Shorewall 1.4.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@518 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-03-22 00:25:40 +00:00 · 2003-03-22 00:25:40 +00:00 · 8377f70bc7
commit 8377f70bc7
parent 04d78dc49f
20 changed files with 8653 additions and 8585 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@ -50,17 +50,30 @@
 <ul>
        <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
        <br>
-       <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
+        <b>Note1: </b>Some SuSE users have encountered a problem whereby
- reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
+rpm  reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel
-installed.  If this    happens, simply use the --nodeps option to rpm (rpm
+is installed.  If this    happens, simply use the --nodeps option to rpm
-ivh --nodeps  &lt;shorewall    rpm&gt;).</li>
+(rpm -ivh --nodeps  &lt;shorewall    rpm&gt;).<br>
-       <li>Edit the <a href="#Config_Files"> configuration files</a> to match
+    <br>
-  your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
+    <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
 on the iproute package. Unfortunately, some distributions call this package
 iproute2 which will cause the installation of Shorewall to fail with the
 diagnostic:<br>
    <br>
      error: failed dependencies:iproute is needed by  shorewall-1.4.0-1   
    <br>
    <br>
 This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
 &lt;shorewall rpm&gt;).<br>
    <br>
  </li>
        <li>Edit the <a href="#Config_Files"> configuration files</a> to
 match   your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> 
  SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
  IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND 
  AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY 
-NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO
+NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE
-RESTORE NETWORK  CONNECTIVITY.</b></font></li>
+NETWORK  CONNECTIVITY.</b></font></li>
        <li>Start the firewall by typing "shorewall start"</li>
 </ul>
@ -79,15 +92,15 @@ RESTORE NETWORK  CONNECTIVITY.</b></font></li>
 href="http://www.corel.com">Corel</a>,           <a
 href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
-       <li>If you are using <a href="http://www.suse.com">SuSe</a> then type 
+        <li>If you are using <a href="http://www.suse.com">SuSe</a> then
-     "./install.sh /etc/init.d"</li>
+type       "./install.sh /etc/init.d"</li>
        <li>If your distribution has directory             /etc/rc.d/init.d 
 or  /etc/init.d then type             "./install.sh"</li>
        <li>For other distributions, determine where your             distribution 
  installs init scripts and type             "./install.sh &lt;init script 
 directory&gt;</li>
-       <li>Edit the <a href="#Config_Files"> configuration files</a> to match
+        <li>Edit the <a href="#Config_Files"> configuration files</a> to
-  your configuration.</li>
+match   your configuration.</li>
        <li>Start the firewall by typing "shorewall             start"</li>
        <li>If the install script was unable to configure Shorewall to be 
 started   automatically at boot,             see <a
@ -96,20 +109,19 @@ started   automatically at boot,             see <a
 </ul>
 <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering 
- disk, simply replace the "shorwall.lrp" file on the image with the file
+ disk, simply replace the "shorwall.lrp" file on the image with the file that
-that  you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
+ you downloaded. See the <a href="two-interface.htm">two-interface QuickStart 
 Guide</a> for information about further steps required.</p>
 <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed 
  and are upgrading to a new version:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
-and you  have entries in the /etc/shorewall/hosts file then please check
+or and you  have entries in the /etc/shorewall/hosts file then please check 
 your  /etc/shorewall/interfaces file to be sure that it contains an entry 
 for each  interface mentioned in the hosts file. Also, there are certain 
-1.2 rule forms  that are no longer supported under 1.4 (you must use the
+1.2 rule forms  that are no longer supported under 1.4 (you must use the new
-new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
+1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
 details.</p>
 <ul>
        <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
@ -117,28 +129,38 @@ details.</p>
 Beta RPMs installed,     you must use the "--oldpackage" option to rpm (e.g.,
 "rpm     -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").               
-    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby
+    <p>   <b>Note1: </b>Some SuSE users have encountered a problem whereby 
  rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel 
- is installed. If this    happens, simply use the --nodeps option to rpm
+ is installed. If this    happens, simply use the --nodeps option to rpm (rpm
-(rpm   -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
+  -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
-         </p>
+    <br>
    <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on
 the iproute package. Unfortunately, some distributions call this package iproute2
 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
   <br>
      error: failed dependencies:iproute is needed by  shorewall-1.4.0-1
    <br>
   <br>
 This may be worked around by using the --nodeps option of rpm (rpm -Uvh
 --nodeps &lt;shorewall rpm&gt;). </p>
       </li>
       <li>See if there are any incompatibilities between your configuration
-and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
+ and the    new Shorewall version (type "shorewall check") and correct as
 necessary.</li>
        <li>Restart the firewall (shorewall restart).</li>
 </ul>
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
-and are upgrading to a new version using the tarball:</p>
+are upgrading to a new version using the tarball:</p>
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
-and you  have entries in the /etc/shorewall/hosts file then please check
+you  have entries in the /etc/shorewall/hosts file then please check your
-your  /etc/shorewall/interfaces file to be sure that it contains an entry
+ /etc/shorewall/interfaces file to be sure that it contains an entry for
-for each  interface mentioned in the hosts file.  Also, there are certain
+each  interface mentioned in the hosts file.  Also, there are certain 1.2
-1.2 rule  forms that are no longer supported under 1.4 (you must use the
+rule  forms that are no longer supported under 1.4 (you must use the new
-new 1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
+1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
-for details. </p>
+details. </p>
 <ul>
    <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -151,15 +173,16 @@ for details. </p>
 href="http://www.corel.com">Corel</a>,           <a
 href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
-       <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type 
+        <li>If you are using<a href="http://www.suse.com"> SuSe</a> then
-     "./install.sh /etc/init.d"</li>
+type       "./install.sh /etc/init.d"</li>
        <li>If your distribution has directory             /etc/rc.d/init.d 
 or  /etc/init.d then type             "./install.sh"</li>
        <li>For other distributions, determine where your             distribution 
  installs init scripts and type             "./install.sh &lt;init script 
 directory&gt;</li>
        <li>See if there are any incompatibilities between your configuration
-and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
+ and the    new Shorewall version (type "shorewall check") and correct as
 necessary.</li>
        <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
@ -171,15 +194,14 @@ installation and wish to upgrade to a later version of Shorewall:<br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
 <p>You will need to edit some or all of the configuration files to match 
- your  setup. In most cases, the <a
+your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
- href="shorewall_quickstart_guide.htm">Shorewall   QuickStart Guides</a>
+  QuickStart Guides</a> contain all of the information you need.</p>
 contain all of the information you need.</p>
 <ul>
 </ul>
-<p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a> 
  </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>   © <font
@ -189,5 +211,6 @@ contain all of the information you need.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@ -29,8 +29,8 @@
 <p>Proxy ARP allows you to insert a firewall in front of a set of servers 
      without changing their IP addresses and without having to re-subnet. 
-Before you try to use this technique, I strongly recommend that you read the
+ Before you try to use this technique, I strongly recommend that you read 
-<a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
+the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
 <p>The following figure represents a Proxy ARP     environment.</p>
@ -83,7 +83,16 @@ or /etc/shorewall/nat.</p>
 <p>The lower systems (130.252.100.18 and 130.252.100.19) should have their 
      subnet mask and default gateway configured exactly the same way that 
-the      Firewall system's eth0 is configured.</p>
+ the      Firewall system's eth0 is configured.  In other words, they should
 be configured just like they would be if they were parallel to the firewall
 rather than behind it.<br>
 </p>
 <p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
 (130.252.100.18 and 130.252.100.19 in the above example)  to the external
 interface (eth0 in this example) of the firewall.</b></font><br>
                     </p>
 <div align="left">            </div>
 <div align="left">      
 <p align="left">A word of warning is in order here. ISPs typically configure 
@ -97,22 +106,22 @@ There are a couple of things that you can try:<br>
     <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, 
 Vol 1</i> reveals that a <br>
       <br>
- "gratuitous" ARP packet should cause the ISP's router to refresh their ARP 
+   "gratuitous" ARP packet should cause the ISP's router to refresh their 
-cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC 
+ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the 
-address for its own IP; in addition to ensuring that the IP address isn't 
+MAC  address for its own IP; in addition to ensuring that the IP address isn't
 a duplicate...<br>
       <br>
- "if the host sending the gratuitous ARP has just changed its hardware address..., 
+   "if the host sending the gratuitous ARP has just changed its hardware
-this packet causes any other host...that has an entry in its cache for the 
+address...,  this packet causes any other host...that has an entry in its
-old hardware address to update its ARP cache entry accordingly."<br>
+cache for the  old hardware address to update its ARP cache entry accordingly."<br>
       <br>
   Which is, of course, exactly what you want to do when you switch a host
 from being exposed to the Internet to behind Shorewall using proxy ARP (or
 static NAT for that matter). Happily enough, recent versions of Redhat's
 iputils package include "arping", whose "-U" flag does just that:<br>
       <br>
-     <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied 
+       <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly
-IP&gt;</i></b></font><br>
+proxied  IP&gt;</i></b></font><br>
       <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
       <br>
   Stevens goes on to mention that not all systems respond correctly to gratuitous 
@ -122,8 +131,8 @@ most of the time.<br>
  To use arping with Proxy ARP in the above example, you would have to:<br>
      <br>
      <font color="#009900"><b>    shorewall clear<br>
-    </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 dev
+      </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18
-eth0<br>
+dev  eth0<br>
      ip addr add 130.252.100.19 dev eth0</b></font><br>
       <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
      <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
@ -170,10 +179,12 @@ gateway's ARP cache still    associates 130.252.100.19 with the NIC in that
 system rather than with the firewall's    eth0.</p>
   </div>
-<p><font size="2">Last updated 1/26/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
    <a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -42,6 +42,7 @@
 <ol>
                         <li>                                           
    <p align="left">          <b><u>I</u>f you use a Windows system to download 
          a corrected     script, be sure to run the script through <u>  
         <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -50,13 +51,15 @@
                                      </li>
                         <li>                                           
-    <p align="left">          <b>If you are installing Shorewall for the
+   
-first time and plan to use the        .tgz and install.sh script, you can
+    <p align="left">          <b>If you are installing Shorewall for the first
-untar the archive, replace the        'firewall' script in the untarred directory
+time and plan to use the        .tgz and install.sh script, you can untar
 the archive, replace the        'firewall' script in the untarred directory 
          with the one you downloaded        below, and then run install.sh.</b></p>
                                      </li>
                         <li>                                           
    <p align="left">          <b>When the instructions say to install a corrected
        firewall   script in        /usr/share/shorewall/firewall, you may
 rename the existing file before copying in the new file.</b></p>
@ -86,8 +89,8 @@ rename the existing file before copying in the new file.</b></p>
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3
    on RH7.2</a></font></b></li>
                         <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
-RedHat iptables</a></b></li>
+iptables</a></b></li>
                         <li><b><a href="#SuSE">Problems installing/upgrading 
  RPM   on  SuSE</a></b></li>
                         <li><b><a href="#Multiport">Problems with iptables 
@ -103,7 +106,16 @@ and   NAT</a></b><br>
 <h3></h3>
- None. 
+  
 <h3>1.4.0</h3>
 <ul>
  <li>When running under certain shells Shorewall will attempt to create
 ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
 /etc/shorewall/ecn or you can install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
 correct script</a> in /usr/share/shorewall/firewall as described above.<br>
  </li>
 </ul>
 <hr width="100%" size="2">                                             
 <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
@ -117,8 +129,8 @@ and   NAT</a></b><br>
 <blockquote>                                                            
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
-                  prevent it from working with Shorewall. Regrettably,  RedHat 
+                   prevent it from working with Shorewall. Regrettably, 
-     released    this buggy iptables in RedHat   7.2. </p>
+RedHat       released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
@ -181,32 +193,38 @@ download         from<font color="#ff6633">   <a
 installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
              this iptables RPM</a>. If you are already running a 1.2.5 version
-     of       iptables, you will need to specify the --oldpackage option to
+      of       iptables, you will need to specify the --oldpackage option
-  rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                       </blockquote>
 <h3><a name="SuSE"></a>Problems                                installing/upgrading 
          RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict                       
        with kernel &lt;= 2.2 yet you have a 2.4 kernel                 
              installed, simply use the "--nodeps" option to            
                   rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
 <h3><a name="Multiport"></a><b>Problems with                             
  iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made                       
        an incompatible change to the syntax used to                    
           specify multiport match rules; as a consequence,             
                  if you install iptables 1.2.7 you must be running     
                          Shorewall 1.3.7a or later or:</p>
 <ul>
                                                      <li>set MULTIPORT=No
 in                                   /etc/shorewall/shorewall.conf; or </li>
@ -229,17 +247,18 @@ in                                   /etc/shorewall/shorewall.conf; or </li>
                 Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-                The solution is to put "no" in the LOCAL column. Kernel support 
+                 The solution is to put "no" in the LOCAL column. Kernel
-   for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled 
+support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has
-it.   The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
+disabled  it.   The  2.4.19 kernel   contains corrected support under a new
-   option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 2/8/2003 -                             
+<p><font size="2">  Last updated 3/21/2003 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@ -34,13 +34,16 @@
 <h1>My Current Network </h1>
 <blockquote>                                                            
-  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small> 
+  <p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
  use a combination of Static NAT and Proxy ARP, neither of which are relevant
  to a simple configuration with a single public IP address.</small></b></big><big><b><small>
- If you have just a single public IP address, most of what you see here won't 
+  If you have just a single public IP address, most of what you see here
- apply to your setup so beware of copying parts of this configuration and 
+won't   apply to your setup so beware of copying parts of this configuration
-expecting them to work for you. What you copy may or may not work in your
+and  expecting them to work for you. What you copy may or may not work in
-configuration. </small></b></big><br>
+your configuration.<br>
  </small></b></big></p>
  <p><big><b><small><big><font color="#ff0000">Warning 2:</font></big> </small></b></big><b>My
 configuration uses features introduced in Shorewall version 1.4.1.</b><br>
      </p>
  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
@ -52,13 +55,13 @@ configuration. </small></b></big><br>
             </p>
  <ul>
-              <li>Static NAT for Ursa (my XP System) - Internal address 192.168.1.5
+               <li>Static NAT for Ursa (my XP System) - Internal address
-     and external address 206.124.146.178.</li>
+192.168.1.5      and external address 206.124.146.178.</li>
               <li>Static NAT for Wookie (my Linux System). Internal address
 192.168.1.3 and external address 206.124.146.179.</li>
               <li>SNAT through the primary gateway address (206.124.146.176) 
-  for    my Wife's system (Tarry)  and the laptop when connected through
+  for    my Wife's system (Tarry)  and the laptop when connected through the
-the Wireless Access Point (wap)</li>
+Wireless Access Point (wap)</li>
  </ul>
@ -99,10 +102,10 @@ X applications tunnel through SSH to XWin.exe running on Ursa.</p>
   255.255.255.0. The server's default gateway is                       
    206.124.146.254 (Router at my ISP. This is the same                 
          default gateway used by the firewall itself). On the firewall,
-                               Shorewall automatically adds a host route to
+                                Shorewall automatically adds a host route
-                            206.124.146.177 through eth1 (192.168.2.1) because
+to                             206.124.146.177 through eth1 (192.168.2.1)
-    of                           the entry in /etc/shorewall/proxyarp (see
+because     of                           the entry in /etc/shorewall/proxyarp
- below).</p>
+(see  below).</p>
  <p>A similar setup is used on eth3 (192.168.3.1) which                 
          interfaces to my laptop (206.124.146.180).<br>
@ -122,6 +125,7 @@ X applications tunnel through SSH to XWin.exe running on Ursa.</p>
  </blockquote>
 <h4> </h4>
 <h3>Params File (Edited):</h3>
 <blockquote>MIRRORS=<i>&lt;list of shorewall mirror ip addresses&gt;</i><br>
@ -141,8 +145,8 @@ X applications tunnel through SSH to XWin.exe running on Ursa.</p>
 <blockquote>                                                             
-  <p> This is set up so that I can start the firewall before bringing up
+  <p> This is set up so that I can start the firewall before bringing up my
-my Ethernet  interfaces. </p>
+Ethernet  interfaces. </p>
                </blockquote>
 <blockquote>      
@ -166,7 +170,7 @@ my Ethernet  interfaces. </p>
 <h3>Policy File:</h3>
 <blockquote>      
-  <pre>#SOURCE		DESTINATION	POLICY		LOG LEVEL	BURST:LIMIT<br>me              all             ACCEPT<br>tx              me              ACCEPT<br>all             me              CONTINUE        -               2/sec:5<br>loc             net             ACCEPT<br>$FW             loc             ACCEPT<br>$FW             tx              ACCEPT<br>loc             tx              ACCEPT<br>loc             fw              REJECT          $LOG<br>net             net             ACCEPT<br>net             all             DROP            $LOG            10/sec:40<br>all             all             REJECT          $LOG<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br></pre>
+  <pre>#SOURCE		DESTINATION	POLICY		LOG LEVEL	BURST:LIMIT<br>me		loc		NONE<br>loc		me		NONE<br>me              all             ACCEPT<br>tx              me              ACCEPT<br>all             me              CONTINUE        -               2/sec:5<br>loc             net             ACCEPT<br>$FW             loc             ACCEPT<br>$FW             tx              ACCEPT<br>loc             tx              ACCEPT<br>loc             fw              REJECT          $LOG<br>net             all             DROP            $LOG            10/sec:40<br>all             all             REJECT          $LOG<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br></pre>
  </blockquote>
 <h3>Masq File: </h3>
@ -223,5 +227,6 @@ my Ethernet  interfaces. </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@ -27,6 +27,10 @@
  </tbody>  
 </table>
 <p>"The configuration is intuitive and flexible, and much easier than any
 of the other iptables-based firewall programs out there. After sifting through
 many other scripts, it is obvious that yours is the most well thought-out
 and complete one available." -- BC, USA</p>
 <p>"I just installed Shorewall after weeks of messing with       ipchains/iptables
 and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
  </p>
@ -35,8 +39,8 @@ and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
 <ul>
    <li>One to see that I had no Internet access from the firewall itself.</li>
-   <li>Other to see that this was the default configuration, and it was enough 
+    <li>Other to see that this was the default configuration, and it was
-to uncomment a line in /etc/shorewall/policy.<br>
+enough  to uncomment a line in /etc/shorewall/policy.<br>
    </li>
 </ul>
@ -44,8 +48,8 @@ to uncomment a line in /etc/shorewall/policy.<br>
 and well documented thing for something as huge as iptables." -- JV, Spain. 
 <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without
-any problems. Your documentation is great and I really appreciate       your 
+ any problems. Your documentation is great and I really appreciate      
-network configuration info. That really helped me out alot.       THANKS!!!" 
+your  network configuration info. That really helped me out alot.       THANKS!!!"
 -- MM.           </p>
 <p>"[Shorewall is a] great, great project. I've used/tested may       firewall
@ -58,10 +62,10 @@ product as the Shorewall firewall package for no cost or obligation
  involved." -- Mario Kerecki, Toronto           </p>
 <p>"one time more to report, that your great shorewall in the latest    
-  release       1.2.9 is working fine for me with SuSE Linux 7.3! I now have
+   release       1.2.9 is working fine for me with SuSE Linux 7.3! I now
-7 machines up       and running with shorewall on several versions - starting
+have 7 machines up       and running with shorewall on several versions -
-with 1.2.2 up to       the new 1.2.9 and I never have encountered any problems!"
+starting with 1.2.2 up to       the new 1.2.9 and I never have encountered
-- SM, Germany</p>
+any problems!" -- SM, Germany</p>
 <p>"You have the best support of any other package I've ever       used."
 -- SE, US           </p>
@ -70,8 +74,8 @@ with 1.2.2 up to       the new 1.2.9 and I never have encountered any problems!"
 national government as secret, our security doesn't stop by putting a fence
  around our company. Information security is a hot issue. We also make use
 of  checkpoint firewalls, but not all of the internet servers are guarded
-by  checkpoint, some of them are running....Shorewall." -- Name withheld by
+ by  checkpoint, some of them are running....Shorewall." -- Name withheld
-request,  Europe</p>
+by request,  Europe</p>
 <p>"thanx for all your efforts you put into shorewall - this product stands
 out  against a lot of commercial stuff i´ve been working with in terms of
@ -82,8 +86,8 @@ out  against a lot of commercial stuff i
  Shorewall won hands down." -- RG, Toronto</p>
 <p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
-is a  wonderful piece of software. I've just sent out an email to about 30 
+ is a  wonderful piece of software. I've just sent out an email to about
-people  recommending it. :-)<br>
+30  people  recommending it. :-)<br>
   While I had previously taken the time (maybe 40 hours) to really understand
  ipchains, then spent at least an hour per server customizing and carefully
  scrutinizing firewall rules, I've got shorewall running on my home firewall,
@ -92,12 +96,13 @@ people  recommending it. :-)<br>
   <br>
    </p>
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002 
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
 - <a href="support.htm">Tom Eastep</a>      </font>                    
                        </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+  © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -63,6 +63,7 @@
          </div>
      <p><a href="http://www.shorewall.net" target="_top">              
       </a> </p>
@ -78,7 +79,7 @@
-      <div align="center"><a href="http://1.3/index.htm" target="_top"><font
+      <div align="center"><a href="1.3" target="_top"><font
 color="#ffffff">Shorewall 1.3 Site is here</font></a>                   
             <br>
@ -219,6 +220,7 @@ to    the    Free Software           Foundation,              Inc.,  675
      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.1!!! </b><br>
                                                         </p>
@ -228,271 +230,48 @@ Bering 1.1!!! </b><br>
      <h2>News</h2>
-      <p><b>3/17/2003 - Shorewall 1.4.0 </b><b>       </b><b><img
+      <p><b>3/24/2003 - Shorewall 1.4.1 </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
               </b><b>                  </b></p>
-                                                          Shorewall 1.4 represents
+This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
-     the  next  step in the evolution of Shorewall. The main thrust of the
+and removes additional warts.<br>
 initial    release  is simply to remove the cruft that has accumulated in
 Shorewall   over time.       <br>
      <br>
-              <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
+      <b>Problems Corrected:</b><br>
     ('ip' utility).</b><br>
              <br>
                  Function from 1.3 that has been omitted from this version 
 include:<br>
      <ol>
-         <li>The MERGE_HOSTS variable in shorewall.conf  is  no  longer supported. 
+        <li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
-   Shorewall 1.4 behavior is the same as 1.3 with  MERGE_HOSTS=Yes.<br>
+it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
-                     <br>
+file is empty. That problem has been corrected so that ECN disabling rules
-                   </li>
+are only added if there are entries in /etc/shorewall/ecn.</li>
         <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
   in  /etc/shorewall/interfaces   now generate an error.<br>
                     <br>
                   </li>
         <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. 
        OLD_PING_HANDLING=Yes will generate an error at startup as will specification 
        of the 'noping' or 'filterping' interface options.<br>
                     <br>
                   </li>
         <li>The 'routestopped' option in the /etc/shorewall/interfaces 
   and  /etc/shorewall/hosts   files is no longer supported and will generate
     an error at startup if specified.<br>
                     <br>
                   </li>
         <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules  is  no 
 longer   accepted.<br>
                     <br>
                   </li>
         <li>The ALLOWRELATED variable in shorewall.conf is no longer   
 supported.     Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
                   <br>
                 </li>
         <li>The icmp.def file has been removed.<br>
                 </li>
      </ol>
-                  Changes for 1.4 include:<br>
+      <b>New Features:</b><br>
-                                                                        
+      <blockquote>Note: In the list that follows, the term <i>group </i>refers
-                                 
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
 a host address) accessed through a particular interface. Examples:<br>
        <blockquote>eth0:0.0.0.0/0<br>
 eth2:192.168.1.0/24<br>
 eth3:192.0.2.123<br>
        </blockquote>
 You can use the "shorewall check" command to see the groups associated with
 each of your zones.<br>
      </blockquote>
      <ol>
-         <li>The /etc/shorewall/shorewall.conf file has been completely 
+        <li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
-   reorganized    into logical sections.<br>
+one group<i> </i>then if there is no explicit Z to Z policy and there are
-                     <br>
+no rules governing traffic from Z to Z then Shorewall will permit all traffic
-                   </li>
+between the groups in the zone.</li>
-         <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
+        <li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
-                     <br>
+to handle traffic from a group to itself.</li>
-                   </li>
+        <li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
-         <li>The firewall script, common functions file and version   file 
+specified from Z1 to Z2:</li>
 are now installed in /usr/share/shorewall.<br>
                     <br>
                   </li>
         <li>Late arriving DNS replies are now silently dropped in  the 
 common   chain  by default.<br>
                     <br>
                   </li>
         <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
     1.4  no  longer unconditionally accepts outbound ICMP packets. So if 
 you    want to 'ping'  from the firewall, you will need the appropriate rule 
 or   policy.<br>
                    <br>
                  </li>
         <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
                    <br>
                  </li>
         <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
     now support the 'maclist' option.<br>
                    <br>
                  </li>
         <li value="8">Explicit Congestion Notification (ECN - RFC 3168)
   may  now be turned off on a host or network basis using the new /etc/shorewall/ecn 
    file. To use this facility:<br>
               <br>
              a) You must be running kernel 2.4.20<br>
              b) You must have applied the patch in<br>
              http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
              c) You must have iptables 1.2.7a installed.<br>
               <br>
             </li>
         <li>The /etc/shorewall/params file is now processed first so  that 
  variables may be used in the /etc/shorewall/shorewall.conf file.<br>
               <br>
             </li>
         <li value="10">Shorewall now gives a more helpful diagnostic when 
  the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' 
  command is issued.<br>
          <br>
        </li>
         <li>The SHARED_DIR variable has been removed from shorewall.conf. 
  This variable was for use by package maintainers and was not documented 
 for  general use.<br>
          <br>
        </li>
         <li>Shorewall now ignores 'default' routes when detecting masq'd 
  networks.<br>
        </li>
      </ol>
       <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top"></a>       
      <p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
      <p>A roleup of the following bug fixes and other updates:</p>
      <ul>
-              <li>There is an updated rfc1918 file that reflects the resent 
+        <li>There may be no rules created that govern connections from Z1
- allocation  of 222.0.0.0/8 and  223.0.0.0/8.</li>
+to Z2.</li>
-           <li>The documentation for the routestopped file claimed that a 
+        <li>Shorewall will not create any infrastructure to handle traffic
-comma-separated      list could appear in the second column while the code 
+from Z1 to Z2.</li>
 only supported a  single   host or network address.</li>
            <li>Log messages produced by 'logunclean' and 'dropunclean' were
   not  rate-limited.          802.11b devices with names of the form <i>wlan</i>&lt;n&gt; 
  don't  support the 'maclist' interface option.</li>
            <li>Log messages generated by RFC 1918 filtering are not rate 
 limited.</li>
                             <li>The firewall fails to start in the case
 where   you have "eth0  eth1" in /etc/shorewall/masq and the default route
 is through   eth1.</li>
      </ul>
-                                                                        
+See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
-                                                               
+of how these changes may affect your configuration.<br>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                   </b></p>
      <p>New features include</p>
      <ol>
                          <li>An OLD_PING_HANDLING option has been added
 to  shorewall.conf.        When   set to Yes, Shorewall ping handling is
 as it  has always been  (see     http://www.shorewall.net/ping.html).<br>
                           <br>
                       When OLD_PING_HANDLING=No, icmp echo (ping) is handled 
  via   rules    and   policies   just like any other connection request. 
 The  FORWARDPING=Yes      option   in shorewall.conf   and the 'noping' and 
 'filterping'  options   in   /etc/shorewall/interfaces   will   all generate 
 an error.<br>
                           <br>
                         </li>
                          <li>It is now possible to direct Shorewall to create
   a  "label"     such   as   "eth0:0" for IP addresses that it creates under
   ADD_IP_ALIASES=Yes      and  ADD_SNAT_ALIASES=Yes.  This is done by specifying
   the label instead     of just  the interface name:<br>
                        <br>
                          a) In the INTERFACE column of /etc/shorewall/masq<br>
                          b) In the INTERFACE column of /etc/shorewall/nat<br>
                        </li>
                          <li>Support for OpenVPN Tunnels.<br>
                       <br>
                   </li>
                          <li>Support for VLAN devices with names of the
 form   $DEV.$VID      (e.g.,  eth0.0)<br>
                         <br>
                       </li>
                       <li>In /etc/shorewall/tcrules, the MARK value may
 be  optionally      followed by ":" and either 'F' or 'P' to designate that 
 the  marking will     occur in the FORWARD or PREROUTING chains respectively. 
 If this additional     specification is omitted, the chain used to mark packets 
 will be determined     by the setting of the MARK_IN_FORWARD_CHAIN option 
 in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                       <br>
                     </li>
                          <li>When an interface name is entered in the SUBNET 
  column    of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded
   traffic     from  only the first subnet   defined on that interface. It
 did  not masquerade      traffic from:<br>
                        <br>
                          a) The subnets associated with other addresses
 on  the   interface.<br>
                          b) Subnets accessed through local routers.<br>
                        <br>
                       Beginning with Shorewall 1.3.14, if you enter an interface 
    name   in  the   SUBNET  column, shorewall will use the firewall's routing 
    table   to construct   the masquerading/SNAT rules.<br>
                        <br>
                       Example 1 -- This is how it works in 1.3.14.<br>
                          <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                        <br>
                       When upgrading to Shorewall 1.3.14, if you have multiple 
   local    subnets     connected  to an interface that is specified in the 
  SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq 
  file will need  changing.   In most cases, you  will simply be able to remove
  redundant entries.  In some  cases though, you  might want to change from
  using the interface  name to listing specific subnetworks  if the change
 described above will cause masquerading  to occur on subnetworks  that you
 don't wish to masquerade.<br>
                        <br>
                       Example 2 -- Suppose that your current config is as
 follows:<br>
                          <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                        <br>
                          In this case, the second entry in /etc/shorewall/masq 
   is  no  longer    required.<br>
                        <br>
                       Example 3 -- What if your current configuration is 
 like   this?<br>
                        <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                        <br>
                          In this case, you would want to change the entry
 in   /etc/shorewall/masq         to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                          </li>
      </ol>
                   <br>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b> 
                        </b></p>
                     Webmin version 1.060 now has Shorewall support included
  as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>.<b> 
         </b>                                                            
      <p><a href="News.htm">More News</a></p>
      <h2><a name="Donations"></a>Donations</h2>
@ -511,6 +290,7 @@ like   this?<br>
  </tbody>                                                              
 </table>
@ -581,9 +361,11 @@ Children's Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                              <br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -47,8 +47,8 @@
                  <li>Burroughs Corporation (now <a
 href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
                  <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
-       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
+        (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
- present</li>
+-  present</li>
                  <li>Married 1969 - no children.</li>
 </ul>
@ -58,15 +58,15 @@
 <p>I became interested in Internet Security when I established a home office 
      in 1999 and had DSL service installed in our       home. I investigated 
-    ipchains  and developed the scripts which are now collectively known
+    ipchains  and developed the scripts which are now collectively known as
-as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>.
+  <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding
-Expanding       on what I learned from Seattle Firewall, I then       designed
+      on what I learned from Seattle Firewall, I then       designed and
-and wrote      Shorewall. </p>
+wrote      Shorewall. </p>
 <p>I telework from our <a
 href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
- href="http://www.cityofshoreline.com">Shoreline,        Washington</a> 
+ href="http://www.cityofshoreline.com">Shoreline,        Washington</a>  where
-where I live with my wife Tarry.  </p>
+I live with my wife Tarry.  </p>
 <p>Our current home network consists of: </p>
@ -76,22 +76,22 @@ where I live with my wife Tarry.
 Serves as a PPTP server for Road Warrior access. Dual boots <a
 href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                  <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
-   NIC   -  My      personal Linux System which runs Samba configured as
+   NIC   -  My      personal Linux System which runs Samba configured as a
-a  WINS  server.    This      system also has <a
+ WINS  server.    This      system also has <a
- href="http://www.vmware.com/">VMware</a>  installed    and      can run
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run both
-both     <a href="http://www.debian.org">Debian  Woody</a> and         <a
+    <a href="http://www.debian.org">Debian  Woody</a> and         <a
 href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
                  <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  
 - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), 
 DNS  server        (Bind 9).</li>
                  <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3    
-LNE100TX      (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.14 
+ LNE100TX      (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.4.0  
 and a DHCP        server.</li>
-                 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - 
+                  <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
-My  wife's        personal system.</li>
+-  My  wife's        personal system.</li>
                  <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
- EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main 
+  EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My
- work system.</li>
+main   work system.</li>
 </ul>
@ -118,12 +118,13 @@ My  wife's        personal system.</li>
 width="125" height="40" hspace="4">
               </font></p>
-<p><font size="2">Last updated 3/7/2003 - </font><font size="2">       <a
+<p><font size="2">Last updated 3/17/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
                <font face="Trebuchet MS"><a href="copyright.htm"><font
 size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas 
 M. Eastep.</font></a></font><br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -30,11 +30,12 @@
  Shorewall Requires:<br>
 <ul>
-      <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6. 
+       <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
-     <a href="kernel.htm">     Check here for kernel configuration       information.</a>
+With current releases of Shorewall, Traffic Shaping/Control requires at least
-      If you are looking for a firewall for use with 2.2 kernels, <a
+2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
- href="http://seawall.sf.net">     see       the Seattle Firewall  site</a>
+      information.</a>       If you are looking for a firewall for use with
-    .</li>
+2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle Firewall
 site</a>     .</li>
       <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
 href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
  buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
@ -56,7 +57,7 @@ awk        (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 2/21/2003 - <a
+<p align="left"><font size="2">Last updated 3/19/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -65,5 +66,6 @@ awk        (gawk) installed.</li>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -61,8 +61,8 @@
   general  guidelines and will point you to other resources as necessary.</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-            If you run LEAF Bering, your Shorewall configuration is NOT what
+              If you run LEAF Bering, your Shorewall configuration is NOT 
-  I  release -- I  suggest that you consider installing a stock Shorewall
+what   I  release -- I  suggest that you consider installing a stock Shorewall
 lrp  from the  shorewall.net site before you proceed.</p>
 <p>Shorewall requires that the iproute/iproute2 package be installed    (on
@ -76,7 +76,8 @@ this  program:</p>
 <p>I recommend that you first read through the  guide to familiarize yourself 
    with what's involved then go back through it again  making your configuration 
    changes. Points at which configuration changes are  recommended are flagged 
-   with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+    with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
         .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
@ -84,14 +85,15 @@ this  program:</p>
 must   save them as  Unix files if your editor supports that option or you 
 must  run them through  dos2unix before trying to use them with Shorewall. 
 Similarly,   if you copy a configuration file  from your Windows hard drive 
-to a floppy   disk, you must run dos2unix against the  copy before using it
+ to a floppy   disk, you must run dos2unix against the  copy before using 
-with Shorewall.</p>
+it with Shorewall.</p>
 <ul>
-          <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
+            <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
   of    dos2unix</a></li>
          <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
 Version     of    dos2unix</a></li>
            <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
 of    dos2unix</a></li>
 </ul>
@ -107,8 +109,8 @@ of  these as described in this guide. Skeleton files are created during the
    and some contain default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a 
-   set of  <i>zones.</i> In the default installation, the following zone names
+    set of  <i>zones.</i> In the default installation, the following zone 
-   are used:</p>
+names    are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -137,8 +139,8 @@ of  these as described in this guide. Skeleton files are created during the
    file.</p>
 <p>Shorewall also recognizes the firewall system as its own zone - by default, 
-    the firewall itself is known as <b>fw</b> but that may be changed in the
+     the firewall itself is known as <b>fw</b> but that may be changed in 
-   <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
+the    <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
  file.   In  this guide, the default name (<b>fw</b>) will be used.</p>
 <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning 
@ -153,11 +155,11 @@ is   the internet zone"  or "because that is the DMZ".</p>
    in  terms of zones.</p>
 <ul>
-          <li>You express your default policy for connections from one zone 
+            <li>You express your default policy for connections from one
- to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
        </a>file.</li>
-          <li>You define exceptions to those default policies in the   <a
+            <li>You define exceptions to those default policies in the  
- href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+    <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
 </ul>
@ -173,19 +175,19 @@ is   the internet zone"  or "because that is the DMZ".</p>
                  <li>  Identify the source zone.</li>
                  <li>  Identify the destination zone.</li>
                  <li>  If the POLICY from the client's zone to the server's
- zone   is what you       want for this client/server pair, you need do nothing 
+  zone   is what you       want for this client/server pair, you need do
- further.</li>
+nothing   further.</li>
-                <li>  If the POLICY is not what you want, then you must add 
+                  <li>  If the POLICY is not what you want, then you must 
- a  rule.  That rule       is expressed in terms of the client's zone and 
+add   a  rule.  That rule       is expressed in terms of the client's zone 
-the  server's  zone.</li>
+and  the  server's  zone.</li>
 </ol>
 <p>  Just because connections of a particular type are allowed from zone A
 to the   firewall and are also allowed from the firewall to zone B <font
 color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed 
-   from zone A to zone  B</u></b></font>.   It rather means that you can have
+    from zone A to zone  B</u></b></font>.   It rather means that you can 
-   a proxy running on the firewall that accepts   a connection from zone
+have    a proxy running on the firewall that accepts   a connection from zone
 A  and  then establishes its own separate connection from   the firewall to
 zone B.</p>
@ -237,28 +239,28 @@ the  request  is first checked against the rules in /etc/shorewall/common.def.</
 <p>The above policy will:</p>
 <ol>
-          <li>allow all connection requests from your local network to the
+            <li>allow all connection requests from your local network to
- internet</li>
+the   internet</li>
            <li>drop (ignore) all connection requests from the internet to
 your   firewall     or local network and log a message at the <i>info</i>
 level  (<a href="shorewall_logging.html">here</a> is a description of log
 levels).</li>
-          <li>reject all other connection requests and log a message at the 
+            <li>reject all other connection requests and log a message at 
-     <i>info</i>      level. When a request is rejected, the firewall will 
+the       <i>info</i>      level. When a request is rejected, the firewall 
- return an RST (if   the    protocol is TCP) or an ICMP port-unreachable packet
+will   return an RST (if   the    protocol is TCP) or an ICMP port-unreachable 
- for other protocols.</li>
+packet  for other protocols.</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-           At this point, edit your /etc/shorewall/policy and make any changes
+             At this point, edit your /etc/shorewall/policy and make any
-   that you  wish.</p>
+changes     that you  wish.</p>
 <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
 <p align="left">For the remainder of this guide, we'll refer to the following 
-    diagram. While it may not look like your own network, it can be used to
+     diagram. While it may not look like your own network, it can be used 
-   illustrate the important aspects of Shorewall configuration.</p>
+to    illustrate the important aspects of Shorewall configuration.</p>
 <p align="left">In this diagram:</p>
@ -280,18 +282,18 @@ so  that  if one of those  servers is compromised, you still have the firewall
 <p align="left">The simplest way to define zones is to simply associate the 
    zone  name (previously defined in /etc/shorewall/zones) with a network 
-interface.   This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
+ interface.   This  is done in the <a
-    file.</p>
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>      file.</p>
 <p align="left">The firewall illustrated above has three network interfaces. 
     Where Internet connectivity is through a cable or DSL "Modem", the <i>External 
-    Interface</i> will be the Ethernet adapter that is connected to that "Modem"
+     Interface</i> will be the Ethernet adapter that is connected to that 
-    (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
+"Modem"     (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint 
    <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
    <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External 
-Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via
+ Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect 
-a regular   modem, your External  Interface will also be <b>ppp0</b>. If
+via a regular   modem, your External  Interface will also be <b>ppp0</b>. 
-you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
+If you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -313,10 +315,10 @@ a  single DMZ system,  you can connect the firewall directly to the computer
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-       </b></u>Do not connect more than one interface  to the same hub or 
+         </b></u>Do not connect more than one interface  to the same hub
-switch    (even for testing). It won't work the way that you  expect it to 
+or  switch    (even for testing). It won't work the way that you  expect
-and you   will end up confused and believing that Linux networking doesn't 
+it to  and you   will end up confused and believing that Linux networking
-work at  all.</p>
+doesn't  work at  all.</p>
 <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -500,11 +502,11 @@ Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,  1999, ISBN
 <p align="left">The class of a network was uniquely determined by the value 
    of the high  order byte of its address so you could look at an IP address 
-   and immediately  determine the associated <i>netmask</i>. The netmask is
+    and immediately  determine the associated <i>netmask</i>. The netmask 
-  a number that when  logically ANDed with an address isolates the <i>network 
+is   a number that when  logically ANDed with an address isolates the <i>network 
    number</i>; the  remainder of the address is the <i>host number</i>. For
-  example, in the Class C  address 192.0.2.14, the network number is hex C00002
+   example, in the Class C  address 192.0.2.14, the network number is hex
-  and the host number is hex  0E.</p>
+C00002   and the host number is hex  0E.</p>
 <p align="left">As the internet grew, it became clear that such a gross 
 partitioning of the 32-bit address space was going to be very limiting (early
@ -538,9 +540,9 @@ that  you are likely to work with will understand CIDR and Class-based networkin
 </ol>
 <p align="left">As you can see by this definition, in each subnet of size 
-   <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that can
+    <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that 
-   be assigned to    hosts). The first and last address in the subnet are
+can    be assigned to    hosts). The first and last address in the subnet 
-used   for the subnet    address and subnet broadcast address respectively. 
+are used   for the subnet    address and subnet broadcast address respectively. 
 Consequently,   small    subnetworks are more wasteful of IP addresses than 
 are large ones.   </p>
@ -749,8 +751,8 @@ As  we will see    below, this property of subnet masks is very useful in
 routing.</p>
 <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose 
-      Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as
+       Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork 
-  "<b>a.b.c.d/v</b>"    using <i>CIDR</i> <i>Notation</i>.  </p>
+as   "<b>a.b.c.d/v</b>"    using <i>CIDR</i> <i>Notation</i>.  </p>
 <p align="left">Example:</p>
@ -843,10 +845,11 @@ routing.</p>
          <br>
          The first three routes are <i>host routes</i> since they indicate 
 how   to  get to  a single host. In the 'netstat' output this can be seen 
-by the   "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags
+ by the   "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the 
-column.   The remainder  are 'net' routes since they tell the  kernel how
+Flags column.   The remainder  are 'net' routes since they tell the  kernel 
-to route  packets to a subnetwork.  The last route is the <i>default  route</i>
+how to route  packets to a subnetwork.  The last route is the <i>default 
-and  the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
+route</i> and  the gateway mentioned in that route is called the <i>default 
 gateway</i>.</p>
 <p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
 it starts at the top of the routing table and:</p>
@ -904,9 +907,9 @@ the   result is  192.168.1.0 which matches this routing table entry:</p>
         </div>
 <p align="left">One more thing needs to be emphasized -- all outgoing packet 
-   are  sent using the routing table and reply packets are not a special case.
+    are  sent using the routing table and reply packets are not a special 
-   There  seems to be a common mis-conception whereby people think that request
+case.    There  seems to be a common mis-conception whereby people think that
-   packets  are like salmon and contain a genetic code that is magically
+request    packets  are like salmon and contain a genetic code that is magically
 transferred    to  reply packets so that the replies follow the reverse route
 taken by  the  request.  That isn't the case; the replies may take a totally
 different  route  back to the  client than was taken by the requests -- they
@ -954,8 +957,8 @@ the card    itself. </p>
 <p align="left">In order to avoid having to exchange ARP information each 
    time  that an IP packet is to be sent, systems maintain an <i>ARP cache</i> 
-   of  IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your system
+    of  IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your 
-   (including  your Windows system) using the 'arp' command:</p>
+system    (including  your Windows system) using the 'arp' command:</p>
 <blockquote>                              
  <div align="left">                                
@ -976,10 +979,11 @@ records the  information we saw  using tcpdump above.</p>
 href="http://www.iana.org">Internet Assigned Number Authority</a> </i>(IANA) 
     who delegates allocations on a geographic basis to <i>Regional Internet 
    Registries</i> (RIRs). For example, allocation for the Americas and for 
-  sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American 
+   sub-Sahara Africa is delegated to the <i><a
-    Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn delegate
+ href="http://www.arin.net">American      Registry for Internet Numbers</a> 
-   to  national registries. Most of us don't deal with these registrars but
+</i>(ARIN). These RIRs may in turn delegate    to  national registries. Most 
-  rather get  our IP addresses from our ISP.</p>
+of us don't deal with these registrars but   rather get  our IP addresses 
 from our ISP.</p>
 <p align="left">It's a fact of life that most of us can't afford as many Public
 IP addresses as we have devices to assign them to so we end up making use
@ -993,9 +997,9 @@ for this  purpose:</p>
 <div align="left">            
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
    to    as <i>non-routable</i> because the Internet backbone routers don't 
-  forward    packets which have an RFC-1918 destination address. This is understandable
+   forward    packets which have an RFC-1918 destination address. This is 
-      given that anyone can select any of these addresses for their private
+understandable       given that anyone can select any of these addresses for
-  use.</p>
+their private   use.</p>
         </div>
 <div align="left">            
@ -1105,11 +1109,11 @@ be    configured to 192.0.2.66 and the default gateway for hosts in the local
 <div align="left">            
 <p align="left">Notice that this arrangement is rather wasteful of public 
    IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet 
-addresses,      192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and
+ addresses,      192.0.2.71 and 192.0.2.79 for subnet broadcast addresses 
-192.0.2.66   and    168.0.2.73 for internal addresses on the firewall/router. 
+and 192.0.2.66   and    168.0.2.73 for internal addresses on the firewall/router. 
 Nevertheless,   it    shows how subnetting can work and if we were dealing 
-with a /24 rather   than a    /28 network, the use of 6 IP addresses out of
+ with a /24 rather   than a    /28 network, the use of 6 IP addresses out 
-256 would be justified   because    of the simplicity of the setup.</p>
+of 256 would be justified   because    of the simplicity of the setup.</p>
         </div>
 <div align="left">            
@ -1170,8 +1174,8 @@ if    the setup is routed). </p>
 <div align="left">            
 <p align="left">Clearly, that set of addresses doesn't comprise a subnetwork 
       and there aren't enough addresses for all of the network interfaces. 
- There  are    four different techniques that can be used to work around this
+  There  are    four different techniques that can be used to work around 
- problem.</p>
+this  problem.</p>
         </div>
 <div align="left">            
@ -1207,8 +1211,8 @@ if    the setup is routed). </p>
 <div align="left">            
 <p align="left">With SNAT, an internal LAN segment is configured using RFC 
    1918    addresses. When a host <b>A </b>on this internal segment initiates 
-   a    connection to host <b>B</b> on the internet, the firewall/router rewrites
+    a    connection to host <b>B</b> on the internet, the firewall/router 
-   the    IP header in the request to use one of your public IP addresses
+rewrites    the    IP header in the request to use one of your public IP addresses
 as   the source    address. When <b>B</b> responds and the response is received
   by the firewall,    the firewall changes the destination address back
 to   the RFC 1918 address of   <b>A</b> and forwards the response back to
@ -1218,8 +1222,8 @@ to   the RFC 1918 address of   <b>A</b> and forwards the response back to
 <div align="left">            
 <p align="left">Let's suppose that you decide to use SNAT on your local zone 
       and use public address 192.0.2.176 as both your firewall's external 
-IP   address    and the source IP address of internet requests sent from that
+ IP   address    and the source IP address of internet requests sent from 
- zone.</p>
+that  zone.</p>
         </div>
 <div align="left">            
@ -1235,8 +1239,9 @@ IP   address    and the source IP address of internet requests sent from that
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
-           The systems in    the local zone would be configured with a default
+             The systems in    the local zone would be configured with a
-   gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
+default     gateway of 192.168.201.1    (the IP address of the firewall's
 local interface).</div>
 <div align="left">    </div>
@ -1289,9 +1294,9 @@ selected      connections from the internet.</p>
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-               Suppose that your daughter wants to run a web server on her
+                 Suppose that your daughter wants to run a web server on
- system   "Local 3". You    could allow connections to the internet to her
+her   system   "Local 3". You    could allow connections to the internet
- server by  adding the following    entry in <a
+to her   server by  adding the following    entry in <a
 href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
         </div>
@ -1427,9 +1432,17 @@ respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
     </p>
 <p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured 
- to have the IP addresses shown but should have the same default gateway as
+  to have the IP addresses shown but should have the same default gateway 
- the firewall itself -- namely 192.0.2.254.<br>
+as  the firewall itself -- namely 192.0.2.254.  In other words, they should
 be configured just like they would be if they were parallel to the firewall
 rather than behind it.<br>
 </p>
 <p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
 (192.0.2.177 and 192.0.2.178 in the above example)  to the external interface
 (eth0 in this example) of the firewall.</b></font><br>
                     </p>
 <div align="left">            </div>
                       </div>
 <div align="left">            
@ -1450,30 +1463,30 @@ will     probably be HOURS before that system can communicate with the internet.
 Illustrated,   Vol 1</i> reveals that a <br>
          <br>
      "gratuitous" ARP packet should cause the ISP's router to refresh their
- ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the
+  ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting
- MAC  address for its own IP; in addition to ensuring that the IP address
+the   MAC  address for its own IP; in addition to ensuring that the IP address
 isn't  a duplicate,...<br>
           <br>
       "if the host sending the gratuitous ARP has just changed its hardware
  address...,  this packet causes any other host...that has an entry in its
  cache for the  old hardware address to update its ARP cache entry accordingly."<br>
           <br>
-     Which is, of course, exactly what you want to do when you switch a host
+       Which is, of course, exactly what you want to do when you switch a 
-  from being exposed to the Internet to behind Shorewall using proxy ARP
+host   from being exposed to the Internet to behind Shorewall using proxy 
- (or  static NAT for that matter). Happily enough, recent versions of Redhat's
+ARP  (or  static NAT for that matter). Happily enough, recent versions of 
- iputils package include "arping", whose "-U" flag does just that:<br>
+Redhat's  iputils package include "arping", whose "-U" flag does just that:<br>
           <br>
-         <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly proxied
+           <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly 
-  IP&gt;</b></font><br>
+proxied   IP&gt;</b></font><br>
           <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
           <br>
-     Stevens goes on to mention that not all systems respond correctly to 
+       Stevens goes on to mention that not all systems respond correctly
-gratuitous   ARPs, but googling for "arping -U" seems to support the idea 
+to  gratuitous   ARPs, but googling for "arping -U" seems to support the
-that it works   most of the time.<br>
+idea  that it works   most of the time.<br>
           <br>
         </li>
-      <li>You    can call your ISP and ask them to purge the stale ARP cache
+        <li>You    can call your ISP and ask them to purge the stale ARP
-  entry but many    either can't or won't purge individual entries.</li>
+cache    entry but many    either can't or won't purge individual entries.</li>
 </ol>
       You can determine if your    ISP's gateway ARP cache is stale using
@ -1508,8 +1521,8 @@ as follows:</div>
       different from the destination MAC address in the echo reply!! In this
    case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
       was the MAC address of DMZ 1. In other words, the gateway's ARP cache
-  still    associates 192.0.2.177 with the NIC in DMZ 1 rather than with the
+    still    associates 192.0.2.177 with the NIC in DMZ 1 rather than with
-  firewall's    eth0.</p>
+the   firewall's    eth0.</p>
         </div>
 <div align="left">            
@ -1520,9 +1533,9 @@ as follows:</div>
 <p align="left">With static NAT, you assign local systems RFC 1918 addresses 
       then establish a one-to-one mapping between those addresses and public 
    IP    addresses. For outgoing connections SNAT (Source Network Address
- Translation) occurs and on incoming connections      DNAT (Destination Network
+  Translation) occurs and on incoming connections      DNAT (Destination
- Address Translation) occurs. Let's go back to our earlier example involving
+Network   Address Translation) occurs. Let's go back to our earlier example
- your daughter's   web    server running on system Local 3.</p>
+involving   your daughter's   web    server running on system Local 3.</p>
         </div>
 <div align="left">            
@ -1533,8 +1546,8 @@ as follows:</div>
 <div align="left">            
 <p align="left">Recall that in this setup, the local network is using SNAT 
-   and    is sharing the firewall external IP (192.0.2.176) for outbound connections.
+    and    is sharing the firewall external IP (192.0.2.176) for outbound 
-      This is done with the following entry in /etc/shorewall/masq:</p>
+connections.       This is done with the following entry in /etc/shorewall/masq:</p>
         </div>
 <div align="left">            
@ -1642,12 +1655,12 @@ is  established  by    the nat file entry above, it is no longer    appropriate
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-              With the default policies, your local systems (Local 1-3) can 
+                With the default policies, your local systems (Local 1-3) 
- access   any    servers on the internet and the DMZ can't access any other 
+can   access   any    servers on the internet and the DMZ can't access any 
- host (including   the    firewall). With the exception of <a
+other   host (including   the    firewall). With the exception of <a
 href="#DNAT">DNAT rules</a> which   cause    address translation and allow 
- the translated connection request  to pass    through the firewall, the way
+  the translated connection request  to pass    through the firewall, the 
- to allow connection requests through   your    firewall is to use ACCEPT 
+way  to allow connection requests through   your    firewall is to use ACCEPT 
 rules.</p>
         </div>
@ -1945,12 +1958,12 @@ subnet    needs to have it's own public IP.
 <div align="left">            
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-              If you haven't already, it would be a good idea to browse through
+                If you haven't already, it would be a good idea to browse 
-     <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just 
+through      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> 
-   to see    if there is anything there that might be of interest. You might 
+just     to see    if there is anything there that might be of interest. You
-   also want to    look at the other configuration files that you haven't 
+might     also want to    look at the other configuration files that you
-touched   yet just to get    a feel for the other things that Shorewall can 
+haven't  touched   yet just to get    a feel for the other things that Shorewall
-do.</p>
+can  do.</p>
         </div>
 <div align="left">            
@ -2492,7 +2505,8 @@ externally and  it's    interface to the local network to be know as gateway.foo
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
                Edit the /etc/shorewall/routestopped file and configure those 
- systems   that you    want to be able to access the firewall when it is stopped.</p>
+  systems   that you    want to be able to access the firewall when it is 
 stopped.</p>
         </div>
 <div align="left">            
@ -2506,7 +2520,7 @@ externally and  it's    interface to the local network to be know as gateway.foo
   try" command</a>.</p>
         </div>
-<p align="left"><font size="2">Last updated 2/21/2003 - <a
+<p align="left"><font size="2">Last updated 3/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
@ -2519,5 +2533,7 @@ externally and  it's    interface to the local network to be know as gateway.foo
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -122,8 +122,8 @@
      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
            a       <a href="http://www.netfilter.org">Netfilter</a> (iptables)
-     based      firewall        that can be used on a dedicated firewall system,
+      based      firewall        that can be used on a dedicated firewall
-     a multi-function             gateway/router/server or on a standalone 
+system,      a multi-function             gateway/router/server or on a standalone
  GNU/Linux    system.</p>
@ -141,8 +141,8 @@
      <p>This program is free software; you can redistribute it and/or modify
                                                       it        under the
 terms      of         <a href="http://www.gnu.org/licenses/gpl.html">Version
-       2 of  the GNU General Public License</a> as published by the Free Software
+        2 of  the GNU General Public License</a> as published by the Free
-           Foundation.<br>
+Software            Foundation.<br>
                                                     <br>
@ -150,8 +150,8 @@ terms      of         <a href="http://www.gnu.org/licenses/gpl.html">Version
           in   the     hope     that     it   will     be  useful,    but
         WITHOUT    ANY      WARRANTY;      without      even the   implied
     warranty       of MERCHANTABILITY                or  FITNESS    FOR
-A  PARTICULAR       PURPOSE.        See the    GNU General     Public  License
+  A  PARTICULAR       PURPOSE.        See the    GNU General     Public 
-               for   more details.<br>
+License                for   more details.<br>
                                                     <br>
@ -222,255 +222,9 @@ Nilo     and     Eric     Wolzak       have     a   LEAF  (router/firewall/gatew
-      <p><b>3/17/2003 - Shorewall 1.4.0  </b><b>       </b><b><img
+      <p><b>3/24/2003 - Shorewall 1.4.1 </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
           </b><b>                  </b></p>
                                                        Shorewall 1.4 represents
    the  next  step in the evolution of Shorewall. The main thrust of the
 initial    release  is simply to remove the cruft that has accumulated in
 Shorewall   over time.       <br>
            <br>
            <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package 
    ('ip' utility).</b><br>
            <br>
                Function from 1.3 that has been omitted from this version 
 include:<br>
      <ol>
        <li>The MERGE_HOSTS variable in shorewall.conf is  no  longer supported.
   Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
                  <br>
                </li>
        <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;  
 in  /etc/shorewall/interfaces   now generate an error.<br>
                  <br>
                </li>
        <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
       OLD_PING_HANDLING=Yes will generate an error at startup as will specification
       of the 'noping' or 'filterping' interface options.<br>
                  <br>
                </li>
        <li>The 'routestopped' option in the /etc/shorewall/interfaces  
 and  /etc/shorewall/hosts   files is no longer supported and will generate 
   an error at startup if specified.<br>
                  <br>
                </li>
        <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is  no 
 longer   accepted.<br>
                  <br>
                </li>
        <li>The ALLOWRELATED variable in shorewall.conf is no longer   supported.
    Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
                <br>
              </li>
        <li>The icmp.def file has been removed.<br>
              </li>
      </ol>
                Changes for 1.4 include:<br>
      <ol>
        <li>The /etc/shorewall/shorewall.conf file has been completely  
 reorganized    into logical sections.<br>
                  <br>
                </li>
        <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
                  <br>
                </li>
        <li>The firewall script, common functions file and version  file
 are now installed in /usr/share/shorewall.<br>
                  <br>
                </li>
        <li>Late arriving DNS replies are now silently dropped in  the  
 common   chain  by default.<br>
                  <br>
                </li>
        <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
   1.4  no  longer unconditionally accepts outbound ICMP packets. So if you
   want to 'ping'  from the firewall, you will need the appropriate rule or
  policy.<br>
                 <br>
               </li>
        <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
                 <br>
               </li>
        <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> 
   now support the 'maclist' option.<br>
                 <br>
               </li>
        <li value="8">Explicit Congestion Notification (ECN - RFC 3168) 
 may  now be turned off on a host or network basis using the new /etc/shorewall/ecn
    file. To use this facility:<br>
            <br>
           a) You must be running kernel 2.4.20<br>
           b) You must have applied the patch in<br>
           http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
           c) You must have iptables 1.2.7a installed.<br>
            <br>
          </li>
        <li>The /etc/shorewall/params file is now processed first so  that
  variables may be used in the /etc/shorewall/shorewall.conf file.<br>
            <br>
          </li>
        <li value="10">Shorewall now gives a more helpful diagnostic when
 the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
 command is issued.<br>
       <br>
     </li>
        <li>The SHARED_DIR variable has been removed from shorewall.conf.
 This variable was for use by package maintainers and was not documented
 for  general use.<br>
       <br>
     </li>
        <li>Shorewall now ignores 'default' routes when detecting masq'd
 networks.<br>
     </li>
      </ol>
      <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
      <p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
          </b></p>
      <p>A roleup of the following bug fixes and other updates:</p>
      <ul>
           <li>There is an updated rfc1918 file that reflects the resent
 allocation  of 222.0.0.0/8 and  223.0.0.0/8. </li>
         <li>The documentation for the routestopped file claimed that a comma-separated 
    list could appear in the second column while the code only supported a
 single   host or network address. </li>
         <li>Log messages produced by 'logunclean' and 'dropunclean' were 
 not  rate-limited. </li>
         <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
 don't  support the 'maclist' interface option. </li>
         <li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
         <li>The firewall fails to start in the case where you have "eth0 
 eth1" in /etc/shorewall/masq and the default route is through eth1      
        </li>
      </ul>
      <p><b>2/8/2003 - Shorewall 1.3.14</b><b>                  </b></p>
      <p>New features include</p>
      <ol>
                      <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
       When   set to Yes, Shorewall ping handling is as it has always been
 (see     http://www.shorewall.net/ping.html).<br>
                       <br>
                   When OLD_PING_HANDLING=No, icmp echo (ping) is handled 
 via   rules    and   policies   just like any other connection request. The 
 FORWARDPING=Yes      option   in shorewall.conf   and the 'noping' and 'filterping' 
 options   in   /etc/shorewall/interfaces   will   all generate an error.<br>
                       <br>
                     </li>
                      <li>It is now possible to direct Shorewall to create
 a  "label"     such   as   "eth0:0" for IP addresses that it creates under
 ADD_IP_ALIASES=Yes      and  ADD_SNAT_ALIASES=Yes.  This is done by specifying
 the label instead     of just  the interface name:<br>
                    <br>
                      a) In the INTERFACE column of /etc/shorewall/masq<br>
                      b) In the INTERFACE column of /etc/shorewall/nat<br>
                    </li>
                      <li>Support for OpenVPN Tunnels.<br>
                   <br>
               </li>
                      <li>Support for VLAN devices with names of the form 
 $DEV.$VID      (e.g.,  eth0.0)<br>
                      <br>
                    </li>
                    <li>In /etc/shorewall/tcrules, the MARK value may be
 optionally      followed by ":" and either 'F' or 'P' to designate that the
 marking will     occur in the FORWARD or PREROUTING chains respectively.
 If this additional     specification is omitted, the chain used to mark packets
 will be determined     by the setting of the MARK_IN_FORWARD_CHAIN option
 in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                   <br>
                 </li>
                      <li>When an interface name is entered in the SUBNET 
 column    of  the  /etc/shorewall/masq   file, Shorewall previously masqueraded
 traffic     from  only the first subnet   defined on that interface. It
 did  not masquerade      traffic from:<br>
                    <br>
                      a) The subnets associated with other addresses on the 
 interface.<br>
                      b) Subnets accessed through local routers.<br>
                    <br>
                   Beginning with Shorewall 1.3.14, if you enter an interface 
  name   in  the   SUBNET  column, shorewall will use the firewall's routing 
  table   to construct   the masquerading/SNAT rules.<br>
                    <br>
                   Example 1 -- This is how it works in 1.3.14.<br>
                      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
                    <br>
                   When upgrading to Shorewall 1.3.14, if you have multiple 
 local    subnets     connected  to an interface that is specified in the 
 SUBNET column   of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq 
 file will need  changing.   In most cases, you  will simply be able to remove 
 redundant entries.  In some  cases though, you  might want to change from 
 using the interface  name to listing specific subnetworks  if the change described
 above will cause masquerading  to occur on subnetworks  that you don't wish
 to masquerade.<br>
                    <br>
                   Example 2 -- Suppose that your current config is as follows:<br>
                      <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                    <br>
                      In this case, the second entry in /etc/shorewall/masq 
 is  no  longer    required.<br>
                    <br>
                   Example 3 -- What if your current configuration is like
 this?<br>
                    <br>
          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
                    <br>
                      In this case, you would want to change the entry in 
 /etc/shorewall/masq         to:<br>
          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                      </li>
      </ol>
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
                      </b></p>
                  Webmin version 1.060 now has Shorewall support included 
 as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.com</a>
         <b>      </b>                                                  
@ -482,6 +236,7 @@ as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.
      <ul>
@ -502,6 +257,50 @@ as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.
      <p>This release follows up on 1.4.0. It corrects a problem introduced
 in 1.4.0 and removes additional warts.<br>
 <br>
 <b>Problems Corrected:</b><br>
 </p>
      <ol>
        <li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), 
 it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
 is empty. That problem has been corrected so that ECN disabling rules are
 only added if there are entries in /etc/shorewall/ecn.</li>
      </ol>
 <b>New Features:</b><br>
      <blockquote>Note: In the list that follows, the term <i>group </i>refers 
 to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be 
 a host address) accessed through a particular interface. Examples:<br>
        <blockquote>eth0:0.0.0.0/0<br>
 eth2:192.168.1.0/24<br>
 eth3:192.0.2.123<br>
   </blockquote>
 You can use the "shorewall check" command to see the groups associated with
 each of your zones.<br>
 </blockquote>
      <ol>
        <li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
 one group<i> </i>then if there is no explicit Z to Z policy and there are
 no rules governing traffic from Z to Z then Shorewall will permit all traffic
 between the groups in the zone.</li>
        <li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
 to handle traffic from a group to itself.</li>
        <li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
 specified from Z1 to Z2:</li>
      </ol>
      <ul>
        <li>There may be no rules created that govern connections from Z1
 to Z2.</li>
        <li>Shorewall will not create any infrastructure to handle traffic
 from Z1 to Z2.</li>
      </ul>
 See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
 of how these changes may affect your configuration.
      <p><a href="News.htm">More News</a></p>
@ -559,6 +358,7 @@ as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.
                                                        <td width="88"
 bgcolor="#4b017c" valign="top" align="center">              <br>
      </td>
                                                    </tr>
@ -618,11 +418,11 @@ as  standard.      See        <a href="http://www.webmin.com">http://www.webmin.
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
-if       you try it and find it useful, please consider making a donation 
+but if       you try it and find it useful, please consider making a donation
                                                       to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                                                 </td>
@ -633,6 +433,7 @@ Foundation.</font></a> Thanks!</font></p>
  </tbody>                                                              
 </table>
@ -640,10 +441,11 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                               <br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -46,8 +46,8 @@ of  sources of Shorewall information. Please     try these before you   post.
 <ul>
                                   <li>More than half of the questions posted 
- on  the   support     list   have answers directly accessible from the <a
+  on  the   support     list   have answers directly accessible from the 
- href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
+   <a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
                           </li>
                           <li>                                   The <a
 href="FAQ.htm">FAQ</a>     has  solutions to  more than 20 common      problems.
@ -113,8 +113,8 @@ of  sources of Shorewall information. Please     try these before you   post.
 <ul>
                            <li>Please remember we only know what is posted 
-in  your   message.      Do  not  leave out any information that appears to
+ in  your   message.      Do  not  leave out any information that appears 
-be  correct,    or was   mentioned    in  a previous post. There have been
+to be  correct,    or was   mentioned    in  a previous post. There have been
 countless   posts   by people   who were   sure  that some part of their
   configuration  was correct  when  it actually   contained  a small error.
   We tend to be  skeptics where  detail   is lacking.<br>
@ -129,8 +129,8 @@ good  answers. <em>Exact quoting     </em>  of error messages,  log  entries,
 command output, and other output  is better   than a paraphrase  or  summary.<br>
                              <br>
                            </li>
-                          <li>                                   Please don't 
+                            <li>                                   Please 
-  describe     your   environment   and then  ask  us  to  send   you    
+don't    describe     your   environment   and then  ask  us  to  send   you
            custom     configuration   files.   We're here  to answer   your
 questions     but    we           can't   do your   job for you.<br>
                              <br>
@ -144,7 +144,8 @@ questions     but    we           can't   do your   job for you.<br>
  <ul>
-                            <li>the exact version of Shorewall you are running.<br>
+                              <li>the exact version of Shorewall you are
 running.<br>
                                <br>
                                <b><font color="#009900">shorewall version</font><br>
                           </b>    <br>
@ -202,9 +203,8 @@ output    from<br>
    Guides,     please  indicate which one. <br>
                        <br>
                      </li>
-                    <li><b>If you are running Shorewall under Mandrake using
+                      <li><b>If you are running Shorewall under Mandrake
-  the   Mandrake     installation of Shorewall, please say so.</b><br>
+using    the   Mandrake     installation of Shorewall, please say so.</b><br>
                              <br>
                              </li>
@ -213,10 +213,10 @@ output    from<br>
 </ul>
 <ul>
-                          <li><b>NEVER </b>include the output of "<b><font
+                            
- color="#009900">iptables    -L</font></b>". Instead,<font
+  <ul>
- color="#ff0000"><u><i><big> <b>if you are having connection  problems of 
+    <li><font color="#ff0000"><u><i><big><b>If you are having connection
-      any kind then:</b></big></i></u></font><br>
+ problems of        any kind then:</b></big></i></u></font><br>
                   <br>
               1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
                   <br>
@ -227,18 +227,19 @@ output    from<br>
               4. Post the /tmp/status.txt file as an attachment.<br>
                              <br>
                            </li>
  </ul>
                                                             <li>As a general 
  matter,   please <strong>do not edit the  diagnostic      information</strong> 
-   in   an attempt to conceal your IP address,  netmask,      nameserver addresses,
+    in   an attempt to conceal your IP address,  netmask,      nameserver 
-    domain name, etc. These aren't secrets,  and concealing      them often
+addresses,     domain name, etc. These aren't secrets,  and concealing   
-  misleads  us (and 80% of the time, a hacker  could derive them     anyway
+  them often   misleads  us (and 80% of the time, a hacker  could derive them
-  from information  contained in the SMTP headers  of your post).<br>
+    anyway   from information  contained in the SMTP headers  of your post).<br>
             <br>
             <strong></strong></li>
           <li>Do you see  any   "Shorewall"      messages ("<b><font
 color="#009900">/sbin/shorewall  show   log</font></b>")            when 
-     you exercise the function that is giving   you problems? If   so,   include
+      you exercise the function that is giving   you problems? If   so,  
-   the message(s) in your post along with a  copy of your /etc/shorewall/interfaces 
+include    the message(s) in your post along with a  copy of your /etc/shorewall/interfaces 
         file.<br>
             <br>
           </li>
@ -285,8 +286,8 @@ the spammers    but the   list  subscribers      whose MTAs are bouncing
 all shorewall.net    mail. As   one list  subscriber   wrote  to me privately
  "These e-mail admin's   need  to get a <i>(expletive   deleted)</i>  life
  instead of trying to rid   the planet of HTML based e-mail".   Nevertheless,
-  to allow subscribers  to  receive list posts as must as possible,   I have
+   to allow subscribers  to  receive list posts as must as possible,   I
- now   configured the  list  server at shorewall.net to strip all HTML  
+have   now   configured the  list  server at shorewall.net to strip all HTML
  from  outgoing  posts.<br>
    </blockquote>
@ -300,34 +301,37 @@ from  outgoing  posts.<br>
 style="font-weight: 400;">please           post your question or problem 
                to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF 
   Users      mailing       list</a>.</span></h4>
-                             <b>If you run Shorewall under MandrakeSoft Multi 
+                               <b>If you run Shorewall under MandrakeSoft 
-  Network     Firewall     (MNF)   and you have not purchased an MNF license 
+Multi    Network     Firewall     (MNF)   and you have not purchased an MNF 
-  from MandrakeSoft     then    you can  post non MNF-specific Shorewall questions
+license    from MandrakeSoft     then    you can  post non MNF-specific Shorewall 
-  to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
+questions   to the </b><a
-  users mailing       list</a>. <b>Do not expect to get free MNF support
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall   users mailing 
-on the list or forum.</b><br>
+      list</a> or to the <a
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
-        list</a>.</p>
+         list</a> or to the <a
 href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a>.<br>
 To Subscribe to the  mailing list go to <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
                              .<br>
           </p>
                                 </blockquote>
 <p>To Subscribe to the  mailing list go to <a
 href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
                             .<br>
         </p>
 <p>For information on other Shorewall mailing lists, go to <a
 href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
           </p>
-<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -335,5 +339,7 @@ on the list or forum.</b><br>
    </p>
      <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@ -32,7 +32,8 @@
 <p align="left">Shorewall has limited support       for traffic shaping/control. 
 In order to use traffic shaping under Shorewall,       it is essential that 
 you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing 
- and Shaping HOWTO</a>,       version 0.3.0 or later.</p>
+ and Shaping HOWTO</a>,       version 0.3.0 or later. It is also necessary
 to be running Linux Kernel 2.4.18 or later.</p>
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
@ -54,13 +55,13 @@ the  setting of  this variable determines whether Shorewall clears the traffic
  I have   provided     a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>   that does
    table-driven CBQ shaping but if you read the traffic shaping   sections
- of     the     HOWTO mentioned above, you can probably code your   own faster 
+  of     the     HOWTO mentioned above, you can probably code your   own
- than     you can     learn how to use my sample. I personally  use     <a
+faster   than     you can     learn how to use my sample. I personally  use
- href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below). 
+    <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below).
 HTB         support may eventually become an integral part of Shorewall
-since  HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
+ since  HTB   is a     lot simpler and better-documented than CBQ. As of
- HTB is a standard     part of the kernel but iproute2 must be patched  in
+2.4.20,  HTB is a standard     part of the kernel but iproute2 must be patched
- order  to     use it.<br>
+ in  order  to     use it.<br>
                     <br>
                     In tcstart, when you want to run the 'tc' utility, use 
 the   run_tc    function      supplied by shorewall if you want tc errors 
@ -69,13 +70,13 @@ since  HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
           You can generally use off-the-shelf traffic shaping scripts by 
 simply    copying  them to /etc/shorewall/tcstart. I use <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) 
-    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
+    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
-and    modified  it according to the Wonder Shaper README). <b>WARNING: </b>If
+   modified  it according to the Wonder Shaper README). <b>WARNING: </b>If 
 you  use use Masquerading or SNAT (i.e., you only have one external IP address) 
   then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] 
-   script won't work. Traffic shaping occurs after SNAT has already been
+   script won't work. Traffic shaping occurs after SNAT has already been applied
-applied    so when traffic shaping happens, all outbound traffic will have
+   so when traffic shaping happens, all outbound traffic will have as a source
-as a source     address the IP addresss of your firewall's external interface.<br>
+    address the IP addresss of your firewall's external interface.<br>
             </li>
                   <li><b>/etc/shorewall/tcclear</b> - A user-supplied file 
 that   is     sourced     by Shorewall when it is clearing traffic shaping. 
@ -84,8 +85,8 @@ as a source     address the IP addresss of your firewall's external interface.<b
 </ul>
       Shorewall allows you to start traffic shaping when Shorewall itself
-starts   or it allows you to bring up traffic shaping when you bring up your 
+ starts   or it allows you to bring up traffic shaping when you bring up
-interfaces.<br>
+your  interfaces.<br>
       <br>
       To start traffic shaping when Shorewall starts:<br>
@ -100,9 +101,9 @@ mark   packets using entries in /etc/shorewall/tcrules.</li>
 </ol>
       To start traffic shaping when you bring up your network interfaces,
-you   will have to arrange for your traffic shaping configuration script to
+ you   will have to arrange for your traffic shaping configuration script
-be  run at that time. How you do that is distribution dependent and will not
+to be  run at that time. How you do that is distribution dependent and will
-be covered here. You then should:<br>
+not be covered here. You then should:<br>
 <ol>
         <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
@ -130,28 +131,28 @@ be covered here. You then should:<br>
 <p align="left">Normally, packet marking occurs in the PREROUTING chain before 
    any address rewriting takes place. This makes it impossible to mark inbound 
-    packets based on their destination address when SNAT or Masquerading
+    packets based on their destination address when SNAT or Masquerading are
-are    being used. Beginning with Shorewall 1.3.12, you can cause packet
+   being used. Beginning with Shorewall 1.3.12, you can cause packet marking
-marking    to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
+   to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
-option  in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+ in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
         </p>
 <p align="left">Columns in the file are as follows:</p>
 <ul>
-                  <li>MARK - Specifies the mark value is to be assigned in
+                   <li>MARK - Specifies the mark value is to be assigned
- case   of      a match. This is an integer in the range 1-255. Beginning
+in  case   of      a match. This is an integer in the range 1-255. Beginning 
-with Shorewall  version 1.3.14, this value may be optionally followed by
+with Shorewall  version 1.3.14, this value may be optionally followed by ":"
-":" and either 'F'  or 'P' to designate that the marking will occur in the
+and either 'F'  or 'P' to designate that the marking will occur in the FORWARD
-FORWARD or PREROUTING  chains respectively. If this additional specification
+or PREROUTING  chains respectively. If this additional specification is omitted,
-is omitted, the chain  used to mark packets will be determined by the setting
+the chain  used to mark packets will be determined by the setting of the
-of the MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
                     <br>
                     Example - 5<br>
                   </li>
                   <li>SOURCE - The source of the packet. If the packet originates
-        on  the firewall, place "fw" in this column. Otherwise, this is a 
+         on  the firewall, place "fw" in this column. Otherwise, this is
-    comma-separated   list of interface names, IP addresses, MAC addresses 
+a      comma-separated   list of interface names, IP addresses, MAC addresses
  in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
                     <br>
                     Examples<br>
@ -161,12 +162,12 @@ of the MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewa
                   <li>DEST -- Destination of the packet. Comma-separated 
 list   of      IP  addresses and/or subnets.<br>
                   </li>
-                  <li>PROTO - Protocol - Must be the name of a protocol from
+                   <li>PROTO - Protocol - Must be the name of a protocol
-      /etc/protocol,    a number or "all"<br>
+from       /etc/protocol,    a number or "all"<br>
                   </li>
                   <li>PORT(S) - Destination Ports. A comma-separated list
-of  Port       names  (from /etc/services), port numbers or port ranges (e.g.,
+ of  Port       names  (from /etc/services), port numbers or port ranges
-  21:22);     if     the  protocol is "icmp", this column is interpreted
+(e.g.,   21:22);     if     the  protocol is "icmp", this column is interpreted 
 as   the     destination    icmp  type(s).<br>
                   </li>
                   <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
@ -177,8 +178,8 @@ as   the     destination    icmp  type(s).<br>
 <p align="left">Example 1 - All packets arriving on eth1 should be marked
        with 1. All packets arriving on eth2 and eth3 should be marked with
- 2.   All packets   originating on the firewall itself should be marked with 
+  2.   All packets   originating on the firewall itself should be marked
- 3.</p>
+with   3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
                   <tbody>
@ -233,8 +234,8 @@ as   the     destination    icmp  type(s).<br>
 </table>
 <p align="left">Example 2 - All GRE (protocol 47) packets not originating
-       on the firewall and destined for 155.186.235.151 should be marked with
+        on the firewall and destined for 155.186.235.151 should be marked
-    12.</p>
+with     12.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
                   <tbody>
@ -316,9 +317,9 @@ see why I wanted shaping of this type.<br>
 <ol>
              <li>I wanted to allow up to 140kbits/second for traffic outbound
-  from   my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
+   from   my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
-  can  use all available bandwidth if there is no traffic from the local
+traffic   can  use all available bandwidth if there is no traffic from the
-systems     or from my laptop or firewall).</li>
+local systems     or from my laptop or firewall).</li>
              <li>My laptop and local systems could use up to 224kbits/second.</li>
              <li>My firewall could use up to 20kbits/second.</li>
@ -326,7 +327,7 @@ systems     or from my laptop or firewall).</li>
  You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
 to see how this fit in. <br>
-<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
         © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -335,5 +336,6 @@ to see how this fit in. <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@ -11,6 +11,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -22,6 +23,7 @@
                   <tr>
                     <td width="100%">                                  
      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
                     </td>
                   </tr>
@ -29,50 +31,158 @@
  </tbody>               
 </table>
 <p>For upgrade instructions see the                               <a
- href="Install.htm">Install/Upgrade page</a>.</p>
+ href="Install.htm">Install/Upgrade page</a>.<br>
   </p>
 <p>It is important that you read all of the sections on this page where the 
 version number mentioned in the section title is later than what you are 
 currently running. <br>
   </p>
 <h3> </h3>
 <h3>Version &gt;= 1.4.1</h3>
 <ul>
   <li>Beginning with Version 1.4.1, intra-zone traffic is accepted by default. 
 Previously, traffic from a zone to itself was treated just like any other 
 traffic; any matching rules were applied followed by enforcement of the appropriate 
 policy. With 1.4.1 and later versions, unless you have explicit rules for 
 traffic from Z to Z or you have an explicit Z to Z policy (where "Z" is some 
 zone) then traffic within zone Z will be accepted. If you do have one or more
 explicit rules for Z to Z or if you have an explicit Z to Z policy then the
 behavior is as it was in prior versions.</li>
 </ul>
 <blockquote>   
  <ol>
     <li>If you have a Z Z ACCEPT policy for a zone to allow traffic between 
 two interfaces to the same zone, that policy can be removed and traffic between 
 the interfaces will traverse fewer rules than previously.</li>
     <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
 rules then your configuration should not require any change.</li>
    <li>If you are currently relying on a implicit policy (one that has "all"
 in either the SOURCE or DESTINATION column) to prevent traffic between two
 interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
 add an explicit DROP or REJECT policy for Z to Z.<br>
    </li>
  </ol>
 </blockquote>
 <ul>
   <li>Beginning with Version 1.4.1, Shorewall will never create rules to 
 deal with traffic from a given <i>interface:subnetwork </i>back to itself. 
 The <i>multi</i> interface option is no longer available so if you want to
 route traffic between two subnetworks on the same interface then either:</li>
 </ul>
 <blockquote>   
  <ol>
     <li>The subnetworks must be in different zones; or</li>
     <li>You must use the /etc/shorewall/hosts file to define the subnetworks 
 in a single zone.</li>
  </ol>
 </blockquote>
 Example 1 -- Two zones:<br>
 <blockquote>
  <pre>/etc/shorewall/zones<br><br>z1	Zone1	The first Zone<br>z2	Zone2	The secont Zone<br><br>/etc/shorewall/policy<br><br>z1	z2	ACCEPT<br>z2	z1	ACCEPT<br><br>/etc/shorewall/interfaces<br><br>-	eth1	192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1	eth1:192.168.1.0/24<br>z2	eth1:192.168.2.0/24<br></pre>
 </blockquote>
 Example 2 -- One zone:
 <blockquote>
  <pre><br>/etc/shorewall/zones<br><br>z	Zone	The Zone<br><br>/etc/shorewall/interfaces<br><br>-	eth1	192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z	eth1:192.168.1.0/24<br>z	eth1:192.168.2.0/24<br></pre>
 </blockquote>
 Note that in the second example, we don't need any policy since z-&gt;z traffic
 is accepted by default. The second technique is preferable if you want unlimited
 access between the two subnetworks.<br>
 <br>
 Sometimes, you want two separate zones on one interface but you don't want
 Shorewall to set up any infrastructure to handle traffic between them. <br>
 <br>
 Example:<br>
 <blockquote>   
  <pre>/etc/shorewall/zones<br><br>z1	Zone1	The first Zone<br>z2	Zone2	The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2	eth1	192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1	eth1:192.168.1.3<br></pre>
 </blockquote>
 Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
 in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
 can prevent Shorewall from setting up any infrastructure to handle traffic
 between z1 and z2 by using the new NONE policy:<br>
 <blockquote>
  <pre>/etc/shorewall/policy<br><pre>z1	z2	NONE<br>z2	z1	NONE</pre></pre>
 </blockquote>
 Note that NONE policies are generally used in pairs unless there is asymetric
 routing where only the traffic on one direction flows through the firewall
 and you are using a NONE polciy in the other direction. 
 <h3>Version &gt;= 1.4.0</h3>
- <b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package 
+     <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
-('ip' utility).</b><br>
+ package  ('ip' utility).</b><br>
  <br>
  <b>Note: </b>Unfortunately, some distributions call this package iproute2
 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
     <br>
        error: failed dependencies:iproute is needed by  shorewall-1.4.0-1
     <br>
     <br>
   This may be worked around by using the --nodeps option of rpm (rpm -Uvh
 --nodeps &lt;shorewall rpm&gt;).<br>
     <br>
     If you are upgrading from a version &lt; 1.4.0, then:<br>
 <ul>
-      <li>The <b>noping </b>and <b>forwardping</b> interface options are
+          <li>The <b>noping </b>and <b>forwardping</b> interface options
-no  longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. 
+are   no  longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. 
  ICMP echo-request (ping) packets are treated just like any other connection 
  request and are subject to rules and policies.</li>
-      <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in 
+          <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
-/etc/shorewall/interfaces   now generate a Shorewall error at startup (they
+in   /etc/shorewall/interfaces   now generate a Shorewall error at startup
-always have produced warnings   in iptables).</li>
+(they   always have produced warnings   in iptables).</li>
          <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
-Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
+  Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
-are  determined by BOTH the interfaces and hosts files when there are entries
+contents   are  determined by BOTH the interfaces and hosts files when there
-for the zone in both files.</li>
+are entries   for the zone in both files.</li>
-      <li>The <b>routestopped</b> option in the interfaces and hosts file 
+          <li>The <b>routestopped</b> option in the interfaces and hosts
-has  been eliminated; use entries in the routestopped file instead.</li>
+file   has  been eliminated; use entries in the routestopped file instead.</li>
-      <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer 
+          <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
-  accepted; you must convert to using the new syntax.</li>
+longer     accepted; you must convert to using the new syntax.</li>
-      <li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
+          <li value="6">The ALLOWRELATED variable in shorewall.conf is no 
-  supported.  Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
+longer    supported.  Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
-      <li value="6">Late-arriving DNS replies are not dropped by default; 
+          <li value="6">Late-arriving DNS replies are now dropped by default; 
  there  is no need for your own /etc/shorewall/common file simply to avoid 
  logging  these packets.</li>
-      <li value="6">The 'firewall', 'functions' and 'version' file have been
+          <li value="6">The 'firewall', 'functions' and 'version' file have 
-  moved to /usr/share/shorewall.</li>
+ been   moved to /usr/share/shorewall.</li>
-     <li value="6">The icmp.def file has been removed. If you include it
+         <li value="6">The icmp.def file has been removed. If you include 
-from  /etc/shorewall/icmpdef, you will need to modify that file.</li>
+it  from  /etc/shorewall/icmpdef, you will need to modify that file.</li>
  <ul>
  </ul>
      <li>If you followed the advice in FAQ #2 and call find_interface_address
  in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
      </li>
 </ul>
 <ul>
 </ul>
 <h3>Version 1.4.0</h3>
 <ul>
   <li value="8">The 'multi' interface option is no longer supported.  Shorewall 
  will generate rules for sending packets back out the same interface that 
 they arrived on in two cases:</li>
 </ul>
-<ul>
+<blockquote>   
  <ul>
     <li>There is an <u>explicit</u> policy for the source zone to or from 
  the destination zone. An explicit policy names both zones and does not use
@ -88,29 +198,21 @@ the rule must be explicit - it must name the zone in both the SOURCE and
 DESTINATION  columns.</li>
  </ul>
-  <li>If you followed the advice in FAQ #2 and call find_interface_address
+ </blockquote>
 in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
  </li>
 </ul>
 <ul>
 </ul>
 <h3>Version &gt;= 1.3.14</h3>
         <img src="images/BD21298_3.gif" alt="" width="13" height="13">
              Beginning in version 1.3.14, Shorewall treats entries in <a
 href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
-   involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
+     involves entries with an <b>interface name</b> in the <b>SUBNET</b>
-   <b>column</b>:<br>
+(second)      <b>column</b>:<br>
 <ul>
-        <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the 
+            <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
- interface  (as shown by "ip addr show <i>interface</i>") and would masquerade 
+on  the   interface  (as shown by "ip addr show <i>interface</i>") and would 
- traffic  from that subnet. Any other subnets that routed through eth1 needed 
+masquerade   traffic  from that subnet. Any other subnets that routed through 
- their  own entry in /etc/shorewall/masq to be masqueraded or to have SNAT 
+eth1 needed   their  own entry in /etc/shorewall/masq to be masqueraded or 
- applied.</li>
+to have SNAT   applied.</li>
            <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
   routing   table to determine ALL subnets routed through the named interface.
   Traffic   originating in ANY of those subnets is masqueraded or has SNAT
@ -120,8 +222,8 @@ applied.</li>
          You will need to make a change to your configuration if:<br>
 <ol>
-        <li>You have one or more entries in /etc/shorewall/masq with an interface
+            <li>You have one or more entries in /etc/shorewall/masq with
-   name in the SUBNET (second) column; and</li>
+an  interface    name in the SUBNET (second) column; and</li>
            <li>That interface connects to more than one subnetwork.</li>
 </ol>
@ -145,13 +247,14 @@ applied.</li>
 <pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
          <img src="images/BD21298_3.gif" alt="" width="13" height="13">
-         Version 1.3.14 also introduced simplified ICMP echo-request (ping) 
+             Version 1.3.14 also introduced simplified ICMP echo-request
- handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
+(ping)    handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
   is used  to specify that the old (pre-1.3.14) ping handling is to be used 
   (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes 
-  is assumed). I don't plan on supporting the old handling indefinitely so 
+    is assumed). I don't plan on supporting the old handling indefinitely 
- I urge current users to migrate to using the new handling as soon as possible. 
+so   I urge current users to migrate to using the new handling as soon as 
-  See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
+possible.    See the <a href="ping.html">'Ping' handling documentation</a> 
 for details.<br>
 <h3>Version 1.3.10</h3>
           If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
@ -164,8 +267,8 @@ to  version   1.3.10, you will need to use the '--force' option:<br>
 <h3>Version &gt;= 1.3.9</h3>
             The 'functions' file has moved to /usr/lib/shorewall/functions.
-If  you   have  an application that uses functions from that file, your application 
+  If  you   have  an application that uses functions from that file, your
-   will need to be changed to reflect this change of location.<br>
+application     will need to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.8</h3>
@ -180,8 +283,8 @@ If  you   have  an application that uses functions from that file, your applicat
 <p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf 
       will need to include the                                following rules
-   in  their /etc/shorewall/icmpdef                                file (creating 
+     in  their /etc/shorewall/icmpdef                                file
-     this file if necessary):</p>
+(creating       this file if necessary):</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
@ -196,14 +299,14 @@ If  you   have  an application that uses functions from that file, your applicat
 <ol>
                                                <li>Be sure you have a backup 
--  you   will  need                                  to transcribe any Shorewall
+  --  you   will  need                                  to transcribe any 
-  configuration                                    changes that you have
+Shorewall   configuration                                    changes that 
-made   to the new                                  configuration.</li>
+you have made   to the new                                  configuration.</li>
                                                <li>Replace the shorwall.lrp
  package     provided  on                                  the Bering floppy
-with the    later one.  If you did                                  not obtain
+  with the    later one.  If you did                                  not
-the later   version from Jacques's                                  site,
+obtain  the later   version from Jacques's                              
-see additional   instructions  below.</li>
+   site,  see additional   instructions  below.</li>
                                                <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                        file and remove the /var/lib/shorewall 
     entry  if                                  present. Then do not forget 
@ -213,8 +316,8 @@ to   backup  root.lrp !</li>
 <p>The .lrp that I release isn't set up for a two-interface firewall like 
         Jacques's. You need to follow the <a href="two-interface.htm">instructions 
-     for   setting up a two-interface firewall</a> plus you also need to add
+       for   setting up a two-interface firewall</a> plus you also need to 
-   the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
+ add    the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
 <blockquote>                                                 
  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
@ -233,8 +336,9 @@ to   backup  root.lrp !</li>
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
                  the following rule<br>
                          <br>
-                      <font face="Courier">run_iptables -A newnotsyn -j RETURN
+                          <font face="Courier">run_iptables -A newnotsyn
-   #  So  that the            connection tracking table can be rebuilt<br>
+-j  RETURN    #  So  that the            connection tracking table can be
 rebuilt<br>
                                                               # from non-SYN 
  packets     after  takeover.<br>
                 </font>  </p>
@ -244,9 +348,9 @@ packets     after  takeover.<br>
    <p align="left">Create /etc/shorewall/common (if you don't already   
        have that file) and include the following:<br>
                          <br>
-                      <font face="Courier">run_iptables -A common -p tcp
+                          <font face="Courier">run_iptables -A common -p
--tcp-flags                 ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
+tcp   --tcp-flags                 ACK,FIN,RST ACK -j ACCEPT #Accept Acks
-connection<br>
+to rebuild   connection<br>
                #tracking table. <br>
                          . /etc/shorewall/common.def</font> </p>
@ -291,10 +395,10 @@ connection<br>
 <p align="left">The functions and versions files together with the       
    'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
-                If you have applications that access these files, those applications 
+                  If you have applications that access these files, those 
-                should be modified accordingly.</p>
+applications                  should be modified accordingly.</p>
-<p><font size="2">  Last updated 3/6/2003 -                              
+<p><font size="2">  Last updated 3/18/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
@ -302,10 +406,5 @@ connection<br>
  </p>
  <br>
 <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -5,3 +5,5 @@ Changes since 1.4.0
 2. Never create rules for <iface>:<subnet> to itself.
 3. Always allow intrazone traffic.
 4. Correct building of ECN interface list under ash.
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.0
+VERSION=1.4.1
 usage() # $1 = exit status
 {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.0
+VERSION=1.4.1
 usage() # $1 = exit status
 {
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.0
+%define version 1.4.1
 %define release 1
 %define prefix /usr
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.1-1
 * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-1
 * Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.0
+VERSION=1.4.1
 usage() # $1 = exit status
 {