Shorewall-1.4.6b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@684 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-08-05 18:38:21 +00:00 · 2003-08-05 18:38:21 +00:00 · 1f72beecc8
commit 1f72beecc8
parent b2729de062
33 changed files with 14457 additions and 13546 deletions
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -56,3 +56,7 @@ Changes since 1.4.5
    MANGLE_ENABLED is set before it is tested.
 24. Fixed MAC address handling in the SOURCE column of tcrules.
 25. Disabled 'stop' command when startup is disabled.
 26. Fixed adding addresses to ppp interfaces.
--- a/STABLE/documentation/Documentation.htm
+++ b/STABLE/documentation/Documentation.htm
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/Shorewall_Squid_Usage.html
+++ b/STABLE/documentation/Shorewall_Squid_Usage.html
@ -48,18 +48,18 @@
 height="13">
               &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
   to  run   as  a transparent proxy  as described at <a
- href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
+ href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
               <b><br>
               </b><b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
-              &nbsp;&nbsp;&nbsp; </b>The following instructions mention the 
+               &nbsp;&nbsp;&nbsp; </b>The following instructions mention
- files   /etc/shorewall/start   and /etc/shorewall/init -- if you don't have 
+the   files   /etc/shorewall/start   and /etc/shorewall/init -- if you don't
- those   files, siimply create  them.<br>
+have   those   files, siimply create  them.<br>
               <br>
               <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
                </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
-zone   or  in  the  local zone, that zone must be defined ONLY by its interface
+ zone   or  in  the  local zone, that zone must be defined ONLY by its interface 
  -- no  /etc/shorewall/hosts   file entries. That is because the packets 
 being   routed  to the Squid server   still have their original destination 
 IP addresses.<br>
@ -67,7 +67,7 @@ IP addresses.<br>
               <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
                </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
-your   Squid    server.<br>
+ your   Squid    server.<br>
               <br>
               <b><img src="images/BD21298_3.gif" alt="" width="13"
 height="13">
@ -83,8 +83,8 @@ your   Squid    server.<br>
               Three different configurations are covered:<br>
 <ol>
-                <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running 
+                 <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
-   on  the  Firewall.</a></li>
+running     on  the  Firewall.</a></li>
                 <li><a href="Shorewall_Squid_Usage.html#Local">Squid running 
  in  the  local  network</a></li>
                 <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running 
@ -93,12 +93,13 @@ your   Squid    server.<br>
 </ol>
 <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
-                 You want to redirect all local www connection requests EXCEPT
+                  You want to redirect all local www connection requests
-                                                       those to your    
+EXCEPT                                                        those to your
-own       http server                                                  (206.124.146.177)
+    own       http server                                               
-                to a Squid                                              
+  (206.124.146.177)                 to a Squid                          
-   transparent            proxy  running on the firewall and listening on
+                       transparent            proxy  running on the firewall
-port  3128. Squid      will     of course  require access to remote web servers.<br>
+and listening on port  3128. Squid      will     of course  require access
 to remote web servers.<br>
                 <br>
                 In /etc/shorewall/rules:<br>
                 <br>
@ -144,24 +145,24 @@ port  3128. Squid      will     of course  require access to remote web servers.
  </table>
                                   <br>
                 </blockquote>
-           There may be a requirement to exclude additional destination hosts 
+            There may be a requirement to exclude additional destination
-  or networks from being redirected. For example, you might also want requests 
+hosts    or networks from being redirected. For example, you might also want
-  destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
+requests    destined for 130.252.100.0/24 to not be routed to Squid. In that
-  must add a manual rule in /etc/shorewall/start:<br>
+case, you   must add a manual rule in /etc/shorewall/start:<br>
 <blockquote>                  
  <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
      </blockquote>
-     &nbsp;To exclude additional hosts or networks, just add additional similar 
+      &nbsp;To exclude additional hosts or networks, just add additional
-  rules.<br>
+similar    rules.<br>
 <h2><a name="Local"></a>Squid Running in the local network</h2>
                  You want to redirect all local www connection requests
-to  a  Squid                                                    transparent 
+ to  a  Squid                                                    transparent
-      proxy   running   in your local zone at 192.168.1.3 and listening on 
+       proxy   running   in your local zone at 192.168.1.3 and listening
-port   3128.    Your local  interface is eth1. There may also be a web server 
+on  port   3128.    Your local  interface is eth1. There may also be a web
-running  on   192.168.1.3. It is assumed that web access is already enabled 
+server  running  on   192.168.1.3. It is assumed that web access is already
-from the  local   zone to the internet.<br>
+enabled  from the  local   zone to the internet.<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with 
        other aspects of your gateway including but not limited to traffic 
@ -255,6 +256,7 @@ from the  local   zone to the internet.<br>
                        </td>
                                           </tr>
      </tbody>                                                  
    </table>
                  </li>
@ -304,7 +306,7 @@ from the  local   zone to the internet.<br>
 <ul>
                  <li>On 192.168.1.3, arrange for the following command to
-be  executed     after   networking has come up<br>
+ be  executed     after   networking has come up<br>
    <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
                    </li>
@ -312,8 +314,7 @@ be  executed     after   networking has come up<br>
 </ul>
 <blockquote>  If you are running RedHat on the server, you can simply execute 
-       the following  commands after you have typed the iptables command
+       the following  commands after you have typed the iptables command above:<br>
 above:<br>
                  </blockquote>
 <blockquote>                           
@ -402,8 +403,8 @@ above:<br>
      </tbody>                                             
    </table>
              </blockquote>
-           C) Run Shorewall 1.3.14 or later and add the following entry in
+            C) Run Shorewall 1.3.14 or later and add the following entry
- /etc/shorewall/tcrules:<br>
+in  /etc/shorewall/tcrules:<br>
            </blockquote>
 <blockquote>                           
@ -511,7 +512,7 @@ above:<br>
 <ul>
                   <li>On 192.0.2.177 (your Web/Squid server), arrange for
-the   following     command to be executed after  networking has come up<br>
+ the   following     command to be executed after  networking has come up<br>
    <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
                    </li>
@ -519,8 +520,7 @@ the   following     command to be executed after  networking has come up<br>
 </ul>
 <blockquote>  If you are running RedHat on the server, you can simply execute 
-       the following  commands after you have typed the iptables command
+       the following  commands after you have typed the iptables command above:<br>
 above:<br>
                  </blockquote>
 <blockquote>                           
@ -532,13 +532,10 @@ above:<br>
 <blockquote>  </blockquote>
-<p><font size="-1">   Updated 7/18/2003 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="-1">   Updated 8/4/2003 - <a href="support.htm">Tom  Eastep</a> 
                 </font></p>
         <a href="copyright.htm"><font size="2">Copyright</font>        
  &copy;    <font size="2">2003 Thomas M. Eastep.</font></a><br>
    <br>
   <br>
   <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
+++ b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
@ -27,20 +27,21 @@
 <h2>Background</h2>
          The traditional net-tools contain a program called <i>ifconfig</i>
- which    is used to configure network devices. ifconfig introduced the concept
+  which    is used to configure network devices. ifconfig introduced the
- of   <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
+concept   of   <i>aliased </i>or <i>virtual </i>interfaces. These virtual
- have   names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0)
+interfaces   have   names of the form <i>interface</i>:<i>integer </i>(e.g.,
-and  ifconfig   treats them more or less like real interfaces.<br>
+eth0:0) and  ifconfig   treats them more or less like real interfaces.<br>
          <br>
          Example:<br>
 <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55<br>          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0<br>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>          Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
         The ifconfig utility is being gradually phased out in favor of the 
-<i>ip</i>    utility which is part of the <i>iproute </i>package. The ip utility
+ <i>ip</i>    utility which is part of the <i>iproute </i>package. The ip 
-does   not use the concept of aliases or virtual interfaces but rather treats
+utility does   not use the concept of aliases or virtual interfaces but rather 
-additional    addresses on an interface as objects. The ip utility does provide
+treats additional    addresses on an interface as objects in their own right.
-for interaction   with ifconfig in that it allows addresses to be <i>labeled
+The ip utility does provide for interaction   with ifconfig in that it allows
-</i>and labels  may take the form of ipconfig virtual interfaces.<br>
+addresses to be <i>labeled </i>where these labels take the form of ipconfig
 virtual interfaces.<br>
          <br>
          Example:<br>
          <br>
@ -51,18 +52,35 @@ for interaction   with ifconfig in that it allows addresses to be <i>labeled
 <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
          The iptables program doesn't support virtual interfaces in either 
-it's   "-i"  or "-o" command options; as a consequence, Shorewall does not 
+ it's   "-i"  or "-o" command options; as a consequence, Shorewall does not 
-allow   them to be used in the /etc/shorewall/interfaces file.<br>
+ allow   them to be used in the /etc/shorewall/interfaces file or anywhere
-        <br>
+else except as described in the discussion below. <br>
 <br>
 <h2>Adding Addresses to Interfaces</h2>
 Shorewall provides facilities for automatically adding addresses to interfaces
 as described in the following section. It is also easy to add them yourself
 using the <b>ip</b> utility. The above alias was added using:<br>
 <blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd 206.124.146.255
 dev eth0 label eth0:0</font></b><br>
 </blockquote>
 You probably want to arrange to add these addresses when the device is started
 rather than placing commands like the above in one of the Shorewall extension
 scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:<br>
 <br>
 <blockquote>
  <pre>#!/bin/sh<br><br>case $1 in<br>    eth0)<br>	/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br>	;;<br>esac&nbsp;<br></pre>
 </blockquote>
 RedHat systems also allow adding such aliases from the network administration
 GUI (which works well if you have a graphical environment on your firewall).<br>
 <h2>So how do I handle more than one address on an interface?</h2>
          The answer depends on what you are trying to do with the interfaces.
   In the sub-sections   that follow, we'll take a look at common scenarios.<br>
 <h3>Separate Rules</h3>
         If you need to make a rule for traffic to/from the firewall itself 
-that  only  applies to a particular IP address, simply qualify the $FW zone 
+ that  only  applies to a particular IP address, simply qualify the $FW zone 
-with  the IP  address.<br>
+ with  the IP  address.<br>
         <br>
         Example (allow SSH from net to eth0:0 above):<br>
         <br>
@ -91,7 +109,7 @@ with  the IP  address.<br>
                  </td>
                  <td valign="top">net<br>
                  </td>
-                <td valign="top">fw:206.124.146.178<br>
+                  <td valign="top">$FW:206.124.146.178<br>
                  </td>
                  <td valign="top">tcp<br>
                  </td>
@ -109,9 +127,9 @@ with  the IP  address.<br>
         </blockquote>
 <h3>DNAT</h3>
-        Suppose that I had set up eth0:0 as above and I wanted to port forward
+          Suppose that I had set up eth0:0 as above and I wanted to port
-   from  that virtual interface to a web server running in my local zone
+forward     from  that virtual interface to a web server running in my local
-at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
+zone at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
   file:<br>
          <br>
@ -185,8 +203,8 @@ at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/ru
  </table>
            <br>
          </blockquote>
-        Shorewall can create the alias (additional address) for you if you
+          Shorewall can create the alias (additional address) for you if
- set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
+you   set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
 with  Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
 interface)  so   that you can see the  created address using ifconfig. In
 addition to  setting   ADD_SNAT_ALIASES=Yes,  you specify the virtual interface
@ -216,10 +234,10 @@ name in  the INTERFACE   column as follows:<br>
  </table>
             </blockquote>
   Shorewall can also set up SNAT to round-robin over a range of IP addresses. 
-Do do that, you specify a range of IP addresses in the ADDRESS column. If 
+ Do do that, you specify a range of IP addresses in the ADDRESS column. If 
-you specify a label in the INTERFACE column, Shorewall will use that label 
+ you specify a label in the INTERFACE column, Shorewall will use that label 
-for the first address of the range and will increment the label by one for 
+ for the first address of the range and will increment the label by one for 
-each subsequent label.<br>
+ each subsequent label.<br>
   <br>
 <blockquote>                  
@ -253,7 +271,7 @@ each subsequent label.<br>
 <h3>STATIC NAT</h3>
          If you wanted to use static NAT to link eth0:0 with local address 
-192.168.1.3,    you would have the following in /etc/shorewall/nat:<br>
+ 192.168.1.3,    you would have the following in /etc/shorewall/nat:<br>
          <br>
 <blockquote>                  
@ -288,9 +306,9 @@ each subsequent label.<br>
  </table>
            <br>
          </blockquote>
-        Shorewall can create the alias (additional address) for you if you
+          Shorewall can create the alias (additional address) for you if
- set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning with
+you   set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
- Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
+with   Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
 interface)  so   that you can see the  created address using ifconfig. In
 addition to  setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface
 name in the INTERFACE   column as follows:<br>
@ -491,8 +509,8 @@ and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
  </table>
            <br>
          </blockquote>
-        Note 1: If you are running Shorewall 1.3.10 or earlier then you must
+          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
-  specify   the <b>multi</b> option.<br>
+must   specify   the <b>multi</b> option.<br>
          <br>
          In /etc/shorewall/policy:<br>
          <br>
@ -530,7 +548,7 @@ and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
            <br>
          </blockquote>
          Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
-192.168.20.0/24.     The primary IP address of eth1 is 192.168.1.254 and
+ 192.168.20.0/24.     The primary IP address of eth1 is 192.168.1.254 and
 eth1:0 is 192.168.20.254.     You want to make these subnetworks into separate
 zones and control the  access  between them (the users of the systems do
 not have administrative  privileges).<br>
@ -601,8 +619,8 @@ not have administrative  privileges).<br>
  </table>
           <br>
          </blockquote>
-        Note 1: If you are running Shorewall 1.3.10 or earlier then you must
+          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
-  specify   the <b>multi</b> option.<br>
+must   specify   the <b>multi</b> option.<br>
          <br>
          In /etc/shorewall/hosts:<br>
@ -642,7 +660,7 @@ not have administrative  privileges).<br>
   that   you want to permit.<br>
          <br>
-<p align="left"><font size="2">Last Updated 6/22/2003 A - <a
+<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -2,18 +2,23 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                                     <base
+                                                                        
- target="main">                                                       
+              <base target="main">                                      
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -24,10 +29,16 @@
                                                            <tbody>
                                                             <tr>
                                                              <td
- width="100%" height="90">                                               
+ width="100%" height="90" align="center">                     
      <div align="center">                                               
                  </div>
         <a href="http://www.shorewall.net" target="_top"><img
 border="0" src="images/ProtectedBy.png" width="200" height="42"
 hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
-      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
+                 </a><br>
                                                             <br>
         </td>
                                                            </tr>
                                                            <tr>
@ -35,6 +46,8 @@
 width="100%" bgcolor="#ffffff">                                         
      <ul>
                                                                <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
@ -71,36 +84,17 @@
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
                                                                <li> <a
 href="support.htm">Getting   help or Answers to Questions</a></li>
-                       <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
+                           <li><a href="http://lists.shorewall.net">Mailing 
- href="http://lists.shorewall.net"> </a><br>
+ Lists</a><a href="http://lists.shorewall.net"> </a><br>
                           </li>
     <li><a href="shorewall_mirrors.htm">Mirrors</a>                     
          <ul>
                                                              <li><a
 target="_top" href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                                                              <li><a
 target="_top" href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                                                              <li><a
 target="_top" href="http://germany.shorewall.net">Germany</a></li>
-                                        <li><a target="_top"
+          <ul>
- href="http://france.shorewall.net">France</a></li>
+                                                                        
                          <li><a href="http://shorewall.syachile.cl"
 target="_top">Chile</a></li>
                         <li><a href="http://shorewall.greshko.com"
 target="_top">Taiwan</a></li>
                 <li><a href="http://argentina.shorewall.net"
 target="_top">Argentina</a></li>
              <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">Brazil</a><br>
              </li>
                                                  <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
                                                  </li>
@ -110,13 +104,7 @@
-      </ul>
+                <li>   <a href="News.htm">News    Archive</a></li>
      <ul>
                                                            <li>   <a
 href="News.htm">News    Archive</a></li>
                                                                <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
                                                                <li> <a
@ -137,11 +125,14 @@
                                                              </td>
                                                            </tr>
  </tbody>                      
 </table>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
-</p>
+  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_sfindex_frame.htm
+++ b/STABLE/documentation/Shorewall_sfindex_frame.htm
@ -35,11 +35,17 @@
 width="100%" bgcolor="#ffffff">                                         
      <ul>
                                                            <li> <a
 href="seattlefirewall_index.htm">Home</a></li>
-                                                                   <li> <a
+                                                                    <li>
- href="shorewall_features.htm">Features</a></li>
+          <a href="shorewall_features.htm">Features</a></li>
            <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
     </li>
                                                            <li> <a
@ -73,47 +79,15 @@
 href="support.htm">Getting   help or Answers to Questions</a>           
       </li>
                                                 <li><a
- href="http://lists.shorewall.net">Mailing Lists</a> <br>
+ href="http://lists.shorewall.net">Mailing Lists</a></li>
-               </li>
+                                                                        
                                                <li><a
- href="shorewall_mirrors.htm">Mirrors</a>                               
+ href="shorewall_mirrors.htm">Mirrors</a></li>
          <ul>
                                                                <li><a
 target="_top" href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                                                             <li><a
 target="_top" href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                                                             <li><a
 target="_top" href="http://germany.shorewall.net">Germany</a></li>
                                      <li><a target="_top"
 href="http://france.shorewall.net">France</a></li>
                         <li><a href="http://shorewall.syachile.cl"
 target="_top">Chile</a></li>
                        <li><a href="http://shorewall.greshko.com"
 target="_top">Taiwan</a></li>
                 <li><a href="http://argentina.shorewall.net"
 target="_top">Argentina</a></li>
              <li><a href="http://shorewall.securityopensource.org.br"
 target="_top">Brazil</a><br>
   </li>
                                                 <li><a
 href="http://www.shorewall.net" target="_top">Washington    State, USA</a><br>
                                                 </li>
          </ul>
                                                           </li>
      </ul>
      <ul>
                                                           <li>   <a
 href="News.htm">News    Archive</a></li>
                                                            <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
@ -130,6 +104,7 @@
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
                                                          </td>
                                                        </tr>
@ -139,6 +114,7 @@
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
-</p>
+ </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/blacklisting_support.htm
+++ b/STABLE/documentation/blacklisting_support.htm
@ -31,7 +31,8 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration parameters:</p>
+<p>Shorewall static blacklisting support has the following configuration
 parameters:</p>
 <ul>
       <li>You specify whether you want packets from blacklisted hosts dropped
@ -42,15 +43,15 @@
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>     setting in
  /etc/shorewall/shorewall.conf</li>
       <li>You list the IP addresses/subnets that you wish to blacklist in
-    <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning 
+     <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
- with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service 
+Beginning   with Shorewall version 1.3.8, you may also specify PROTOCOL and
- names in the blacklist file.<br>
+Port numbers/Service   names in the blacklist file.<br>
      </li>
       <li>You specify the interfaces whose incoming packets you want checked
  against     the blacklist using the "<a
 href="Documentation.htm#Interfaces">blacklist</a>"     option in /etc/shorewall/interfaces.</li>
       <li>The black list is refreshed from /etc/shorewall/blacklist by the
-"<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
+ "<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
 </ul>
@ -61,19 +62,20 @@
  /sbin/shorewall commands:</p>
 <ul>
-      <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed 
+       <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
- IP    addresses to be silently dropped by the firewall.</li>
+listed   IP    addresses to be silently dropped by the firewall.</li>
       <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
-listed  IP    addresses to be rejected by the firewall.</li>
+ listed  IP    addresses to be rejected by the firewall.</li>
       <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
- from hosts    previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
+  from hosts    previously blacklisted by a <i>drop</i> or <i>reject</i>
-      <li>save - save the dynamic blacklisting configuration so that it will 
+command.</li>
- be    automatically restored the next time that the firewall is restarted.</li>
+       <li>save - save the dynamic blacklisting configuration so that it
 will   be    automatically restored the next time that the firewall is restarted.</li>
       <li>show dynamic - displays the dynamic blacklisting configuration.</li>
 </ul>
- Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in 
+  Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
-/etc/shorewall/interfaces.<br>
+in  /etc/shorewall/interfaces.<br>
 <p>Example 1:</p>
@ -87,7 +89,7 @@ listed  IP    addresses to be rejected by the firewall.</li>
 <p>    Reenables access from 192.0.2.125.</p>
-<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
   © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
@ -95,5 +97,6 @@ listed  IP    addresses to be rejected by the firewall.</li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -30,7 +30,7 @@
 <p><b>I strongly urge you to read and print a copy of the       <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>   
-for the configuration that most closely matches your own.<br>
+ for the configuration that most closely matches your own.<br>
                  </b></p>
 <p>The entire set of Shorewall documentation is available in PDF format at:</p>
@ -42,8 +42,8 @@ for the configuration that most closely matches your own.<br>
 href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> 
        </p>
-<p>The documentation in HTML format is included   in the .rpm and in the
+<p>The documentation in HTML format is included   in the .rpm and in the .tgz
-.tgz packages below.</p>
+packages below.</p>
 <p>  Once you've printed the appropriate QuickStart Guide, download <u> 
  one</u> of the modules:</p>
@ -54,7 +54,7 @@ for the configuration that most closely matches your own.<br>
         with   a  2.4   kernel,   you can use the  RPM version (note: the 
          RPM   should   also work  with other distributions that     store
    init  scripts in  /etc/init.d  and that             include chkconfig
-or   insserv).  If you find  that it works   in other cases, let <a
+ or   insserv).  If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
          I can mention them here. See the   <a href="Install.htm">Installation 
      Instructions</a>    if you have problems    installing the RPM.</li>
@ -63,7 +63,7 @@ or   insserv).  If you find  that it works   in other cases, let <a
 have a  copy of   the documentation).</li>
                              <li>If you run <a
 href="http://www.debian.org"><b>Debian</b></a>          and   would     
- like a .deb package, Shorewall is included in both    the     <a
+like a .deb package, Shorewall is included in both    the     <a
 href="http://packages.debian.org/testing/net/shorewall.html">Debian     
    Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian  Unstable
@ -89,9 +89,8 @@ have a  copy of   the documentation).</li>
 <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY        INSTALL 
      THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
-   IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed 
+  IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed  configuration
-configuration        of your firewall, you can enable startup by removing
+       of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
 the   file /etc/shorewall/startup_disabled.</b></font></p>
 <p><b></b></p>
@ -128,7 +127,7 @@ the   file /etc/shorewall/startup_disabled.</b></font></p>
                                  <td><a
 href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
                                  <td><a target="_blank"
- href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
+ href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td>
                                </tr>
                                <tr>
                                  <td>Hamburg, Germany</td>
@ -199,8 +198,8 @@ the   file /etc/shorewall/startup_disabled.</b></font></p>
  <p align="left">The <a target="_top"
 href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS  repository 
     at        cvs.shorewall.net</a> contains the latest snapshots of the 
-each      Shorewall        component. There's no guarantee that what you
+each      Shorewall        component. There's no guarantee that what you find
-find there     will work at    all.<br>
+there     will work at    all.<br>
      </p>
    </blockquote>
@ -216,7 +215,7 @@ find there     will work at    all.<br>
                      </p>
    </blockquote>
-<p align="left"><font size="2">Last Updated 7/15/2003 - <a
+<p align="left"><font size="2">Last Updated 8/4/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
@ -230,5 +229,6 @@ find there     will work at    all.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -24,6 +24,7 @@
                                       <tr>
                                         <td width="100%">              
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
                                         </td>
                                       </tr>
@ -45,31 +46,31 @@
                                                    </li>
                                       <li>                             
-    <p align="left">          <b>If you are installing Shorewall for the
+    <p align="left">          <b>If you are installing Shorewall for the first
-first time and plan to use the        .tgz and install.sh script, you can
+time and plan to use the        .tgz and install.sh script, you can untar
-untar the archive, replace the        'firewall' script in the untarred directory 
+the archive, replace the        'firewall' script in the untarred directory
                 with the one you downloaded        below, and then run install.sh.</b></p>
                                                    </li>
                                       <li>                             
    <p align="left">          <b>When the instructions say to install a corrected
-             firewall   script in        /usr/share/shorewall/firewall, you 
+               firewall   script in        /usr/share/shorewall/firewall,
-  may    rename the existing file before copying in the new file.</b></p>
+you    may    rename the existing file before copying in the new file.</b></p>
                               </li>
                               <li>                                     
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-            ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
+              ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
-      For    example,  do NOT install the 1.3.9a firewall script if you are
+ BELOW.       For    example,  do NOT install the 1.3.9a firewall script
-  running     1.3.7c.</font></b><br>
+if  you are   running     1.3.7c.</font></b><br>
                                           </p>
                               </li>
 </ol>
 <ul>
-                                    <li><b><a href="upgrade_issues.htm">Upgrade 
+                                       <li><b><a
-   Issues</a></b></li>
+ href="upgrade_issues.htm">Upgrade     Issues</a></b></li>
                  <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
                  </li>
                                       <li>                            <b><a
@ -82,16 +83,16 @@ untar the archive, replace the        'firewall' script in the untarred director
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3
           on RH7.2</a></font></b></li>
                                       <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
-RedHat iptables</a></b></li>
+iptables</a></b></li>
                                       <li><b><a href="#SuSE">Problems installing/upgrading
         RPM   on  SuSE</a></b></li>
                                       <li><b><a href="#Multiport">Problems 
-with   iptables     version     1.2.7    and       MULTIPORT=Yes</a></b></li>
+ with   iptables     version     1.2.7    and       MULTIPORT=Yes</a></b></li>
                                 <li><b><a href="#NAT">Problems with RH Kernel
   2.4.18-10      and   NAT</a></b></li>
       <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and 
-REJECT  (also applies to 2.4.21-RC1) <img src="images/new10.gif"
+ REJECT  (also applies to 2.4.21-RC1) <img src="images/new10.gif"
 alt="(New)" width="28" height="12" border="0">
         </a><br>
         </b></li>
@ -103,17 +104,49 @@ REJECT  (also applies to 2.4.21-RC1) <img src="images/new10.gif"
 <h3></h3>
 <h3>1.4.6</h3>
 <ul>
    <li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would
 fail to start with the error "ERROR:  Traffic Control requires Mangle";
 that  problem has been corrected in <a
 href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
 script</a> which may be installed in /var/share/shorewall/firewall as described
 above. This problem is also corrected in bugfix release 1.4.6a.</li>
   <li>This problem occurs in all versions supporting traffic control. If 
 a MAC address is used in the SOURCE column, an error occurs as follows:<br>
     <br>
      <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
     <br>
 For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
    <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
 firewall  script</a> which may be installed in /var/share/shorewall/firewall
 as described  above. For all other versions, you will have to edit your 'firewall'
 script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
 Locate the function add_tcrule_() and in that function, replace this line:<br>
     <br>
     r=`mac_match $source` <br>
     <br>
 with<br>
     <br>
      r="`mac_match $source` "<br>
     <br>
 Note that there must be a space before the ending quote!<br>
   </li>
 </ul>
 <h3>1.4.4b</h3>
 <ul>
-     <li>Shorewall is ignoring records in /etc/shorewall/routestopped that
+        <li>Shorewall is ignoring records in /etc/shorewall/routestopped
- have an empty second column (HOSTS). This problem may be corrected by installing
+that   have an empty second column (HOSTS). This problem may be corrected
-        <a
+by installing          <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
-as described above.</li>
+described above.</li>
      <li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
-file. This problem may be corrected by installing <a
+  file. This problem may be corrected by installing <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
 target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
      </li>
@ -123,13 +156,13 @@ file. This problem may be corrected by installing <a
 <h3>1.4.4-1.4.4a</h3>
 <ul>
-      <li>Log messages are being displayed on the system console even though
+         <li>Log messages are being displayed on the system console even
-  the log level for the console is set properly according to <a
+though    the log level for the console is set properly according to <a
 href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing 
         <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
-as described above.<br>
+described above.<br>
         </li>
 </ul>
@ -138,9 +171,9 @@ as described above.<br>
         </h3>
 <ul>
-       <li> If you have zone names that are 5 characters long, you may experience 
+          <li> If you have zone names that are 5 characters long, you may 
-  problems starting Shorewall because the --log-prefix in a logging rule is
+experience    problems starting Shorewall because the --log-prefix in a logging 
-  too long. Upgrade to Version 1.4.4a to fix this problem..</li>
+rule is   too long. Upgrade to Version 1.4.4a to fix this problem..</li>
 </ul>
@ -165,11 +198,11 @@ with fireparse    here at shorewall.net. The updated files may be found at
 <ul>
             <li>When an 'add' or 'delete' command is executed, a temporary 
-directory     created in /tmp is not being removed. This problem may be corrected
+ directory     created in /tmp is not being removed. This problem may be corrected
-by  installing       <a
+ by  installing       <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
-as described above. <br>
+described above. <br>
             </li>
 </ul>
@ -178,8 +211,8 @@ as described above. <br>
 <ul>
              <li>Some TCP requests are rejected in the 'common' chain with 
-an  ICMP   port-unreachable response rather than the more appropriate TCP
+ an  ICMP   port-unreachable response rather than the more appropriate TCP 
-RST  response.   This problem is corrected in <a
+ RST  response.   This problem is corrected in <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
 target="_top">this updated common.def file</a> which may be installed in
     /etc/shorewall/common.def.<br>
@ -191,7 +224,7 @@ RST  response.   This problem is corrected in <a
 <ul>
               <li>When a "shorewall check" command is executed, each "rule"
-produces     the harmless additional message:<br>
+  produces     the harmless additional message:<br>
                 <br>
                  /usr/share/shorewall/firewall: line 2174: [: =: unary operator
    expected<br>
@ -208,8 +241,8 @@ produces     the harmless additional message:<br>
 <ul>
                <li>When running under certain shells Shorewall will attempt
-to  create    ECN rules even when /etc/shorewall/ecn is empty. You may either
+  to  create    ECN rules even when /etc/shorewall/ecn is empty. You may
-  just remove    /etc/shorewall/ecn or you can install <a
+either    just remove    /etc/shorewall/ecn or you can install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
       correct script</a> in /usr/share/shorewall/firewall as described above.<br>
                </li>
@ -234,18 +267,18 @@ to  create    ECN rules even when /etc/shorewall/ecn is empty. You may either
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
                   corrected 1.2.3 rpm which you can download here</a>  and
-I  have     also     built            an <a
+  I  have     also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
+ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
                 running RedHat 7.1, you can install either of these RPMs
        <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
-               has   released an iptables-1.2.4 RPM of their own which you 
+                 has   released an iptables-1.2.4 RPM of their own which
- can    download         from<font color="#ff6633">   <a
+you    can    download         from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
-                  </font>I have installed this RPM   on my firewall and it 
+                    </font>I have installed this RPM   on my firewall and
- works      fine.</p>
+it   works      fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
                 the patches are available         for download. This <a
@ -264,14 +297,15 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  </ul>
                                               </blockquote>
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18               and
-and RedHat iptables</h3>
+RedHat iptables</h3>
 <blockquote>                                           
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
                 may     experience the following:</p>
  <blockquote>                                                          
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
                                       </blockquote>
@ -280,9 +314,10 @@ and RedHat iptables</h3>
         the     Netfilter 'mangle' table. You can correct the problem by
        installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-                   this iptables RPM</a>. If you are already running a 1.2.5 
+                     this iptables RPM</a>. If you are already running a
-   version        of       iptables, you will need to specify the --oldpackage 
+1.2.5      version        of       iptables, you will need to specify the
-   option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+--oldpackage      option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage
 iptables-1.2.5-1.i386.rpm").</p>
                                     </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
@ -302,14 +337,14 @@ and RedHat iptables</h3>
 <p>The iptables 1.2.7 release of iptables has made         an incompatible 
      change to the syntax used to            specify multiport match rules; 
   as   a consequence,                   if you install iptables 1.2.7 you 
-must   be  running                           Shorewall 1.3.7a or later or:</p>
+ must   be  running                           Shorewall 1.3.7a or later or:</p>
 <ul>
                                                                    <li>set 
-MULTIPORT=No       in                                   /etc/shorewall/shorewall.conf; 
+ MULTIPORT=No       in                                   /etc/shorewall/shorewall.conf;
-or     </li>
+  or     </li>
-                                                                 <li>if you 
+                                                                    <li>if
- are   running     Shorewall      1.3.6    you may                       
+ you   are   running     Shorewall      1.3.6    you may                
                 install                                    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
                        this firewall script</a> in /var/lib/shorewall/firewall
@ -319,8 +354,8 @@ or     </li>
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                                  </h3>
-                            /etc/shorewall/nat entries of the following form
+                               /etc/shorewall/nat entries of the following
-  will   result    in  Shorewall     being unable to start:<br>
+ form   will   result    in  Shorewall     being unable to start:<br>
                               <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -329,27 +364,28 @@ or     </li>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
                               The solution is to put "no" in the LOCAL column. 
   Kernel    support     for   LOCAL=yes   has never worked properly and 2.4.18-10
-  has    disabled  it.   The  2.4.19 kernel   contains corrected support under
+   has    disabled  it.   The  2.4.19 kernel   contains corrected support
-  a  new  kernel configuraiton    option; see <a
+under   a  new  kernel configuraiton    option; see <a
 href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
     <br>
-<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
+<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
-REJECT (also applies to 2.4.21-RC1)</b></h3>
+(also applies to 2.4.21-RC1)</b></h3>
     Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset" 
  is broken. The symptom most commonly seen is that REJECT rules act just 
 like  DROP rules when dealing with TCP. A kernel patch and precompiled modules 
-to fix this problem are available at <a
+ to fix this problem are available at <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
 <hr>                       
-<p><font size="2">  Last updated 6/13/2003 -   <a href="support.htm">Tom
+<p><font size="2">  Last updated 7/23/2003 -   <a href="support.htm">Tom Eastep</a></font>
-Eastep</a></font> </p>
+</p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/images/network.png
+++ b/STABLE/documentation/images/network.png
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -12,6 +12,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mailing Lists</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -42,6 +43,7 @@
                                       </td>
                         <td valign="middle" width="34%" align="center">
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
                         </td>
                         <td valign="middle" width="33%">               
@ -77,14 +79,14 @@
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
-<p align="left">You can report such problems by sending mail to tmeastep at
+<p align="left">You can report such problems by sending mail to tmeastep
-hotmail dot com.</p>
+at hotmail dot com.</p>
 <h2>A Word about the SPAM Filters at Shorewall.net <a
 href="http://osirusoft.com/"> </a></h2>
-<p>Please note that the mail server                     at shorewall.net checks
+<p>Please note that the mail server                     at shorewall.net
-incoming mail:<br>
+checks incoming mail:<br>
                             </p>
 <ol>
@ -102,30 +104,31 @@ an  A  or  MX  record    in  DNS.</li>
 </ol>
 <h2>Please post in plain text</h2>
-                      A growing number of MTAs serving list subscribers are 
+                       A growing number of MTAs serving list subscribers
- rejecting     all   HTML   traffic. At least one MTA has gone so far as to
+are   rejecting     all   HTML   traffic. At least one MTA has gone so far
- blacklist  shorewall.net     "for  continuous abuse" because it has been 
+as to  blacklist  shorewall.net     "for  continuous abuse" because it has
-my policy to  allow HTML in  list   posts!!<br>
+been  my policy to  allow HTML in  list   posts!!<br>
                       <br>
-                      I think that blocking all HTML is a Draconian way to
+                       I think that blocking all HTML is a Draconian way
- control     spam    and   that the ultimate losers here are not the spammers
+to  control     spam    and   that the ultimate losers here are not the spammers 
 but the    list subscribers      whose MTAs are bouncing all shorewall.net 
 mail. As   one list subscriber   wrote  to me privately "These e-mail admin's 
 need to  get a <i>(explitive   deleted)</i>  life instead of trying to rid 
 the planet  of HTML based e-mail".   Nevertheless,  to allow subscribers 
 to receive list   posts as must as possible,   I have now  configured the 
-list server at shorewall.net   to strip all HTML   from outgoing  posts.
+list server at shorewall.net   to strip all HTML   from outgoing  posts. This
-This means that  HTML-only posts   will be bounced by  the list server.<br>
+means that  HTML-only posts   will be bounced by  the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
                    </p>
 <h2>Other Mail Delivery Problems</h2>
-                    If you find that you are missing an occasional list post, 
+                     If you find that you are missing an occasional list
-  your   e-mail    admin  may be blocking mail whose <i>Received:</i> headers 
+post,    your   e-mail    admin  may be blocking mail whose <i>Received:</i>
-  contain   the names   of certain ISPs. Again, I believe that such policies 
+headers    contain   the names   of certain ISPs. Again, I believe that such
-  hurt more   than they  help but I'm not prepared to go so far as to start 
+policies    hurt more   than they  help but I'm not prepared to go so far
-  stripping <i>Received:</i>      headers to circumvent those policies.<br>
+as to start    stripping <i>Received:</i>      headers to circumvent those
 policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -138,11 +141,13 @@ This means that  HTML-only posts   will be bounced by  the list server.<br>
  <option value="boolean">Boolean </option>
  </select>
                                 Format:                                
  <select name="format">
  <option value="builtin-long">Long </option>
  <option value="builtin-short">Short </option>
  </select>
                                 Sort by:                                
  <select name="sort">
  <option value="score">Score </option>
  <option value="time">Time </option>
@ -159,9 +164,9 @@ This means that  HTML-only posts   will be bounced by  the list server.<br>
 name="words" value="">    <input type="submit" value="Search"> </p>
                                 </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the entire
+<h2 align="left"><font color="#ff0000">Please do not try to download the
-Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
+entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
-stand the traffic. If I catch you, you will be blacklisted.<br>
+won't stand the traffic. If I catch you, you will be blacklisted.<br>
                          </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
@ -170,8 +175,8 @@ stand the traffic. If I catch you, you will be blacklisted.<br>
 you  may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a> 
               in your browser. If you don't wish to trust my certificates 
 then     you    can    either use unencrypted access when subscribing to 
-Shorewall     mailing    lists    or you can use secure access (SSL) and
+Shorewall     mailing    lists    or you can use secure access (SSL) and accept
-accept the server's    certificate     when   prompted by your browser.<br>
+the server's    certificate     when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
@ -180,31 +185,16 @@ accept the server's    certificate     when   prompted by your browser.<br>
      of   general       interest to the Shorewall user community is also 
 posted      to  this list.</p>
-<p align="left"><b>Before posting a problem report to this list, please see
+<p align="left"><b>To post a problem report to this list or to subscribe
-                the <a href="http://www.shorewall.net/support.htm">problem
+to the list, please see                 the <a
- reporting      guidelines</a>.</b></p>
+ href="http://www.shorewall.net/support.htm">problem  reporting      guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list:<br>
                </p>
 <ul>
                  <li><b>Insecure: </b><a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
                  <li><b>SSL:</b> <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
 </ul>
 <p align="left">To post to the list, post to <a
 href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
-at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
-list may be found at <a
+may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
@ -269,10 +259,10 @@ list may be found at <a
    <p align="left">Down at the bottom of that page is the following text: 
                " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get 
-  a  password      reminder,         or change your subscription options
+  a  password      reminder,         or change your subscription options enter
-enter     your subscription              email address:". Enter your email
+    your subscription              email address:". Enter your email  address
- address       in the box and click      on the "<b>Unsubscribe</b> or edit
+      in the box and click      on the "<b>Unsubscribe</b> or edit options"
-options"   button.</p>
+  button.</p>
                                    </li>
                                    <li>                                
@ -289,13 +279,11 @@ options"   button.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 7/7/2003 - <a
+<p align="left"><font size="2">Last updated 8/1/2003 - <a
 href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
-<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  </p>
+</p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
--- a/STABLE/documentation/ports.htm
+++ b/STABLE/documentation/ports.htm
@ -18,6 +18,7 @@
               <tbody>
                <tr>
                 <td width="100%">                                      
      <h1 align="center"><font color="#ffffff">Ports required for Various
      Services/Applications</font></h1>
                 </td>
@ -28,8 +29,8 @@
 <p>In addition to those applications described in <a
 href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
-    are some other services/applications that you may need to configure your 
+      are some other services/applications that you may need to configure
-   firewall to accommodate.</p>
+your     firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
@ -52,11 +53,12 @@
 <p>DNS</p>
 <blockquote>                        
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably want
+  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-to   open TCP Port 53 as well.<br>
+want to   open TCP Port 53 as well.<br>
-            If you are configuring a server, only open TCP Port 53 if you 
+               If you are configuring a server, only open TCP Port 53 if
-will   return  long   replies to queries or if you need to enable ZONE transfers. In 
+you   will   return  long   replies to queries or if you need to enable ZONE
-  the  latter   case, be sure that your server is properly configured.</p>
+transfers. In     the  latter   case, be sure that your server is properly
 configured.</p>
             </blockquote>
 <p>ICQ   </p>
@ -100,11 +102,13 @@ will   return  long   replies to queries or if you need to enable ZONE transfers
 <blockquote>                        
  <p>TCP Port 110 (Secure = TCP Port 995)<br>
     </p>
-</blockquote>
+   </blockquote>
 <p>IMAP<br>
-</p>
+   </p>
 <blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
-</blockquote>
+   </blockquote>
 <p>TELNET</p>
@ -130,61 +134,13 @@ will   return  long   replies to queries or if you need to enable ZONE transfers
  <p>TCP Ports 80 and 443.</p>
             </blockquote>
-<p>FTP</p>
+<p>FTP<br>
  </p>
 <blockquote>      
-  <p>Server configuration is covered on in <a
+  <p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
 href="Documentation.htm#Rules">the   /etc/shorewall/rules documentation</a>,</p>
  <p>For a client, you must open outbound TCP port 21 and be sure that your 
      kernel is compiled to support FTP connection tracking. If you build 
 this      support as a module, Shorewall will automatically load the module 
 from     /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
  </p>
-                    
+</blockquote>
  <p>If you run an FTP server on a nonstandard port or you need to access 
   such a server, then you must specify that port in /etc/shorewall/modules. 
   For example, if you run an FTP server that listens on port 49 then you 
 would   have:<br>
           </p>
  <blockquote>                         
    <p>loadmodule ip_conntrack_ftp ports=21,49<br>
         loadmodule ip_nat_ftp ports=21,49<br>
             </p>
           </blockquote>
  <p>Note that you MUST include port 21 in the <i>ports</i> list or you may 
   have problems accessing regular FTP servers.</p>
  <p>If there is a possibility that these modules might be loaded before Shorewall
 starts, then you should include the port list in /etc/modules.conf:<br>
           </p>
  <blockquote>                         
    <p>options ip_conntrack_ftp ports=21,49<br>
         options ip_nat_ftp ports=21,49<br>
        </p>
      </blockquote>
  <p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
  and/or /etc/modules.conf, you must either:<br>
      </p>
  <ol>
        <li>Unload the modules and restart shorewall: (<b><font
 color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
  or</li>
        <li>Reboot<br>
        </li>
  </ol>
  <p>         </p>
           </blockquote>
 <blockquote>     </blockquote>
 <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
 <blockquote> </blockquote>
@ -200,7 +156,7 @@ starts, then you should include the port list in /etc/modules.conf:<br>
 <blockquote>                        
  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
-ICMP type 8 ('ping')<br>
+   ICMP type 8 ('ping')<br>
     </p>
             </blockquote>
@ -234,9 +190,12 @@ ICMP type 8 ('ping')<br>
 <p>Still looking? Try   <a
 href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-<p><font size="2">Last updated 7/16/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-          <a href="copyright.htm"><font size="2">Copyright</font>   © <font
+             <a href="copyright.htm"><font size="2">Copyright</font>   ©
- size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/quotes.htm
+++ b/STABLE/documentation/quotes.htm
@ -26,82 +26,116 @@
  </tbody>   
 </table>
   <font size="3">"I have fought with IPtables for untold hours. First I
 tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
 which also worked for 80%. Then I set out to write my own IPtables parser
 in shell and awk, which was a lot of fun but never got me past the "hey,
 cool" stage. Then I discovered Shorewall. After about an hour, everything
 just worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
 <p>"The configuration is intuitive and flexible, and much easier than any
 of the other iptables-based firewall programs out there. After sifting through
 many other scripts, it is obvious that yours is the most well thought-out
 and complete one available." -- BC, USA</p>
 <p>"I just installed Shorewall after weeks of messing with       ipchains/iptables
  and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
    </p>
    "My case was almost like [the one above]. Well. instead of 'weeks' it 
 was  'months' for me, and I think I needed two minutes more:<br>
 <ul>
-      <li>One to see that I had no Internet access from the firewall itself.</li>
+  <li><font size="3">"I have fought with IPtables for untold hours. First
-      <li>Other to see that this was the default configuration, and it was
+I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield, 
- enough  to uncomment a line in /etc/shorewall/policy.<br>
+which also worked for 80%. Then I set out to write my own IPtables parser 
 in shell and awk, which was a lot of fun but never got me past the "hey, cool"
 stage. Then I discovered Shorewall. After about an hour, everything just
 worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
    <br>
  </li>
  <li>"The configuration is intuitive and flexible, and much easier than
 any  of the other iptables-based firewall programs out there. After sifting
 through  many other scripts, it is obvious that yours is the most well thought-out 
 and complete one available." -- BC, USA<br>
    <br>
  </li>
  <li>"I just installed Shorewall after weeks of messing with       ipchains/iptables 
  and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
    <br>
  </li>
  <li>"My case was almost like [the one above]. Well. instead of 'weeks'
 it  was  'months' for me, and I think I needed two minutes more:<br>
  </li>
 </ul>
 <ul>
  <ul>
    <li>One to see that I had no Internet access from the firewall itself.</li>
  </ul>
  <ul>
    <li>Other to see that this was the default configuration, and it was 
 enough  to uncomment a line in /etc/shorewall/policy.<br>
       </li>
  </ul>
 </ul>
-    Minutes instead of months! Congratulations and thanks for such a simple
+<ul>
- and well documented thing for something as huge as iptables." -- JV, Spain.
+  <li>     Minutes instead of months! Congratulations and thanks for such
 a simple  and well documented thing for something as huge as iptables." --
 JV, Spain.     </li>
 </ul>
 <ul>
  <li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1    
  without   any problems. Your documentation is great and I really appreciate
 your  network configuration info. That really helped me out alot.       THANKS!!!" 
  -- MM.           </li>
 </ul>
-<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without
+<ul>
-  any problems. Your documentation is great and I really appreciate your
+  <li>"[Shorewall is a] great, great project. I've used/tested may      
- network configuration info. That really helped me out alot.       THANKS!!!"
+firewall   scripts but this one is till now the best." -- B.R,       Netherlands
-  -- MM.           </p>
+        </li>
 </ul>
-<p>"[Shorewall is a] great, great project. I've used/tested may       firewall
+<ul>
-  scripts but this one is till now the best." -- B.R,       Netherlands 
+  <li>"Never in my +12 year career as a sys admin have I witnessed      
-       </p>
+someone   so relentless in developing a secure, state of the art, safe and
      useful   product as the Shorewall firewall package for no cost or obligation 
  involved." -- Mario Kerecki, Toronto           </li>
 </ul>
-<p>"Never in my +12 year career as a sys admin have I witnessed       someone
+<ul>
-  so relentless in developing a secure, state of the art, safe and      
+  <li>"one time more to report, that your great shorewall in the latest 
-useful   product as the Shorewall firewall package for no cost or obligation
+  release        1.2.9 is working fine for me with SuSE Linux 7.3! I now
-  involved." -- Mario Kerecki, Toronto           </p>
+have 7 machines  up       and running with shorewall on several versions
 - starting with 1.2.2  up to       the new 1.2.9 and I never have encountered
 any problems!" -- SM, Germany</li>
 </ul>
-<p>"one time more to report, that your great shorewall in the latest    release 
+<ul>
-      1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines 
+  <li>"You have the best support of any other package I've ever       used." 
-up       and running with shorewall on several versions - starting with 1.2.2 
+  -- SE, US           </li>
-up to       the new 1.2.9 and I never have encountered any problems!" -- SM,
+</ul>
 Germany</p>
-<p>"You have the best support of any other package I've ever       used."
+<ul>
-  -- SE, US           </p>
+  <li>"Because our company has information which has been classified by the 
 <p>"Because our company has information which has been classified by the
 national government as secret, our security doesn't stop by putting a fence 
-   around our company. Information security is a hot issue. We also make
+   around our company. Information security is a hot issue. We also make use
-use   of  checkpoint firewalls, but not all of the internet servers are guarded
+  of  checkpoint firewalls, but not all of the internet servers are guarded 
  by  checkpoint, some of them are running....Shorewall." -- Name withheld 
- by request,  Europe</p>
+ by request,  Europe</li>
 </ul>
-<p>"thanx for all your efforts you put into shorewall - this product stands
+<ul>
-  out  against a lot of commercial stuff i´ve been working with in terms
+  <li>"thanx for all your efforts you put into shorewall - this product stands 
-of    flexibillity, quality &amp; support" -- RM, Austria</p>
+  out  against a lot of commercial stuff i´ve been working with in terms of
   flexibillity, quality &amp; support" -- RM, Austria</li>
 </ul>
-<p>"I have never seen such a complete firewall package that is so easy to
+<ul>
-   configure. I searched the Debian package system for firewall scripts and
+  <li>"I have never seen such a complete firewall package that is so easy
-   Shorewall won hands down." -- RG, Toronto</p>
+to    configure. I searched the Debian package system for firewall scripts
 and    Shorewall won hands down." -- RG, Toronto</li>
 </ul>
-<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
+<p></p>
-  is a  wonderful piece of software. I've just sent out an email to about
+<ul>
  <li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
 it   is a  wonderful piece of software. I've just sent out an email to about 
 30  people  recommending it. :-)<br>
-     While I had previously taken the time (maybe 40 hours) to really understand
+    <br>
 While I had previously taken the time (maybe 40 hours) to really understand 
   ipchains, then spent at least an hour per server customizing and carefully 
   scrutinizing firewall rules, I've got shorewall running on my home firewall, 
   with rulesets and policies that I know make sense, in under 20 minutes." 
  -- RP,  Guatamala<br>
-     <br>
+  </li>
-      </p>
+</ul>
 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003 
  - <a href="support.htm">Tom Eastep</a>      </font>                    
@ -114,5 +148,6 @@ of    flexibillity, quality &amp; support" -- RM, Austria</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -4,6 +4,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
@ -24,35 +25,18 @@
                                  <tr>
                                             <td width="33%" height="90"
- valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
+ valign="middle" align="center"><a href="http://www.cityofshoreline.com">
- src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
+                              </a>                            
 border="0">
                           </a></td>
                           <td valign="middle" width="34%"
 align="center" bgcolor="#3366ff">                                      
      <div align="center">                                              
-                                             <img src="images/Logo1.png"
+                                              <img
- alt="(Shorewall Logo)" width="430" height="90">
+ src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90"
 align="middle">
               </div>
           </td>
                           <td valign="middle" width="33%">             
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><img border="0" src="images/shorewall.jpg" width="119"
 height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
             </a></h1>
                           <br>
                           </td>
                                              </tr>
@ -76,23 +60,28 @@
                                               <td width="90%">         
      <div align="center">                                              
-                                             <br>
+                                                                        
      <div align="left">                            
      <h2>What is it?</h2>
          </div>
          </div>
      <h2 align="left">What is it?</h2>
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                                   
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
@ -100,11 +89,12 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
      <p>This program is free software; you can redistribute it and/or modify 
         it          under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
-GNU General Public License</a> as published by the Free   Software      
+General Public License</a> as published by the Free   Software          
 Foundation.<br>
                                            <br>
@ -115,14 +105,14 @@ GNU General Public License</a> as published by the Free   Software
          even  the    implied      warranty          of MERCHANTABILITY
                  or  FITNESS     FOR   A  PARTICULAR          PURPOSE. 
      See the     GNU  General     Public  License                for   more
-details.<br>
+    details.<br>
                                            <br>
-                          You     should       have     received        a 
+                                 You     should       have     received 
-  copy       of    the       GNU     General          Public         License 
+      a    copy       of    the       GNU     General          Public   
-                 along       with    this   program;            if   not, 
+     License                   along       with    this   program;      
-   write      to    the    Free   Software              Foundation,      
+     if   not,     write      to    the    Free   Software              Foundation, 
                    Inc.,    675     Mass   Ave,  Cambridge,      MA    02139,
         USA</p>
@ -131,6 +121,7 @@ details.<br>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -142,70 +133,171 @@ details.<br>
      <h2>This is the Shorewall 1.4 Web Site</h2>
-     The information on this site applies only to 1.4.x releases of Shorewall. 
+            The information on this site applies only to 1.4.x releases of
-  For older versions:<br>
+ Shorewall.      For older versions:<br>
      <ul>
                        <li>The 1.3 site is <a
 href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
-                 <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
+                        <li>The 1.2 site is <a
- target="_top">here</a>.<br>
+ href="http://shorewall.net/1.2/" target="_top">here</a>.<br>
                   </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
-                                         New to Shorewall? Start by selecting 
+                                                New to Shorewall? Start by
-  the         <a href="shorewall_quickstart_guide.htm">QuickStart  Guide</a> 
+ selecting      the         <a href="shorewall_quickstart_guide.htm">QuickStart
-  that   most closely               match your environment and follow the 
+  Guide</a>      that   most closely               match your environment
-step  by   step instructions.<br>
+and follow the    step  by   step instructions.<br>
      <h2>Looking for Information?</h2>
-           The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation 
+                  The <a
-     Index</a> is a good place to start as is the Quick Search to your right. 
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation       
 Index</a> is a good place to start as is the Quick Search to your right. 
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-                               If so, the documentation<b> </b>on this site 
+                                      If so, the documentation<b> </b>on
- will   not   apply   directly   to  your   setup.  If you want to use the 
+this   site   will   not   apply   directly   to  your   setup.  If you want
- documentation     that you  find here, you will want to consider uninstalling 
+to  use the   documentation     that you  find here, you will want to consider 
- what you have     and installing  a setup that matches    the documentation 
+ uninstalling   what you have     and installing  a setup that matches   
-    on this site.     See the <a href="two-interface.htm">Two-interface  
+the documentation      on this site.     See the <a
- QuickStart    Guide</a>     for details.<br>
+ href="two-interface.htm">Two-interface    QuickStart    Guide</a>     for 
 details.<br>
      <h2>News</h2>
-                                                                        
+      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
      <ol>
      </ol>
      <p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                     <br>
             </b></p>
-      <b>Problems Corrected:</b><br>
+             <b>Problems Corrected since version 1.4.6:</b><br>
      <ol>
        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf   then
-Shorewall would fail to start with the error "ERROR:  Traffic Control requires
+ Shorewall would fail to start with the error "ERROR:  Traffic Control  
-Mangle"; that problem has been corrected.</li>
+requires  Mangle"; that problem has been corrected.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of the
 tcrules file. Previously, these addresses resulted in an invalid iptables
 command.</li>
        <li>The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled
 exists. This prevents people from shooting themselves in the foot prior to
 having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages during
 "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being
 added to a PPP interface; the addresses were successfully added in spite
 of the messages.<br>
    <br>
 The firewall script has been modified to eliminate the error messages.<br>
        </li>
      </ol>
-      <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
+      <p><b>7/31/2003 - Snapshot 1.4.6_20030731</b><b>         </b></p>
- src="images/new10.gif" width="28" height="12" alt="(New)">
+                       
-              </b><br>
+      <blockquote>                           
        <p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
           <a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
 target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
         </blockquote>
         <b>Problems Corrected since version 1.4.6</b><br>
      <ol>
           <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED variable 
 was being tested before it was set.</li>
           <li>Corrected handling of MAC addresses in the SOURCE column of
 the tcrules file. Previously, these addresses resulted in an invalid iptables 
 command.<br>
           </li>
      </ol>
         <b>Migration Issues:</b><br>
      <ol>
           <li>Once you have installed this version of Shorewall, you must
 restart Shorewall before you may use the 'drop', 'reject', 'allow' or 'save'
 commands.</li>
           <li>To maintain strict compatibility with previous versions, current 
 uses of "shorewall drop" and "shorewall reject" should be replaced with "shorewall
 dropall" and "shorewall rejectall" </li>
      </ol>
         <b>New Features:</b><br>
      <ol>
           <li>Shorewall now creates a dynamic blacklisting chain for each
 interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
 commands  use the routing table to determine which of these chains is to
 be used for  blacklisting the specified IP address(es).<br>
             <br>
   Two new commands ('dropall' and 'rejectall') have been introduced that 
 do  what 'drop' and 'reject' used to do; namely, when an address is blacklisted 
 using these new commands, it will be blacklisted on all of your firewall's 
 interfaces.</li>
          <li>Thanks to Steve Herber, the 'help' command can now give command-specific
 help (e.g., shorewall help &lt;command&gt;).</li>
         <li>A new option "ADMINISABSENTMINDED" has been added to /etc/shorewall/shorewall.conf. 
 This option has a default value of "No" for existing users which causes Shorewall's 
 'stopped' state  to continue as it has been; namely, in the stopped state 
 only traffic to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
           <br>
 With ADMINISABSENTMINDED=Yes (the default for new installs), in addition 
 to traffic to/from the hosts listed in /etc/shorewall/routestopped, Shorewall 
 will allow:<br>
           <br>
    a) All traffic originating from the firewall itself; and<br>
    b) All traffic that is part of or related to an already-existing connection.<br>
           <br>
  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" entered 
 through an ssh session will not kill the session.<br>
           <br>
  Note though that even with ADMINISABSENTMINDED=Yes, it is still possible 
 for people to shoot themselves in the foot.<br>
           <br>
  Example:<br>
           <br>
  /etc/shorewall/nat:<br>
           <br>
      206.124.146.178    eth0:0    192.168.1.5    <br>
           <br>
  /etc/shorewall/rules:<br>
           <br>
    ACCEPT    net    loc:192.168.1.5    tcp    22<br>
    ACCEPT    loc    fw        tcp    22<br>
           <br>
 From a remote system, I ssh to 206.124.146.178 which establishes an SSH
 connection with local system 192.168.1.5. I then create a second SSH connection
 from that computer to the firewall and confidently type "shorewall stop".
 As part of its stop processing, Shorewall removes eth0:0 which kills my SSH
 connection to 192.168.1.5!!!<br>
         </li>
      </ol>
      <p><b>7/22/2003 - Shorewall-1.4.6a</b><b><br>
             </b></p>
             <b>Problems Corrected:</b><br>
      <ol>
               <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
  then  Shorewall would fail to start with the error "ERROR:  Traffic Control
  requires  Mangle"; that problem has been corrected.</li>
      </ol>
      <p><b>7/20/2003 - Shorewall-1.4.6</b><b>                     </b><br>
             </p>
      <blockquote>                </blockquote>
@ -214,28 +306,30 @@ Mangle"; that problem has been corrected.</li>
      <ol>
-                  <li>A problem seen on RH7.3 systems where Shorewall encountered 
+                         <li>A problem seen on RH7.3 systems where Shorewall
-    start  errors when started using the "service" mechanism has been worked 
+  encountered       start  errors when started using the "service" mechanism
-   around.<br>
+  has been worked      around.<br>
                       <br>
                     </li>
-                  <li>Where a list of IP addresses appears in the DEST column 
+                         <li>Where a list of IP addresses appears in the
-  of  a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules 
+DEST   column    of  a  DNAT[-]  rule, Shorewall incorrectly created multiple 
-in  the  nat  table (one for each element in the list). Shorewall now correctly 
+DNAT   rules  in  the  nat  table (one for each element in the list). Shorewall 
-  creates   a single DNAT rule with multiple "--to-destination" clauses.<br>
+ now correctly    creates   a single DNAT rule with multiple "--to-destination" 
  clauses.<br>
                      <br>
                  </li>
-                  <li>Corrected a problem in Beta 1 where DNS names containing
+                         <li>Corrected a problem in Beta 1 where DNS names
-   a  "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
+ containing      a  "-"  were mis-handled when they appeared in the DEST
 column  of a rule.<br>
                          <br>
                        </li>
-                 <li>A number of problems with rule parsing have been corrected.
+                        <li>A number of problems with rule parsing have been
-    Corrections involve the handling of "z1!z2" in the SOURCE column as well
+  corrected.      Corrections involve the handling of "z1!z2" in the SOURCE
-   as lists in the ORIGINAL DESTINATION column.<br>
+  column as well     as lists in the ORIGINAL DESTINATION column.<br>
                  <br>
                </li>
-         <li>The message "Adding rules for DHCP" is now suppressed if there 
+                <li>The message "Adding rules for DHCP" is now suppressed 
-are no DHCP rules to add.<br>
+if  there   are no DHCP rules to add.<br>
                </li>
@ -247,20 +341,20 @@ are no DHCP rules to add.<br>
      <ol>
-                  <li>In earlier versions, an undocumented feature allowed
+                         <li>In earlier versions, an undocumented feature 
- entries     in the host file as follows:<br>
+allowed     entries     in the host file as follows:<br>
                      <br>
                      z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
                      <br>
-           This capability was never documented and has been removed in 1.4.6 
+                  This capability was never documented and has been removed 
-  to  allow  entries of the following format:<br>
+ in  1.4.6    to  allow  entries of the following format:<br>
                      <br>
                      z   eth1:192.168.1.0/24,192.168.2.0/24<br>
                      <br>
                    </li>
-                  <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options 
+                         <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
- have   been  removed from /etc/shorewall/shorewall.conf. These capabilities 
+ options     have   been  removed from /etc/shorewall/shorewall.conf. These
- are  now automatically  detected by Shorewall (see below).<br>
+ capabilities     are  now automatically  detected by Shorewall (see below).<br>
                    </li>
@ -272,36 +366,37 @@ are no DHCP rules to add.<br>
      <ol>
-                  <li>A 'newnotsyn' interface option has been added. This 
+                         <li>A 'newnotsyn' interface option has been added. 
-option    may  be specified in /etc/shorewall/interfaces and overrides the 
+ This   option    may  be specified in /etc/shorewall/interfaces and overrides
-setting   NEWNOTSYN=No  for packets arriving on the associated interface.<br>
+  the   setting   NEWNOTSYN=No  for packets arriving on the associated interface.<br>
                       <br>
                     </li>
-                  <li>The means for specifying a range of IP addresses in 
+                         <li>The means for specifying a range of IP addresses 
-/etc/shorewall/masq      to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes 
+  in  /etc/shorewall/masq      to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
-is enabled for   address   ranges.<br>
+    is enabled for   address   ranges.<br>
                       <br>
                     </li>
-                  <li>Shorewall can now add IP addresses to subnets other 
+                         <li>Shorewall can now add IP addresses to subnets
-than   the   first  one on an interface.<br>
+ other    than   the   first  one on an interface.<br>
                       <br>
                     </li>
-                  <li>DNAT[-] rules may now be used to load balance (round-robin) 
+                         <li>DNAT[-] rules may now be used to load balance
-    over a  set of servers. Servers may be specified in a range of addresses 
+ (round-robin)        over a  set of servers. Servers may be specified in
-    given as &lt;first address&gt;-&lt;last address&gt;.<br>
+a range of addresses        given as &lt;first address&gt;-&lt;last address&gt;.<br>
                       <br>
                   Example:<br>
                       <br>
                       DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
                       <br>
                     </li>
-                  <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration 
+                         <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
-    options  have been removed and have been replaced by code that detects 
+ configuration        options  have been removed and have been replaced by
- whether   these  capabilities are present in the current kernel. The output 
+ code that detects     whether   these  capabilities are present in the current
- of the  start, restart and check commands have been enhanced to report the 
+ kernel. The output     of the  start, restart and check commands have been
- outcome:<br>
+ enhanced to report  the   outcome:<br>
                       <br>
-            Shorewall has detected the following iptables/netfilter capabilities:<br>
+                   Shorewall has detected the following iptables/netfilter
 capabilities:<br>
                      NAT: Available<br>
                      Packet Mangling: Available<br>
                      Multi-port Match: Available<br>
@ -309,39 +404,43 @@ than   the   first  one on an interface.<br>
                       <br>
                     </li>
                         <li>Support for the Connection Tracking Match Extension
-has   been   added.  This extension is available in recent kernel/iptables 
+    has   been   added.  This extension is available in recent kernel/iptables
-releases   and   allows  for rules which match against elements in netfilter's 
+    releases   and   allows  for rules which match against elements in netfilter's
-connection    tracking  table. Shorewall automatically detects the availability 
+    connection    tracking  table. Shorewall automatically detects the availability
-of this    extension  and reports its availability in the output of the start, 
+    of this    extension  and reports its availability in the output of the
-restart    and check  commands.<br>
+  start,  restart    and check  commands.<br>
                       <br>
-            Shorewall has detected the following iptables/netfilter capabilities:<br>
+                   Shorewall has detected the following iptables/netfilter
 capabilities:<br>
                      NAT: Available<br>
                      Packet Mangling: Available<br>
                      Multi-port Match: Available<br>
                      Connection Tracking Match: Available<br>
                   Verifying Configuration...<br>
                       <br>
-            If this extension is available, the ruleset generated by Shorewall
+                   If this extension is available, the ruleset generated
-   is  changed  in the following ways:</li>
+by  Shorewall      is  changed  in the following ways:</li>
        <ul>
-                    <li>To handle 'norfc1918' filtering, Shorewall will not 
+                           <li>To handle 'norfc1918' filtering, Shorewall 
- create    chains  in the mangle table but will rather do all 'norfc1918' 
+will   not   create    chains  in the mangle table but will rather do all 
-filtering   in the filter  table (rfc1918 chain).</li>
+'norfc1918'    filtering   in the filter  table (rfc1918 chain).</li>
-                    <li>Recall that Shorewall DNAT rules generate two netfilter 
+                           <li>Recall that Shorewall DNAT rules generate
-   rules;  one  in the nat table and one in the filter table. If the Connection 
+two   netfilter      rules;  one  in the nat table and one in the filter
-   Tracking  Match Extension is available, the rule in the filter table is 
+table.   If the Connection      Tracking  Match Extension is available, the
- extended  to  check that the original destination address was the same as 
+rule in  the filter table is   extended  to  check that the original destination
- specified  (or  defaulted to) in the DNAT rule.<br>
+address  was the same as   specified  (or  defaulted to) in the DNAT rule.<br>
                         <br>
                       </li>
        </ul>
-                  <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
+                         <li>The shell used to interpret the firewall script
-      may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
+  (/usr/share/shorewall/firewall)        may now be specified using the SHOREWALL_SHELL
  parameter in shorewall.conf.<br>
                      <br>
                  </li>
                         <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
@ -358,7 +457,8 @@ filtering   in the filter  table (rfc1918 chain).</li>
                           BROADCAST=192.168.1.255<br>
                        [root@wookie root]#<br>
                      <br>
-                 [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
+                        [root@wookie root]# shorewall ipcalc 192.168.1.0
 255.255.255.0<br>
                           CIDR=192.168.1.0/24<br>
                           NETMASK=255.255.255.0<br>
                           NETWORK=192.168.1.0<br>
@ -367,10 +467,10 @@ filtering   in the filter  table (rfc1918 chain).</li>
                      <br>
                  Warning:<br>
                      <br>
-           If your shell only supports 32-bit signed arithmatic (ash or dash),
+                  If your shell only supports 32-bit signed arithmatic (ash 
-   then   the ipcalc command produces incorrect information for IP addresses
+ or  dash),    then   the ipcalc command produces incorrect information for 
-   128.0.0.0-1   and for /1 networks. Bash should produce correct information
+ IP  addresses    128.0.0.0-1   and for /1 networks. Bash should produce correct
-   for all valid   IP addresses.<br>
+  information    for all valid   IP addresses.<br>
                      <br>
                    </li>
                         <li>An 'iprange' command has been added to /sbin/shorewall.
@ -378,13 +478,13 @@ filtering   in the filter  table (rfc1918 chain).</li>
                      <br>
                        iprange &lt;address&gt;-&lt;address&gt;<br>
                      <br>
-           This command decomposes a range of IP addressses into a list of
+                  This command decomposes a range of IP addressses into a 
- network     and host addresses. The command can be useful if you need to
+list   of  network     and host addresses. The command can be useful if you 
-construct  an   efficient set of rules that accept connections from a range
+need   to construct  an   efficient set of rules that accept connections from
-of network  addresses.<br>
+a  range of network  addresses.<br>
                      <br>
-           Note: If your shell only supports 32-bit signed arithmetic (ash
+                  Note: If your shell only supports 32-bit signed arithmetic
- or  dash)   then the range may not span 128.0.0.0.<br>
+  (ash   or  dash)   then the range may not span 128.0.0.0.<br>
                      <br>
                  Example:<br>
                      <br>
@ -403,24 +503,24 @@ of network  addresses.<br>
                        [root@gateway root]#<br>
                      <br>
                    </li>
-                  <li>A list of host/net addresses is now allowed in an entry 
+                         <li>A list of host/net addresses is now allowed
-  in  /etc/shorewall/hosts.<br>
+in  an  entry    in  /etc/shorewall/hosts.<br>
                      <br>
                  Example:<br>
                      <br>
                      foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
                  <br>
                </li>
-         <li>The "shorewall check" command now includes the chain name when 
+                <li>The "shorewall check" command now includes the chain
-printing the applicable policy for each pair of zones.<br>
+name   when  printing the applicable policy for each pair of zones.<br>
         <br>
            Example:<br>
         <br>
                Policy for dmz to net is REJECT using chain all2all<br>
         <br>
        This means that the policy for connections from the dmz to the internet 
-is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all 
+   is REJECT and the applicable entry in the /etc/shorewall/policy was the 
-policy.<br>
+ all-&gt;all  policy.<br>
                  <br>
                </li>
                <li>Support for the 2.6 Kernel series has been added.<br>
@ -430,70 +530,13 @@ policy.<br>
      </ol>
      <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
              <br>
              </b></p>
        Thanks to the folks at securityopensource.org.br, there is now a
      <a href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
    mirror in Brazil</a>.       
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
                  </p>
      <ol>
                         <li>The command "shorewall debug try &lt;directory&gt;"
    now   correctly   traces the attempt.</li>
                         <li>The INCLUDE directive now works properly in
 the   zones    file;    previously, INCLUDE in that file was ignored.</li>
                         <li>/etc/shorewall/routestopped records with an
 empty    second    column   are no longer ignored.<br>
                    </li>
      </ol>
      <p>New Features:<br>
                  </p>
      <ol>
                         <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] 
    rule   may  now contain a list of addresses. If the list begins with "!'
   then the   rule  will take effect only if the original destination address
   in the connection    request does not match any of the addresses listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
                                </b></p>
      <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
         and iptables 1.2.8 (using the "official" RPM from netfilter.org).
 No   problems     have been encountered with this set of software. The Shorewall
    version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
                   </p>
      <p><b>6/8/2003 - Updated Samples</b><b>                      </b></p>
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall 
         version 1.4.4.</p>
      <p><b></b></p>
      <ol>
@ -511,23 +554,26 @@ empty    second    column   are no longer ignored.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
-                                 </a>Jacques        Nilo       and     Eric 
+                                        </a>Jacques        Nilo       and 
-     Wolzak          have       a   LEAF  (router/firewall/gateway       
+    Eric       Wolzak          have       a   LEAF  (router/firewall/gateway 
-                on   a  floppy,       CD    or compact     flash)  distribution 
+                         on   a  floppy,       CD    or compact     flash) 
-                  called                 <i>Bering</i>          that     
+  distribution                    called                 <i>Bering</i>   
-    features                   Shorewall-1.4.2         and    Kernel-2.4.20. 
+      that          features                   Shorewall-1.4.2         and 
-            You        can     find         their    work at:            
+     Kernel-2.4.20.              You        can     find         their   
-         <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+work  at:                      <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                                      </a></p>
-                                    <b>Congratulations to Jacques and Eric
+                                           <b>Congratulations to Jacques
- on  the   recent    release     of  Bering    1.2!!! </b><br>
+and   Eric   on  the   recent    release     of  Bering    1.2!!! </b><br>
@ -536,8 +582,9 @@ empty    second    column   are no longer ignored.<br>
                </td>
-                                        <td width="88" bgcolor="#3366ff"
+                                               <td width="88"
- valign="top" align="center">                                           
+ bgcolor="#3366ff" valign="top" align="center">                         
@ -545,23 +592,25 @@ empty    second    column   are no longer ignored.<br>
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch">                  
       <strong><br>
-                                                                        <font
+                                                                        
- color="#ffffff"><b>Note:              </b></font></strong><font
+              <font color="#ffffff"><b>Note:              </b></font></strong><font
 color="#ffffff">Search is unavailable      Daily    0200-0330      GMT.</font><br>
              <strong></strong>                                         
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-             <font face="Arial" size="-1">        <input type="text"
+                    <font face="Arial" size="-1">        <input
- name="words" size="15"></font><font size="-1"> </font>      <font
+ type="text" name="words" size="15"></font><font size="-1"> </font>     
- face="Arial" size="-1">     <input type="hidden" name="format"
+        <font face="Arial" size="-1">     <input type="hidden"
- value="long">     <input type="hidden" name="method" value="and">     <input
+ name="format" value="long">     <input type="hidden" name="method"
- type="hidden" name="config" value="htdig">     <input type="submit"
+ value="and">     <input type="hidden" name="config" value="htdig">     <input
- value="Search"></font>               </p>
+ type="submit" value="Search"></font>               </p>
                    <font face="Arial">            <input type="hidden"
 name="exclude" value="[http://lists.shorewall.net/pipermail/*]">   </font>
@ -581,6 +630,7 @@ empty    second    column   are no longer ignored.<br>
  </tbody>                                                          
 </table>
@ -604,6 +654,7 @@ empty    second    column   are no longer ignored.<br>
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10" alt="(Starlight Logo)">
@ -615,12 +666,14 @@ empty    second    column   are no longer ignored.<br>
      <p align="center"><font size="4" color="#ffffff"><br>
                                 <font size="+2"> Shorewall is free but if
       you   try   it  and   find   it useful, please consider making a donation
-                                                                     to  
+                                                                        
-                <a href="http://www.starlight.org"><font color="#ffffff">Starlight
+to                     <a href="http://www.starlight.org"><font
-     Children's              Foundation.</font></a> Thanks!</font></font></p>
+ color="#ffffff">Starlight      Children's              Foundation.</font></a>
   Thanks!</font></font></p>
                                        </td>
@ -628,13 +681,14 @@ empty    second    column   are no longer ignored.<br>
  </tbody>                                                          
 </table>
-<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 8/5/2003 - <a href="support.htm">Tom Eastep</a></font> 
-<br>
+  <br>
 </p>
 <br>
 </body>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -22,6 +22,7 @@
                                 <tr>
                                        <td width="100%">               
      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
                                        </td>
                                      </tr>
@ -47,7 +48,7 @@
                                  <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
                                  <li><a href="http://www.tandem.com">Tandem
-Computers,      Incorporated</a>         (now part of the <a
+  Computers,      Incorporated</a>         (now part of the <a
 href="http://www.hp.com">The     New HP</a>) 1980 -  present</li>
                                  <li>Married 1969 - no children.</li>
@ -57,52 +58,28 @@ Computers,      Incorporated</a>         (now part of the <a
       system from the NonStop Enterprise Division of HP. </p>
 <p>I became interested in Internet Security when I established a home office
-            in 1999 and had DSL service installed in our       home. I investigated
+              in 1999 and had DSL service installed in our       home. I
-          ipchains  and developed the scripts which are now collectively
+investigated             ipchains  and developed the scripts which are now
-known      as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. 
+collectively  known      as   <a href="http://seawall.sourceforge.net"> Seattle
-     Expanding       on what I learned from Seattle Firewall, I then     
+      Firewall</a>.        Expanding       on what I learned from Seattle
- designed    and wrote      Shorewall. </p>
+Firewall, I then       designed    and wrote      Shorewall. </p>
 <p>I telework from our <a
 href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
 href="http://www.cityofshoreline.com">Shoreline,        Washington</a>  where
 I live with my wife Tarry.  </p>
-<p>Our current home network consists of: </p>
+<p></p>
 <ul>
                              <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
 40GB   &amp;   20GB   IDE   HDs   and LNE100TX      (Tulip) NIC - My personal 
 Windows   system.   Serves as a PPTP server for Road Warrior access. Dual 
 boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                              <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, 
 LNE100TX(Tulip)        NIC   -  My      personal Linux System which runs 
 Samba.    This      system also has <a href="http://www.vmware.com/">VMware</a> 
 installed    and      can run both     <a href="http://www.debian.org">Debian 
  Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual 
  machines.</li>
                              <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, 
 EEPRO100     NIC    - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
 FTP    (Pure_ftpd),   DNS  server        (Bind 9).</li>
                              <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
 HD  -  3   LNE100TX       (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
   1.4.6Beta1, a DHCP         server and Samba configured as a WINS server..</li>
                              <li>Duron 750, Win ME, 192MB RAM, 20GB HD,
 RTL8139     NIC   -  My  wife's        personal system.</li>
                              <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
  HD,  built-in     EEPRO100, EEPRO100 in expansion base - My   work system.</li>
         <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC
 and   LinkSys  WET11 - Our Laptop.<br>
         </li>
 </ul>
-<p>For more about our network see <a href="myfiles.htm">my Shorewall   Configuration</a>.</p>
+<p>For information about our home network see <a href="myfiles.htm">my Shorewall
  Configuration files.</a></p>
 <p>All of our        other systems are made by <a
 href="http://www.compaq.com">Compaq</a> (part        of the new <a
- href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
+ href="http://www.hp.com/">HP</a>).</p>
 href="http://www.netgear.com">Netgear</a>       FA310TXs.</p>
 <p><a href="http://www.redhat.com"><img border="0"
 src="images/poweredby.png" width="88" height="31">
@ -117,8 +94,8 @@ and   LinkSys  WET11 - Our Laptop.<br>
                      </a><a href="http://www.mandrakelinux.com"><img
 src="images/medbutton.png" alt="Powered by Mandrake" width="90"
 height="32">
-                 </a><img src="images/shorewall.jpg"
+                     </a><img src="images/ProtectedBy.png"
- alt="Protected by Shorewall" width="125" height="40" hspace="4">
+ alt="Protected by Shorewall" width="200" height="42" hspace="4">
            <a href="http://www.opera.com"><img src="images/opera.png"
 alt="(Opera Logo)" width="102" height="39" border="0">
            </a>  <a href="http://www.hp.com"><img
@ -126,7 +103,7 @@ and   LinkSys  WET11 - Our Laptop.<br>
 height="75" border="0">
          </a><a href="http://www.opera.com"> </a>                 </font></p>
-<p><font size="2">Last updated 7/14/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 7/20/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
                                <font face="Trebuchet MS"><a
 href="copyright.htm"><font size="2">Copyright</font>       © <font
@ -134,5 +111,9 @@ and   LinkSys  WET11 - Our Laptop.<br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_logging.html
+++ b/STABLE/documentation/shorewall_logging.html
@ -28,8 +28,8 @@
    the notation <i>facility.priority</i>). <br>
        <br>
        The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
- kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through 
+  kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
-  <i>local7</i>.<br>
+through    <i>local7</i>.<br>
        <br>
        Throughout the Shorewall documentation, I will use the term <i>level</i>
    rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
@ -39,7 +39,7 @@
          </h3>
          Syslog levels are a method of describing to syslog (8) the importance
    of  a message and a number of Shorewall parameters have a syslog level
-as   their  value.<br>
+ as   their  value.<br>
            <br>
            Valid levels are:<br>
            <br>
@ -61,15 +61,15 @@ as   their  value.<br>
  emerg<br>
            <br>
            For most Shorewall logging, a level of 6 (info) is appropriate.
-Shorewall     log messages are generated by NetFilter and are logged using 
+ Shorewall     log messages are generated by NetFilter and are logged using
-the <i>kern</i>    facility  and the level that you specify. If you are unsure 
+ the <i>kern</i>    facility  and the level that you specify. If you are
-of the level    to choose,  6 (info) is a safe bet. You may specify levels 
+unsure  of the level    to choose,  6 (info) is a safe bet. You may specify
-by name or by   number.<br>
+levels  by name or by   number.<br>
          <br>
-         Syslogd writes log messages to files (typically in /var/log/*) based 
+          Syslogd writes log messages to files (typically in /var/log/*)
-  on  their facility and level. The mapping of these facility/level pairs 
+based    on  their facility and level. The mapping of these facility/level
-to  log  files is done in /etc/syslog.conf (5). If you make changes to this 
+pairs  to  log  files is done in /etc/syslog.conf (5). If you make changes
-file,  you must restart syslogd before the changes can take effect.<br>
+to this  file,  you must restart syslogd before the changes can take effect.<br>
 <h3>Configuring a Separate Log for Shorewall Messages</h3>
          There are a couple of limitations to syslogd-based logging:<br>
@ -84,17 +84,17 @@ file,  you must restart syslogd before the changes can take effect.<br>
 </ol>
          Beginning with Shorewall version 1.3.12, if your kernel has ULOG
-target    support (and most vendor-supplied kernels do), you may also specify 
+ target    support (and most vendor-supplied kernels do), you may also specify
-a log  level of ULOG (must be all caps). When  ULOG is used, Shorewall will 
+ a log  level of ULOG (must be all caps). When  ULOG is used, Shorewall will
-direct  netfilter to log the related messages  via the ULOG target which
+ direct  netfilter to log the related messages  via the ULOG target which 
 will send  them to a process called 'ulogd'. The  ulogd program is available 
 from http://www.gnumonks.org/projects/ulogd  and  can be configured to log 
 all Shorewall message to their own log file.<br>
   <br>
-  <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from 
+   <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
-syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely 
+from  syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have
-no effect on your Shorewall logging (except for Shorewall status messages 
+absolutely  no effect on your Shorewall logging (except for Shorewall status
-which still go to syslog).<br>
+messages  which still go to syslog).<br>
      <br>
  You will need to have the kernel source available to compile ulogd.<br>
  <br>
@ -114,8 +114,8 @@ which still go to syslog).<br>
 </ol>
      If you are like me and don't have a development environment on your 
-firewall,   you can do the first six steps on another system then either
+firewall,   you can do the first six steps on another system then either NFS
-NFS mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> 
+mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
   directory and move it to your firewall system.<br>
      <br>
      Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
@ -125,28 +125,32 @@ NFS mount your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>v
      <li>syslogsync 1</li>
 </ol>
 Also on the firewall system:<br>
 <blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
 </blockquote>
      I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
-to  /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" 
+ to  /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
-  to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
+   to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
-  --level 3 ulogd on" starts ulogd during boot up. Your init system may need
+"chkconfig   --level 3 ulogd on" starts ulogd during boot up. Your init system
-  something else done to activate the script.<br>
+may need   something else done to activate the script.<br>
   <br>
   You will need to change all instances of log levels (usually 'info') in
-your configuration files to 'ULOG' - this includes entries in the policy, 
+ your configuration files to 'ULOG' - this includes entries in the policy,
-rules and shorewall.conf files. Here's what I have:<br>
+ rules and shorewall.conf files. Here's what I have:<br>
 <pre>	[root@gateway shorewall]# grep ULOG *<br>	policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br>	policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br>	policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br>	rules:REJECT:ULOG loc net tcp 6667<br>	shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br>	shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br>	[root@gateway shorewall]#<br></pre>
      Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
  that  you wish to log to&gt;</i>. This tells the /sbin/shorewall program
-where to look for the log when processing its "show log", "logwatch" and "monitor"
+ where to look for the log when processing its "show log", "logwatch" and
- commands.<br>
+"monitor"  commands.<br>
-<p><font size="2">   Updated 1/11/2003 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 7/25/2003 - <a href="support.htm">Tom  Eastep</a>
           </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>           &copy;
-<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
+ <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
       </p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_mirrors.htm
+++ b/STABLE/documentation/shorewall_mirrors.htm
@ -43,7 +43,7 @@
               <li>     <a href="http://www.infohiiway.com/shorewall"
 target="_top">   http://shorewall.infohiiway.com</a>     (Texas, USA).</li>
               <li><a target="_top" href="http://germany.shorewall.net">
-http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
+  http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
                       <li><a target="_top"
 href="http://france.shorewall.net">http://france.shorewall.net</a>      
 (Paris, France)</li>
@ -70,7 +70,7 @@ http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
          (Slovak Republic).</li>
               <li>     <a
 href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
-       (Texas, USA).</li>
+        (Texas, USA -- temporarily unavailable).</li>
               <li><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall">   ftp://germany.shorewall.net/pub/shorewall</a> 
     (Hamburg, Germany)</li>
@ -84,24 +84,15 @@ http://germany.shorewall.net</a>     (Hamburg, Germany)</li>
        </li>
 </ul>
-        Search results and the mailing list archives are always fetched from
+          Search results and the mailing list archives are always fetched 
-  the  site in Washington State.<br>
+from   the  site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 7/15/2003 - <a
+<p align="left"><font size="2">Last Updated 8/4/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
-            <br>
+ </p>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -24,6 +24,7 @@
                                         <tr>
                                          <td width="100%">             
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides 
           (HOWTO's)<br>
                                      </font></h1>
@ -33,8 +34,8 @@
  </tbody>               
 </table>
-<p align="center">With thanks to Richard who reminded me once again that
+<p align="center">With thanks to Richard who reminded me once again that we
-we must  all first walk before we can run.<br>
+must  all first walk before we can run.<br>
                     The French Translations are courtesy of Patrice Vetsel<br>
                     </p>
@ -52,25 +53,28 @@ we must  all first walk before we can run.<br>
                                        <li><a href="two-interface.htm">Two-interface</a> 
        Linux    System    acting    as a    firewall/router for a small local
     network   (<a href="two-interface_fr.html">Version Française</a>)</li>
-                                     <li><a href="three-interface.htm">Three-interface</a>
+                                        <li><a
-         Linux    System    acting  as a    firewall/router for a small local
+ href="three-interface.htm">Three-interface</a>           Linux    System
-    network     and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
+   acting  as a    firewall/router for a small local      network     and
 a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
  </ul>
  <p>The above guides are designed to get your first firewall up and running 
                   quickly in the three most common Shorewall configurations. 
-If you want to learn more about Shorewall than is explained in the above
+ If you want to learn more about Shorewall than is explained in the above 
 simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> 
-(See      Index Below) is for you.</p>
+ (See      Index Below) is for you.</p>
-</blockquote>
+   </blockquote>
 <p>If you have <font color="#ff0000"><big><big><b>more than one public IP 
-address</b></big></big></font>:<br>
+ address</b></big></big></font>:<br>
-</p>
+   </p>
 <blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> 
-(See      Index Below) outlines              the steps necessary to set up
+ (See      Index Below) outlines              the steps necessary to set up
-a firewall      where there are <small><small><big><big>multiple        
+ a firewall      where there are <small><small><big><big>multiple       
-public    IP  addresses</big></big></small></small> involved or   if  you
+ public    IP  addresses</big></big></small></small> involved or   if  you
 want to learn more about   Shorewall      than   is  explained in   the 
 single-address guides above.</blockquote>
@ -82,8 +86,8 @@ single-address guides above.</blockquote>
 <p>The following documentation covers a variety of topics and <b>supplements 
                  the  <a href="shorewall_quickstart_guide.htm">QuickStart 
-Guides</a>           described      above</b>. Please review the appropriate
+ Guides</a>           described      above</b>. Please review the appropriate 
-guide before      trying     to use this    documentation directly.</p>
+ guide before      trying     to use this    documentation directly.</p>
 <ul>
                                        <li><a
@ -92,46 +96,41 @@ guide before      trying     to use this    documentation directly.</p>
                  </li>
                  <li><a href="blacklisting_support.htm">Blacklisting</a> 
    <ul>
                                          <li>Static Blacklisting using /etc/shorewall/blacklist</li>
-                                       <li>Dynamic Blacklisting using /sbin/shorewall</li>
+                                          <li>Dynamic Blacklisting using
 /sbin/shorewall</li>
    </ul>
                                        </li>
                                        <li><a
- href="configuration_file_basics.htm">Common    configuration        file 
+ href="starting_and_stopping_shorewall.htm">Commands</a>  (Description of
-     features</a>                                                        
+all /sbin/shorewall commands)</li>
    <li><a href="configuration_file_basics.htm">Common    configuration 
      file       features</a> </li>
  <ul>
-                                       <li><a
+      <li><a href="configuration_file_basics.htm#Comments">Comments  in configuration 
 href="configuration_file_basics.htm#Comments">Comments  in configuration
          files</a></li>
-                                       <li><a
+      <li><a href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
- href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
+      <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a></li>
-             <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
+      <li><a href="configuration_file_basics.htm#Ports">Port    Numbers/Service
-Directive</a><br>
+ Names</a></li>
      <li><a href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
      <li><a href="configuration_file_basics.htm#Variables">Using  Shell
 Variables</a></li>
      <li><a href="configuration_file_basics.htm#dnsnames">Using  DNS Names</a></li>
      <li><a href="configuration_file_basics.htm#Compliment">Complementing
 an IP address           or Subnet</a></li>
      <li><a href="configuration_file_basics.htm#Configs">Shorewall   Configurations
 (making a test configuration)</a></li>
      <li><a href="configuration_file_basics.htm#MAC">Using    MAC Addresses
 in Shorewall</a>                                                       
                               </li>
                                       <li><a
 href="configuration_file_basics.htm#Ports">Port    Numbers/Service Names</a></li>
                                       <li><a
 href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
                                       <li><a
 href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
                                       <li><a
 href="configuration_file_basics.htm#dnsnames">Using  DNS Names</a><br>
                                  </li>
                                       <li><a
 href="configuration_file_basics.htm#Compliment">Complementing an IP address
          or Subnet</a></li>
                                       <li><a
 href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
 a test configuration)</a></li>
                                       <li><a
 href="configuration_file_basics.htm#MAC">Using    MAC Addresses in Shorewall</a></li>
  </ul>
                                     </li>
                                        <li><a href="Documentation.htm">Configuration 
      File   Reference      Manual</a>                                   
@ -173,6 +172,7 @@ a test configuration)</a></li>
                                          <li><a
 href="Documentation.htm#Routestopped">routestopped</a></li>
    </ul>
                                        </li>
                                        <li><a href="CorpNetwork.htm">Corporate 
@ -180,7 +180,7 @@ a test configuration)</a></li>
       </li>
       <li><a href="dhcp.htm">DHCP</a></li>
                                        <li><a href="ECN.html">ECN Disabling
-by  host   or  subnet</a></li>
+  by  host   or  subnet</a></li>
         <li><a href="errata.htm">Errata</a><br>
         </li>
                <li><font color="#000099"><a
@ -195,6 +195,8 @@ by  host   or  subnet</a></li>
         </li>
                                        <li><a
 href="shorewall_firewall_structure.htm">Firewall      Structure</a></li>
         <li><a href="FTP.html">FTP and Shorewall</a><br>
   </li>
   <li><a href="support.htm">Getting help or answers to questions</a></li>
         <li>Greater Seattle Linux Users Group Presentation</li>
@ -209,24 +211,29 @@ by  host   or  subnet</a></li>
 href="kernel.htm">Kernel     Configuration</a></font></li>
                           <li><a href="shorewall_logging.html">Logging</a><br>
                           </li>
-                                     <li><a href="MAC_Validation.html">MAC
+                                        <li><a
- Verification</a></li>
+ href="MAC_Validation.html">MAC   Verification</a></li>
         <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
         </li>
                                               <li><a href="myfiles.htm">My 
-Shorewall      Configuration   (How I personally use Shorewall)</a><br>
+ Shorewall      Configuration   (How I personally use Shorewall)</a></li>
    <li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
    </li>
                    <li><a href="ping.html">'Ping' Management</a><br>
                            </li>
                            <li><a href="ports.htm">Port Information</a>
    <ul>
-                                       <li>Which applications use which ports</li>
+                                          <li>Which applications use which
 ports</li>
                                          <li>Ports used by Trojans</li>
    </ul>
                                        </li>
-                                     <li><a href="ProxyARP.htm">Proxy ARP</a></li>
+                                        <li><a href="ProxyARP.htm">Proxy
 ARP</a></li>
         <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
         </li>
                                        <li><a href="samba.htm">Samba</a></li>
@ -235,19 +242,22 @@ Shorewall      Configuration   (How I personally use Shorewall)</a><br>
  <ul>
                 <li><a href="shorewall_setup_guide.htm#Introduction">1.0 
-Introduction</a></li>
+  Introduction</a></li>
                 <li><a href="shorewall_setup_guide.htm#Concepts">2.0   Shorewall 
         Concepts</a></li>
-              <li><a href="shorewall_setup_guide.htm#Interfaces">3.0   Network
+                 <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 
-       Interfaces</a></li>
+ Network         Interfaces</a></li>
-              <li><a href="shorewall_setup_guide.htm#Addressing">4.0   Addressing, 
+                 <li><a href="shorewall_setup_guide.htm#Addressing">4.0 
-          Subnets    and Routing</a>                                     
+ Addressing,            Subnets    and Routing</a>                      
      <ul>
                     <li><a href="shorewall_setup_guide.htm#Addresses">4.1
   IP   Addresses</a></li>
-                  <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
+                     <li><a href="shorewall_setup_guide.htm#Subnets">4.2
-                  <li><a href="shorewall_setup_guide.htm#Routing">4.3   Routing</a></li>
+Subnets</a></li>
                     <li><a href="shorewall_setup_guide.htm#Routing">4.3
  Routing</a></li>
                     <li><a href="shorewall_setup_guide.htm#ARP">4.4   Address
       Resolution       Protocol (ARP)</a></li>
@ -256,8 +266,8 @@ Introduction</a></li>
      <ul>
-                  <li><a href="shorewall_setup_guide.htm#RFC1918">4.5   RFC 
+                     <li><a href="shorewall_setup_guide.htm#RFC1918">4.5
-   1918</a></li>
+  RFC     1918</a></li>
      </ul>
@ -266,7 +276,8 @@ Introduction</a></li>
       up   your   Network</a>                                          
      <ul>
-                  <li><a href="shorewall_setup_guide.htm#Routed">5.1   Routed</a></li>
+                     <li><a href="shorewall_setup_guide.htm#Routed">5.1 
 Routed</a></li>
      </ul>
@ -282,15 +293,17 @@ Introduction</a></li>
    SNAT</a></li>
                         <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 
    DNAT</a></li>
-                      <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
+                         <li><a
-     Proxy     ARP</a></li>
+ href="shorewall_setup_guide.htm#ProxyARP">5.2.3       Proxy     ARP</a></li>
                         <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
    Static       NAT</a></li>
          </ul>
                                          </li>
-                  <li><a href="shorewall_setup_guide.htm#Rules">5.3   Rules</a></li>
+                     <li><a href="shorewall_setup_guide.htm#Rules">5.3  
 Rules</a></li>
                     <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
    Odds     and   Ends</a></li>
@ -307,7 +320,8 @@ Introduction</a></li>
 href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
  <ul>
-                               <li>Description of all /sbin/shorewall commands</li>
+                                  <li>Description of all /sbin/shorewall
 commands</li>
                                  <li>How to safely test a Shorewall configuration
     change<br>
                                  </li>
@ -315,12 +329,12 @@ Introduction</a></li>
  </ul>
                                        <li><font color="#000099"><a
 href="NAT.htm">Static    NAT</a></font></li>
-                     <li><a href="Shorewall_Squid_Usage.html">Squid as a
+                        <li><a href="Shorewall_Squid_Usage.html">Squid as 
-Transparent       Proxy    with Shorewall</a></li>
+a  Transparent       Proxy    with Shorewall</a></li>
-                                     <li><a href="traffic_shaping.htm">Traffic
+                                        <li><a
-   Shaping/QOS</a></li>
+ href="traffic_shaping.htm">Traffic     Shaping/QOS</a></li>
-      <li><a href="troubleshoot.htm">Troubleshooting (Things to try if it 
+         <li><a href="troubleshoot.htm">Troubleshooting (Things to try if 
-doesn't  work)</a><br>
+it  doesn't  work)</a><br>
        </li>
         <li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
         </li>
@ -328,7 +342,8 @@ doesn't  work)</a><br>
    <ul>
                                          <li><a href="IPSEC.htm">IPSEC</a></li>
-                                       <li><a href="IPIP.htm">GRE and IPIP</a></li>
+                                          <li><a href="IPIP.htm">GRE and
 IPIP</a></li>
                          <li><a href="OPENVPN.html">OpenVPN</a><br>
                          </li>
                                          <li><a href="PPTP.htm">PPTP</a></li>
@ -337,6 +352,7 @@ doesn't  work)</a><br>
                                          <li><a href="VPN.htm">IPSEC/PPTP</a>
   from   a  system    behind    your   firewall   to a      remote network.</li>
    </ul>
                                        </li>
                                        <li><a
@ -347,7 +363,7 @@ doesn't  work)</a><br>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 7/30/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M. 
          Eastep</font></a><br>
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@ -4,6 +4,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
@ -24,17 +25,12 @@
                               <tr>
                                          <td width="33%" height="90"
- valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
+ valign="middle" align="center"><a href="http://www.cityofshoreline.com">
- src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
+                           </a><img src="images/Logo1.png"
- border="0">
+ alt="(Shorewall Logo)" width="430" height="90">
-                         </a></td>
+        <br>
                                            <td valign="middle"
 bgcolor="#3366ff" width="34%" align="center">                           
                                                                      <img
 src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
                         </td>
           <td valign="top" width="33"><br>
           </td>
                                                 </tr>
@ -44,6 +40,7 @@
 <div align="center">                                                     
 <center>                                                         
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
@ -58,6 +55,7 @@
      <h2 align="left">What is it?</h2>
@ -65,6 +63,7 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
                                        a       <a
 href="http://www.netfilter.org">Netfilter</a>               (iptables) 
@ -77,11 +76,12 @@
      <p>This program is free software; you can redistribute it and/or modify
          it          under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
-General Public License</a> as published by the Free   Software          
+GNU General Public License</a> as published by the Free   Software      
     Foundation.<br>
                                           <br>
@ -92,14 +92,14 @@ General Public License</a> as published by the Free   Software
         even  the    implied      warranty          of MERCHANTABILITY 
                 or  FITNESS     FOR   A  PARTICULAR          PURPOSE.  
     See the     GNU  General     Public  License                for   more 
-details.<br>
+   details.<br>
                                           <br>
-                         You     should       have     received        a
+                                You     should       have     received  
-  copy       of    the       GNU     General          Public         License
+     a    copy       of    the       GNU     General          Public    
-                 along       with    this   program;            if   not,
+    License                   along       with    this   program;       
-   write      to    the    Free   Software              Foundation,     
+    if   not,     write      to    the    Free   Software              Foundation,
                    Inc.,    675     Mass   Ave,  Cambridge,      MA    02139, 
        USA</p>
@ -108,6 +108,7 @@ details.<br>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -115,89 +116,214 @@ details.<br>
      <h2>This is the Shorewall 1.4 Web Site</h2>
-    The information on this site applies only to 1.4.x releases of Shorewall.
+           The information on this site applies only to 1.4.x releases of 
-  For older versions:<br>
+Shorewall.      For older versions:<br>
      <ul>
                      <li>The 1.3 site is <a
 href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
-               <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
+                      <li>The 1.2 site is <a
- target="_top">here</a>.<br>
+ href="http://shorewall.net/1.2/" target="_top">here</a>.<br>
                      </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
-                                       New to Shorewall? Start by selecting 
+                                              New to Shorewall? Start by
- the         <a
+selecting      the         <a href="shorewall_quickstart_guide.htm">QuickStart
- href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart 
+      Guide</a>  that most closely              match your environment and
-     Guide</a> that most closely              match your environment and follow
+follow      the step by  step instructions.<br>
-    the step by  step instructions.<br>
+                                                                        
      <h2>Looking for Information?</h2>
-          The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation 
+                 The <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation      
 Index</a> is a good place to start as is the Quick Search to your right. 
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-                              If so, the documentation<b> </b>on this site
+                                     If so, the documentation<b> </b>on this
- will   not  apply   directly   to  your   setup.  If you want to use the
+  site   will   not  apply   directly   to  your   setup.  If you want to
-documentation     that you  find here, you will want to consider uninstalling
+use  the  documentation     that you  find here, you will want to consider
-what you have     and installing  a setup that matches    the documentation
+uninstalling   what you have     and installing  a setup that matches   
-   on this site.     See the <a href="two-interface.htm">Two-interface  
+the documentation      on this site.     See the <a
- QuickStart    Guide</a>     for details.                               
+ href="two-interface.htm">Two-interface    QuickStart    Guide</a>     for
 details.                                                                
      <h2></h2>
      <h2><b>News</b></h2>
-      <p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
+     
      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                     <br>
             </b></p>
              <b>Problems Corrected since version 1.4.6:</b><br>
      <ol>
        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf   then
 Shorewall would fail to start with the error "ERROR:  Traffic Control  
 requires  Mangle"; that problem has been corrected.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of the
 tcrules file. Previously, these addresses resulted in an invalid iptables
 command.</li>
        <li>The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled 
 exists. This prevents people from shooting themselves in the foot prior to 
 having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages during
 "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being
 added to a PPP interface; the addresses were successfully added in spite
 of the messages.<br>
    <br>
 The firewall script has been modified to eliminate the error messages.<br>
   </li>
      </ol>
      <p><b>7/31/2003 - Snapshot 1.4.6_20030731 </b><b>          </b></p>
      <blockquote>                                       
        <p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
       <a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
 target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
     </blockquote>
      <p><b>Problems Corrected since version 1.4.6:</b><br>
     </p>
      <ol>
            <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED variable
  was being tested before it was set.</li>
            <li>Corrected handling of MAC addresses in the SOURCE column
 of  the tcrules file. Previously, these addresses resulted in an invalid
 iptables   command.<br>
       </li>
      </ol>
      <p><b>Migration Issues:</b><br>
     </p>
      <ol>
            <li>Once you have installed this version of Shorewall, you must 
 restart Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' 
 commands.</li>
            <li>To maintain strict compatibility with previous versions,
 current   uses of "shorewall drop" and "shorewall reject" should be replaced
 with "shorewall  dropall" and "shorewall rejectall" </li>
      </ol>
      <p><b>New Features:</b>          <br>
       </p>
      <ol>
         <li>Shorewall now creates a dynamic blacklisting chain for each
 interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands
 use the routing table to determine which of these chains is to be used for
 blacklisting the specified IP address(es).<br>
             <br>
   Two new commands ('dropall' and 'rejectall') have been introduced that 
 do  what 'drop' and 'reject' used to do; namely, when an address is blacklisted 
 using these new commands, it will be blacklisted on all of your firewall's 
 interfaces.</li>
         <li>Thanks to Steve Herber, the 'help' command can now give command-specific
 help (e.g., shorewall help &lt;command&gt;).</li>
         <li>A new option "ADMINISABSENTMINDED" has been added to /etc/shorewall/shorewall.conf.
 This option has a default value of "No" for existing users which causes
 Shorewall's  'stopped' state  to continue as it has been; namely, in the
 stopped state  only traffic to/from hosts listed in /etc/shorewall/routestopped
 is accepted.<br>
      <br>
  With ADMINISABSENTMINDED=Yes (the default for new installs), in addition
 to traffic to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
 will allow:<br>
      <br>
     a) All traffic originating from the firewall itself; and<br>
     b) All traffic that is part of or related to an already-existing connection.<br>
      <br>
   In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" entered 
 through an ssh session will not kill the session.<br>
      <br>
   Note though that even with ADMINISABSENTMINDED=Yes, it is still possible 
 for people to shoot themselves in the foot.<br>
      <br>
   Example:<br>
      <br>
   /etc/shorewall/nat:<br>
      <br>
       206.124.146.178    eth0:0    192.168.1.5    <br>
      <br>
   /etc/shorewall/rules:<br>
      <br>
     ACCEPT    net    loc:192.168.1.5    tcp    22<br>
     ACCEPT    loc    fw        tcp    22<br>
      <br>
  From a remote system, I ssh to 206.124.146.178 which establishes an SSH 
 connection with local system 192.168.1.5. I then create a second SSH connection 
 from that computer to the firewall and confidently type "shorewall stop". 
 As part of its stop processing, Shorewall removes eth0:0 which kills my SSH 
 connection to 192.168.1.5!!!<br>
    </li>
      </ol>
      <ol>
      </ol>
      <p><b>7/22/2003 - Shorewall-1.4.6a</b><b>                      <br>
        </b></p>
             <b>Problems Corrected:</b><br>
      <ol>
-        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
+               <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
-Shorewall would fail to start with the error "ERROR:  Traffic Control requires
+  then  Shorewall would fail to start with the error "ERROR:  Traffic Control
-Mangle"; that problem has been corrected.</li>
+  requires  Mangle"; that problem has been corrected.</li>
      </ol>
-      <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
+                                                       
- src="images/new10.gif" width="28" height="12" alt="(New)">
+      <p><b>7/20/2003 - Shorewall-1.4.6</b><b>                     <br>
             <br>
                    </b>   </p>
      <p><b>Problems Corrected:</b><br>
                 </p>
      <ol>
                <li>A problem seen on RH7.3 systems where Shorewall encountered 
      start  errors when started using the "service" mechanism has been worked
      around.<br>
                  <br>
                </li>
-         <li>Where a list of IP addresses appears in the DEST column  of
+                <li>Where a list of IP addresses appears in the DEST column 
- a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in 
+  of   a  DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules
-the  nat  table (one for each element in the list). Shorewall now correctly
+  in  the  nat  table (one for each element in the list). Shorewall now correctly 
   creates   a single DNAT rule with multiple "--to-destination" clauses.<br>
                  <br>
                </li>
-         <li>Corrected a problem in Beta 1 where DNS names containing  a
+                <li>Corrected a problem in Beta 1 where DNS names containing
- "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
+   a   "-"  were mis-handled when they appeared in the DEST column of a rule.<br>
                  <br>
                </li>
                <li>A number of problems with rule parsing have been   corrected.
- Corrections involve the handling of "z1!z2" in the SOURCE column   as well 
+     Corrections involve the handling of "z1!z2" in the SOURCE column   as
-as lists in the ORIGINAL DESTINATION column.<br>
+ well   as lists in the ORIGINAL DESTINATION column.<br>
                  <br>
                </li>
-         <li>The message "Adding rules for DHCP" is now suppressed if there 
+                <li>The message "Adding rules for DHCP" is now suppressed 
-are no DHCP rules to add.</li>
+if  there   are no DHCP rules to add.</li>
      </ol>
@ -205,99 +331,108 @@ are no DHCP rules to add.</li>
      <p><b>Migration Issues:</b><br>
                </p>
      <ol>
                       <li>In earlier versions, an undocumented feature allowed 
-entries     in the host file as follows:<br>
+   entries     in the host file as follows:<br>
                    <br>
                    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
                    <br>
-         This capability was never documented and has been removed in 1.4.6 
+                This capability was never documented and has been removed 
- to  allow  entries of the following format:<br>
+in  1.4.6    to  allow  entries of the following format:<br>
                    <br>
                    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
                    <br>
                  </li>
-                <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options 
+                       <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
-have   been  removed from /etc/shorewall/shorewall.conf. These capabilities 
+options     have   been  removed from /etc/shorewall/shorewall.conf. These
-are  now automatically  detected by Shorewall (see below).<br>
+capabilities     are  now automatically  detected by Shorewall (see below).<br>
                  </li>
      </ol>
      <p><b>New Features:</b><br>
                 </p>
      <ol>
-                <li>A 'newnotsyn' interface option has been added. This option
+                       <li>A 'newnotsyn' interface option has been added. 
-   may  be specified in /etc/shorewall/interfaces and overrides the setting
+This   option    may  be specified in /etc/shorewall/interfaces and overrides
-  NEWNOTSYN=No  for packets arriving on the associated interface.<br>
+ the   setting   NEWNOTSYN=No  for packets arriving on the associated interface.<br>
                     <br>
                   </li>
-                <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
+                       <li>The means for specifying a range of IP addresses 
-     to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
+ in  /etc/shorewall/masq      to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
-  address   ranges.<br>
+   is enabled for   address   ranges.<br>
                     <br>
                   </li>
-                <li>Shorewall can now add IP addresses to subnets other than
+                       <li>Shorewall can now add IP addresses to subnets
-  the   first  one on an interface.<br>
+other    than   the   first  one on an interface.<br>
                     <br>
                   </li>
-                <li>DNAT[-] rules may now be used to load balance (round-robin) 
+                       <li>DNAT[-] rules may now be used to load balance
-   over a  set of servers. Servers may be specified in a range of addresses 
+(round-robin)        over a  set of servers. Servers may be specified in
-   given as &lt;first address&gt;-&lt;last address&gt;.<br>
+a range of addresses        given as &lt;first address&gt;-&lt;last address&gt;.<br>
                     <br>
                 Example:<br>
                     <br>
                     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
                     <br>
                   </li>
-                <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration 
+                       <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
-   options  have been removed and have been replaced by code that detects 
+configuration        options  have been removed and have been replaced by
-whether   these  capabilities are present in the current kernel. The output 
+code that detects     whether   these  capabilities are present in the current
-of the  start, restart and check commands have been enhanced to report the 
+kernel. The output     of the  start, restart and check commands have been
-outcome:<br>
+enhanced to report  the   outcome:<br>
                     <br>
-          Shorewall has detected the following iptables/netfilter capabilities:<br>
+                 Shorewall has detected the following iptables/netfilter
 capabilities:<br>
                    NAT: Available<br>
                    Packet Mangling: Available<br>
                    Multi-port Match: Available<br>
                 Verifying Configuration...<br>
                     <br>
                   </li>
-                <li>Support for the Connection Tracking Match Extension has 
+                       <li>Support for the Connection Tracking Match Extension
- been   added.  This extension is available in recent kernel/iptables releases
+   has   been   added.  This extension is available in recent kernel/iptables
-  and   allows  for rules which match against elements in netfilter's connection
+   releases   and   allows  for rules which match against elements in netfilter's
-   tracking  table. Shorewall automatically detects the availability of this
+   connection    tracking  table. Shorewall automatically detects the availability
-   extension  and reports its availability in the output of the start, restart
+   of this    extension  and reports its availability in the output of the
-   and check  commands.<br>
+ start,  restart    and check  commands.<br>
                     <br>
-          Shorewall has detected the following iptables/netfilter capabilities:<br>
+                 Shorewall has detected the following iptables/netfilter
 capabilities:<br>
                    NAT: Available<br>
                    Packet Mangling: Available<br>
                    Multi-port Match: Available<br>
                    Connection Tracking Match: Available<br>
                 Verifying Configuration...<br>
                     <br>
-          If this extension is available, the ruleset generated by Shorewall
+                 If this extension is available, the ruleset generated by 
-  is  changed  in the following ways:</li>
+Shorewall      is  changed  in the following ways:</li>
        <ul>
-                  <li>To handle 'norfc1918' filtering, Shorewall will not 
+                         <li>To handle 'norfc1918' filtering, Shorewall will
-create    chains  in the mangle table but will rather do all 'norfc1918' filtering
+  not   create    chains  in the mangle table but will rather do all 'norfc1918'
-  in the filter  table (rfc1918 chain).</li>
+   filtering   in the filter  table (rfc1918 chain).</li>
-                  <li>Recall that Shorewall DNAT rules generate two netfilter 
+                         <li>Recall that Shorewall DNAT rules generate two
-  rules;  one  in the nat table and one in the filter table. If the Connection 
+ netfilter      rules;  one  in the nat table and one in the filter table.
-  Tracking  Match Extension is available, the rule in the filter table is 
+ If the Connection      Tracking  Match Extension is available, the rule
-extended  to  check that the original destination address was the same as 
+in  the filter table is   extended  to  check that the original destination
-specified  (or  defaulted to) in the DNAT rule.<br>
+address  was the same as   specified  (or  defaulted to) in the DNAT rule.<br>
                       <br>
                     </li>
        </ul>
-                <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
+                       <li>The shell used to interpret the firewall script
-     may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
+ (/usr/share/shorewall/firewall)        may now be specified using the SHOREWALL_SHELL
 parameter in shorewall.conf.<br>
                    <br>
                </li>
                       <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
@ -323,10 +458,10 @@ specified  (or  defaulted to) in the DNAT rule.<br>
                    <br>
                Warning:<br>
                    <br>
-         If your shell only supports 32-bit signed arithmatic (ash or dash),
+                If your shell only supports 32-bit signed arithmatic (ash 
-  then   the ipcalc command produces incorrect information for IP addresses
+or  dash),    then   the ipcalc command produces incorrect information for 
-  128.0.0.0-1   and for /1 networks. Bash should produce correct information
+IP  addresses    128.0.0.0-1   and for /1 networks. Bash should produce correct
-  for all valid   IP addresses.<br>
+  information    for all valid   IP addresses.<br>
                    <br>
                  </li>
                       <li>An 'iprange' command has been added to /sbin/shorewall.
@ -334,13 +469,13 @@ specified  (or  defaulted to) in the DNAT rule.<br>
                    <br>
                      iprange &lt;address&gt;-&lt;address&gt;<br>
                    <br>
-         This command decomposes a range of IP addressses into a list of
+                This command decomposes a range of IP addressses into a list
-network     and host addresses. The command can be useful if you need to
+  of  network     and host addresses. The command can be useful if you need
-construct  an   efficient set of rules that accept connections from a range
+  to construct  an   efficient set of rules that accept connections from
-of network  addresses.<br>
+a  range of network  addresses.<br>
                    <br>
-         Note: If your shell only supports 32-bit signed arithmetic (ash
+                Note: If your shell only supports 32-bit signed arithmetic
-or  dash)   then the range may not span 128.0.0.0.<br>
+ (ash   or  dash)   then the range may not span 128.0.0.0.<br>
                    <br>
                Example:<br>
                    <br>
@ -359,119 +494,138 @@ or  dash)   then the range may not span 128.0.0.0.<br>
                      [root@gateway root]#<br>
                    <br>
                  </li>
-                <li>A list of host/net addresses is now allowed in an entry 
+                       <li>A list of host/net addresses is now allowed in 
- in  /etc/shorewall/hosts.<br>
+an  entry    in  /etc/shorewall/hosts.<br>
                    <br>
                Example:<br>
                    <br>
                    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
                  <br>
                </li>
-         <li value="11">The "shorewall check" command now includes the chain 
+                <li value="11">The "shorewall check" command now includes 
-name when printing the applicable policy for each pair of zones.<br>
+the   chain  name when printing the applicable policy for each pair of zones.<br>
          <br>
             Example:<br>
          <br>
                 Policy for dmz to net is REJECT using chain all2all<br>
          <br>
         This means that the policy for connections from the dmz to the internet
-is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
+    is REJECT and the applicable entry in the /etc/shorewall/policy was the
- policy.<br>
+  all-&gt;all  policy.<br>
             <br>
           </li>
                <li>Support for the 2.6 Kernel series has been added.<br>
           </li>
      </ol>
                     <b>     </b>                                       
      <ol>
      </ol>
-      <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
+             
- src="images/new10.gif" width="28" height="12" alt="(New)">
+      <p><b>7/15/2003 - New Mirror in Brazil</b><b>                    <br>
            <br>
              </b></p>
-      Thanks to the folks at securityopensource.org.br, there is now a <a
+             Thanks to the folks at securityopensource.org.br, there is now 
- href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
+ a        <a href="http://shorewall.securityopensource.org.br"
-   mirror in Brazil</a>       
+ target="_top">Shorewall      mirror in Brazil</a>                       
      <p><b>6/17/2003 - Shorewall-1.4.5</b><b>                         </b></p>
      <p>Problems Corrected:<br>
                       </p>
      <ol>
                              <li>The command "shorewall debug try &lt;directory&gt;" 
      now   correctly   traces the attempt.</li>
-                       <li>The INCLUDE directive now works properly in the
+                              <li>The INCLUDE directive now works properly
- zones    file;    previously, INCLUDE in that file was ignored.</li>
+ in  the   zones    file;    previously, INCLUDE in that file was ignored.</li>
-                       <li>/etc/shorewall/routestopped records with an empty
+                              <li>/etc/shorewall/routestopped records with
-  second    column   are no longer ignored.<br>
+ an  empty    second    column   are no longer ignored.<br>
                         </li>
      </ol>
      <p>New Features:<br>
                       </p>
      <ol>
-                       <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] 
+                              <li>The ORIGINAL DEST column in a DNAT[-] or
-   rule   may  now contain a list of addresses. If the list begins with "!' 
+ REDIRECT[-]       rule   may  now contain a list of addresses. If the list
-  then the   rule  will take effect only if the original destination address 
+ begins with  "!'    then the   rule  will take effect only if the original
-  in the connection    request does not match any of the addresses listed.</li>
+ destination  address    in the connection    request does not match any
 of  the addresses  listed.</li>
      </ol>
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> 
                                  </b></p>
-                  The firewall at shorewall.net has been upgraded to the
+                         The firewall at shorewall.net has been upgraded
-2.4.21    kernel    and  iptables 1.2.8 (using the "official" RPM from netfilter.org). 
+to  the   2.4.21    kernel    and  iptables 1.2.8 (using the "official" RPM 
-   No problems     have been encountered with this set of software. The Shorewall
+from  netfilter.org).      No problems     have been encountered with this 
-    version  is   1.4.4b plus the accumulated changes for 1.4.5.        
+set of software. The Shorewall     version  is   1.4.4b plus the accumulated 
 changes for 1.4.5.                                                       
      <p><b>6/8/2003 - Updated Samples</b><b>                         </b></p>
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
            version 1.4.4.</p>
      <p><b></b></p>
      <ol>
      </ol>
      <p><b></b></p>
      <p><b></b></p>
      <blockquote>                                                      
        <ol>
@ -479,6 +633,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
        </ol>
                                                   </blockquote>
@ -487,15 +642,17 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
-      <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
+      <p><a href="News.htm"></a></p>
                                                        <b>       </b>  
      <p><b><a href="News.htm">More News</a></b></p>
-                                                              <b>      </b> 
+                                                                     <b>
           </b>                                                         
@ -508,21 +665,23 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
-                                </a>Jacques        Nilo       and     Eric
+                                       </a>Jacques        Nilo       and
-     Wolzak          have       a   LEAF  (router/firewall/gateway      
+    Eric       Wolzak          have       a   LEAF  (router/firewall/gateway
-                 on   a  floppy,       CD    or compact     flash)  distribution
+                         on   a  floppy,       CD    or compact     flash)
-                  called                 <i>Bering</i>          that    
+  distribution                    called                 <i>Bering</i>  
-     features                   Shorewall-1.4.2         and    Kernel-2.4.20.
+       that          features                   Shorewall-1.4.2         and
-            You        can     find         their    work at:           
+     Kernel-2.4.20.              You        can     find         their  
-          <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+ work  at:                      <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                                       <b>Congratulations          to  Jacques
+                                              <b>Congratulations        
-       and     Eric     on   the     recent    release     of  Bering   
+ to   Jacques         and     Eric     on   the     recent    release   
-   1.2!!!          </b><br>
+ of  Bering       1.2!!!          </b><br>
@ -538,6 +697,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
      <h4><b>       </b></h4>
                                                               <b>      </b>
@ -545,6 +705,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
      <h2><b>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </b></h2>
                                                               <b>      </b>
@ -553,12 +714,14 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
      <h2><b><a name="Donations"></a>Donations</b></h2>
                                                          <b>           
                  </b></td>
-                                       <td width="88" bgcolor="#3366ff"
+                                              <td width="88"
- valign="top" align="center">                                            
+ bgcolor="#3366ff" valign="top" align="center">                          
@ -568,6 +731,7 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
        <p><strong><br>
                                                  <font color="#ffffff"><b>Note:
            </b></font></strong>                             <font
@ -578,9 +742,10 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-                                           <font face="Arial" size="-1">
+                                                  <font face="Arial"
-                  <input type="text" name="words" size="15"></font><font
+ size="-1">                    <input type="text" name="words" size="15"></font><font
 size="-1">           </font><font face="Arial" size="-1">           <input
 type="hidden" name="format" value="long">           <input
 type="hidden" name="method" value="and">           <input type="hidden"
@ -594,19 +759,21 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
      <p><font color="#ffffff"><b>         <a
 href="http://lists.shorewall.net/htdig/search.html">         <font
 color="#ffffff">Extended Search</font></a></b></font></p>
                                                <a target="_top"
- href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> 
+ href="1.3/index.html"><font color="#ffffff">                           </font></a><a
-                         </font></a><a target="_top"
+ target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
- href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
+ color="#ffffff"><small><small><small></small></small></small></font></a><br>
                                                               </td>
                                        </tr>
  </tbody>                                                         
 </table>
@ -641,12 +808,14 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
      <p align="center"><font size="4" color="#ffffff"><br>
-                        <font size="+2">Shorewall is free but if       you
+                               <font size="+2">Shorewall is free but if 
- try   it  and   find   it useful, please consider making a donation    
+     you   try   it  and   find   it useful, please consider making a donation 
                                                                        to 
-              <a href="http://www.starlight.org"><font color="#ffffff">Starlight 
+                   <a href="http://www.starlight.org"><font
-      Children's               Foundation.</font></a> Thanks!</font></font></p>
+ color="#ffffff">Starlight        Children's               Foundation.</font></a> 
  Thanks!</font></font></p>
                                       </td>
@ -654,12 +823,15 @@ is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;
  </tbody>                                                         
 </table>
-<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 8/5/2003 - <a href="support.htm">Tom Eastep</a></font>
   <br>
 </p>
 <br>
 </p>
 </body>
 </html>
--- a/STABLE/documentation/standalone.htm
+++ b/STABLE/documentation/standalone.htm
@ -27,8 +27,6 @@
  </tbody>    
 </table>
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up Shorewall on a standalone Linux system is very
     easy if you understand the basics and follow the  documentation.</p>
@ -39,38 +37,39 @@
 <ul>
             <li>Linux system</li>
             <li>Single external IP address</li>
-            <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
+             <li>Connection through Cable Modem, DSL, ISDN, Frame Relay,
 dial-up...</li>
 </ul>
 <p>Shorewall requires that you have the iproute/iproute2 package installed
     (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-  if  this  package is installed by the presence of an <b>ip</b> program on
+   if  this  package is installed by the presence of an <b>ip</b> program
-  your  firewall  system. As root, you can use the 'which' command to check
+on   your  firewall  system. As root, you can use the 'which' command to
-  for this  program:</p>
+check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you read through the guide  first to familiarize yourself
     with what's involved then go back through it again  making your configuration
-    changes.  Points at which configuration changes  are recommended are flagged
+     changes.  Points at which configuration changes  are recommended are
-    with <img border="0" src="images/BD21298_.gif" width="13"
+flagged     with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
          .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-              If you edit your configuration files on a Windows system, you 
+               If you edit your configuration files on a Windows system,
- must   save them as  Unix files if your editor supports that option or you 
+you   must   save them as  Unix files if your editor supports that option
- must  run them through  dos2unix before trying to use them. Similarly, if 
+or you   must  run them through  dos2unix before trying to use them. Similarly,
- you copy  a configuration file  from your Windows hard drive to a floppy 
+if   you copy  a configuration file  from your Windows hard drive to a floppy
-disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+ disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
             <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
-Version     of    dos2unix</a></li>
+ Version     of    dos2unix</a></li>
             <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version 
- of    dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
@ -80,7 +79,7 @@ Version     of    dos2unix</a></li>
 alt="">
          The configuration files for Shorewall are contained in the directory
    /etc/shorewall -- for simple setups, you  only need to deal with a few
-of   these as described in this guide.  After you have <a
+ of   these as described in this guide.  After you have <a
 href="Install.htm">installed  Shorewall</a>,  <b>download the <a
 href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
  un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
@ -93,7 +92,7 @@ of   these as described in this guide.  After you have <a
 <p>Shorewall views the network where it is running as being composed of a
     set of  <i>zones.</i> In the one-interface sample configuration, only
-one    zone is  defined:</p>
+ one    zone is  defined:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -134,8 +133,8 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
   the request is first  checked against the rules in /etc/shorewall/common
  (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the one-interface sample has
+<p>The /etc/shorewall/policy file included with the one-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -179,8 +178,8 @@ the  following policies:</p>
 <ol>
             <li>allow all connection requests from the firewall to the internet</li>
-            <li>drop (ignore) all connection requests from the internet to
+             <li>drop (ignore) all connection requests from the internet
- your   firewall</li>
+to  your   firewall</li>
             <li>reject all other connection requests (Shorewall requires 
 this   catchall      policy).</li>
@ -194,20 +193,20 @@ this   catchall      policy).</li>
 <p align="left">The firewall has a single network interface. Where Internet
      connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
      will be the ethernet adapter (<b>eth0</b>) that is connected to that
-"Modem"     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
+ "Modem"     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
-<u>P</u>rotocol     over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
+ <u>P</u>rotocol     over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-<u>T</u>unneling    <u>P</u>rotocol </i>(PPTP) in which case the External 
+ <u>T</u>unneling    <u>P</u>rotocol </i>(PPTP) in which case the External
-Interface will be  a <b>ppp0</b>. If you connect via a regular modem, your 
+ Interface will be  a <b>ppp0</b>. If you connect via a regular modem, your
-External  Interface    will also be <b>ppp0</b>. If you connect using ISDN, 
+ External  Interface    will also be <b>ppp0</b>. If you connect using ISDN,
-your external  interface    will be<b> ippp0.</b></p>
+ your external  interface    will be<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
 height="13">
              The Shorewall one-interface sample configuration assumes that
-the   external  interface is <b>eth0</b>.  If your configuration is different, 
+ the   external  interface is <b>eth0</b>.  If your configuration is different,
   you will have  to modify the sample  /etc/shorewall/interfaces file accordingly.
    While you  are there, you may wish to  review the list of options that
-are   specified  for the interface. Some hints:</p>
+ are   specified  for the interface. Some hints:</p>
 <ul>
             <li>                    
@ -217,7 +216,7 @@ are   specified  for the interface. Some hints:</p>
            <li>                    
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
     or if you have a static IP    address, you can remove "dhcp" from the
-option    list. </p>
+ option    list. </p>
            </li>
 </ul>
@ -236,8 +235,8 @@ option    list. </p>
 <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
        because the Internet backbone routers will not forward a packet whose
-      destination address is reserved by RFC 1918. In some cases though, ISPs
+       destination address is reserved by RFC 1918. In some cases though,
-    are    assigning these addresses then using <i>Network Address Translation 
+ISPs     are    assigning these addresses then using <i>Network Address Translation
     </i>to    rewrite packet headers when forwarding to/from the internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -286,8 +285,8 @@ option    list. </p>
           </div>
 <div align="left">    
-<p align="left">Example - You want to run a Web Server and a POP3 Server on
+<p align="left">Example - You want to run a Web Server and a POP3 Server
-your firewall    system:</p>
+on your firewall    system:</p>
          </div>
 <div align="left">    
@ -335,8 +334,8 @@ your firewall    system:</p>
 <div align="left">    
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-       the internet because it uses clear text (even for login!). If you want
+        the internet because it uses clear text (even for login!). If you
-    shell    access to your firewall from the internet, use SSH:</p>
+want     shell    access to your firewall from the internet, use SSH:</p>
          </div>
 <div align="left">    
@ -397,8 +396,8 @@ your firewall    system:</p>
 <div align="left">    
 <p align="left">The firewall is started using the "shorewall start" command
-       and stopped using "shorewall stop". When the firewall is stopped, routing
+        and stopped using "shorewall stop". When the firewall is stopped,
-    is    enabled on those hosts that have an entry in   <a
+routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
        running firewall may be restarted using the "shorewall restart" command.
     If    you want to totally remove any trace of Shorewall from your Netfilter
@ -407,10 +406,10 @@ your firewall    system:</p>
 <div align="left">    
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-    the    internet, do not issue a "shorewall stop" command unless you have 
+     the    internet, do not issue a "shorewall stop" command unless you
-   added an    entry for the IP address that you are connected from to   <a
+have     added an    entry for the IP address that you are connected from
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-Also, I don't recommend using "shorewall restart"; it is better to create 
+ Also, I don't recommend using "shorewall restart"; it is better to create
     an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
     and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
@ -431,5 +430,6 @@ Also, I don't recommend using "shorewall restart"; it is better to create
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/starting_and_stopping_shorewall.htm
+++ b/STABLE/documentation/starting_and_stopping_shorewall.htm
@ -20,6 +20,7 @@
                            <tbody>
                     <tr>
                              <td width="100%">                         
      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
        the Firewall</font></h1>
                              </td>
@ -33,7 +34,7 @@
  Once     you  have installed      "firewall" in your init.d directory, simply
  type         "chkconfig --add firewall". This will start the     firewall
  in run   levels   2-5 and stop it in run levels 1 and 6.     If you want
-to configure   your  firewall differently from this     default, you can
+ to configure   your  firewall differently from this     default, you can
 use the "--level"   option  in     chkconfig (see "man chkconfig") or using
 your     favorite   graphical  run-level editor.</p>
@ -41,10 +42,10 @@ your     favorite   graphical  run-level editor.</p>
                 </p>
 <ol>
-                <li>Shorewall startup is disabled by default. Once you have
+                   <li>Shorewall startup is disabled by default. Once you 
- configured      your firewall, you can enable startup by removing the file
+have   configured      your firewall, you can enable startup by removing the
- /etc/shorewall/startup_disabled.      Note: Users of the .deb package must
+file   /etc/shorewall/startup_disabled.      Note: Users of the .deb package
- edit /etc/default/shorewall and set    'startup=1'.<br>
+must   edit /etc/default/shorewall and set    'startup=1'.<br>
                   </li>
                   <li>If you use dialup, you may want to start the firewall 
    in  your   /etc/ppp/ip-up.local   script. I recommend just placing  "shorewall
@ -55,112 +56,143 @@ your     favorite   graphical  run-level editor.</p>
 <p>            </p>
 <p>   You can manually start and stop Shoreline Firewall using     the "shorewall" 
-        shell program: </p>
+         shell program. Please refer to the <a
 href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
 State Diagram</a> is shown at the     bottom of this page. </p>
 <ul>
                     <li>shorewall start - starts the firewall</li>
-                  <li>shorewall stop - stops the firewall</li>
+                     <li>shorewall stop - stops the firewall; the only traffic
 permitted through the firewall is from systems listed in /etc/shorewall/routestopped
 (Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
 then in addition, all existing connections are permitted and any new connections
 originating from the firewall itself are allowed).</li>
                     <li>shorewall restart - stops the firewall (if it's
       running)   and  then starts it again</li>
                     <li>shorewall reset - reset the packet and byte counters 
              in the  firewall</li>
                     <li>shorewall clear - remove all rules and chains  
-installed    by Shoreline  Firewall</li>
+   installed    by Shoreline  Firewall. The firewall is "wide open"</li>
-                  <li>shorewall refresh - refresh the rules involving the 
+                     <li>shorewall refresh - refresh the rules involving
-broadcast             addresses  of firewall interfaces, <a
+the   broadcast             addresses  of firewall interfaces, <a
 href="blacklisting_support.htm">the black list</a>, <a
 href="traffic_shaping.htm">traffic control rules</a> and <a
 href="ECN.html">ECN control rules</a>.</li>
 </ul>
             If you include the keyword <i>debug</i> as the first argument, 
-then   a  shell  trace of the command is produced as in:<br>
+ then   a  shell  trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
-<p>The above command would trace the 'start' command and place the trace
+<p>The above command would trace the 'start' command and place the trace information
-information in the file /tmp/trace<br>
+in the file /tmp/trace<br>
 </p>
-<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
+<p>Beginning with version 1.4.7, shorewall can give detailed help about each 
-    bottom of this page.<br>
+of its commands:<br>
 </p>
 <ul>
   <li>shorewall help [ <i>command</i> | host | address ]<br>
   </li>
 </ul>
 <p>The "shorewall" program may also be used to monitor the     firewall.</p>
 <ul>
-                  <li>shorewall status - produce a verbose report about the
+                     <li>shorewall status - produce a verbose report about
- firewall               (iptables -L -n -v)</li>
+ the  firewall               (iptables -L -n -v)</li>
-                  <li>shorewall show <i>chain</i> - produce a verbose report
+                     <li>shorewall show <i>chain</i> - produce a verbose
-  about        <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
+report    about        <i>chain             </i>(iptables -L <i>chain</i>
 -n -v)</li>
                     <li>shorewall show nat - produce a verbose report about
-the  nat   table             (iptables -t nat -L -n -v)</li>
+  the  nat   table             (iptables -t nat -L -n -v)</li>
                     <li>shorewall show tos - produce a verbose report about
-the  mangle    table          (iptables -t mangle -L -n -v)</li>
+  the  mangle    table          (iptables -t mangle -L -n -v)</li>
-                  <li>shorewall show log - display the last 20 packet log 
+                     <li>shorewall show log - display the last 20 packet
-entries.</li>
+log   entries.</li>
                     <li>shorewall show connections - displays the IP connections 
    currently     being     tracked by the firewall.</li>
                     <li>shorewall                                      
-show                                                           tc     - displays
+   show                                                           tc    
-  information      about the traffic control/shaping configuration.</li>
+-  displays   information      about the traffic control/shaping configuration.</li>
                     <li>shorewall monitor [ delay ] - Continuously display 
-the   firewall               status, last 20 log entries and nat. When the
+ the   firewall               status, last 20 log entries and nat. When the 
-log  entry display                changes, an audible alarm is sounded.</li>
+ log  entry display                changes, an audible alarm is sounded.</li>
-                  <li>shorewall hits - Produces several reports about the 
+                     <li>shorewall hits - Produces several reports about
-Shorewall     packet  log          messages in the current /var/log/messages 
+the   Shorewall     packet  log          messages in the current /var/log/messages
-file.</li>
+  file.</li>
-                  <li>shorewall version -  Displays the installed     version
+                     <li>shorewall version -  Displays the installed    
-  number.</li>
+version    number.</li>
        <li>shorewall check -  Performs a <u>cursory</u> validation     of
-the   zones, interfaces, hosts, rules and policy files.<br>
+  the   zones, interfaces, hosts, rules and policy files.<br>
          <br>
-       <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
+          <font size="4" color="#ff6666"><b>The "check" command is totally
- and does not parse and     validate   the   generated iptables commands. 
+ unsuppored  and does not parse and     validate   the   generated iptables
-Even though the "check" command     completes   successfully, the configuration
+ commands.  Even though the "check" command     completes   successfully,
- may fail to start. Problem reports that complain about errors that the 'check'
+the configuration  may fail to start. Problem reports that complain about
- command does not detect will not be accepted.<br>
+errors that the 'check'  command does not detect will not be accepted.<br>
          <br>
      See the     recommended   way to make configuration changes described 
-below.</b></font><br>
+ below.</b></font><br>
         <br>
        </li>
-                  <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
+                     <li>shorewall try<i> configuration-directory</i> [<i>
-     ]  -  Restart shorewall using the     specified configuration and if 
+ timeout</i>      ]  -  Restart shorewall using the     specified configuration
-an   error   occurs or if the<i> timeout </i>    option is given and the new
+ and if  an   error   occurs or if the<i> timeout </i>    option is given
-configuration     has been up for that many seconds     then shorewall is
+and the new configuration     has been up for that many seconds     then
-restarted using   the  standard configuration.</li>
+shorewall is restarted using   the  standard configuration.</li>
                     <li>shorewall deny, shorewall reject, shorewall accept 
-and   shorewall      save     implement <a
+ and   shorewall      save     implement <a
 href="blacklisting_support.htm">dynamic   blacklisting</a>.</li>
                     <li>shorewall logwatch (added in version 1.3.2) - Monitors 
   the          <a href="#Conf">LOGFILE </a>and produces an audible alarm 
 when   new   Shorewall       messages are logged.</li>
 </ul>
- Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands 
+    Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
-for dealing with IP addresses and IP address ranges:<br>
+commands   for dealing with IP addresses and IP address ranges:<br>
 <ul>
-   <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays 
+      <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
-the network address, broadcast address, network in CIDR notation and netmask 
+-  displays  the network address, broadcast address, network in CIDR notation
-corresponding to the input[s].</li>
+ and netmask  corresponding to the input[s].</li>
      <li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
-range of IP addresses into the equivalent list of network/host addresses. 
+  range of IP addresses into the equivalent list of network/host addresses.
      <br>
      </li>
 </ul>
 There is a set of commands dealing with <a
 href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
 <ul>
   <li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from 
 the listed   IP    addresses to be silently dropped by the firewall.</li>
   <li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from 
 the  listed  IP    addresses to be rejected by the firewall.</li>
   <li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt 
 of packets   from hosts    previously blacklisted by a <i>drop</i> or <i>reject</i> 
 command.</li>
   <li>shorewall save - save the dynamic blacklisting configuration so that 
 it will   be    automatically restored the next time that the firewall is 
 restarted.</li>
   <li>show dynamic - displays the dynamic blacklisting chain.<br>
   </li>
 </ul>
     Finally, the "shorewall" program may be used to dynamically alter  the
   contents  of a zone.<br>
 <ul>
-              <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
+                 <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone 
-  Adds   the  specified interface (and host if included) to the specified
+    </i>-    Adds   the  specified interface (and host if included) to the 
-zone.</li>
+specified  zone.</li>
                 <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
      </i>-   Deletes   the specified interface (and host if included) from
-the specified   zone.</li>
+  the specified   zone.</li>
 </ul>
@ -197,7 +229,7 @@ be  used.</p>
                              <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
                              <li><font color="#009900"><b>cd /etc/test</b></font></li>
                              <li>&lt;copy any files that you need to change
-from  /etc/shorewall     to . and change them here&gt;</li>
+  from  /etc/shorewall     to . and change them here&gt;</li>
        <li><font color="#009900"><b>shorewall -c . check</b></font></li>
        <li>&lt;correct any errors found by check and check again&gt;</li>
                                                     <li><font
@ -207,8 +239,8 @@ from  /etc/shorewall     to . and change them here&gt;</li>
 <p>  If the configuration starts but doesn't work, just "shorewall restart" 
        to   restore the old configuration. If the new configuration fails 
-to   start,    the   "try" command will automatically start the old one for
+ to   start,    the   "try" command will automatically start the old one for
-you.</p>
+ you.</p>
 <p>  When the new configuration works then just </p>
@ -231,70 +263,106 @@ you.</p>
             </p>
              You will note that the commands that result in state transitions 
  use   the  word "firewall" rather than "shorewall". That is because the 
-actual   transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
+actual   transitions  are done by /usr/share/shorewall/firewall; /sbin/shorewall
-  on  Debian); /sbin/shorewall runs 'firewall" according to the following 
+ runs 'firewall" according to the following  table:<br>
 table:<br>
            <br>
 <table cellpadding="2" cellspacing="2" border="1">
               <tbody>
                 <tr>
        <td valign="top"><u><b>/sbin/shorewall Command</b><br>
        </u></td>
        <td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
        </u></td>
        <td valign="top"><u><b>Effect if the Command Succeeds</b><br>
        </u></td>
      </tr>
      <tr>
                   <td valign="top">shorewall start<br>
                   </td>
                   <td valign="top">firewall start<br>
                   </td>
        <td valign="top">The system filters packets based on your current 
 Shorewall Configuration<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall stop<br>
                   </td>
                   <td valign="top">firewall stop<br>
                   </td>
        <td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts
 is passed to/from/through the firewall. For Shorewall versions beginning
 with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then
 in addition, all existing connections are retained and all connection requests
 from the firewall are accepted.<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall restart<br>
                   </td>
                   <td valign="top">firewall restart<br>
                   </td>
        <td valign="top">Logically equivalent to "firewall stop;firewall
 start"<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall add<br>
                   </td>
                   <td valign="top">firewall add<br>
                   </td>
        <td valign="top">Adds a host or subnet to a dynamic zone<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall delete<br>
                   </td>
                   <td valign="top">firewall delete<br>
                   </td>
        <td valign="top">Deletes a host or subnet from a dynamic zone<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall refresh<br>
                   </td>
                   <td valign="top">firewall refresh<br>
                   </td>
        <td valign="top">Reloads rules dealing with static blacklisting,
 traffic  control and ECN.<br>
        </td>
                 </tr>
                 <tr>
        <td valign="top">shorewall clear<br>
        </td>
        <td valign="top">firewall clear<br>
        </td>
        <td valign="top">Removes all Shorewall rules, chains, addresses,
 routes  and ARP entries.<br>
        </td>
      </tr>
      <tr>
                   <td valign="top">shorewall try<br>
                   </td>
-                <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
+                   <td valign="top">firewall -c &lt;new configuration&gt; 
 restart<br>
             If unsuccessful then firewall start (standard configuration)<br>
             If timeout then firewall restart (standard configuration)<br>
                   </td>
        <td valign="top"><br>
        </td>
                 </tr>
  </tbody>     
 </table>
            <br>
-<p><font size="2">   Updated 7/6/2003 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 7/31/2003 - <a href="support.htm">Tom  Eastep</a> 
           </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
           © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -2,8 +2,10 @@
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Support Guide</title>
@ -13,7 +15,9 @@
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
  <tbody>
     <tr>
        <td width="100%">                                               
@ -24,8 +28,10 @@
                                                            </font></h1>
        </td>
    </tr>
  </tbody>                   
 </table>
@ -49,14 +55,14 @@
      </li>
                                      <li>                              
    The           <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
-      Information           contains                a    number of tips to
+       Information           contains                a    number of tips
- help    you solve common  problems.        </li>
+to   help    you solve common  problems.        </li>
                                     <li>                               
   The           <a href="http://www.shorewall.net/errata.htm">   Errata</a> 
-has links     to  download        updated     components.         </li>
+ has links     to  download        updated     components.         </li>
                                      <li>                              
-  The   Site   and   Mailing        List   Archives     search facility can
+    The   Site   and   Mailing        List   Archives     search facility 
- locate   documents   and  posts    about         similar   problems:   
+can  locate   documents   and  posts    about         similar   problems: 
        </li>
 </ul>
@ -108,17 +114,17 @@ has links     to  download        updated     components.         </li>
 <ul>
                                               <li>Please remember we only
-know   what   is  posted    in  your   message.      Do  not  leave out any
+ know   what   is  posted    in  your   message.      Do  not  leave out
-information      that  appears   to be  correct,    or was   mentioned  
+any  information      that  appears   to be  correct,    or was   mentioned
   in  a previous    post.  There  have  been countless   posts   by people
  who were   sure    that some  part  of their     configuration  was correct
  when  it actually      contained   a  small error.     We tend to be  skeptics
-where  detail    is lacking.<br>
+ where  detail    is lacking.<br>
                                                 <br>
                                               </li>
                                               <li>Please keep in mind that 
-you're    asking    for       <strong>free</strong>            technical 
+ you're    asking    for       <strong>free</strong>            technical 
-support.   Any help  we  offer   is an act of generosity, not    an   obligation.
+ support.   Any help  we  offer   is an act of generosity, not    an   obligation.
     Try  to make   it easy  for us to help you. Follow good,    courteous
   practices    in  writing and formatting your e-mail. Provide   details
 that    we need if  you  expect good  answers. <em>Exact quoting     </em>
@ -140,57 +146,67 @@ better   than a paraphrase   or  summary.<br>
 <ul>
  <ul>
-                                               <li>the exact version of Shorewall 
+                                                 <li>the exact version of 
-    you   are   running.<br>
+Shorewall      you   are   running.<br>
                                                   <br>
                                                   <b><font
 color="#009900">shorewall      version</font><br>
                                              </b>    <br>
                                                 </li>
  </ul>
  <ul>
  </ul>
  <ul>
-                                               <li>the complete, exact output 
+                                                 <li>the complete, exact
-  of<br>
+output    of<br>
                                                   <br>
                                                   <font color="#009900"><b>ip
   addr   show<br>
                                                   <br>
                                                   </b></font></li>
  </ul>
  <ul>
-                                               <li>the complete, exact output 
+                                                 <li>the complete, exact
-  of<br>
+output    of<br>
                                                   <br>
                                                   <font color="#009900"><b>ip
   route    show<br>
                                                   </b></font></li>
  </ul>
  <ul>
  </ul>
 </ul>
 <ul>
  <ul>
-                     <li><big><font color="#ff0000"><u><i><big><b>THIS IS 
+                       <li><small><small><font color="#ff0000"><u><i><big><b>THIS
-IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem is
+IS  IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your
-that some type of connection to/from or through your firewall isn't working 
+problem is that some type of connection to/from or through your firewall
-then please perform the following four steps:</big></big></big><br>
+isn't working  then please perform the following four steps:<br>
          <br>
    1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
                                      <br>
@ -199,8 +215,8 @@ then please perform the following four steps:</big></big></big><br>
                                  3.<b><font color="#009900"> /sbin/shorewall 
  status    &gt;   /tmp/status.txt</font></b><br>
                                      <br>
-                                4. Post the /tmp/status.txt file as an attachment 
+                                  4. Post the /tmp/status.txt file as an
-(you may compress it if you like).<br>
+attachment  (you may compress it if you like).<br>
                        <br>
                      </li>
                      <li>the exact wording of any <code
@ -211,26 +227,27 @@ then please perform the following four steps:</big></big></big><br>
        Guides,        please  indicate which one. <br>
                                           <br>
                                         </li>
-                    <li><b>If you are running Shorewall under Mandrake using
+                      <li><b>If you are running Shorewall under Mandrake
-     the     Mandrake      installation of Shorewall, please say so.<br>
+using       the     Mandrake      installation of Shorewall, please say so.<br>
                        <br>
                        </b></li>
  </ul>
         <li>As    a  general    matter,   please <strong>do not edit the 
-diagnostic        information</strong>        in   an attempt to conceal
+ diagnostic        information</strong>        in   an attempt to conceal
-your IP address,     netmask,      nameserver    addresses,     domain name,
+ your IP address,     netmask,      nameserver    addresses,     domain name,
-etc. These aren't     secrets,  and concealing   them often   misleads  us
+ etc. These aren't     secrets,  and concealing   them often   misleads 
-(and 80% of the time,     a hacker  could derive them       anyway   from
+us  (and 80% of the time,     a hacker  could derive them       anyway  
-information  contained  in   the SMTP headers  of your post).<br>
+from  information  contained  in   the SMTP headers  of your post).<br>
                                <br>
                                <strong></strong></li>
                              <li>Do you see  any   "Shorewall"      messages 
  ("<b><font color="#009900">/sbin/shorewall  show   log</font></b>")    
       when              you exercise the function that is giving   you problems?
  If   so,    include    the message(s) in your post along with a  copy of
-your /etc/shorewall/interfaces               file.<br>
+ your /etc/shorewall/interfaces               file.<br>
                                <br>
                              </li>
                              <li>Please include any of the Shorewall configuration 
@ -242,14 +259,14 @@ your /etc/shorewall/interfaces               file.<br>
                                <br>
                              </li>
                              <li>If an error occurs    when   you   try
-to  "<font color="#009900"><b>shorewall  start</b></font>",        include
+  to  "<font color="#009900"><b>shorewall  start</b></font>",        include
     a  trace       (See the <a
 href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>    
  section  for    instructions).<br>
                                <br>
                              </li>
                              <li><b>The list server limits posts to 120kb
-so  don't     post    GIFs     of               your             network
+ so  don't     post    GIFs     of               your             network
 layout,  etc.   to the Mailing   List    --   your      post      will  be
 rejected.</b></li>
@ -269,22 +286,15 @@ blacklist   shorewall.net      "for  continuous abuse" because it has been
 my policy   to  allow HTML in  list    posts!!<br>
                         <br>
                                                  I think that blocking all 
-HTML   is  a  Draconian      way   to  control     spam    and  that the ultimate
+ HTML   is  a  Draconian      way   to  control     spam    and  that the 
-  losers   here are not    the spammers    but the   list  subscribers  
+ultimate   losers   here are not    the spammers    but the   list  subscribers 
     whose MTAs   are bouncing    all shorewall.net    mail. As   one list
   subscriber    wrote    to me privately      "These e-mail admin's   need
   to get a <i>(expletive      deleted)</i>  life     instead of trying to
-rid   the planet of HTML based   e-mail".   Nevertheless,       to allow
+ rid   the planet of HTML based   e-mail".   Nevertheless,       to allow
 subscribers  to  receive list posts   as must as possible,   I  have   now
  configured the  list  server at shorewall.net   to strip all HTML    from
 outgoing  posts.<br>
      <br>
      <big><font color="#cc0000"><b>If you run your own outgoing mail server
  and it doesn't have a valid DNS PTR record, your email won't reach the
 lists   unless/until the postmaster notices that your posts are being rejected. 
 To  avoid this problem, you should configure your MTA to forward posts to 
 shorewall.net  through an MTA that <u>does</u> have a valid PTR record (such 
 as the one at your ISP). </b></font></big><br>
      </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -295,20 +305,26 @@ as the one at your ISP). </b></font></big><br>
                         to the <a
 href="mailto:leaf-user@lists.sourceforge.net">LEAF      Users      mailing 
             list</a>.</span></h4>
-                                                <b>If you run Shorewall under 
+                                                  <b>If you run Shorewall 
-  MandrakeSoft       Multi    Network     Firewall     (MNF)   and you have 
+under    MandrakeSoft       Multi    Network     Firewall     (MNF)   and 
-  not purchased  an   MNF  license    from MandrakeSoft     then    you can 
+you have    not purchased  an   MNF  license    from MandrakeSoft     then 
-   post non MNF-specific     Shorewall  questions   to the </b><a
+   you can     post non MNF-specific     Shorewall  questions   to the </b><a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall   users mailing 
               list</a>. <b>Do not expect to get free MNF support on the list</b>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-                 list</a> .</p>
+                  list.</a> </p>
-                                   
+                                           </blockquote>
 <h2>Subscribing to the Users Mailing List<br>
 </h2>
 <blockquote>
  <p>         To Subscribe to the  mailing list go to <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
-                                      .<br>
+  <br>
 Secure: <a
 href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
 target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
                              </p>
                                                    </blockquote>
@ -316,11 +332,13 @@ as the one at your ISP). </b></font></big><br>
 href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
                              </p>
-<p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/three-interface.htm
+++ b/STABLE/documentation/three-interface.htm
@ -28,15 +28,13 @@
  </tbody>      
 </table>
 <h2 align="center">Version 2.0.1</h2>
 <p align="left">Setting up a Linux system as a firewall for a small network
-         with  DMZ is a  fairly straight-forward task if you understand the 
+          with  DMZ is a  fairly straight-forward task if you understand
-  basics       and follow the  documentation.</p>
+the    basics       and follow the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of
-          Shorewall. It rather focuses on what is required to configure Shorewall 
+           Shorewall. It rather focuses on what is required to configure
-        in one  of its more popular configurations:</p>
+Shorewall          in one  of its more popular configurations:</p>
 <ul>
                       <li>Linux system used as a firewall/router for a small 
@ -55,37 +53,37 @@
                    </p>
 <p>Shorewall requires that you have the iproute/iproute2 package installed
-         (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can 
+          (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You
-  tell     if  this  package is installed by the presence of an <b>ip</b> 
+can    tell     if  this  package is installed by the presence of an <b>ip</b>
-program    on   your  firewall  system. As root, you can use the 'which' command
+ program    on   your  firewall  system. As root, you can use the 'which'
-to   check   for this  program:</p>
+command to   check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the guide    to familiarize yourself
-         with what's involved then go back through it again  making your configuration
+          with what's involved then go back through it again  making your
-         changes. Points at which configuration changes are  recommended
+configuration          changes. Points at which configuration changes are
-are    flagged      with <img border="0" src="images/BD21298_.gif"
+ recommended are    flagged      with <img border="0"
- width="13" height="13">
+ src="images/BD21298_.gif" width="13" height="13">
        . Configuration notes that are unique to LEAF/Bering are marked with <img
 src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
                     </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                         If you edit your configuration files on a Windows
-system,     you   must   save them as  Unix files if your editor supports 
+ system,     you   must   save them as  Unix files if your editor supports
-that option     or you   must  run them through  dos2unix before trying to 
+ that option     or you   must  run them through  dos2unix before trying
-use them. Similarly,     if   you copy  a configuration file  from your Windows 
+to  use them. Similarly,     if   you copy  a configuration file  from your
-hard drive to a  floppy    disk, you must run dos2unix against the  copy before
+Windows  hard drive to a  floppy    disk, you must run dos2unix against the
-using it with  Shorewall.</p>
+ copy before using it with  Shorewall.</p>
 <ul>
                       <li><a
 href="http://www.simtel.net/pub/pd/51438.html">Windows     Version     of 
    dos2unix</a></li>
                       <li><a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version of
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
-   dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
@ -94,13 +92,14 @@ using it with  Shorewall.</p>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
                The configuration files for Shorewall are contained in the
-directory       /etc/shorewall -- for simple setups, you will only need to 
+ directory       /etc/shorewall -- for simple setups, you will only need
-deal with  a  few  of  these as described in this guide.  After you have <a
+to  deal with  a  few  of  these as described in this guide.  After you have
- href="Install.htm">installed Shorewall</a>,  <b>download the <a
+<a href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface  
      sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy
     the    files to /etc/shorewall  (the files will replace files with the
- same   names    that were placed in  /etc/shorewall when Shorewall was installed)</b>.</p>
+  same   names    that were placed in  /etc/shorewall when Shorewall was
 installed)</b>.</p>
 <p>As each file is introduced, I suggest that you  look through the actual
          file on your system -- each file contains detailed  configuration
@ -143,18 +142,18 @@ deal with  a  few  of  these as described in this guide.  After you have <a
 <ul>
                       <li>You express your default policy for connections
-from   one   zone   to  another    zone in the<a
+ from   one   zone   to  another    zone in the<a
 href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                       <li>You define exceptions to those default policies
-in  the        <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+ in  the        <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first
          checked against the  /etc/shorewall/rules file. If no rule in that
   file     matches  the connection  request then the first policy in /etc/shorewall/policy
-       that  matches the    request is applied. If that policy is REJECT or
+        that  matches the    request is applied. If that policy is REJECT
-  DROP      the request is first  checked against the rules in /etc/shorewall/common 
+or   DROP      the request is first  checked against the rules in /etc/shorewall/common
       (the samples provide that  file for you).</p>
 <p>The /etc/shorewall/policy file included with the three-interface sample
@ -227,13 +226,12 @@ in  the        <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<
 <p>The above policy will:</p>
 <ol>
-                      <li>allow all connection requests from your local network 
+                       <li>allow all connection requests from your local
-   to  the   internet</li>
+network     to  the   internet</li>
                       <li>drop (ignore) all connection requests from the 
 internet     to  your   firewall     or local network</li>
                       <li>optionally accept all connection requests from 
-the   firewall     to  the     internet (if you uncomment the additional
+the   firewall     to  the     internet (if you uncomment the additional policy)</li>
 policy)</li>
                       <li>reject all other connection requests.</li>
 </ol>
@ -250,8 +248,8 @@ policy)</li>
 <p align="left">The firewall has three network interfaces. Where Internet
           connectivity is through a cable or DSL "Modem", the <i>External
-Interface</i>          will be the ethernet adapter that is connected to that
+ Interface</i>          will be the ethernet adapter that is connected to
-"Modem" (e.g.,      <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
+that "Modem" (e.g.,      <b>eth0</b>)    <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
       <u>P</u>rotocol    over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
       <u>T</u>unneling   <u>P</u>rotocol </i>(PPTP) in which case the External
      Interface will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
@ -267,30 +265,30 @@ Interface</i>          will be the ethernet adapter that is connected to that
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
           eth1 or eth2) and will be connected to a hub or switch. Your local
    computers       will be connected to the same switch (note: If you have
- only  a single   local   system,  you can connect the firewall directly to
+  only  a single   local   system,  you can connect the firewall directly
- the computer using   a <i>cross-over   </i> cable).</p>
+to  the computer using   a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
-         (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your
+          (eth0,  eth1 or eth2) and will be connected to a hub or switch.
-    DMZ    computers will  be connected to the same switch (note: If you
+Your     DMZ    computers will  be connected to the same switch (note: If
-have     only  a  single DMZ system,  you can connect the firewall directly 
+you have     only  a  single DMZ system,  you can connect the firewall directly
-to the    computer    using a <i>cross-over </i> cable).</p>
+ to the    computer    using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
                    </b></u>Do not connect more than one interface  to the
-same   hub   or  switch    (even for testing). It won't work the way that 
+ same   hub   or  switch    (even for testing). It won't work the way that
-you  expect   it to  and you   will end up confused and  believing that Shorewall 
+ you  expect   it to  and you   will end up confused and  believing that
-doesn't     work  at all.</p>
+Shorewall  doesn't     work  at all.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                        The Shorewall three-interface sample configuration
-assumes     that    the   external interface is <b>eth0, </b>the local interface 
+ assumes     that    the   external interface is <b>eth0, </b>the local interface
-is   <b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration 
+ is   <b>eth1   </b>and    the DMZ interface is <b> eth2</b>.  If your configuration
   is different,    you will have to modify the sample  /etc/shorewall/interfaces
    file accordingly.     While you are there, you may wish to  review the
-list   of options that are    specified for the interfaces. Some hints:</p>
+ list   of options that are    specified for the interfaces. Some hints:</p>
 <ul>
                       <li>                               
@ -309,18 +307,18 @@ list   of options that are    specified for the interfaces. Some hints:</p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet
-          Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
+           Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
-   a  single    <i> Public</i> IP address. This address may be assigned via
+you    a  single    <i> Public</i> IP address. This address may be assigned
-  the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
+via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part
- establishing  your  connection   when you dial in (standard modem) or establish
+of  establishing  your  connection   when you dial in (standard modem) or
- your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
+establish  your PPP  connection.  In rare   cases, your ISP may assign you
- IP address; that  means that  you  configure your firewall's external interface
+a<i> static</i>  IP address; that  means that  you  configure your firewall's
-    to use that  address permanently.<i>  </i>Regardless of how the address
+external interface     to use that  address permanently.<i>  </i>Regardless
-  is  assigned, it  will be shared by all of your  systems when you access
+of how the address   is  assigned, it  will be shared by all of your  systems
- the Internet. You will have to assign your  own addresses  for your internal
+when you access  the Internet. You will have to assign your  own addresses
- network (the local and DMZ Interfaces on  your firewall plus your other
+ for your internal  network (the local and DMZ Interfaces on  your firewall
-computers).  RFC 1918 reserves several <i>Private  </i>IP address ranges
+plus your other computers).  RFC 1918 reserves several <i>Private  </i>IP
-for this  purpose:</p>
+address ranges for this  purpose:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -329,24 +327,24 @@ for this  purpose:</p>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                          Before starting Shorewall, you should look at the 
+                           Before starting Shorewall, you should look at
- IP  address     of  your  external    interface and if it is one of the above
+the   IP  address     of  your  external    interface and if it is one of
-  ranges, you    should  remove  the    'norfc1918' option from the external
+the above   ranges, you    should  remove  the    'norfc1918' option from
-  interface's   entry  in    /etc/shorewall/interfaces.</p>
+the external   interface's   entry  in    /etc/shorewall/interfaces.</p>
                    </div>
 <div align="left">      
 <p align="left">You will want to assign your local addresses from one <i>
-           sub-network </i>or <i>subnet</i> and your DMZ addresses from another 
+            sub-network </i>or <i>subnet</i> and your DMZ addresses from
-      subnet.  For our purposes, we can consider a subnet    to consists of
+another        subnet.  For our purposes, we can consider a subnet    to
-  a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have 
+consists of   a  range  of addresses  x.y.z.0 - x.y.z.255. Such a subnet
-a  <i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved
+will    have  a  <i>Subnet    Mask </i>of 255.255.255.0.  The address x.y.z.0
-  as    the <i>Subnet     Address</i> and x.y.z.255  is reserved as the <i>Subnet 
+is reserved   as    the <i>Subnet     Address</i> and x.y.z.255  is reserved
-  Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet is described using <a
+as the <i>Subnet    Broadcast</i>   <i>Address</i>.  In Shorewall,  a subnet
- href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing 
+is described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
-    </i>(CIDR)</a>   notation with consists of the subnet address  followed 
+ InterDomain Routing      </i>(CIDR)</a>   notation with consists of the
-     by "/24". The "24"  refers to the number of    consecutive "1"  bits 
+subnet address  followed       by "/24". The "24"  refers to the number of
-from    the left of the subnet  mask. </p>
+   consecutive "1"  bits  from    the left of the subnet  mask. </p>
                    </div>
 <div align="left">      
@ -397,18 +395,18 @@ from    the left of the subnet  mask. </p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                        Your local  computers    (Local Computers 1 &amp; 
-2)  should    be  configured    with their<i>    default gateway</i> set
+2)  should    be  configured    with their<i>    default gateway</i> set to
-to the  IP address     of the firewall's    internal interface    and your
+the  IP address     of the firewall's    internal interface    and your DMZ
-DMZ computers  ( DMZ   Computers   1 &amp; 2)  should  be configured with
+computers  ( DMZ   Computers   1 &amp; 2)  should  be configured with their
-their    default  gateway   set to the   IP address  of the firewall's DMZ
+   default  gateway   set to the   IP address  of the firewall's DMZ interface.  
-interface.   </p>
+</p>
                    </div>
 <p align="left">The foregoing short discussion barely scratches the surface
           regarding subnetting and routing. If you are interested in learning
-    more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
+     more     about  IP addressing and routing, I highly recommend <i>"IP
-         What Everyone  Needs to Know about Addressing &amp; Routing",</i>
+Fundamentals:          What Everyone  Needs to Know about Addressing &amp;
- Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
           your network as shown here:</p>
@ -433,35 +431,35 @@ interface.
 <p align="left">IP Masquerading (SNAT)</p>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-         to as <i>non-routable</i> because the Internet backbone routers don't
+          to as <i>non-routable</i> because the Internet backbone routers
-     forward    packets  which have an RFC-1918 destination address. When
+don't      forward    packets  which have an RFC-1918 destination address.
-one    of your local    systems  (let's assume local computer 1) sends a
+When one    of your local    systems  (let's assume local computer 1) sends
-connection     request to an   internet host, the  firewall must perform <i>Network
+a connection     request to an   internet host, the  firewall must perform
-Address     Translation   </i>(NAT). The firewall  rewrites the source address
+<i>Network Address     Translation   </i>(NAT). The firewall  rewrites the
-in the    packet to be  the address of the firewall's  external interface;
+source address in the    packet to be  the address of the firewall's  external
-in other    words, the firewall   makes it look as if the firewall  itself
+interface; in other    words, the firewall   makes it look as if the firewall
-is initiating    the connection.  This  is necessary so that the  destination
+ itself is initiating    the connection.  This  is necessary so that the
-host will be   able to route return packets   back to the firewall  (remember
+ destination host will be   able to route return packets   back to the firewall
-that packets   whose destination address is   reserved by RFC 1918 can't
+ (remember that packets   whose destination address is   reserved by RFC
- be routed accross   the internet). When the firewall   receives a return
+1918 can't  be routed accross   the internet). When the firewall   receives
-packet, it  rewrites   the destination address back to 10.10.10.1   and forwards
+a return packet, it  rewrites   the destination address back to 10.10.10.1
-the packet on  to local computer 1. </p>
+  and forwards the packet on  to local computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> and you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
                       <li>                               
    <p align="left"><i>Masquerade</i> describes the case where you let your
-            firewall system automatically detect the external interface address. 
+             firewall system automatically detect the external interface
-             </p>
+address.               </p>
                      </li>
                      <li>                               
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
-         the    source address that you want outbound packets from your local 
+          the    source address that you want outbound packets from your
-    network     to use.    </p>
+local      network     to use.    </p>
                      </li>
 </ul>
@ -473,15 +471,16 @@ the packet on  to local computer 1. </p>
 height="13">
                        If your external firewall interface is <b>eth0</b>, 
 your   local     interface   <b>eth1 </b>and your DMZ interface is <b>eth2</b>
- then  you  do  not  need to  modify the file provided with the sample. Otherwise, 
+  then  you  do  not  need to  modify the file provided with the sample.
-   edit    /etc/shorewall/masq   and change it to match your configuration.</p>
+Otherwise,     edit    /etc/shorewall/masq   and change it to match your
 configuration.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-                       If your external IP  is static, you can enter it in
+                        If your external IP  is static, you can enter it
- the  third    column    in the /etc/shorewall/masq entry  if you like although 
+in  the  third    column    in the /etc/shorewall/masq entry  if you like
-  your firewall    will    work fine if you leave that column  empty. Entering 
+although    your firewall    will    work fine if you leave that column 
-  your static  IP  in column    3 makes <br>
+empty. Entering    your static  IP  in column    3 makes <br>
           processing outgoing packets a  little more efficient.<br>
           </p>
@ -502,13 +501,13 @@ the packet on  to local computer 1. </p>
 <h2 align="left">Port Forwarding (DNAT)</h2>
 <p align="left">One of your goals will be to run one or more servers on your
-         DMZ computers. Because these computers have RFC-1918 addresses, it
+          DMZ computers. Because these computers have RFC-1918 addresses,
-  is   not     possible for clients on the internet to connect directly to
+it   is   not     possible for clients on the internet to connect directly
- them.   It is   rather  necessary for those clients to address their connection
+to  them.   It is   rather  necessary for those clients to address their
-   requests    to your firewall  who rewrites the destination address to
+connection    requests    to your firewall  who rewrites the destination
-the    address of   your server and forwards  the packet to that server.
+address to the    address of   your server and forwards  the packet to that
-When your   server responds,     the firewall automatically  performs SNAT
+server. When your   server responds,     the firewall automatically  performs
-to rewrite   the source address   in  the response.</p>
+SNAT to rewrite   the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
          Destination Network Address Translation</i> (DNAT). You configure 
@ -545,8 +544,8 @@ to rewrite   the source address   in  the response.</p>
  </table>
                     </blockquote>
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
-the same  as <i>&lt;port&gt;</i>.</p>
+be the same  as <i>&lt;port&gt;</i>.</p>
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
           TCP port 80 to that system:</p>
@ -593,9 +592,9 @@ the same  as <i>&lt;port&gt;</i>.</p>
                       <li>When you are connecting to your server from your 
 local   systems,     you  must    use the server's internal IP address (10.10.11.2).</li>
                       <li>Many ISPs block incoming connection requests to
-port   80.   If  you   have     problems connecting to your web server, try 
+ port   80.   If  you   have     problems connecting to your web server,
-the  following   rule and  try     connecting to port 5000 (e.g., connect 
+try  the  following   rule and  try     connecting to port 5000 (e.g., connect
-to     <a href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z
+ to     <a href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z 
 is your         external IP).</li>
 </ul>
@ -700,7 +699,7 @@ to     <a href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z
                     </blockquote>
 <p>If you want to access your server from the DMZ using your external IP
-address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
+ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
                        At this point, add the DNAT and  ACCEPT rules for 
@ -709,23 +708,23 @@ your   servers.     </p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting
-         an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
+          an IP  address your firewall's <i>Domain Name Service </i>(DNS)
-        will be  automatically configured (e.g., the /etc/resolv.conf file
+resolver         will be  automatically configured (e.g., the /etc/resolv.conf
- will     be  written).  Alternatively, your ISP may have given you the IP
+file  will     be  written).  Alternatively, your ISP may have given you
- address    of a  pair of DNS <i> name servers</i> for you to manually configure
+the IP  address    of a  pair of DNS <i> name servers</i> for you to manually
- as  your    primary  and secondary  name servers. It is <u>your</u> responsibility
+configure  as  your    primary  and secondary  name servers. It is <u>your</u>
-    to   configure  the resolver in your  internal systems. You can take
+responsibility     to   configure  the resolver in your  internal systems.
-one    of two   approaches:</p>
+You can take one    of two   approaches:</p>
 <ul>
                       <li>                               
    <p align="left">You can configure your internal systems to use your ISP's
          name    servers. If you ISP gave you the addresses of their servers
-   or   if   those    addresses are available on their web site, you can configure
+    or   if   those    addresses are available on their web site, you can
-      your   internal    systems to use those addresses. If that information
+configure       your   internal    systems to use those addresses. If that
-   isn't   available,   look in    /etc/resolv.conf on your firewall system
+information    isn't   available,   look in    /etc/resolv.conf on your firewall
-  -- the name  servers are  given in    "nameserver" records in that file.
+system   -- the name  servers are  given in    "nameserver" records in that
-   </p>
+file.    </p>
                      </li>
                      <li>                               
    <p align="left"><img border="0" src="images/BD21298_2.gif"
@ -733,14 +732,14 @@ one    of two   approaches:</p>
                        You can configure a<i> Caching Name Server </i>on 
 your      firewall     or  in your DMZ.<i> </i>Red Hat has an RPM for a caching
  name  server (which     also     requires the 'bind' RPM) and for Bering
-users,  there is dnscache.lrp.     If you    take this approach, you configure 
+ users,  there is dnscache.lrp.     If you    take this approach, you configure
-your  internal systems to use    the caching    name server as their primary 
+ your  internal systems to use    the caching    name server as their primary
-(and  only) name server. You  use  the internal IP    address of the firewall 
+ (and  only) name server. You  use  the internal IP    address of the firewall
-(10.10.10.254  in the example  above)    for the name    server address if 
+ (10.10.10.254  in the example  above)    for the name    server address
-you choose to  run the name server  on your   firewall. To allow your local 
+if  you choose to  run the name server  on your   firewall. To allow your
-systems to talk  to your caching name      server,   you must open port 53 
+local  systems to talk  to your caching name      server,   you must open
-(both UDP and TCP)  from the local network   to the    server; you do that 
+port 53  (both UDP and TCP)  from the local network   to the    server; you
-by adding the rules  in /etc/shorewall/rules.       </p>
+do that  by adding the rules  in /etc/shorewall/rules.       </p>
                      </li>
 </ul>
@ -1051,7 +1050,8 @@ by adding the rules  in /etc/shorewall/rules.       </p>
 <div align="left">      
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
             the internet because it uses clear text (even for login!). If
-you    want     shell    access to your firewall from the internet, use SSH:</p>
+ you    want     shell    access to your firewall from the internet, use
 SSH:</p>
                    </div>
 <div align="left">      
@ -1168,15 +1168,15 @@ you  have completed configuration     of your firewall, you can enable Shorewall
     routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
             running firewall may be restarted using the "shorewall restart"
-  command.       If    you want to totally remove any trace of Shorewall from
+   command.       If    you want to totally remove any trace of Shorewall
-  your Netfilter          configuration, use "shorewall clear".</p>
+from   your Netfilter          configuration, use "shorewall clear".</p>
                    </div>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-                       The three-interface sample assumes that you want to
+                        The three-interface sample assumes that you want
- enable       routing    to/from <b>eth1 (</b>your local network) and<b>
+to  enable       routing    to/from <b>eth1 (</b>your local network) and<b> 
 eth2  </b>(DMZ)     when Shorewall    is stopped.    If these two interfaces 
 don't  connect  to   your local network    and DMZ or if you    want to enable 
 a  different  set   of hosts, modify /etc/shorewall/routestopped       accordingly.</p>
@ -1184,11 +1184,11 @@ a  different  set   of hosts, modify /etc/shorewall/routestopped       according
 <div align="left">      
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-         the    internet, do not issue a "shorewall stop" command unless you
+          the    internet, do not issue a "shorewall stop" command unless
-   have     added an    entry for the IP address that you are connected from
+you    have     added an    entry for the IP address that you are connected
-   to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
        Also, I don't recommend using "shorewall restart"; it is better to
-create         an   <i><a href="configuration_file_basics.htm#Configs">alternate 
+ create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
  configuration</a></i>        and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
                    </div>
@ -1200,5 +1200,6 @@ create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
    Thomas      M. Eastep</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -32,18 +32,18 @@
 <p align="left">Setting up a Linux system as a firewall for a small network
           is a  fairly straight-forward task if you understand the basics
-and    follow      the  documentation.</p>
+ and    follow      the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of
-           Shorewall. It rather focuses on what is required to configure Shorewall
+            Shorewall. It rather focuses on what is required to configure
-         in its  most common configuration:</p>
+Shorewall          in its  most common configuration:</p>
 <ul>
                         <li>Linux system used as a firewall/router for a 
 small   local    network.</li>
                         <li>Single public IP address.</li>
                         <li>Internet connection through cable modem, DSL,
-ISDN,    Frame    Relay,    dial-up    ...</li>
+ ISDN,    Frame    Relay,    dial-up    ...</li>
 </ul>
@ -54,14 +54,14 @@ ISDN,    Frame    Relay,    dial-up    ...</li>
                      </p>
 <p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
-       configure the above setup using the Mandrake "Internet Connection Sharing"
+        configure the above setup using the Mandrake "Internet Connection
-       applet. From the Mandrake Control Center, select "Network &amp; Internet"
+Sharing"        applet. From the Mandrake Control Center, select "Network
-       then "Connection Sharing".<br>
+&amp; Internet"        then "Connection Sharing".<br>
       </b></p>
 <p><b>Note however, that the Shorewall configuration produced by Mandrake
   Internet Connection Sharing is strange and is apt to confuse you if you
-use  the rest of this documentation (it has two local zones; "loc" and "masq"
+ use  the rest of this documentation (it has two local zones; "loc" and "masq" 
  where "loc" is empty; this conflicts with this documentation which assumes 
  a single local zone "loc"). We therefore recommend that once you have set 
  up this sharing that you uninstall the Mandrake Shorewall RPM and install 
@ -70,38 +70,38 @@ use  the rest of this documentation (it has two local zones; "loc" and "masq"
        </p>
 <p>Shorewall requires that you have the iproute/iproute2 package installed
-          (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
+           (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You
-   tell     if  this  package is installed by the presence of an <b>ip</b> 
+can    tell     if  this  package is installed by the presence of an <b>ip</b>
  program    on   your  firewall  system. As root, you can use the 'which'
-command to   check   for this  program:</p>
+ command to   check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself
           with what's involved then go back through it again  making your
-configuration          changes. Points at which configuration changes are 
+ configuration          changes. Points at which configuration changes are
  recommended are    flagged      with <img border="0"
 src="images/BD21298_.gif" width="13" height="13">
                      . Configuration notes that are unique to LEAF/Bering
-are   marked  with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
+ are   marked  with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
         </p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
                           If you edit your configuration files on a Windows
  system,     you   must   save them as  Unix files if your editor supports
- that option     or you   must  run them through  dos2unix before trying to
+  that option     or you   must  run them through  dos2unix before trying
- use them. Similarly,     if   you copy  a configuration file  from your Windows
+to  use them. Similarly,     if   you copy  a configuration file  from your
- hard drive to a  floppy    disk, you must run dos2unix against the  copy
+Windows  hard drive to a  floppy    disk, you must run dos2unix against the
-before using it with  Shorewall.</p>
+ copy before using it with  Shorewall.</p>
 <ul>
                         <li><a
 href="http://www.simtel.net/pub/pd/51438.html">Windows     Version     of 
     dos2unix</a></li>
                         <li><a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version of
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
-   dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
@ -114,8 +114,9 @@ the   directory      /etc/shorewall -- for simple setups, you will only need
 to   deal with a  few  of  these as described in this guide.  After you have 
 <a href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
-         un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
+          un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
-  /etc/shorewall        (these files will replace files with the same name).</b></p>
+to   /etc/shorewall        (these files will replace files with the same
 name).</b></p>
 <p>As each file is introduced, I suggest that you  look through the actual
           file on your system -- each file contains detailed  configuration
@ -158,19 +159,21 @@ to   deal with a  few  of  these as described in this guide.  After you have
  from   one   zone   to  another    zone in the<a
 href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                         <li>You define exceptions to those default policies
- in  the         <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+  in  the         <a href="Documentation.htm#Rules">/etc/shorewall/rules
    </a>file.</li>
 </ul>
 <p>For each connection request entering the firewall, the request is first
-          checked against the  /etc/shorewall/rules file. If no rule in that 
+           checked against the  /etc/shorewall/rules file. If no rule in
-   file     matches  the connection  request then the first policy in /etc/shorewall/policy 
+that     file     matches  the connection  request then the first policy
-        that  matches the    request is applied. If that policy is REJECT 
+in /etc/shorewall/policy          that  matches the    request is applied.
-or   DROP      the request is first  checked against the rules in /etc/shorewall/common 
+If that policy is REJECT  or   DROP      the request is first  checked against
-       (the samples provide that  file for you).</p>
+the rules in /etc/shorewall/common         (the samples provide that  file
 for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample has
+<p>The /etc/shorewall/policy file included with the two-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -211,8 +214,8 @@ the  following policies:</p>
 <blockquote>                  
  <p>In the two-interface sample, the line below is included but commented
-          out. If  you want your firewall system to have full access to servers 
+           out. If  you want your firewall system to have full access to
-      on   the internet,  uncomment that line.</p>
+servers        on   the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -240,19 +243,18 @@ the  following policies:</p>
 <ol>
                         <li>allow all connection requests from your local
-network     to  the   internet</li>
+ network     to  the   internet</li>
                         <li>drop (ignore) all connection requests from the 
 internet     to  your   firewall     or local network</li>
                         <li>optionally accept all connection requests from 
- the  firewall     to  the     internet (if you uncomment the additional
+ the  firewall     to  the     internet (if you uncomment the additional policy)</li>
 policy)</li>
                         <li>reject all other connection requests.</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-                         At this point, edit your /etc/shorewall/policy and 
+                          At this point, edit your /etc/shorewall/policy
- make   any   changes     that you  wish.</p>
+and   make   any   changes     that you  wish.</p>
 <h2 align="left">Network Interfaces</h2>
@ -260,11 +262,11 @@ policy)</li>
 height="635">
                      </p>
-<p align="left">The firewall has two network interfaces. Where Internet 
+<p align="left">The firewall has two network interfaces. Where Internet  connectivity
-connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+is through a cable or DSL "Modem", the <i>External Interface</i>  will be
- will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
-          <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
+           <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
-           over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
+<u>P</u>rotocol             over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
      <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
      Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect
     via a regular modem,   your External  Interface will also be <b>ppp0</b>.
@ -273,31 +275,31 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                          If your external interface is <b>ppp0</b>  or<b>
-ippp0</b>       then   you   will want to  set CLAMPMSS=yes in <a
+ ippp0</b>       then   you   will want to  set CLAMPMSS=yes in <a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
-          (eth1  or eth0) and will be connected to a hub or switch. Your other
+           (eth1  or eth0) and will be connected to a hub or switch. Your
-     computers     will be  connected to the same hub/switch (note: If you
+other      computers     will be  connected to the same hub/switch (note:
- have    only a single     internal system,  you can connect the firewall 
+If you  have    only a single     internal system,  you can connect the firewall
-directly    to the computer   using  a <i>cross-over </i> cable).</p>
+ directly    to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
                      </b></u>Do not connect the internal and external interface
-    to  the   same   hub or switch (even for testing). It won't work the way
+     to  the   same   hub or switch (even for testing). It won't work the
-   that  you think  that   it will and you will end up confused and  believing
+way    that  you think  that   it will and you will end up confused and 
-   that  Shorewall   doesn't   work at all.</p>
+believing    that  Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
                          The Shorewall two-interface sample configuration
-assumes     that    the   external  interface is <b>eth0</b> and the internal 
+ assumes     that    the   external  interface is <b>eth0</b> and the internal
-interface     is <b>eth1</b>.     If your  configuration is different, you 
+ interface     is <b>eth1</b>.     If your  configuration is different, you
-will have  to   modify the sample    <a
+ will have  to   modify the sample    <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>     file
    accordingly.  While you are there, you may wish to  review the  list
-of options   that are  specified for the interfaces. Some hints:</p>
+  of options   that are  specified for the interfaces. Some hints:</p>
 <ul>
                         <li>                               
@ -317,17 +319,17 @@ of options   that are  specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet
            Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
-you    a  single    <i> Public</i> IP address. This address may be assigned 
+ you    a  single    <i> Public</i> IP address. This address may be assigned
-via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part 
+ via   the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part
-of  establishing  your  connection   when you dial in (standard modem) or 
+ of  establishing  your  connection   when you dial in (standard modem) or
-establish  your PPP  connection.  In rare   cases, your ISP may assign you 
+ establish  your PPP  connection.  In rare   cases, your ISP may assign you
-a<i> static</i>  IP address; that  means that  you  configure your firewall's 
+ a<i> static</i>  IP address; that  means that  you  configure your firewall's
-external interface     to use that  address permanently.<i>  </i>However your
+ external interface     to use that  address permanently.<i>  </i>However
-external address   is  assigned, it  will be shared by all of your systems 
+your external address   is  assigned, it  will be shared by all of your systems
-when you access the   Internet. You will have to assign your  own addresses 
+ when you access the   Internet. You will have to assign your  own addresses
-in your  internal  network (the Internal  Interface on your firewall  plus 
+ in your  internal  network (the Internal  Interface on your firewall  plus
-your other  computers).  RFC 1918 reserves  several <i>Private </i>IP address 
+ your other  computers).  RFC 1918 reserves  several <i>Private </i>IP address
-ranges for this  purpose:</p>
+ ranges for this  purpose:</p>
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -337,23 +339,23 @@ ranges for this  purpose:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                             Before starting Shorewall, you should look at
-the   IP  address     of  your  external    interface and if it is one of 
+ the   IP  address     of  your  external    interface and if it is one of
-the above   ranges, you    should  remove  the    'norfc1918' option from 
+ the above   ranges, you    should  remove  the    'norfc1918' option from
-the external   interface's   entry  in    /etc/shorewall/interfaces.</p>
+ the external   interface's   entry  in    /etc/shorewall/interfaces.</p>
                      </div>
 <div align="left">      
 <p align="left">You will want to assign your addresses from the same <i>
-sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet 
+ sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
              to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
- a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
+  a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The
-   x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 
+address    x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255
-is   reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, 
+ is   reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
    a subnet  is  described  using <a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
     </i>(CIDR)  notation</a> with consists of the subnet  address followed
-    by "/24". The  "24" refers to the number of    consecutive  leading "1" 
+     by "/24". The  "24" refers to the number of    consecutive  leading
-  bits from the left  of the subnet mask. </p>
+"1"    bits from the left  of the subnet mask. </p>
                      </div>
 <div align="left">      
@ -404,7 +406,7 @@ is   reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                          Your local computers (computer    1 and computer
-2  in  the   above    diagram)   should be configured with their<i>    default 
+ 2  in  the   above    diagram)   should be configured with their<i>    default
  gateway</i>    to  be  the IP address   of the firewall's internal    interface.<i>     
     </i>  </p>
                      </div>
@ -412,8 +414,8 @@ is   reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
 <p align="left">The foregoing short discussion barely scratches the surface
            regarding subnetting and routing. If you are interested in learning
      more     about  IP addressing and routing, I highly recommend <i>"IP
-Fundamentals:          What Everyone  Needs to Know about Addressing &amp; 
+ Fundamentals:          What Everyone  Needs to Know about Addressing &amp;
-Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+ Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
            your network as shown here:</p>
@ -428,74 +430,74 @@ Routing",</i>  Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
              <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
- assign    your external interface an RFC 1918 address. If that address is 
+  assign    your external interface an RFC 1918 address. If that address
- in the 10.10.10.0/24   subnet then you will need to select a DIFFERENT RFC 
+is   in the 10.10.10.0/24   subnet then you will need to select a DIFFERENT
- 1918 subnet for your  local network.</b><br>
+RFC   1918 subnet for your  local network.</b><br>
           </p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
           to as <i>non-routable</i> because the Internet backbone routers
-don't      forward    packets  which have an RFC-1918 destination address. 
+ don't      forward    packets  which have an RFC-1918 destination address.
-When one    of your local    systems  (let's assume computer 1) sends a connection 
+ When one    of your local    systems  (let's assume computer 1) sends a
-  request    to an internet    host, the  firewall must perform <i>Network 
+connection    request    to an internet    host, the  firewall must perform
- Address Translation     </i>(NAT).    The firewall  rewrites the source address
+<i>Network   Address Translation     </i>(NAT).    The firewall  rewrites
- in the packet to   be the address    of the firewall's  external interface;
+the source address  in the packet to   be the address    of the firewall's
- in other words,   the firewall makes    it look as if the firewall  itself
+ external interface;  in other words,   the firewall makes    it look as
- is initiating the   connection.  This is   necessary so that the  destination
+if the firewall  itself  is initiating the   connection.  This is   necessary
-   host will be able   to route return packets   back to the firewall  (remember
+so that the  destination    host will be able   to route return packets 
-   that packets whose   destination address is   reserved by RFC 1918 can't
+ back to the firewall  (remember    that packets whose   destination address
-   be routed across the   internet so the remote host  can't address its
+is   reserved by RFC 1918 can't    be routed across the   internet so the
-response    to  computer 1).  When the firewall receives a return packet,
+remote host  can't address its response    to  computer 1).  When the firewall
-it  rewrites    the destination address  back to 10.10.10.1  and  forwards
+receives a return packet, it  rewrites    the destination address  back to
-the packet on   to computer 1. </p>
+10.10.10.1  and  forwards the packet on   to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> but you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
                         <li>                               
    <p align="left"><i>Masquerade</i> describes the case where you let your
-             firewall system automatically detect the external interface address.
+              firewall system automatically detect the external interface
-              </p>
+address.               </p>
                        </li>
                        <li>                               
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
-          the    source address that you want outbound packets from your local
+           the    source address that you want outbound packets from your
-     network     to use.    </p>
+local      network     to use.    </p>
                        </li>
 </ul>
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with
            entries in the /etc/shorewall/masq file. You will normally use
-Masquerading          if  your external IP is dynamic and SNAT if the IP is
+ Masquerading          if  your external IP is dynamic and SNAT if the IP
-static.</p>
+is static.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                          If your external firewall interface is <b>eth0</b>, 
  you  do  not    need   to modify the file provided with the sample. Otherwise,
    edit   /etc/shorewall/masq      and change the first column to the name 
-  of  your  external  interface and    the  second column to the name of
+  of  your  external  interface and    the  second column to the name of your
-your   internal   interface.</p>
+  internal   interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                          If your external IP is  static, you can enter it
-in  the  third    column    in the /etc/shorewall/masq entry if  you like 
+ in  the  third    column    in the /etc/shorewall/masq entry if  you like
-although    your firewall    will    work fine if you leave that column empty. 
+ although    your firewall    will    work fine if you leave that column
- Entering    your static  IP  in column    3 makes processing outgoing packets 
+empty.   Entering    your static  IP  in column    3 makes processing outgoing
-a little     more efficient.<br>
+packets  a little     more efficient.<br>
              <br>
              <img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
-                 If you are using the Debian package, please check your shorewall.conf 
+                  If you are using the Debian package, please check your
-      file to ensure that the following are set correctly; if they are not, 
+shorewall.conf        file to ensure that the following are set correctly;
-  change    them appropriately:<br>
+if they are not,    change    them appropriately:<br>
              </p>
 <ul>
@ -511,10 +513,10 @@ a little     more efficient.<br>
            local computers. Because these computers have RFC-1918 addresses,
    it   is   not  possible for clients on the internet to connect directly
  to  them.   It   is rather  necessary for those clients to address their
-connection   requests     to the firewall  who rewrites the destination address 
+ connection   requests     to the firewall  who rewrites the destination
-to the   address of   your   server and forwards  the packet to that server. 
+address  to the   address of   your   server and forwards  the packet to
-When  your server responds,     the firewall automatically  performs SNAT 
+that server.  When  your server responds,     the firewall automatically
-to rewrite   the source address   in  the response.</p>
+ performs SNAT  to rewrite   the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
           Destination Network Address Translation</i> (DNAT). You configure
@ -551,8 +553,8 @@ to rewrite   the source address   in  the response.</p>
  </table>
                       </blockquote>
-<p>Example - you run a Web Server on computer 2 and you want to forward incoming 
+<p>Example 1 - you run a Web Server on computer 2 and you want to forward
-           TCP port 80 to that system:</p>
+incoming             TCP port 80 to that system:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -581,17 +583,53 @@ to rewrite   the source address   in  the response.</p>
  </table>
                       </blockquote>
 <p>Example 2 - you run an FTP Server on computer 1 so you want to forward
 incoming TCP port 21 to that system:</p>
 <blockquote>                  
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                           <tbody>
                            <tr>
                             <td><u><b>ACTION</b></u></td>
                             <td><u><b>SOURCE</b></u></td>
                             <td><u><b>DESTINATION</b></u></td>
                             <td><u><b>PROTOCOL</b></u></td>
                             <td><u><b>PORT</b></u></td>
                             <td><u><b>SOURCE PORT</b></u></td>
                             <td><u><b>ORIGINAL ADDRESS</b></u></td>
                           </tr>
                           <tr>
                             <td>DNAT</td>
                             <td>net</td>
                             <td>loc:10.10.10.1</td>
                             <td>tcp</td>
                             <td>21<br>
        </td>
                             <td> </td>
                             <td> </td>
                           </tr>
    </tbody>                  
  </table>
                       </blockquote>
 <p>For FTP, you will also need to have FTP connection tracking and NAT support
 in your kernel. For vendor-supplied kernels, this means that the ip_conntrack_ftp
 and ip_nat_ftp modules must be loaded. Shorewall will automatically load
 these modules if they are available and located in the standard place under
 /lib/modules/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter.<br>
 </p>
 <p>A couple of important points  to keep in mind:</p>
 <ul>
                         <li>You must test the above rule from a client outside
   of  your   local    network    (i.e., don't test from a browser running
-on  computers     1 or 2  or  on the    firewall). If you want to be able 
+ on  computers     1 or 2  or  on the    firewall). If you want to be able
-to access your  web   server  using  the IP    address of your external interface,
+ to access your  web   server and/or FTP server from inside your firewall
-  see     <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
+ using  the IP    address of your external interface,   see     <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
                         <li>Many ISPs block incoming connection requests 
 to  port   80.   If  you   have     problems connecting to your web server,
-try  the  following   rule and  try     connecting to port 5000.</li>
+ try  the  following   rule and  try     connecting to port 5000.</li>
 </ul>
@ -623,30 +661,30 @@ try  the  following   rule and  try     connecting to port 5000.</li>
                       </blockquote>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
-                         At this point, modify  /etc/shorewall/rules to add 
+                          At this point, modify  /etc/shorewall/rules to
- any   DNAT   rules    that  you require.</p>
+add   any   DNAT   rules    that  you require.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
 <p align="left">Normally, when you connect to your ISP, as part of getting
           an IP  address your firewall's <i>Domain Name Service </i>(DNS)
-resolver         will be  automatically configured (e.g., the /etc/resolv.conf 
+ resolver         will be  automatically configured (e.g., the /etc/resolv.conf
-file  will     be  written).  Alternatively, your ISP may have given you the
+ file  will     be  written).  Alternatively, your ISP may have given you
-IP  address    of a  pair of DNS <i> name servers</i> for you to manually 
+the IP  address    of a  pair of DNS <i> name servers</i> for you to manually
-configure  as  your    primary  and secondary  name servers. Regardless of 
+ configure  as  your    primary  and secondary  name servers. Regardless
-how DNS gets   configured    on your  firewall, it is <u>your</u> responsibility 
+of  how DNS gets   configured    on your  firewall, it is <u>your</u> responsibility
-to configure   the resolver    in your   internal systems. You can take one 
+ to configure   the resolver    in your   internal systems. You can take
-of two approaches:</p>
+one  of two approaches:</p>
 <ul>
                         <li>                               
    <p align="left">You can configure your internal systems to use your ISP's
           name    servers. If you ISP gave you the addresses of their servers
     or   if   those    addresses are available on their web site, you can
-configure       your   internal    systems to use those addresses. If that 
+ configure       your   internal    systems to use those addresses. If that
-information    isn't   available,   look in    /etc/resolv.conf on your firewall 
+ information    isn't   available,   look in    /etc/resolv.conf on your
-system   -- the name  servers are  given in    "nameserver" records in that 
+firewall  system   -- the name  servers are  given in    "nameserver" records
-file.    </p>
+in that  file.    </p>
                        </li>
                        <li>                               
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -654,12 +692,12 @@ file.    </p>
                          You can configure a<i> Caching Name Server </i>on 
 your      firewall.<i>          </i>Red Hat has an RPM for a caching name 
 server   (the  RPM also    requires    the 'bind' RPM) and for Bering users, 
- there   is dnscache.lrp.  If you    take   this approach, you configure
+ there   is dnscache.lrp.  If you    take   this approach, you configure your
-your  internal   systems to use  the firewall    itself as their primary
+ internal   systems to use  the firewall    itself as their primary (and
-(and only)  name  server.  You use the  internal IP     address of the firewall
+only)  name  server.  You use the  internal IP     address of the firewall 
 (10.10.10.254   in the  example above)  for the name       server address. 
-To allow your  local systems  to talk to  your caching name      server,
+To allow your  local systems  to talk to  your caching name      server, you
-you must open port  53 (both UDP  and TCP) from  the local network   to the
+must open port  53 (both UDP  and TCP) from  the local network   to the 
  firewall; you do that by adding  the following  rules in /etc/shorewall/rules. 
      </p>
                        </li>
@ -751,7 +789,7 @@ you must open port  53 (both UDP  and TCP) from  the local network   to the
 <div align="left">      
 <p align="left">Those rules allow DNS access from your firewall and may be
              removed if you uncommented the line in /etc/shorewall/policy
-allowing          all    connections from the firewall to the internet.</p>
+ allowing          all    connections from the firewall to the internet.</p>
                      </div>
 <div align="left">      
@ -827,8 +865,7 @@ allowing          all    connections from the firewall to the internet.</p>
                       </div>
 <div align="left">      
-<p align="left">Example - You want to run a Web Server on your firewall 
+<p align="left">Example - You want to run a Web Server on your firewall  system:</p>
 system:</p>
                      </div>
 <div align="left">      
@ -871,8 +908,8 @@ system:</p>
 <div align="left">      
 <p align="left">Those two rules would of course be in addition to the rules
-             listed above under "You can configure a Caching Name Server on
+              listed above under "You can configure a Caching Name Server
-  your     firewall"</p>
+on   your     firewall"</p>
                      </div>
 <div align="left">      
@ -882,8 +919,9 @@ system:</p>
 <div align="left">      
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-             the internet because it uses clear text (even for login!). If 
+              the internet because it uses clear text (even for login!).
- you    want     shell    access to your firewall from the internet, use SSH:</p>
+If   you    want     shell    access to your firewall from the internet,
 use SSH:</p>
                      </div>
 <div align="left">      
@ -918,8 +956,8 @@ system:</p>
 <div align="left">      
 <p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
-            Bering users will want to add the following two rules to be compatible 
+             Bering users will want to add the following two rules to be
-   with Jacques's Shorewall configuration.</p>
+compatible     with Jacques's Shorewall configuration.</p>
 <div align="left">      
 <blockquote>                  
@ -965,7 +1003,8 @@ system:</p>
                       </div>
 <p align="left"><br>
-        <img border="0" src="images/BD21298_.gif" width="13" height="13">
+         <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                          Now edit your    /etc/shorewall/rules file to add 
 or  delete    other    connections  as required.</p>
                      </div>
@ -978,11 +1017,11 @@ system:</p>
 <p align="left">          <img border="0" src="images/BD21298_2.gif"
 width="13" height="13" alt="Arrow">
                         The <a href="Install.htm">installation procedure 
-</a>     configures       your system to start Shorewall at system boot 
+</a>     configures       your system to start Shorewall at system boot  but
-but beginning    with Shorewall      version 1.3.9 startup is disabled so
+beginning    with Shorewall      version 1.3.9 startup is disabled so that
-that your system    won't try to start     Shorewall before configuration
+your system    won't try to start     Shorewall before configuration is complete.
-is complete. Once  you  have completed configuration     of your firewall,
+Once  you  have completed configuration     of your firewall, you can enable
-you can enable Shorewall    startup by removing the file   /etc/shorewall/startup_disabled.<br>
+Shorewall    startup by removing the file   /etc/shorewall/startup_disabled.<br>
                      </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -998,37 +1037,36 @@ you can enable Shorewall    startup by removing the file   /etc/shorewall/startu
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
              running firewall may be restarted using the "shorewall restart"
    command.       If    you want to totally remove any trace of Shorewall
-from   your Netfilter          configuration, use "shorewall clear".</p>
+ from   your Netfilter          configuration, use "shorewall clear".</p>
                      </div>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-                         The two-interface sample assumes that you want to
+                          The two-interface sample assumes that you want
- enable       routing     to/from <b>eth1 </b>(the local network) when Shorewall 
+to  enable       routing     to/from <b>eth1 </b>(the local network) when
- is   stopped.  If    your local network isn't connected to <b>eth1</b> or 
+Shorewall   is   stopped.  If    your local network isn't connected to <b>eth1</b>
- if you  wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped 
+or   if you  wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped
      accordingly.</p>
                      </div>
 <div align="left">      
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
           the    internet, do not issue a "shorewall stop" command unless
-you    have     added an    entry for the IP address that you are connected 
+ you    have     added an    entry for the IP address that you are connected
-from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+ from    to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-        Also, I don't recommend using "shorewall restart"; it is better to 
+         Also, I don't recommend using "shorewall restart"; it is better
- create         an   <i><a href="configuration_file_basics.htm#Configs">alternate 
+to   create         an   <i><a
-  configuration</a></i>        and    test it using the <a
+ href="configuration_file_basics.htm#Configs">alternate    configuration</a></i>
       and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
                      </div>
-<p align="left"><font size="2">Last updated 6/27/2003 - <a
+<p align="left"><font size="2">Last updated 7/28/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
     Thomas      M. Eastep</font></a><br>
-  </p>
+</p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.6a
+VERSION=1.4.6b
 usage() # $1 = exit status
 {
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -3258,10 +3258,14 @@ add_ip_aliases()
 	# Get all of the lines that contain inet addresses 
 	#
 	ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_subnet $external $cidr; then
 			echo "/${cidr#*/} brd `broadcastaddress $cidr`"
 			break
 		    fi
 		    ;;
 	    esac
 	done
    }
@ -4007,10 +4011,9 @@ activate_rules()
 }
 #
-# Start/Restart the Firewall
+# Check for disabled startup
 #
-define_firewall() # $1 = Command (Start or Restart)
+check_disabled_startup() {
 {
    if [ -f /etc/shorewall/startup_disabled ]; then
 	echo "   Shorewall Startup is disabled -- to enable startup"
 	echo "   after you have completed Shorewall configuration,"
@ -4020,6 +4023,14 @@ define_firewall() # $1 = Command (Start or Restart)
 	my_mutex_off
 	exit 2
    fi
 }
 #
 # Start/Restart the Firewall
 #
 define_firewall() # $1 = Command (Start or Restart)
 {
    check_disabled_startup
    echo "${1}ing Shorewall..."
@ -4771,6 +4782,10 @@ case "$command" in
 	[ $# -ne 1 ] && usage
 	do_initialize
 	my_mutex_on
 	#
 	# Don't want to do a 'stop' when startup is disabled
 	#
 	check_disabled_startup 
 	echo -n "Stopping Shorewall..."
 	stop_firewall
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.6a
+VERSION=1.4.6b
 usage() # $1 = exit status
 {
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -27,6 +27,19 @@ Problems Corrected:
   tcrules file. Previously, these addresses resulted in an invalid
   iptables command.
 8) The "shorewall stop" command is now disabled when
   /etc/shorewall/startup_disabled exists. This prevents people from
   shooting themselves in the foot prior to having configured
   Shorewall.
 9) A change introduced in version 1.4.6 caused error messages during
   "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
   being added to a PPP interface; the addresses were successfully
   added in spite of the messages.
   The firewall script has been modified to eliminate the error
   messages.
 Migration Issues:
 1) In earlier versions, an undocumented feature allowed entries in
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.6a
+%define version 1.4.6b
 %define release 1
 %define prefix /usr
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Fri Aug 01 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6b-1
 * Tue Jul 22 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6a-1
 * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.6a
+VERSION=1.4.6b
 usage() # $1 = exit status
 {