Changes for 1.3.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@265 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2002-09-29 21:42:38 +00:00 · 2002-09-29 21:42:38 +00:00 · 17eb5cd1bb
commit 17eb5cd1bb
parent 9e24f2bdd7
21 changed files with 10779 additions and 10067 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
@ -10,6 +10,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall 1.3 Documentation</title>
                                                   <base target="_self">
  <meta name="Microsoft Theme" content="none, default">
  <meta name="Microsoft Border" content="none, default">
@ -52,20 +53,23 @@ in /etc/shorewall/ that           establishes  overall firewall policy.</li>
       <li><b>    <a href="#Rules">rules</a> </b> -- a parameter file installed 
 in /etc/shorewall and used           to express firewall rules that are exceptions
 to the high-level           policies established in /etc/shorewall/policy.</li>
-     <li><b><a href="#Blacklist">blacklist</a> -- </b>a parameter file installed 
+       <li><b><a href="#Blacklist">blacklist</a> -- </b>a parameter file
-in /etc/shorewall and used     to list blacklisted IP/subnet/MAC addresses.</li>
+installed  in /etc/shorewall and used     to list blacklisted IP/subnet/MAC
 addresses.</li>
       <li><b>   functions</b> -- a set of shell functions used by both the 
 firewall and     shorewall shell programs. Installed in /etc/shorewall prior 
-to version 1.3.2     and in /var/lib/shorewall in later versions.</li>
+ to version 1.3.2, in /var/lib/shorewall in version s 1.3.2-1.3.8 and in
-     <li><b>    <a href="#modules">modules</a></b> -- a parameter file installed 
+/usr/lib/shorewall in later versions.</li>
-in /etc/shorewall and that         specifies kernel modules and their parameters. 
+       <li><b>    <a href="#modules">modules</a></b> -- a parameter file
-Shorewall will         automatically  load the modules specified in this file.</li>
+installed  in /etc/shorewall and that         specifies kernel modules and
-     <li><a href="#TOS"><b>   tos</b> </a>-- a parameter file installed in 
+their parameters.  Shorewall will         automatically  load the modules
-/etc/shorewall that is used to         specify how the Type of Service (TOS) 
+specified in this file.</li>
-field in packets is to be set.</li>
+       <li><a href="#TOS"><b>   tos</b> </a>-- a parameter file installed 
-     <li><a href="#Scripts"><b>   icmp.def</b> </a>-- a parameter file installed 
+in  /etc/shorewall that is used to         specify how the Type of Service 
-in /etc/shorewall and that         specifies the default handling of ICMP 
+(TOS)  field in packets is to be set.</li>
-packets when the applicable policy is     DROP or REJECT.</li>
+       <li><a href="#Scripts"><b>   icmp.def</b> </a>-- a parameter file
 installed  in /etc/shorewall and that         specifies the default handling
 of ICMP  packets when the applicable policy is     DROP or REJECT.</li>
       <li><b><a href="#Scripts">common.def</a></b> -- a parameter file installed 
 in     in /etc/shorewall that defines firewall-wide rules that are applied 
 before a     DROP or REJECT policy is applied.</li>
@ -75,38 +79,41 @@ on the firewall system.</li>
       <li><a href="#Hosts"><b>   hosts</b> </a>-- a parameter file installed 
 in /etc/shorewall/ and           used  to describe individual hosts or subnetworks 
 in zones.</li>
-     <li><b>    <a href="#Masq">masq</a></b> - This file           also describes 
+       <li><b>    <a href="#Masq">masq</a></b> - This file           also 
-IP masquerading under Shorewall  and is installed in           /etc/shorewall.</li>
+describes  IP masquerading under Shorewall  and is installed in          
-     <li><b><a href="#Structure">firewall</a></b> -- a shell program that 
+/etc/shorewall.</li>
-reads the configuration files in           /etc/shorewall and configures your
+       <li><b><a href="shorewall_firewall_structure.htm">firewall</a></b>
-            firewall. This file is  installed in your init.d            
+-- a shell program that  reads the configuration files in           /etc/shorewall
-directory (/etc/rc.d/init.d  ) where it is renamed <i>shorewall.</i>    
+and configures your             firewall. This file is  installed in your
- /etc/shorewall/firewall (/var/lib/shorewall/firewall in version 1.3.2 and
+init.d             directory (/etc/rc.d/init.d  ) where it is renamed <i>shorewall.</i>  
-    later) is a symbolic link to this program.</li>
+    /etc/shorewall/firewall (/var/lib/shorewall/firewall in versions 1.3.2-1.3.8
 and /usr/lib/shorewall/firewall in 1.3.9 and     later) is a symbolic link
 to this program.</li>
       <li><b>    <a href="#NAT">nat</a></b> -- a parameter file in /etc/shorewall 
 used to define <a href="#NAT">  static            NAT</a>   .</li>
       <li><b>    <a href="#ProxyArp">proxyarp</a></b> -- a parameter file
-in /etc/shorewall used to define <a href="#ProxyArp">   Proxy           Arp</a>
+ in /etc/shorewall used to define <a href="#ProxyArp">   Proxy          
-   .</li>
+Arp</a>     .</li>
       <li><b><a href="#rfc1918">rfc1918</a></b> -- a parameter file in 
   /etc/shorewall used to define the treatment of packets under the    <a
 href="#Interfaces">norfc1918 interface option</a>.</li>
-     <li><b><a href="#Routestopped">routestopped</a></b> -- a parameter file 
+       <li><b><a href="#Routestopped">routestopped</a></b> -- a parameter 
-in     /etc/shorewall used to define those hosts that can access the firewall 
+file  in     /etc/shorewall used to define those hosts that can access the 
-when     Shorewall is stopped.</li>
+firewall  when     Shorewall is stopped.</li>
-     <li><a href="traffic_shaping.htm#tcrules"><b>tcrules</b> </a>-- a parameter 
+       <li><a href="traffic_shaping.htm#tcrules"><b>tcrules</b> </a>-- a
-file in /etc/shorewall used to define rules for     classifying packets for 
+parameter  file in /etc/shorewall used to define rules for     classifying
-    <a href="traffic_shaping.htm">Traffic     Shaping/Control</a>.</li>
+packets for      <a href="traffic_shaping.htm">Traffic     Shaping/Control</a>.</li>
-     <li><b>    <a href="#Tunnels">tunnels</a></b> -- a parameter file in 
+       <li><b>    <a href="#Tunnels">tunnels</a></b> -- a parameter file
-/etc/shorewall used to define           IPSec  tunnels.</li>
+in  /etc/shorewall used to define           IPSec  tunnels.</li>
       <li><b>    <a href="#Starting">shorewall</a> </b> -- a shell program 
 (requiring a Bourne shell  or             derivative) used to control and 
 monitor             the firewall. This should be placed in /sbin or in  
          /usr/sbin (the install.sh script and the rpm install this file 
           in /sbin).</li>
-     <li><b>    <a href="#Version">version</a></b> -- a file created in /etc/shorewall/ 
+       <li><b>    version</b> -- a file created in /etc/shorewall/      
-                (/var/lib/shorewall in version 1.3.2 and later) that describes 
+           (/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall
- the version of  Shorewall             installed on your system.</li>
+beginning in version 1.3.9) that describes   the version of  Shorewall  
          installed on your system.</li>
 </ul>
@ -140,18 +147,18 @@ files.</p>
 in /etc/shorewall/zones  for each zone;   Columns in an entry are:</p>
 <ul>
-     <li><b>   ZONE</b> - short name for the zone. The name should be 5 characters 
+       <li><b>   ZONE</b> - short name for the zone. The name should be 5 
-or less in     length and consist of lower-case letters or numbers. Short 
+characters  or less in     length and consist of lower-case letters or numbers. 
-names must begin     with a letter and the name assigned to the firewall is
+Short  names must begin     with a letter and the name assigned to the firewall 
-reserved for       use by Shorewall itself. Note that the output produced
+is reserved for       use by Shorewall itself. Note that the output produced
   by iptables is much       easier to read if you select short names that
 are  three characters or less       in length. The name "all" may not be
 used as     a zone name nor may the zone name assigned to the firewall itself 
 via the FW     variable in <a href="#Conf">/etc/shorewall/shorewall.conf</a>.</li>
       <li><b>   DISPLAY</b> - The name of the zone as displayed during Shorewall 
 startup.</li>
-     <li><b>   COMMENTS</b> - Any comments that you want to make about the 
+       <li><b>   COMMENTS</b> - Any comments that you want to make about
-zone.       Shorewall  ignores these comments.</li>
+the  zone.       Shorewall  ignores these comments.</li>
 </ul>
@ -180,6 +187,7 @@ zone.       Shorewall  ignores these comments.</li>
             <td>Demilitarized  zone</td>
           </tr>
  </tbody>                                                            
 </table>
@ -209,9 +217,9 @@ accessed via this interface.</li>
 ppp0, ipsec+)</li>
       <li><b>   BROADCAST</b> - the broadcast address(es) for the sub-network(s) 
 attached to the       interface. This should be left empty for P-T-P interfaces 
-(ppp*, ippp*); if     you need to specify options for such an interface, enter
+ (ppp*, ippp*); if     you need to specify options for such an interface, 
-"-" in this column.     If you supply the special value "detect" in this
+enter "-" in this column.     If you supply the special value "detect" in 
-column, the firewall will     automatically determine the broadcast address.
+this column, the firewall will     automatically determine the broadcast address.
 In order to use "detect":               
    <ul>
       <li>you must have iproute installed</li>
@ -239,13 +247,14 @@ that use DHCP and you    select the <b>norfc1918 </b>option (see below).</p>
 the firewall will be ignored by this       interface.<br>
      <br>
      <b>filterping </b>- ICMP echo-request (ping) packets addressed to the 
-firewall    will be handled according to the /etc/shorewall/rules and    /etc/shorewall/policy
+ firewall    will be handled according to the /etc/shorewall/rules and   
-file. If the applicable policy is DROP or REJECT and you    have supplied
+/etc/shorewall/policy file. If the applicable policy is DROP or REJECT and 
-your own /etc/shorewall/icmpdef file then these 'ping' requests    will be
+you    have supplied your own /etc/shorewall/icmpdef file then these 'ping' 
-passed through the rules in that file before being dropped or    rejected.
+requests    will be passed through the rules in that file before being dropped 
-If neither <b>noping </b>nor <b>filterping</b> is specified then the    firewall
+or    rejected. If neither <b>noping </b>nor <b>filterping</b> is specified 
-will automatically ACCEPT these 'ping' requests. If both <b>noping</b>  
+then the    firewall will automatically ACCEPT these 'ping' requests. If both
- and <b>filterping </b>are specified, <b>filterping</b> takes precedence.</p>
+    <b>noping</b>    and <b>filterping </b>are specified, <b>filterping</b> 
 takes precedence.</p>
    <p>   <b>   routestopped</b> - Beginning with Shorewall 1.3.4, this option 
 is deprecated    in favor of the <a href="#Routestopped">/etc/shorewall/routestopped</a> 
@ -274,8 +283,8 @@ to allow access to    certain addresses from the above list, see <a
    <p>   <b>   routefilter</b> -       Invoke the Kernel's route filtering 
 (anti-spoofing) facility on this  interface. The kernel       will reject 
-any packets incoming on this interface  that have a source       address that
+ any packets incoming on this interface  that have a source       address 
-would be routed outbound through another  interface on the       firewall. 
+that would be routed outbound through another  interface on the       firewall. 
     <font color="#ff0000">Warning: </font>If  you specify this option   
   for an interface then the interface must be  up prior to starting the 
     firewall.</p>
@ -285,8 +294,8 @@ you want to be able  to route between       them. Example: you have two addresse
 on your single  local interface eth1,       one each in subnets 192.168.1.0/24
 and 192.168.2.0/24  and you want to       route between these subnets. Because
 you only have one interface in the       local zone, Shorewall won't normally
-create a rule to forward packets from       eth1 to eth1. Adding "multi" to
+ create a rule to forward packets from       eth1 to eth1. Adding "multi"
-the entry for eth1 will cause       Shorewall to create the loc2loc chain 
+to the entry for eth1 will cause       Shorewall to create the loc2loc chain
 and the appropriate forwarding       rule.</p>
    <p><b>dropunclean</b> - Packets from this interface that             
@ -295,8 +304,8 @@ and the appropriate forwarding       rule.</p>
     <font color="#ff0000"><b>Warning: This feature                     requires 
 that UNCLEAN match support be configured in your                     kernel, 
 either in the kernel itself or as a module. UNCLEAN                     support
-is broken in some versions of the kernel but appears                     to
+ is broken in some versions of the kernel but appears                   
-work ok in 2.4.17-rc1.<br>
+ to work ok in 2.4.17-rc1.<br>
                        <br>
                        Update 12/17/2001: </b></font>The unclean match patch 
 from                     2.4.17-rc1 is <a
@ -309,10 +318,10 @@ applied                      to kernel 2.4.16.</p>
                      being dropped in the <i>badpkt</i> chain. This appears 
 to be                     a bug in the remote TCP stack whereby it is 8-byte 
 aligning                     a timestamp (TCP option 8) but rather than padding
-with 0x01                     it is padding with 0x00. It's a tough call whether
+ with 0x01                     it is padding with 0x00. It's a tough call
-to deny                     people access to your servers because of this
+whether to deny                     people access to your servers because 
-rather minor                     bug in their networking software. If you
+of this rather minor                     bug in their networking software. 
-wish to disable the                     check that causes these connections 
+If you wish to disable the                     check that causes these connections 
 to be dropped, <a
 href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean1.patch">here's
                    a kernel patch</a> against 2.4.17-rc2.</p>
@ -326,8 +335,8 @@ and if                     LOGUNCLEAN has not been set, "info" is assumed.</p>
    <p><b>proxyarp </b>(Added in version 1.3.5) - This option            
         causes Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp 
-                     and is used when implementing Proxy ARP Sub-netting as
+                      and is used when implementing Proxy ARP Sub-netting 
-                     described at                     <a
+as                      described at                     <a
 href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">                
    http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. Do <u>        
            not</u> set this option if you are implementing Proxy ARP   
@ -375,6 +384,7 @@ Your /etc/shorewall/interfaces file would be as follows:</p>
 <p>Example  2: You have a standalone dialup GNU/Linux System. Your   /etc/shorewall/interfaces
   file would be:</p>
 <blockquote>                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;">
           <tbody>
@ -622,12 +632,13 @@ connection request then the policy from /etc/shorewall/policy  is applied.</p>
 <p>Four policies are defined:</p>
 <ul>
       <li><b>   ACCEPT</b> - The connection is allowed.</li>
       <li><b>   DROP</b> - The connection request is ignored.</li>
-     <li><b>   REJECT</b> - The connection request is rejected with an RST 
+       <li><b>   REJECT</b> - The connection request is rejected with an
-(TCP) or an ICMP       destination-unreachable  packet being returned to the
+RST  (TCP) or an ICMP       destination-unreachable  packet being returned
-client.</li>
+to the client.</li>
       <li><b>   CONTINUE </b> - The connection is neither ACCEPTed, DROPped 
 nor REJECTed.     CONTINUE may be used when one or both of the zones named 
 in the entry are       sub-zones of or intersect with another zone. For more
@ -657,10 +668,11 @@ zone (a zone defined in the <a href="#Zones">   /etc/shorewall/zones
                               <li>   <b>   POLICY</b> - The default policy 
 for connection requests from the SOURCE       zone to the DESTINATION zone.</li>
-                             <li>   <b>   LOG LEVEL</b> - Optional. If left 
+                               <li>   <b>   LOG LEVEL</b> - Optional. If
-empty, no log message is generated when       the policy is applied. Otherwise, 
+left  empty, no log message is generated when       the policy is applied.
-this column should contain an integer  or       name indicating a syslog level.
+Otherwise,  this column should contain an integer  or       name indicating
-See the syslog.conf man page for  a       description of each log level.</li>
+a syslog level. See the syslog.conf man page for  a       description of
 each log level.</li>
                               <li>   <b>LIMIT:BURST </b>- Optional. If left 
 empty, TCP    connection requests from the <b>SOURCE</b> zone to the <b>DEST</b> 
@ -740,8 +752,8 @@ and       logged at level KERNEL.INFO.</li>
 <p><font color="#ff0000"><b>   The firewall   script processes</b> <b> the 
 /etc/shorewall/policy file from  top to bottom and <u>uses   the first applicable 
 policy that it finds.</u>    For example, in the following   policy file, 
-the policy for (loc, loc)  connections would be ACCEPT as   specified in the
+ the policy for (loc, loc)  connections would be ACCEPT as   specified in 
-first entry even though  the third entry in the file specifies   REJECT.</b></font></p>
+the first entry even though  the third entry in the file specifies   REJECT.</b></font></p>
 <blockquote>                                   <font
 face="Century Gothic, Arial, Helvetica">          </font>         
@ -846,6 +858,7 @@ under the rules of all of these zones. Let's look at an example:</p>
           </tr>
    </tbody>                                                             
  </table>
@ -874,6 +887,7 @@ under the rules of all of these zones. Let's look at an example:</p>
           </tr>
    </tbody>                                                             
  </table>
@ -926,6 +940,7 @@ be listed before <b>net</b>
    </tbody>                                                             
  </table>
   </blockquote>
@ -1106,24 +1121,26 @@ in the /etc/shorewall/policy  file. There is one entry in   /etc/shorewall/rules
 for each of these rules. </p>
 <p>Entries in the file have the  following columns:</p>
 <ul>
       <li><b>ACTION</b>               
    <ul>
-       <li>ACCEPT, DROP or REJECT. These have the same meaning here as in 
+         <li>ACCEPT, DROP or REJECT. These have the same meaning here as
-the       policy file above.</li>
+in  the       policy file above.</li>
-       <li>DNAT -- Causes the connection request to be forwarded to the system 
+         <li>DNAT -- Causes the connection request to be forwarded to the 
-      specified in the DEST column (port forwarding). "DNAT" stands for "<u>D</u>estination
+system        specified in the DEST column (port forwarding). "DNAT" stands 
-      <u>N</u>etwork <u>A</u>ddress <u>T</u>ranslation"</li>
+for "<u>D</u>estination       <u>N</u>etwork <u>A</u>ddress <u>T</u>ranslation"</li>
         <li>REDIRECT -- Causes the connection request to be redirected to
 a port on       the local (firewall) system.</li>
    </ul>
    <p>The ACTION may optionally be followed by     ":" and a syslogd log 
-level (example: REJECT:info). This causes the     packet to be logged at the
+ level (example: REJECT:info). This causes the     packet to be logged at 
-specified level prior to being processed according     to the specified ACTION.<br>
+the specified level prior to being processed according     to the specified 
 ACTION.<br>
       <br>
       The use of DNAT or REDIRECT requires that you have <a
 href="#NatEnabled">NAT     enabled</a>.<br>
@ -1141,9 +1158,12 @@ by a     comma-separated list of qualifiers. Qualifiers are may        include:
    <ul>
         <li>An interface name - refers to any connection requests arriving 
-on           the specified interface (example loc:eth4).</li>
+ on           the specified interface (example loc:eth4). Beginning with Shorwall
-       <li>An IP address - refers to a connection request from the host with 
+1.3.9, the interface name may optionally be followed by a colon (":") and
-          the specified address (example net:155.186.235.151)</li>
+an IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).</li>
         <li>An IP address - refers to a connection request from the host 
 with            the specified address (example net:155.186.235.151). If the 
 ACTION is DNAT, this must not be a DNS name.</li>
         <li>A MAC Address in <a href="#MAC">Shorewall format</a>.</li>
         <li>A subnet - refers to a connection request from any host in the 
       specified  subnet (example net:155.186.235.0/24).</li>
@ -1151,16 +1171,16 @@ on           the specified interface (example loc:eth4).</li>
    </ul>
       </li>
       <li><b>DEST</b> - Describes the destination host(s) to which the rule 
-applies. May take any of the forms described       above for SOURCE plus the
+ applies. May take any of the forms described       above for SOURCE plus 
-following two additional forms:         
+the following two additional forms:                   
    <ul>
-       <li>An IP address followed by a colon and the port <u>number</u> that 
+         <li>An IP address followed by a colon and the port <u>number</u> 
-          the server is listening on (service names from /etc/services are 
+that            the server is listening on (service names from /etc/services 
-not            allowed - example loc:192.168.1.3:80). </li>
+are  not            allowed - example loc:192.168.1.3:80). </li>
-       <li>A single port number (again, service names are not allowed) -- 
+         <li>A single port number (again, service names are not allowed)
-this form is only allowed       if the ACTION is REDIRECT and refers to a 
+--  this form is only allowed       if the ACTION is REDIRECT and refers
-server running on the firewall itself and           listening on the specified 
+to a  server running on the firewall itself and           listening on the
-port.</li>
+specified  port.</li>
    </ul>
       </li>
@ -1169,15 +1189,16 @@ a number,        "all" or "related". Specifies the protocol  of the connection
       request. "related" should be specified only if you  have given ALLOWRELATED="no" 
 in /etc/shorewall/shorewall.conf and you  wish       to override that setting 
 for related connections originating with  the       client(s) and server(s) 
-specified in this rule. When "related"        is given for the protocol, the
+ specified in this rule. When "related"        is given for the protocol, 
-remainder of the columns should be left         blank.</li>
+the remainder of the columns should be left         blank.</li>
       <li><b>    DEST   PORT(S)</b> - Port or port range (&lt;low port&gt;:&lt;high 
 port&gt;) being connected to. May only be       specified  if the protocol 
 is tcp, udp or icmp. For icmp, this column's       contents  are interpreted 
 as an icmp type. If you don't want to specify       DEST PORT(S)  but need 
 to include information in one of the columns to the       right,  enter "-"
 in this column. You may give a list of ports and/or port ranges     separated
-by commas. Port numbers may be either integers or service names     from /etc/services.</li>
+ by commas. Port numbers may be either integers or service names     from
 /etc/services.</li>
       <li><b>    SOURCE</b> <b>PORTS(S) </b>- May be used to restrict the
 rule to a particular     client port or port range (a port range is specified 
 as &lt;low port     number&gt;:&lt;high port number&gt;). If you don't want 
@ -1188,19 +1209,19 @@ space). Port numbers may be     either integers or service names from /etc/servi
       <li><b>ORIGINAL DEST</b> - This column may only be non-empty if the
 ACTION is DNAT     or     REDIRECT.<br>
       <br>
-     If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column is left 
+       If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column is
-empty,     any connection request arriving at the firewall from the SOURCE 
+left  empty,     any connection request arriving at the firewall from the
-that matches     the rule will be forwarded or redirected. This works fine 
+SOURCE  that matches     the rule will be forwarded or redirected. This works
-for connection     requests arriving from the internet where the firewall 
+fine  for connection     requests arriving from the internet where the firewall 
 has only a single     external IP address. When the firewall has multiple 
-external IP addresses or     when the SOURCE is other than the internet, there
+ external IP addresses or     when the SOURCE is other than the internet, 
-will usually be a desire     for the rule to only apply to those connection 
+there will usually be a desire     for the rule to only apply to those connection 
 requests directed to a     particular IP address (see Example 2 below for 
 another usage). That IP     address (or a comma-separated list of such addresses) 
 is specified in the     ORIGINAL DEST column.<br>
       <br>
-     The IP address may be optionally followed by ":" and a     second IP 
+       The IP address may be optionally followed by ":" and a     second
-address. This latter address, if present, is used as the source     address 
+IP  address. This latter address, if present, is used as the source     address 
 for packets forwarded to the server (This is called "Source NAT" or     SNAT).<br>
                                                    <br>
                                                    <b><font
@ -1273,8 +1294,8 @@ require access to remote web servers. This example shows yet
                                              <a href="#GettingStarted"> 
                                               (notice the "!")</a> originally 
                                                  destined to 206.124.146.177 
-are                                                  redirected to local port
+ are                                                  redirected to local 
-3128.</p>
+port 3128.</p>
 <blockquote>                                                   <font
 face="Century Gothic, Arial, Helvetica">          </font>         
@ -1367,21 +1388,22 @@ by  Proxy ARP   or by classical sub-netting.</p>
  </table>
   </blockquote>
 <p><b>   Example 4. </b> You want to run wu-ftpd on 192.168.2.2 in your masqueraded 
-    DMZ. Your internet interface address is 155.186.235.151 and you want the
+     DMZ. Your internet interface address is 155.186.235.151 and you want 
- FTP   server to be accessible from the internet in addition to the local 
+the  FTP   server to be accessible from the internet in addition to the local 
 192.168.1.0/24 and dmz 192.168.2.0/24     subnetworks. Note that since the 
-server is in the 192.168.2.0/24 subnetwork,  we   can assume that access to
+ server is in the 192.168.2.0/24 subnetwork,  we   can assume that access 
-the server from that subnet will not involve  the   firewall (<a
+to the server from that subnet will not involve  the   firewall (<a
 href="FAQ.htm#faq2">but see FAQ 2</a>). Note that unless you            
                                         have more than one external    
                                                 IP address, you can leave 
                                                      the ORIGINAL DEST column 
                                                      blank in the first rule.
-You                                                      cannot leave it blank
+ You                                                      cannot leave it
-in the                                                      second rule though
+blank in the                                                      second rule
-because                                                      then <u>all
+though because                                                      then
-ftp connections</u>                                                     
+<u>all ftp connections</u>                                              
       originating in the local                                         
            subnet 192.168.1.0/24 would                                 
                    be sent to 192.168.2.2 <u>                          
@ -1393,6 +1415,7 @@ originating in the local
 src="images/SY00079.gif" width="20" height="20" align="top">
   .</p>
 <blockquote>                                                       <font
 face="Century Gothic, Arial, Helvetica">          </font><font
 face="Century Gothic, Arial, Helvetica">          </font>         
@ -1527,8 +1550,8 @@ the pure-ftpd runline.</p>
                                                      requirements. Rather 
                                                          than modify    
                                                     /etc/shorewall/common.def, 
-                                                         you should copy that
+                                                          you should copy 
-                                                         file to        
+that                                                          file to    
                                                     /etc/shorewall/common 
                                                         and modify that file.</p>
@ -1557,8 +1580,8 @@ function 'run_iptables'.
 <p>The /etc/shorewall/masq  file is used to define classical IP   Masquerading 
 and Source Network Address Translation  (SNAT). There is one entry in  the 
-file for each subnet that   you want to masquerade. In order to make use of
+ file for each subnet that   you want to masquerade. In order to make use 
-this feature, you must have <a href="#NatEnabled">NAT   enabled</a>   .</p>
+of this feature, you must have <a href="#NatEnabled">NAT   enabled</a>   .</p>
@ -1618,8 +1641,8 @@ file would look   like:
 <p><b>   Example 2:</b> You have a number of IPSEC tunnels through ipsec0 
-  and you  want to masquerade traffic from your 192.168.9.0/24 subnet to the
+   and you  want to masquerade traffic from your 192.168.9.0/24 subnet to 
-  remote  subnet 10.1.0.0/16 only.</p>
+the   remote  subnet 10.1.0.0/16 only.</p>
 <blockquote>                                                             
@ -1648,10 +1671,11 @@ file would look   like:
 <p><b>   Example 3:</b> You have a DSL line connected on eth0 and a local 
 network                                                           (192.168.10.0/24)
-                                                           connected to eth1. 
+                                                            connected to
-You                                                           want all local-&gt;net
+eth1.  You                                                           want
-                                                           connections to 
+all local-&gt;net                                                       
-use                                                           source address
+     connections to  use                                                
          source address                                                
            206.124.146.176.</p>
 <blockquote>            
@ -1723,16 +1747,16 @@ use                                                           source address
                                                              If you decide 
 to use                                                              the technique
                                                              described in
-that                                                              HOWTO, you
+ that                                                              HOWTO, 
-can set                                                              the
+you can set                                                              the
 proxy_arp flag                                                          
   for an interface                                                     
        (/proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp)    
                                                         by including the
 <b>                                                             proxyarp</b> 
 option                                                              in the 
-interface's                                                              record
+ interface's                                                             
-in                                                             <a
+record in                                                             <a
 href="#Interfaces">                                                     
       /etc/shorewall/interfaces</a>.                                   
                          When using Proxy ARP                          
@ -1753,14 +1777,14 @@ in                                                             <a
                                                            need one entry 
 in                                                              this file 
 for each                                                              system 
-using proxy                                                              ARP.
+ using proxy                                                             
-Columns are:</p>
+ARP. Columns are:</p>
 <ul>
       <li><b>   ADDRESS</b> - address of the system.</li>
       <li><b>   INTERFACE</b> - the interface that connects to the system. 
-If the interface  is      obvious from the subnetting, you may enter "-" in
+ If the interface  is      obvious from the subnetting, you may enter "-" 
-this column.</li>
+in this column.</li>
       <li><b>   EXTERNAL</b> - the external interface that you want to honor 
 ARP requests       for the ADDRESS specified in the first column.</li>
       <li><b>HAVEROUTE</b> - If                                        
@ -1788,8 +1812,8 @@ ARP requests       for the ADDRESS specified in the first column.</li>
 file, you may need to flush the ARP cache of all   routers on the LAN segment 
 connected to the interface specified in the EXTERNAL   column of the change/added 
 entry(s). If you are having problems communicating   between an individual 
-host (A) on that segment and a system whose entry has   changed, you may need
+ host (A) on that segment and a system whose entry has   changed, you may 
-to flush the ARP cache on host A as well.</b></font></p>
+need to flush the ARP cache on host A as well.</b></font></p>
 <p><font color="#cc6666"><b>ISPs typically have ARP configured with long TTL
@ -1859,8 +1883,8 @@ files</a>.</p>
 If you start or restart Shorewall with an IPSEC tunnel active,  the proxied 
 IP addresses are mistakenly assigned to the IPSEC tunnel device  (ipsecX) 
 rather than to the interface that you specify in the INTERFACE column  of 
-/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
+ /etc/shorewall/proxyarp. I haven't had the time to debug this problem so 
- can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
+I  can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
 <p>You <b>might</b> be able to work around this problem using the following 
 (I  haven't tried it):</p>
@ -1921,10 +1945,10 @@ the                                                               <a
 <p>Columns in an entry are:</p>
 <ul>
-     <li><b>   EXTERNAL</b> - External IP address - <u>This should NOT be 
+       <li><b>   EXTERNAL</b> - External IP address - <u>This should NOT
-the primary IP     address of the interface named in the next column.</u></li>
+be  the primary IP     address of the interface named in the next column.</u></li>
-     <li><b>   INTERFACE</b> - Interface that you want the EXTERNAL IP address 
+       <li><b>   INTERFACE</b> - Interface that you want the EXTERNAL IP
-to appear       on.</li>
+address  to appear       on.</li>
       <li><b>   INTERNAL </b> - Internal IP address.</li>
       <li><b>ALL                                                       
               INTERFACES</b>                                           
@ -1936,9 +1960,9 @@ to appear       on.</li>
                                                      be                
                                                      effective         
                                                             from all   
-                                                                 hosts. If
+                                                                   hosts. 
-                                                                       No 
+If                                                                       
-or no                                                                    
+No  or no                                                               
       then NAT                                                         
             will be                                                    
                  effective                                             
@ -1971,8 +1995,8 @@ in your     kernel.</li>
 <p>   The /etc/shorewall/tunnels file allows you to define IPSec, GRE and 
-IPIP tunnels  with   end-points on your firewall. To use ipsec, you must install
+ IPIP tunnels  with   end-points on your firewall. To use ipsec, you must 
-version  1.9, 1.91 or the   current <a
+install version  1.9, 1.91 or the   current <a
 href="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</a>      development snapshot. </p>
@ -1997,37 +2021,37 @@ about setting up PPTP
 <ul>
       <li><b>NEWNOTSYN </b>- Added in Version 1.3.8<br>
-When set to "Yes" or "yes", Shorewall will filter TCP packets that are not
+  When set to "Yes" or "yes", Shorewall will filter TCP packets that are
-part of an established connention and that are not SYN packets (SYN flag
+not  part of an established connention and that are not SYN packets (SYN
-on - ACK flag off). If set to "No", Shorewall will silently drop such packets.
+flag on - ACK flag off). If set to "No", Shorewall will silently drop such
-If not set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No is
+packets.  If not set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No
-assumed.<br>
+is  assumed.<br>
      <br>
  If you have a HA setup with failover to another firewall, you should have
 NEWNOTSYN=Yes on both firewalls. You should also select NEWNOTSYN=Yes if
 you have asymmetric routing.<br>
    </li>
    <li><b>FORWARDPING</b> - Added in Version 1.3.7<br>
-     When set to "Yes" or "yes", ICMP echo-request (ping) packets from interfaces 
+       When set to "Yes" or "yes", ICMP echo-request (ping) packets from
-    that specify "filterping" are ACCEPTed by the firewall. When set to "No" 
+interfaces      that specify "filterping" are ACCEPTed by the firewall. When
-or     "no", such ping requests are silently dropped unless they are handled 
+set to "No"  or     "no", such ping requests are silently dropped unless
-by an     explicit entry in the <a href="#Rules">rules file</a>. If not specified, 
+they are handled  by an     explicit entry in the <a href="#Rules">rules
-"No"     is assumed.</li>
+file</a>. If not specified,  "No"     is assumed.</li>
       <li><b>LOGNEWNOTSYN</b> - Added in Version 1.3.6<br>
-     Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets that 
+       Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets
-are     not part of an existing connection. If you would like to log these 
+that  are     not part of an existing connection. If you would like to log
-packets,     set LOGNEWNOTSYN to the syslog level at which you want the packets 
+these  packets,     set LOGNEWNOTSYN to the syslog level at which you want
-logged.     Example: LOGNEWNOTSYN=debug|<br>
+the packets  logged.     Example: LOGNEWNOTSYN=debug|<br>
       <br>
       <b>Note: </b>Packets logged under this option are usually the result 
 of     broken remote IP stacks rather than the result of any sort of attempt 
 to     breach your firewall.<br>
     </li>
       <li><b>MERGE_HOSTS </b>- Added in Version 1.3.5<br>
-     Prior to 1.3.5, when the <a href="#Hosts">/etc/shorewall/hosts</a> file 
+       Prior to 1.3.5, when the <a href="#Hosts">/etc/shorewall/hosts</a> 
-    included an entry for a zone then the entire zone had to be defined in 
+file      included an entry for a zone then the entire zone had to be defined 
-the     /etc/shorewall/hosts file and any associations between the zone and 
+in  the     /etc/shorewall/hosts file and any associations between the zone 
-    interfaces in the <a href="#Interfaces">/etc/shorewall/interfaces</a> 
+and      interfaces in the <a href="#Interfaces">/etc/shorewall/interfaces</a> 
 file     were ignored. This behavior is preserved if MERGE_HOSTS=No or if 
 MERGE_HOSTS     is not set or is set to the empty value.<br>
       <br>
@ -2089,8 +2113,8 @@ file. <br>
         </p>
     </li>
     <li><b>DETECT_DNAT_ADDRS</b> - Added in Version 1.3.4<br>
- If set to "Yes" or "yes", Shorewall will detect the IP address(es) of the 
+   If set to "Yes" or "yes", Shorewall will detect the IP address(es) of
-interface(es) to the source zone and will include this (these) address(es) 
+the  interface(es) to the source zone and will include this (these) address(es) 
 in DNAT rules as the original destination IP address. If set to "No" or "no",
 Shorewall will not detect this (these) address(es) and any destination IP
 address will match the DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" 
@ -2122,23 +2146,23 @@ set to an     empty value, "Yes" is assumed.</li>
                                                                    parameter
                                                                    specifies 
 the                                                                   name 
-of the                                                                   firewall
+ of the                                                                  
-zone.                                                                   If
+firewall zone.                                                          
-not set or                                                              
+        If not set or                                                   
               if set to an                                             
                     empty string,                                      
                            the value                                   
                               "fw"                                     
                             is assumed.</li>
       <li><b>SUBSYSLOCK</b><br>
-           This parameter should be set to the name of a file that the firewall 
+             This parameter should be set to the name of a file that the
-        should create if it starts successfully and remove when it stops. 
+firewall          should create if it starts successfully and remove when
-Creating        and removing this file allows Shorewall to work with your 
+it stops.  Creating        and removing this file allows Shorewall to work
-distribution's        initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. 
+with your  distribution's        initscripts. For RedHat, this should be
-        For Debian, the value is /var/state/shorewall and in LEAF it is  
+set to /var/lock/subsys/shorewall.          For Debian, the value is /var/state/shorewall
 and in LEAF it is                                                       
           /var/run/shorwall.                                           
-                                                                   Example: 
+                         Example:      SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
    SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
       <li><b>   STATEDIR</b><br>
             This parameter specifies the name of a directory where Shorewall 
  stores        state information. If the directory doesn't exist when Shorewall 
@ -2149,13 +2173,13 @@ is     running, create the new directory if necessary then copy the contents
 of the     old directory to the new directory. </li>
       <li><b>   ALLOWRELATED</b><br>
             This parameter must be assigned the value "Yes"       ("yes")
-or  "No" ("no") and specifies whether       Shorewall allows connection requests 
+ or  "No" ("no") and specifies whether       Shorewall allows connection
- that are related to an already       allowed connection. If you say "No" 
+requests   that are related to an already       allowed connection. If you
-("no"), you can       still override this setting by including "related" rules
+say "No"  ("no"), you can       still override this setting by including
-in        /etc/shorewall/rules ("related" given as the protocol). If you
+"related" rules in        /etc/shorewall/rules ("related" given as the protocol).
-specify     ALLOWRELATED=No, you will need to include rules in    <a
+If you specify     ALLOWRELATED=No, you will need to include rules in   
- href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a> to    
+    <a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>
-handle common ICMP packet types.</li>
+to     handle common ICMP packet types.</li>
       <li><b>   MODULESDIR</b><br>
             This parameter specifies the directory where your kernel netfilter
   modules       may be found. If you leave the variable empty, Shorewall
@ -2163,8 +2187,8 @@ will   supply the       value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter
       <li><b>   LOGRATE </b> and <b> LOGBURST</b><br>
             These parameters set the match rate and initial burst size for 
 logged     packets. Please see the iptables man page for a description of 
-the behavior     of these parameters (the iptables option --limit is set by
+ the behavior     of these parameters (the iptables option --limit is set 
-LOGRATE and     --limit-burst is set by LOGBURST). If both parameters are
+by LOGRATE and     --limit-burst is set by LOGBURST). If both parameters are
 set       empty, no rate-limiting will occur.<br>
       <br>
       Example:<br>
@ -2204,15 +2228,15 @@ parameter
                 Masquerading<br>
             <br>
             If the parameter has no value or has a value of "Yes" or   
- "yes"  then NAT is enabled. If the parameter has a value of       "no" or 
+   "yes"  then NAT is enabled. If the parameter has a value of       "no" 
-"No" then  NAT is disabled.<br>
+or  "No" then  NAT is disabled.<br>
                  </li>
       <li><b>    MANGLE_ENABLED</b><br>
-           This parameter determines if packet mangling is enabled. If the
+             This parameter determines if packet mangling is enabled. If
- parameter        has no value or has a value of "Yes" or "yes" than    
+the   parameter        has no value or has a value of "Yes" or "yes" than
      packet mangling  is enabled. If the parameter has a value of "no" 
- or "No" then packet  mangling is disabled. If packet mangling is       disabled,
+     or "No" then packet  mangling is disabled. If packet mangling is   
- the /etc/shorewall/tos  file is ignored.<br>
+   disabled,   the /etc/shorewall/tos  file is ignored.<br>
                  </li>
       <li><b>   IP_FORWARDING</b><br>
             This parameter determines whether Shorewall enables or disables
@ -2232,17 +2256,17 @@ values   are:<br>
 the                                                                    
     <i>external         </i>address(es) in <a href="#NAT">/etc/shorewall/nat</a>
  . If the variable       is set to "Yes" or "yes" then Shorewall automatically
-       adds these aliases. If it is set to "No" or "no", you       must add
+        adds these aliases. If it is set to "No" or "no", you       must
- these aliases yourself using your distribution's network       configuration
+add   these aliases yourself using your distribution's network       configuration
  tools.<br>
            <br>
            If this variable is not set or is given an empty value (ADD_IP_ALIASES="")
         then ADD_IP_ALIASES=Yes is assumed.</li>
       <li><b>ADD_SNAT_ALIASES</b><br>
-     This parameter determines whether Shorewall automatically adds the SNAT 
+       This parameter determines whether Shorewall automatically adds the 
-    <i>    ADDRESS </i>in <a href="#Masq">/etc/shorewall/masq</a>. If the 
+SNAT      <i>    ADDRESS </i>in <a href="#Masq">/etc/shorewall/masq</a>. If
-variable is     set to "Yes" or "yes" then Shorewall automatically adds these 
+the  variable is     set to "Yes" or "yes" then Shorewall automatically adds
-addresses. If     it is set to "No" or "no", you must add these addresses 
+these  addresses. If     it is set to "No" or "no", you must add these addresses
 yourself using your     distribution's network configuration tools.<br>
            <br>
            If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="")
@ -2356,8 +2380,8 @@ parameter
                                                                  "Yes" 
                                                                 or     
                                                             "yes",     
-                                                            the feature is
+                                                             the feature
-                                                                  enabled.
+is                                                                    enabled.
 If                                                                   left
 blank or                                                               
    set to                                                              
@ -2406,6 +2430,7 @@ value is "no".</li>
 <blockquote>                                                             
  <p>loadmodule                                                          
       <i>&lt;modulename&gt;                                            
                     </i>[ <i>   &lt;module parameters&gt; </i>]</p>
@ -2425,6 +2450,7 @@ value is "no".</li>
  <blockquote>                                                           
@ -2435,10 +2461,12 @@ value is "no".</li>
  <p><i>   &lt;module parameters&gt;</i></p>
  <blockquote>                                                           
@ -2512,16 +2540,16 @@ the zone name       with a colon (":") and either an IP address, an IP subnet,
 a MAC address     in <a href="#MAC">Shorewall Format</a> or the       name 
 of an interface. This column may also contain the <a href="#FW">name of 
                                                                 the firewall</a>
-                                                                   zone to 
+                                                                    zone
-      indicate  packets originating on the firewall itself or "all" to   
+to        indicate  packets originating on the firewall itself or "all" to
      indicate any  source.</li>
       <li><b>   DEST</b> -- The destination zone. May be qualified by following 
 the zone       name with a colon (":") and either an IP address or an IP 
      subnet.  Because packets are marked prior to routing, you may not specify 
       the  name of an interface. This column may also contain        "all" 
 to indicate  any destination.</li>
-     <li><b>   PROTOCOL</b> -- The name of a protocol in /etc/protocols or 
+       <li><b>   PROTOCOL</b> -- The name of a protocol in /etc/protocols 
-the protocol's       number.</li>
+or  the protocol's       number.</li>
       <li><b>   SOURCE PORT(S)</b> -- The source port or a port range. For 
 all ports, place        a hyphen ("-") in this column.</li>
       <li><b>   DEST PORT(S)</b>  -- The destination port or a port range. 
@ -2706,19 +2734,22 @@ Format</a>
 designed to prevent listed hosts/subnets from accessing services on <u><b>your</b></u> 
 network.<br>
  </p>
 <p>Beginning with Shorewall 1.3.8, the blacklist file has three columns:<br>
  </p>
 <ul>
    <li><b>ADDRESS/SUBNET - </b>As described above.</li>
-  <li><b>PROTOCOL</b> - Optional. If specified, only packets specifying this
+    <li><b>PROTOCOL</b> - Optional. If specified, only packets specifying 
-protocol will be blocked.</li>
+this protocol will be blocked.</li>
    <li><b>PORTS - </b>Optional; may only be given if PROTOCOL is tcp, udp
-or icmp. Expressed as a comma-separated list of port numbers or service names
+ or icmp. Expressed as a comma-separated list of port numbers or service
-(from /etc/services). If present, only packets destined for the specified
+names  (from /etc/services). If present, only packets destined for the specified
 protocol and one of the listed ports are blocked. When the PROTOCOL is icmp,
 the PORTS column contains a comma-separated list of ICMP type numbers or
 names (see "iptables -h icmp").<br>
    </li>
 </ul>
@ -2786,11 +2817,12 @@ the firewall is stopped.
 <ul>
-           <li><b>INTERFACE </b>- The firewall interface through which the 
+             <li><b>INTERFACE </b>- The firewall interface through which
-host(s) comminicate with the firewall.</li>
+the  host(s) comminicate with the firewall.</li>
-           <li><b>HOST(S) </b>- (Optional) - A comma-separated list of IP/Subnet 
+             <li><b>HOST(S) </b>- (Optional) - A comma-separated list of
-addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is assumed.</li>
+IP/Subnet  addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is
 assumed.</li>
 </ul>
@ -2842,7 +2874,7 @@ eth1 and your local hosts through eth2.</p>
-<p><font size="2">   Updated 9/16/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 9/28/2002 - <a href="support.htm">Tom  Eastep</a>
     </font></p>
@ -2858,5 +2890,7 @@ eth1 and your local hosts through eth2.</p>
     </font><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -1,50 +1,67 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Shorewall FAQs</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
-<p align="left"><b>1. </b><a href="#faq1">&nbsp;I want to <b>forward</b> UDP <b>
+<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
 port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked 
 everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
 but it doesn't work.</a></p>
-<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests to www.mydomain.com (IP
+   
-130.151.100.69) to system 192.168.1.5 in my local network. <b>External clients can browse</b>
+<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
-http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
+to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local 
-<p align="left"><b>2a. </b><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918 
+network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal 
-subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts in 
+clients can't</b>.</a></p>
-Z. Hosts in Z cannot communicate with each other using their external 
+   
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
 subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts 
 in  Z. Hosts in Z cannot communicate with each other using their external 
 (non-RFC1918 addresses) so they <b>can't access each other using their DNS 
 names.</b></a></p>
-<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting </b>with 
+<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN 
-Shorewall. What do I do?</a></p>
+Messenger </b>with  Shorewall. What do I do?</a></p>
-<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner to 
+   
-check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b> 
+<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
 to  check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
 Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
 of my firewall and it showed 100s of ports as open!!!!</a></p>
-<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now I <b>
+   
-can't ping</b> through the firewall</a></p>
+<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now 
 I <b> can't ping</b> through the firewall</a></p>
 <p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
-written and&nbsp; how do I <b>change the destination</b>?</a></p>
+ written and  how do I <b>change the destination</b>?</a></p>
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
 that work with Shorewall?</a></p>
@ -53,49 +70,53 @@ that work with Shorewall?</a></p>
 'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
 work?</a></p>
-<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall on RedHat 7.x</b>, I
+<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
-get messages about insmod failing -- what's wrong?</a></p>
+on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
-<p align="left"><b>9. </b><a href="#faq9"><b>Why </b>does Shorewall <b>only accept IP addresses</b> as
+<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
-opposed to FQDNs?</a></p>
+my  interfaces </b>properly?</a></p>
-<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does it 
+<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does 
-work with?</a></p>
+it  work with?</a></p>
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
 support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
-<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>&quot;Shorewall&quot;?</b></a></p>
+<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem and it has an internel 
 web server that allows me to configure/monitor it but as expected if I enable <b>
 rfc1918 blocking</b> for my eth0 interface, it also blocks the <b>cable modems 
 web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public IP 
 addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 
 filtering on my external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
-<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see out to 
+<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
-the net</b></a></p>
+and it has an internel  web server that allows me to configure/monitor it 
 but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface, 
 it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
 IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
 1918  filtering on my external interface, <b>my DHCP client cannot renew its
 lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
 out to  the net</b></a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
 all over my console</b> making it unusable!</a></p>
 <p align="left"><b>17. </b><a href="#faq17">Why can't Shorewall <b>detect my 
 interfaces </b>properly?</a></p>
 <blockquote>
 <p align="left">&nbsp;</p>
 </blockquote>
 <hr>  
-<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
+<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
-address 192.168.1.5. I've looked everywhere and can't find how to do it.</h4>
+my my personal PC with IP address 192.168.1.5. I've looked everywhere and 
-<p align="left"><b>Answer: </b>The <a href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#Rules">rules
+can't find how to do it.</h4>
-file documentation</a> shows how to do port forwarding under Shorewall. Assuming
+   
-that you have a dynamic external IP address, the format of a port-forwarding
+<p align="left"><b>Answer: </b>The <a
-rule to a local system is as follows:</p>
+ href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to 
 do port forwarding under Shorewall. Assuming that you have a dynamic external 
 IP address, the format of a port-forwarding rule to a local system is as follows:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
      <tbody>
       <tr>
        <td><u><b>ACTION</b></u></td>
        <td><u><b>SOURCE</b></u></td>
@ -111,15 +132,21 @@ rule to a local system is as follows:</p>
        <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
        <td><i>&lt;protocol&gt;</i></td>
        <td><i>&lt;port #&gt;</i></td>
-      <td>&nbsp;</td>
+        <td> </td>
-      <td>&nbsp;</td>
+        <td> </td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
-<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, the
+   
-rule is:</p>
+<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, 
 the rule is:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
      <tbody>
       <tr>
        <td><u><b>ACTION</b></u></td>
        <td><u><b>SOURCE</b></u></td>
@ -135,18 +162,25 @@ rule is:</p>
        <td>loc:192.168.1.5</td>
        <td>udp</td>
        <td>7777</td>
-      <td>&nbsp;</td>
+        <td> </td>
-      <td>&nbsp;</td>
+        <td> </td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
 <div align="left">  
 <pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
  </div>
 <p align="left">If you want to forward requests directed to a particular
 address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
      <tbody>
       <tr>
        <td><u><b>ACTION</b></u></td>
        <td><u><b>SOURCE</b></u></td>
@ -165,46 +199,63 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
        <td>-</td>
        <td><i>&lt;external IP&gt;</i></td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
-<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions but 
+   
-it doesn't work</h4>
+<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
 but  it doesn't work</h4>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-  <li>You are trying to test from inside your firewall (no, that 
+    <li>You are trying to test from inside your firewall (no, that  won't 
-won't work -- see <a href="#faq2">FAQ #2</a>).</li>
+work -- see <a href="#faq2">FAQ #2</a>).</li>
    <li>You have a more basic problem with your local system such as an 
-incorrect default gateway configured (it should be set to the IP address of your 
+incorrect default gateway configured (it should be set to the IP address
-firewall's internal interface).</li>
+of your  firewall's internal interface).</li>
 </ul>
-<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
+   
-130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
+<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
-http://www.mydomain.com but internal clients can't.</h4>
+(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients 
 can browse http://www.mydomain.com but internal clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-  <li>Having an internet-accessible server in your local network
+    <li>Having an internet-accessible server in your local network     is 
-    is like raising foxes in the corner of your hen house. If the server is
+like raising foxes in the corner of your hen house. If the server is     compromised,
-    compromised, there's nothing between that server and your other internal
+there's nothing between that server and your other internal     systems.
-    systems. For the cost of another NIC and a cross-over cable, you can put
+For the cost of another NIC and a cross-over cable, you can put      your
-    your server in a DMZ such that it is isolated from your local systems -
+server in a DMZ such that it is isolated from your local systems -     assuming
-    assuming that the Server can be located near the Firewall, of course :-)</li>
+that the Server can be located near the Firewall, of course :-)</li>
-  <li>The accessibility problem is best solved using 
+    <li>The accessibility problem is best solved using    <a
-  <a href="shorewall_setup_guide.htm#DNS">Bind Version
+ href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
-    9 &quot;views&quot;</a> (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69
+a separate DNS server for local clients) such that www.mydomain.com resolves
-    externally and 192.168.1.5 internally. That's what I do here at
+to 130.141.100.69     externally and 192.168.1.5 internally. That's what
-    shorewall.net for my local systems that use static NAT.</li>
+I do here at     shorewall.net for my local systems that use static NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem 
-rather than a DNS solution, then assuming that your external interface is eth0 
+ rather than a DNS solution, then assuming that your external interface is 
-and your internal interface is eth1 
+eth0  and your internal interface is eth1  and that eth1 has IP address 192.168.1.254 
-and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
+with subnet 192.168.1.0/24, do the following:</p>
-<p align="left">a) In /etc/shorewall/interfaces, specify &quot;multi&quot; as an option 
+   
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
 for eth1.</p>
 <div align="left">  
-<p align="left">b) In /etc/shorewall/rules, add:</div>
+<p align="left">b) In /etc/shorewall/rules, add:</p>
 </div>
 <div align="left">  
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
      <tbody>
       <tr>
        <td><u><b>ACTION</b></u></td>
        <td><u><b>SOURCE</b></u></td>
@ -223,25 +274,35 @@ for eth1.</p>
        <td>-</td>
        <td>130.151.100.69:192.168.1.254</td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
  </div>
 <div align="left">  
-<pre align="left">     <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre>
+<pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
  </div>
 <div align="left">  
-<p align="left">That rule only works of course if you have a static external IP 
+<p align="left">That rule only works of course if you have a static external 
-address. If you 
+IP  address. If you  have a dynamic IP address and are running Shorewall 1.3.4
-have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in 
+or later then include this in  /etc/shorewall/params:</p>
-/etc/shorewall/params:</div>
+ </div>
 <div align="left">  
 <pre>     ETH0_IP=`find_interface_address eth0`</pre>
  </div>
 <div align="left">  
-<p align="left">and make your DNAT rule:</div>
+<p align="left">and make your DNAT rule:</p>
 </div>
 <div align="left">  
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
      <tbody>
       <tr>
        <td><u><b>ACTION</b></u></td>
        <td><u><b>SOURCE</b></u></td>
@ -260,37 +321,50 @@ have a dynamic IP address and are running Shorewall 1.3.4 or later then include
        <td>-</td>
        <td>$ETH0_IP:192.168.1.254</td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
  </div>
 <div align="left">  
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
 client to automatically restart Shorewall each time that you get a new IP 
-address.</div>
+ address.</p>
-<h4 align="left"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
+ </div>
-use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
+   
-communicate with each other using their external (non-RFC1918 addresses) so they
+<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
-can't access each other using their DNS names.</h4>
+subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. 
-<p align="left"><b>Answer: </b>This is another problem that is best solved using Bind Version 9
+Hosts in Z cannot communicate with each other using their external (non-RFC1918 
-&quot;views&quot;. It allows both external and internal clients to access a
+addresses) so they can't access each other using their DNS names.</h4>
-NATed host using the host's DNS name.</p>
+   
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
 using Bind Version 9 "views". It allows both external and internal clients 
 to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
-static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and
+ static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses 
-can be accessed externally and internally using the same address.&nbsp;</p>
+and can be accessed externally and internally using the same address. </p>
 <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
 traffic through your firewall then:</p>
-<p align="left">a) Specify &quot;multi&quot; on the entry for Z's interface in
+   
-/etc/shorewall/interfaces.<br>
+<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.<br>
  b) Set the Z-&gt;Z policy to ACCEPT.<br>
  c) Masquerade Z to itself.<br>
  <br>
  Example:</p>
 <p align="left">Zone: dmz<br>
  Interface: eth2<br>
  Subnet: 192.168.2.0/24</p>
 <p align="left">In /etc/shorewall/interfaces:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber2">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber2">
      <tbody>
       <tr>
        <td><u><b>ZONE</b></u></td>
        <td><u><b>INTERFACE</b></u></td>
@ -303,11 +377,17 @@ Subnet: 192.168.2.0/24</p>
        <td>192.168.2.255</td>
        <td>multi</td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
 <p align="left">In /etc/shorewall/policy:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
      <tbody>
       <tr>
        <td><u><b>SOURCE </b></u></td>
        <td><u><b>DESTINATION</b></u></td>
@ -318,16 +398,23 @@ Subnet: 192.168.2.0/24</p>
        <td>dmz</td>
        <td>dmz</td>
        <td>ACCEPT</td>
-      <td>&nbsp;</td>
+        <td> </td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
 <div align="left">  
-<pre align="left">     dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre>
+<pre align="left">     dmz    dmz    ACCEPT</pre>
  </div>
 <p align="left">In /etc/shorewall/masq:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" width="369">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3" width="369">
      <tbody>
       <tr>
        <td width="93"><u><b>INTERFACE </b></u></td>
        <td width="31"><u><b>SUBNET</b></u></td>
@ -336,154 +423,198 @@ Subnet: 192.168.2.0/24</p>
      <tr>
        <td width="93">eth2</td>
        <td width="31">192.168.2.0/24</td>
-      <td width="120">&nbsp;</td>
+        <td width="120"> </td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
 <h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?</h4>
 <p align="left"><b>Answer: </b>There is an <a href="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/"> H.323 connection tracking/NAT module</a> that may help.
 Also check the Netfilter mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. </p>
-  <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner to 
+<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger 
-  check my firewall and it shows some ports as 'closed' rather than 'blocked'. 
+with Shorewall. What do I do?</h4>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
 tracking/NAT module</a> that may help. Also check the Netfilter mailing list 
 archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
 </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
 to    check my firewall and it shows some ports as 'closed' rather than 'blocked'. 
   Why?</h4>
-  <p align="left"><b>Answer: </b>The common.def included with version 1.3.x always 
+<p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-  rejects connection requests on TCP port 113 rather than dropping them. This is 
+always    rejects connection requests on TCP port 113 rather than dropping 
-  necessary to prevent outgoing connection problems to services that use the 
+them. This is    necessary to prevent outgoing connection problems to services 
-  'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP 
+that use the    'Auth' mechanism for identifying requesting users. Shorewall 
-  ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are 
+also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. These
-  used by Windows (Windows <u>can</u> be configured to use the DCE cell locator 
+are ports that are    used by Windows (Windows <u>can</u> be configured to
-  on port 135). Rejecting these connection requests rather than dropping them 
+use the DCE cell locator    on port 135). Rejecting these connection requests 
-  cuts down slightly on the amount of Windows chatter on LAN segments connected 
+rather than dropping them    cuts down slightly on the amount of Windows chatter
-  to the Firewall. </p>
+on LAN segments connected    to the Firewall. </p>
-  <p align="left">If you are seeing port 80 being 'closed', that's probably your 
+<p align="left">If you are seeing port 80 being 'closed', that's probably 
-  ISP preventing you from running a web server in violation of your Service 
+your    ISP preventing you from running a web server in violation of your 
-  Agreement.</p>
+Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
   firewall and it showed 100s of ports as open!!!!</h4>
-  <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page section about 
+<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
-  UDP scans. If nmap gets <b>nothing</b> back from your firewall then it reports 
+section about    UDP scans. If nmap gets <b>nothing</b> back from your firewall 
-  the port as open. If you want to see which UDP ports are really open, 
+then it reports    the port as open. If you want to see which UDP ports are 
-  temporarily change your net-&gt;all policy to REJECT, restart Shorewall and do 
+really open,    temporarily change your net-&gt;all policy to REJECT, restart 
-  the nmap UDP scan again.</p>
+Shorewall and do    the nmap UDP scan again.</p>
-<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
+<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
-firewall</h4>
+can't ping through the firewall</h4>
-<p align="left"><b>Answer: </b>If you want your firewall to be totally open for
+   
-&quot;ping&quot;: </p>
+<p align="left"><b>Answer: </b>If you want your firewall to be totally open 
-<p align="left">a) Do NOT specify 'noping' on any interface in
+for "ping": </p>
-/etc/shorewall/interfaces.<br>
+   
 <p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
  b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
  c) Add the following to /etc/shorewall/icmpdef: </p>
 <blockquote>    
-<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j
+  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
-ACCEPT </p>
+-j ACCEPT </p>
  </blockquote>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
-and&nbsp; how do I change the destination?</h4>
+ and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog (see &quot;man
+   
-syslog&quot;) to log messages. It always uses the LOG_KERN (kern) facility (see
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-&quot;man openlog&quot;) and you get to choose the log level (again, see
+(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-&quot;man syslog&quot;) in your <a href="Documentation.htm#Policy">policies</a>
+(see "man openlog") and you get to choose the log level (again, see "man
-and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
-logged by syslog is controlled by /etc/syslog.conf (see &quot;man
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged  logged
-syslog.conf&quot;). When you have changed /etc/syslog.conf, be sure to restart
+by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
-syslogd (on a RedHat system, &quot;service syslog restart&quot;). </p>
+you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
-<p align="left">By default, older versions of Shorewall ratelimited log messages through
+system, "service syslog restart"). </p>
-<a href="Documentation.htm#Conf">settings</a>
+   
-in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: </p>
+<p align="left">By default, older versions of Shorewall ratelimited log messages 
 through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
 -- If you want to log all messages, set: </p>
 <div align="left">  
-<pre align="left">     LOGLIMIT=&quot;&quot;
+<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""</pre>
     LOGBURST=&quot;&quot;</pre>
  </div>
 <h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
 with Shorewall?</h4>
-<p align="left"><b>Answer: </b>Here are several links that may be helpful: </p>
+   
 <p align="left"><b>Answer: </b>Here are several links that may be helpful: 
 </p>
 <blockquote>    
-<p align="left"><a href="http://www.shorewall.net/pub/shorewall/parsefw/">
+  <p align="left"><a
-http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
+ href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
  <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
  <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
  </blockquote>
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
 stop', I can't connect to anything. Why doesn't that command work?</h4>
-<p align="left">The 'stop' command is intended to place your firewall into a
+   
-safe state whereby only those interfaces/hosts having the 'routestopped' option
+<p align="left">The 'stop' command is intended to place your firewall into 
-in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want
+a safe state whereby only those interfaces/hosts having the 'routestopped' 
-to totally open up your firewall, you must use the 'shorewall clear' command. </p>
+option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. 
 If you want to totally open up your firewall, you must use the 'shorewall 
 clear' command. </p>
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
 7.x, I get messages about insmod failing -- what's wrong?</h4>
-<p align="left"><b>Answer: </b>The output you will see looks something like this:</p>
+   
-<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
+<p align="left"><b>Answer: </b>The output you will see looks something like 
-     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
+this:</p>
-     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
+   
-     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
+<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
-     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
+   
-     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
+<p align="left">This is usually cured by the following sequence of commands: 
-     Perhaps iptables or your kernel needs to be upgraded.</pre>
+</p>
-<p align="left">This is usually cured by the following sequence of commands: </p>
+   
 <div align="left">  
-<pre align="left">     service ipchains stop
+<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
     chkconfig --delete ipchains
     rmmod ipchains</pre>
  </div>
 <div align="left">  
-<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> for 
+<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
-problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</div>
+for  problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
-<h4 align="left">     <a name="faq9"></a>9. Why does Shorewall only accept IP
+ </div>
-addresses as opposed to FQDNs?</h4><p align="left">     <b>Answer: </b>FQDNs in iptables rules 
+   
-aren't nearly as useful as they first appear. When a DNS name appears in a rule, 
+<h4 align="left">     
-the iptables utility resolves the name to one or more IP addresses and inserts 
+<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces
-those addresses into the rule. So change in the DNS-&gt;IP address relationship 
+properly?</h4>
-that occur after the firewall has started have absolutely no effect on the 
+      </h4>
-firewall's ruleset.</p>
+<p align="left">I just installed Shorewall and when I issue the start command, 
-<p align="left">     I'm also trying to protect
+   I see the following:</p>
-people from themselves. If your firewall rules include FQDN's then:</p>
+    
-<ul>
+<div align="left">    
-  <li>If your /etc/resolv.conf is wrong then your firewall won't
+<pre>     Processing /etc/shorewall/shorewall.conf ...<br>     Processing /etc/shorewall/params ...<br>     Starting Shorewall...<br>     Loading Modules...<br>     Initializing...<br>     Determining Zones...<br>     Zones: net loc<br>     Validating interfaces file...<br>     Validating hosts file...<br>     Determining Hosts in Zones...<br><b>     Net Zone: eth0:0.0.0.0/0<br>     Local Zone: eth1:0.0.0.0/0<br></b>     Deleting user chains...<br>     Creating input Chains...<br>     ...</pre>
-    start.</li>
+  </div>
-  <li>If your /etc/nsswitch.conf is wrong then your firewall won't
+   
-    start.</li>
+<div align="left">    
-  <li>If your Name Server(s) is(are) down then your firewall won't
+<p align="left">Why can't Shorewall detect my interfaces properly?</p>
-    start.</li>
+ </div>
-  <li>Factors totally outside your control (your ISP's router is
+   
-    down for example), can prevent your firewall from starting.</li>
+<div align="left">    
-</ul>
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
   zone is defined as all hosts that are connected through eth0 and the local
   zone is defined as all hosts connected through eth1</p>
 </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
    with?</h4>
 <p align="left">Shorewall works with any GNU/Linux distribution that includes 
-    the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.<h4 align="left">11. What Features does it have?</h4>
+     the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
-    <p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall Feature 
+ 
-    List</a>.<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
+<h4 align="left">11. What Features does it have?</h4>
-    <p align="left"><b>Answer: </b>Every time I've started to work on one, I find myself doing 
+       
-    other things. I guess I just don't care enough if Shorewall has a GUI to 
+<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall 
-    invest the effort to create one myself. There are several Shorewall GUI 
+Feature      List</a>.</p>
-    projects underway however and I will publish links to them when the authors 
+ 
-    feel that they are ready. <h4 align="left">
+<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?</h4>
+       
-    <p align="left"><b>Answer: </b>Shorewall is a concatenation of &quot;<u>Shore</u>line&quot; (<a href="http://www.cityofshoreline.com">the 
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
-    city where I live</a>) and &quot;Fire<u>wall</u>&quot;.<h4 align="left">
+myself doing      other things. I guess I just don't care enough if Shorewall
-<a name="faq14"></a>14.&nbsp; I'm connected via a cable modem and it has an 
+has a GUI to      invest the effort to create one myself. There are several
-internal web server that allows me to configure/monitor it but as expected if I 
+Shorewall GUI      projects underway however and I will publish links to
-enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks 
+them when the authors      feel that they are ready. </p>
-the cable modems web server.</h4>
+ 
-    <p align="left">Is there any way it can add a rule before the 
+<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
-rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address 
+       
-of the modem in/out but still block all other rfc1918 addresses.</p>
+<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
-    <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier than 
+(<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
-    1.3.1, create /etc/shorewall/start and in it, place the following:<div align="left">
+and "Fire<u>wall</u>".</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
 and it has an  internal web server that allows me to configure/monitor it 
 but as expected if I  enable rfc1918 blocking for my eth0 interface (the internet
 one), it also blocks  the cable modems web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
 that will let all traffic to and from the 192.168.100.1 address  of the modem 
 in/out but still block all other rfc1918 addresses.</p>
 <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
 than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 <div align="left">    
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
  </div>
 <div align="left">    
 <p align="left">If you are running version 1.3.1 or later, simply add the 
-  following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</div>
+   following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
 </div>
 <div align="left">    
 <blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
        <tbody>
       <tr>
          <td><u><b>SUBNET </b></u></td>
          <td><u><b>TARGET</b></u></td>
@ -492,88 +623,71 @@ of the modem in/out but still block all other rfc1918 addresses.</p>
          <td>192.168.100.1</td>
          <td>RETURN</td>
        </tr>
    </tbody>   
  </table>
    </blockquote>
  </div>
 <div align="left">    
-  <p align="left">Be sure that you add the entry ABOVE the entry for 
+<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.</p>
-  192.168.0.0/16.</div>
+ </div>
 <div align="left">    
 <h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
-  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 
+   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-  filtering on my external interface, my DHCP client cannot renew its lease.</h4>
+1918    filtering on my external interface, my DHCP client cannot renew its
 lease.</h4>
  </div>
 <div align="left">    
 <p align="left">The solution is the same as FAQ 14 above. Simply substitute 
-  the IP address of your ISPs DHCP server.</div>
+   the IP address of your ISPs DHCP server.</p>
-<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to the 
+ </div>
 net</h4>
-<p align="left"><b>Answer: </b>Every time I read &quot;systems can't see out to the net&quot;, I wonder 
+<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to 
-where the poster bought computers with eyes and what those computers will &quot;see&quot; 
+the  net</h4>
-when things are working properly. That aside, the most common causes of this 
+    
-problem are:</p>
+<p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
 the net", I wonder  where the poster bought computers with eyes and what those
 computers will "see"  when things are working properly. That aside, the most
 common causes of this  problem are:</p>
 <ol>
-  <li><p align="left">The default gateway on each local system isn't set to the 
+    <li>     
-  IP address of the local firewall interface.</p>
+    <p align="left">The default gateway on each local system isn't set to 
-
+the    IP address of the local firewall interface.</p>
     </li>
-  <li><p align="left">The entry for the local network in the /etc/shorewall/masq 
+    <li>     
    <p align="left">The entry for the local network in the /etc/shorewall/masq 
   file is wrong or missing.</p>
     </li>
-  <li><p align="left">The DNS settings on the local systems are wrong or the 
+    <li>     
-  user is running a DNS server on the firewall and hasn't enabled UDP and TCP 
+    <p align="left">The DNS settings on the local systems are wrong or the 
-  port 53 from the firewall to the internet.</p>
+   user is running a DNS server on the firewall and hasn't enabled UDP and 
-
+TCP    port 53 from the firewall to the internet.</p>
     </li>
 </ol>
 <h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages all 
 over my console making it unusable!</h4>
-  <p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup 
+<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages 
-  scripts or place it in /etc/shorewall/start. Under RedHat, the max log level 
+all  over my console making it unusable!</h4>
  that is sent to the console is specified in /etc/sysconfig/init in the 
  LOGLEVEL variable.</p>
-  <h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my 
+<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
-  interfaces properly?</h4>
+to your startup    scripts or place it in /etc/shorewall/start. Under RedHat, 
-
+the max log level    that is sent to the console is specified in /etc/sysconfig/init 
-  <p align="left">I just installed Shorewall and when I issue the start command, 
+in the    LOGLEVEL variable.</p>
  I see the following:</p>
 <div align="left">
-  <pre>     Processing /etc/shorewall/shorewall.conf ...
+<p align="left"></p>
     Processing /etc/shorewall/params ...
     Starting Shorewall...
     Loading Modules...
     Initializing...
     Determining Zones...
     Zones: net loc
     Validating interfaces file...
     Validating hosts file...
     Determining Hosts in Zones...
 <b>     Net Zone: eth0:0.0.0.0/0
     Local Zone: eth1:0.0.0.0/0
 </b>     Deleting user chains...
     Creating input Chains...
     ...</pre>
 </div>
 <div align="left">
  <p align="left">Why can't Shorewall detect my interfaces properly?</div>
 <div align="left">
  <p align="left"><b>Answer: </b>The above output is perfectly normal. The Net 
  zone is defined as all hosts that are connected through eth0 and the local 
  zone is defined as all hosts connected through eth1.</div>
-<p align="left"><font size="2">Last updated 
+<p align="left"><font size="2">Last updated 9/23/2002 - <a
-8/24/2002 - <a href="support.htm">Tom
+ href="support.htm">Tom Eastep</a></font></p>
 Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -1,106 +1,106 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+                 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
                  <base target="main">             
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#4B017C" height="90">
+         
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#4b017c" height="90">
       <tbody>
        <tr>
         <td width="100%" height="90">                                 
-    <h3 align="center"><font color="#FFFFFF">Shorewall</font></h3>
+      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
         </td>
       </tr>
       <tr>
-    <td width="100%" bgcolor="#FFFFFF">
+         <td width="100%" bgcolor="#ffffff">                            
      <ul>
-      <li>
+           <li> <a href="seattlefirewall_index.htm">Home</a></li>
-<a href="seattlefirewall_index.htm">Home</a></li>
+                   <li> <a href="shorewall_features.htm">Features</a></li>
-      <li>
+           <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
-<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
+           <li> <a href="download.htm">Download</a></li>
-      <li>
+           <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
-<a href="shorewall_features.htm">Features</a></li>
+           <li> <a href="Install.htm">Installation/Upgrade/</a><br>
      <li>
 <a href="shorewall_prerequisites.htm">Requirements</a></li>
      <li>
 <a href="download.htm">Download</a></li>
      <li>
 <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
      <li>
 <a href="Install.htm">Installation/Upgrade/</a><br>
     <a href="Install.htm">Configuration</a></li>
-      <li>
+           <li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
-<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
+           <li> <a href="Documentation.htm">Reference Manual</a></li>
-      <li>
+           <li> <a href="FAQ.htm">FAQs</a></li>
-<a href="Documentation.htm">Reference Manual</a></li>
+            <li><a href="useful_links.html">Useful Links</a><br>
-      <li>
+            </li>
-<a href="FAQ.htm">FAQs</a></li>
+           <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
-      <li>
+           <li> <a href="errata.htm">Errata</a></li>
-<a href="troubleshoot.htm">Troubleshooting</a></li>
+           <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
-      <li>
+           <li> <a href="support.htm">Support</a></li>
-<a href="errata.htm">Errata</a></li>
+           <li> <a href="mailing_list.htm">Mailing Lists</a></li>
-      <li>
+           <li> <a href="shorewall_mirrors.htm">Mirrors</a>             
-<a href="upgrade_issues.htm">Upgrade Issues</a></li>
+                              
-      <li>
+          <ul>
-<a href="support.htm">Support</a></li>
+             <li><a target="_top" href="http://slovakia.shorewall.net">Slovak
-      <li>
+  Republic</a></li>
-<a href="mailing_list.htm">Mailing Lists</a></li>
+             <li><a target="_top" href="http://shorewall.infohiiway.com">Texas,
-      <li>
+  USA</a></li>
 <a href="shorewall_mirrors.htm">Mirrors</a><ul>
        <li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
        <li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
             <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
-        <li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
+             <li><a target="_top"
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
             <li><a target="_top" href="http://france.shorewall.net">France</a></li>
          </ul>
           </li>
      </ul>
      <ul>
-      <li>
+           <li>   <a href="News.htm">News Archive</a></li>
-  <a href="News.htm">News Archive</a></li>
+           <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
-      <li>
+           <li> <a href="quotes.htm">Quotes from Users</a></li>
-<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li>
+           <li> <a href="shoreline.htm">About the Author</a></li>
-      <li>
+           <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
-<a href="quotes.htm">Quotes from Users</a></li>
+                                     
      <li>
 <a href="shoreline.htm">About the Author</a></li>
      <li>
 <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
         </td>
       </tr>
  </tbody>    
 </table>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
-  <p>
+             
-  <strong>Quick Search</strong><br>
+  <p>   <strong>Quick Search</strong><br>
-  <font face="Arial" size="-1">
+       <font face="Arial" size="-1">     <input type="text" name="words"
-    <input type=text name=words size=15></font><font size="-1"> </font>
+ size="15"></font><font size="-1"> </font>   <font face="Arial"
-  <font face="Arial" size="-1">
+ size="-1">     <input type="hidden" name="format" value="long">     <input
-    <input type=hidden name=format value=long>
+ type="hidden" name="method" value="and">     <input type="hidden"
-    <input type=hidden name=method value=and>
+ name="config" value="htdig">     <input type="submit" value="Search"></font> 
    <input type=hidden name=config value=htdig>
    <input type="submit" value="Search"></font>
    </p>
-  <font face="Arial">
+       <font face="Arial">   <input type="hidden" name="exclude"
-  <input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]">
+ value="[http://www.shorewall.net/pipermail/*]">   </font> </form>
  </font>
 </form>
-<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p>
+<p><b><a href="htdig/search.html">Extended Search</a></b></p>
-<p><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <p><a href="http://www.shorewall.net" target="_top">
 <img border="1" src="images/shorewall.jpg" width="119" height="38" hspace="0"></a></p>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
    </a></p>
      <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -1,41 +1,49 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Configuration File Basics</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1>
+      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
      </td>
    </tr>
 </table>
      <p><b><font color="#FF0000">Warning: </font>If you copy or edit your 
      configuration files on a system running Microsoft Windows, you <u>must</u> 
      run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
      dos2unix</a> before you use them with Shorewall.</b></p>
  </tbody> 
 </table>
 <p><b><font color="#ff0000">Warning: </font>If you copy or edit your     
  configuration files on a system running Microsoft Windows, you <u>must</u> 
       run them through <a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">       dos2unix</a> 
 before you use them with Shorewall.</b></p>
 <h2>Files</h2>
 <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
 <ul>
          <li>/etc/shorewall/shorewall.conf - used to set several firewall
         parameters.</li>
-        <li>/etc/shorewall/params - use this file to set shell variables that you will
+          <li>/etc/shorewall/params - use this file to set shell variables 
-    expand in other files.</li>
+that you will     expand in other files.</li>
-        <li>/etc/shorewall/zones - partition the firewall's view of the world
+          <li>/etc/shorewall/zones - partition the firewall's view of the 
-        into <i>zones.</i></li>
+world         into <i>zones.</i></li>
          <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
          <li>/etc/shorewall/interfaces - describes the interfaces on the
        firewall system.</li>
@ -44,50 +52,122 @@
          <li>/etc/shorewall/masq - directs the firewall where to use many-to-one 
         (dynamic) Network Address Translation (a.k.a. Masquerading) and Source
         Network Address Translation (SNAT).</li>
-        <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
+          <li>/etc/shorewall/modules - directs the firewall to load kernel 
-        <li>/etc/shorewall/rules - defines rules that are exceptions to the
+modules.</li>
-        overall policies established in /etc/shorewall/policy.</li>
+          <li>/etc/shorewall/rules - defines rules that are exceptions to 
 the         overall policies established in /etc/shorewall/policy.</li>
          <li>/etc/shorewall/nat - defines static NAT rules.</li>
          <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
-        <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts 
+          <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines 
-  accessible when Shorewall is stopped.</li>
+hosts    accessible when Shorewall is stopped.</li>
-        <li>/etc/shorewall/tcrules - defines marking of packets for later use by
+          <li>/etc/shorewall/tcrules - defines marking of packets for later 
-    traffic control/shaping or policy routing.</li>
+use by     traffic control/shaping or policy routing.</li>
-        <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
+          <li>/etc/shorewall/tos - defines rules for setting the TOS field 
-        headers.</li>
+in packet         headers.</li>
-        <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
+          <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels 
-        the firewall system.</li>
+with end-points on         the firewall system.</li>
-        <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
+          <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
 addresses.</li>
 </ul>
 <h2>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace
-      character a pound sign (&quot;#&quot;). You may also place comments at the end of any line, again by
+       character a pound sign ("#"). You may also place comments at the end 
-      delimiting the comment from the rest of the line with a pound sign.</p>
+of any line, again by       delimiting the comment from the rest of the line 
-            
+with a pound sign.</p>
 <p>Examples:</p>
 <pre># This is a comment</pre>
 <pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
      <pre># This is a comment</pre><pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
 <h2>Line Continuation</h2>
-     
+<p>You may continue lines in the configuration files using the usual backslash 
-      <p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed 
+("\") followed        immediately by a new line character.</p>
      immediately by a new line character.</p>
 <p>Example:</p>
 <pre>ACCEPT	net	fw	tcp \<br>smtp,www,pop3,imap  #Services running on the firewall</pre>
 <h2><a name="dnsnames"></a>Using DNS Names</h2>
 <p align="left">     </p>
 <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
 using DNS names in Shorewall configuration files. If you use DNS names and
 you are called out of bed at 2:00AM because Shorewall won't start as a result
 of DNS problems then don't say that you were not forewarned. <br>
  </b></p>
 <p align="left"><b>    -Tom<br>
  </b></p>
 <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall 
 configuration files may be specified either as IP addresses or as DNS Names.<br>
  <br>
 DNS names in iptables rules  aren't nearly as useful as they first appear. 
 When a DNS name appears in a rule,  the iptables utility resolves the name 
 to one or more IP addresses and inserts  those addresses into the rule. So 
 change in the DNS-&gt;IP address relationship  that occur after the firewall 
 has started have absolutely no effect on the  firewall's ruleset.    </p>
 <p align="left">     If your firewall rules include DNS names then:</p>
 <ul>
   <li>If your /etc/resolv.conf is wrong then your firewall won't     start.</li>
   <li>If your /etc/nsswitch.conf is wrong then your firewall won't     start.</li>
   <li>If your Name Server(s) is(are) down then your firewall won't     start.</li>
   <li>If your startup scripts try to start your firewall before starting 
 your DNS server then your firewall won't start.<br>
  </li>
   <li>Factors totally outside your control (your ISP's router is     down
 for example), can prevent your firewall from starting.</li>
  <li>You must bring up your network interfaces prior to starting your firewall.<br>
  </li>
 </ul>
 <p align="left"> Each DNS name much be fully qualified and include a minumum 
 of two periods (although one may be trailing). This restriction is imposed 
 by Shorewall to insure backward compatibility with existing configuration 
 files.<br>
  <br>
  Examples of valid DNS names:<br>
  </p>
 <ul>
   <li>mail.shorewall.net</li>
   <li>shorewall.net.</li>
 </ul>
  Examples of invalid DNS names:<br>
 <ul>
   <li>mail (not fully qualified)</li>
   <li>shorewall.net (only one period)</li>
 </ul>
  DNS names may not be used as:<br>
 <ul>
   <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
   <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
   <li>In the /etc/shorewall/nat file.</li>
 </ul>
  These are iptables restrictions and are not simply imposed for your inconvenience 
 by Shorewall. <br>
  <br>
      <pre>ACCEPT	net	fw	tcp \
 smtp,www,pop3,imap  #Services running on the firewall</pre>
 <h2>Complementing an Address or Subnet</h2>
 <p>Where specifying an IP address, a subnet or an interface, you can     
-      precede the item with &quot;!&quot; to specify the complement of the item. For 
+  precede the item with "!" to specify the complement of the item. For   
-      example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
+    example, !192.168.1.4 means "any host but 192.168.1.4".</p>
 <h2>Comma-separated Lists</h2>
@ -97,12 +177,12 @@ smtp,www,pop3,imap  #Services running on the firewall</pre>
 <ul>
          <li>Must not have any embedded white space.<br>
          Valid: routestopped,dhcp,norfc1918<br>
-        Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp; 
+          Invalid: routestopped,     dhcp,              norfc1818</li>
-        norfc1818</li>
+          <li>If you use line continuation to break a comma-separated list, 
-        <li>If you use line continuation to break a comma-separated list, the 
+the          continuation line(s) must begin in column 1 (or there would be
-        continuation line(s) must begin in column 1 (or there would be embedded 
+embedded          white space)</li>
        white space)</li>
          <li>Entries in a comma-separated list may appear in any order.</li>
 </ul>
 <h2>Port Numbers/Service Names</h2>
@ -117,108 +197,95 @@ smtp,www,pop3,imap  #Services running on the firewall</pre>
 <h2>Using Shell Variables</h2>
-      <p>You may use the file /etc/shorewall/params 
+<p>You may use the file /etc/shorewall/params     file to set shell variables 
-   file to set shell variables that you can then use in some of the other 
+that you can then use in some of the other    configuration files.</p>
  configuration files.</p>
-      <p>It is suggested that variable names begin with an upper case letter<font size="1">
+<p>It is suggested that variable names begin with an upper case letter<font
-     </font>to distinguish them from variables used internally within the 
+ size="1">      </font>to distinguish them from variables used internally 
-Shorewall    programs</p>
+within the  Shorewall    programs</p>
 <p>Example:</p>
 <blockquote>                                   
-        <pre>NET_IF=eth0
+  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
 NET_BCAST=130.252.100.255
 NET_OPTIONS=noping,norfc1918</pre>
       </blockquote>
 <p><br>
       Example (/etc/shorewall/interfaces record):</p>
-                       
+                            <font
-  <font face="Century Gothic, Arial, Helvetica">    
+ face="Century Gothic, Arial, Helvetica">                      
 <blockquote>                                         
  <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
       </blockquote>
                                         </font>                        
 <p>The result will be the same as if the record had been written</p>
-                           
+                                <font
-  <font face="Century Gothic, Arial, Helvetica">    
+ face="Century Gothic, Arial, Helvetica">                        
 <blockquote>                                               
  <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
       </blockquote>
                                             </font>                    
-            <p>Variables may be used anywhere in the 
+<p>Variables may be used anywhere in the              other configuration 
-            other configuration files.</p>
+files.</p>
 <h2>Using MAC Addresses</h2>
-      <p>Media Access Control (MAC) 
+<p>Media Access Control (MAC)        addresses can be used to specify packet 
-      addresses can be used to specify packet source in several of the 
+source in several of the        configuration files. To use this feature, 
-      configuration files. To use this feature, your kernel must have MAC 
+your kernel must have MAC        Address Match support (CONFIG_IP_NF_MATCH_MAC) 
-      Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
+included.</p>
 <p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
  unique MAC address.<br>
        <br>
-      In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers 
+        In GNU/Linux, MAC addresses are usually written as a series of 6
-      separated by colons. Example:<br>
+hex numbers        separated by colons. Example:<br>
        <br>
-&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
+       [root@gateway root]# ifconfig eth0<br>
-&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
+       eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
-&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255 
+       inet addr:206.124.146.176 Bcast:206.124.146.255        Mask:255.255.255.0<br>
-      Mask:255.255.255.0<br>
+       UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
-&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
+       RX packets:2398102 errors:0 dropped:0 overruns:0        frame:0<br>
-&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0 
+       TX packets:3044698 errors:0 dropped:0 overruns:0        carrier:0<br>
-      frame:0<br>
+       collisions:30394 txqueuelen:100<br>
-&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0 
+       RX bytes:419871805 (400.4 Mb) TX bytes:1659782221        (1582.8 Mb)<br>
-      carrier:0<br>
+       Interrupt:11 Base address:0x1800<br>
 &nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
 &nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 
      (1582.8 Mb)<br>
 &nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
        <br>
-      Because Shorewall uses colons as a separator for address fields, Shorewall requires 
+        Because Shorewall uses colons as a separator for address fields,
-      MAC addresses to be written in another way. In Shorewall, MAC addresses 
+Shorewall requires        MAC addresses to be written in another way. In
-      begin with a tilde (&quot;~&quot;) and consist of 6 hex numbers separated by 
+Shorewall, MAC addresses        begin with a tilde ("~") and consist of 6
-      hyphens. In Shorewall, the MAC address in the example above would be 
+hex numbers separated by        hyphens. In Shorewall, the MAC address in
-      written &quot;~02-00-08-E3-FA-55&quot;.</p>
+the example above would be        written "~02-00-08-E3-FA-55".</p>
 <h2>Shorewall Configurations</h2>
-      <p>
+         
- Shorewall allows you to have configuration 
+<p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-directories other than /etc/shorewall. The <a href="#Starting">shorewall start
+The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
 and restart</a>
    commands allow you to specify an alternate configuration directory and 
 Shorewall will use the files in the alternate directory rather than the corresponding
 files in /etc/shorewall. The alternate directory need not contain a complete
 configuration; those files not in the alternate directory will be read from
 /etc/shorewall.</p>
-      <p>
+         
- This facility permits you to easily create a test or temporary configuration 
+<p>  This facility permits you to easily create a test or temporary configuration 
 by:</p>
 <ol>
-        <li>
+          <li>  copying the files that need modification from /etc/shorewall 
- copying the files that need modification from /etc/shorewall to a separate 
+to a separate      directory;</li>
-    directory;</li>
+          <li>  modify those files in the separate directory; and</li>
-        <li>
+          <li>  specifying the separate directory in a shorewall start or 
- modify those files in the separate directory; and</li>
+shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
        <li>
 specifying the separate directory in a shorewall start or shorewall    
 restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
 ).</li>
 </ol>
-                                                                                  <p><font size="2">
+                                    
-  Updated 8/6/2002 - <a href="support.htm">Tom 
+<p><font size="2">   Updated 9/24/2002 - <a href="support.htm">Tom  Eastep</a>
 Eastep</a>
    </font></p>
@ -227,7 +294,7 @@ Eastep</a>
   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-                       
+                            <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -36,19 +36,19 @@
 <ul>
    <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>          
  Linux PPC</b> or     <b> TurboLinux</b> distribution     with a 2.4 kernel, 
-you can use the  RPM version (note: the             RPM should also work
+you can use the  RPM version (note: the             RPM should also work with
-with other distributions that             store init scripts in /etc/init.d
+other distributions that             store init scripts in /etc/init.d and
-and that             include chkconfig or insserv). If you find that it works
+that             include chkconfig or insserv). If you find that it works 
 in other cases, let <a href="mailto:teastep@shorewall.net">     me</a>   
            know so that I can mention them here. See the   <a
 href="Install.htm">Installation Instructions</a> if you have problems   
 installing the RPM.</li>
    <li>If you are running LRP, download the .lrp file (you might also want 
 to     download the .tgz so you will have a copy of the documentation).</li>
-   <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would 
+    <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
-    like a .deb package, Shorewall is in both the    <a
+would      like a .deb package, Shorewall is in both the    <a
- href="http://packages.debian.org/testing/net/shorewall.html">Debian    
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
-Testing Branch</a> and the    <a
+Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
 Unstable Branch</a>.</li>
    <li>Otherwise, download the <i>shorewall</i>             module (.tgz)</li>
@ -59,8 +59,8 @@ Testing Branch</a> and the    <a
 and  there is an documentation .deb that also contains the documentation.</p>
 <p>Please verify the version that you have        downloaded -- during the 
-release of a new version of Shorewall, the links        below may  point
+release of a new version of Shorewall, the links        below may  point to
-to a newer or an older version than is shown below.</p>
+a newer or an older version than is shown below.</p>
 <ul>
    <li>RPM - "rpm -qip LATEST.rpm"</li>
@ -78,12 +78,10 @@ that you have       downloaded.</font></p>
 <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY 
 INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
-IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
+IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed configuration
-AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
+of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
 TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
 CONNECTIVITY.</b></font></p>
-<p>Download Latest Version (<b>1.3.8</b>): <b>Remember that updates to the
+<p>Download Latest Version (<b>1.3.9</b>): <b>Remember that updates to the 
 mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>      
@ -295,11 +293,12 @@ cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
 component. There's no guarantee that what you find there will work at  all.</p>
   </blockquote>
-<p align="left"><font size="2">Last Updated 9/2/2002 - <a
+<p align="left"><font size="2">Last Updated 9/26/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -2,115 +2,120 @@
 <html>
 <head>
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
- <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+      
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
      <tbody>
      <tr>
        <td width="100%">                    
-     <h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
        </td>
      </tr>
  </tbody>  
 </table>
- <p align="center">
+<p align="center">       <b><u>IMPORTANT</u></b></p>
      <b><u>IMPORTANT</u></b></p>
 <ol>
      <li>                         
-            
+    <p align="left">          <b><u>I</u>f you use a Windows system to download
- <p align="left">
+ a corrected     script, be sure to run the script through <u>        <a
-  
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/"
-      <b><u>I</u>f you use a Windows system to download a corrected     script, be sure to
+ style="text-decoration: none;"> dos2unix</a></u>      after you have moved
-run the script through <u> 
+ it to your Linux system.</b></p>
      <a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
 dos2unix</a></u>
     after you have moved it to your Linux system.</b></p>
                   </li>
      <li>                         
-            
+    <p align="left">          <b>If you are installing Shorewall for the
- <p align="left">
+first time and plan to use the        .tgz and install.sh script, you can
-  
+untar the archive, replace the        'firewall' script in the untarred directory
-      <b>If you are installing Shorewall for the first time and plan to use the 
+ with the one you downloaded        below, and then run install.sh.</b></p>
      .tgz and install.sh script, you can untar the archive, replace the 
      'firewall' script in the untarred directory with the one you downloaded 
      below, and then run install.sh.</b></p>
                   </li>
      <li>                         
-            
+    <p align="left">          <b>When the instructions say to install a corrected
- <p align="left">
+ firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
-  
+or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
-      <b>When the instructions say to install a corrected firewall script in 
+the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
      /etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the 
      existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
       or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
       and /var/lib/shorewall/firewall  are symbolic links that point   
    to the 'shorewall' file used by your  system initialization scripts to
       start Shorewall during boot. It is  that file that must be overwritten
       with the corrected script. </b></p>
                   </li>
 </ol>
 <ul>
      <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-   <li>
+      <li>                            <b><a href="#V1.3">Problems in Version
-                
+ 1.3</a></b></li>
-          <b><a href="#V1.3">Problems in Version 1.3</a></b></li>
+      <li>                            <b><a href="errata_2.htm">Problems
-   <li>
+in  Version 1.2</a></b></li>
-                
+      <li>                            <b><font color="#660066">  <a
-          <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
+ href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
-   <li>
+      <li>                            <b><font color="#660066"><a
-                
+ href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
-          <b><font color="#660066">
+      <li>                            <b><a href="#Debug">Problems with kernels
- <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
+ &gt;= 2.4.18 and            RedHat iptables</a></b></li>
   <li>
          <b><font color="#660066"><a href="#iptables">
   Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
   <li>
          <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and 
          RedHat iptables</a></b></li>
      <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
      <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
     MULTIPORT=Yes</a></b></li>
 </ul>
 <hr>
-          <h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
+</ul>
 <hr>                          
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.8</h3>
 <ul>
   <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the 
 policy file doesn't work.</li>
   <li>A DNAT rule with the same original and new IP addresses but with different 
 port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
   </li>
 </ul>
 Installing                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
                                as described above corrects these problems.
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                       
        result in an error message. Installing                          
-                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
+    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
                                as described above corrects this problem.</p>
 <h3>Version 1.3.7a</h3>
-                              <p>&quot;shorewall refresh&quot; is not creating the proper 
+<p>"shorewall refresh" is not creating the proper                       
        rule for FORWARDPING=Yes. Consequently, after                   
-                              &quot;shorewall refresh&quot;, the firewall will not forward 
+            "shorewall refresh", the firewall will not forward          
                     icmp echo-request (ping) packets. Installing       
-                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
+                       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           this corrected firewall script</a> in /var/lib/shorewall/firewall
                                as described above corrects this problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
-                              <p>If &quot;norfc1918&quot; and &quot;dhcp&quot; are both specified as 
+<p>If "norfc1918" and "dhcp" are both specified as                      
         options on a given interface then RFC 1918                     
          checking is occurring before DHCP checking. This              
                 means that if a DHCP client broadcasts using an        
@ -119,20 +124,21 @@ dos2unix</a></u>
                                has two problems:</p>
 <ol>
-                                <li>If the firewall is running a DHCP server, 
+                                   <li>If the firewall is running a DHCP
-                                the client won't be able to obtain an IP address 
+server,                                   the client won't be able to obtain
-                                lease from that server.</li>
+an IP  address                                  lease from that server.</li>
-                                <li>With this order of checking, the &quot;dhcp&quot; 
+                                   <li>With this order of checking, the "dhcp"
                                  option cannot be used as a noise-reduction
-                                measure where there are both dynamic and static 
+                                  measure where there are both dynamic and
-                                clients on a LAN segment.</li>
+ static                                  clients on a LAN segment.</li>
 </ol>
-                              <p>
+<p>                               <a
-                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           This version of the 1.3.7a firewall script </a> 
-                              corrects the problem. It must be installed in /var/lib/shorewall 
+                               corrects the problem. It must be installed
-                              as described above.</p>
+ in /var/lib/shorewall                                as described above.</p>
 <h3>Version 1.3.7</h3>
@ -141,129 +147,136 @@ dos2unix</a></u>
         these md5sums -- if there's a difference, please               
                download again.</p>
-                              <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
+<pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
 	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
 	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
 <p>In other words, type &quot;md5sum &lt;<i>whatever package you downloaded</i>&gt; and 
 compare the result with what you see above.</p>
 <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7 
 version in each sequence from now on.</p>
-          <h3 align="Left">Version 1.3.6</h3>
+<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
 and   compare the result with what you see above.</p>
 <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
 .7   version in each sequence from now on.</p>
 <h3 align="left">Version 1.3.6</h3>
 <ul>
               <li>                                      
-                
+    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-          <p align="Left">If ADD_SNAT_ALIASES=Yes is specified in 
+ an error occurs when the firewall            script attempts to add an SNAT
-          /etc/shorewall/shorewall.conf, an error occurs when the firewall 
+ alias.  </p>
-          script attempts to add an SNAT alias.</li>
+    </li>
    <li>                                      
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
           cause errors during startup when Shorewall is run with iptables
 1.2.7. </p>
    </li>
          <p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options 
          cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
 </ul>
-          <p align="Left">These problems are fixed in
+<p align="left">These problems are fixed in           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
       this correct firewall script</a> which must be installed in      
     /var/lib/shorewall/ as described above. These problems are also    
       corrected in version 1.3.7.</p>
-          <h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
+<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
-          <p align="Left">A line was inadvertently deleted from the &quot;interfaces 
+<p align="left">A line was inadvertently deleted from the "interfaces   
-          file&quot; -- this line should be added back in if the version that you 
+        file" -- this line should be added back in if the version that you
            downloaded is missing it:</p>
-          <p align="Left">net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; detect&nbsp;&nbsp;&nbsp; 
+<p align="left">net    eth0    detect               routefilter,dhcp,norfc1918</p>
          routefilter,dhcp,norfc1918</p>
-          <p align="Left">If you downloaded two-interfaces-a.tgz then the above 
+<p align="left">If you downloaded two-interfaces-a.tgz then the above   
        line should already be in the file.</p>
-          <h3 align="Left">Version 1.3.5-1.3.5b</h3>
+<h3 align="left">Version 1.3.5-1.3.5b</h3>
-          <p align="Left">The new 'proxyarp' interface option doesn't work :-( 
+<p align="left">The new 'proxyarp' interface option doesn't work :-(    
-          This is fixed in
+       This is fixed in           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
       this corrected firewall script</a> which must be installed in    
       /var/lib/shorewall/ as described above.</p>
-          <h3 align="Left">Versions 1.3.4-1.3.5a</h3>
+<h3 align="left">Versions 1.3.4-1.3.5a</h3>
-          <p align="Left">Prior to version 1.3.4, host file entries such as the 
+<p align="left">Prior to version 1.3.4, host file entries such as the   
        following were allowed:</p>
 <div align="left">               
 <pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
    </div>
 <div align="left">      
 <p align="left">That capability was lost in version 1.3.4 so that it is only
-   possible to&nbsp; include a single host specification on each line. This 
+     possible to  include a single host specification on each line. This
-   problem is corrected by
+    problem is corrected by    <a
-   <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this 
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
     modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
-   as instructed above.</div>
+     as instructed above.</p>
  </div>
 <div align="left">      
-   <p align="left">This problem is corrected in version 1.3.5b.</div>
+<p align="left">This problem is corrected in version 1.3.5b.</p>
  </div>
-          <h3 align="Left">Version 1.3.5</h3>
+<h3 align="left">Version 1.3.5</h3>
-          <p align="Left">REDIRECT rules are broken in this version. Install
+<p align="left">REDIRECT rules are broken in this version. Install      
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
+    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
       this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
            as instructed above. This problem is corrected in version 1.3.5a.</p>
-          <h3 align="Left">Version 1.3.n, n &lt; 4</h3>
+<h3 align="left">Version 1.3.n, n &lt; 4</h3>
-          <p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands 
+<p align="left">The "shorewall start" and "shorewall restart" commands  
-          to not verify that the zones named in the /etc/shorewall/policy file 
+         to not verify that the zones named in the /etc/shorewall/policy
-          have been previously defined in the /etc/shorewall/zones file. The 
+file            have been previously defined in the /etc/shorewall/zones
-          &quot;shorewall check&quot; command does perform this verification so it's a 
+file. The            "shorewall check" command does perform this verification
-          good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
            changes.</p>
-          <h3 align="Left">Version 1.3.n, n &lt; 3</h3>
+<h3 align="left">Version 1.3.n, n &lt; 3</h3>
-          <p align="Left">If you have upgraded from Shorewall 1.2 and after 
+<p align="left">If you have upgraded from Shorewall 1.2 and after       
-          &quot;Activating rules...&quot; you see the message: &quot;iptables: No 
+    "Activating rules..." you see the message: "iptables: No            chains/target/match
-          chains/target/match by that name&quot; then you probably have an entry in 
+ by that name" then you probably have an entry in            /etc/shorewall/hosts
-          /etc/shorewall/hosts that specifies an interface that you didn't 
+ that specifies an interface that you didn't            include in /etc/shorewall/interfaces.
-          include in /etc/shorewall/interfaces. To correct this problem, you 
+ To correct this problem, you            must add an entry to /etc/shorewall/interfaces.
-          must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and 
+ Shorewall 1.3.3 and            later versions produce a clearer error message
-          later versions produce a clearer error message in this case.</p>
+ in this case.</p>
-          <h3 align="Left">Version 1.3.2</h3>
+<h3 align="left">Version 1.3.2</h3>
-          <p align="Left">Until approximately 2130 GMT on 17 June 2002, the 
+<p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version 
+           file can be identified by its size (56284 bytes). The correct
-          has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
 <ul>
               <li>The code to detect a duplicate interface entry in    
       /etc/shorewall/interfaces contained a typo that prevented it from
           working correctly. </li>
-            <li>&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.</li>
+               <li>"NAT_BEFORE_RULES=No" was broken; it behaved just like 
 "NAT_BEFORE_RULES=Yes".</li>
 </ul>
-          <p align="Left">Both problems are corrected in
+<p align="left">Both problems are corrected in           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">   
-          this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
+       this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
 as described above.</p>
 <ul>
               <li>                                      
-                
+    <p align="left">The IANA have just announced the allocation of subnet
-          <p align="Left">The IANA have just announced the allocation of subnet 
+            221.0.0.0/8. This           <a
-          221.0.0.0/8. This
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
      updated rfc1918</a> file reflects that allocation.</p>
                                </li>
 </ul>
-          <h3 align="Left">Version 1.3.1</h3>
+<h3 align="left">Version 1.3.1</h3>
 <ul>
               <li>TCP SYN packets may be double counted when           
@ -273,10 +286,11 @@ dos2unix</a></u>
          generated for a CONTINUE policy.</li>
               <li>When an option is given for more than one interface in 
             /etc/shorewall/interfaces then depending on the option, Shorewall
-            may ignore all but the first appearence of the option. For example:<br>
+              may ignore all but the first appearence of the option. For
 example:<br>
               <br>
-            net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
+               net    eth0    dhcp<br>
-            loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
+               loc    eth1    dhcp<br>
               <br>
               Shorewall will ignore the 'dhcp' on eth1.</li>
               <li>Update 17 June 2002 - The bug described in the prior bullet
@ -284,116 +298,105 @@ dos2unix</a></u>
              norfc1918, routefilter, multi, filterping and noping. An additional
              bug has been found that affects only the 'routestopped' option.<br>
               <br>
-            Users who downloaded the corrected script prior to 1850 GMT today 
+               Users who downloaded the corrected script prior to 1850 GMT
-            should download and install the corrected script again to ensure 
+ today              should download and install the corrected script again
-            that this second problem is corrected.</li>
+ to ensure              that this second problem is corrected.</li>
 </ul>
-          <p align="Left">These problems are corrected in
+<p align="left">These problems are corrected in           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">   
-          this firewall script</a> which should be installed in 
+       this firewall script</a> which should be installed in            /etc/shorewall/firewall
-          /etc/shorewall/firewall as described above.</p>
+ as described above.</p>
-          <h3 align="Left">Version 1.3.0</h3>
+<h3 align="left">Version 1.3.0</h3>
 <ul>
-            <li>Folks who downloaded 1.3.0 from the links on the download page 
+               <li>Folks who downloaded 1.3.0 from the links on the download
-            before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than 
+ page              before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
-            1.3.0. The &quot;shorewall version&quot; command will tell you which version 
+ rather than              1.3.0. The "shorewall version" command will tell
-            that you have installed.</li>
+ you which version              that you have installed.</li>
               <li>The documentation NAT.htm file uses non-existent     
-          wallpaper and bullet graphic files. The
+      wallpaper and bullet graphic files. The           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
      corrected version is here</a>.</li>
 </ul>
 <hr>
          <h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
          <p align="Left">The upgrade issues have moved to
          <a href="upgrade_issues.htm">a separate page</a>.</p>
 <hr>                          
 <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
-        <h3 align="Left"><a name="iptables"></a><font color="#660066">
+<p align="left">The upgrade issues have moved to           <a
- Problem with iptables version 1.2.3</font></h3>
+ href="upgrade_issues.htm">a separate page</a>.</p>
 <hr>                            
 <h3 align="left"><a name="iptables"></a><font color="#660066">  Problem with
 iptables version 1.2.3</font></h3>
 <blockquote>                            
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
         prevent it from working with Shorewall. Regrettably,  RedHat released
 this buggy iptables in RedHat   7.2. </p>
-        <p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
+  <p align="left"> I have built a <a
-        prevent it from working with Shorewall. Regrettably, 
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-RedHat released this buggy iptables in RedHat   7.2.&nbsp;</p>
+  corrected 1.2.3 rpm which you can download here</a>  and I have also built 
         an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
   </b>you upgrade to RedHat 7.2.</p>
-        <p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
+  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
- corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
+ has   released an iptables-1.2.4 RPM of their own which you can download
-        an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
+from<font color="#ff6633">   <a
- iptables-1.2.4   rpm which you can download here</a>. If 
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
-you are currently running RedHat 7.1, you can install either of these RPMs 
+   </font>I have installed this RPM   on my firewall and it works fine.</p>
          <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
-  <p align="Left"><font color="#FF6633"><b>Update
+  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
-  11/9/2001: </b></font>RedHat has
+ the patches are available         for download. This <a
-  released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
-  <a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
+     which corrects a problem with parsing of the --log-level specification
-  </font>I have installed this RPM
+ while         this <a
-  on my firewall and it works fine.</p>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
         corrects a problem in handling the  TOS target.</p>
-        <p align="Left">If you
+  <p align="left">To install one of the above patches:</p>
        would like to patch iptables 1.2.3 yourself, the patches are available
        for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
    which corrects a problem with parsing of the --log-level specification while
        this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
        corrects a problem in handling the&nbsp; TOS target.</p>
          <p align="Left">To install one of the above patches:</p>
  <ul>
             <li>cd iptables-1.2.3/extensions</li>
             <li>patch -p0 &lt; <i>the-patch-file</i></li>
        </ul>
  </ul>
              </blockquote>
 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
               and RedHat iptables</h3>
 <blockquote>          
-   <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may 
+  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
-   experience the following:</p>
+ may     experience the following:</p>
  <blockquote>                
-     <pre># shorewall start
+    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
 Processing /etc/shorewall/shorewall.conf ...
 Processing /etc/shorewall/params ...
 Starting Shorewall...
 Loading Modules...
 Initializing...
 Determining Zones...
 Zones: net
 Validating interfaces file...
 Validating hosts file...
 Determining Hosts in Zones...
 Net Zone: eth0:0.0.0.0/0
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
 Aborted (core dumped)
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
 Aborted (core dumped)
 </pre>
   </blockquote>
   <p>The RedHat iptables RPM is compiled with debugging enabled but the 
   user-space debugging code was not updated to reflect recent changes in the 
   Netfilter 'mangle' table. You can correct the problem by installing
   <a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
   this iptables RPM</a>. If you are already running a 1.2.5 version of 
   iptables, you will need to specify the --oldpackage option to rpm (e.g., 
   &quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
      </blockquote>
-                              <h3><a name="SuSE"></a>Problems 
+  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
-                              installing/upgrading RPM on SuSE</h3>
+  user-space debugging code was not updated to reflect recent changes in
 the     Netfilter 'mangle' table. You can correct the problem by installing 
    <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
    this iptables RPM</a>. If you are already running a 1.2.5 version of 
   iptables, you will need to specify the --oldpackage option to rpm (e.g.,
     "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
    </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
 RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict                      
         with kernel &lt;= 2.2 yet you have a 2.4 kernel                
-                              installed, simply use the &quot;--nodeps&quot; option to 
+               installed, simply use the "--nodeps" option to           
                    rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -412,18 +415,22 @@ Aborted (core dumped)
 <ul>
                                   <li>set MULTIPORT=No in              
                   /etc/shorewall/shorewall.conf; or </li>
-                                <li>if you are running Shorewall 1.3.6 you may 
+                                   <li>if you are running Shorewall 1.3.6 
-                                install
+you may                                  install                         
-                                <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
+       <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                             this firewall script</a> in /var/lib/shorewall/firewall
                                  as described above.</li>
 </ul>
- <p><font size="2">
+      
- Last updated 9/1/2002 -
+<p><font size="2">  Last updated 9/28/2002 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+    <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -1,32 +1,48 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mailing Lists</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
+      <h1 align="center"><a
-<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
+ href="http://www.gnu.org/software/mailman/mailman.html">        <img
-    <p align="right"><font color="#FFFFFF"><b>Powered by Postfix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
-    </b></font>
+ height="35">
       </a><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45">
       </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
      <p align="right"><font color="#ffffff"><b>Powered by Postfix       
  </b></font>     </p>
       </td>
    </tr>
  </tbody> 
 </table>
-<p align="left">
+<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
 <b>Note: </b>The list server limits posts to 120kb.</p>
-<h2 align="left">Not getting List Mail? -- <a href="mailing_list_problems.htm">Check
+<h2 align="left">Not getting List Mail? -- <a
-Here</a></h2>
+ href="mailing_list_problems.htm">Check Here</a></h2>
 <p align="left">If you experience problems with any of these lists, please
 let <a href="mailto:teastep@shorewall.net">me</a> know</p>
@ -36,104 +52,132 @@ let <a href="mailto:teastep@shorewall.net">me</a> know</p>
 <p align="left">You can report such problems by sending mail to tom dot eastep 
 at hp dot com.</p>
-      <h2>A Word about SPAM Filters
+<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
-<a href="http://ordb.org">
+ src="images/but3.png" hspace="3" width="88" height="31">
-<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><a href="http://osirusoft.com/"><img border="0" src="images/ORE.jpg" width="88" height="37"></a></h2>
+ </a><a href="http://osirusoft.com/"> </a></h2>
 <p>Before subscribing please read my <a href="spam_filters.htm">policy   
   about list traffic that bounces.</a> Also please note that the mail server 
-      at shorewall.net checks the sender of incoming mail against the open relay 
+       at shorewall.net checks the sender of incoming mail against the open 
-      databases at <a href="http://ordg.org">ordb.org</a> and at
+relay        databases at <a href="http://ordb.org">ordb.org.</a></p>
      <a href="http://osirusoft.com">osirusoft.com</a>.</p>
-      <h2>Search the Mailing List Archives</h2>
+<h2></h2>
-<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch">
+<h2 align="left">Mailing Lists Archive Search</h2>
-<p>
+   
-<font size="-1">
+<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
-Match: <select name="method">
+  <p> <font size="-1"> Match: 
-<option value="and">All
+  <select name="method">
-<option value="or">Any
+  <option value="and">All </option>
-<option value="boolean">Boolean
+  <option value="or">Any </option>
  <option value="boolean">Boolean </option>
  </select>
-Format: <select name="format">
+ Format: 
-<option value="builtin-long">Long
+  <select name="format">
-<option value="builtin-short">Short
+  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
-Sort by: <select name="sort">
+ Sort by: 
-<option value="score">Score
+  <select name="sort">
-<option value="time">Time
+  <option value="score">Score </option>
-<option value="title">Title
+  <option value="time">Time </option>
-<option value="revscore">Reverse Score
+  <option value="title">Title </option>
-<option value="revtime">Reverse Time
+  <option value="revscore">Reverse Score </option>
-<option value="revtitle">Reverse Title
+  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-</font>
+ </font> <input type="hidden" name="config" value="htdig"> <input
-<input type="hidden" name="config" value="htdig">
+ type="hidden" name="restrict"
-<input type="hidden" name="restrict" value="[http://www.shorewall.net/pipermail/.*]">
+ value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
-<input type="hidden" name="exclude" value="">
+ name="exclude" value=""> <br>
-<br>
+ Search: <input type="text" size="30" name="words" value=""> <input
-Search:
+ type="submit" value="Search"> </p>
 <input type="text" size="30" name="words" value="">
 <input type="submit" value="Search"> </p>
 </form>
 <h2 align="left">Shorewall Users Mailing List</h2>
-<p align="left">The Shorewall Users Mailing list provides a way for users to get
+   
-answers to questions and to report problems.
+<p align="left">The Shorewall Users Mailing list provides a way for users 
-Information of general interest to the Shorewall user community is also posted
+to get answers to questions and to report problems. Information of general 
-to this list.</p>
+interest to the Shorewall user community is also posted to this list.</p>
-<p align="left"><b>Before posting a problem report to this list, please see the
+   
-<a href="support.htm">problem reporting guidelines</a>.</b></p>
+<p align="left"><b>Before posting a problem report to this list, please see 
-<p align="left">To subscribe to the mailing list, go to
+the <a href="support.htm">problem reporting guidelines</a>.</b></p>
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
+   
-<p align="left">To post to the list, post to <a href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
+<p align="left">To subscribe to the mailing list, go to <a
-<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <a href="http://sourceforge.net">Sourceforge</a>.
+   
-The archives from that list may be found at <a href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
+<p align="left">To post to the list, post to <a
 href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
 <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
 <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
 may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
 <p align="left">This list is for announcements of general interest to the
-Shorewall community. To subscribe, go to
+ Shorewall community. To subscribe, go to <a
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
-<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
+   
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
-<p align="left">The Shorewall Development Mailing list provides a forum for the
+   
-exchange of ideas about the future of Shorewall and for coordinating ongoing
+<p align="left">The Shorewall Development Mailing list provides a forum for 
 the exchange of ideas about the future of Shorewall and for coordinating ongoing
 Shorewall Development.</p>
-<p align="left">To subscribe to the mailing list, go to
+   
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
+<p align="left">To subscribe to the mailing list, go to <a
-<p align="left">To post to the list, post to <a href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>.&nbsp;</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
-<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
+   
-<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of the 
+<p align="left">To post to the list, post to <a
-Mailing Lists</h2>
+ href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
 <p align="left">The list archives are at <a
 href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
 <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of 
 the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing 
 from Mailman-managed lists. To unsubscribe:</p>
 <ul>
    <li>      
-<p align="left">Follow the same link above that you used to subscribe to the 
+    <p align="left">Follow the same link above that you used to subscribe 
-list.</p>
+to the  list.</p>
    </li>
    <li>      
-<p align="left">Down at the bottom of that page is the following text: &quot;To 
+    <p align="left">Down at the bottom of that page is the following text: 
-change your subscription (set options like digest and delivery modes, get a 
+"To  change your subscription (set options like digest and delivery modes, 
-reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;), enter 
+get a  reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
-your subscription email address:&quot;. Enter your email address in the box and click 
+enter  your subscription email address:". Enter your email address in the
-on the &quot;Edit Options&quot; button.</p>
+box and click  on the "Edit Options" button.</p>
    </li>
    <li>      
-<p align="left">There will now be a box where you can enter your password and 
+    <p align="left">There will now be a box where you can enter your password 
-click on &quot;Unsubscribe&quot;; if you have forgotten your password, there is another 
+and  click on "Unsubscribe"; if you have forgotten your password, there is 
-button that will cause your password to be emailed to you.</p>
+another  button that will cause your password to be emailed to you.</p>
    </li>
 </ul>
 <hr>  
 <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
 <p align="left"><font size="2">Last updated 7/26/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
 <font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
 <p align="left"><font size="2">Last updated 9/27/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@ -39,16 +39,18 @@ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1
  <p> I use:<br>
   </p>
  <ul>
     <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 
 and external address 206.124.146.178.</li>
     <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses: 
 192.168.1.3/24 and 206.124.146.179/24.</li>
-    <li>SNAT through the primary gateway address (206.124.146.176) for  my
+     <li>SNAT through the primary gateway address (206.124.146.176) for 
-Wife's system (tarry)  and the Wireless Access Point (wap)</li>
+my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
  </ul>
-  <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
+  <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
  <p> Wookie  runs Samba and acts as the a WINS server.  Wookie is in its 
 own 'whitelist' zone  called 'me'.</p>
@ -106,8 +108,8 @@ of                           the entry in /etc/shorewall/proxyarp (see below).</
 <h3>Interfaces File: </h3>
 <blockquote>                                   
-  <p> This is set up so that I can start the firewall before bringing up
+  <p> This is set up so that I can start the firewall before bringing up my
-my Ethernet  interfaces. </p>
+Ethernet  interfaces. </p>
      </blockquote>
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp<br>	dmz	eth1 		206.124.146.255	-<br>	net	eth3		206.124.146.255 norfc1918<br>	-	texas 		-<br>	loc	ppp+<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -156,10 +158,11 @@ my Ethernet  interfaces. </p>
 <pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	ACCEPT		net		fw			tcp	1723<br>	ACCEPT		net		fw			gre<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-<p><font size="2"> Last updated 9/14/2002  - </font><font size="2">     
+<p><font size="2"> Last updated 9/19/2002  - </font><font size="2">      
                                      <a href="support.htm">Tom Eastep</a></font>
   </p>
    <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@ -1,96 +1,101 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Quotes from Shorewall Users</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1>
+      <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <p>"I just installed Shorewall after weeks of messing with       ipchains/iptables
 and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
 </p>
 "My case was almost like [the one above]. Well. instead of 'weeks' it was
 'months' for me, and I think I needed two minutes more:<br>
 <ul>
  <li>One to see that I had no Internet access from the firewall itself.</li>
  <li>Other to see that this was the default configuration, and it was enough
 to uncomment a line in /etc/shorewall/policy.<br>
  </li>
 </ul>
 Minutes instead of months! Congratulations and thanks for such a simple and
 well documented thing for something as huge as iptables." -- JV, Spain. 
-      <p>&quot;I just installed Shorewall after weeks of messing with
+<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without
-      ipchains/iptables and I had it up and running in under 20 minutes!&quot;
+any problems. Your documentation is great and I really appreciate       your
-      -- JL, Ohio
+network configuration info. That really helped me out alot.       THANKS!!!"
 -- MM.           </p>
 <p>"[Shorewall is a] great, great project. I've used/tested may       firewall
 scripts but this one is till now the best." -- B.R,       Netherlands   
       </p>
 <p>"Never in my +12 year career as a sys admin have I witnessed       someone
 so relentless in developing a secure, state of the art, save and       useful
 product as the Shorewall firewall package for no cost or obligation     
 involved." -- Mario Kericki, Toronto           </p>
-      <p>&quot;I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
+<p>"one time more to report, that your great shorewall in the latest    
-      without any problems. Your documentation is great and I really appreciate
+   release       1.2.9 is working fine for me with SuSE Linux 7.3! I now
-      your network configuration info. That really helped me out alot.
+have 7 machines up       and running with shorewall on several versions -
-      THANKS!!!&quot; -- MM.
+starting with 1.2.2 up to       the new 1.2.9 and I never have encountered
-          </p>
+any problems!" -- SM, Germany</p>
 <p>"You have the best support of any other package I've ever       used."
 -- SE, US           </p>
-      <p>&quot;[Shorewall is a] great, great project. I've used/tested may
+<p>"Because our company has information which has been classified by the
      firewall scripts but this one is till now the best.&quot; -- B.R,
      Netherlands
          </p>
      <p>&quot;Never in my +12 year career as a sys admin have I witnessed
      someone so relentless in developing a secure, state of the art, save and
      useful product as the Shorewall firewall package for no cost or obligation
      involved.&quot; -- Mario Kericki, Toronto
          </p>
      <p>&quot;one time more to report, that your great shorewall in the latest 
      release
      1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up
      and running with shorewall on several versions - starting with 1.2.2 up to
      the new 1.2.9 and I never have encountered any problems!&quot; -- SM, Germany</p>
      <p>&quot;You have the best support of any other package I've ever
      used.&quot; -- SE, US
          </p>
 <p>&quot;Because our company has information which has been classified by the 
 national government as secret, our security doesn't stop by putting a fence
-around our company. Information security is a hot issue. We also make use of 
+ around our company. Information security is a hot issue. We also make use
-checkpoint firewalls, but not all of the internet servers are guarded by 
+of  checkpoint firewalls, but not all of the internet servers are guarded
-checkpoint, some of them are running....Shorewall.&quot; -- Name withheld by request, 
+by  checkpoint, some of them are running....Shorewall." -- Name withheld
-Europe</p>
+by request,  Europe</p>
-<p>&quot;thanx for all your efforts you put into shorewall - this product stands out 
+<p>"thanx for all your efforts you put into shorewall - this product stands
-against a lot of commercial stuff i´ve been working with in terms of 
+out  against a lot of commercial stuff i´ve been working with in terms of
-flexibillity, quality &amp; support&quot; -- RM, Austria</p>
+ flexibillity, quality &amp; support" -- RM, Austria</p>
-<p>&quot;I have never seen such a complete firewall package that is so easy to 
+<p>"I have never seen such a complete firewall package that is so easy to
 configure. I searched the Debian package system for firewall scripts and
-Shorewall won hands down.&quot; -- RG, Toronto</p>
+ Shorewall won hands down." -- RG, Toronto</p>
-<p>&quot;My respects... I've just found and installed Shorewall 1.3.3-1 and it is a 
+<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
-wonderful piece of software. I've just sent out an email to about 30 people 
+is a  wonderful piece of software. I've just sent out an email to about 30
-recommending it. :-)<br>
+people  recommending it. :-)<br>
 While I had previously taken the time (maybe 40 hours) to really understand
 ipchains, then spent at least an hour per server customizing and carefully
 scrutinizing firewall rules, I've got shorewall running on my home firewall,
-with rulesets and policies that I know make sense, in under 20 minutes.&quot; -- RP, 
+ with rulesets and policies that I know make sense, in under 20 minutes."
-Guatamala<br>
+-- RP,  Guatamala<br>
 <br>
-&nbsp;</p>
+  </p>
 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
 7/9/2002 - <a href="support.htm">Tom Eastep</a>
     </font>
 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
 - <a href="support.htm">Tom Eastep</a>      </font>                     
                       </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -2,37 +2,44 @@
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
               <base target="_self">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
                          <tbody>
                     <tr>
-           <td width="100%">           
+                            <td width="100%" height="90">               
      <h1 align="center"> <font size="4"><i>           <a
- href="http://www.cityofshoreline.com">       <img border="0"
+ href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
- src="images/washington.jpg" align="right" width="100" height="82">
+ alt="Shorwall Logo" height="70" width="85" align="left"
-      <img border="0" src="images/washington.jpg" align="left"
+ src="images/washington.jpg" border="0">
- width="100" height="82">
+                       </a></i></font><font color="#ffffff">Shorewall 1.3 
-      </a></i></font><font color="#ffffff">Shorewall 1.3 - <font
+-        <font size="4">"<i>iptables made easy"</i></font></font></h1>
- size="4">"<i>iptables made easy"</i></font></font></h1>
+                                                                         
      <div align="center"><a href="1.2" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
                </div>
                <br>
                            </td>
                          </tr>
  </tbody>                 
 </table>
 <div align="center">                          
 <center>                          
 <table border="0" cellpadding="0" cellspacing="0"
@ -41,185 +48,208 @@
                     <tr>
                              <td width="90%">                          
      <h2 align="left">What is it?</h2>
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                                                                        
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+                                    
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
      <p>This program is free software; you can redistribute it and/or modify 
        it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                           <br>
-           This program is distributed in the hope that it will be useful,
+                            This program is distributed in the hope that
-but        WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the 
-       or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+implied   warranty  of MERCHANTABILITY           or FITNESS FOR A PARTICULAR 
-       for more details.<br>
+PURPOSE.   See the  GNU General Public License          for more details.<br>
                           <br>
-           You should have received a copy of the GNU General Public License
+                            You should have received a copy of the GNU General
-       along with this program; if not, write to the Free Software Foundation,
+   Public    License          along with this program; if not, write to the
-       Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
+  Free Software    Foundation,          Inc., 675 Mass Ave, Cambridge, MA
 02139,   USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
-      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
+                                                                        
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-      </a>Jacques        Nilo and Eric Wolzak have a LEAF distribution called
+                       </a>Jacques        Nilo and Eric Wolzak have a LEAF
-      <i>Bering</i> that        features Shorewall-1.3.3 and Kernel-2.4.18.
+ distribution       called        <i>Bering</i> that        features Shorewall-1.3.3
-You can find their work at:   <a
+ and  Kernel-2.4.18.      You can find their work at:   <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
      <h2>News</h2>
-      <p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
+                                                                        
- src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
+                      
- height="12">
+      <p><b>9/28/2002 - Shorewall 1.3.9</b></p>
 </b></p>
      <p>In this version:<br>
     </p>
      <ul>
-        <li>A NEWNOTSYN option has been added to shorewall.conf. This option
+            <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
-determines whether Shorewall accepts TCP packets which are not part of an
+  are now allowed in Shorewall config files (although I recommend against
-established connection and that are not 'SYN' packets (SYN flag on and ACK
+using  them).</li>
-flag off).</li>
+            <li>The connection SOURCE may now be qualified by both interface
-        <li>The need for the 'multi' option to communicate between zones
+  and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
-za and zb on the same interface is removed in the case where the chain 'za2zb'
+            <li>Shorewall startup is now disabled after initial installation
-and/or 'zb2za' exists. 'za2zb' will exist if:</li>
+  until the file /etc/shorewall/startup_disabled is removed. This avoids
-        <ul>
+nasty   surprises at reboot for users who install Shorewall but don't configure
-          <li>       
+it.</li>
-            <blockquote>There is a policy for za to zb; or</blockquote>
+           <li>The 'functions' and 'version' files and the 'firewall' symbolic 
 link have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease 
 the LFS police at Debian.<br>
           </li>
-          <li>       
+                               
            <blockquote>There is at least one rule for za to zb.</blockquote>
     </li>
        </ul>
      </ul>
      <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
   Restored</b><b> </b><b><img border="0" src="images/new10.gif"
 width="28" height="12" alt="(New)">
                  </b><br>
             </p>
           <img src="images/j0233056.gif" alt="Brown Paper Bag"
 width="50" height="86" align="left">
       A couple of recent configuration changes at www.shorewall.net broke
 the  Search facility:<br>
      <blockquote>                                             
        <ol>
               <li>Mailing List Archive Search was not available.</li>
               <li>The Site Search index was incomplete</li>
               <li>Only one page of matches was presented.</li>
        </ol>
           </blockquote>
        Hopefully these problems are now corrected.                     
      <p><b>9/18/2002 -  Debian 1.3.8 Packages Available </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b><br>
                  </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
              <b> </b>                                                  
      <p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b></p>
      <p>In this version:<br>
                  </p>
      <ul>
-        <li>The /etc/shorewall/blacklist file now contains three columns.
+                         <li>A NEWNOTSYN option has been added to shorewall.conf. 
-In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and
+    This   option  determines whether Shorewall accepts TCP packets which 
-PORT columns to block only certain applications from the blacklisted addresses.<br>
+are    not part   of an  established connection and that are not 'SYN' packets 
  (SYN  flag on   and ACK  flag off).</li>
                         <li>The need for the 'multi' option to communicate 
 between     zones    za and zb on the same interface is removed in the case 
 where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will exist if: 
          <ul>
                            <li>There is a policy for za to zb; or</li>
                            <li>There is at least one rule for za to zb.
                                    </li>
          </ul>
                        </li>
      </ul>
      <ul>
                         <li>The /etc/shorewall/blacklist file now contains 
 three    columns.     In addition to the SUBNET/ADDRESS column, there are 
 optional    PROTOCOL and    PORT columns to block only certain applications 
 from the   blacklisted addresses.<br>
                    </li>
      </ul>
      <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
      <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
      <p>This is a role up of a fix for "DNAT" rules where the source zone 
        is $FW   (fw).</p>
      <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
      <p>This is a role up of the "shorewall refresh" bug fix and the change 
        which   reverses the order of "dhcp" and "norfc1918" checking.</p>
      <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
      <p><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
        is now available.</p>
      <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
      <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now 
-mirrored   at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
+        mirrored   at <a target="_top"
 href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
      <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
      <p>Lorenzo Martignoni reports that the packages for version 1.3.7a
 are available at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
      <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
 its Author   -- Shorewall 1.3.7a released  <img border="0"
 src="images/j0233056.gif" width="50" height="80" align="middle">
      </b></p>
      <p>1.3.7a corrects problems occurring in  rules file processing when
 starting Shorewall   1.3.7.</p>
      <p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
      <p>Features in this release include:</p>
      <ul>
         <li>The 'icmp.def' file is now empty! The rules in that file were
         required in ipchains firewalls but are not required in Shorewall.
 Users          who have ALLOWRELATED=No in <a
 href="Documentation.htm#Conf">         shorewall.conf</a> should see the
          <a href="errata.htm#Upgrade">Upgrade          Issues</a>.</li>
         <li>A 'FORWARDPING' option has been added to         <a
 href="Documentation.htm#Conf">shorewall.conf</a>. The effect of        
 setting this variable to Yes is the same as the effect of adding an    
     ACCEPT rule for ICMP echo-request in         <a
 href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.     
    Users who have such a rule in icmpdef are encouraged to switch to   
      FORWARDPING=Yes.</li>
         <li>The loopback CLASS A Network (127.0.0.0/8) has been added to
 the          rfc1918 file.</li>
         <li>Shorewall now works with iptables 1.2.7.</li>
         <li>The documentation and Web site no longer use FrontPage themes.</li>
      </ul>
      <p>I would like to thank John Distler for his valuable input regarding
 TCP SYN   and ICMP treatment in Shorewall. That input has led to marked improvement
 in   Shorewall in the last two releases.</p>
      <p><b>8/13/2002 - Documentation in the <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">  CVS Repository</a></b></p>
      <p>The Shorewall-docs project now contains just the HTML and image
 files - the   Frontpage files have been removed.</p>
      <p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
 target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">  CVS
 Repository</a></b></p>
      <p>This branch will only be updated after I release a new version of
 Shorewall   so you can always update from this branch to get the latest stable
 tree.</p>
      <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
 added   to the <a href="errata.htm">Errata Page</a></b></p>
      <p>Now there is one place to go to look for issues involved with upgrading
 to   recent versions of Shorewall.</p>
      <p><b>8/7/2002 - Shorewall 1.3.6</b></p>
      <p>This is primarily a bug-fix rollup with a couple of new features:</p>
      <ul>
    <li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
          </a>    including the <a href="shorewall_setup_guide.htm">Shorewall
 Setup Guide.</a></li>
    <li>Shorewall will now DROP TCP packets that are not part of or related
 to an     existing connection and that are not SYN packets. These "New not
 SYN" packets     may be optionally logged by setting the LOGNEWNOTSYN option
 in <a href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
    <li>The processing of "New not SYN" packets may be extended by commands
 in     the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
 script</a>.</li>
      </ul>
      <p><a href="News.htm">More News</a></p>
      <h2><a name="Donations"></a>Donations</h2>
                                                                 </td>
-             <td width="88" bgcolor="#4b017c" valign="top"
+                              <td width="88" bgcolor="#4b017c"
- align="center">             <a href="http://sourceforge.net">M</a></td>
+ valign="top" align="center">             <a
 href="http://sourceforge.net">M</a></td>
                            </tr>
  </tbody>                 
 </table>
                          </center>
@ -231,26 +261,35 @@ script</a>.</li>
                     <tbody>
                     <tr>
                       <td width="100%" style="margin-top: 1px;">       
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-      <img border="4" src="images/newlog.gif" width="57" height="100"
+                        </a></p>
 align="right" hspace="10">
      </a></p>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+                                                                     
-but if       you try it and find it useful, please consider making a donation
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-to       <a href="http://www.starlight.org"><font color="#ffffff">Starlight
+if       you try it and find it useful, please consider making a donation 
-Children's Foundation.</font></a> Thanks!</font></p>
+        to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                       </td>
                     </tr>
  </tbody>                 
 </table>
-<p><font size="2">Updated       9/16/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated       9/27/2002 - <a href="support.htm">Tom Eastep</a></font>
-     </font>                                                            
+                                                                        
  <br>
         </p>
          <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -2,49 +2,44 @@
 <html>
 <head>
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>About the Shorewall Author</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
-
+<table border="0" cellpadding="0" cellspacing="0"
-  
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
-      <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ bgcolor="#400169" height="90">
         <tbody>
    <tr>
           <td width="100%">           
-          <h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1>
+      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
           </td>
         </tr>
  </tbody>
 </table>
 <p align="center">       <img border="3" src="images/Hiking1.jpg"
 alt="Tom on the PCT - 1991" width="374" height="365">
 </p>
-  
+<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass, 
-      <p align="Center">
+     Washington  -- Sept       1991.<br>
-      <img border="3" src="images/Hiking1.jpg" alt="Tom on the PCT - 1991" width="374" height="365"></p>
+       <font size="2">Photo       by Ken Mazawa</font></p>
      <p align="Center">Tom on the Pacific Crest Trail north of Stevens Pass,
      Washington&nbsp; -- Sept
      1991.<br>
      <font size="2">Photo
      by Ken Mazawa</font></p>
 <ul>
     <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
-State</a>
+ State</a> .</li>
 .</li>
     <li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
-University</a>
+ University</a>  1967</li>
 1967</li>
     <li>MA Mathematics from <a href="http://www.washington.edu">University 
 of Washington</a> 1969</li>
     <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a> 
@ -52,57 +47,65 @@ of Washington</a> 1969</li>
     <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> 
 (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
     <li>Married 1969 - no children.</li>
 </ul>
 <p>I am currently a member of the design team for the next-generation   
   operating system from the NonStop Enterprise Division of HP. </p>
-      <p>I became interested in Internet Security
+<p>I became interested in Internet Security when I established a home office
-when I established a home office in 1999 and had DSL service installed in our
+in 1999 and had DSL service installed in our       home. I investigated ipchains
-      home. I investigated
+and developed the scripts which are now collectively known as <a
-ipchains and developed the scripts which are now collectively known as <a href="http://seawall.sourceforge.net"> Seattle
+ href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding
-      Firewall</a>. Expanding on what I learned from Seattle Firewall, I then
+on what I learned from Seattle Firewall, I then       designed and wrote
-      designed and wrote Shorewall. </p>
+Shorewall. </p>
-      <p>I telework from our home in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, 
+<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
-Washington</a>
+ Washington</a>  where I live with my wife Tarry. </p>
 where I live with my wife Tarry. </p>
 <p>Our current home network consists of: </p>
 <ul>
-    <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX 
+     <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
-    (Tulip) NIC - My personal Windows system.</li>
+and LNE100TX      (Tulip) NIC - My personal Windows system.</li>
-    <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My 
+     <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
-    personal Linux System which runs Samba configured as a WINS server. This 
+My      personal Linux System which runs Samba configured as a WINS server.
-    system also has <a href="http://www.vmware.com/">VMware</a> installed and 
+This      system also has <a href="http://www.vmware.com/">VMware</a> installed
-    can run both <a href="http://www.debian.org">Debian</a> and
+and      can run both <a href="http://www.debian.org">Debian</a> and    
    <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
-    <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
+     <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server 
+&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server      (Bind).</li>
-    (Bind).</li>
+     <li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
-    <li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3 
+- 3      LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
-    LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP  
+1.3.9 (Yep -- I run them before I release them) and a DHCP     server.  Also
-  server.  Also  runs PoPToP for     road warrior access.</li>
+ runs PoPToP for     road warrior access.</li>
-    <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's     personal system.</li>
+     <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's 
-    <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and     EEPRO100
+   personal system.</li>
-in expansion base and LinkSys WAC11 - My main work system.</li>
+     <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
 and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
 </ul>
  <p>For more about our network see <a href="myfiles.htm">my Shorewall
  Configuration</a>.</p>
-      <p>All of our 
+<p>For more about our network see <a href="myfiles.htm">my Shorewall   Configuration</a>.</p>
      other systems are made by <a href="http://www.compaq.com">Compaq</a> (part 
      of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a>
      FA310TXs.</p>
 <p>All of our        other systems are made by <a
 href="http://www.compaq.com">Compaq</a> (part        of the new <a
 href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
 href="http://www.netgear.com">Netgear</a>       FA310TXs.</p>
- <p><a href="http://www.redhat.com"><img border="0" src="images/poweredby.png" width="88" height="31"></a><a href="http://www.compaq.com"><img border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"></a><a href="http://www.pureftpd.org"><img border="0" src="images/pure.jpg" width="88" height="31"></a><font size="4"><a href="http://www.apache.org"><img border="0" src="images/apache_pb1.gif" hspace="2" width="170" height="20"></a>
+<p><a href="http://www.redhat.com"><img border="0"
- </font></p>
+ src="images/poweredby.png" width="88" height="31">
 </a><a href="http://www.compaq.com"><img border="0"
 src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
 </a><a href="http://www.pureftpd.org"><img border="0"
 src="images/pure.jpg" width="88" height="31">
 </a><font size="4"><a href="http://www.apache.org"><img border="0"
 src="images/apache_pb1.gif" hspace="2" width="170" height="20">
 </a>  </font></p>
-      
+<p><font size="2">Last updated 9/19/2002 - </font><font size="2">       <a
-      <p><font size="2">Last updated 8/16/2002 - </font><font size="2">
+ href="support.htm">Tom Eastep</a></font>  </p>
      <a href="support.htm">Tom Eastep</a></font>
 </p>
   <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -1,40 +1,53 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Prerequisites</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <ul>
-  <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm">
+   <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
-    Check here for kernel configuration       information.</a>
+    <a href="kernel.htm">     Check here for kernel configuration       information.</a> 
-     If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
+     If you are looking for a firewall for use with 2.2 kernels, <a
-    see       the Seattle Firewall site</a>
+ href="http://www.shorewall.net/seawall">     see       the Seattle Firewall
-    .</li>
+site</a>     .</li>
-  <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a href="errata.htm">Errata</a>.
+   <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
-  <font color="#FF0000"><b>WARNING: </b></font>The buggy iptables version 1.2.3 
+ href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
-  is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to 
+buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
-  installing Shorewall. Version 1.2.4 is available
+upgrade to iptables 1.2.4 prior to    installing Shorewall. Version 1.2.4
-  <a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> 
+is available   <a
-  and in the <a href="errata.htm">Shorewall Errata</a>. If you are going to be 
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
-  running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM 
+   and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
-  will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. </li>
+to be    running kernel 2.4.18 or later, NO currently-available RedHat iptables
-  <li>Some features require iproute ("ip" utility). The iproute package is
+RPM    will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
-    included with most distributions but may not be installed by default. The
+  </li>
-    official download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
+   <li>Some features require iproute ("ip" utility). The iproute package
-  <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
+is     included with most distributions but may not be installed by default.
 The     official download site is <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">   <font
 face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. 
  </li>
   <li>A Bourne shell or derivative such as bash or ash. Must have correct
      support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
@ -42,13 +55,14 @@
    } and       ${<i>variable</i>##<i>pattern</i>}.</li>
   <li>The firewall monitoring display is greatly improved if you have awk
      (gawk) installed.</li>
 </ul>
 <p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
-<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
+<p align="left"><font size="2">Last updated 9/19/2002 - <a
-<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -30,8 +30,8 @@
  </tbody> 
 </table>
-<p align="center">With thanks to Richard who reminded me once again that
+<p align="center">With thanks to Richard who reminded me once again that we
-we must  all first walk before we can run.</p>
+must  all first walk before we can run.</p>
 <h2>The Guides</h2>
@ -54,8 +54,8 @@ as a    firewall/router for a small local network and a DMZ.</li>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines 
 the steps necessary to set up a firewall where there are multiple public 
-IP  addresses involved or if you want to learn more about Shorewall than
+IP  addresses involved or if you want to learn more about Shorewall than is
-is  explained in the single-address guides above.</p>
+ explained in the single-address guides above.</p>
 <ul>
    <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -67,7 +67,8 @@ and Routing</a>
      <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
      <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
      <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
-     <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
+      <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
 Protocol</a></li>
    </ul>
@ -77,6 +78,7 @@ and Routing</a>
    </ul>
    </li>
    <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a> 
    <ul>
      <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -84,6 +86,7 @@ and Routing</a>
    <ul>
      <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> 
        <ul>
        <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
        <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -125,6 +128,8 @@ features</a>
      <li>Port Numbers/Service Names</li>
      <li>Port Ranges</li>
      <li>Using Shell Variables</li>
      <li>Using DNS Names<br>
 </li>
      <li>Complementing an IP address or Subnet</li>
      <li>Shorewall Configurations (making a test configuration)</li>
      <li>Using MAC Addresses in Shorewall</li>
@ -132,6 +137,7 @@ features</a>
    </ul>
    </li>
    <li><a href="Documentation.htm">Configuration File Reference Manual</a> 
    <ul>
      <li>   <a href="Documentation.htm#Variables">params</a></li>
      <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
@ -198,5 +204,6 @@ to a      remote network.</li>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -1,74 +1,99 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Standalone Firewall</title>
 </head>
  <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber6" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">         
-
+      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
 <h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1>
       </td>
    </tr>
  </tbody> 
 </table>
 <h2 align="center">Version 2.0.1</h2>
-<p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the 
+   
-documentation.</p>
+<p align="left">Setting up Shorewall on a standalone Linux system is very 
 easy if you understand the basics and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of 
-Shorewall. It rather focuses on what is required to configure Shorewall in one 
+ Shorewall. It rather focuses on what is required to configure Shorewall in
-of its 
+one  of its  most common configurations:</p>
-most common configurations:</p>
+   
 <ul>
    <li>Linux system</li>
    <li>Single external IP address</li>
    <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
 </ul>
-<p>This guide assumes that you have the iproute/iproute2 package installed (on 
+   
-RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this 
+<p>This guide assumes that you have the iproute/iproute2 package installed 
-package is installed by the presence of an <b>ip</b> program on your firewall 
+(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if 
-system. As root, you can use the 'which' command to check for this program:</p>
+this  package is installed by the presence of an <b>ip</b> program on your 
-<pre>     [root@gateway root]# which ip
+firewall  system. As root, you can use the 'which' command to check for this 
-     /sbin/ip
+program:</p>
-     [root@gateway root]#</pre><p>I recommend that you read through the guide 
+   
-first to familiarize yourself with what's involved then go back through it again 
+<pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-making your configuration changes.&nbsp; Points at which configuration changes 
+ 
-are recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
+<p>I recommend that you read through the guide  first to familiarize yourself 
-<p><img border="0" src="images/j0213519.gif" width="60" height="60">&nbsp;&nbsp;&nbsp; 
+with what's involved then go back through it again  making your configuration 
-If you edit your configuration files on a Windows system, you must save them as 
+changes.  Points at which configuration changes  are recommended are flagged 
-Unix files if your editor supports that option or you must run them through 
+with <img border="0" src="images/BD21298_.gif" width="13" height="13">
-dos2unix before trying to use them. Similarly, if you copy a configuration file 
+ .</p>
-from your Windows hard drive to a floppy disk, you must run dos2unix against the 
+   
-copy before using it with Shorewall.</p>
+<p><img border="0" src="images/j0213519.gif" width="60" height="60">
      If you edit your configuration files on a Windows system, you must
 save them as  Unix files if your editor supports that option or you must
 run them through  dos2unix before trying to use them. Similarly, if you copy
 a configuration file  from your Windows hard drive to a floppy disk, you
 must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
-  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of 
+    <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
-  dos2unix</a></li>
+of    dos2unix</a></li>
-  <li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of 
+    <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version 
-  dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
 <p>The configuration files for Shorewall are contained in the directory 
 /etc/shorewall -- for simple setups, you  only need to deal with a few of
-these as described in this guide.  After you have <a href="Install.htm">installed Shorewall</a>, 
+ these as described in this guide.  After you have <a href="Install.htm">installed
-download the <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, un-tar it 
+Shorewall</a>,  download the <a
-(tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
+ href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
 un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
 (they will replace files with the same names that were placed in /etc/shorewall
 during Shorewall installation).</p>
-<p>As each file is introduced, I suggest that you 
+   
-look through the actual file on your system -- each file contains detailed 
+<p>As each file is introduced, I suggest that you  look through the actual 
-configuration instructions and default entries.</p>
+file on your system -- each file contains detailed  configuration instructions 
-<p>Shorewall views the network where it is running as being composed of a set of 
+and default entries.</p>
-<i>zones.</i> In the one-interface sample configuration, only one zone is 
+   
-defined:</p>
+<p>Shorewall views the network where it is running as being composed of a 
-<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
+set of  <i>zones.</i> In the one-interface sample configuration, only one 
 zone is  defined:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
    <tbody>
     <tr>
      <td><u><b>Name</b></u></td>
      <td><u><b>Description</b></u></td>
@ -77,30 +102,41 @@ defined:</p>
      <td><b>net</b></td>
      <td><b>The Internet</b></td>
    </tr>
  </tbody> 
 </table>
-<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
+   
-/etc/shorewall/zones</a>.</p>
+<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
 <p>Shorewall also recognizes the firewall system as its own zone - by default, 
 the firewall itself is known as <b>fw</b>.</p>
 <p>Rules about what traffic to allow and what traffic to deny are expressed in 
 terms of zones.</p>
 <ul>
  <li>You express your default policy for connections from one zone to another 
  zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
  <li>You define exceptions to those default policies in the
  <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first checked against the 
 /etc/shorewall/rules file. If no rule in that file matches the connection 
 request then the first policy in /etc/shorewall/policy that matches the 
-request is applied. If that policy is REJECT or DROP&nbsp; the request is first 
+<p>Rules about what traffic to allow and what traffic to deny are expressed 
-checked against the rules in /etc/shorewall/common (the samples provide that 
+in  terms of zones.</p>
-file for you).</p>
+   
-<p>The /etc/shorewall/policy file included with the one-interface sample has the 
+<ul>
-following policies:</p>
+    <li>You express your default policy for connections from one zone to
 another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
    </a>file.</li>
    <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first 
 checked against the  /etc/shorewall/rules file. If no rule in that file matches 
 the connection  request then the first policy in /etc/shorewall/policy that 
 matches the    request is applied. If that policy is REJECT or DROP  the request
 is first  checked against the rules in /etc/shorewall/common (the samples
 provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the one-interface sample has
 the  following policies:</p>
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
      <tbody>
       <tr>
        <td><u><b>SOURCE ZONE</b></u></td>
        <td><u><b>DESTINATION ZONE</b></u></td>
@ -112,87 +148,115 @@ following policies:</p>
        <td>fw</td>
        <td>net</td>
        <td>ACCEPT</td>
-      <td>&nbsp;</td>
+        <td> </td>
-      <td>&nbsp;</td>
+        <td> </td>
      </tr>
      <tr>
        <td>net</td>
        <td>net</td>
        <td>DROP</td>
        <td>info</td>
-      <td>&nbsp;</td>
+        <td> </td>
      </tr>
      <tr>
        <td>all</td>
        <td>all</td>
        <td>REJECT</td>
        <td>info</td>
-      <td>&nbsp;</td>
+        <td> </td>
      </tr>
    </tbody>   
  </table>
  </blockquote>
-<pre>     fw		net	ACCEPT
+   
-     net	all	DROP	info
+<pre>     fw		net	ACCEPT<br>     net	all	DROP	info<br>     all	all	REJECT	info</pre>
-     all	all	REJECT	info</pre>
+   
 <p>The above policy will:</p>
 <ol>
    <li>allow all connection requests from the firewall to the internet</li>
    <li>drop (ignore) all connection requests from the internet to your firewall</li>
    <li>reject all other connection requests (Shorewall requires this catchall 
   policy).</li>
 </ol>
-<p>At this point, edit your /etc/shorewall/policy and make any changes that you 
+   
-wish.</p>
+<p>At this point, edit your /etc/shorewall/policy and make any changes that 
 you  wish.</p>
 <h2 align="left">External Interface</h2>
 <p align="left">The firewall has a single network interface. Where Internet 
-connectivity is through a cable or DSL &quot;Modem&quot;, the <i>External Interface</i> 
+ connectivity is through a cable or DSL "Modem", the <i>External Interface</i> 
-will be the ethernet adapter (<b>eth0</b>) that is connected to that &quot;Modem&quot;&nbsp;
+ will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
 <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
 over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a <b>ppp0</b>. If you connect via a regular modem, your External 
+ <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-Interface will also be <b>ppp0</b>. If you connect using ISDN, your external 
+a <b>ppp0</b>. If you connect via a regular modem, your External  Interface 
-interface will be<b> ippp0.</b></p>
+will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
-<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; The Shorewall one-interface sample configuration assumes that 
+will be<b> ippp0.</b></p>
-the external interface is <b>eth0</b>. 
+   
-If your configuration is different, you will have to modify the sample 
+<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
-/etc/shorewall/interfaces file accordingly. While you are there, you may wish to 
+ height="13">
-review the list of options that are specified for the interface. Some hints:</p>
+     The Shorewall one-interface sample configuration assumes that  the external 
 interface is <b>eth0</b>.  If your configuration is different, you will have 
 to modify the sample  /etc/shorewall/interfaces file accordingly. While you 
 are there, you may wish to  review the list of options that are specified 
 for the interface. Some hints:</p>
 <ul>
    <li>        
-  <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, you can replace the 
+    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-  &quot;detect&quot; in the second column with &quot;-&quot;.</li>
+you can replace the    "detect" in the second column with "-".   </p>
   </li>
   <li>        
-  <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> or if you have a static IP 
+    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-  address, you can remove &quot;dhcp&quot; from the option list.</li>
+or if you have a static IP    address, you can remove "dhcp" from the option 
 list. </p>
   </li>
 </ul>
 <div align="left">    
 <h2 align="left">IP Addresses</h2>
  </div>
 <div align="left">  
-<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges for 
+<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges 
-use in private networks:</p>
+for  use in private networks:</p>
 <div align="left">    
-  <pre>     10.0.0.0    - 10.255.255.255
+<pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
     172.16.0.0  - 172.31.255.255
     192.168.0.0 - 192.168.255.255</pre>
  </div>
 <p align="left">These addresses are sometimes referred to as <i>non-routable</i> 
   because the Internet backbone routers will not forward a packet whose 
-  destination address is reserved by RFC 1918. In some cases though, ISPs are 
+  destination address is reserved by RFC 1918. In some cases though, ISPs 
-  assigning these addresses then using <i>Network Address Translation </i>to 
+are    assigning these addresses then using <i>Network Address Translation 
-  rewrite packet headers when forwarding to/from the internet.</p>
+</i>to    rewrite packet headers when forwarding to/from the internet.</p>
-  <p align="left"><img border="0" src="images/BD21298_.gif" align="left" width="13" height="13">&nbsp;&nbsp;&nbsp;&nbsp; 
+     
-  Before starting Shorewall, you should look at the IP address of your external 
+<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
-  interface and if it is one of the above ranges, you should remove the 
+ width="13" height="13">
-  'norfc1918' option from the entry in /etc/shorewall/interfaces.</div>
+         Before starting Shorewall, you should look at the IP address of
 your external    interface and if it is one of the above ranges, you should
 remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
 </div>
 <div align="left">    
 <h2 align="left">Enabling other Connections</h2>
  </div>
 <div align="left">    
-  <p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div>
+<p align="left">If you wish to enable connections from the internet to your 
 firewall, the general format is:</p>
 </div>
 <div align="left">    
 <blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
        <tbody>
       <tr>
          <td><u><b>ACTION</b></u></td>
          <td><u><b>SOURCE</b></u></td>
@ -208,18 +272,25 @@ use in private networks:</p>
          <td>fw</td>
          <td><i>&lt;protocol&gt;</i></td>
          <td><i>&lt;port&gt;</i></td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
        </tr>
    </tbody>   
  </table>
    </blockquote>
  </div>
 <div align="left">    
-  <p align="left">Example - You want to run a Web Server and a POP3 Server on your firewall 
+<p align="left">Example - You want to run a Web Server and a POP3 Server on
-  system:</div>
+your firewall    system:</p>
 </div>
 <div align="left">    
 <blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber5">
        <tbody>
       <tr>
          <td><u><b>ACTION</b></u></td>
          <td><u><b>SOURCE</b></u></td>
@ -235,8 +306,8 @@ use in private networks:</p>
          <td>fw</td>
          <td>tcp</td>
          <td>80</td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
        </tr>
        <tr>
          <td>ACCEPT</td>
@ -244,22 +315,31 @@ use in private networks:</p>
          <td>fw</td>
          <td>tcp</td>
          <td>110</td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
        </tr>
    </tbody>   
  </table>
    </blockquote>
  </div>
 <div align="left">    
-  <p align="left">If you don't know what port and protocol a particular 
+<p align="left">If you don't know what port and protocol a particular    application
-  application uses, see <a href="ports.htm">here</a>.</div>
+uses, see <a href="ports.htm">here</a>.</p>
 </div>
 <div align="left">    
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
-  the internet because it uses clear text (even for login!). If you want shell 
+   the internet because it uses clear text (even for login!). If you want 
-  access to your firewall from the internet, use SSH:</div>
+shell    access to your firewall from the internet, use SSH:</p>
 </div>
 <div align="left">    
 <blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
        <tbody>
       <tr>
          <td><u><b>ACTION</b></u></td>
          <td><u><b>SOURCE</b></u></td>
@ -275,46 +355,72 @@ use in private networks:</p>
          <td>fw</td>
          <td>tcp</td>
          <td>22</td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
        </tr>
    </tbody>   
  </table>
    </blockquote>
  </div>
 <div align="left">    
 <pre>     ACCEPT	net	fw	tcp	22</pre>
  </div>
 <div align="left">    
-  <p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, edit 
+<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
-  /etc/shorewall/rules to add other connections as desired.</div>
+ height="13">
     At this point, edit    /etc/shorewall/rules to add other connections 
 as desired.</p>
 </div>
 <div align="left">    
 <h2 align="left">Starting and Stopping Your Firewall</h2>
  </div>
 <div align="left">
  <p align="left">The <a href="Install.htm">installation procedure </a>
  configures your system to start Shorewall at system boot.</div>
 <div align="left">
  <p align="left">The firewall is started using the &quot;shorewall start&quot; command 
  and stopped using &quot;shorewall stop&quot;. When the firewall is stopped, routing is 
  enabled on those hosts that have an entry in
  <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
  running firewall may be restarted using the &quot;shorewall restart&quot; command. If 
  you want to totally remove any trace of Shorewall from your Netfilter 
  configuration, use &quot;shorewall clear&quot;.</div>
 <div align="left">
  <p align="left"><b>WARNING: </b>If you are connected to your firewall from the 
  internet, do not issue a &quot;shorewall stop&quot; command unless you have added an 
  entry for the IP address that you are connected from to
  <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using &quot;shorewall restart&quot;; it is better to create an
  <i><a href="Documentation.htm#Configs">alternate configuration</a></i> and 
  test it using the <a href="Documentation.htm#Starting">&quot;shorewall try&quot; command</a>.</div>
 <p align="left"><font size="2">Last updated 
 7/23/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
+<div align="left">    
 <p align="left">          <img border="0" src="images/BD21298_2.gif"
 width="13" height="13" alt="Arrow">
      The <a href="Install.htm">installation procedure </a>   configures
 your system to start Shorewall at system boot but beginning with Shorewall
 version 1.3.9 startup is disabled so that your system won't try to start
 Shorewall before configuration is complete. Once you have completed configuration
 of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
 </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
 package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
 </p>
 </div>
 <div align="left">    
 <p align="left">The firewall is started using the "shorewall start" command 
   and stopped using "shorewall stop". When the firewall is stopped, routing 
 is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
   running firewall may be restarted using the "shorewall restart" command. 
 If    you want to totally remove any trace of Shorewall from your Netfilter 
   configuration, use "shorewall clear".</p>
 </div>
 <div align="left">    
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
 the    internet, do not issue a "shorewall stop" command unless you have added
 an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
  Also, I don't recommend using "shorewall restart"; it is better to create 
 an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
 and    test it using the <a href="Documentation.htm#Starting">"shorewall try"
 command</a>.</p>
 </div>
 <p align="left"><font size="2">Last updated 9/26/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
 M. Eastep</font></a></p>
   <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -1,73 +1,103 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Starting and Stopping Shorewall</title>
 </head>
  <body>
-                                                                                <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
           <tbody>
     <tr>
             <td width="100%">                                          
-                                                                                    <h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1>
+                                                 
      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
 the Firewall</font></h1>
             </td>
           </tr>
  </tbody> 
 </table>
-                                                                                <p>
+                                
-  If you have a permanent internet connection such as DSL     or Cable, I 
+<p>   If you have a permanent internet connection such as DSL     or Cable, 
-recommend that you start the firewall     automatically at boot. Once you 
+I  recommend that you start the firewall     automatically at boot. Once you
-have installed      "firewall" in your init.d directory, simply type     "chkconfig
+ have installed      "firewall" in your init.d directory, simply type   
--add firewall". This will start the     firewall in run levels 2-5 and stop
+ "chkconfig --add firewall". This will start the     firewall in run levels 
-it in run levels 1 and 6.     If you want to configure your firewall differently
+2-5 and stop it in run levels 1 and 6.     If you want to configure your firewall
-from this     default, you can use the "--level" option in     chkconfig
+differently from this     default, you can use the "--level" option in  
-(see "man chkconfig") or using your     favorite graphical run-level editor.</p>
+  chkconfig (see "man chkconfig") or using your     favorite graphical run-level
 editor.</p>
                                                                                <p><strong><u>
  <font color="#000099">
  Important Note:</font></u> </strong></p>
 <p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
 </p>
 <ol>
   <li>Shorewall startup is disabled by default. Once you have configured 
 your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. 
 Note: Users of the .deb package must edit /etc/default/shorewall and set
 'startup=1'.<br>
   </li>
   <li>If you use dialup, you may want to start the firewall     in your
 /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart"
 in that script.</li>
 </ol>
 <p>                                                                      
  If you use dialup, you may want to start the firewall     in your /etc/ppp/ip-up.local
 script. I recommend just placing     "shorewall restart" in that script.
          </p>
-                                                                                <p>
+                                  
-  You can manually start and stop Shoreline Firewall using     the "shorewall"
+<p>   You can manually start and stop Shoreline Firewall using     the "shorewall"
  shell program: </p>
 <ul>
     <li>shorewall start - starts the firewall</li>
     <li>shorewall stop - stops the firewall</li>
-   <li>shorewall restart - stops the firewall (if it's             running) and
+     <li>shorewall restart - stops the firewall (if it's             running) 
- then starts it again</li>
+and  then starts it again</li>
-   <li>shorewall reset - reset the packet and byte counters             in the 
+     <li>shorewall reset - reset the packet and byte counters           
-firewall</li>
+ in the  firewall</li>
-   <li>shorewall clear - remove all rules and chains             installed by
+     <li>shorewall clear - remove all rules and chains             installed 
-Shoreline  Firewall</li>
+by Shoreline  Firewall</li>
-   <li>shorewall refresh - refresh the rules involving the broadcast         addresses
+     <li>shorewall refresh - refresh the rules involving the broadcast  
- of firewall interfaces and the black and white lists.</li>
+      addresses  of firewall interfaces and the black and white lists.</li>
 </ul>
-                                                                                <p>
+                                  
-  The "shorewall" program may also be used to monitor the     firewall.</p>
+<p>   The "shorewall" program may also be used to monitor the     firewall.</p>
 <ul>
     <li>shorewall status - produce a verbose report about the firewall 
@ -79,96 +109,108 @@ Shoreline  Firewall</li>
     <li>shorewall show tos - produce a verbose report about the mangle table 
        (iptables -t mangle -L -n -v)</li>
     <li>shorewall show log - display the last 20 packet log entries.</li>
-   <li>shorewall show connections - displays the IP connections currently being 
+     <li>shorewall show connections - displays the IP connections currently 
-   tracked by the firewall.</li>
+being     tracked by the firewall.</li>
     <li>shorewall                                                      
                              show                                      
-                                                                                    tc 
+                                              tc     - displays information 
-   - displays information about the traffic control/shaping configuration.</li>
+about the traffic control/shaping configuration.</li>
     <li>shorewall monitor [ delay ] - Continuously display the firewall
          status, last 20 log entries and nat. When the log entry display 
          changes, an audible alarm is sounded.</li>
-   <li>shorewall hits - Produces several reports about the Shorewall packet log 
+     <li>shorewall hits - Produces several reports about the Shorewall packet 
-        messages in the current /var/log/messages file.</li>
+log          messages in the current /var/log/messages file.</li>
-   <li>shorewall version -  Displays the installed
+     <li>shorewall version -  Displays the installed     version number.</li>
-    version number.</li>
+     <li>shorewall check -  Performs a <u>cursory</u> validation     of the 
-   <li>shorewall check -  Performs a <u>cursory</u> validation 
+zones, interfaces, hosts, rules and policy files.    <font size="4"
-   of the zones, interfaces, hosts, rules and policy files.
+ color="#ff6666"><b>The "check" command does not parse and     validate the 
-   <font size="4" color="#FF6666"><b>The &quot;check&quot; command does not parse and 
+generated iptables commands so even though the "check" command     completes 
-   validate the generated iptables commands so even though the &quot;check&quot; command 
+successfully, the configuration may fail to start. See the     recommended 
-   completes successfully, the configuration may fail to start. See the 
+way to make configuration changes described below. </b></font>    </li>
-   recommended way to make configuration changes described below. </b></font>
+     <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
-   </li>
+-  Restart shorewall using the     specified configuration and if an error 
-   <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -  Restart shorewall using the 
+occurs or if the<i> timeout </i>    option is given and the new configuration 
-   specified configuration and if an error occurs or if the<i> timeout </i>
+has been up for that many seconds     then shorewall is restarted using the 
-   option is given and the new configuration has been up for that many seconds 
+standard configuration.</li>
-   then shorewall is restarted using the standard configuration.</li>
+     <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
-   <li>shorewall deny, shorewall reject, shorewall accept and shorewall save 
+save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
-   implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
+     <li>shorewall logwatch (added in version 1.3.2) - Monitors the    <a
-   <li>shorewall logwatch (added in version 1.3.2) - Monitors the
+ href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall 
   <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall 
    messages are logged.</li>
 </ul>
-                                                                                <p>
+                                            
- The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b>&nbsp;and
+<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
- <b>shorewall try </b>commands allow you to specify which <a href="#Configs">
+  <b>shorewall try </b>commands allow you to specify which <a
-  Shorewall configuration</a>
+ href="#Configs">   Shorewall configuration</a>    to use:</p>
-   to use:</p>
+                                                                        
 <blockquote>                                                             
-                                                                                  <p>
+  <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
 shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
   shorewall try <i>configuration-directory</i></p>
   </blockquote>
-                                                                                  <p>
+                                                 
- If a <i>configuration-directory</i> is specified, each time that Shorewall
+<p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
  is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
   . If the file is present in the <i>configuration-directory</i>, that file
  will be used; otherwise, the file in /etc/shorewall will be used.</p>
-                                                                                  <p>
+ 
- When changing the configuration of a production firewall, I recommend the 
+<p>  When changing the configuration of a production firewall, I recommend 
- following:</p>
+the   following:</p>
 <ul>
             <li>mkdir /etc/test</li>
             <li>cd /etc/test</li>
-                                                                                    <li>&lt;copy any files that you need to change from /etc/shorewall to . and change them here&gt;</li>
+                                                                        
             <li>&lt;copy any files that you need to change from /etc/shorewall 
 to . and change them here&gt;</li>
             <li>shorewall -c . check</li>
             <li>&lt;correct any errors found by check and check again&gt;</li>
             <li>/sbin/shorewall try .</li>
 </ul>
-                                                                                  <p>
+                                                 
- If the configuration starts but doesn't work, just &quot;shorewall restart&quot; to 
+<p>  If the configuration starts but doesn't work, just "shorewall restart" 
- restore the old configuration. If the new configuration fails to start, the 
+to   restore the old configuration. If the new configuration fails to start, 
- &quot;try&quot; command will automatically start the old one for you.</p>
+the   "try" command will automatically start the old one for you.</p>
-                                                                                  <p>
+ 
- When the new configuration works then just </p>
+<p>  When the new configuration works then just </p>
 <ul>
             <li>cp * /etc/shorewall</li>
             <li>cd</li>
             <li>rm -rf /etc/test</li>
 </ul>
-                                                                                  <p><font size="2">
+ 
-  Updated 8/8/2002 - <a href="support.htm">Tom 
+<p><font size="2">   Updated 9/26/2002 - <a href="support.htm">Tom  Eastep</a>
 Eastep</a>
    </font></p>
@ -177,7 +219,7 @@ Eastep</a>
   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-                       
+                            <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -29,17 +29,18 @@
  </tbody>   
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
-is easier to post a problem than to use your own brain" </font>-- </i> <font
+easier to post a problem than to use your own brain" </font>-- </i> <font
- size="2">Weitse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
+ size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer with tell you how it works -- you
+<p align="left"> <i>"Any sane computer will tell you how it works -- you just
-just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+ have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
 <blockquote> </blockquote>
 <p><span style="font-weight: 400;"><i>"It irks me when people believe that 
 free software        comes at no cost. The cost is incredibly high."</i> 
- <font size="2">       Weitse Venema</font></span></p>
+- <font size="2">       Wietse Venema</font></span></p>
 <h3 align="left">Before Reporting a Problem</h3>
@ -47,20 +48,16 @@ free software        comes at no cost. The cost is incredibly high."</i>
 <ul>
      <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
-   <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains
+      <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
-a    number of tips to help you solve common problems.</li>
+contains  a    number of tips to help you solve common problems.</li>
      <li>The <a href="errata.htm">   Errata</a> has links to download updated 
    components.</li>
-   <li>The Mailing List Archives are a useful source of problem solving  
+      <li>The Mailing List Archives search facility can locate posts about
- information.</li>
+      similar problems:</li>
 </ul>
-<blockquote> 
+<h4>Mailing List Archive Search</h4>
  <p>The archives from the  mailing List are at <a
 href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
  <h3>Search the  Mailing List Archives at Shorewall.net</h3>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
  <p> <font size="-1"> Match: 
@ -90,20 +87,19 @@ a    number of tips to help you solve common problems.</li>
 Search: <input type="text" size="30" name="words" value=""> <input
 type="submit" value="Search"> </p>
 </form>
                                </blockquote>
 <h3 align="left">Problem Reporting Guidelines</h3>
 <ul>
-   <li>When reporting a problem, give as much information as you can. Reports 
+      <li>When reporting a problem, give as much information as you can.
-that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
-   <li>Please don't describe your environment and then ask us to send you 
+      <li>Please don't describe your environment and then ask us to send
-          custom configuration files. We're here to answer your questions
+you             custom configuration files. We're here to answer your questions 
 but we           can't do your job for you.</li>
      <li>Do you see any "Shorewall" messages in     /var/log/messages when 
 you exercise the function that is giving you problems?</li>
-   <li>Have you looked at the packet flow with a tool like tcpdump     to
+      <li>Have you looked at the packet flow with a tool like tcpdump   
-try to understand what is going on?</li>
+ to  try to understand what is going on?</li>
      <li>Have you tried using the diagnostic capabilities of the     application 
 that isn't working? For example, if "ssh" isn't able     to connect, using 
 the "-v" option gives you a lot of valuable     diagnostic information.</li>
@ -138,10 +134,13 @@ to  help people who have a similar question or problem in the future.</p>
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
      .</p>
-<p align="left"><font size="2">Last Updated 9/14/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -41,7 +41,8 @@ in one  of its more popular configurations:</p>
      <li>Linux system used as a firewall/router for a small local network.</li>
      <li>Single public IP address.</li>
      <li>DMZ connected to a separate ethernet interface.</li>
-   <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, ...</li>
+      <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
 ...</li>
 </ul>
@ -54,10 +55,11 @@ in one  of its more popular configurations:</p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
 (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
 this  package is installed by the presence of an <b>ip</b> program on your
-firewall  system. As root, you can use the 'which' command to check for this
+ firewall  system. As root, you can use the 'which' command to check for
-program:</p>
+this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the guide    to familiarize yourself 
 with what's involved then go back through it again  making your configuration 
 changes. Points at which configuration changes are  recommended are flagged 
@ -65,26 +67,26 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
   </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you edit your configuration files on a Windows system, you must save
+        If you edit your configuration files on a Windows system, you must
-them as  Unix files if your editor supports that option or you must run them
+ save them as  Unix files if your editor supports that option or you must
-through  dos2unix before trying to use them. Similarly, if you copy a configuration
+run them through  dos2unix before trying to use them. Similarly, if you copy
-file  from your Windows hard drive to a floppy disk, you must run dos2unix
+a configuration file  from your Windows hard drive to a floppy disk, you
-against the  copy before using it with Shorewall.</p>
+must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
      <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
 of    dos2unix</a></li>
-   <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
+      <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
+<p>The configuration files for Shorewall are contained in the directory 
-- for simple setups, you will only need to deal with a few of  these as
+/etc/shorewall -- for simple setups, you will only need to deal with a few
-described in this guide.  After you have <a href="Install.htm">installed
+of  these as described in this guide.  After you have <a
-Shorewall</a>,  download the <a
+ href="Install.htm">installed Shorewall</a>,  download the <a
 href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface 
 sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy the 
 files to /etc/shorewall  (the files will replace files with the same names 
@ -130,8 +132,9 @@ zone names are used:</p>
 in  terms of zones.</p>
 <ul>
-   <li>You express your default policy for connections from one zone to another
+      <li>You express your default policy for connections from one zone to
-   zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
+ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
     </a>file.</li>
      <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -215,17 +218,17 @@ the internet,  uncomment that line.</p>
 <ol>
      <li>allow all connection requests from your local network to the internet</li>
-   <li>drop (ignore) all connection requests from the internet to your firewall
+      <li>drop (ignore) all connection requests from the internet to your 
-   or local network</li>
+firewall     or local network</li>
-   <li>optionally accept all connection requests from the firewall to the
+      <li>optionally accept all connection requests from the firewall to
-   internet (if you uncomment the additional policy)</li>
+the     internet (if you uncomment the additional policy)</li>
      <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-    At this point, edit your /etc/shorewall/policy  file and make any changes
+       At this point, edit your /etc/shorewall/policy  file and make any
-that you  wish.</p>
+changes  that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -238,15 +241,15 @@ that you  wish.</p>
  will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a
+  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your
+a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
-External  Interface will also be <b>ppp0</b>. If you connect using ISDN,
+your External  Interface will also be <b>ppp0</b>. If you connect using ISDN, 
 you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-    If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then you will
+       If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then you
-want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+ will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
  eth1 or eth2) and will be connected to a hub or switch. Your local computers 
@ -285,6 +288,7 @@ you can replace the    "detect" in the second column with "-".   </p>
 or if you have a static IP    address, you can remove "dhcp" from the option 
 list. </p>
     </li>
 </ul>
 <h2 align="left">IP Addresses</h2>
@ -293,14 +297,14 @@ list. </p>
  Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
 <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
 Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
- when you dial in (standard modem) or establish your PPP connection. In rare
+  when you dial in (standard modem) or establish your PPP connection. In
- cases, your ISP may assign you a<i> static</i> IP address; that means that
+rare   cases, your ISP may assign you a<i> static</i> IP address; that means
-you  configure your firewall's external interface to use that address permanently.<i> 
+that  you  configure your firewall's external interface to use that address
-</i>Regardless of how the address is assigned, it will be shared by all of
+permanently.<i>  </i>Regardless of how the address is assigned, it will be
-your  systems when you access the Internet. You will have to assign your
+shared by all of your  systems when you access the Internet. You will have
-own addresses  for your internal network (the local and DMZ Interfaces on
+to assign your  own addresses  for your internal network (the local and DMZ
-your firewall plus your other  computers). RFC 1918 reserves several <i>Private
+Interfaces on  your firewall plus your other  computers). RFC 1918 reserves
-</i>IP address ranges for this  purpose:</p>
+several <i>Private  </i>IP address ranges for this  purpose:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -309,20 +313,21 @@ your firewall plus your other  computers). RFC 1918 reserves several <i>Private
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-       Before starting Shorewall, you should look at the IP address of your
+          Before starting Shorewall, you should look at the IP address of 
-external    interface and if it is one of the above ranges, you should remove
+your  external    interface and if it is one of the above ranges, you should 
-the    'norfc1918' option from the external interface's entry in    /etc/shorewall/interfaces.</p>
+remove  the    'norfc1918' option from the external interface's entry in 
  /etc/shorewall/interfaces.</p>
   </div>
 <div align="left">      
 <p align="left">You will want to assign your local addresses from one <i>
-  sub-network </i>or <i>subnet</i> and your DMZ addresses from another subnet.
+    sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-For our purposes, we can consider a subnet    to consists of a range of addresses
+subnet.  For our purposes, we can consider a subnet    to consists of a range
-x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet Mask </i>of 255.255.255.0.
+of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
-The address x.y.z.0 is reserved as    the <i>Subnet Address</i> and x.y.z.255
+Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
-is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
+Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>. 
-a subnet is described using   <a href="subnet_masks.htm"> <i>Variable-Length
+In Shorewall,  a subnet is described using <a href="subnet_masks.htm"><i>Classless 
-   Subnet Mask </i>(VLSM)</a> notation with consists of the subnet address
+InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet address 
 followed    by "/24". The "24" refers to the number of    consecutive "1" 
 bits from the left of the subnet mask. </p>
   </div>
@ -349,7 +354,7 @@ bits from the left of the subnet mask. </p>
            <td>10.10.10.255</td>
          </tr>
          <tr>
-         <td><b>VLSM Notation:</b></td>
+            <td><b>CIDR Notation:</b></td>
            <td>10.10.10.0/24</td>
          </tr>
@ -367,8 +372,8 @@ or the    last usable address (10.10.10.254).</p>
 <div align="left">      
 <p align="left">One of the purposes of subnetting is to allow all computers 
 in the    subnet to understand which other computers can be communicated 
-with directly.    To communicate with systems outside of the subnetwork,
+with directly.    To communicate with systems outside of the subnetwork, systems
-systems send packets    through a<i>  gateway</i>  (router).</p>
+send packets    through a<i>  gateway</i>  (router).</p>
   </div>
 <div align="left">      
@ -404,8 +409,8 @@ to as <i>non-routable</i> because the Internet backbone routers don't forward
 packets  which have an RFC-1918 destination address. When one of your local 
 systems  (let's assume local computer 1) sends a connection request to an 
 internet host, the  firewall must perform <i>Network Address Translation 
-</i>(NAT). The firewall  rewrites the source address in the packet to be
+</i>(NAT). The firewall  rewrites the source address in the packet to be the
-the address of the firewall's  external interface; in other words, the firewall
+address of the firewall's  external interface; in other words, the firewall 
 makes it look as if the firewall  itself is initiating the connection.  This 
 is necessary so that the  destination host will be able to route return packets 
 back to the firewall  (remember that packets whose destination address is 
@ -413,10 +418,10 @@ reserved by RFC 1918 can't  be routed accross the internet). When the firewall
 receives a return packet, it  rewrites the destination address back to 10.10.10.1 
 and  forwards the packet on to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
+ IP Masquerading</i> and you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
      <li>                  
@ -429,6 +434,7 @@ with  Netfilter:</p>
 the    source address that you want outbound packets from your local network 
 to use.    </p>
     </li>
 </ul>
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with 
@ -453,15 +459,15 @@ work fine if you leave that column  empty. Entering your static IP in column
 <p align="left">One of your goals will be to run one or more servers on your 
 DMZ computers. Because these computers have RFC-1918 addresses, it is not 
  possible for clients on the internet to connect directly to them. It is 
-rather  necessary for those clients to address their connection requests
+rather  necessary for those clients to address their connection requests to
-to your firewall  who rewrites the destination address to the address of
+your firewall  who rewrites the destination address to the address of your
-your server and forwards  the packet to that server. When your server responds,
+server and forwards  the packet to that server. When your server responds, 
 the firewall automatically  performs SNAT to rewrite the source address in 
 the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-Destination Network Address Translation</i> (DNAT). You configure port  forwarding
+  Destination Network Address Translation</i> (DNAT). You configure port
-using DNAT rules in the /etc/shorewall/rules file.</p>
+ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
 is:</p>
@ -482,7 +488,8 @@ is:</p>
        <tr>
          <td>DNAT</td>
          <td>net</td>
-       <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
+          <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
 port&gt;</i>]</td>
          <td><i>&lt;protocol&gt;</i></td>
          <td><i>&lt;port&gt;</i></td>
          <td> </td>
@ -493,8 +500,8 @@ is:</p>
  </table>
    </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
-be the same  as <i>&lt;port&gt;</i>.</p>
+the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming 
  TCP port 80 to that system:</p>
@ -538,11 +545,11 @@ be the same  as <i>&lt;port&gt;</i>.</p>
 <p>A  couple of important points  to keep in mind:</p>
 <ul>
-   <li>When you are connecting to your server from your local systems, you
+      <li>When you are connecting to your server from your local systems, 
-must    use the server's internal IP address (10.10.11.2).</li>
+you  must    use the server's internal IP address (10.10.11.2).</li>
-   <li>Many ISPs block incoming connection requests to port 80. If you have
+      <li>Many ISPs block incoming connection requests to port 80. If you 
-   problems connecting to your web server, try the following rule and try
+have     problems connecting to your web server, try the following rule and 
-   connecting to port 5000 (e.g., connect to <a
+try     connecting to port 5000 (e.g., connect to <a
 href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your 
 external IP).</li>
@ -674,17 +681,18 @@ given in    "nameserver" records in that file.   </p>
     <li>                  
    <p align="left"><img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-    You can configure a<i> Caching Name Server </i>on your    firewall or
+       You can configure a<i> Caching Name Server </i>on your    firewall 
-in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which also
+or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
-   requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
+also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
-If you    take this approach, you configure your internal systems to use
+If you    take this approach, you configure your internal systems to use the
-the caching    name server as their primary (and only) name server. You use
+caching    name server as their primary (and only) name server. You use the
-the internal IP    address of the firewall (10.10.10.254 in the example above)
+internal IP    address of the firewall (10.10.10.254 in the example above) 
 for the name    server address if you choose to run the name server on your 
 firewall. To allow your local systems to talk to your caching name    server, 
 you must open port 53 (both UDP and TCP) from the local network to the  
 server; you do that by adding the rules in /etc/shorewall/rules. </p>
     </li>
 </ul>
 <blockquote>            
@ -984,8 +992,8 @@ on your firewall    system:</p>
   </div>
 <div align="left">      
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
   </div>
 <div align="left">      
@ -1035,8 +1043,19 @@ as required.</p>
    </div>
 <div align="left">      
-<p align="left">The <a href="Install.htm">installation procedure </a>   configures
+<p align="left">     <img border="0" src="images/BD21298_2.gif"
-your system to start Shorewall at system boot.</p>
+ width="13" height="13" alt="Arrow">
     The <a href="Install.htm">installation procedure </a>   configures 
 your system to start Shorewall at system boot  but beginning with Shorewall
 version 1.3.9 startup is disabled so that your system won't try to start
 Shorewall before configuration is complete. Once you have completed configuration
 of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
   </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
 color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
 and set 'startup=1'.</font><br>
  </p>
    </div>
 <div align="left">      
@ -1070,11 +1089,14 @@ and    test it using the <a href="Documentation.htm#Starting">"shorewall
 try" command</a>.</p>
   </div>
-<p align="left"><font size="2">Last updated 9/16/2002 - <a
+<p align="left"><font size="2">Last updated 9/26/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
 M. Eastep</font></a></p>
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -40,8 +40,8 @@ in its  most common configuration:</p>
 <ul>
      <li>Linux system used as a firewall/router for a small local network.</li>
      <li>Single public IP address.</li>
-   <li>Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up
+      <li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
-   ...</li>
+ dial-up    ...</li>
 </ul>
@ -54,10 +54,11 @@ in its  most common configuration:</p>
 <p>This guide assumes that you have the iproute/iproute2 package installed 
 (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
 this  package is installed by the presence of an <b>ip</b> program on your
-firewall  system. As root, you can use the 'which' command to check for this
+ firewall  system. As root, you can use the 'which' command to check for
-program:</p>
+this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself 
 with what's involved then go back through it again  making your configuration 
 changes. Points at which configuration changes are  recommended are flagged 
@ -65,26 +66,26 @@ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
   .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you edit your configuration files on a Windows system, you must save
+        If you edit your configuration files on a Windows system, you must
-them as  Unix files if your editor supports that option or you must run them
+ save them as  Unix files if your editor supports that option or you must
-through  dos2unix before trying to use them. Similarly, if you copy a configuration
+run them through  dos2unix before trying to use them. Similarly, if you copy
-file  from your Windows hard drive to a floppy disk, you must run dos2unix
+a configuration file  from your Windows hard drive to a floppy disk, you
-against the  copy before using it with Shorewall.</p>
+must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
      <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
 of    dos2unix</a></li>
-   <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
+      <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
+<p>The configuration files for Shorewall are contained in the directory 
-- for simple setups, you will only need to deal with a few of  these as
+/etc/shorewall -- for simple setups, you will only need to deal with a few
-described in this guide.  After you have <a href="Install.htm">installed
+of  these as described in this guide.  After you have <a
-Shorewall</a>,  download the <a
+ href="Install.htm">installed Shorewall</a>,  download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
 un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall 
  (these files will replace files with the same name).</p>
@ -126,8 +127,9 @@ file.</p>
 in  terms of zones.</p>
 <ul>
-   <li>You express your default policy for connections from one zone to another
+      <li>You express your default policy for connections from one zone to
-   zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
+ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
     </a>file.</li>
      <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -140,8 +142,8 @@ matches the    request is applied. If that policy is REJECT or DROP
 request is first  checked against the rules in /etc/shorewall/common (the
 samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -211,17 +213,17 @@ the internet,  uncomment that line.</p>
 <ol>
      <li>allow all connection requests from your local network to the internet</li>
-   <li>drop (ignore) all connection requests from the internet to your firewall
+      <li>drop (ignore) all connection requests from the internet to your 
-   or local network</li>
+firewall     or local network</li>
-   <li>optionally accept all connection requests from the firewall to the
+      <li>optionally accept all connection requests from the firewall to
-   internet (if you uncomment the additional policy)</li>
+the     internet (if you uncomment the additional policy)</li>
      <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-    At this point, edit your /etc/shorewall/policy and make any changes that
+       At this point, edit your /etc/shorewall/policy and make any changes
-you  wish.</p>
+ that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -229,15 +231,15 @@ you  wish.</p>
 height="635">
   </p>
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a
+  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your
+a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
-External  Interface will also be <b>ppp0</b>. If you connect via ISDN, your
+your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
-external  interface will be <b>ippp0.</b></p>
+your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -252,19 +254,19 @@ a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-</b></u>Do not connect the internal and external interface  to the same hub
+   </b></u>Do not connect the internal and external interface  to the same
-or switch (even for testing). It won't work the way that you think that it
+ hub or switch (even for testing). It won't work the way that you think that
-will and you will end up confused and  believing that Shorewall doesn't work
+ it will and you will end up confused and  believing that Shorewall doesn't
-at all.</p>
+ work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
-    The Shorewall two-interface sample configuration assumes that  the external
+       The Shorewall two-interface sample configuration assumes that  the 
-interface is <b>eth0</b> and the internal interface is <b>eth1</b>.  If your
+external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>. 
-configuration is different, you will have to modify the sample  <a
+ If your  configuration is different, you will have to modify the sample 
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file accordingly.
+<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file 
-While you are there, you may wish to  review the list of options that are
+accordingly.  While you are there, you may wish to  review the list of options 
-specified for the interfaces. Some hints:</p>
+that are  specified for the interfaces. Some hints:</p>
 <ul>
      <li>                  
@ -276,6 +278,7 @@ you can replace the    "detect" in the second column with "-".   </p>
 or if you have a static IP    address, you can remove "dhcp" from the option 
 list. </p>
     </li>
 </ul>
 <h2 align="left">IP Addresses</h2>
@ -284,14 +287,14 @@ list. </p>
  Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
 <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
 Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
- when you dial in (standard modem) or establish your PPP connection. In rare
+  when you dial in (standard modem) or establish your PPP connection. In
- cases, your ISP may assign you a<i> static</i> IP address; that means that
+rare   cases, your ISP may assign you a<i> static</i> IP address; that means
-you  configure your firewall's external interface to use that address permanently.<i> 
+that  you  configure your firewall's external interface to use that address
-</i>However your external address is assigned, it will be shared by all of
+permanently.<i>  </i>However your external address is assigned, it will be
-your systems when you access the  Internet. You will have to assign your
+shared by all of your systems when you access the  Internet. You will have
-own addresses in your  internal network (the Internal Interface on your firewall
+to assign your  own addresses in your  internal network (the Internal Interface
-plus your other  computers). RFC 1918 reserves several <i>Private </i>IP
+on your firewall  plus your other  computers). RFC 1918 reserves several
-address ranges for this  purpose:</p>
+<i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -300,9 +303,10 @@ address ranges for this  purpose:</p>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-       Before starting Shorewall, you should look at the IP address of your
+          Before starting Shorewall, you should look at the IP address of 
-external    interface and if it is one of the above ranges, you should remove
+your  external    interface and if it is one of the above ranges, you should 
-the    'norfc1918' option from the external interface's entry in    /etc/shorewall/interfaces.</p>
+remove  the    'norfc1918' option from the external interface's entry in 
  /etc/shorewall/interfaces.</p>
   </div>
 <div align="left">      
@ -312,7 +316,7 @@ the    'norfc1918' option from the external interface's entry in    /etc/shorewa
 will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
 reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as the
 <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
-using   <a href="subnet_masks.htm"> <i>Variable-Length    Subnet Mask </i>(VLSM)
+ using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
 notation</a> with consists of the subnet address followed    by "/24". The
 "24" refers to the number of    consecutive leading "1" bits from the left
 of the subnet mask. </p>
@ -340,7 +344,7 @@ of the subnet mask. </p>
            <td>10.10.10.255</td>
          </tr>
          <tr>
-         <td><b>VLSM Notation:</b></td>
+            <td><b>CIDR Notation:</b></td>
            <td>10.10.10.0/24</td>
          </tr>
@ -358,8 +362,8 @@ or the    last usable address (10.10.10.254).</p>
 <div align="left">      
 <p align="left">One of the purposes of subnetting is to allow all computers 
 in the    subnet to understand which other computers can be communicated 
-with directly.    To communicate with systems outside of the subnetwork,
+with directly.    To communicate with systems outside of the subnetwork, systems
-systems send packets    through a<i>  gateway</i>  (router).</p>
+send packets    through a<i>  gateway</i>  (router).</p>
   </div>
 <div align="left">      
@ -402,10 +406,10 @@ can't address its response to  computer 1). When the firewall receives a
 return packet, it  rewrites the destination address  back to 10.10.10.1 and
 forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
 <ul>
      <li>                  
@ -418,6 +422,7 @@ with  Netfilter:</p>
 the    source address that you want outbound packets from your local network 
 to use.    </p>
     </li>
 </ul>
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with 
@ -450,8 +455,8 @@ the firewall automatically  performs SNAT to rewrite the source address in
 the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-Destination Network Address Translation</i> (DNAT). You configure port  forwarding
+  Destination Network Address Translation</i> (DNAT). You configure port
-using DNAT rules in the /etc/shorewall/rules file.</p>
+ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
 is:</p>
@ -472,7 +477,8 @@ is:</p>
        <tr>
          <td>DNAT</td>
          <td>net</td>
-       <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
+          <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
 port&gt;</i>]</td>
          <td><i>&lt;protocol&gt;</i></td>
          <td><i>&lt;port&gt;</i></td>
          <td> </td>
@ -516,14 +522,14 @@ is:</p>
 <p>A couple of important points  to keep in mind:</p>
 <ul>
-   <li>You must test the above rule from a client outside of your local network
+      <li>You must test the above rule from a client outside of your local
-   (i.e., don't test from a browser running on computers 1 or 2 or on the
+ network    (i.e., don't test from a browser running on computers 1 or 2
-   firewall). If you want to be able to access your web server using the
+or  on the    firewall). If you want to be able to access your web server
-IP    address of your external interface, see <a href="FAQ.htm#faq2">Shorewall
+using  the IP    address of your external interface, see <a
-FAQ    #2</a>.</li>
+ href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-   <li>Many ISPs block incoming connection requests to port 80. If you have
+      <li>Many ISPs block incoming connection requests to port 80. If you 
-   problems connecting to your web server, try the following rule and try
+have     problems connecting to your web server, try the following rule and 
-   connecting to port 5000.</li>
+try     connecting to port 5000.</li>
 </ul>
@ -555,8 +561,8 @@ FAQ    #2</a>.</li>
    </blockquote>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
-    At this point, modify  /etc/shorewall/rules to add any DNAT rules that
+       At this point, modify  /etc/shorewall/rules to add any DNAT rules
-you require.</p>
+that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
@ -592,6 +598,7 @@ this approach, you configure your internal systems to use the firewall
 to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
      </p>
     </li>
 </ul>
 <blockquote>            
@ -803,8 +810,8 @@ and    connect to that server from your local systems.</p>
   </div>
 <div align="left">      
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
   </div>
 <div align="left">      
@ -845,8 +852,8 @@ shell    access to your firewall from the internet, use SSH:</p>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-    Now edit your    /etc/shorewall/rules file to add or delete other connections
+       Now edit your    /etc/shorewall/rules file to add or delete other
-as required.</p>
+connections  as required.</p>
   </div>
 <div align="left">      
@ -854,8 +861,19 @@ as required.</p>
    </div>
 <div align="left">      
-<p align="left">The <a href="Install.htm">installation procedure </a>   configures
+<p align="left">          <img border="0" src="images/BD21298_2.gif"
-your system to start Shorewall at system boot.</p>
+ width="13" height="13" alt="Arrow">
      The <a href="Install.htm">installation procedure </a>   configures
 your system to start Shorewall at system boot  but beginning with Shorewall
 version 1.3.9 startup is disabled so that your system won't try to start
 Shorewall before configuration is complete. Once you have completed configuration
 of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
   </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
 color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
 and set 'startup=1'.</font><br>
  </p>
    </div>
 <div align="left">      
@ -871,10 +889,10 @@ If    you want to totally remove any trace of Shorewall from your Netfilter
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-    The two-interface sample assumes that you want to enable    routing to/from
+       The two-interface sample assumes that you want to enable    routing
-<b>eth1 </b>(the local network) when Shorewall is stopped. If    your local
+ to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If  
-network isn't connected to <b>eth1</b> or if you wish to enable    access
+ your local network isn't connected to <b>eth1</b> or if you wish to enable
-to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
+   access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
   </div>
 <div align="left">      
@ -888,11 +906,14 @@ and    test it using the <a href="Documentation.htm#Starting">"shorewall
 try" command</a>.</p>
   </div>
-<p align="left"><font size="2">Last updated 9/16/2002 - <a
+<p align="left"><font size="2">Last updated 9/26/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
 M. Eastep</font></a></p>
     <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@ -2,43 +2,55 @@
 <html>
 <head>
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Upgrade Issues</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
- <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+    
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
     <tbody>
     <tr>
       <td width="100%">             
-     <h1 align="center"><font color="#FFFFFF">Upgrade Issues</font></h1>
+      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
       </td>
     </tr>
  </tbody> 
 </table>
-                              <p>For upgrade instructions see the
+<p>For upgrade instructions see the                               <a
-                              <a href="Install.htm">Install/Upgrade page</a>.</p>
+ href="Install.htm">Install/Upgrade page</a>.</p>
 <h3>Version &gt;= 1.3.8</h3>
 <p>If you have a pair of firewall systems configured for            failover 
 or if you have asymmetric routing, you will need to modify               
                your firewall setup slightly under Shorewall            
                   versions &gt;= 1.3.8. Beginning with version 1.3.7,   
                            you must set NEWNOTSYN=Yes in your          
                     /etc/shorewall/shorewall.conf file.</p>
 <h3>Version &gt;= 1.3.7</h3>
-                              <p>Users specifying ALLOWRELATED=No in 
+<p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf 
-                              /etc/shorewall.conf will need to include the 
+will need to include the                                following rules in 
-                              following rules in their /etc/shorewall/icmpdef 
+their /etc/shorewall/icmpdef                                file (creating 
-                              file (creating this file if necessary):</p>
+this file if necessary):</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
 <p>Users having an /etc/shorewall/icmpdef file may remove the ".   /etc/shorewall/icmp.def" 
 command from that file since the icmp.def file is now   empty.</p>
                              <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
 <p>Users having an /etc/shorewall/icmpdef file may remove the &quot;. 
 /etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now 
 empty.</p>
 <h3><b><a name="Bering">Upgrading </a>Bering to                          
     Shorewall &gt;= 1.3.3</b></h3>
@ -46,100 +58,108 @@
   1.3.3 and later:</p>
 <ol>
-                                <li>Be sure you have a backup -- you will need 
+                                  <li>Be sure you have a backup -- you will 
-                                to transcribe any Shorewall configuration 
+need                                  to transcribe any Shorewall configuration 
                                 changes that you have made to the new   
                              configuration.</li>
-                                <li>Replace the shorwall.lrp package provided on 
+                                  <li>Replace the shorwall.lrp package provided 
-                                the Bering floppy with the later one. If you did 
+on                                  the Bering floppy with the later one. 
-                                not obtain the later version from Jacques's 
+If you did                                  not obtain the later version from
-                                site, see additional instructions below.</li>
+Jacques's                                  site, see additional instructions 
 below.</li>
                                  <li>Edit the /var/lib/lrpkg/root.exclude.list 
-                                file and remove the /var/lib/shorewall entry if 
+                                 file and remove the /var/lib/shorewall entry 
-                                present. Then do not forget to backup root.lrp !</li>
+if                                  present. Then do not forget to backup 
 root.lrp !</li>
 </ol>
 <p>The .lrp that I release isn't set up for a two-interface firewall like 
- Jacques's. You need to follow the <a href="two-interface.htm">instructions for 
+  Jacques's. You need to follow the <a href="two-interface.htm">instructions 
- setting up a two-interface firewall</a> plus you also need to add the following 
+for   setting up a two-interface firewall</a> plus you also need to add the 
- two Bering-specific rules to /etc/shorewall/rules:</p>
+following   two Bering-specific rules to /etc/shorewall/rules:</p>
 <blockquote>       
-   <pre># Bering specific rules:
+  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
 # allow loc to fw udp/53 for dnscache to work
 # allow loc to fw tcp/80 for weblet to work
 #
 ACCEPT loc fw udp 53
 ACCEPT loc fw tcp 80</pre>
   </blockquote>
-          <h3 align="Left">Version &gt;= 1.3.6</h3>
+<h3 align="left">Version  1.3.6 and 1.3.7</h3>
-          <p align="Left">If you have a pair of firewall systems configured for 
+<p align="left">If you have a pair of firewall systems configured for    
-          failover, you will need to modify your firewall setup slightly under 
+       failover or if you have asymmetric routing, you will need to modify 
-          Shorewall versions &gt;= 1.3.6. </p>
+           your firewall setup slightly under Shorewall versions 1.3.6 and 
 1.3.7</p>
 <ol>
              <li>                                 
-                
+    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
          <p align="Left">Create the file /etc/shorewall/newnotsyn and in it add 
           the following rule<br>
            <br>
-          <font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the 
+            <font face="Courier">run_iptables -A newnotsyn -j RETURN # So 
-          connection tracking table can be rebuilt<br>
+that the            connection tracking table can be rebuilt<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
+                                                 # from non-SYN packets after 
-          # from non-SYN packets after takeover.<br>
+takeover.<br>
-&nbsp;</font></li>
+   </font>  </p>
   </li>
   <li>                                 
-                
+    <p align="left">Create /etc/shorewall/common (if you don't already   
          <p align="Left">Create /etc/shorewall/common (if you don't already 
        have that file) and include the following:<br>
            <br>
            <font face="Courier">run_iptables -A common -p tcp --tcp-flags 
           ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
+                                                                        
        #tracking table. <br>
-          . /etc/shorewall/common.def</font></li>
+            . /etc/shorewall/common.def</font> </p>
   </li>
 </ol>
-          <h3 align="Left">Versions &gt;= 1.3.5</h3>
+<h3 align="left">Versions &gt;= 1.3.5</h3>
-          <p align="Left">Some forms of pre-1.3.0 rules file syntax are no 
+<p align="left">Some forms of pre-1.3.0 rules file syntax are no         
  longer supported. </p>
-          <p align="Left">Example 1:</p>
+<p align="left">Example 1:</p>
 <div align="left">              
 <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
   </div>
-          <p align="Left">Must be replaced with:</p>
+<p align="left">Must be replaced with:</p>
 <div align="left">              
 <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
   </div>
 <div align="left">     
-   <p align="left">Example 2:</div>
+<p align="left">Example 2:</p>
 </div>
 <div align="left">     
 <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
   </div>
 <div align="left">     
-   <p align="left">Must be replaced with:</div>
+<p align="left">Must be replaced with:</p>
 </div>
 <div align="left">     
 <pre>	REDIRECT	loc	3128	tcp	80</pre>
   </div>
-          <h3 align="Left">Version &gt;= 1.3.2</h3>
+<h3 align="left">Version &gt;= 1.3.2</h3>
-          <p align="Left">The functions and versions files together with the 
+<p align="left">The functions and versions files together with the       
    'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
           If you have applications that access these files, those applications 
           should be modified accordingly.</p>
- <p><font size="2">
+<p><font size="2">  Last updated 9/28/2002 -                             
 Last updated 9/13/2002 -
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+   <br>
 <br>
 </body>
 </html>