<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                                                                        
                                                               
  <meta http-equiv="Content-Language" content="en-us">
                                                                        
                                                               
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
                                                                        
                                                               
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                        
                                                               
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
                                                                        
                                                                        
                                                                        
                    
  <meta name="Microsoft Theme" content="none">
</head>
  <body>
                                                                      
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
                                     <tbody>
                                      <tr>
                                       <td width="100%">                
                                                                        
                                                                        
                                                                         
     
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                                       </td>
                                     </tr>
                                                                        
                                                               
  </tbody>                                  
</table>
                                                                      
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b> 
                 port</b> 7777 to my my personal PC with IP address 192.168.1.5. 
       I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
                                                                     
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
                  but it doesn't work.<br>
                         </a></p>
                                                                     
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with 
            port forwarding</a></p>
                                                 
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
                 to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
     in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com
           but    <b>internal  clients can't</b>.</a></p>
                                                                     
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
                  subnet and I use <b>static NAT</b> to assign non-RFC1918
 addresses          to   hosts   in  Z. Hosts in Z cannot communicate with
 each other  using      their    external    (non-RFC1918 addresses) so they
 <b>can't access each     other using   their DNS   names.</b></a></p>
                                                                      
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
  or <b>MSN                Instant Messenger </b>with  Shorewall. What do
I  do?</a></p>
                                                                     
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
                 to  check my firewall and it shows <b>some ports as 'closed'
    rather       than     'blocked'.</b>  Why?</a></p>
                                                                     
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
                  of my firewall and it showed 100s of ports as open!!!!</a></p>
                                                                     
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
                 I <b> can't ping</b> through the firewall</a></p>
                                                                      
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
                  written and  how do I <b>change the destination</b>?</a></p>
                                                                        
                                                             
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
                  that work with Shorewall?</a></p>
     
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
 href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect 
 requests. Can i exclude these error messages for this port temporarily from 
 logging in Shorewall?</a><br>
   </p>
     
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow 
 of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.� 
 They get dropped, but what the heck are they?</a><br>
   </p>
     
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
                  work?</a></p>
                                                                      
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
                 on RedHat</b> I get messages about insmod failing -- what's
    wrong?</a></p>
                                                                      
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
                 my  interfaces </b>properly?</a></p>
                                                                        
    
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
                 it  work with?</a></p>
                                                                      
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
 support?</a></p>
                                                                      
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
                                                                      
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
                                                                     
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
                 and it has an internel  web server that allows me to configure/monitor
              it   but as expected if I enable <b> rfc1918 blocking</b> for
  my   eth0     interface,       it also blocks the <b>cable modems  web
server</b></a>.</p>
                                                                     
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
                 IP  addresses, my ISP's DHCP server has an RFC 1918 address.
    If   I  enable       RFC 1918  filtering on my external interface, <b>my
   DHCP  client  cannot    renew   its lease</b>.</a></p>
                                                                      
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
                 out to  the net</b></a></p>
                                                                      
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
                  all over my console</b> making it unusable!<br>
                              </a></p>
                                           <b>17</b>. <a href="#faq17">How
 do  I  find   out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
                          <br>
                          <b>18.</b> <a href="#faq18">Is there any way to 
use   <b>aliased      ip  addresses</b>    with Shorewall, and maintain separate 
  rulesets for    different   IPs?</a><br>
                      <br>
                      <b>19. </b><a href="#faq19">I have added <b>entries 
to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do 
anything</b>.  Why?</a><br>
                     <br>
                     <b>20. </b><a href="#faq20">I have just set  up  a 
server.      <b>Do  I have to change Shorewall to allow access to my server
  from   the  internet?<br>
           <br>
           </b></a><b>21. </b><a href="#faq21">I see these <b>strange log 
entries      </b>occasionally;    what are they?<br>
                   </a><br>
           <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that
    I  want to <b>run when Shorewall starts.</b> Which file do I put them
in?</a><br>
         <br>
         <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b>
 on  your   <b>web site</b>?</a><br>
      <br>
      <b>24: </b><a href="#faq24">How can I <b>allow conections</b> to let's
  say  the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
                     
<hr>                                   
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
                 my my personal PC with IP address 192.168.1.5. I've looked
  everywhere           and    can't find how to do it.</h4>
                                                                     
<p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to
                 do port forwarding under Shorewall. The format of a port-forwarding
           rule to a local system is as   follows:</p>
                                                                     
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                       <tbody>
                                        <tr>
                                         <td><u><b>ACTION</b></u></td>
                                         <td><u><b>SOURCE</b></u></td>
                                         <td><u><b>DESTINATION</b></u></td>
                                         <td><u><b>PROTOCOL</b></u></td>
                                         <td><u><b>PORT</b></u></td>
                                         <td><u><b>SOURCE PORT</b></u></td>
                                         <td><u><b>ORIG. DEST.</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>DNAT</td>
                                         <td>net</td>
                                         <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
           port</i>&gt;]</td>
                                         <td><i>&lt;protocol&gt;</i></td>
                                         <td><i>&lt;port #&gt;</i></td>
                                         <td> <br>
                                       </td>
                                         <td> <br>
                                       </td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                                                     
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5,
                 the rule is:</p>
                                                                     
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                       <tbody>
                                        <tr>
                                         <td><u><b>ACTION</b></u></td>
                                         <td><u><b>SOURCE</b></u></td>
                                         <td><u><b>DESTINATION</b></u></td>
                                         <td><u><b>PROTOCOL</b></u></td>
                                         <td><u><b>PORT</b></u></td>
                                         <td><u><b>SOURCE PORT</b></u></td>
                                         <td><u><b>ORIG. DEST.</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>DNAT</td>
                                         <td>net</td>
                                         <td>loc:192.168.1.5</td>
                                         <td>udp</td>
                                         <td>7777</td>
                                         <td> <br>
                                       </td>
                                         <td> <br>
                                       </td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                                                     
<div align="left">                      <font face="Courier">     </font>If 
      you want to forward requests directed to a particular address ( <i>&lt;external 
      IP&gt;</i> ) on your firewall to an internal system:</div>
                                                                     
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                       <tbody>
                                        <tr>
                                         <td><u><b>ACTION</b></u></td>
                                         <td><u><b>SOURCE</b></u></td>
                                         <td><u><b>DESTINATION</b></u></td>
                                         <td><u><b>PROTOCOL</b></u></td>
                                         <td><u><b>PORT</b></u></td>
                                         <td><u><b>SOURCE PORT</b></u></td>
                                         <td><u><b>ORIG. DEST.</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>DNAT</td>
                                         <td>net</td>
                                         <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
           port</i>&gt;]</td>
                                         <td><i>&lt;protocol&gt;</i></td>
                                         <td><i>&lt;port #&gt;</i></td>
                                         <td>-</td>
                                         <td><i>&lt;external IP&gt;</i></td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                                                     
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
                 but  it doesn't work</h4>
                                                                     
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
                                                                     
<ul>
                                     <li>You are trying to test from inside 
 your   firewall     (no,   that    won't    work -- see <a href="#faq2">FAQ 
 #2</a>).</li>
                                     <li>You have a more basic problem with 
 your   local    system    such   as  an   incorrect default gateway configured
  (it  should    be set to   the IP   address    of your  firewall's internal
  interface).</li>
                                                                     
</ul>
                                                                     
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port 
            forwarding</h4>
                         <b>Answer: </b>To further diagnose this problem:<br>
                                                 
<ul>
                           <li>As root, type "iptables -t nat -Z". This clears
   the   NetFilter      counters   in the nat table.</li>
                           <li>Try to connect to the redirected port from 
an  external     host.</li>
                           <li>As root type "shorewall show nat"</li>
                           <li>Locate the appropriate DNAT rule. It will
be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat' 
in the above   examples).</li>
                           <li>Is the packet count in the first column non-zero?
    If  so,   the   connection    request is reaching the firewall and is
being    redirected    to   the server.  In  this case, the problem is usually 
 a  missing  or incorrect      default gateway   setting on the server (the 
 server's  default  gateway  should    be the IP address   of the firewall's 
 interface  to the  server).</li>
                           <li>If the packet count is zero:</li>
                                                                        
                          
  <ul>
                             <li>the connection request is not reaching your
  server    (possibly      it  is being blocked by your ISP); or</li>
                             <li>you are trying to connect to a secondary 
IP  address     on  your   firewall   and your rule is only redirecting the
 primary  IP  address    (You  need to specify   the secondary IP address
in the "ORIG.   DEST." column    in  your DNAT rule);  or</li>
                             <li>your DNAT rule doesn't match the connection
  request     in  some   other   way. In that case, you may have to use a
packet  sniffer     such  as tcpdump  or  ethereal to further diagnose the
problem.<br>
                             </li>
                                                                        
                          
  </ul>
                                                 
</ul>
                                                 
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
                 (IP 130.151.100.69) to system 192.168.1.5 in my local network.
      External         clients  can browse http://www.mydomain.com but internal
      clients can't.</h4>
                                                                     
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
                                                                     
<ul>
                                     <li>Having an internet-accessible server 
  in  your   local    network         is  like raising foxes in the corner 
 of your  hen   house.  If  the server     is      compromised, there's nothing
   between  that  server  and  your other   internal        systems. For
the    cost of another  NIC and  a cross-over  cable,   you can   put   
  your   server in a DMZ such  that it is isolated  from your   local systems
   -      assuming that the  Server can be located  near the Firewall,  
of course     :-)</li>
                                     <li>The accessibility problem is best
 solved    using           <a href="shorewall_setup_guide.htm#DNS">Bind Version
     9 "views"</a>     (or using a separate DNS server for local clients)
such   that www.mydomain.com     resolves to 130.141.100.69     externally
and 192.168.1.5   internally. That's    what I do here at     shorewall.net
for my local systems   that use static   NAT.</li>
                                                                     
</ul>
                                                                     
<p align="left">If you insist on an IP solution to the accessibility problem
                  rather than a DNS solution, then assuming that your external
     interface          is  eth0  and your internal interface is eth1  and
 that    eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24,
 do   the following:</p>
                                                                     
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
                  for eth1 (No longer required as of Shorewall version 1.3.9).</p>
                                                                     
<div align="left">                                   
<p align="left">b) In /etc/shorewall/rules, add:</p>
                                  </div>
                                                                     
<div align="left">                                   
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                       <tbody>
                                        <tr>
                                         <td><u><b>ACTION</b></u></td>
                                         <td><u><b>SOURCE</b></u></td>
                                         <td><u><b>DESTINATION</b></u></td>
                                         <td><u><b>PROTOCOL</b></u></td>
                                         <td><u><b>PORT</b></u></td>
                                         <td><u><b>SOURCE PORT</b></u></td>
                                         <td><u><b>ORIG. DEST.</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>DNAT</td>
                                         <td>loc:192.168.1.0/24</td>
                                         <td>loc:192.168.1.5</td>
                                         <td>tcp</td>
                                         <td>www</td>
                                         <td>-</td>
                                         <td>130.151.100.69:192.168.1.254</td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                   </div>
                                                                        
                                   
<div align="left">                                   
<p align="left">That rule only works of course if you have a static external
                 IP  address. If you  have a dynamic IP address and are running
      Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
                                  </div>
                                                                     
<div align="left">                                   
<pre>     ETH0_IP=`find_interface_address eth0`</pre>
                                   </div>
                                                                     
<div align="left">                                   
<p align="left">and make your DNAT rule:</p>
                                  </div>
                                                                     
<div align="left">                                   
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                       <tbody>
                                        <tr>
                                         <td><u><b>ACTION</b></u></td>
                                         <td><u><b>SOURCE</b></u></td>
                                         <td><u><b>DESTINATION</b></u></td>
                                         <td><u><b>PROTOCOL</b></u></td>
                                         <td><u><b>PORT</b></u></td>
                                         <td><u><b>SOURCE PORT</b></u></td>
                                         <td><u><b>ORIG. DEST.</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>DNAT</td>
                                         <td>loc:192.168.1.0/24</td>
                                         <td>loc:192.168.1.5</td>
                                         <td>tcp</td>
                                         <td>www</td>
                                         <td>-</td>
                                         <td>$ETH0_IP:192.168.1.254</td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                   </div>
                                                                     
<div align="left">                                   
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
                  client to automatically restart Shorewall each time that
 you    get    a  new    IP   address.</p>
                                  </div>
                                                                     
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
                 subnet and I use static NAT to assign non-RFC1918 addresses
   to   hosts      in   Z.  Hosts in Z cannot communicate with each other
using    their  external      (non-RFC1918     addresses) so they can't access
each    other  using their    DNS  names.</h4>
                                                                     
<p align="left"><b>Answer: </b>This is another problem that is best solved
                 using Bind Version 9 "views". It allows both external and
 internal         clients       to access a NATed host using the host's DNS
 name.</p>
                                                                     
<p align="left">Another good way to approach this problem is to switch from 
                 static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 
          addresses      and can be accessed externally and internally using 
   the    same   address.  </p>
                                                                     
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
                                                                     
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces 
            (If you are running a Shorewall version earlier than 1.3.9).<br>
                                   b) Set the Z-&gt;Z policy to ACCEPT.<br>
                                   c) Masquerade Z to itself.<br>
                                   <br>
                                   Example:</p>
                                                                     
<p align="left">Zone: dmz<br>
                                   Interface: eth2<br>
                                   Subnet: 192.168.2.0/24</p>
                                                                     
<p align="left">In /etc/shorewall/interfaces:</p>
                                                                     
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber2">
                                       <tbody>
                                        <tr>
                                         <td><u><b>ZONE</b></u></td>
                                         <td><u><b>INTERFACE</b></u></td>
                                         <td><u><b>BROADCAST</b></u></td>
                                         <td><u><b>OPTIONS</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>dmz</td>
                                         <td>eth2</td>
                                         <td>192.168.2.255</td>
                                         <td>multi</td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                                                     
<p align="left">In /etc/shorewall/policy:</p>
                                                                     
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                                       <tbody>
                                        <tr>
                                         <td><u><b>SOURCE </b></u></td>
                                         <td><u><b>DESTINATION</b></u></td>
                                         <td><u><b>POLICY</b></u></td>
                                         <td><u><b>LIMIT:BURST</b></u></td>
                                       </tr>
                                       <tr>
                                         <td>dmz</td>
                                         <td>dmz</td>
                                         <td>ACCEPT</td>
                                         <td> <br>
                                       </td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                                                        
                                                             
<p align="left">In /etc/shorewall/masq:</p>
                                                                     
<blockquote>                                                             
                                           
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3" width="369">
                                       <tbody>
                                        <tr>
                                         <td width="93"><u><b>INTERFACE </b></u></td>
                                         <td width="31"><u><b>SUBNET</b></u></td>
                                         <td width="120"><u><b>ADDRESS</b></u></td>
                                       </tr>
                                       <tr>
                                         <td width="93">eth2</td>
                                         <td width="31">192.168.2.0/24</td>
                                         <td width="120"> <br>
                                       </td>
                                       </tr>
                                                                        
                                                                        
                                                             
    </tbody>                                                            
                                         
  </table>
                                   </blockquote>
                                                                     
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant
  Messenger                with Shorewall. What do I do?</h4>
                                                                     
<p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
                 tracking/NAT module</a> that may help with Netmeeting. Look
  <a href="http://linux-igd.sourceforge.net">here</a> for a solution for
MSN   IM but be aware that there are significant security risks involved
with this  solution. Also check the Netfilter      mailing        list  archives
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.     
         </p>
                                                                        
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
                 to    check my firewall and it shows some ports as 'closed'
   rather       than     'blocked'.     Why?</h4>
                                                                        
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
                 always    rejects connection requests on TCP port 113 rather
    than     dropping        them. This is    necessary to prevent outgoing
  connection       problems to   services    that use the    'Auth' mechanism
  for identifying       requesting  users.  Shorewall    also rejects TCP
   ports 135, 137 and    139  as well as  UDP ports  137-139.   These are
ports that are    used  by  Windows  (Windows  <u>can</u>  be configured
  to use the DCE cell locator       on port  135). Rejecting these  connection
requests   rather than dropping    them    cuts down slightly on the amount
of Windows  chatter on LAN segments    connected      to the Firewall. </p>
                                                                        
<p align="left">If you are seeing port 80 being 'closed', that's probably
                 your    ISP preventing you from running a web server in
violation          of   your     Service    Agreement.</p>
                                                                        
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
                    firewall and it showed 100s of ports as open!!!!</h4>
                                                                        
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
                 section about    UDP scans. If nmap gets <b>nothing</b>
back     from     your     firewall   then it reports    the port as open.
If you    want to   see  which    UDP ports are  really open,    temporarily
change    your net-&gt;all     policy    to REJECT, restart  Shorewall and
do    the   nmap UDP scan again.</p>
                                                                      
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
                 can't ping through the firewall</h4>
                                                                     
<p align="left"><b>Answer: </b>If you want your firewall to be totally open
                 for "ping": </p>
                                                                     
<p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
                                   b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
                                   c) Add the following to /etc/shorewall/icmpdef:
     </p>
                                                                     
<blockquote>                                                            
                                         
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
                 -j ACCEPT<br>
              </p>
            </blockquote>
            For a complete description of Shorewall 'ping' management, see
 <a href="ping.html">this page</a>.                                     
                                          
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
                 and  how do I change the destination?</h4>
                                                                     
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
 and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
                When you have changed /etc/syslog.conf, be sure to restart
 syslogd        (on    a  RedHat system, "service syslog restart"). </p>
                                                                     
<p align="left">By default, older versions of Shorewall ratelimited log messages
                 through <a href="Documentation.htm#Conf">settings</a> in
/etc/shorewall/shorewall.conf                 -- If you want to log all messages,
set: </p>
                                                                     
<div align="left">                                   
<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
 href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
                                   </div>
                                                                     
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work 
                 with Shorewall?</h4>
                                                                     
<p align="left"><b>Answer: </b>Here are several links that may be helpful:
                 </p>
                                                                     
<blockquote>                                                            
                                         
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                                   <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
                                   <a
 href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
                        http://www.logwatch.org</a><br>
  <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
                  </p>
                </blockquote>
                I personnaly use Logwatch. It emails me a report each day 
from   my  various    systems with each report summarizing the logged activity
 on  the  corresponding    system.                                      
                                  
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 
 are <b>flooding the logs</b> with their connect requests. Can i exclude these
 error messages for this port temporarily from logging in Shorewall?</h4>
   Temporarily add the following rule:<br>
     
<pre>	DROP��� net��� fw��� udp��� 10619</pre>
     
<h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow 
 of these DROP messages from port 53 to some high numbered port.� They get 
 dropped, but what the heck are they?</h4>
     
<pre>Jan� 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
   <b>Answer: </b>There are two possibilities:<br>
     
<ol>
     <li>They are late-arriving replies to DNS queries.</li>
     <li>They are corrupted reply packets.</li>
     
</ol>
   You can distinguish the difference by setting the <b>logunclean</b> option 
 (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) on 
 your external interface (eth0 in the above example). If they get logged twice,
 they are corrupted. I solve this problem by using an /etc/shorewall/common 
 file like this:<br>
     
<blockquote>         
  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
   </blockquote>
   The above file is also include in all of my sample configurations available 
 in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
     
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
                 stop', I can't connect to anything. Why doesn't that command 
    work?</h4>
                                                                     
<p align="left">The 'stop' command is intended to place your firewall into
                 a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
     are    activated.         If you want to totally open up your firewall,
   you  must    use the 'shorewall         clear' command. </p>
                                                                     
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
     I get messages about insmod failing -- what's wrong?</h4>
                                                                     
<p align="left"><b>Answer: </b>The output you will see looks something like
                 this:</p>
                                                                     
<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
                                                                     
<p align="left">This is usually cured by the following sequence of commands:
                 </p>
                                                                     
<div align="left">                                   
<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
                                   </div>
                                                                     
<div align="left">                                   
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
                 for  problems concerning the version of iptables (v1.2.3)
 shipped        with     RH7.2.</p>
                                  </div>
                                                                     
<h4 align="left">      </h4>
                                                               
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces 
                properly?</h4>
                                                                        
<p align="left">I just installed Shorewall and when I issue the start command,
                    I see the following:</p>
                                                                      
<div align="left">                                     
<pre>     Processing /etc/shorewall/shorewall.conf ...<br>     Processing /etc/shorewall/params ...<br>     Starting Shorewall...<br>     Loading Modules...<br>     Initializing...<br>     Determining Zones...<br>     Zones: net loc<br>     Validating interfaces file...<br>     Validating hosts file...<br>     Determining Hosts in Zones...<br><b>     Net Zone: eth0:0.0.0.0/0<br>     Local Zone: eth1:0.0.0.0/0<br></b>     Deleting user chains...<br>     Creating input Chains...<br>     ...</pre>
                                   </div>
                                                                     
<div align="left">                                     
<p align="left">Why can't Shorewall detect my interfaces properly?</p>
                                  </div>
                                                                     
<div align="left">                                     
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net    zone is defined as all hosts that are connected through eth0 and the
local    zone is defined as all hosts connected through eth1</p>
                                  </div>
                                                                         
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
     with?</h4>
                                                                         
<p align="left">Shorewall works with any GNU/Linux distribution that includes
                      the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
                                                                   
<h4 align="left">11. What Features does it have?</h4>
                                                                         
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall
                 Feature      List</a>.</p>
                                                                   
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
                                                                         
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
find myself doing      other things. I guess I just don't care enough if
Shorewall has a GUI to      invest the effort to create one myself. There
are several Shorewall GUI      projects underway however and I will publish
links to them when the authors      feel that they are ready. </p>
                                                                   
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
                                                                         
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
                 (<a href="http://www.cityofshoreline.com">the      city
where      I  live</a>)          and "Fire<u>wall</u>". The full name of
the product      is actually "Shoreline Firewall" but "Shorewall" is must
more commonly   used.</p>
                                                                   
<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
                 and it has an  internal web server that allows me to configure/monitor
              it   but as expected if I  enable rfc1918 blocking for my eth0
   interface          (the  internet one), it also blocks  the cable modems
  web server.</h4>
                                                                         
<p align="left">Is there any way it can add a rule before the  rfc1918 blocking
                 that will let all traffic to and from the 192.168.100.1
address         of   the    modem  in/out but still block all other rfc1918
addresses?</p>
                                                                         
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than      1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
                                                                   
<div align="left">                                     
<pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
                                   </div>
                                                                     
<div align="left">                                     
<p align="left">If you are running version 1.3.1 or later, simply add the
                    following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
                                  </div>
                                                                     
<div align="left">                                     
<blockquote>                                                             
                                             
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                                         <tbody>
                                        <tr>
                                           <td><u><b>SUBNET </b></u></td>
                                           <td><u><b>TARGET</b></u></td>
                                         </tr>
                                         <tr>
                                           <td>192.168.100.1</td>
                                           <td>RETURN</td>
                                         </tr>
                                                                        
                                                                        
                                                               
    </tbody>                                                            
                                         
  </table>
                                     </blockquote>
                                   </div>
                                                                       
<div align="left">                                     
<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
                                </p>
                                                               
<p align="left">Note: If you add a second IP address to your external firewall
                interface to correspond to the modem address, you must also
  make     an   entry      in /etc/shorewall/rfc1918 for that address. For
 example,    if you   configure      the address 192.168.100.2 on your firewall,
 then   you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                                </p>
                                                               
<blockquote>                                                            
                                   
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
                                    <tbody>
                                      <tr>
                                        <td valign="top"><u><b>SUBNET</b></u><br>
                                        </td>
                                        <td valign="top"><u><b>TARGET</b></u><br>
                                        </td>
                                      </tr>
                                      <tr>
                                        <td valign="top">192.168.100.1<br>
                                        </td>
                                        <td valign="top">RETURN<br>
                                        </td>
                                      </tr>
                                      <tr>
                                        <td valign="top">192.168.100.2<br>
                                        </td>
                                        <td valign="top">RETURN<br>
                                        </td>
                                      </tr>
                                                                        
                                                                        
                                             
    </tbody>                                                            
                                   
  </table>
                                </blockquote>
                                  </div>
                                                                       
<div align="left">                                     
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918    filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
                                   </div>
                                                                       
<div align="left">                                     
<p align="left">The solution is the same as FAQ 14 above. Simply substitute
                    the IP address of your ISPs DHCP server.</p>
                                  </div>
                                                                     
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to
                 the  net</h4>
                                                                      
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
                 the net", I wonder  where the poster bought computers with
  eyes     and    what     those computers will "see"  when things are working
  properly.      That   aside,     the most common causes of this  problem
 are:</p>
                                                                      
<ol>
                                     <li>                               
                                                                        
                                                                
    <p align="left">The default gateway on each local system isn't set to
                 the    IP address of the local firewall interface.</p>
                                      </li>
                                     <li>                               
                                                                        
                                                                
    <p align="left">The entry for the local network in the /etc/shorewall/masq
                    file is wrong or missing.</p>
                                      </li>
                                     <li>                               
                                                                        
                                                                
    <p align="left">The DNS settings on the local systems are wrong or the
                    user is running a DNS server on the firewall and hasn't
  enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
                                      </li>
                                                                     
</ol>
                                                                     
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
                 all  over my console making it unusable!</h4>
                                                                        
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
                 to your startup    scripts or place it in /etc/shorewall/start.
       Under      RedHat,    the max log level    that is sent to the console
    is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
                              </p>
                                                           
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
     logged?</h4>
                              <b>Answer: </b>Logging occurs out of a number 
 of  chains    (as   indicated      in  the log message) in Shorewall:<br>
                                                           
<ol>
                                <li><b>man1918 - </b>The destination address
  is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target 
  --  see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                <li><b>rfc1918</b> - The source address is
 listed    in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target
 -- see      <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                               <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> 
     or      <b>all2all          </b>-  You have a<a
 href="Documentation.htm#Policy"> policy</a> that     specifies a  log level
       and this packet is being logged under that policy.     If you intend
   to   ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                               </li>
                                <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>-
Either    you   have   a<a href="Documentation.htm#Policy"> policy</a> for
    <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b> that specifies
a log level and this     packet is being         logged under that policy
or this packet matches    a     <a href="Documentation.htm#Rules">rule</a>
that includes a log level.</li>
                         <li><b>&lt;interface&gt;_mac</b> - The packet is 
being    logged    under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
                         </li>
                                <li><b>logpkt</b> - The packet is being logged
   under    the       <b>logunclean</b>            <a
 href="Documentation.htm#Interfaces">interface   option</a>.</li>
                                <li><b>badpkt </b>- The packet is being logged
   under    the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified 
     in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
                                <li><b>blacklst</b> - The packet is being 
logged    because     the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
                                <li><b>newnotsyn </b>- The packet is being
 logged    because     it  is  a  TCP   packet that is not part of any current
 connection    yet  it   is not a syn  packet.   Options affecting the logging
 of such  packets   include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN 
     </b>in         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                               <li><b>INPUT</b> or <b>FORWARD</b> - The packet
   has   a  source    IP  address    that isn't in any of your defined zones
   ("shorewall    check"    and  look at the   printed zone definitions)
or   the chain is FORWARD   and   the destination  IP  isn't in any of your
defined    zones.</li>
                      <li><b>logflags </b>- The packet is being logged because
   it  failed    the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
                      </li>
                                                           
</ol>
                                                   
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
             with Shorewall, and maintain separate rulesets for different
IPs?</h4>
                          <b>Answer: </b>Yes. You simply use the IP address 
 in  your   rules    (or   if  you  use NAT, use the local IP address in your
 rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated
  and will   disappear eventually.      Neither   iproute  (ip and tc) nor
 iptables supports   that notation so  neither    does   Shorewall.  <br>
                          <br>
                          <b>Example 1:</b><br>
                          <br>
                          /etc/shorewall/rules                          
<pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
 class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
 class="moz-txt-citetags"></span></pre>
                          <span class="moz-txt-citetags"></span><b>Example
 2  (NAT):</b><br>
                          <br>
                          <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
                                                   
<pre wrap=""><span class="moz-txt-citetags"></span><span
 class="moz-txt-citetags"></span>     192.0.2.126	eth0	10.1.1.126</pre>
                          /etc/shorewall/rules                          
<pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
 class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
 class="moz-txt-citetags"></span><br></pre>
                       <b>Example 3 (DNAT):<br>
                       </b>                       
<pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
                                           
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
           but they don't seem to do anything. Why?</h4>
                      You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
           so the contents of the tcrules file are simply being ignored.<br>
                                         
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have 
          to change Shorewall to allow access to my server from the internet?</b><br>
                     </h4>
                     Yes. Consult the <a
 href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that you
used during your initial setup for information about      how to set  up
rules for your server.<br>
                                     
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; 
         what are they?<br>
                   </h4>
                                        
<blockquote>                                                         
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
                   </blockquote>
                   192.0.2.3 is external on my firewall... 172.16.0.0/24
is  my  internal     LAN<br>
                   <br>
                   <b>Answer: </b>While most people associate the Internet
 Control     Message     Protocol (ICMP) with 'ping', ICMP is a key piece
of  the internet.     ICMP   is  used to report problems back to the sender
of a packet; this   is  what  is happening  here. Unfortunately, where NAT
is involved (including     SNAT,  DNAT and Masquerade),  there are a lot
of broken implementations.    That is  what you are seeing with  these messages.<br>
                   <br>
                  Here is my interpretation of what is happening -- to confirm
   this   analysis,    one would have to have packet sniffers placed a both
  ends of   the connection.<br>
                  <br>
                  Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent
 a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to send a
response   (the response   information  is in the brackets -- note source
port 53 which   marks this as  a DNS reply).  When the response was returned
to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10
and forwarded the packet  to  172.16.1.10  who no longer had  a connection
on UDP port 2857. This causes    a port unreachable  (type 3, code  3) to
be generated back to 192.0.2.3.   As this packet is sent  back through  206.124.146.179,
 that box correctly   changes the source address  in the packet  to 206.124.146.179
 but doesn't   reset the DST IP in the original   DNS response  similarly.
 When the ICMP   reaches your firewall (192.0.2.3),   your firewall  has
no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't
  appear to be related   to anything that was sent. The final   result is
that the packet gets logged   and dropped in the all2all chain. I  have also
seen cases where the source   IP in the ICMP itself isn't set back  to the
external IP of the remote NAT   gateway; that causes your firewall to  log
and drop the packet out of the   rfc1918 chain because the source IP is 
reserved by RFC 1918.<br>
                     
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
     I want to <b>run when Shorewall starts.</b> Which file do I put them 
in?</h4>
                   You can place these commands in one of the <a
 href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
sure that you look at the contents of the chain(s) that you will be modifying 
     with your commands to be sure that the commands will do what they are 
 intended.    Many iptables commands published in HOWTOs and other instructional 
 material    use the -A command which adds the rules to the end of the chain. 
 Most chains    that Shorewall constructs end with an unconditional DROP, 
ACCEPT or REJECT    rule and any rules that you add after that will be ignored. 
Check "man iptables"   and look at the -I (--insert) command.<br>
                 
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your 
    web site?</h4>
         The Shorewall web site is almost font neutral (it doesn't explicitly 
   specify fonts except on a few pages) so the fonts you see are largely the
  default fonts configured  in your browser. If you don't like them then reconfigure
  your browser.<br>
           
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
   the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
      In the SOURCE column of the rule, follow "net" by a colon and a list
 of  the host/subnet addresses as a comma-separated list.<br>
           
<pre>��� net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
      Example:<br>
           
<pre>    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22<br></pre>
                                                                        
<div align="left">     </div>
                       <font size="2">Last updated 1/30/2003 - <a
 href="support.htm">Tom   Eastep</a></font>                             
                    
<p><a href="copyright.htm"><font size="2">Copyright</font>               �
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
</body>
</html>