Modify sourceforge_index.htm for HTML 4.01 Transitional Compatibility

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@838 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-12-13 00:25:04 +00:00 · 2003-12-13 00:25:04 +00:00 · 1698bf7e20
commit 1698bf7e20
parent c576b6ab74
1 changed files with 420 additions and 325 deletions
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -1,425 +1,520 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-  <meta http-equiv="Content-Type"
+<meta name="generator" content="HTML Tidy, see www.w3.org">
- content="text/html; charset=UTF-8">
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-  <title>Shoreline Firewall (Shorewall) 1.4</title>
+<title>Shoreline Firewall (Shorewall) 1.4</title>
-  <base target="_self">
+<base target="_self">
 </head>
 <body>
 <div align="center">
 <center>
-<table border="0" cellpadding="0" cellspacing="0"
+<table border="0" cellpadding="0" cellspacing="0" style=
- style="border-collapse: collapse;" width="100%" id="AutoNumber4">
+"border-collapse: collapse;" width="100%" id="AutoNumber4">
-  <tbody>
+<tbody>
-    <tr>
+<tr>
-      <td width="90%">
+<td width="90%">
-      <h2>Site Problem</h2>
+<h2>Site Problem</h2>
-The server that normally hosts www.shorewall.net and ftp.shorewall.net
+
-is currently down. Until it is back up, a small server with very
+The server that normally hosts www.shorewall.net and
-limited bandwidth is being used temporarly. You will likely experience
+ftp.shorewall.net is currently down. Until it is back up, a small
-better response time from the <a
+server with very limited bandwidth is being used temporarly. You
- href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
+will likely experience better response time from the <a href=
-or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
+"http://shorewall.sourceforge.net" target="_top">Sourceforge
-Sorry for the inconvenience.<br>
+site</a> or from one of the other <a href=
-      <br>
+"shorewall_mirrors.htm">mirrors</a>. Sorry for the
-      <h2>Introduction<br>
+inconvenience.<br>
-      </h2>
+ <br>
-      <ul>
+ 
-        <li><a href="http://www.netfilter.org">Netfilter</a> - the
+
-packet filter facility built into the 2.4 and later Linux kernels.</li>
+<h2>Introduction<br>
-        <li>ipchains - the packet filter facility built into the 2.2
+</h2>
-Linux kernels. Also the name of the utility program used to configure
+
-and control that facility. Netfilter can be used in ipchains
+<ul>
 <li><a href="http://www.netfilter.org">Netfilter</a> - the packet
 filter facility built into the 2.4 and later Linux kernels.</li>
 <li>ipchains - the packet filter facility built into the 2.2 Linux
 kernels. Also the name of the utility program used to configure and
 control that facility. Netfilter can be used in ipchains
 compatibility mode.<br>
-        </li>
+</li>
-        <li>iptables - the utility program used to configure and
+
-control Netfilter. The term 'iptables' is often used to refer to the
+<li>iptables - the utility program used to configure and control
 Netfilter. The term 'iptables' is often used to refer to the
 combination of iptables+Netfilter (with Netfilter not in ipchains
 compatibility mode).<br>
-        </li>
+</li>
-      </ul>
+</ul>
 The Shoreline Firewall, more commonly known as "Shorewall", is
 high-level tool for configuring Netfilter. You describe your
-firewall/gateway requirements using entries in a set of configuration
+firewall/gateway requirements using entries in a set of
-files. Shorewall reads those configuration files and with the help of
+configuration files. Shorewall reads those configuration files and
-the iptables utility, Shorewall configures Netfilter to match your
+with the help of the iptables utility, Shorewall configures
-requirements. Shorewall can be used on a dedicated firewall system, a
+Netfilter to match your requirements. Shorewall can be used on a
-multi-function gateway/router/server or on a standalone GNU/Linux
+dedicated firewall system, a multi-function gateway/router/server
-system. Shorewall does not use Netfilter's ipchains compatibility mode
+or on a standalone GNU/Linux system. Shorewall does not use
-and can thus take advantage of Netfilter's connection state tracking
+Netfilter's ipchains compatibility mode and can thus take advantage
-capabilities.
+of Netfilter's connection state tracking capabilities. 
-      <p>This program is free software; you can redistribute it and/or
+
-modify it under the terms of <a
+<p>This program is free software; you can redistribute it and/or
- href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
+modify it under the terms of <a href=
-General Public License</a> as published by the Free Software Foundation.<br>
+"http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
-      <br>
+Public License</a> as published by the Free Software
 Foundation.<br>
 <br>
 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General
+General Public License for more details.<br>
-Public License for more details.<br>
+<br>
-      <br>
+You should have received a copy of the GNU General Public License
-You should have received a copy of the GNU General Public License along
+along with this program; if not, write to the Free Software
-with this program; if not, write to the Free Software Foundation, Inc.,
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
-675 Mass Ave, Cambridge, MA 02139, USA</p>
+
-      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
+<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
 Eastep</a></p>
-      <h2>This is the Shorewall 1.4 Web Site</h2>
+
 <h2>This is the Shorewall 1.4 Web Site</h2>
 The information on this site applies only to 1.4.x releases of
 Shorewall. For older versions:<br>
-      <ul>
+ 
-        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
+
- target="_top">here.</a></li>
+<ul>
-        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
+<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target=
- target="_top">here</a>.<br>
+"_top">here.</a></li>
-        </li>
+
-      </ul>
+<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target=
-      <h2>Getting Started with Shorewall</h2>
+"_top">here</a>.<br>
-New to Shorewall? Start by selecting the <a
+</li>
- href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
+</ul>
-closely match your environment and follow the step by step instructions.<br>
+
-      <h2>Looking for Information?</h2>
+<h2>Getting Started with Shorewall</h2>
-The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
+
-Index</a> is a good place to start as is the Quick Search in the frame
+New to Shorewall? Start by selecting the <a href=
-above.
+"shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
-      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
+closely match your environment and follow the step by step
-If so, the documentation<b> </b>on this site will not apply directly
+instructions.<br>
-to
+ 
-your setup. If you want to use the documentation that you find here,
+
-you will want to consider uninstalling what you have and installing a
+<h2>Looking for Information?</h2>
-setup that matches the documentation on this site. See the <a
+
- href="two-interface.htm">Two-interface QuickStart Guide</a> for
+The <a href=
-details.
+"shorewall_quickstart_guide.htm#Documentation">Documentation
-      <h2></h2>
+Index</a> is a good place to start as is the Quick Search in the
-      <h2><b>News</b></h2>
+frame above. 
-      <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1 </b><b> <img
+
- style="border: 0px solid ; width: 28px; height: 12px;"
+<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
- src="images/new10.gif" alt="(New)" title=""><br>
+
-      </b></p>
+If so, the documentation <b></b>on this site will not apply
-      <div style="margin-left: 40px;"><a
+directly to your setup. If you want to use the documentation that
- href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
+you find here, you will want to consider uninstalling what you have
-      <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
+and installing a setup that matches the documentation on this site.
-      </div>
+See the <a href="two-interface.htm">Two-interface QuickStart
-      <p>Problems Corrected since version 1.4.8:<br>
+Guide</a> for details. 
-      </p>
+
-      <ol>
+<h2><b>News</b></h2>
-        <li>There has been a low continuing level of confusion over the
+
-terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
+<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img style=
-all instances of "Static NAT" have been replaced with "One-to-one NAT"
+"border: 0px solid ; width: 28px; height: 12px;" src=
-in the documentation and configuration files.</li>
+"images/new10.gif" alt="(New)" title=""><br>
-        <li>The description of NEWNOTSYN in shorewall.conf has been
+</b></p>
 <div style="margin-left: 40px;"><a href=
 "http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
 <a href="ftp://shorewall.net/pub/shorewall/Beta" target=
 "_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
 </div>
 <p>Problems Corrected since version 1.4.8:<br>
 </p>
 <ol>
 <li>There has been a low continuing level of confusion over the
 terms "Source NAT" (SNAT) and "Static NAT". To avoid future
 confusion, all instances of "Static NAT" have been replaced with
 "One-to-one NAT" in the documentation and configuration files.</li>
 <li>The description of NEWNOTSYN in shorewall.conf has been
 reworded for clarity.</li>
-        <li>Wild-card rules (those involving "all" as SOURCE or DEST)
+
-will no longer produce an error if they attempt to add a rule that
+<li>Wild-card rules (those involving "all" as SOURCE or DEST) will
-would override a NONE policy. The logic for expanding these wild-card
+no longer produce an error if they attempt to add a rule that would
 override a NONE policy. The logic for expanding these wild-card
 rules now simply skips those (SOURCE,DEST) pairs that have a NONE
 policy.<br>
-        </li>
+</li>
-      </ol>
+</ol>
-      <p>Migration Issues:<br>
+
-      <br>
+<p>Migration Issues:<br>
 <br>
 &nbsp;&nbsp;&nbsp; None.<br>
-      <br>
+<br>
 New Features:<br>
-      </p>
+</p>
-      <ol>
+
-        <li>To cut down on the number of "Why are these ports closed
+<ol>
-rather than stealthed?" questions, the SMB-related rules in
+<li>To cut down on the number of "Why are these ports closed rather
-/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
+than stealthed?" questions, the SMB-related rules in
-        <li>For easier identification, packets logged under the
+/etc/shorewall/common.def have been changed from 'reject' to
-'norfc1918' interface option are now logged out of chains named
+'DROP'.</li>
-'rfc1918'. Previously, such packets were logged under chains named
+
 <li>For easier identification, packets logged under the 'norfc1918'
 interface option are now logged out of chains named 'rfc1918'.
 Previously, such packets were logged under chains named
 'logdrop'.</li>
-        <li>Distributors and developers seem to be regularly inventing
+
-new naming conventions for kernel modules. To avoid the need to change
+<li>Distributors and developers seem to be regularly inventing new
-Shorewall code for each new convention, the MODULE_SUFFIX option has
+naming conventions for kernel modules. To avoid the need to change
-been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
+Shorewall code for each new convention, the MODULE_SUFFIX option
-for module names in your particular distribution. If MODULE_SUFFIX is
+has been added to shorewall.conf. MODULE_SUFFIX may be set to the
-not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
+suffix for module names in your particular distribution. If
-          <br>
+MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
 list "o gz ko o.gz".<br>
 <br>
 To see what suffix is used by your distribution:<br>
-          <br>
+<br>
 ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
-          <br>
+<br>
-All of the files listed should have the same suffix (extension). Set
+All of the files listed should have the same suffix (extension).
-MODULE_SUFFIX to that suffix.<br>
+Set MODULE_SUFFIX to that suffix.<br>
-          <br>
+<br>
 Examples:<br>
-          <br>
+<br>
 &nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
 MODULE_SUFFIX="kzo"<br>
 &nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
 MODULE_SUFFIX="kz.o"</li>
-        <li>Support for user defined rule ACTIONS has been implemented
+
 <li>Support for user defined rule ACTIONS has been implemented
 through two new files:<br>
-          <br>
+<br>
 /etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
-/etc/shorewall/action.template - For each user defined &lt;action&gt;,
+/etc/shorewall/action.template - For each user defined
-copy this file to /etc/shorewall/action.&lt;action&gt; and add the
+&lt;action&gt;, copy this file to
-appropriate rules for that &lt;action&gt;. Once an &lt;action&gt; has
+/etc/shorewall/action.&lt;action&gt; and add the appropriate rules
-been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
+for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
-DROP, etc.) in /etc/shorewall/rules.<br>
+it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
-          <br>
+in /etc/shorewall/rules.<br>
-Example: You want an action that logs a packet at the 'info' level and
+<br>
-accepts the connection.<br>
+Example: You want an action that logs a packet at the 'info' level
-          <br>
+and accepts the connection.<br>
 <br>
 In /etc/shorewall/actions, you would add:<br>
-          <br>
+<br>
 &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
-          <br>
+<br>
 You would then copy /etc/shorewall/action.template to
 /etc/shorewall/LogAndAccept and in that file, you would add the two
 rules:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
-      </ol>
+</ol>
-      <p><b>12/03/2003 - Support Torch Passed</b><b> <img
+
- style="border: 0px solid ; width: 28px; height: 12px;"
+<p><b>12/03/2003 - Support Torch Passed</b> <b><img style=
- src="images/new10.gif" alt="(New)" title=""></b></p>
+"border: 0px solid ; width: 28px; height: 12px;" src=
-Effective today, I am reducing my participation in the
+"images/new10.gif" alt="(New)" title=""></b></p>
-day-to-day support of Shorewall. As part of this shift to
+
-community-based Shorewall support a new <a
+Effective today, I am reducing my participation in the day-to-day
- href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
+support of Shorewall. As part of this shift to community-based
-Newbies mailing list</a>
+Shorewall support a new <a href=
-has been established to field questions and problems from new users. I
+"https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
-will not monitor that list personally. I will continue my active
+Newbies mailing list</a> has been established to field questions
-development of Shorewall
+and problems from new users. I will not monitor that list
-and will be available via the development list to handle development
+personally. I will continue my active development of Shorewall and
-issues -- Tom.
+will be available via the development list to handle development
-      <p><b>11/01/2003 - Shorewall 1.4.8 RC2</b><b> <img
+issues -- Tom. 
- style="border: 0px solid ; width: 28px; height: 12px;"
+
- src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
+<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img style=
-Given the small number of new features and the relatively few lines of
+"border: 0px solid ; width: 28px; height: 12px;" src=
-code that were changed, there will be no Beta for 1.4.8.<br>
+"images/new10.gif" alt="(New)" title=""></b> <b></b></p>
-      <p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
+
-      <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
+Given the small number of new features and the relatively few lines
-      <br>
+of code that were changed, there will be no Beta for 1.4.8.<br>
-      </b>Problems Corrected since version 1.4.7:<br>
+ 
-      </p>
+
-      <ol>
+<p><b><a href=
-        <li>Tuomo Soini has supplied a correction to a problem that
+"http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
-occurs
+
 <a href="ftp://shorewall.net/pub/shorewall/Beta" target=
 "_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
 <br>
 </b> Problems Corrected since version 1.4.7:<br>
 </p>
 <ol>
 <li>Tuomo Soini has supplied a correction to a problem that occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
-&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or
 directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.</li>
-        <li>Andres Zhoglo has supplied a correction that avoids trying
+
-to use the multiport match iptables facility on ICMP rules.<br>
+<li>Andres Zhoglo has supplied a correction that avoids trying to
 use the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
-&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+&nbsp;&nbsp; Example of rule that previously caused "shorewall
-to fail:<br>
+start" to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
-          <br>
+<br>
-        </li>
+</li>
-        <li>Previously, if the following error message was issued,
+
 <li>Previously, if the following error message was issued,
 Shorewall was left in an inconsistent state.<br>
 &nbsp;<br>
-&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through
-          <br>
+interface xxx<br>
-        </li>
+<br>
-        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
+</li>
-been corrected.</li>
+
-        <li>In Shorewall 1.4.2, an optimization was added. This
+<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
-optimization
+corrected.</li>
-involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+
-defined using the /etc/shorewall/hosts file. It has since been
+<li>In Shorewall 1.4.2, an optimization was added. This
-discovered that in many cases these new chains contain redundant rules
+optimization involved creating a chain named "&lt;zone&gt;_frwd"
-and that the "optimization" turns out to be less than optimal. The
+for most zones defined using the /etc/shorewall/hosts file. It has
-implementation has now been corrected.</li>
+since been discovered that in many cases these new chains contain
-        <li>When the MARK value in a tcrules entry is followed by ":F"
+redundant rules and that the "optimization" turns out to be less
-or
+than optimal. The implementation has now been corrected.</li>
 <li>When the MARK value in a tcrules entry is followed by ":F" or
 ":P", the ":F" or ":P" was previously only applied to the first
-Netfilter rule generated by the entry. It is now applied to all entries.</li>
+Netfilter rule generated by the entry. It is now applied to all
-        <li>An incorrect comment concerning Debian's use of the
+entries.</li>
-SUBSYSLOCK option has been removed from shorewall.conf.</li>
+
-        <li>Previously, neither the 'routefilter' interface option nor
+<li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
-the
+option has been removed from shorewall.conf.</li>
-ROUTE_FILTER parameter were working properly. This has been corrected
+
-(thanks to Eric Bowles for his analysis and patch). The definition of
+<li>Previously, neither the 'routefilter' interface option nor the
-the ROUTE_FILTER option has changed however. Previously,
+ROUTE_FILTER parameter were working properly. This has been
-ROUTE_FILTER=Yes was documented as enabling route filtering on all
+corrected (thanks to Eric Bowles for his analysis and patch). The
-interfaces (which didn't work). Beginning with this release, setting
+definition of the ROUTE_FILTER option has changed however.
-ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
+Previously, ROUTE_FILTER=Yes was documented as enabling route
-up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
+filtering on all interfaces (which didn't work). Beginning with
-coexist with the use of the 'routefilter' option in the interfaces file.</li>
+this release, setting ROUTE_FILTER=Yes will enable route filtering
-        <li>If MAC verification was enabled on an interface with a /32
+of all interfaces brought up while Shorewall is started. As a
-address and
+consequence, ROUTE_FILTER=Yes can coexist with the use of the
-a broadcast address then an error would occur during startup.</li>
+'routefilter' option in the interfaces file.</li>
-      </ol>
+
 <li>If MAC verification was enabled on an interface with a /32
 address and a broadcast address then an error would occur during
 startup.</li>
 </ol>
 Migration Issues:<br>
-      <ol>
+ 
-        <li>The definition of the ROUTE_FILTER option in shorewall.conf
+
-has changed as described in item 8) above.<br>
+<ol>
-        </li>
+<li>The definition of the ROUTE_FILTER option in shorewall.conf has
-      </ol>
+changed as described in item 8) above.<br>
 </li>
 </ol>
 New Features:<br>
-      <ol>
+ 
-        <li>A new QUEUE action has been introduced for rules. QUEUE
+
-allows
+<ol>
-you to pass connection requests to a user-space filter such as ftwall
+<li>A new QUEUE action has been introduced for rules. QUEUE allows
-(http://p2pwall.sourceforge.net). The ftwall program
+you to pass connection requests to a user-space filter such as
-allows for effective filtering of p2p applications such as Kazaa. For
+ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
 for effective filtering of p2p applications such as Kazaa. For
 example, to use ftwall to filter P2P clients in the 'loc' zone, you
 would add the following rules:<br>
-          <br>
+<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
-          <br>
+<br>
-You would normally want to place those three rules BEFORE any ACCEPT
+You would normally want to place those three rules BEFORE any
-rules for loc-&gt;net udp or tcp.<br>
+ACCEPT rules for loc-&gt;net udp or tcp.<br>
-          <br>
+<br>
 Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
-        <li>A
+
-BLACKLISTNEWNONLY option has been added to shorewall.conf. When this
+<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf.
-option is set to "Yes", the blacklists (dynamic and static) are only
+When this option is set to "Yes", the blacklists (dynamic and
-consulted for new connection requests. When set to "No" (the default if
+static) are only consulted for new connection requests. When set to
-the variable is not set), the blacklists are consulted on every packet.<br>
+"No" (the default if the variable is not set), the blacklists are
-          <br>
+consulted on every packet.<br>
 <br>
 Setting this option to "No" allows blacklisting to stop existing
 connections from a newly blacklisted host but is more expensive in
 terms of packet processing time. This is especially true if the
 blacklists contain a large number of entries.</li>
-        <li>Chain names used in the /etc/shorewall/accounting file may
+
-now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
+<li>Chain names used in the /etc/shorewall/accounting file may now
-      </ol>
+begin with a digit ([0-9]) and may contain embedded dashes
-      <p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
+("-").</li>
-bag awards </b><b><img
+</ol>
- style="border: 0px solid ; width: 50px; height: 80px;"
+
- src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
+<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
-1.4.7c released.</b> </p>
+awards</b> <b><img style=
-      <ol>
+"border: 0px solid ; width: 50px; height: 80px;" src=
-        <li>The saga with "&lt;zone&gt;_frwd" chains continues. The
+"images/j0233056.gif" align="middle" title="" alt="">Shorewall
-1.4.7c script
+1.4.7c released.</b></p>
-produces a ruleset that should work for everyone even if it is not
+
-quite optimal. My apologies for this ongoing mess.</li>
+<ol>
-      </ol>
+<li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c
-      <p><b>10/24/2003 - Shorewall 1.4.7b</b><b> <img
+script produces a ruleset that should work for everyone even if it
- style="border: 0px solid ; width: 28px; height: 12px;"
+is not quite optimal. My apologies for this ongoing mess.</li>
- src="images/new10.gif" alt="(New)" title=""></b></p>
+</ol>
-      <p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
+
-      </p>
+<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img style=
-      <ol>
+"border: 0px solid ; width: 28px; height: 12px;" src=
-        <li>The fix for problem 5 in 1.4.7a was wrong with the result
+"images/new10.gif" alt="(New)" title=""></b></p>
-that
+
-"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
+<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
-is corrected in this release.<br>
+</p>
-        </li>
+
-      </ol>
+<ol>
-      <p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
+<li>The fix for problem 5 in 1.4.7a was wrong with the result that
-      <p>This is a bugfix rollup of the following problem corrections:<br>
+"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong
-      </p>
+code is corrected in this release.<br>
-      <ol>
+</li>
-        <li>Tuomo Soini has supplied a correction to a problem that
+</ol>
-occurs
+
 <p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
 <p>This is a bugfix rollup of the following problem
 corrections:<br>
 </p>
 <ol>
 <li>Tuomo Soini has supplied a correction to a problem that occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
-&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or
 directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.<br>
-          <br>
+<br>
-        </li>
+</li>
-        <li>Andres Zhoglo has supplied a correction that avoids trying
+
-to use the multiport match iptables facility on ICMP rules.<br>
+<li>Andres Zhoglo has supplied a correction that avoids trying to
 use the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
-&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+&nbsp;&nbsp; Example of rule that previously caused "shorewall
-to fail:<br>
+start" to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
-          <br>
+<br>
-        </li>
+</li>
-        <li>Previously, if the following error message was issued,
+
 <li>Previously, if the following error message was issued,
 Shorewall was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through
 interface xxx<br>
-          <br>
+<br>
-        </li>
+</li>
-        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
+
-been corrected.</li>
+<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
-        <li>In Shorewall 1.4.2, an optimization was added. This
+corrected.</li>
-optimization
+
-involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+<li>In Shorewall 1.4.2, an optimization was added. This
-defined using the /etc/shorewall/hosts file. It has since been
+optimization involved creating a chain named "&lt;zone&gt;_frwd"
-discovered that in many cases these new chains contain redundant rules
+for most zones defined using the /etc/shorewall/hosts file. It has
-and that the "optimization" turns out to be less than optimal. The
+since been discovered that in many cases these new chains contain
-implementation has now been corrected.</li>
+redundant rules and that the "optimization" turns out to be less
-        <li>When the MARK value in a tcrules entry is followed by ":F"
+than optimal. The implementation has now been corrected.</li>
-or
+
 <li>When the MARK value in a tcrules entry is followed by ":F" or
 ":P", the ":F" or ":P" was previously only applied to the first
-Netfilter rule generated by the entry. It is now applied to all entries.</li>
+Netfilter rule generated by the entry. It is now applied to all
-      </ol>
+entries.</li>
-      <p><b><a href="News.htm">More News</a></b></p>
+</ol>
-      <b> </b>
+
-      <h2><b> </b></h2>
+<p><b><a href="News.htm">More News</a></b></p>
-      <b> </b>
+
-      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
+ <b></b> 
- border="0" src="images/leaflogo.gif" width="49" height="36"
+
- alt="(Leaf Logo)"> </a>Jacques Nilo and Eric Wolzak have a LEAF
+<h2><b></b></h2>
-(router/firewall/gateway on a floppy, CD or compact flash) distribution
+
-called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
+ <b></b> 
-You can find their work at: <a
+
- href="http://leaf.sourceforge.net/devel/jnilo">
+<p><a href="http://leaf.sourceforge.net" target="_top"><img border=
-http://leaf.sourceforge.net/devel/jnilo</a></p>
+"0" src="images/leaflogo.gif" width="49" height="36" alt=
-      <b>Congratulations to Jacques and Eric on the recent release of
+"(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
-Bering 1.2!!! </b><br>
+(router/firewall/gateway on a floppy, CD or compact flash)
-      <h1 align="center"><b><a href="http://www.sf.net"><img
+distribution called <i>Bering</i> that features Shorewall-1.4.2 and
- align="left" alt="SourceForge Logo"
+Kernel-2.4.20. You can find their work at: <a href=
- src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> </a></b></h1>
+"http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
-      <b> </b>
+
-      <h4><b> </b></h4>
+<b>Congratulations to Jacques and Eric on the recent release of
-      <b> </b>
+Bering 1.2!!!</b> <br>
-      <h2><b>This site is hosted by the generous folks at <a
+ 
- href="http://www.sf.net">SourceForge.net</a></b></h2>
+
-      <br>
+<h1 align="center"><b><a href="http://www.sf.net"><img align="left"
-      <br>
+alt="SourceForge Logo" src=
-      <h2><b><a name="Donations"></a>Donations</b></h2>
+"http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
-      <b> </b></td>
+</a></b></h1>
-    </tr>
+
-  </tbody>
+ <b></b> 
 <h4><b></b></h4>
 <b></b> 
 <h2><b>This site is hosted by the generous folks at <a href=
 "http://www.sf.net">SourceForge.net</a></b></h2>
 <br>
 <br>
 <h2><b><a name="Donations"></a>Donations</b></h2>
 <b></b></td>
 </tr>
 </tbody>
 </table>
 </center>
 </div>
-<table border="0" cellpadding="5" cellspacing="0"
+
- style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
+<table border="0" cellpadding="5" cellspacing="0" style=
 "border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
 id="AutoNumber2">
-  <tbody>
+<tbody>
-    <tr>
+<tr>
-      <td style="width: 100%; margin-top: 1px;">
+<td style="width: 100%; margin-top: 1px;">
-      <p align="center"><a href="http://www.starlight.org"> <img
+<p align="center"><a href="http://www.starlight.org"><img border=
- border="4" src="images/newlog.gif" width="57" height="100" align="left"
+"4" src="images/newlog.gif" width="57" height="100" align="left"
- hspace="10"> </a></p>
+hspace="10" alt="Starlight Foundation Logo"></a></p>
-      <p align="center"><font size="4" color="#ffffff"><br>
+
-      <font size="+2">Shorewall is free but if you try it and find it
+<p align="center"><font size="4" color="#ffffff"><br>
-useful, please consider making a donation to <a
+ <font size="+2">Shorewall is free but if you try it and find it
- href="http://www.starlight.org"><font color="#ffffff">Starlight
+useful, please consider making a donation to <a href=
 "http://www.starlight.org"><font color="#ffffff">Starlight
 Children's Foundation.</font></a> Thanks!</font></font></p>
-      </td>
+</td>
-    </tr>
+</tr>
-  </tbody>
+</tbody>
 </table>
-<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom Eastep</a></font>
+
-<br>
+<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom
 Eastep</a></font><br>
 </p>
 </body>
 </html>