Shorewall 1.4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@504 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-03-18 01:13:38 +00:00 · 2003-03-18 01:13:38 +00:00 · 52629f9049
commit 52629f9049
parent 09aed118b3
43 changed files with 4952 additions and 9553 deletions
--- a/Lrp/etc/init.d/shorewall
+++ b/Lrp/etc/init.d/shorewall
--- a/Lrp/etc/shorewall/blacklist
+++ b/Lrp/etc/shorewall/blacklist
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Blacklist File
+# Shorewall 1.4 -- Blacklist File
 #
 # /etc/shorewall/blacklist
 #
--- a/Lrp/etc/shorewall/common.def
+++ b/Lrp/etc/shorewall/common.def
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/common.def
+# Shorewall 1.4 -- /etc/shorewall/common.def
 #
 # This file defines the rules that are applied before a policy of
 # DROP or REJECT is applied. In addition to the rules defined in this file,
@ -14,14 +14,12 @@
 #
 run_iptables -A common -p icmp -j icmpdef
 ############################################################################
 # Drop invalid state TCP packets
 #
 run_iptables -A common -m state -p tcp --state INVALID -j DROP
 ############################################################################
 # NETBIOS chatter
 #
 run_iptables -A common -p udp --dport 137:139     -j REJECT
 run_iptables -A common -p udp --dport 445         -j REJECT
 run_iptables -A common -p tcp --dport 139         -j REJECT
 run_iptables -A common -p tcp --dport 445         -j REJECT
 run_iptables -A common -p tcp --dport 135	  -j reject
 ############################################################################
 # UPnP
@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 # AUTH -- Silently reject it so that connections don't get delayed.
 #
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
--- a/Lrp/etc/shorewall/hosts
+++ b/Lrp/etc/shorewall/hosts
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/hosts
+# Shorewall 1.4 - /etc/shorewall/hosts
 #
 #    WARNING: 90% of Shorewall users don't need to add entries to this
 #             file and 80% of those who try to add such entries get it
@ -30,11 +30,6 @@
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
 #
 #			routestopped - (Deprecated -- use
 #				       /etc/shorewall/routestopped)
 #				       route messages to and from this
 #				       member when the firewall is in the
 #				       stopped state
 #			maclist	     - Connection requests from these hosts
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
--- a/Lrp/etc/shorewall/init
+++ b/Lrp/etc/shorewall/init
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/init
+# Shorewall 1.4 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
--- a/Lrp/etc/shorewall/interfaces
+++ b/Lrp/etc/shorewall/interfaces
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Interfaces File
+# Shorewall 1.4 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@ -46,11 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
@ -59,9 +54,6 @@
 #				       enabled in shorewall.conf, packets
 #				       whose destination addresses are
 #				       reserved by RFC 1918 are also rejected.
 #			multi	     - This interface has multiple IP
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
 #                                      option can also be enabled globally in
@ -106,27 +98,25 @@
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
 #			206.191.149.192/27. You have a DMZ with subnet
-#			192.168.2.0/24 using eth2. You want to be able to
+#			192.168.2.0/24 using eth2.
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
 #			net	eth0	206.191.149.223	dhcp
-#			local	eth1	192.168.1.255	routestopped
+#			local	eth1	192.168.1.255
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
-#			net	eth0	detect		noping,dhcp
+#			net	eth0	detect		dhcp
-#			loc	eth1	detect		routestopped
+#			loc	eth1	detect
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
-#			connections and you want to ignore ping requests.
+#			connections.
 #
-#			net	ppp0	-		noping
+#			net	ppp0	-
 ##############################################################################
 #ZONE	 INTERFACE	BROADCAST	OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Lrp/etc/shorewall/maclist
+++ b/Lrp/etc/shorewall/maclist
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - MAC list file
+# Shorewall 1.4 - MAC list file
 #
 # /etc/shorewall/maclist
 #
--- a/Lrp/etc/shorewall/masq
+++ b/Lrp/etc/shorewall/masq
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - Masquerade file
+# Shorewall 1.4 - Masquerade file
 #
 # /etc/shorewall/masq
 #
--- a/Lrp/etc/shorewall/modules
+++ b/Lrp/etc/shorewall/modules
@ -1,7 +1,12 @@
 ##############################################################################
-# Shorewall 1.3 /etc/shorewall/modules
+# Shorewall 1.4 /etc/shorewall/modules
 #
 # This file loads the modules needed by the firewall.
 #
 # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
 # dependency order. i.e., if M2 depends on M1 then you must load M1 before
 # you load M2.
 #
    loadmodule ip_tables
    loadmodule iptable_filter
--- a/Lrp/etc/shorewall/nat
+++ b/Lrp/etc/shorewall/nat
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3  -- Network Address Translation Table
+# Shorewall 1.4  -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
--- a/Lrp/etc/shorewall/params
+++ b/Lrp/etc/shorewall/params
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/params
+# Shorewall 1.4 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
@ -11,7 +11,7 @@
 #
 #	NET_IF=eth0
 #	NET_BCAST=130.252.100.255
-#	NET_OPTIONS=noping,norfc1918
+#	NET_OPTIONS=routefilter,norfc1918
 #
 # Example (/etc/shorewall/interfaces record):
 #
@ -19,25 +19,7 @@
 #
 # The result will be the same as if the record had been written
 #
-#	net	eth0		130.252.100.255	noping,norfc1918
+#	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 # Variables can be used in the following places in the other configuration
 # files:
 #
 # /etc/shorewall/interfaces:
 # /etc/shorewall/hosts
 #
 # 	All except the first column.
 #
 # /etc/shorewall/rules
 #
 #	First column after ":".
 #	All remaining columns
 #
 # /etc/shorewall/tunnels
 # /etc/shorewall/proxyarp
 # /etc/shorewall/nat
 #
 #	All columns
 ##############################################################################
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
--- a/Lrp/etc/shorewall/policy
+++ b/Lrp/etc/shorewall/policy
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- Policy File
+# Shorewall 1.4 -- Policy File
 #
 # /etc/shorewall/policy
 #
--- a/Lrp/etc/shorewall/proxyarp
+++ b/Lrp/etc/shorewall/proxyarp
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Proxy ARP
+# Shorewall 1.4 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
--- a/Lrp/etc/shorewall/rfc1918
+++ b/Lrp/etc/shorewall/rfc1918
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- RFC1918 File
+# Shorewall 1.4 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
@ -25,7 +25,7 @@
 192.0.2.0/24		logdrop		# Example addresses
 192.168.0.0/16		logdrop		# RFC 1918
 #
-# The following are generated using the Python program found at:
+# The following are generated with the help of the Python program found at:
 #
 #	http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
 #
@ -43,6 +43,8 @@
 39.0.0.0/8		logdrop		# Reserved
 41.0.0.0/8		logdrop		# Reserved
 42.0.0.0/8		logdrop		# Reserved
 49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 58.0.0.0/7		logdrop		# Reserved
 60.0.0.0/8		logdrop		# Reserved
 70.0.0.0/7		logdrop		# Reserved
@ -53,7 +55,8 @@
 96.0.0.0/3		logdrop		# Reserved
 127.0.0.0/8		logdrop		# Loopback
 197.0.0.0/8		logdrop		# Reserved
-222.0.0.0/7		logdrop		# Reserved
+198.18.0.0/15		logdrop		# Reserved
 201.0.0.0/8		logdrop		# Reserved - Central & South America
 240.0.0.0/4		logdrop		# Reserved
 #
 # End of generated entries
--- a/Lrp/etc/shorewall/routestopped
+++ b/Lrp/etc/shorewall/routestopped
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #
@ -12,7 +12,7 @@
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
-#			  addresses. If left empty or supplied as "-", 
+#			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
 #
 # Example:
--- a/Lrp/etc/shorewall/rules
+++ b/Lrp/etc/shorewall/rules
@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Rules File
+# Shorewall version 1.4 - Rules File
 #
 # /etc/shorewall/rules
 #
@ -30,18 +30,25 @@
 #					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If
 #					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
-#			Beginning with Shorewall version 1.3.12, you may
+#			You may also specify ULOG (must be in upper case) as a
-#			also specify ULOG (must be in upper case) as a log level.\
+#			log level.This will log to the ULOG target for routing
-#			This will log to the ULOG target and sent to a separate log
+#			to a separate log through use of ulogd
 #			through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #                       defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, or "all" If the ACTION is DNAT or
@ -90,6 +97,8 @@
 #				2. In DNAT rules, only IP addresses are
 #				   allowed; no FQDNs or subnet addresses
 #				   are permitted.
 #				3. You may not specify both an interface and
 #				   an address.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
@ -106,10 +115,8 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			"all" or "related". If "related", the remainder of the
+#			"all".
 #			entry must be omitted and connection requests that are
 #			related to existing requests will be accepted.
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
--- a/Lrp/etc/shorewall/shorewall.conf
+++ b/Lrp/etc/shorewall/shorewall.conf
@ -1,19 +1,14 @@
 ##############################################################################
-#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
 #  This file should be placed in /etc/shorewall
 #
-#  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
-#
+#                              L O G G I N G
 # You should not have to change the variables in this section -- they are set
 # by the packager of your Shorewall distribution
 #
 SHARED_DIR=/usr/lib/shorewall
 #
 ##############################################################################
 #
 # General note about log levels. Log levels are a method of describing
@ -45,59 +40,19 @@ SHARED_DIR=/usr/lib/shorewall
 # configured to log all Shorewall message to their own log file
 ################################################################################
 #
-# PATH - Change this if you want to change the order in which Shorewall
+# LOG FILE LOCATION
 #        searches directories for executable files.	
 #
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+# This variable tells the /sbin/shorewall program where to look for Shorewall
 # log messages. If not set or set to an empty string (e.g., LOGFILE="") then
 # /var/log/messages is assumed.
 #
 # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
 #          look for Shorewall messages.It does NOT control the destination for
 #          these messages. For information about how to do that, see
 #
 #              http://www.shorewall.net/shorewall_logging.html
-#
+LOGFILE=/var/log/messages
 # NAME OF THE FIREWALL ZONE
 #
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 #
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set this to "".
 #
 SUBSYSLOCK=/var/run/shorewall
 #
 # SHOREWALL TEMPORARY STATE DIRECTORY
 #
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 STATEDIR=/tmp/shorewall
 #
 # ALLOW RELATED CONNECTIONS
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
 # that are related to already established connections. For example, you want
 # to accept FTP data connections. If you say "no" here, then to accept
 # these connections between particular zones or hosts, you must include
 # explicit "related" rules in /etc/shorewall/rules.
 #
 ALLOWRELATED=yes
 #
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
 #
 # LOG RATE LIMITING
@ -132,25 +87,122 @@ LOGBURST=
 # packets are logged under the 'logunclean' interface option. If the variable
 # is empty, these packets will still be logged at the 'info' level.
 #
-# See the comment at the top of this file for a description of log levels
+# See the comment at the top of this section for a description of log levels
 #
 LOGUNCLEAN=info
 #
-# LOG FILE LOCATION
+# BLACKLIST LOG LEVEL
 #
-# This variable tells the /sbin/shorewall program where to look for Shorewall
+# Set this variable to the syslogd level that you want blacklist packets logged
-# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# (beware of DOS attacks resulting from such logging). If not set, no logging
-# /var/log/messages is assumed.
+# of blacklist packets occurs.
 #
-# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+# See the comment at the top of this section for a description of log levels
 #          look for Shorewall messages.It does NOT control the destination for
 #          these messages. For information about how to do that, see
 #
-#              http://www.shorewall.net/FAQ.htm#faq6
+BLACKLIST_LOGLEVEL=
-LOGFILE=/var/log/messages
+#
 # LOGGING 'New not SYN' rejects
 #
 # This variable only has an effect when NEWNOTSYN=No (see below).
 #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged,
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this section for a description of log levels
 #
 RFC1918_LOG_LEVEL=info
 ################################################################################
 #       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
 ################################################################################
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set this to "".
 #
 SUBSYSLOCK=/var/run/shorewall
 #
 # SHOREWALL TEMPORARY STATE DIRECTORY
 #
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 STATEDIR=/tmp/shorewall
 #
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################
 # NAME OF THE FIREWALL ZONE
 #
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 #
 # ENABLE NAT SUPPORT
@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No
 TC_ENABLED=No
 #
-# BLACKLIST DISPOSITION
+# Clear Traffic Shapping/Control
 #
-# Set this variable to the action that you want to perform on packets from
+# If this option is set to 'No' then Shorewall won't clear the current
-# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# traffic control rules during [re]start. This setting is intended
-# DROP is assumed.
+# for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
-BLACKLIST_DISPOSITION=DROP
+# If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #
-# BLACKLIST LOG LEVEL
+# Mark Packets in the forward chain
 #
-# Set this variable to the syslogd level that you want blacklist packets logged
+# When processing the tcrules file, Shorewall normally marks packets in the
-# (beward of DOS attacks resulting from such logging). If not set, no logging
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# of blacklist packets occurs.
+# this to "Yes". If not specified or if set to the empty value (e.g.,
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
-# See the comment at the top of this file for a description of log levels
+# Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
-BLACKLIST_LOGLEVEL=
+# Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #
 # MSS CLAMPING
@ -335,39 +403,6 @@ MULTIPORT=No
 DETECT_DNAT_IPADDRS=No
 #
 # MERGE HOSTS FILE
 #
 # The traditional behavior of the /etc/shorewall/hosts file has been that
 # if that file has ANY entry for a zone then the zone must be defined 
 # entirely in the hosts file. This is counter-intuitive and has caused 
 # people some problems.
 #
 # By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
 # is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
 # are added to the contents described in the /etc/shorewall/interfaces file.
 #
 # Example: Suppose that we have the following interfaces and hosts files:
 #
 # Interfaces:
 #
 #	net	eth0
 #	loc	eth1	
 #	-	ppp+
 #
 # Hosts:
 #
 #	loc	ppp+:192.168.1.0/24
 #	wrk	ppp+:!192.168.1.0/24
 #
 # With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
 # ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
 # ppp+:192.168.1.0 and eth1:0.0.0.0/0
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
 MERGE_HOSTS=Yes
 #
 # MUTEX TIMEOUT
 #
@ -383,36 +418,6 @@ MERGE_HOSTS=Yes
 MUTEX_TIMEOUT=60
 #
 # LOGGING 'New not SYN' rejects
 #
 # This variable only has an effect when NEWNOTSYN=No (see below).
 #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged, 
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
 # See the comment at the top of this file for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=
 #
 # Old Ping Handling
 #
 # If this option is set to "Yes" then Shorewall will use its old ping handling
 # facility including the FORWARDPING option in this file and the 'noping' and
 # 'filterping' interface options. If this option is set to 'No' then ping
 # is handled via policy and rules just like any other connection request.
 #
 # If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
 # DON'T DELETE IT!!!!!!
 #
 OLD_PING_HANDLING=No
 #
 # NEWNOTSYN
 #
@ -430,6 +435,18 @@ OLD_PING_HANDLING=No
 NEWNOTSYN=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
 #
 # BLACKLIST DISPOSITION
 #
 # Set this variable to the action that you want to perform on packets from
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
 # DROP is assumed.
 #
 BLACKLIST_DISPOSITION=DROP
 #
 # MAC List Disposition
 #
@ -441,18 +458,6 @@ NEWNOTSYN=No
 MACLIST_DISPOSITION=REJECT
 #
 # MAC List Log Level
 #
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 MACLIST_LOG_LEVEL=info
 #
 # TCP FLAGS Disposition
 #
@ -463,64 +468,4 @@ MACLIST_LOG_LEVEL=info
 TCP_FLAGS_DISPOSITION=DROP
 #
 # TCP FLAGS Log Level
 #
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged. 
 #
 # See the comment at the top of this file for a description of log levels
 # 
 TCP_FLAGS_LOG_LEVEL=info
 #
 # RFC1918 Log Level
 #
 # Specifies the logging level for packets that fail RFC 1918
 # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
 # RFC1918_LOG_LEVEL=info is assumed.
 #
 # See the comment at the top of this file for a description of log levels
 # 
 RFC1918_LOG_LEVEL=info
 #
 # Mark Packets in the forward chain
 #
 # When processing the tcrules file, Shorewall normally marks packets in the
 # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
 # this to "Yes". If not specified or if set to the empty value (e.g., 
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
 # packets destined for Masqueraded/SNATed local hosts have had their destination
 # address rewritten so they can be marked based on their destination. When
 # packets are marked in the PREROUTING chain, packets destined for 
 # Masqueraded/SNATed local hosts still have a destination address corresponding
 # to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
 #       setting this variable to Yes may cause startup problems.
 MARK_IN_FORWARD_CHAIN=No
 #
 # Clear Traffic Shapping/Control
 #
 # If this option is set to 'No' then Shorewall won't clear the current
 # traffic control rules during [re]start. This setting is intended
 # for use by people that prefer to configure traffic shaping when
 # the network interfaces come up rather than when the firewall
 # is started. If that is what you want to do, set TC_ENABLED=Yes and
 # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
 # way, your traffic shaping rules can still use the 'fwmark'
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
 CLEAR_TC=Yes
 #LAST LINE -- DO NOT REMOVE
--- a/Lrp/etc/shorewall/start
+++ b/Lrp/etc/shorewall/start
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/start
+# Shorewall 1.4 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
--- a/Lrp/etc/shorewall/stop
+++ b/Lrp/etc/shorewall/stop
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stop
+# Shorewall 1.4 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
--- a/Lrp/etc/shorewall/stopped
+++ b/Lrp/etc/shorewall/stopped
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stopped
+# Shorewall 1.4 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
--- a/Lrp/etc/shorewall/tcrules
+++ b/Lrp/etc/shorewall/tcrules
@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Traffic Control Rules File
+# Shorewall version 1.4 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
--- a/Lrp/etc/shorewall/tos
+++ b/Lrp/etc/shorewall/tos
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- /etc/shorewall/tos
+# Shorewall 1.4 -- /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
--- a/Lrp/etc/shorewall/tunnels
+++ b/Lrp/etc/shorewall/tunnels
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/tunnels
+# Shorewall 1.4 - /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
--- a/Lrp/etc/shorewall/zones
+++ b/Lrp/etc/shorewall/zones
@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 1.4 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
--- a/Lrp/sbin/shorewall
+++ b/Lrp/sbin/shorewall
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
+#     Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@ -84,6 +84,7 @@
 #
 # Display a chain if it exists
 #
 showfirstchain() # $1 = name of chain
 {
    awk \
@ -570,24 +571,11 @@ fi
 [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHARED_DIR=/usr/lib/shorewall
 MUTEX_TIMEOUT=
 if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
    config=$SHOREWALL_DIR/shorewall.conf
 else
    config=/etc/shorewall/shorewall.conf
 fi
 if [ -f $config ]; then
    . $config
 else
    echo "$config does not exist!" >&2
    exit 2
 fi
 [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 SHARED_DIR=/usr/share/shorewall
 FIREWALL=$SHARED_DIR/firewall
 FUNCTIONS=$SHARED_DIR/functions
 VERSION_FILE=$SHARED_DIR/version
@ -599,6 +587,15 @@ else
    exit 2
 fi
 config=`find_file shorewall.conf`
 if [ -f $config ]; then
    . $config
 else
    echo "$config does not exist!" >&2
    exit 2
 fi
 if [ ! -f $FIREWALL ]; then
    echo "ERROR: Shorewall is not properly installed"
    if [ -L $FIREWALL ]; then
--- a/Lrp/var/lib/lrpkg/shorwall.list
+++ b/Lrp/var/lib/lrpkg/shorwall.list
@ -1,5 +1,5 @@
 etc/init.d/shorewall
 etc/shorewall
 sbin/shorewall
-usr/lib/shorewall
+usr/share/shorewall
 var/lib/lrpkg/shorwall.*
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@ -1 +1 @@
-1.3.14
+1.4.0
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -64,6 +64,7 @@ to do it</b>.</a></p>
 <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
                   port forwarding</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
                       to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
           in   my   local      network. <b>External clients can browse</b>
@ -126,9 +127,14 @@ to do it</b>.</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
                       on RedHat</b> I get messages about insmod failing --
- what's        wrong?</a></p>
+  what's        wrong?<br>
 </a></p>
 <p align="left"><b>8a. </b><a href="#faq8a">When I try to <b>start Shorewall 
 on RedHat</b> I get a message referring me to <b>FAQ #8</b></a><br>
 </p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
                       my  interfaces </b>properly?</a></p>
@ -149,15 +155,15 @@ support?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
                       and it has an internel  web server that allows me to
- configure/monitor                  it   but as expected if I enable <b> rfc1918
+  configure/monitor                  it   but as expected if I enable <b>
- blocking</b>  for    my   eth0     interface,       it also blocks the <b>cable
+rfc1918  blocking</b>  for    my   eth0     interface,       it also blocks
- modems  web server</b></a>.</p>
+the <b>cable  modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
                       IP  addresses, my ISP's DHCP server has an RFC 1918 
-address.         If   I  enable       RFC 1918  filtering on my external interface,
+ address.         If   I  enable       RFC 1918  filtering on my external 
- <b>my      DHCP  client  cannot    renew   its lease</b>.</a></p>
+interface,  <b>my      DHCP  client  cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
@ -176,11 +182,11 @@ any   way   to  use   <b>aliased      ip  addresses</b>    with Shorewall,
 and  maintain   separate    rulesets for    different   IPs?</a><br>
                                   <br>
                                   <b>19. </b><a href="#faq19">I have added 
-<b>entries      to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem
+ <b>entries      to  /etc/shorewall/tcrules</b>         but they <b>don't 
-to <b>do     anything</b>.  Why?</a><br>
+</b>seem to <b>do     anything</b>.  Why?</a><br>
                                  <br>
-                                <b>20. </b><a href="#faq20">I have just set 
+                                  <b>20. </b><a href="#faq20">I have just 
-  up   a   server.      <b>Do  I have to change Shorewall to allow access 
+set    up   a   server.      <b>Do  I have to change Shorewall to allow access 
 to my   server    from   the  internet?<br>
                        <br>
                        </b></a><b>21. </b><a href="#faq21">I see these <b>strange
@ -247,6 +253,7 @@ IP  address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
    </tbody>                                                             
  </table>
                                                </blockquote>
@ -287,6 +294,7 @@ IP  address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
    </tbody>                                                             
  </table>
                                                </blockquote>
@ -320,7 +328,8 @@ IP  address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
                                                      <td><i>&lt;protocol&gt;</i></td>
                                                      <td><i>&lt;port #&gt;</i></td>
                                                      <td>-</td>
-                                                    <td><i>&lt;external IP&gt;</i></td>
+                                                      <td><i>&lt;external 
 IP&gt;</i></td>
                                                    </tr>
@ -328,11 +337,12 @@ IP  address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
    </tbody>                                                             
  </table>
                                                </blockquote>
-        Finally,  if you need to forward a range of ports, in the PORT column 
+          Finally,  if you need to forward a range of ports, in the PORT
-  specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
+column    specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
 <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
                       but  it doesn't work</h4>
@ -347,8 +357,8 @@ IP  address&gt;</i>[:<i>&lt;local                port</i>&gt;]</td>
     <a href="#faq2">FAQ   #2</a>).</li>
                                                  <li>You have a more basic 
 problem     with   your   local    system    such   as  an   incorrect default 
-gateway     configured    (it  should    be set to   the IP   address    of
+ gateway     configured    (it  should    be set to   the IP   address   
-your  firewall's    internal    interface).</li>
+of your  firewall's    internal    interface).</li>
 </ul>
@ -356,15 +366,17 @@ your  firewall's    internal    interface).</li>
 <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
                   forwarding</h4>
-                                    <b>Answer: </b>To further diagnose this 
+                                      <b>Answer: </b>To further diagnose
- problem:<br>
+this   problem:<br>
 <ul>
                                        <li>As root, type "iptables -t nat
 -Z".   This   clears    the   NetFilter      counters   in the nat table.</li>
                                        <li>Try to connect to the redirected
  port   from   an  external     host.</li>
-                                      <li>As root type "shorewall show nat"</li>
+                                        <li>As root type "shorewall show
 nat"</li>
                                        <li>Locate the appropriate DNAT rule. 
  It  will   be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat
   ('net_dnat'    in the above   examples).</li>
@ -377,6 +389,7 @@ gateway    setting on  the  server (the   server's  default  gateway  should
                                        <li>If the packet count is zero:</li>
  <ul>
                                          <li>the connection request is not 
 reaching     your   server    (possibly      it  is being blocked by your 
@ -387,16 +400,19 @@ only  redirecting    the  primary  IP  address    (You  need to specify
 the secondary  IP address     in the "ORIG.   DEST." column    in  your
 DNAT rule);  or</li>
                                          <li>your DNAT rule doesn't match
-the   connection      request     in  some   other   way. In that case, you
+ the   connection      request     in  some   other   way. In that case,
-may   have to use  a  packet  sniffer     such  as tcpdump  or  ethereal
+you  may   have to use  a  packet  sniffer     such  as tcpdump  or  ethereal
 to further   diagnose  the  problem.<br>
                                          </li>
  </ul>
  </ul>
 </ul>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
                       (IP 130.151.100.69) to system 192.168.1.5 in my local 
   network.         External         clients  can browse http://www.mydomain.com 
@ -408,8 +424,8 @@ to further   diagnose  the  problem.<br>
 <ul>
                                                  <li>Having an internet-accessible 
-    server    in  your   local    network         is  like raising foxes in
+     server    in  your   local    network         is  like raising foxes 
-  the  corner   of your  hen   house.  If  the server     is      compromised, 
+in   the  corner   of your  hen   house.  If  the server     is      compromised, 
   there's  nothing    between  that  server  and  your other   internal 
      systems.  For the    cost of another  NIC and  a cross-over  cable, 
  you can   put       your   server in a DMZ such  that it is isolated  from 
@ -470,6 +486,7 @@ that    use static   NAT.</li>
    </tbody>                                                             
  </table>
                                                </blockquote>
                                                </div>
@ -477,9 +494,9 @@ that    use static   NAT.</li>
 <div align="left">                                                
 <p align="left">That rule only works of course if you have a static external 
-                      IP  address. If you  have a dynamic IP address and are
+                       IP  address. If you  have a dynamic IP address and 
-   running        Shorewall          1.3.4 or later then include this in
+are    running        Shorewall          1.3.4 or later then include this 
- /etc/shorewall/init:</p>
+in  /etc/shorewall/init:</p>
                                               </div>
@ -524,6 +541,7 @@ that    use static   NAT.</li>
    </tbody>                                                             
  </table>
                                                </blockquote>
                                                </div>
@ -538,15 +556,15 @@ that    use static   NAT.</li>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
                       subnet and I use static NAT to assign non-RFC1918 addresses
-        to   hosts      in   Z.  Hosts in Z cannot communicate with each other
+         to   hosts      in   Z.  Hosts in Z cannot communicate with each
-     using    their  external      (non-RFC1918     addresses) so they can't
+other      using    their  external      (non-RFC1918     addresses) so they
-   access  each    other  using their    DNS  names.</h4>
+can't    access  each    other  using their    DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
                       using Bind Version 9 "views". It allows both external 
-  and    internal         clients       to access a NATed host using the host's
+   and    internal         clients       to access a NATed host using the 
-   DNS   name.</p>
+host's    DNS   name.</p>
 <p align="left">Another good way to approach this problem is to switch from
@ -598,6 +616,7 @@ traffic through your firewall then:</p>
    </tbody>                                                             
  </table>
                                                </blockquote>
@ -630,6 +649,7 @@ traffic through your firewall then:</p>
    </tbody>                                                             
  </table>
                                                </blockquote>
@ -662,6 +682,7 @@ traffic through your firewall then:</p>
    </tbody>                                                             
  </table>
                                                </blockquote>
@ -681,8 +702,8 @@ traffic through your firewall then:</p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
-                      to    check my firewall and it shows some ports as 'closed'
+                       to    check my firewall and it shows some ports as 
-        rather       than     'blocked'.     Why?</h4>
+'closed'         rather       than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
@ -709,10 +730,10 @@ slightly on the amount   of Windows  chatter on LAN segments    connected
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
                       section about    UDP scans. If nmap gets <b>nothing</b> 
-    back     from     your     firewall   then it reports    the port as open.
+     back     from     your     firewall   then it reports    the port as 
-    If you    want to   see  which    UDP ports are  really open,    temporarily
+open.     If you    want to   see  which    UDP ports are  really open,  
-     change    your net-&gt;all     policy    to REJECT, restart  Shorewall
+ temporarily      change    your net-&gt;all     policy    to REJECT, restart 
-  and   do    the   nmap UDP scan again.</p>
+ Shorewall   and   do    the   nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
@ -725,14 +746,15 @@ slightly on the amount   of Windows  chatter on LAN segments    connected
 <p align="left">a) Create /etc/shorewall/common if it doesn't already exist. 
   <br>
-                                              b) Be sure that the first command 
+                                                b) Be sure that the first 
-  in the file is ". /etc/shorewall/common.def"<br>
+command    in the file is ". /etc/shorewall/common.def"<br>
                                                c) Add the following to /etc/shorewall/common 
           </p>
 <blockquote>                                                             
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
                       -j ACCEPT<br>
                           </p>
@ -751,7 +773,8 @@ syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
 href="Documentation.htm#Rules">rules</a>. The destination for messaged 
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
                      When you have changed /etc/syslog.conf, be sure to restart
-      syslogd        (on    a  RedHat system, "service syslog restart"). </p>
+       syslogd        (on    a  RedHat system, "service syslog restart"). 
 </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages 
@ -761,8 +784,10 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <div align="left">                                                
-<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
+<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br></pre>
- href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
+Beginning with Shorewall version 1.3.12, you can <a
 href="shorewall_logging.html">set up Shorewall to log all of its messages
 to a separate file</a>.<br>
                                                </div>
@ -776,6 +801,7 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <blockquote>                                                             
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                                                <a
@ -788,8 +814,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
                               </p>
                             </blockquote>
                             I personnaly use Logwatch. It emails me a report 
- each   day   from   my  various    systems with each report summarizing the
+  each   day   from   my  various    systems with each report summarizing 
- logged   activity   on  the  corresponding    system.                  
+the  logged   activity   on  the  corresponding    system.               
 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
        are <b>flooding the logs</b> with their connect requests. Can i exclude
@ -799,8 +825,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <pre>	DROP    net    fw    udp    10619</pre>
 <h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow
-       of these DROP messages from port 53 to some high numbered port.  They
+        of these DROP messages from port 53 to some high numbered port. 
-   get    dropped, but what the heck are they?</h4>
+They     get    dropped, but what the heck are they?</h4>
 <pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
                <b>Answer: </b>There are two possibilities:<br>
@ -813,8 +839,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
                You can distinguish the difference by setting the <b>logunclean</b> 
     option   (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
      on   your external interface (eth0 in the above example). If they get
- logged    twice,  they are corrupted. I solve this problem by using an /etc/shorewall/common
+  logged    twice,  they are corrupted. I solve this problem by using an
-       file like this:<br>
+/etc/shorewall/common         file like this:<br>
 <blockquote>                                                
  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
@ -824,8 +850,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
   Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br>
 <h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
-    Shorewall log messages so long? I thought MAC addresses were only 6 bytes
+     Shorewall log messages so long? I thought MAC addresses were only 6
-    in length.</h4>
+bytes      in length.</h4>
   What is labeled as the MAC address in a Shorewall log message   is actually 
 the Ethernet frame header. IT contains:<br>
@ -873,14 +899,22 @@ the Ethernet frame header. IT contains:<br>
 <div align="left">                                                
-<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
+<pre align="left">     <b><font color="#009900">service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</font></b></pre>
                                                </div>
 <div align="left">                                                
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
                       for  problems concerning the version of iptables (v1.2.3) 
-      shipped        with     RH7.2.</p>
+       shipped        with     RH7.2.<br>
 </p>
 <h4><a name="faq8a"></a><b>8a. </b>When I try to start Shorewall on RedHat 
 I get a message referring me to FAQ #8</h4>
 <b>Answer:</b> This is usually cured by the sequence of commands shown above 
 in FAQ #8                                                                
 <h4>                                              </h4>
 </div>
@ -940,10 +974,10 @@ the Ethernet frame header. IT contains:<br>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
-                      (<a href="http://www.cityofshoreline.com">the      city
+                       (<a href="http://www.cityofshoreline.com">the     
-    where      I  live</a>)          and "Fire<u>wall</u>". The full name
+city     where      I  live</a>)          and "Fire<u>wall</u>". The full 
-of   the product      is actually "Shoreline Firewall" but "Shorewall" is
+name of   the product      is actually "Shoreline Firewall" but "Shorewall" 
-must   more commonly   used.</p>
+is must   more commonly   used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
@ -970,8 +1004,8 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 <div align="left">                                                  
 <p align="left">If you are running version 1.3.1 or later, simply add the 
-                         following to<a href="Documentation.htm#rfc1918"> 
+                          following to<a
-/etc/shorewall/rfc1918</a>:</p>
+ href="Documentation.htm#rfc1918">  /etc/shorewall/rfc1918</a>:</p>
                                               </div>
@ -983,7 +1017,8 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 id="AutoNumber3">
                                                      <tbody>
                                                     <tr>
-                                                      <td><u><b>SUBNET </b></u></td>
+                                                        <td><u><b>SUBNET
        </b></u></td>
                                                        <td><u><b>TARGET</b></u></td>
                                                      </tr>
                                                      <tr>
@ -996,6 +1031,7 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
    </tbody>                                                             
  </table>
                                                  </blockquote>
                                                </div>
@ -1116,8 +1152,8 @@ to the internet.</p>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting 
           logged?</h4>
-                                         <b>Answer: </b>Logging occurs out
+                                           <b>Answer: </b>Logging occurs
- of  a  number    of  chains    (as   indicated      in  the log message)
+out   of  a  number    of  chains    (as   indicated      in  the log message)
 in Shorewall:<br>
@ -1128,11 +1164,11 @@ in Shorewall:<br>
                                             <li><b>rfc1918</b> - The source
  address     is  listed    in  /etc/shorewall/rfc1918          with a <b>logdrop
      </b>target      -- see      <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-                                          <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
+                                            <li><b>all2&lt;zone&gt;</b>,
-           or      <b>all2all          </b>-  You have a<a
+    <b>&lt;zone&gt;2all</b>             or      <b>all2all          </b>-
- href="Documentation.htm#Policy"> policy</a> that     specifies a  log level 
+ You have a<a href="Documentation.htm#Policy"> policy</a> that     specifies
-            and this packet is being logged under that policy.     If you 
+a  log level              and this packet is being logged under that policy.
-intend        to   ACCEPT this traffic then you need a  <a
+    If you  intend        to   ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                                            </li>
                                             <li><b>&lt;zone1&gt;2&lt;zone2&gt; 
@ -1142,17 +1178,18 @@ intend        to   ACCEPT this traffic then you need a  <a
 this     packet is being         logged under that policy   or this packet 
 matches    a     <a href="Documentation.htm#Rules">rule</a>   that includes 
 a log level.</li>
-                                    <li><b>&lt;interface&gt;_mac</b> - The
+                                      <li><b>&lt;interface&gt;_mac</b> -
- packet    is  being    logged    under    the      <b>maclist</b> <a
+The   packet    is  being    logged    under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
                                      </li>
                                             <li><b>logpkt</b> - The packet 
 is  being    logged    under    the       <b>logunclean</b>            <a
 href="Documentation.htm#Interfaces">interface   option</a>.</li>
                                             <li><b>badpkt </b>- The packet 
-is  being    logged    under    the       <b>dropunclean</b>            <a
+ is  being    logged    under    the       <b>dropunclean</b>            
- href="Documentation.htm#Interfaces">interface  option</a> as specified  
+   <a href="Documentation.htm#Interfaces">interface  option</a> as specified 
-    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+      in the <b>LOGUNCLEAN </b>setting in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
                                             <li><b>blacklst</b> - The packet 
  is  being    logged    because     the   source    IP  is blacklisted in 
 the<a href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist     
@ -1176,6 +1213,7 @@ of   your  defined   zones    ("shorewall    check"    and  look at the
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
                   with Shorewall, and maintain separate rulesets for different 
      IPs?</h4>
@ -1185,8 +1223,8 @@ of   your  defined   zones    ("shorewall    check"    and  look at the
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
                 but they don't seem to do anything. Why?</h4>
                                   You probably haven't set TC_ENABLED=Yes
-in  /etc/shorewall/shorewall.conf                so the contents of the tcrules 
+ in  /etc/shorewall/shorewall.conf                so the contents of the
- file are simply being ignored.<br>
+tcrules   file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
                 to change Shorewall to allow access to my server from the
@ -1209,12 +1247,12 @@ you used during your initial setup for information about      how to set
      is  my  internal     LAN<br>
                                <br>
                                <b>Answer: </b>While most people associate
-the   Internet     Control     Message     Protocol (ICMP) with 'ping', ICMP
+ the   Internet     Control     Message     Protocol (ICMP) with 'ping',
-is   a key piece    of  the internet.     ICMP   is  used to report problems
+ICMP  is   a key piece    of  the internet.     ICMP   is  used to report
-back  to the sender    of a packet; this   is  what  is happening  here.
+problems  back  to the sender    of a packet; this   is  what  is happening
-Unfortunately,  where NAT   is involved (including     SNAT,  DNAT and Masquerade),
+ here. Unfortunately,  where NAT   is involved (including     SNAT,  DNAT
- there  are a lot  of broken implementations.    That is  what you are seeing
+and Masquerade),  there  are a lot  of broken implementations.    That is
-with   these messages.<br>
+ what you are seeing with   these messages.<br>
                                <br>
                               Here is my interpretation of what is happening 
  --  to  confirm     this   analysis,    one would have to have packet sniffers
@ -1222,13 +1260,13 @@ with   these messages.<br>
                               <br>
                               Host 172.16.1.10 behind NAT gateway 206.124.146.179
     sent   a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried
-to   send a  response   (the response   information  is in the brackets --
+ to   send a  response   (the response   information  is in the brackets
-note   source  port 53 which   marks this as  a DNS reply).  When the response
+--  note   source  port 53 which   marks this as  a DNS reply).  When the
- was  returned  to to 206.124.146.179,    it rewrote  the destination  IP
+response   was  returned  to to 206.124.146.179,    it rewrote  the destination
-TO 172.16.1.10   and forwarded the packet  to  172.16.1.10  who no longer
+ IP  TO 172.16.1.10   and forwarded the packet  to  172.16.1.10  who no longer
 had  a connection   on UDP port 2857. This causes    a port unreachable
-(type 3, code  3) to   be generated back to 192.0.2.3.   As this packet is
+ (type 3, code  3) to   be generated back to 192.0.2.3.   As this packet
-sent  back through  206.124.146.179,    that box correctly   changes the
+is sent  back through  206.124.146.179,    that box correctly   changes the
 source address  in the packet  to 206.124.146.179    but doesn't   reset
 the DST IP in the original   DNS response  similarly.    When the ICMP  
 reaches your firewall (192.0.2.3),   your firewall  has  no  record of having
@ -1246,20 +1284,20 @@ by RFC 1918.<br>
                                You can place these commands in one of the
 <a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
 Be sure that you look at the contents of the chain(s) that you will be modifying
-           with your commands to be sure that the commands will do what they
+            with your commands to be sure that the commands will do what
-   are    intended.    Many iptables commands published in HOWTOs and other
+they     are    intended.    Many iptables commands published in HOWTOs and
-  instructional    material    use the -A command which adds the rules to
+other    instructional    material    use the -A command which adds the rules
-the  end of the chain.    Most chains    that Shorewall constructs end with
+to  the  end of the chain.    Most chains    that Shorewall constructs end
-an  unconditional DROP,   ACCEPT or REJECT    rule and any rules that you
+with  an  unconditional DROP,   ACCEPT or REJECT    rule and any rules that
-add  after that will be ignored.   Check "man iptables"   and look at the
+you  add  after that will be ignored.   Check "man iptables"   and look at
-I (--insert)  command.<br>
+the  -I (--insert)  command.<br>
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
           web site?</h4>
                      The Shorewall web site is almost font neutral (it doesn't 
-  explicitly       specify fonts except on a few pages) so the fonts you see
+   explicitly       specify fonts except on a few pages) so the fonts you 
-  are largely   the   default fonts configured  in your browser. If you don't
+see   are largely   the   default fonts configured  in your browser. If you 
-  like them then  reconfigure   your browser.<br>
+don't   like them then  reconfigure   your browser.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say 
         the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
@ -1281,17 +1319,12 @@ add  after that will be ignored.   Check "man iptables"   and look at the
      <br>
      <font color="#009900"><b>    /sbin/shorewall version</b></font><br>
      <br>
-    <font size="2">Last updated 3/6/2003 - <a href="support.htm">Tom   Eastep</a></font>
+      <font size="2">Last updated 3/11/2003 - <a href="support.htm">Tom 
 Eastep</a></font>                                                      
 <p><a href="copyright.htm"><font size="2">Copyright</font>              
 © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
       <br>
      <br>
     <br>
     <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -37,8 +37,8 @@
                                        </td>
                                      </tr>
                                      <tr>
-                                      <td width="100%" bgcolor="#ffffff"> 
+                                        <td width="100%"
-                                                                         
+ bgcolor="#ffffff">                                                      
@ -59,25 +59,23 @@
                                   </li>
                                                          <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
-                                        <li> <a href="Documentation.htm">Reference
+                                          <li> <a
-     Manual</a></li>
+ href="Documentation.htm">Reference      Manual</a></li>
                                          <li> <a href="FAQ.htm">FAQs</a></li>
-                                         <li><a href="useful_links.html">Useful 
+                                           <li><a
-   Links</a><br>
+ href="useful_links.html">Useful     Links</a><br>
                                           </li>
-                                        <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
+                                          <li> <a
 href="troubleshoot.htm">Troubleshooting</a></li>
                                          <li> <a href="errata.htm">Errata</a></li>
                                          <li> <a
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
-                                        <li> <a href="support.htm">Support</a></li>
+                                          <li> <a href="support.htm">Getting 
-        <li><a href="Forum.html">Support Forum</a> <img
+help or Answers to Questions</a><br>
 src="images/new10.gif" alt="(New)" width="28" height="12">
          <br>
         </li>
-                                                   <li> <a
+                                                                        
- href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
+                              <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
-                                        <li> <a
+                                                                         
 href="shorewall_mirrors.htm">Mirrors</a>                                
@ -115,7 +113,8 @@
      <ul>
-                                        <li>   <a href="News.htm">News Archive</a></li>
+                                          <li>   <a href="News.htm">News
 Archive</a></li>
                                          <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
                                          <li> <a href="quotes.htm">Quotes
@ -157,15 +156,8 @@ Daily    0200-0330      GMT.<br>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001-2003 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a><a
 href="http://www.shorewall.net" target="_top"> </a></p>
 <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
 src="images/shorewall.jpg" width="119" height="38" hspace="0">
                    </a><br>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -16,8 +16,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                                 <base
+                                                                        
- target="main">                                                         
+  <base target="main">                                                  
  <meta name="Microsoft Theme" content="none">
 </head>
@ -44,7 +44,7 @@
      <ul>
                                           <li> <a
- href="seattlefirewall_index.htm">Home</a></li>
+ href="sourceforge_index.htm">Home</a></li>
                                                   <li> <a
 href="shorewall_features.htm">Features</a></li>
                                           <li> <a
@ -65,19 +65,16 @@
                                            <li><a
 href="useful_links.html">Useful     Links</a><br>
                                            </li>
-                                         <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
+                                           <li> <a
 href="troubleshoot.htm">Troubleshooting</a></li>
                                           <li> <a href="errata.htm">Errata</a></li>
                                           <li> <a
 href="upgrade_issues.htm">Upgrade     Issues</a></li>
-                                         <li> <a href="support.htm">Support</a></li>
+                                           <li> <a href="support.htm">Getting 
-        <li><a href="Forum.html">Support Forum</a> <img
+Help or Answers to Questions</a></li>
- src="images/new10.gif" alt="(New)" width="28" height="12">
+                                                                        
-   <br>
+                                <li> <a href="shorewall_mirrors.htm">Mirrors</a> 
- </li>
+                                                                         
                                                    <li> <a
 href="http://lists.shorewall.net/mailing_list.htm">Mailing  Lists</a></li>
                                         <li> <a
 href="shorewall_mirrors.htm">Mirrors</a>                               
@ -103,19 +100,23 @@
          </ul>
                                           </li>
      </ul>
      <ul>
-                                         <li>   <a href="News.htm">News Archive</a></li>
+                                           <li>   <a href="News.htm">News 
 Archive</a></li>
                                           <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
                                           <li> <a href="quotes.htm">Quotes 
@ -128,6 +129,7 @@ from   Users</a></li>
      </ul>
                                         </td>
                                       </tr>
@ -136,6 +138,7 @@ from   Users</a></li>
  </tbody>                                    
 </table>
 <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
                        <strong><br>
                                 <b>Note: </b></strong>Search is unavailable
@ -143,9 +146,9 @@ from   Users</a></li>
                                 <strong></strong>                      
  <p><strong>Quick Search</strong><br>
-                                     <font face="Arial" size="-1">     <input
+                                       <font face="Arial" size="-1">    
- type="text" name="words" size="15"></font><font size="-1"> </font>   <font
+  <input type="text" name="words" size="15"></font><font size="-1"> </font>
- face="Arial" size="-1">     <input type="hidden" name="format"
+  <font face="Arial" size="-1">     <input type="hidden" name="format"
 value="long">     <input type="hidden" name="method" value="and">     <input
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
@ -156,11 +159,9 @@ from   Users</a></li>
 <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001-2003 Thomas M. Eastep.</font></a></p>
+ size="2">2001-2003 Thomas M. Eastep.</font></a><br>
-                                                                   <br>
+</p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata_3.html
+++ b/Shorewall-docs/errata_3.html
@ -40,6 +40,7 @@
 <ol>
                          <li>                                          
    <p align="left">          <b><u>I</u>f you use a Windows system to download
           a corrected     script, be sure to run the script through <u>
           <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -48,6 +49,7 @@
                                       </li>
                          <li>                                          
    <p align="left">          <b>If you are installing Shorewall for the
 first time and plan to use the        .tgz and install.sh script, you can
 untar the archive, replace the        'firewall' script in the untarred directory
@ -55,9 +57,10 @@ untar the archive, replace the        'firewall' script in the untarred director
                                       </li>
                          <li>                                          
    <p align="left">          <b>If you are running a Shorewall version earlier
-   than 1.3.11, when the instructions say to install a corrected        firewall
+    than 1.3.11, when the instructions say to install a corrected       
-   script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
+firewall     script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
      or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
 overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD
 /etc/shorewall/firewall               or /var/lib/shorewall/firewall  before
@ -114,19 +117,26 @@ and   NAT</a></b><br>
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated 
  rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 
 223.0.0.0/8.</li>
 </ul>
 <ul>
   <li>The documentation for the routestopped file claimed that a comma-separated 
  list could appear in the second column while the code only supported a single
- host or network address. This has been corrected in <a
+  host or network address.</li>
   <li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
   <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
 support  the 'maclist' interface option.</li>
   <li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
  <li>The firewall fails to start in the case where you have "eth0 eth1"
 in /etc/shorewall/masq and the default route is through eth1.<br>
   </li>
 </ul>
    These problems have been corrected in <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this 
  firewall script</a> which may be installed in /usr/lib/shorewall as described 
- above.</li>
+  above.<br>
  <li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited. 
 This has been corrected in <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
 firewall script</a> (contains a fix for the preceding problem as well) which
 may be installed in /usr/lib/shorewall as described  above.<br>
   </li>
 </ul>
 <h3>Version 1.3.13</h3>
@ -145,9 +155,9 @@ may be installed in /usr/lib/shorewall as described  above.<br>
    above.<br>
 <ul>
-     <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) 
+       <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., 
- are not supported in this version or in 1.3.12. If you need such support, 
+eth0.1)   are not supported in this version or in 1.3.12. If you need such 
- post on the users list and I can provide you with a patched version.<br>
+support,   post on the users list and I can provide you with a patched version.<br>
       </li>
 </ul>
@ -161,9 +171,9 @@ is  the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
    firewall script</a> which may be installed in /usr/lib/shorewall as described
    above.</li>
-     <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
+       <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., 
-  are not supported in this version or in 1.3.13. If you need such support,
+eth0.1)   are not supported in this version or in 1.3.13. If you need such 
-  post on the users list and I can provide you with a patched version.<br>
+support,   post on the users list and I can provide you with a patched version.<br>
        </li>
 </ul>
@ -171,9 +181,9 @@ is  the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
 <h3>Version 1.3.12 LRP</h3>
 <ul>
-         <li>The .lrp was missing the /etc/shorewall/routestopped file -- 
+           <li>The .lrp was missing the /etc/shorewall/routestopped file
-a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this 
+--  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects
-problem.<br>
+this  problem.<br>
           </li>
 </ul>
@ -201,9 +211,9 @@ problem.<br>
             These warnings are harmless and may be ignored. Users downloading
   the   .rpm  from shorewall.net or mirrors should no longer see these warnings
   as  the .rpm you will get from there has been corrected.</li>
-            <li>DNAT rules that exclude a source subzone (SOURCE column contains
+              <li>DNAT rules that exclude a source subzone (SOURCE column 
-    !  followed by a sub-zone list) result in an error message and Shorewall
+contains     !  followed by a sub-zone list) result in an error message and 
-   fails  to start.<br>
+Shorewall    fails  to start.<br>
                <br>
            Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
@ -224,11 +234,11 @@ running     on  your firewall and you have a 'pptpserver' entry in /etc/shorewal
           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
       version of the firewall script</a> may help. Please report any cases
- where     installing this script in /usr/lib/shorewall/firewall solved your
+  where     installing this script in /usr/lib/shorewall/firewall solved
- connection     problems. Beginning with version 1.3.10, it is safe to save
+your   connection     problems. Beginning with version 1.3.10, it is safe
- the old version     of /usr/lib/shorewall/firewall before copying in the
+to save   the old version     of /usr/lib/shorewall/firewall before copying
-new one since /usr/lib/shorewall/firewall     is the real script now and
+in the  new one since /usr/lib/shorewall/firewall     is the real script
-not just a symbolic link to the real script.<br>
+now and not just a symbolic link to the real script.<br>
                 </li>
 </ul>
@ -268,8 +278,8 @@ file /etc/shorewall/functions.         <a
 </ul>
 <h3>Version 1.3.9</h3>
-                 <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall 
+                   <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
-   script    at  <a
+firewall     script    at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
        -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
@ -278,9 +288,9 @@ file /etc/shorewall/functions.         <a
 <ul>
                       <li> Use of shell variables in the LOG LEVEL or SYNPARMS 
   columns     of  the  policy file doesn't work.</li>
-                     <li>A DNAT rule with the same original and new IP addresses
+                       <li>A DNAT rule with the same original and new IP
-    but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
+addresses      but   with   different  port numbers doesn't work (e.g., "DNAT
-      tcp   25 - 10.1.1.1")<br>
+loc dmz:10.1.1.1:24        tcp   25 - 10.1.1.1")<br>
                       </li>
 </ul>
@ -291,6 +301,7 @@ file /etc/shorewall/functions.         <a
  problems.                             
 <h3>Version 1.3.7b</h3>
 <p>DNAT rules where the source zone is 'fw' ($FW)                       
        result in an error message. Installing                          
    <a
@ -299,8 +310,10 @@ file /etc/shorewall/functions.         <a
                                          as described above corrects this
 problem.</p>
 <h3>Version 1.3.7a</h3>
 <p>"shorewall refresh" is not creating the proper                       
        rule for FORWARDPING=Yes. Consequently, after                   
            "shorewall refresh", the firewall will not forward          
@ -311,8 +324,10 @@ problem.</p>
                                          as described above corrects this
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
 <p>If "norfc1918" and "dhcp" are both specified as                      
         options on a given interface then RFC 1918                     
          checking is occurring before DHCP checking. This              
@ -321,10 +336,11 @@ problem.</p>
                             reject the broadcast (usually logging it). This
                                          has two problems:</p>
 <ol>
                                                       <li>If the firewall
-is  running     a  DHCP   server,                                   the client 
+ is  running     a  DHCP   server,                                   the
- won't be   able   to obtain   an IP  address                            
+client   won't be   able   to obtain   an IP  address                   
              lease  from that   server.</li>
                                                       <li>With this order
 of  checking,      the   "dhcp"                                   option
@ -338,17 +354,20 @@ cannot  be used as   a  noise-reduction
 <p>                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           This version of the 1.3.7a firewall script </a> 
-                                        corrects the problem. It must be installed
+                                         corrects the problem. It must be 
-         in /var/lib/shorewall                                as described
+installed          in /var/lib/shorewall                                as 
- above.</p>
+described  above.</p>
 <h3>Version 1.3.7</h3>
 <p>Version 1.3.7 dead on arrival -- please use                          
     version 1.3.7a and check your version against                      
         these md5sums -- if there's a difference, please               
                download again.</p>
 <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
 <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
@ -450,8 +469,8 @@ so it's a            good idea to run that command after you have made configura
           that specifies an interface that you didn't            include
 in   /etc/shorewall/interfaces.        To correct this problem, you     
      must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3
-and             later versions produce a clearer error    message    in this
+ and             later versions produce a clearer error    message    in
-case.</p>
+this  case.</p>
 <h3 align="left">Version 1.3.2</h3>
@ -464,8 +483,8 @@ version            has a size of 38126 bytes.</p>
                                   <li>The code to detect a duplicate interface 
   entry    in             /etc/shorewall/interfaces contained a typo that 
 prevented    it from               working correctly. </li>
-                                 <li>"NAT_BEFORE_RULES=No" was broken; it 
+                                   <li>"NAT_BEFORE_RULES=No" was broken;
-behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
+it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -492,8 +511,8 @@ behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
                                   <li>TCP SYN packets may be double counted
  when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy
  (i.e.,    each              packet is sent through the limit chain twice).</li>
-                                 <li>An unnecessary jump to the policy chain
+                                   <li>An unnecessary jump to the policy
-  is  sometimes                 generated for a CONTINUE policy.</li>
+chain    is  sometimes                 generated for a CONTINUE policy.</li>
                                   <li>When an option is given for more than
  one   interface      in               /etc/shorewall/interfaces then depending
   on the option,     Shorewall                may ignore all but the first
@ -610,36 +629,42 @@ download         from<font color="#ff6633">   <a
  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
  user-space debugging code was not updated to reflect recent changes in
-          the     Netfilter 'mangle' table. You can correct the problem by
+           the     Netfilter 'mangle' table. You can correct the problem
- installing            <a
+by   installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
              this iptables RPM</a>. If you are already running a 1.2.5 version 
-     of       iptables, you will need to specify the --oldpackage option to
+      of       iptables, you will need to specify the --oldpackage option 
-  rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                        </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
           RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict                      
         with kernel &lt;= 2.2 yet you have a 2.4 kernel                
               installed, simply use the "--nodeps" option to           
                    rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <h3><a name="Multiport"></a><b>Problems with                            
   iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made                      
         an incompatible change to the syntax used to                   
            specify multiport match rules; as a consequence,            
                   if you install iptables 1.2.7 you must be running    
                           Shorewall 1.3.7a or later or:</p>
 <ul>
                                                       <li>set MULTIPORT=No 
 in                                   /etc/shorewall/shorewall.conf; or </li>
@ -662,12 +687,12 @@ in                                   /etc/shorewall/shorewall.conf; or </li>
                  Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-                The solution is to put "no" in the LOCAL column. Kernel support 
+                  The solution is to put "no" in the LOCAL column. Kernel 
-   for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled 
+support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has 
-it.   The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
+disabled  it.   The  2.4.19 kernel   contains corrected support under a new 
-   option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 2/18/2003 -                            
+<p><font size="2">  Last updated 3/8/2003 -                              
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
@ -684,5 +709,7 @@ it.   The  2.4.19 kernel   contains corrected support under a new kernel configu
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/images/Thumbs.db
+++ b/Shorewall-docs/images/Thumbs.db
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -7,6 +7,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
@ -15,9 +16,8 @@
-                                                             <base
+                                                                        
- target="_self">                     
+          <base target="_self">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
@ -43,33 +43,46 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                                        </a></i></font><font
+                                             </a></i></font><a
- color="#ffffff">Shorewall  1.4     -               <font size="4">"<i>iptables 
+ href="http://www.shorewall.net" target="_top"><img border="1"
-                   made    easy"</i></font></font></h1>
+ src="images/shorewall.jpg" width="119" height="38" hspace="4"
-                                                                        
+ alt="(Shorewall Logo)" align="right" vspace="4">
-                                                                        
+                          </a></h1>
-                                                                        
+                 <small><small><small><small><a
-                                                                        
+ href="http://www.shorewall.net" target="_top">        </a></small></small></small></small><big></big>
      <div align="center"><a
 href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.3 Site here</font></a><br>
      <div align="center">              
      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
        </div>
                                 <br>
      <p><a href="http://www.shorewall.net" target="_top">              
       </a> </p>
      <div align="center"><a href="http://1.3/index.htm" target="_top"><font
 color="#ffffff">Shorewall 1.3 Site is here</font></a>                   
             <br>
                                                  </div>
        </td>
                                              </tr>
@ -122,9 +135,10 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+                 
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-       that can be used on a dedicated firewall system, a multi-function 
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -138,28 +152,30 @@
      <p>This program is free software; you can redistribute it and/or modify
-                                                  it        under the terms 
+                                                     it        under the
-  of         <a href="http://www.gnu.org/licenses/gpl.html">Version      
+terms      of         <a href="http://www.gnu.org/licenses/gpl.html">Version
- 2 of  the GNU General Public License</a> as published by the Free Software 
+       2 of  the GNU General Public License</a> as published by the Free
-        Foundation.<br>
+Software            Foundation.<br>
                                                 <br>
                                            This   program     is  distributed
         in   the     hope     that     it   will     be  useful,    but
        WITHOUT    ANY      WARRANTY;      without      even the   implied
- warranty       of MERCHANTABILITY                or  FITNESS    FOR   A
+   warranty       of MERCHANTABILITY                or  FITNESS    FOR  
- PARTICULAR       PURPOSE.        See the    GNU General     Public  License
+A  PARTICULAR       PURPOSE.        See the    GNU General     Public  License 
             for   more details.<br>
                                                 <br>
                                            You   should    have   received 
     a   copy     of   the     GNU     General         Public      License
-           along     with    this   program;       if  not,    write  to
+              along     with    this   program;       if  not,    write 
- the    Free Software           Foundation,              Inc.,  675     Mass 
+to    the    Free Software           Foundation,              Inc.,  675
- Ave,  Cambridge,   MA    02139,       USA</p>
+    Mass   Ave,  Cambridge,   MA    02139,       USA</p>
@ -185,88 +201,51 @@
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                        </a>Jacques              Nilo   and 
+                                             </a>Jacques              Nilo
-   Eric     Wolzak       have     a   LEAF  (router/firewall/gateway     
+   and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway
-   on  a  floppy,    CD    or compact     flash)  distribution        called 
+          on  a  floppy,    CD    or compact     flash)  distribution   
-               <i>Bering</i>          that          features      Shorewall-1.3.14
+    called                 <i>Bering</i>          that          features
-     and    Kernel-2.4.20.          You    can  find    their    work at:
+     Shorewall-1.3.14      and    Kernel-2.4.20.          You    can  find
-               <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+   their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                                            </a></p>
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+                                                                        
-1.1!!!</b><br>
+                                                                        
      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.1!!! </b><br>
                                                       </p>
-                                                                        
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
-                                                                        
+(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
      <h2>News</h2>
-                                                                        
+      <p><b>3/17/2003 - Shorewall 1.4.0 </b><b>       </b><b><img
      <h2></h2>
      <p><b>3/14/2003 - Shorewall 1.4.0</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-                          </b></p>
+             </b><b>                  </b></p>
-                                                                        
+                                                          Shorewall 1.4 represents
-                               
+     the  next  step in the evolution of Shorewall. The main thrust of the
-      <p></p>
+ initial    release  is simply to remove the cruft that has accumulated in
-        Shorewall 1.4 represents the next step in the evolution of Shorewall. 
+ Shorewall   over time.       <br>
-  The  main thrust of the initial release is simply to remove the cruft that 
+              <br>
  has  accumulated in Shorewall over time.<br>
  <br>
              <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
     ('ip' utility).</b><br>
              <br>
-    Function from 1.3 that has been omitted from this version include:<br>
+                  Function from 1.3 that has been omitted from this version 
 include:<br>
      <ol>
-                         <li>The MERGE_HOSTS variable in shorewall.conf is 
+         <li>The MERGE_HOSTS variable in shorewall.conf  is  no  longer supported. 
-no longer supported.   Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+   Shorewall 1.4 behavior is the same as 1.3 with  MERGE_HOSTS=Yes.<br>
                     <br>
                   </li>
         <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
@ -283,8 +262,8 @@ no longer supported.   Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOST
     an error at startup if specified.<br>
                     <br>
                   </li>
-                <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
+         <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules  is  no 
-is  no  longer  accepted.<br>
+ longer   accepted.<br>
                     <br>
                   </li>
         <li>The ALLOWRELATED variable in shorewall.conf is no longer   
@ -292,32 +271,12 @@ is  no  longer  accepted.<br>
                   <br>
                 </li>
         <li>The icmp.def file has been removed.<br>
               <br>
                 </li>
             <li value="8">The 'multi' interface option is no longer supported. 
   Shorewall will generate rules for sending packets back out the same interface 
  that they arrived on in two cases:</li>
      </ol>
      <ul>
             <li>There is an <u>explicit</u> policy for the source zone to
 or  from the destination zone. An explicit policy names both zones and does 
 not  use the 'all' reserved word.</li>
             <li>There are one or more rules for traffic for the source zone
  to or from the destination zone including rules that use the 'all' reserved 
  word. Exception: if the source zone and destination zone are the same then 
  the rule must be explicit - it must name the zone in both the SOURCE and 
 DESTINATION columns.<br>
        </li>
      </ul>
      <ol>
      </ol>
                  Changes for 1.4 include:<br>
      <ol>
         <li>The /etc/shorewall/shorewall.conf file has been completely 
   reorganized    into logical sections.<br>
@ -326,18 +285,18 @@ is  no  longer  accepted.<br>
         <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
                     <br>
                   </li>
-                <li>The firewall script and version file are now installed
+         <li>The firewall script, common functions file and version   file 
- in  /usr/share/shorewall.<br>
+ are now installed in /usr/share/shorewall.<br>
                     <br>
                   </li>
-                <li>Late arriving DNS replies are now silently dropped in 
+         <li>Late arriving DNS replies are now silently dropped in  the 
-the   common  chain by default.<br>
+ common   chain  by default.<br>
                     <br>
                   </li>
         <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
-   1.4 no longer unconditionally accepts outbound ICMP packets. So if you
+     1.4  no  longer unconditionally accepts outbound ICMP packets. So if 
-want    to 'ping' from the firewall, you will need the appropriate rule or
+you    want to 'ping'  from the firewall, you will need the appropriate rule 
-policy.<br>
+or   policy.<br>
                    <br>
                  </li>
         <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
@ -347,53 +306,195 @@ policy.<br>
     now support the 'maclist' option.<br>
                    <br>
                  </li>
-        <li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
+         <li value="8">Explicit Congestion Notification (ECN - RFC 3168)
-now be turned off on a host or network basis using the new /etc/shorewall/ecn 
+   may  now be turned off on a host or network basis using the new /etc/shorewall/ecn 
    file. To use this facility:<br>
               <br>
-    a) You must be running kernel 2.4.20<br>
+              a) You must be running kernel 2.4.20<br>
-    b) You must have applied the patch in<br>
+              b) You must have applied the patch in<br>
-    http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
+              http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
-    c) You must have iptables 1.2.7a installed.<br>
+              c) You must have iptables 1.2.7a installed.<br>
               <br>
             </li>
         <li>The /etc/shorewall/params file is now processed first so  that 
  variables may be used in the /etc/shorewall/shorewall.conf file.<br>
               <br>
             </li>
         <li value="10">Shorewall now gives a more helpful diagnostic when 
  the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' 
  command is issued.<br>
          <br>
        </li>
         <li>The SHARED_DIR variable has been removed from shorewall.conf. 
  This variable was for use by package maintainers and was not documented 
 for  general use.<br>
          <br>
        </li>
         <li>Shorewall now ignores 'default' routes when detecting masq'd 
  networks.<br>
        </li>
      </ol>
       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top"></a>       
      <p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
-                                                                        
+      <p>A roleup of the following bug fixes and other updates:</p>
      <ul>
-                                                                        
+              <li>There is an updated rfc1918 file that reflects the resent 
-                                                                        
+ allocation  of 222.0.0.0/8 and  223.0.0.0/8.</li>
-                                                                        
+           <li>The documentation for the routestopped file claimed that a 
-                                                                        
+comma-separated      list could appear in the second column while the code 
-                                                                        
+only supported a  single   host or network address.</li>
            <li>Log messages produced by 'logunclean' and 'dropunclean' were
   not  rate-limited.          802.11b devices with names of the form <i>wlan</i>&lt;n&gt; 
  don't  support the 'maclist' interface option.</li>
            <li>Log messages generated by RFC 1918 filtering are not rate 
 limited.</li>
                             <li>The firewall fails to start in the case
 where   you have "eth0  eth1" in /etc/shorewall/masq and the default route
 is through   eth1.</li>
      </ul>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                   </b></p>
      <p>New features include</p>
      <ol>
                          <li>An OLD_PING_HANDLING option has been added
 to  shorewall.conf.        When   set to Yes, Shorewall ping handling is
 as it  has always been  (see     http://www.shorewall.net/ping.html).<br>
                           <br>
                       When OLD_PING_HANDLING=No, icmp echo (ping) is handled 
  via   rules    and   policies   just like any other connection request. 
 The  FORWARDPING=Yes      option   in shorewall.conf   and the 'noping' and 
 'filterping'  options   in   /etc/shorewall/interfaces   will   all generate 
 an error.<br>
                           <br>
                         </li>
                          <li>It is now possible to direct Shorewall to create
   a  "label"     such   as   "eth0:0" for IP addresses that it creates under
   ADD_IP_ALIASES=Yes      and  ADD_SNAT_ALIASES=Yes.  This is done by specifying
   the label instead     of just  the interface name:<br>
                        <br>
                          a) In the INTERFACE column of /etc/shorewall/masq<br>
                          b) In the INTERFACE column of /etc/shorewall/nat<br>
                        </li>
                          <li>Support for OpenVPN Tunnels.<br>
                       <br>
                   </li>
                          <li>Support for VLAN devices with names of the
 form   $DEV.$VID      (e.g.,  eth0.0)<br>
                         <br>
                       </li>
                       <li>In /etc/shorewall/tcrules, the MARK value may
 be  optionally      followed by ":" and either 'F' or 'P' to designate that 
 the  marking will     occur in the FORWARD or PREROUTING chains respectively. 
 If this additional     specification is omitted, the chain used to mark packets 
 will be determined     by the setting of the MARK_IN_FORWARD_CHAIN option 
 in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                       <br>
                     </li>
                          <li>When an interface name is entered in the SUBNET 
  column    of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded
   traffic     from  only the first subnet   defined on that interface. It
 did  not masquerade      traffic from:<br>
                        <br>
                          a) The subnets associated with other addresses
 on  the   interface.<br>
                          b) Subnets accessed through local routers.<br>
                        <br>
                       Beginning with Shorewall 1.3.14, if you enter an interface 
    name   in  the   SUBNET  column, shorewall will use the firewall's routing 
    table   to construct   the masquerading/SNAT rules.<br>
                        <br>
                       Example 1 -- This is how it works in 1.3.14.<br>
                          <br>
-                                                                        
+          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
      <p><b></b><a href="News.htm">More News</a></p>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                        <br>
                       When upgrading to Shorewall 1.3.14, if you have multiple 
   local    subnets     connected  to an interface that is specified in the 
  SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq 
  file will need  changing.   In most cases, you  will simply be able to remove
  redundant entries.  In some  cases though, you  might want to change from
  using the interface  name to listing specific subnetworks  if the change
 described above will cause masquerading  to occur on subnetworks  that you
 don't wish to masquerade.<br>
                        <br>
                       Example 2 -- Suppose that your current config is as
 follows:<br>
                          <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                        <br>
                          In this case, the second entry in /etc/shorewall/masq 
   is  no  longer    required.<br>
                        <br>
                       Example 3 -- What if your current configuration is 
 like   this?<br>
                        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                        <br>
                          In this case, you would want to change the entry
 in   /etc/shorewall/masq         to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                          </li>
      </ol>
                   <br>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b> 
                        </b></p>
                     Webmin version 1.060 now has Shorewall support included
  as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>.<b> 
         </b>                                                            
      <p><a href="News.htm">More News</a></p>
      <h2><a name="Donations"></a>Donations</h2>
@ -445,7 +546,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
-                                          </a></p>
+                                               </a></p>
@ -458,11 +559,11 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
-if       you try it and find it useful, please consider making a donation 
+but if       you try it and find it useful, please consider making a donation
                                                     to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                                             </td>
@ -480,10 +581,9 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                             <br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -40,8 +40,8 @@
  </tbody>                      
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.<br>
+we must  all first walk before we can run.<br>
      The French Translations are courtesy of Patrice Vetsel<br>
      </p>
@ -75,8 +75,8 @@ Shorewall      than   is  explained in the single-address guides above.</b></p>
 <ul>
                         <li><a
 href="shorewall_setup_guide.htm#Introduction">1.0   Introduction</a></li>
-                        <li><a href="shorewall_setup_guide.htm#Concepts">2.0
+                         <li><a
-  Shorewall      Concepts</a></li>
+ href="shorewall_setup_guide.htm#Concepts">2.0   Shorewall      Concepts</a></li>
                         <li><a
 href="shorewall_setup_guide.htm#Interfaces">3.0   Network     Interfaces</a></li>
                         <li><a
@ -108,8 +108,8 @@ Address     Resolution      Protocol</a></li>
  Setting     up  your   Network</a>                                    
    <ul>
-                          <li><a href="shorewall_setup_guide.htm#Routed">5.1
+                           <li><a
-  Routed</a></li>
+ href="shorewall_setup_guide.htm#Routed">5.1   Routed</a></li>
    </ul>
@ -122,10 +122,10 @@ Address     Resolution      Protocol</a></li>
        <ul>
-                            <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
+                             <li><a
-   SNAT</a></li>
+ href="shorewall_setup_guide.htm#SNAT">5.2.1    SNAT</a></li>
-                            <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
+                             <li><a
-   DNAT</a></li>
+ href="shorewall_setup_guide.htm#DNAT">5.2.2    DNAT</a></li>
                             <li><a
 href="shorewall_setup_guide.htm#ProxyARP">5.2.3    Proxy    ARP</a></li>
                             <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
@ -133,6 +133,7 @@ Address     Resolution      Protocol</a></li>
        </ul>
                           </li>
                           <li><a href="shorewall_setup_guide.htm#Rules">5.3
@ -143,7 +144,8 @@ Address     Resolution      Protocol</a></li>
    </ul>
                         </li>
-                        <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
+                         <li><a href="shorewall_setup_guide.htm#DNS">6.0
 DNS</a></li>
                         <li><a
 href="shorewall_setup_guide.htm#StartingAndStopping">7.0   Starting    and 
        Stopping the Firewall</a></li>
@ -154,8 +156,8 @@ Address     Resolution      Protocol</a></li>
 <p>The following documentation covers a variety of topics and <b>supplements
           the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
-    described      above</b>. Please review the appropriate guide before trying
+     described      above</b>. Please review the appropriate guide before
-    to use this    documentation directly.</p>
+trying     to use this    documentation directly.</p>
 <ul>
                         <li><a
@ -175,6 +177,7 @@ Address     Resolution      Protocol</a></li>
                         <li><a href="configuration_file_basics.htm">Common 
 configuration        file   features</a>                                
    <ul>
                           <li><a
 href="configuration_file_basics.htm#Comments">Comments  in configuration
@ -194,12 +197,13 @@ Address     Resolution      Protocol</a></li>
 href="configuration_file_basics.htm#Compliment">Complementing an IP address
    or Subnet</a></li>
                           <li><a
- href="configuration_file_basics.htm#Configs">Shorewall   Configurations
+ href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
-(making a test configuration)</a></li>
+a test configuration)</a></li>
                           <li><a
 href="configuration_file_basics.htm#MAC">Using    MAC Addresses in Shorewall</a></li>
    </ul>
                         </li>
                         <li><a href="Documentation.htm">Configuration File 
@ -240,8 +244,10 @@ Address     Resolution      Protocol</a></li>
                         </li>
                         <li><a href="dhcp.htm">DHCP</a></li>
                         <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-(How to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code through the use of
 files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
 etc.)</li>
                         <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                         <li><a href="shorewall_firewall_structure.htm">Firewall
    Structure</a></li>
@ -279,8 +285,8 @@ Address     Resolution      Protocol</a></li>
  </ul>
                         <li><font color="#000099"><a href="NAT.htm">Static 
 NAT</a></font></li>
-        <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy 
+         <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
-  with Shorewall</a><br>
+Proxy    with Shorewall</a><br>
         </li>
                         <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
                         <li>VPN                                        
@ -305,10 +311,11 @@ Address     Resolution      Protocol</a></li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M. 
   Eastep</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -10,7 +10,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
-  <title>Shoreline Firewall (Shorewall) 1.4</title>
+  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -18,7 +18,6 @@
                      <base target="_self">
  <meta name="author" content="Tom Eastep">
 </head>
  <body>
@ -51,8 +50,8 @@
 src="images/washington.jpg" border="0">
                                                </a></i></font><font
- color="#ffffff">Shorewall 1.4     -               <font size="4">"<i>iptables 
+ color="#ffffff">Shorewall           1.4     -               <font
-                     made  easy"</i></font></font><a
+ size="4">"<i>iptables                   made  easy"</i></font></font><a
 href="http://www.sf.net">                  </a></h1>
@ -65,6 +64,7 @@
      <div align="center"><a href="/1.3/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.3 Site here</font></a></div>
@ -74,6 +74,7 @@
  </tbody>                                                               
 </table>
@ -104,6 +105,7 @@
      <h2 align="left">What is it?</h2>
@ -139,8 +141,8 @@ GNU/Linux    system.</p>
      <p>This program is free software; you can redistribute it and/or modify 
                                                      it        under the 
 terms      of         <a href="http://www.gnu.org/licenses/gpl.html">Version 
-       2 of  the GNU General Public License</a> as published by the Free
+       2 of  the GNU General Public License</a> as published by the Free Software
-Software            Foundation.<br>
+           Foundation.<br>
                                                    <br>
@ -188,20 +190,21 @@ to    the    Free Software           Foundation,              Inc.,  675
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                                             </a>Jacques              Nilo
+                                                </a>Jacques             
-   and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway
+Nilo     and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway 
           on  a  floppy,    CD    or compact     flash)  distribution   
    called                 <i>Bering</i>          that          features 
    Shorewall-1.3.14      and    Kernel-2.4.20.          You    can  find 
    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                                                    <b>                 
+                                                        <b>Congratulations
 to  Jacques     and   Eric   on  the   recent    release     of  Bering
 1.1!!!        <br>
                                                        </b>            
-                                        <b>Congratulations to Jacques and 
+                                                                        
 Eric  on the recent release of Bering 1.1!!!</b><br>
      <h2>News</h2>
@ -219,22 +222,24 @@ Eric  on the recent release of Bering 1.1!!!</b><br>
-      <p><b>3/14/2003 - Shorewall 1.4.0</b><b>       </b><b><img
+      <p><b>3/17/2003 - Shorewall 1.4.0  </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-                         </b></p>
+          </b><b>                  </b></p>
                                                        Shorewall 1.4 represents
-the   next  step in the evolution of Shorewall. The main thrust of the initial
+    the  next  step in the evolution of Shorewall. The main thrust of the
- release  is simply to remove the cruft that has accumulated in Shorewall
+initial    release  is simply to remove the cruft that has accumulated in
-over time.       <br>
+Shorewall   over time.       <br>
            <br>
            <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
    ('ip' utility).</b><br>
            <br>
-        Function from 1.3 that has been omitted from this version include:<br>
+                Function from 1.3 that has been omitted from this version 
 include:<br>
      <ol>
-                        <li>The MERGE_HOSTS variable in shorewall.conf is 
+        <li>The MERGE_HOSTS variable in shorewall.conf is  no  longer supported.
-no longer supported.    Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+   Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
                  <br>
                </li>
        <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;  
@ -251,59 +256,40 @@ no longer supported.    Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOS
   an error at startup if specified.<br>
                  <br>
                </li>
-               <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
+        <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is  no 
- no  longer  accepted.<br>
+longer   accepted.<br>
                  <br>
                </li>
-               <li>The ALLOWRELATED variable in shorewall.conf is no longer 
+        <li>The ALLOWRELATED variable in shorewall.conf is no longer   supported.
- supported.   Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+    Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
                <br>
              </li>
        <li>The icmp.def file has been removed.<br>
              <br>
              </li>
            <li value="8">The 'multi' interface option is no longer supported.
   Shorewall will generate rules for sending packets back out the same interface
  that they arrived on in two cases:</li>
      </ol>
      <ul>
            <li>There is an <u>explicit</u> policy for the source zone to 
 or  from the destination zone. An explicit policy names both zones and does
 not  use the 'all' reserved word.</li>
            <li>There are one or more rules for traffic for the source zone 
 to or from the destination zone including rules that use the 'all' reserved
  word. Exception: if the source zone and destination zone are the same then
  the rule must be explicit - it must name the zone in both the SOURCE and
 DESTINATION columns.</li>
      </ul>
      <ul>
      </ul>
                Changes for 1.4 include:<br>
      <ol>
        <li>The /etc/shorewall/shorewall.conf file has been completely  
 reorganized    into logical sections.<br>
                  <br>
                </li>
-               <li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
+        <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
                  <br>
                </li>
-               <li>The firewall script and version file are now installed 
+        <li>The firewall script, common functions file and version  file
-in  /usr/share/shorewall.<br>
+ are now installed in /usr/share/shorewall.<br>
                  <br>
                </li>
-               <li>Late arriving DNS replies are now silently dropped in
+        <li>Late arriving DNS replies are now silently dropped in  the  
-the   common  chain by default.<br>
+common   chain  by default.<br>
                  <br>
                </li>
        <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
-  1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
+   1.4  no  longer unconditionally accepts outbound ICMP packets. So if you
-   to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
+   want to 'ping'  from the firewall, you will need the appropriate rule or
  policy.<br>
                 <br>
               </li>
        <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
@ -313,8 +299,8 @@ the   common  chain by default.<br>
   now support the 'maclist' option.<br>
                 <br>
               </li>
-        <li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
+        <li value="8">Explicit Congestion Notification (ECN - RFC 3168) 
-now be turned off on a host or network basis using the new /etc/shorewall/ecn 
+ may  now be turned off on a host or network basis using the new /etc/shorewall/ecn
    file. To use this facility:<br>
            <br>
           a) You must be running kernel 2.4.20<br>
@ -324,12 +310,167 @@ file. To use this facility:<br>
            <br>
          </li>
        <li>The /etc/shorewall/params file is now processed first so  that
-variables may be used in the /etc/shorewall/shorewall.conf file.</li>
+  variables may be used in the /etc/shorewall/shorewall.conf file.<br>
            <br>
          </li>
        <li value="10">Shorewall now gives a more helpful diagnostic when
 the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
 command is issued.<br>
       <br>
     </li>
        <li>The SHARED_DIR variable has been removed from shorewall.conf.
 This variable was for use by package maintainers and was not documented
 for  general use.<br>
       <br>
     </li>
        <li>Shorewall now ignores 'default' routes when detecting masq'd
 networks.<br>
     </li>
      </ol>
      <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
      <p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
      <p>A roleup of the following bug fixes and other updates:</p>
      <ul>
           <li>There is an updated rfc1918 file that reflects the resent
 allocation  of 222.0.0.0/8 and  223.0.0.0/8. </li>
         <li>The documentation for the routestopped file claimed that a comma-separated 
    list could appear in the second column while the code only supported a
 single   host or network address. </li>
         <li>Log messages produced by 'logunclean' and 'dropunclean' were 
 not  rate-limited. </li>
         <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
 don't  support the 'maclist' interface option. </li>
         <li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
         <li>The firewall fails to start in the case where you have "eth0 
 eth1" in /etc/shorewall/masq and the default route is through eth1      
        </li>
      </ul>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                  </b></p>
      <p>New features include</p>
      <ol>
                      <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
       When   set to Yes, Shorewall ping handling is as it has always been
 (see     http://www.shorewall.net/ping.html).<br>
                       <br>
                   When OLD_PING_HANDLING=No, icmp echo (ping) is handled 
 via   rules    and   policies   just like any other connection request. The 
 FORWARDPING=Yes      option   in shorewall.conf   and the 'noping' and 'filterping' 
 options   in   /etc/shorewall/interfaces   will   all generate an error.<br>
                       <br>
                     </li>
                      <li>It is now possible to direct Shorewall to create
 a  "label"     such   as   "eth0:0" for IP addresses that it creates under
 ADD_IP_ALIASES=Yes      and  ADD_SNAT_ALIASES=Yes.  This is done by specifying
 the label instead     of just  the interface name:<br>
                    <br>
                      a) In the INTERFACE column of /etc/shorewall/masq<br>
                      b) In the INTERFACE column of /etc/shorewall/nat<br>
                    </li>
                      <li>Support for OpenVPN Tunnels.<br>
                   <br>
               </li>
                      <li>Support for VLAN devices with names of the form 
 $DEV.$VID      (e.g.,  eth0.0)<br>
                      <br>
                    </li>
                    <li>In /etc/shorewall/tcrules, the MARK value may be
 optionally      followed by ":" and either 'F' or 'P' to designate that the
 marking will     occur in the FORWARD or PREROUTING chains respectively.
 If this additional     specification is omitted, the chain used to mark packets
 will be determined     by the setting of the MARK_IN_FORWARD_CHAIN option
 in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                   <br>
                 </li>
                      <li>When an interface name is entered in the SUBNET 
 column    of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded
 traffic     from  only the first subnet   defined on that interface. It
 did  not masquerade      traffic from:<br>
                    <br>
                      a) The subnets associated with other addresses on the 
 interface.<br>
                      b) Subnets accessed through local routers.<br>
                    <br>
                   Beginning with Shorewall 1.3.14, if you enter an interface 
  name   in  the   SUBNET  column, shorewall will use the firewall's routing 
  table   to construct   the masquerading/SNAT rules.<br>
                    <br>
                   Example 1 -- This is how it works in 1.3.14.<br>
                      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                    <br>
                   When upgrading to Shorewall 1.3.14, if you have multiple 
 local    subnets     connected  to an interface that is specified in the 
 SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq 
 file will need  changing.   In most cases, you  will simply be able to remove 
 redundant entries.  In some  cases though, you  might want to change from 
 using the interface  name to listing specific subnetworks  if the change described
 above will cause masquerading  to occur on subnetworks  that you don't wish
 to masquerade.<br>
                    <br>
                   Example 2 -- Suppose that your current config is as follows:<br>
                      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                    <br>
                      In this case, the second entry in /etc/shorewall/masq 
 is  no  longer    required.<br>
                    <br>
                   Example 3 -- What if your current configuration is like
 this?<br>
                    <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                    <br>
                      In this case, you would want to change the entry in 
 /etc/shorewall/masq         to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                      </li>
      </ol>
-      <p></p>
+      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
                      </b></p>
                  Webmin version 1.060 now has Shorewall support included 
 as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>
        <b>      </b>                                                   
@ -340,6 +481,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
      <ul>
@ -349,6 +491,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
      </ul>
@ -425,6 +568,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
  </tbody>                                                               
 </table>
@ -473,11 +617,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+ 
-but if       you try it and find it useful, please consider making a donation
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
 if       you try it and find it useful, please consider making a donation 
                                                      to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight        
+ href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Children's Foundation.</font></a> Thanks!</font></p>
+Foundation.</font></a> Thanks!</font></p>
                                                </td>
@ -495,7 +640,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                <br>
 </p>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -10,20 +10,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Support Guide</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -38,6 +25,7 @@
      <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                                       </font></h1>
@ -50,75 +38,42 @@
 </table>
-<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
+<h2>Before Reporting a Problem or Asking a Question<br>
-    emailed directly to me, I try to spend some time each day answering questions
+ </h2>
-    on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
+                                                       There are a number 
- style="font-weight: 400;"></span></big></b></p>
+of  sources of Shorewall information. Please     try these before you   post. 
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
 <h1>Before Reporting a Problem</h1>
     <i>"Well at least you tried to read the documentation, which is a lot
 more  than some people on this list appear to do.</i>"<br>
     <br>
 <div align="center">- Wietse Venema - On the Postfix mailing list<br>
     </div>
     <br>
                                             There are a number of sources
 for   problem     solution information. Please     try these before you
 post.                            
 <h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-                       <li>More than half of the questions posted on the
+                                 <li>More than half of the questions posted 
-support     list   have answers directly accessible from the <a
+ on  the   support     list   have answers directly accessible from the <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
                 <br>
                         </li>
                         <li>                                   The <a
 href="FAQ.htm">FAQ</a>     has  solutions to  more than 20 common      problems.
              </li>
 </ul>
 <h3>                     </h3>
 <ul>
                <li>                                   The     <a
 href="troubleshoot.htm">Troubleshooting</a>  Information          contains
-        a    number of tips to help you solve common problems.         </li>
+            a    number of tips to help you solve common problems.      
    </li>
 </ul>
 <h3>                     </h3>
 <ul>
               <li>                                   The     <a
 href="errata.htm">   Errata</a> has links  to  download        updated 
    components.         </li>
-</ul>
+                <li>                                   The Site and Mailing
-                                         
+     List   Archives     search facility can locate documents and posts 
-<h3>                     </h3>
+  about         similar   problems:         </li>
 <ul>
                       <li>                                   The Mailing 
 List   Archives     search facility can locate   posts    about         similar
  problems:         </li>
 </ul>
 <h2>                                     </h2>
-<h2>Mailing List Archive Search</h2>
+<h2>Site and Mailing List Archive Search</h2>
-<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
+<blockquote>      
-                                                                        
+  <form method="post"
-                                      
+ action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
  <p> <font size="-1"> Match:                                           
    <select name="method">
    <option value="and">All </option>
@ -126,15 +81,11 @@ List   Archives     search facility can locate   posts    about         similar
    <option value="boolean">Boolean </option>
    </select>
      Format:                    
    <select name="format">
    <option value="builtin-long">Long </option>
    <option value="builtin-short">Short </option>
    </select>
      Sort by:                    
    <select name="sort">
    <option value="score">Score </option>
    <option value="time">Time </option>
@ -143,66 +94,55 @@ List   Archives     search facility can locate   posts    about         similar
    <option value="revtime">Reverse Time </option>
    <option value="revtitle">Reverse Title </option>
    </select>
-                                     </font> <input type="hidden"
+       </font><input type="hidden" name="config" value="htdig"><input
- name="config" value="htdig">    <input type="hidden" name="restrict"
+ type="hidden" name="restrict" value=""><font size="-1"> Include  Mailing 
- value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
+  List Archives:                    
- name="exclude" value=""> <br>
+    <select size="1" name="exclude">
-                                     Search: <input type="text"
+    <option value="">Yes</option>
- size="30" name="words" value="">    <input type="submit" value="Search">
+    <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
-  </p>
+    </select>
       </font><br>
      Search: <input type="text" size="30" name="words" value=""> <input
 type="submit" value="Search"><br>
    </form>
  </blockquote>
-<h2>Problem Reporting Guidelines </h2>
+<h2>Problem Reporting Guidelines<br>
-                    <i>"Let me see if I can translate your message into a 
+      </h2>
 real-world      example.      It would be like saying that you have three 
 rooms at home,     and when you   walk  into one of the rooms, you detect 
 this strange smell.      Can anyone tell  you  what that strange smell is?<br>
                    <br>
                    Now, all of us could do some wonderful guessing as to 
 the   smell    and   even   what's causing it.  You would be absolutely amazed 
 at the range   and   variety   of smells we could come up with.  Even more 
 amazing is that   all   of the explanations   for the smells would be completely 
 plausible."<br>
                    </i><br>
 <div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
                    </div>
                    <br>
 <h3>                     </h3>
 <ul>
-                <li>Please remember we only know what is posted in your message.
+                          <li>Please remember we only know what is posted 
-     Do  not  leave out any information that appears to be correct,  or was
+in  your   message.      Do  not  leave out any information that appears to
-  mentioned    in  a previous post. There have been countless  posts by people
+be  correct,    or was   mentioned    in  a previous post. There have been
-  who were   sure  that some part of their  configuration was correct when
+countless   posts   by people   who were   sure  that some part of their
- it actually   contained  a small error.  We tend to be skeptics where detail
+  configuration  was correct  when  it actually   contained  a small error.
-  is lacking.<br>
+  We tend to be  skeptics where  detail   is lacking.<br>
                            <br>
                          </li>
-                <li>Please keep in mind that you're asking for <strong>free</strong>
+                          <li>Please keep in mind that you're asking for
-      technical  support. Any help we offer is an act of generosity, not
+    <strong>free</strong>            technical  support. Any help we offer
-an   obligation.    Try  to make it easy for us to help you. Follow good,
+is an act of generosity, not    an   obligation.    Try  to make it easy
-courteous   practices    in writing  and formatting your e-mail. Provide
+for us to help you. Follow good,    courteous   practices    in writing 
-details that   we need if  you  expect good  answers. <em>Exact quoting </em>
+and formatting your e-mail. Provide   details that   we need if  you  expect
-of error messages,  log  entries,  command output, and other output is better
+good  answers. <em>Exact quoting     </em>  of error messages,  log  entries,
-than a paraphrase  or  summary.<br>
+ command output, and other output  is better   than a paraphrase  or  summary.<br>
                            <br>
                          </li>
-                <li>                                   Please don't describe
+                          <li>                                   Please don't 
-  your   environment   and then  ask  us  to  send   you             custom
+  describe     your   environment   and then  ask  us  to  send   you    
-  configuration   files.   We're here  to answer   your  questions     but
+        custom     configuration   files.   We're here  to answer   your 
- we           can't   do your   job for you.<br>
+questions     but    we           can't   do your   job for you.<br>
                            <br>
                                 </li>
-                <li>When reporting a problem, <strong>ALWAYS</strong> include 
+                          <li>When reporting a problem, <strong>ALWAYS</strong> 
-  this   information:</li>
+   include     this   information:</li>
 </ul>
 <ul>
  <ul>
                            <li>the exact version of Shorewall you are running.<br>
                              <br>
@ -210,8 +150,10 @@ than a paraphrase  or  summary.<br>
                         </b>    <br>
                            </li>
  </ul>
  <ul>
                            <li>the exact kernel version you are running<br>
                              <br>
@ -219,8 +161,10 @@ than a paraphrase  or  summary.<br>
                              <br>
                              </b></font></li>
  </ul>
  <ul>
                            <li>the complete, exact output of<br>
                              <br>
@ -228,8 +172,10 @@ than a paraphrase  or  summary.<br>
                              <br>
                              </b></font></li>
  </ul>
  <ul>
                            <li>the complete, exact output of<br>
                              <br>
@ -237,10 +183,13 @@ than a paraphrase  or  summary.<br>
                              <br>
                              </b></font></li>
  </ul>
  <ul>
-                  <li>If your kernel is modularized, the exact output from<br>
+                            <li>If your kernel is modularized, the exact
 output    from<br>
                              <br>
                              <font color="#009900"><b>lsmod</b></font><br>
                              <br>
@ -249,15 +198,16 @@ than a paraphrase  or  summary.<br>
 style="color: green; font-weight: bold;">ping</code> failure responses<br>
                      <br>
                    </li>
-          <li>If you installed Shorewall using one of the QuickStart Guides,
+                    <li>If you installed Shorewall using one of the QuickStart
-  please  indicate which one. <br>
+   Guides,     please  indicate which one. <br>
                      <br>
                    </li>
-          <li><b>If you are running Shorewall under Mandrake using the Mandrake
+                    <li><b>If you are running Shorewall under Mandrake using
-   installation of Shorewall, please say so.</b><br>
+  the   Mandrake     installation of Shorewall, please say so.</b><br>
                              <br>
                            </li>
  </ul>
 </ul>
@ -277,91 +227,69 @@ than a paraphrase  or  summary.<br>
             4. Post the /tmp/status.txt file as an attachment.<br>
                            <br>
                          </li>
-                <li>As a general matter, please <strong>do not edit the diagnostic
+                                                           <li>As a general 
-     information</strong>   in an attempt to conceal your IP address, netmask,
+ matter,   please <strong>do not edit the  diagnostic      information</strong> 
-     nameserver addresses,  domain name, etc. These aren't secrets, and concealing
+   in   an attempt to conceal your IP address,  netmask,      nameserver addresses,
-     them often misleads  us (and 80% of the time, a hacker could derive
+    domain name, etc. These aren't secrets,  and concealing      them often
-them     anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
+  misleads  us (and 80% of the time, a hacker  could derive them     anyway
-                           
+  from information  contained in the SMTP headers  of your post).<br>
-</ul>
+           <br>
-                           
+           <strong></strong></li>
-<ul>
+         <li>Do you see  any   "Shorewall"      messages ("<b><font
-                                         
+ color="#009900">/sbin/shorewall  show   log</font></b>")            when 
-</ul>
+     you exercise the function that is giving   you problems? If   so,   include
-                                         
+   the message(s) in your post along with a  copy of your /etc/shorewall/interfaces 
-<h3>                     </h3>
+        file.<br>
 <ul>
 </ul>
 <h3>                     </h3>
 <ul>
                       <li>                                   Do you see
 any   "Shorewall"      messages ("<b><font color="#009900">/sbin/shorewall
 show   log</font></b>")            when   you exercise the function that
 is giving   you problems? If   so,   include the message(s) in your post
 along with a  copy of your /etc/shorewall/interfaces      file.<br>
           <br>
         </li>
         <li>Please include any of the Shorewall configuration  files   
   (especially               the    /etc/shorewall/hosts file if you have 
 modified    that     file)      that  you    think are    relevant. If you
 include /etc/shorewall/rules,         please include /etc/shorewall/policy
-as well (rules are meaningless unless      one also knows the policies).
+ as well (rules are meaningless   unless      one also knows the policies).<br>
           <br>
         </li>
-                                         
+         <li>If an error occurs    when   you   try   to "<font
-</ul>
+ color="#009900"><b>shorewall  start</b></font>",        include     a  
-                                         
+ trace (See the <a href="troubleshoot.htm">Troubleshooting</a>          
-<h3>                     </h3>
+ section  for    instructions).<br>
-                                         
+           <br>
 <ul>
 </ul>
 <h3>                     </h3>
 <ul>
                              <li>                         If an error occurs 
  when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>",
      include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
          section  for    instructions).         </li>
 </ul>
 <h3>                     </h3>
 <ul>
                       <li>                                             
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
           your             network layout, etc. to the Mailing List  -- your
     post      will  be rejected.</b></h3>
         </li>
         <li><b>The list server limits posts to 120kb so don't  post  GIFs
   of               your             network layout, etc. to the Mailing
 List    --   your      post      will  be rejected.</b></li>
 </ul>
 <blockquote>                                                             
 The author gratefully   acknowleges that the above list was  heavily    
 plagiarized    from the  excellent LEAF document by <i>Ray</i>  <em>Olszewski</em> 
    found  at  <a
 href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
 </blockquote>
-<h2>Please post in plain text</h2>
+<h2>When using the mailing list, please post in plain text</h2>
-<blockquote>            </blockquote>
+<blockquote>                                                            
     A growing  number of MTAs serving list subscribers are rejecting   
  all    HTML  traffic.  At least one MTA has gone so far as to blacklist
-shorewall.net      "for continuous abuse" because it has been my policy to 
+  shorewall.net      "for  continuous abuse" because it has been my policy
-allow HTML in  list    posts!!<br>
+ to  allow HTML in  list    posts!!<br>
    <br>
-                   I think that blocking all HTML is a Draconian way to control 
+                             I think that blocking all HTML is a Draconian
-   spam    and  that the ultimate losers here are not the spammers but the 
+ way   to  control     spam    and  that the ultimate losers here are not
- list  subscribers      whose MTAs are bouncing all shorewall.net mail. As 
+the spammers    but the   list  subscribers      whose MTAs are bouncing
- one list  subscriber   wrote  to me privately "These e-mail admin's need 
+all shorewall.net    mail. As   one list  subscriber   wrote  to me privately
-to get a <i>(expletive   deleted)</i>  life instead of trying to rid the planet
+ "These e-mail admin's   need  to get a <i>(expletive   deleted)</i>  life
-of HTML based e-mail".   Nevertheless,  to allow subscribers to receive list
+ instead of trying to rid   the planet of HTML based e-mail".   Nevertheless,
-posts as must as possible,   I have now   configured the list server at shorewall.net
+  to allow subscribers  to  receive list posts as must as possible,   I have
-to strip all HTML   from outgoing  posts.<br>
+ now   configured the  list  server at shorewall.net to strip all HTML  
 from  outgoing  posts.<br>
  </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -370,33 +298,36 @@ to strip all HTML   from outgoing  posts.<br>
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem 
-          to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users 
+               to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF 
-   mailing       list</a>.</span></h4>
+  Users      mailing       list</a>.</span></h4>
-                   <b>If you run Shorewall under MandrakeSoft Multi Network 
+                             <b>If you run Shorewall under MandrakeSoft Multi 
- Firewall     (MNF)   and you have not purchased an MNF license from MandrakeSoft 
+  Network     Firewall     (MNF)   and you have not purchased an MNF license 
- then    you can  post non MNF-specific Shorewall questions to the </b><a
+  from MandrakeSoft     then    you can  post non MNF-specific Shorewall questions
- href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
+  to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
-   list</a>         or to the <a
+  users mailing       list</a>. <b>Do not expect to get free MNF support
- href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
+on the list or forum.</b><br>
 Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-   list</a> or to the <a
+        list</a>.</p>
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a>.</p>
                               </blockquote>
 <p>To Subscribe to the  mailing list go to <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
-                        .</p>
+                             .<br>
         </p>
 <p>For information on other Shorewall mailing lists, go to <a
 href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
         </p>
-<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -60,3 +60,7 @@ Changes since 1.3.14
 27. Remove stale comments in the params file.
 28. Silently drop INVALID state packets
 29. Ignore the 'default' route when detecting masq'd networks.
 30. REALLY process the params file first now (honest).
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.0-RC2
+VERSION=1.4.0
 usage() # $1 = exit status
 {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.0-RC2
+VERSION=1.4.0
 usage() # $1 = exit status
 {
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -77,6 +77,18 @@ Changes for 1.4 include:
 10) The /etc/shorewall/params file is now processed first so that
    variables may be used in the /etc/shorewall/shorewall.conf file.
 11) Packets with state INVALID are now silently dropped.
 12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
    compatibility kernel module is loaded and a 'shorewall start'
    command is issued.
 13) The SHARED_DIR variable has been removed from shorewall.conf. This
    variable was for use by package maintainers and was not documented
    for general use.
 14) Shorewall now ignores 'default' routes when detecting masq'd
    networks.
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.0
-%define release 0RC2
+%define release 1
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-1
 * Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0RC2
 * Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.0-RC2
+VERSION=1.4.0
 usage() # $1 = exit status
 {