diff --git a/Shorewall/firewall b/Shorewall/firewall
index 493f503a8..0eb3f516c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -487,14 +487,53 @@ flushmangle() # $1 = name of chain
 }
 #
-# Find the zones
+# This function assumes that the TMP_DIR variable is set and that
+# its value named an existing directory.
 #
-find_zones() # $1 = name of the zone file
+determine_zones()
 {
- local zone rest
+ local zone parent parents rest new_zone_file=
- while read zone rest; do
- expandv zone
+ merge_zone()
+ {
+ local z zones="$ZONES" merged=
+
+ ZONES=
+
+ for z in $zones; do
+ if [ -z "$merged" ] && list_search $z $parents; then
+ ZONES="$ZONES $zone"
+ merged=Yes
+ fi
+ ZONES="$ZONES $z"
+ done
+ }
+
+ strip_file zones
+
+ ZONES=
+
+ [ "$IPSECFILE" = zones ] && new_zone_file=Yes
+
+ while read zone type rest; do
+ expandv zone type
+
+ case $zone in
+ *:*)
+ parents=${zone#*:}
+ zone=${zone%:*}
+ [ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
+ parents=$(separate_list $parents)
+ ;;
+ *)
+ parents=
+ ;;
+ esac
+
+ for parent in $parents; do
+ [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
+ list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
+ done
 [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
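Review bot: The nested-zone split uses different anchors — `parents=${zone#*:}` takes everything after the first colon while `zone=${zone%:*}` keeps everything before the last one — so an entry like `a:b:c` yields zone `a:b` and parents `b:c`, and the colon survives into a zone name that the later checks (first character, length, `all|none`) do not reject and that is later spliced into `eval ${zone}_is_ipsec=Yes`. Using `zone=${zone%%:*}` makes both sides agree, and a `case $zone in *:*) startup_error "Invalid zone name: $zone";; esac` after the split would reject whatever remains. The `[ "$parent" = "$FW" ]` guard is only effective if the firewall zone is already known when the nested line is read; a firewall zone defined further down the file would instead be reported as "Parent zone not defined", which is misleading though still rejected. determine_zones continues past the end of this hunk.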
@@ -502,35 +541,42 @@ find_zones() # $1 = name of the zone file
 [0-9*])
 startup_error "Illegal zone name \"$zone\" in zones file"
 ;;
- $FW|all|none)
- startup_error "Reserved zone name \"$zone\" in zones file ignored"
- ;;
- *)
- echo $zone
+ all|none)
+ startup_error "Reserved zone name \"$zone\" in zones file"
 ;;
 esac
- done < $1
-}
-#
-# This function assumes that the TMP_DIR variable is set and that
-# its value named an existing directory.
-#
-determine_zones()
-{
- local zonefile=$(find_file zones) zones=
+ if [ -n "$new_zone_file" ]; then
+ case ${type:=plain} in
+ plain|-)
+ list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
+ merge_zone
+ ;;
+ ipsec)
+ list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
+ [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
+ eval ${zone}_is_ipsec=Yes
+ eval ${zone}_is_complex=Yes
+ merge_zone
+ ;;
+ firewall)
+ list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
+ [ -n "$parents" ] && startup_error "The firewall zone may not be nested"
+ [ -n "$rest" ] && startup_error "OPTIONS not allowed in a firewall zone"
+ FW=$zone
+ ;;
+ *)
+ startup_error "Invalid Zone Type: $zone"
+ ;;
+ esac
+ else
+ ZONES="$ZONES $zone"
+ fi
+ done < $TMP_DIR/zones
- strip_file zones $zonefile
+ [ -z "$ZONES" ] && startup_error "No plain or ipsec Zones Defined"
- ZONES=
- zones=$(find_zones $TMP_DIR/zones)
-
- for zone in $zones; do
- list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
- ZONES="$ZONES $zone"
- done
-
- [ -z "$ZONES" ] && startup_error "ERROR: No Zones Defined"
+ [ -z "$FW" ] && startup_error "No Firewall Zone Defined"
 }
 #
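Review bot: The `else` branch for the legacy zones format (`ZONES="$ZONES $zone"`) drops two checks the removed code applied to every zone: the duplicate-definition check and the rejection of a zone named like the firewall zone (the old `$FW|all|none)` arm), so with IPSECFILE not set to `zones` a duplicated zone, or one whose name equals the FW value from shorewall.conf, is now accepted silently; `list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"` in that branch restores both. In the `firewall)` arm a second firewall line, or one that disagrees with an FW preset in shorewall.conf, silently replaces `FW`; `[ -n "$FW" ] && [ "$FW" != "$zone" ] && startup_error "Only one firewall zone may be defined"` before `FW=$zone` would enforce the "exactly one firewall zone" rule the release notes state. The default arm reports the zone name rather than the value that failed the test; `startup_error "Invalid Zone Type: $type"` is what the message promises. determine_zones begins in the preceding hunk.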
@@ -2536,26 +2582,28 @@ setup_ipsec() {
 ;;
 esac
- while read zone ipsec options in_options out_options mss; do
- expandv zone ipsec options in_options out_options mss
+ while read zone type options in_options out_options mss; do
+ expandv zone type options in_options out_options mss
 if [ -n "$using_ipsec" ]; then
 validate_zone1 $zone || fatal_error "Unknown zone: $zone"
 fi
- if [ -n "$ipsec" ]; then
- case $ipsec in
- -|No|no)
- ;;
- Yes|yes)
- [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
- eval ${zone}_is_ipsec=Yes
- eval ${zone}_is_complex=Yes
- ;;
- *)
- fatal_error "Invalid IPSEC column value: $ipsec"
- ;;
- esac
+ if [ -n "$type" ]; then
+ if [ -n "$using_ipsec" ]; then
+ case $type in
+ No|no)
+ ;;
+ Yes|yes)
+ [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
+ eval ${zone}_is_ipsec=Yes
+ eval ${zone}_is_complex=Yes
+ ;;
+ *)
+ fatal_error "Invalid IPSEC column contents"
+ ;;
+ esac
+ fi
 do_options "" $options
 do_options "_in" $in_options
@@ -9000,8 +9048,6 @@ do_initialize() {
 [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
- [ -z "$FW" ] && FW=fw
-
 ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
 [ -n "$ALLOWRELATED" ] || \
 startup_error "ALLOWRELATED=No is not supported"
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 64937ebd6..9c3466ea8 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -89,6 +89,10 @@ Migration Considerations:
 columns of the /etc/shorewall/ipsec file. The latter file has been removed.
+ Additionally the FW option in shorewall.conf has been deprecated and
+ is no longer set to 'fw' by default. New users are expected to
+ define the firewall zone in /etc/shorewall/zones.
+
 Adhering to the principle of least astonishment, the old /etc/shorewall/ipsec file will continue to be supported. A new IPSECFILE variable in /etc/shorewall/shorewall.conf determines the
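Review bot: The new `case $type in` no longer accepts `-` in the IPSEC column (the removed arm was `-|No|no)`), so a legacy ipsec file that uses `-` as the placeholder now aborts with "Invalid IPSEC column contents", which is at odds with the release note in this same commit that the old file continues to be supported; keep `-|No|no)` unless rejecting the placeholder is intended. The fatal_error message also lost the offending value the old one printed; `fatal_error "Invalid IPSEC column contents: $type"` keeps the failure locatable in a multi-line file. When `using_ipsec` is empty the column is not validated here at all, presumably because determine_zones already did so for the new-format file — a one-line comment at `if [ -n "$using_ipsec" ]; then` saying so would spare the next reader the same question. The read loop of setup_ipsec continues past the end of this hunk.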
@@ -113,13 +117,16 @@ Migration Considerations:
 The names "all" and "none" are reserved and may not beused as zone names.
- IPSEC Yes -- Communication with all zone hosts is
- ONLY encrypted. Your kernel and iptables
- must include policy match support.
- No -- Communication with some zone hosts may
- be encrypted. Encrypted hosts are
- designated using the 'ipsec' option in
- /etc/shorewall/hosts.
+ TYPE ipsec - Communication with all zone hosts is encrypted
+ Your kernel and iptables must include policy
+ match support.
+ plain - Communication with some zone hosts may be encrypted.
+ Encrypted hosts are designated using the 'ipsec'
+ option in /etc/shorewall/hosts.
+ firewall
+ - Designates the firewall itself. You must have
+ exactly one 'firewall' zone. No options are
+ permitted with a 'firewall' zone.
 OPTIONS, A comma-separated list of options as
 IN OPTIONS, follows:
@@ -226,7 +233,7 @@ Migration Considerations:
 ACCEPT them. See http://www.shorewall.net/VPNBasics.html for information on the rules generated by entries in the tunnels file.
-10) In previous releases, the "refresh" command would source your tcstart
+10) In previous releases, the "refresh" command could source your tcstart
 script. Beginning with this release, "refresh" will run that script if it is executable but will not source it. Users of third-party TC scripts like WonderShaper should see no change provided that
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index b0bda8ecb..6b02eefb7 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -344,11 +344,11 @@ IPSECFILE=zones
 # NAME OF THE FIREWALL ZONE
 #
-# Name of the firewall zone -- if not set or if set to an empty string, "fw"
-# is assumed.
+# Name of the firewall zone -- if not set or if set to an empty string, then
+# you must include a definition of the firewall zone in /etc/shorewall/zones.
 #
-FW=fw
+FW=
 #
 # ENABLE IP FORWARDING
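Review bot: The new comment says an empty FW only requires a firewall-zone entry in /etc/shorewall/zones, but determine_zones in this commit only takes FW from the zones file when IPSECFILE is `zones`; with the legacy format (its `else` branch appends zones without ever setting FW) and FW empty, startup fails with "No Firewall Zone Defined". The comment should state that dependency, e.g. `# If IPSECFILE is not 'zones', FW must still be set here (e.g. FW=fw).` Since this hunk also changes the shipped default from `FW=fw` to empty, an upgraded installation that adopts the new shorewall.conf but keeps an old zones file will stop starting until one of the two files is edited; the release-notes paragraph added in this commit addresses new users only, so a migration sentence there would help.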
diff --git a/Shorewall/zones b/Shorewall/zones
index 93dd78b47..fb98f41b4 100644
--- a/Shorewall/zones
+++ b/Shorewall/zones
@@ -11,12 +11,16 @@
 # The names "all" and "none" are reserved and may not be
 # used as zone names.
 #
-# IPSEC Yes -- Communication with all zone hosts is encrypted
-# ONLY Your kernel and iptables must include policy
+# TYPE ipsec - Communication with all zone hosts is encrypted
+# Your kernel and iptables must include policy
 # match support.
-# No -- Communication with some zone hosts may be encrypted.
+# plain - Communication with some zone hosts may be encrypted.
 # Encrypted hosts are designated using the 'ipsec'
 # option in /etc/shorewall/hosts.
+# firewall
+# - Designates the firewall itself. You must have
+# exactly one 'firewall' zone. No options are
+# permitted with a 'firewall' zone.
 #
 # OPTIONS, A comma-separated list of options as follows:
 # IN OPTIONS,
@@ -65,12 +69,15 @@
 # You have a three interface firewall with internet, local and DMZ
 # interfaces.
 #
-# #ZONE IPSEC OPTIONS IN OUT
+# #ZONE TYPE OPTIONS IN OUT
+# # OPTIONS OPTIONS
+# fw firewall
 # net
 # loc
 # dmz
 #
 ###############################################################################
-#ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE