Shorewall 1.3.14 Release

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@438 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-02-08 20:46:02 +00:00 · 2003-02-08 20:46:02 +00:00 · 10b51d1991
commit 10b51d1991
parent dfc7974ea0
12 changed files with 4860 additions and 5259 deletions
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/blacklisting_support.htm
+++ b/Shorewall-docs/blacklisting_support.htm
@ -31,23 +31,24 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration parameters:</p>
+<p>Shorewall static blacklisting support has the following configuration
 parameters:</p>
 <ul>
     <li>You specify whether you want packets from blacklisted hosts dropped
-or     rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
+ or     rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a> 
     setting in /etc/shorewall/shorewall.conf</li>
     <li>You specify whether you want packets from blacklisted hosts logged
-and at     what syslog level using the <a
+ and at     what syslog level using the <a
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>     setting in
-/etc/shorewall/shorewall.conf</li>
+ /etc/shorewall/shorewall.conf</li>
-    <li>You list the IP addresses/subnets that you wish to blacklist in <a
+     <li>You list the IP addresses/subnets that you wish to blacklist in
- href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning 
+    <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
-with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service 
+ with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
-names in the blacklist file.<br>
+ names in the blacklist file.<br>
    </li>
     <li>You specify the interfaces whose incoming packets you want checked
-against     the blacklist using the "<a
+ against     the blacklist using the "<a
 href="Documentation.htm#Interfaces">blacklist</a>"     option in /etc/shorewall/interfaces.</li>
     <li>The black list is refreshed from /etc/shorewall/blacklist by the 
 "<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
@ -58,37 +59,40 @@ against     the blacklist using the "<a
 <p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
  doesn't use any configuration parameters but is rather controlled using
-/sbin/shorewall commands:</p>
+ /sbin/shorewall commands:</p>
 <ul>
     <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
-IP    addresses to be silently dropped by the firewall.</li>
+ IP    addresses to be silently dropped by the firewall.</li>
-    <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed 
+     <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
-IP    addresses to be rejected by the firewall.</li>
+listed  IP    addresses to be rejected by the firewall.</li>
     <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
-from hosts    previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
+ from hosts    previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
     <li>save - save the dynamic blacklisting configuration so that it will
-be    automatically restored the next time that the firewall is restarted.</li>
+ be    automatically restored the next time that the firewall is restarted.</li>
     <li>show dynamic - displays the dynamic blacklisting configuration.</li>
 </ul>
 Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
 /etc/shorewall/interfaces.<br>
 <p>Example 1:</p>
-<pre>     shorewall drop 192.0.2.124 192.0.2.125</pre>
+<pre>     <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
 <p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
 <p>Example 2:</p>
-<pre>     shorewall allow 192.0.2.125</pre>
+<pre>     <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
 <p>    Reenables access from 192.0.2.125.</p>
-<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
+  © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -21,6 +21,7 @@
                   <tr>
                    <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
                    </td>
                  </tr>
@ -41,44 +42,45 @@
 <ul>
                        <li>/etc/shorewall/shorewall.conf - used to set several 
   firewall             parameters.</li>
-                       <li>/etc/shorewall/params - use this file to set shell 
+                        <li>/etc/shorewall/params - use this file to set
-  variables     that you will     expand in other files.</li>
+shell    variables     that you will     expand in other files.</li>
                        <li>/etc/shorewall/zones - partition the firewall's 
 view   of  the   world         into <i>zones.</i></li>
-                       <li>/etc/shorewall/policy - establishes firewall high-level
+                        <li>/etc/shorewall/policy - establishes firewall
-     policy.</li>
+high-level      policy.</li>
                        <li>/etc/shorewall/interfaces - describes the interfaces
    on  the          firewall system.</li>
-                       <li>/etc/shorewall/hosts - allows defining zones in
+                        <li>/etc/shorewall/hosts - allows defining zones
- terms    of  individual           hosts and subnetworks.</li>
+in  terms    of  individual           hosts and subnetworks.</li>
                        <li>/etc/shorewall/masq - directs the firewall where
- to  use   many-to-one            (dynamic) Network Address Translation (a.k.a.
+  to  use   many-to-one            (dynamic) Network Address Translation
-   Masquerading)   and  Source          Network Address Translation (SNAT).</li>
+(a.k.a.    Masquerading)   and  Source          Network Address Translation
 (SNAT).</li>
                        <li>/etc/shorewall/modules - directs the firewall 
 to  load   kernel    modules.</li>
                        <li>/etc/shorewall/rules - defines rules that are 
 exceptions      to  the         overall policies established in /etc/shorewall/policy.</li>
                        <li>/etc/shorewall/nat - defines static NAT rules.</li>
                        <li>/etc/shorewall/proxyarp - defines use of Proxy
-ARP.</li>
+ ARP.</li>
-                       <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and 
+                        <li>/etc/shorewall/routestopped (Shorewall 1.3.4
- later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
+and   later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
                        <li>/etc/shorewall/tcrules - defines marking of packets 
   for   later   use by     traffic control/shaping or policy routing.</li>
                        <li>/etc/shorewall/tos - defines rules for setting
-the   TOS   field   in packet         headers.</li>
+ the   TOS   field   in packet         headers.</li>
                        <li>/etc/shorewall/tunnels - defines IPSEC, GRE and 
 IPIP   tunnels    with end-points on         the firewall system.</li>
-                       <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC 
+                        <li>/etc/shorewall/blacklist - lists blacklisted
-      addresses.</li>
+IP/subnet/MAC        addresses.</li>
     <li>/etc/shorewall/init - commands that you wish to execute at the beginning 
 of a "shorewall start" or "shorewall restart".</li>
-    <li>/etc/shorewall/start - commands that you wish to execute at the completion
+     <li>/etc/shorewall/start - commands that you wish to execute at the
- of a "shorewall start" or "shorewall restart"</li>
+completion  of a "shorewall start" or "shorewall restart"</li>
     <li>/etc/shorewall/stop - commands that you wish to execute at the beginning 
 of a "shorewall stop".</li>
     <li>/etc/shorewall/stopped - commands that you wish to execute at the
-completion of a "shorewall stop".<br>
+ completion of a "shorewall stop".<br>
     </li>
 </ul>
@ -87,8 +89,8 @@ completion of a "shorewall stop".<br>
 <p>You may place comments in configuration files by making the first non-whitespace
              character a pound sign ("#"). You may also place comments at
-the    end  of any line, again by       delimiting the comment from the rest 
+ the    end  of any line, again by       delimiting the comment from the
-of   the line  with a pound sign.</p>
+rest  of   the line  with a pound sign.</p>
 <p>Examples:</p>
@ -110,9 +112,9 @@ of   the line  with a pound sign.</p>
 <p align="left">     </p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
-       using DNS names in Shorewall configuration files. If you use DNS names 
+        using DNS names in Shorewall configuration files. If you use DNS
-    and   you are called out of bed at 2:00AM because Shorewall won't start 
+names      and   you are called out of bed at 2:00AM because Shorewall won't
-  as  a result  of DNS problems then don't say that you were not forewarned. 
+start    as  a result  of DNS problems then don't say that you were not forewarned.
   <br>
                </b></p>
@ -180,14 +182,14 @@ configuration       files.<br>
 </ul>
                These restrictions are not imposed by Shorewall simply for
-your inconvenience but are rather limitations of iptables.<br>
+ your inconvenience but are rather limitations of iptables.<br>
 <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
 <p>Where specifying an IP address, a subnet or an interface, you can     
  precede the item with "!" to specify the complement of the item. For  
-      example, !192.168.1.4 means "any host but 192.168.1.4". There must
+     example, !192.168.1.4 means "any host but 192.168.1.4". There must be
-be no white space following the "!".</p>
+no white space following the "!".</p>
 <h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -201,8 +203,8 @@ be no white space following the "!".</p>
                        <li>If you use line continuation to break a comma-separated 
     list,   the          continuation line(s) must begin in column 1 (or 
 there     would  be embedded          white space)</li>
-                       <li>Entries in a comma-separated list may appear in
+                        <li>Entries in a comma-separated list may appear
- any   order.</li>
+in  any   order.</li>
 </ul>
@ -215,11 +217,13 @@ there     would  be embedded          white space)</li>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
              port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
-      if you want to forward the range of tcp ports 4000 through 4100 to
+      if you want to forward the range of tcp ports 4000 through 4100 to local
-local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+     host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
             </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
 If you omit the low port number, a value of zero is assumed; if you omit
 the high port number, a value of 65535 is assumed.<br>
 <h2><a name="Variables"></a>Using Shell Variables</h2>
@ -271,8 +275,8 @@ local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
  unique MAC address.<br>
                      <br>
-                     In GNU/Linux, MAC addresses are usually written as a 
+                      In GNU/Linux, MAC addresses are usually written as
-series    of  6  hex numbers        separated by colons. Example:<br>
+a  series    of  6  hex numbers        separated by colons. Example:<br>
                      <br>
                     [root@gateway root]# ifconfig eth0<br>
                     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -290,9 +294,9 @@ series    of  6  hex numbers        separated by colons. Example:<br>
                      <br>
                      Because Shorewall uses colons as a separator for address
   fields,     Shorewall requires        MAC addresses to be written in another
-  way. In   Shorewall, MAC addresses        begin with a tilde ("~") and consist
+   way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
-  of 6  hex numbers separated by        hyphens. In Shorewall, the MAC address
+consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
-   in  the example above would be        written "~02-00-08-E3-FA-55".<br>
+MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
           </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation 
@ -302,12 +306,12 @@ series    of  6  hex numbers        separated by colons. Example:<br>
 <h2><a name="Levels"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-       The <a href="starting_and_stopping_shorewall.htm">shorewall start
+       The <a href="starting_and_stopping_shorewall.htm">shorewall start and
-and    restart</a>       commands allow you to specify an alternate configuration
+   restart</a>       commands allow you to specify an alternate configuration 
   directory and    Shorewall will use the files in the alternate directory 
-  rather than the  corresponding  files in /etc/shorewall. The alternate
+  rather than the  corresponding  files in /etc/shorewall. The alternate directory
-directory    need not contain a complete  configuration; those files not
+   need not contain a complete  configuration; those files not in the alternate
-in the alternate    directory  will be read from  /etc/shorewall.</p>
+   directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration 
        by:</p>
@ -326,16 +330,17 @@ in the alternate    directory  will be read from  /etc/shorewall.</p>
-<p><font size="2">   Updated 12/29/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 2/7/2003 - <a href="support.htm">Tom  Eastep</a>
           </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-          © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+          © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -21,6 +21,7 @@
                   <tr>
                    <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
                    </td>
                  </tr>
@ -34,26 +35,25 @@
   for the configuration that most closely matches your own.<br>
      </b></p>
-<p>The entire set of Shorewall documentation is available in PDF format 
+<p>The entire set of Shorewall documentation is available in PDF format  at:</p>
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
          <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
         <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
   </p>
-<p>The documentation in HTML format is included   in the .rpm and in the
+<p>The documentation in HTML format is included   in the .rpm and in the .tgz
-.tgz packages below.</p>
+packages below.</p>
 <p>  Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
-                 <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> 
+                  <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
-             Linux PPC</b> or     <b> TurboLinux</b> distribution     with
+    <b>               Linux PPC</b> or     <b> TurboLinux</b> distribution
-  a  2.4   kernel,   you can use the  RPM version (note: the            
+    with   a  2.4   kernel,   you can use the  RPM version (note: the   
-RPM   should   also work  with other distributions that             store
+         RPM   should   also work  with other distributions that        
-init  scripts in  /etc/init.d  and that             include chkconfig or
+    store init  scripts in  /etc/init.d  and that             include chkconfig
-insserv).  If you find  that it works   in other cases, let <a
+or insserv).  If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
    I can mention them here. See the   <a href="Install.htm">Installation 
 Instructions</a>    if you have problems    installing the RPM.</li>
@ -61,11 +61,11 @@ Instructions</a>    if you have problems    installing the RPM.</li>
 might    also   want  to     download the .tgz so you will have a copy of 
 the documentation).</li>
                  <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
-    and   would      like a .deb package, Shorewall is included in both the
+     and   would      like a .deb package, Shorewall is included in both
-    <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
+the     <a href="http://packages.debian.org/testing/net/shorewall.html">Debian 
     Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
- Unstable Branch</a>.</li>
+Unstable Branch</a>.</li>
                  <li>Otherwise, download the <i>shorewall</i>          
  module    (.tgz)</li>
@ -76,7 +76,7 @@ the documentation).</li>
 <p>Please verify the version that you have        downloaded -- during the 
       release of a new version of Shorewall, the links        below may 
- point      to a newer or an older version than is shown below.</p>
+point      to a newer or an older version than is shown below.</p>
 <ul>
                  <li>RPM - "rpm -qip LATEST.rpm"</li>
@ -91,16 +91,16 @@ the documentation).</li>
 <p>Once you have verified the        version, check the        <font
 color="#ff0000"> <a href="errata.htm"> errata</a></font>           to see 
 if there are updates that apply to the version        that you have      
- downloaded.</p>
+downloaded.</p>
 <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY        INSTALL 
 THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION       
- IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed   configuration
+IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed   configuration 
   of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates 
+<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
-   to the    mirrors  occur 1-12 hours after an update to the Washington State
+    to the    mirrors  occur 1-12 hours after an update to the Washington
-site.</b></p>
+State site.</b></p>
 <blockquote>                                                
  <table border="2" cellspacing="3" cellpadding="3"
@ -239,11 +239,9 @@ site.</b></p>
                      <td><a
 href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
                        <a
- href="http://france.shorewall.net/pub/LATEST.tgz">Download             
+ href="http://france.shorewall.net/pub/LATEST.tgz">Download              .tgz</a> <br>
 .tgz</a> <br>
                        <a
- href="http://france.shorewall.net/pub/LATEST.lrp">Download             
+ href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
 .lrp</a><br>
                      <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
  .md5sums</a></td>
@ -374,14 +372,14 @@ site.</b></p>
 <blockquote>                                              
  <p align="left">The <a target="_top"
- href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository at
+ href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository
-       cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
+at        cvs.shorewall.net</a> contains the latest snapshots of the each
-       component. There's no guarantee that what you find there will work
+ Shorewall        component. There's no guarantee that what you find there
-at    all.<br>
+will work at    all.<br>
          </p>
        </blockquote>
-<p align="left"><font size="2">Last Updated 1/13/2003 - <a
+<p align="left"><font size="2">Last Updated 2/7/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -389,5 +387,6 @@ at    all.<br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -30,6 +30,7 @@
                        </td>
                      </tr>
  </tbody>                  
 </table>
@ -46,9 +47,9 @@
                                   </li>
                      <li>                                              
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory 
+untar the archive, replace the        'firewall' script in the untarred directory
         with the one you downloaded        below, and then run install.sh.</b></p>
                                   </li>
                      <li>                                              
@ -56,20 +57,22 @@ the archive, replace the        'firewall' script in the untarred directory
    <p align="left">          <b>If you are running a Shorewall version earlier
  than 1.3.11, when the instructions say to install a corrected        firewall
  script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
-   or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
+     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
-       the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
+overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD
-              or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
+/etc/shorewall/firewall               or /var/lib/shorewall/firewall  before
-              and /var/lib/shorewall/firewall  are symbolic links that point
+you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall
-          to the 'shorewall' file used by your  system initialization scripts
+ are symbolic links that point           to the 'shorewall' file used by
-    to         start Shorewall during boot. It is  that file that must be
+your  system initialization scripts     to         start Shorewall during
-overwritten              with the corrected script. Beginning with Shorewall
+boot. It is  that file that must be overwritten              with the corrected
-1.3.11, you may rename the existing file before copying in the new file.</b></p>
+script. Beginning with Shorewall 1.3.11, you may rename the existing file
 before copying in the new file.</b></p>
              </li>
              <li>                                                      
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-     ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
+      ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
-   example,  do NOT install the 1.3.9a firewall script if you are running 
+For    example,  do NOT install the 1.3.9a firewall script if you are running
-1.3.7c.</font></b><br>
+ 1.3.7c.</font></b><br>
                          </p>
              </li>
@ -86,12 +89,13 @@ overwritten              with the corrected script. Beginning with Shorewall
                      <li>                            <b><font
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
  on RH7.2</a></font></b></li>
-                     <li>                            <b><a href="#Debug">Problems 
+                      <li>                            <b><a
-    with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
 RedHat iptables</a></b></li>
                      <li><b><a href="#SuSE">Problems installing/upgrading
-RPM   on  SuSE</a></b></li>
+ RPM   on  SuSE</a></b></li>
-                     <li><b><a href="#Multiport">Problems with iptables version 
+                      <li><b><a href="#Multiport">Problems with iptables
-   1.2.7    and       MULTIPORT=Yes</a></b></li>
+version     1.2.7    and       MULTIPORT=Yes</a></b></li>
                <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and 
 NAT</a></b><br>
                </li>
@ -105,35 +109,39 @@ RPM   on  SuSE</a></b></li>
 <h3>Version 1.3.13</h3>
 <ul>
-    <li>The 'shorewall add' command produces an error message referring to
+     <li>The 'shorewall add' command produces an error message referring
- 'find_interfaces_by_maclist'.</li>
+to  'find_interfaces_by_maclist'.</li>
-   <li>The 'shorewall delete' command can leave behind undeleted rules.<br>
+    <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
  <li>The 'shorewall add' command can fail with "iptables: Index of insertion
 too big".<br>
  </li>
 </ul>
- Both problems are corrected by <a
+  All three problems are corrected by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
  firewall script</a> which may be installed in /usr/lib/shorewall as described
  above.<br>
 <ul>
   <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) 
 are not supported in this version or in 1.3.12. If you need such support, 
 post on the users list and I can provide you with a patched version.<br>
   </li>
 </ul>
 <h3>Version 1.3.12</h3>
 <ul>
      <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
-the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is 
+ the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
-corrected  by <a
+is  corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
  firewall script</a> which may be installed in /usr/lib/shorewall as described
  above.</li>
   <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
-are not supported in this version or in 1.3.13. If you need such support, 
+ are not supported in this version or in 1.3.13. If you need such support,
-post on the users list and I can provide you with a patched version.<br>
+ post on the users list and I can provide you with a patched version.<br>
    </li>
 </ul>
@ -160,15 +168,15 @@ new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<
 <h3>Version 1.3.11</h3>
 <ul>
-          <li>When installing/upgrading using the .rpm, you may receive the 
+           <li>When installing/upgrading using the .rpm, you may receive
- following   warnings:<br>
+the   following   warnings:<br>
             <br>
              user teastep does not exist - using root<br>
              group teastep does not exist - using root<br>
             <br>
         These warnings are harmless and may be ignored. Users downloading
-the   .rpm  from shorewall.net or mirrors should no longer see these warnings 
+ the   .rpm  from shorewall.net or mirrors should no longer see these warnings
-as  the .rpm you will get from there has been corrected.</li>
+ as  the .rpm you will get from there has been corrected.</li>
          <li>DNAT rules that exclude a source subzone (SOURCE column contains
   !  followed by a sub-zone list) result in an error message and Shorewall
  fails  to start.<br>
@ -190,11 +198,12 @@ as  the .rpm you will get from there has been corrected.</li>
   on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
         <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
-    version of the firewall script</a> may help. Please report any cases where
+     version of the firewall script</a> may help. Please report any cases
-    installing this script in /usr/lib/shorewall/firewall solved your connection
+where     installing this script in /usr/lib/shorewall/firewall solved your
-    problems. Beginning with version 1.3.10, it is safe to save the old version
+connection     problems. Beginning with version 1.3.10, it is safe to save
-    of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
+the old version     of /usr/lib/shorewall/firewall before copying in the
-    is the real script now and not just a symbolic link to the real script.<br>
+new one since /usr/lib/shorewall/firewall     is the real script now and
 not just a symbolic link to the real script.<br>
             </li>
 </ul>
@ -222,11 +231,11 @@ as  the .rpm you will get from there has been corrected.</li>
            </blockquote>
 <ul>
-             <li>The installer (install.sh) issues a misleading message "Common 
+              <li>The installer (install.sh) issues a misleading message
-   functions   installed in /var/lib/shorewall/functions" whereas the file 
+"Common     functions   installed in /var/lib/shorewall/functions" whereas
- is  installed  in /usr/lib/shorewall/functions. The installer also performs 
+the file   is  installed  in /usr/lib/shorewall/functions. The installer
- incorrectly  when updating old configurations that had the file /etc/shorewall/functions. 
+also performs   incorrectly  when updating old configurations that had the
-       <a
+file /etc/shorewall/functions.         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
      is an updated version that corrects these problems.<br>
                </a></li>
@ -253,8 +262,8 @@ as  the .rpm you will get from there has been corrected.</li>
                 Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                       as described above corrects these problems.
+                                        as described above corrects these
-                       
+problems.                         
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                       
@ -262,7 +271,8 @@ as  the .rpm you will get from there has been corrected.</li>
    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                       as described above corrects this problem.</p>
+                                        as described above corrects this
 problem.</p>
 <h3>Version 1.3.7a</h3>
@ -273,7 +283,8 @@ as  the .rpm you will get from there has been corrected.</li>
                       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                       as described above corrects this problem.</p>
+                                        as described above corrects this
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
@ -304,7 +315,7 @@ where there   are  both dynamic and    static
                           This version of the 1.3.7a firewall script </a> 
                                       corrects the problem. It must be installed
         in /var/lib/shorewall                                as described
-above.</p>
+ above.</p>
 <h3>Version 1.3.7</h3>
@ -328,8 +339,8 @@ above.</p>
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-        an error occurs when the firewall            script attempts to add 
+         an error occurs when the firewall            script attempts to
-  an   SNAT   alias.  </p>
+add    an   SNAT   alias.  </p>
                    </li>
                    <li>                                                
@ -399,10 +410,10 @@ above.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
-        to not verify that the zones named in the /etc/shorewall/policy file
+         to not verify that the zones named in the /etc/shorewall/policy
-           have been previously defined in the /etc/shorewall/zones file.
+file            have been previously defined in the /etc/shorewall/zones
-The            "shorewall check" command does perform this verification so
+file. The            "shorewall check" command does perform this verification
-it's a            good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
                    changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -411,21 +422,22 @@ it's a            good idea to run that command after you have made configuratio
    "Activating rules..." you see the message: "iptables: No            chains/target/match
         by that name" then you probably have an entry in            /etc/shorewall/hosts
         that specifies an interface that you didn't            include in
-/etc/shorewall/interfaces.        To correct this problem, you           
+ /etc/shorewall/interfaces.        To correct this problem, you         
-must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 and 
+  must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3
-           later versions produce a clearer error    message    in this case.</p>
+and             later versions produce a clearer error    message    in this
 case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version
+           file can be identified by its size (56284 bytes). The correct
-           has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
 <ul>
                               <li>The code to detect a duplicate interface 
- entry    in             /etc/shorewall/interfaces contained a typo that
+ entry    in             /etc/shorewall/interfaces contained a typo that prevented
-prevented    it from               working correctly. </li>
+   it from               working correctly. </li>
                               <li>"NAT_BEFORE_RULES=No" was broken; it behaved 
   just   like   "NAT_BEFORE_RULES=Yes".</li>
@ -451,29 +463,30 @@ prevented    it from               working correctly. </li>
 <h3 align="left">Version 1.3.1</h3>
 <ul>
-                              <li>TCP SYN packets may be double counted when
+                               <li>TCP SYN packets may be double counted
-             LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e., 
+when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy
-  each              packet is sent through the limit chain twice).</li>
+(i.e.,    each              packet is sent through the limit chain twice).</li>
                               <li>An unnecessary jump to the policy chain
-is  sometimes                 generated for a CONTINUE policy.</li>
+ is  sometimes                 generated for a CONTINUE policy.</li>
-                              <li>When an option is given for more than one 
+                               <li>When an option is given for more than
- interface      in               /etc/shorewall/interfaces then depending 
+one   interface      in               /etc/shorewall/interfaces then depending
-on the option,     Shorewall                may ignore all but the first appearence
+ on the option,     Shorewall                may ignore all but the first
-of the   option.  For example:<br>
+appearence of the   option.  For example:<br>
                               <br>
                               net    eth0    dhcp<br>
                               loc    eth1    dhcp<br>
                               <br>
                               Shorewall will ignore the 'dhcp' on eth1.</li>
                               <li>Update 17 June 2002 - The bug described
-in  the   prior    bullet               affects the following options: dhcp,
+ in  the   prior    bullet               affects the following options: dhcp, 
 dropunclean,   logunclean,                 norfc1918, routefilter, multi, 
 filterping and   noping. An additional                 bug has been found 
 that affects only   the 'routestopped' option.<br>
                               <br>
-                              Users who downloaded the corrected script prior 
+                               Users who downloaded the corrected script
-  to  1850   GMT   today              should download and install the corrected
+prior    to  1850   GMT   today              should download and install
-    script   again   to ensure              that this second problem is corrected.</li>
+the corrected     script   again   to ensure              that this second
 problem is corrected.</li>
 </ul>
@ -489,7 +502,7 @@ in  the   prior    bullet               affects the following options: dhcp,
  on  the   download    page              before 23:40 GMT, 29 May 2002 may
  have  downloaded   1.2.13    rather than              1.3.0. The "shorewall
  version"  command   will tell    you which version              that you
-have installed.</li>
+ have installed.</li>
                               <li>The documentation NAT.htm file uses non-existent 
                wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
@ -519,14 +532,14 @@ have installed.</li>
          corrected 1.2.3 rpm which you can download here</a>  and I have 
 also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
- iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
+iptables-1.2.4   rpm which you can download here</a>. If  you are currently
         running RedHat 7.1, you can install either of these RPMs       
      <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
-        has   released an iptables-1.2.4 RPM of their own which you can download 
+         has   released an iptables-1.2.4 RPM of their own which you can
-       from<font color="#ff6633">   <a
+download         from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
           </font>I have installed this RPM   on my firewall and it works 
 fine.</p>
@ -560,15 +573,17 @@ fine.</p>
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
         may     experience the following:</p>
  <blockquote>                                                           
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                      </blockquote>
  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
  user-space debugging code was not updated to reflect recent changes in
-        the     Netfilter 'mangle' table. You can correct the problem by installing
+         the     Netfilter 'mangle' table. You can correct the problem by
-           <a
+installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
            this iptables RPM</a>. If you are already running a 1.2.5 version 
    of       iptables, you will need to specify the --oldpackage option to 
@ -612,7 +627,7 @@ Shorewall      1.3.6    you may                                  install
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                 </h3>
              /etc/shorewall/nat entries of the following form will result
-in  Shorewall     being unable to start:<br>
+ in  Shorewall     being unable to start:<br>
              <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -620,11 +635,11 @@ in  Shorewall     being unable to start:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
              The solution is to put "no" in the LOCAL column. Kernel support 
-  for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled
+  for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it.
-it.   The  2.4.19 kernel   contains corrected support under a new kernel
+  The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
-configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+   option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 1/25/2003 -                            
+<p><font size="2">  Last updated 2/8/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
@ -638,5 +653,6 @@ configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewal
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -41,6 +41,7 @@
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35" alt="">
                          </a>                                          
      <p align="right"><font color="#ffffff"><b>      </b></font>     </p>
                          </td>
            <td valign="middle" width="34%" align="center">             
@ -105,27 +106,27 @@
 <h2>Please post in plain text</h2>
          A growing number of MTAs serving list subscribers are rejecting 
 all   HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net 
-  "for  continuous abuse" because it has been my policy to allow HTML in
+  "for  continuous abuse" because it has been my policy to allow HTML in list
-list   posts!!<br>
+  posts!!<br>
          <br>
          I think that blocking all HTML is a Draconian way to control spam 
  and   that the ultimate losers here are not the spammers but the list subscribers
     whose MTAs are bouncing all shorewall.net mail. As one list subscriber
  wrote  to me privately "These e-mail admin's need to get a <i>(explitive
-deleted)</i>  life instead of trying to rid the planet of HTML based e-mail". 
+ deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
-Nevertheless,  to allow subscribers to receive list posts as must as possible, 
+ Nevertheless,  to allow subscribers to receive list posts as must as possible,
-I have now  configured the list server at shorewall.net to strip all HTML 
+ I have now  configured the list server at shorewall.net to strip all HTML
-from outgoing  posts. This means that HTML-only posts will be bounced by the
+ from outgoing  posts. This means that HTML-only posts will be bounced by
-list server.<br>
+the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
       </p>
 <h2>Other Mail Delivery Problems</h2>
        If you find that you are missing an occasional list post, your e-mail 
-  admin  may be blocking mail whose <i>Received:</i> headers contain the
+  admin  may be blocking mail whose <i>Received:</i> headers contain the names
-names   of certain ISPs. Again, I believe that such policies hurt more than
+  of certain ISPs. Again, I believe that such policies hurt more than they
-they  help but I'm not prepared to go so far as to start stripping <i>Received:</i> 
+ help but I'm not prepared to go so far as to start stripping <i>Received:</i>
   headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -163,30 +164,30 @@ they  help but I'm not prepared to go so far as to start stripping <i>Received:<
 value="">    <input type="submit" value="Search"> </p>
                    </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the
+<h2 align="left"><font color="#ff0000">Please do not try to download the entire
-entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
+Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-won't stand the traffic. If I catch you, you will be blacklisted.<br>
+stand the traffic. If I catch you, you will be blacklisted.<br>
             </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
                  If you want to trust X.509 certificates issued by Shoreline 
  Firewall     (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a>
-        in your browser. If you don't wish to trust my certificates then you
+         in your browser. If you don't wish to trust my certificates then
-   can    either use unencrypted access when subscribing to Shorewall mailing
+you    can    either use unencrypted access when subscribing to Shorewall
-   lists    or you can use secure access (SSL) and accept the server's certificate
+mailing    lists    or you can use secure access (SSL) and accept the server's
-    when   prompted by your browser.<br>
+certificate     when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users
-         to get answers to questions and to report problems. Information of
+          to get answers to questions and to report problems. Information
-  general       interest to the Shorewall user community is also posted to
+of   general       interest to the Shorewall user community is also posted
- this list.</p>
+to  this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
          the <a href="http://www.shorewall.net/support.htm">problem reporting
-guidelines</a>.</b></p>
+ guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list:<br>
    </p>
@ -206,9 +207,9 @@ guidelines</a>.</b></p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
@ -260,8 +261,8 @@ may be found at <a
          the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing
-          from Mailman-managed lists although Mailman 2.1 has attempted to 
+           from Mailman-managed lists although Mailman 2.1 has attempted
- make  this less confusing. To unsubscribe:</p>
+to   make  this less confusing. To unsubscribe:</p>
 <ul>
                       <li>                                             
@ -293,10 +294,11 @@ may be found at <a
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
 <p align="left"><font size="2">Last updated 2/3/2003 - <a
- href="support.htm">Tom Eastep</a></font></p>
+ href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
-© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-</p>
+ </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -52,11 +52,11 @@ firewall to accommodate.</p>
 <p>DNS</p>
 <blockquote>            
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
-want to   open TCP Port 53 as well.<br>
+to   open TCP Port 53 as well.<br>
-     If you are configuring a server, only open TCP Port 53 if you will return
+      If you are configuring a server, only open TCP Port 53 if you will
- long   replies to queries or if you need to enable ZONE transfers. In the
+return  long   replies to queries or if you need to enable ZONE transfers. In
- latter   case, be sure that your server is properly configured.</p>
+the  latter   case, be sure that your server is properly configured.</p>
    </blockquote>
 <p>ICQ   </p>
@ -130,9 +130,9 @@ want to   open TCP Port 53 as well.<br>
     </p>
  <p>If you run an FTP server on a nonstandard port or you need to access
-such a server, then you must specify that port in /etc/shorewall/modules. 
+ such a server, then you must specify that port in /etc/shorewall/modules.
-For example, if you run an FTP server that listens on port 49 then you would 
+ For example, if you run an FTP server that listens on port 49 then you would
-have:<br>
+ have:<br>
     </p>
  <blockquote>               
@ -142,10 +142,10 @@ have:<br>
     </blockquote>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may
-have problems accessing regular FTP servers.</p>
+ have problems accessing regular FTP servers.</p>
-  <p>If there is a possibility that these modules might be loaded before
+  <p>If there is a possibility that these modules might be loaded before Shorewall
-Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
+starts, then you should include the port list in /etc/modules.conf:<br>
     </p>
  <blockquote>               
@ -172,23 +172,32 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
    </blockquote>
-<p>NFS</p>
+<p>NFS<br>
 </p>
 <blockquote>
  <p>I personally use the following rules for opening access from zone z1
 to a server with IP address a.b.c.d in zone z2:<br>
  </p>
  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
 </blockquote>
 <blockquote>            
-  <p>There's some good information at    <a
+  <p>Note that my rules only cover NFS using UDP (the normal case). There
 is lots of additional information at    <a
 href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
    </blockquote>
-<p>Didn't find what you are looking for -- have you looked in your own  
+<p>Didn't find what you are looking for -- have you looked in your own   /etc/services
-/etc/services file? </p>
+file? </p>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
+<p><font size="2">Last updated 2/7/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-   <a href="copyright.htm"><font size="2">Copyright</font>
+    <a href="copyright.htm"><font size="2">Copyright</font>   © <font
-  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -6,6 +6,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,13 +14,14 @@
-                                                                      <base
+                                                                        
- target="_self">
+         <base target="_self">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
@ -45,7 +47,7 @@
                           </a></i></font><font color="#ffffff">Shorewall 
     1.3     -               <font size="4">"<i>iptables                 
-made  easy"</i></font></font></h1>
+ made  easy"</i></font></font></h1>
@ -77,6 +79,7 @@ made  easy"</i></font></font></h1>
 <div align="center">                                                     
 <center>                                                                 
@ -109,9 +112,10 @@ made  easy"</i></font></font></h1>
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+                   
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-       that can be used on a dedicated firewall system, a multi-function 
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -123,10 +127,12 @@ made  easy"</i></font></font></h1>
      <p>This program is free software; you can redistribute it and/or modify
-                                          it        under the terms of <a
+                                            it        under the terms of
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+      <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
-Public License</a> as published by the Free Software        Foundation.<br>
+the GNU General Public License</a> as published by the Free Software    
   Foundation.<br>
                               <br>
@ -139,10 +145,11 @@ Public License</a> as published by the Free Software        Foundation.<br>
                               <br>
                          You   should    have   received     a  copy   of
-the     GNU     General         Public      License             along  with
+  the     GNU     General         Public      License             along 
-  this   program;       if  not,    write  to  the    Free Software     
+with    this   program;       if  not,    write  to  the    Free Software
-  Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,
+       Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA
-     USA</p>
+ 02139,       USA</p>
@ -169,8 +176,8 @@ the     GNU     General         Public      License             along  with
 border="0" src="images/leaflogo.gif" width="49" height="36">
                           </a>Jacques              Nilo   and   Eric   Wolzak
-    have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD
+      have     a   LEAF  (router/firewall/gateway         on  a floppy, 
-   or compact     flash)  distribution        called              <i>Bering</i>
+ CD    or compact     flash)  distribution        called              <i>Bering</i> 
       that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
       You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
@ -179,15 +186,15 @@ the     GNU     General         Public      License             along  with
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+      <p><b>Congratulations to Jacques and Eric on the recent release of
-1.0 Final!!! </b><br>
+Bering 1.0 Final!!! </b><br>
                                     </p>
-      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
- href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
+(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -212,6 +219,7 @@ the     GNU     General         Public      License             along  with
      <h2></h2>
@ -220,71 +228,50 @@ the     GNU     General         Public      License             along  with
-      <p><b>2/4/2003 - Shorewall 1.3.14-RC1</b><b> </b><b><img
+                 
      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
-      <p>Includes the Beta 2 content plus support for OpenVPN tunnels.</p>
+      <p>New features include</p>
      <p> The release candidate may be downloaded from:<br>
           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
             <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
           </blockquote>
      <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
      <p>Includes the Beta 1 content plus restores VLAN device names of the
  form $dev.$vid (e.g., eth0.1)</p>
      <p> The beta may be downloaded from:<br>
           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
             <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
           </blockquote>
      <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
         </b><br>
           </p>
      <p>The Beta includes the following changes:<br>
      </p>
      <ol>
        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-  When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
+When   set to Yes, Shorewall ping handling is as it has always been (see
 http://www.shorewall.net/ping.html).<br>
         <br>
     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
- policies   just like any other connection request. The FORWARDPING=Yes option
+policies   just like any other connection request. The FORWARDPING=Yes option 
- in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
+in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
- will   all generate an error.<br>
+will   all generate an error.<br>
         <br>
       </li>
-             <li>It is now possible to direct Shorewall to create a "label" 
+        <li>It is now possible to direct Shorewall to create a "label" such
- such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes 
+ as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
- and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
+and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
- just  the interface name:<br>
+of just  the interface name:<br>
      <br>
        a) In the INTERFACE column of /etc/shorewall/masq<br>
        b) In the INTERFACE column of /etc/shorewall/nat<br>
      </li>
-             <li>When an interface name is entered in the SUBNET column of
+        <li>Support for OpenVPN Tunnels.<br>
- the  /etc/shorewall/masq file, Shorewall previously masqueraded traffic
+     <br>
-from  only  the first subnet defined on that interface. It did not masquerade 
+ </li>
        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
 eth0.0)<br>
     <br>
   </li>
        <li>When an interface name is entered in the SUBNET column of the
 /etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
 only the first subnet   defined on that interface. It did not masquerade
 traffic from:<br>
      <br>
        a) The subnets associated with other addresses on the interface.<br>
        b) Subnets accessed through local routers.<br>
      <br>
-      Beginning with Shorewall 1.3.14, if you enter an interface name in
+     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
-the   SUBNET  column, shorewall will use the firewall's routing table to
+ SUBNET  column, shorewall will use the firewall's routing table to construct 
-construct   the masquerading/SNAT rules.<br>
+ the masquerading/SNAT rules.<br>
      <br>
     Example 1 -- This is how it works in 1.3.14.<br>
        <br>
@ -293,371 +280,53 @@ construct   the masquerading/SNAT rules.<br>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
-          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos... <br></pre>
+          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
      <br>
     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
-  connected  to an interface that is specified in the SUBNET column of an
+ connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
-/etc/shorewall/masq   entry, your /etc/shorewall/masq file will need changing.
+  entry, your /etc/shorewall/masq file will need changing. In most cases,
-In most cases, you  will simply be able to remove redundant entries. In some
+you  will simply be able to remove redundant entries. In some cases though,
-cases though, you  might want to change from using the interface name to
+you  might want to change from using the interface name to listing specific
-listing specific subnetworks  if the change described above will cause masquerading
+subnetworks  if the change described above will cause masquerading to occur
-to occur on subnetworks  that you don't wish to masquerade.<br>
+on subnetworks  that you don't wish to masquerade.<br>
      <br>
     Example 2 -- Suppose that your current config is as follows:<br>
        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
      <br>
        In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
      <br>
     Example 3 -- What if your current configuration is like this?<br>
      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
      <br>
        In this case, you would want to change the entry in  /etc/shorewall/masq 
  to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
        </li>
      </ol>
-     The beta may be downloaded from:<br>
+ <br>
-      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
+      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
-             <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+      </b><b><img border="0" src="images/new10.gif" width="28"
-           </blockquote>
+ height="12" alt="(New)">
      <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b>
             </b></p>
   Webmin version 1.060 now has Shorewall support included as standard. See
       <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>   </b>
      <p><b></b></p>
-      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 
+      <p><b></b></p>
   documenation.          the PDF may be downloaded from</p>
                                               <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                              <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a> 
      <p><b>1/17/2003 - shorewall.net has MOVED</b><b></b></p>
      <p>Thanks to the generosity of Alex Martin and <a
 href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
 ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
 big thanks to Alex for making this happen.<br>
              </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><br>
               </p>
      <p>Just includes a few things that I had on the burner:<br>
          </p>
      <ol>
                 <li>A new 'DNAT-' action has been added for entries in the 
 /etc/shorewall/rules    file. DNAT- is intended for advanced users who wish 
 to minimize the number    of rules that connection requests must traverse.<br>
              <br>
          A Shorewall DNAT rule actually generates two iptables rules: a
 header    rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter' 
 table.    A DNAT-  rule only generates the first of these rules. This is handy
 when    you have  several DNAT rules that would generate the same ACCEPT rule.<br>
              <br>
             Here are three rules from my previous rules file:<br>
              <br>
                  DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
                  DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
                  ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
              <br>
             These three rules ended up generating _three_ copies of<br>
              <br>
                   ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
              <br>
             By writing the rules this way, I end up with only one copy of
 the   ACCEPT  rule.<br>
              <br>
                  DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
                  DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
                  ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
              <br>
            </li>
                 <li>The 'shorewall check' command now prints out the applicable
    policy between each pair of zones.<br>
              <br>
            </li>
                 <li>A new CLEAR_TC option has been added to shorewall.conf.
  If  this  option is set to 'No' then Shorewall won't clear the current
 traffic    control  rules during [re]start. This setting is intended for
 use by people    that prefer  to configure traffic shaping when the network
 interfaces come    up rather than  when the firewall is started. If that
 is what you want to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not
 supply an /etc/shorewall/tcstart    file. That way,  your traffic shaping
 rules can still use the 'fwmark' classifier   based on  packet marking defined
 in /etc/shorewall/tcrules.<br>
              <br>
            </li>
                 <li>A new SHARED_DIR variable has been added that allows 
 distribution     packagers to easily move the shared directory (default /usr/lib/shorewall). 
    Users should never have a need to change the value of this shorewall.conf 
    setting.<br>
            </li>
      </ol>
      <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
                                                          </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall 
       Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
                     </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>    
                                                 </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
        documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                  <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                              </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
                               </b></p>
      <p>     Features include:<br>
                           </p>
      <ol>
                         <li>"shorewall refresh" now reloads the traffic
 shaping     rules    (tcrules     and tcstart).</li>
                         <li>"shorewall debug [re]start" now turns off debugging
    after    an  error   occurs. This places the point of the failure near
 the   end of   the trace rather   than up in the middle of it.</li>
                         <li>"shorewall [re]start" has been speeded up by 
 more   than   40%   with   my  configuration. Your milage may vary.</li>
                         <li>A "shorewall show classifiers" command has been
  added    which    shows   the current packet classification filters. The
 output from   this  command  is  also added as a separate page in "shorewall
 monitor"</li>
                         <li>ULOG (must be all caps) is now accepted as a 
 valid    syslog    level   and  causes the subject packets to be logged using 
 the   ULOG target    rather   than  the LOG target. This allows you to run 
 ulogd   (available from             <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
           and log all Shorewall messages <a
 href="shorewall_logging.html">to    a  separate  log file</a>.</li>
                         <li>If you are running a kernel that has a FORWARD 
 chain    in  the   mangle    table ("shorewall show mangle" will show you 
 the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes 
 in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for 
 marking         input packets based on their destination even when you are 
 using  Masquerading        or SNAT.</li>
                         <li>I have cluttered up the /etc/shorewall directory 
  with   empty    'init',    'start', 'stop' and 'stopped' files. If you already
  have  a file    with one   of these names, don't worry -- the upgrade process
  won't  overwrite    your file.</li>
                         <li>I have added a new RFC1918_LOG_LEVEL variable
 to            <a href="Documentation.htm#Conf">shorewall.conf</a>. This
 variable   specifies       the syslog level at which packets are logged as
 a result  of entries in   the   /etc/shorewall/rfc1918 file. Previously,
 these packets   were always   logged   at the 'info' level.<br>
                    </li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
                        </p>
                  This version corrects a problem with Blacklist logging. 
 In  Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the 
 firewall   would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                                   </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                       </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                           </b></p>
                      The first public Beta version of Shorewall 1.3.12 is
 now   available      (Beta  1 was made available to a limited audience).
      <br>
                       <br>
                       Features include:<br>
                       <br>
      <ol>
                              <li>"shorewall refresh" now reloads the traffic 
  shaping     rules    (tcrules  and tcstart).</li>
                              <li>"shorewall debug [re]start" now turns off 
 debugging      after    an  error occurs. This places the point of the failure 
 near the    end of the   trace  rather than up in the middle of it.</li>
                              <li>"shorewall [re]start" has been speeded
 up  by  more   than   40%   with  my configuration. Your milage may vary.</li>
                              <li>A "shorewall show classifiers" command
 has   been   added    which    shows the current packet classification filters.
  The output   from    this command    is also added as a separate page in
 "shorewall monitor"</li>
                              <li>ULOG (must be all caps) is now accepted 
 as  a  valid    syslog    level  and causes the subject packets to be logged
 using  the ULOG   target   rather than the LOG target. This allows you to
 run ulogd  (available   from            <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
           and log all Shorewall messages <a
 href="shorewall_logging.html">to    a  separate  log file</a>.</li>
                              <li>If you are running a kernel that has a
 FORWARD     chain    in  the   mangle table ("shorewall show mangle" will
 show you  the   chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes
  in  shorewall.conf.     This allows  for  marking input packets based on
 their  destination even   when  you are using  Masquerading or SNAT.</li>
                              <li>I have cluttered up the /etc/shorewall
 directory      with   empty    'init', 'start', 'stop' and 'stopped' files.
 If you already      have   a file  with  one of these names, don't worry
 -- the upgrade process      won't   overwrite  your  file.</li>
      </ol>
                       You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                       </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
                         </a></b></p>
                        Shorewall is at the center of MandrakeSoft's recently-announced 
             <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
            Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
            release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>        
                                   </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally 
             delivered. I have installed 9.0 on one of my systems and I am 
 now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
                                  </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                         
                  </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT 
              with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 
     users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> 
                                            </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
                 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                       <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                                   </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                 
                </b></p>
      <p>In this version:</p>
      <ul>
                                        <li>A 'tcpflags' option has been
 added    to  entries     in            <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.     
     This option causes Shorewall to make a set of sanity check on TCP  
 packet       header flags.</li>
                                        <li>It is now allowed to use 'all'
 in  the   SOURCE    or  DEST   column    in a <a
 href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must  appear
 by itself (in may not be qualified)  and it does   not  enable   intra-zone
 traffic.  For example, the rule           <br>
                                     <br>
                                     ACCEPT loc all tcp 80<br>
                                     <br>
                                 does not enable http traffic from 'loc'
 to  'loc'.</li>
                                        <li>Shorewall's use of the 'echo' 
 command     is  now   compatible      with   bash clones such as ash and dash.</li>
                                        <li>fw-&gt;fw policies now generate 
 a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
 ignored</li>
@ -738,11 +407,11 @@ command     is  now   compatible      with   bash clones such as ash and dash.</
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
-if       you try it and find it useful, please consider making a donation 
+but if       you try it and find it useful, please consider making a donation
                                            to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                           </td>
@ -758,13 +427,9 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                    <br>
-    </p>
+</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_features.htm
+++ b/Shorewall-docs/shorewall_features.htm
@ -46,6 +46,9 @@
      </li>
      <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a> 
 to  help    get your first firewall up and running quickly</li>
  <li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
 href="http://www.webmin.com">http://www.webmin.com</a>)<br>
  </li>
      <li>Extensive <b> <a
 href="shorewall_quickstart_guide.htm#Documentation">documentation</a>   
  </b>   included in the .tgz and .rpm downloads.</li>
@ -93,22 +96,23 @@ fallback          and uninstall facilities</b></a> for users who can't use
 or choose  not         to use the RPM or Debian packages.</li>
        <li>Included as a standard part of<b> <a
 href="http://leaf.sourceforge.net/devel/jnilo">     LEAF/Bering</a> </b>(router/firewall
-on a floppy, CD or compact flash).</li>
+ on a floppy, CD or compact flash).</li>
    </ul>
     </li>
-    <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
+     <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
-     <b>Verification</b><br>
+Address      <b>Verification</b><br>
       </a><br>
      </li>
 </ul>
-<p><font size="2">Last updated 1/31/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -40,6 +40,7 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
@ -108,6 +109,7 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is 
    a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based 
    firewall        that can be used on a dedicated firewall system, a multi-function 
@ -123,28 +125,30 @@
      <p>This program is free software; you can redistribute it and/or modify 
                                               it        under the terms of
        <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
-the GNU General Public License</a> as published by the Free Software    
+ the GNU General Public License</a> as published by the Free Software   
    Foundation.<br>
                                      <br>
-                              This   program     is  distributed       in 
+                                 This   program     is  distributed     
- the     hope     that     it   will     be  useful,    but         WITHOUT
+ in   the     hope     that     it   will     be  useful,    but        
-  ANY      WARRANTY;      without      even the   implied    warranty   
+WITHOUT    ANY      WARRANTY;      without      even the   implied    warranty
     of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR
-  PURPOSE.        See the    GNU General     Public  License           for
+     PURPOSE.        See the    GNU General     Public  License         
- more details.<br>
+ for   more details.<br>
                                      <br>
                                 You   should    have   received     a  copy
-  of   the     GNU     General         Public      License             along 
+    of   the     GNU     General         Public      License            
-  with    this   program;       if  not,    write  to  the    Free Software
+along     with    this   program;       if  not,    write  to  the    Free
-         Foundation,              Inc.,  675     Mass  Ave,  Cambridge, 
+Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge, 
-MA    02139,       USA</p>
+ MA    02139,       USA</p>
@ -168,21 +172,23 @@ MA    02139,       USA</p>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
                                  </a>Jacques              Nilo   and   Eric
-  Wolzak       have     a   LEAF  (router/firewall/gateway         on  a floppy,
+    Wolzak       have     a   LEAF  (router/firewall/gateway         on 
-   CD    or compact     flash)  distribution        called              <i>Bering</i>
+a  floppy,    CD    or compact     flash)  distribution        called   
-         that          features      Shorewall-1.3.10  and    Kernel-2.4.18.
+          <i>Bering</i>          that          features      Shorewall-1.3.10
-         You    can  find    their    work at:                <a
+  and    Kernel-2.4.18.          You    can  find    their    work at:  
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+             <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                          <b>Congratulations to Jacques and 
-Eric   on  the   recent    release     of  Bering  1.0 Final!!! <br>
+ Eric   on  the   recent    release     of  Bering  1.0 Final!!! <br>
                                          </b>                          
      <h2>News</h2>
@ -197,45 +203,16 @@ Eric   on  the   recent    release     of  Bering  1.0 Final!!! <br>
-      <p><b>2/4/2003 - Shorewall 1.3.14-RC1</b><b> </b><b><img
+                  
      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
-      <p>Includes the Beta 2 content plus support for OpenVPN tunnels.<br>
+      <p>New features include</p>
      </p>
      <p> The release candidate may be downloaded from:<br>
           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"><br>
 ftp://ftp.shorewall.net/pub/shorewall/Beta</a></blockquote>
      <p></p>
      <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
         </b></p>
      <p>Includes the Beta 1 content plus restores VLAN device names of the 
 form $dev.$vid (e.g., eth0.1)</p>
      <p> The beta may be downloaded from:<br>
           </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
            <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
          </blockquote>
      <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
        </b><br>
     </p>
      <p>The Beta includes the following changes:<br>
     </p>
      <ol>
        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-  When set to Yes, Shorewall ping handling is as it has always been (see
+When   set to Yes, Shorewall ping handling is as it has always been (see
 http://www.shorewall.net/ping.html).<br>
         <br>
     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
@ -244,17 +221,24 @@ in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/
 will   all generate an error.<br>
         <br>
       </li>
-            <li>It is now possible to direct Shorewall to create a "label"
+        <li>It is now possible to direct Shorewall to create a "label" such
- such  as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+ as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
- and  ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
+and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
 of just  the interface name:<br>
      <br>
        a) In the INTERFACE column of /etc/shorewall/masq<br>
        b) In the INTERFACE column of /etc/shorewall/nat<br>
      </li>
-            <li>When an interface name is entered in the SUBNET column of 
+        <li>Support for OpenVPN Tunnels.<br>
-the  /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
+     <br>
- only  the first subnet defined on that interface. It did not masquerade
+ </li>
        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
 eth0.0)<br>
     <br>
   </li>
        <li>When an interface name is entered in the SUBNET column of the
 /etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
 only the first subnet   defined on that interface. It did not masquerade
 traffic from:<br>
      <br>
        a) The subnets associated with other addresses on the interface.<br>
@ -286,7 +270,8 @@ on subnetworks  that you don't wish to masquerade.<br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#<br></pre>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
      <br>
        In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
      <br>
@ -295,381 +280,31 @@ on subnetworks  that you don't wish to masquerade.<br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]# <br></pre>
+          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
      <br>
        In this case, you would want to change the entry in  /etc/shorewall/masq 
  to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
        </li>
      </ol>
     The beta may be downloaded from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
     </blockquote>
      <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b> 
         </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
   documenation.          the PDF may be downloaded from</p>
                                               <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                              <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
      <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b>    </b></p>
      <p>Thanks to the generosity of Alex Martin and <a
 href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and ftp.shorewall.net
 are now hosted on a system in Bellevue, Washington.  A big thanks to Alex
 for making this happen.<br>
        </p>
      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                              </b><br>
         </p>
      <p>Just includes a few things that I had on the burner:<br>
         </p>
      <ol>
                <li>A new 'DNAT-' action has been added for entries in the
 /etc/shorewall/rules    file. DNAT- is intended for advanced users who wish
 to minimize the number    of rules that connection requests must traverse.<br>
             <br>
         A Shorewall DNAT rule actually generates two iptables rules: a header
   rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter'
 table.    A DNAT-  rule only generates the first of these rules. This is
 handy when    you have  several DNAT rules that would generate the same ACCEPT
 rule.<br>
             <br>
            Here are three rules from my previous rules file:<br>
             <br>
                 DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
                 DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
                 ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
             <br>
            These three rules ended up generating _three_ copies of<br>
             <br>
                  ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
             <br>
            By writing the rules this way, I end up with only one copy of 
 the   ACCEPT  rule.<br>
             <br>
                 DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
                 DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
                 ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
             <br>
           </li>
                <li>The 'shorewall check' command now prints out the applicable 
   policy between each pair of zones.<br>
             <br>
           </li>
                <li>A new CLEAR_TC option has been added to shorewall.conf. 
 If  this  option is set to 'No' then Shorewall won't clear the current traffic
   control  rules during [re]start. This setting is intended for use by people
   that prefer  to configure traffic shaping when the network interfaces
 come    up rather than  when the firewall is started. If that is what you
 want to   do, set TC_ENABLED=Yes  and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
   file. That way,  your traffic shaping rules can still use the 'fwmark'
 classifier   based on  packet marking defined in /etc/shorewall/tcrules.<br>
             <br>
           </li>
                <li>A new SHARED_DIR variable has been added that allows
 distribution     packagers to easily move the shared directory (default /usr/lib/shorewall).
    Users should never have a need to change the value of this shorewall.conf
    setting.</li>
      </ol>
-      <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
+      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
      </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
             </b></p>
-                                                                        
+    Webmin version 1.060 now has Shorewall support included as standard.
-                               
+See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b> 
-      <p><b>Until further notice, I will not be involved in either Shorewall 
+ </b>              
      Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
              </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
                                                 </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
       documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                            </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
                                </b></p>
      <p>     Features include:<br>
                          </p>
      <ol>
                        <li>"shorewall refresh" now reloads the traffic shaping 
   rules    (tcrules     and tcstart).</li>
                        <li>"shorewall debug [re]start" now turns off debugging 
   after    an  error   occurs. This places the point of the failure near 
 the   end of   the trace rather   than up in the middle of it.</li>
                        <li>"shorewall [re]start" has been speeded up by
 more   than   40%   with   my  configuration. Your milage may vary.</li>
                        <li>A "shorewall show classifiers" command has been 
 added    which    shows   the current packet classification filters. The 
 output from   this  command  is  also added as a separate page in "shorewall 
 monitor"</li>
                        <li>ULOG (must be all caps) is now accepted as a
 valid    syslog    level   and  causes the subject packets to be logged using
 the   ULOG target    rather   than  the LOG target. This allows you to run
 ulogd   (available from             <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
          and log all Shorewall messages <a
 href="shorewall_logging.html">to    a  separate log file</a>.</li>
                        <li>If you are running a kernel that has a FORWARD
 chain    in  the   mangle    table ("shorewall show mangle" will show you
 the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes
 in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
 marking         input packets based on their destination even when you are
 using  Masquerading        or SNAT.</li>
                        <li>I have cluttered up the /etc/shorewall directory
  with   empty    'init',    'start', 'stop' and 'stopped' files. If you
 already   have  a file    with one   of these names, don't worry -- the upgrade
 process   won't  overwrite    your file.</li>
                        <li>I have added a new RFC1918_LOG_LEVEL variable 
 to            <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
  specifies       the syslog level at which packets are logged as a result
 of entries in   the   /etc/shorewall/rfc1918 file. Previously, these packets
  were always   logged   at the 'info' level.</li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
                  </p>
                  This version corrects a problem with Blacklist logging. 
 In  Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the 
 firewall   would   fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                                  </p>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                        <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                      </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                            </b></p>
                     The first public Beta version of Shorewall 1.3.12 is 
 now   available      (Beta  1 was made available only to a limited audience). 
      <br>
                      <br>
                      Features include:<br>
                      <br>
      <ol>
                             <li>"shorewall refresh" now reloads the traffic
  shaping     rules    (tcrules  and tcstart).</li>
                             <li>"shorewall debug [re]start" now turns off
 debugging      after    an  error occurs. This places the point of the failure
 near the    end of the   trace  rather than up in the middle of it.</li>
                             <li>"shorewall [re]start" has been speeded up
 by  more   than   40%   with  my configuration. Your milage may vary.</li>
                             <li>A "shorewall show classifiers" command has 
 been   added    which    shows the current packet classification filters. 
 The output   from    this command    is also added as a separate page in 
 "shorewall monitor"</li>
                             <li>ULOG (must be all caps) is now accepted
 as  a  valid    syslog    level  and causes the subject packets to be logged 
 using  the ULOG   target   rather than the LOG target. This allows you to 
 run ulogd  (available   from            <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
          and log all Shorewall messages <a
 href="shorewall_logging.html">to    a  separate log file</a>.</li>
                             <li>If you are running a kernel that has a FORWARD 
   chain    in  the   mangle table ("shorewall show mangle" will show you 
 the   chains   in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes 
 in  shorewall.conf.     This allows  for  marking input packets based on 
 their  destination even   when  you are using  Masquerading or SNAT.</li>
                             <li>I have cluttered up the /etc/shorewall directory 
    with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
    have   a file  with  one of these names, don't worry -- the upgrade process 
    won't   overwrite  your  file.</li>
      </ol>
                      You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                        <a
 href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
                      </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
                        </a></b></p>
                       Shorewall is at the center of MandrakeSofts's recently-announced 
             <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
           Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
           release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
             delivered. I have installed 9.0 on one of my systems and I am
 now    in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
                                 </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
              with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
     users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                                            </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
                 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                       <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                                   </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b>                        
          </b></p>
      <p>In this version:</p>
      <ul>
                                        <li>A 'tcpflags' option has been
 added    to  entries     in            <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.     
     This option causes Shorewall to make a set of sanity check on TCP  
 packet       header flags.</li>
                                        <li>It is now allowed to use 'all'
 in  the   SOURCE    or  DEST   column    in a <a
 href="Documentation.htm#Rules">rule</a>.    When   used,  'all'   must  appear
 by itself (in may not be qualified)  and it does   not  enable   intra-zone
 traffic.  For example, the rule           <br>
                                     <br>
                                     ACCEPT loc all tcp 80<br>
                                     <br>
                                 does not enable http traffic from 'loc'
 to  'loc'.</li>
                                        <li>Shorewall's use of the 'echo' 
 command     is  now   compatible      with   bash clones such as ash and dash.</li>
                                        <li>fw-&gt;fw policies now generate 
 a  startup     error.    fw-&gt;fw      rules  generate a warning and are 
 ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
                             </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
                 documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                                       <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                                   </p>
      <p><b></b></p>
      <ul>
@ -686,7 +321,8 @@ command     is  now   compatible      with   bash clones such as ash and dash.</
-      <p><b></b><a href="News.htm">More News</a></p>
+      <p><a href="News.htm">More News</a></p>
@ -726,13 +362,14 @@ command     is  now   compatible      with   bash clones such as ash and dash.</
      <h2><a name="Donations"></a>Donations</h2>
         </td>
-                                      <td width="88" bgcolor="#4b017c"
+                                         <td width="88"
- valign="top" align="center">              <br>
+ bgcolor="#4b017c" valign="top" align="center">              <br>
                                                          </td>
                                     </tr>
@ -761,7 +398,8 @@ command     is  now   compatible      with   bash clones such as ash and dash.</
                              <tr>
-                               <td width="100%" style="margin-top: 1px;"> 
+                                  <td width="100%"
 style="margin-top: 1px;">                                              
@ -787,11 +425,11 @@ command     is  now   compatible      with   bash clones such as ash and dash.</
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-but if       you try it and find it useful, please consider making a donation
+if       you try it and find it useful, please consider making a donation 
                                               to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight        
+ href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Children's Foundation.</font></a> Thanks!</font></p>
+Foundation.</font></a> Thanks!</font></p>
                                  </td>
@ -808,12 +446,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font> 
+ 
 <p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
                                         <br>
-   </p>
+</p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -32,6 +32,7 @@
      <h1 align="center"><font color="#ffffff">Shorewall Support<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                        </font></h1>
@ -43,15 +44,21 @@
 </table>
 <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions 
-emailed directly to me, I try to spend some time each day answering questions 
+ emailed directly to me, I try to spend some time each day answering questions 
-on the Shorewall Users Mailing List.</font></big><span
+ on the Shorewall Users Mailing List.</font></big><span
 style="font-weight: 400;"></span></big></b></p>
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
 <h1>Before Reporting a Problem</h1>
-                                      There are a number of sources for problem 
+<i>"Well at least you tried to read the documentation, which is a lot more
-   solution information. Please     try these before you post.           
+than some people on this list appear to do.</i>"<br>
 <br>
 <div align="center">- Wietse Venema - On the Postfix mailing list<br>
 </div>
 <br>
                                        There are a number of sources for 
 problem     solution information. Please     try these before you post.  
 <h3>                                     </h3>
@ -59,7 +66,7 @@ on the Shorewall Users Mailing List.</font></big><span
 <ul>
                  <li>More than half of the questions posted on the support 
-list   have answers directly accessible from the <a
+ list   have answers directly accessible from the <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
            <br>
          </li>
@ -89,8 +96,8 @@ list   have answers directly accessible from the <a
 <h3>                     </h3>
 <ul>
-                <li>                                   The Mailing List Archives 
+                  <li>                                   The Mailing List 
-   search facility can locate   posts    about         similar problems: 
+Archives     search facility can locate   posts    about         similar problems:
        </li>
 </ul>
@ -125,8 +132,8 @@ list   have answers directly accessible from the <a
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-                              </font> <input type="hidden" name="config"
+                                </font> <input type="hidden"
- value="htdig">    <input type="hidden" name="restrict"
+ name="config" value="htdig">    <input type="hidden" name="restrict"
 value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
                                Search: <input type="text" size="30"
@ -139,10 +146,10 @@ list   have answers directly accessible from the <a
  and when you   walk  into one of the rooms, you detect this strange smell. 
   Can anyone tell  you  what that strange smell is?<br>
               <br>
-             Now, all of us could do some wonderful guessing as to the smell
+               Now, all of us could do some wonderful guessing as to the
-  and   even   what's causing it.  You would be absolutely amazed at the
+smell    and   even   what's causing it.  You would be absolutely amazed
-range   and   variety   of smells we could come up with.  Even more amazing
+at the range   and   variety   of smells we could come up with.  Even more
-is that   all   of the explanations   for the smells would be completely
+amazing is that   all   of the explanations   for the smells would be completely
 plausible."<br>
               </i><br>
@ -164,9 +171,9 @@ plausible."<br>
   technical  support. Any help we offer is an act of generosity, not an obligation.
   Try  to make it easy for us to help you. Follow good, courteous practices
   in writing  and formatting your e-mail. Provide details that we need if
-you  expect good  answers. <em>Exact quoting </em> of error messages, log 
+ you  expect good  answers. <em>Exact quoting </em> of error messages, log
-entries,  command output, and other output is better than a paraphrase or 
+ entries,  command output, and other output is better than a paraphrase or
-summary.<br>
+ summary.<br>
             <br>
           </li>
           <li>                                   Please don't describe your
@ -175,8 +182,8 @@ summary.<br>
  do your   job for you.<br>
             <br>
                  </li>
-         <li>When reporting a problem, <strong>ALWAYS</strong> include this 
+           <li>When reporting a problem, <strong>ALWAYS</strong> include
- information:</li>
+this   information:</li>
 </ul>
@ -225,7 +232,15 @@ summary.<br>
               <br>
             </li>
             <li>the exact wording of any <code
- style="color: green; font-weight: bold;">ping</code> failure responses.<br>
+ style="color: green; font-weight: bold;">ping</code> failure responses<br>
       <br>
     </li>
     <li>If you installed Shorewall using one of the QuickStart Guides, please 
 indicate which one. <br>
       <br>
     </li>
     <li><b>If you are running Shorewall under Mandrake using the Mandrake 
 installation of Shorewall, please say so.</b><br>
               <br>
             </li>
@ -236,12 +251,13 @@ summary.<br>
 <ul>
           <li><b>NEVER </b>include the output of "<b><font
 color="#009900">iptables    -L</font></b>". Instead, if you are having connection
-problems please post the exact output of<br>
+ problems of any kind, post the exact output of<br>
             <br>
             <b><font color="#009900">/sbin/shorewall status<br>
             <br>
-           </font></b>Since that command generates a lot of output, we suggest
+             </font></b>Since that command generates a lot of output, we
-   that you redirect the output to a file and attach the file to your post<br>
+suggest     that you redirect the output to a file and attach the file to
 your post<br>
             <br>
             <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
             <br>
@ -250,7 +266,7 @@ problems please post the exact output of<br>
  information</strong>   in an attempt to conceal your IP address, netmask, 
  nameserver addresses,  domain name, etc. These aren't secrets, and concealing 
  them often misleads  us (and 80% of the time, a hacker could derive them 
-anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
+ anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
 </ul>
@ -270,12 +286,12 @@ anyway from information  contained in the SMTP headers of your post).<strong></s
                  <li>                                   Do you see any "Shorewall" 
    messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>") 
          when   you exercise the function that is giving you problems? If 
-so,   include the message(s) in your post along with a copy of your /etc/shorewall/interfaces 
+ so,   include the message(s) in your post along with a copy of your /etc/shorewall/interfaces 
    file.<br>
             <br>
           </li>
           <li>Please include any of the Shorewall configuration  files 
-(especially             the    /etc/shorewall/hosts file if you have modified
+  (especially             the    /etc/shorewall/hosts file if you have modified
  that   file)      that  you    think are    relevant. If you include /etc/shorewall/rules, 
    please include /etc/shorewall/policy as well (rules are meaningless unless 
    one also knows the policies).                      </li>
@ -291,8 +307,8 @@ so,   include the message(s) in your post along with a copy of your /etc/shorewa
 <h3>                     </h3>
 <ul>
-                       <li>                         If an error occurs when 
+                         <li>                         If an error occurs
- you   try   to "<font color="#009900"><b>shorewall  start</b></font>",  
+when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>", 
   include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
       section  for    instructions).         </li>
@ -310,26 +326,26 @@ so,   include the message(s) in your post along with a copy of your /etc/shorewa
 </ul>
         The author gratefully acknowleges that the above list was heavily
-plagiarized    from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
+ plagiarized    from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
-found  at  <a
+ found  at  <a
 href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
 <h2>Please post in plain text</h2>
 <blockquote>            </blockquote>
           A growing number of MTAs serving list subscribers are rejecting
-all    HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net 
+ all    HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net 
-   "for continuous abuse" because it has been my policy to allow HTML in list
+    "for continuous abuse" because it has been my policy to allow HTML in 
-   posts!!<br>
+list    posts!!<br>
             <br>
              I think that blocking all HTML is a Draconian way to control
-spam    and  that the ultimate losers here are not the spammers but the list
+ spam    and  that the ultimate losers here are not the spammers but the
-subscribers      whose MTAs are bouncing all shorewall.net mail. As one list
+list  subscribers      whose MTAs are bouncing all shorewall.net mail. As
-subscriber   wrote  to me privately "These e-mail admin's need to get a <i>(expletive 
+one list  subscriber   wrote  to me privately "These e-mail admin's need
- deleted)</i>  life instead of trying to rid the planet of HTML based e-mail". 
+to get a <i>(expletive   deleted)</i>  life instead of trying to rid the
- Nevertheless,  to allow subscribers to receive list posts as must as possible, 
+planet of HTML based e-mail".   Nevertheless,  to allow subscribers to receive
- I have now   configured the list server at shorewall.net to strip all HTML 
+list posts as must as possible,   I have now   configured the list server
- from outgoing  posts.<br>
+at shorewall.net to strip all HTML   from outgoing  posts.<br>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -337,16 +353,16 @@ subscriber   wrote  to me privately "These e-mail admin's need to get a <i>(expl
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem
        to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
-mailing       list</a>.</span></h4>
+ mailing       list</a>.</span></h4>
              <b>If you run Shorewall under MandrakeSoft Multi Network Firewall 
   (MNF)   and you have not purchased an MNF license from MandrakeSoft then 
  you can  post non MNF-specific Shorewall questions to the </b><a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
-list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
+ list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
-list.</a></p>
+ list.</a></p>
                </blockquote>
@ -357,7 +373,7 @@ list.</a></p>
                     .</p>
-<p align="left"><font size="2">Last Updated 2/3/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 2/4/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -365,5 +381,7 @@ list.</a></p>
       <br>
       <br>
     <br>
  <br>
 <br>
 </body>
 </html>