Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1663 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-10-04 16:47:43 +00:00 · 2004-10-04 16:47:43 +00:00 · 8434b752f7
commit 8434b752f7
parent 757b144de2
11 changed files with 527 additions and 295 deletions
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@ -2027,6 +2027,28 @@ ACCEPT   fw      net    tcp     www</programlisting>
          <emphasis role="bold">THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
          FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
          CONFIGURATION.</emphasis></para>
          <para>Normally MASQUERADE/SNAT rules are evaluated after one-to-one
          NAT rules defined in the <link
          linkend="NAT"><filename>/etc/shorewall/nat</filename></link> file.
          Beginning with Shorewall 2.1.1, if you preceed the interface name
          with a plus sign ("+") then the rule will be evaluated before
          one-to-one NAT.</para>
          <para>Examples:</para>
          <programlisting>+eth0
 +eth1:192.0.2.32/27</programlisting>
          <para>Also new in the Shorewall 2.1 series, the effect of
          ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
          interface name by ":" but no digit. </para>
          <para>Examples:</para>
          <programlisting>eth0:
 eth1::192.0.2.32/27
 +eth3</programlisting>
        </listitem>
      </varlistentry>
@ -2382,6 +2404,14 @@ eth0                  eth1            206.124.146.176</programlisting>
          the ipconfig utility. <emphasis role="bold">THAT IS THE ONLY THING
          THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN
          YOUR SHOREWALL CONFIGURATION.</emphasis></para>
          <para>Beginning with Shorewall 2.1.1, the effect of
          ADD_IP_ALIASES=Yes can be negated for an entry by following the
          interface name by ":" but no digit. </para>
          <para>Example:</para>
          <programlisting>eth0:</programlisting>
        </listitem>
      </varlistentry>
@ -3627,6 +3657,16 @@ eth1                -</programlisting>
    <title>Revision History</title>
    <para><revhistory>
        <revision>
          <revnumber>1.19</revnumber>
          <date>2004-09012</date>
          <authorinitials>TE</authorinitials>
          <revremark>Changes for Shorewall 2.1.</revremark>
        </revision>
        <revision>
          <revnumber>1.18</revnumber>
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-06-25</pubdate>
+    <pubdate>2004-09-12</pubdate>
    <copyright>
      <year>2001</year>
@ -35,7 +35,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -45,11 +46,13 @@
    <para>If you install using the .deb, you will find that your <filename
    class="directory">/etc/shorewall</filename> directory is empty. This is
    intentional. The released configuration file skeletons may be found on
-    your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
+    your system in the directory <filename
    class="directory">/usr/share/doc/shorewall/default-config</filename>.
    Simply copy the files you need from that directory to <filename
    class="directory">/etc/shorewall</filename> and modify the copies.</para>
-    <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
+    <para>Note that you must copy <filename
    class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
    and /usr/share/doc/shorewall/default-config/modules to <filename
    class="directory">/etc/shorewall</filename> even if you do not modify
    those files.</para>
@ -60,9 +63,9 @@
    <important>
      <para>Before attempting installation, I strongly urge you to read and
-      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
+      print a copy of the <ulink
-      QuickStart</ulink> Guide for the configuration that most closely matches
+      url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
-      your own.</para>
+      for the configuration that most closely matches your own.</para>
    </important>
    <para>To install Shorewall using the RPM:</para>
@ -71,14 +74,15 @@
      <listitem>
        <para>Install the RPM</para>
-        <programlisting><command>rpm -ivh &#60;shorewall rpm&#62;</command></programlisting>
+        <programlisting><command>rpm -ivh &lt;shorewall rpm&gt;</command></programlisting>
        <note>
          <para>Some SuSE users have encountered a problem whereby rpm reports
-          a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
+          a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-          installed. If this happens, simply use the --nodeps option to rpm.</para>
+          installed. If this happens, simply use the --nodeps option to
          rpm.</para>
-          <programlisting><filename><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></filename></programlisting>
+          <programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting>
        </note>
        <note>
@ -89,9 +93,10 @@
          <programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
-          <para>This may be worked around by using the --nodeps option of rpm.</para>
+          <para>This may be worked around by using the --nodeps option of
          rpm.</para>
-          <programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
+          <programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
        </note>
      </listitem>
@ -110,6 +115,14 @@
        </warning>
      </listitem>
      <listitem>
        <para>Enable startup by removing
        <filename>/etc/shorewall/startup_disabled</filename> (If you are
        running Shorewall 2.1.3 or later, edit
        /<filename>etc/shorewall/shorewall.conf</filename> and set
        STARTUP_ENABLED to Yes).</para>
      </listitem>
      <listitem>
        <para>Start the firewall by typing</para>
@ -123,9 +136,9 @@
    <important>
      <para>Before attempting installation, I strongly urge you to read and
-      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
+      print a copy of the <ulink
-      QuickStart</ulink> Guide for the configuration that most closely matches
+      url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
-      your own.</para>
+      for the configuration that most closely matches your own.</para>
    </important>
    <para>To install Shorewall using the tarball and install script:</para>
@ -141,18 +154,19 @@
      </listitem>
      <listitem>
-        <para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
+        <para>If you are running <ulink
-        you need Shorewall 2.0.2 RC1 or later. If you are installing a
+        url="http://www.slackware.com">Slackware</ulink>, you need Shorewall
-        Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
+        2.0.2 RC1 or later. If you are installing a Shorewall version earlier
-        the install.sh file and change the lines</para>
+        than 2.0.3 Beta 1 then you must also edit the install.sh file and
        change the lines</para>
-        <programlisting>DEST=&#34;/etc/init.d&#34;
+        <programlisting>DEST="/etc/init.d"
-INIT=&#34;shorewall&#34;</programlisting>
+INIT="shorewall"</programlisting>
        <para>to</para>
-        <programlisting>DEST=&#34;/etc/rc.d&#34;
+        <programlisting>DEST="/etc/rc.d"
-INIT=&#34;rc.firewall&#34;</programlisting>
+INIT="rc.firewall"</programlisting>
      </listitem>
      <listitem>
@ -172,9 +186,26 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      </listitem>
      <listitem>
-        <para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
+        <para>Enable Startup:</para>
-        (Debian users will edit <filename>/etc/default/shorewall</filename>
+
-        and set startup=1).</para>
+        <itemizedlist>
          <listitem>
            <para>Users running Shorewall 2.1.3 or later, edit
            <filename>/etc/shorewall/shorewall.conf</filename> and set
            STARTUP_ENABLED=Yes.</para>
          </listitem>
          <listitem>
            <para>Users running Shorewall 2.1.2 or earlier and using the .deb
            should edit <filename>/etc/default/shorewall</filename> and set
            startup=1.</para>
          </listitem>
          <listitem>
            <para>All other users, remove the file
            <filename>/etc/shorewall/startup_disabled</filename></para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
@ -186,7 +217,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      <listitem>
        <para>If the install script was unable to configure Shorewall to be
        started automatically at boot, see <ulink
-        url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
+        url="starting_and_stopping_shorewall.htm">these
        instructions</ulink>.</para>
      </listitem>
    </orderedlist>
  </section>
@ -196,15 +228,16 @@ INIT=&#34;rc.firewall&#34;</programlisting>
    <important>
      <para>Before attempting installation, I strongly urge you to read and
-      print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
+      print a copy of the <ulink
-      QuickStart</ulink> Guide for the configuration that most closely matches
+      url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
-      your own.</para>
+      for the configuration that most closely matches your own.</para>
    </important>
    <para>To install my version of Shorewall on a fresh Bering disk, simply
    replace the <quote>shorwall.lrp</quote> file on the image with the file
    that you downloaded. See the <ulink url="two-interface.htm">two-interface
-    QuickStart Guide</ulink> for information about further steps required.</para>
+    QuickStart Guide</ulink> for information about further steps
    required.</para>
  </section>
  <section id="Upgrade_RPM">
@ -224,22 +257,23 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      please check your /etc/shorewall/interfaces file to be sure that it
      contains an entry for each interface mentioned in the hosts file. Also,
      there are certain 1.2 rule forms that are no longer supported under 1.4
-      (you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
+      (you must use the new 1.4 syntax). See <ulink
-      upgrade issues</ulink> for details.</para>
+      url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
    </important>
    <orderedlist>
      <listitem>
        <para>Upgrade the RPM</para>
-        <programlisting><command>rpm -Uvh &#60;shorewall rpm file&#62;</command></programlisting>
+        <programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt;</command></programlisting>
        <note>
          <para>Some SuSE users have encountered a problem whereby rpm reports
-          a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
+          a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
-          installed. If this happens, simply use the --nodeps option to rpm.</para>
+          installed. If this happens, simply use the --nodeps option to
          rpm.</para>
-          <programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
+          <programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
        </note>
        <note>
@ -250,15 +284,17 @@ INIT=&#34;rc.firewall&#34;</programlisting>
          <programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
-          <para>This may be worked around by using the --nodeps option of rpm.</para>
+          <para>This may be worked around by using the --nodeps option of
          rpm.</para>
-          <programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
+          <programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
        </note>
      </listitem>
      <listitem>
        <para>See if there are any incompatibilities between your
-        configuration and the new Shorewall version and correct as necessary.</para>
+        configuration and the new Shorewall version and correct as
        necessary.</para>
        <programlisting><command>shorewall check</command></programlisting>
      </listitem>
@ -288,8 +324,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      please check your /etc/shorewall/interfaces file to be sure that it
      contains an entry for each interface mentioned in the hosts file. Also,
      there are certain 1.2 rule forms that are no longer supported under 1.4
-      (you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
+      (you must use the new 1.4 syntax). See <ulink
-      upgrade issues</ulink> for details.</para>
+      url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
    </important>
    <orderedlist>
@ -305,18 +341,19 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      </listitem>
      <listitem>
-        <para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
+        <para>If you are running <ulink
-        you should use Shorewall 2.0.2 RC1 or later. If you are installing a
+        url="http://www.slackware.com">Slackware</ulink>, you should use
-        Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
+        Shorewall 2.0.2 RC1 or later. If you are installing a Shorewall
-        the install.sh file and change the lines</para>
+        version earlier than 2.0.3 Beta 1 then you must also edit the
        install.sh file and change the lines</para>
-        <programlisting>DEST=&#34;/etc/init.d&#34;
+        <programlisting>DEST="/etc/init.d"
-INIT=&#34;shorewall&#34;</programlisting>
+INIT="shorewall"</programlisting>
        <para>to</para>
-        <programlisting>DEST=&#34;/etc/rc.d&#34;
+        <programlisting>DEST="/etc/rc.d"
-INIT=&#34;rc.firewall&#34;</programlisting>
+INIT="rc.firewall"</programlisting>
      </listitem>
      <listitem>
@ -332,7 +369,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      <listitem>
        <para>See if there are any incompatibilities between your
-        configuration and the new Shorewall version and correct as necessary.</para>
+        configuration and the new Shorewall version and correct as
        necessary.</para>
        <programlisting><command>shorewall check</command></programlisting>
      </listitem>
@ -346,7 +384,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
      <listitem>
        <para>If the install script was unable to configure Shorewall to be
        started automatically at boot, see <ulink
-        url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
+        url="starting_and_stopping_shorewall.htm">these
        instructions</ulink>.</para>
      </listitem>
    </orderedlist>
  </section>
@ -375,6 +414,7 @@ INIT=&#34;rc.firewall&#34;</programlisting>
  <section>
    <title>Uninstall/Fallback</title>
-    <para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
+    <para>See <quote><ulink url="fallback.htm">Fallback and
    Uninstall</ulink></quote>.</para>
  </section>
 </article>
--- a/Shorewall-docs2/User_defined_Actions.xml
+++ b/Shorewall-docs2/User_defined_Actions.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-25</pubdate>
+    <pubdate>2004-09-17</pubdate>
    <copyright>
      <year>2003</year>
@ -31,28 +31,33 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Creating a New Action</title>
-    <para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
+    <para>Prior to Shorewall version 1.4.9, rules in
-    were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
+    <filename>/etc/shorewall/rules</filename> were limited to those defined by
-    Beginning with Shorewall version 1.4.9, users may use sequences of these
+    Netfilter (ACCEPT, DROP, REJECT, etc.). Beginning with Shorewall version
-    elementary operations to define more complex actions.</para>
+    1.4.9, users may use sequences of these elementary operations to define
    more complex actions.</para>
    <para>To define a new action:</para>
    <orderedlist>
      <listitem>
-        <para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
+        <para>Add a line to
-        that names your new action. Action names must be valid shell variable
+        <filename><filename>/etc/shorewall/actions</filename></filename> that
-        names as well as valid Netfilter chain names. It is recommended that
+        names your new action. Action names must be valid shell variable names
-        the name you select for a new action begins with with a capital
+        ((must begin with a letter and be composed of letters, digits and
-        letter; that way, the name won&#39;t conflict with a Shorewall-defined
+        underscore characters) as well as valid Netfilter chain names. If you
-        chain name.</para>
+        intend to log from the action, the name must have a maximum of 11
        characters. It is recommended that the name you select for a new
        action begins with with a capital letter; that way, the name won't
        conflict with a Shorewall-defined chain name.</para>
        <para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
        be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
@ -71,8 +76,9 @@
      <listitem>
        <para>Once you have defined your new action name (ActionName), then
-        copy /usr/share/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
+        copy /usr/share/shorewall/action.template to
-        (for example, if your new action name is <quote>Foo</quote> then copy
+        <filename>/etc/shorewall/action.ActionName</filename> (for example, if
        your new action name is <quote>Foo</quote> then copy
        <filename>/usr/share/shorewall/action.template</filename> to
        <filename>/etc/shorewall/action.Foo</filename>).</para>
      </listitem>
@ -87,10 +93,11 @@
    <itemizedlist>
      <listitem>
        <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
-        &#60;<emphasis>action</emphasis>&#62; where &#60;<emphasis>action</emphasis>&#62;
+        &lt;<emphasis>action</emphasis>&gt; where
-        is a previously-defined action (that is, it must precede the action
+        &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
-        being defined in this file in your <filename>/etc/shorewall/actions</filename>
+        (that is, it must precede the action being defined in this file in
-        file). These actions have the same meaning as they do in the
+        your <filename>/etc/shorewall/actions</filename> file). These actions
        have the same meaning as they do in the
        <filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
        processing of the current action and returns to the point where that
        action was invoked). The TARGET may optionally be followed by a colon
@ -120,13 +127,14 @@
        MAC addresses are not allowed.</para>
        <para>Unlike in the SOURCE column, you may specify a range of up to
-        256 IP addresses using the syntax &#60;<emphasis>first ip</emphasis>&#62;-&#60;<emphasis>last
+        256 IP addresses using the syntax &lt;<emphasis>first
-        ip</emphasis>&#62;.</para>
+        ip</emphasis>&gt;-&lt;<emphasis>last ip</emphasis>&gt;.</para>
      </listitem>
      <listitem>
-        <para>PROTO - Protocol - Must be <quote>tcp</quote>, <quote>udp</quote>,
+        <para>PROTO - Protocol - Must be <quote>tcp</quote>,
-        <quote>icmp</quote>, a number, or <quote>all</quote>.</para>
+        <quote>udp</quote>, <quote>icmp</quote>, a number, or
        <quote>all</quote>.</para>
      </listitem>
      <listitem>
@ -135,8 +143,8 @@
        ranges; if the protocol is <quote>icmp</quote>, this column is
        interpreted as the destination icmp-type(s).</para>
-        <para>A port range is expressed as &#60;<emphasis>low port</emphasis>&#62;:&#60;<emphasis>high
+        <para>A port range is expressed as &lt;<emphasis>low
-        port</emphasis>&#62;.</para>
+        port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
        <para>This column is ignored if PROTOCOL = all but must be entered if
        any of the following ields are supplied. In that case, it is suggested
@ -156,7 +164,8 @@
          </listitem>
        </orderedlist>
-        <para>Otherwise, a separate rule will be generated for each port.</para>
+        <para>Otherwise, a separate rule will be generated for each
        port.</para>
      </listitem>
      <listitem>
@ -164,9 +173,8 @@
        source port is acceptable. Specified as a comma-separated list of port
        names, port numbers or port ranges.</para>
-        <para>If you don&#39;t want to restrict client ports but need to
+        <para>If you don't want to restrict client ports but need to specify
-        specify an ADDRESS in the next column, then place &#34;-&#34; in this
+        an ADDRESS in the next column, then place "-" in this column.</para>
        column.</para>
        <para>If your kernel contains multi-port match support, then only a
        single Netfilter rule will be generated if in this list and in the
@ -182,18 +190,19 @@
          </listitem>
        </orderedlist>
-        <para>Otherwise, a separate rule will be generated for each port.</para>
+        <para>Otherwise, a separate rule will be generated for each
        port.</para>
      </listitem>
      <listitem>
        <para>RATE LIMIT - You may rate-limit the rule by placing a value in
        this column:</para>
-        <para><programlisting>     &#60;<emphasis>rate</emphasis>&#62;/&#60;<emphasis>interval</emphasis>&#62;[:&#60;<emphasis>burst</emphasis>&#62;]</programlisting>where
+        <para><programlisting>     &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
-        &#60;<emphasis>rate</emphasis>&#62; is the number of connections per
+        &lt;<emphasis>rate</emphasis>&gt; is the number of connections per
-        &#60;<emphasis>interval</emphasis>&#62; (<quote>sec</quote> or
+        &lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
-        <quote>min</quote>) and &#60;<emphasis>burst</emphasis>&#62; is the
+        <quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
-        largest burst permitted. If no &#60;<emphasis>burst</emphasis>&#62; is
+        largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
        given, a value of 5 is assumed. There may be no whitespace embedded in
        the specification.</para>
@ -207,30 +216,33 @@
        any of the following:</para>
        <simplelist>
-          <member>[!]&#60;<emphasis>user number</emphasis>&#62;[:]</member>
+          <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
-          <member>[!]&#60;<emphasis>user name</emphasis>&#62;[:]</member>
+          <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
-          <member>[!]:&#60;<emphasis>group number</emphasis>&#62;</member>
+          <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
-          <member>[!]:&#60;<emphasis>group name</emphasis>&#62;</member>
+          <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user number</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          number</emphasis>&#62;</member>
+          number</emphasis>&gt;:&lt;<emphasis>group
          number</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          number</emphasis>&#62;</member>
+          name</emphasis>&gt;:&lt;<emphasis>group
          number</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user inumber</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          name</emphasis>&#62;</member>
+          inumber</emphasis>&gt;:&lt;<emphasis>group
          name</emphasis>&gt;</member>
-          <member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
+          <member>[!]&lt;<emphasis>user
-          name</emphasis>&#62;</member>
+          name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
        </simplelist>
      </listitem>
    </itemizedlist>
-    <para>Omitted column entries should be entered using a dash (&#34;-:).</para>
+    <para>Omitted column entries should be entered using a dash ("-:).</para>
    <para>Example:</para>
@ -244,13 +256,123 @@
    <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
 LogAndAccept loc         fw          tcp      22</programlisting>
    <para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
    log tag) on a rule that specified a user-defined (or Shorewall-defined)
    action would log all traffic passed to the action. Beginning with
    Shorewall 2.1.2, specifying a log level in a rule that specifies a user-
    or Shorewall-defined action will cause each rule in the action to be
    logged with the specified level (and tag).</para>
    <para>The extent to which logging of action rules occur is goverend by the
    following:</para>
    <orderedlist>
      <listitem>
        <para>When you invoke an action and specify a log level, only those
        rules in the action that have no log level will be changed to log at
        the level specified at the action invocation.</para>
        <para>Example:</para>
        <para>/etc/shorewall/action.foo</para>
        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 foo:debug    fw         net</programlisting>
        <para>Logging in the invoke 'foo' action will be as if foo had been
        defined as:</para>
        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT:debug -          -        tcp      22
 bar:info</programlisting>
      </listitem>
      <listitem>
        <para>If you follow the log level with "!" then logging will be at
        that level for all rules recursively invoked by the action.</para>
        <para>Example:</para>
        <para>/etc/shorewall/action.foo</para>
        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 foo:debug!    fw         net</programlisting>
        <para>Logging in the invoke 'foo' action will be as if foo had been
        defined as:</para>
        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
    </orderedlist>
    <para>The change in Shorewall 2.1.2 has an effect on extension scripts
    used with user-defined actions. If you define an action 'acton' and you
    have an <filename>/etc/shorewall/acton</filename> script then when that
    script is invoked, the following three variables will be set for use by
    the script:</para>
    <itemizedlist>
      <listitem>
        <para>$CHAIN = the name of the chain where your rules are to be
        placed. When logging is used on an action invocation, Shorewall
        creates a chain with a slightly different name from the action
        itself.</para>
      </listitem>
      <listitem>
        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
      </listitem>
      <listitem>
        <para>$TAG = Log Tag.</para>
      </listitem>
    </itemizedlist>
    <para>Example:</para>
    <para><filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION          SOURCE           DEST
 acton:info:test  fw               net</programlisting>
    <para>Your /etc/shorewall/acton file will be run with:</para>
    <itemizedlist>
      <listitem>
        <para>$CHAIN="%acton1"</para>
      </listitem>
      <listitem>
        <para>$LEVEL="info"</para>
      </listitem>
      <listitem>
        <para>$TAG="test"</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>Standard Actions In Shorewall 2.0</title>
    <para>Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
-    defined actions. These defined actions are listed in <filename>/usr/share/shorewall/actions.std</filename>.</para>
+    defined actions. These defined actions are listed in
    <filename>/usr/share/shorewall/actions.std</filename>.</para>
    <para>The <filename>/usr/share/shorewall/actions.std</filename> file
    includes the common actions <quote>Drop</quote> for DROP policies and
@ -268,27 +390,32 @@ AllowFTP  loc         fw</programlisting>
    <para><filename>/usr/share/shorewall/actions.std</filename> is processed
    before <filename>/etc/shorewall/actions</filename> and if you have any
-    actions defined with the same name as one in <filename>/usr/share/shorewall/actions.std</filename>,
+    actions defined with the same name as one in
-    your version in <filename class="directory">/etc/shorewall</filename> will
+    <filename>/usr/share/shorewall/actions.std</filename>, your version in
-    be the one used. So if you wish to modify a standard action, simply copy
+    <filename class="directory">/etc/shorewall</filename> will be the one
-    the associated action file from <filename class="directory">/usr/share/shorewall
+    used. So if you wish to modify a standard action, simply copy the
-    </filename>to <filename class="directory">/etc/shorewall and modify</filename>
+    associated action file from <filename
-    it to suit your needs. The next <command>shorewall restart</command> will
+    class="directory">/usr/share/shorewall </filename>to <filename
-    cause your action to be installed in place of the standard one. In
+    class="directory">/etc/shorewall and modify</filename> it to suit your
-    particular, if you want to modify the common actions <quote>Drop</quote>
+    needs. The next <command>shorewall restart</command> will cause your
-    or <quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
+    action to be installed in place of the standard one. In particular, if you
-    <filename>Action.Reject</filename> to <filename class="directory">/etc/shorewall</filename>
+    want to modify the common actions <quote>Drop</quote> or
-    and modify that copy as desired.</para>
+    <quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
    <filename>Action.Reject</filename> to <filename
    class="directory">/etc/shorewall</filename> and modify that copy as
    desired.</para>
  </section>
  <section>
    <title>Creating an Action using an Extension Script</title>
    <para>There may be cases where you wish to create a chain with rules that
-    can&#39;t be constructed using the tools defined in the action.template.
+    can't be constructed using the tools defined in the action.template. In
-    In that case, you can use an extension script.<note><para>If you actually
+    that case, you can use an extension script.<note>
-    need an action to drop broadcast packets, use the <command>dropBcast</command>
+        <para>If you actually need an action to drop broadcast packets, use
-    standard action rather than create one like this.</para></note></para>
+        the <command>dropBcast</command> standard action rather than create
        one like this.</para>
      </note></para>
    <example>
      <title>An action to drop all broadcast packets</title>
--- a/Shorewall-docs2/bridge.xml
+++ b/Shorewall-docs2/bridge.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-23</pubdate>
+    <pubdate>2004-10-04</pubdate>
    <copyright>
      <year>2004</year>
@ -433,6 +433,12 @@ loc      eth1           detect</programlisting></para>
 net      br0:eth0
 dmz      br0:eth2</programlisting>
      </listitem>
      <listitem>
        <para>The DMZ systems need a route to the 192.168.201.0/24 network via
        192.0.2.176 to enable them to communicate with the local
        network.</para>
      </listitem>
    </orderedlist>
  </section>
@ -456,4 +462,4 @@ dmz      br0:eth2</programlisting>
      </listitem>
    </itemizedlist>
  </section>
-</article>
+</article>
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-07</pubdate>
+    <pubdate>2004-10-02</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -213,8 +213,7 @@ OMAK=&lt;ip address of tipper while we are at our second home&gt;
 LOG=info
 EXT_IF=eth1
 INT_IF=eth0
-DMZ_IF=eth2
+DMZ_IF=eth2</programlisting></para>
 </programlisting></para>
      </blockquote>
    </section>
@ -223,10 +222,10 @@ DMZ_IF=eth2
      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
 omak    Omak            Our Laptop at our second home
 net     Internet        Internet
 dmz     DMZ             Demilitarized zone
 loc     Local           Local networks
 omak    Omak            Our Laptop at our second home
 tx      Texas           Peer Network in Dallas
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 </programlisting>
@ -242,7 +241,7 @@ tx      Texas           Peer Network in Dallas
        <programlisting>#ZONE   INTERFACE BROADCAST       OPTIONS
 net     $EXT_IF   206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
-loc     $INT_IF   detect          dhcp
+loc     $INT_IF   192.168.1.255   dhcp
 dmz     $DMZ_IF   -
 -       texas     -
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -351,9 +350,8 @@ all             all             REJECT          $LOG
      <blockquote>
        <para>Although most of our internal systems use one-to-one NAT, my
-        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
+        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
-        my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
+        does our laptop (192.168.3.8) and visitors with laptops.</para>
        with laptops.</para>
        <para>The first entry allows access to the DSL modem and uses features
        introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
@ -861,4 +859,4 @@ default via 192.168.1.254 dev br0</programlisting>
      </blockquote>
    </section>
  </section>
-</article>
+</article>
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-07-14</pubdate>
+    <pubdate>2004-09-12</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -39,9 +40,9 @@
    <para>Setting up Shorewall on a standalone Linux system is very easy if
    you understand the basics and follow the documentation.</para>
-    <para>This guide doesn&#39;t attempt to acquaint you with all of the
+    <para>This guide doesn't attempt to acquaint you with all of the features
-    features of Shorewall. It rather focuses on what is required to configure
+    of Shorewall. It rather focuses on what is required to configure Shorewall
-    Shorewall in one of its most common configurations:</para>
+    in one of its most common configurations:</para>
    <itemizedlist>
      <listitem>
@ -62,11 +63,11 @@
      <title>Requirements</title>
      <para>Shorewall requires that you have the iproute/iproute2 package
-      installed (on RedHat, the package is called <emphasis>iproute</emphasis>).
+      installed (on RedHat, the package is called
-      You can tell if this package is installed by the presence of an
+      <emphasis>iproute</emphasis>). You can tell if this package is installed
-      <emphasis role="bold">ip</emphasis> program on your firewall system. As
+      by the presence of an <emphasis role="bold">ip</emphasis> program on
-      root, you can use the <quote>which</quote> command to check for this
+      your firewall system. As root, you can use the <quote>which</quote>
-      program:</para>
+      command to check for this program:</para>
      <programlisting>[root@gateway root]# <command>which ip</command>
 /sbin/ip
@ -77,8 +78,8 @@
      <title>Before you start</title>
      <para>I recommend that you read through the guide first to familiarize
-      yourself with what&#39;s involved then go back through it again making
+      yourself with what's involved then go back through it again making your
-      your configuration changes.</para>
+      configuration changes.</para>
      <caution>
        <para>If you edit your configuration files on a Windows system, you
@ -92,8 +93,9 @@
          <member><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
          Version of dos2unix</ulink></member>
-          <member><ulink url="http://www.megaloman.com/~hany/software/hd2u/">Linux
+          <member><ulink
-          Version of dos2unix</ulink></member>
+          url="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
          dos2unix</ulink></member>
        </simplelist>
      </caution>
    </section>
@ -102,7 +104,8 @@
      <title>Conventions</title>
      <para>Points at which configuration changes are recommended are flagged
-      with <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
+      with <inlinegraphic fileref="images/BD21298_.gif"
      format="GIF" />.</para>
    </section>
  </section>
@ -112,10 +115,11 @@
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>If you have an ADSL Modem and you use PPTP to communicate with a
-    server in that modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
+    server in that modem, you must make the <ulink
-    recommended here</ulink> <emphasis role="underline">in addition to those
+    url="PPTP.htm#PPTP_ADSL">changes recommended here</ulink> <emphasis
-    described in the steps below</emphasis>. ADSL with PPTP is most commonly
+    role="underline">in addition to those described in the steps
-    found in Europe, notably in Austria.</para>
+    below</emphasis>. ADSL with PPTP is most commonly found in Europe, notably
    in Austria.</para>
  </section>
  <section>
@ -126,12 +130,13 @@
    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
    setups, you only need to deal with a few of these as described in this
-    guide. After you have <ulink url="Install.htm">installed Shorewall</ulink>,
+    guide. After you have <ulink url="Install.htm">installed
-    <emphasis role="bold">download the <ulink
+    Shorewall</ulink>, <emphasis role="bold">download the <ulink
    url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
    sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
    files to /etc/shorewall (they will replace files with the same names that
-    were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>
+    were placed in /etc/shorewall during Shorewall
    installation)</emphasis>.</para>
    <warning>
      <para><emphasis role="bold">Note to Debian Users</emphasis></para>
@ -139,11 +144,14 @@
      <para>If you install using the .deb, you will find that your <filename
      class="directory">/etc/shorewall</filename> directory is empty. This is
      intentional. The released configuration file skeletons may be found on
-      your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
+      your system in the directory <filename
      class="directory">/usr/share/doc/shorewall/default-config</filename>.
      Simply copy the files you need from that directory to <filename
-      class="directory">/etc/shorewall</filename> and modify the copies.</para>
+      class="directory">/etc/shorewall</filename> and modify the
      copies.</para>
-      <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
+      <para>Note that you must copy <filename
      class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
      and /usr/share/doc/shorewall/default-config/modules to <filename
      class="directory">/etc/shorewall</filename> even if you do not modify
      those files.</para>
@ -177,10 +185,12 @@
      </tgroup>
    </informaltable>
-    <para>Shorewall zones are defined in <ulink url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
+    <para>Shorewall zones are defined in <ulink
    url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
    <para>Shorewall also recognizes the firewall system as its own zone - by
-    default, the firewall itself is known as <emphasis role="bold">fw</emphasis>.</para>
+    default, the firewall itself is known as <emphasis
    role="bold">fw</emphasis>.</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones.</para>
@ -188,7 +198,8 @@
    <itemizedlist>
      <listitem>
        <para>You express your default policy for connections from one zone to
-        another zone in the <ulink url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
+        another zone in the <ulink
        url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
        file.</para>
      </listitem>
@ -200,12 +211,13 @@
    </itemizedlist>
    <para>For each connection request entering the firewall, the request is
-    first checked against the <filename><filename>/etc/shorewall/rules</filename></filename>
+    first checked against the
-    file. If no rule in that file matches the connection request then the
+    <filename><filename>/etc/shorewall/rules</filename></filename> file. If no
-    first policy in <filename>/etc/shorewall/policy</filename> that matches
+    rule in that file matches the connection request then the first policy in
-    the request is applied. If there is a <ulink
+    <filename>/etc/shorewall/policy</filename> that matches the request is
-    url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
+    applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon
-    policy in <filename>/etc/shorewall/actions</filename> or
+    action</ulink> defined for the policy in
    <filename>/etc/shorewall/actions</filename> or
    <filename>/usr/share/shorewall/actions.std</filename> then that action is
    peformed before the action is applied.</para>
@ -221,7 +233,8 @@ all            all                REJECT   info</programlisting>
    <orderedlist>
      <listitem>
-        <para>allow all connection requests from the firewall to the internet</para>
+        <para>allow all connection requests from the firewall to the
        internet</para>
      </listitem>
      <listitem>
@ -244,15 +257,16 @@ all            all                REJECT   info</programlisting>
    <para>The firewall has a single network interface. Where Internet
    connectivity is through a cable or DSL <quote>Modem</quote>, the
-    <emphasis>External Interface</emphasis> will be the ethernet adapter (<emphasis
+    <emphasis>External Interface</emphasis> will be the ethernet adapter
-    role="bold">eth0</emphasis>) that is connected to that <quote>Modem</quote>
+    (<emphasis role="bold">eth0</emphasis>) that is connected to that
-    <emphasis role="underline">unless</emphasis> you connect via
+    <quote>Modem</quote> <emphasis role="underline">unless</emphasis> you
-    <emphasis>Point-to-Point Protocol over Ethernet</emphasis> (PPPoE) or
+    connect via <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
-    <emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP) in which
+    (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP)
-    case the External Interface will be a <emphasis role="bold">ppp0</emphasis>.
+    in which case the External Interface will be a <emphasis
-    If you connect via a regular modem, your External Interface will also be
+    role="bold">ppp0</emphasis>. If you connect via a regular modem, your
-    <emphasis role="bold">ppp0</emphasis>. If you connect using ISDN, your
+    External Interface will also be <emphasis role="bold">ppp0</emphasis>. If
-    external interface will be <emphasis role="bold">ippp0</emphasis>.</para>
+    you connect using ISDN, your external interface will be <emphasis
    role="bold">ippp0</emphasis>.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -264,25 +278,28 @@ all            all                REJECT   info</programlisting>
    Some hints:</para>
    <tip>
-      <para>If your external interface is <emphasis role="bold">ppp0</emphasis>
+      <para>If your external interface is <emphasis
-      or <emphasis role="bold">ippp0</emphasis>, you can replace the
+      role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis>,
-      <quote>detect</quote> in the second column with <quote>-</quote>.</para>
+      you can replace the <quote>detect</quote> in the second column with
      <quote>-</quote>.</para>
    </tip>
    <tip>
-      <para>If your external interface is <emphasis role="bold">ppp0</emphasis>
+      <para>If your external interface is <emphasis
-      or <emphasis role="bold">ippp0</emphasis> or if you have a static IP
+      role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis> or
-      address, you can remove <quote>dhcp</quote> from the option list.</para>
+      if you have a static IP address, you can remove <quote>dhcp</quote> from
      the option list.</para>
    </tip>
    <tip>
      <para>If you specify <emphasis>norfc1918</emphasis> for your external
      interface, you will want to check the <ulink url="errata.htm">Shorewall
-      Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918
+      Errata</ulink> periodically for updates to the
-      file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename>
+      <filename>/usr/share/shorewall/rfc1918 file</filename>. Alternatively,
-      to <filename>/etc/shorewall/rfc1918</filename> then <ulink
+      you can copy <filename>/usr/share/shorewall/rfc1918</filename> to
-      url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
+      <filename>/etc/shorewall/rfc1918</filename> then <ulink
-      file as I do</ulink>.</para>
+      url="myfiles.htm#RFC1918">strip down your
      <filename>/etc/shorewall/rfc1918</filename> file as I do</ulink>.</para>
    </tip>
  </section>
@ -296,12 +313,12 @@ all            all                REJECT   info</programlisting>
 172.16.0.0  - 172.31.255.255
 192.168.0.0 - 192.168.255.255</programlisting>
-    <para>These addresses are sometimes referred to as <emphasis>non-routable</emphasis>
+    <para>These addresses are sometimes referred to as
-    because the Internet backbone routers will not forward a packet whose
+    <emphasis>non-routable</emphasis> because the Internet backbone routers
-    destination address is reserved by RFC 1918. In some cases though, ISPs
+    will not forward a packet whose destination address is reserved by RFC
-    are assigning these addresses then using <emphasis>Network Address
+    1918. In some cases though, ISPs are assigning these addresses then using
-    Translation</emphasis> to rewrite packet headers when forwarding to/from
+    <emphasis>Network Address Translation</emphasis> to rewrite packet headers
-    the internet.</para>
+    when forwarding to/from the internet.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -319,7 +336,8 @@ all            all                REJECT   info</programlisting>
    actions included in your version of Shorewall in the file
    <filename>/usr/share/shorewall/actions.std</filename>.</para>
-    <para>Those actions that allow a connection begin with <quote>Allow</quote>.</para>
+    <para>Those actions that allow a connection begin with
    <quote>Allow</quote>.</para>
    <para>If you wish to enable connections from the internet to your firewall
    and you find an appropriate <quote>Allow</quote> action in
@ -327,7 +345,7 @@ all            all                REJECT   info</programlisting>
    rule in <filename>/etc/shorewall/rules</filename> is:</para>
    <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
-&#60;<emphasis>action</emphasis>&#62;  net       fw</programlisting>
+&lt;<emphasis>action</emphasis>&gt;  net       fw</programlisting>
    <example>
      <title>You want to run a Web Server and a POP3 Server on your firewall
@ -341,10 +359,11 @@ AllowPOP3 net       fw</programlisting>
    <para>You may also choose to code your rules directly without using the
    pre-defined actions. This will be necessary in the event that there is not
    a pre-defined action that meets your requirements. In that case the
-    general format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
+    general format of a rule in <filename>/etc/shorewall/rules</filename>
    is:</para>
    <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
-ACCEPT    net       fw              <emphasis>&#60;protocol&#62;</emphasis>  <emphasis>&#60;port&#62;</emphasis></programlisting>
+ACCEPT    net       fw              <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
    <example>
      <title>You want to run a Web Server and a POP3 Server on your firewall
@ -355,12 +374,12 @@ ACCEPT    net       fw              tcp          80
 ACCEPT    net       fw              tcp          110</programlisting></para>
    </example>
-    <para>If you don&#39;t know what port and protocol a particular
+    <para>If you don't know what port and protocol a particular application
-    application uses, see <ulink url="ports.htm">here</ulink>.</para>
+    uses, see <ulink url="ports.htm">here</ulink>.</para>
    <important>
-      <para>I don&#39;t recommend enabling telnet to/from the internet because
+      <para>I don't recommend enabling telnet to/from the internet because it
-      it uses clear text (even for login!). If you want shell access to your
+      uses clear text (even for login!). If you want shell access to your
      firewall from the internet, use SSH:</para>
      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
@ -380,34 +399,46 @@ AllowSSH  net       fw            </programlisting>
    <para>The <ulink url="Install.htm">installation procedure</ulink>
    configures your system to start Shorewall at system boot but beginning
-    with Shorewall version 1.3.9 startup is disabled so that your system
+    with Shorewall version 1.3.9 startup is disabled so that your system won't
-    won&#39;t try to start Shorewall before configuration is complete. Once
+    try to start Shorewall before configuration is complete. Once you have
-    you have completed configuration of your firewall, you can enable
+    completed configuration of your firewall, you can enable Shorewall startup
-    Shorewall startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.</para>
+    by removing the file
    <filename>/etc/shorewall/startup_disabled</filename>.</para>
    <important>
      <para><emphasis role="bold">Users of the .deb package must edit
-      <filename>/etc/default/shorewall</filename> and set <quote>startup=1</quote>.</emphasis></para>
+      <filename>/etc/default/shorewall</filename> and set
      <quote>startup=1</quote>.</emphasis></para>
    </important>
-    <para>The firewall is started using the <quote><command>shorewall start</command></quote>
+    <important>
-    command and stopped using <quote><command>shorewall stop</command></quote>.
+      <para><emphasis role="bold">If you are running Shorewall 2.1.3 or later,
-    When the firewall is stopped, routing is enabled on those hosts that have
+      you must enable startup by editing /etc/shorewall/shorewall.conf and
-    an entry in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
+      setting STARTUP_ENABLED=Yes.</emphasis></para>
    </important>
    <para>The firewall is started using the <quote><command>shorewall
    start</command></quote> command and stopped using
    <quote><command>shorewall stop</command></quote>. When the firewall is
    stopped, routing is enabled on those hosts that have an entry in
    <filename><ulink
    url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
    A running firewall may be restarted using the <quote><command>shorewall
    restart</command></quote> command. If you want to totally remove any trace
-    of Shorewall from your Netfilter configuration, use <quote><command>shorewall
+    of Shorewall from your Netfilter configuration, use
-    clear</command></quote>.</para>
+    <quote><command>shorewall clear</command></quote>.</para>
    <warning>
      <para>If you are connected to your firewall from the internet, do not
      issue a <quote><command>shorewall stop</command></quote> command unless
      you have added an entry for the IP address that you are connected from
-      to <ulink url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
+      to <ulink
-      Also, I don&#39;t recommend using <quote><command>shorewall restart</command></quote>;
+      url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
-      it is better to create an <emphasis><ulink
+      Also, I don't recommend using <quote><command>shorewall
-      url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis>
+      restart</command></quote>; it is better to create an <emphasis><ulink
-      and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
+      url="configuration_file_basics.htm#Configs">alternate
      configuration</ulink></emphasis> and test it using the <ulink
      url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
      try</command></quote> command</ulink>.</para>
    </warning>
  </section>
@ -424,11 +455,57 @@ AllowSSH  net       fw            </programlisting>
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-16</date><authorinitials>TE</authorinitials><revremark>Move
+    <para><revhistory>
-    /etc/shorewall/rfc1918 to /usr/share/shorewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Update
+        <revision>
-    for Shorewall 2.0</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
+          <revnumber>1.7</revnumber>
-    Changes</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
+
-    tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
+          <date>2004-02-16</date>
-    Docbook Conversion</revremark></revision></revhistory></para>
+
          <authorinitials>TE</authorinitials>
          <revremark>Move /etc/shorewall/rfc1918 to
          /usr/share/shorewall.</revremark>
        </revision>
        <revision>
          <revnumber>1.6</revnumber>
          <date>2004-02-05</date>
          <authorinitials>TE</authorinitials>
          <revremark>Update for Shorewall 2.0</revremark>
        </revision>
        <revision>
          <revnumber>1.5</revnumber>
          <date>2004-01-05</date>
          <authorinitials>TE</authorinitials>
          <revremark>Standards Changes</revremark>
        </revision>
        <revision>
          <revnumber>1.4</revnumber>
          <date>2003-12-30</date>
          <authorinitials>TE</authorinitials>
          <revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
        </revision>
        <revision>
          <revnumber>1.3</revnumber>
          <date>2003-11-15</date>
          <authorinitials>TE</authorinitials>
          <revremark>Initial Docbook Conversion</revremark>
        </revision>
      </revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-08-10</pubdate>
+    <pubdate>2004-09-12</pubdate>
    <copyright>
      <year>2004</year>
@ -176,7 +176,10 @@
            file <filename>/etc/shorewall/startup_disabled</filename>. Note:
            Users of the .deb package must edit
            <filename>/etc/default/shorewall</filename> and set
-            <quote>startup=1</quote>.</para>
+            <quote>startup=1</quote> while users who are running Shorewall
            2.1.3 or later must edit
            <filename>/etc/shorewall/shorewall.conf</filename> and set
            STARTUP_ENABLED=Yes.</para>
          </listitem>
          <listitem>
--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-07</pubdate>
+    <pubdate>2004-09-21</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -269,7 +269,8 @@
  <section>
    <title>Where to Send your Problem Report or to Ask for Help</title>
-    <para><emphasis role="bold">If you run the current development
+    <para><emphasis role="bold">If you run the current development release and
    your question involves a feature that is only available in the development
    release</emphasis> (see the <ulink url="ReleaseModel.html">Shorewall
    Release Model page</ulink>) -- please post your question or problem to the
    <ulink url="mailto:shorewall-devel@lists.shorewall.net">Shorewall
@ -303,72 +304,4 @@
    url="http://lists.shorewall.net">http://lists.shorewall.net</ulink>
    .</para>
  </section>
-
+</article>
  <appendix>
    <title>Revision History</title>
    <para><revhistory>
        <revision>
          <revnumber>1.6</revnumber>
          <date>2003-07-03</date>
          <authorinitials>TE</authorinitials>
          <revremark>New Release Model</revremark>
        </revision>
        <revision>
          <revnumber>1.5</revnumber>
          <date>2003-05-16</date>
          <authorinitials>TE</authorinitials>
          <revremark>Add link to the troubleshooting section</revremark>
        </revision>
        <revision>
          <revnumber>1.4</revnumber>
          <date>2003-03-15</date>
          <authorinitials>TE</authorinitials>
          <revremark>Remove Newbies Mailing List.</revremark>
        </revision>
        <revision>
          <revnumber>1.3</revnumber>
          <date>2003-02-19</date>
          <authorinitials>TE</authorinitials>
          <revremark>Admonish against including "iptables -L"
          output.</revremark>
        </revision>
        <revision>
          <revnumber>1.2</revnumber>
          <date>2003-01-01</date>
          <authorinitials>TE</authorinitials>
          <revremark>Removed .GIF and moved note about unsupported releases.
          Move Revision History to this Appendix.</revremark>
        </revision>
        <revision>
          <revnumber>1.1</revnumber>
          <date>2003-12-19</date>
          <authorinitials>TE</authorinitials>
          <revremark>Corrected URL for Newbies List</revremark>
        </revision>
      </revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs2/template.xml
+++ b/Shorewall-docs2/template.xml
@ -5,7 +5,7 @@
  <!--$Id$-->
  <articleinfo>
-    <title>Operating Shorewall</title>
+    <title></title>
    <authorgroup>
      <author>
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-06</pubdate>
+    <pubdate>2004-09-12</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -931,6 +931,10 @@ ACCEPT    net       fw                  tcp        80       </programlisting><it
        <para>Users of the <filename>.deb</filename> package must edit
        <filename>/etc/default/shorewall</filename> and set
        <varname>startup=1</varname>.</para>
      </important><important>
        <para>Users running Shorewall 2.1.3 or later should edit
        <filename>/etc/shorewall/shorewall.conf</filename> and set
        STARTUP_ENABLED=Yes.</para>
      </important>The firewall is started using the <command>shorewall
    start</command> command and stopped using <command>shorewall
    stop</command>. When the firewall is stopped, routing is enabled on those
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@ -859,6 +859,9 @@ ACCEPT     loc       fw      tcp       80          #Allow Weblet to work</progra
        <para>Users of the .deb package must edit <filename
        class="directory">/etc/default/</filename><filename>shorewall</filename>
        and set <varname>startup=1</varname>.</para>
      </important><important>
        <para>Users running Shorewall 2.1.3 or later must edit
        /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes.</para>
      </important> The firewall is started using the <quote><command>shorewall
    start</command></quote> command and stopped using
    <quote><command>shorewall stop</command></quote>. When the firewall is