be        written "~02-00-08-E3-FA-55
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -35,15 +35,16 @@
    for the configuration that most closely matches your own.<br>
         </b></p>
-<p>The entire set of Shorewall documentation is available in PDF format  at:</p>
+<p>The entire set of Shorewall documentation is available in PDF format 
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
             <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
            <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> 
    </p>
-<p>The documentation in HTML format is included   in the .rpm and in the .tgz
+<p>The documentation in HTML format is included   in the .rpm and in the
-packages below.</p>
+.tgz packages below.</p>
 <p>  Once you've printed the appropriate QuickStart Guide, download <u> 
   one</u> of the modules:</p>
@ -59,8 +60,8 @@ packages below.</p>
      I can mention them here. See the   <a href="Install.htm">Installation
  Instructions</a>    if you have problems    installing the RPM.</li>
                     <li>If you are running LRP, download the .lrp file (you
- might    also   want  to     download the .tgz so you will have a copy of 
+  might    also   want  to     download the .tgz so you will have a copy
- the documentation).</li>
+of   the documentation).</li>
                     <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> 
      and   would      like a .deb package, Shorewall is included in both 
 the     <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
@ -103,10 +104,11 @@ can be obtained using the following command:<br>
 <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY        INSTALL
  THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION    
- IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed   configuration
+   IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed 
-    of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
+ configuration     of your firewall, you can enable startup by removing the
  file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
+<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates 
     to the    mirrors  occur 1-12 hours after an update to the Washington 
 State site.</b></p>
@ -287,9 +289,11 @@ can be obtained using the following command:<br>
                         <td><a
 href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
                           <a
- href="http://france.shorewall.net/pub/LATEST.tgz">Download              .tgz</a> <br>
+ href="http://france.shorewall.net/pub/LATEST.tgz">Download             
 .tgz</a> <br>
                           <a
- href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
+ href="http://france.shorewall.net/pub/LATEST.lrp">Download             
 .lrp</a><br>
                         <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download         
   .md5sums<br>
@ -448,10 +452,5 @@ can be obtained using the following command:<br>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -5,7 +5,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
-  <title>Shorewall 1.3 Errata</title>
+  <title>Shorewall 1.4 Errata</title>
@ -16,6 +16,8 @@
  <meta name="Microsoft Theme" content="none">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
@ -40,7 +42,6 @@
 <ol>
                        <li>                                            
    <p align="left">          <b><u>I</u>f you use a Windows system to download
          a corrected     script, be sure to run the script through <u> 
          <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -49,27 +50,16 @@
                                     </li>
                        <li>                                            
-               
+    <p align="left">          <b>If you are installing Shorewall for the
-    <p align="left">          <b>If you are installing Shorewall for the first
+first time and plan to use the        .tgz and install.sh script, you can
-time and plan to use the        .tgz and install.sh script, you can untar
+untar the archive, replace the        'firewall' script in the untarred directory
 the archive, replace the        'firewall' script in the untarred directory 
          with the one you downloaded        below, and then run install.sh.</b></p>
                                     </li>
                        <li>                                            
-               
+    <p align="left">          <b>When the instructions say to install a corrected 
-    <p align="left">          <b>If you are running a Shorewall version earlier 
+       firewall   script in        /usr/share/shorewall/firewall, you may 
-    than 1.3.11, when the instructions say to install a corrected        firewall
+rename the existing file before copying in the new file.</b></p>
    script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
      or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to 
 overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD 
 /etc/shorewall/firewall               or /var/lib/shorewall/firewall  before 
 you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall 
 are symbolic links that point           to the 'shorewall' file used by your
 system initialization scripts     to         start Shorewall during boot.
 It is  that file that must be overwritten              with the corrected 
 script. Beginning with Shorewall 1.3.11, you may rename the existing file 
 before copying in the new file.</b></p>
                </li>
                <li>                                                    
@ -84,8 +74,10 @@ before copying in the new file.</b></p>
 <ul>
                        <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
   <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
   </li>
                        <li>                            <b><a
- href="#V1.3">Problems      in  Version    1.3</a></b></li>
+ href="errata_3.html">Problems      in  Version    1.3</a></b></li>
                        <li>                            <b><a
 href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
                        <li>                            <b><font
@ -94,8 +86,8 @@ before copying in the new file.</b></p>
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
   on RH7.2</a></font></b></li>
                        <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
-iptables</a></b></li>
+RedHat iptables</a></b></li>
                        <li><b><a href="#SuSE">Problems installing/upgrading
  RPM   on  SuSE</a></b></li>
                        <li><b><a href="#Multiport">Problems with iptables
@ -107,486 +99,14 @@ iptables</a></b></li>
 </ul>
 <hr>                                            
-<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
+<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
-<h3>Version 1.3.14</h3>
+<h3></h3>
-       
+ None. 
-<ul>
+<hr width="100%" size="2">                                            
      <li>There is an <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
  rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
 223.0.0.0/8.</li>
 </ul>
 <ul>
      <li>The documentation for the routestopped file claimed that a comma-separated
  list could appear in the second column while the code only supported a
 single   host or network address.</li>
     <li>Log messages produced by 'logunclean' and 'dropunclean' were not 
 rate-limited.</li>
   <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
 support the 'maclist' interface option.</li>
  <li>Log messages generated by RFC 1918 filtering are not rate limited.<br>
  </li>
 </ul>
   These four problems have been corrected in <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
  firewall script</a> which may be installed in /usr/lib/shorewall as described
  above.<br>
 <h3>Version 1.3.13</h3>
 <ul>
          <li>The 'shorewall add' command produces an error message referring 
  to  'find_interfaces_by_maclist'.</li>
         <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
       <li>The 'shorewall add' command can fail with "iptables: Index of
 insertion   too big".<br>
       </li>
 </ul>
       All three problems are corrected by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this 
    firewall script</a> which may be installed in /usr/lib/shorewall as described 
    above.<br>
 <ul>
        <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
 eth0.1)   are not supported in this version or in 1.3.12. If you need such
 support,   post on the users list and I can provide you with a patched version.<br>
        </li>
 </ul>
 <h3>Version 1.3.12</h3>
 <ul>
           <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
  is  the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem 
  is  corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this 
    firewall script</a> which may be installed in /usr/lib/shorewall as described 
    above.</li>
        <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
 eth0.1)   are not supported in this version or in 1.3.13. If you need such
 support,   post on the users list and I can provide you with a patched version.<br>
         </li>
 </ul>
 <h3>Version 1.3.12 LRP</h3>
 <ul>
            <li>The .lrp was missing the /etc/shorewall/routestopped file 
 --  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this
 problem.<br>
            </li>
 </ul>
 <h3>Version 1.3.11a</h3>
 <ul>
             <li><a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This 
     copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 
 82.0.0.0/8.<br>
             </li>
 </ul>
 <h3>Version 1.3.11</h3>
 <ul>
                <li>When installing/upgrading using the .rpm, you may receive 
  the   following   warnings:<br>
                  <br>
                   user teastep does not exist - using root<br>
                   group teastep does not exist - using root<br>
                  <br>
              These warnings are harmless and may be ignored. Users downloading 
   the   .rpm  from shorewall.net or mirrors should no longer see these warnings 
   as  the .rpm you will get from there has been corrected.</li>
               <li>DNAT rules that exclude a source subzone (SOURCE column
 contains     !  followed by a sub-zone list) result in an error message
 and  Shorewall    fails  to start.<br>
                 <br>
             Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this 
      corrected script</a> in /usr/lib/shorewall/firewall to correct this 
 problem.     Thanks go to Roger Aich who analyzed this problem and provided 
 a fix.<br>
                <br>
            This problem is corrected in version 1.3.11a.<br>
               </li>
 </ul>
 <h3>Version 1.3.10</h3>
 <ul>
                  <li>If you experience problems connecting to a PPTP server
  running     on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, 
           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
       version of the firewall script</a> may help. Please report any cases 
  where     installing this script in /usr/lib/shorewall/firewall solved your
  connection     problems. Beginning with version 1.3.10, it is safe to save
  the old version     of /usr/lib/shorewall/firewall before copying in the
 new one since /usr/lib/shorewall/firewall     is the real script now and
 not just a symbolic link to the real script.<br>
                  </li>
 </ul>
 <h3>Version 1.3.9a</h3>
 <ul>
                   <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
       then  the following message appears during "shorewall [re]start":</li>
 </ul>
 <pre>          recalculate_interfacess: command not found<br></pre>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
         corrects this problem.Copy the script to /usr/lib/shorewall/firewall
    as   described  above.<br>
                 </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the 
        single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' 
        to 'recalculate_interface'. <br>
                 </blockquote>
 <ul>
                   <li>The installer (install.sh) issues a misleading message 
  "Common     functions   installed in /var/lib/shorewall/functions" whereas 
  the file   is  installed  in /usr/lib/shorewall/functions. The installer 
 also performs   incorrectly  when updating old configurations that had the 
 file /etc/shorewall/functions.         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here 
        is an updated version that corrects these problems.<br>
                     </a></li>
 </ul>
 <h3>Version 1.3.9</h3>
                    <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated 
 firewall     script    at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
         -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
                     <br>
                    Version 1.3.8                       
 <ul>
                        <li> Use of shell variables in the LOG LEVEL or SYNPARMS
    columns     of  the  policy file doesn't work.</li>
                        <li>A DNAT rule with the same original and new IP 
 addresses      but   with   different  port numbers doesn't work (e.g., "DNAT 
 loc dmz:10.1.1.1:24        tcp   25 - 10.1.1.1")<br>
                        </li>
 </ul>
                      Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">    
                          this corrected firewall script</a> in /var/lib/shorewall/firewall 
                                          as described above corrects these 
  problems.                              
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                        
       result in an error message. Installing                           
   <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          this corrected firewall script</a> in /var/lib/shorewall/firewall 
                                          as described above corrects this 
 problem.</p>
 <h3>Version 1.3.7a</h3>
 <p>"shorewall refresh" is not creating the proper                        
       rule for FORWARDPING=Yes. Consequently, after                    
           "shorewall refresh", the firewall will not forward           
                    icmp echo-request (ping) packets. Installing        
                      <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          this corrected firewall script</a> in /var/lib/shorewall/firewall 
                                          as described above corrects this 
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
 <p>If "norfc1918" and "dhcp" are both specified as                       
        options on a given interface then RFC 1918                      
         checking is occurring before DHCP checking. This               
                means that if a DHCP client broadcasts using an         
                      RFC 1918 source address, then the firewall will   
                            reject the broadcast (usually logging it). This 
                                          has two problems:</p>
 <ol>
                                                        <li>If the firewall 
 is  running     a  DHCP   server,                                   the client
  won't be   able   to obtain   an IP  address                          
       lease  from that   server.</li>
                                                        <li>With this order 
 of  checking,      the   "dhcp"                                   option 
 cannot  be used as   a  noise-reduction                                  
  measure  where there   are  both dynamic and    static                
                 clients  on a LAN segment.</li>
 </ol>
 <p>                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          This version of the 1.3.7a firewall script </a>
                                          corrects the problem. It must be
 installed          in /var/lib/shorewall                               
 as  described  above.</p>
 <h3>Version 1.3.7</h3>
 <p>Version 1.3.7 dead on arrival -- please use                           
    version 1.3.7a and check your version against                       
        these md5sums -- if there's a difference, please                
               download again.</p>
 <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
 <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; 
           and   compare the result with what you see above.</p>
 <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the 
           .7   version in each sequence from now on.</p>
 <h3 align="left">Version 1.3.6</h3>
 <ul>
                                    <li>                                
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf, 
           an error occurs when the firewall            script attempts to 
 add    an   SNAT   alias.  </p>
                         </li>
                         <li>                                           
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options 
          cause errors during startup when Shorewall is run with iptables 
           1.2.7. </p>
                         </li>
 </ul>
 <p align="left">These problems are fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
      this correct firewall script</a> which must be installed in       
    /var/lib/shorewall/ as described above. These problems are also     
      corrected in version 1.3.7.</p>
 <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
 <p align="left">A line was inadvertently deleted from the "interfaces    
       file" -- this line should be added back in if the version that you 
                      downloaded is missing it:</p>
 <p align="left">net    eth0    detect               routefilter,dhcp,norfc1918</p>
 <p align="left">If you downloaded two-interfaces-a.tgz then the above    
       line should already be in the file.</p>
 <h3 align="left">Version 1.3.5-1.3.5b</h3>
 <p align="left">The new 'proxyarp' interface option doesn't work :-(     
      This is fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">    
      this corrected firewall script</a> which must be installed in     
      /var/lib/shorewall/ as described above.</p>
 <h3 align="left">Versions 1.3.4-1.3.5a</h3>
 <p align="left">Prior to version 1.3.4, host file entries such as the    
       following were allowed:</p>
 <div align="left">                                    
 <pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
                         </div>
 <div align="left">                           
 <p align="left">That capability was lost in version 1.3.4 so that it is only 
               possible to  include a single host specification on each line. 
    This         problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this 
               modified 1.3.5a firewall script</a>. Install the script in 
 /var/lib/pub/shorewall/firewall               as instructed above.</p>
                       </div>
 <div align="left">                           
 <p align="left">This problem is corrected in version 1.3.5b.</p>
                       </div>
 <h3 align="left">Version 1.3.5</h3>
 <p align="left">REDIRECT rules are broken in this version. Install       
   <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">    
      this corrected firewall script</a> in /var/lib/pub/shorewall/firewall 
                      as instructed above. This problem is corrected in version 
      1.3.5a.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
        to not verify that the zones named in the /etc/shorewall/policy file
           have been previously defined in the /etc/shorewall/zones file.
 The            "shorewall check" command does perform this verification so
 it's a            good idea to run that command after you have made configuration 
                      changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
 <p align="left">If you have upgraded from Shorewall 1.2 and after        
   "Activating rules..." you see the message: "iptables: No            chains/target/match 
           by that name" then you probably have an entry in            /etc/shorewall/hosts 
           that specifies an interface that you didn't            include 
 in   /etc/shorewall/interfaces.        To correct this problem, you      
     must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 
 and             later versions produce a clearer error    message    in this
 case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
          file can be identified by its size (56284 bytes). The correct version
           has a size of 38126 bytes.</p>
 <ul>
                                    <li>The code to detect a duplicate interface
    entry    in             /etc/shorewall/interfaces contained a typo that
  prevented    it from               working correctly. </li>
                                    <li>"NAT_BEFORE_RULES=No" was broken; 
 it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
 <p align="left">Both problems are corrected in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">    
      this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> 
           as described above.</p>
 <ul>
                                    <li>                                
    <p align="left">The IANA have just announced the allocation of subnet 
                      221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">     
     updated rfc1918</a> file reflects that allocation.</p>
                                                     </li>
 </ul>
 <h3 align="left">Version 1.3.1</h3>
 <ul>
                                    <li>TCP SYN packets may be double counted 
  when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy 
  (i.e.,    each              packet is sent through the limit chain twice).</li>
                                    <li>An unnecessary jump to the policy 
 chain    is  sometimes                 generated for a CONTINUE policy.</li>
                                    <li>When an option is given for more
 than   one   interface      in               /etc/shorewall/interfaces then
 depending    on the option,     Shorewall                may ignore all but
 the first   appearence of the   option.  For example:<br>
                                    <br>
                                    net    eth0    dhcp<br>
                                    loc    eth1    dhcp<br>
                                    <br>
                                    Shorewall will ignore the 'dhcp' on eth1.</li>
                                    <li>Update 17 June 2002 - The bug described 
   in  the   prior    bullet               affects the following options: 
 dhcp,   dropunclean,   logunclean,                 norfc1918, routefilter, 
 multi,   filterping and   noping. An additional                 bug has been 
 found   that affects only   the 'routestopped' option.<br>
                                    <br>
                                    Users who downloaded the corrected script 
  prior    to  1850   GMT   today              should download and install 
 the corrected     script   again   to ensure              that this second 
 problem is corrected.</li>
 </ul>
 <p align="left">These problems are corrected in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">    
      this firewall script</a> which should be installed in            /etc/shorewall/firewall 
           as described above.</p>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
                                    <li>Folks who downloaded 1.3.0 from the 
 links    on  the   download    page              before 23:40 GMT, 29 May 
 2002 may    have  downloaded   1.2.13    rather than              1.3.0. 
 The "shorewall    version"  command   will tell    you which version     
        that you   have installed.</li>
                                    <li>The documentation NAT.htm file uses 
 non-existent                  wallpaper and bullet graphic files. The   
       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">     
     corrected version is here</a>.</li>
 </ul>
 <hr>                                               
 <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
 <p align="left">The upgrade issues have moved to           <a
 href="upgrade_issues.htm">a separate page</a>.</p>
@ -597,8 +117,8 @@ The "shorewall    version"  command   will tell    you which version
 <blockquote>                                                             
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
-                    prevent it from working with Shorewall. Regrettably,
+                  prevent it from working with Shorewall. Regrettably,  RedHat 
- RedHat       released    this buggy iptables in RedHat   7.2. </p>
+     released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
@ -622,8 +142,8 @@ The "shorewall    version"  command   will tell    you which version
  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
          the patches are available         for download. This <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
-                which corrects a problem with parsing of the --log-level
+              which corrects a problem with parsing of the --log-level specification
-specification            while         this <a
+          while         this <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
                  corrects a problem in handling the  TOS target.</p>
@ -660,43 +180,36 @@ specification            while         this <a
          the     Netfilter 'mangle' table. You can correct the problem by
 installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
-               this iptables RPM</a>. If you are already running a 1.2.5
+             this iptables RPM</a>. If you are already running a 1.2.5 version 
-version        of       iptables, you will need to specify the --oldpackage
+     of       iptables, you will need to specify the --oldpackage option to
-option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+  rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                      </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
          RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict                      
         with kernel &lt;= 2.2 yet you have a 2.4 kernel                
               installed, simply use the "--nodeps" option to           
                    rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <h3><a name="Multiport"></a><b>Problems with                            
   iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made                      
         an incompatible change to the syntax used to                   
            specify multiport match rules; as a consequence,            
                   if you install iptables 1.2.7 you must be running    
                           Shorewall 1.3.7a or later or:</p>
 <ul>
                                                     <li>set MULTIPORT=No 
-  in                                   /etc/shorewall/shorewall.conf; or
+in                                   /etc/shorewall/shorewall.conf; or </li>
  </li>
                                                     <li>if you are running 
 Shorewall      1.3.6    you may                                  install 
                                <a
@ -708,20 +221,20 @@ option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i3
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                   </h3>
-                   /etc/shorewall/nat entries of the following form will
+                /etc/shorewall/nat entries of the following form will result
-result    in  Shorewall     being unable to start:<br>
+  in  Shorewall     being unable to start:<br>
                <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-                   The solution is to put "no" in the LOCAL column. Kernel
+                The solution is to put "no" in the LOCAL column. Kernel support 
- support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has
+   for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled 
- disabled  it.   The  2.4.19 kernel   contains corrected support under a
+it.   The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
-new  kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+   option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 3/8/2003 -                              
+<p><font size="2">  Last updated 2/8/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
--- a/STABLE/documentation/errata_3.html
+++ b/STABLE/documentation/errata_3.html
@ -0,0 +1,715 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
                          <tbody>
                          <tr>
                            <td width="100%">                           
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
                            </td>
                          </tr>
  </tbody>                      
 </table>
 <p align="center">       <b><u>IMPORTANT</u></b></p>
 <ol>
                          <li>                                          
    <p align="left">          <b><u>I</u>f you use a Windows system to download
           a corrected     script, be sure to run the script through <u>
           <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
 style="text-decoration: none;"> dos2unix</a></u>      after you have moved
           it to your Linux system.</b></p>
                                       </li>
                          <li>                                          
    <p align="left">          <b>If you are installing Shorewall for the
 first time and plan to use the        .tgz and install.sh script, you can
 untar the archive, replace the        'firewall' script in the untarred directory
           with the one you downloaded        below, and then run install.sh.</b></p>
                                       </li>
                          <li>                                          
    <p align="left">          <b>If you are running a Shorewall version earlier
    than 1.3.11, when the instructions say to install a corrected       
 firewall     script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
      or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
 overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD
 /etc/shorewall/firewall               or /var/lib/shorewall/firewall  before
 you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall
 are symbolic links that point           to the 'shorewall' file used by
 your  system initialization scripts     to         start Shorewall during
 boot. It is  that file that must be overwritten              with the corrected
 script. Beginning with Shorewall 1.3.11, you may rename the existing file
 before copying in the new file.</b></p>
                  </li>
                  <li>                                                  
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
        ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
  For    example,  do NOT install the 1.3.9a firewall script if you are running
   1.3.7c.</font></b><br>
                              </p>
                  </li>
 </ol>
 <ul>
                          <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
                          <li>                            <b><a
 href="#V1.3">Problems      in  Version    1.3</a></b></li>
                          <li>                            <b><a
 href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
                          <li>                            <b><font
 color="#660066">       <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
                          <li>                            <b><font
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
    on RH7.2</a></font></b></li>
                          <li>                            <b><a
 href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
 RedHat iptables</a></b></li>
                          <li><b><a href="#SuSE">Problems installing/upgrading
   RPM   on  SuSE</a></b></li>
                          <li><b><a href="#Multiport">Problems with iptables
  version     1.2.7    and       MULTIPORT=Yes</a></b></li>
                    <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 
 and   NAT</a></b><br>
                    </li>
 </ul>
 <hr>                                              
 <h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.14</h3>
 <ul>
   <li>There is an <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated 
  rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 
 223.0.0.0/8.</li>
 </ul>
 <ul>
   <li>The documentation for the routestopped file claimed that a comma-separated 
  list could appear in the second column while the code only supported a single
  host or network address.</li>
   <li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
   <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
 support  the 'maclist' interface option.</li>
   <li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
  <li>The firewall fails to start in the case where you have "eth0 eth1"
 in /etc/shorewall/masq and the default route is through eth1.<br>
   </li>
 </ul>
    These problems have been corrected in <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this 
  firewall script</a> which may be installed in /usr/lib/shorewall as described 
  above.<br>
 <h3>Version 1.3.13</h3>
 <ul>
         <li>The 'shorewall add' command produces an error message referring
  to  'find_interfaces_by_maclist'.</li>
        <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
      <li>The 'shorewall add' command can fail with "iptables: Index of insertion
  too big".<br>
      </li>
 </ul>
      All three problems are corrected by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
    firewall script</a> which may be installed in /usr/lib/shorewall as described
    above.<br>
 <ul>
       <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., 
 eth0.1)   are not supported in this version or in 1.3.12. If you need such 
 support,   post on the users list and I can provide you with a patched version.<br>
       </li>
 </ul>
 <h3>Version 1.3.12</h3>
 <ul>
          <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect 
 is  the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
  is  corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
    firewall script</a> which may be installed in /usr/lib/shorewall as described
    above.</li>
       <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., 
 eth0.1)   are not supported in this version or in 1.3.13. If you need such 
 support,   post on the users list and I can provide you with a patched version.<br>
        </li>
 </ul>
 <h3>Version 1.3.12 LRP</h3>
 <ul>
           <li>The .lrp was missing the /etc/shorewall/routestopped file
 --  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects
 this  problem.<br>
           </li>
 </ul>
 <h3>Version 1.3.11a</h3>
 <ul>
            <li><a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
     copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
 82.0.0.0/8.<br>
            </li>
 </ul>
 <h3>Version 1.3.11</h3>
 <ul>
               <li>When installing/upgrading using the .rpm, you may receive
  the   following   warnings:<br>
                 <br>
                  user teastep does not exist - using root<br>
                  group teastep does not exist - using root<br>
                 <br>
             These warnings are harmless and may be ignored. Users downloading
   the   .rpm  from shorewall.net or mirrors should no longer see these warnings
   as  the .rpm you will get from there has been corrected.</li>
              <li>DNAT rules that exclude a source subzone (SOURCE column 
 contains     !  followed by a sub-zone list) result in an error message and 
 Shorewall    fails  to start.<br>
                <br>
            Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
      corrected script</a> in /usr/lib/shorewall/firewall to correct this
 problem.     Thanks go to Roger Aich who analyzed this problem and provided
 a fix.<br>
               <br>
           This problem is corrected in version 1.3.11a.<br>
              </li>
 </ul>
 <h3>Version 1.3.10</h3>
 <ul>
                 <li>If you experience problems connecting to a PPTP server 
 running     on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
       version of the firewall script</a> may help. Please report any cases
  where     installing this script in /usr/lib/shorewall/firewall solved
 your   connection     problems. Beginning with version 1.3.10, it is safe
 to save   the old version     of /usr/lib/shorewall/firewall before copying
 in the  new one since /usr/lib/shorewall/firewall     is the real script
 now and not just a symbolic link to the real script.<br>
                 </li>
 </ul>
 <h3>Version 1.3.9a</h3>
 <ul>
                  <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No 
      then  the following message appears during "shorewall [re]start":</li>
 </ul>
 <pre>          recalculate_interfacess: command not found<br></pre>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
        corrects this problem.Copy the script to /usr/lib/shorewall/firewall 
   as   described  above.<br>
                </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
        single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
        to 'recalculate_interface'. <br>
                </blockquote>
 <ul>
                  <li>The installer (install.sh) issues a misleading message
  "Common     functions   installed in /var/lib/shorewall/functions" whereas
  the file   is  installed  in /usr/lib/shorewall/functions. The installer
 also performs   incorrectly  when updating old configurations that had the
 file /etc/shorewall/functions.         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
        is an updated version that corrects these problems.<br>
                    </a></li>
 </ul>
 <h3>Version 1.3.9</h3>
                   <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
 firewall     script    at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
        -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
                    <br>
                   Version 1.3.8                      
 <ul>
                       <li> Use of shell variables in the LOG LEVEL or SYNPARMS 
   columns     of  the  policy file doesn't work.</li>
                       <li>A DNAT rule with the same original and new IP
 addresses      but   with   different  port numbers doesn't work (e.g., "DNAT
 loc dmz:10.1.1.1:24        tcp   25 - 10.1.1.1")<br>
                       </li>
 </ul>
                     Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
                                          as described above corrects these
  problems.                             
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                       
        result in an error message. Installing                          
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
                                          as described above corrects this
 problem.</p>
 <h3>Version 1.3.7a</h3>
 <p>"shorewall refresh" is not creating the proper                       
        rule for FORWARDPING=Yes. Consequently, after                   
            "shorewall refresh", the firewall will not forward          
                     icmp echo-request (ping) packets. Installing       
                       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
                                          as described above corrects this
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
 <p>If "norfc1918" and "dhcp" are both specified as                      
         options on a given interface then RFC 1918                     
          checking is occurring before DHCP checking. This              
                 means that if a DHCP client broadcasts using an        
                       RFC 1918 source address, then the firewall will  
                             reject the broadcast (usually logging it). This
                                          has two problems:</p>
 <ol>
                                                       <li>If the firewall
 is  running     a  DHCP   server,                                   the
 client   won't be   able   to obtain   an IP  address                   
              lease  from that   server.</li>
                                                       <li>With this order
 of  checking,      the   "dhcp"                                   option
 cannot  be used as   a  noise-reduction                                 
   measure  where there   are  both dynamic and    static               
                  clients  on a LAN segment.</li>
 </ol>
 <p>                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           This version of the 1.3.7a firewall script </a> 
                                         corrects the problem. It must be 
 installed          in /var/lib/shorewall                                as 
 described  above.</p>
 <h3>Version 1.3.7</h3>
 <p>Version 1.3.7 dead on arrival -- please use                          
     version 1.3.7a and check your version against                      
         these md5sums -- if there's a difference, please               
                download again.</p>
 <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
 <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
           and   compare the result with what you see above.</p>
 <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
           .7   version in each sequence from now on.</p>
 <h3 align="left">Version 1.3.6</h3>
 <ul>
                                   <li>                                 
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
           an error occurs when the firewall            script attempts to
 add    an   SNAT   alias.  </p>
                        </li>
                        <li>                                            
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
           cause errors during startup when Shorewall is run with iptables
           1.2.7. </p>
                        </li>
 </ul>
 <p align="left">These problems are fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
       this correct firewall script</a> which must be installed in      
     /var/lib/shorewall/ as described above. These problems are also    
       corrected in version 1.3.7.</p>
 <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
 <p align="left">A line was inadvertently deleted from the "interfaces   
        file" -- this line should be added back in if the version that you
                      downloaded is missing it:</p>
 <p align="left">net    eth0    detect               routefilter,dhcp,norfc1918</p>
 <p align="left">If you downloaded two-interfaces-a.tgz then the above   
        line should already be in the file.</p>
 <h3 align="left">Version 1.3.5-1.3.5b</h3>
 <p align="left">The new 'proxyarp' interface option doesn't work :-(    
       This is fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
       this corrected firewall script</a> which must be installed in    
       /var/lib/shorewall/ as described above.</p>
 <h3 align="left">Versions 1.3.4-1.3.5a</h3>
 <p align="left">Prior to version 1.3.4, host file entries such as the   
        following were allowed:</p>
 <div align="left">                                   
 <pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
                        </div>
 <div align="left">                          
 <p align="left">That capability was lost in version 1.3.4 so that it is only
               possible to  include a single host specification on each line.
    This         problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
               modified 1.3.5a firewall script</a>. Install the script in
 /var/lib/pub/shorewall/firewall               as instructed above.</p>
                      </div>
 <div align="left">                          
 <p align="left">This problem is corrected in version 1.3.5b.</p>
                      </div>
 <h3 align="left">Version 1.3.5</h3>
 <p align="left">REDIRECT rules are broken in this version. Install      
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
       this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
                      as instructed above. This problem is corrected in version
      1.3.5a.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
         to not verify that the zones named in the /etc/shorewall/policy
 file            have been previously defined in the /etc/shorewall/zones
 file. The            "shorewall check" command does perform this verification
 so it's a            good idea to run that command after you have made configuration
                      changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
 <p align="left">If you have upgraded from Shorewall 1.2 and after       
    "Activating rules..." you see the message: "iptables: No            chains/target/match
           by that name" then you probably have an entry in            /etc/shorewall/hosts
           that specifies an interface that you didn't            include
 in   /etc/shorewall/interfaces.        To correct this problem, you     
      must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3
 and             later versions produce a clearer error    message    in
 this  case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
           file can be identified by its size (56284 bytes). The correct
 version            has a size of 38126 bytes.</p>
 <ul>
                                   <li>The code to detect a duplicate interface 
   entry    in             /etc/shorewall/interfaces contained a typo that 
 prevented    it from               working correctly. </li>
                                   <li>"NAT_BEFORE_RULES=No" was broken;
 it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
 <p align="left">Both problems are corrected in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">   
       this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
           as described above.</p>
 <ul>
                                   <li>                                 
    <p align="left">The IANA have just announced the allocation of subnet
                      221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
      updated rfc1918</a> file reflects that allocation.</p>
                                                    </li>
 </ul>
 <h3 align="left">Version 1.3.1</h3>
 <ul>
                                   <li>TCP SYN packets may be double counted
  when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy
  (i.e.,    each              packet is sent through the limit chain twice).</li>
                                   <li>An unnecessary jump to the policy
 chain    is  sometimes                 generated for a CONTINUE policy.</li>
                                   <li>When an option is given for more than
  one   interface      in               /etc/shorewall/interfaces then depending
   on the option,     Shorewall                may ignore all but the first
  appearence of the   option.  For example:<br>
                                   <br>
                                   net    eth0    dhcp<br>
                                   loc    eth1    dhcp<br>
                                   <br>
                                   Shorewall will ignore the 'dhcp' on eth1.</li>
                                   <li>Update 17 June 2002 - The bug described
   in  the   prior    bullet               affects the following options:
 dhcp,   dropunclean,   logunclean,                 norfc1918, routefilter,
 multi,   filterping and   noping. An additional                 bug has been
 found   that affects only   the 'routestopped' option.<br>
                                   <br>
                                   Users who downloaded the corrected script
  prior    to  1850   GMT   today              should download and install
 the corrected     script   again   to ensure              that this second
 problem is corrected.</li>
 </ul>
 <p align="left">These problems are corrected in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">   
       this firewall script</a> which should be installed in            /etc/shorewall/firewall
           as described above.</p>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
                                   <li>Folks who downloaded 1.3.0 from the
 links    on  the   download    page              before 23:40 GMT, 29 May
 2002 may    have  downloaded   1.2.13    rather than              1.3.0.
 The "shorewall    version"  command   will tell    you which version    
         that you   have installed.</li>
                                   <li>The documentation NAT.htm file uses
 non-existent                  wallpaper and bullet graphic files. The  
        <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
      corrected version is here</a>.</li>
 </ul>
 <hr>                                              
 <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
 <p align="left">The upgrade issues have moved to           <a
 href="upgrade_issues.htm">a separate page</a>.</p>
 <hr>                                                
 <h3 align="left"><a name="iptables"></a><font color="#660066">  Problem with
           iptables version 1.2.3</font></h3>
 <blockquote>                                                             
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
                   prevent it from working with Shorewall. Regrettably,  RedHat
      released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
            corrected 1.2.3 rpm which you can download here</a>  and I have 
  also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently
           running RedHat 7.1, you can install either of these RPMs     
        <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
           has   released an iptables-1.2.4 RPM of their own which you can
 download         from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
             </font>I have installed this RPM   on my firewall and it works 
  fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
           the patches are available         for download. This <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
               which corrects a problem with parsing of the --log-level specification
           while         this <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
                   corrects a problem in handling the  TOS target.</p>
  <p align="left">To install one of the above patches:</p>
  <ul>
                                 <li>cd iptables-1.2.3/extensions</li>
                                 <li>patch -p0 &lt; <i>the-patch-file</i></li>
  </ul>
                                  </blockquote>
 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
               and RedHat iptables</h3>
 <blockquote>                                                             
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
           may     experience the following:</p>
  <blockquote>                                                           
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                          </blockquote>
  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
  user-space debugging code was not updated to reflect recent changes in
           the     Netfilter 'mangle' table. You can correct the problem
 by   installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
              this iptables RPM</a>. If you are already running a 1.2.5 version 
      of       iptables, you will need to specify the --oldpackage option 
 to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                        </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
           RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict                      
         with kernel &lt;= 2.2 yet you have a 2.4 kernel                
               installed, simply use the "--nodeps" option to           
                    rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <h3><a name="Multiport"></a><b>Problems with                            
   iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made                      
         an incompatible change to the syntax used to                   
            specify multiport match rules; as a consequence,            
                   if you install iptables 1.2.7 you must be running    
                           Shorewall 1.3.7a or later or:</p>
 <ul>
                                                       <li>set MULTIPORT=No 
 in                                   /etc/shorewall/shorewall.conf; or </li>
                                                       <li>if you are running 
  Shorewall      1.3.6    you may                                  install 
                                 <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                             this firewall script</a> in /var/lib/shorewall/firewall
                                            as described above.</li>
 </ul>
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                     </h3>
                  /etc/shorewall/nat entries of the following form will result
   in  Shorewall     being unable to start:<br>
                  <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                  Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
                  The solution is to put "no" in the LOCAL column. Kernel 
 support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has 
 disabled  it.   The  2.4.19 kernel   contains corrected support under a new 
 kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
 <p><font size="2">  Last updated 3/8/2003 -                              
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
             </p>
             <br>
            <br>
           <br>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -27,8 +27,8 @@
 border="0">
                         <tbody>
                          <tr>
-                             <td width="33%" valign="middle"
+                           <td width="33%" valign="middle" align="left">
- align="left">                                                          
+                                                                        
      <h1 align="center"><a
@ -51,9 +51,9 @@
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
              </td>
              <td valign="middle" width="33%">                     <a
- href="http://www.postfix.org/">       <img alt="(Postfix Logo)"
+ href="http://www.postfix.org/">       <img
- height="66" width="124" border="0" align="right"
+ src="images/small-picture.gif" align="right" border="0" width="115"
- src="images/postfix-white.gif">
+ height="45" alt="(Postfix Logo)">
                            </a><br>
      <div align="left"><a href="http://www.spamassassin.org"><img
@ -62,10 +62,9 @@
           </a> </div>
           <br>
      <div align="right"><br>
              <b><font color="#ffffff"><br>
-           </font></b><br>
+     Powered by Postfix    </font></b><br>
              </div>
              </td>
                         </tr>
@ -79,7 +78,6 @@
 read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
 Guide</a>.<br>
 </h1>
 <p align="left">If you experience problems with any of these lists, please 
           let <a href="mailto:teastep@shorewall.net">me</a> know</p>
@ -102,8 +100,8 @@
     (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
            </li>
                    <li>to ensure that the sender address is fully qualified.</li>
-                      <li>to verify that the sender's domain has an A or
+                    <li>to verify that the sender's domain has an A or MX 
-MX  record    in  DNS.</li>
+record    in  DNS.</li>
                    <li>to ensure that the host name in the HELO/EHLO command 
  is  a  valid    fully-qualified  DNS name that resolves.</li>
@ -132,8 +130,8 @@ will be bounced by  the list server.<br>
          If you find that you are missing an occasional list post, your
 e-mail    admin  may be blocking mail whose <i>Received:</i> headers contain
 the names   of certain ISPs. Again, I believe that such policies hurt more
- than they  help but I'm not prepared to go so far as to start stripping
+than they  help but I'm not prepared to go so far as to start stripping <i>Received:</i>
-<i>Received:</i>      headers to circumvent those policies.<br>
+    headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -166,8 +164,8 @@ will be bounced by  the list server.<br>
 value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-                        Search: <input type="text" size="30"
+                      Search: <input type="text" size="30" name="words"
- name="words" value="">    <input type="submit" value="Search"> </p>
+ value="">    <input type="submit" value="Search"> </p>
                      </form>
@ -274,13 +272,11 @@ list may be found at <a
 <ul>
                         <li>                                           
    <p align="left">Follow the same link above that you used to subscribe
           to the  list.</p>
                         </li>
                         <li>                                           
    <p align="left">Down at the bottom of that page is the following text:
           " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
 password      reminder,         or change your subscription options enter
@ -289,7 +285,6 @@ your subscription              email address:". Enter your email  address
                         </li>
                         <li>                                           
    <p align="left">There will now be a box where you can enter your password
           and  click on "Unsubscribe"; if you have forgotten your password,
   there      is  another  button that will cause your password to be emailed
@ -309,5 +304,8 @@ your subscription              email address:". Enter your email  address
 <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
--- a/STABLE/documentation/ping.html
+++ b/STABLE/documentation/ping.html
@ -24,15 +24,50 @@
 </table>
    <br>
    Shorewall 'Ping' management has evolved over time with the latest change 
- coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>)
+ coming in Shorewall version 1.4.0. <br>
- was added to /etc/shorewall/shorewall.conf. The value of that option determines
+     
- the overall handling of ICMP echo requests (pings).<br>
+<h2>Shorewall Versions &gt;= 1.4.0</h2>
 In order to accept ping requests from zone z1 to zone z2 where the policy 
 for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the 
 form:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
   </blockquote>
   Example: <br>
   <br>
   To permit ping from the local zone to the firewall:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
   </blockquote>
       If you would like to accept 'ping' by default even when the relevant
 policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
 already exist and in that file place the following command:<br>
 <blockquote>         
  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
   </blockquote>
   With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
 you need a rule of the form:<br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
   </blockquote>
   Example:<br>
   <br>
   To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
 <br>
 <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
 icmp&nbsp;&nbsp;&nbsp; 8<br>
 </blockquote>
 <h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
   In 1.3.14, Ping handling was put under control of the rules and policies 
 just like any other connection request. In order to accept ping requests 
-from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT and z1
+from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
-is not the firewall zone, you need a rule in /etc/shoreall/rules of the form:<br>
+a rule in /etc/shoreall/rules of the form:<br>
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -83,9 +118,9 @@ already exist and in that file place the following command:<br>
 <ol>
      <li>Ping requests addressed to the firewall itself; and</li>
-     <li>Ping requests being forwarded to another system. Included here are 
+      <li>Ping requests being forwarded to another system. Included here
- all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple 
+are   all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
- routing.</li>
+and simple   routing.</li>
 </ol>
    These cases will be covered separately.<br>
@ -113,8 +148,8 @@ the  interface that receives the ping request then the request will be responded
    &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; 
 Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
    <br>
-   Example 1. Accept pings from the net to the dmz (pings are responded to
+    Example 1. Accept pings from the net to the dmz (pings are responded
- with an ICMP echo-reply):<br>
+to  with an ICMP echo-reply):<br>
    <br>
    &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
  icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -129,8 +164,8 @@ the  interface that receives the ping request then the request will be responded
 destination  is applied.<br>
 <ol>
-     <li>If the relevant policy is ACCEPT then the request is responded to
+      <li>If the relevant policy is ACCEPT then the request is responded
- with an ICMP echo-reply.</li>
+to  with an ICMP echo-reply.</li>
      <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
  then the request is responded to with an ICMP echo-reply.</li>
      <li>Otherwise, the relevant REJECT or DROP policy is used and the request
@ -147,5 +182,6 @@ destination  is applied.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/ports.htm
+++ b/STABLE/documentation/ports.htm
@ -184,13 +184,8 @@ to a server with IP address a.b.c.d in zone z2:<br>
 </blockquote>
 <blockquote>               
-  <p>Note that my rules only cover NFS using UDP (the normal case) and your
+  <p>Note that my rules only cover NFS using UDP (the normal case). There 
-milage may vary depending on the software you are using (I'm using RH8.0
+is lots of additional information at    <a
 on both ends). In particular, the local port range in my server starts at
 32768 (It's 32768 - 61000; I could probably get away with just opening those
 ports).<br>
  <br>
 There is lots of additional information at    <a
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
     </blockquote>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -7,16 +7,17 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
-  <title>Shoreline Firewall (Shorewall) 1.3</title>
+  <title>Shoreline Firewall (Shorewall) 1.4</title>
-                                                     <base
+                                                                        
- target="_self">
+          <base target="_self">
 </head>
  <body>
@ -31,7 +32,8 @@
                                         <tr>
-                                           <td width="100%" height="90">
+                                                  <td width="100%"
 height="90">                                                            
@ -47,28 +49,40 @@
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                                      </a></i></font><font
+                                             </a></i></font><a
- color="#ffffff">Shorewall           1.3     -               <font
+ href="http://www.shorewall.net" target="_top"><img border="1"
- size="4">"<i>iptables                   made  easy"</i></font></font></h1>
+ src="images/shorewall.jpg" width="119" height="38" hspace="4"
-                                                                        
+ alt="(Shorewall Logo)" align="right" vspace="4">
-                                                                        
+                          </a></h1>
-                                                                        
+                 <small><small><small><small><a
-                                                                        
+ href="http://www.shorewall.net" target="_top">        </a></small></small></small></small><big></big>
      <div align="center"><a
 href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
      <div align="center">              
      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
        </div>
                               <br>
      <p><a href="http://www.shorewall.net" target="_top">              
       </a> </p>
      <div align="center"><a href="http://1.3/index.htm" target="_top"><font
 color="#ffffff">Shorewall 1.3 Site is here</font></a>                   
             <br>
                                                  </div>
        </td>
                                              </tr>
@ -107,6 +121,7 @@
      <h2 align="left">What is it?</h2>
@ -120,9 +135,10 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+                 
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-       that can be used on a dedicated firewall system, a multi-function 
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -136,28 +152,30 @@
      <p>This program is free software; you can redistribute it and/or modify
-                                                 it        under the terms 
+                                                     it        under the
- of         <a href="http://www.gnu.org/licenses/gpl.html">Version       
+terms      of         <a href="http://www.gnu.org/licenses/gpl.html">Version
-2 of  the GNU General Public License</a> as published by the Free Software 
+       2 of  the GNU General Public License</a> as published by the Free
-       Foundation.<br>
+Software            Foundation.<br>
                                                 <br>
                                            This   program     is  distributed
         in   the     hope     that     it   will     be  useful,    but
        WITHOUT    ANY      WARRANTY;      without      even the   implied
- warranty       of MERCHANTABILITY                or  FITNESS    FOR   A
+   warranty       of MERCHANTABILITY                or  FITNESS    FOR  
-PARTICULAR       PURPOSE.        See the    GNU General     Public  License
+A  PARTICULAR       PURPOSE.        See the    GNU General     Public  License 
             for   more details.<br>
                                                 <br>
                                            You   should    have   received 
     a   copy     of   the     GNU     General         Public      License
-         along     with    this   program;       if  not,    write  to  the
+              along     with    this   program;       if  not,    write 
-   Free Software           Foundation,              Inc.,  675     Mass 
+to    the    Free Software           Foundation,              Inc.,  675
-Ave,  Cambridge,   MA    02139,       USA</p>
+    Mass   Ave,  Cambridge,   MA    02139,       USA</p>
@ -183,15 +201,17 @@ Ave,  Cambridge,   MA    02139,       USA</p>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                      </a>Jacques              Nilo   and 
+                                             </a>Jacques              Nilo
-  Eric     Wolzak       have     a   LEAF  (router/firewall/gateway      
+   and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway
-  on  a  floppy,    CD    or compact     flash)  distribution        called 
+          on  a  floppy,    CD    or compact     flash)  distribution   
-              <i>Bering</i>          that          features      Shorewall-1.3.14
+    called                 <i>Bering</i>          that          features
-    and    Kernel-2.4.20.          You    can  find    their    work at:
+     Shorewall-1.3.14      and    Kernel-2.4.20.          You    can  find
-               <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+   their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                                            </a></p>
@ -199,70 +219,33 @@ Ave,  Cambridge,   MA    02139,       USA</p>
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+      <p><b>Congratulations to Jacques and Eric on the recent release of
-1.1!!! </b><br>
+Bering 1.1!!! </b><br>
                                                       </p>
-                                                                        
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
-                                                                        
+(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
      <h2>News</h2>
-                                                                        
+      <p><b>3/17/2003 - Shorewall 1.4.0 </b><b>       </b><b><img
      <h2></h2>
      <p><b>3/7/2003 - Shorewall 1.4.0 RC2 </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-      </b><b>                  </b></p>
+             </b><b>                  </b></p>
                                                          Shorewall 1.4 represents
- the  next  step in the evolution of Shorewall. The main thrust of the initial
+     the  next  step in the evolution of Shorewall. The main thrust of the
-  release  is simply to remove the cruft that has accumulated in Shorewall
+ initial    release  is simply to remove the cruft that has accumulated in
- over time.       <br>
+ Shorewall   over time.       <br>
              <br>
              <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
     ('ip' utility).</b><br>
              <br>
-           Function from 1.3 that has been omitted from this version include:<br>
+                  Function from 1.3 that has been omitted from this version 
 include:<br>
      <ol>
-                      <li>The MERGE_HOSTS variable in shorewall.conf is no
+         <li>The MERGE_HOSTS variable in shorewall.conf  is  no  longer supported. 
- longer supported.    Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+   Shorewall 1.4 behavior is the same as 1.3 with  MERGE_HOSTS=Yes.<br>
                     <br>
                   </li>
         <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
@ -279,8 +262,8 @@ Ave,  Cambridge,   MA    02139,       USA</p>
     an error at startup if specified.<br>
                     <br>
                   </li>
-             <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
+         <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules  is  no 
-no  longer   accepted.<br>
+ longer   accepted.<br>
                     <br>
                   </li>
         <li>The ALLOWRELATED variable in shorewall.conf is no longer   
@ -293,6 +276,7 @@ supported.     Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<
      </ol>
                  Changes for 1.4 include:<br>
      <ol>
         <li>The /etc/shorewall/shorewall.conf file has been completely 
   reorganized    into logical sections.<br>
@ -310,9 +294,9 @@ are now installed in /usr/share/shorewall.<br>
                     <br>
                   </li>
         <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
-  1.4  no  longer unconditionally accepts outbound ICMP packets. So if you 
+     1.4  no  longer unconditionally accepts outbound ICMP packets. So if 
- want to 'ping'  from the firewall, you will need the appropriate rule or 
+you    want to 'ping'  from the firewall, you will need the appropriate rule 
-policy.<br>
+or   policy.<br>
                    <br>
                  </li>
         <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
@ -326,22 +310,56 @@ policy.<br>
   may  now be turned off on a host or network basis using the new /etc/shorewall/ecn 
    file. To use this facility:<br>
               <br>
-       a) You must be running kernel 2.4.20<br>
+              a) You must be running kernel 2.4.20<br>
-       b) You must have applied the patch in<br>
+              b) You must have applied the patch in<br>
-       http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
+              http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
-       c) You must have iptables 1.2.7a installed.<br>
+              c) You must have iptables 1.2.7a installed.<br>
               <br>
             </li>
         <li>The /etc/shorewall/params file is now processed first so  that 
- variables may be used in the /etc/shorewall/shorewall.conf file.</li>
+  variables may be used in the /etc/shorewall/shorewall.conf file.<br>
               <br>
             </li>
         <li value="10">Shorewall now gives a more helpful diagnostic when 
  the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' 
  command is issued.<br>
          <br>
        </li>
         <li>The SHARED_DIR variable has been removed from shorewall.conf. 
  This variable was for use by package maintainers and was not documented 
 for  general use.<br>
          <br>
        </li>
         <li>Shorewall now ignores 'default' routes when detecting masq'd 
  networks.<br>
        </li>
      </ol>
   You may download the release candidate from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
- target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+ target="_top"></a>       
-         </blockquote>
+      <p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
      <p>A roleup of the following bug fixes and other updates:</p>
      <ul>
              <li>There is an updated rfc1918 file that reflects the resent 
 allocation  of 222.0.0.0/8 and  223.0.0.0/8.</li>
           <li>The documentation for the routestopped file claimed that a 
 comma-separated      list could appear in the second column while the code 
 only supported a  single   host or network address.</li>
            <li>Log messages produced by 'logunclean' and 'dropunclean' were
   not  rate-limited.          802.11b devices with names of the form <i>wlan</i>&lt;n&gt; 
  don't  support the 'maclist' interface option.</li>
            <li>Log messages generated by RFC 1918 filtering are not rate 
 limited.</li>
                             <li>The firewall fails to start in the case
 where   you have "eth0  eth1" in /etc/shorewall/masq and the default route
 is through   eth1.</li>
      </ul>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                   </b></p>
@ -350,67 +368,71 @@ may  now be turned off on a host or network basis using the new /etc/shorewall/e
      <ol>
-                   <li>An OLD_PING_HANDLING option has been added to shorewall.conf. 
+                          <li>An OLD_PING_HANDLING option has been added
-     When   set to Yes, Shorewall ping handling is as it has always been (see
+to  shorewall.conf.        When   set to Yes, Shorewall ping handling is
-    http://www.shorewall.net/ping.html).<br>
+as it  has always been  (see     http://www.shorewall.net/ping.html).<br>
                           <br>
-                When OLD_PING_HANDLING=No, icmp echo (ping) is handled via
+                       When OLD_PING_HANDLING=No, icmp echo (ping) is handled 
- rules    and   policies   just like any other connection request. The FORWARDPING=Yes
+  via   rules    and   policies   just like any other connection request. 
-    option   in shorewall.conf   and the 'noping' and 'filterping' options
+The  FORWARDPING=Yes      option   in shorewall.conf   and the 'noping' and 
- in   /etc/shorewall/interfaces   will   all generate an error.<br>
+'filterping'  options   in   /etc/shorewall/interfaces   will   all generate 
 an error.<br>
                           <br>
                         </li>
-                   <li>It is now possible to direct Shorewall to create a 
+                          <li>It is now possible to direct Shorewall to create
-"label"     such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes 
+   a  "label"     such   as   "eth0:0" for IP addresses that it creates under
-    and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead 
+   ADD_IP_ALIASES=Yes      and  ADD_SNAT_ALIASES=Yes.  This is done by specifying
-   of just  the interface name:<br>
+   the label instead     of just  the interface name:<br>
-                 <br>
+                        <br>
-                   a) In the INTERFACE column of /etc/shorewall/masq<br>
+                          a) In the INTERFACE column of /etc/shorewall/masq<br>
-                   b) In the INTERFACE column of /etc/shorewall/nat<br>
+                          b) In the INTERFACE column of /etc/shorewall/nat<br>
-                 </li>
+                        </li>
                          <li>Support for OpenVPN Tunnels.<br>
                       <br>
                   </li>
-                   <li>Support for VLAN devices with names of the form $DEV.$VID
+                          <li>Support for VLAN devices with names of the
-    (e.g.,  eth0.0)<br>
+form   $DEV.$VID      (e.g.,  eth0.0)<br>
                         <br>
                       </li>
-                <li>In /etc/shorewall/tcrules, the MARK value may be optionally
+                       <li>In /etc/shorewall/tcrules, the MARK value may
-   followed by ":" and either 'F' or 'P' to designate that the marking will
+be  optionally      followed by ":" and either 'F' or 'P' to designate that 
-  occur in the FORWARD or PREROUTING chains respectively. If this additional
+the  marking will     occur in the FORWARD or PREROUTING chains respectively. 
-  specification is omitted, the chain used to mark packets will be determined
+If this additional     specification is omitted, the chain used to mark packets 
-  by the setting of the MARK_IN_FORWARD_CHAIN option in <a
+ will be determined     by the setting of the MARK_IN_FORWARD_CHAIN option 
- href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+ in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                       <br>
                     </li>
-                   <li>When an interface name is entered in the SUBNET column 
+                          <li>When an interface name is entered in the SUBNET 
-  of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded traffic
+  column    of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded
-    from  only the first subnet   defined on that interface. It did not masquerade 
+   traffic     from  only the first subnet   defined on that interface. It
-    traffic from:<br>
+ did  not masquerade      traffic from:<br>
-                 <br>
+                        <br>
-                   a) The subnets associated with other addresses on the
+                          a) The subnets associated with other addresses
-interface.<br>
+on  the   interface.<br>
-                   b) Subnets accessed through local routers.<br>
+                          b) Subnets accessed through local routers.<br>
-                 <br>
+                        <br>
                       Beginning with Shorewall 1.3.14, if you enter an interface 
    name   in  the   SUBNET  column, shorewall will use the firewall's routing 
    table   to construct   the masquerading/SNAT rules.<br>
-                 <br>
+                        <br>
                       Example 1 -- This is how it works in 1.3.14.<br>
-                   <br>
+                          <br>
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                          
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
+                          
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
-          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
+                          
-                 <br>
+          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                        <br>
                       When upgrading to Shorewall 1.3.14, if you have multiple 
   local    subnets     connected  to an interface that is specified in the 
  SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq 
@ -419,38 +441,45 @@ redundant entries.  In some  cases though, you  might want to change from
  using the interface  name to listing specific subnetworks  if the change
 described above will cause masquerading  to occur on subnetworks  that you
 don't wish to masquerade.<br>
-                 <br>
+                        <br>
-                Example 2 -- Suppose that your current config is as follows:<br>
+                       Example 2 -- Suppose that your current config is as
-                   <br>
+ follows:<br>
                          <br>
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                          
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
+                          
-                 <br>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-                   In this case, the second entry in /etc/shorewall/masq
+                        <br>
                          In this case, the second entry in /etc/shorewall/masq 
   is  no  longer    required.<br>
-                 <br>
+                        <br>
-                Example 3 -- What if your current configuration is like this?<br>
+                       Example 3 -- What if your current configuration is 
-                 <br>
+like   this?<br>
                        <br>
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                          
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
+                          
-                 <br>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-                   In this case, you would want to change the entry in  /etc/shorewall/masq
+                        <br>
-        to:<br>
+                          In this case, you would want to change the entry
 in   /etc/shorewall/masq         to:<br>
-          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                          
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                          </li>
@ -460,44 +489,11 @@ is  no  longer    required.<br>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b> 
                        </b></p>
-              Webmin version 1.060 now has Shorewall support included as
+                     Webmin version 1.060 now has Shorewall support included
-standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
+  as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>.<b> 
         </b>                                                            
-      <p><b></b></p>
+      <p><a href="News.htm">More News</a></p>
      <p><b></b></p>
      <ul>
      </ul>
      <p><b></b><a href="News.htm">More News</a></p>
      <h2><a name="Donations"></a>Donations</h2>
@ -545,11 +541,12 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                                        </a></p>
+                                               </a></p>
@ -561,11 +558,12 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+                                                  
-if       you try it and find it useful, please consider making a donation 
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                                                     to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                                             </td>
@ -583,12 +581,9 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                             <br>
 </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_extension_scripts.htm
+++ b/STABLE/documentation/shorewall_extension_scripts.htm
@ -41,7 +41,8 @@ placed in /etc/shorewall and   are processed  using the Bourne shell "source"
 mechanism. The   following scripts can be  supplied:</p>
 <ul>
-    <li>init -- invoked early in "shorewall start" and       "shorewall restart"</li>
+     <li>init -- invoked early in "shorewall start" and       "shorewall
 restart"</li>
     <li>start -- invoked after the firewall has been started or restarted.</li>
     <li>stop -- invoked as a first step when the firewall is being stopped.</li>
     <li>stopped -- invoked after the firewall has been stopped.</li>
@ -58,10 +59,11 @@ chain     has been created but before any rules have been added to it.</li>
 <p><u><b>If your version of Shorewall doesn't have the file that you want 
 to use from the above list, you can simply create the file yourself.</b></u></p>
 <p>   You can also supply a script with the same name as any of the filter 
  chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules
- file has been processed but before the   /etc/shorewall/policy file has been
+  file has been processed but before the   /etc/shorewall/policy file has
- processed.</p>
+been  processed.</p>
@ -84,8 +86,8 @@ for making your own customized file.</p>
-<p>   If you decide to create /etc/shorewall/common it is a good idea to
+<p>   If you decide to create /etc/shorewall/common it is a good idea to use
-use the    following technique</p>
+the    following technique</p>
@ -113,21 +115,12 @@ if the policy is ACCEPT or CONTINUE.</p>
-<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
+<p align="left"><font size="2">Last updated 2/18/2003 - <a
 be   rejected by the firewall. It is recommended with this setting that you
 create   the file /etc/shorewall/icmpdef and in it place the following commands:</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
 <p align="left"><font size="2">Last updated 12/22/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
-M. Eastep</font></a></p>
+Thomas M. Eastep</font></a></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_prerequisites.htm
+++ b/STABLE/documentation/shorewall_prerequisites.htm
@ -31,10 +31,10 @@ Shorewall Requires:<br>
 <ul>
      <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6. 
-     <a href="kernel.htm">     Check here for kernel configuration      
+     <a href="kernel.htm">     Check here for kernel configuration       information.</a>
-information.</a>       If you are looking for a firewall for use with 2.2
+      If you are looking for a firewall for use with 2.2 kernels, <a
-kernels, <a href="http://seawall.sf.net">     see       the Seattle Firewall
+ href="http://seawall.sf.net">     see       the Seattle Firewall  site</a>
- site</a>     .</li>
+    .</li>
      <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
 href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The 
 buggy iptables version 1.2.3    is included in RedHat 7.2 and you should 
@ -42,11 +42,10 @@ upgrade to iptables 1.2.4 prior to    installing Shorewall. Version 1.2.4
 is available   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> 
   and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
-     <li>Some features require iproute ("ip" utility). The iproute package
+      <li>Iproute ("ip" utility). The iproute package  is     included with
- is     included with most distributions but may not be installed by default.
+most distributions but may not be installed by default.  The     official
- The     official download site is <a
+download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
- href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">   <font
+ target="_blank">   <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
 face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. 
    </li>
      <li>A Bourne shell or derivative such as bash or ash. This shell must
 have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
@ -57,11 +56,12 @@ awk        (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 11/10/2002 - <a
+<p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
     <br>
   <br>
  <br>
 <br>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -2,17 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall QuickStart Guide</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -27,10 +32,11 @@
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
    (HOWTO's)<br>
-                   Version 3.1</font></h1>
+                       Version 4.0</font></h1>
                           </td>
                         </tr>
  </tbody>                      
 </table>
@ -47,11 +53,11 @@ we must  all first walk before we can run.<br>
 <p>The following guides are for <b>users who have a single public IP address</b>:</p>
 <ul>
-                     <li><a href="standalone.htm">Standalone</a> Linux System
+                         <li><a href="standalone.htm">Standalone</a> Linux
- (<a href="standalone_fr.html">Version Française</a>)</li>
+ System   (<a href="standalone_fr.html">Version Française</a>)</li>
-                     <li><a href="two-interface.htm">Two-interface</a> Linux
+                         <li><a href="two-interface.htm">Two-interface</a>
-  System    acting    as a    firewall/router for a small local network (<a
+ Linux    System    acting    as a    firewall/router for a small local network
- href="two-interface_fr.html">Version Française</a>)</li>
+ (<a href="two-interface_fr.html">Version Française</a>)</li>
                         <li><a href="three-interface.htm">Three-interface</a>
   Linux    System    acting  as a    firewall/router for a small local network
   and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
@ -69,30 +75,31 @@ Shorewall      than   is  explained in the single-address guides above.</b></p>
 <ul>
                         <li><a
 href="shorewall_setup_guide.htm#Introduction">1.0   Introduction</a></li>
-                     <li><a href="shorewall_setup_guide.htm#Concepts">2.0 
+                         <li><a
-Shorewall      Concepts</a></li>
+ href="shorewall_setup_guide.htm#Concepts">2.0   Shorewall      Concepts</a></li>
-                     <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 
+                         <li><a
- Network     Interfaces</a></li>
+ href="shorewall_setup_guide.htm#Interfaces">3.0   Network     Interfaces</a></li>
-                     <li><a href="shorewall_setup_guide.htm#Addressing">4.0 
+                         <li><a
- Addressing,       Subnets  and Routing</a>                              
+ href="shorewall_setup_guide.htm#Addressing">4.0   Addressing,       Subnets
  and Routing</a>                                                       
    <ul>
-                       <li><a href="shorewall_setup_guide.htm#Addresses">4.1
+                           <li><a
-  IP  Addresses</a></li>
+ href="shorewall_setup_guide.htm#Addresses">4.1   IP  Addresses</a></li>
                                       <li><a
 href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
-                       <li><a href="shorewall_setup_guide.htm#Routing">4.3
+                           <li><a
- Routing</a></li>
+ href="shorewall_setup_guide.htm#Routing">4.3   Routing</a></li>
-                       <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
+                           <li><a href="shorewall_setup_guide.htm#ARP">4.4
-   Resolution      Protocol</a></li>
+ Address     Resolution      Protocol</a></li>
    </ul>
    <ul>
-                       <li><a href="shorewall_setup_guide.htm#RFC1918">4.5
+                           <li><a
- RFC   1918</a></li>
+ href="shorewall_setup_guide.htm#RFC1918">4.5   RFC   1918</a></li>
    </ul>
@ -101,23 +108,24 @@ Shorewall      Concepts</a></li>
  Setting     up  your   Network</a>                                    
    <ul>
-                       <li><a href="shorewall_setup_guide.htm#Routed">5.1 
+                           <li><a
-Routed</a></li>
+ href="shorewall_setup_guide.htm#Routed">5.1   Routed</a></li>
    </ul>
    <ul>
-                       <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
+                           <li><a
-  Non-routed</a>                                                        
+ href="shorewall_setup_guide.htm#NonRouted">5.2   Non-routed</a>         
        <ul>
-                         <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 
+                             <li><a
- SNAT</a></li>
+ href="shorewall_setup_guide.htm#SNAT">5.2.1    SNAT</a></li>
-                         <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 
+                             <li><a
- DNAT</a></li>
+ href="shorewall_setup_guide.htm#DNAT">5.2.2    DNAT</a></li>
                             <li><a
 href="shorewall_setup_guide.htm#ProxyARP">5.2.3    Proxy    ARP</a></li>
                             <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
@ -125,6 +133,7 @@ Routed</a></li>
        </ul>
                           </li>
                           <li><a href="shorewall_setup_guide.htm#Rules">5.3
@ -135,7 +144,8 @@ Rules</a></li>
    </ul>
                         </li>
-                     <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
+                         <li><a href="shorewall_setup_guide.htm#DNS">6.0
 DNS</a></li>
                         <li><a
 href="shorewall_setup_guide.htm#StartingAndStopping">7.0   Starting    and 
        Stopping the Firewall</a></li>
@ -146,12 +156,13 @@ Rules</a></li>
 <p>The following documentation covers a variety of topics and <b>supplements
           the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
-   described      above</b>. Please review the appropriate guide before trying
+     described      above</b>. Please review the appropriate guide before
-   to use this    documentation directly.</p>
+trying     to use this    documentation directly.</p>
 <ul>
-                     <li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased
+                         <li><a
-(virtual) Interfaces (e.g., eth0:0)</a><br>
+ href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces 
 (e.g., eth0:0)</a><br>
   </li>
   <li><a href="blacklisting_support.htm">Blacklisting</a>              
@ -163,8 +174,9 @@ Rules</a></li>
    </ul>
                         </li>
-                     <li><a href="configuration_file_basics.htm">Common configuration 
+                         <li><a href="configuration_file_basics.htm">Common 
-      file   features</a>                                                
+ configuration        file   features</a>                                
    <ul>
                           <li><a
@ -172,8 +184,8 @@ Rules</a></li>
   files</a></li>
                           <li><a
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
-                       <li><a href="configuration_file_basics.htm#Ports">Port 
+                           <li><a
-  Numbers/Service Names</a></li>
+ href="configuration_file_basics.htm#Ports">Port    Numbers/Service Names</a></li>
                           <li><a
 href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
                           <li><a
@ -187,14 +199,15 @@ Rules</a></li>
                           <li><a
 href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
 a test configuration)</a></li>
-                       <li><a href="configuration_file_basics.htm#MAC">Using
+                           <li><a
-  MAC Addresses in Shorewall</a></li>
+ href="configuration_file_basics.htm#MAC">Using    MAC Addresses in Shorewall</a></li>
    </ul>
                         </li>
-                     <li><a href="Documentation.htm">Configuration File Reference 
+                         <li><a href="Documentation.htm">Configuration File 
-    Manual</a>                                                           
+ Reference      Manual</a>                                               
    <ul>
                           <li>   <a href="Documentation.htm#Variables">params</a></li>
@ -232,7 +245,9 @@ a test configuration)</a></li>
                         <li><a href="dhcp.htm">DHCP</a></li>
                         <li><font color="#000099"><a
 href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code through the use of
 files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
 etc.)</li>
                         <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                         <li><a href="shorewall_firewall_structure.htm">Firewall
    Structure</a></li>
@ -242,12 +257,14 @@ to extend Shorewall without modifying Shorewall  code)</li>
            </li>
                         <li><a href="MAC_Validation.html">MAC Verification</a><br>
           </li>
-       <li><a href="myfiles.htm">My  Configuration Files</a> (How  I  personally 
+                                <li><a href="myfiles.htm">My Shorewall Configuration 
-      use Shorewall)</li>
+ (How I personally use Shorewall)</a><br>
     </li>
     <li><a href="ping.html">'Ping' Management</a><br>
             </li>
             <li><a href="ports.htm">Port Information</a>               
    <ul>
                           <li>Which applications use which ports</li>
                           <li>Ports used by Trojans</li>
@ -266,9 +283,10 @@ to extend Shorewall without modifying Shorewall  code)</li>
                   </li>
  </ul>
-                     <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
+                         <li><font color="#000099"><a href="NAT.htm">Static 
-     <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
+ NAT</a></font></li>
- with Shorewall</a><br>
+         <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
 Proxy    with Shorewall</a><br>
         </li>
                         <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
                         <li>VPN                                        
@ -293,15 +311,11 @@ List   Creation</a></li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M. 
   Eastep</font></a><br>
 </p>
 <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_setup_guide.htm
+++ b/STABLE/documentation/shorewall_setup_guide.htm
@ -65,11 +65,11 @@ more  about Shorewall than is contained in the  <a
  I  release -- I  suggest that you consider installing a stock Shorewall
 lrp  from the  shorewall.net site before you proceed.</p>
-<p>This guide assumes that you have the iproute/iproute2 package installed 
+<p>Shorewall requires that the iproute/iproute2 package be installed    (on
-  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
+ RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell  if 
-if  this  package is installed by the presence of an <b>ip</b> program on 
+this  package is installed by the presence of an <b>ip</b> program on  your
-your  firewall  system. As root, you can use the 'which' command to check 
+ firewall  system. As root, you can use the 'which' command to check  for
-for this  program:</p>
+this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -80,11 +80,12 @@ for this  program:</p>
       .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-          If you edit your configuration files on a Windows system, you must
+            If you edit your configuration files on a Windows system, you 
-  save them as  Unix files if your editor supports that option or you must
+must   save them as  Unix files if your editor supports that option or you 
- run them through  dos2unix before trying to use them with Shorewall. Similarly,
+must  run them through  dos2unix before trying to use them with Shorewall. 
-  if you copy a configuration file  from your Windows hard drive to a floppy
+Similarly,   if you copy a configuration file  from your Windows hard drive 
-  disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+to a floppy   disk, you must run dos2unix against the  copy before using it
 with Shorewall.</p>
 <ul>
          <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
@ -142,8 +143,8 @@ file.   In  this guide, the default name (<b>fw</b>) will be used.</p>
 <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning 
   to  zone names. Zones are entirely what YOU make of them. That means that 
-  you should  not expect Shorewall to do something special "because this is
+   you should  not expect Shorewall to do something special "because this 
-  the internet zone"  or "because that is the DMZ".</p>
+is   the internet zone"  or "because that is the DMZ".</p>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
           Edit the  /etc/shorewall/zones file and make any changes necessary.</p>
@ -175,8 +176,8 @@ packets.  With Shorewall, you:</p>
 zone   is what you       want for this client/server pair, you need do nothing 
 further.</li>
                <li>  If the POLICY is not what you want, then you must add 
-a  rule.  That rule       is expressed in terms of the client's zone and the
+ a  rule.  That rule       is expressed in terms of the client's zone and 
- server's  zone.</li>
+the  server's  zone.</li>
 </ol>
@ -184,15 +185,15 @@ a  rule.  That rule       is expressed in terms of the client's zone and the
 to the   firewall and are also allowed from the firewall to zone B <font
 color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed 
   from zone A to zone  B</u></b></font>.   It rather means that you can have
-  a proxy running on the firewall that accepts   a connection from zone A 
+   a proxy running on the firewall that accepts   a connection from zone
-and  then establishes its own separate connection from   the firewall to zone
+A  and  then establishes its own separate connection from   the firewall to
-B.</p>
+zone B.</p>
 <p>For each connection request entering the firewall, the request is first 
    checked against the /etc/shorewall/rules file. If no rule in that file 
 matches   the connection request then the first policy in /etc/shorewall/policy 
-that   matches the request is applied. If that policy is REJECT or DROP  the
+ that   matches the request is applied. If that policy is REJECT or DROP  
- request  is first checked against the rules in /etc/shorewall/common.def.</p>
+the  request  is first checked against the rules in /etc/shorewall/common.def.</p>
 <p>The default /etc/shorewall/policy file  has the  following policies:</p>
@ -238,9 +239,10 @@ that   matches the request is applied. If that policy is REJECT or DROP
 <ol>
          <li>allow all connection requests from your local network to the
 internet</li>
-        <li>drop (ignore) all connection requests from the internet to your 
+          <li>drop (ignore) all connection requests from the internet to
- firewall     or local network and log a message at the <i>info</i> level 
+your   firewall     or local network and log a message at the <i>info</i>
-(<a href="shorewall_logging.html">here</a> is a description of log levels).</li>
+level  (<a href="shorewall_logging.html">here</a> is a description of log
 levels).</li>
          <li>reject all other connection requests and log a message at the 
     <i>info</i>      level. When a request is rejected, the firewall will 
 return an RST (if   the    protocol is TCP) or an ICMP port-unreachable packet
@ -261,9 +263,9 @@ for other protocols.</li>
 <p align="left">In this diagram:</p>
 <ul>
-        <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used 
+          <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is
- to  isolate your  internet-accessible servers from your local systems so 
+used   to  isolate your  internet-accessible servers from your local systems
-that  if one of those  servers is compromised, you still have the firewall 
+so  that  if one of those  servers is compromised, you still have the firewall 
 between  the compromised  system and your local systems. </li>
          <li>The Local Zone consists of systems Local 1, Local 2 and Local 
 3.    </li>
@ -277,8 +279,8 @@ between  the compromised  system and your local systems. </li>
       </p>
 <p align="left">The simplest way to define zones is to simply associate the 
-  zone  name (previously defined in /etc/shorewall/zones) with a network interface.
+   zone  name (previously defined in /etc/shorewall/zones) with a network 
-  This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
+interface.   This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
    file.</p>
 <p align="left">The firewall illustrated above has three network interfaces. 
@ -286,35 +288,35 @@ between  the compromised  system and your local systems. </li>
    Interface</i> will be the Ethernet adapter that is connected to that "Modem"
    (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
   <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
-  <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
+   <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External 
-  will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular
+Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
-  modem, your External  Interface will also be <b>ppp0</b>. If you connect
+a regular   modem, your External  Interface will also be <b>ppp0</b>. If
- using ISDN, you external  interface will be <b>ippp0.</b></p>
+you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
           If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then
-you   will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf">
+ you   will want to set  CLAMPMSS=yes in <a
-/etc/shorewall/shorewall.conf.</a></p>
+ href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0, 
    eth1 or eth2) and will be connected to a hub or switch. Your local computers 
-   will be connected to the same switch (note: If you have only a single local
+    will be connected to the same switch (note: If you have only a single 
-  system,  you can connect the firewall directly to the computer using a
+local   system,  you can connect the firewall directly to the computer using 
-<i>cross-over   </i> cable).</p>
+a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter 
   (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
- computers will  be connected to the same switch (note: If you have only a
+  computers will  be connected to the same switch (note: If you have only 
- single DMZ system,  you can connect the firewall directly to the computer 
+a  single DMZ system,  you can connect the firewall directly to the computer 
  using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-     </b></u>Do not connect more than one interface  to the same hub or switch 
+       </b></u>Do not connect more than one interface  to the same hub or 
-  (even for testing). It won't work the way that you  expect it to and you 
+switch    (even for testing). It won't work the way that you  expect it to 
- will end up confused and believing that Linux networking doesn't work at 
+and you   will end up confused and believing that Linux networking doesn't 
-all.</p>
+work at  all.</p>
 <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -450,10 +452,10 @@ many times as necessary.</p>
 <h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
 <p align="left">Normally, your ISP will assign you a set of <i> Public</i> 
-  IP addresses. You will configure your firewall's external interface to use
+   IP addresses. You will configure your firewall's external interface to 
-   one of those addresses permanently and you will then have to decide how
+use    one of those addresses permanently and you will then have to decide 
- you are  going to use the rest of your addresses. Before we tackle that question
+how  you are  going to use the rest of your addresses. Before we tackle that 
-  though, some  background is in order.</p>
+question   though, some  background is in order.</p>
 <p align="left">If you are thoroughly familiar with IP addressing and routing, 
    you may <a href="#Options">go to the next section</a>.</p>
@ -537,15 +539,15 @@ that  you are likely to work with will understand CIDR and Class-based networkin
 <p align="left">As you can see by this definition, in each subnet of size 
   <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that can
-  be assigned to    hosts). The first and last address in the subnet are used
+   be assigned to    hosts). The first and last address in the subnet are
-  for the subnet    address and subnet broadcast address respectively. Consequently,
+used   for the subnet    address and subnet broadcast address respectively. 
-  small    subnetworks are more wasteful of IP addresses than are large ones.
+Consequently,   small    subnetworks are more wasteful of IP addresses than 
-  </p>
+are large ones.   </p>
 <p align="left">Since <b>n</b> is a power of two, we can easily calculate 
-  the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more common
+   the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more 
-  subnet sizes, the size and its natural logarithm are given in the    following
+common   subnet sizes, the size and its natural logarithm are given in the 
-  table:</p>
+   following   table:</p>
 <blockquote>                        
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -742,8 +744,9 @@ subnet mask  has 26 leading one bits:</p>
 <p align="left">The subnet mask has the property that if you logically AND 
   the    subnet mask with an address in the subnet, the result is the subnet 
   address.    Just as important, if you logically AND the subnet mask with 
- an address    outside the subnet, the result is NOT the subnet address. As
+  an address    outside the subnet, the result is NOT the subnet address. 
- we will see    below, this property of subnet masks is very useful in routing.</p>
+As  we will see    below, this property of subnet masks is very useful in 
 routing.</p>
 <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose 
      Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as
@ -827,7 +830,7 @@ to VLSM <b>/v</b>.</p>
 <h3 align="left"><a name="Routing"></a>4.3 Routing</h3>
 <p align="left">One of the purposes of subnetting is that it forms the basis 
-   for routing. Here's the routing table on <a href="myfiles.htm">my firewall</a>:</p>
+    for routing. Here's the routing table on my firewall:</p>
 <div align="left">          
 <blockquote>                          
@ -838,12 +841,12 @@ to VLSM <b>/v</b>.</p>
 <p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in 
   the  Dallas, Texas area.<br>
        <br>
-      The first three routes are <i>host routes</i> since they indicate how 
+        The first three routes are <i>host routes</i> since they indicate 
- to  get to  a single host. In the 'netstat' output this can be seen by the 
+how   to  get to  a single host. In the 'netstat' output this can be seen 
- "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column. 
+by the   "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags
- The remainder  are 'net' routes since they tell the  kernel how to route 
+column.   The remainder  are 'net' routes since they tell the  kernel how
-packets to a subnetwork.  The last route is the <i>default  route</i> and 
+to route  packets to a subnetwork.  The last route is the <i>default  route</i>
-the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
+and  the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
 <p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
 it starts at the top of the routing table and:</p>
@ -863,10 +866,12 @@ the  table entry.</p>
    <ul>
            <li>                                                        
        <p align="left">If the 'Gateway' column is non-zero, the packet is 
   sent to the  gateway over the interface named in the 'Iface' column.</p>
            </li>
            <li>                                                        
        <p align="left">Otherwise, the packet is sent directly to <b>A </b>over 
   the  interface named in the 'iface' column.</p>
            </li>
@ -887,8 +892,8 @@ at your  ISP.</p>
 <p align="left">Lets take an example. Suppose that we want to route a packet 
   to  192.168.1.5. That address clearly doesn't match any of the host routes 
-  in the  table but if we logically and that address with 255.255.255.0, the
+   in the  table but if we logically and that address with 255.255.255.0, 
-  result is  192.168.1.0 which matches this routing table entry:</p>
+the   result is  192.168.1.0 which matches this routing table entry:</p>
 <div align="left">          
 <blockquote>                          
@ -901,19 +906,19 @@ at your  ISP.</p>
 <p align="left">One more thing needs to be emphasized -- all outgoing packet 
   are  sent using the routing table and reply packets are not a special case.
   There  seems to be a common mis-conception whereby people think that request
-  packets  are like salmon and contain a genetic code that is magically transferred 
+   packets  are like salmon and contain a genetic code that is magically
-  to  reply packets so that the replies follow the reverse route taken by 
+transferred    to  reply packets so that the replies follow the reverse route
-the  request.  That isn't the case; the replies may take a totally different 
+taken by  the  request.  That isn't the case; the replies may take a totally
-route  back to the  client than was taken by the requests -- they are totally 
+different  route  back to the  client than was taken by the requests -- they
-independent.</p>
+are totally  independent.</p>
 <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
 <p align="left">When sending packets over Ethernet, IP addresses aren't used. 
    Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC) 
    addresses. Each Ethernet device has it's own unique  MAC address which 
-is   burned into a PROM on the device during manufacture. You can obtain the
+ is   burned into a PROM on the device during manufacture. You can obtain 
-MAC of  an Ethernet device using the 'ip' utility:</p>
+the MAC of  an Ethernet device using the 'ip' utility:</p>
 <blockquote>                        
  <div align="left">                          
@ -959,11 +964,11 @@ with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
        </blockquote>
 <p align="left">The leading question marks are a result of my having specified 
-   the 'n' option (Windows 'arp' doesn't allow that option) which causes the
+    the 'n' option (Windows 'arp' doesn't allow that option) which causes 
-  'arp'  program to forego IP-&gt;DNS name translation. Had I not given that
+the   'arp'  program to forego IP-&gt;DNS name translation. Had I not given 
-  option, the  question marks would have been replaced with the FQDN corresponding
+that   option, the  question marks would have been replaced with the FQDN 
-  to each IP  address. Notice that the last entry in the table records the
+corresponding   to each IP  address. Notice that the last entry in the table 
- information we saw  using tcpdump above.</p>
+records the  information we saw  using tcpdump above.</p>
 <h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
@ -1036,9 +1041,9 @@ your  ISP will    handle that set of addresses in one of two ways:</p>
            <li>                                      
    <p align="left"><b>Routed - </b>Traffic to any of your addresses will 
   be    routed through a single <i>gateway address</i>. This will generally 
-  only be    done if your ISP has assigned you a complete subnet (/29 or larger).
+   only be    done if your ISP has assigned you a complete subnet (/29 or 
-  In this    case, you will assign the gateway address as the IP address
+larger).   In this    case, you will assign the gateway address as the IP 
-of   your    firewall/router's external interface.     </p>
+address of   your    firewall/router's external interface.     </p>
         </li>
         <li>                                      
    <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each 
@ -1058,8 +1063,8 @@ of   your    firewall/router's external interface.     </p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
          If you are using the Debian package, please check your shorewall.conf
-  file to ensure that the following are set correctly; if they are not, change
+   file to ensure that the following are set correctly; if they are not,
-  them appropriately:<br>
+change    them appropriately:<br>
       </p>
 <ul>
@ -1080,8 +1085,8 @@ of   your    firewall/router's external interface.     </p>
      192.0.2.64 - 192.0.2.79 and that your firewall's external IP address 
 is     192.0.2.65. Your ISP has also told you that you should use a netmask 
 of     255.255.255.0 (so your /28 is part of a larger /24). With this many 
-IP     addresses, you are able to subnet your /28 into two /29's and set up
+ IP     addresses, you are able to subnet your /28 into two /29's and set 
-your     network as shown in the following diagram.</p>
+up your     network as shown in the following diagram.</p>
       </div>
 <div align="left">          
@ -1099,12 +1104,12 @@ be    configured to 192.0.2.66 and the default gateway for hosts in the local
 <div align="left">          
 <p align="left">Notice that this arrangement is rather wasteful of public 
-  IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses,
+   IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet 
-     192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66
+addresses,      192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and
-  and    168.0.2.73 for internal addresses on the firewall/router. Nevertheless,
+192.0.2.66   and    168.0.2.73 for internal addresses on the firewall/router. 
-  it    shows how subnetting can work and if we were dealing with a /24 rather
+Nevertheless,   it    shows how subnetting can work and if we were dealing 
-  than a    /28 network, the use of 6 IP addresses out of 256 would be justified
+with a /24 rather   than a    /28 network, the use of 6 IP addresses out of
-  because    of the simplicity of the setup.</p>
+256 would be justified   because    of the simplicity of the setup.</p>
       </div>
 <div align="left">          
@ -1123,10 +1128,10 @@ routing  table on    DMZ 1 will look like this:</p>
 <div align="left">          
 <p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65" 
      request and no device on the DMZ Ethernet segment has that IP address. 
-  Oddly    enough, the firewall will respond to the request with the MAC address
+   Oddly    enough, the firewall will respond to the request with the MAC 
-  of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames addressed
+address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames 
-  to that    MAC address and the frames will be received (correctly) by the
+addressed   to that    MAC address and the frames will be received (correctly) 
-  firewall/router.</p>
+by the   firewall/router.</p>
       </div>
 <div align="left">          
@ -1135,8 +1140,8 @@ routing  table on    DMZ 1 will look like this:</p>
   connecting of multiple firewall/router interfaces to the same hub or switch.
   When an ARP request for one of the firewall/router's IP addresses is sent
 by    another system connected to the hub/switch, all    of the firewall's 
-  interfaces that connect to the hub/switch can respond! It    is then a race
+   interfaces that connect to the hub/switch can respond! It    is then a 
-  as to which "here-is" response reaches the sender first.</p>
+race   as to which "here-is" response reaches the sender first.</p>
       </div>
 <div align="left">          
@ -1203,16 +1208,17 @@ problem.</p>
 <p align="left">With SNAT, an internal LAN segment is configured using RFC 
   1918    addresses. When a host <b>A </b>on this internal segment initiates 
   a    connection to host <b>B</b> on the internet, the firewall/router rewrites
-  the    IP header in the request to use one of your public IP addresses as
+   the    IP header in the request to use one of your public IP addresses
-  the source    address. When <b>B</b> responds and the response is received 
+as   the source    address. When <b>B</b> responds and the response is received
-  by the firewall,    the firewall changes the destination address back to 
+   by the firewall,    the firewall changes the destination address back
- the RFC 1918 address of   <b>A</b> and forwards the response back to <b>A.</b></p>
+to   the RFC 1918 address of   <b>A</b> and forwards the response back to
 <b>A.</b></p>
       </div>
 <div align="left">          
 <p align="left">Let's suppose that you decide to use SNAT on your local zone 
-     and use public address 192.0.2.176 as both your firewall's external IP
+      and use public address 192.0.2.176 as both your firewall's external 
-  address    and the source IP address of internet requests sent from that
+IP   address    and the source IP address of internet requests sent from that
 zone.</p>
       </div>
@ -1262,9 +1268,9 @@ problem.</p>
 <div align="left">          
 <p align="left">This example used the normal technique of assigning the same 
-     public IP address for the firewall external interface and for SNAT. If
+      public IP address for the firewall external interface and for SNAT. 
-  you    wanted to use a different IP address, you would either have to use
+If   you    wanted to use a different IP address, you would either have to 
-  your    distributions network configuration tools to add that IP address 
+use   your    distributions network configuration tools to add that IP address 
  to the    external interface or you could set ADD_SNAT_ALIASES=Yes in  
 /etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
       </div>
@ -1275,9 +1281,9 @@ problem.</p>
 <div align="left">          
 <p align="left">When SNAT is used, it is impossible for hosts on the internet 
-     to initiate a connection to one of the internal systems since those systems
+      to initiate a connection to one of the internal systems since those 
-  do    not have a public IP address. DNAT provides a way to allow selected
+systems   do    not have a public IP address. DNAT provides a way to allow 
-     connections from the internet.</p>
+selected      connections from the internet.</p>
       </div>
 <div align="left">          
@ -1440,8 +1446,8 @@ will     probably be HOURS before that system can communicate with the internet.
     </p>
 <ol>
-    <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
+      <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
- Vol 1</i> reveals that a <br>
+Illustrated,   Vol 1</i> reveals that a <br>
        <br>
    "gratuitous" ARP packet should cause the ISP's router to refresh their
 ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the
@ -1461,18 +1467,19 @@ iputils package include "arping", whose "-U" flag does just that:<br>
  IP&gt;</b></font><br>
         <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
         <br>
-   Stevens goes on to mention that not all systems respond correctly to gratuitous 
+     Stevens goes on to mention that not all systems respond correctly to 
- ARPs, but googling for "arping -U" seems to support the idea that it works 
+gratuitous   ARPs, but googling for "arping -U" seems to support the idea 
- most of the time.<br>
+that it works   most of the time.<br>
         <br>
       </li>
      <li>You    can call your ISP and ask them to purge the stale ARP cache
  entry but many    either can't or won't purge individual entries.</li>
 </ol>
-   You can determine if your    ISP's gateway ARP cache is stale using ping
+     You can determine if your    ISP's gateway ARP cache is stale using
- and tcpdump. Suppose that we    suspect that the gateway router has a stale
+ping   and tcpdump. Suppose that we    suspect that the gateway router has
- ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
+a stale   ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump
 as follows:</div>
 <div align="left">       
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
@ -1554,9 +1561,10 @@ your daughter's   web    server running on system Local 3.</p>
 <div align="left">          
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-            Suppose now that you have decided to give your daughter her own 
+              Suppose now that you have decided to give your daughter her 
- IP  address    (192.0.2.179) for both inbound and outbound connections. You
+own   IP  address    (192.0.2.179) for both inbound and outbound connections. 
- would  do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
+You  would  do that by    adding an entry in <a
 href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
       </div>
 <div align="left">          
@ -1592,8 +1600,8 @@ your daughter's   web    server running on system Local 3.</p>
 <div align="left">          
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-            Once the relationship between 192.0.2.179 and 192.168.201.4 is
+              Once the relationship between 192.0.2.179 and 192.168.201.4 
- established  by    the nat file entry above, it is no longer    appropriate
+is  established  by    the nat file entry above, it is no longer    appropriate
  to use a DNAT  rule for you daughter's web server -- you would    rather
 just use an ACCEPT  rule:</p>
       </div>
@ -1639,7 +1647,8 @@ access   any    servers on the internet and the DMZ can't access any other
 host (including   the    firewall). With the exception of <a
 href="#DNAT">DNAT rules</a> which   cause    address translation and allow 
 the translated connection request  to pass    through the firewall, the way
-to allow connection requests through   your    firewall is to use ACCEPT rules.</p>
+ to allow connection requests through   your    firewall is to use ACCEPT 
 rules.</p>
       </div>
 <div align="left">          
@ -1939,8 +1948,9 @@ subnet    needs to have it's own public IP.
              If you haven't already, it would be a good idea to browse through
     <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just 
   to see    if there is anything there that might be of interest. You might 
-  also want to    look at the other configuration files that you haven't touched
+   also want to    look at the other configuration files that you haven't 
-  yet just to get    a feel for the other things that Shorewall can do.</p>
+touched   yet just to get    a feel for the other things that Shorewall can 
 do.</p>
       </div>
 <div align="left">          
@ -1990,10 +2000,10 @@ subnet    needs to have it's own public IP.
 <div align="left">          
 <p align="left">The setup described here requires that your network interfaces 
-     be brought up before Shorewall can start. This opens a short window during
+      be brought up before Shorewall can start. This opens a short window 
-     which you have no firewall protection. If you replace 'detect' with
+during      which you have no firewall protection. If you replace 'detect' 
-the   actual    broadcast addresses in the entries above, you can bring up
+with the   actual    broadcast addresses in the entries above, you can bring 
-Shorewall   before    you bring up your network interfaces.</p>
+up Shorewall   before    you bring up your network interfaces.</p>
       </div>
 <div align="left">          
@ -2340,9 +2350,9 @@ servers.    You can  combine the two into a single BIND 9 server using <i>Views.
 <div align="left">          
 <p align="left">Suppose that your domain is foobar.net and you want the two 
      DMZ systems named www.foobar.net and mail.foobar.net and you want the 
- three    local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
+  three    local systems named "winken.foobar.net, blinken.foobar.net and 
-     You want your firewall to be known as firewall.foobar.net externally
+nod.foobar.net.      You want your firewall to be known as firewall.foobar.net 
-and  it's    interface to the local network to be know as gateway.foobar.net 
+externally and  it's    interface to the local network to be know as gateway.foobar.net 
 and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS server 
  on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
       </div>
@ -2496,7 +2506,7 @@ systems   that you    want to be able to access the firewall when it is stopped.
  try" command</a>.</p>
       </div>
-<p align="left"><font size="2">Last updated 2/13/2003 - <a
+<p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
@ -2507,5 +2517,7 @@ systems   that you    want to be able to access the firewall when it is stopped.
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@ -50,7 +50,7 @@
 src="images/washington.jpg" border="0">
                                                </a></i></font><font
- color="#ffffff">Shorewall           1.3     -               <font
+ color="#ffffff">Shorewall           1.4     -               <font
 size="4">"<i>iptables                   made  easy"</i></font></font><a
 href="http://www.sf.net">                  </a></h1>
@ -64,8 +64,9 @@
-      <div align="center"><a href="/1.2/index.html" target="_top"><font
+           
- color="#ffffff">Shorewall 1.2 Site here</font></a></div>
+      <div align="center"><a href="/1.3/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.3 Site here</font></a></div>
                   </td>
                                                                     </tr>
@ -73,6 +74,7 @@
  </tbody>                                                               
 </table>
@ -103,6 +105,7 @@
      <h2 align="left">What is it?</h2>
@ -120,8 +123,8 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is 
           a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) 
     based      firewall        that can be used on a dedicated firewall system,
-   a multi-function             gateway/router/server or on a standalone GNU/Linux
+     a multi-function             gateway/router/server or on a standalone 
-   system.</p>
+ GNU/Linux    system.</p>
@ -136,8 +139,8 @@
      <p>This program is free software; you can redistribute it and/or modify 
-                                                    it        under the terms 
+                                                      it        under the 
-    of         <a href="http://www.gnu.org/licenses/gpl.html">Version    
+terms      of         <a href="http://www.gnu.org/licenses/gpl.html">Version 
       2 of  the GNU General Public License</a> as published by the Free Software
           Foundation.<br>
@ -146,16 +149,16 @@
                                               This   program     is  distributed 
          in   the     hope     that     it   will     be  useful,    but 
        WITHOUT    ANY      WARRANTY;      without      even the   implied 
-  warranty       of MERCHANTABILITY                or  FITNESS    FOR   A
+    warranty       of MERCHANTABILITY                or  FITNESS    FOR  
- PARTICULAR       PURPOSE.        See the    GNU General     Public  License
+A  PARTICULAR       PURPOSE.        See the    GNU General     Public  License
               for   more details.<br>
                                                    <br>
                                               You   should    have   received
       a   copy     of   the     GNU     General         Public      License 
-             along     with    this   program;       if  not,    write  to
+               along     with    this   program;       if  not,    write 
-   the    Free Software           Foundation,              Inc.,  675   
+to    the    Free Software           Foundation,              Inc.,  675 
   Mass   Ave,  Cambridge,   MA    02139,       USA</p>
@ -187,16 +190,16 @@
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                            </a>Jacques              Nilo 
+                                                </a>Jacques             
-  and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway 
+Nilo     and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway 
           on  a  floppy,    CD    or compact     flash)  distribution   
    called                 <i>Bering</i>          that          features 
    Shorewall-1.3.14      and    Kernel-2.4.20.          You    can  find 
    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                                                    <b>Congratulations to 
+                                                        <b>Congratulations
-Jacques     and   Eric   on  the   recent    release     of  Bering  1.1!!! 
+ to  Jacques     and   Eric   on  the   recent    release     of  Bering
-      <br>
+ 1.1!!!        <br>
                                                        </b>            
@ -219,22 +222,24 @@ Jacques     and   Eric   on  the   recent    release     of  Bering  1.1!!!
-      <p><b>3/7/2003 - Shorewall 1.4.0 RC2  </b><b>       </b><b><img
+      <p><b>3/17/2003 - Shorewall 1.4.0  </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b><b>                  </b></p>
                                                        Shorewall 1.4 represents
-  the  next  step in the evolution of Shorewall. The main thrust of the initial
+    the  next  step in the evolution of Shorewall. The main thrust of the
-  release  is simply to remove the cruft that has accumulated in Shorewall
+initial    release  is simply to remove the cruft that has accumulated in
- over time.       <br>
+Shorewall   over time.       <br>
            <br>
            <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
    ('ip' utility).</b><br>
            <br>
-            Function from 1.3 that has been omitted from this version include:<br>
+                Function from 1.3 that has been omitted from this version 
 include:<br>
      <ol>
-                      <li>The MERGE_HOSTS variable in shorewall.conf is no
+        <li>The MERGE_HOSTS variable in shorewall.conf is  no  longer supported.
- longer supported.    Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+   Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
                  <br>
                </li>
        <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;  
@ -251,20 +256,20 @@ Jacques     and   Eric   on  the   recent    release     of  Bering  1.1!!!
   an error at startup if specified.<br>
                  <br>
                </li>
-             <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
+        <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is  no 
-no  longer   accepted.<br>
+longer   accepted.<br>
                  <br>
                </li>
-             <li>The ALLOWRELATED variable in shorewall.conf is no longer 
+        <li>The ALLOWRELATED variable in shorewall.conf is no longer   supported.
-supported.     Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+    Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
                <br>
              </li>
        <li>The icmp.def file has been removed.<br>
              </li>
      </ol>
                Changes for 1.4 include:<br>
      <ol>
        <li>The /etc/shorewall/shorewall.conf file has been completely  
 reorganized    into logical sections.<br>
@ -305,14 +310,47 @@ may  now be turned off on a host or network basis using the new /etc/shorewall/e
            <br>
          </li>
        <li>The /etc/shorewall/params file is now processed first so  that
- variables may be used in the /etc/shorewall/shorewall.conf file.</li>
+  variables may be used in the /etc/shorewall/shorewall.conf file.<br>
-                                       
+            <br>
          </li>
        <li value="10">Shorewall now gives a more helpful diagnostic when
 the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
 command is issued.<br>
       <br>
     </li>
        <li>The SHARED_DIR variable has been removed from shorewall.conf.
 This variable was for use by package maintainers and was not documented
 for  general use.<br>
       <br>
     </li>
        <li>Shorewall now ignores 'default' routes when detecting masq'd
 networks.<br>
     </li>
      </ol>
-   You may download the Release Candidate from:<br>
+      <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
      <p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
      <p>A roleup of the following bug fixes and other updates:</p>
      <ul>
           <li>There is an updated rfc1918 file that reflects the resent
 allocation  of 222.0.0.0/8 and  223.0.0.0/8. </li>
         <li>The documentation for the routestopped file claimed that a comma-separated 
    list could appear in the second column while the code only supported a
 single   host or network address. </li>
         <li>Log messages produced by 'logunclean' and 'dropunclean' were 
 not  rate-limited. </li>
         <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
 don't  support the 'maclist' interface option. </li>
         <li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
         <li>The firewall fails to start in the case where you have "eth0 
 eth1" in /etc/shorewall/masq and the default route is through eth1      
        </li>
      </ul>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
      <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
    </blockquote>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                  </b></p>
@ -325,16 +363,16 @@ may  now be turned off on a host or network basis using the new /etc/shorewall/e
       When   set to Yes, Shorewall ping handling is as it has always been
 (see     http://www.shorewall.net/ping.html).<br>
                       <br>
-               When OLD_PING_HANDLING=No, icmp echo (ping) is handled via 
+                   When OLD_PING_HANDLING=No, icmp echo (ping) is handled 
-rules    and   policies   just like any other connection request. The FORWARDPING=Yes 
+via   rules    and   policies   just like any other connection request. The 
-   option   in shorewall.conf   and the 'noping' and 'filterping' options 
+FORWARDPING=Yes      option   in shorewall.conf   and the 'noping' and 'filterping' 
-in   /etc/shorewall/interfaces   will   all generate an error.<br>
+options   in   /etc/shorewall/interfaces   will   all generate an error.<br>
                       <br>
                     </li>
-                  <li>It is now possible to direct Shorewall to create a
+                      <li>It is now possible to direct Shorewall to create
-"label"     such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+ a  "label"     such   as   "eth0:0" for IP addresses that it creates under
-    and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
+ ADD_IP_ALIASES=Yes      and  ADD_SNAT_ALIASES=Yes.  This is done by specifying
-   of just  the interface name:<br>
+ the label instead     of just  the interface name:<br>
                    <br>
                      a) In the INTERFACE column of /etc/shorewall/masq<br>
                      b) In the INTERFACE column of /etc/shorewall/nat<br>
@ -342,24 +380,25 @@ in   /etc/shorewall/interfaces   will   all generate an error.<br>
                      <li>Support for OpenVPN Tunnels.<br>
                   <br>
               </li>
-                  <li>Support for VLAN devices with names of the form $DEV.$VID 
+                      <li>Support for VLAN devices with names of the form 
-   (e.g.,  eth0.0)<br>
+$DEV.$VID      (e.g.,  eth0.0)<br>
                      <br>
                    </li>
-                <li>In /etc/shorewall/tcrules, the MARK value may be optionally
+                    <li>In /etc/shorewall/tcrules, the MARK value may be
-   followed by ":" and either 'F' or 'P' to designate that the marking will
+optionally      followed by ":" and either 'F' or 'P' to designate that the
-  occur in the FORWARD or PREROUTING chains respectively. If this additional
+marking will     occur in the FORWARD or PREROUTING chains respectively.
-  specification is omitted, the chain used to mark packets will be determined
+If this additional     specification is omitted, the chain used to mark packets
-  by the setting of the MARK_IN_FORWARD_CHAIN option in <a
+will be determined     by the setting of the MARK_IN_FORWARD_CHAIN option
- href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                   <br>
                 </li>
-                  <li>When an interface name is entered in the SUBNET column
+                      <li>When an interface name is entered in the SUBNET 
-  of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded traffic 
+column    of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded
-   from  only the first subnet   defined on that interface. It did not masquerade
+ traffic     from  only the first subnet   defined on that interface. It
-    traffic from:<br>
+did  not masquerade      traffic from:<br>
                    <br>
-                  a) The subnets associated with other addresses on the interface.<br>
+                      a) The subnets associated with other addresses on the 
 interface.<br>
                      b) Subnets accessed through local routers.<br>
                    <br>
                   Beginning with Shorewall 1.3.14, if you enter an interface 
@ -381,12 +420,12 @@ table   to construct   the masquerading/SNAT rules.<br>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                    <br>
-               When upgrading to Shorewall 1.3.14, if you have multiple local 
+                   When upgrading to Shorewall 1.3.14, if you have multiple 
-  subnets     connected  to an interface that is specified in the SUBNET column
+ local    subnets     connected  to an interface that is specified in the 
-  of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq file will
+SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq 
-need  changing.   In most cases, you  will simply be able to remove redundant
+file will need  changing.   In most cases, you  will simply be able to remove 
-entries.  In some  cases though, you  might want to change from using the
+redundant entries.  In some  cases though, you  might want to change from 
-interface  name to listing specific subnetworks  if the change described
+using the interface  name to listing specific subnetworks  if the change described
 above will cause masquerading  to occur on subnetworks  that you don't wish
 to masquerade.<br>
                    <br>
@ -401,10 +440,11 @@ to masquerade.<br>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                    <br>
-                  In this case, the second entry in /etc/shorewall/masq is
+                      In this case, the second entry in /etc/shorewall/masq 
- no  longer    required.<br>
+ is  no  longer    required.<br>
                    <br>
-               Example 3 -- What if your current configuration is like this?<br>
+                   Example 3 -- What if your current configuration is like
 this?<br>
                    <br>
@ -415,8 +455,8 @@ to masquerade.<br>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                    <br>
-                  In this case, you would want to change the entry in  /etc/shorewall/masq 
+                      In this case, you would want to change the entry in 
-       to:<br>
+ /etc/shorewall/masq         to:<br>
@ -429,11 +469,10 @@ to masquerade.<br>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
                      </b></p>
-              Webmin version 1.060 now has Shorewall support included as
+                  Webmin version 1.060 now has Shorewall support included 
-standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>
+as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>
        <b>      </b>                                                   
      <p><b></b></p>
@ -452,6 +491,7 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
      </ul>
@ -461,6 +501,7 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
      <p><a href="News.htm">More News</a></p>
@ -501,6 +542,7 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
@ -526,6 +568,7 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
  </tbody>                                                               
 </table>
@ -574,6 +617,7 @@ standard.      See        <a href="http://www.webmin.com">http://www.webmin.com<
      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                                                      to       <a
@ -596,12 +640,10 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                <br>
 </p>
 <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/standalone.htm
+++ b/STABLE/documentation/standalone.htm
@ -43,7 +43,7 @@
 </ul>
-<p>This guide assumes that you have the iproute/iproute2 package installed 
+<p>Shorewall requires that you have the iproute/iproute2 package installed
   (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
 if  this  package is installed by the presence of an <b>ip</b> program on
 your  firewall  system. As root, you can use the 'which' command to check
@ -58,11 +58,11 @@ for this  program:</p>
      .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-          If you edit your configuration files on a Windows system, you must
+           If you edit your configuration files on a Windows system, you
-  save them as  Unix files if your editor supports that option or you must
+must   save them as  Unix files if your editor supports that option or you
- run them through  dos2unix before trying to use them. Similarly, if you
+must  run them through  dos2unix before trying to use them. Similarly, if
-copy  a configuration file  from your Windows hard drive to a floppy disk,
+you copy  a configuration file  from your Windows hard drive to a floppy
-you must run dos2unix against the  copy before using it with Shorewall.</p>
+disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
         <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -77,8 +77,8 @@ you must run dos2unix against the  copy before using it with Shorewall.</p>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
      The configuration files for Shorewall are contained in the directory
- /etc/shorewall -- for simple setups, you  only need to deal with a few of
+  /etc/shorewall -- for simple setups, you  only need to deal with a few
-  these as described in this guide.  After you have <a
+of   these as described in this guide.  After you have <a
 href="Install.htm">installed  Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, 
 un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
@ -90,8 +90,8 @@ you must run dos2unix against the  copy before using it with Shorewall.</p>
   and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a
-  set of  <i>zones.</i> In the one-interface sample configuration, only one 
+   set of  <i>zones.</i> In the one-interface sample configuration, only
-  zone is  defined:</p>
+one    zone is  defined:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -129,11 +129,11 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
   checked against the  /etc/shorewall/rules file. If no rule in that file
 matches  the connection  request then the first policy in /etc/shorewall/policy
 that  matches the    request is applied. If that policy is REJECT or DROP 
-the request is first  checked against the rules in /etc/shorewall/common (the
+ the request is first  checked against the rules in /etc/shorewall/common
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample has
+<p>The /etc/shorewall/policy file included with the one-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -191,21 +191,21 @@ catchall      policy).</li>
 <p align="left">The firewall has a single network interface. Where Internet
    connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-   will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
+    will be the ethernet adapter (<b>eth0</b>) that is connected to that
-   <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
+"Modem"     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
-   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
+<u>P</u>rotocol     over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-   <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
+<u>T</u>unneling    <u>P</u>rotocol </i>(PPTP) in which case the External
- a <b>ppp0</b>. If you connect via a regular modem, your External  Interface 
+Interface will be  a <b>ppp0</b>. If you connect via a regular modem, your
-  will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
+External  Interface    will also be <b>ppp0</b>. If you connect using ISDN,
-  will be<b> ippp0.</b></p>
+your external  interface    will be<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
-         The Shorewall one-interface sample configuration assumes that  the 
+          The Shorewall one-interface sample configuration assumes that 
- external  interface is <b>eth0</b>.  If your configuration is different, 
+the   external  interface is <b>eth0</b>.  If your configuration is different,
 you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
- While you  are there, you may wish to  review the list of options that are 
+  While you  are there, you may wish to  review the list of options that
- specified  for the interface. Some hints:</p>
+are   specified  for the interface. Some hints:</p>
 <ul>
         <li>                                 
@ -214,8 +214,8 @@ you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
        </li>
        <li>                                 
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
-  or if you have a static IP    address, you can remove "dhcp" from the option 
+   or if you have a static IP    address, you can remove "dhcp" from the
-  list. </p>
+option    list. </p>
        </li>
 </ul>
@ -241,8 +241,8 @@ you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
              Before starting Shorewall, you should look at the IP address
-of  your external    interface and if it is one of the above ranges, you should
+ of  your external    interface and if it is one of the above ranges, you
- remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+should  remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
      </div>
 <div align="left">         
@ -284,8 +284,8 @@ of  your external    interface and if it is one of the above ranges, you should
       </div>
 <div align="left">         
-<p align="left">Example - You want to run a Web Server and a POP3 Server on
+<p align="left">Example - You want to run a Web Server and a POP3 Server
-your firewall    system:</p>
+on your firewall    system:</p>
      </div>
 <div align="left">         
@ -327,8 +327,8 @@ your firewall    system:</p>
       </div>
 <div align="left">         
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, see <a href="ports.htm">here</a>.</p>
+application uses, see <a href="ports.htm">here</a>.</p>
      </div>
 <div align="left">         
@ -384,8 +384,7 @@ uses, see <a href="ports.htm">here</a>.</p>
  your system to start Shorewall at system boot but beginning with Shorewall 
  version 1.3.9 startup is disabled so that your system won't try to start 
 Shorewall before configuration is complete. Once you have completed configuration 
- of your firewall, you can enable Shorewall startup by removing the file
+ of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
 /etc/shorewall/startup_disabled.<br>
      </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
@ -410,11 +409,11 @@ uses, see <a href="ports.htm">here</a>.</p>
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.  
 Also, I don't recommend using "shorewall restart"; it is better to create
   an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
-  and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
+   and    test it using the <a
- try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
      </div>
-<p align="left"><font size="2">Last updated 1/26/2003 - <a
+<p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
@ -425,5 +424,6 @@ Thomas   M. Eastep</font></a></p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/starting_and_stopping_shorewall.htm
+++ b/STABLE/documentation/starting_and_stopping_shorewall.htm
@ -41,13 +41,13 @@
 <p>   If you have a permanent internet connection such as DSL     or Cable,
-    I  recommend that you start the firewall     automatically at boot. Once
+      I  recommend that you start the firewall     automatically at boot.
-   you  have installed      "firewall" in your init.d directory, simply type
+Once     you  have installed      "firewall" in your init.d directory, simply
-       "chkconfig --add firewall". This will start the     firewall in run
+type         "chkconfig --add firewall". This will start the     firewall
- levels   2-5 and stop it in run levels 1 and 6.     If you want to configure
+in run   levels   2-5 and stop it in run levels 1 and 6.     If you want
- your  firewall differently from this     default, you can use the "--level"
+to configure   your  firewall differently from this     default, you can
- option  in     chkconfig (see "man chkconfig") or using your     favorite
+use the "--level"   option  in     chkconfig (see "man chkconfig") or using
- graphical  run-level editor.</p>
+your     favorite   graphical  run-level editor.</p>
@ -60,14 +60,14 @@
            </p>
 <ol>
-          <li>Shorewall startup is disabled by default. Once you have configured
+              <li>Shorewall startup is disabled by default. Once you have 
-    your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
+configured      your firewall, you can enable startup by removing the file 
-    Note: Users of the .deb package must edit /etc/default/shorewall and
+/etc/shorewall/startup_disabled.      Note: Users of the .deb package must 
-set    'startup=1'.<br>
+edit /etc/default/shorewall and set    'startup=1'.<br>
              </li>
-          <li>If you use dialup, you may want to start the firewall     in
+              <li>If you use dialup, you may want to start the firewall 
- your   /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall 
+   in  your   /etc/ppp/ip-up.local   script. I recommend just placing   
- restart"   in that script.</li>
+ "shorewall    restart"   in that script.</li>
 </ol>
@ -91,11 +91,14 @@ set    'startup=1'.<br>
                <li>shorewall clear - remove all rules and chains       
     installed    by Shoreline  Firewall</li>
                <li>shorewall refresh - refresh the rules involving the broadcast 
-          addresses  of firewall interfaces and the black and white lists.</li>
+            addresses  of firewall interfaces, <a
 href="blacklisting_support.htm">the black list</a>, <a
 href="traffic_shaping.htm">traffic control rules</a> and <a
 href="ECN.html">ECN control rules</a>.</li>
 </ul>
-    If you include the keyword <i>debug</i> as the first argument, then a 
+        If you include the keyword <i>debug</i> as the first argument, then 
-shell  trace of the command is produced as in:<br>
+ a  shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
@ -114,52 +117,60 @@ information in the file /tmp/trace<br>
 <ul>
-            <li>shorewall status - produce a verbose report about the firewall
+                <li>shorewall status - produce a verbose report about the 
-             (iptables -L -n -v)</li>
+firewall               (iptables -L -n -v)</li>
-            <li>shorewall show <i>chain</i> - produce a verbose report about
+                <li>shorewall show <i>chain</i> - produce a verbose report
-      <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
+ about        <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
-            <li>shorewall show nat - produce a verbose report about the nat 
+                <li>shorewall show nat - produce a verbose report about the 
- table             (iptables -t nat -L -n -v)</li>
+ nat   table             (iptables -t nat -L -n -v)</li>
-            <li>shorewall show tos - produce a verbose report about the mangle
+                <li>shorewall show tos - produce a verbose report about the 
-   table          (iptables -t mangle -L -n -v)</li>
+ mangle    table          (iptables -t mangle -L -n -v)</li>
                <li>shorewall show log - display the last 20 packet log entries.</li>
                <li>shorewall show connections - displays the IP connections
  currently     being     tracked by the firewall.</li>
                <li>shorewall                                           
                                         show                           
-                                                     tc     - displays information
+                                                         tc     - displays
-    about the traffic control/shaping configuration.</li>
+ information      about the traffic control/shaping configuration.</li>
-            <li>shorewall monitor [ delay ] - Continuously display the firewall 
+                <li>shorewall monitor [ delay ] - Continuously display the
-             status, last 20 log entries and nat. When the log entry display
+ firewall               status, last 20 log entries and nat. When the log
-              changes, an audible alarm is sounded.</li>
+entry display                changes, an audible alarm is sounded.</li>
                <li>shorewall hits - Produces several reports about the Shorewall 
    packet  log          messages in the current /var/log/messages file.</li>
-            <li>shorewall version -  Displays the installed     version number.</li>
+                <li>shorewall version -  Displays the installed     version 
-            <li>shorewall check -  Performs a <u>cursory</u> validation 
+ number.</li>
-   of  the  zones, interfaces, hosts, rules and policy files.    <font
+   <li>shorewall check -  Performs a <u>cursory</u> validation     of  the 
- size="4" color="#ff6666"><b>The "check" command does not parse and     validate
+ zones, interfaces, hosts, rules and policy files.<br>
-  the   generated iptables commands so even though the "check" command  
+     <br>
-  completes   successfully, the configuration may fail to start. See the
+     <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored 
-    recommended   way to make configuration changes described below. </b></font>
+and does not parse and     validate   the   generated iptables commands. Even
 though the "check" command     completes   successfully, the configuration 
 may fail to start. Problem reports that complain about errors that the 'check' 
 command does not detect will not be accepted.<br>
     <br>
 See the     recommended   way to make configuration changes described below.</b></font><br>
    <br>
   </li>
                <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> 
    ]  -  Restart shorewall using the     specified configuration and if an
-error   occurs or if the<i> timeout </i>    option is given and the new configuration
+  error   occurs or if the<i> timeout </i>    option is given and the new
-    has been up for that many seconds     then shorewall is restarted using
+configuration     has been up for that many seconds     then shorewall is
-  the  standard configuration.</li>
+restarted using   the  standard configuration.</li>
-            <li>shorewall deny, shorewall reject, shorewall accept and shorewall
+                <li>shorewall deny, shorewall reject, shorewall accept and
-    save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
+ shorewall      save     implement <a href="blacklisting_support.htm">dynamic
-            <li>shorewall logwatch (added in version 1.3.2) - Monitors the
+ blacklisting</a>.</li>
-        <a href="#Conf">LOGFILE </a>and produces an audible alarm when new 
+                <li>shorewall logwatch (added in version 1.3.2) - Monitors
- Shorewall       messages are logged.</li>
+ the          <a href="#Conf">LOGFILE </a>and produces an audible alarm when
 new   Shorewall       messages are logged.</li>
 </ul>
-      Finally, the "shorewall" program may be used to dynamically alter the 
+          Finally, the "shorewall" program may be used to dynamically alter 
- contents  of a zone.<br>
+ the   contents  of a zone.<br>
 <ul>
-        <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds 
+            <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
- the  specified interface (and host if included) to the specified zone.</li>
+ Adds   the  specified interface (and host if included) to the specified
 zone.</li>
            <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- 
  Deletes   the specified interface (and host if included) from the specified 
  zone.</li>
@ -170,13 +181,14 @@ zone.</li>
  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
    -- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
-        <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
+            <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 
-  -- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
+vpn1</b></font>    -- deletes the address 192.0.2.24  from interface ipsec0 
 from zone vpn1<br>
            </blockquote>
          </blockquote>
-<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and 
+<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and 
      <b>shorewall try </b>commands allow you to specify which <a
 href="configuration_file_basics.htm#Configs">   Shorewall configuration</a> 
       to use:</p>
@ -191,9 +203,10 @@ zone.</li>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall 
-     is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> 
+       is going to use a file in /etc/shorewall it will first look in the 
-      . If the file is present in the <i>configuration-directory</i>, that 
+<i>configuration-directory</i>        . If the file is present in the <i>configuration-directory</i>, 
- file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
+that   file    will be used; otherwise, the file in /etc/shorewall will be 
 used.</p>
@ -210,21 +223,22 @@ zone.</li>
                        <li><font color="#009900"><b>cd /etc/test</b></font></li>
-                    <li>&lt;copy any files that you need to change from /etc/shorewall
+                        <li>&lt;copy any files that you need to change from 
-    to . and change them here&gt;</li>
+ /etc/shorewall     to . and change them here&gt;</li>
   <li><font color="#009900"><b>shorewall -c . check</b></font></li>
   <li>&lt;correct any errors found by check and check again&gt;</li>
-                    <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
+                                                                        
                                              <li><font color="#009900"><b>/sbin/shorewall
 try .</b></font></li>
 </ul>
 <p>  If the configuration starts but doesn't work, just "shorewall restart"
-    to   restore the old configuration. If the new configuration fails to
+      to   restore the old configuration. If the new configuration fails
-start,    the   "try" command will automatically start the old one for you.</p>
+to   start,    the   "try" command will automatically start the old one for
 you.</p>
@ -257,10 +271,10 @@ start,    the   "try" command will automatically start the old one for you.</p>
 <p>    <br>
        </p>
-     You will note that the commands that result in state transitions use 
+         You will note that the commands that result in state transitions 
-the  word "firewall" rather than "shorewall". That is because the actual transitions
+use   the  word "firewall" rather than "shorewall". That is because the actual 
- are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall on
+ transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall 
- Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
+ on  Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
       <br>
 <table cellpadding="2" cellspacing="2" border="1">
@ -314,23 +328,14 @@ the  word "firewall" rather than "shorewall". That is because the actual transit
 </table>
       <br>
-<p><font size="2">   Updated 2/10/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 2/27/2003 - <a href="support.htm">Tom  Eastep</a> 
         </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-       © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+         © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-                                                                        
+ </p>
                                   <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -10,20 +10,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Support Guide</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -38,6 +25,7 @@
      <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                                       </font></h1>
@ -50,75 +38,42 @@
 </table>
-<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
+<h2>Before Reporting a Problem or Asking a Question<br>
-    emailed directly to me, I try to spend some time each day answering questions
+ </h2>
-    on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
+                                                       There are a number 
- style="font-weight: 400;"></span></big></b></p>
+of  sources of Shorewall information. Please     try these before you   post. 
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
 <h1>Before Reporting a Problem</h1>
     <i>"Well at least you tried to read the documentation, which is a lot
 more  than some people on this list appear to do.</i>"<br>
     <br>
 <div align="center">- Wietse Venema - On the Postfix mailing list<br>
     </div>
     <br>
                                             There are a number of sources
 for   problem     solution information. Please     try these before you
 post.                            
 <h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-                       <li>More than half of the questions posted on the
+                                 <li>More than half of the questions posted 
-support     list   have answers directly accessible from the <a
+ on  the   support     list   have answers directly accessible from the <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
                 <br>
                         </li>
                         <li>                                   The <a
 href="FAQ.htm">FAQ</a>     has  solutions to  more than 20 common      problems.
              </li>
 </ul>
 <h3>                     </h3>
 <ul>
                <li>                                   The     <a
 href="troubleshoot.htm">Troubleshooting</a>  Information          contains
-        a    number of tips to help you solve common problems.         </li>
+            a    number of tips to help you solve common problems.      
    </li>
 </ul>
 <h3>                     </h3>
 <ul>
               <li>                                   The     <a
 href="errata.htm">   Errata</a> has links  to  download        updated 
    components.         </li>
-</ul>
+                <li>                                   The Site and Mailing
-                                         
+     List   Archives     search facility can locate documents and posts 
-<h3>                     </h3>
+  about         similar   problems:         </li>
 <ul>
                       <li>                                   The Mailing 
 List   Archives     search facility can locate   posts    about         similar
  problems:         </li>
 </ul>
 <h2>                                     </h2>
-<h2>Mailing List Archive Search</h2>
+<h2>Site and Mailing List Archive Search</h2>
-<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
+<blockquote>      
-                                                                        
+  <form method="post"
-                                      
+ action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
  <p> <font size="-1"> Match:                                           
    <select name="method">
    <option value="and">All </option>
@ -126,15 +81,11 @@ List   Archives     search facility can locate   posts    about         similar
    <option value="boolean">Boolean </option>
    </select>
      Format:                    
    <select name="format">
    <option value="builtin-long">Long </option>
    <option value="builtin-short">Short </option>
    </select>
      Sort by:                    
    <select name="sort">
    <option value="score">Score </option>
    <option value="time">Time </option>
@ -143,66 +94,55 @@ List   Archives     search facility can locate   posts    about         similar
    <option value="revtime">Reverse Time </option>
    <option value="revtitle">Reverse Title </option>
    </select>
-                                     </font> <input type="hidden"
+       </font><input type="hidden" name="config" value="htdig"><input
- name="config" value="htdig">    <input type="hidden" name="restrict"
+ type="hidden" name="restrict" value=""><font size="-1"> Include  Mailing 
- value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
+  List Archives:                    
- name="exclude" value=""> <br>
+    <select size="1" name="exclude">
-                                     Search: <input type="text"
+    <option value="">Yes</option>
- size="30" name="words" value="">    <input type="submit" value="Search">
+    <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
-  </p>
+    </select>
       </font><br>
      Search: <input type="text" size="30" name="words" value=""> <input
 type="submit" value="Search"><br>
    </form>
  </blockquote>
-<h2>Problem Reporting Guidelines </h2>
+<h2>Problem Reporting Guidelines<br>
-                    <i>"Let me see if I can translate your message into a 
+      </h2>
 real-world      example.      It would be like saying that you have three 
 rooms at home,     and when you   walk  into one of the rooms, you detect 
 this strange smell.      Can anyone tell  you  what that strange smell is?<br>
                    <br>
                    Now, all of us could do some wonderful guessing as to 
 the   smell    and   even   what's causing it.  You would be absolutely amazed 
 at the range   and   variety   of smells we could come up with.  Even more 
 amazing is that   all   of the explanations   for the smells would be completely 
 plausible."<br>
                    </i><br>
 <div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
                    </div>
                    <br>
 <h3>                     </h3>
 <ul>
-                <li>Please remember we only know what is posted in your message.
+                          <li>Please remember we only know what is posted 
-     Do  not  leave out any information that appears to be correct,  or was
+in  your   message.      Do  not  leave out any information that appears to
-  mentioned    in  a previous post. There have been countless  posts by people
+be  correct,    or was   mentioned    in  a previous post. There have been
-  who were   sure  that some part of their  configuration was correct when
+countless   posts   by people   who were   sure  that some part of their
- it actually   contained  a small error.  We tend to be skeptics where detail
+  configuration  was correct  when  it actually   contained  a small error.
-  is lacking.<br>
+  We tend to be  skeptics where  detail   is lacking.<br>
                            <br>
                          </li>
-                <li>Please keep in mind that you're asking for <strong>free</strong>
+                          <li>Please keep in mind that you're asking for
-      technical  support. Any help we offer is an act of generosity, not
+    <strong>free</strong>            technical  support. Any help we offer
-an   obligation.    Try  to make it easy for us to help you. Follow good,
+is an act of generosity, not    an   obligation.    Try  to make it easy
-courteous   practices    in writing  and formatting your e-mail. Provide
+for us to help you. Follow good,    courteous   practices    in writing 
-details that   we need if  you  expect good  answers. <em>Exact quoting </em>
+and formatting your e-mail. Provide   details that   we need if  you  expect
-of error messages,  log  entries,  command output, and other output is better
+good  answers. <em>Exact quoting     </em>  of error messages,  log  entries,
-than a paraphrase  or  summary.<br>
+ command output, and other output  is better   than a paraphrase  or  summary.<br>
                            <br>
                          </li>
-                <li>                                   Please don't describe
+                          <li>                                   Please don't 
-  your   environment   and then  ask  us  to  send   you             custom
+  describe     your   environment   and then  ask  us  to  send   you    
-  configuration   files.   We're here  to answer   your  questions     but
+        custom     configuration   files.   We're here  to answer   your 
- we           can't   do your   job for you.<br>
+questions     but    we           can't   do your   job for you.<br>
                            <br>
                                 </li>
-                <li>When reporting a problem, <strong>ALWAYS</strong> include 
+                          <li>When reporting a problem, <strong>ALWAYS</strong> 
-  this   information:</li>
+   include     this   information:</li>
 </ul>
 <ul>
  <ul>
                            <li>the exact version of Shorewall you are running.<br>
                              <br>
@ -210,8 +150,10 @@ than a paraphrase  or  summary.<br>
                         </b>    <br>
                            </li>
  </ul>
  <ul>
                            <li>the exact kernel version you are running<br>
                              <br>
@ -219,8 +161,10 @@ than a paraphrase  or  summary.<br>
                              <br>
                              </b></font></li>
  </ul>
  <ul>
                            <li>the complete, exact output of<br>
                              <br>
@ -228,8 +172,10 @@ than a paraphrase  or  summary.<br>
                              <br>
                              </b></font></li>
  </ul>
  <ul>
                            <li>the complete, exact output of<br>
                              <br>
@ -237,10 +183,13 @@ than a paraphrase  or  summary.<br>
                              <br>
                              </b></font></li>
  </ul>
  <ul>
-                  <li>If your kernel is modularized, the exact output from<br>
+                            <li>If your kernel is modularized, the exact
 output    from<br>
                              <br>
                              <font color="#009900"><b>lsmod</b></font><br>
                              <br>
@ -249,15 +198,16 @@ than a paraphrase  or  summary.<br>
 style="color: green; font-weight: bold;">ping</code> failure responses<br>
                      <br>
                    </li>
-          <li>If you installed Shorewall using one of the QuickStart Guides,
+                    <li>If you installed Shorewall using one of the QuickStart
-  please  indicate which one. <br>
+   Guides,     please  indicate which one. <br>
                      <br>
                    </li>
-          <li><b>If you are running Shorewall under Mandrake using the Mandrake
+                    <li><b>If you are running Shorewall under Mandrake using
-   installation of Shorewall, please say so.</b><br>
+  the   Mandrake     installation of Shorewall, please say so.</b><br>
                              <br>
                            </li>
  </ul>
 </ul>
@ -277,91 +227,69 @@ than a paraphrase  or  summary.<br>
             4. Post the /tmp/status.txt file as an attachment.<br>
                            <br>
                          </li>
-                <li>As a general matter, please <strong>do not edit the diagnostic
+                                                           <li>As a general 
-     information</strong>   in an attempt to conceal your IP address, netmask,
+ matter,   please <strong>do not edit the  diagnostic      information</strong> 
-     nameserver addresses,  domain name, etc. These aren't secrets, and concealing
+   in   an attempt to conceal your IP address,  netmask,      nameserver addresses,
-     them often misleads  us (and 80% of the time, a hacker could derive
+    domain name, etc. These aren't secrets,  and concealing      them often
-them     anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
+  misleads  us (and 80% of the time, a hacker  could derive them     anyway
-                           
+  from information  contained in the SMTP headers  of your post).<br>
-</ul>
+           <br>
-                           
+           <strong></strong></li>
-<ul>
+         <li>Do you see  any   "Shorewall"      messages ("<b><font
-                                         
+ color="#009900">/sbin/shorewall  show   log</font></b>")            when 
-</ul>
+     you exercise the function that is giving   you problems? If   so,   include
-                                         
+   the message(s) in your post along with a  copy of your /etc/shorewall/interfaces 
-<h3>                     </h3>
+        file.<br>
 <ul>
 </ul>
 <h3>                     </h3>
 <ul>
                       <li>                                   Do you see
 any   "Shorewall"      messages ("<b><font color="#009900">/sbin/shorewall
 show   log</font></b>")            when   you exercise the function that
 is giving   you problems? If   so,   include the message(s) in your post
 along with a  copy of your /etc/shorewall/interfaces      file.<br>
           <br>
         </li>
         <li>Please include any of the Shorewall configuration  files   
   (especially               the    /etc/shorewall/hosts file if you have 
 modified    that     file)      that  you    think are    relevant. If you
 include /etc/shorewall/rules,         please include /etc/shorewall/policy
-as well (rules are meaningless unless      one also knows the policies).
+ as well (rules are meaningless   unless      one also knows the policies).<br>
           <br>
         </li>
-                                         
+         <li>If an error occurs    when   you   try   to "<font
-</ul>
+ color="#009900"><b>shorewall  start</b></font>",        include     a  
-                                         
+ trace (See the <a href="troubleshoot.htm">Troubleshooting</a>          
-<h3>                     </h3>
+ section  for    instructions).<br>
-                                         
+           <br>
 <ul>
 </ul>
 <h3>                     </h3>
 <ul>
                              <li>                         If an error occurs 
  when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>",
      include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
          section  for    instructions).         </li>
 </ul>
 <h3>                     </h3>
 <ul>
                       <li>                                             
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
           your             network layout, etc. to the Mailing List  -- your
     post      will  be rejected.</b></h3>
         </li>
         <li><b>The list server limits posts to 120kb so don't  post  GIFs
   of               your             network layout, etc. to the Mailing
 List    --   your      post      will  be rejected.</b></li>
 </ul>
 <blockquote>                                                             
 The author gratefully   acknowleges that the above list was  heavily    
 plagiarized    from the  excellent LEAF document by <i>Ray</i>  <em>Olszewski</em> 
    found  at  <a
 href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
 </blockquote>
-<h2>Please post in plain text</h2>
+<h2>When using the mailing list, please post in plain text</h2>
-<blockquote>            </blockquote>
+<blockquote>                                                            
     A growing  number of MTAs serving list subscribers are rejecting   
  all    HTML  traffic.  At least one MTA has gone so far as to blacklist
-shorewall.net      "for continuous abuse" because it has been my policy to 
+  shorewall.net      "for  continuous abuse" because it has been my policy
-allow HTML in  list    posts!!<br>
+ to  allow HTML in  list    posts!!<br>
    <br>
-                   I think that blocking all HTML is a Draconian way to control 
+                             I think that blocking all HTML is a Draconian
-   spam    and  that the ultimate losers here are not the spammers but the 
+ way   to  control     spam    and  that the ultimate losers here are not
- list  subscribers      whose MTAs are bouncing all shorewall.net mail. As 
+the spammers    but the   list  subscribers      whose MTAs are bouncing
- one list  subscriber   wrote  to me privately "These e-mail admin's need 
+all shorewall.net    mail. As   one list  subscriber   wrote  to me privately
-to get a <i>(expletive   deleted)</i>  life instead of trying to rid the planet
+ "These e-mail admin's   need  to get a <i>(expletive   deleted)</i>  life
-of HTML based e-mail".   Nevertheless,  to allow subscribers to receive list
+ instead of trying to rid   the planet of HTML based e-mail".   Nevertheless,
-posts as must as possible,   I have now   configured the list server at shorewall.net
+  to allow subscribers  to  receive list posts as must as possible,   I have
-to strip all HTML   from outgoing  posts.<br>
+ now   configured the  list  server at shorewall.net to strip all HTML  
 from  outgoing  posts.<br>
  </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -370,33 +298,36 @@ to strip all HTML   from outgoing  posts.<br>
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem 
-          to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users 
+               to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF 
-   mailing       list</a>.</span></h4>
+  Users      mailing       list</a>.</span></h4>
-                   <b>If you run Shorewall under MandrakeSoft Multi Network 
+                             <b>If you run Shorewall under MandrakeSoft Multi 
- Firewall     (MNF)   and you have not purchased an MNF license from MandrakeSoft 
+  Network     Firewall     (MNF)   and you have not purchased an MNF license 
- then    you can  post non MNF-specific Shorewall questions to the </b><a
+  from MandrakeSoft     then    you can  post non MNF-specific Shorewall questions
- href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
+  to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
-   list</a>         or to the <a
+  users mailing       list</a>. <b>Do not expect to get free MNF support
- href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
+on the list or forum.</b><br>
 Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-   list</a> or to the <a
+        list</a>.</p>
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a>.</p>
                               </blockquote>
-<p>The Shorewall List Server provides additional information about <a
+                   
- href="http://lists.shorewall.net/mailing_list.htm">Shorewall Mailing Lists</a>.<br>
+<p>To Subscribe to the  mailing list go to <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
                             .<br>
         </p>
 <p>For information on other Shorewall mailing lists, go to <a
 href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
         </p>
-<p align="left"><font size="2">Last Updated 3/6/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
--- a/STABLE/documentation/three-interface.htm
+++ b/STABLE/documentation/three-interface.htm
@ -31,8 +31,8 @@
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up a Linux system as a firewall for a small network
-      with  DMZ is a  fairly straight-forward task if you understand the basics
+       with  DMZ is a  fairly straight-forward task if you understand the
-      and follow the  documentation.</p>
+basics       and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of
        Shorewall. It rather focuses on what is required to configure Shorewall
@ -54,9 +54,9 @@
 height="635">
              </p>
-<p>This guide assumes that you have the iproute/iproute2 package installed 
+<p>Shorewall requires that you have the iproute/iproute2 package installed
-      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
+       (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
-    if  this  package is installed by the presence of an <b>ip</b> program 
+tell     if  this  package is installed by the presence of an <b>ip</b> program
  on   your  firewall  system. As root, you can use the 'which' command to
 check   for this  program:</p>
@ -75,8 +75,9 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
                   If you edit your configuration files on a Windows system,
  you   must   save them as  Unix files if your editor supports that option
  or you   must  run them through  dos2unix before trying to use them. Similarly,
- if   you copy  a configuration file  from your Windows hard drive to a floppy 
+  if   you copy  a configuration file  from your Windows hard drive to a
-  disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+floppy    disk, you must run dos2unix against the  copy before using it with
 Shorewall.</p>
 <ul>
                 <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
@ -92,21 +93,21 @@ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
          The configuration files for Shorewall are contained in the directory
-   /etc/shorewall -- for simple setups, you will only need to deal with a 
+    /etc/shorewall -- for simple setups, you will only need to deal with
-few  of  these as described in this guide.  After you have <a
+a  few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
       sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy
- the    files to /etc/shorewall  (the files will replace files with the same 
+  the    files to /etc/shorewall  (the files will replace files with the
- names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
+same   names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
-      file on your system -- each file contains detailed  configuration instructions 
+       file on your system -- each file contains detailed  configuration
-      and default entries.</p>
+instructions        and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a
-      set of  <i>zones.</i> In the three-interface sample configuration, the
+       set of  <i>zones.</i> In the three-interface sample configuration,
-   following   zone names are used:</p>
+the    following   zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -149,10 +150,10 @@ one   zone   to  another    zone in the<a
 </ul>
 <p>For each connection request entering the firewall, the request is first
-      checked against the  /etc/shorewall/rules file. If no rule in that file
+       checked against the  /etc/shorewall/rules file. If no rule in that
-    matches  the connection  request then the first policy in /etc/shorewall/policy 
+file     matches  the connection  request then the first policy in /etc/shorewall/policy
-    that  matches the    request is applied. If that policy is REJECT or DROP 
+     that  matches the    request is applied. If that policy is REJECT or
-    the request is first  checked against the rules in /etc/shorewall/common 
+DROP      the request is first  checked against the rules in /etc/shorewall/common
    (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample
@ -253,21 +254,21 @@ make   any   changes  that you  wish.</p>
    <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
    <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
    <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External
-  Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
+   Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
-  a regular modem, your External  Interface will also be <b>ppp0</b>. If
+via   a regular modem, your External  Interface will also be <b>ppp0</b>.
-you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
+If you   connect using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-                 If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then
+                  If your external interface is <b>ppp0</b>  or <b>ippp0
-    you   will want to  set CLAMPMSS=yes in <a
+</b>then     you   will want to  set CLAMPMSS=yes in <a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
        eth1 or eth2) and will be connected to a hub or switch. Your local
-computers       will be connected to the same switch (note: If you have only 
+ computers       will be connected to the same switch (note: If you have
-a single   local   system,  you can connect the firewall directly to the computer
+only  a single   local   system,  you can connect the firewall directly to
-using   a <i>cross-over   </i> cable).</p>
+the computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
       (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your
@ -285,9 +286,9 @@ hub   or  switch    (even for testing). It won't work the way that you  expect
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                  The Shorewall three-interface sample configuration assumes
- that    the   external interface is <b>eth0, </b>the local interface is <b>eth1
+  that    the   external interface is <b>eth0, </b>the local interface is
-  </b>and    the DMZ interface is <b> eth2</b>.  If your configuration is
+<b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration
-different,    you will have to modify the sample  /etc/shorewall/interfaces
+is different,    you will have to modify the sample  /etc/shorewall/interfaces 
 file accordingly.     While you are there, you may wish to  review the list 
 of options that are    specified for the interfaces. Some hints:</p>
@ -300,8 +301,8 @@ different,    you will have to modify the sample  /etc/shorewall/interfaces
                <li>                                                    
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
-      or if you have a static IP    address, you can remove "dhcp" from the 
+       or if you have a static IP    address, you can remove "dhcp" from
-  option    list. </p>
+the    option    list. </p>
                </li>
 </ul>
@ -310,16 +311,17 @@ different,    you will have to modify the sample  /etc/shorewall/interfaces
 <p align="left">Before going further, we should say a few words about Internet
        Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
-a  single    <i> Public</i> IP address. This address may be assigned via the<i>
+ a  single    <i> Public</i> IP address. This address may be assigned via
- Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
+the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
- your  connection   when you dial in (standard modem) or establish your PPP
+establishing  your  connection   when you dial in (standard modem) or establish
- connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
+your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
-address; that  means that  you  configure your firewall's external interface 
+IP address; that  means that  you  configure your firewall's external interface
- to use that  address permanently.<i>  </i>Regardless of how the address is
+  to use that  address permanently.<i>  </i>Regardless of how the address
- assigned, it  will be shared by all of your  systems when you access the
+is  assigned, it  will be shared by all of your  systems when you access
-Internet. You will have to assign your  own addresses  for your internal network
+the Internet. You will have to assign your  own addresses  for your internal
-(the local and DMZ Interfaces on  your firewall plus your other  computers).
+network (the local and DMZ Interfaces on  your firewall plus your other 
-RFC 1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
+computers). RFC 1918 reserves several <i>Private  </i>IP address ranges for
 this  purpose:</p>
 <div align="left">                 
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -339,8 +341,8 @@ interface's   entry  in    /etc/shorewall/interfaces.</p>
         sub-network </i>or <i>subnet</i> and your DMZ addresses from another 
    subnet.  For our purposes, we can consider a subnet    to consists of 
 a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a 
-<i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved
+<i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as
-as    the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet
+   the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet 
 Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
  </i>(CIDR)</a>   notation with consists of the subnet address  followed
@ -382,8 +384,8 @@ Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using
 <div align="left">                 
 <p align="left">It is conventional to assign the internal interface either
-      the    first usable address in the subnet (10.10.10.1 in the above example)
+       the    first usable address in the subnet (10.10.10.1 in the above
-      or the    last usable address (10.10.10.254).</p>
+example)       or the    last usable address (10.10.10.254).</p>
              </div>
 <div align="left">                 
@ -406,8 +408,8 @@ set to the   IP address  of the firewall's DMZ interface.
 <p align="left">The foregoing short discussion barely scratches the surface
        regarding subnetting and routing. If you are interested in learning
  more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
-      What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas 
+       What Everyone  Needs to Know about Addressing &amp; Routing",</i>
-     A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
        your network as shown here:</p>
@ -423,10 +425,10 @@ set to the   IP address  of the firewall's DMZ interface.
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
      <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
-your external interface an RFC 1918  address. If that address is in the 10.10.10.0/24 
+ your external interface an RFC 1918  address. If that address is in the
-subnet then you will need  to select a DIFFERENT RFC 1918 subnet for your 
+10.10.10.0/24  subnet then you will need  to select a DIFFERENT RFC 1918
-local network and if it is in the 10.10.11.0/24 subnet then you will need 
+subnet for your  local network and if it is in the 10.10.11.0/24 subnet then
-to select a different RFC 1918 subnet for your DMZ.</b><br>
+you will need  to select a different RFC 1918 subnet for your DMZ.</b><br>
    </p>
 <p align="left">IP Masquerading (SNAT)</p>
@ -436,20 +438,20 @@ to select a different RFC 1918 subnet for your DMZ.</b><br>
   forward    packets  which have an RFC-1918 destination address. When one
  of your local    systems  (let's assume local computer 1) sends a connection
   request to an   internet host, the  firewall must perform <i>Network Address
-  Translation   </i>(NAT). The firewall  rewrites the source address in the 
+   Translation   </i>(NAT). The firewall  rewrites the source address in
-  packet to be  the address of the firewall's  external interface; in other 
+the    packet to be  the address of the firewall's  external interface; in
-  words, the firewall   makes it look as if the firewall  itself is initiating 
+other    words, the firewall   makes it look as if the firewall  itself is
-  the connection.  This  is necessary so that the  destination host will be
+initiating    the connection.  This  is necessary so that the  destination
-  able to route return packets   back to the firewall  (remember that packets
+host will be   able to route return packets   back to the firewall  (remember
-  whose destination address is   reserved by RFC 1918 can't  be routed accross
+that packets   whose destination address is   reserved by RFC 1918 can't
-  the internet). When the firewall   receives a return packet, it  rewrites
+ be routed accross   the internet). When the firewall   receives a return
-  the destination address back to 10.10.10.1   and  forwards the packet on
+packet, it  rewrites   the destination address back to 10.10.10.1   and 
- to local computer 1. </p>
+forwards the packet on  to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> and you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
                 <li>                                                   
@ -473,8 +475,8 @@ to select a different RFC 1918 subnet for your DMZ.</b><br>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                  If your external firewall interface is <b>eth0</b>, your
-local     interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then 
+ local     interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b>
-you  do  not  need to  modify the file provided with the sample. Otherwise, 
+then  you  do  not  need to  modify the file provided with the sample. Otherwise,
 edit    /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -489,8 +491,8 @@ your static  IP  in column    3 makes <br>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
          If you are using the Debian package, please check your shorewall.conf
-  file to ensure that the following are set correctly; if they are not, change 
+   file to ensure that the following are set correctly; if they are not,
-  them appropriately:<br>
+change    them appropriately:<br>
       </p>
 <ul>
@ -503,17 +505,17 @@ your static  IP  in column    3 makes <br>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your
-      DMZ computers. Because these computers have RFC-1918 addresses, it is
+       DMZ computers. Because these computers have RFC-1918 addresses, it
-  not     possible for clients on the internet to connect directly to them.
+is   not     possible for clients on the internet to connect directly to
-  It is   rather  necessary for those clients to address their connection 
+them.   It is   rather  necessary for those clients to address their connection
 requests    to your firewall  who rewrites the destination address to the
 address of   your server and forwards  the packet to that server. When your
 server responds,     the firewall automatically  performs SNAT to rewrite
 the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
-       Destination Network Address Translation</i> (DNAT). You configure
+       Destination Network Address Translation</i> (DNAT). You configure port
-port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+     forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules
       is:</p>
@ -547,8 +549,8 @@ port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
  </table>
               </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
-the same  as <i>&lt;port&gt;</i>.</p>
+be the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
        TCP port 80 to that system:</p>
@ -596,8 +598,8 @@ the same  as <i>&lt;port&gt;</i>.</p>
                 <li>When you are connecting to your server from your local 
 systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
                 <li>Many ISPs block incoming connection requests to port 
-80.   If  you   have     problems connecting to your web server, try the
+80.   If  you   have     problems connecting to your web server, try the following
-following   rule and  try     connecting to port 5000 (e.g., connect to <a
+  rule and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your
       external IP).</li>
@ -632,8 +634,8 @@ following   rule and  try     connecting to port 5000 (e.g., connect to <a
               </blockquote>
 <p>If you want to be able  to access your server from the local network using
-      your external address, then  if you have a static external IP you can 
+       your external address, then  if you have a static external IP you
-  replace    the loc-&gt;dmz rule above with:</p>
+can    replace    the loc-&gt;dmz rule above with:</p>
 <blockquote>                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -709,17 +711,17 @@ following   rule and  try     connecting to port 5000 (e.g., connect to <a
 address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
-                 At this point, add the DNAT and  ACCEPT rules for your servers.
+                  At this point, add the DNAT and  ACCEPT rules for your
-    </p>
+servers.     </p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting
       an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
-     will be  automatically configured (e.g., the /etc/resolv.conf file will 
+      will be  automatically configured (e.g., the /etc/resolv.conf file
-   be  written).  Alternatively, your ISP may have given you the IP address 
+will     be  written).  Alternatively, your ISP may have given you the IP
-  of a  pair of DNS <i> name servers</i> for you to manually configure as 
+address    of a  pair of DNS <i> name servers</i> for you to manually configure
-your    primary  and secondary  name servers. It is <u>your</u> responsibility 
+as  your    primary  and secondary  name servers. It is <u>your</u> responsibility
  to   configure  the resolver in your  internal systems. You can take one
 of two   approaches:</p>
@ -730,19 +732,20 @@ of two   approaches:</p>
       name    servers. If you ISP gave you the addresses of their servers
 or   if   those    addresses are available on their web site, you can configure
    your   internal    systems to use those addresses. If that information
-isn't   available,   look in    /etc/resolv.conf on your firewall system --
+ isn't   available,   look in    /etc/resolv.conf on your firewall system
-the name  servers are  given in    "nameserver" records in that file.   </p>
+-- the name  servers are  given in    "nameserver" records in that file.
  </p>
                </li>
                <li>                                                    
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
                  You can configure a<i> Caching Name Server </i>on your
-  firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name
+   firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching
- server (which     also     requires the 'bind' RPM) and for Bering users,
+name  server (which     also     requires the 'bind' RPM) and for Bering
- there is dnscache.lrp.     If you    take this approach, you configure your
+users,  there is dnscache.lrp.     If you    take this approach, you configure
- internal systems to use    the caching    name server as their primary (and
+your  internal systems to use    the caching    name server as their primary
- only) name server. You  use  the internal IP    address of the firewall
+(and  only) name server. You  use  the internal IP    address of the firewall 
 (10.10.10.254  in the example  above)    for the name    server address if 
 you choose to  run the name server  on your   firewall. To allow your local 
 systems to talk  to your caching name      server,   you must open port 53 
@ -918,8 +921,8 @@ by adding the rules  in /etc/shorewall/rules.       </p>
 <div align="left">                 
 <p align="left">Those rules allow DNS access from your firewall and may be
-         removed if you commented out the line in /etc/shorewall/policy allowing 
+          removed if you commented out the line in /etc/shorewall/policy
-      all    connections from the firewall to the internet.</p>
+allowing        all    connections from the firewall to the internet.</p>
              </div>
 <div align="left">                 
@ -1056,8 +1059,8 @@ by adding the rules  in /etc/shorewall/rules.       </p>
              </div>
 <div align="left">                 
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
              </div>
 <div align="left">                 
@ -1098,11 +1101,13 @@ uses, look <a href="ports.htm">here</a>.</p>
 <div align="left">                 
 <p align="left">                </p>
 <p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
      Bering users will want to add the following two rules to be compatible 
 with Jacques's Shorewall configuration.<br>
 </p>
 <div align="left">                 
 <blockquote>                                               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -1146,6 +1151,7 @@ with Jacques's Shorewall configuration.<br>
  </table>
                 </blockquote>
               </div>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                  Now modify    /etc/shorewall/rules to add or remove other 
@ -1178,9 +1184,9 @@ with Jacques's Shorewall configuration.<br>
          and stopped using "shorewall stop". When the firewall is stopped,
  routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
-         running firewall may be restarted using the "shorewall restart" command.
+          running firewall may be restarted using the "shorewall restart"
-      If    you want to totally remove any trace of Shorewall from your Netfilter
+command.       If    you want to totally remove any trace of Shorewall from
-         configuration, use "shorewall clear".</p>
+your Netfilter          configuration, use "shorewall clear".</p>
              </div>
 <div align="left">                 
@ -1199,12 +1205,12 @@ set   of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
 have     added an    entry for the IP address that you are connected from
 to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
     Also, I don't recommend using "shorewall restart"; it is better to create
-      an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
+       an   <i><a href="configuration_file_basics.htm#Configs">alternate
-      and    test it using the <a
+configuration</a></i>        and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
              </div>
-<p align="left"><font size="2">Last updated 1/30/2003 - <a
+<p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
@ -1223,5 +1229,6 @@ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/traffic_shaping.htm
+++ b/STABLE/documentation/traffic_shaping.htm
@ -21,6 +21,7 @@
                   <tr>
                    <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
                    </td>
                  </tr>
@ -28,63 +29,63 @@
  </tbody>               
 </table>
-<p align="left">Beginning with version 1.2.0, Shorewall has limited support 
+<p align="left">Shorewall has limited support       for traffic shaping/control.
-     for traffic shaping/control. In order to use traffic shaping under Shorewall, 
+ In order to use traffic shaping under Shorewall,       it is essential that
-     it is essential that you get a copy of the <a
+ you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
- href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, 
+ and Shaping HOWTO</a>,       version 0.3.0 or later.</p>
     version 0.3.0 or later. You must also install the iproute (iproute2) 
 package     to provide the "ip" and "tc" utilities.</p>
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
 <ul>
                  <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. 
   Traffic     Shaping  also requires that you enable packet mangling.</li>
-    <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in
+        <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added 
-Shorewall  1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the
+in  Shorewall  1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), 
-setting of  this variable determines whether Shorewall clears the traffic
+the  setting of  this variable determines whether Shorewall clears the traffic
  shaping configuration  during Shorewall [re]start and Shorewall stop. <br>
        </li>
-              <li><b>/etc/shorewall/tcrules</b> - A file where you can specify 
+                  <li><b>/etc/shorewall/tcrules</b> - A file where you can
-     firewall     marking of packets. The firewall mark value may be used 
+ specify       firewall     marking of packets. The firewall mark value may
-to classify     packets  for traffic shaping/control.<br>
+ be used  to classify     packets  for traffic shaping/control.<br>
                  </li>
-              <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that 
+                  <li><b>/etc/shorewall/tcstart </b>- A user-supplied file
- is     sourced     by Shorewall during "shorewall start" and which you can 
+ that   is     sourced     by Shorewall during "shorewall start" and which
-     use to define     your traffic shaping disciplines and classes. I have 
+ you can       use to define     your traffic shaping disciplines and classes. 
- provided     a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> 
+ I have   provided     a <a
- that does     table-driven CBQ shaping but if you read the traffic shaping 
+ href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>   that does 
- sections of     the     HOWTO mentioned above, you can probably code your 
+   table-driven CBQ shaping but if you read the traffic shaping   sections 
- own faster than     you can     learn how to use my sample. I personally 
+ of     the     HOWTO mentioned above, you can probably code your   own faster 
-use     <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see 
+ than     you can     learn how to use my sample. I personally  use     <a
-below).  HTB         support may eventually become an integral part of Shorewall 
+ href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below). 
 HTB         support may eventually become an integral part of Shorewall 
 since  HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
 HTB is a standard     part of the kernel but iproute2 must be patched  in
 order  to     use it.<br>
                    <br>
-                In tcstart, when you want to run the 'tc' utility, use the
+                    In tcstart, when you want to run the 'tc' utility, use
- run_tc    function      supplied by shorewall if you want tc errors to stop
+ the   run_tc    function      supplied by shorewall if you want tc errors
- the firewall.<br>
+ to stop   the firewall.<br>
              <br>
-      You can generally use off-the-shelf traffic shaping scripts by simply 
+          You can generally use off-the-shelf traffic shaping scripts by
- copying  them to /etc/shorewall/tcstart. I use <a
+simply    copying  them to /etc/shorewall/tcstart. I use <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
-  that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
+    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
- modified  it according to the Wonder Shaper README). <b>WARNING: </b>If
+and    modified  it according to the Wonder Shaper README). <b>WARNING: </b>If
 you  use use Masquerading or SNAT (i.e., you only have one external IP address)
   then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
- script won't work. Traffic shaping occurs after SNAT has already been applied
+   script won't work. Traffic shaping occurs after SNAT has already been
- so when traffic shaping happens, all outbound traffic will have as a source 
+applied    so when traffic shaping happens, all outbound traffic will have
-  address the IP addresss of your firewall's external interface.<br>
+as a source     address the IP addresss of your firewall's external interface.<br>
            </li>
-              <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that 
+                  <li><b>/etc/shorewall/tcclear</b> - A user-supplied file
- is     sourced     by Shorewall when it is clearing traffic shaping. This 
+ that   is     sourced     by Shorewall when it is clearing traffic shaping.
- file is     normally     not required as Shorewall's method of clearing qdisc
+ This   file is     normally     not required as Shorewall's method of clearing 
- and filter     definitions     is pretty general.</li>
+ qdisc  and filter     definitions     is pretty general.</li>
 </ul>
-  Shorewall allows you to start traffic shaping when Shorewall itself starts
+      Shorewall allows you to start traffic shaping when Shorewall itself 
- or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
+starts   or it allows you to bring up traffic shaping when you bring up your 
 interfaces.<br>
      <br>
      To start traffic shaping when Shorewall starts:<br>
@ -94,20 +95,21 @@ you  use use Masquerading or SNAT (i.e., you only have one external IP address)
  shaping rules.</li>
        <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
   shaping. That is usually unnecessary.</li>
-    <li>If your tcstart script uses the 'fwmark' classifier, you can mark 
+        <li>If your tcstart script uses the 'fwmark' classifier, you can
-packets using entries in /etc/shorewall/tcrules.</li>
+mark   packets using entries in /etc/shorewall/tcrules.</li>
 </ol>
-  To start traffic shaping when you bring up your network interfaces, you 
+      To start traffic shaping when you bring up your network interfaces, 
-will have to arrange for your traffic shaping configuration script to be run
+you   will have to arrange for your traffic shaping configuration script to
-at that time. How you do that is distribution dependent and will not be covered
+be  run at that time. How you do that is distribution dependent and will not
-here. You then should:<br>
+be covered here. You then should:<br>
 <ol>
        <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
-    <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
+        <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
-    <li value="4">If your tcstart script uses the 'fwmark' classifier, you
+ scripts.</li>
- can mark packets using entries in /etc/shorewall/tcrules.</li>
+        <li value="4">If your tcstart script uses the 'fwmark' classifier,
 you   can mark packets using entries in /etc/shorewall/tcrules.</li>
 </ol>
@ -128,44 +130,44 @@ here. You then should:<br>
 <p align="left">Normally, packet marking occurs in the PREROUTING chain before
    any address rewriting takes place. This makes it impossible to mark inbound
-  packets based on their destination address when SNAT or Masquerading are
+    packets based on their destination address when SNAT or Masquerading
- being used. Beginning with Shorewall 1.3.12, you can cause packet marking
+are    being used. Beginning with Shorewall 1.3.12, you can cause packet
- to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
+marking    to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
-in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+option  in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
        </p>
 <p align="left">Columns in the file are as follows:</p>
 <ul>
-              <li>MARK - Specifies the mark value is to be assigned in case 
+                  <li>MARK - Specifies the mark value is to be assigned in
- of      a match. This is an integer in the range 1-255. Beginning with Shorewall 
+ case   of      a match. This is an integer in the range 1-255. Beginning
-version 1.3.14, this value may be optionally followed by ":" and either 'F' 
+with Shorewall  version 1.3.14, this value may be optionally followed by
-or 'P' to designate that the marking will occur in the FORWARD or PREROUTING 
+":" and either 'F'  or 'P' to designate that the marking will occur in the
-chains respectively. If this additional specification is omitted, the chain 
+FORWARD or PREROUTING  chains respectively. If this additional specification
-used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN 
+is omitted, the chain  used to mark packets will be determined by the setting
-option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+of the MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                    <br>
                    Example - 5<br>
                  </li>
                  <li>SOURCE - The source of the packet. If the packet originates 
        on  the firewall, place "fw" in this column. Otherwise, this is a 
-  comma-separated   list of interface names, IP addresses, MAC addresses in
+    comma-separated   list of interface names, IP addresses, MAC addresses 
-   <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
+ in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
                    <br>
                    Examples<br>
                        eth0<br>
                        192.168.2.4,192.168.1.0/24<br>
                  </li>
-              <li>DEST -- Destination of the packet. Comma-separated list 
+                  <li>DEST -- Destination of the packet. Comma-separated
-of      IP  addresses and/or subnets.<br>
+list   of      IP  addresses and/or subnets.<br>
                  </li>
                  <li>PROTO - Protocol - Must be the name of a protocol from
      /etc/protocol,    a number or "all"<br>
                  </li>
-              <li>PORT(S) - Destination Ports. A comma-separated list of
+                  <li>PORT(S) - Destination Ports. A comma-separated list 
-Port       names  (from /etc/services), port numbers or port ranges (e.g.,
+of  Port       names  (from /etc/services), port numbers or port ranges (e.g.,
-21:22);     if     the  protocol is "icmp", this column is interpreted as
+  21:22);     if     the  protocol is "icmp", this column is interpreted
-the     destination    icmp  type(s).<br>
+as   the     destination    icmp  type(s).<br>
                  </li>
                  <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. 
  If      omitted,  any source port is acceptable. Specified as a comma-separate
@ -174,8 +176,9 @@ If      omitted,  any source port is acceptable. Specified as a comma-separate
 </ul>
 <p align="left">Example 1 - All packets arriving on eth1 should be marked 
-     with 1. All packets arriving on eth2 and eth3 should be marked with 2.
+       with 1. All packets arriving on eth2 and eth3 should be marked with 
-  All packets   originating on the firewall itself should be marked with 3.</p>
+ 2.   All packets   originating on the firewall itself should be marked with 
 3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
                  <tbody>
@ -307,25 +310,30 @@ hand-crafted  rules in my <b>/etc/shorewall/tcstart</b>  file:<br>
                          </blockquote>
 <p>My tcrules file that went with this tcstart file is shown in Example 1
-   above. You can look at my <a href="myfiles.htm">network   configuration</a>
+     above. You can look at <a href="myfiles.htm">my configuration</a> to
-   to get an idea of why I wanted   these particular rules.<br>
+see why I wanted shaping of this type.<br>
           </p>
 <ol>
             <li>I wanted to allow up to 140kbits/second for traffic outbound 
  from   my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
- can  use all available bandwidth if there is no traffic from the local systems 
+  can  use all available bandwidth if there is no traffic from the local
-   or from my laptop or firewall).</li>
+systems     or from my laptop or firewall).</li>
             <li>My laptop and local systems could use up to 224kbits/second.</li>
-         <li>My firewall could use up to 20kbits/second.<br>
+             <li>My firewall could use up to 20kbits/second.</li>
         </li>
 </ol>
 You see <a href="myfiles.htm">the rest of my Shorewall configuration</a> 
 to see how this fit in. <br>
-<p><font size="2">Last Updated 2/13/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
        © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/troubleshoot.htm
+++ b/STABLE/documentation/troubleshoot.htm
@ -80,9 +80,9 @@ actually an ill-conceived network setup. Here are several popular snafus:
 <ul>
              <li>Port           Forwarding where client and server are in
 the   same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
-            <li>Changing the IP address of a local system to be in the external 
+              <li>Changing the IP address of a local system to be in the
-   subnet,      thinking that Shorewall will suddenly believe that the system 
+external     subnet,      thinking that Shorewall will suddenly believe that
-   is in the      'net' zone.</li>
+the system     is in the      'net' zone.</li>
              <li>Multiple interfaces connected to the same HUB or Switch.
 Given    the way      that the Linux kernel respond to ARP "who-has" requests,
 this    type of setup      does NOT work the way that you expect it to.</li>
@ -154,11 +154,12 @@ policy   (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
  Either can't ping when you think you should be able to or are able to ping
 when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
 href="ping.html"> is described here</a>.<br>
 <h3 align="left">Other Gotchas</h3>
 <ul>
-            <li>Seeing rejected/dropped packets logged out of the INPUT or
+              <li>Seeing rejected/dropped packets logged out of the INPUT 
- FORWARD        chains? This means that:                                
+or  FORWARD        chains? This means that:                              
    <ol>
                <li>your zone definitions are screwed up and the host that
@ -166,14 +167,14 @@ is  sending   the        packets or the destination host isn't in any zone
 (using  an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
 file are you?);         or</li>
                <li>the source and destination hosts are both connected to
-the   same         interface and that interface doesn't have the 'multi'
+ the   same         interface and you don't have a policy or rule for the 
-option   specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+source zone to or from the destination zone.</li>
    </ol>
              </li>
              <li>Remember that Shorewall doesn't automatically allow ICMP
-    type  8 ("ping") requests to be sent between zones. If you want     pings
+     type  8 ("ping") requests to be sent between zones. If you want    
-  to be  allowed between zones, you need a rule of the form:<br>
+pings    to be  allowed between zones, you need a rule of the form:<br>
               <br>
                   ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;   
     icmp        echo-request<br>
@ -183,39 +184,32 @@ have   the      following in /etc/shorewall/nat:<br>
               <br>
                   10.1.1.2    eth0        130.252.100.18<br>
               <br>
-             and you ping 130.252.100.18, unless you have allowed icmp type 
+               and you ping 130.252.100.18, unless you have allowed icmp
- 8  between  the     zone containing the system you are pinging from and the
+type   8  between  the     zone containing the system you are pinging from
- zone containing       10.1.1.2, the ping requests will be dropped. This is
+and the  zone containing       10.1.1.2, the ping requests will be dropped. </li>
- true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
+              <li>If you specify "routefilter" for an interface,     that 
-            <li>If you specify "routefilter" for an interface,     that interface 
+interface     must be up prior to starting the firewall.</li>
-   must be up prior to starting the firewall.</li>
+              <li>Is your routing correct? For example, internal systems
-            <li>Is your routing correct? For example, internal systems usually
+usually     need to      be configured with their default gateway set to
-   need to      be configured with their default gateway set to the IP address
+the IP address     of their      nearest firewall interface. One often overlooked
-   of their      nearest firewall interface. One often overlooked aspect
+aspect of   routing is that      in order for two hosts to communicate, the
-of   routing is that      in order for two hosts to communicate, the routing
+routing  between  them must be set      up <u>in both directions.</u> So
-between  them must be set      up <u>in both directions.</u> So when setting
+when setting  up routing   between <b>A</b>      and<b> B</b>, be sure to
-up routing   between <b>A</b>      and<b> B</b>, be sure to verify that the
+verify that the  route from       <b>B</b> back to <b>A</b>      is defined.</li>
-route from       <b>B</b> back to <b>A</b>      is defined.</li>
+              <li>Some versions of LRP (EigerStein2Beta for example) have 
-            <li>Some versions of LRP (EigerStein2Beta for example) have a 
+a      shell  with broken variable expansion. <a
    shell  with broken variable expansion. <a
 href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected 
    shell from the Shorewall Errata download site.</a>     </li>
              <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-            <li>Some features require the "ip" program. That     program
+              <li>Shorewall requires the "ip" program. That     program  is
-is  generally   included in the "iproute" package which should     be included 
+ generally   included in the "iproute" package which should     be included 
  with your  distribution (though many distributions don't install     iproute 
  by     default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
     .</li>
-            <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts 
+                           <li>Problems with NAT? Be sure that you let Shorewall 
-   then the zone must be entirely   defined in /etc/shorewall/hosts unless 
+add all      external  addresses to be use with NAT unless you have set <a
 you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). 
  For example, if a zone has two interfaces but   only one interface has an
  entry in /etc/shorewall/hosts then hosts attached to   the other interface 
  will     <u>not</u> be considered part of the zone.</li>
            <li>Problems with NAT? Be sure that you let Shorewall add all 
    external  addresses to be use with NAT unless you have set <a
 href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
 </ul>
@ -228,10 +222,12 @@ is  generally   included in the "iproute" package which should     be included
 <blockquote> </blockquote>
                  </font>                     
-<p><font size="2">Last updated 1/7/2003 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 2/21/2003 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -60,24 +60,22 @@ Frame    Relay,    dial-up    ...</li>
     applet. From the Mandrake Control Center, select "Network &amp; Internet"
     then "Connection Sharing".<br>
 </b></p>
 <p><b>Note however, that the Shorewall configuration produced by Mandrake 
 Internet Connection Sharing is strange and is apt to confuse you if you use 
-the rest of this documentation (it has two local zones; "loc" and "masq"
+the rest of this documentation (it has two local zones; "loc" and "masq" where
-where "loc" is empty; this conflicts with this documentation which assumes
+"loc" is empty; this conflicts with this documentation which assumes a single
-a single local zone "loc"). We therefore recommend that once you have set
+local zone "loc"). We therefore recommend that once you have set up this
-up this sharing that you uninstall the Mandrake Shorewall RPM and install
+sharing that you uninstall the Mandrake Shorewall RPM and install the one
-the one from the <a href="download.htm">download page</a> then follow the
+from the <a href="download.htm">download page</a> then follow the instructions
-instructions in this Guide.</b><br>
+in this Guide.</b><br>
  </p>
-<p><br>
+<p>Shorewall requires that you have the iproute/iproute2 package installed
         </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
        (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
-tell     if  this  package is installed by the presence of an <b>ip</b> program 
+ tell     if  this  package is installed by the presence of an <b>ip</b>
-  on   your  firewall  system. As root, you can use the 'which' command to 
+program    on   your  firewall  system. As root, you can use the 'which'
- check   for this  program:</p>
+command to   check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -86,8 +84,8 @@ tell     if  this  package is installed by the presence of an <b>ip</b> program
        changes. Points at which configuration changes are  recommended are
  flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-               . Configuration notes that are unique to LEAF/Bering are marked
+                . Configuration notes that are unique to LEAF/Bering are
- with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
+marked  with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
 height="36">
   </p>
@ -95,8 +93,9 @@ tell     if  this  package is installed by the presence of an <b>ip</b> program
                     If you edit your configuration files on a Windows system,
   you   must   save them as  Unix files if your editor supports that option
   or you   must  run them through  dos2unix before trying to use them. Similarly,
-  if   you copy  a configuration file  from your Windows hard drive to a floppy
+   if   you copy  a configuration file  from your Windows hard drive to a
-   disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+floppy    disk, you must run dos2unix against the  copy before using it with
 Shorewall.</p>
 <ul>
                   <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
@ -120,12 +119,12 @@ a  few  of  these as described in this guide.  After you have <a
 /etc/shorewall        (these files will replace files with the same name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual
-       file on your system -- each file contains detailed  configuration instructions
+        file on your system -- each file contains detailed  configuration
-       and default entries.</p>
+instructions        and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a
-       set of  <i>zones.</i> In the two-interface sample configuration, the 
+        set of  <i>zones.</i> In the two-interface sample configuration,
-  following     zone names are used:</p>
+the    following     zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -171,8 +170,8 @@ file     matches  the connection  request then the first policy in /etc/shorewal
 DROP      the request is first  checked against the rules in /etc/shorewall/common
     (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample has
+<p>The /etc/shorewall/policy file included with the two-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>                                                   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -263,9 +262,9 @@ firewall     to  the     internet (if you uncomment the additional policy)</li>
 height="635">
                </p>
-<p align="left">The firewall has two network interfaces. Where Internet 
+<p align="left">The firewall has two network interfaces. Where Internet  connectivity
-connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+is through a cable or DSL "Modem", the <i>External Interface</i>  will be
- will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
        <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
         over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
   <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
@ -281,9 +280,9 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
        (eth1  or eth0) and will be connected to a hub or switch. Your other
-  computers     will be  connected to the same hub/switch (note: If you have 
+   computers     will be  connected to the same hub/switch (note: If you
-  only a single     internal system,  you can connect the firewall directly 
+have    only a single     internal system,  you can connect the firewall
-  to the computer   using  a <i>cross-over </i> cable).</p>
+directly    to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
@ -296,22 +295,23 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
 width="13" height="13">
                    The Shorewall two-interface sample configuration assumes
  that    the   external  interface is <b>eth0</b> and the internal interface
- is <b>eth1</b>.     If your  configuration is different, you will have to 
+  is <b>eth1</b>.     If your  configuration is different, you will have
- modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+to   modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-  file    accordingly.  While you are there, you may wish to  review the
+  file    accordingly.  While you are there, you may wish to  review the list
-list   of options   that are  specified for the interfaces. Some hints:</p>
+  of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
                   <li>                                                 
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
-       you can replace the    "detect" in the second column with "-".   </p>
+        you can replace the    "detect" in the second column with "-".  
    </p>
                  </li>
                  <li>                                                  
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
-       or if you have a static IP    address, you can remove "dhcp" from the
+        or if you have a static IP    address, you can remove "dhcp" from
-   option    list. </p>
+the    option    list. </p>
                  </li>
 </ul>
@ -321,15 +321,15 @@ list   of options   that are  specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet
         Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
  a  single    <i> Public</i> IP address. This address may be assigned via
-the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
+ the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
- your  connection   when you dial in (standard modem) or establish your PPP
+establishing  your  connection   when you dial in (standard modem) or establish
- connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
+your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
-address; that  means that  you  configure your firewall's external interface 
+IP address; that  means that  you  configure your firewall's external interface
   to use that  address permanently.<i>  </i>However your external address
-is  assigned, it  will be shared by all of your systems when you access the 
+ is  assigned, it  will be shared by all of your systems when you access
- Internet. You will have to assign your  own addresses in your  internal network
+the   Internet. You will have to assign your  own addresses in your  internal
-(the Internal  Interface on your firewall  plus your other  computers). RFC
+network (the Internal  Interface on your firewall  plus your other  computers).
-1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
+RFC 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">                   
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -338,8 +338,8 @@ is  assigned, it  will be shared by all of your systems when you access the
 <div align="left">                   
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                      Before starting Shorewall, you should look at the IP
+                       Before starting Shorewall, you should look at the
- address     of  your  external    interface and if it is one of the above
+IP  address     of  your  external    interface and if it is one of the above 
 ranges, you    should  remove  the    'norfc1918' option from the external 
 interface's   entry  in    /etc/shorewall/interfaces.</p>
                </div>
@ -347,15 +347,15 @@ is  assigned, it  will be shared by all of your systems when you access the
 <div align="left">                   
 <p align="left">You will want to assign your addresses from the same <i> 
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
-          to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a 
+           to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
-subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address 
+a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
 x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is
 reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
 a subnet  is  described  using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
  </i>(CIDR)  notation</a> with consists of the subnet  address followed
- by "/24". The  "24" refers to the number of    consecutive  leading "1" bits
+   by "/24". The  "24" refers to the number of    consecutive  leading "1"
-from the left  of the subnet mask. </p>
+bits from the left  of the subnet mask. </p>
                </div>
 <div align="left">                   
@ -415,8 +415,8 @@ the   above    diagram)   should be configured with their<i>    default gateway<
 <p align="left">The foregoing short discussion barely scratches the surface
         regarding subnetting and routing. If you are interested in learning
   more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
-       What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
+        What Everyone  Needs to Know about Addressing &amp; Routing",</i>
-      A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
         your network as shown here:</p>
@ -431,33 +431,33 @@ the   above    diagram)   should be configured with their<i>    default gateway<
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
        <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
- your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 
+  your external interface an RFC 1918 address. If that address is in the
- subnet then you will need to select a DIFFERENT RFC 1918 subnet for your 
+10.10.10.0/24   subnet then you will need to select a DIFFERENT RFC 1918
-local network.</b><br>
+subnet for your  local network.</b><br>
     </p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
        to as <i>non-routable</i> because the Internet backbone routers don't
-   forward    packets  which have an RFC-1918 destination address. When one 
+    forward    packets  which have an RFC-1918 destination address. When
-  of your local    systems  (let's assume computer 1) sends a connection request
+one    of your local    systems  (let's assume computer 1) sends a connection
-   to an internet    host, the  firewall must perform <i>Network Address
+request    to an internet    host, the  firewall must perform <i>Network
-Translation     </i>(NAT).    The firewall  rewrites the source address in
+Address Translation     </i>(NAT).    The firewall  rewrites the source address
-the packet to   be the address    of the firewall's  external interface; in
+in the packet to   be the address    of the firewall's  external interface;
-other words,   the firewall makes    it look as if the firewall  itself is
+in other words,   the firewall makes    it look as if the firewall  itself
-initiating the   connection.  This is   necessary so that the  destination 
+is initiating the   connection.  This is   necessary so that the  destination
 host will be able   to route return packets   back to the firewall  (remember
 that packets whose   destination address is   reserved by RFC 1918 can't
 be routed across the   internet so the remote host  can't address its response
 to  computer 1).  When the firewall receives a return packet, it  rewrites
-the destination address  back to 10.10.10.1  and  forwards the packet on to
+ the destination address  back to 10.10.10.1  and  forwards the packet on
-computer 1. </p>
+to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> but you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
                   <li>                                                 
@ -483,9 +483,9 @@ computer 1. </p>
 height="13">
                    If your external firewall interface is <b>eth0</b>, you 
 do  not    need   to modify the file provided with the sample. Otherwise, 
- edit   /etc/shorewall/masq      and change the first column to the name
+ edit   /etc/shorewall/masq      and change the first column to the name of
-of  your  external  interface and    the  second column to the name of your
+ your  external  interface and    the  second column to the name of your internal
-internal   interface.</p>
+  interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
@ -498,8 +498,8 @@ internal   interface.</p>
        <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
            If you are using the Debian package, please check your shorewall.conf
-   file to ensure that the following are set correctly; if they are not, change
+    file to ensure that the following are set correctly; if they are not,
-   them appropriately:<br>
+change    them appropriately:<br>
        </p>
 <ul>
@ -513,12 +513,12 @@ internal   interface.</p>
 <p align="left">One of your goals may be to run one or more servers on your
         local computers. Because these computers have RFC-1918 addresses,
-it   is   not  possible for clients on the internet to connect directly to 
+ it   is   not  possible for clients on the internet to connect directly
-them.   It   is rather  necessary for those clients to address their connection 
+to  them.   It   is rather  necessary for those clients to address their
- requests     to the firewall  who rewrites the destination address to the 
+connection   requests     to the firewall  who rewrites the destination address
- address of   your   server and forwards  the packet to that server. When 
+to the   address of   your   server and forwards  the packet to that server.
-your server responds,     the firewall automatically  performs SNAT to rewrite 
+When  your server responds,     the firewall automatically  performs SNAT
- the source address   in  the response.</p>
+to rewrite   the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
        Destination Network Address Translation</i> (DNAT). You configure 
@ -592,9 +592,9 @@ port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <ul>
                   <li>You must test the above rule from a client outside 
 of  your   local    network    (i.e., don't test from a browser running on 
-computers     1 or 2  or  on the    firewall). If you want to be able to
+computers     1 or 2  or  on the    firewall). If you want to be able to access
-access your  web   server  using  the IP    address of your external interface,
+your  web   server  using  the IP    address of your external interface, see
-see <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
+    <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
                   <li>Many ISPs block incoming connection requests to port 
 80.   If  you   have     problems connecting to your web server, try the 
 following   rule and  try     connecting to port 5000.</li>
@ -637,10 +637,10 @@ DNAT   rules    that  you require.</p>
 <p align="left">Normally, when you connect to your ISP, as part of getting
        an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
-      will be  automatically configured (e.g., the /etc/resolv.conf file will
+       will be  automatically configured (e.g., the /etc/resolv.conf file
-    be  written).  Alternatively, your ISP may have given you the IP address
+will     be  written).  Alternatively, your ISP may have given you the IP
-   of a  pair of DNS <i> name servers</i> for you to manually configure as
+address    of a  pair of DNS <i> name servers</i> for you to manually configure
- your    primary  and secondary  name servers. Regardless of how DNS gets 
+as  your    primary  and secondary  name servers. Regardless of how DNS gets
 configured    on your  firewall, it is <u>your</u> responsibility to configure
 the resolver    in your   internal systems. You can take one of two approaches:</p>
@ -663,12 +663,12 @@ the resolver    in your   internal systems. You can take one of two approaches:<
    firewall.<i>          </i>Red Hat has an RPM for a caching name server 
 (the  RPM also    requires    the 'bind' RPM) and for Bering users, there 
 is dnscache.lrp.  If you    take   this approach, you configure your internal 
- systems to use  the firewall    itself as their primary (and only) name
+ systems to use  the firewall    itself as their primary (and only) name server.
-server.  You use the  internal IP     address of the firewall (10.10.10.254
+ You use the  internal IP     address of the firewall (10.10.10.254 in the
-in the  example above)  for the name       server address. To allow your
+ example above)  for the name       server address. To allow your local systems
-local systems  to talk to  your caching name      server, you must open port
+ to talk to  your caching name      server, you must open port 53 (both UDP
-53 (both UDP  and TCP) from  the local network   to the    firewall; you
+ and TCP) from  the local network   to the    firewall; you do that by adding
-do that by adding  the following  rules in /etc/shorewall/rules.       </p>
+ the following  rules in /etc/shorewall/rules.       </p>
                  </li>
 </ul>
@ -883,19 +883,19 @@ do that by adding  the following  rules in /etc/shorewall/rules.       </p>
 <div align="left">                   
 <p align="left">Those two rules would of course be in addition to the rules
-          listed above under "You can configure a Caching Name Server on your
+           listed above under "You can configure a Caching Name Server on
-    firewall"</p>
+your     firewall"</p>
                </div>
 <div align="left">                   
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
                </div>
 <div align="left">                   
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-          the internet because it uses clear text (even for login!). If you 
+           the internet because it uses clear text (even for login!). If
-  want     shell    access to your firewall from the internet, use SSH:</p>
+you    want     shell    access to your firewall from the internet, use SSH:</p>
                </div>
 <div align="left">                   
@ -980,8 +980,8 @@ uses, look <a href="ports.htm">here</a>.</p>
 <p align="left"><br>
   <img border="0" src="images/BD21298_.gif" width="13" height="13">
-                   Now edit your    /etc/shorewall/rules file to add or delete
+                    Now edit your    /etc/shorewall/rules file to add or
-   other    connections  as required.</p>
+delete    other    connections  as required.</p>
                </div>
 <div align="left">                   
@ -994,8 +994,8 @@ uses, look <a href="ports.htm">here</a>.</p>
                   The <a href="Install.htm">installation procedure </a>
  configures       your system to start Shorewall at system boot  but beginning
 with Shorewall      version 1.3.9 startup is disabled so that your system
-won't try to start     Shorewall before configuration is complete. Once you 
+ won't try to start     Shorewall before configuration is complete. Once
-have completed configuration     of your firewall, you can enable Shorewall 
+you  have completed configuration     of your firewall, you can enable Shorewall
 startup by removing the file   /etc/shorewall/startup_disabled.<br>
                </p>
@ -1020,8 +1020,8 @@ your Netfilter          configuration, use "shorewall clear".</p>
 height="13">
                    The two-interface sample assumes that you want to enable
     routing     to/from <b>eth1 </b>(the local network) when Shorewall is
-stopped.  If    your local network isn't connected to <b>eth1</b> or if you 
+ stopped.  If    your local network isn't connected to <b>eth1</b> or if
-wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped
+you  wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped 
   accordingly.</p>
                </div>
@ -1030,18 +1030,19 @@ wish to  enable       access to/from other hosts, change /etc/shorewall/routesto
        the    internet, do not issue a "shorewall stop" command unless you
  have     added an    entry for the IP address that you are connected from
  to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-     Also, I don't recommend using "shorewall restart"; it is better to create 
+      Also, I don't recommend using "shorewall restart"; it is better to
-       an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
+create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
-       and    test it using the <a
+configuration</a></i>        and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
                </div>
-<p align="left"><font size="2">Last updated 2/13/2003 - <a
+<p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
  Thomas      M. Eastep</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/upgrade_issues.htm
+++ b/STABLE/documentation/upgrade_issues.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Upgrade Issues</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -31,6 +32,72 @@
 <p>For upgrade instructions see the                               <a
 href="Install.htm">Install/Upgrade page</a>.</p>
 <h3> </h3>
 <h3>Version &gt;= 1.4.0</h3>
 <b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package 
 ('ip' utility).</b><br>
 <br>
 If you are upgrading from a version &lt; 1.4.0, then:<br>
 <ul>
      <li>The <b>noping </b>and <b>forwardping</b> interface options are
 no  longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. 
 ICMP echo-request (ping) packets are treated just like any other connection 
 request and are subject to rules and policies.</li>
      <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in 
 /etc/shorewall/interfaces   now generate a Shorewall error at startup (they
 always have produced warnings   in iptables).</li>
      <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
 Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
 are  determined by BOTH the interfaces and hosts files when there are entries
 for the zone in both files.</li>
      <li>The <b>routestopped</b> option in the interfaces and hosts file 
 has  been eliminated; use entries in the routestopped file instead.</li>
      <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer 
  accepted; you must convert to using the new syntax.</li>
      <li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
  supported.  Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
      <li value="6">Late-arriving DNS replies are not dropped by default; 
 there  is no need for your own /etc/shorewall/common file simply to avoid 
 logging  these packets.</li>
      <li value="6">The 'firewall', 'functions' and 'version' file have been
  moved to /usr/share/shorewall.</li>
     <li value="6">The icmp.def file has been removed. If you include it
 from  /etc/shorewall/icmpdef, you will need to modify that file.</li>
    <li value="8">The 'multi' interface option is no longer supported.  Shorewall 
 will generate rules for sending packets back out the same interface that 
 they arrived on in two cases:</li>
 </ul>
 <ul>
  <ul>
      <li>There is an <u>explicit</u> policy for the source zone to or from
 the destination zone. An explicit policy names both zones and does not use
 the 'all' reserved word.</li>
  </ul>
  <ul>
      <li>There are one or more rules for traffic for the source zone to
 or  from the destination zone including rules that use the 'all' reserved
 word.  Exception: if the source zone and destination zone are the same then
 the rule must be explicit - it must name the zone in both the SOURCE and
 DESTINATION  columns.</li>
  </ul>
  <li>If you followed the advice in FAQ #2 and call find_interface_address
 in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
  </li>
 </ul>
 <ul>
 </ul>
 <h3>Version &gt;= 1.3.14</h3>
     <img src="images/BD21298_3.gif" alt="" width="13" height="13">
          Beginning in version 1.3.14, Shorewall treats entries in <a
@ -39,13 +106,15 @@ involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
   <b>column</b>:<br>
 <ul>
-   <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface 
+        <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the 
-(as shown by "ip addr show <i>interface</i>") and would masquerade traffic 
+ interface  (as shown by "ip addr show <i>interface</i>") and would masquerade 
-from that subnet. Any other subnets that routed through eth1 needed their 
+ traffic  from that subnet. Any other subnets that routed through eth1 needed 
-own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li>
+ their  own entry in /etc/shorewall/masq to be masqueraded or to have SNAT 
-   <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing 
+ applied.</li>
-table to determine ALL subnets routed through the named interface. Traffic 
+        <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
-originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
+ routing   table to determine ALL subnets routed through the named interface.
 Traffic   originating in ANY of those subnets is masqueraded or has SNAT
 applied.</li>
 </ul>
      You will need to make a change to your configuration if:<br>
@ -76,16 +145,17 @@ to:<br>
 <pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
      <img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.
+         Version 1.3.14 also introduced simplified ICMP echo-request (ping) 
-The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used
+ handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
-to specify that the old (pre-1.3.14) ping handling is to be used (If the
+ is used  to specify that the old (pre-1.3.14) ping handling is to be used 
-option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
+ (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes 
  is assumed). I don't plan on supporting the old handling indefinitely so 
 I urge current users to migrate to using the new handling as soon as possible. 
  See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
 <h3>Version 1.3.10</h3>
-  If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
+       If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
- 1.3.10, you will need to use the '--force' option:<br>
+to  version   1.3.10, you will need to use the '--force' option:<br>
       <br>
 <blockquote>                     
@ -93,8 +163,8 @@ See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
       </blockquote>
 <h3>Version &gt;= 1.3.9</h3>
-    The 'functions' file has moved to /usr/lib/shorewall/functions. If you
+         The 'functions' file has moved to /usr/lib/shorewall/functions.
- have  an application that uses functions from that file, your application
+If  you   have  an application that uses functions from that file, your application 
   will need to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.8</h3>
@ -125,19 +195,19 @@ See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
   1.3.3 and later:</p>
 <ol>
-                                       <li>Be sure you have a backup -- you 
+                                            <li>Be sure you have a backup 
- will  need                                  to transcribe any Shorewall configuration
+--  you   will  need                                  to transcribe any Shorewall
-                                   changes that you have made to the new
+  configuration                                    changes that you have
-                                 configuration.</li>
+made   to the new                                  configuration.</li>
-                                       <li>Replace the shorwall.lrp package 
+                                            <li>Replace the shorwall.lrp
- provided  on                                  the Bering floppy with the 
+package     provided  on                                  the Bering floppy
-later one.  If you did                                  not obtain the later 
+with the    later one.  If you did                                  not obtain
-version from Jacques's                                  site, see additional 
+the later   version from Jacques's                                  site,
-instructions  below.</li>
+see additional   instructions  below.</li>
                                            <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                      file and remove the /var/lib/shorewall 
- entry  if                                  present. Then do not forget to
+   entry  if                                  present. Then do not forget 
- backup  root.lrp !</li>
+to   backup  root.lrp !</li>
 </ol>
@ -165,16 +235,18 @@ and   1.3.7</p>
                      <br>
                      <font face="Courier">run_iptables -A newnotsyn -j RETURN
   #  So  that the            connection tracking table can be rebuilt<br>
-                                                      # from non-SYN packets
+                                                           # from non-SYN 
-  after  takeover.<br>
+packets     after  takeover.<br>
             </font>  </p>
             </li>
             <li>                                                       
    <p align="left">Create /etc/shorewall/common (if you don't already   
        have that file) and include the following:<br>
                      <br>
-                 <font face="Courier">run_iptables -A common -p tcp --tcp-flags
+                      <font face="Courier">run_iptables -A common -p tcp
-              ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
+--tcp-flags                 ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
 connection<br>
              #tracking table. <br>
                      . /etc/shorewall/common.def</font> </p>
@ -222,7 +294,7 @@ and   1.3.7</p>
                If you have applications that access these files, those applications 
                should be modified accordingly.</p>
-<p><font size="2">  Last updated 1/25/2003 -                             
+<p><font size="2">  Last updated 3/6/2003 -                              
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
@ -230,5 +302,10 @@ and   1.3.7</p>
       </p>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/whitelisting_under_shorewall.htm
+++ b/STABLE/documentation/whitelisting_under_shorewall.htm
@ -1,60 +1,73 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Whitelisting under Shorewall</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Whitelisting under Shorewall</font></h1>
+      <h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <p align="left">For a brief time, the 1.2 version of Shorewall supported an
-/etc/shorewall/whitelist file. This file was intended to contain a list of IP 
+ /etc/shorewall/whitelist file. This file was intended to contain a list of
-addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was 
+IP  addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist 
-implemented as a stop-gap measure until the facilities necessary for 
+file was  implemented as a stop-gap measure until the facilities necessary 
-implementing white lists using zones was in place. As of Version 1.3 RC1, those 
+for  implementing white lists using zones was in place. As of Version 1.3 
-facilities were available.</p>
+RC1, those  facilities were available.</p>
-<p align="left">White lists are most often used to give special privileges to a 
+   
-set&nbsp; of hosts within an organization. Let us suppose that we have the 
+<p align="left">White lists are most often used to give special privileges 
 to a  set  of hosts within an organization. Let us suppose that we have the 
 following environment:</p>
 <ul>
-  <li>A firewall with three interfaces -- one to the internet, one 
+    <li>A firewall with three interfaces -- one to the internet, one    to 
-  to a local network and one to a DMZ.</li>
+a local network and one to a DMZ.</li>
-  <li>The local network uses SNAT to the internet and is comprised 
+    <li>The local network uses SNAT to the internet and is comprised    of 
-  of the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 
+the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 
-  local network, the technique described here in no way depends on that or on 
+   local network, the technique described here in no way depends on that or
-  SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
+on    SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
-  <li>The network operations staff have workstations with IP 
+    <li>The network operations staff have workstations with IP    addresses 
-  addresses in the class C network 10.10.10.0/24</li>
+in the class C network 10.10.10.0/24</li>
-  <li>We want the network operations staff to have full access to 
+    <li>We want the network operations staff to have full access to    all 
-  all other hosts.</li>
+other hosts.</li>
    <li>We want the network operations staff to bypass the transparent  
 HTTP proxy running on our firewall.</li>
 </ul>
 <p align="left">The basic approach will be that we will place the operations 
 staff's class C in its own zone called <b>ops</b>. Here are the appropriate 
 configuration files:</p>
 <h2 align="left">Zone File</h2>
 <blockquote>      
  <table border="2">
                          <tbody>
       <tr>
-         <td><b>
+           <td><b>   ZONE</b></td>
-  ZONE</b></td>
+           <td><b>   DISPLAY</b></td>
-         <td><b>
+           <td><b>   COMMENTS</b></td>
  DISPLAY</b></td>
         <td><b>
  COMMENTS</b></td>
         </tr>
                      <tr>
           <td>net</td>
           <td>Net</td>
@ -76,22 +89,23 @@ configuration files:</p>
           <td>Demilitarized  zone</td>
         </tr>
    </tbody>   
  </table>
  </blockquote>
-<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- since
+   
-<b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
+<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- 
 since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
 <h2>Interfaces File</h2>
 <blockquote>      
  <table border="2">
                            <tbody>
       <tr>
-         <td><b>
+           <td><b>   ZONE</b></td>
-  ZONE</b></td>
+           <td><b>   INTERFACE</b></td>
-         <td><b>
+           <td><b>   BROADCAST</b></td>
-  INTERFACE</b></td>
+           <td><b>   OPTIONS</b></td>
         <td><b>
  BROADCAST</b></td>
         <td><b>
  OPTIONS</b></td>
         </tr>
         <tr>
           <td>net</td>
@ -103,138 +117,140 @@ configuration files:</p>
           <td>dmz</td>
           <td>eth1</td>
           <td>&lt;whatever&gt;</td>
-         <td>routestopped</td>
+           <td><br>
         </td>
         </tr>
         <tr>
           <td>-</td>
           <td>eth2</td>
           <td>10.10.255.255</td>
-         <td>&nbsp;</td>
+           <td> </td>
         </tr>
    </tbody>   
  </table>
  </blockquote>
-<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, we 
+   
-don't specify a zone for it here.</p>
+<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, 
 we  don't specify a zone for it here.</p>
 <h2>Hosts File</h2>
-<blockquote>
+   
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">            
                                                                </font> 
  <table border="2">
                                      <tbody>
       <tr>
-         <td><b>
+           <td><b>   ZONE</b></td>
-  ZONE</b></td>
+           <td><b>   HOST(S)</b></td>
-         <td><b>
+           <td><b>   OPTIONS</b></td>
  HOST(S)</b></td>
         <td><b>
  OPTIONS</b></td>
         </tr>
         <tr>
           <td>ops</td>
           <td>eth2:10.10.10.0/24</td>
- <font face="Century Gothic, Arial, Helvetica">
+   <td><br>
-                                                   
+         </td>
         <td>routestopped</td>
   </font>
             </tr>
         <tr>
           <td>loc</td>
           <td>eth2:0.0.0.0/0</td>
-         <td>&nbsp;</td>
+           <td> </td>
         </tr>
    </tbody>   
  </table>
  </blockquote>
 <p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is 
 stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
-firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 
+ firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather
-10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into 
+than  10.10.0.0/16 so that the limited broadcast address (255.255.255.255) 
-that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for 
+falls into  that zone. If I used 10.10.0.0/16 then I would have to have a 
-that special address.</p>
+separate entry for  that special address.</p>
 <h2>Policy File</h2>
-<blockquote>
+   
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">            
                                                                    </font> 
  <table border="2">
                                        <tbody>
       <tr>
           <td><b>SOURCE</b></td>
           <td><b>DEST</b></td>
-         <td><b>
+           <td><b>   POLICY</b></td>
-  POLICY</b></td>
+           <td><b>   LOG LEVEL</b></td>
         <td><b>
  LOG LEVEL</b></td>
           <td><b>LIMIT:BURST</b></td>
         </tr>
         <tr>
-         <td><font color="#0000FF">ops</font></td>
+           <td><font color="#0000ff">ops</font></td>
-         <td><font color="#0000FF">all</font></td>
+           <td><font color="#0000ff">all</font></td>
-         <td><font color="#0000FF">ACCEPT</font></td>
+           <td><font color="#0000ff">ACCEPT</font></td>
         <td> </td>
-         <td>&nbsp;</td>
+         <td> </td>
         <td>&nbsp;</td>
         </tr>
         <tr>
-         <td><font color="#0000FF">all</font></td>
+           <td><font color="#0000ff">all</font></td>
-         <td><font color="#0000FF">ops</font></td>
+           <td><font color="#0000ff">ops</font></td>
-         <td><font color="#0000FF">CONTINUE</font></td>
+           <td><font color="#0000ff">CONTINUE</font></td>
         <td> </td>
-         <td>&nbsp;</td>
+         <td> </td>
         <td>&nbsp;</td>
         </tr>
         <tr>
           <td>loc</td>
           <td>net</td>
           <td>ACCEPT</td>
- <font face="Century Gothic, Arial, Helvetica">
+   <td> </td>
-                  
+         <td> </td>
         <td>&nbsp;</td>
         <td>&nbsp;</td>
    </font>
              </tr>
         <tr>
           <td>net</td>
           <td>all</td>
           <td>DROP</td>
           <td>info</td>
-         <td>&nbsp;</td>
+           <td> </td>
         </tr>
         <tr>
           <td>all</td>
           <td>all</td>
           <td>REJECT</td>
           <td>info</td>
-         <td>&nbsp;</td>
+           <td> </td>
         </tr>
    </tbody>   
  </table>
  </blockquote>
-<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy file.
+   
-<font color="#FF0000"><b>WARNING: You must be running Shorewall 1.3.1 or later 
+<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy 
-for the above to work properly.</b></font></p>
+file.<font color="#ff0000"><b></b></font></p>
 <h2>Rules File</h2>
-<blockquote>
+   
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">          </font> 
  <table border="2">
                                                    <tbody>
       <tr>
    <font face="Century Gothic, Arial, Helvetica">
      <td><b>ACTION</b></td>
           <td><b>SOURCE</b></td>
           <td><b>DEST</b></td>
-         <td><b>
+           <td><b>   PROTO</b></td>
  PROTO</b></td>
           <td><b>DEST<br>
    PORT(S)</b></td>
           <td><b>SOURCE<br>
           PORT(S)</b></td>
           <td><b>ORIGINAL<br>
           DEST</b></td>
    </font>
                                                         </tr>
         <tr>
           <td>REDIRECT</td>
@ -242,40 +258,69 @@ for the above to work properly.</b></font></p>
           <td>3128</td>
           <td>tcp</td>
           <td>http</td>
-         <td>&nbsp;</td>
+           <td> </td>
-         <td>&nbsp;</td>
+           <td> </td>
         </tr>
         <tr>
           <td>...</td>
-         <td>&nbsp;</td>
+           <td> </td>
-         <td>&nbsp;</td>
+           <td> </td>
-         <td>&nbsp;</td>
+           <td> </td>
-         <td>&nbsp;</td>
+           <td> </td>
-         <td>&nbsp;</td>
+           <td> </td>
-         <td>&nbsp;</td>
+           <td> </td>
         </tr>
    </tbody>   
  </table>
  </blockquote>
 <p>This is the rule that transparently redirects web traffic to the transparent 
-proxy running on the firewall. The SOURCE column explicitly excludes the <b>ops</b> 
+ proxy running on the firewall. The SOURCE column explicitly excludes the 
-zone from the rule.</p>
+<b>ops</b>  zone from the rule.</p>
 <h2>Routestopped File</h2>
 <blockquote>
  <table border="2">
    <tbody>
      <tr>
        <td><b>INTERFACE</b><br>
        </td>
          <td><b>   HOST(S)</b></td>
                  </tr>
        <tr>
        <td valign="top">eth1<br>
        </td>
        <td valign="top"><br>
        </td>
      </tr>
      <tr>
          <td>eth2<br>
        </td>
          <td>10.10.10.0/24</td>
              </tr>
    </tbody>
  </table>
 <br>
 </blockquote>
-                                                                                  <p><font size="2">
+                                     
-  Updated 5/31/2002 - <a href="support.htm">Tom 
+<p><font size="2">   Updated 2/18/2003 - <a href="support.htm">Tom  Eastep</a>
 Eastep</a>
    </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-  © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
+   © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
                            <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.3.14
+VERSION=1.4.0
 usage() # $1 = exit status
 {
@ -49,14 +49,18 @@ restore_file() # $1 = file to restore
    fi
 }
-if [ ! -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
+if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
    echo "Shorewall Version $VERSION is not installed"
    exit 1
 fi
 echo "Backing Out Installation of Shorewall $VERSION"
-if [ -L /usr/lib/shorewall/firewall ]; then
+if [ -L /usr/share/shorewall/init ]; then
    FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'`
    restore_file $FIREWALL
    restore_file /usr/share/shorewall/firewall
 elif [ -L /usr/lib/shorewall/firewall ]; then
    FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
    restore_file $FIREWALL
 elif [ -L /var/lib/shorewall/firewall ]; then
@ -127,6 +131,8 @@ restore_file /etc/shorewall/stop
 restore_file /etc/shorewall/stopped
 restore_file /etc/shorewall/ecn
 if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
    restore_file /usr/lib/shorewall/version
    oldversion="`cat /usr/lib/shorewall/version`"
--- a/STABLE/firewall
+++ b/STABLE/firewall
--- a/STABLE/functions
+++ b/STABLE/functions
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 1.3 -- /usr/lib/shorewall/functions
+# Shorewall 1.4 -- /usr/lib/shorewall/functions
 #
 # Suppress all output for a command
@ -29,6 +29,21 @@ separate_list() {
    local list
    local part
    local newlist
    #
    # There's been whining about us not catching embedded white space in
    # comma-separated lists. This is an attempt to snag some of the cases.
    #
    # The 'terminator' function will be set by the 'firewall' script to
    # either 'startup_error' or 'fatal_error' depending on the command and
    # command phase
    #
    case "$@" in
 	*,|,*|*,,*|*[[:space:]]*)
            [ -n "$terminator" ] && \
 		$terminator "Invalid comma-separated list \"$@\""
            echo "Warning -- invalid comma-separated list \"$@\"" >&2
 	    ;;
    esac
    list="$@"
    part="${list%%,*}"
--- a/STABLE/hosts
+++ b/STABLE/hosts
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/hosts
+# Shorewall 1.4 - /etc/shorewall/hosts
 #
 #    WARNING: 90% of Shorewall users don't need to add entries to this
 #             file and 80% of those who try to add such entries get it
@ -30,11 +30,6 @@
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
 #
 #			routestopped - (Deprecated -- use
 #				       /etc/shorewall/routestopped)
 #				       route messages to and from this
 #				       member when the firewall is in the
 #				       stopped state
 #			maclist	     - Connection requests from these hosts
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
--- a/STABLE/init
+++ b/STABLE/init
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/init
+# Shorewall 1.4 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
--- a/STABLE/init.sh
+++ b/STABLE/init.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.14
+VERSION=1.4.0
 usage() # $1 = exit status
 {
@ -93,6 +93,18 @@ backup_file() # $1 = file to backup
    fi
 }
 delete_file() # $1 = file to delete
 {
    if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
 	if (mv $1 ${1}-${VERSION}.bkout); then
 	    echo
 	    echo "$1 moved to ${1}-${VERSION}.bkout"
        else
 	    exit 1
        fi
    fi
 }
 modify_rclocal()
 {
    if [ -f /etc/rc.d/rc.local ]; then
@ -261,10 +273,10 @@ echo
 echo  "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
 #
-# Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed
+# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
 mkdir -p ${PREFIX}/etc/shorewall
-mkdir -p ${PREFIX}/usr/lib/shorewall
+mkdir -p ${PREFIX}/usr/share/shorewall
 mkdir -p ${PREFIX}/var/lib/shorewall
 #
 # Install the config file
@ -300,10 +312,10 @@ if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
    rm -f  ${PREFIX}/var/lib/shorewall/functions
 fi
-install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
+install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
 echo
-echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions"
+echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
 #
 # Install the common.def file
 #
@ -311,13 +323,11 @@ install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
 echo
 echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
 #
 # Install the icmp.def file
 #
 install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
-echo
+#
-echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
+# Delete the icmp.def file
 #
 delete_file icmp.def
 #
 # Install the policy file
@ -528,10 +538,22 @@ else
    echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
 fi
 #
 # Install the ECN file
 #
 if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
    backup_file /etc/shorewall/ecn
 else
    run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
    echo
    echo "ECN  file installed as ${PREFIX}/etc/shorewall/ecn"
 fi
 #
 # Backup the version file
 #
 if [ -z "$PREFIX" ]; then
-    if [ -f /usr/lib/shorewall/version ]; then
+    if [ -f /usr/share/shorewall/version ]; then
 	backup_file /usr/share/shorewall/version
    elif [ -f /usr/lib/shorewall/version ]; then
 	backup_file /usr/lib/shorewall/version
    elif [ -n "$oldversion" ]; then
 	echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
@ -542,10 +564,10 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${PREFIX}/usr/lib/shorewall/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
-chmod 644 ${PREFIX}/usr/lib/shorewall/version
+chmod 644 ${PREFIX}/usr/share/shorewall/version
 #
-# Remove and create the symbolic link to the firewall script
+# Remove and create the symbolic link to the init script
 #
 if [ -z "$PREFIX" ]; then
@ -554,12 +576,13 @@ if [ -z "$PREFIX" ]; then
    [ -L /usr/lib/shorewall/firewall ] && \
 	mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
    rm -f /usr/lib/shorewall/init
-    ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init
+    rm -f /usr/share/shorewall/init
    ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init
 fi
 #
 # Install the firewall script
 #
-install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544
+install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
 if [ -z "$PREFIX" -a -n "$first_install" ]; then
    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/STABLE/interfaces
+++ b/STABLE/interfaces
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Interfaces File
+# Shorewall 1.4 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@ -46,11 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
@ -59,9 +54,6 @@
 #				       enabled in shorewall.conf, packets
 #				       whose destination addresses are
 #				       reserved by RFC 1918 are also rejected.
 #			multi	     - This interface has multiple IP
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
 #                                      option can also be enabled globally in
@ -106,21 +98,19 @@
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
 #			206.191.149.192/27. You have a DMZ with subnet
-#			192.168.2.0/24 using eth2. You want to be able to
+#			192.168.2.0/24 using eth2.
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
 #			net	eth0	206.191.149.223	dhcp
-#			local	eth1	192.168.1.255	routestopped
+#			local	eth1	192.168.1.255
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
 #			net	eth0	detect		dhcp
-#			loc	eth1	detect		routestopped
+#			loc	eth1	detect
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
--- a/STABLE/maclist
+++ b/STABLE/maclist
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - MAC list file
+# Shorewall 1.4 - MAC list file
 #
 # /etc/shorewall/maclist
 #
--- a/STABLE/masq
+++ b/STABLE/masq
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - Masquerade file
+# Shorewall 1.4 - Masquerade file
 #
 # /etc/shorewall/masq
 #
--- a/STABLE/modules
+++ b/STABLE/modules
@ -1,7 +1,12 @@
 ##############################################################################
-# Shorewall 1.3 /etc/shorewall/modules
+# Shorewall 1.4 /etc/shorewall/modules
 #
 # This file loads the modules needed by the firewall.
 #
 # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
 # dependency order. i.e., if M2 depends on M1 then you must load M1 before
 # you load M2.
 #
    loadmodule ip_tables
    loadmodule iptable_filter
--- a/STABLE/nat
+++ b/STABLE/nat
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3  -- Network Address Translation Table
+# Shorewall 1.4  -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
--- a/STABLE/params
+++ b/STABLE/params
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/params
+# Shorewall 1.4 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
@ -11,7 +11,7 @@
 #
 #	NET_IF=eth0
 #	NET_BCAST=130.252.100.255
-#	NET_OPTIONS=noping,norfc1918
+#	NET_OPTIONS=routefilter,norfc1918
 #
 # Example (/etc/shorewall/interfaces record):
 #
@ -19,25 +19,7 @@
 #
 # The result will be the same as if the record had been written
 #
-#	net	eth0		130.252.100.255	noping,norfc1918
+#	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 # Variables can be used in the following places in the other configuration
 # files:
 #
 # /etc/shorewall/interfaces:
 # /etc/shorewall/hosts
 #
 # 	All except the first column.
 #
 # /etc/shorewall/rules
 #
 #	First column after ":".
 #	All remaining columns
 #
 # /etc/shorewall/tunnels
 # /etc/shorewall/proxyarp
 # /etc/shorewall/nat
 #
 #	All columns
 ##############################################################################
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
--- a/STABLE/policy
+++ b/STABLE/policy
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Policy File
+# Shorewall 1.4 -- Policy File
 #
 # /etc/shorewall/policy
 #
--- a/STABLE/proxyarp
+++ b/STABLE/proxyarp
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Proxy ARP
+# Shorewall 1.4 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -1,105 +1,94 @@
-This is a minor release of Shorewall that has a couple of new features.
+This is a major release of Shorewall.
-New features include:
+Function from 1.3 that has been omitted from this version includes:
-1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
+1) The MERGE_HOSTS variable in shorewall.conf is no longer
-   set to Yes, Shorewall ping handling is as it has always been (see
+   supported. Shorewall 1.4 behavior is the same as 1.3 with
-   http://www.shorewall.net/ping.html).
+   MERGE_HOSTS=Yes.
-   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
+2) Interface names of the form <device>:<integer> in
-   policies just like any other connection request. The FORWARDPING
+   /etc/shorewall/interfaces now generate an error.
   option in shorewall.conf is ignored and the 'noping' and
   'filterping' options in /etc/shorewall/interfaces will generate an
   error.
-2) It is now possible to direct Shorewall to create a "label" such as
+3) Shorewall 1.4 implements behavior consistent with
-   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+   OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
-   and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
+   at startup as will specification of the 'noping' or 'filterping'
-   instead of just the interface name:
+   interface options.
-   a) In the INTERFACE column of /etc/shorewall/masq
+4) The 'routestopped' option in the /etc/shorewall/interfaces and
-   b) In the INTERFACE column of /etc/shorewall/nat
+   /etc/shorewall/hosts files is no longer supported and will generate
   an error at startup if specified.
-3) The ability to name your VLAN interfaces using the $dev.$vid
+5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
-   convention (e.g., "eth0.0") has been restored. This capability was
+   accepted.
   inadvertently broken in version 1.3.12.
-4) Support has been added for defining OpenVPN tunnels in the
+6) The ALLOWRELATED variable in shorewall.conf is no longer
-   /etc/shorewall/tunnels file.
+   supported. Shorewall 1.4 behavior is the same as 1.3 with
   ALLOWRELATED=Yes.
-5) When an interface name is entered in the SUBNET column of the
+7) The 'multi' interface option is no longer supported. Shorewall will
-   /etc/shorewall/masq file, Shorewall previously masqueraded traffic
+   generate rules for sending packets back out the same interface
-   from only the first subnet defined on that interface. It did not
+   that they arrived on in two cases:
   masquerade traffic from:
-   a) The subnets associated with other addresses on the interface.
+   a) There is an _explicit_ policy for the source zone to the
-   b) Subnets accessed through local routers.
+   destination zone. An explicit policy names both zones and does not
   use the 'all' reserved word.
-   Beginning with Shorewall 1.3.14, if you enter an interface name in
+   b) There are one or more rules for traffic for the source zone to
-   the SUBNET column, shorewall will use the firewall's routing table
+   or from the destination zone including rules that use the 'all'
-   to construct the masquerading/SNAT rules.
+   reserved word. Exception: If the source and the destination are
   the same zone then the rule must be explicit - it must name the zone
   in both the SOURCE and DESTINATION columns.
-   Example 1 -- This is how it works in 1.3.14.
+Changes for 1.4 include:
-   [root@gateway test]# cat /etc/shorewall/masq
+1) shorewall.conf has been completely reorganized into logical
-   #INTERFACE              SUBNET                  ADDRESS
+   sections.
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-   [root@gateway test]# ip route show dev eth2
+2) LOG is now a valid action for a rule (/etc/shorewall/rules).
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
-   [root@gateway test]# ip route show dev eth2
+3) The firewall script and version file are now installed in
-   192.168.1.0/24  scope link
+   /usr/share/shorewall.
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# shorewall start
   ...
   Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
   Processing /etc/shorewall/tos...
-   When upgrading to Shorewall 1.3.14, if you have multiple local
+4. Late arriving DNS replies are now silently dropped in the common
-   subnets connected to an interface that is specified in the SUBNET
+   chain by default.
   column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
   file will need changing. In most cases, you will simply be able to
   remove redundant entries. In some cases though, you might want to change
   from using the interface name to listing specific subnetworks if the
   change described above will cause masquerading to occur on
   subnetworks that you don't wish to masquerade.
-   Example 2 -- Suppose that your current config is as follows:
+5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
   longer unconditionally accepts outbound ICMP packets. So if you want
   to 'ping' from the firewall, you will need the appropriate rule or
   policy.
-   [root@gateway test]# cat /etc/shorewall/masq
+6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   eth0			   192.168.10.0/24	   206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-   [root@gateway test]# ip route show dev eth2
+7) 802.11b devices with names of the form wlan<n> now support the
-   192.168.1.0/24  scope link
+   'maclist' option.
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#
-   In this case, the second entry in /etc/shorewall/masq is no longer
+8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
-   required.
+   utility).
-   Example 3 -- What if your current configuration is like this?
+9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
   off on a host or network basis using the new /etc/shorewall/ecn
   file. To use this facility:
-   [root@gateway test]# cat /etc/shorewall/masq
+   a) You must be running kernel 2.4.20
-   #INTERFACE              SUBNET                  ADDRESS
+   b) You must have applied the patch in
-   eth0                    eth2                    206.124.146.176
+   http://www.shorewall/net/pub/shorewall/ecn/patch.
-   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+   c) You must have iptables 1.2.7a installed.
 10) The /etc/shorewall/params file is now processed first so that
    variables may be used in the /etc/shorewall/shorewall.conf file.
 11) Packets with state INVALID are now silently dropped.
 12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
    compatibility kernel module is loaded and a 'shorewall start'
    command is issued.
 13) The SHARED_DIR variable has been removed from shorewall.conf. This
    variable was for use by package maintainers and was not documented
    for general use.
 14) Shorewall now ignores 'default' routes when detecting masq'd
    networks.
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#
   In this case, you would want to change the entry in
   /etc/shorewall/masq to:
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    192.168.1.0/24          206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE/rfc1918
+++ b/STABLE/rfc1918
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- RFC1918 File
+# Shorewall 1.4 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
@ -25,7 +25,7 @@
 192.0.2.0/24		logdrop		# Example addresses
 192.168.0.0/16		logdrop		# RFC 1918
 #
-# The following are generated using the Python program found at:
+# The following are generated with the help of the Python program found at:
 #
 #	http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
 #
@ -43,6 +43,8 @@
 39.0.0.0/8		logdrop		# Reserved
 41.0.0.0/8		logdrop		# Reserved
 42.0.0.0/8		logdrop		# Reserved
 49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 58.0.0.0/7		logdrop		# Reserved
 60.0.0.0/8		logdrop		# Reserved
 70.0.0.0/7		logdrop		# Reserved
@ -53,6 +55,8 @@
 96.0.0.0/3		logdrop		# Reserved
 127.0.0.0/8		logdrop		# Loopback
 197.0.0.0/8		logdrop		# Reserved
 198.18.0.0/15		logdrop		# Reserved
 201.0.0.0/8		logdrop		# Reserved - Central & South America
 240.0.0.0/4		logdrop		# Reserved
 #
 # End of generated entries
--- a/STABLE/routestopped
+++ b/STABLE/routestopped
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #
@ -12,7 +12,7 @@
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
-#			  addresses. If left empty or supplied as "-", 
+#			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
 #
 # Example:
--- a/STABLE/rules
+++ b/STABLE/rules
@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Rules File
+# Shorewall version 1.4 - Rules File
 #
 # /etc/shorewall/rules
 #
@ -30,18 +30,25 @@
 #					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If
 #					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
-#			Beginning with Shorewall version 1.3.12, you may
+#			You may also specify ULOG (must be in upper case) as a
-#			also specify ULOG (must be in upper case) as a log level.\
+#			log level.This will log to the ULOG target for routing
-#			This will log to the ULOG target and sent to a separate log
+#			to a separate log through use of ulogd
 #			through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #                       defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, or "all" If the ACTION is DNAT or
@ -90,6 +97,8 @@
 #				2. In DNAT rules, only IP addresses are
 #				   allowed; no FQDNs or subnet addresses
 #				   are permitted.
 #				3. You may not specify both an interface and
 #				   an address.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
@ -106,10 +115,8 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			"all" or "related". If "related", the remainder of the
+#			"all".
 #			entry must be omitted and connection requests that are
 #			related to existing requests will be accepted.
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
--- a/STABLE/shorewall
+++ b/STABLE/shorewall
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
+#     Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@ -84,6 +84,7 @@
 #
 # Display a chain if it exists
 #
 showfirstchain() # $1 = name of chain
 {
    awk \
@ -570,24 +571,11 @@ fi
 [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHARED_DIR=/usr/lib/shorewall
 MUTEX_TIMEOUT=
 if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
    config=$SHOREWALL_DIR/shorewall.conf
 else
    config=/etc/shorewall/shorewall.conf
 fi
 if [ -f $config ]; then
    . $config
 else
    echo "$config does not exist!" >&2
    exit 2
 fi
 [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 SHARED_DIR=/usr/share/shorewall
 FIREWALL=$SHARED_DIR/firewall
 FUNCTIONS=$SHARED_DIR/functions
 VERSION_FILE=$SHARED_DIR/version
@ -599,6 +587,15 @@ else
    exit 2
 fi
 config=`find_file shorewall.conf`
 if [ -f $config ]; then
    . $config
 else
    echo "$config does not exist!" >&2
    exit 2
 fi
 if [ ! -f $FIREWALL ]; then
    echo "ERROR: Shorewall is not properly installed"
    if [ -L $FIREWALL ]; then
--- a/STABLE/shorewall.conf
+++ b/STABLE/shorewall.conf
@ -1,5 +1,5 @@
 ##############################################################################
-#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -8,12 +8,7 @@
 #
 #  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
-#
+#                              L O G G I N G
 # You should not have to change the variables in this section -- they are set
 # by the packager of your Shorewall distribution
 #
 SHARED_DIR=/usr/lib/shorewall
 #
 ##############################################################################
 #
 # General note about log levels. Log levels are a method of describing
@ -45,59 +40,19 @@ SHARED_DIR=/usr/lib/shorewall
 # configured to log all Shorewall message to their own log file
 ################################################################################
 #
-# PATH - Change this if you want to change the order in which Shorewall
+# LOG FILE LOCATION
 #        searches directories for executable files.	
 #
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+# This variable tells the /sbin/shorewall program where to look for Shorewall
 # log messages. If not set or set to an empty string (e.g., LOGFILE="") then
 # /var/log/messages is assumed.
 #
 # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
 #          look for Shorewall messages.It does NOT control the destination for
 #          these messages. For information about how to do that, see
 #
 #              http://www.shorewall.net/shorewall_logging.html
-#
+LOGFILE=/var/log/messages
 # NAME OF THE FIREWALL ZONE
 #
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 #
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set this to "".
 #
 SUBSYSLOCK=/var/lock/subsys/shorewall
 #
 # SHOREWALL TEMPORARY STATE DIRECTORY
 #
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 STATEDIR=/var/lib/shorewall
 #
 # ALLOW RELATED CONNECTIONS
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
 # that are related to already established connections. For example, you want
 # to accept FTP data connections. If you say "no" here, then to accept
 # these connections between particular zones or hosts, you must include
 # explicit "related" rules in /etc/shorewall/rules.
 #
 ALLOWRELATED=yes
 #
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
 #
 # LOG RATE LIMITING
@ -132,25 +87,122 @@ LOGBURST=
 # packets are logged under the 'logunclean' interface option. If the variable
 # is empty, these packets will still be logged at the 'info' level.
 #
-# See the comment at the top of this file for a description of log levels
+# See the comment at the top of this section for a description of log levels
 #
 LOGUNCLEAN=info
 #
-# LOG FILE LOCATION
+# BLACKLIST LOG LEVEL
 #
-# This variable tells the /sbin/shorewall program where to look for Shorewall
+# Set this variable to the syslogd level that you want blacklist packets logged
-# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# (beware of DOS attacks resulting from such logging). If not set, no logging
-# /var/log/messages is assumed.
+# of blacklist packets occurs.
 #
-# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+# See the comment at the top of this section for a description of log levels
 #          look for Shorewall messages.It does NOT control the destination for
 #          these messages. For information about how to do that, see
 #
-#              http://www.shorewall.net/FAQ.htm#faq6
+BLACKLIST_LOGLEVEL=
-LOGFILE=/var/log/messages
+#
 # LOGGING 'New not SYN' rejects
 #
 # This variable only has an effect when NEWNOTSYN=No (see below).
 #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged,
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this section for a description of log levels
 #
 RFC1918_LOG_LEVEL=info
 ################################################################################
 #       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
 ################################################################################
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set this to "".
 #
 SUBSYSLOCK=/var/lock/subsys/shorewall
 #
 # SHOREWALL TEMPORARY STATE DIRECTORY
 #
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 STATEDIR=/var/lib/shorewall
 #
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################
 # NAME OF THE FIREWALL ZONE
 #
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 #
 # ENABLE NAT SUPPORT
@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No
 TC_ENABLED=No
 #
-# BLACKLIST DISPOSITION
+# Clear Traffic Shapping/Control
 #
-# Set this variable to the action that you want to perform on packets from
+# If this option is set to 'No' then Shorewall won't clear the current
-# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# traffic control rules during [re]start. This setting is intended
-# DROP is assumed.
+# for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
-BLACKLIST_DISPOSITION=DROP
+# If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #
-# BLACKLIST LOG LEVEL
+# Mark Packets in the forward chain
 #
-# Set this variable to the syslogd level that you want blacklist packets logged
+# When processing the tcrules file, Shorewall normally marks packets in the
-# (beward of DOS attacks resulting from such logging). If not set, no logging
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# of blacklist packets occurs.
+# this to "Yes". If not specified or if set to the empty value (e.g.,
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
-# See the comment at the top of this file for a description of log levels
+# Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
-BLACKLIST_LOGLEVEL=
+# Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #
 # MSS CLAMPING
@ -335,39 +403,6 @@ MULTIPORT=No
 DETECT_DNAT_IPADDRS=No
 #
 # MERGE HOSTS FILE
 #
 # The traditional behavior of the /etc/shorewall/hosts file has been that
 # if that file has ANY entry for a zone then the zone must be defined 
 # entirely in the hosts file. This is counter-intuitive and has caused 
 # people some problems.
 #
 # By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
 # is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
 # are added to the contents described in the /etc/shorewall/interfaces file.
 #
 # Example: Suppose that we have the following interfaces and hosts files:
 #
 # Interfaces:
 #
 #	net	eth0
 #	loc	eth1	
 #	-	ppp+
 #
 # Hosts:
 #
 #	loc	ppp+:192.168.1.0/24
 #	wrk	ppp+:!192.168.1.0/24
 #
 # With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
 # ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
 # ppp+:192.168.1.0 and eth1:0.0.0.0/0
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
 MERGE_HOSTS=Yes
 #
 # MUTEX TIMEOUT
 #
@ -383,36 +418,6 @@ MERGE_HOSTS=Yes
 MUTEX_TIMEOUT=60
 #
 # LOGGING 'New not SYN' rejects
 #
 # This variable only has an effect when NEWNOTSYN=No (see below).
 #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged, 
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this file for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=
 #
 # Old Ping Handling
 #
 # If this option is set to "Yes" then Shorewall will use its old ping handling
 # facility including the FORWARDPING option in this file and the 'noping' and
 # 'filterping' interface options. If this option is set to 'No' then ping
 # is handled via policy and rules just like any other connection request.
 #
 # If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
 # DON'T DELETE IT!!!!!!
 #
 OLD_PING_HANDLING=No
 #
 # NEWNOTSYN
 #
@ -430,6 +435,18 @@ OLD_PING_HANDLING=No
 NEWNOTSYN=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
 #
 # BLACKLIST DISPOSITION
 #
 # Set this variable to the action that you want to perform on packets from
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
 # DROP is assumed.
 #
 BLACKLIST_DISPOSITION=DROP
 #
 # MAC List Disposition
 #
@ -441,18 +458,6 @@ NEWNOTSYN=No
 MACLIST_DISPOSITION=REJECT
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Disposition
 #
@ -463,64 +468,4 @@ MACLIST_LOG_LEVEL=info
 TCP_FLAGS_DISPOSITION=DROP
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this file for a description of log levels
 # 
 RFC1918_LOG_LEVEL=info
 #
 # Mark Packets in the forward chain
 #
 # When processing the tcrules file, Shorewall normally marks packets in the
 # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
 # this to "Yes". If not specified or if set to the empty value (e.g., 
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for 
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #
 # Clear Traffic Shapping/Control
 #
 # If this option is set to 'No' then Shorewall won't clear the current
 # traffic control rules during [re]start. This setting is intended
 # for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #LAST LINE -- DO NOT REMOVE
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.14
+%define version 1.4.0
 %define release 1
 %define prefix /usr
@ -15,7 +15,7 @@ Source: %{name}-%{version}.tgz
 URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables
+Requires: iptables iproute
 Conflicts: kernel <= 2.2
 %description
@ -71,11 +71,10 @@ fi
 %files
 /etc/init.d/shorewall
 %attr(0700,root,root) %dir /etc/shorewall
-%attr(0700,root,root) %dir /usr/lib/shorewall
+%attr(0700,root,root) %dir /usr/share/shorewall
 %attr(0700,root,root) %dir /var/lib/shorewall
-%attr(0600,root,root) /usr/lib/shorewall/version
+%attr(0600,root,root) /usr/share/shorewall/version
 %attr(0600,root,root) /etc/shorewall/common.def
 %attr(0600,root,root) /etc/shorewall/icmp.def
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@ -98,15 +97,30 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/start
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
 %attr(0544,root,root) /sbin/shorewall
-%attr(0444,root,root) /usr/lib/shorewall/functions
+%attr(0444,root,root) /usr/share/shorewall/functions
-%attr(0544,root,root) /usr/lib/shorewall/firewall
+%attr(0544,root,root) /usr/share/shorewall/firewall
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
-* Fri Feb 07 2003 Tom Eastep <tom@shorewall.net>
+* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-1
+- Changed version to 1.4.0-1
 * Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0RC2
 * Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0RC1
 * Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0Beta2
 * Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
 - Add ecn file
 * Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.4.0-0Beta1
 * Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.4.0Alpha1
 - Delete icmp.def
 - Move firewall and version to /usr/share/shorewall
 * Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0RC1
 * Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
--- a/STABLE/start
+++ b/STABLE/start
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/start
+# Shorewall 1.4 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
--- a/STABLE/stop
+++ b/STABLE/stop
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stop
+# Shorewall 1.4 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
--- a/STABLE/stopped
+++ b/STABLE/stopped
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stopped
+# Shorewall 1.4 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
--- a/STABLE/tcrules
+++ b/STABLE/tcrules
@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Traffic Control Rules File
+# Shorewall version 1.4 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
--- a/STABLE/tos
+++ b/STABLE/tos
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- /etc/shorewall/tos
+# Shorewall 1.4 -- /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
--- a/STABLE/tunnel
+++ b/STABLE/tunnel
@ -2,7 +2,7 @@
 RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-#   Script to create a gre or ipip tunnel -- Shorewall 1.3
+#   Script to create a gre or ipip tunnel -- Shorewall 1.4
 #
 #   Modified - Steve Cowles 5/9/2000
 #     Incorporated init {start|stop} syntax and iproute2 usage
--- a/STABLE/tunnels
+++ b/STABLE/tunnels
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/tunnels
+# Shorewall 1.4 - /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.14
+VERSION=1.4.0
 usage() # $1 = exit status
 {
@ -108,6 +108,7 @@ fi
 rm -rf /etc/shorewall
 rm -rf /usr/lib/shorewall
 rm -rf /var/lib/shorewall
 rm -rf /usr/share/shorewall
 echo "Shorewall Uninstalled"
--- a/STABLE/zones
+++ b/STABLE/zones
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 1.4 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #