Version 1.3.9b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@290 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2002-10-09 15:47:48 +00:00 · 2002-10-09 15:47:48 +00:00 · 53d582d396
commit 53d582d396
parent ad21569d2a
16 changed files with 3710 additions and 3479 deletions
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -29,7 +29,7 @@
  </tbody>   
 </table>
-<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
+<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
  port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked 
  everywhere and can't find <b>how to do it</b>.</a></p>
@ -37,31 +37,31 @@
  but it doesn't work.</a></p>
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
-to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local 
+ to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local 
-network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal 
+ network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal
-clients can't</b>.</a></p>
+ clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
  subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts 
-in  Z. Hosts in Z cannot communicate with each other using their external 
+ in  Z. Hosts in Z cannot communicate with each other using their external 
  (non-RFC1918 addresses) so they <b>can't access each other using their DNS
  names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN 
-Messenger </b>with  Shorewall. What do I do?</a></p>
+ Messenger </b>with  Shorewall. What do I do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
-to  check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
+ to  check my firewall and it shows <b>some ports as 'closed' rather than 
- Why?</a></p>
+'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
  of my firewall and it showed 100s of ports as open!!!!</a></p>
 <p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now 
-I <b> can't ping</b> through the firewall</a></p>
+ I <b> can't ping</b> through the firewall</a></p>
 <p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
- written and  how do I <b>change the destination</b>?</a></p>
+  written and  how do I <b>change the destination</b>?</a></p>
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
  that work with Shorewall?</a></p>
@ -71,13 +71,13 @@ I <b> can't ping</b> through the firewall</a></p>
  work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
-on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
+ on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
-my  interfaces </b>properly?</a></p>
+ my  interfaces </b>properly?</a></p>
 <p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does 
-it  work with?</a></p>
+ it  work with?</a></p>
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
 support?</a></p>
@ -87,31 +87,32 @@ support?</a></p>
 <p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
-and it has an internel  web server that allows me to configure/monitor it 
+ and it has an internel  web server that allows me to configure/monitor it 
-but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface, 
+ but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface, 
-it also blocks the <b>cable modems  web server</b></a>.</p>
+ it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
-IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+ IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable 
-1918  filtering on my external interface, <b>my DHCP client cannot renew its
+RFC 1918  filtering on my external interface, <b>my DHCP client cannot renew 
-lease</b>.</a></p>
+its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
-out to  the net</b></a></p>
+ out to  the net</b></a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
  all over my console</b> making it unusable!</a></p>
 <hr>    
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
-my my personal PC with IP address 192.168.1.5. I've looked everywhere and 
+ my my personal PC with IP address 192.168.1.5. I've looked everywhere and 
-can't find how to do it.</h4>
+ can't find how to do it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to 
-do port forwarding under Shorewall. Assuming that you have a dynamic external 
+ do port forwarding under Shorewall. Assuming that you have a dynamic external 
-IP address, the format of a port-forwarding rule to a local system is as follows:</p>
+ IP address, the format of a port-forwarding rule to a local system is as 
 follows:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -132,8 +133,10 @@ IP address, the format of a port-forwarding rule to a local system is as follows
          <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
          <td><i>&lt;protocol&gt;</i></td>
          <td><i>&lt;port #&gt;</i></td>
-        <td> </td>
+          <td> <br>
-        <td> </td>
+        </td>
          <td> <br>
        </td>
        </tr>
    </tbody>         
@ -141,7 +144,7 @@ IP address, the format of a port-forwarding rule to a local system is as follows
    </blockquote>
 <p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, 
-the rule is:</p>
+ the rule is:</p>
 <blockquote>            
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -162,8 +165,10 @@ the rule is:</p>
          <td>loc:192.168.1.5</td>
          <td>udp</td>
          <td>7777</td>
-        <td> </td>
+          <td> <br>
-        <td> </td>
+        </td>
          <td> <br>
        </td>
        </tr>
    </tbody>         
@ -205,32 +210,33 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
    </blockquote>
 <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
-but  it doesn't work</h4>
+ but  it doesn't work</h4>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
      <li>You are trying to test from inside your firewall (no, that  won't 
-work -- see <a href="#faq2">FAQ #2</a>).</li>
+ work -- see <a href="#faq2">FAQ #2</a>).</li>
      <li>You have a more basic problem with your local system such as an 
-incorrect default gateway configured (it should be set to the IP address
+ incorrect default gateway configured (it should be set to the IP address
-of your  firewall's internal interface).</li>
+ of your  firewall's internal interface).</li>
 </ul>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
-(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients 
+ (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients
-can browse http://www.mydomain.com but internal clients can't.</h4>
+ can browse http://www.mydomain.com but internal clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-    <li>Having an internet-accessible server in your local network     is 
+      <li>Having an internet-accessible server in your local network    
-like raising foxes in the corner of your hen house. If the server is     compromised,
+is  like raising foxes in the corner of your hen house. If the server is
-there's nothing between that server and your other internal     systems.
+    compromised, there's nothing between that server and your other internal 
-For the cost of another NIC and a cross-over cable, you can put      your
+    systems. For the cost of another NIC and a cross-over cable, you can put
-server in a DMZ such that it is isolated from your local systems -     assuming
+     your server in a DMZ such that it is isolated from your local systems 
-that the Server can be located near the Firewall, of course :-)</li>
+-     assuming that the Server can be located near the Firewall, of course 
 :-)</li>
      <li>The accessibility problem is best solved using    <a
 href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
 a separate DNS server for local clients) such that www.mydomain.com resolves
@ -241,8 +247,8 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <p align="left">If you insist on an IP solution to the accessibility problem 
  rather than a DNS solution, then assuming that your external interface is
-eth0  and your internal interface is eth1  and that eth1 has IP address 192.168.1.254 
+ eth0  and your internal interface is eth1  and that eth1 has IP address 192.168.1.254
-with subnet 192.168.1.0/24, do the following:</p>
+ with subnet 192.168.1.0/24, do the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
  for eth1.</p>
@ -281,13 +287,13 @@ with subnet 192.168.1.0/24, do the following:</p>
    </div>
 <div align="left">    
-<pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
+<pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
    </div>
 <div align="left">    
 <p align="left">That rule only works of course if you have a static external 
-IP  address. If you  have a dynamic IP address and are running Shorewall 1.3.4
+ IP  address. If you  have a dynamic IP address and are running Shorewall 
-or later then include this in  /etc/shorewall/params:</p>
+1.3.4 or later then include this in  /etc/shorewall/params:</p>
   </div>
 <div align="left">    
@ -334,17 +340,17 @@ or later then include this in  /etc/shorewall/params:</p>
   </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
-subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. 
+ subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z.
-Hosts in Z cannot communicate with each other using their external (non-RFC1918 
+ Hosts in Z cannot communicate with each other using their external (non-RFC1918 
-addresses) so they can't access each other using their DNS names.</h4>
+ addresses) so they can't access each other using their DNS names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
-using Bind Version 9 "views". It allows both external and internal clients 
+ using Bind Version 9 "views". It allows both external and internal clients 
-to access a NATed host using the host's DNS name.</p>
+ to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
  static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses 
-and can be accessed externally and internally using the same address. </p>
+ and can be accessed externally and internally using the same address. </p>
 <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
 traffic through your firewall then:</p>
@ -398,7 +404,8 @@ traffic through your firewall then:</p>
          <td>dmz</td>
          <td>dmz</td>
          <td>ACCEPT</td>
-        <td> </td>
+          <td> <br>
        </td>
        </tr>
    </tbody>         
@ -406,7 +413,7 @@ traffic through your firewall then:</p>
    </blockquote>
 <div align="left">    
-<pre align="left">     dmz    dmz    ACCEPT</pre>
+<pre align="left">     dmz    dmz    ACCEPT</pre>
    </div>
 <p align="left">In /etc/shorewall/masq:</p>
@ -423,7 +430,8 @@ traffic through your firewall then:</p>
        <tr>
          <td width="93">eth2</td>
          <td width="31">192.168.2.0/24</td>
-        <td width="120"> </td>
+          <td width="120"> <br>
        </td>
        </tr>
    </tbody>         
@ -431,46 +439,46 @@ traffic through your firewall then:</p>
    </blockquote>
 <h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger 
-with Shorewall. What do I do?</h4>
+ with Shorewall. What do I do?</h4>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
-tracking/NAT module</a> that may help. Also check the Netfilter mailing list 
+ tracking/NAT module</a> that may help. Also check the Netfilter mailing list
-archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
+ archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
-</p>
+ </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
-to    check my firewall and it shows some ports as 'closed' rather than 'blocked'. 
+ to    check my firewall and it shows some ports as 'closed' rather than 'blocked'.
    Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-always    rejects connection requests on TCP port 113 rather than dropping 
+ always    rejects connection requests on TCP port 113 rather than dropping 
-them. This is    necessary to prevent outgoing connection problems to services 
+ them. This is    necessary to prevent outgoing connection problems to services 
-that use the    'Auth' mechanism for identifying requesting users. Shorewall 
+ that use the    'Auth' mechanism for identifying requesting users. Shorewall 
-also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. These
+ also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. 
-are ports that are    used by Windows (Windows <u>can</u> be configured to
+These are ports that are    used by Windows (Windows <u>can</u> be configured 
-use the DCE cell locator    on port 135). Rejecting these connection requests 
+to use the DCE cell locator    on port 135). Rejecting these connection requests 
-rather than dropping them    cuts down slightly on the amount of Windows chatter
+ rather than dropping them    cuts down slightly on the amount of Windows 
-on LAN segments connected    to the Firewall. </p>
+chatter on LAN segments connected    to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
-your    ISP preventing you from running a web server in violation of your 
+ your    ISP preventing you from running a web server in violation of your 
-Service    Agreement.</p>
+ Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
    firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
-section about    UDP scans. If nmap gets <b>nothing</b> back from your firewall 
+ section about    UDP scans. If nmap gets <b>nothing</b> back from your firewall 
-then it reports    the port as open. If you want to see which UDP ports are 
+ then it reports    the port as open. If you want to see which UDP ports are
-really open,    temporarily change your net-&gt;all policy to REJECT, restart 
+ really open,    temporarily change your net-&gt;all policy to REJECT, restart
-Shorewall and do    the nmap UDP scan again.</p>
+ Shorewall and do    the nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
-can't ping through the firewall</h4>
+ can't ping through the firewall</h4>
 <p align="left"><b>Answer: </b>If you want your firewall to be totally open 
-for "ping": </p>
+ for "ping": </p>
 <p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
    b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
@ -478,24 +486,24 @@ for "ping": </p>
 <blockquote>          
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
-j ACCEPT </p>
+ -j ACCEPT </p>
    </blockquote>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
- and  how do I change the destination?</h4>
+  and  how do I change the destination?</h4>
 <p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
 (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
 (see "man openlog") and you get to choose the log level (again, see "man
 syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- href="Documentation.htm#Rules">rules</a>. The destination for messaged  logged
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged 
-by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
+logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
-you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
+When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
 system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages 
-through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
+ through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
-- If you want to log all messages, set: </p>
+ -- If you want to log all messages, set: </p>
 <div align="left">    
 <pre align="left">     LOGLIMIT=""<br>     LOGBURST=""</pre>
@ -505,7 +513,7 @@ through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewal
  with Shorewall?</h4>
 <p align="left"><b>Answer: </b>Here are several links that may be helpful: 
-</p>
+ </p>
 <blockquote>          
  <p align="left"><a
@ -518,21 +526,21 @@ through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewal
  stop', I can't connect to anything. Why doesn't that command work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into 
-a safe state whereby only those interfaces/hosts having the 'routestopped' 
+ a safe state whereby only those interfaces/hosts having the 'routestopped' 
-option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. 
+ option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. 
-If you want to totally open up your firewall, you must use the 'shorewall 
+ If you want to totally open up your firewall, you must use the 'shorewall 
-clear' command. </p>
+ clear' command. </p>
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
  7.x, I get messages about insmod failing -- what's wrong?</h4>
 <p align="left"><b>Answer: </b>The output you will see looks something like 
-this:</p>
+ this:</p>
 <pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
 <p align="left">This is usually cured by the following sequence of commands: 
-</p>
+ </p>
 <div align="left">    
 <pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
@ -540,13 +548,14 @@ this:</p>
 <div align="left">    
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
-for  problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
+ for  problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
   </div>
-<h4 align="left">     
+<h4 align="left">      </h4>
 <h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces
-properly?</h4>
+ properly?</h4>
-      </h4>
+          
 <p align="left">I just installed Shorewall and when I issue the start command, 
    I see the following:</p>
@ -573,7 +582,7 @@ properly?</h4>
 <h4 align="left">11. What Features does it have?</h4>
 <p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall 
-Feature      List</a>.</p>
+ Feature      List</a>.</p>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
@ -586,17 +595,17 @@ them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
-(<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
+ (<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
-and "Fire<u>wall</u>".</p>
+ and "Fire<u>wall</u>".</p>
-<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
+<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
-and it has an  internal web server that allows me to configure/monitor it 
+ and it has an  internal web server that allows me to configure/monitor it 
-but as expected if I  enable rfc1918 blocking for my eth0 interface (the internet
+ but as expected if I  enable rfc1918 blocking for my eth0 interface (the 
-one), it also blocks  the cable modems web server.</h4>
+internet one), it also blocks  the cable modems web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
-that will let all traffic to and from the 192.168.100.1 address  of the modem 
+ that will let all traffic to and from the 192.168.100.1 address  of the modem
-in/out but still block all other rfc1918 addresses.</p>
+ in/out but still block all other rfc1918 addresses.</p>
 <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
 than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
@ -630,7 +639,41 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
    </div>
 <div align="left">      
-<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.</p>
+<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
 </p>
 <p align="left">Note: If you add a second IP address to your external firewall 
 interface to correspond to the modem address, you must also make an entry 
 in /etc/shorewall/rfc1918 for that address. For example, if you configure 
 the address 192.168.100.2 on your firewall, then you would add two entries 
 to /etc/shorewall/rfc1918:  <br>
 </p>
 <blockquote>   
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
     <tbody>
       <tr>
         <td valign="top"><u><b>SUBNET</b></u><br>
         </td>
         <td valign="top"><u><b>TARGET</b></u><br>
         </td>
       </tr>
       <tr>
         <td valign="top">192.168.100.1<br>
         </td>
         <td valign="top">RETURN<br>
         </td>
       </tr>
       <tr>
         <td valign="top">192.168.100.2<br>
         </td>
         <td valign="top">RETURN<br>
         </td>
       </tr>
    </tbody>   
  </table>
 </blockquote>
   </div>
 <div align="left">      
@ -646,17 +689,17 @@ lease.</h4>
   </div>
 <h4 align="left"><a name="faq15"></a>15. My local systems can't see out to 
-the  net</h4>
+ the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
-the net", I wonder  where the poster bought computers with eyes and what those
+ the net", I wonder  where the poster bought computers with eyes and what 
-computers will "see"  when things are working properly. That aside, the most
+those computers will "see"  when things are working properly. That aside, 
-common causes of this  problem are:</p>
+the most common causes of this  problem are:</p>
 <ol>
      <li>               
    <p align="left">The default gateway on each local system isn't set to 
-the    IP address of the local firewall interface.</p>
+ the    IP address of the local firewall interface.</p>
       </li>
      <li>               
    <p align="left">The entry for the local network in the /etc/shorewall/masq 
@ -665,29 +708,27 @@ the    IP address of the local firewall interface.</p>
      <li>               
    <p align="left">The DNS settings on the local systems are wrong or the 
    user is running a DNS server on the firewall and hasn't enabled UDP and 
-TCP    port 53 from the firewall to the internet.</p>
+ TCP    port 53 from the firewall to the internet.</p>
       </li>
 </ol>
 <h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages 
-all  over my console making it unusable!</h4>
+ all  over my console making it unusable!</h4>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
-to your startup    scripts or place it in /etc/shorewall/start. Under RedHat, 
+ to your startup    scripts or place it in /etc/shorewall/start. Under RedHat, 
-the max log level    that is sent to the console is specified in /etc/sysconfig/init 
+ the max log level    that is sent to the console is specified in /etc/sysconfig/init 
-in the    LOGLEVEL variable.</p>
+ in the    LOGLEVEL variable.</p>
-<div align="left">
+<div align="left">     </div>
 <p align="left"></p>
 </div>
-<p align="left"><font size="2">Last updated 9/23/2002 - <a
+<p align="left"><font size="2">Last updated 10/8/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-   <br>
+ </p>
- <br>
+ 
 </body>
 </html>
--- a/STABLE/documentation/Install.htm
+++ b/STABLE/documentation/Install.htm
@ -1,147 +1,176 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Shorewall Installation</title>
 <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
 <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-<body>
+  <meta http-equiv="Content-Type"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ content="text/html; charset=windows-1252">
  <title>Shorewall Installation</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Installation and
 Upgrade</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<p align="center"><b>Before upgrading, be sure to review the
+<p align="center"><b>Before upgrading, be sure to review the <a
-<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
+ href="upgrade_issues.htm">Upgrade Issues</a></b></p>
 <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
-<a href="#Install_Tarball">Install
+ <a href="#Install_Tarball">Install using tarball</a><br>
-using tarball</a><br>
+ <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
-<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
+ <a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
-<a href="#Upgrade_Tarball">Upgrade
+ <a href="#Config_Files">Configuring Shorewall</a><br>
-using tarball</a><br>
+ <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
-<a href="#Config_Files">Configuring Shorewall</a><br>
+ 
 <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
 <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
-<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell 
+ 
-prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4 
+<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
-either from the
+shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
-<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update 
+1.2.4  either from the <a
-site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before 
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
-attempting to start Shorewall.</b></p>
+ site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
 attempting to start Shorewall.</b></p>
 <ul>
   <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
   <br>
-  <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a 
+   <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
-  conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this 
+a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
-  happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall 
+If this    happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
-  rpm&gt;).</li>
+&lt;shorewall    rpm&gt;).</li>
-  <li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM 
+   <li>Edit the <a href="#Config_Files"> configuration files</a> to match
-AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE 
+your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
-FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO 
+SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
-START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, 
+IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
-ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
+AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
-  <li>Start the firewall by typing &quot;shorewall start&quot;</li>
+TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
 CONNECTIVITY.</b></font></li>
   <li>Start the firewall by typing "shorewall start"</li>
 </ul>
-    <p><a name="Install_Tarball"></a>To
+     
-    install Shorewall using the tarball and install
+<p><a name="Install_Tarball"></a>To     install Shorewall using the tarball
-    script: </p>
+and install     script: </p>
 <ul>
   <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
   <li>cd to the shorewall directory (the version is encoded in the     
-            directory name as in &quot;shorewall-1.1.10&quot;).</li>
+       directory name as in "shorewall-1.1.10").</li>
   <li>If you are using <a
-            href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
+ href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
-          <a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
+ href="http://www.redhat.com">RedHat</a>,           <a
-          <a href="http://www.slackware.com/">Slackware</a> or
+ href="http://www.linux-mandrake.com">Mandrake</a>, <a
-          <a href="http://www.debian.org">Debian</a>
+ href="http://www.corel.com">Corel</a>,           <a
-            then type &quot;./install.sh&quot;</li>
+ href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
   <li>If you are using <a href="http://www.suse.com">SuSe</a> then type 
-    &quot;./install.sh /etc/init.d&quot;</li>
+   "./install.sh /etc/init.d"</li>
-  <li>If your distribution has directory
+   <li>If your distribution has directory             /etc/rc.d/init.d or
-            /etc/rc.d/init.d or /etc/init.d then type
+/etc/init.d then type             "./install.sh"</li>
-            &quot;./install.sh&quot;</li>
+   <li>For other distributions, determine where your             distribution
-  <li>For other distributions, determine where your
+installs init scripts and type             "./install.sh &lt;init script
-            distribution installs init scripts and type
+directory&gt;</li>
-            &quot;./install.sh &lt;init script directory&gt;</li>
+   <li>Edit the <a href="#Config_Files"> configuration files</a> to match
-  <li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
+your configuration.</li>
-  <li>Start the firewall by typing &quot;shorewall
+   <li>Start the firewall by typing "shorewall             start"</li>
-            start&quot;</li>
+   <li>If the install script was unable to configure Shorewall to be started
-  <li>If the install script was unable to configure Shorewall to be started automatically at boot,
+automatically at boot,             see <a
-            see <a href="Documentation.htm#Starting">these
+ href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
-            instructions</a>.</li>
+ 
 </ul>
-<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
+ 
-version:</p>
+<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you 
+and are upgrading to a new version:</p>
-have entries in the /etc/shorewall/hosts file then please check your 
+ 
-/etc/shorewall/interfaces file to be sure that it contains an entry for each 
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-interface mentioned in the hosts file. Also, there are certain 1.2 rule forms 
+and you  have entries in the /etc/shorewall/hosts file then please check
-that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and 
+for each  interface mentioned in the hosts file. Also, there are certain
-host file for 1.3 compatibility using the &quot;shorewall check&quot; command after 
+1.2 rule forms  that are no longer supported under 1.3 (you must use the
-installing the latest version of 1.3.</p>
+new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
 details. You can check your rules and  host file for 1.3 compatibility using
 the "shorewall check" command after  installing the latest version of 1.3.</p>
 <ul>
-  <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
+   <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
-    are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
+you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
-    you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
+installed,     you must use the "--oldpackage" option to rpm (e.g., "rpm 
-    -Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
+   -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").   
-  <p>
+    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
-  <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a 
+rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-  conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this 
+is installed. If this    happens, simply use the --nodeps option to rpm (rpm
-  happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall 
+-Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
-  rpm&gt;).<br>
+     </p>
-&nbsp;</li>
+  </li>
-  <li>See if there are any incompatibilities between your configuration and the 
+  <li>See if there are any incompatibilities between your configuration and
-  new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
+the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
   <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
+ 
-using the tarball:</p>
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you 
+and are upgrading to a new version using the tarball:</p>
-have entries in the /etc/shorewall/hosts file then please check your 
+ 
-/etc/shorewall/interfaces file to be sure that it contains an entry for each 
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
-interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule 
+and you  have entries in the /etc/shorewall/hosts file then please check
-forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). 
+your  /etc/shorewall/interfaces file to be sure that it contains an entry
-See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules 
+for each  interface mentioned in the hosts file.  Also, there are certain
-and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after 
+1.2 rule  forms that are no longer supported under 1.3 (you must use the
-installing the latest version of 1.3.</p>
+new 1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
 for details. You can check your rules  and host file for 1.3 compatibility
 using the "shorewall check" command after  installing the latest version
 of 1.3.</p>
 <ul>
   <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
   <li>cd to the shorewall directory (the version is encoded in the     
-            directory name as in &quot;shorewall-3.0.1&quot;).</li>
+       directory name as in "shorewall-3.0.1").</li>
   <li>If you are using <a
-            href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
+ href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
-          <a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
+ href="http://www.redhat.com">RedHat</a>,           <a
-          <a href="http://www.slackware.com/">Slackware</a> or
+ href="http://www.linux-mandrake.com">Mandrake</a>, <a
-          <a href="http://www.debian.org">Debian</a>
+ href="http://www.corel.com">Corel</a>,           <a
-            then type &quot;./install.sh&quot;</li>
+ href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
   <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type 
-    &quot;./install.sh /etc/init.d&quot;</li>
+   "./install.sh /etc/init.d"</li>
-  <li>If your distribution has directory
+   <li>If your distribution has directory             /etc/rc.d/init.d or
-            /etc/rc.d/init.d or /etc/init.d then type
+/etc/init.d then type             "./install.sh"</li>
-            &quot;./install.sh&quot;</li>
+   <li>For other distributions, determine where your             distribution
-  <li>For other distributions, determine where your
+installs init scripts and type             "./install.sh &lt;init script
-            distribution installs init scripts and type
+directory&gt;</li>
-            &quot;./install.sh &lt;init script directory&gt;</li>
+   <li>See if there are any incompatibilities between your configuration
-  <li>See if there are any incompatibilities between your configuration and the 
+and the    new Shorewall version (type "shorewall check") and correct as
-  new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
+necessary.</li>
-  <li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
+   <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-    <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
+     
-<p>You will need to edit some or all of these configuration files to match your 
+<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
-setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
+ 
-QuickStart Guides</a> contain all of the information you need.</p>
+<p>You will need to edit some or all of these configuration files to match
 your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
 QuickStart Guides</a> contain all of the information you need.</p>
 <ul>
   <li>/etc/shorewall/shorewall.conf - used to set several firewall     
   parameters.</li>
-  <li>/etc/shorewall/params - use this file to set shell variables that you will
+   <li>/etc/shorewall/params - use this file to set shell variables that
-    expand in other files.</li>
+you will     expand in other files.</li>
   <li>/etc/shorewall/zones - partition the firewall's view of the world 
       into <i>zones.</i></li>
   <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
@ -156,19 +185,23 @@ QuickStart Guides</a> contain all of the information you need.</p>
      overall policies established in /etc/shorewall/policy.</li>
   <li>/etc/shorewall/nat - defines static NAT rules.</li>
   <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
-  <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts 
+   <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
-  accessible when Shorewall is stopped.</li>
+hosts    accessible when Shorewall is stopped.</li>
-  <li>/etc/shorewall/tcrules - defines marking of packets for later use by
+   <li>/etc/shorewall/tcrules - defines marking of packets for later use
-    traffic control/shaping.</li>
+by     traffic control/shaping.</li>
   <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet 
        headers.</li>
   <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on 
       the firewall system.</li>
   <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
 </ul>
 <p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
 Eastep</a> </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-</body></html>
+</ul>
 <p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
  <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall News</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -26,13 +27,21 @@
  </tbody>           
 </table>
-<p><b>9/30/2002 - Shorewall 1.3.9a</b></p>
+<p><b>10/9/2002 - Shorewall 1.3.9b</b></p>
-Roles up the fix for broken tunnels.<br>
+This release rolls up fixes to the installer and to the firewall script.<br>
 <p><b>10/6/2002 - Shorewall.net now running on RH8.0<br>
  </b><br>
  The firewall and server here at shorewall.net are now running RedHat release 
 8.0.<br>
                <b><br>
 9/30/2002 - Shorewall 1.3.9a</b></p>
  Roles up the fix for broken tunnels.<br>
 <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b></p>
-There is an updated firewall script at <a
+  There is an updated firewall script at <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
+ -- copy that file to /usr/lib/shorewall/firewall.<br>
 <p><b>9/28/2002 - Shorewall 1.3.9</b></p>
@ -41,15 +50,16 @@ There is an updated firewall script at <a
 <ul>
         <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a> 
-are   now allowed in Shorewall config files (although I recommend against 
+ are   now allowed in Shorewall config files (although I recommend against 
-using  them).</li>
+ using  them).</li>
-       <li>The connection SOURCE may now be qualified by both interface and 
+         <li>The connection SOURCE may now be qualified by both interface 
- IP  address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
+and   IP  address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
-       <li>Shorewall startup is now disabled after initial installation until 
+         <li>Shorewall startup is now disabled after initial installation 
-  the file /etc/shorewall/startup_disabled is removed. This avoids nasty surprises
+until    the file /etc/shorewall/startup_disabled is removed. This avoids 
- during reboot for users who install Shorewall but don't configure it.</li>
+nasty surprises  during reboot for users who install Shorewall but don't configure
-    <li>The 'functions' and 'version' files and the 'firewall' symbolic link
+it.</li>
- have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease
+      <li>The 'functions' and 'version' files and the 'firewall' symbolic 
 link  have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease
  the LFS police at Debian.<br>
      </li>
@ -75,8 +85,8 @@ using  them).</li>
 <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
    Restored<br>
        </b></p>
-      A couple of recent configuration changes at www.shorewall.net had the 
+        A couple of recent configuration changes at www.shorewall.net had 
- negative  effect of breaking the Search facility:<br>
+the   negative  effect of breaking the Search facility:<br>
 <ol>
          <li>Mailing List Archive Search was not available.</li>
@ -98,13 +108,13 @@ using  them).</li>
           </p>
 <ul>
-           <li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option has
+             <li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option
- been   added  to shorewall.conf. This option determines whether Shorewall
+has   been   added  to shorewall.conf. This option determines whether Shorewall
- accepts   TCP packets  which are not part of an established connection and
+  accepts   TCP packets  which are not part of an established connection
- that are   not 'SYN' packets  (SYN flag on and ACK flag off).</li>
+and   that are   not 'SYN' packets  (SYN flag on and ACK flag off).</li>
             <li>The need for the 'multi' option to communicate between zones 
  za  and  zb on the same interface is removed in the case where the chain 
-'za2zb'   and/or  'zb2za' exists. 'za2zb' will exist if:</li>
+ 'za2zb'   and/or  'zb2za' exists. 'za2zb' will exist if:</li>
  <ul>
               <li>       There is a policy for za to zb; or     </li>
@ -117,8 +127,8 @@ using  them).</li>
 <ul>
             <li>The /etc/shorewall/blacklist file now contains three columns.
   In  addition  to the SUBNET/ADDRESS column, there are optional PROTOCOL
-and  PORT  columns  to block only certain applications from the blacklisted
+ and  PORT  columns  to block only certain applications from the blacklisted
-addresses.<br>
+ addresses.<br>
             </li>
 </ul>
@ -175,7 +185,7 @@ addresses.<br>
 <ul>
               <li>The 'icmp.def' file is now empty! The rules in that file 
-were   required  in     ipchains firewalls but are not required in Shorewall.
+ were   required  in     ipchains firewalls but are not required in Shorewall.
  Users   who have      ALLOWRELATED=No in <a
 href="Documentation.htm#Conf">shorewall.conf</a>    should     see the <a
 href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
@ -189,7 +199,7 @@ were   required  in     ipchains firewalls but are not required in Shorewall.
  to  the   rfc1918     file.</li>
               <li>Shorewall now works with iptables 1.2.7</li>
               <li>The documentation and web site no longer uses FrontPage
-themes.</li>
+ themes.</li>
 </ul>
@ -207,7 +217,8 @@ the   Frontpage files have been removed.</p>
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
 <p>This branch will only be updated after I release a new version of Shorewall 
-      so you can always update from this branch to get the latest stable tree.</p>
+       so you can always update from this branch to get the latest stable 
 tree.</p>
 <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
  to the <a href="errata.htm">Errata Page</a></b></p>
@ -221,15 +232,15 @@ the   Frontpage files have been removed.</p>
 <ul>
               <li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart 
-   Guides      </a>    including the <a href="shorewall_setup_guide.htm">Shorewall 
+    Guides      </a>    including the <a
-   Setup  Guide.</a></li>
+ href="shorewall_setup_guide.htm">Shorewall     Setup  Guide.</a></li>
-             <li>Shorewall will now DROP TCP packets that are not part of 
+               <li>Shorewall will now DROP TCP packets that are not part
-or      related to an existing connection and that are not SYN packets. These 
+of  or      related to an existing connection and that are not SYN packets. 
-  "New      not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN
+These    "New      not SYN" packets may be optionally logged by setting the 
-    option     in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+LOGNEWNOTSYN     option     in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
               <li>The processing of "New not SYN" packets may be extended
-by  commands    in     the new <a href="shorewall_extension_scripts.htm">newnotsyn 
+ by  commands    in     the new <a
- extension    script</a>.</li>
+ href="shorewall_extension_scripts.htm">newnotsyn   extension    script</a>.</li>
 </ul>
@ -238,10 +249,10 @@ by  commands    in     the new <a href="shorewall_extension_scripts.htm">newnots
 <p>This interim release:</p>
 <ul>
-             <li>Causes the firewall script to remove the lock file if it 
+               <li>Causes the firewall script to remove the lock file if
-is  killed.</li>
+it  is  killed.</li>
-             <li>Once again allows lists in the second column of the    <a
+               <li>Once again allows lists in the second column of the  
- href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
+     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
               <li>Includes the latest <a
 href="shorewall_quickstart_guide.htm">QuickStart       Guides</a>.</li>
@ -254,7 +265,7 @@ is  killed.</li>
     The guide is intended   for use by people who are setting up Shorewall 
  to   manage multiple public IP   addresses and by people who want to learn 
  more   about Shorewall than is   described in the single-address guides. 
-Feedback   on the new guide is welcome.</p>
+ Feedback   on the new guide is welcome.</p>
 <p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
@ -275,7 +286,7 @@ Feedback   on the new guide is welcome.</p>
 <ul>
               <li>Empty and invalid source and destination qualifiers are
-now   detected   in     the rules file. It is a good idea to use the 'shorewall
+ now   detected   in     the rules file. It is a good idea to use the 'shorewall
   check' command   before     you issue a 'shorewall restart' command be
 be   sure that you don't   have any     configuration problems that will
 prevent   a successful restart.</li>
@ -289,8 +300,8 @@ prevent   a successful restart.</li>
  This     option facilitates Proxy ARP sub-netting as described in the Proxy
  ARP        subnetting mini-HOWTO (<a
 href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>). 
-        Specifying the proxyarp option for an interface causes Shorewall to
+         Specifying the proxyarp option for an interface causes Shorewall 
-  set      /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
+to   set      /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
               <li>The Samples have been updated to reflect the new capabilities
    in  this     release. </li>
@ -307,21 +318,21 @@ prevent   a successful restart.</li>
 <ul>
               <li>A new <a href="Documentation.htm#Routestopped">    /etc/shorewall/routestopped</a> 
-    file has been added. This file is intended to     eventually replace the
+     file has been added. This file is intended to     eventually replace 
-       <b>routestopped</b> option in the     /etc/shorewall/interface and
+the        <b>routestopped</b> option in the     /etc/shorewall/interface 
-/etc/shorewall/hosts    files. This new file makes     remote firewall administration
+and /etc/shorewall/hosts    files. This new file makes     remote firewall 
-easier by  allowing  any IP or subnet to be     enabled while Shorewall is
+administration easier by  allowing  any IP or subnet to be     enabled while 
-stopped.</li>
+Shorewall is stopped.</li>
               <li>An /etc/shorewall/stopped <a
 href="Documentation.htm#Scripts">extension       script</a> has been added. 
   This script is invoked after Shorewall has       stopped.</li>
-             <li>A <b>DETECT_DNAT_ADDRS </b>option has been added to    <a
+               <li>A <b>DETECT_DNAT_ADDRS </b>option has been added to  
- href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this 
+     <a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When 
-        option is selected, DNAT rules only apply when the destination address 
+this          option is selected, DNAT rules only apply when the destination 
-    is the     external interface's primary IP address.</li>
+address      is the     external interface's primary IP address.</li>
               <li>The <a href="shorewall_quickstart_guide.htm">QuickStart
-Guide</a>     has     been broken into three guides and has been almost entirely
+ Guide</a>     has     been broken into three guides and has been almost
-rewritten.</li>
+entirely  rewritten.</li>
               <li>The Samples have been updated to reflect the new capabilities
    in  this     release. </li>
@ -340,15 +351,15 @@ rewritten.</li>
               <li>Entries in /etc/shorewall/interface that use the wildcard
  character    ("+")     now have the "multi" option assumed.</li>
               <li>The 'rfc1918' chain in the mangle table has been renamed 
-'man1918'     to     make log messages generated from that chain distinguishable 
+ 'man1918'     to     make log messages generated from that chain distinguishable 
-from   those      generated by the 'rfc1918' chain in the filter table.</li>
+ from   those      generated by the 'rfc1918' chain in the filter table.</li>
               <li>Interface names appearing in the hosts file are now validated
    against  the     interfaces file.</li>
               <li>The TARGET column in the rfc1918 file is now checked for 
-correctness.</li>
+ correctness.</li>
-             <li>The chain structure in the nat table has been changed to 
+               <li>The chain structure in the nat table has been changed
-reduce    the     number of rules that a packet must traverse and to correct 
+to  reduce    the     number of rules that a packet must traverse and to
-problems    with     NAT_BEFORE_RULES=No</li>
+correct  problems    with     NAT_BEFORE_RULES=No</li>
               <li>The "hits" command has been enhanced.</li>
 </ul>
@ -376,12 +387,12 @@ problems    with     NAT_BEFORE_RULES=No</li>
 <ul>
               <li>A <a href="Documentation.htm#Starting">logwatch command</a>
   has   been     added to /sbin/shorewall.</li>
-             <li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a> 
+               <li>A <a href="blacklisting_support.htm">dynamic blacklist 
-    has     been added.</li>
+facility</a>      has     been added.</li>
               <li>Support for the <a href="Documentation.htm#Conf">Netfilter 
  multiport        match function</a> has been added.</li>
               <li>The files <b>firewall, functions </b>and <b>version</b>
-have   been   moved     from /etc/shorewall to /var/lib/shorewall.</li>
+ have   been   moved     from /etc/shorewall to /var/lib/shorewall.</li>
 </ul>
@ -402,8 +413,8 @@ copying   tools like HTTrack and WebStripper. These mindless tools:</p>
 <p>These tools/weapons are particularly damaging when combined with CVS Web 
       because they doggedly follow every link in the cgi-generated HTML resulting
     in   1000s of executions of the cvsweb.cgi script. Yesterday, I spend
-several    hours   implementing measures to block these tools but unfortunately, 
+ several    hours   implementing measures to block these tools but unfortunately,
-these    measures   resulted in my server OOM-ing under even moderate load.</p>
+ these    measures   resulted in my server OOM-ing under even moderate load.</p>
 <p>Until I have the time to understand the cause of the OOM (or until I buy 
       more RAM if that is what is required), CVS Web access will remain Password
@ -426,9 +437,9 @@ these    measures   resulted in my server OOM-ing under even moderate load.</p>
 <ul>
               <li>Corrects a serious problem with "all <i>&lt;zone&gt;</i> 
-CONTINUE"     policies.     This problem is present in all versions of Shorewall 
+ CONTINUE"     policies.     This problem is present in all versions of Shorewall 
-that   support  the     CONTINUE policy. These previous versions optimized 
+ that   support  the     CONTINUE policy. These previous versions optimized 
-away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it with the "all2all" 
+ away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it with the "all2all"
  chain with the usual result that a     policy of REJECT was enforced rather
  than the intended CONTINUE policy.</li>
               <li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a> 
@ -455,8 +466,8 @@ away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it with the "all2all
 incorporates the following:</p>
 <ul>
-             <li>Support for the /etc/shorewall/whitelist file has been withdrawn. 
+               <li>Support for the /etc/shorewall/whitelist file has been 
-    If you     need whitelisting, see <a
+withdrawn.      If you     need whitelisting, see <a
 href="/1.3/whitelisting_under_shorewall.htm">these     instructions</a>.</li>
 </ul>
@ -468,11 +479,11 @@ away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it with the "all2all
 <ul>
               <li>The structure of the firewall is changed markedly. There 
-is  now   an INPUT     and a FORWARD chain for each interface; this reduces
+ is  now   an INPUT     and a FORWARD chain for each interface; this reduces
  the  number   of rules that     a packet must traverse, especially in complicated
   setups.</li>
-             <li><a href="Documentation.htm#Exclude">Sub-zones may now be 
+               <li><a href="Documentation.htm#Exclude">Sub-zones may now
-excluded     from     DNAT and REDIRECT rules.</a></li>
+be  excluded     from     DNAT and REDIRECT rules.</a></li>
               <li>The names of the columns in a number of the configuration
  files    have been     changed to be more consistent and self-explanatory
  and the   documentation has     been updated accordingly.</li>
@ -486,15 +497,15 @@ excluded     from     DNAT and REDIRECT rules.</a></li>
       features:</p>
 <ul>
-             <li>Simplified rule syntax which makes the intent of each rule 
+               <li>Simplified rule syntax which makes the intent of each
- clearer    and     hopefully makes Shorewall easier to learn.</li>
+rule   clearer    and     hopefully makes Shorewall easier to learn.</li>
-             <li>Upward compatibility with 1.2 configuration files has been 
+               <li>Upward compatibility with 1.2 configuration files has
- maintained    so     that current users can migrate to the new syntax at 
+been   maintained    so     that current users can migrate to the new syntax
-their convenience.</li>
+at  their convenience.</li>
-             <li><b><font color="#cc6666">WARNING:  Compatibility with the
+               <li><b><font color="#cc6666">WARNING:  Compatibility with
- old       parameterized sample configurations has NOT been maintained. Users
+the   old       parameterized sample configurations has NOT been maintained.
- still        running those configurations should migrate to the new sample
+Users   still        running those configurations should migrate to the new
- configurations        before upgrading to 1.3 Beta 1.</font></b></li>
+sample   configurations        before upgrading to 1.3 Beta 1.</font></b></li>
 </ul>
@ -504,16 +515,16 @@ their convenience.</li>
 <ul>
               <li><a href="Documentation.htm#Whitelist">White-listing</a>
-is  supported.</li>
+ is  supported.</li>
               <li><a href="Documentation.htm#Policy">SYN-flood protection
     </a>is    added.</li>
               <li>IP addresses added under <a
 href="Documentation.htm#Conf">ADD_IP_ALIASES         and ADD_SNAT_ALIASES</a> 
-now inherit the VLSM and Broadcast Address   of  the     interface's primary 
+ now inherit the VLSM and Broadcast Address   of  the     interface's primary 
-IP address.</li>
+ IP address.</li>
               <li>The order in which port forwarding DNAT and Static DNAT
-       <a href="Documentation.htm#Conf">can now be reversed</a> so that port 
+        <a href="Documentation.htm#Conf">can now be reversed</a> so that
-     forwarding    rules can override the contents of <a
+port       forwarding    rules can override the contents of <a
 href="Documentation.htm#NAT">    /etc/shorewall/nat</a>.     </li>
 </ul>
@ -562,17 +573,17 @@ Unstable Branch</a></li>
 <p>In this version:</p>
 <ul>
-             <li>The 'try' command now accepts an optional timeout. If the
+               <li>The 'try' command now accepts an optional timeout. If
- timeout    is     given in the command, the standard configuration will
+the   timeout    is     given in the command, the standard configuration
-automatically     be     restarted after the new configuration has been running
+will automatically     be     restarted after the new configuration has been
-for that  length   of     time. This prevents a remote admin from being locked
+running for that  length   of     time. This prevents a remote admin from
-out of the firewall   in     the case where the new configuration starts
+being locked out of the firewall   in     the case where the new configuration
-but prevents access.</li>
+starts but prevents access.</li>
               <li>Kernel route filtering may now be enabled globally using 
-the   new       ROUTE_FILTER parameter in <a
+ the   new       ROUTE_FILTER parameter in <a
 href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
-             <li>Individual IP source addresses and/or subnets may now be 
+               <li>Individual IP source addresses and/or subnets may now
-excluded     from     masquerading/SNAT.</li>
+be  excluded     from     masquerading/SNAT.</li>
               <li>Simple "Yes/No" and "On/Off" values are now case-insensitive 
   in      /etc/shorewall/shorewall.conf.</li>
@ -600,9 +611,9 @@ excluded     from     masquerading/SNAT.</li>
 <p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
 <p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart 
-    Guide</a>   is now available. This Guide and its accompanying sample configurations
+     Guide</a>   is now available. This Guide and its accompanying sample 
-    are   expected to provide a replacement for the recently withdrawn parameterized
+configurations     are   expected to provide a replacement for the recently 
-      samples. </p>
+withdrawn parameterized       samples. </p>
 <p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
@ -652,12 +663,12 @@ Unstable Distribution</a>.</li>
               <li>A "shorewall try" command has been added (syntax: shorewall
   try       <i>     &lt;configuration directory&gt;</i>). This command attempts
   "shorewall  -c <i>    &lt;configuration directory&gt;</i> start" and if
-that  results in the firewall     being stopped due to an error, a "shorewall
+ that  results in the firewall     being stopped due to an error, a "shorewall
-start"  command  is executed. The     'try' command allows you to create
+ start"  command  is executed. The     'try' command allows you to create
 a new <a href="Documentation.htm#Configs">    configuration</a> and attempt
-to start    it; if there is an error that leaves     your firewall in the
+ to start    it; if there is an error that leaves     your firewall in the
-stopped state,    it will automatically be restarted using     the default
+ stopped state,    it will automatically be restarted using     the default
-configuration (in   /etc/shorewall).</li>
+ configuration (in   /etc/shorewall).</li>
               <li>A new variable ADD_SNAT_ALIASES has been added to    <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. If this 
         variable is set to "Yes", Shorewall will automatically add IP addresses 
@ -714,12 +725,13 @@ configuration (in   /etc/shorewall).</li>
 <ul>
               <li>UPnP probes (UDP destination port 1900) are now silently 
-dropped     in the    <i>common</i> chain</li>
+ dropped     in the    <i>common</i> chain</li>
               <li>RFC 1918 checking in the mangle table has been streamlined 
  to  no  longer     require packet marking. RFC 1918 checking in the filter 
  table   has been     changed to require half as many rules as previously.</li>
-             <li>A 'shorewall check' command has been added that does a cursory 
+               <li>A 'shorewall check' command has been added that does a 
-   validation      of the zones, interfaces, hosts, rules and policy files.</li>
+cursory     validation      of the zones, interfaces, hosts, rules and policy 
 files.</li>
 </ul>
@ -734,14 +746,14 @@ dropped     in the    <i>common</i> chain</li>
 <ul>
               <li>$-variables may now be used anywhere in the configuration
  files    except     /etc/shorewall/zones.</li>
-             <li>The interfaces and hosts files now have their contents validated 
+               <li>The interfaces and hosts files now have their contents 
-    before     any changes are made to the existing Netfilter configuration. 
+validated      before     any changes are made to the existing Netfilter configuration.
    The appearance     of a zone name that isn't defined in /etc/shorewall/zones
-   causes "shorewall     start" and "shorewall restart" to abort without changing
+    causes "shorewall     start" and "shorewall restart" to abort without
-   the Shorewall state.     Unknown options in either file cause a warning
+changing    the Shorewall state.     Unknown options in either file cause
- to  be issued.</li>
+a warning  to  be issued.</li>
               <li>A problem occurring when BLACKLIST_LOGLEVEL was not set
-has   been       corrected.</li>
+ has   been       corrected.</li>
 </ul>
@ -762,17 +774,17 @@ has   been       corrected.</li>
              <li>A "shorewall version" command has been added</li>
              <li>The default value of the STATEDIR variable in     /etc/shorewall/shorewall.conf 
     has been changed to /var/lib/shorewall in     order to conform to the 
-GNU/Linux    File Hierarchy Standard, Version 2.2.</li>
+ GNU/Linux    File Hierarchy Standard, Version 2.2.</li>
 </ul>
 <p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
 <ul>
-            <li>The "fw" zone <a href="Documentation.htm#FW">may now be given 
+              <li>The "fw" zone <a href="Documentation.htm#FW">may now be 
-  a      different name</a>.</li>
+given    a      different name</a>.</li>
              <li>You may now place end-of-line comments (preceded by '#')
-in  any   of  the     configuration files</li>
+ in  any   of  the     configuration files</li>
              <li>There is now protection against against two state changing
  operations         occuring concurrently. This is implemented using the
 'lockfile'  utility    if     it is available (lockfile is part of procmail);
@ -810,7 +822,7 @@ name "lock".</li>
 <ul>
              <li>The "shorewall status" command no longer hangs.</li>
              <li>The "shorewall monitor" command now displays the icmpdef
-chain</li>
+ chain</li>
              <li>The CLIENT PORT(S) column in tcrules is no longer ignored</li>
 </ul>
@ -840,20 +852,20 @@ chain</li>
              <li>Support for IP blacklisting has been added            
    <ul>
-              <li>You specify whether you want packets from blacklisted hosts 
+                <li>You specify whether you want packets from blacklisted 
-  dropped   or         rejected using the <a
+hosts    dropped   or         rejected using the <a
 href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION           </a>setting 
   in /etc/shorewall/shorewall.conf</li>
-              <li>You specify whether you want packets from blacklisted hosts 
+                <li>You specify whether you want packets from blacklisted 
-  logged   and         at what syslog level using the <a
+hosts    logged   and         at what syslog level using the <a
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>         setting 
     in /etc/shorewall/shorewall.conf</li>
                <li>You list the IP addresses/subnets that you wish to blacklist
    in          <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
                <li>You specify the interfaces you want checked against the 
-blacklist             using the new "<a
+ blacklist             using the new "<a
 href="Documentation.htm#BLInterface">blacklist</a>"             option in 
-/etc/shorewall/interfaces.</li>
+ /etc/shorewall/interfaces.</li>
                <li>The black list is refreshed from /etc/shorewall/blacklist 
  by  the           "shorewall refresh" command.</li>
@ -862,16 +874,17 @@ blacklist             using the new "<a
              <li>Use of TCP RST replies has been expanded              
    <ul>
-              <li>TCP connection requests rejected because of a REJECT policy 
+                <li>TCP connection requests rejected because of a REJECT
-  are   now         replied with a TCP RST packet.</li>
+policy    are   now         replied with a TCP RST packet.</li>
                <li>TCP connection requests rejected because of a protocol=all
-  rule   in         /etc/shorewall/rules are now replied with a TCP RST packet.</li>
+   rule   in         /etc/shorewall/rules are now replied with a TCP RST
 packet.</li>
    </ul>
              </li>
              <li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification 
-   has  been     added to /etc/shorewall/shorewall.conf. LOGFILE is used to
+    has  been     added to /etc/shorewall/shorewall.conf. LOGFILE is used 
-  tell the     /sbin/shorewall program where to look for Shorewall messages.</li>
+to   tell the     /sbin/shorewall program where to look for Shorewall messages.</li>
 </ul>
@ -882,8 +895,8 @@ blacklist             using the new "<a
 <ul>
              <li>Unless you have explicitly enabled Auth connections (tcp
-port   113)   to your     firewall, these connections will be REJECTED rather 
+ port   113)   to your     firewall, these connections will be REJECTED rather 
-than   DROPPED.   This     speeds up connection establishment to some servers.</li>
+ than   DROPPED.   This     speeds up connection establishment to some servers.</li>
              <li>Orphan DNS replies are now silently dropped.</li>
 </ul>
@ -904,8 +917,8 @@ than   DROPPED.   This     speeds up connection establishment to some servers.</
 <p>In version 1.2.1:</p>
 <ul>
-            <li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
+              <li><a href="Documentation.htm#LogUncleanOption">Logging of 
-         Packets</a> is added. </li>
+Mangled/Invalid          Packets</a> is added. </li>
              <li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
              <li>'shorewall show tc' now correctly handles tunnels.</li>
@ -919,14 +932,14 @@ than   DROPPED.   This     speeds up connection establishment to some servers.</
 <ul>
              <li>Support for <a href="traffic_shaping.htm">Traffic Control/Shaping</a></li>
              <li>Support for <a href="Documentation.htm#Unclean">Filtering 
-of      Mangled/Invalid Packets</a></li>
+ of      Mangled/Invalid Packets</a></li>
              <li>Support for <a href="IPIP.htm">GRE Tunnels</a></li>
 </ul>
 <p>For the next month or so, I will continue to provide corrections to version
       1.1.18 as necessary so that current version 1.1.x users will not be
-forced    into a  quick upgrade to 1.2.0 just to have access to bug fixes.</p>
+ forced    into a  quick upgrade to 1.2.0 just to have access to bug fixes.</p>
 <p>For those of you who have installed one of the Beta RPMS, you will need 
     to  use the "--oldpackage" option when upgrading to 1.2.0:</p>
@ -936,8 +949,8 @@ forced    into a  quick upgrade to 1.2.0 just to have access to bug fixes.</p>
             </blockquote>
 <p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
-     Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site
+      Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web
-   is  mirrored at <a href="http://www.infohiiway.com/shorewall"
+site     is  mirrored at <a href="http://www.infohiiway.com/shorewall"
 target="_top">http://www.infohiiway.com/shorewall</a>  and the ftp site
 is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
@ -948,7 +961,7 @@ Configurations</a> has been released</b>. In this version:</p>
 <ul>
              <li>Ping is now allowed between the zones.</li>
              <li>In the three-interface configuration, it is now possible
-to  configure    the     internet services that are to be available to servers 
+ to  configure    the     internet services that are to be available to servers 
  in the DMZ. </li>
 </ul>
@ -959,11 +972,11 @@ to  configure    the     internet services that are to be available to servers
 <ul>
              <li>The spelling of ADD_IP_ALIASES has been corrected in the
-shorewall.conf          file</li>
+ shorewall.conf          file</li>
              <li>The logic for deleting user-defined chains has been simplified
    so  that it     avoids a bug in the LRP version of the 'cut' utility.</li>
              <li>The /var/lib/lrpkg/shorwall.conf file has been corrected
-to  properly        display the NAT entry in that file.</li>
+ to  properly        display the NAT entry in that file.</li>
 </ul>
@ -1006,13 +1019,13 @@ to  properly        display the NAT entry in that file.</li>
              <li>A new "shorewall show connections" command has been added.</li>
              <li>In the "shorewall monitor" output, the currently tracked
       connections  are now shown on a separate page.</li>
-            <li>Prior to this release, Shorewall unconditionally added the
+              <li>Prior to this release, Shorewall unconditionally added
- external    IP     adddress(es) specified in /etc/shorewall/nat. Beginning
+the   external    IP     adddress(es) specified in /etc/shorewall/nat. Beginning
  with version           1.1.16, a new parameter (<a
 href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)           may be set
  to "no" (or "No") to inhibit this behavior.       This   allows IP aliases
- created using your distribution's network       configuration    tools to
+  created using your distribution's network       configuration    tools
- be used in static NAT. </li>
+to   be used in static NAT. </li>
 </ul>
@ -1034,21 +1047,21 @@ to  properly        display the NAT entry in that file.</li>
              <li>Shorewall now supports alternate configuration directories. 
  When   an      alternate directory is specified when starting or restarting 
  Shorewall        (e.g., "shorewall -c /etc/testconf restart"), Shorewall 
-will first     look for configuration files in the alternate directory then 
+ will first     look for configuration files in the alternate directory then 
-in     /etc/shorewall.    To create an alternate configuration simply:<br>
+ in     /etc/shorewall.    To create an alternate configuration simply:<br>
                1. Create a New Directory<br>
-              2. Copy to that directory any of your configuration files that
+                2. Copy to that directory any of your configuration files 
-  you   want to     change.<br>
+that   you   want to     change.<br>
                3. Modify the copied files as needed.<br>
                4. Restart Shorewall specifying the new directory.</li>
              <li>The rules for allowing/disallowing icmp echo-requests (pings) 
   are   now     moved after rules created when processing the rules file. 
-This  allows   you to     add rules that selectively allow/deny ping based 
+ This  allows   you to     add rules that selectively allow/deny ping based 
-on source  or  destination     address.</li>
+ on source  or  destination     address.</li>
              <li>Rules that specify multiple client ip addresses or subnets
  no  longer   cause     startup failures.</li>
-            <li>Zone names in the policy file are now validated against the 
+              <li>Zone names in the policy file are now validated against 
- zones    file.</li>
+the   zones    file.</li>
              <li>If you have <a href="Documentation.htm#MangleEnabled">packet
   mangling</a>        support enabled, the "<a
 href="Documentation.htm#Interfaces">norfc1918</a>"        interface option
@ -1062,15 +1075,15 @@ on source  or  destination     address.</li>
 <ul>
              <li>Shell variables can now be used to parameterize Shorewall 
-rules.</li>
+ rules.</li>
              <li>The second column in the hosts file may now contain a comma-separated
          list.<br>
                <br>
                Example:<br>
                    sea        eth0:130.252.100.0/24,206.191.149.0/24</li>
              <li>Handling of multi-zone interfaces has been improved. See
-the       <a href="Documentation.htm#Interfaces">documentation     for the
+ the       <a href="Documentation.htm#Interfaces">documentation     for the
-/etc/shorewall/interfaces     file</a>.</li>
+ /etc/shorewall/interfaces     file</a>.</li>
 </ul>
@ -1093,13 +1106,15 @@ the       <a href="Documentation.htm#Interfaces">documentation     for the
              <li>A "shorewall refresh" command has been added to allow for 
     refreshing   the rules associated with the broadcast address on a dynamic 
       interface.   This command should be used in place of "shorewall   
-restart"  when the  internet interface's IP address changes.</li>
+ restart"  when the  internet interface's IP address changes.</li>
-            <li>The /etc/shorewall/start file (if any) is now processed after 
+              <li>The /etc/shorewall/start file (if any) is now processed 
-  all      temporary rules have been deleted. This change prevents the accidental
+after    all      temporary rules have been deleted. This change prevents 
-         removal of rules added during the processing of that file.</li>
+the accidental          removal of rules added during the processing of that 
 file.</li>
              <li>The "dhcp" interface option is now applicable to firewall 
     interfaces   used by a DHCP server running on the firewall.</li>
-            <li>The RPM can now be built from the .tgz file using "rpm -tb" </li>
+              <li>The RPM can now be built from the .tgz file using "rpm
 -tb" </li>
 </ul>
@ -1107,14 +1122,14 @@ restart"  when the  internet interface's IP address changes.</li>
 <ul>
              <li>Shorewall now enables Ipv4 Packet Forwarding by default.
-Packet    forwarding      may be disabled by specifying IP_FORWARD=Off in
+ Packet    forwarding      may be disabled by specifying IP_FORWARD=Off in
     /etc/shorewall/shorewall.conf.     If you don't want Shorewall to enable
-or     disable packet forwarding,   add  IP_FORWARDING=Keep to your     /etc/shorewall/shorewall.conf
+ or     disable packet forwarding,   add  IP_FORWARDING=Keep to your    
-file.</li>
+/etc/shorewall/shorewall.conf  file.</li>
-            <li>The "shorewall hits" command no longer lists extraneous service 
+              <li>The "shorewall hits" command no longer lists extraneous 
-       names in its last report.</li>
+service         names in its last report.</li>
              <li>Erroneous instructions in the comments at the head of the 
-firewall     script     have been corrected.</li>
+ firewall     script     have been corrected.</li>
 </ul>
@ -1123,18 +1138,18 @@ firewall     script     have been corrected.</li>
 <ul>
              <li>The "tunnels" file <u>really</u> is in the RPM now.</li>
              <li>SNAT can now be applied to port-forwarded connections.</li>
-            <li>A bug which would cause firewall start failures in some dhcp
+              <li>A bug which would cause firewall start failures in some 
-  configurations        has been fixed.</li>
+dhcp   configurations        has been fixed.</li>
              <li>The firewall script now issues a message if you have the
-name   of  an      interface in the second column in an entry in /etc/shorewall/masq
+ name   of  an      interface in the second column in an entry in /etc/shorewall/masq
     and that     interface is not up.</li>
              <li>You can now configure Shorewall so that it<a
 href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or     mangle
 netfilter modules</a>.</li>
-            <li>Thanks to Alex  Polishchuk, the "hits" command     from seawall 
+              <li>Thanks to Alex  Polishchuk, the "hits" command     from 
-   is  now in shorewall.</li>
+seawall     is  now in shorewall.</li>
              <li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been
-added.</li>
+ added.</li>
 </ul>
@ -1155,11 +1170,11 @@ added.</li>
 <ul>
              <li>The TOS rules are now deleted when the firewall is stopped.</li>
              <li>The .rpm will now install regardless of which version of
-iptables     is       installed.</li>
+ iptables     is       installed.</li>
              <li>The .rpm will now install without iproute2 being installed.</li>
              <li>The documentation has been cleaned up.</li>
              <li>The sample configuration files included in Shorewall have 
-been   formatted         to 80 columns for ease of editing on a VGA console.</li>
+ been   formatted         to 80 columns for ease of editing on a VGA console.</li>
 </ul>
@ -1168,22 +1183,22 @@ been   formatted         to 80 columns for ease of editing on a VGA console.</li
 <ul>
              <li><a href="Documentation.htm#lograte">You may now rate-limit
  the   packet  log.</a></li>
-            <li><font face="Century Gothic, Arial, Helvetica"> Previous versions
+              <li><font face="Century Gothic, Arial, Helvetica"> Previous 
-    of      Shorewall have an implementation of Static NAT which violates
+versions     of      Shorewall have an implementation of Static NAT which 
-the    principle      of least surprise.  NAT only occurs for packets arriving
+violates the    principle      of least surprise.  NAT only occurs for packets 
-  at  (DNAT) or      send from (SNAT) the interface named in the INTERFACE
+arriving   at  (DNAT) or      send from (SNAT) the interface named in the 
- column  of     /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
+INTERFACE  column  of     /etc/shorewall/nat. Beginning with version 1.1.6, 
- regardless      of which interface packets come from or are destined to.
+NAT effective  regardless      of which interface packets come from or are 
-To get     compatibility  with prior versions, I have added a new "ALL <a
+destined to. To get     compatibility  with prior versions, I have added a
- href="NAT.htm#AllInterFaces">"ALL     INTERFACES"  column to /etc/shorewall/nat</a>.
+new "ALL <a href="NAT.htm#AllInterFaces">"ALL     INTERFACES"  column to /etc/shorewall/nat</a>.
    By placing     "no" or "No" in the new column, the NAT behavior of  
  prior   versions may be retained. </font></li>
-            <li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels
+              <li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC
-   where  the remote     gateway is a standalone system has been improved</a>.
+Tunnels     where  the remote     gateway is a standalone system has been
-   Previously,  it was     necessary to include an additional rule allowing
+improved</a>.     Previously,  it was     necessary to include an additional
-  UDP port 500 traffic to     pass through the tunnel. Shorewall will now
+rule allowing    UDP port 500 traffic to     pass through the tunnel. Shorewall
-create   this rule automatically     when you place the name of the remote
+will now  create   this rule automatically     when you place the name of
-peer's  zone in a new GATEWAY ZONE     column in /etc/shorewall/tunnels. </li>
+the remote  peer's  zone in a new GATEWAY ZONE     column in /etc/shorewall/tunnels. </li>
 </ul>
@ -1192,11 +1207,11 @@ peer's  zone in a new GATEWAY ZONE     column in /etc/shorewall/tunnels.
 <ul>
              <li><a href="Documentation.htm#modules">You may now pass parameters 
    when  loading     netfilter modules and you can specify the modules to 
-load.</a></li>
+ load.</a></li>
              <li>Compressed modules are now loaded. This requires that you 
-modutils     support     loading compressed modules.</li>
+ modutils     support     loading compressed modules.</li>
              <li><a href="Documentation.htm#TOS">You may now set the Type
-of  Service    (TOS)     field in packets.</a></li>
+ of  Service    (TOS)     field in packets.</a></li>
              <li>Corrected rules generated for port redirection (again).</li>
 </ul>
@ -1211,7 +1226,7 @@ of  Service    (TOS)     field in packets.</a></li>
  error         messages were reported.</li>
              <li>Corrected rules generated for port redirection.</li>
              <li>The order in which iptables kernel modules are loaded has 
-been         corrected (Thanks to Mark Pavlidis). </li>
+ been         corrected (Thanks to Mark Pavlidis). </li>
 </ul>
@ -1223,21 +1238,21 @@ been         corrected (Thanks to Mark Pavlidis).
              <li>/tmp/shorewallpolicy-$$ is now removed if there is an error 
  while      starting the firewall.</li>
              <li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are 
-now   used     to define the icmpdef and common chains unless overridden by
+ now   used     to define the icmpdef and common chains unless overridden 
-the     presence   of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
+by the     presence   of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
-            <li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been 
+              <li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has
-   corrected.   An extra space after "/etc/shorwall/policy" has been   removed 
+been     corrected.   An extra space after "/etc/shorwall/policy" has been
-  and "/etc/shorwall/rules"   has been added.</li>
+  removed    and "/etc/shorwall/rules"   has been added.</li>
              <li>When a sub-shell encounters a fatal error and has stopped 
-the     firewall,  it now kills the main shell so that the main shell will 
+ the     firewall,  it now kills the main shell so that the main shell will 
   not    continue.</li>
-            <li>A problem has been corrected where a sub-shell stopped the
+              <li>A problem has been corrected where a sub-shell stopped
- firewall      and main shell continued resulting in a perplexing error message
+the   firewall      and main shell continued resulting in a perplexing error
-       referring to "common.so" resulted.</li>
+message         referring to "common.so" resulted.</li>
              <li>Previously, placing "-" in the PORT(S) column in   /etc/shorewall/rules 
     resulted in an error message during start. This   has been corrected.</li>
-            <li>The first line of "install.sh" has been corrected -- I had
+              <li>The first line of "install.sh" has been corrected -- I
-   inadvertently   deleted the initial "#".</li>
+had     inadvertently   deleted the initial "#".</li>
 </ul>
@ -1247,9 +1262,9 @@ the     firewall,  it now kills the main shell so that the main shell will
              <li>Port redirection now works again.</li>
              <li>The icmpdef and common chains <a
 href="Documentation.htm#Icmpdef">may        now be user-defined</a>.</li>
-            <li>The firewall no longer fails to start if "routefilter" is 
+              <li>The firewall no longer fails to start if "routefilter"
-      specified  for an interface that isn't started. A warning message is 
+is        specified  for an interface that isn't started. A warning message 
- now         issued  in this case.</li>
+is   now         issued  in this case.</li>
              <li>The LRP Version is renamed "shorwall" for 8,3 MSDOS file
       system  compatibility.</li>
              <li>A couple of LRP-specific problems were corrected.</li>
@ -1268,9 +1283,9 @@ the     firewall,  it now kills the main shell so that the main shell will
              <li>The common chain is traversed from INPUT, OUTPUT and FORWARD
   before          logging occurs</li>
              <li>The source has been cleaned up dramatically</li>
-            <li>DHCP DISCOVER packets with RFC1918 source addresses no longer 
+              <li>DHCP DISCOVER packets with RFC1918 source addresses no
-        generate log messages. Linux DHCP clients generate such packets and
+longer          generate log messages. Linux DHCP clients generate such packets 
-   it's         annoying to see them logged. </li>
+and    it's         annoying to see them logged. </li>
 </ul>
@ -1279,19 +1294,19 @@ the     firewall,  it now kills the main shell so that the main shell will
 <ul>
              <li>Log messages now indicate the packet disposition.</li>
              <li>Error messages have been improved.</li>
-            <li>The ability to define zones consisting of an enumerated set 
+              <li>The ability to define zones consisting of an enumerated 
- of  hosts         and/or subnetworks has been added.</li>
+set   of  hosts         and/or subnetworks has been added.</li>
              <li>The zone-to-zone chain matrix is now sparse so that only
-those    chains         that contain meaningful rules are defined.</li>
+ those    chains         that contain meaningful rules are defined.</li>
              <li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source
         subnetworks whose packets are dropped under the <i>norfc1918</i>
 interface            option.</li>
              <li>Exits are now provided for executing an user-defined script 
  when   a        chain is defined, when the firewall is initialized, when 
-the firewall    is       started, when the firewall is stopped and when the 
+ the firewall    is       started, when the firewall is stopped and when the
-firewall is  cleared.</li>
+ firewall is  cleared.</li>
-            <li>The Linux kernel's route filtering facility can now be specified
+              <li>The Linux kernel's route filtering facility can now be
-          selectively on network interfaces.</li>
+specified            selectively on network interfaces.</li>
 </ul>
@ -1306,7 +1321,7 @@ firewall is  cleared.</li>
              <li>Adds the ability to specify logging in entries in the 
     /etc/shorewall/rules    file.</li>
              <li>Correct handling of the icmp-def chain so that only ICMP
-packets     are        sent through the chain.</li>
+ packets     are        sent through the chain.</li>
              <li>Compresses the output of "shorewall monitor" if awk is
      installed.   Allows the command to work if awk isn't installed (although
         it's not   pretty).</li>
@ -1319,8 +1334,8 @@ packets     are        sent through the chain.</li>
 <ul>
              <li>The PATH variable in the firewall script now includes /usr/local/bin
            and /usr/local/sbin.</li>
-            <li>DMZ-related chains are now correctly deleted if the DMZ is
+              <li>DMZ-related chains are now correctly deleted if the DMZ 
- deleted.</li>
+is  deleted.</li>
              <li>The interface OPTIONS for "gw" interfaces are no longer 
      ignored.</li>
@ -1329,9 +1344,9 @@ packets     are        sent through the chain.</li>
 <p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
        additional "gw" (gateway) zone for tunnels and it supports IPSEC
  tunnels    with end-points on the firewall. There is also a .lrp available
-now.</b></p>
+ now.</b></p>
-<p><font size="2">Updated 9/23/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a> 
     </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">     Copyright</font>
@ -1346,5 +1361,7 @@ now.</b></p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -37,7 +37,8 @@
              <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
              <li> <a href="Install.htm">Installation/Upgrade/</a><br>
        <a href="Install.htm">Configuration</a></li>
-            <li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
+              <li> <a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
              <li> <a href="Documentation.htm">Reference Manual</a></li>
              <li> <a href="FAQ.htm">FAQs</a></li>
               <li><a href="useful_links.html">Useful Links</a><br>
@ -50,8 +51,8 @@
              <li> <a href="shorewall_mirrors.htm">Mirrors</a>          
          <ul>
-              <li><a target="_top" href="http://slovakia.shorewall.net">Slovak 
+                <li><a target="_top"
-  Republic</a></li>
+ href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
                <li><a target="_top"
 href="http://shorewall.infohiiway.com">Texas,   USA</a></li>
                <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
@ -59,6 +60,7 @@
 href="http://shorewall.correofuego.com.ar">Argentina</a></li>
                <li><a target="_top" href="http://france.shorewall.net">France</a></li>
          </ul>
              </li>
@ -80,7 +82,7 @@
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
                  <strong><br>
-  <b>Note: </b></strong>Search is unavailable Daily 0100-0200 GMT.<br>
+    <b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
    <strong></strong>      
  <p><strong>Quick Search</strong><br>
          <font face="Arial" size="-1">     <input type="text"
@ -106,5 +108,7 @@
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/blacklisting_support.htm
+++ b/STABLE/documentation/blacklisting_support.htm
@ -31,8 +31,7 @@
 <h2>Static Blacklisting</h2>
-<p>Shorewall static blacklisting support has the following configuration
+<p>Shorewall static blacklisting support has the following configuration parameters:</p>
 parameters:</p>
 <ul>
    <li>You specify whether you want packets from blacklisted hosts dropped 
@ -50,8 +49,8 @@ names in the blacklist file.<br>
    <li>You specify the interfaces whose incoming packets you want checked 
 against     the blacklist using the "<a
 href="Documentation.htm#Interfaces">blacklist</a>"     option in /etc/shorewall/interfaces.</li>
-   <li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
+    <li>The black list is refreshed from /etc/shorewall/blacklist by the
- href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
+"<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
 </ul>
@ -59,10 +58,10 @@ against     the blacklist using the "<a
 <p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting 
 doesn't use any configuration parameters but is rather controlled using 
- /sbin/shorewall commands:</p>
+/sbin/shorewall commands:</p>
 <ul>
-   <li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
+    <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed 
 IP    addresses to be silently dropped by the firewall.</li>
    <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed 
 IP    addresses to be rejected by the firewall.</li>
@ -76,7 +75,7 @@ be    automatically restored the next time that the firewall is restarted.</li>
 <p>Example 1:</p>
-<pre>     shorewall deny 192.0.2.124 192.0.2.125</pre>
+<pre>     shorewall drop 192.0.2.124 192.0.2.125</pre>
 <p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
@ -86,10 +85,11 @@ be    automatically restored the next time that the firewall is restarted.</li>
 <p>    Reenables access from 192.0.2.125.</p>
-<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -20,6 +20,7 @@
          <tbody>
          <tr>
            <td width="100%">                                           
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
            </td>
          </tr>
@ -38,59 +39,95 @@
   it to your Linux system.</b></p>
                       </li>
          <li>                                             
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory 
+untar the archive, replace the        'firewall' script in the untarred directory
   with the one you downloaded        below, and then run install.sh.</b></p>
                       </li>
          <li>                                             
    <p align="left">          <b>When the instructions say to install a corrected
   firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
-or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
+  or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
-the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
+  the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
         or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
         and /var/lib/shorewall/firewall  are symbolic links that point 
-   to the 'shorewall' file used by your  system initialization scripts to 
+      to the 'shorewall' file used by your  system initialization scripts
-       start Shorewall during boot. It is  that file that must be overwritten 
+to         start Shorewall during boot. It is  that file that must be overwritten
-       with the corrected script. </b></p>
+         with the corrected script.</b></p>
  </li>
  <li>
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
 ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
 do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
              </p>
  </li>
 </ol>
 <ul>
          <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-       <li>                            <b><a href="#V1.3">Problems in Version 
+          <li>                            <b><a href="#V1.3">Problems in
- 1.3</a></b></li>
+Version    1.3</a></b></li>
          <li>                            <b><a href="errata_2.htm">Problems
-in  Version 1.2</a></b></li>
+  in  Version 1.2</a></b></li>
          <li>                            <b><font color="#660066">  <a
 href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
          <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
          <li>                            <b><a href="#Debug">Problems with 
-kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
+ kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
          <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
-       <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and 
+          <li><b><a href="#Multiport">Problems with iptables version 1.2.7
-     MULTIPORT=Yes</a></b></li>
+ and       MULTIPORT=Yes</a></b></li>
    <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
    </li>
 </ul>
 <hr>                              
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
-<h3>Version 1.3.9</h3>
+<h3>Version 1.3.9a</h3>
 <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script at
 <a href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
 </a>-- copy that file to /usr/lib/shorewall/firewall as descripbed above.<br>
 <br>
 Version 1.3.8   
 <ul>
-    <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
+  <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
- policy file doesn't work.</li>
+the following message appears during "shorewall [re]start":</li>
 </ul>
 <pre>          recalculate_interfacess: command not found<br></pre>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
 corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described 
 above.<br>
 </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
 single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
 to 'recalculate_interface'. <br>
 </blockquote>
 <ul>
  <li>The installer (install.sh) issues a misleading message "Common functions
 installed in /var/lib/shorewall/functions" whereas the file is installed
 in /usr/lib/shorewall/functions. The installer also performs incorrectly
 when updating old configurations that had the file /etc/shorewall/functions.
    <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
 is an updated version that corrects these problems.<br>
    </a></li>
 </ul>
 <h3>Version 1.3.9</h3>
   <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
 at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
 -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
    <br>
   Version 1.3.8      
 <ul>
       <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
 the  policy file doesn't work.</li>
       <li>A DNAT rule with the same original and new IP addresses but with 
-different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
+ different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 
-25 - 10.1.1.1")<br>
+ 25 - 10.1.1.1")<br>
       </li>
 </ul>
@ -131,12 +168,12 @@ different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
 <ol>
                                       <li>If the firewall is running a DHCP
-server,                                   the client won't be able to obtain 
+  server,                                   the client won't be able to obtain
-an IP  address                                  lease from that server.</li>
+  an IP  address                                  lease from that server.</li>
                                       <li>With this order of checking, the 
-"dhcp"                                   option cannot be used as a noise-reduction 
+ "dhcp"                                   option cannot be used as a noise-reduction
-                                  measure where there are both dynamic and 
+                                    measure where there are both dynamic
- static                                  clients on a LAN segment.</li>
+and    static                                  clients on a LAN segment.</li>
 </ol>
@ -165,9 +202,10 @@ an IP  address                                  lease from that server.</li>
 <ul>
                   <li>                                                 
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
- an error occurs when the firewall            script attempts to add an SNAT 
+   an error occurs when the firewall            script attempts to add an
- alias.  </p>
+SNAT   alias.  </p>
        </li>
        <li>                                                          
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
@ -235,10 +273,10 @@ an IP  address                                  lease from that server.</li>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
-        to not verify that the zones named in the /etc/shorewall/policy file
+         to not verify that the zones named in the /etc/shorewall/policy
-           have been previously defined in the /etc/shorewall/zones file.
+file            have been previously defined in the /etc/shorewall/zones
-The            "shorewall check" command does perform this verification so
+file. The            "shorewall check" command does perform this verification
-it's a            good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
              changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -248,22 +286,22 @@ it's a            good idea to run that command after you have made configuratio
   by that name" then you probably have an entry in            /etc/shorewall/hosts
   that specifies an interface that you didn't            include in /etc/shorewall/interfaces.
   To correct this problem, you            must add an entry to /etc/shorewall/interfaces.
- Shorewall 1.3.3 and            later versions produce a clearer error message 
+   Shorewall 1.3.3 and            later versions produce a clearer error
- in this case.</p>
+message    in this case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version
+           file can be identified by its size (56284 bytes). The correct
-           has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
 <ul>
                   <li>The code to detect a duplicate interface entry in
           /etc/shorewall/interfaces contained a typo that prevented it from
             working correctly. </li>
-                <li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
+                   <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
- "NAT_BEFORE_RULES=Yes".</li>
+like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -274,6 +312,7 @@ it's a            good idea to run that command after you have made configuratio
 <ul>
                   <li>                                                 
    <p align="left">The IANA have just announced the allocation of subnet
              221.0.0.0/8. This           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
@ -290,22 +329,24 @@ it's a            good idea to run that command after you have made configuratio
          packet is sent through the limit chain twice).</li>
                   <li>An unnecessary jump to the policy chain is sometimes 
            generated for a CONTINUE policy.</li>
-                <li>When an option is given for more than one interface in
+                   <li>When an option is given for more than one interface
-              /etc/shorewall/interfaces then depending on the option, Shorewall 
+ in               /etc/shorewall/interfaces then depending on the option,
-              may ignore all but the first appearence of the option. For example:<br>
+Shorewall                may ignore all but the first appearence of the option.
 For example:<br>
                   <br>
                   net    eth0    dhcp<br>
                   loc    eth1    dhcp<br>
                   <br>
                   Shorewall will ignore the 'dhcp' on eth1.</li>
                   <li>Update 17 June 2002 - The bug described in the prior 
-bullet               affects the following options: dhcp, dropunclean, logunclean, 
+ bullet               affects the following options: dhcp, dropunclean, logunclean,
-              norfc1918, routefilter, multi, filterping and noping. An additional 
+                norfc1918, routefilter, multi, filterping and noping. An
-              bug has been found that affects only the 'routestopped' option.<br>
+additional                 bug has been found that affects only the 'routestopped'
 option.<br>
                   <br>
-                Users who downloaded the corrected script prior to 1850 GMT 
+                   Users who downloaded the corrected script prior to 1850
- today              should download and install the corrected script again 
+ GMT   today              should download and install the corrected script
- to ensure              that this second problem is corrected.</li>
+ again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -348,13 +389,13 @@ bullet               affects the following options: dhcp, dropunclean, logunclea
    corrected 1.2.3 rpm which you can download here</a>  and I have also built
           an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
- iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
+iptables-1.2.4   rpm which you can download here</a>. If  you are currently
   running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
     </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
   has   released an iptables-1.2.4 RPM of their own which you can download
-from<font color="#ff6633">   <a
+  from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
     </font>I have installed this RPM   on my firewall and it works fine.</p>
@ -396,6 +437,7 @@ from<font color="#ff6633">   <a
       "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
        </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
   RPM on SuSE</h3>
@ -429,7 +471,22 @@ from<font color="#ff6633">   <a
 </ul>
-<p><font size="2">  Last updated 9/28/2002 -                             
+<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
     </h3>
  /etc/shorewall/nat entries of the following form will result in Shorewall
 being unable to start:<br>
  <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
  Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
  The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
 has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
 contains corrected support under a new kernel configuraiton option; see
 <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
 <p><font size="2">  Last updated 10/9/2002 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -438,5 +495,8 @@ from<font color="#ff6633">   <a
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list_problems.htm
+++ b/STABLE/documentation/mailing_list_problems.htm
@ -1,59 +1,49 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+     
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+     
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>Mailing List Problems</title>
+ content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Mailing List Problems</title>
 </head>
  <body>
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
+      <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <h2 align="left">Shorewall.net is currently experiencing mail delivery problems
-to at least one address in each of the following domains:</h2>
+ to at least one address in each of the following domains:</h2>
 <blockquote>      
  <div align="left">        
-    <pre>2020ca - delivery to this domain has been disabled (cause unknown)
+  <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>familie-fleischhacker.de - (connection timed out)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
 excite.com - delivery to this domain has been disabled (cause unknown)
 epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
 familie-fleischhacker.de - (connection timed out)
 gmx.net - delivery to this domain has been disabled (cause unknown)
 hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
 intercom.net - delivery to this domain has been disabled (cause unknown)
 initialcs.com - delivery to this domain has been disabled (cause unknown)
 intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
 khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
 kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
 littleblue.de - (connection timed out)
 opermail.net - delivery to this domain has been disabled (cause unknown)
 penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
 scip-online.de - delivery to this domain has been disabled (cause unknown)
 spctnet.com - connection timed out - delivery to this domain has been disabled
 telusplanet.net - delivery to this domain has been disabled (cause unknown)
 yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
    </div>
-</blockquote>
+  </blockquote>
-<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
+<p align="left"><font size="2">Last updated 10/6/2002 20:30 GMT - <a
-<a href="support.htm">Tom
+ href="support.htm">Tom Eastep</a></font></p>
 Eastep</a></font></p>
-<p align="left"><a href="copyright.htm">
+<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
-<font face="Trebuchet MS">
+ size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
 <font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
 <p align="left">&nbsp;</p>
 <p align="left"> </p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
@ -34,7 +34,7 @@
 <blockquote>                                  
  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). 
 My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
-is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) 
+ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
   and a DMZ connected to eth1 (192.168.2.0/24). </p>
  <p> I use:<br>
@ -42,9 +42,9 @@ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1
  <ul>
      <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
-and external address 206.124.146.178.</li>
+ and external address 206.124.146.178.</li>
-     <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses: 
+      <li>Proxy ARP for wookie (my Linux System). This system has two IP
-192.168.1.3/24 and 206.124.146.179/24.</li>
+addresses:  192.168.1.3/24 and 206.124.146.179/24.</li>
      <li>SNAT through the primary gateway address (206.124.146.176) for  
 my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
@ -53,15 +53,15 @@ my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
  <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
  <p> Wookie  runs Samba and acts as the a WINS server.  Wookie is in its
-own 'whitelist' zone  called 'me'.</p>
+ own 'whitelist' zone  called 'me'.</p>
  <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
-It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software 
+ It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
-and is managed by Proxy ARP. It connects to the  local network through the 
+ and is managed by Proxy ARP. It connects to the  local network through the
-PopTop server running on my firewall. </p>
+ PopTop server running on my firewall. </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
-Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
+ Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server 
 (Pure-ftpd). The system   also runs fetchmail to fetch our email from our 
 old and current ISPs. That server is managed through Proxy ARP.</p>
@ -72,7 +72,7 @@ Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
  <p> I run an SNMP server on my firewall to serve <a
 href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
-in the DMZ.</p>
+ in the DMZ.</p>
  <p align="center">                           <img border="0"
 src="images/network.png" width="764" height="846">
@ -87,14 +87,14 @@ in the DMZ.</p>
           default gateway used by the firewall itself). On the firewall, 
                           Shorewall automatically adds a host route to  
                        206.124.146.177 through eth1 (192.168.2.1) because
-of                           the entry in /etc/shorewall/proxyarp (see below).</p>
+ of                           the entry in /etc/shorewall/proxyarp (see below).</p>
  <p>A similar setup is used on eth3 (192.168.3.1) which                
           interfaces to my laptop (206.124.146.180).</p>
  <p><font color="#ff0000" size="5">                           Note: My files
- use features not available before                            Shorewall version 
+  use features not available before                            Shorewall
-1.3.4.</font></p>
+version  1.3.4.</font></p>
    </blockquote>
 <h3>Shorewall.conf</h3>
@ -108,8 +108,8 @@ of                           the entry in /etc/shorewall/proxyarp (see below).</
 <h3>Interfaces File: </h3>
 <blockquote>                                      
-  <p> This is set up so that I can start the firewall before bringing up my
+  <p> This is set up so that I can start the firewall before bringing up
-Ethernet  interfaces. </p>
+my Ethernet  interfaces. </p>
       </blockquote>
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp<br>	dmz	eth1 		206.124.146.255	-<br>	net	eth3		206.124.146.255 norfc1918<br>	-	texas 		-<br>	loc	ppp+<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -140,10 +140,11 @@ Ethernet  interfaces. </p>
 <blockquote>                                                
  <p> Although most of our internal systems use static NAT, my wife's system
- (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
+  (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
 laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
    </blockquote>
-<pre><font size="2" face="Courier">	#INTERFACE 	SUBNET		ADDRESS<br>	eth0 		192.168.1.0/24	206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
+<pre><font size="2" face="Courier">	#INTERFACE 	SUBNET		ADDRESS<br>	eth0 		192.168.1.0/24	206.124.146.176<br>        texas           206.124.146.179 192.168.1.254<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
 <h3>NAT File: </h3>
@ -151,18 +152,21 @@ Ethernet  interfaces. </p>
 <h3>Proxy ARP File:</h3>
-<pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
+<pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROU</font><font
 face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br>        206.124.146.179 eth2            eth0            No<br></font><font
 face="Courier" size="2">	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
 <h3>Rules File (The shell variables                                     
      are set in /etc/shorewall/params):</h3>
 <pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	ACCEPT		net		fw			tcp	1723<br>	ACCEPT		net		fw			gre<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-<p><font size="2"> Last updated 9/19/2002  - </font><font size="2">      
+<p><font size="2"> Last updated 10/1/2002  - </font><font size="2">     
                                       <a href="support.htm">Tom Eastep</a></font> 
   </p>
     <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/quotes.htm
+++ b/STABLE/documentation/quotes.htm
@ -29,17 +29,19 @@
 <p>"I just installed Shorewall after weeks of messing with       ipchains/iptables 
 and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
-</p>
+ </p>
-"My case was almost like [the one above]. Well. instead of 'weeks' it was
+ "My case was almost like [the one above]. Well. instead of 'weeks' it was 
 'months' for me, and I think I needed two minutes more:<br>
 <ul>
   <li>One to see that I had no Internet access from the firewall itself.</li>
   <li>Other to see that this was the default configuration, and it was enough 
 to uncomment a line in /etc/shorewall/policy.<br>
   </li>
 </ul>
-Minutes instead of months! Congratulations and thanks for such a simple and
+ Minutes instead of months! Congratulations and thanks for such a simple
-well documented thing for something as huge as iptables." -- JV, Spain. 
+and well documented thing for something as huge as iptables." -- JV, Spain.
 <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without 
 any problems. Your documentation is great and I really appreciate       your 
@ -51,25 +53,25 @@ scripts but this one is till now the best." -- B.R,       Netherlands
      </p>
 <p>"Never in my +12 year career as a sys admin have I witnessed       someone 
-so relentless in developing a secure, state of the art, save and       useful
+so relentless in developing a secure, state of the art, safe and       useful 
 product as the Shorewall firewall package for no cost or obligation      
- involved." -- Mario Kericki, Toronto           </p>
+involved." -- Mario Kerecki, Toronto           </p>
 <p>"one time more to report, that your great shorewall in the latest     
-   release       1.2.9 is working fine for me with SuSE Linux 7.3! I now
+  release       1.2.9 is working fine for me with SuSE Linux 7.3! I now have
-have 7 machines up       and running with shorewall on several versions -
+7 machines up       and running with shorewall on several versions - starting
-starting with 1.2.2 up to       the new 1.2.9 and I never have encountered
+with 1.2.2 up to       the new 1.2.9 and I never have encountered any problems!"
-any problems!" -- SM, Germany</p>
+-- SM, Germany</p>
 <p>"You have the best support of any other package I've ever       used." 
 -- SE, US           </p>
 <p>"Because our company has information which has been classified by the 
- national government as secret, our security doesn't stop by putting a fence
+national government as secret, our security doesn't stop by putting a fence 
 around our company. Information security is a hot issue. We also make use 
 of  checkpoint firewalls, but not all of the internet servers are guarded 
-by  checkpoint, some of them are running....Shorewall." -- Name withheld
+by  checkpoint, some of them are running....Shorewall." -- Name withheld by
-by request,  Europe</p>
+request,  Europe</p>
 <p>"thanx for all your efforts you put into shorewall - this product stands 
 out  against a lot of commercial stuff i´ve been working with in terms of 
@ -90,12 +92,13 @@ people  recommending it. :-)<br>
  <br>
   </p>
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002 
 - <a href="support.htm">Tom Eastep</a>      </font>                      
                      </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -20,12 +20,13 @@
                                    <td width="100%" height="90">       
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                        </a></i></font><font color="#ffffff">Shorewall 1.3
+                               </a></i></font><font color="#ffffff">Shorewall 
- -        <font size="4">"<i>iptables made easy"</i></font></font></h1>
+  1.3   -        <font size="4">"<i>iptables made easy"</i></font></font></h1>
      <div align="center"><a href="1.2" target="_top"><font
@ -49,31 +50,36 @@
                                      <td width="90%">                  
      <h2 align="left">What is it?</h2>
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                           
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
       that can be used on a dedicated firewall system, a multi-function 
      gateway/router/server or on a standalone GNU/Linux system.</p>
      <p>This program is free software; you can redistribute it and/or modify 
            it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                                   <br>
-                             This program is distributed in the hope that 
+                                    This program is distributed in the hope 
-it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the
+ that   it  will   be  useful,    but        WITHOUT ANY WARRANTY; without 
- implied   warranty  of MERCHANTABILITY           or FITNESS FOR A PARTICULAR
+ even the  implied   warranty  of MERCHANTABILITY           or FITNESS FOR 
- PURPOSE.   See the  GNU General Public License          for more details.<br>
+ A PARTICULAR    PURPOSE.   See the  GNU General Public License          for
 more details.<br>
                                   <br>
-                             You should have received a copy of the GNU General 
+                                    You should have received a copy of the
-   Public    License          along with this program; if not, write to the 
+ GNU   General     Public    License          along with this program; if
-  Free Software    Foundation,          Inc., 675 Mass Ave, Cambridge, MA 
+not, write  to the    Free Software    Foundation,          Inc., 675 Mass
-02139,   USA</p>
+Ave, Cambridge,  MA  02139,   USA</p>
@ -81,12 +87,14 @@ it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                        </a>Jacques        Nilo and Eric Wolzak have a LEAF 
+                               </a>Jacques        Nilo and Eric Wolzak have 
- distribution       called        <i>Bering</i> that        features Shorewall-1.3.3 
+ a  LEAF   distribution       called        <i>Bering</i> that        features 
- and  Kernel-2.4.18.      You can find their work at:   <a
+  Shorewall-1.3.3   and  Kernel-2.4.18.      You can find their work at: 
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+       <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
@ -94,51 +102,79 @@ it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the
-      <p><b>9/30/2002 - Shorewall 1.3.9a </b><b><img border="0"
+             
      <h2></h2>
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                          </b></p>
 This release rolls up fixes to the installer and to the firewall script.<br>
 <b><br>
 10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                          </b><br>
      <br>
  The firewall and server here at shorewall.net are now running RedHat release
 8.0.<br>
      <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>                         
      </b></p>
        Roles up the fix for broken tunnels.<br>
-      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!! </b><b><img
+      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>               
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
-There is an updated firewall script at <a
+            <img src="images/j0233056.gif" alt="Brown Paper Bag"
 width="50" height="86" align="left">
       There is an updated firewall script at <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-- copy that file to /usr/lib/shorewall/firewall.<br>
+   -- copy that file to /usr/lib/shorewall/firewall.<br>
-      <p><b>9/28/2002 - Shorewall 1.3.9 </b><b><img border="0"
+                                                       
- src="images/new10.gif" width="28" height="12" alt="(New)">
+      <p><b><br>
            </b></p>
      <p><b><br>
            </b></p>
      <p><b><br>
      9/28/2002 - Shorewall 1.3.9 </b><b>                          </b></p>
      <p>In this version:<br>
             </p>
      <ul>
-             <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a> 
+                    <li><a href="configuration_file_basics.htm#dnsnames">DNS
-  are now allowed in Shorewall config files (although I recommend against 
+  Names</a>     are now allowed in Shorewall config files (although I recommend
-using  them).</li>
+  against   using  them).</li>
-             <li>The connection SOURCE may now be qualified by both interface 
+                    <li>The connection SOURCE may now be qualified by both
-  and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
+ interface      and IP address in a <a href="Documentation.htm#Rules">Shorewall
 rule</a>.</li>
                    <li>Shorewall startup is now disabled after initial installation
-  until the file /etc/shorewall/startup_disabled is removed. This avoids nasty
+      until the file /etc/shorewall/startup_disabled is removed. This avoids
-  surprises at reboot for users who install Shorewall but don't configure 
+   nasty   surprises at reboot for users who install Shorewall but don't
-it.</li>
+configure     it.</li>
-            <li>The 'functions' and 'version' files and the 'firewall' symbolic
+                   <li>The 'functions' and 'version' files and the 'firewall' 
- link have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease
+  symbolic   link have been  moved from /var/lib/shorewall to /usr/lib/shorewall 
- the LFS police at Debian.<br>
+  to appease   the LFS police at Debian.<br>
                   </li>
      </ul>
      <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
       Restored</b><b>                   </b><br>
                     </p>
                   <img src="images/j0233056.gif" alt="Brown Paper Bag"
 width="50" height="86" align="left">
-        A couple of recent configuration changes at www.shorewall.net broke 
+               A couple of recent configuration changes at www.shorewall.net
- the  Search facility:<br>
+  broke    the  Search facility:<br>
      <blockquote>                                                       
        <ol>
                       <li>Mailing List Archive Search was not available.</li>
                       <li>The Site Search index was incomplete</li>
@ -149,38 +185,45 @@ it.</li>
                   </blockquote>
                Hopefully these problems are now corrected.             
      <p><b>9/18/2002 -  Debian 1.3.8 Packages Available </b><b>         
         </b><br>
                          </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
                      <b> </b>                                          
      <p><b>9/16/2002 - Shorewall 1.3.8</b><b>                   </b></p>
      <p>In this version:<br>
                          </p>
      <ul>
-                          <li>A NEWNOTSYN option has been added to shorewall.conf.
+                                 <li>A NEWNOTSYN option has been added to 
-     This   option  determines whether Shorewall accepts TCP packets which
+shorewall.conf.         This   option  determines whether Shorewall accepts 
- are    not part   of an  established connection and that are not 'SYN' packets
+TCP packets which     are    not part   of an  established connection and 
-   (SYN  flag on   and ACK  flag off).</li>
+that are not 'SYN'  packets     (SYN  flag on   and ACK  flag off).</li>
                                 <li>The need for the 'multi' option to communicate 
     between     zones    za and zb on the same interface is removed in the 
-case   where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will exist
+  case   where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will 
-if:                                                                     
+exist  if:                                                               
          <ul>
                                    <li>There is a policy for za to zb; or</li>
-                             <li>There is at least one rule for za to zb. 
+                                    <li>There is at least one rule for za 
-                                    </li>
+to  zb.                                       </li>
@ -188,72 +231,88 @@ if:
                                </li>
      </ul>
      <ul>
-                          <li>The /etc/shorewall/blacklist file now contains
+                                 <li>The /etc/shorewall/blacklist file now
-  three    columns.     In addition to the SUBNET/ADDRESS column, there are
+ contains     three    columns.     In addition to the SUBNET/ADDRESS column,
-  optional    PROTOCOL and    PORT columns to block only certain applications
+ there are    optional    PROTOCOL and    PORT columns to block only certain
-  from the   blacklisted addresses.<br>
+ applications     from the   blacklisted addresses.<br>
                            </li>
      </ul>
      <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
      <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
      <p>This is a role up of a fix for "DNAT" rules where the source zone 
            is $FW   (fw).</p>
      <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
      <p>This is a role up of the "shorewall refresh" bug fix and the change 
            which   reverses the order of "dhcp" and "norfc1918" checking.</p>
      <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
      <p><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
            is now available.</p>
      <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
      <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now 
            mirrored   at <a target="_top"
 href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
      <p><a href="News.htm">More News</a></p>
      <h2><a name="Donations"></a>Donations</h2>
      </td>
                                      <td width="88" bgcolor="#4b017c"
 valign="top" align="center">             <a
@ -266,6 +325,7 @@ if:
                                  </center>
                                </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -274,6 +334,7 @@ if:
                               <td width="100%" style="margin-top: 1px;"> 
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
@ -281,8 +342,8 @@ if:
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-but if       you try it and find it useful, please consider making a donation
+if       you try it and find it useful, please consider making a donation 
            to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                               </td>
@ -292,9 +353,11 @@ but if       you try it and find it useful, please consider making a donation
  </tbody>                         
 </table>
-<p><font size="2">Updated       9/30/2002 - <a href="support.htm">Tom Eastep</a></font> 
+       
 <p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a></font>
      <br>
-</p>
+ </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -29,7 +29,7 @@
 <p align="center">       <img border="3" src="images/Hiking1.jpg"
 alt="Tom on the PCT - 1991" width="374" height="365">
-</p>
+   </p>
 <p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,  
    Washington  -- Sept       1991.<br>
@ -41,9 +41,9 @@
        <li>BA Mathematics from <a href="http://www.wsu.edu">Washington State 
  University</a>  1967</li>
        <li>MA Mathematics from <a href="http://www.washington.edu">University
-of Washington</a> 1969</li>
+  of Washington</a> 1969</li>
        <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
-) 1969 - 1980</li>
+  ) 1969 - 1980</li>
        <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
   (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
        <li>Married 1969 - no children.</li>
@ -54,10 +54,10 @@ of Washington</a> 1969</li>
  operating system from the NonStop Enterprise Division of HP. </p>
 <p>I became interested in Internet Security when I established a home office 
-in 1999 and had DSL service installed in our       home. I investigated ipchains
+ in 1999 and had DSL service installed in our       home. I investigated ipchains
-and developed the scripts which are now collectively known as <a
+ and developed the scripts which are now collectively known as <a
 href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
-on what I learned from Seattle Firewall, I then       designed and wrote
+ on what I learned from Seattle Firewall, I then       designed and wrote 
 Shorewall. </p>
 <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, 
@ -67,22 +67,23 @@ Shorewall. </p>
 <ul>
        <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs 
-and LNE100TX      (Tulip) NIC - My personal Windows system.</li>
+ and LNE100TX      (Tulip) NIC - My personal Windows system. Also has SuSE
-     <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
+ 8.0 installed.</li>
-My      personal Linux System which runs Samba configured as a WINS server.
+        <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC 
-This      system also has <a href="http://www.vmware.com/">VMware</a> installed
+-  My      personal Linux System which runs Samba configured as a WINS server. 
-and      can run both <a href="http://www.debian.org">Debian</a> and    
+ This      system also has <a href="http://www.vmware.com/">VMware</a> installed 
 and      can run both <a href="http://www.debian.org">Debian</a> and    
    <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
-     <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
+        <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
-&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server      (Bind).</li>
+(Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
-     <li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
+     (Bind).</li>
- 3      LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
+        <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
-1.3.9 (Yep -- I run them before I release them) and a DHCP     server.  Also
+(Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.9a  and a DHCP
- runs PoPToP for     road warrior access.</li>
+    server.  Also   runs PoPToP for     road warrior access.</li>
        <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
     personal system.</li>
        <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 
-and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
+ and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
 </ul>
@ -95,17 +96,20 @@ and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
 <p><a href="http://www.redhat.com"><img border="0"
 src="images/poweredby.png" width="88" height="31">
-</a><a href="http://www.compaq.com"><img border="0"
+   </a><a href="http://www.compaq.com"><img border="0"
 src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
-</a><a href="http://www.pureftpd.org"><img border="0"
+   </a><a href="http://www.pureftpd.org"><img border="0"
 src="images/pure.jpg" width="88" height="31">
-</a><font size="4"><a href="http://www.apache.org"><img border="0"
+   </a><font size="4"><a href="http://www.apache.org"><img border="0"
 src="images/apache_pb1.gif" hspace="2" width="170" height="20">
-</a>  </font></p>
+   </a>  </font></p>
-<p><font size="2">Last updated 9/19/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 10/6/2002 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
      <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -30,22 +30,22 @@
  </tbody>  
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.</p>
+we must  all first walk before we can run.</p>
 <h2>The Guides</h2>
 <p>These guides provide step-by-step instructions for configuring Shorewall
-in  common firewall setups.</p>
+ in  common firewall setups.</p>
 <p>The following guides are for users who have a single public IP address:</p>
 <ul>
     <li><a href="standalone.htm">Standalone</a> Linux System</li>
     <li><a href="two-interface.htm">Two-interface</a> Linux System acting
-as a    firewall/router for a small local network</li>
+ as a    firewall/router for a small local network</li>
     <li><a href="three-interface.htm">Three-interface</a> Linux System acting
-as a    firewall/router for a small local network and a DMZ.</li>
+ as a    firewall/router for a small local network and a DMZ.</li>
 </ul>
@ -54,15 +54,15 @@ as a    firewall/router for a small local network and a DMZ.</li>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
  the steps necessary to set up a firewall where there are multiple public
-IP  addresses involved or if you want to learn more about Shorewall than is
+ IP  addresses involved or if you want to learn more about Shorewall than
- explained in the single-address guides above.</p>
+is  explained in the single-address guides above.</p>
 <ul>
     <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
     <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
     <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
     <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
-and Routing</a>     
+ and Routing</a>          
    <ul>
       <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
       <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
@ -77,8 +77,8 @@ Protocol</a></li>
    </ul>
     </li>
-    <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a> 
+     <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
-    
+Network</a>           
    <ul>
       <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -102,15 +102,16 @@ Protocol</a></li>
     </li>
     <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
     <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
-and    Stopping the Firewall</a></li>
+ and    Stopping the Firewall</a></li>
 </ul>
 <h2><a name="Documentation"></a>Additional Documentation</h2>
 <p>The following documentation covers a variety of topics and supplements
-the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described 
+ the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
-above.</p>
+ above. Please review the appropriate guide before trying to use this documentation
 directly.</p>
 <ul>
     <li><a href="blacklisting_support.htm">Blacklisting</a>          
@ -121,7 +122,7 @@ above.</p>
    </ul>
     </li>
     <li><a href="configuration_file_basics.htm">Common configuration file
-features</a>     
+ features</a>          
    <ul>
       <li>Comments in configuration files</li>
       <li>Line Continuation</li>
@ -162,13 +163,13 @@ features</a>
     </li>
     <li><a href="dhcp.htm">DHCP</a></li>
     <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
-Scripts</a></font>    (How to extend Shorewall without modifying Shorewall 
+ Scripts</a></font>    (How to extend Shorewall without modifying Shorewall
-code)</li>
+ code)</li>
     <li><a href="fallback.htm">Fallback/Uninstall</a></li>
     <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
     <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
     <li><a href="myfiles.htm">My  Configuration Files</a> (How I personally
-use Shorewall)</li>
+ use Shorewall)</li>
     <li><a href="ports.htm">Port Information</a>          
    <ul>
       <li>Which applications use which ports</li>
@ -188,7 +189,7 @@ use Shorewall)</li>
       <li><a href="IPIP.htm">GRE and IPIP</a></li>
       <li><a href="PPTP.htm">PPTP</a></li>
       <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
-to a      remote network.</li>
+ to a      remote network.</li>
    </ul>
     </li>
@ -199,11 +200,12 @@ to a      remote network.</li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 9/16/2002 - <a
+<p><font size="2">Last modified 10/5/2002 - <a
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/two-interface.htm
+++ b/STABLE/documentation/two-interface.htm
@ -35,7 +35,7 @@
 <p>This guide doesn't attempt to acquaint you with all of the features of
   Shorewall. It rather focuses on what is required to configure Shorewall
-in its  most common configuration:</p>
+ in its  most common configuration:</p>
 <ul>
       <li>Linux system used as a firewall/router for a small local network.</li>
@ -52,10 +52,10 @@ in its  most common configuration:</p>
    </p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
- (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
- this  package is installed by the presence of an <b>ip</b> program on your
+if  this  package is installed by the presence of an <b>ip</b> program on
- firewall  system. As root, you can use the 'which' command to check for
+your  firewall  system. As root, you can use the 'which' command to check
-this  program:</p>
+for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
@ -69,23 +69,23 @@ this  program:</p>
         If you edit your configuration files on a Windows system, you must 
 save them as  Unix files if your editor supports that option or you must 
 run them through  dos2unix before trying to use them. Similarly, if you copy 
-a configuration file  from your Windows hard drive to a floppy disk, you
+a configuration file  from your Windows hard drive to a floppy disk, you must
-must run dos2unix against the  copy before using it with Shorewall.</p>
+run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
  of    dos2unix</a></li>
       <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-Version  of    dos2unix</a></li>
+ Version  of    dos2unix</a></li>
 </ul>
 <h2 align="left">Shorewall Concepts</h2>
-<p>The configuration files for Shorewall are contained in the directory 
+<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
-/etc/shorewall -- for simple setups, you will only need to deal with a few
+-- for simple setups, you will only need to deal with a few of  these as
-of  these as described in this guide.  After you have <a
+described in this guide.  After you have <a href="Install.htm">installed
- href="Install.htm">installed Shorewall</a>,  download the <a
+Shorewall</a>,  download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
  un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
   (these files will replace files with the same name).</p>
@ -127,8 +127,8 @@ of  these as described in this guide.  After you have <a
  in  terms of zones.</p>
 <ul>
-      <li>You express your default policy for connections from one zone to
+       <li>You express your default policy for connections from one zone
- another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -136,14 +136,14 @@ of  these as described in this guide.  After you have <a
 </ul>
 <p>For each connection request entering the firewall, the request is first
- checked against the  /etc/shorewall/rules file. If no rule in that file matches
+  checked against the  /etc/shorewall/rules file. If no rule in that file
- the connection  request then the first policy in /etc/shorewall/policy that
+matches  the connection  request then the first policy in /etc/shorewall/policy
- matches the    request is applied. If that policy is REJECT or DROP  the
+that  matches the    request is applied. If that policy is REJECT or DROP 
-request is first  checked against the rules in /etc/shorewall/common (the
+the request is first  checked against the rules in /etc/shorewall/common
-samples provide that  file for you).</p>
+(the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample has
+<p>The /etc/shorewall/policy file included with the two-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -185,7 +185,7 @@ the  following policies:</p>
 <blockquote>             
  <p>In the two-interface sample, the line below is included but commented
  out. If  you want your firewall system to have full access to servers on
-the internet,  uncomment that line.</p>
+ the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -214,7 +214,7 @@ the internet,  uncomment that line.</p>
 <ol>
       <li>allow all connection requests from your local network to the internet</li>
       <li>drop (ignore) all connection requests from the internet to your
-firewall     or local network</li>
+ firewall     or local network</li>
       <li>optionally accept all connection requests from the firewall to 
 the     internet (if you uncomment the additional policy)</li>
       <li>reject all other connection requests.</li>
@ -231,9 +231,9 @@ the     internet (if you uncomment the additional policy)</li>
 height="635">
    </p>
-<p align="left">The firewall has two network interfaces. Where Internet 
+<p align="left">The firewall has two network interfaces. Where Internet  connectivity
-connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+is through a cable or DSL "Modem", the <i>External Interface</i>  will be
- will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling 
  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be 
@ -243,14 +243,15 @@ your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-       If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then you 
+        If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then
- will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+you   will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
 /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
  (eth1  or eth0) and will be connected to a hub or switch. Your other computers
  will be  connected to the same hub/switch (note: If you have only a single
- internal system,  you can connect the firewall directly to the computer using
+  internal system,  you can connect the firewall directly to the computer
- a <i>cross-over </i> cable).</p>
+using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
@ -262,11 +263,11 @@ your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
        The Shorewall two-interface sample configuration assumes that  the
-external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>. 
+ external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
  If your  configuration is different, you will have to modify the sample
-<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file 
+ <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
-accordingly.  While you are there, you may wish to  review the list of options 
+ accordingly.  While you are there, you may wish to  review the list of options
-that are  specified for the interfaces. Some hints:</p>
+ that are  specified for the interfaces. Some hints:</p>
 <ul>
       <li>                       
@ -286,15 +287,15 @@ that are  specified for the interfaces. Some hints:</p>
 <p align="left">Before going further, we should say a few words about Internet
   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
  <i> Public</i> IP address. This address may be assigned via the<i> Dynamic
- Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
+  Host  Configuration Protocol</i> (DHCP) or as part of establishing your
-  when you dial in (standard modem) or establish your PPP connection. In
+connection   when you dial in (standard modem) or establish your PPP connection.
-rare   cases, your ISP may assign you a<i> static</i> IP address; that means
+In rare   cases, your ISP may assign you a<i> static</i> IP address; that
-that  you  configure your firewall's external interface to use that address
+means that  you  configure your firewall's external interface to use that
-permanently.<i>  </i>However your external address is assigned, it will be
+address permanently.<i>  </i>However your external address is assigned, it
-shared by all of your systems when you access the  Internet. You will have
+will be shared by all of your systems when you access the  Internet. You
-to assign your  own addresses in your  internal network (the Internal Interface
+will have to assign your  own addresses in your  internal network (the Internal
-on your firewall  plus your other  computers). RFC 1918 reserves several
+Interface on your firewall  plus your other  computers). RFC 1918 reserves
-<i>Private </i>IP address ranges for this  purpose:</p>
+several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">       
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -304,8 +305,8 @@ on your firewall  plus your other  computers). RFC 1918 reserves several
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
           Before starting Shorewall, you should look at the IP address of
-your  external    interface and if it is one of the above ranges, you should 
+ your  external    interface and if it is one of the above ranges, you should
-remove  the    'norfc1918' option from the external interface's entry in 
+ remove  the    'norfc1918' option from the external interface's entry in
   /etc/shorewall/interfaces.</p>
    </div>
@ -313,13 +314,13 @@ remove  the    'norfc1918' option from the external interface's entry in
 <p align="left">You will want to assign your addresses from the same <i> 
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
     to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
- will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
+  will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
- reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as the
+is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as
- <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
+the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
- using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
+described  using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
- notation</a> with consists of the subnet address followed    by "/24". The
+</i>(CIDR)  notation</a> with consists of the subnet address followed   
- "24" refers to the number of    consecutive leading "1" bits from the left
+by "/24". The  "24" refers to the number of    consecutive leading "1" bits
- of the subnet mask. </p>
+from the left  of the subnet mask. </p>
    </div>
 <div align="left">       
@ -362,23 +363,23 @@ remove  the    'norfc1918' option from the external interface's entry in
 <div align="left">       
 <p align="left">One of the purposes of subnetting is to allow all computers
  in the    subnet to understand which other computers can be communicated
-with directly.    To communicate with systems outside of the subnetwork, systems
+ with directly.    To communicate with systems outside of the subnetwork,
-send packets    through a<i>  gateway</i>  (router).</p>
+systems send packets    through a<i>  gateway</i>  (router).</p>
    </div>
 <div align="left">       
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
        Your local computers (computer    1 and computer 2 in the above diagram)
- should be configured with their<i>    default gateway</i> to be the IP address 
+  should be configured with their<i>    default gateway</i> to be the IP
- of the firewall's internal    interface.<i>      </i> </p>
+address   of the firewall's internal    interface.<i>      </i> </p>
    </div>
 <p align="left">The foregoing short discussion barely scratches the surface
   regarding subnetting and routing. If you are interested in learning more
  about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
  What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
-A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <p align="left">The remainder of this quide will assume that you have configured
   your network as shown here:</p>
@ -398,18 +399,18 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
  host, the  firewall must perform <i>Network Address Translation </i>(NAT).
  The firewall  rewrites the source address in the packet to be the address
  of the firewall's  external interface; in other words, the firewall makes
- it look as if the firewall  itself is initiating the connection.  This is 
+  it look as if the firewall  itself is initiating the connection.  This
- necessary so that the  destination host will be able to route return packets 
+is   necessary so that the  destination host will be able to route return
- back to the firewall  (remember that packets whose destination address is 
+packets   back to the firewall  (remember that packets whose destination
- reserved by RFC 1918 can't  be routed across the internet so the remote host
+address is   reserved by RFC 1918 can't  be routed across the internet so
- can't address its response to  computer 1). When the firewall receives a
+the remote host  can't address its response to  computer 1). When the firewall
-return packet, it  rewrites the destination address  back to 10.10.10.1 and
+receives a return packet, it  rewrites the destination address  back to 10.10.10.1
- forwards the packet on to computer 1. </p>
+and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> but you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
       <li>                       
@ -433,8 +434,8 @@ return packet, it  rewrites the destination address  back to 10.10.10.1 and
 height="13">
        If your external firewall interface is <b>eth0</b>, you do not  need
  to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq
- and change the first column to the name of your external  interface and the
+  and change the first column to the name of your external  interface and
- second column to the name of your internal interface.</p>
+the  second column to the name of your internal interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
@ -447,16 +448,16 @@ return packet, it  rewrites the destination address  back to 10.10.10.1 and
 <p align="left">One of your goals may be to run one or more servers on your
   local computers. Because these computers have RFC-1918 addresses, it is
-not  possible for clients on the internet to connect directly to them. It 
+ not  possible for clients on the internet to connect directly to them. It
-is rather  necessary for those clients to address their connection requests 
+ is rather  necessary for those clients to address their connection requests
-to the firewall  who rewrites the destination address to the address of your 
+ to the firewall  who rewrites the destination address to the address of
- server and forwards  the packet to that server. When your server responds, 
+your   server and forwards  the packet to that server. When your server responds,
- the firewall automatically  performs SNAT to rewrite the source address in
+  the firewall automatically  performs SNAT to rewrite the source address
- the response.</p>
+in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
  Destination Network Address Translation</i> (DNAT). You configure port 
- forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
+forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules
  is:</p>
@ -523,13 +524,13 @@ port&gt;</i>]</td>
 <ul>
       <li>You must test the above rule from a client outside of your local 
- network    (i.e., don't test from a browser running on computers 1 or 2
+ network    (i.e., don't test from a browser running on computers 1 or 2 or
-or  on the    firewall). If you want to be able to access your web server
+ on the    firewall). If you want to be able to access your web server using
-using  the IP    address of your external interface, see <a
+ the IP    address of your external interface, see <a
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
       <li>Many ISPs block incoming connection requests to port 80. If you
-have     problems connecting to your web server, try the following rule and 
+ have     problems connecting to your web server, try the following rule
-try     connecting to port 5000.</li>
+and  try     connecting to port 5000.</li>
 </ul>
@ -568,35 +569,35 @@ that  you require.</p>
 <p align="left">Normally, when you connect to your ISP, as part of getting
  an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
-will be  automatically configured (e.g., the /etc/resolv.conf file will be 
+ will be  automatically configured (e.g., the /etc/resolv.conf file will
-written).  Alternatively, your ISP may have given you the IP address of a 
+be  written).  Alternatively, your ISP may have given you the IP address
-pair of DNS <i> name servers</i> for you to manually configure as your primary 
+of a  pair of DNS <i> name servers</i> for you to manually configure as your
-and secondary  name servers. Regardless of how DNS gets configured on your 
+primary  and secondary  name servers. Regardless of how DNS gets configured
-firewall, it is <u>your</u> responsibility to configure the resolver in your 
+on your  firewall, it is <u>your</u> responsibility to configure the resolver
- internal systems. You can take one of two approaches:</p>
+in your   internal systems. You can take one of two approaches:</p>
 <ul>
       <li>                       
    <p align="left">You can configure your internal systems to use your ISP's
- name    servers. If you ISP gave you the addresses of their servers or if 
+  name    servers. If you ISP gave you the addresses of their servers or
- those    addresses are available on their web site, you can configure your 
+if   those    addresses are available on their web site, you can configure
- internal    systems to use those addresses. If that information isn't available, 
+your   internal    systems to use those addresses. If that information isn't
- look in    /etc/resolv.conf on your firewall system -- the name servers are
+available,   look in    /etc/resolv.conf on your firewall system -- the name
- given in    "nameserver" records in that file.   </p>
+servers are  given in    "nameserver" records in that file.   </p>
      </li>
      <li>                       
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
        You can configure a<i> Caching Name Server </i>on your    firewall.<i>
      </i>Red Hat has an RPM for a caching name server (the RPM also    requires
- the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take 
+  the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you   
- this approach, you configure your internal systems to use the firewall  
+take   this approach, you configure your internal systems to use the firewall
   itself as their primary (and only) name server. You use the internal IP
   address of the firewall (10.10.10.254 in the example above) for the name
-    server address. To allow your local systems to talk to your caching name 
+     server address. To allow your local systems to talk to your caching
-    server, you must open port 53 (both UDP and TCP) from the local network 
+name      server, you must open port 53 (both UDP and TCP) from the local
- to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
+network   to the    firewall; you do that by adding the following rules in
-      </p>
+/etc/shorewall/rules.       </p>
      </li>
 </ul>
@ -685,7 +686,7 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
 <div align="left">       
 <p align="left">Those rules allow DNS access from your firewall and may be
-    removed if you commented out the line in /etc/shorewall/policy allowing 
+     removed if you uncommented the line in /etc/shorewall/policy allowing
  all    connections from the firewall to the internet.</p>
    </div>
@ -806,12 +807,13 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
 <div align="left">       
 <p align="left">Those two rules would of course be in addition to the rules
-    listed above under "You can configure a Caching Name Server on your firewall"</p>
+     listed above under "You can configure a Caching Name Server on your
 firewall"</p>
    </div>
 <div align="left">       
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
    </div>
 <div align="left">       
@ -865,9 +867,9 @@ connections  as required.</p>
 width="13" height="13" alt="Arrow">
       The <a href="Install.htm">installation procedure </a>   configures 
 your system to start Shorewall at system boot  but beginning with Shorewall 
-version 1.3.9 startup is disabled so that your system won't try to start
+version 1.3.9 startup is disabled so that your system won't try to start Shorewall
-Shorewall before configuration is complete. Once you have completed configuration
+before configuration is complete. Once you have completed configuration of
-of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
    </p>
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -891,22 +893,22 @@ and set 'startup=1'.</font><br>
 height="13">
        The two-interface sample assumes that you want to enable    routing 
 to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If   
- your local network isn't connected to <b>eth1</b> or if you wish to enable
+your local network isn't connected to <b>eth1</b> or if you wish to enable 
   access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
    </div>
 <div align="left">       
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
  the    internet, do not issue a "shorewall stop" command unless you have
-added an    entry for the IP address that you are connected from to   <a
+ added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.  
 Also, I don't recommend using "shorewall restart"; it is better to create
  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
  and    test it using the <a href="Documentation.htm#Starting">"shorewall
-try" command</a>.</p>
+ try" command</a>.</p>
    </div>
-<p align="left"><font size="2">Last updated 9/26/2002 - <a
+<p align="left"><font size="2">Last updated 10/9/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
@ -915,5 +917,6 @@ try" command</a>.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.9a
+VERSION=1.3.9b
 usage() # $1 = exit status
 {
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.9a
+VERSION=1.3.9b
 usage() # $1 = exit status
 {
@ -167,6 +167,8 @@ while [ $# -gt 0 ] ; do
    ARGS="yes"
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
@ -282,13 +284,18 @@ fi
 # Install the functions file
 #
 if [ -f ${PREFIX}/etc/shorewall/functions ]; then
    backup_file ${PREFIX}/etc/shorewall/functions
    rm -f  ${PREFIX}/etc/shorewall/functions
 fi
 if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
    backup_file ${PREFIX}/var/lib/shorewall/functions
    rm -f  ${PREFIX}/var/lib/shorewall/functions
 fi
 install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
-echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions"
+echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions"
 #
 # Install the common.def file
 #
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.9a
+VERSION=1.3.9b
 usage() # $1 = exit status
 {