Shorewall 1.3.11 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@339 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2002-11-24 20:08:19 +00:00 · 2002-11-24 20:08:19 +00:00 · faf32c61de
commit faf32c61de
parent aff32b8269
25 changed files with 8986 additions and 8388 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -12,6 +12,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -32,14 +33,14 @@
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
       port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
-looked     everywhere and can't find <b>how to do it</b>.</a></p>
+  looked     everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
       but it doesn't work.<br>
    </a></p>
 <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
-port forwarding</a></p>
+  port forwarding</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
      to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my 
@ -72,7 +73,7 @@ than     'blocked'.</b>  Why?</a></p>
       that work with Shorewall?</a></p>
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 
- 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
+'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
       work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
@ -85,7 +86,7 @@ than     'blocked'.</b>  Why?</a></p>
      it  work with?</a></p>
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
- support?</a></p>
+support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
@ -107,11 +108,18 @@ than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
       all over my console</b> making it unusable!<br>
         </a></p>
-                   <b>17</b>. <a href="#faq17">How do I find out <b>why this 
+                      <b>17</b>. <a href="#faq17">How do I find out <b>why
- is</b> getting  <b>logged?</b></a><br>
+ this   is</b> getting  <b>logged?</b></a><br>
     <br>
     <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b> 
- with Shorewall, and maintain separate rulesets for different IPs?</a>  
+  with Shorewall, and maintain separate rulesets for different IPs?</a><br>
 <br>
 <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
 but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
 <br>
 <b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
 <b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
 </a> 
 <hr>              
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
      my my personal PC with IP address 192.168.1.5. I've looked everywhere 
@ -139,7 +147,8 @@ rule to a local system is as   follows:</p>
                  <tr>
                    <td>DNAT</td>
                    <td>net</td>
-                 <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
+                    <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
 port</i>&gt;]</td>
                    <td><i>&lt;protocol&gt;</i></td>
                    <td><i>&lt;port #&gt;</i></td>
                    <td> <br>
@ -148,6 +157,7 @@ rule to a local system is as   follows:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -180,6 +190,7 @@ rule to a local system is as   follows:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -188,8 +199,8 @@ rule to a local system is as   follows:</p>
 <pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
              </div>
-<p align="left">If you want to forward requests directed to a particular address
+<p align="left">If you want to forward requests directed to a particular
-( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
+address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
 <blockquote>                                          
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -207,13 +218,15 @@ rule to a local system is as   follows:</p>
                  <tr>
                    <td>DNAT</td>
                    <td>net</td>
-                 <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
+                    <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
 port</i>&gt;]</td>
                    <td><i>&lt;protocol&gt;</i></td>
                    <td><i>&lt;port #&gt;</i></td>
                    <td>-</td>
                    <td><i>&lt;external IP&gt;</i></td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -224,42 +237,43 @@ rule to a local system is as   follows:</p>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-             <li>You are trying to test from inside your firewall (no, that 
+                <li>You are trying to test from inside your firewall (no, 
-  won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
+that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
-             <li>You have a more basic problem with your local system such
+                <li>You have a more basic problem with your local system
- as  an   incorrect default gateway configured (it should be set to the IP
+such   as  an   incorrect default gateway configured (it should be set to
- address    of your  firewall's internal interface).</li>
+the IP   address    of your  firewall's internal interface).</li>
 </ul>
 <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
-forwarding</h4>
+  forwarding</h4>
    <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
      <li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
-in the nat table.</li>
+  in the nat table.</li>
      <li>Try to connect to the redirected port from an external host.</li>
      <li>As root type "shorewall show nat"</li>
-   <li>Locate the appropriate DNAT rule. It will be in a chain called <i>zone</i>_dnat 
+      <li>Locate the appropriate DNAT rule. It will be in a chain called
-where <i>zone</i> is the zone that includes the server ('loc' in the above 
+    <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the server
-examples).</li>
+('loc' in the above   examples).</li>
      <li>Is the packet count in the first column non-zero? If so, the connection
-request is reaching the firewall and is being redirected to the server. In 
+  request is reaching the firewall and is being redirected to the server.
-this case, the problem is usually a missing or incorrect default gateway setting
+In  this case, the problem is usually a missing or incorrect default gateway
-on the server (the server's default gateway should be the IP address of the
+ setting on the server (the server's default gateway should be the IP address
-firewall's interface to the server).</li>
+ of the firewall's interface to the server).</li>
      <li>If the packet count is zero:</li>
  <ul>
-     <li>the connection request is not reaching your server (possibly it
+        <li>the connection request is not reaching your server (possibly
-is being blocked by your ISP); or</li>
+it  is being blocked by your ISP); or</li>
        <li>you are trying to connect to a secondary IP address on your firewall
-and your rule is only redirecting the primary IP address (You need to specify 
+  and your rule is only redirecting the primary IP address (You need to specify
-the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or</li>
+  the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
 or</li>
        <li>your DNAT rule doesn't match the connection request in some other
-way. In that case, you may have to use a packet sniffer such as tcpdump or 
+  way. In that case, you may have to use a packet sniffer such as tcpdump
-ethereal to further diagnose the problem.<br>
+or  ethereal to further diagnose the problem.<br>
        </li>
  </ul>
@ -276,16 +290,15 @@ ethereal to further diagnose the problem.<br>
                <li>Having an internet-accessible server in your local network
       is  like raising foxes in the corner of your hen house. If the server 
   is      compromised, there's nothing between that server and your other 
-internal        systems. For the cost of another NIC and a cross-over cable,
+ internal        systems. For the cost of another NIC and a cross-over cable, 
-you can   put      your server in a DMZ such that it is isolated from your
+ you can   put      your server in a DMZ such that it is isolated from your 
-local systems    -     assuming that the Server can be located near the Firewall,
+ local systems    -     assuming that the Server can be located near the Firewall,
  of course    :-)</li>
                <li>The accessibility problem is best solved using    <a
- href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or
+ href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
-using a separate DNS server for local clients) such that www.mydomain.com
+a separate DNS server for local clients) such that www.mydomain.com resolves
-resolves to 130.141.100.69     externally and 192.168.1.5 internally. That's
+to 130.141.100.69     externally and 192.168.1.5 internally. That's what
-what I do here at     shorewall.net for my local systems that use static
+I do here at     shorewall.net for my local systems that use static NAT.</li>
 NAT.</li>
 </ul>
@ -325,6 +338,7 @@ NAT.</li>
                    <td>130.151.100.69:192.168.1.254</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -372,6 +386,7 @@ NAT.</li>
                    <td>$ETH0_IP:192.168.1.254</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -385,24 +400,24 @@ new    IP   address.</p>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
      subnet and I use static NAT to assign non-RFC1918 addresses to hosts 
-in   Z.  Hosts in Z cannot communicate with each other using their external
+ in   Z.  Hosts in Z cannot communicate with each other using their external 
-(non-RFC1918     addresses) so they can't access each other using their DNS
+ (non-RFC1918     addresses) so they can't access each other using their DNS
-names.</h4>
+ names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
      using Bind Version 9 "views". It allows both external and internal clients
      to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
-     static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
+       static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
-     and can be accessed externally and internally using the same address.
+addresses      and can be accessed externally and internally using the same
- </p>
+address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all
+<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
-Z-&gt;Z traffic through your firewall then:</p>
+traffic through your firewall then:</p>
 <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
-(If you are running a Shorewall version earlier than 1.3.9).<br>
+  (If you are running a Shorewall version earlier than 1.3.9).<br>
              b) Set the Z-&gt;Z policy to ACCEPT.<br>
              c) Masquerade Z to itself.<br>
              <br>
@ -431,6 +446,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                    <td>multi</td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -455,6 +471,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -481,6 +498,7 @@ Z-&gt;Z traffic through your firewall then:</p>
                  </td>
                  </tr>
    </tbody>                                       
  </table>
              </blockquote>
@ -504,14 +522,14 @@ Z-&gt;Z traffic through your firewall then:</p>
  services    that use the    'Auth' mechanism for identifying requesting 
 users.  Shorewall    also rejects TCP    ports 135, 137 and 139 as well as 
 UDP ports  137-139.   These are ports that are    used by Windows (Windows 
-<u>can</u>  be configured   to use the DCE cell locator    on port 135).
+<u>can</u>  be configured   to use the DCE cell locator    on port 135). Rejecting
-Rejecting these  connection requests   rather than dropping them    cuts
+these  connection requests   rather than dropping them    cuts down slightly
-down slightly on the amount of Windows  chatter on LAN segments connected
+on the amount of Windows  chatter on LAN segments connected    to the Firewall.
-   to the Firewall. </p>
+</p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
      your    ISP preventing you from running a web server in violation of 
-your     Service    Agreement.</p>
+ your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
         firewall and it showed 100s of ports as open!!!!</h4>
@ -540,12 +558,12 @@ your     Service    Agreement.</p>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
       and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
+(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-facility (see "man openlog") and you get to choose the log level (again,
+(see "man openlog") and you get to choose the log level (again, see "man
-see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
+syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged 
- logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
+logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
     When you have changed /etc/syslog.conf, be sure to restart syslogd (on 
  a  RedHat system, "service syslog restart"). </p>
@ -569,7 +587,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
              <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
              <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
-http://www.logwatch.org</a><br>
+   http://www.logwatch.org</a><br>
     </p>
              </blockquote>
@ -620,9 +638,9 @@ http://www.logwatch.org</a><br>
             </div>
 <div align="left">                
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
-Net    zone is defined as all hosts that are connected through eth0 and the
+   zone is defined as all hosts that are connected through eth0 and the local
-local    zone is defined as all hosts connected through eth1</p>
+   zone is defined as all hosts connected through eth1</p>
             </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
@ -638,11 +656,11 @@ local    zone is defined as all hosts connected through eth1</p>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
-find myself doing      other things. I guess I just don't care enough if
+myself doing      other things. I guess I just don't care enough if Shorewall
-Shorewall has a GUI to      invest the effort to create one myself. There
+has a GUI to      invest the effort to create one myself. There are several
-are several Shorewall GUI      projects underway however and I will publish
+Shorewall GUI      projects underway however and I will publish links to
-links to them when the authors      feel that they are ready. </p>
+them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
@ -659,9 +677,8 @@ links to them when the authors      feel that they are ready. </p>
      that will let all traffic to and from the 192.168.100.1 address  of 
 the    modem  in/out but still block all other rfc1918 addresses.</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
-earlier than      1.3.1, create /etc/shorewall/start and in it, place the
+than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 following:</p>
 <div align="left">                
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -686,6 +703,7 @@ following:</p>
                      <td>RETURN</td>
                    </tr>
    </tbody>                                       
  </table>
                </blockquote>
@ -730,10 +748,10 @@ following:</p>
             </div>
 <div align="left">                
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
-IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
+   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-RFC 1918    filtering on my external interface, my DHCP client cannot renew
+1918    filtering on my external interface, my DHCP client cannot renew its
-its lease.</h4>
+lease.</h4>
              </div>
 <div align="left">                
@ -751,14 +769,17 @@ aside,     the most common causes of this  problem are:</p>
 <ol>
                <li>                                                    
    <p align="left">The default gateway on each local system isn't set to 
      the    IP address of the local firewall interface.</p>
                 </li>
                <li>                                                    
    <p align="left">The entry for the local network in the /etc/shorewall/masq 
         file is wrong or missing.</p>
                 </li>
                <li>                                                    
    <p align="left">The DNS settings on the local systems are wrong or the 
         user is running a DNS server on the firewall and hasn't enabled UDP
   and   TCP    port 53 from the firewall to the internet.</p>
@ -772,7 +793,7 @@ aside,     the most common causes of this  problem are:</p>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
      to your startup    scripts or place it in /etc/shorewall/start. Under 
  RedHat,    the max log level    that is sent to the console is specified 
-in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
+ in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
         </p>
 <h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
@ -787,16 +808,19 @@ in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
    with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
          <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
-    </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that specifies
+      </b>-  You have a<a href="Documentation.htm#Policy"> policy</a> that
-a  log level and this packet is being logged under that policy. If you intend
+ specifies a  log level and this packet is being logged under that policy.
- to ACCEPT this traffic then you need a  <a
+ If you intend  to ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a> to that effect.<br>
          </li>
           <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
 href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to 
   <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being 
   logged under that policy or this packet matches  a <a
- href="Documentation.htm#Rules">rule</a> that include a log level.</li>
+ href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
    <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
     <b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
    </li>
           <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b> 
        <a href="Documentation.htm#Interfaces">interface option</a>.</li>
           <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b> 
@ -805,25 +829,25 @@ a  log level and this packet is being logged under that policy. If you intend
           <li><b>blacklst</b> - The packet is being logged because the source
   IP  is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist 
        </a>file.</li>
-        <li><b>newnotsyn </b>- The packet is being logged because it is a 
+           <li><b>newnotsyn </b>- The packet is being logged because it is
-TCP   packet that is not part of any current connection yet it is not a syn 
+ a  TCP   packet that is not part of any current connection yet it is not
-packet.   Options affecting the logging of such packets include <b>NEWNOTSYN 
+a syn  packet.   Options affecting the logging of such packets include <b>NEWNOTSYN
      </b>and       <b>LOGNEWNOTSYN </b>in     <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-       <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP address 
+          <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP 
-  that isn't in any of your defined zones ("shorewall check" and look at the
+address    that isn't in any of your defined zones ("shorewall check" and 
-  printed zone definitions) or the chain is FORWARD and the destination IP
+look at the   printed zone definitions) or the chain is FORWARD and the destination
- isn't in any of your defined zones.</li>
+ IP  isn't in any of your defined zones.</li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
  with Shorewall, and maintain separate rulesets for different IPs?</h4>
-  <b>Answer: </b>Yes. You simply use the IP address in your rules (or if
+     <b>Answer: </b>Yes. You simply use the IP address in your rules (or
-you  use NAT, use the local IP address in your rules). <b>Note:</b> The ":n"
+if  you  use NAT, use the local IP address in your rules). <b>Note:</b> The 
-notation  (e.g., eth0:0) is deprecated and will disappear eventually. Neither
+":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
- iproute  (ip and tc) nor iptables supports that notation so neither does
+Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
- Shorewall.  <br>
+does   Shorewall.  <br>
     <br>
     <b>Example 1:</b><br>
     <br>
@ -840,17 +864,33 @@ notation  (e.g., eth0:0) is deprecated and will disappear eventually. Neither
     /etc/shorewall/rules     
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
 class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
- class="moz-txt-citetags"></span><span class="moz-txt-citetags"></span></pre>
+ class="moz-txt-citetags"></span><br></pre>
  <b>Example 3 (DNAT):<br>
  </b>  
 <pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
 but they don't seem to do anything. Why?</h4>
 You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf 
 so the contents of the tcrules file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
 to change Shorewall to allow access to my server from the internet?</b><br>
 </h4>
 Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
 that you used during your initial setup for information about how to set
 up rules for your server.<br>
 <br>
 <div align="left">     </div>
-                      
+  <font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
 <p align="left"><font size="2">Last updated 11/09/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
     <br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_CVS_Access.html
+++ b/Shorewall-docs/Shorewall_CVS_Access.html
@ -41,12 +41,12 @@ THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
    </div>
 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002
- - <a href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a>
+  - <a href="support.htm">Tom Eastep</a>        </font>                 
-       </font>                                             </p>
+                           </p>
-<p><font face="Trebuchet MS"><a
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font
+ &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
- size="2">Copyright</font>  &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+     <br>
    <br>
   <br>
  <br>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -2,17 +2,22 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                              <base
+                                                                        
- target="main">                                              
+     <base target="main">                                               
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -41,11 +46,11 @@
                  <li> <a href="Install.htm">Installation/Upgrade/</a><br>
                    <a href="Install.htm">Configuration</a><br>
                  </li>
-              <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides 
+                  <li> <a href="shorewall_quickstart_guide.htm">QuickStart
- (HOWTOs)</a><br>
+ Guides   (HOWTOs)</a><br>
                   </li>
                                          <li> <a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
                          <li> <a href="Documentation.htm">Reference Manual</a></li>
                          <li> <a href="FAQ.htm">FAQs</a></li>
                           <li><a href="useful_links.html">Useful Links</a><br>
@ -70,40 +75,49 @@
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                            <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
-            <li><a href="http://shorewall.sf.net" target="_top">SourceForge</a><br>
+                <li><a href="http://www.shorewall.net" target="_top">Washington
 State, USA</a><br>
                </li>
          </ul>
                          </li>
      </ul>
      <ul>
                          <li>   <a href="News.htm">News Archive</a></li>
                          <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
                          <li> <a href="quotes.htm">Quotes from Users</a></li>
                          <li> <a href="shoreline.htm">About the Author</a></li>
-                      <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
+                          <li> <a
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                        </td>
                      </tr>
  </tbody>                   
 </table>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
                  <strong><br>
-            <b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
+                <b>Note: </b></strong>Search is unavailable Daily 0200-0330 
 GMT.<br>
                <strong></strong>                                        
  <p><strong>Quick Search</strong><br>
-                  <font face="Arial" size="-1">     <input type="text"
+                      <font face="Arial" size="-1">     <input
- name="words" size="15"></font><font size="-1"> </font>   <font
+ type="text" name="words" size="15"></font><font size="-1"> </font>   <font
 face="Arial" size="-1">     <input type="hidden" name="format"
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
@ -120,8 +134,10 @@
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
      </a><br>
   <br>
   </p>
   <br>
- 
+  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -49,22 +49,22 @@ policy.</li>
              <li>/etc/shorewall/interfaces - describes the interfaces on 
 the          firewall system.</li>
              <li>/etc/shorewall/hosts - allows defining zones in terms of
-individual           hosts and subnetworks.</li>
+ individual           hosts and subnetworks.</li>
              <li>/etc/shorewall/masq - directs the firewall where to use 
 many-to-one            (dynamic) Network Address Translation (a.k.a. Masquerading) 
 and  Source          Network Address Translation (SNAT).</li>
              <li>/etc/shorewall/modules - directs the firewall to load kernel 
  modules.</li>
              <li>/etc/shorewall/rules - defines rules that are exceptions
-to  the         overall policies established in /etc/shorewall/policy.</li>
+ to  the         overall policies established in /etc/shorewall/policy.</li>
              <li>/etc/shorewall/nat - defines static NAT rules.</li>
              <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
              <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) 
 -  defines  hosts    accessible when Shorewall is stopped.</li>
              <li>/etc/shorewall/tcrules - defines marking of packets for 
 later   use by     traffic control/shaping or policy routing.</li>
-             <li>/etc/shorewall/tos - defines rules for setting the TOS field
+              <li>/etc/shorewall/tos - defines rules for setting the TOS
-  in packet         headers.</li>
+field   in packet         headers.</li>
              <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels 
  with end-points on         the firewall system.</li>
              <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
@ -75,9 +75,9 @@ later   use by     traffic control/shaping or policy routing.</li>
 <h2>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-        character a pound sign ("#"). You may also place comments at the end
+         character a pound sign ("#"). You may also place comments at the
- of any line, again by       delimiting the comment from the rest of the
+end  of any line, again by       delimiting the comment from the rest of
-line  with a pound sign.</p>
+the line  with a pound sign.</p>
 <p>Examples:</p>
@ -99,9 +99,9 @@ line  with a pound sign.</p>
 <p align="left">     </p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
-  using DNS names in Shorewall configuration files. If you use DNS names and
+   using DNS names in Shorewall configuration files. If you use DNS names
-  you are called out of bed at 2:00AM because Shorewall won't start as a
+and   you are called out of bed at 2:00AM because Shorewall won't start as
-result  of DNS problems then don't say that you were not forewarned. <br>
+a result  of DNS problems then don't say that you were not forewarned. <br>
      </b></p>
 <p align="left"><b>    -Tom<br>
@ -120,7 +120,7 @@ So  change in the DNS-&gt;IP address relationship  that occur after the firewall
 <ul>
       <li>If your /etc/resolv.conf is wrong then your firewall won't   
-start.</li>
+ start.</li>
       <li>If your /etc/nsswitch.conf is wrong then your firewall won't 
   start.</li>
       <li>If your Name Server(s) is(are) down then your firewall won't 
@ -129,9 +129,9 @@ start.</li>
  your DNS server then your firewall won't start.<br>
      </li>
       <li>Factors totally outside your control (your ISP's router is   
-down   for example), can prevent your firewall from starting.</li>
+ down   for example), can prevent your firewall from starting.</li>
      <li>You must bring up your network interfaces prior to starting your
-firewall.<br>
+ firewall.<br>
      </li>
 </ul>
@ -172,8 +172,8 @@ inconvenience   by Shorewall. <br>
 <p>Where specifying an IP address, a subnet or an interface, you can     
  precede the item with "!" to specify the complement of the item. For  
-      example, !192.168.1.4 means "any host but 192.168.1.4". There must
+     example, !192.168.1.4 means "any host but 192.168.1.4". There must be
-be no white space following the "!".</p>
+no white space following the "!".</p>
 <h2>Comma-separated Lists</h2>
@ -201,7 +201,7 @@ would  be embedded          white space)</li>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
         port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
 if you want to forward the range of tcp ports 4000 through 4100 to local
-host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
   </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
@ -252,7 +252,7 @@ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
  unique MAC address.<br>
            <br>
            In GNU/Linux, MAC addresses are usually written as a series of
-6  hex numbers        separated by colons. Example:<br>
+ 6  hex numbers        separated by colons. Example:<br>
            <br>
           [root@gateway root]# ifconfig eth0<br>
           eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -267,22 +267,23 @@ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
            <br>
            Because Shorewall uses colons as a separator for address fields,
  Shorewall requires        MAC addresses to be written in another way. In
-Shorewall, MAC addresses        begin with a tilde ("~") and consist of 6 
+ Shorewall, MAC addresses        begin with a tilde ("~") and consist of
-hex numbers separated by        hyphens. In Shorewall, the MAC address in 
+6  hex numbers separated by        hyphens. In Shorewall, the MAC address
-the example above would be        written "~02-00-08-E3-FA-55".<br>
+in  the example above would be        written "~02-00-08-E3-FA-55".<br>
-</p>
+ </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
 in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
-</p>
+ </p>
-<h2>Shorewall Configurations</h2>
+<h2><a name="Configs"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
  The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
-     commands allow you to specify an alternate configuration directory and
+      commands allow you to specify an alternate configuration directory
-   Shorewall will use the files in the alternate directory rather than the
+and    Shorewall will use the files in the alternate directory rather than
- corresponding  files in /etc/shorewall. The alternate directory need not
+the  corresponding  files in /etc/shorewall. The alternate directory need
-contain a complete  configuration; those files not in the alternate directory
+not contain a complete  configuration; those files not in the alternate directory 
 will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
@ -293,7 +294,7 @@ will be read from  /etc/shorewall.</p>
  to a separate      directory;</li>
              <li>  modify those files in the separate directory; and</li>
              <li>  specifying the separate directory in a shorewall start
-or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
+ or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
 restart</b></i>  ).</li>
 </ol>
@ -301,7 +302,7 @@ or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
-<p><font size="2">   Updated 10/24/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
      </font></p>
@ -315,5 +316,6 @@ or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -20,6 +20,7 @@
           <tbody>
            <tr>
             <td width="100%">                                          
      <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
             </td>
           </tr>
@ -35,23 +36,24 @@
 <ul>
           <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>   
-      Linux PPC</b> or     <b> TurboLinux</b> distribution     with a 2.4 
+         Linux PPC</b> or     <b> TurboLinux</b> distribution     with a
-kernel,   you can use the  RPM version (note: the             RPM should also
+2.4   kernel,   you can use the  RPM version (note: the             RPM should
-work  with other distributions that             store init scripts in /etc/init.d
+ also work  with other distributions that             store init scripts
- and that             include chkconfig or insserv). If you find that it
+in  /etc/init.d  and that             include chkconfig or insserv). If you
-works   in other cases, let <a href="mailto:teastep@shorewall.net">     me</a>
+find  that it works   in other cases, let <a
-               know so that I can mention them here. See the   <a
+ href="mailto:teastep@shorewall.net">     me</a>                know so that
- href="Install.htm">Installation Instructions</a> if you have problems  
+ I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
- installing the RPM.</li>
+ if you have problems    installing the RPM.</li>
-        <li>If you are running LRP, download the .lrp file (you might also
+           <li>If you are running LRP, download the .lrp file (you might
- want  to     download the .tgz so you will have a copy of the documentation).</li>
+also   want  to     download the .tgz so you will have a copy of the documentation).</li>
           <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> 
-and   would      like a .deb package, Shorewall is in both the    <a
+ and   would      like a .deb package, Shorewall is in both the    <a
- href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian    
-Branch</a> and the    <a
+Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian   
-Unstable Branch</a>.</li>
+ Unstable Branch</a>.</li>
-        <li>Otherwise, download the <i>shorewall</i>             module (.tgz)</li>
+           <li>Otherwise, download the <i>shorewall</i>             module
 (.tgz)</li>
 </ul>
@ -64,10 +66,10 @@ Unstable Branch</a>.</li>
 <ul>
           <li>RPM - "rpm -qip LATEST.rpm"</li>
-        <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will contain 
+           <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will
-  the version)</li>
+ contain    the version)</li>
-        <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf &lt;downloaded 
+           <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf
-  .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
+&lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
 </ul>
@ -78,11 +80,12 @@ Unstable Branch</a>.</li>
 <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
    INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
-  IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed configuration
+    IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed
-  of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
+configuration    of your firewall, you can enable startup by removing the
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the 
+<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates 
-  mirrors  occur 1-12 hours after an update to the primary site.</b></p>
+to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>                           
  <table border="2" cellspacing="3" cellpadding="3"
@ -95,23 +98,15 @@ Unstable Branch</a>.</li>
               <td><b>FTP</b></td>
             </tr>
             <tr>
-            <td>Washington State, USA</td>
+          <td valign="top">SourceForge<br>
-            <td>Shorewall.net</td>
+          </td>
-            <td><a
+          <td valign="top">sf.net<br>
- href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download  .rpm</a><br>
+          </td>
-              <a
+          <td valign="top"><a
- href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download      
+ href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
-     .tgz</a> <br>
+          </td>
-              <a
+          <td valign="top"><br>
- href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download      
+          </td>
     .lrp</a></td>
            <td><a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> 
      Download .rpm</a> <br>
              <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
 target="_blank">Download         .tgz</a> <br>
              <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
 target="_blank">Download         .lrp</a></td>
        </tr>
             <tr>
               <td>Slovak Republic</td>
@ -123,7 +118,10 @@ Unstable Branch</a>.</li>
       .tgz</a> <br>
                 <a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download 
-      .lrp</a></td>
+       .lrp</a><br>
               <a
 href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">      
       Download.md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
    .rpm</a>  <br>
@ -132,7 +130,10 @@ Unstable Branch</a>.</li>
            .tgz</a> <br>
                 <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download 
-           .rpm</a></td>
+            .rpm</a><br>
               <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">    
         Download.md5sums</a></td>
             </tr>
             <tr>
               <td>Texas, USA</td>
@ -145,7 +146,10 @@ Unstable Branch</a>.</li>
            .tgz</a> <br>
                 <a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download 
-           .lrp</a></td>
+            .lrp</a><br>
               <a
 href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">    
         Download.md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
                 <a target="_blank"
@ -153,7 +157,10 @@ Unstable Branch</a>.</li>
  .tgz</a> <br>
                 <a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">       Download
-  .lrp</a></td>
+    .lrp</a><br>
               <a
 href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">           
  Download.md5sums</a></td>
             </tr>
             <tr>
               <td>Hamburg, Germany</td>
@ -166,7 +173,10 @@ Unstable Branch</a>.</li>
     .tgz</a><br>
               <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download   
-      .lrp</a></td>
+     .lrp</a><br>
               <a
 href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">       
      Download.md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">       Download
    .rpm</a>  <br>
@ -175,7 +185,10 @@ Unstable Branch</a>.</li>
     .tgz</a> <br>
                 <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download   
-    .lrp</a></td>
+     .lrp</a><br>
               <a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download 
        .md5sums</a></td>
             </tr>
             <tr>
               <td>Martinez (Zona Norte - GBA), Argentina</td>
@ -188,7 +201,10 @@ Unstable Branch</a>.</li>
            .tgz</a> <br>
                 <a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> 
-         Download .lrp</a></td>
+          Download .lrp</a><br>
               <a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download 
 .md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
    .rpm</a>  <br>
@ -197,7 +213,10 @@ Unstable Branch</a>.</li>
            .tgz</a> <br>
                 <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> 
-         Download .lrp</a></td>
+          Download .lrp</a><br>
               <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download 
 .md5sums</a></td>
             </tr>
             <tr>
               <td>Paris, France</td>
@ -207,7 +226,9 @@ Unstable Branch</a>.</li>
                 <a href="http://france.shorewall.net/pub/LATEST.tgz">Download
           .tgz</a> <br>
                 <a href="http://france.shorewall.net/pub/LATEST.lrp">Download
-         .lrp</a></td>
+           .lrp</a><br>
               <a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
           .md5sums</a></td>
               <td>       <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
    .rpm</a>  <br>
@ -216,17 +237,40 @@ Unstable Branch</a>.</li>
            .tgz</a> <br>
                 <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
-  .lrp</a></td>
+    .lrp</a><br>
               <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
    .md5sums</a></td>
             </tr>
         <tr>
-        <td valign="top">SourceForge (California, USA)<br>
+           <td valign="middle">Washington State, USA<br>
          </td>
-        <td valign="top">sf.net<br>
+           <td valign="middle">Shorewall.net<br>
          </td>
           <td valign="top"><a
- href="http://sourceforge.net/projects/shorewall">Download</a><br>
+ href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download  .rpm</a><br>
                 <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download       
    .tgz</a> <br>
                 <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download       
    .lrp</a><br>
           <a
 href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download   
        .md5sums</a><br>
          </td>
-        <td valign="top"><br>
+           <td valign="top"><a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
        Download .rpm</a> <br>
                 <a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
         .tgz</a> <br>
                 <a
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
         .lrp</a><br>
           <a target="_blank"
 href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download    
    .md5sums</a><br>
          </td>
         </tr>
@ -234,7 +278,25 @@ Unstable Branch</a>.</li>
  </table>
         </blockquote>
-<p>Browse Download Sites:</p>
+<p align="left"><b>Documentation in PDF format:</b><br>
 </p>
 <blockquote>   
  <p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
 the Shorewall 1.3.10 documenation (the documentation in HTML format is included
 in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
 </blockquote>
 <blockquote>   
  <blockquote><a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
 http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
   </blockquote>
 </blockquote>
 <p><b>Browse Download Sites:</b></p>
 <blockquote>                           
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -246,23 +308,26 @@ Unstable Branch</a>.</li>
               <td><b>FTP</b></td>
             </tr>
              <tr>
-            <td>Washington State, USA</td>
+               <td>SourceForge<br>
-            <td>Shorewall.net</td>
+          </td>
-            <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
+               <td>sf.net</td>
-            <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
+               <td><a
- target="_blank">Browse</a></td>
+ href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
               <td>N/A</td>
              </tr>
             <tr>
               <td>Slovak Republic</td>
               <td>Shorewall.net</td>
-            <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
+               <td><a
 href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
               <td>       <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
             </tr>
             <tr>
               <td>Texas, USA</td>
               <td>Infohiiway.com</td>
-            <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
+               <td><a
 href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
               <td><a target="_blank"
 href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
             </tr>
@ -290,26 +355,29 @@ Unstable Branch</a>.</li>
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
             </tr>
              <tr>
-            <td>California, USA (Incomplete)</td>
+               <td>Washington State, USA</td>
-            <td>Sourceforge.net</td>
+               <td>Shorewall.net</td>
-            <td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
+               <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
-            <td>N/A</td>
+               <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
 target="_blank">Browse</a></td>
              </tr>
    </tbody>                        
  </table>
         </blockquote>
-<p align="left">CVS:</p>
+<p align="left"><b>CVS:</b></p>
 <blockquote>                         
  <p align="left">The <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS  repository at
    cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
-  component. There's no guarantee that what you find there will work at  all.</p>
+    component. There's no guarantee that what you find there will work at
 all.<br>
   </p>
 </blockquote>
-<p align="left"><font size="2">Last Updated 11/9/2002 - <a
+<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -320,5 +388,8 @@ Unstable Branch</a>.</li>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -33,8 +33,8 @@
 <ol>
            <li>                                                       
    <p align="left">          <b><u>I</u>f you use a Windows system to download
-   a corrected     script, be sure to run the script through <u>        <a
+    a corrected     script, be sure to run the script through <u>       
- href="http://www.megaloman.com/%7Ehany/software/hd2u/"
+    <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
 style="text-decoration: none;"> dos2unix</a></u>      after you have moved
    it to your Linux system.</b></p>
                         </li>
@ -57,24 +57,25 @@ to         start Shorewall during boot. It is  that file that must be overwritte
    </li>
    <li>          
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
+ ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
-do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
+example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
                </p>
    </li>
 </ol>
 <ul>
            <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
            <li>                            <b><a href="#V1.3">Problems in
-Version    1.3</a></b></li>
+ Version    1.3</a></b></li>
            <li>                            <b><a href="errata_2.htm">Problems
   in  Version 1.2</a></b></li>
            <li>                            <b><font color="#660066">  <a
 href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
            <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
-          <li>                            <b><a href="#Debug">Problems with 
+            <li>                            <b><a href="#Debug">Problems
- kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
+with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
            <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
            <li><b><a href="#Multiport">Problems with iptables version 1.2.7
  and       MULTIPORT=Yes</a></b></li>
@ -86,48 +87,70 @@ Version    1.3</a></b></li>
 <hr>                                
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.10</h3>
 <ul>
   <li>If you experience problems connecting to a PPTP server running on
 your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
 version of the firewall script</a> may help. Please report any cases where
 installing this script in /usr/lib/shorewall/firewall solved your connection
 problems. Beginning with version 1.3.10, it is safe to save the old version
 of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
 is the real script now and not just a symbolic link to the real script.<br>
   </li>
 </ul>
 <h3>Version 1.3.9a</h3>
 <ul>
    <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
-the following message appears during "shorewall [re]start":</li>
+ the following message appears during "shorewall [re]start":</li>
 </ul>
 <pre>          recalculate_interfacess: command not found<br></pre>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described 
+ corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
-above.<br>
+ above.<br>
-</blockquote>
+  </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
-single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
+ single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
-to 'recalculate_interface'. <br>
+ to 'recalculate_interface'. <br>
-</blockquote>
+  </blockquote>
 <ul>
    <li>The installer (install.sh) issues a misleading message "Common functions
-installed in /var/lib/shorewall/functions" whereas the file is installed
+ installed in /var/lib/shorewall/functions" whereas the file is installed
 in /usr/lib/shorewall/functions. The installer also performs incorrectly
 when updating old configurations that had the file /etc/shorewall/functions.
    <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
-is an updated version that corrects these problems.<br>
+ is an updated version that corrects these problems.<br>
      </a></li>
 </ul>
 <h3>Version 1.3.9</h3>
     <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
-at  <a
+ at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
+ -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
      <br>
     Version 1.3.8        
 <ul>
-       <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
+         <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
- the  policy file doesn't work.</li>
+of  the  policy file doesn't work.</li>
-       <li>A DNAT rule with the same original and new IP addresses but with 
+         <li>A DNAT rule with the same original and new IP addresses but
- different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 
+with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
- 25 - 10.1.1.1")<br>
+tcp   25 - 10.1.1.1")<br>
         </li>
 </ul>
@ -167,13 +190,15 @@ at  <a
                                   has two problems:</p>
 <ol>
-                                       <li>If the firewall is running a DHCP
+                                         <li>If the firewall is running a 
-  server,                                   the client won't be able to obtain
+DHCP   server,                                   the client won't be able 
-  an IP  address                                  lease from that server.</li>
+to obtain   an IP  address                                  lease from that 
-                                       <li>With this order of checking, the 
+server.</li>
- "dhcp"                                   option cannot be used as a noise-reduction
+                                         <li>With this order of checking, 
-                                    measure where there are both dynamic
+the   "dhcp"                                   option cannot be used as a 
-and    static                                  clients on a LAN segment.</li>
+noise-reduction                                     measure where there are 
 both dynamic and    static                                  clients on a LAN
 segment.</li>
 </ol>
@ -205,9 +230,10 @@ and    static                                  clients on a LAN segment.</li>
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
    an error occurs when the firewall            script attempts to add an
-SNAT   alias.  </p>
+ SNAT   alias.  </p>
          </li>
          <li>                                                          
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
           cause errors during startup when Shorewall is run with iptables
    1.2.7. </p>
@ -268,7 +294,8 @@ SNAT   alias.  </p>
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
       this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
-              as instructed above. This problem is corrected in version 1.3.5a.</p>
+               as instructed above. This problem is corrected in version
 1.3.5a.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
@ -298,10 +325,10 @@ version            has a size of 38126 bytes.</p>
 <ul>
                     <li>The code to detect a duplicate interface entry in
-           /etc/shorewall/interfaces contained a typo that prevented it from
+            /etc/shorewall/interfaces contained a typo that prevented it
-             working correctly. </li>
+from               working correctly. </li>
                     <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
-like   "NAT_BEFORE_RULES=Yes".</li>
+ like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -331,8 +358,8 @@ like   "NAT_BEFORE_RULES=Yes".</li>
             generated for a CONTINUE policy.</li>
                     <li>When an option is given for more than one interface
  in               /etc/shorewall/interfaces then depending on the option,
-Shorewall                may ignore all but the first appearence of the option.
+ Shorewall                may ignore all but the first appearence of the
-For example:<br>
+option.  For example:<br>
                     <br>
                     net    eth0    dhcp<br>
                     loc    eth1    dhcp<br>
@ -358,10 +385,10 @@ option.<br>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
-                   <li>Folks who downloaded 1.3.0 from the links on the download
+                     <li>Folks who downloaded 1.3.0 from the links on the 
-   page              before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
+download    page              before 23:40 GMT, 29 May 2002 may have downloaded 
-   rather than              1.3.0. The "shorewall version" command will tell
+1.2.13    rather than              1.3.0. The "shorewall version" command 
-   you which version              that you have installed.</li>
+will tell    you which version              that you have installed.</li>
                     <li>The documentation NAT.htm file uses non-existent 
           wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
@ -386,8 +413,8 @@ option.<br>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-    corrected 1.2.3 rpm which you can download here</a>  and I have also built
+     corrected 1.2.3 rpm which you can download here</a>  and I have also 
-           an <a
+built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently
    running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
@ -462,8 +489,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 <ul>
                                         <li>set MULTIPORT=No in        
                         /etc/shorewall/shorewall.conf; or </li>
-                                       <li>if you are running Shorewall 1.3.6 
+                                         <li>if you are running Shorewall 
-  you may                                  install                       
+1.3.6    you may                                  install                
                <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                             this firewall script</a> in /var/lib/shorewall/firewall
@ -486,7 +513,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  contains corrected support under a new kernel configuraiton option; see
 <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 10/9/2002 -                            
+<p><font size="2">  Last updated 11/24/2002 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -498,5 +525,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/images/Vexira_Antivirus_Logo.gif
+++ b/Shorewall-docs/images/Vexira_Antivirus_Logo.gif
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -16,23 +16,27 @@
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+ style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
- bgcolor="#400169" height="90">
+ border="0">
         <tbody>
          <tr>
           <td width="100%">                                            
      <h1 align="center"><a
- href="http://www.gnu.org/software/mailman/mailman.html">        <img
+ href="http://www.centralcommand.com/linux_products.html"><img
- border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
+ src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
- height="35">
+ height="79" align="left">
      </a><a href="http://www.gnu.org/software/mailman/mailman.html">   
    <img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
 width="110" height="35">
            </a><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45">
            </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
-      <p align="right"><font color="#ffffff"><b>Powered by Postfix       
+      <p align="right"><font color="#ffffff"><b><br>
-  </b></font>     </p>
+Powered by Postfix          </b></font>     </p>
            </td>
         </tr>
@ -54,18 +58,30 @@
 <h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
 src="images/but3.png" hspace="3" width="88" height="31">
- </a><a href="http://osirusoft.com/"> </a></h2>
+      </a><a href="http://osirusoft.com/"> </a></h2>
 <p>Before subscribing please read my <a href="spam_filters.htm">policy  
    about list traffic that bounces.</a> Also please note that the mail server
-       at shorewall.net checks the sender of incoming mail against the open 
+          at shorewall.net checks incoming mail:<br>
-relay        databases at <a href="http://ordb.org">ordb.org.</a></p>
+  </p>
 <ol>
    <li>against the open   relay        databases at <a
 href="http://ordb.org">ordb.org.</a></li>
    <li>to ensure that the sender address is fully qualified.</li>
    <li>to verify that the sender's domain has an A or MX record in DNS.</li>
    <li>to ensure that the host name in the HELO/EHLO command is a valid
 fully-qualified  DNS name.<br>
    </li>
 </ol>
 <h2></h2>
 <h2 align="left">Mailing Lists Archive Search</h2>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
  <p> <font size="-1"> Match:                
  <select name="method">
  <option value="and">All </option>
@ -94,17 +110,29 @@ relay        databases at <a href="http://ordb.org">ordb.org.</a></p>
 type="submit" value="Search"> </p>
      </form>
 <h2 align="left">Shorewall CA Certificate</h2>
    If you want to trust X.509 certificates issued by Shoreline Firewall
 (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a>
  in your browser. If you don't wish to trust my certificates then you can
 either use unencrypted access when subscribing to Shorewall mailing lists
 or you can use secure access (SSL) and accept the server's certificate when
 prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users
-to get answers to questions and to report problems. Information of general 
+   to get answers to questions and to report problems. Information of general
-interest to the Shorewall user community is also posted to this list.</p>
+   interest to the Shorewall user community is also posted to this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
-the <a href="support.htm">problem reporting guidelines</a>.</b></p>
+   the <a href="support.htm">problem reporting guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
  SSL: <a
 href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
 <p align="left">To post to the list, post to <a
 href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
@ -112,37 +140,42 @@ the <a href="support.htm">problem reporting guidelines</a>.</b></p>
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the 
   Shorewall community. To subscribe, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
-   
+  SSL: <a
-<p align="left">The list archives are at <a
+ href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
 target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
    </a><br>
    The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
 <p align="left">The Shorewall Development Mailing list provides a forum for
-the exchange of ideas about the future of Shorewall and for coordinating ongoing
+   the exchange of ideas about the future of Shorewall and for coordinating
-Shorewall Development.</p>
+  ongoing Shorewall Development.</p>
 <p align="left">To subscribe to the mailing list, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
-   
+  SSL: <a
-<p align="left">To post to the list, post to <a
+ href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
 target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
    To post to the list, post to <a
 href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
 <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
-the  Mailing Lists</h2>
+   the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing
    from Mailman-managed lists. To unsubscribe:</p>
@ -150,19 +183,19 @@ the  Mailing Lists</h2>
 <ul>
         <li>                               
    <p align="left">Follow the same link above that you used to subscribe
-to the  list.</p>
+   to the  list.</p>
         </li>
         <li>                               
    <p align="left">Down at the bottom of that page is the following text:
-"To  change your subscription (set options like digest and delivery modes, 
+   "To  change your subscription (set options like digest and delivery modes,
-get a  reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
+   get a  reminder of your password, <b>or unsubscribe</b> from &lt;name
-enter  your subscription email address:". Enter your email address in the
+of   list&gt;), enter  your subscription email address:". Enter your email
-box and click  on the "Edit Options" button.</p>
+address   in the box and click  on the "Edit Options" button.</p>
         </li>
         <li>                               
    <p align="left">There will now be a box where you can enter your password
-and  click on "Unsubscribe"; if you have forgotten your password, there is 
+   and  click on "Unsubscribe"; if you have forgotten your password, there
-another  button that will cause your password to be emailed to you.</p>
+ is  another  button that will cause your password to be emailed to you.</p>
         </li>
 </ul>
@ -172,12 +205,17 @@ another  button that will cause your password to be emailed to you.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 9/27/2002 - <a
+<p align="left"><font size="2">Last updated 11/22/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
        <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list_problems.htm
+++ b/Shorewall-docs/mailing_list_problems.htm
@ -20,6 +20,7 @@
           <tbody>
            <tr>
             <td width="100%">                                          
      <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
             </td>
           </tr>
@ -32,11 +33,11 @@
 <blockquote>                           
  <div align="left">                             
-  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
           </div>
         </blockquote>
-<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
+<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -49,5 +50,8 @@
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -19,7 +19,7 @@
      <tr>
       <td width="100%">                   
      <h1 align="center"><font color="#ffffff">Ports required for Various
-Services/Applications</font></h1>
+ Services/Applications</font></h1>
       </td>
     </tr>
@ -28,8 +28,8 @@ Services/Applications</font></h1>
 <p>In addition to those applications described in <a
 href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
-are some other services/applications that you may need to configure your firewall
+ are some other services/applications that you may need to configure your
-to accommodate.</p>
+firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
@ -52,18 +52,18 @@ to accommodate.</p>
 <p>DNS</p>
 <blockquote>         
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-to   open TCP Port 53 as well.<br>
+want to   open TCP Port 53 as well.<br>
     If you are configuring a server, only open TCP Port 53 if you will return
-long   replies to queries or if you need to enable ZONE transfers. In the 
+ long   replies to queries or if you need to enable ZONE transfers. In the
-latter   case, be sure that your server is properly configured.</p>
+ latter   case, be sure that your server is properly configured.</p>
   </blockquote>
 <p>ICQ   </p>
 <blockquote>         
  <p>UDP Port 4000. You will also need to open a range of TCP ports which
-you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
+ you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
   </blockquote>
 <p>PPTP</p>
@ -77,7 +77,8 @@ you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
 <blockquote>         
  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
-500.    These should be opened in both directions.</p>
+ 500.    These should be opened in both directions (Lots more information
  <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
   </blockquote>
 <p>SMTP</p>
@ -142,8 +143,9 @@ have:<br>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
 have problems accessing regular FTP servers.</p>
-  <p>If there is a possibility that these modules might be loaded before Shorewall
+   
-starts, then you should include the port list in /etc/modules.conf:<br>
+  <p>If there is a possibility that these modules might be loaded before
 Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
    </p>
  <blockquote>          
@ -177,16 +179,17 @@ starts, then you should include the port list in /etc/modules.conf:<br>
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
   </blockquote>
-<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
+<p>Didn't find what you are looking for -- have you looked in your own  
-file? </p>
+/etc/services file? </p>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
+<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
   <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -4,23 +4,27 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
             <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
                                                              <tbody>
                                                         <tr>
-                                                      <td width="100%"
+                                                                <td
- height="90">                                                            
+ width="100%" height="90">                                               
@ -36,7 +40,10 @@
-      <div align="center"><a href="1.2" target="_top"><font
+                                                                        
      <div align="center"><a
 href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
                                                    </div>
                                                    <br>
@ -49,13 +56,16 @@
 </table>
 <div align="center">                                                    
 <center>                                                              
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                <tbody>
                                                         <tr>
-                                                        <td width="90%">
+                                                                  <td
 width="90%">                                                           
@ -68,6 +78,7 @@
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
@ -78,21 +89,24 @@
      <p>This program is free software; you can redistribute it and/or modify 
                          it        under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
 Public License</a> as published by the Free Software        Foundation.<br>
                                                               <br>
-                                                      This program is distributed 
+                                                                This program
-    in  the   hope   that   it  will   be  useful,    but        WITHOUT ANY
+  is  distributed       in  the   hope   that   it  will   be  useful,  
-   WARRANTY;   without   even the  implied   warranty  of MERCHANTABILITY 
+ but         WITHOUT  ANY    WARRANTY;   without   even the  implied   warranty 
-          or FITNESS  FOR   A PARTICULAR    PURPOSE.   See the  GNU General 
+   of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR    PURPOSE. 
-  Public License          for  more details.<br>
+     See the  GNU General     Public License          for  more details.<br>
                                                               <br>
-                                                      You should have received
+                                                                You should
-   a  copy   of  the   GNU   General     Public    License          along
+ have   received     a  copy   of  the   GNU   General     Public    License
-with   this program;    if  not, write  to the    Free Software    Foundation,
+          along  with   this program;    if  not, write  to the    Free Software 
-          Inc., 675    Mass  Ave, Cambridge,  MA  02139,   USA</p>
+      Foundation,            Inc., 675    Mass  Ave, Cambridge,  MA  02139, 
    USA</p>
@ -106,39 +120,31 @@ with   this program;    if  not, write  to the    Free Software    Foundation,
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                                 </a>Jacques        Nilo
+                                                           </a>Jacques  
-and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway on a floppy,
+     Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway
-CD  or compact  flash) distribution       called        <i>Bering</i>  that
+ on  a floppy,   CD  or compact  flash) distribution       called       
-       features     Shorewall-1.3.9b and  Kernel-2.4.18.      You can  find
+      <i>Bering</i>    that          features     Shorewall-1.3.10 and  Kernel-2.4.18.
- their   work at:          <a
+     You    can  find    their   work at:          <a
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+ href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
       </a></p>
      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
 1.0 Final!!! </b><br>
  </p>
      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
      <h2>Thinking of Downloading this Site for Offline Browsing?</h2>
          You may want to reconsider -- this site is <u><b>181 MB!!!</b></u>
   and   you will almost certainly be blacklisted before you download the
 whole   thing  (my SDSL is only 384kbs so I'll have lots of time to catch
 you).  Besides, if you simply download the product and install it, you get
 the essential parts of the site in a fraction of the time. And do you really
 want to download:<br>
      <ul>
        <li>Both text and HTML versions of every post ever made on  three
   different mailing lists (67.5 MB)?</li>
        <li>Every .rpm, .tgz and .lrp ever released for both Shorewall (92MB)?</li>
        <li>The Shorewall 1.2 site (16.2MB).<br>
               </li>
      </ul>
          You get all that and more if you do a blind recurive copy of this 
 site.   Happy downloading!<br>
      <h2>News</h2>
@ -147,78 +153,77 @@ whole   thing  (my SDSL is only 384kbs so I'll have lots of time to catch
      <h2></h2>
      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                     </b></p>
-      <p>The Shorewall 1.3 web site is now mirrored at SourceForge on <a
+      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
 </p>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                               </b></p>
      <p>In this version:</p>
      <ul>
-          <li>You may now <a href="IPSEC.htm#Dynamic">define the contents 
+        <li>A 'tcpflags' option has been added to entries in <a
- of a zone dynamically</a> with the <a
+ href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
- href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
+This option causes Shorewall to make a set of sanity check on TCP packet
-  delete" commands</a>. These commands are expected to be used primarily
+header flags.</li>
-within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
+        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
-updown   scripts.</li>
+a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
-          <li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
+When used, 'all' must appear by itself (in may not be qualified) and it does 
-   on ethernet segments. You can specify the set of allowed MAC addresses
+not enable intra-zone traffic. For example, the rule <br>
-on   the segment and you can optionally tie each MAC address to one or more
+     <br>
-IP  addresses.</li>
+     ACCEPT loc all tcp 80<br>
-          <li>PPTP Servers and Clients running on the firewall system may 
+     <br>
- now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
+ does not enable http traffic from 'loc' to 'loc'.</li>
-          <li>A new 'ipsecnat' tunnel type is supported for use when the
+        <li>Shorewall's use of the 'echo' command is now compatible with
-          <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
+bash clones such as ash and dash.</li>
-          <li>The PATH used by Shorewall may now be specified in <a
+        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
- href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+generate a warning and are ignored</li>
          <li>The main firewall script is now /usr/lib/shorewall/firewall.
  The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
  to do the real work. This change makes custom distributions such as for
 Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
 that tends  to have distribution-dependent code.</li>
      </ul>
 If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version 
 1.3.10, you will need to use the '--force' option:<br>
-      <blockquote>            
+      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>   
-        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
+                           </b></p>
  </blockquote>
-      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
+      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
- href="http://www.gentoo.org"><br>
+ documenation. the PDF may be downloaded from</p>
               </a></p>
         Alexandru Hartmann reports that his Shorewall package is now a part
  of        <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>. 
  Thanks Alex!<br>
-      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
+      <p>    <a
-           In this version:<br>
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
       <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
   </p>
      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>        
                      </b></p>
      <p>The main Shorewall web site is now back at SourceForge at <a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
           </p>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b>                        
  </b></p>
      <p>In this version:</p>
      <ul>
                    <li>You may now <a href="IPSEC.htm#Dynamic">define the
-contents      of a zone dynamically</a> with the <a
+ contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
       delete" commands</a>. These commands are expected to be used primarily
    within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
    updown   scripts.</li>
-                   <li>Shorewall can now do<a href="MAC_Validation.html"> 
+                    <li>Shorewall can now do<a
-MAC   verification</a>    on ethernet segments. You can specify the set of 
+ href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments.
-allowed   MAC addresses on   the segment and you can optionally tie each MAC
+You can specify the set  of allowed   MAC addresses   on   the segment and
-address   to one or more IP  addresses.</li>
+you can optionally tie each MAC address   to one or more   IP  addresses.</li>
-                   <li>PPTP Servers and Clients running on the firewall system
+                    <li>PPTP Servers and Clients running on the firewall
-   may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
+system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
   file.</li>
                    <li>A new 'ipsecnat' tunnel type is supported for use 
 when   the             <a href="IPSEC.htm">remote IPSEC endpoint is behind 
@ -227,15 +232,68 @@ a NAT   gateway</a>.</li>
           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                    <li>The main firewall script is now /usr/lib/shorewall/firewall.
       The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
-     to do the real work. This change makes custom distributions such as for
+       to do the real work. This change makes custom distributions such as
-   Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
+ for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
     that tends  to have distribution-dependent code.</li>
      </ul>
           If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
  to  version   1.3.10, you will need to use the '--force' option:<br>
      <blockquote>                                                       
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
            </blockquote>
      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
 href="http://www.gentoo.org"><br>
                         </a></p>
                   Alexandru Hartmann reports that his Shorewall package
 is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo
 Linux  distribution</a>.       Thanks Alex!<br>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
                     In this version:<br>
      <ul>
                             <li>You may now <a href="IPSEC.htm#Dynamic">define 
   the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
          delete" commands</a>. These commands are expected to be used primarily 
       within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
       updown   scripts.</li>
                             <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments. 
    You can specify the set of  allowed   MAC addresses on   the segment and
   you can optionally tie each MAC address   to one or more IP  addresses.</li>
                             <li>PPTP Servers and Clients running on the
 firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
        file.</li>
                             <li>A new 'ipsecnat' tunnel type is supported
 for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
 is   behind   a NAT   gateway</a>.</li>
                             <li>The PATH used by Shorewall may now be specified
    in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                             <li>The main firewall script is now /usr/lib/shorewall/firewall. 
          The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
          to do the real work. This change makes custom distributions such 
 as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
        that tends  to have distribution-dependent code.</li>
      </ul>
                    You may download the Beta from:<br>
      <ul>
                            <li><a
 href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
@ -244,31 +302,37 @@ a NAT   gateway</a>.</li>
                            </li>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>       
                         </b><br>
                                 </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b></p>
-                  This release rolls up fixes to the installer and to the 
+                            This release rolls up fixes to the installer
-firewall     script.<br>
+and   to  the   firewall     script.<br>
                             <b><br>
-                  10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
+                            10/6/2002 - Shorewall.net now running on RH8.0
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+       </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
                                                      </b><br>
                                  <br>
-                    The firewall and server here at shorewall.net are now 
+                              The firewall and server here at shorewall.net 
-running     RedHat    release   8.0.<br>
+ are   now   running     RedHat    release   8.0.<br>
@ -278,27 +342,32 @@ running     RedHat    release   8.0.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>               
          </b></p>
                                        <img src="images/j0233056.gif"
 alt="Brown Paper Bag" width="50" height="86" align="left">
-                         There is an updated firewall script at <a
+                                   There is an updated firewall script at 
      <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
                 -- copy that file to /usr/lib/shorewall/firewall.<br>
      <p><b><br>
                                        </b></p>
      <p><b><br>
                                        </b></p>
      <p><b><br>
                                  9/28/2002 - Shorewall 1.3.9 </b><b>   
                            </b></p>
@ -306,32 +375,37 @@ running     RedHat    release   8.0.<br>
      <p>In this version:<br>
                                         </p>
      <ul>
                                                <li><a
 href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now 
             allowed in Shorewall config files (although I recommend   against 
       using       them).</li>
-                                      <li>The connection SOURCE may now be
+                                                <li>The connection SOURCE 
- qualified      by  both   interface      and IP address in a <a
+may   now   be  qualified      by  both   interface      and IP address in 
- href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-                                      <li>Shorewall startup is now disabled 
+                                                <li>Shorewall startup is
- after    initial     installation       until the file /etc/shorewall/startup_disabled 
+now   disabled     after    initial     installation       until the file
-    is removed.     This avoids    nasty   surprises at reboot for users who
+/etc/shorewall/startup_disabled          is removed.     This avoids    nasty
-   install Shorewall     but don't configure     it.</li>
+  surprises at reboot for users     who    install Shorewall     but don't
-                                     <li>The 'functions' and 'version' files
+configure     it.</li>
-  and   the   'firewall'      symbolic   link have been  moved from /var/lib/shorewall
+                                               <li>The 'functions' and 'version'
-     to /usr/lib/shorewall      to appease   the LFS police at Debian.<br>
+    files    and   the   'firewall'      symbolic   link have been  moved
 from    /var/lib/shorewall       to /usr/lib/shorewall      to appease  
 the LFS   police at Debian.<br>
                                               </li>
      </ul>
@ -340,6 +414,7 @@ running     RedHat    release   8.0.<br>
      <p><a href="News.htm">More News</a></p>
@ -347,16 +422,18 @@ running     RedHat    release   8.0.<br>
      <h2><a name="Donations"></a>Donations</h2>
                                  </td>
-                                                        <td width="88"
+                                                                  <td
- bgcolor="#4b017c" valign="top" align="center">             <a
+ width="88" bgcolor="#4b017c" valign="top" align="center">             <a
 href="http://sourceforge.net">M</a></td>
                                                                </tr>
  </tbody>                                                     
 </table>
                                                              </center>
@ -368,8 +445,9 @@ running     RedHat    release   8.0.<br>
 bgcolor="#4b017c">
                                                         <tbody>
                                                         <tr>
-                                                 <td width="100%"
+                                                           <td
- style="margin-top: 1px;">                                               
+ width="100%" style="margin-top: 1px;">                                 
@ -383,6 +461,7 @@ running     RedHat    release   8.0.<br>
      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                          to       <a href="http://www.starlight.org"><font
@ -396,10 +475,12 @@ if       you try it and find it useful, please consider making a donation
 </table>
-<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
                    <br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sfindex.htm
+++ b/Shorewall-docs/sfindex.htm
@ -8,7 +8,7 @@
 </head>
 <frameset cols="242,*">
-  <frame name="contents" target="main" src="Shorewall_index_frame.htm">
+  <frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
  <frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
  <noframes>
  <body>
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@ -28,32 +28,32 @@
 </table>
 <p align="left"><b>Remember that updates to the mirrors are often delayed
-for  6-12 hours after an update to the primary site.</b></p>
+ for  6-12 hours after an update to the primary site.</b></p>
 <p align="left">The main Shorewall Web Site is <a
- href="http://www.shorewall.net">http://www.shorewall.net</a> and is located
+ href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a> 
-in Washington State, USA. It is mirrored at:</p>
+and is located in California, USA. It is mirrored at:</p>
 <ul>
     <li><a target="_top" href="http://slovakia.shorewall.net">   http://slovakia.shorewall.net</a> 
     (Slovak Republic).</li>
-   <li>     <a href="http://www.infohiiway.com/shorewall" target="_top"> 
+     <li>     <a href="http://www.infohiiway.com/shorewall"
- http://shorewall.infohiiway.com</a>     (Texas, USA).</li>
+ target="_top">   http://shorewall.infohiiway.com</a>     (Texas, USA).</li>
     <li><a target="_top" href="http://germany.shorewall.net">   http://germany.shorewall.net</a>
-(Hamburg, Germany)</li>
+ (Hamburg, Germany)</li>
     <li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a>
-(Martinez (Zona Norte - GBA), Argentina)</li>
+ (Martinez (Zona Norte - GBA), Argentina)</li>
     <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
    (Paris, France)</li>
-  <li><a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
+    <li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
-(California, USA)<br>
+ (Washington State, USA)<br>
    </li>
 </ul>
 <p align="left">The main Shorewall FTP Site is <a
 href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a> 
-and is located in Washington State, USA.  It is mirrored at:</p>
+ and is located in Washington State, USA.  It is mirrored at:</p>
 <ul>
     <li><a target="_blank"
@ -63,15 +63,17 @@ and is located in Washington State, USA.
 target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>     (Texas, USA).</li>
     <li><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall">   ftp://germany.shorewall.net/pub/shorewall</a>
-(Hamburg, Germany)</li>
+ (Hamburg, Germany)</li>
     <li>   <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
-(Martinez (Zona Norte - GBA), Argentina)</li>
+ (Martinez (Zona Norte - GBA), Argentina)</li>
     <li>   <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
    (Paris, France)</li>
 </ul>
 Search results and the mailing list archives are always fetched from the
 site in Washington State.<br>
 <p align="left"><font size="2">Last Updated 11/09/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
@ -79,5 +81,7 @@ and is located in Washington State, USA.
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -26,43 +26,44 @@
  </tbody>  
 </table>
    <br>
 Shorewall Requires:<br>
 <ul>
     <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
-    <a href="kernel.htm">     Check here for kernel configuration       information.</a> 
+     <a href="kernel.htm">     Check here for kernel configuration      
-     If you are looking for a firewall for use with 2.2 kernels, <a
+information.</a>       If you are looking for a firewall for use with 2.2
- href="http://www.shorewall.net/seawall">     see       the Seattle Firewall
+kernels, <a href="http://seawall.sf.net">     see       the Seattle Firewall
-site</a>     .</li>
+ site</a>     .</li>
     <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
 href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
-buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
+ buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
 upgrade to iptables 1.2.4 prior to    installing Shorewall. Version 1.2.4
 is available   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
-   and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
+   and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
 to be    running kernel 2.4.18 or later, NO currently-available RedHat iptables
 RPM    will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
  </li>
     <li>Some features require iproute ("ip" utility). The iproute package
-is     included with most distributions but may not be installed by default.
+ is     included with most distributions but may not be installed by default.
-The     official download site is <a
+ The     official download site is <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">   <font
 face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. 
   </li>
-   <li>A Bourne shell or derivative such as bash or ash. Must have correct
+     <li>A Bourne shell or derivative such as bash or ash. This shell must 
-      support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
+have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
    },        ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> 
     } and       ${<i>variable</i>##<i>pattern</i>}.</li>
-   <li>The firewall monitoring display is greatly improved if you have awk
+     <li>The firewall monitoring display is greatly improved if you have
-      (gawk) installed.</li>
+awk        (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 9/19/2002 - <a
+<p align="left"><font size="2">Last updated 11/10/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -22,6 +22,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
        Version 3.1</font></h1>
            </td>
@ -42,8 +43,8 @@ must  all first walk before we can run.</p>
 <ul>
          <li><a href="standalone.htm">Standalone</a> Linux System</li>
-        <li><a href="two-interface.htm">Two-interface</a> Linux System acting 
+          <li><a href="two-interface.htm">Two-interface</a> Linux System
-  as a    firewall/router for a small local network</li>
+acting    as a    firewall/router for a small local network</li>
          <li><a href="three-interface.htm">Three-interface</a> Linux System
  acting  as a    firewall/router for a small local network and a DMZ.</li>
@ -59,8 +60,10 @@ must  all first walk before we can run.</p>
 <ul>
          <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
-        <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
+          <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
-        <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
+Concepts</a></li>
          <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
 Interfaces</a></li>
          <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
  Subnets  and Routing</a>                                   
    <ul>
@ -79,8 +82,8 @@ must  all first walk before we can run.</p>
    </ul>
          </li>
-        <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your 
+          <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
- Network</a>                          
+your   Network</a>                                    
    <ul>
            <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -93,24 +96,25 @@ must  all first walk before we can run.</p>
              <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
              <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
              <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
-ARP</a></li>
+ ARP</a></li>
              <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
        </ul>
            </li>
            <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-          <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
+            <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
- Ends</a></li>
+and   Ends</a></li>
    </ul>
          </li>
          <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
-        <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting 
+          <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 
-  and    Stopping the Firewall</a></li>
+Starting    and    Stopping the Firewall</a></li>
 </ul>
-<h2><a name="Documentation"></a>Additional Documentation</h2>
+<h2><a name="Documentation"></a>Documentation Index</h2>
 <p>The following documentation covers a variety of topics and <b>supplements 
   the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described 
@ -127,7 +131,7 @@ ARP</a></li>
    </ul>
          </li>
          <li><a href="configuration_file_basics.htm">Common configuration
-file   features</a>                         
+ file   features</a>                                   
    <ul>
            <li>Comments in configuration files</li>
            <li>Line Continuation</li>
@ -154,9 +158,11 @@ file   features</a>
            <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
            <li><a href="Documentation.htm#Common">common</a></li>
            <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
-          <li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
+            <li><font color="#000099"><a
 href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
            <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
-          <li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
+            <li><font color="#000099"><a
 href="Documentation.htm#Tunnels">tunnels</a></font></li>
            <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
            <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
            <li><a href="Documentation.htm#modules">modules</a></li>
@ -188,6 +194,11 @@ file   features</a>
          <li><a href="samba.htm">Samba</a></li>
          <li><font color="#000099"><a
 href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
  <ul>
    <li>Description of all /sbin/shorewall commands</li>
    <li>How to safely test a Shorewall configuration change<br>
    </li>
  </ul>
          <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
          <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
          <li>VPN                                   
@ -196,7 +207,7 @@ file   features</a>
            <li><a href="IPIP.htm">GRE and IPIP</a></li>
            <li><a href="PPTP.htm">PPTP</a></li>
            <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
-firewall   to a      remote network.</li>
+ firewall   to a      remote network.</li>
    </ul>
          </li>
@ -207,15 +218,10 @@ firewall   to a      remote network.</li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/3/2002 - <a
+<p><font size="2">Last modified 11/19/2002 - <a
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
-<p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
+<p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
-       <br>
+</p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -4,17 +4,19 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
-                                                                  <base
+                                                                        
- target="_self">
+                                         <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -27,41 +29,43 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
                                                                  </a></i></font><font
 color="#ffffff">Shorewall      1.3   -        <font size="4">"<i>iptables 
-        made easy"</i></font></font><a href="http://www.sf.net"><img
+              made easy"</i></font></font><a href="http://www.sf.net">   
 align="right" alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=1"
 width="88" height="31" hspace="4" vspace="4">
       </a></h1>
-      <div align="center"><a
+                                                          
- href="http://www.shorewall.net/1.2/index.htm" target="_top"><font
+      <div align="center"><a href="/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a></div>
                                     </td>
                    </tr>
  </tbody>                                                            
 </table>
 <div align="center">                                                     
 <center>                                                                 
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                       <tbody>
                                                                <tr>
-                                                             <td
+                                                                        
- width="90%">                                                            
+      <td width="90%">                                                  
@ -74,6 +78,8 @@
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
@ -84,22 +90,27 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify
                              it        under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
 General Public License</a> as published by the Free Software        Foundation.<br>
                                                                      <br>
-                                                           This program is
+                                                                       This 
- distributed       in  the   hope   that   it  will   be  useful,    but
+ program     is  distributed       in  the   hope   that   it  will   be 
-       WITHOUT  ANY    WARRANTY;   without   even the  implied   warranty
+useful,    but         WITHOUT  ANY    WARRANTY;   without   even the  implied 
- of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR    PURPOSE.
+  warranty      of MERCHANTABILITY             or FITNESS  FOR   A PARTICULAR 
-   See the  GNU General     Public License          for  more details.<br>
+    PURPOSE.        See the  GNU General     Public License          for 
 more details.<br>
                                                                      <br>
-                                                           You should have
+                                                                       You
- received     a  copy   of  the   GNU   General     Public    License   
+ should    have   received     a  copy   of  the   GNU   General     Public
-      along  with   this program;    if  not, write  to the    Free Software
+    License             along  with   this program;    if  not, write  to
-    Foundation,            Inc., 675    Mass  Ave, Cambridge,  MA  02139,
+the    Free Software        Foundation,            Inc., 675    Mass  Ave,
-  USA</p>
+Cambridge,  MA  02139,      USA</p>
@ -114,44 +125,18 @@ General Public License</a> as published by the Free Software        Foundation.<
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
                                                                  </a>Jacques 
-Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway on
+         Nilo   and   Eric   Wolzak    have   a  LEAF (router/firewall/gateway 
-a floppy,   CD  or compact  flash) distribution       called        <i>Bering</i>
+    on  a floppy,   CD  or compact  flash) distribution       called     
- that          features     Shorewall-1.3.9b and  Kernel-2.4.18.      You 
+        <i>Bering</i>    that          features     Shorewall-1.3.10 and 
-can  find    their   work at:          <a
+Kernel-2.4.18.       You    can  find    their   work at:          <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                                                                        
+       <b>Congratulations to Jacques and Eric on the recent release of Bering 
-                                                                        
+1.0 Final!!! <br>
-                                                                        
+       </b>       
      <h2>Thinking of Downloading this Site for Offline Browsing?</h2>
           You may want to reconsider -- this site is <u><b>181 MB!!!</b></u> 
   and   you will almost certainly be blacklisted before you download the 
 whole   thing  (my SDSL is only 384kbs so I'll have lots of time to catch 
 you).  Besides, if you simply download the product and install it, you get 
 the essential parts of the site in a fraction of the time. And do you really 
 want to download:<br>
      <ul>
                   <li>Both text and HTML versions of every post ever made
 on  three    different mailing lists (67.5 MB)?</li>
                   <li>Every .rpm, .tgz and .lrp ever released for both Shorewall 
 (92MB)?</li>
                <li>The Shorewall 1.2 site (16.2MB).<br>
                </li>
      </ul>
           You get all that and more if you do a blind recurive copy of this
  site.   Happy downloading!<br>
      <h2>News</h2>
@ -162,64 +147,61 @@ whole   thing  (my SDSL is only 384kbs so I'll have lots of time to catch
      <p><b>11/09/2002 - Shorewall is Back on SourceForge</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                      </b></p>
-      <p>The Shorewall 1.3 web site is now mirrored at SourceForge at <a
+      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
       </p>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                               </b></p>
      <p>In this version:</p>
      <ul>
-               <li>You may now <a href="IPSEC.htm#Dynamic">define the contents
+        <li>A 'tcpflags' option has been added to entries in <a
-    of a zone dynamically</a> with the <a
+ href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
- href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
+This option causes Shorewall to make a set of sanity check on TCP packet
-    delete" commands</a>. These commands are expected to be used primarily 
+header flags.</li>
- within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
+        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
- updown   scripts.</li>
+a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
-               <li>Shorewall can now do<a href="MAC_Validation.html"> MAC 
+When used, 'all' must appear by itself (in may not be qualified) and it does 
-verification</a>      on ethernet segments. You can specify the set of allowed 
+not enable intra-zone traffic. For example, the rule <br>
-MAC addresses   on   the segment and you can optionally tie each MAC address 
+     <br>
-to one or more   IP  addresses.</li>
+     ACCEPT loc all tcp 80<br>
-               <li>PPTP Servers and Clients running on the firewall system
+     <br>
- may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
+ does not enable http traffic from 'loc' to 'loc'.</li>
- file.</li>
+        <li>Shorewall's use of the 'echo' command is now compatible with
-               <li>A new 'ipsecnat' tunnel type is supported for use when 
+bash clones such as ash and dash.</li>
-the             <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT 
+        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
-gateway</a>.</li>
+generate a warning and are ignored</li>
               <li>The PATH used by Shorewall may now be specified in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
               <li>The main firewall script is now /usr/lib/shorewall/firewall. 
    The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
    to do the real work. This change makes custom distributions such as for 
  Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
  that tends  to have distribution-dependent code.</li>
      </ul>
-      If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to
+      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> </b><b><img
- version   1.3.10, you will need to use the '--force' option:<br>
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                               </b></p>
-      <blockquote>                                                      
+      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
 documenation. the PDF may be downloaded from</p>
-        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
+      <p>    <a
-       </blockquote>
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
       <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
   </p>
-      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
+      <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
- href="http://www.gentoo.org"><br>
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-                    </a></p>
+                                  </b></p>
              Alexandru Hartmann reports that his Shorewall package is now
 a  part   of        <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
     Thanks Alex!<br>
-      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
+      <p>The main Shorewall web site is now at SourceForge at <a
-                In this version:<br>
+ href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
                   </p>
      <p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                  </b></p>
      <p>In this version:</p>
      <ul>
@ -231,27 +213,87 @@ gateway</a>.</li>
       updown   scripts.</li>
                           <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments. 
-  You can specify the set of  allowed   MAC addresses on   the segment and
+   You can specify the set  of allowed   MAC addresses   on   the segment 
- you can optionally tie each MAC address   to one or more IP  addresses.</li>
+and   you can optionally tie each MAC address   to one or more   IP  addresses.</li>
                           <li>PPTP Servers and Clients running on the firewall 
   system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
       file.</li>
-                        <li>A new 'ipsecnat' tunnel type is supported for 
+                           <li>A new 'ipsecnat' tunnel type is supported
-use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint is 
+for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
-behind   a NAT   gateway</a>.</li>
+is   behind   a NAT   gateway</a>.</li>
                           <li>The PATH used by Shorewall may now be specified
   in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                           <li>The main firewall script is now /usr/lib/shorewall/firewall. 
          The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
          to do the real work. This change makes custom distributions such 
-as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall
+ as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shorewall 
        that tends  to have distribution-dependent code.</li>
      </ul>
                  If you have installed the 1.3.10 Beta 1 RPM and are now 
 upgrading      to  version   1.3.10, you will need to use the '--force' option:<br>
      <blockquote>                                                      
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
                   </blockquote>
      <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
 href="http://www.gentoo.org"><br>
                                </a></p>
                          Alexandru Hartmann reports that his Shorewall package 
   is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo 
  Linux  distribution</a>.       Thanks Alex!<br>
      <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>               </b></p>
                            In this version:<br>
      <ul>
                                    <li>You may now <a
 href="IPSEC.htm#Dynamic">define     the   contents      of a zone dynamically</a>
   with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
 and   "shorewall            delete" commands</a>. These commands are expected
 to  be used primarily         within             <a
 href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>         updown  
 scripts.</li>
                                    <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments.
        You can specify the set of  allowed   MAC addresses on   the segment
   and    you can optionally tie each MAC address   to one or more IP  addresses.</li>
                                    <li>PPTP Servers and Clients running
 on  the   firewall     system    may   now be defined in the<a
 href="PPTP.htm"> /etc/shorewall/tunnels</a>           file.</li>
                                    <li>A new 'ipsecnat' tunnel type is supported 
    for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
    is   behind   a NAT   gateway</a>.</li>
                                    <li>The PATH used by Shorewall may now
 be  specified      in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                    <li>The main firewall script is now /usr/lib/shorewall/firewall.
              The script in /etc/init.d/shorewall is very small and uses
 /sbin/shorewall               to do the real work. This change makes custom
 distributions such     as   for    Debian  and for Gentoo easier to manage
 since it is /etc/init.d/shorewall            that tends  to have distribution-dependent
 code.</li>
      </ul>
                           You may download the Beta from:<br>
      <ul>
                                   <li><a
 href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
@ -260,32 +302,40 @@ as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shor
                                   </li>
      </ul>
      <p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>      
                          </b><br>
                                        </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                             </b></p>
-                       This release rolls up fixes to the installer and to
+                                   This release rolls up fixes to the installer 
- the   firewall     script.<br>
+   and   to  the   firewall     script.<br>
                                    <b><br>
-                       10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
+                                   10/6/2002 - Shorewall.net now running
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+on  RH8.0          </b><b><img border="0" src="images/new10.gif"
 width="28" height="12" alt="(New)">
                                                             </b><br>
                                         <br>
-                         The firewall and server here at shorewall.net are
+                                     The firewall and server here at shorewall.net
- now   running     RedHat    release   8.0.<br>
+     are   now   running     RedHat    release   8.0.<br>
@ -296,11 +346,14 @@ as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shor
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>                
         </b></p>
-                                   <img src="images/j0233056.gif"
+                                               <img
- alt="Brown Paper Bag" width="50" height="86" align="left">
+ src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
-                              There is an updated firewall script at <a
+ align="left">
                                          There is an updated firewall script 
  at        <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
                     -- copy that file to /usr/lib/shorewall/firewall.<br>
@ -308,18 +361,21 @@ as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shor
      <p><b><br>
                                               </b></p>
      <p><b><br>
                                               </b></p>
      <p><b><br>
                                         9/28/2002 - Shorewall 1.3.9 </b><b>
                                 </b></p>
@ -327,33 +383,40 @@ as   for    Debian  and for Gentoo easier to manage since it is /etc/init.d/shor
      <p>In this version:<br>
                                                </p>
      <ul>
                                                       <li><a
 href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now
-           allowed in Shorewall config files (although I recommend   against
+                 allowed in Shorewall config files (although I recommend
-     using       them).</li>
+  against          using       them).</li>
-                                           <li>The connection SOURCE may
+                                                       <li>The connection 
-now   be  qualified      by  both   interface      and IP address in a <a
+SOURCE    may   now   be  qualified      by  both   interface      and IP 
- href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+address  in  a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-                                           <li>Shorewall startup is now disabled
+                                                       <li>Shorewall startup
-    after    initial     installation       until the file /etc/shorewall/startup_disabled
+  is  now   disabled     after    initial     installation       until the
-       is removed.     This avoids    nasty   surprises at reboot for users
+ file  /etc/shorewall/startup_disabled          is removed.     This avoids
-  who    install Shorewall     but don't configure     it.</li>
+    nasty    surprises at reboot for users     who    install Shorewall 
-                                          <li>The 'functions' and 'version' 
+   but don't  configure     it.</li>
- files    and   the   'firewall'      symbolic   link have been  moved from 
+                                                      <li>The 'functions' 
- /var/lib/shorewall       to /usr/lib/shorewall      to appease   the LFS 
+and   'version'      files    and   the   'firewall'      symbolic   link 
-police at Debian.<br>
+have  been  moved  from    /var/lib/shorewall       to /usr/lib/shorewall 
     to appease   the LFS   police at Debian.<br>
                                                      </li>
      </ul>
@ -363,6 +426,7 @@ police at Debian.<br>
      <p><a href="News.htm">More News</a></p>
@ -371,29 +435,49 @@ police at Debian.<br>
      <h2> </h2>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
                     </a></h1>
      <h4>       </h4>
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
      <h2><a name="Donations"></a>Donations</h2>
                                         </td>
-                                                             <td
+                                                                        
- width="88" bgcolor="#4b017c" valign="top" align="center">             <br>
+      <td width="88" bgcolor="#4b017c" valign="top" align="center">     
       <br>
                       </td>
                                                                       </tr>
  </tbody>                                                            
 </table>
                                                                     </center>
                                                                   </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
                                                                <tbody>
                                                                <tr>
-                                                      <td width="100%"
+                                                                  <td
- style="margin-top: 1px;">                                              
+ width="100%" style="margin-top: 1px;">                                  
@ -409,22 +493,29 @@ police at Debian.<br>
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
-                        to       <a href="http://www.starlight.org"><font
+                              to       <a
- color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
 Children's Foundation.</font></a> Thanks!</font></p>
                                                                  </td>
                                                                </tr>
  </tbody>                                                            
 </table>
-<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font> 
+    
 <p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
                      <br>
-</p>
+   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -30,11 +30,11 @@
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up Shorewall on a standalone Linux system is very 
-easy if you understand the basics and follow the  documentation.</p>
+ easy if you understand the basics and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of 
- Shorewall. It rather focuses on what is required to configure Shorewall in
+  Shorewall. It rather focuses on what is required to configure Shorewall 
-one  of its  most common configurations:</p>
+in one  of its  most common configurations:</p>
 <ul>
      <li>Linux system</li>
@ -44,31 +44,31 @@ one  of its  most common configurations:</p>
 </ul>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if 
+ (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
-this  package is installed by the presence of an <b>ip</b> program on your 
+ this  package is installed by the presence of an <b>ip</b> program on your
-firewall  system. As root, you can use the 'which' command to check for this 
+ firewall  system. As root, you can use the 'which' command to check for
-program:</p>
+this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you read through the guide  first to familiarize yourself 
-with what's involved then go back through it again  making your configuration 
+ with what's involved then go back through it again  making your configuration 
-changes.  Points at which configuration changes  are recommended are flagged 
+ changes.  Points at which configuration changes  are recommended are flagged 
-with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
   .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
        If you edit your configuration files on a Windows system, you must
-save them as  Unix files if your editor supports that option or you must
+ save them as  Unix files if your editor supports that option or you must
 run them through  dos2unix before trying to use them. Similarly, if you copy
 a configuration file  from your Windows hard drive to a floppy disk, you
 must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
      <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
-of    dos2unix</a></li>
+ of    dos2unix</a></li>
-    <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version 
+      <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
@ -84,12 +84,12 @@ un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
 during Shorewall installation).</p>
 <p>As each file is introduced, I suggest that you  look through the actual 
-file on your system -- each file contains detailed  configuration instructions 
+ file on your system -- each file contains detailed  configuration instructions 
-and default entries.</p>
+ and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a 
-set of  <i>zones.</i> In the one-interface sample configuration, only one 
+ set of  <i>zones.</i> In the one-interface sample configuration, only one 
-zone is  defined:</p>
+ zone is  defined:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -112,11 +112,11 @@ zone is  defined:</p>
  the firewall itself is known as <b>fw</b>.</p>
 <p>Rules about what traffic to allow and what traffic to deny are expressed 
-in  terms of zones.</p>
+ in  terms of zones.</p>
 <ul>
      <li>You express your default policy for connections from one zone to
-another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
     </a>file.</li>
      <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,11 +124,11 @@ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
 </ul>
 <p>For each connection request entering the firewall, the request is first 
-checked against the  /etc/shorewall/rules file. If no rule in that file matches 
+ checked against the  /etc/shorewall/rules file. If no rule in that file matches
-the connection  request then the first policy in /etc/shorewall/policy that 
+ the connection  request then the first policy in /etc/shorewall/policy that
-matches the    request is applied. If that policy is REJECT or DROP  the request
+ matches the    request is applied. If that policy is REJECT or DROP  the
-is first  checked against the rules in /etc/shorewall/common (the samples
+request is first  checked against the rules in /etc/shorewall/common (the
-provide that  file for you).</p>
+samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the one-interface sample has
 the  following policies:</p>
@ -176,14 +176,15 @@ the  following policies:</p>
 <ol>
      <li>allow all connection requests from the firewall to the internet</li>
-    <li>drop (ignore) all connection requests from the internet to your firewall</li>
+      <li>drop (ignore) all connection requests from the internet to your 
 firewall</li>
      <li>reject all other connection requests (Shorewall requires this catchall 
    policy).</li>
 </ol>
 <p>At this point, edit your /etc/shorewall/policy and make any changes that 
-you  wish.</p>
+ you  wish.</p>
 <h2 align="left">External Interface</h2>
@ -194,26 +195,26 @@ you  wish.</p>
  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
 a <b>ppp0</b>. If you connect via a regular modem, your External  Interface 
-will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
+ will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
-will be<b> ippp0.</b></p>
+ will be<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
-     The Shorewall one-interface sample configuration assumes that  the external 
+       The Shorewall one-interface sample configuration assumes that  the 
-interface is <b>eth0</b>.  If your configuration is different, you will have 
+external  interface is <b>eth0</b>.  If your configuration is different, you
-to modify the sample  /etc/shorewall/interfaces file accordingly. While you 
+will have  to modify the sample  /etc/shorewall/interfaces file accordingly. 
-are there, you may wish to  review the list of options that are specified 
+While you  are there, you may wish to  review the list of options that are 
-for the interface. Some hints:</p>
+specified  for the interface. Some hints:</p>
 <ul>
      <li>                  
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-you can replace the    "detect" in the second column with "-".   </p>
+ you can replace the    "detect" in the second column with "-".   </p>
     </li>
     <li>                  
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-or if you have a static IP    address, you can remove "dhcp" from the option 
+ or if you have a static IP    address, you can remove "dhcp" from the option 
-list. </p>
+ list. </p>
     </li>
 </ul>
@ -224,7 +225,7 @@ list. </p>
 <div align="left">    
 <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges 
-for  use in private networks:</p>
+ for  use in private networks:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -233,14 +234,14 @@ for  use in private networks:</p>
 <p align="left">These addresses are sometimes referred to as <i>non-routable</i> 
    because the Internet backbone routers will not forward a packet whose 
   destination address is reserved by RFC 1918. In some cases though, ISPs 
-are    assigning these addresses then using <i>Network Address Translation 
+ are    assigning these addresses then using <i>Network Address Translation 
-</i>to    rewrite packet headers when forwarding to/from the internet.</p>
+ </i>to    rewrite packet headers when forwarding to/from the internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
           Before starting Shorewall, you should look at the IP address of
-your external    interface and if it is one of the above ranges, you should
+ your external    interface and if it is one of the above ranges, you should
-remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+ remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
   </div>
 <div align="left">      
@ -249,7 +250,7 @@ remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p
 <div align="left">      
 <p align="left">If you wish to enable connections from the internet to your 
-firewall, the general format is:</p>
+ firewall, the general format is:</p>
   </div>
 <div align="left">      
@ -332,7 +333,7 @@ uses, see <a href="ports.htm">here</a>.</p>
 <div align="left">      
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
    the internet because it uses clear text (even for login!). If you want 
-shell    access to your firewall from the internet, use SSH:</p>
+ shell    access to your firewall from the internet, use SSH:</p>
   </div>
 <div align="left">      
@ -372,7 +373,7 @@ shell    access to your firewall from the internet, use SSH:</p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
       At this point, edit    /etc/shorewall/rules to add other connections 
-as desired.</p>
+ as desired.</p>
   </div>
 <div align="left">      
@ -383,43 +384,45 @@ as desired.</p>
 <p align="left">          <img border="0" src="images/BD21298_2.gif"
 width="13" height="13" alt="Arrow">
        The <a href="Install.htm">installation procedure </a>   configures
-your system to start Shorewall at system boot but beginning with Shorewall
+ your system to start Shorewall at system boot but beginning with Shorewall
-version 1.3.9 startup is disabled so that your system won't try to start
+ version 1.3.9 startup is disabled so that your system won't try to start
 Shorewall before configuration is complete. Once you have completed configuration
 of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
   </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
-package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
+ package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
   </p>
   </div>
 <div align="left">      
 <p align="left">The firewall is started using the "shorewall start" command 
    and stopped using "shorewall stop". When the firewall is stopped, routing 
-is    enabled on those hosts that have an entry in   <a
+ is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
    running firewall may be restarted using the "shorewall restart" command. 
-If    you want to totally remove any trace of Shorewall from your Netfilter 
+ If    you want to totally remove any trace of Shorewall from your Netfilter 
    configuration, use "shorewall clear".</p>
   </div>
 <div align="left">      
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
-the    internet, do not issue a "shorewall stop" command unless you have added
+ the    internet, do not issue a "shorewall stop" command unless you have 
-an    entry for the IP address that you are connected from to   <a
+added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
-an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
+ an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-and    test it using the <a href="Documentation.htm#Starting">"shorewall try"
+ and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
-command</a>.</p>
+try" command</a>.</p>
   </div>
-<p align="left"><font size="2">Last updated 9/26/2002 - <a
+<p align="left"><font size="2">Last updated 11/21/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
-M. Eastep</font></a></p>
+ M. Eastep</font></a></p>
     <br>
   <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -61,11 +61,11 @@ run-level editor.</p>
     <li>Shorewall startup is disabled by default. Once you have configured 
 your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. 
 Note: Users of the .deb package must edit /etc/default/shorewall and set
-'startup=1'.<br>
+ 'startup=1'.<br>
     </li>
     <li>If you use dialup, you may want to start the firewall     in your
-/etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart" 
+ /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart"
-in that script.</li>
+ in that script.</li>
 </ol>
@ -118,8 +118,8 @@ table          (iptables -t mangle -L -n -v)</li>
       <li>shorewall monitor [ delay ] - Continuously display the firewall
           status, last 20 log entries and nat. When the log entry display 
           changes, an audible alarm is sounded.</li>
-      <li>shorewall hits - Produces several reports about the Shorewall packet
+       <li>shorewall hits - Produces several reports about the Shorewall
- log          messages in the current /var/log/messages file.</li>
+packet  log          messages in the current /var/log/messages file.</li>
       <li>shorewall version -  Displays the installed     version number.</li>
       <li>shorewall check -  Performs a <u>cursory</u> validation     of 
 the  zones, interfaces, hosts, rules and policy files.    <font size="4"
@ -127,38 +127,43 @@ the  zones, interfaces, hosts, rules and policy files.    <font size="4"
 generated iptables commands so even though the "check" command     completes 
 successfully, the configuration may fail to start. See the     recommended 
 way to make configuration changes described below. </b></font>    </li>
-      <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] 
+       <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
-  Restart shorewall using the     specified configuration and if an error
+]  -  Restart shorewall using the     specified configuration and if an error 
 occurs or if the<i> timeout </i>    option is given and the new configuration 
- has been up for that many seconds     then shorewall is restarted using
+ has been up for that many seconds     then shorewall is restarted using the
-the  standard configuration.</li>
+ standard configuration.</li>
       <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
 save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
-      <li>shorewall logwatch (added in version 1.3.2) - Monitors the    <a
+       <li>shorewall logwatch (added in version 1.3.2) - Monitors the   
- href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
+    <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall 
     messages are logged.</li>
 </ul>
-Finally, the "shorewall" program may be used to dynamically alter the contents
+ Finally, the "shorewall" program may be used to dynamically alter the contents 
 of a zone.<br>
 <ul>
   <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the 
 specified interface (and host if included) to the specified zone.</li>
   <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes 
 the specified interface (and host if included) from the specified zone.</li>
 </ul>
 <blockquote>Examples:<br>
  <blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 
 from interface ipsec0 to the zone vpn1<br>
-shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
+ shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 
 from interface ipsec0 from zone vpn1<br>
   </blockquote>
-</blockquote>
+ </blockquote>
 <p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
   <b>shorewall try </b>commands allow you to specify which <a
- href="#Configs">   Shorewall configuration</a>    to use:</p>
+ href="configuration_file_basics.htm#Configs">   Shorewall configuration</a>
   to use:</p>
 <blockquote>                                                             
@ -170,8 +175,8 @@ from interface ipsec0 from zone vpn1<br>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
   is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
-   . If the file is present in the <i>configuration-directory</i>, that file 
+    . If the file is present in the <i>configuration-directory</i>, that
-  will be used; otherwise, the file in /etc/shorewall will be used.</p>
+file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -225,7 +230,7 @@ from interface ipsec0 from zone vpn1<br>
-<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
     </font></p>
@ -237,5 +242,6 @@ from interface ipsec0 from zone vpn1<br>
                              <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -22,6 +22,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
            </td>
          </tr>
@ -29,31 +30,37 @@
  </tbody>       
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
-is easier to post a problem than to use your own brain" </font>-- </i> <font
+easier to post a problem than to use your own brain" </font>-- </i> <font
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you
+<p align="left"> <i>"Any sane computer will tell you how it works -- you just
-just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+ have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
 <blockquote> </blockquote>
 <p><span style="font-weight: 400;"><i>"It irks me when people believe that 
   free software        comes at no cost. The cost is incredibly high."</i> 
- - <font size="2">       Wietse Venema</font></span></p>
+  - <font size="2">       Wietse Venem<br>
 </font></span></p>
 <h3 align="left">Before Reporting a Problem</h3>
 <b><i>"Reading the documentation fully is a prerequisite to getting help 
 for your particular situation. I know it's harsh but you will have to get 
 so far on your own before you can get reasonable help from a list full of 
 busy people. A mailing list is not a tool to speed up your day by being spoon
 fed</i></b><i><b>".</b> </i>-- Simon White<br>
-<p>There are a number of sources for problem solution information.</p>
+<p>There are also a number of sources for problem solution information.</p>
 <ul>
          <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
          <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
-contains  a    number of tips to help you solve common problems.</li>
+  contains  a    number of tips to help you solve common problems.</li>
-       <li>The <a href="errata.htm">   Errata</a> has links to download updated
+          <li>The <a href="errata.htm">   Errata</a> has links to download
-     components.</li>
+ updated      components.</li>
-       <li>The Mailing List Archives search facility can locate posts about 
+          <li>The Mailing List Archives search facility can locate posts
-      similar problems:</li>
+about         similar problems:</li>
 </ul>
@ -89,33 +96,44 @@ contains  a    number of tips to help you solve common problems.</li>
 type="submit" value="Search"> </p>
     </form>
-<h3 align="left">Problem Reporting Guidelines</h3>
+<h3 align="left">Problem Reporting Guideline</h3>
 <ul>
          <li>When reporting a problem, give as much information as you can.
-Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+  Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
          <li>Please don't describe your environment and then ask us to send
-you             custom configuration files. We're here to answer your questions
+  you             custom configuration files. We're here to answer your questions 
   but we           can't do your job for you.</li>
-       <li>Do you see any "Shorewall" messages in     /var/log/messages when
+          <li>Do you see any "Shorewall" messages in     /var/log/messages
-  you exercise the function that is giving you problems?</li>
+ when   you exercise the function that is giving you problems?</li>
          <li>Have you looked at the packet flow with a tool like tcpdump 
    to  try to understand what is going on?</li>
-       <li>Have you tried using the diagnostic capabilities of the     application
+          <li>Have you tried using the diagnostic capabilities of the   
-  that isn't working? For example, if "ssh" isn't able     to connect, using
+ application    that isn't working? For example, if "ssh" isn't able    
-  the "-v" option gives you a lot of valuable     diagnostic information.</li>
+to connect, using    the "-v" option gives you a lot of valuable     diagnostic 
 information.</li>
          <li>Please include any of the Shorewall configuration files (especially 
   the    /etc/shorewall/hosts file if you have modified that file) that you
   think are    relevant. If an error occurs when you try to "shorewall start",
   include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
   section for    instructions).</li>
-       <li>The list server limits posts to 120kb so don't post GIFs of your 
+          <li>The list server limits posts to 120kb so don't post GIFs of 
-           network layout, etc to the Mailing List -- your post will be rejected.</li>
+your             network layout, etc to the Mailing List -- your post will 
 be rejected.</li>
 </ul>
 <h3>Where to Send your Problem Report or to Ask for Help</h3>
-         <b></b>
+            <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
 reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
 on October 3, 2002; MandrakeSoft issued a charge against my credit card
 on  October 4, 2002 (they are really effecient at that part of the order
 process)  and I haven't heard a word from them since (although their news
 letters boast  that 9.0 boxed sets have been shipping for the last two weeks).
 If they can't  fill my 9.0 order within <u>6 weeks after they have billed
 my credit card</u>  then I refuse to spend my free time supporting of their
 product for them.<br>
 <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please 
    post your question or problem to the <a
 href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
@ -135,14 +153,11 @@ you             custom configuration files. We're here to answer your questions
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
        .</p>
-<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-      <br>
+</p>
-    <br>
+ 
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -20,6 +20,7 @@
          <tbody>
           <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
            </td>
          </tr>
@ -54,9 +55,9 @@
 <p>This guide assumes that you have the iproute/iproute2 package installed 
   (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell 
-if  this  package is installed by the presence of an <b>ip</b> program on 
+ if  this  package is installed by the presence of an <b>ip</b> program on 
-your  firewall  system. As root, you can use the 'which' command to check 
+ your  firewall  system. As root, you can use the 'which' command to check 
-for this  program:</p>
+ for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -67,10 +68,10 @@ for this  program:</p>
       </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-          If you edit your configuration files on a Windows system, you must
+            If you edit your configuration files on a Windows system, you 
-  save them as  Unix files if your editor supports that option or you must
+must   save them as  Unix files if your editor supports that option or you 
- run them through  dos2unix before trying to use them. Similarly, if you
+must  run them through  dos2unix before trying to use them. Similarly, if 
-copy  a configuration file  from your Windows hard drive to a floppy disk,
+you copy  a configuration file  from your Windows hard drive to a floppy disk,
 you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
@ -97,8 +98,8 @@ of  these as described in this guide.  After you have <a
   and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a 
-  set of  <i>zones.</i> In the three-interface sample configuration, the following
+   set of  <i>zones.</i> In the three-interface sample configuration, the 
-  zone names are used:</p>
+following   zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -133,7 +134,7 @@ of  these as described in this guide.  After you have <a
 <ul>
          <li>You express your default policy for connections from one zone 
-to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
       </a>file.</li>
          <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -142,10 +143,10 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
 <p>For each connection request entering the firewall, the request is first 
   checked against the  /etc/shorewall/rules file. If no rule in that file 
-matches  the connection  request then the first policy in /etc/shorewall/policy 
+ matches  the connection  request then the first policy in /etc/shorewall/policy 
-that  matches the    request is applied. If that policy is REJECT or DROP  
+ that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common (the
+ the request is first  checked against the rules in /etc/shorewall/common 
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample 
   has the  following policies:</p>
@ -218,18 +219,18 @@ samples provide that  file for you).</p>
 <ol>
          <li>allow all connection requests from your local network to the
-internet</li>
+ internet</li>
-        <li>drop (ignore) all connection requests from the internet to your 
+          <li>drop (ignore) all connection requests from the internet to
- firewall     or local network</li>
+your   firewall     or local network</li>
-        <li>optionally accept all connection requests from the firewall to
+          <li>optionally accept all connection requests from the firewall 
- the     internet (if you uncomment the additional policy)</li>
+to  the     internet (if you uncomment the additional policy)</li>
          <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-         At this point, edit your /etc/shorewall/policy  file and make any
+           At this point, edit your /etc/shorewall/policy  file and make
- changes  that you  wish.</p>
+any   changes  that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -239,37 +240,38 @@ internet</li>
 <p align="left">The firewall has three network interfaces. Where Internet 
    connectivity is through a cable or DSL "Modem", the <i>External Interface</i> 
-   will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+    will be the ethernet adapter that is connected to that "Modem" (e.g., 
-  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
+<b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
-   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
+<u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
-  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
+<u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External Interface
-a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
+will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular
-your External  Interface will also be <b>ppp0</b>. If you connect using ISDN,
+modem, your External  Interface will also be <b>ppp0</b>. If you connect
-  you external  interface will be <b>ippp0.</b></p>
+using ISDN,   you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
           If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then
-you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
+ you   will want to  set CLAMPMSS=yes in <a
-/etc/shorewall/shorewall.conf.</a></p>
+ href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
    eth1 or eth2) and will be connected to a hub or switch. Your local computers 
-   will be connected to the same switch (note: If you have only a single local
+    will be connected to the same switch (note: If you have only a single 
-  system,  you can connect the firewall directly to the computer using a
+local   system,  you can connect the firewall directly to the computer using 
-<i>cross-over   </i> cable).</p>
+a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
   (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
- computers will  be connected to the same switch (note: If you have only a
+  computers will  be connected to the same switch (note: If you have only 
- single DMZ system,  you can connect the firewall directly to the computer 
+a  single DMZ system,  you can connect the firewall directly to the computer 
  using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-     </b></u>Do not connect more than one interface  to the same hub or switch 
+       </b></u>Do not connect more than one interface  to the same hub or 
-  (even for testing). It won't work the way that you  expect it to and you 
+switch    (even for testing). It won't work the way that you  expect it to 
- will end up confused and  believing that Shorewall doesn't work at all.</p>
+and you   will end up confused and  believing that Shorewall doesn't work 
 at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
@ -299,14 +301,14 @@ you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
    Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
   <i> Public</i> IP address. This address may be assigned via the<i> Dynamic
   Host  Configuration Protocol</i> (DHCP) or as part of establishing your
-connection   when you dial in (standard modem) or establish your PPP connection. 
+ connection   when you dial in (standard modem) or establish your PPP connection.
-In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
+ In rare   cases, your ISP may assign you a<i> static</i> IP address; that
-means that  you  configure your firewall's external interface to use that 
+ means that  you  configure your firewall's external interface to use that
-address permanently.<i>  </i>Regardless of how the address is assigned, it 
+ address permanently.<i>  </i>Regardless of how the address is assigned,
-will be shared by all of your  systems when you access the Internet. You will
+it  will be shared by all of your  systems when you access the Internet.
-have to assign your  own addresses  for your internal network (the local and
+You will have to assign your  own addresses  for your internal network (the
-DMZ Interfaces on  your firewall plus your other  computers). RFC 1918 reserves
+local and DMZ Interfaces on  your firewall plus your other  computers). RFC
-several <i>Private  </i>IP address ranges for this  purpose:</p>
+1918 reserves several <i>Private  </i>IP address ranges for this  purpose:</p>
 <div align="left">          
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -316,22 +318,23 @@ several <i>Private  </i>IP address ranges for this  purpose:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
              Before starting Shorewall, you should look at the IP address
-of  your  external    interface and if it is one of the above ranges, you
+ of  your  external    interface and if it is one of the above ranges, you
-should  remove  the    'norfc1918' option from the external interface's entry
+ should  remove  the    'norfc1918' option from the external interface's
-in    /etc/shorewall/interfaces.</p>
+entry  in    /etc/shorewall/interfaces.</p>
       </div>
 <div align="left">          
 <p align="left">You will want to assign your local addresses from one <i>
      sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-subnet.  For our purposes, we can consider a subnet    to consists of a range
+ subnet.  For our purposes, we can consider a subnet    to consists of a
-of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
+range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
-Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
+ Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
- Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>.
+  Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>  
- In Shorewall,  a subnet is described using <a href="subnet_masks.htm"><i>Classless
+<i>Address</i>.  In Shorewall,  a subnet is described using <a
- InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet
+ href="subnet_masks.htm"><i>Classless  InterDomain Routing </i>(CIDR)</a> 
-address  followed    by "/24". The "24" refers to the number of    consecutive
+notation with consists of the subnet address  followed    by "/24". The "24" 
-"1"  bits from the left of the subnet mask. </p>
+refers to the number of    consecutive "1"  bits from the left of the subnet 
 mask. </p>
       </div>
 <div align="left">          
@ -375,17 +378,17 @@ address  followed    by "/24". The "24" refers to the number of    consecutive
 <p align="left">One of the purposes of subnetting is to allow all computers 
   in the    subnet to understand which other computers can be communicated 
  with directly.    To communicate with systems outside of the subnetwork, 
-systems send packets    through a<i>  gateway</i>  (router).</p>
+ systems send packets    through a<i>  gateway</i>  (router).</p>
       </div>
 <div align="left">          
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-         Your local  computers    (Local Computers 1 &amp; 2) should be configured 
+           Your local  computers    (Local Computers 1 &amp; 2) should be 
-  with their<i>    default gateway</i> set to the IP address of the firewall's 
+configured    with their<i>    default gateway</i> set to the IP address of
-  internal interface    and your DMZ computers ( DMZ Computers 1 &amp; 2) 
+the firewall's    internal interface    and your DMZ computers ( DMZ Computers 
-should  be configured with their    default gateway set to the IP address 
+1 &amp; 2)  should  be configured with their    default gateway set to the 
-of the firewall's DMZ interface.   </p>
+IP address  of the firewall's DMZ interface.   </p>
       </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -408,17 +411,18 @@ of the firewall's DMZ interface.
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
   to as <i>non-routable</i> because the Internet backbone routers don't forward
-  packets  which have an RFC-1918 destination address. When one of your local 
+   packets  which have an RFC-1918 destination address. When one of your
-  systems  (let's assume local computer 1) sends a connection request to an
+local    systems  (let's assume local computer 1) sends a connection request
-  internet host, the  firewall must perform <i>Network Address Translation 
+to an   internet host, the  firewall must perform <i>Network Address Translation
  </i>(NAT). The firewall  rewrites the source address in the packet to be
-the address of the firewall's  external interface; in other words, the firewall 
+ the address of the firewall's  external interface; in other words, the firewall
- makes it look as if the firewall  itself is initiating the connection.  This
+  makes it look as if the firewall  itself is initiating the connection. 
- is necessary so that the  destination host will be able to route return packets
+This  is necessary so that the  destination host will be able to route return
-  back to the firewall  (remember that packets whose destination address
+packets   back to the firewall  (remember that packets whose destination
-is   reserved by RFC 1918 can't  be routed accross the internet). When the
+address is   reserved by RFC 1918 can't  be routed accross the internet).
-firewall   receives a return packet, it  rewrites the destination address
+When the firewall   receives a return packet, it  rewrites the destination
-back to 10.10.10.1   and  forwards the packet on to local computer 1. </p>
+address back to 10.10.10.1   and  forwards the packet on to local computer
 1. </p>
 <p align="left">On Linux systems, the above process is often referred to as<i>
 IP Masquerading</i> and you will also see the term <i>Source Network Address
@ -445,27 +449,28 @@ back to 10.10.10.1   and  forwards the packet on to local computer 1. </p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
           If your external firewall interface is <b>eth0</b>, your local 
-interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
+ interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
-not  need to  modify the file provided with the sample. Otherwise, edit 
+ not  need to  modify the file provided with the sample. Otherwise, edit
-/etc/shorewall/masq   and change it to match your configuration.</p>
+ /etc/shorewall/masq   and change it to match your configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-         If your external IP  is static, you can enter it in the third column 
+           If your external IP  is static, you can enter it in the third
-  in the /etc/shorewall/masq entry  if you like although your firewall will 
+column    in the /etc/shorewall/masq entry  if you like although your firewall
-  work fine if you leave that column  empty. Entering your static IP in column 
+will    work fine if you leave that column  empty. Entering your static IP
-  3 makes processing outgoing packets a  little more efficient. </p>
+in column    3 makes processing outgoing packets a  little more efficient.
 </p>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your 
   DMZ computers. Because these computers have RFC-1918 addresses, it is not
-   possible for clients on the internet to connect directly to them. It is 
+    possible for clients on the internet to connect directly to them. It
- rather  necessary for those clients to address their connection requests 
+is   rather  necessary for those clients to address their connection requests 
-to your firewall  who rewrites the destination address to the address of your
+ to your firewall  who rewrites the destination address to the address of 
-server and forwards  the packet to that server. When your server responds, 
+your server and forwards  the packet to that server. When your server responds, 
- the firewall automatically  performs SNAT to rewrite the source address in
+  the firewall automatically  performs SNAT to rewrite the source address 
- the response.</p>
+in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
    Destination Network Address Translation</i> (DNAT). You configure port
@ -549,9 +554,9 @@ the same  as <i>&lt;port&gt;</i>.</p>
 <ul>
          <li>When you are connecting to your server from your local systems, 
  you  must    use the server's internal IP address (10.10.11.2).</li>
-        <li>Many ISPs block incoming connection requests to port 80. If you 
+          <li>Many ISPs block incoming connection requests to port 80. If 
- have     problems connecting to your web server, try the following rule and
+you   have     problems connecting to your web server, try the following rule
- try     connecting to port 5000 (e.g., connect to <a
+and  try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your 
   external IP).</li>
@ -661,27 +666,27 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
           At this point, add the DNAT and  ACCEPT rules for your servers.
-</p>
+ </p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
   an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
- will be  automatically configured (e.g., the /etc/resolv.conf file will be
+  will be  automatically configured (e.g., the /etc/resolv.conf file will 
- written).  Alternatively, your ISP may have given you the IP address of
+be  written).  Alternatively, your ISP may have given you the IP address of
 a  pair of DNS <i> name servers</i> for you to manually configure as your 
-primary  and secondary  name servers. It is <u>your</u> responsibility to 
+ primary  and secondary  name servers. It is <u>your</u> responsibility to 
-configure  the resolver in your  internal systems. You can take one of two 
+ configure  the resolver in your  internal systems. You can take one of two 
-approaches:</p>
+ approaches:</p>
 <ul>
          <li>                                      
    <p align="left">You can configure your internal systems to use your ISP's 
-  name    servers. If you ISP gave you the addresses of their servers or if
+   name    servers. If you ISP gave you the addresses of their servers or 
-  those    addresses are available on their web site, you can configure your
+if   those    addresses are available on their web site, you can configure 
-  internal    systems to use those addresses. If that information isn't available,
+your   internal    systems to use those addresses. If that information isn't 
-  look in    /etc/resolv.conf on your firewall system -- the name servers
+available,   look in    /etc/resolv.conf on your firewall system -- the name 
-are  given in    "nameserver" records in that file.   </p>
+servers are  given in    "nameserver" records in that file.   </p>
         </li>
         <li>                                      
    <p align="left"><img border="0" src="images/BD21298_2.gif"
@ -690,12 +695,13 @@ are  given in    "nameserver" records in that file.   </p>
  or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
  also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
  If you    take this approach, you configure your internal systems to use 
-the caching    name server as their primary (and only) name server. You use 
+ the caching    name server as their primary (and only) name server. You use
-the internal IP    address of the firewall (10.10.10.254 in the example above) 
+ the internal IP    address of the firewall (10.10.10.254 in the example above)
-  for the name    server address if you choose to run the name server on your
+   for the name    server address if you choose to run the name server on
-  firewall. To allow your local systems to talk to your caching name    server,
+your   firewall. To allow your local systems to talk to your caching name 
-  you must open port 53 (both UDP and TCP) from the local network to the
+   server,   you must open port 53 (both UDP and TCP) from the local network 
-   server; you do that by adding the rules in /etc/shorewall/rules.     </p>
+to the    server; you do that by adding the rules in /etc/shorewall/rules. 
    </p>
         </li>
 </ul>
@ -1054,8 +1060,9 @@ uses, look <a href="ports.htm">here</a>.</p>
         The <a href="Install.htm">installation procedure </a>   configures 
  your system to start Shorewall at system boot  but beginning with Shorewall
  version 1.3.9 startup is disabled so that your system won't try to start
-Shorewall before configuration is complete. Once you have completed configuration
+ Shorewall before configuration is complete. Once you have completed configuration
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+ of your firewall, you can enable Shorewall startup by removing the file
 /etc/shorewall/startup_disabled.<br>
       </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1077,11 +1084,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
 <div align="left">          
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-         The three-interface sample assumes that you want to enable    routing 
+           The three-interface sample assumes that you want to enable   
-  to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ) when Shorewall 
+routing    to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
-  is stopped.    If these two interfaces don't connect to your local network 
+when Shorewall    is stopped.    If these two interfaces don't connect to
-  and DMZ or if you    want to enable a different set of hosts, modify /etc/shorewall/routestopped 
+your local network    and DMZ or if you    want to enable a different set
-     accordingly.</p>
+of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
       </div>
 <div align="left">          
@ -1090,12 +1097,12 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
  added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
-  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
+   an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-  and    test it using the <a href="Documentation.htm#Starting">"shorewall 
+   and    test it using the <a
- try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
       </div>
-<p align="left"><font size="2">Last updated 10/22/2002 - <a
+<p align="left"><font size="2">Last updated 11/21/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -1106,5 +1113,7 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@ -28,60 +28,61 @@
 <h3 align="left">Check the Errata</h3>
 <p align="left">Check the <a href="errata.htm">Shorewall Errata</a>  to be
-sure   that there isn't an update that you are missing for your version of
+ sure   that there isn't an update that you are missing for your version
-the   firewall.</p>
+of  the   firewall.</p>
 <h3 align="left">Check the FAQs</h3>
 <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
-problems.</p>
+ problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
        If you receive an error message when starting or restarting the firewall
-and you can't determine the cause, then do the following:   
+ and you can't determine the cause, then do the following:     
 <ul>
       <li>shorewall debug start 2&gt; /tmp/trace</li>
       <li>Look at the /tmp/trace file and see if that helps you     determine
-what the problem is.</li>
+ what the problem is.</li>
       <li>If you still can't determine what's wrong then see the     <a
 href="support.htm">support page</a>.</li>
 </ul>
-<h3>Your test environment</h3>
+<h3>Your network environment</h3>
 <p>Many times when people have problems with Shorewall, the problem is  
- actually an ill-conceived test setup. Here are several popular snafus: </p>
+ actually an ill-conceived network setup. Here are several popular snafus:
 </p>
 <ul>
       <li>Port           Forwarding where client and server are in the same
-subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+ subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
       <li>Changing the IP address of a local system to be in the external
-subnet,      thinking that Shorewall will suddenly believe that the system
+ subnet,      thinking that Shorewall will suddenly believe that the system
-is in the      'net' zone.</li>
+ is in the      'net' zone.</li>
-     <li>Multiple interfaces connected to the same HUB or Switch. Given the
+       <li>Multiple interfaces connected to the same HUB or Switch. Given 
-way      that the Linux kernel respond to ARP "who-has" requests, this type
+the way      that the Linux kernel respond to ARP "who-has" requests, this 
-of setup      does NOT work the way that you expect it to.</li>
+type of setup      does NOT work the way that you expect it to.</li>
 </ul>
 <h3 align="left">If you are having connection problems:</h3>
 <p align="left">If the appropriate policy for the connection that you are
-trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
+ trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
-TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
+ TO MAKE IT WORK. Such additional rules will NEVER make it work, they add 
-to your rule set and they represent a big security hole in the event that
+clutter to your rule set and they represent a big security hole in the event 
-you forget to remove them later.</p>
+that you forget to remove them later.</p>
 <p align="left">I also recommend against setting all of your policies to
       ACCEPT in an effort to make something work. That robs you of one of
-your        best diagnostic tools - the "Shorewall" messages that Netfilter
+ your        best diagnostic tools - the "Shorewall" messages that Netfilter
-will        generate when you try to connect in a way that isn't permitted
+ will        generate when you try to connect in a way that isn't permitted
-by your        rule set.</p>
+ by your        rule set.</p>
 <p align="left">Check your log. If you don't see Shorewall  messages, then
-your problem is probably NOT a Shorewall problem. If you DO see packet messages,
+ your problem is probably NOT a Shorewall problem. If you DO see packet messages,
-it may be an indication that you are missing one or more rules -- see <a
+ it may be an indication that you are missing one or more rules -- see <a
 href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear 
@ -97,13 +98,13 @@ it may be an indication that you are missing one or more rules -- see <a
        <font face="Century Gothic, Arial, Helvetica">            
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
-LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
+ LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
           </font>            
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
       <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
+ -- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
     <a href="FAQ.htm#faq17">FAQ 17).</a></li>
       <li>IN=eth2 - the packet entered the firewall via eth2</li>
       <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
@ -115,9 +116,14 @@ LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</f
 </ul>
 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and  192.168.1.3
-is in the "loc" zone. I was missing the rule:</p>
+ is in the "loc" zone. I was missing the rule:</p>
-<p align="left">ACCEPT    dmz    loc    udp    53</p>
+<p align="left">ACCEPT    dmz    loc    udp    53<br>
 </p>
 <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information 
 about how to interpret the chain name appearing in a Shorewall log message.<br>
 </p>
 <h3 align="left">Other Gotchas</h3>
@ -126,60 +132,60 @@ is in the "loc" zone. I was missing the rule:</p>
      chains? This means that:          
    <ol>
         <li>your zone definitions are screwed up and the host that is sending
-the        packets or the destination host isn't in any zone (using an  
+ the        packets or the destination host isn't in any zone (using an 
-    <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
+     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
-       or</li>
+you?);         or</li>
         <li>the source and destination hosts are both connected to the same
        interface and that interface doesn't have the 'multi' option specified
-in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+ in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
       </li>
       <li>Remember that Shorewall doesn't automatically allow ICMP     type
-8 ("ping") requests to be sent between zones. If you want     pings to be
+ 8 ("ping") requests to be sent between zones. If you want     pings to be
-allowed between zones, you need a rule of the form:<br>
+ allowed between zones, you need a rule of the form:<br>
        <br>
            ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
-icmp        echo-request<br>
+ icmp        echo-request<br>
        <br>
-      The ramifications of this can be subtle. For example, if you have the
+        The ramifications of this can be subtle. For example, if you have 
-     following in /etc/shorewall/nat:<br>
+the      following in /etc/shorewall/nat:<br>
        <br>
            10.1.1.2    eth0        130.252.100.18<br>
        <br>
-      and you ping 130.252.100.18, unless you have allowed icmp type 8 between 
+        and you ping 130.252.100.18, unless you have allowed icmp type 8
-the     zone containing the system you are pinging from and the zone containing
+between  the     zone containing the system you are pinging from and the
-     10.1.1.2, the ping requests will be dropped. This is true even if you 
+zone containing       10.1.1.2, the ping requests will be dropped. This is
-have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
+true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
       <li>If you specify "routefilter" for an interface,     that interface
-must be up prior to starting the firewall.</li>
+ must be up prior to starting the firewall.</li>
-     <li>Is your routing correct? For example, internal systems usually need
+       <li>Is your routing correct? For example, internal systems usually 
-to      be configured with their default gateway set to the IP address of
+need to      be configured with their default gateway set to the IP address 
-their      nearest firewall interface. One often overlooked aspect of routing
+of their      nearest firewall interface. One often overlooked aspect of routing
 is that      in order for two hosts to communicate, the routing between them
 must be set      up <u>in both directions.</u> So when setting up routing
-between <b>A</b>      and<b> B</b>, be sure to verify that the route from
+ between <b>A</b>      and<b> B</b>, be sure to verify that the route from
     <b>B</b> back to <b>A</b>      is defined.</li>
-     <li>Some versions of LRP (EigerStein2Beta for example) have a     shell
+       <li>Some versions of LRP (EigerStein2Beta for example) have a    
-with broken variable expansion. <a
+shell  with broken variable expansion. <a
 href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
-shell from the Shorewall Errata download site.</a>     </li>
+ shell from the Shorewall Errata download site.</a>     </li>
       <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
       <li>Some features require the "ip" program. That     program is generally
-included in the "iproute" package which should     be included with your
+ included in the "iproute" package which should     be included with your
 distribution (though many distributions don't install     iproute by    
 default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
-.</li>
+ .</li>
       <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
-then the zone must be entirely   defined in /etc/shorewall/hosts unless you
+ then the zone must be entirely   defined in /etc/shorewall/hosts unless
-have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
+you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
 For example, if a zone has two interfaces but   only one interface has an
 entry in /etc/shorewall/hosts then hosts attached to   the other interface
 will     <u>not</u> be considered part of the zone.</li>
-     <li>Problems with NAT? Be sure that you let Shorewall add all     external
+       <li>Problems with NAT? Be sure that you let Shorewall add all    
-addresses to be use with NAT unless you have set <a
+external  addresses to be use with NAT unless you have set <a
 href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
 </ul>
@ -190,10 +196,10 @@ addresses to be use with NAT unless you have set <a
          <font face="Century Gothic, Arial, Helvetica">            
 <blockquote> </blockquote>
           </font>              
-<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-  <br>
+</p>
 </body>
 </html>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -68,9 +68,9 @@ for this  program:</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
          If you edit your configuration files on a Windows system, you must
  save them as  Unix files if your editor supports that option or you must
-run them through  dos2unix before trying to use them. Similarly, if you copy 
+ run them through  dos2unix before trying to use them. Similarly, if you
-a configuration file  from your Windows hard drive to a floppy disk, you must
+copy  a configuration file  from your Windows hard drive to a floppy disk,
-run dos2unix against the  copy before using it with Shorewall.</p>
+you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
        <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
@ -82,10 +82,10 @@ run dos2unix against the  copy before using it with Shorewall.</p>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
+<p>The configuration files for Shorewall are contained in the directory 
-- for simple setups, you will only need to deal with a few of  these as
+/etc/shorewall -- for simple setups, you will only need to deal with a few
-described in this guide.  After you have <a href="Install.htm">installed
+of  these as described in this guide.  After you have <a
-Shorewall</a>,  download the <a
+ href="Install.htm">installed Shorewall</a>,  download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
  un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall 
   (these files will replace files with the same name).</p>
@ -139,11 +139,11 @@ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
  checked against the  /etc/shorewall/rules file. If no rule in that file 
 matches  the connection  request then the first policy in /etc/shorewall/policy 
 that  matches the    request is applied. If that policy is REJECT or DROP  
-the request is first  checked against the rules in /etc/shorewall/common
+the request is first  checked against the rules in /etc/shorewall/common (the
-(the samples provide that  file for you).</p>
+samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -212,11 +212,12 @@ has the  following policies:</p>
 <p>The above policy will:</p>
 <ol>
-       <li>allow all connection requests from your local network to the internet</li>
+        <li>allow all connection requests from your local network to the
 internet</li>
        <li>drop (ignore) all connection requests from the internet to your 
 firewall     or local network</li>
        <li>optionally accept all connection requests from the firewall to
-the     internet (if you uncomment the additional policy)</li>
+ the     internet (if you uncomment the additional policy)</li>
        <li>reject all other connection requests.</li>
 </ol>
@ -231,15 +232,15 @@ the     internet (if you uncomment the additional policy)</li>
 height="635">
     </p>
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
   <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
   <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem, 
+ a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
-your External  Interface will also be <b>ppp0</b>. If you connect via ISDN, 
+ your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
-your external  interface will be <b>ippp0.</b></p>
+ your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -256,9 +257,9 @@ using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
     </b></u>Do not connect the internal and external interface  to the same
- hub or switch (even for testing). It won't work the way that you think that 
+  hub or switch (even for testing). It won't work the way that you think
- it will and you will end up confused and  believing that Shorewall doesn't 
+that   it will and you will end up confused and  believing that Shorewall
- work at all.</p>
+doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
@ -292,8 +293,8 @@ connection   when you dial in (standard modem) or establish your PPP connection.
 In rare   cases, your ISP may assign you a<i> static</i> IP address; that 
 means that  you  configure your firewall's external interface to use that 
 address permanently.<i>  </i>However your external address is assigned, it 
-will be shared by all of your systems when you access the  Internet. You
+will be shared by all of your systems when you access the  Internet. You will
-will have to assign your  own addresses in your  internal network (the Internal
+have to assign your  own addresses in your  internal network (the Internal 
 Interface on your firewall  plus your other  computers). RFC 1918 reserves 
 several <i>Private </i>IP address ranges for this  purpose:</p>
@ -304,10 +305,10 @@ several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-           Before starting Shorewall, you should look at the IP address of
+            Before starting Shorewall, you should look at the IP address
- your  external    interface and if it is one of the above ranges, you should
+of  your  external    interface and if it is one of the above ranges, you
- remove  the    'norfc1918' option from the external interface's entry in
+should  remove  the    'norfc1918' option from the external interface's entry
-   /etc/shorewall/interfaces.</p>
+in    /etc/shorewall/interfaces.</p>
     </div>
 <div align="left">        
@ -316,11 +317,11 @@ several <i>Private </i>IP address ranges for this  purpose:</p>
     to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet 
  will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 
 is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as 
-the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
+the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
-described  using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
+ using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
-</i>(CIDR)  notation</a> with consists of the subnet address followed   
+ notation</a> with consists of the subnet address followed    by "/24". The
-by "/24". The  "24" refers to the number of    consecutive leading "1" bits
+ "24" refers to the number of    consecutive leading "1" bits from the left
-from the left  of the subnet mask. </p>
+ of the subnet mask. </p>
     </div>
 <div align="left">        
@ -370,9 +371,9 @@ systems send packets    through a<i>
 <div align="left">        
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-        Your local computers (computer    1 and computer 2 in the above diagram)
+         Your local computers (computer    1 and computer 2 in the above
-  should be configured with their<i>    default gateway</i> to be the IP
+diagram)   should be configured with their<i>    default gateway</i> to be
-address   of the firewall's internal    interface.<i>      </i> </p>
+the IP address   of the firewall's internal    interface.<i>      </i> </p>
     </div>
 <p align="left">The foregoing short discussion barely scratches the surface 
@ -399,18 +400,18 @@ address   of the firewall's internal    interface.<i>
  host, the  firewall must perform <i>Network Address Translation </i>(NAT). 
  The firewall  rewrites the source address in the packet to be the address 
  of the firewall's  external interface; in other words, the firewall makes 
-  it look as if the firewall  itself is initiating the connection.  This
+  it look as if the firewall  itself is initiating the connection.  This is
-is   necessary so that the  destination host will be able to route return
+  necessary so that the  destination host will be able to route return packets
-packets   back to the firewall  (remember that packets whose destination
+  back to the firewall  (remember that packets whose destination address
-address is   reserved by RFC 1918 can't  be routed across the internet so
+is   reserved by RFC 1918 can't  be routed across the internet so the remote
-the remote host  can't address its response to  computer 1). When the firewall
+host  can't address its response to  computer 1). When the firewall receives
-receives a return packet, it  rewrites the destination address  back to 10.10.10.1
+a return packet, it  rewrites the destination address  back to 10.10.10.1 
 and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
        <li>                            
@ -432,8 +433,8 @@ with  Netfilter:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-        If your external firewall interface is <b>eth0</b>, you do not  need
+         If your external firewall interface is <b>eth0</b>, you do not 
-  to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq
+need   to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq 
  and change the first column to the name of your external  interface and 
 the  second column to the name of your internal interface.</p>
@ -450,14 +451,14 @@ the  second column to the name of your internal interface.</p>
   local computers. Because these computers have RFC-1918 addresses, it is 
 not  possible for clients on the internet to connect directly to them. It 
 is rather  necessary for those clients to address their connection requests 
- to the firewall  who rewrites the destination address to the address of
+ to the firewall  who rewrites the destination address to the address of your
-your   server and forwards  the packet to that server. When your server responds,
+  server and forwards  the packet to that server. When your server responds, 
  the firewall automatically  performs SNAT to rewrite the source address 
 in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
   Destination Network Address Translation</i> (DNAT). You configure port
-forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
  is:</p>
@ -479,7 +480,7 @@ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
            <td>DNAT</td>
            <td>net</td>
            <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
-port&gt;</i>]</td>
+ port&gt;</i>]</td>
            <td><i>&lt;protocol&gt;</i></td>
            <td><i>&lt;port&gt;</i></td>
            <td> </td>
@ -524,13 +525,13 @@ port&gt;</i>]</td>
 <ul>
        <li>You must test the above rule from a client outside of your local
- network    (i.e., don't test from a browser running on computers 1 or 2 or
+  network    (i.e., don't test from a browser running on computers 1 or 2
- on the    firewall). If you want to be able to access your web server using
+or  on the    firewall). If you want to be able to access your web server
- the IP    address of your external interface, see <a
+using  the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
        <li>Many ISPs block incoming connection requests to port 80. If you 
- have     problems connecting to your web server, try the following rule
+ have     problems connecting to your web server, try the following rule and
-and  try     connecting to port 5000.</li>
+ try     connecting to port 5000.</li>
 </ul>
@ -563,15 +564,15 @@ and  try     connecting to port 5000.</li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
         At this point, modify  /etc/shorewall/rules to add any DNAT rules
-that  you require.</p>
+ that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting 
  an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
- will be  automatically configured (e.g., the /etc/resolv.conf file will
+ will be  automatically configured (e.g., the /etc/resolv.conf file will be
-be  written).  Alternatively, your ISP may have given you the IP address
+ written).  Alternatively, your ISP may have given you the IP address of
-of a  pair of DNS <i> name servers</i> for you to manually configure as your
+a  pair of DNS <i> name servers</i> for you to manually configure as your 
 primary  and secondary  name servers. Regardless of how DNS gets configured 
 on your  firewall, it is <u>your</u> responsibility to configure the resolver 
 in your   internal systems. You can take one of two approaches:</p>
@ -579,25 +580,25 @@ in your   internal systems. You can take one of two approaches:</p>
 <ul>
        <li>                            
    <p align="left">You can configure your internal systems to use your ISP's 
-  name    servers. If you ISP gave you the addresses of their servers or
+  name    servers. If you ISP gave you the addresses of their servers or if
-if   those    addresses are available on their web site, you can configure
+  those    addresses are available on their web site, you can configure your
-your   internal    systems to use those addresses. If that information isn't
+  internal    systems to use those addresses. If that information isn't available,
-available,   look in    /etc/resolv.conf on your firewall system -- the name
+  look in    /etc/resolv.conf on your firewall system -- the name servers
-servers are  given in    "nameserver" records in that file.   </p>
+are  given in    "nameserver" records in that file.   </p>
       </li>
       <li>                            
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         You can configure a<i> Caching Name Server </i>on your    firewall.<i> 
      </i>Red Hat has an RPM for a caching name server (the RPM also    requires 
-  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you   
+  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take
-take   this approach, you configure your internal systems to use the firewall
+  this approach, you configure your internal systems to use the firewall 
  itself as their primary (and only) name server. You use the internal IP 
   address of the firewall (10.10.10.254 in the example above) for the name 
-     server address. To allow your local systems to talk to your caching
+     server address. To allow your local systems to talk to your caching name
-name      server, you must open port 53 (both UDP and TCP) from the local
+     server, you must open port 53 (both UDP and TCP) from the local network
-network   to the    firewall; you do that by adding the following rules in
+  to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
-/etc/shorewall/rules.       </p>
+      </p>
       </li>
 </ul>
@ -807,13 +808,12 @@ network   to the    firewall; you do that by adding the following rules in
 <div align="left">        
 <p align="left">Those two rules would of course be in addition to the rules 
-     listed above under "You can configure a Caching Name Server on your
+     listed above under "You can configure a Caching Name Server on your firewall"</p>
 firewall"</p>
     </div>
 <div align="left">        
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
     </div>
 <div align="left">        
@ -855,7 +855,7 @@ application uses, look <a href="ports.htm">here</a>.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         Now edit your    /etc/shorewall/rules file to add or delete other
-connections  as required.</p>
+ connections  as required.</p>
     </div>
 <div align="left">        
@ -867,14 +867,14 @@ connections  as required.</p>
 width="13" height="13" alt="Arrow">
        The <a href="Install.htm">installation procedure </a>   configures
  your system to start Shorewall at system boot  but beginning with Shorewall
-version 1.3.9 startup is disabled so that your system won't try to start Shorewall
+ version 1.3.9 startup is disabled so that your system won't try to start
-before configuration is complete. Once you have completed configuration of
+Shorewall before configuration is complete. Once you have completed configuration
-your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
     </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
 color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
-and set 'startup=1'.</font><br>
+ and set 'startup=1'.</font><br>
    </p>
      </div>
@ -893,7 +893,7 @@ and set 'startup=1'.</font><br>
 height="13">
         The two-interface sample assumes that you want to enable    routing
  to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If 
-your local network isn't connected to <b>eth1</b> or if you wish to enable 
+  your local network isn't connected to <b>eth1</b> or if you wish to enable
    access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
     </div>
@ -903,12 +903,12 @@ your local network isn't connected to <b>eth1</b> or if you wish to enable
 added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
-  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
+  an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-  and    test it using the <a href="Documentation.htm#Starting">"shorewall
+  and    test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall 
 try" command</a>.</p>
     </div>
-<p align="left"><font size="2">Last updated 10/9/2002 - <a
+<p align="left"><font size="2">Last updated 11/21/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
@ -918,5 +918,6 @@ your local network isn't connected to <b>eth1</b> or if you wish to enable
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/useful_links.html
+++ b/Shorewall-docs/useful_links.html
@ -48,17 +48,16 @@
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
 src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
 align="middle" hspace="4" border="0">
-<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
+ <img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
 align="middle" border="0">
  </a><br>
  </h3>
  <br>
- <font size="2">Last updated 9/16/2002 - <a
+  <font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font> 
 href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font>
-<p><font face="Trebuchet MS"><a
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font
+ &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
- size="2">Copyright</font>  &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+    <br>
   <br>
  <br>
 <br>