From 84ed075e10cf1d25631a85ff6676b7cd7855ca1a Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Wed, 19 Feb 2003 23:21:55 +0000
Subject: [PATCH] More Shorewall 1.4.0 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@455 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs/Documentation.htm              | 6093 ++++++++---------
 Shorewall-docs/FAQ.htm                        | 2127 +++---
 Shorewall-docs/MAC_Validation.html            |  153 +-
 Shorewall-docs/News.htm                       | 3131 +++++----
 Shorewall-docs/Shorewall_Squid_Usage.html     |  788 +--
 Shorewall-docs/configuration_file_basics.htm  |  625 +-
 Shorewall-docs/errata.htm                     |  761 +-
 Shorewall-docs/mailing_list.htm               |  400 +-
 Shorewall-docs/myfiles.htm                    |  190 -
 Shorewall-docs/ping.html                      |  275 +-
 Shorewall-docs/seattlefirewall_index.htm      |  388 +-
 Shorewall-docs/shoreline.htm                  |  165 +-
 .../shorewall_extension_scripts.htm           |  139 +-
 Shorewall-docs/shorewall_quickstart_guide.htm |  414 +-
 Shorewall-docs/shorewall_setup_guide.htm      | 4114 +++++------
 Shorewall-docs/sourceforge_index.htm          |  482 +-
 Shorewall-docs/spam_filters.htm               |   79 +-
 .../starting_and_stopping_shorewall.htm       |  455 +-
 Shorewall-docs/support.htm                    |  569 +-
 Shorewall-docs/traffic_shaping.htm            |  587 +-
 Shorewall-docs/troubleshoot.htm               |  371 +-
 Shorewall-docs/two-interface.htm              | 1691 ++---
 Shorewall-docs/upgrade_issues.htm             |  447 +-
 .../whitelisting_under_shorewall.htm          |  547 +-
 24 files changed, 12304 insertions(+), 12687 deletions(-)
 delete mode 100644 Shorewall-docs/myfiles.htm

diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm
index 6561d1473..c7d295e72 100644
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
@@ -2,1766 +2,1736 @@
 <html>
 <head>
                                                                         
-                                   
+                                               
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
                                                                         
-                          
+                                      
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                         
-                          
+                                      
   <meta name="ProgId" content="FrontPage.Editor.Document">
-  <title>Shorewall 1.3 Documentation</title>
+  <title>Shorewall 1.4 Documentation</title>
                                                                         
-                                                              <base
- target="_self">                                                        
-                
+                                                                        
+ <base target="_self">                                                  
+                               
   <meta name="Microsoft Theme" content="none, default">
                                                                         
-                       
+                                   
   <meta name="Microsoft Border" content="none, default">
+       
+  <meta name="author" content="Tom Eastep">
 </head>
   <body>
-                                                  
+                                                        
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber4"
  bgcolor="#400169" height="90">
-                            <tbody>
-                            <tr>
-                              <td width="100%">                         
+                               <tbody>
+                               <tr>
+                                 <td width="100%">                      
                                                                         
                                                                         
-  
-      <h1 align="center"><font color="#ffffff">Shorewall 1.3 Reference</font></h1>
-                              </td>
-                            </tr>
-                                                                        
-                         
-  </tbody>                        
-</table>
-                                                                       
-<h2 align="center">This documentation is intended primarily for reference.
-                   Step-by-step instructions for configuring Shorewall in
-common       setups     may        be found in the <a
- href="shorewall_quickstart_guide.htm">QuickStart     Guides</a>.</h2>
-                                                                        
-                
-<h2>Components</h2>
-                                                                        
-   
-<p>Shorewall consists of the following components:     </p>
-                                                                
-<ul>
-                            <li><b><a href="#Variables">params</a></b> -- 
-a  parameter      file   installed    in     /etc/shorewall that can be used 
- to establish    the  values   of shell  variables      for use in other files.</li>
-                            <li><b>    <a href="#Conf">shorewall.conf</a></b> 
-  --  a  parameter      file   installed in /etc/shorewall           that 
-is  used  to set several     firewall   parameters.</li>
-                            <li><b>    <a href="#Zones">zones</a></b> - a 
-parameter      file   installed     in /etc/shorewall that defines       
-   a network    partitioning    into "zones"</li>
-                            <li><b>    <a href="#Policy">policy</a></b> --
- a  parameter      file   installed   in /etc/shorewall/ that           establishes
-   overall      firewall   policy.</li>
-                            <li><b>    <a href="#Rules">rules</a> </b> -- 
-a  parameter      file   installed    in /etc/shorewall and used         
- to  express firewall      rules   that are  exceptions  to the high-level 
-          policies established      in   /etc/shorewall/policy.</li>
-                            <li><b><a href="#Blacklist">blacklist</a> --
-    </b>a    parameter      file   installed  in /etc/shorewall and used
-    to list  blacklisted  IP/subnet/MAC       addresses.</li>
-                            <li><b>   functions</b> -- a set of shell functions 
-   used   by  both   the   firewall and     shorewall shell programs. Installed 
-   in  /etc/shorewall     prior   to version 1.3.2, in /var/lib/shorewall 
-in   version  s 1.3.2-1.3.8    and in /usr/lib/shorewall in later versions.</li>
-                            <li><b>    <a href="#modules">modules</a></b> 
---  a  parameter      file   installed  in /etc/shorewall and that       
- specifies   kernel  modules    and   their parameters.  Shorewall will 
-       automatically    load the  modules    specified in this file.</li>
-                            <li><a href="#TOS"><b>   tos</b> </a>-- a parameter 
-   file   installed      in  /etc/shorewall that is used to         specify 
-  how the   Type of Service      (TOS)  field in packets is to be set.</li>
-                            <li><a href="#Scripts"><b>   icmp.def</b> </a>--
-  a  parameter      file   installed  in /etc/shorewall and that        
-specifies    the default      handling   of ICMP  packets when the applicable
-policy  is      DROP or  REJECT.</li>
-                            <li><b><a href="#Scripts">common.def</a></b>
---  a  parameter      file   installed   in     in /etc/shorewall that defines 
- firewall-wide    rules   that   are applied   before a     DROP or REJECT 
- policy is applied.</li>
-                            <li><b>    <a href="#Interfaces">interfaces</a> 
-     </b>   --  a  parameter      file installed in /etc/shorewall/      
-    and  used   to  describe  the  interfaces    on the firewall system.</li>
-                            <li><a href="#Hosts"><b>   hosts</b> </a>-- a 
-parameter      file   installed     in /etc/shorewall/ and           used 
- to describe    individual    hosts or  subnetworks   in zones.</li>
-                     <li><b><a href="#Maclist">maclist</a> </b>-- a parameter 
-  file   installed     in /etc/shorewall and used to verify the MAC address 
-  (and possibly  also   the  IP address(es)) of devices.<br>
-                     </li>
-                            <li><b>    <a href="#Masq">masq</a></b> - This
- file             also   describes  IP masquerading under Shorewall  and
-is  installed      in            /etc/shorewall.</li>
-                            <li><b><a
- href="shorewall_firewall_structure.htm">firewall</a></b>         -- a shell
-  program that  reads the configuration files in           /etc/shorewall
-     and configures your             firewall. This file is  installed in
-your     init.d             directory (/etc/rc.d/init.d  ) where it is renamed
-       <i>shorewall.</i>         /etc/shorewall/firewall   (/var/lib/shorewall/firewall
-    in versions 1.3.2-1.3.8    and /usr/lib/shorewall/firewall   in 1.3.9
-and      later) is a symbolic link    to this program.</li>
-                            <li><b>    <a href="#NAT">nat</a></b> -- a parameter
-    file   in  /etc/shorewall     used to define <a href="#NAT">  static
-           NAT</a>    .</li>
-                            <li><b>    <a href="#ProxyArp">proxyarp</a></b> 
- --  a  parameter      file   in /etc/shorewall used to define <a
- href="#ProxyArp">   Proxy           Arp</a>     .</li>
-                            <li><b><a href="#rfc1918">rfc1918</a></b> --
-a  parameter      file   in      /etc/shorewall used to define the treatment
- of packets  under    the         <a href="#Interfaces">norfc1918 interface
- option</a>.</li>
-                            <li><b><a href="#Routestopped">routestopped</a></b> 
-   --  a  parameter      file  in     /etc/shorewall used to define those 
-hosts   that  can access   the   firewall  when     Shorewall is stopped.</li>
-                            <li><a href="traffic_shaping.htm#tcrules"><b>tcrules</b>
-          </a>--    a  parameter  file in /etc/shorewall used to define rules
-    for      classifying     packets for      <a
- href="traffic_shaping.htm">Traffic         Shaping/Control</a>.</li>
-                            <li><b>    <a href="#Tunnels">tunnels</a></b> 
---  a  parameter      file   in  /etc/shorewall used to define           IPSec
-  tunnels.</li>
-                            <li><b>    <a href="#Starting">shorewall</a>
-    </b>   --  a  shell    program     (requiring a Bourne shell  or    
-        derivative)      used to   control and    monitor             the
-firewall. This should   be   placed in   /sbin or in             /usr/sbin
-(the install.sh script   and  the rpm install   this file              in
-/sbin).</li>
-                            <li><b>    version</b> -- a file created in /etc/shorewall/ 
-                        (/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall 
-          beginning in version 1.3.9) that describes   the version of  Shorewall 
-                   installed on your system.</li>
-                                                  
-</ul>
-                                                                        
- 
-<h2><a name="Variables"></a>       /etc/shorewall/params</h2>
-                                                                        
-  
-<p>You may use the file /etc/shorewall/params     file to set shell variables
-            that you can then use in some of the other    configuration files.</p>
-                                                                        
-  
-<p>It is suggested that variable names begin with an upper case letter<font
- size="1">      </font>to distinguish them from variables used internally
-            within the  Shorewall    programs</p>
-                                                                        
-  
-<p>Example:</p>
-                                                                        
-  
-<pre><font face="Courier"> 	NET_IF=eth0<br>	NET_BCAST=130.252.100.255<br>	NET_OPTIONS=blacklist,norfc1918</font></pre>
-                                                  
-<p>Example (/etc/shorewall/interfaces record):</p>
-                                                  
-<pre>	<font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
-                                                  
-<p>The result will be the same as if the record had been written</p>
-                                                  
-<pre>	<font face="Courier">net eth0 130.252.100.255 blacklist,norfc1918</font></pre>
-                                                  
-<p>Variables may be used anywhere in the              other configuration
-            files.</p>
-                                                                        
                           
-<h2><b><a name="Zones"></a>                   </b>/etc/shorewall/zones</h2>
+      <h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
+                                 </td>
+                               </tr>
                                                                         
-                                      
-<p>This file  is used  to define the   network zones.  There is one entry
-            in /etc/shorewall/zones  for each zone;   Columns in an entry
-are:</p>
-                                                                        
-   
-<ul>
-                            <li><b>   ZONE</b> - short name for the zone. 
-The   name   should    be  5  characters  or less in     length and consist 
-of  lower-case   letters    or  numbers.  Short  names must begin     with 
-a letter and the   name assigned      to the firewall  is reserved for   
-   use by Shorewall   itself. Note that     the output produced    by iptables 
-is much       easier   to read if you  select   short names that  are  three 
-characters or less        in length.  The name   "all" may not be used as 
-    a zone name nor  may the zone name  assigned to  the firewall itself 
- via the FW     variable   in     <a href="#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-                            <li><b>   DISPLAY</b> - The name of the zone
-as  displayed      during    Shorewall   startup.</li>
-                            <li><b>   COMMENTS</b> - Any comments that you
- want   to  make   about    the  zone.       Shorewall  ignores these comments.</li>
-                                                  
-</ul>
-                                                                        
-                                      
-<p>The /etc/shorewall/zones file released with Shorewall  is as follows:</p>
-                                                                        
-    
-<table border="1" style="border-collapse: collapse;" cellpadding="2">
-                                <tbody>
-                                                 <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   DISPLAY</b></td>
-                                  <td><b>   COMMENTS</b></td>
-                                </tr>
-                                             <tr>
-                                  <td>net</td>
-                                  <td>Net</td>
-                                  <td>Internet</td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>Local</td>
-                                  <td>Local  networks</td>
-                                </tr>
-                                <tr>
-                                  <td>dmz</td>
-                                  <td>DMZ</td>
-                                  <td>Demilitarized  zone</td>
-                                </tr>
-                                                                        
-                                                                        
-                  
-  </tbody>                                                               
-                 
+                                     
+  </tbody>                           
 </table>
                                                                         
-             
-<p>You may  add, delete and modify entries in the /etc/shorewall/zones file
-              as desired  so long as you have at least one zone defined.</p>
+    
+<h2 align="center">This documentation is intended primarily for reference. 
+                    Step-by-step instructions for configuring Shorewall in 
+ common       setups     may        be found in the <a
+ href="shorewall_quickstart_guide.htm">QuickStart     Guides</a>.</h2>
                                                                         
-              
-<p><b><font size="5" color="#ff0000">  Warning 1: </font><font
- color="#ff0000"> If you rename or delete a   zone,  you should perform "shorewall
-            stop; shorewall start" to   install the change  rather than "shorewall
-         restart".</font></b></p>
+                      
+<h2>Components</h2>
+                                                                        
+         
+<p>Shorewall consists of the following components:     </p>
                                                                       
-<p><b><font size="5" color="#ff0000">Warning 2: </font><font
- color="#ff0000">The  order of entries in the /etc/shorewall/zones file is
-            significant <a href="#Nested">in  some cases</a>.</font></b></p>
-                                                                        
-              
-<h2><font color="#660066"><a name="Interfaces"></a>                   </font>/etc/shorewall/interfaces</h2>
-                                                                        
-              
-<p>This file  is used to tell the firewall which of your firewall's network
-              interfaces  are connected to which zone. There will be one
-entry      in     /etc/shorewall/interfaces   for each of your interfaces.
-Columns    in  an  entry    are:</p>
-                                                  
 <ul>
-                            <li><b>   ZONE</b> - A zone defined in the <a
- href="#Zones">/etc/shorewall/zones</a>               file or  "-". If you
-       specify "-", you must use the <a href="#Hosts">   /etc/shorewall/hosts</a>
-                file to define the zones      accessed via this interface.</li>
-                            <li><b>   INTERFACE</b> - the name of the interface 
-   (examples:      eth0,    ppp0, ipsec+). Each interface can be listed on 
- only  one record     in this file. <font color="#ff0000"><b>D</b><b>O NOT 
- INCLUDE  THE  LOOPBACK     INTERFACE (lo) IN THIS FILE!!!</b></font></li>
-                            <li><b>   BROADCAST</b> - the broadcast address(es) 
-   for   the   sub-network(s)     attached to the       interface. This should 
-   be  left empty  for P-T-P interfaces     (ppp*, ippp*); if     you need 
- to  specify   options  for such an interface,    enter "-" in this column. 
-     If you supply  the  special value "detect" in   this column, the firewall 
-   will     automatically    determine the broadcast   address. In order to
-  use "detect":                                                         
-                                                              
-    <ul>
-                            <li>you must have iproute installed</li>
-                            <li>the interface must be up before you start 
-your   firewall</li>
-                            <li>the interface must only be attached to  
-  a  single    sub-network       (i.e., there must have a single broadcast
- address).        </li>
+                               <li><b><a href="#Variables">params</a></b> 
+--  a  parameter      file   installed    in     /etc/shorewall that can be
+used   to establish    the  values   of shell  variables      for use in
+other files.</li>
+                               <li><b>    <a href="#Conf">shorewall.conf</a></b>
+    --  a  parameter      file   installed in /etc/shorewall           that
+  is  used  to set several     firewall   parameters.</li>
+                               <li><b>    <a href="#Zones">zones</a></b>
+-  a  parameter      file   installed     in /etc/shorewall that defines
+          a network    partitioning    into "zones"</li>
+                               <li><b>    <a href="#Policy">policy</a></b>
+ --  a  parameter      file   installed   in /etc/shorewall/ that       
+   establishes    overall      firewall   policy.</li>
+                               <li><b>    <a href="#Rules">rules</a> </b> 
+--  a  parameter      file   installed    in /etc/shorewall and used     
+     to  express firewall      rules   that are  exceptions  to the high-level
+            policies established      in   /etc/shorewall/policy.</li>
+                               <li><b><a href="#Blacklist">blacklist</a>
+--      </b>a    parameter      file   installed  in /etc/shorewall and used 
+    to list  blacklisted  IP/subnet/MAC       addresses.</li>
+                               <li><b>   functions</b> -- a set of shell
+functions      used   by  both   the   firewall and     shorewall shell programs.
+Installed      in  /etc/shorewall     prior   to version 1.3.2, in /var/lib/shorewall
+  in   version  s 1.3.2-1.3.8    and in /usr/lib/shorewall in later versions.</li>
+                               <li><b>    <a href="#modules">modules</a></b>
+  --  a  parameter      file   installed  in /etc/shorewall and that    
+    specifies   kernel  modules    and   their parameters.  Shorewall will
+        automatically    load the  modules    specified in this file.</li>
+                                                              <li><a
+ href="#TOS"><b>   tos</b> </a>-- a parameter      file   installed     
+in  /etc/shorewall that is used to         specify     how the   Type of
+Service      (TOS)  field in packets is to be set.<br>
+  </li>
+                               <li><b><a href="#Scripts">common.def</a></b> 
+ --  a  parameter      file   installed   in     in /etc/shorewall that defines
+   firewall-wide    rules   that   are applied   before a     DROP or REJECT
+   policy is applied.</li>
+                               <li><b>    <a href="#Interfaces">interfaces</a>
+       </b>   --  a  parameter      file installed in /etc/shorewall/   
+       and  used   to  describe  the  interfaces    on the firewall system.</li>
+                               <li><a href="#Hosts"><b>   hosts</b> </a>--
+ a  parameter      file   installed     in /etc/shorewall/ and          
+used    to describe    individual    hosts or  subnetworks   in zones.</li>
+                        <li><b><a href="#Maclist">maclist</a> </b>-- a parameter
+    file   installed     in /etc/shorewall and used to verify the MAC address
+    (and possibly  also   the  IP address(es)) of devices.<br>
+                        </li>
+                               <li><b>    <a href="#Masq">masq</a></b> -
+This   file             also   describes  IP masquerading under Shorewall
+ and is  installed      in            /etc/shorewall.</li>
+                               <li><b><a
+ href="shorewall_firewall_structure.htm">firewall</a></b>         -- a shell 
+   program that  reads the configuration files in           /etc/shorewall 
+      and configures your             firewall. This file is  installed in 
+ your     init.d             directory (/etc/rc.d/init.d  ) where it is renamed 
+        <i>shorewall.</i>         /etc/shorewall/firewall   (/var/lib/shorewall/firewall 
+     in versions 1.3.2-1.3.8    and /usr/lib/shorewall/firewall   in 1.3.9 
+ and      later) is a symbolic link    to this program.</li>
+                               <li><b>    <a href="#NAT">nat</a></b> -- a 
+parameter      file   in  /etc/shorewall     used to define <a
+ href="#NAT">  static            NAT</a>    .</li>
+                               <li><b>    <a href="#ProxyArp">proxyarp</a></b>
+   --  a  parameter      file   in /etc/shorewall used to define <a
+ href="#ProxyArp">   Proxy           Arp</a>     .</li>
+                               <li><b><a href="#rfc1918">rfc1918</a></b>
+--  a  parameter      file   in      /etc/shorewall used to define the treatment 
+  of packets  under    the         <a href="#Interfaces">norfc1918 interface 
+  option</a>.</li>
+                               <li><b><a href="#Routestopped">routestopped</a></b>
+     --  a  parameter      file  in     /etc/shorewall used to define those
+  hosts   that  can access   the   firewall  when     Shorewall is stopped.</li>
+                               <li><a href="traffic_shaping.htm#tcrules"><b>tcrules</b> 
+           </a>--    a  parameter  file in /etc/shorewall used to define rules
+     for      classifying     packets for      <a
+ href="traffic_shaping.htm">Traffic         Shaping/Control</a>.</li>
+                               <li><b>    <a href="#Tunnels">tunnels</a></b>
+  --  a  parameter      file   in  /etc/shorewall used to define        
+  IPSec   tunnels.</li>
+                               <li><b>    <a href="#Starting">shorewall</a> 
+     </b>   --  a  shell    program     (requiring a Bourne shell  or    
+        derivative)      used to   control and    monitor             the 
+firewall. This should   be   placed in   /sbin or in             /usr/sbin 
+(the install.sh script   and  the rpm install   this file              in 
+/sbin).</li>
+                               <li><b>    version</b> -- a file created in
+ /etc/shorewall/                          (/var/lib/shorewall in version
+1.3.2-1.3.8  and /usr/lib/shorewall            beginning in version 1.3.9)
+that describes    the version of  Shorewall                     installed
+on your system.</li>
+                                                        
+</ul>
+                                                                        
+       
+<h2><a name="Variables"></a>       /etc/shorewall/params</h2>
+                                                                        
+        
+<p>You may use the file /etc/shorewall/params     file to set shell variables 
+             that you can then use in some of the other    configuration files.</p>
+                                                                        
+        
+<p>It is suggested that variable names begin with an upper case letter<font
+ size="1">      </font>to distinguish them from variables used internally 
+             within the  Shorewall    programs</p>
+                                                                        
+        
+<p>Example:</p>
+                                                                        
+        
+<pre><font face="Courier"> 	NET_IF=eth0<br>	NET_BCAST=130.252.100.255<br>	NET_OPTIONS=blacklist,norfc1918</font></pre>
+                                                        
+<p>Example (/etc/shorewall/interfaces record):</p>
+                                                        
+<pre>	<font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
+                                                        
+<p>The result will be the same as if the record had been written</p>
+                                                        
+<pre>	<font face="Courier">net eth0 130.252.100.255 blacklist,norfc1918</font></pre>
+                                                        
+<p>Variables may be used anywhere in the              other configuration 
+             files.</p>
+                                                                        
+                                
+<h2><b><a name="Zones"></a>                   </b>/etc/shorewall/zones</h2>
+                                                                        
+                                            
+<p>This file  is used  to define the   network zones.  There is one entry 
+             in /etc/shorewall/zones  for each zone;   Columns in an entry 
+ are:</p>
+                                                                        
+         
+<ul>
+                               <li><b>   ZONE</b> - short name for the zone.
+  The   name   should    be  5  characters  or less in     length and consist
+  of  lower-case   letters    or  numbers.  Short  names must begin     with
+  a letter and the   name assigned      to the firewall  is reserved for
+      use by Shorewall   itself. Note that     the output produced    by
+iptables   is much       easier   to read if you  select   short names that
+ are  three   characters or less        in length.  The name   "all" may
+not be used as       a zone name nor  may the zone name  assigned to  the
+firewall itself    via the FW     variable   in     <a href="#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+                               <li><b>   DISPLAY</b> - The name of the zone 
+ as  displayed      during    Shorewall   startup.</li>
+                               <li><b>   COMMENTS</b> - Any comments that 
+you   want   to  make   about    the  zone.       Shorewall  ignores these 
+comments.</li>
+                                                        
+</ul>
+                                                                        
+                                            
+<p>The /etc/shorewall/zones file released with Shorewall  is as follows:</p>
+                                                                        
+          
+<table border="1" style="border-collapse: collapse;" cellpadding="2">
+                                   <tbody>
+                                                    <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   DISPLAY</b></td>
+                                     <td><b>   COMMENTS</b></td>
+                                   </tr>
+                                                <tr>
+                                     <td>net</td>
+                                     <td>Net</td>
+                                     <td>Internet</td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>Local</td>
+                                     <td>Local  networks</td>
+                                   </tr>
+                                   <tr>
+                                     <td>dmz</td>
+                                     <td>DMZ</td>
+                                     <td>Demilitarized  zone</td>
+                                   </tr>
                                                                         
                                                                         
-    </ul>
+                              
+  </tbody>                                                              
+                     
+</table>
                                                                         
-          </li>
-                            <li><b>   OPTIONS</b> - a comma-separated list
- of  options.     Possible     options       include:                   
+                   
+<p>You may  add, delete and modify entries in the /etc/shorewall/zones file 
+               as desired  so long as you have at least one zone defined.</p>
                                                                         
+                    
+<p><b><font size="5" color="#ff0000">  Warning 1: </font><font
+ color="#ff0000"> If you rename or delete a   zone,  you should perform "shorewall 
+             stop; shorewall start" to   install the change  rather than "shorewall
+          restart".</font></b></p>
                                                                         
    
-    <p>   <b>tcpflags </b>(added in version 1.3.11) - This option causes Shorewall
-to make sanity checks on the header flags in TCP packets arriving on this
-interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these
-flag combinations are typically used for "silent" port scans. Packets  failing
-these checks are logged according to the TCP_FLAGS_LOG_LEVEL option  in<a
- href="#Conf"> /etc/shorewall/shorewall.conf</a> and are disposed of according
- to the TCP_FLAGS_DISPOSITION option.<br>
-                     <b><br>
-                 blacklist</b> - This option causes incoming packets on this
-                      interface to be checked against the <a
+<p><b><font size="5" color="#ff0000">Warning 2: </font><font
+ color="#ff0000">The  order of entries in the /etc/shorewall/zones file is 
+             significant <a href="#Nested">in  some cases</a>.</font></b></p>
+                                                                        
+                    
+<h2><font color="#660066"><a name="Interfaces"></a>                   </font>/etc/shorewall/interfaces</h2>
+                                                                        
+                    
+<p>This file  is used to tell the firewall which of your firewall's network 
+               interfaces  are connected to which zone. There will be one 
+entry      in     /etc/shorewall/interfaces   for each of your interfaces. 
+Columns    in  an  entry    are:</p>
+                                                        
+<ul>
+                               <li><b>   ZONE</b> - A zone defined in the 
+    <a href="#Zones">/etc/shorewall/zones</a>               file or  "-". 
+If you         specify "-", you must use the <a href="#Hosts">   /etc/shorewall/hosts</a> 
+                 file to define the zones      accessed via this interface.</li>
+                               <li><b>   INTERFACE</b> - the name of the
+interface      (examples:      eth0,    ppp0, ipsec+). Each interface can
+be listed on   only  one record     in this file. <font color="#ff0000"><b>D</b><b>O
+NOT   INCLUDE  THE  LOOPBACK     INTERFACE (lo) IN THIS FILE!!!</b></font></li>
+                               <li><b>   BROADCAST</b> - the broadcast address(es)
+     for   the   sub-network(s)     attached to the       interface. This
+should     be  left empty  for P-T-P interfaces     (ppp*, ippp*); if   
+ you need   to  specify   options  for such an interface,    enter "-" in
+this column.       If you supply  the  special value "detect" in   this column,
+the firewall     will     automatically    determine the broadcast   address.
+In order to   use "detect":                                             
+                                                                        
+                
+    <ul>
+                               <li>you must have iproute installed</li>
+                               <li>the interface must be up before you start
+  your   firewall</li>
+                               <li>the interface must only be attached to 
+    a  single    sub-network       (i.e., there must have a single broadcast 
+  address).        </li>
+                                                                        
+                                                                        
+                 
+    </ul>
+                                                                        
+             </li>
+                               <li><b>   OPTIONS</b> - a comma-separated
+list   of  options.     Possible     options       include:             
+                                                                        
+                                                                        
+                        
+    <p>   <b>tcpflags </b>(added in version 1.3.11) - This option causes
+Shorewall to make sanity checks on the header flags in TCP packets arriving
+on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH;
+these flag combinations are typically used for "silent" port scans. Packets
+ failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option
+ in<a href="#Conf"> /etc/shorewall/shorewall.conf</a> and are disposed of
+according  to the TCP_FLAGS_DISPOSITION option.<br>
+                        <b><br>
+                    blacklist</b> - This option causes incoming packets on
+ this                       interface to be checked against the <a
  href="#Blacklist">blacklist</a>.<b><br>
-                           <br>
-                           dhcp</b> - The interface is assigned an IP address 
-  via   DHCP   or  is        used  by a DHCP server running on the firewall. 
-  The        firewall    will   be configured  to allow DHCP traffic to and 
-  from  the       interface    even   when the firewall  is stopped. You may
-  also  wish to use this option    if you   have a static IP but    you are
-  on a LAN segment that has a lot   of Laptops   that use DHCP and you  
- select  the     <b>norfc1918     </b>option  (see below).</p>
+                              <br>
+                              dhcp</b> - The interface is assigned an IP
+address     via   DHCP   or  is        used  by a DHCP server running on
+the firewall.     The        firewall    will   be configured  to allow DHCP
+traffic to and    from  the       interface    even   when the firewall 
+is stopped. You may   also  wish to use this option    if you   have a static
+IP but    you are   on a LAN segment that has a lot   of Laptops   that use
+DHCP and you    select  the     <b>norfc1918     </b>option  (see below).</p>
                                                                         
                                                                         
-                                                 
-    <p>   <b>   noping</b> - <b>This option is deprecated and is not available
-  when OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf.</b> ICMP echo-request
-  (ping) packets addressed to           the firewall will be ignored by this
-        interface. <br>
-        <br>
-                           <b>filterping </b>- <b>This option is deprecated 
- and is not available when OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf.</b>
-  ICMP echo-request (ping) packets  addressed      to  the   firewall   
-will   be handled according to the /etc/shorewall/rules        and     /etc/shorewall/policy
-  file. If the applicable policy is DROP   or   REJECT   and  you    have
-supplied  your own /etc/shorewall/icmpdef file   then  these   'ping'  requests
-   will be passed through the rules in that   file  before  being dropped
- or    rejected. If neither <b>noping     </b>nor           <b>filterping</b>
-    is specified  then the    firewall will automatically    ACCEPT these
-'ping'    requests. If both     <b>noping</b>    and <b>filterping      
- </b>are specified,        <b>filterping</b>  takes precedence.</p>
+                                                                   
+    <p>   <b>norfc1918</b> - Packets arriving on this interface and that 
+           have a source    address that is reserved in RFC 1918 or in other 
+     RFCs     will   be dropped after    being optionally logged. If <a
+ href="#Conf">packet    mangling   is  enabled in     /etc/shorewall/shorewall.conf</a> 
+         , then   packets arriving   on this interface     that have a destination 
+       address   that is reserved by  one of these RFCs will also be     logged
+      and dropped.<br>
+                              <br>
+                              Addresses blocked by the standard <a
+ href="#rfc1918">      <b>rfc1918          </b>file</a>      include those 
+    addresses reserved  by RFC1918 plus   other   ranges reserved   by the 
+    IANA or by other RFCs.</p>
                                                                         
                                                                         
-                                                 
-    <p>   <b>   routestopped</b> - Beginning with Shorewall 1.3.4, this option
-            is deprecated    in favor of the <a href="#Routestopped">/etc/shorewall/routestopped</a>
-            file. When the firewall is stopped, traffic to and from     
- this      interface      will be accepted and routing will occur between
-this       interface  and    other <i>routestopped </i>interfaces.</p>
+                                                                   
+    <p>   Beware that as IPv4 addresses become in increasingly short supply, 
+             ISPs are    beginning to use RFC 1918 addresses within their 
+own    infrastructure.         Also,    many cable and DSL "modems" have an
+RFC   1918 address that  can    be   used through    a web browser for management
+  and monitoring functions.      If   you want to specify   <b>norfc1918</b> 
+   on your external interface   but   need   to allow access to    certain 
+ addresses   from the above list,   see     <a href="FAQ.htm#faq14">FAQ 14.</a></p>
                                                                         
                                                                         
-                                                 
-    <p>   <b>   norfc1918</b> - Packets arriving on this interface and that
-            have a source    address that is reserved in RFC 1918 or in other
-    RFCs     will   be dropped after    being optionally logged. If <a
- href="#Conf">packet    mangling   is  enabled in     /etc/shorewall/shorewall.conf</a>
-        , then   packets arriving   on this interface     that have a destination
-      address   that is reserved by  one of these RFCs will also be     logged
-     and dropped.<br>
-                           <br>
-                           Addresses blocked by the standard <a
- href="#rfc1918">      <b>rfc1918          </b>file</a>      include those
-   addresses reserved  by RFC1918 plus   other   ranges reserved   by the
-   IANA or by other RFCs.</p>
-                                                                        
-                                                                        
-                                                 
-    <p>   Beware that as IPv4 addresses become in increasingly short supply,
-            ISPs are    beginning to use RFC 1918 addresses within their
-own    infrastructure.         Also,    many cable and DSL "modems" have
-an RFC   1918 address that  can    be   used through    a web browser for
-management   and monitoring functions.      If   you want to specify   <b>norfc1918</b>
-  on your external interface   but   need   to allow access to    certain
-addresses   from the above list,   see     <a href="FAQ.htm#faq14">FAQ 14.</a></p>
-                                                                        
-                                                                        
-                                                 
-    <p>   <b>   routefilter</b> -       Invoke the Kernel's route filtering
-            (anti-spoofing) facility on this  interface. The kernel     
- will     reject       any packets incoming on this interface  that have
-a source         address      that would be routed outbound through another
- interface     on the       firewall.         <font color="#ff0000">Warning:
-    </font>If    you specify this option       for an interface then the
+                                                                   
+    <p>   <b>   routefilter</b> -       Invoke the Kernel's route filtering 
+             (anti-spoofing) facility on this  interface. The kernel     
+ will     reject       any packets incoming on this interface  that have a
+source         address      that would be routed outbound through another 
+  interface     on the       firewall.         <font color="#ff0000">Warning: 
+     </font>If    you specify this option       for an interface then the 
 interface must be    up prior to starting the         firewall.</p>
                                                                         
                                                                         
-                                                 
-    <p>   <b>   multi</b> - The       interface has multiple addresses and
-            you want to be able  to route between       them. Example: you
- have     two    addresses  on your single  local interface eth1,       one
- each  in   subnets    192.168.1.0/24  and 192.168.2.0/24  and you want to
-       route   between  these  subnets. Because  you only have one interface
- in the       local zone,  Shorewall  won't normally  create a rule to forward
-  packets   from       eth1  to eth1.  Adding "multi" to the entry for eth1
-  will cause         Shorewall  to create  the loc2loc chain  and the appropriate
-  forwarding          rule.</p>
+                                                                   
+    <p>   <b>dropunclean</b> - Packets from this interface that         
+           are selected by the 'unclean' match target in iptables will  
+                  be <a href="#LogUnclean">optionally logged</a> and then
+dropped.                  <font color="#ff0000"><b>Warning: This feature
+                    requires   that UNCLEAN match support be configured in
+your                     kernel,   either in the kernel itself or as a module.
+UNCLEAN                          support  is broken in some versions of the
+kernel  but    appears                       to work ok in 2.4.17-rc1.<br>
+                                                <br>
+                                                Update 12/17/2001: </b></font>The 
+    unclean     match    patch   from                     2.4.17-rc1 is <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean.patch">available
+                                  for download</a>. I am currently running
+ this     patch      applied                      to kernel 2.4.16.</p>
                                                                         
                                                                         
-                   
-    <p><b>dropunclean</b> - Packets from this interface that            
-        are selected by the 'unclean' match target in iptables will     
-               be <a href="#LogUnclean">optionally logged</a> and then dropped.
-                <font color="#ff0000"><b>Warning: This feature          
-          requires   that UNCLEAN match support be configured in your   
-                 kernel,   either in the kernel itself or as a module. UNCLEAN
-                        support  is broken in some versions of the kernel
-but    appears                       to work ok in 2.4.17-rc1.<br>
-                                             <br>
-                                             Update 12/17/2001: </b></font>The
-   unclean     match    patch   from                     2.4.17-rc1 is <a
- href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean.patch">available 
-                                for download</a>. I am currently running this
-    patch      applied                      to kernel 2.4.16.</p>
+                                     
+    <p><font color="#ff0000"><b>Update                     12/20/2001: </b></font>I've
+                                  seen a number of tcp connection requests
+ with     OPT    (020405B4<u>0000080A</u>...)                        being
+ dropped    in the       <i>badpkt</i> chain. This appears   to be      
+              a bug in   the remote TCP stack whereby it is 8-byte   aligning
+                     a timestamp (TCP option 8) but rather than padding 
+with  0x01                        it is padding with 0x00. It's a tough call
+whether   to   deny                     people access to your servers because
+ of this   rather    minor                      bug in their networking software.
+ If  you wish    to disable   the                     check that causes these
+  connections     to be dropped,       <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean1.patch">here's
+                      a kernel patch</a> against 2.4.17-rc2.</p>
                                                                         
                                                                         
-                   
-    <p><font color="#ff0000"><b>Update                     12/20/2001: </b></font>I've 
-                                seen a number of tcp connection requests with
-    OPT    (020405B4<u>0000080A</u>...)                        being dropped
-   in the       <i>badpkt</i> chain. This appears   to be               
-     a bug in   the remote TCP stack whereby it is 8-byte   aligning    
-                a timestamp (TCP option 8) but rather than padding  with 0x01
-                       it is padding with 0x00. It's a tough call whether 
-to   deny                     people access to your servers because  of this 
- rather    minor                      bug in their networking software.  If
- you wish    to disable   the                     check that causes these 
-connections     to be dropped,       <a
- href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean1.patch">here's 
-                     a kernel patch</a> against 2.4.17-rc2.</p>
+                                     
+    <p><b>logunclean                     </b>- This option works like <b>dropunclean</b>
+                                  with the exception that packets selected
+ by   the    'unclean'                          match target in iptables
+are  logged        <i>but   not dropped</i>.                          The
+level  at which    the packets  are logged is determined     by         
+           the setting    of     <a href="#LogUnclean">LOGUNCLEAN</a>   
+ and if                     LOGUNCLEAN    has not been set, "info" is assumed.</p>
                                                                         
                                                                         
-                   
-    <p><b>logunclean                     </b>- This option works like <b>dropunclean</b> 
-                                with the exception that packets selected by
-  the    'unclean'                          match target in iptables are logged
-       <i>but   not dropped</i>.                          The level at which
-   the packets  are logged is determined     by                     the setting
-   of     <a href="#LogUnclean">LOGUNCLEAN</a>     and if               
-     LOGUNCLEAN    has not been set, "info" is assumed.</p>
-                                                                        
-                                                                        
-                   
-    <p><b>proxyarp </b>(Added in version 1.3.5) - This option           
-          causes Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp
-                                 and is used when implementing Proxy ARP
-Sub-netting            as                      described at             
-       <a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">      
-              http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. Do <u>
-                    not</u> set this option if you are implementing Proxy
-ARP                      through entries in <a href="#ProxyArp">        
-            /etc/shorewall/proxyarp</a>.<br>
-                        <br>
-                        <b>maclist</b> (Added in version 1.3.10) - If this
- option    is  specified,     all connection requests from this interface
-are subject    to      <a href="MAC_Validation.html">MAC Verification</a>.
-May only be  specified   for     ethernet interfaces.</p>
-                  </li>
-                                                  
+                                     
+    <p><b>proxyarp </b>(Added in version 1.3.5) - This option            
+         causes Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp 
+                                  and is used when implementing Proxy ARP 
+Sub-netting            as                      described at              
+      <a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">       
+             http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. Do <u> 
+                    not</u> set this option if you are implementing Proxy 
+ARP                      through entries in <a href="#ProxyArp">         
+           /etc/shorewall/proxyarp</a>.<br>
+                           <br>
+                           <b>maclist</b> (Added in version 1.3.10) - If
+this   option    is  specified,     all connection requests from this interface 
+ are subject    to      <a href="MAC_Validation.html">MAC Verification</a>. 
+ May only be  specified   for     ethernet interfaces.</p>
+                     </li>
+                                                        
 </ul>
-                               
+                                     
 <p>My recommendations concerning options:<br>
-                </p>
-                               
+                   </p>
+                                     
 <ul>
-                  <li>External Interface -- <b>tcpflags,blacklist,norfc1918,routefilter</b></li>
-                  <li>Internal Interface -- <b>routestopped</b></li>
-                 <li>Wireless Interface -- <b>maclist,routefilter,tcpflags</b><br>
-                 </li>
-                  <li>Don't use <b>dropunclean</b> -- It's broken in my opinion</li>
-                  <li>Use <b>logunclean</b> only when you are trying to debug 
-  a  problem</li>
-                 <li>Use <b>dhcp</b>,<b>multi</b> and <b>proxyarp</b> when
- needed.<br>
-                 </li>
-                               
+                     <li>External Interface -- <b>tcpflags,blacklist,norfc1918,routefilter</b></li>
+                     <li>Wireless Interface -- <b>maclist,routefilter,tcpflags</b><br>
+                    </li>
+                     <li>Don't use <b>dropunclean</b> -- It's broken in my
+ opinion</li>
+                     <li>Use <b>logunclean</b> only when you are trying to
+ debug    a  problem</li>
+                    <li>Use <b>dhcp </b>and <b>proxyarp</b> when   needed.<br>
+                    </li>
+                                     
 </ul>
-                               
+                                     
 <p>        </p>
                                                                         
-                                      
-<p>Example  1: You have a conventional firewall setup in which eth0 connects
-              to a Cable  or DSL modem and eth1 connects to your local network
-     and    eth0   gets   its IP address via DHCP. You want to check all
-packets        entering  from   the internet                    against the
-<a href="#Blacklist">black  list</a>.   Your /etc/shorewall/interfaces file
-       would be as follows:</p>
+                                            
+<p>Example  1: You have a conventional firewall setup in which eth0 connects 
+               to a Cable  or DSL modem and eth1 connects to your local network 
+      and    eth0   gets   its IP address via DHCP. You want to check all 
+packets        entering  from   the internet                    against the 
+<a href="#Blacklist">black  list</a>.   Your /etc/shorewall/interfaces file 
+        would be as follows:</p>
                                                                         
-                                    
-<blockquote>                                                             
-                               
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                   <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   BROADCAST</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>net</td>
-                                  <td>eth0</td>
-                                  <td>detect</td>
-                                  <td>dhcp,norfc1918,blacklist</td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>eth1</td>
-                                  <td>detect</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-    </tbody>                                                            
-                                                                        
- 
-  </table>
-                        </blockquote>
-                                                                        
-                                        
-<p>Example  2: You have a standalone dialup GNU/Linux System. Your   /etc/shorewall/interfaces 
-             file would be:</p>
-                                                                        
-                                           
+                                          
 <blockquote>                                                            
-                                   
+                                         
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                     <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   BROADCAST</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>net</td>
-                                  <td>ppp0</td>
-                                                                        
-                    <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                                   <tbody>
+                                                      <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   BROADCAST</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>net</td>
+                                     <td>eth0</td>
+                                     <td>detect</td>
+                                     <td>dhcp,norfc1918,blacklist</td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>eth1</td>
+                                     <td>detect</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                            
-                                                                        
-       
-  </table>
-                        </blockquote>
-                                                                        
-                                                 
-<p>Example 3: You have local interface eth1 with two IP                 
-      addresses - 192.168.1.1/24 and 192.168.12.1/24</p>
-                                                                        
-                        
-<blockquote>                                                            
-                                   
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                                     <tbody>
-                              <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   BROADCAST</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>eth1</td>
-                                                                        
-                    <td>192.168.1.255,192.168.12.255</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                         
-   
-    </tbody>                                                            
-           
-  </table>
-                          </blockquote>
-                                                                        
-                                                 
-<h2><font color="#660066"><a name="Hosts"></a>                       </font>/etc/shorewall/hosts
-            Configuration</h2>
-                                                                        
-                        
-<p>For most applications, specifying zones entirely  in terms of network
-  interfaces is sufficient. There may be times though  where you need to
-define a   zone to be a more general collection of hosts.  This is the purpose
-of the   /etc/shorewall/hosts file.</p>
-                                                                        
-                                                 
-<p><b><font color="#ff0000">WARNING: </font>90% of                      
- Shorewall users don't need to put entries in this file and             
-          80% of those who try to add such entries do it wrong.         
-              Unless you are ABSOLUTELY SURE that you need entries in   
-                    this file, don't touch it.</b></p>
-                                                                        
-                                                 
-<p>Columns in this file  are:</p>
-                                                                        
-                            
-<ul>
-                            <li><b>   ZONE </b> - A zone defined in the <a
- href="#Zones">/etc/shorewall/zones</a>               file.</li>
-                            <li><b>   HOST(S)</b> - The name of a network 
-interface      followed     by  a colon       (":")  followed by either:</li>
-                                                  
-</ul>
-                                                                        
-                                                  
-<blockquote>                                                            
-                                                                        
                  
-  <ol>
+    </tbody>                                                             
                                                                         
-                                          <li>An IP address (example - eth1:192.168.1.3)</li>
+         
+  </table>
+                           </blockquote>
                                                                         
-                                          <li>A subnet in CIDR notation<i>
-                                </i>(example - eth2:192.168.2.0/24)</li>
+                                              
+<p>Example  2: You have a standalone dialup GNU/Linux System. Your   /etc/shorewall/interfaces
+               file would be:</p>
+                                                                        
+                                                 
+<blockquote>                                                             
+                                           
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                        <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   BROADCAST</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>net</td>
+                                     <td>ppp0</td>
+                                                                        
+                       <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
-                                 
-  </ol>
+                                                                        
+                       
+    </tbody>                                                             
+                                                                        
+               
+  </table>
+                           </blockquote>
+                                                                        
+                                                       
+<p>Example 3: You have local interface eth1 with two IP                  
+     addresses - 192.168.1.1/24 and 192.168.12.1/24</p>
+                                                                        
+                              
+<blockquote>                                                             
+                                           
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                                        <tbody>
+                                 <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   BROADCAST</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>eth1</td>
+                                                                        
+                       <td>192.168.1.255,192.168.12.255</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
-                                 
-  <p>The interface name much match an entry in                          /etc/shorewall/interfaces.</p>
-                              </blockquote>
                                                                         
-                             
+                      
+    </tbody>                                                             
+                   
+  </table>
+                             </blockquote>
+                                                                        
+                                                       
+<h2><font color="#660066"><a name="Hosts"></a>                       </font>/etc/shorewall/hosts 
+             Configuration</h2>
+                                                                        
+                              
+<p>For most applications, specifying zones entirely  in terms of network 
+ interfaces is sufficient. There may be times though  where you need to define
+a   zone to be a more general collection of hosts.  This is the purpose of
+the   /etc/shorewall/hosts file.</p>
+                                                                        
+                                                       
+<p><b><font color="#ff0000">WARNING: </font>90% of                       
+Shorewall users don't need to put entries in this file and              
+         80% of those who try to add such entries do it wrong.          
+             Unless you are ABSOLUTELY SURE that you need entries in    
+                   this file, don't touch it.</b></p>
+                                                                        
+                                                       
+<p>Columns in this file  are:</p>
+                                                                        
+                                  
 <ul>
-                            <li><b>   OPTIONS</b> - A comma-separated list
- of  options.</li>
-                                                  
+                               <li><b>   ZONE </b> - A zone defined in the
+     <a href="#Zones">/etc/shorewall/zones</a>               file.</li>
+                               <li><b>   HOST(S)</b> - The name of a network
+  interface      followed     by  a colon       (":")  followed by either:</li>
+                                                        
 </ul>
                                                                         
                                                         
-<blockquote>                                                            
-                                                                        
-                       
-  <p><b>routestopped</b> - Beginning with Shorewall                     
-      1.3.4, this option is deprecated in favor of the                  
-        <a href="#Routestopped">/etc/shorewall/routestopped</a>         
-                  file. When the firewall is stopped,  traffic to and from
-                  this host (these hosts) will be accepted and routing  will
-   occur      between   this     host and other <i>routestopped </i>interfaces
-    and  hosts.<br>
-                      <br>
-                      <b>maclist - </b>Added in version 1.3.10. If specified, 
-  connection      requests   from the hosts specified in this entry are subject 
-  to <a href="MAC_Validation.html">MAC Verification</a>. This option is only 
-  valid        for ethernet interfaces.<br>
-                      </p>
-                              </blockquote>
-                                                                        
-                                                              
-<p>If you don't define any hosts for a zone, the  hosts in the zone default
-              to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0,  i1, ... are
-the    interfaces         to   the zone.</p>
-                                                                        
-                                                              
-<p><b><font size="4" color="#ff0000">Note 1: </font></b>    You probably
-DON'T want to specify   any hosts for your internet zone since  the hosts
-that you specify will be the   only ones that you will be able to access
-without adding additional rules.</p>
-                                                                        
-                                                               
-<p><font color="#ff0000" size="4"><b>Note 2:  </b>                      
-    </font>                           The setting of the MERGE_HOSTS variable
-            in                           <a href="#Conf">/etc/shorewall/shorewall.conf</a>
-            has                            an important effect on how the
-host     file     is  processed.                            Please read the
-description      of   that  variable                            carefully.</p>
-                                                                        
-                                                             
-<p>Example:</p>
-                                                                        
-                                                             
-<p>Your local interface is eth1 and you have two  groups of local hosts that
-            you want to make into separate zones:</p>
-                                                                        
-                                
-<ul>
-                            <li>192.168.1.0/25 </li>
-                            <li>192.168.1.128/25</li>
-                                                  
-</ul>
-                                                                        
-                                                      
-<p>   Your /etc/shorewall/interfaces file might look like:</p>
-                                                                        
-                                                            
-<blockquote>                                                            
-                                         
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                           <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   BROADCAST</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>net</td>
-                                  <td>eth0</td>
-                                  <td>detect</td>
-                                  <td>dhcp,norfc1918</td>
-                                </tr>
-                                <tr>
-                                  <td>-</td>
-                                  <td>eth1</td>
-                                  <td>detect</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                       
-    </tbody>                                                            
+<blockquote>                                                             
                                                                         
                          
-  </table>
-                        </blockquote>
+  <ol>
                                                                         
-                                                                  
-<p>   The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces 
-             to multiple zones.</p>
+                                             <li>An IP address (example - 
+eth1:192.168.1.3)</li>
                                                                         
-                                                                   
-<p>   Your /etc/shorewall/hosts file might look like:</p>
+                                             <li>A subnet in CIDR notation<i> 
+                                 </i>(example - eth2:192.168.2.0/24)</li>
                                                                         
-                                                                   
-<blockquote>                                <font
- face="Century Gothic, Arial, Helvetica">                               
-                                             </font>                    
-                                                   
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                             <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   HOST(S)</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>loc1</td>
-                                  <td>eth1:192.168.1.0/25</td>
-                          <td> <br>
-                  </td>
-                                </tr>
-                                    <tr>
-                                  <td>loc2</td>
-                                  <td>eth1:192.168.1.128/25</td>
-                                  <td>routestopped</td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                             
-    </tbody>                                                            
-                                                                        
-                               
-  </table>
-                        </blockquote>
-                                                                        
-                                                                        
-<p>   Hosts in 'loc2' can communicate with the firewall while Shorewall is
-            stopped   -- those in 'loc1' cannot.</p>
-                                                                        
-                                                                         
-<h4><font color="#660066"><a name="Nested"></a>   Nested and Overlapping
-Zones</font></h4>
-                                                                        
-                                                                         
-<p>   The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow 
- you  to define nested or overlapping zones. Such overlapping/nested zones
-            are   allowed and Shorewall processes zones in the order that
-  they     appear     in  the /etc/shorewall/zones file. So if you have nested
-  zones,     you   want    the  sub-zone to appear before the super-zone
-and   in the  case   of   overlapping     zones, the rules that will apply
-to hosts  that  belong   to both   zones is   determined by which zone appears
-first  in /etc/shorewall/zones.</p>
-                                                                        
-                                                                         
-<p>   Hosts that belong to more than  one  zone may be managed by the rules
-            of all of those zones. This is done through  use of the special
-  <a href="#CONTINUE">CONTINUE policy</a>    described below.</p>
-                                                                        
-                                                                         
-<h2><font color="#660066"><a name="Policy"></a>                         
-     </font>/etc/shorewall/policy Configuration.</h2>
-                                                                        
-                                               
-<p>This file is used to describe the firewall  policy regarding   establishment
-            of connections. Connection establishment  is described in terms
-    of   <i>clients</i>     who initiate connections and <i>   servers </i>who
-    receive     those connection     requests. Policies defined in  /etc/shorewall/policy
-       describe   which zones    are allowed to establish connections  with
-  other     zones.</p>
-                                                                        
-                                                                        
-  
-<p>Policies established in /etc/shorewall/policy  can be viewed as default
-              policies. If no rule in /etc/shorewall/rules applies  to a
-particular             connection request then the policy from /etc/shorewall/policy
- is   applied.</p>
-                                                                        
-                                                                        
-  
-<p>Four policies are defined:</p>
                                                                         
                                              
-<ul>
-                            <li><b>   ACCEPT</b> - The connection is allowed.</li>
-                            <li><b>   DROP</b> - The connection request is
- ignored.</li>
-                            <li><b>   REJECT</b> - The connection request 
-is  rejected     with   an  RST  (TCP) or an ICMP       destination-unreachable
-   packet  being   returned     to the client.</li>
-                            <li><b>   CONTINUE </b> - The connection is neither 
-   ACCEPTed,      DROPped    nor REJECTed.     CONTINUE may be used when one
-   or both of  the    zones named    in the entry are       sub-zones of
-or   intersect with  another    zone. For  more  information, see       below.
-    </li>
-                                                  
-</ul>
-                                                                        
-                                                                    
-<p>   For each policy specified in /etc/shorewall/policy, you can indicate
-              that  you want a message sent to your system log each time
-that     the    policy    is   applied.</p>
-                                                                        
-                                                                      
-<p>   Entries in /etc/shorewall/policy have four columns as follows:</p>
-                                                                        
-                                                                      
-<ol>
-                                                                        
-                                                    <li>   <b>   SOURCE</b> 
- -  The   name   of  a  client   zone (a zone defined in the <a
- href="#Zones">   /etc/shorewall/zones              file</a>   , the <a
- href="#Conf">name of the firewall zone</a>   or   "all").</li>
-                                                                        
-                                                    <li>   <b>   DEST</b> 
--  The   name   of  a  destination    zone (a zone defined in the <a
- href="#Zones">   /etc/shorewall/zones            file</a>   , the <a
- href="#Conf">name of the firewall zone</a> or   "all").  Shorewall automatically 
-   allows all traffic from the firewall to  itself so  the <a
- href="#Conf">name   of the firewall zone</a> cannot appear   in both the 
-  SOURCE and DEST columns.</li>
-                                                                        
-                                                    <li>   <b>   POLICY</b> 
- -  The   default     policy    for connection requests from the SOURCE  
-    zone  to the DESTINATION     zone.</li>
-                                                                        
-                                                    <li>   <b>   LOG LEVEL</b>
-   -  Optional.      If  left  empty, no log message is generated when  
-    the  policy is  applied.     Otherwise,  this column should contain an
-integer    or       name indicating     a <a
- href="shorewall_logging.html">syslog level</a>.</li>
-                                                                        
-                                                    <li>   <b>LIMIT:BURST 
-    </b>-    Optional.      If  left   empty, TCP    connection requests from
-the <b>SOURCE</b>    zone     to the      <b>DEST</b>   zone will    not
-be rate-limited. Otherwise,     this    column  specifies the maximum   rate
-at    which TCP connection   requests     will be accepted followed by a
-colon  (":")    followed by the  maximum  burst   size that will be tolerated.
-Example:      <b>   10/sec:40</b>   specifies    that the maximum rate of
-TCP connection  requests    allowed   will be 10  per  second and a burst
-of 40 connections will  be tolerated.      Connection  requests  in excess
-of these limits will be dropped.</li>
-                                                                        
-                                                                      
-</ol>
-                                                                        
-                                                                      
-<p>   In the SOURCE and DEST columns, you can enter "all" to   indicate all
-             zones. </p>
-                                                                        
-                                                                      
-<p>   The policy file installed by default is as follows:</p>
-                                                                        
-                                                                         
-<blockquote>                                  <font
- face="Century Gothic, Arial, Helvetica">                               
-                                                 </font>                
-                                                       
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                               <tr>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   POLICY</b></td>
-                                  <td><b>   LOG LEVEL</b></td>
-                                  <td><b>LIMIT:BURST</b></td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>net</td>
-                                  <td>ACCEPT</td>
-                          <td> <br>
-                  </td>
-                                                                        
-                                <td> <br>
-                  </td>
-                                </tr>
-                                     <tr>
-                                  <td>net</td>
-                                  <td>all</td>
-                                  <td>DROP</td>
-                                  <td>info</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>REJECT</td>
-                                  <td>info</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+  </ol>
                                                                         
                                                                         
+                                             
+  <p>The interface name much match an entry in                          /etc/shorewall/interfaces.</p>
+                                 </blockquote>
                                                                         
                                    
-    </tbody>                                                            
-                                                                        
-                                     
-  </table>
-                        </blockquote>
-                                                                        
-                                                                        
-      
-<p>   This table may be interpreted as follows:</p>
-                                                                        
-                  
 <ul>
-                            <li>All connection requests from the local network
-   to  hosts    on  the         internet  are accepted.</li>
-                            <li>All connection requests originating from
-the   internet     are   ignored    and       logged at level KERNEL.INFO.</li>
-                            <li>All other connection requests are rejected
- and   logged.</li>
-                                                  
+                               <li><b>   OPTIONS</b> - A comma-separated
+list   of  option</li>
+                                                        
 </ul>
                                                                         
-        
-<p><b><font size="4" color="#ff0000">   WARNING:</font></b></p>
+                                                              
+<blockquote>                                                             
                                                                         
-        
-<p><font color="#ff0000"><b>   The firewall   script processes</b> <b> the
-            /etc/shorewall/policy file from  top to bottom and <u>uses  
-the    first      applicable   policy that it finds.</u>    For example,
-in the   following      policy file,   the policy for (loc, loc)  connections
-would   be ACCEPT  as     specified in  the first entry even though  the
-third entry   in the file  specifies   REJECT.</b></font></p>
+                               
+  <p><b>maclist - </b>Added in version 1.3.10. If specified,    connection
+      requests   from the hosts specified in this entry are subject    to
+  <a href="MAC_Validation.html">MAC Verification</a>. This option is only
+   valid        for ethernet interfaces.<br>
+                         </p>
+                                 </blockquote>
                                                                         
-        
-<blockquote>                                   <font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                 <tr>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>POLICY</b></td>
-                                  <td><b>LOG LEVEL</b></td>
-                                  <td><b>LIMIT:BURST</b></td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>all</td>
-                                  <td>ACCEPT</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                                                                    
+<p>If you don't define any hosts for a zone, the  hosts in the zone default 
+               to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0,  i1, ... are 
+the    interfaces         to   the zone.</p>
                                                                         
-      <tr>
-                                  <td>net</td>
-                                  <td>all</td>
-                                  <td>DROP</td>
-                                  <td>info</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>loc</td>
-                                  <td>REJECT</td>
-                                  <td>info</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                                                                    
+<p><b><font size="4" color="#ff0000">Note: </font></b>    You probably DON'T
+want to specify   any hosts for your internet zone since  the hosts that
+you specify will be the   only ones that you will be able to access without
+adding additional rules.</p>
                                                                         
                                                                         
                                                                         
-                                         
-    </tbody>                                                            
+                                                               
+<p>Example:</p>
                                                                         
-                                           
-  </table>
-                        </blockquote>
+                                                                   
+<p>Your local interface is eth1 and you have two  groups of local hosts that 
+             you want to make into separate zones:</p>
                                                                         
-          
-<h4><font color="#660066"><a name="CONTINUE"></a>                       
-           The CONTINUE policy</font></h4>
+                                      
+<ul>
+                               <li>192.168.1.0/25 </li>
+                               <li>192.168.1.128/25</li>
+                                                        
+</ul>
                                                                         
-          
-<p>   Where zones are <a href="#Nested">nested or overlapping</a>   , the
-            CONTINUE policy allows hosts that are within multiple zones to
- be    managed       under the rules of all of these zones. Let's look at
-an example:</p>
+                                                            
+<p>   Your /etc/shorewall/interfaces file might look like:</p>
                                                                         
-          
-<p>   /etc/shorewall/zones:</p>
-                                                                        
-          
-<blockquote>                                                            
-                                               
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                   <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   DISPLAY</b></td>
-                                  <td><b>   COMMENTS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>sam</td>
-                                  <td>Sam</td>
-                                  <td>Sam's  system at home</td>
-                                </tr>
-                                <tr>
-                                  <td>net</td>
-                                  <td>Internet</td>
-                                  <td>The  Internet</td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>Loc</td>
-                                  <td>Local  Network</td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                                               
-    </tbody>                                                            
-                                                                        
-                                                 
-  </table>
-                        </blockquote>
-                                                                        
-            
-<p>   /etc/shorewall/interfaces:</p>
-                                                                        
-            
+                                                                  
 <blockquote>                                                             
                                                  
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                     <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   BROADCAST</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>-</td>
-                                  <td>eth0</td>
-                                  <td>detect</td>
-                                  <td>dhcp,norfc1918</td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>eth1</td>
-                                  <td>detect</td>
-                                  <td>routestopped</td>
-                                </tr>
+                                   <tbody>
+                                                              <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   BROADCAST</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>net</td>
+                                     <td>eth0</td>
+                                     <td>detect</td>
+                                     <td>dhcp,norfc1918</td>
+                                   </tr>
+                                   <tr>
+                                     <td>-</td>
+                                     <td>eth1</td>
+                                     <td>detect</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                         
+    </tbody>                                                             
+                                                                        
+                                 
+  </table>
+                           </blockquote>
+                                                                        
+                                                                        
+<p>   The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces
+               to multiple zones.</p>
+                                                                        
+                                                                         
+<p>   Your /etc/shorewall/hosts file might look like:</p>
+                                                                        
+                                                                         
+<blockquote>                                <font
+ face="Century Gothic, Arial, Helvetica">                                
+                                            </font>                     
+                                                           
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   HOST(S)</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc1</td>
+                                     <td>eth1:192.168.1.0/25</td>
+                             <td> <br>
+                     </td>
+                                   </tr>
+                                       <tr>
+                                     <td>loc2</td>
+                                     <td>eth1:192.168.1.128/25</td>
+                                     <td><br>
+          </td>
+        </tr>
+           
+    </tbody>      
+  </table>
+                           </blockquote>
+                                                                        
+                                                                        
+     
+<p>   Hosts in 'loc2' can communicate with the firewall while Shorewall is 
+             stopped   -- those in 'loc1' cannot.</p>
+                                                                        
+                                                                        
+      
+<h4><font color="#660066"><a name="Nested"></a>   Nested and Overlapping Zones</font></h4>
+                                                                        
+                                                                        
+      
+<p>   The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow  
+you  to define nested or overlapping zones. Such overlapping/nested zones 
+             are   allowed and Shorewall processes zones in the order that 
+   they     appear     in  the /etc/shorewall/zones file. So if you have nested
+   zones,     you   want    the  sub-zone to appear before the super-zone 
+and   in the  case   of   overlapping     zones, the rules that will apply 
+to hosts  that  belong   to both   zones is   determined by which zone appears 
+ first  in /etc/shorewall/zones.</p>
+                                                                        
+                                                                        
+      
+<p>   Hosts that belong to more than  one  zone may be managed by the rules 
+             of all of those zones. This is done through  use of the special 
+   <a href="#CONTINUE">CONTINUE policy</a>    described below.</p>
+                                                                        
+                                                                        
+      
+<h2><font color="#660066"><a name="Policy"></a>                          
+    </font>/etc/shorewall/policy Configuration.</h2>
+                                                                        
+                                                     
+<p>This file is used to describe the firewall  policy regarding   establishment 
+             of connections. Connection establishment  is described in terms 
+     of   <i>clients</i>     who initiate connections and <i>   servers </i>who 
+     receive     those connection     requests. Policies defined in  /etc/shorewall/policy 
+        describe   which zones    are allowed to establish connections  with 
+   other     zones.</p>
+                                                                        
+                                                                        
+        
+<p>Policies established in /etc/shorewall/policy  can be viewed as default 
+               policies. If no rule in /etc/shorewall/rules applies  to a 
+particular             connection request then the policy from /etc/shorewall/policy 
+  is   applied.</p>
+                                                                        
+                                                                        
+        
+<p>Four policies are defined:</p>
+                                                                        
+                                                   
+<ul>
+                               <li><b>   ACCEPT</b> - The connection is allowed.</li>
+                               <li><b>   DROP</b> - The connection request
+ is  ignored.</li>
+                               <li><b>   REJECT</b> - The connection request
+  is  rejected     with   an  RST  (TCP) or an ICMP       destination-unreachable 
+    packet  being   returned     to the client.</li>
+                               <li><b>   CONTINUE </b> - The connection is
+ neither     ACCEPTed,      DROPped    nor REJECTed.     CONTINUE may be
+used  when one    or both of  the    zones named    in the entry are    
+  sub-zones  of or   intersect with  another    zone. For  more  information,
+see       below.     </li>
+                                                        
+</ul>
+                                                                        
+                                                                        
+ 
+<p>   For each policy specified in /etc/shorewall/policy, you can indicate 
+               that  you want a message sent to your system log each time 
+that     the    policy    is   applied.</p>
+                                                                        
+                                                                        
+   
+<p>   Entries in /etc/shorewall/policy have four columns as follows:</p>
+                                                                        
+                                                                        
+   
+<ol>
+                                                                        
+                                                       <li>   <b>   SOURCE</b>
+   -  The   name   of  a  client   zone (a zone defined in the <a
+ href="#Zones">   /etc/shorewall/zones              file</a>   , the <a
+ href="#Conf">name of the firewall zone</a>   or   "all").</li>
+                                                                        
+                                                       <li>   <b>   DEST</b>
+  -  The   name   of  a  destination    zone (a zone defined in the <a
+ href="#Zones">   /etc/shorewall/zones            file</a>   , the <a
+ href="#Conf">name of the firewall zone</a> or   "all").  Shorewall automatically
+     allows all traffic from the firewall to  itself so  the <a
+ href="#Conf">name   of the firewall zone</a> cannot appear   in both the
+    SOURCE and DEST columns.</li>
+                                                                        
+                                                       <li>   <b>   POLICY</b>
+   -  The   default     policy    for connection requests from the SOURCE
+      zone  to the DESTINATION     zone.</li>
+                                                                        
+                                                       <li>   <b>   LOG LEVEL</b> 
+    -  Optional.      If  left  empty, no log message is generated when  
+    the  policy is  applied.     Otherwise,  this column should contain an
+ integer    or       name indicating     a <a
+ href="shorewall_logging.html">syslog level</a>.</li>
+                                                                        
+                                                       <li>   <b>LIMIT:BURST
+      </b>-    Optional.      If  left   empty, TCP    connection requests
+ from the <b>SOURCE</b>    zone     to the      <b>DEST</b>   zone will 
+  not be rate-limited. Otherwise,     this    column  specifies the maximum
+   rate at    which TCP connection   requests     will be accepted followed
+ by a colon  (":")    followed by the  maximum  burst   size that will be
+tolerated. Example:      <b>   10/sec:40</b>   specifies    that the maximum
+rate of TCP connection  requests    allowed   will be 10  per  second and
+a burst of 40 connections will  be tolerated.      Connection  requests 
+in excess of these limits will be dropped.</li>
+                                                                        
+                                                                        
+   
+</ol>
+                                                                        
+                                                                        
+   
+<p>   In the SOURCE and DEST columns, you can enter "all" to   indicate all 
+              zones. </p>
+                                                                        
+                                                                        
+   
+<p>   The policy file installed by default is as follows:</p>
+                                                                        
+                                                                        
+      
+<blockquote>                                  <font
+ face="Century Gothic, Arial, Helvetica">                                
+                                                </font>                 
+                                                               
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                  <tr>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   POLICY</b></td>
+                                     <td><b>   LOG LEVEL</b></td>
+                                     <td><b>LIMIT:BURST</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>net</td>
+                                     <td>ACCEPT</td>
+                             <td> <br>
+                     </td>
+                                                                        
+                                   <td> <br>
+                     </td>
+                                   </tr>
+                                        <tr>
+                                     <td>net</td>
+                                     <td>all</td>
+                                     <td>DROP</td>
+                                     <td>info</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>REJECT</td>
+                                     <td>info</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                      
-    </tbody>                                                            
+    </tbody>                                                             
                                                                         
-                                                       
+                                             
   </table>
-                        </blockquote>
+                           </blockquote>
+                                                                        
+                                                                        
+            
+<p>   This table may be interpreted as follows:</p>
+                                                                        
+                        
+<ul>
+                               <li>All connection requests from the local 
+network     to  hosts    on  the         internet  are accepted.</li>
+                               <li>All connection requests originating from 
+ the   internet     are   ignored    and       logged at level KERNEL.INFO.</li>
+                               <li>All other connection requests are rejected 
+  and   logged.</li>
+                                                        
+</ul>
                                                                         
               
-<p>   /etc/shorewall/hosts:</p>
+<p><b><font size="4" color="#ff0000">   WARNING:</font></b></p>
                                                                         
               
-<blockquote>                                         <font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
+<p><font color="#ff0000"><b>   The firewall   script processes</b> <b> the 
+             /etc/shorewall/policy file from  top to bottom and <u>uses  
+the    first      applicable   policy that it finds.</u>    For example, in
+the   following      policy file,   the policy for (loc, loc)  connections 
+would   be ACCEPT  as     specified in  the first entry even though  the third
+entry   in the file  specifies   REJECT.</b></font></p>
+                                                                        
+              
+<blockquote>                                   <font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                       <tr>
-                                  <td><b>   ZONE</b></td>
-                                  <td><b>   HOST(S)</b></td>
-                                  <td><b>   OPTIONS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>net</td>
-                                  <td>eth0:0.0.0.0/0</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                                   <tbody>
+                                                                    <tr>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>POLICY</b></td>
+                                     <td><b>LOG LEVEL</b></td>
+                                     <td><b>LIMIT:BURST</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>all</td>
+                                     <td>ACCEPT</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
-            <tr>
-                                  <td>sam</td>
-                                  <td>eth0:206.191.149.197</td>
-                                  <td>routestopped</td>
-                                </tr>
+         <tr>
+                                     <td>net</td>
+                                     <td>all</td>
+                                     <td>DROP</td>
+                                     <td>info</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>loc</td>
+                                     <td>REJECT</td>
+                                     <td>info</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                            
-    </tbody>                                                            
+    </tbody>                                                             
                                                                         
-                                                             
+                                                   
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
                 
-<p>   Note that Sam's home system is a member of both the <b>sam</b> zone
-            and  the                                         <b>net</b> zone
-   and    <a href="#Nested">   as described above</a>   , that means that
-<b>sam</b>       must be listed before <b>net</b>  in /etc/shorewall/zones.</p>
+<h4><font color="#660066"><a name="CONTINUE"></a>                        
+          The CONTINUE policy</font></h4>
                                                                         
                 
-<p>   /etc/shorewall/policy:</p>
+<p>   Where zones are <a href="#Nested">nested or overlapping</a>   , the 
+             CONTINUE policy allows hosts that are within multiple zones to
+  be    managed       under the rules of all of these zones. Let's look at
+ an example:</p>
                                                                         
                 
-<blockquote>                                           <font
- face="Century Gothic, Arial, Helvetica">          </font><font
- face="Century Gothic, Arial, Helvetica">          </font>               
+<p>   /etc/shorewall/zones:</p>
+                                                                        
+                
+<blockquote>                                                             
                                                        
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                        
-      <tr>
-                                  <td><b>          SOURCE</b></td>
-                                  <td><b>          DEST</b></td>
-                                  <td><b>   POLICY</b></td>
-                                  <td><b>   LOG LEVEL</b></td>
-                                </tr>
-                                <tr>
-                                  <td>loc</td>
-                                  <td>net</td>
-                                  <td>ACCEPT</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-              <tr>
-                                  <td>sam</td>
-                                  <td>all</td>
-                                  <td>CONTINUE</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-              <tr>
-                                  <td>net</td>
-                                  <td>all</td>
-                                  <td>DROP</td>
-                                  <td>info</td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>REJECT</td>
-                                  <td>info</td>
-                                </tr>
+                                   <tbody>
+                                                                      <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   DISPLAY</b></td>
+                                     <td><b>   COMMENTS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>sam</td>
+                                     <td>Sam</td>
+                                     <td>Sam's  system at home</td>
+                                   </tr>
+                                   <tr>
+                                     <td>net</td>
+                                     <td>Internet</td>
+                                     <td>The  Internet</td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>Loc</td>
+                                     <td>Local  Network</td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                  
-    </tbody>                                                            
+    </tbody>                                                             
                                                                         
-                                                                   
+                                                         
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
                   
-<p>   The second entry above says that when Sam is the client, connection
-            requests   should first be process under rules where the source
-  zone     is   <b>sam</b>  and if there is no match then the connection
-request    should     be  treated under   rules where the source zone is
-<b>net</b>.    It is important       that this policy   be listed BEFORE
-the next policy    (<b>net</b> to <b>all</b>).</p>
+<p>   /etc/shorewall/interfaces:</p>
                                                                         
                   
-<p>   Partial /etc/shorewall/rules:</p>
-                                                                        
-                  
-<blockquote>                                             <font
- face="Century Gothic, Arial, Helvetica">          </font><font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
+<blockquote>                                                            
+                                                           
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                        
-        <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
-                                                                        
-             </tr>
-                                <tr>
-                                  <td>...</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                <tr>
-                                  <td>DNAT</td>
-                                  <td>sam</td>
-                                  <td>loc:192.168.1.3</td>
-                                  <td>tcp</td>
-                                  <td>ssh</td>
-                                  <td>-</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>DNAT</td>
-                                  <td>net</td>
-                                  <td>loc:192.168.1.5</td>
-                                  <td>tcp</td>
-                                  <td>www</td>
-                                  <td>-</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>...</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                                   <tbody>
+                                                                        <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   BROADCAST</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>-</td>
+                                     <td>eth0</td>
+                                     <td>detect</td>
+                                     <td>dhcp,norfc1918</td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>eth1</td>
+                                     <td>detect</td>
+                                     <td><br>
+        </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                        
-    </tbody>                                                            
-                                                                        
+    </tbody>                                                             
                                                                         
+                                                               
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
                     
-<p>   Given these two rules, Sam can connect to the firewall's internet interface
-              with ssh and the connection request will be forwarded to 192.168.1.3.
-          Like   all hosts in the <b>net</b> zone, Sam can connect to the
-firewall's          internet    interface on TCP port 80 and the connection
-request will     be   forwarded  to   192.168.1.5. The order of the rules
-is not significant.</p>
+<p>   /etc/shorewall/hosts:</p>
                                                                         
-                      
-<p>   <a name="Exclude"></a>Sometimes it is necessary to suppress port forwarding
-               for a sub-zone. For example, suppose that all hosts can SSH
- to   the    firewall       and be forwarded to 192.168.1.5 EXCEPT Sam. When
- Sam   connects    to the     firewall's external IP, he should be connected
- to  the firewall    itself.   Because    of the way that Netfilter is constructed,
-    this requires    two rules   as follows:</p>
-                                                                        
-                      
-<blockquote>                                                             
-                                                       
-  <p>    </p>
-                                                                        
-  <font face="Century Gothic, Arial, Helvetica">          </font><font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
+                    
+<blockquote>                                         <font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                              <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
-                                     </tr>
+                                   <tbody>
                                                                         
-        <tr>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>...</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
+       <tr>
+                                     <td><b>   ZONE</b></td>
+                                     <td><b>   HOST(S)</b></td>
+                                     <td><b>   OPTIONS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>net</td>
+                                     <td>eth0:0.0.0.0/0</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+               <tr>
+                                     <td>sam</td>
+                                     <td>eth0:206.191.149.197</td>
+                                     <td><br>
+        </td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                         
+   
+    </tbody>                                                             
+                                                                        
+                                                                     
+  </table>
+                           </blockquote>
+                                                                        
+                      
+<p>   Note that Sam's home system is a member of both the <b>sam</b> zone 
+             and  the                                         <b>net</b> zone
+    and    <a href="#Nested">   as described above</a>   , that means that
+ <b>sam</b>       must be listed before <b>net</b>  in /etc/shorewall/zones.</p>
+                                                                        
+                      
+<p>   /etc/shorewall/policy:</p>
+                                                                        
+                      
+<blockquote>                                           <font
+ face="Century Gothic, Arial, Helvetica">          </font><font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                        
+         <tr>
+                                     <td><b>          SOURCE</b></td>
+                                     <td><b>          DEST</b></td>
+                                     <td><b>   POLICY</b></td>
+                                     <td><b>   LOG LEVEL</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>loc</td>
+                                     <td>net</td>
+                                     <td>ACCEPT</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                 <tr>
+                                     <td>sam</td>
+                                     <td>all</td>
+                                     <td>CONTINUE</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                 <tr>
+                                     <td>net</td>
+                                     <td>all</td>
+                                     <td>DROP</td>
+                                     <td>info</td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>REJECT</td>
+                                     <td>info</td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+          
+    </tbody>                                                             
+                                                                        
+                                                                        
+ 
+  </table>
+                           </blockquote>
+                                                                        
+                        
+<p>   The second entry above says that when Sam is the client, connection 
+             requests   should first be process under rules where the source 
+   zone     is   <b>sam</b>  and if there is no match then the connection 
+request    should     be  treated under   rules where the source zone is <b>net</b>.
+   It is important       that this policy   be listed BEFORE the next policy
+   (<b>net</b> to <b>all</b>).</p>
+                                                                        
+                        
+<p>   Partial /etc/shorewall/rules:</p>
+                                                                        
+                        
+<blockquote>                                             <font
+ face="Century Gothic, Arial, Helvetica">          </font><font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                        
+           <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
                                                                         
                 </tr>
-                                <tr>
-                                  <td>DNAT</td>
-                                  <td>sam</td>
-                                  <td>fw</td>
-                                  <td>tcp</td>
-                                  <td>ssh</td>
-                                  <td>-</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>DNAT</td>
-                                  <td>net!sam</td>
-                                  <td>loc:192.168.1.3</td>
-                                  <td>tcp</td>
-                                  <td>ssh</td>
-                                  <td>-</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>...</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                                   <tr>
+                                     <td>...</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                   <tr>
+                                     <td>DNAT</td>
+                                     <td>sam</td>
+                                     <td>loc:192.168.1.3</td>
+                                     <td>tcp</td>
+                                     <td>ssh</td>
+                                     <td>-</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>DNAT</td>
+                                     <td>net</td>
+                                     <td>loc:192.168.1.5</td>
+                                     <td>tcp</td>
+                                     <td>www</td>
+                                     <td>-</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>...</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
-                                                                      
-    </tbody>                                                            
-           
+                                                                        
+                
+    </tbody>                                                             
+                                                                        
+                                                                        
+       
   </table>
-                          </blockquote>
+                           </blockquote>
                                                                         
-                      
-<p>The first rule allows Sam SSH                                        
-     access to the firewall. The second                                 
-            rule says that any clients from the                         
-                    net zone with the exception of those                
-                             in the 'sam' zone should have their        
-                                     connection port forwarded to       
-                                      192.168.1.3. If you need to exclude
-                                             more than one zone in this way,
-            you                                              can list the
-zones      separated      by                                            
+                          
+<p>   Given these two rules, Sam can connect to the firewall's internet interface 
+               with ssh and the connection request will be forwarded to 192.168.1.3. 
+           Like   all hosts in the <b>net</b> zone, Sam can connect to the 
+ firewall's          internet    interface on TCP port 80 and the connection 
+ request will     be   forwarded  to   192.168.1.5. The order of the rules 
+ is not significant.</p>
+                                                                        
+                            
+<p>   <a name="Exclude"></a>Sometimes it is necessary to suppress port forwarding 
+                for a sub-zone. For example, suppose that all hosts can SSH 
+  to   the    firewall       and be forwarded to 192.168.1.5 EXCEPT Sam. When
+  Sam   connects    to the     firewall's external IP, he should be connected
+  to  the firewall    itself.   Because    of the way that Netfilter is constructed,
+     this requires    two rules   as follows:</p>
+                                                                        
+                            
+<blockquote>                                                            
+                                                                 
+  <p>    </p>
+                                                                        
+     <font face="Century Gothic, Arial, Helvetica">          </font><font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                 <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
+                                        </tr>
+                                                                        
+           <tr>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>...</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                                                        
+                   </tr>
+                                   <tr>
+                                     <td>DNAT</td>
+                                     <td>sam</td>
+                                     <td>fw</td>
+                                     <td>tcp</td>
+                                     <td>ssh</td>
+                                     <td>-</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>DNAT</td>
+                                     <td>net!sam</td>
+                                     <td>loc:192.168.1.3</td>
+                                     <td>tcp</td>
+                                     <td>ssh</td>
+                                     <td>-</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>...</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+               
+    </tbody>                                                             
+                   
+  </table>
+                             </blockquote>
+                                                                        
+                            
+<p>The first rule allows Sam SSH                                         
+    access to the firewall. The second                                  
+           rule says that any clients from the                          
+                   net zone with the exception of those                 
+                            in the 'sam' zone should have their         
+                                    connection port forwarded to        
+                                     192.168.1.3. If you need to exclude 
+                                            more than one zone in this way, 
+             you                                              can list the 
+ zones      separated      by                                            
  commas  (e.g.,    net!sam,joe,fred).                                   
                This    technique also may be   used  when               
                               the ACTION is REDIRECT.</p>
                                                                         
                                                                         
-                                         
-<h2><font color="#660066"><a name="Rules"></a>                          
-                  </font>/etc/shorewall/rules</h2>
+                                               
+<h2><font color="#660066"><a name="Rules"></a>                           
+                 </font>/etc/shorewall/rules</h2>
                                                                         
                                                                         
-                                         
-<p>The /etc/shorewall/rules file  defines exceptions to the policies   established
-            in the /etc/shorewall/policy  file. There is one entry in   /etc/shorewall/rules
-            for each of these rules. <br>
-                 </p>
-                                 
-<p>Shorewall automatically enables firewall-&gt;firewall traffic over the 
-        loopback interface (lo) -- that traffic cannot be regulated using 
-rules      and  any rule that tries to regulate such traffic will generate 
-a warning      and will be ignored.<br>
-                 </p>
+                                               
+<p>The /etc/shorewall/rules file  defines exceptions to the policies   established 
+             in the /etc/shorewall/policy  file. There is one entry in   /etc/shorewall/rules
+             for each of these rules. <br>
+                    </p>
+                                       
+<p>Shorewall automatically enables firewall-&gt;firewall traffic over the
+          loopback interface (lo) -- that traffic cannot be regulated using
+  rules      and  any rule that tries to regulate such traffic will generate
+  a warning      and will be ignored.<br>
+                    </p>
                                                                         
                                                                         
-                                            
+                                                  
 <p>Entries in the file have the  following columns:</p>
-                                                  
+                                                        
 <ul>
-                            <li><b>ACTION</b>                           
+                               <li><b>ACTION</b>                        
                                                                         
-                   
+                                     
     <ul>
-                              <li>ACCEPT, DROP or REJECT. These have the
-same   meaning     here   as  in  the       policy file above.</li>
-                              <li>DNAT -- Causes the connection request to
- be  forwarded      to  the   system        specified in the DEST column
-(port   forwarding).    "DNAT"   stands   for "<u>D</u>estination       <u>N</u>etwork 
-          <u>A</u>ddress            <u>T</u>ranslation"</li>
-                  <li>DNAT- -- The above ACTION (DNAT) generates two iptables 
-  rules:    1) and header-rewriting rule in the Netfilter 'nat' table and; 
- 2) an ACCEPT    rule in the Netfilter 'filter' table. DNAT- works like DNAT 
- but only generates    the header-rewriting rule.<br>
-                  </li>
-                              <li>REDIRECT -- Causes the connection request 
- to  be  redirected      to  a port on       the local (firewall) system.</li>
+                                 <li>ACCEPT, DROP, REJECT, CONTINUE. These
+have the same    meaning     here   as  in  the       policy file above.</li>
+                                 <li>DNAT -- Causes the connection request
+ to  be  forwarded      to  the   system        specified in the DEST column 
+ (port   forwarding).    "DNAT"   stands   for "<u>D</u>estination       
+       <u>N</u>etwork            <u>A</u>ddress            <u>T</u>ranslation"</li>
+                     <li>DNAT- -- The above ACTION (DNAT) generates two iptables
+    rules:    1) and header-rewriting rule in the Netfilter 'nat' table and;
+   2) an ACCEPT    rule in the Netfilter 'filter' table. DNAT- works like
+DNAT   but only generates    the header-rewriting rule.<br>
+                     </li>
+                                 <li>REDIRECT -- Causes the connection request
+   to  be  redirected      to  a port on       the local (firewall) system.</li>
+      <li>LOG - Log the packet -- requires a syslog level (see below).</li>
                                                                         
                                                                         
-  
+                    
     </ul>
                                                                         
                                                                         
-  
+                    
     <p>The ACTION may optionally be followed by     ":" and a <a
- href="shorewall_logging.html">syslog  level</a> (example: REJECT:info).
-This causes the     packet to be logged   at   the specified level prior
-to being processed according     to the specified      ACTION.<br>
-                            <br>
-                            The use of DNAT or REDIRECT requires that you 
-have       <a href="#NatEnabled">NAT     enabled</a>.<br>
-                              </p>
-                          </li>
-                          <li><b>SOURCE</b> - Describes the source hosts
-to  which    the   rule   applies..    The contents of this field must begin 
-      with    the  name of   a zone defined    in /etc/shorewall/zones, $FW 
- or "all".  If  the      ACTION  is DNAT or REDIRECT, sub-zones   may be excluded
- from  the  rule  by     following  the initial zone name with   "!' and
-a  comma-separated    list of those     sub-zones to be excluded. There 
- is  an <a href="#Exclude">example</a> above.<br>
-                            <br>
-                            If the source is not 'all' then the source may
- be  further     restricted   by adding a colon (":") followed    by a  
-  comma-separated      list of qualifiers.   Qualifiers are may        include:
+ href="shorewall_logging.html">syslog  level</a> (example: REJECT:info). This
+causes the     packet to be logged   at   the specified level prior to being
+processed according     to the specified      ACTION. Note: if the ACTION
+is LOG then you MUST specify a syslog level.<br>
+                               <br>
+                               The use of DNAT or REDIRECT requires that
+you   have       <a href="#NatEnabled">NAT     enabled</a>.<br>
+                                 </p>
+                             </li>
+                             <li><b>SOURCE</b> - Describes the source hosts 
+ to  which    the   rule   applies..    The contents of this field must begin
+        with    the  name of   a zone defined    in /etc/shorewall/zones,
+$FW   or "all".  If  the      ACTION  is DNAT or REDIRECT, sub-zones   may
+be excluded  from  the  rule  by     following  the initial zone name with
+  "!' and a  comma-separated    list of those     sub-zones to be excluded.
+ There   is  an <a href="#Exclude">example</a> above.<br>
+                               <br>
+                               If the source is not 'all' then the source 
+may   be  further     restricted   by adding a colon (":") followed    by 
+a     comma-separated      list of qualifiers.   Qualifiers are may      
+ include:                                                               
                                                                         
-                                                     
+      
     <ul>
-                              <li>An interface name - refers to any connection
-   requests     arriving     on           the specified interface (example
- loc:eth4).  Beginning    with   Shorwall 1.3.9, the interface name may optionally
- be followed by  a  colon  (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, 
-       net:eth0:192.0.2.0/24).</li>
-                              <li>An IP address - refers to a connection
-request     from   the   host   with            the specified address (example
-net:155.186.235.151).         If the  ACTION is DNAT, this must not be a
+                                 <li>An interface name - refers to any connection 
+    requests     arriving     on           the specified interface (example 
+  loc:eth4).  Beginning    with   Shorwall 1.3.9, the interface name may optionally
+  be followed by  a  colon  (":") and an IP address or subnet (examples:
+loc:eth4:192.168.4.22,         net:eth0:192.0.2.0/24).</li>
+                                 <li>An IP address - refers to a connection 
+ request     from   the   host   with            the specified address (example 
+ net:155.186.235.151).         If the  ACTION is DNAT, this must not be a 
 DNS name.</li>
-                              <li>A MAC Address in <a href="#MAC">Shorewall 
- format</a>.</li>
-                              <li>A subnet - refers to a connection request 
- from   any   host   in  the         specified  subnet (example net:155.186.235.0/24).</li>
+                                 <li>A MAC Address in <a href="#MAC">Shorewall
+   format</a>.</li>
+                                 <li>A subnet - refers to a connection request
+   from   any   host   in  the         specified  subnet (example net:155.186.235.0/24).</li>
                                                                         
                                                                         
-  
+                    
     </ul>
-                            </li>
-                            <li><b>DEST</b> - Describes the destination host(s) 
-   to  which    the   rule   applies. May take any of the forms described 
-      above for    SOURCE   plus  the following two additional forms:    
+                               </li>
+                               <li><b>DEST</b> - Describes the destination
+ host(s)     to  which    the   rule   applies. May take any of the forms
+described        above for    SOURCE   plus  the following two additional
+forms:                                                                  
                                                                         
-                                              
     <ul>
-                              <li>An IP address followed by a colon and the 
- port           <u>number</u>        that            the server is listening 
- on (service  names from /etc/services        are  not            allowed 
-- example loc:192.168.1.3:80).          <br>
-                       </li>
-                              <li>A single port number (again, service names
-  are   not   allowed)     --  this form is only allowed       if the ACTION
-  is REDIRECT    and refers    to a  server running on the firewall itself
- and           listening  on the   specified  port.<br>
-                       </li>
+                                 <li>An IP address followed by a colon and
+ the   port           <u>number</u>        that            the server is
+listening    on (service  names from /etc/services        are  not      
+     allowed   - example loc:192.168.1.3:80).          <br>
+                          </li>
+                                 <li>A single port number (again, service 
+names    are   not   allowed)     --  this form is only allowed       if the
+ACTION    is REDIRECT    and refers    to a  server running on the firewall 
+itself   and           listening  on the   specified  port.<br>
+                          </li>
                                                                         
                                                                         
-  
+                    
     </ul>
-                            </li>
-                            <li><b>   PROTO</b> - Protocol. Must be a protocol
-   name   from   /etc/protocols,     a number,        "all" or "related".
-Specifies     the protocol    of the connection           request. "related"
-should be   specified only  if you  have given ALLOWRELATED="no"     in /etc/shorewall/shorewall.conf
-       and you  wish       to override that setting    for related connections
-     originating   with  the       client(s) and server(s)    specified in
- this    rule. When "related"         is given for the protocol,   the remainder
-   of  the columns should be  left         blank.</li>
-                            <li><b>    DEST   PORT(S)</b> - Port or port
-range    (&lt;low     port&gt;:&lt;high     port&gt;) being connected to.
-May only    be       specified     if the protocol     is tcp, udp or icmp.
-For icmp,    this column's       contents   are interpreted     as an icmp
-type. If you   don't want to specify        DEST PORT(S)  but need    to
-include information    in one of the columns  to the       right,  enter
- "-"  in this column.  You  may give a list of ports   and/or port ranges
-    separated  by commas.  Port  numbers may be either integers   or service
+                               </li>
+                               <li><b>   PROTO</b> - Protocol. Must be a
+protocol     name   from   /etc/protocols,     a number or        "all". 
+Specifies     the protocol    of the connection           request.</li>
+                               <li><b>    DEST   PORT(S)</b> - Port or port 
+ range    (&lt;low     port&gt;:&lt;high     port&gt;) being connected to. 
+ May only    be       specified     if the protocol     is tcp, udp or icmp. 
+ For icmp,    this column's       contents   are interpreted     as an icmp 
+ type. If you   don't want to specify        DEST PORT(S)  but need    to 
+include information    in one of the columns  to the       right,  enter 
+"-"  in this column.  You  may give a list of ports   and/or port ranges 
+   separated  by commas.  Port  numbers may be either integers   or service 
 names     from /etc/services.</li>
-                            <li><b>    SOURCE</b> <b>PORTS(S) </b>- May be
- used   to  restrict     the   rule to a particular     client port or port
- range   (a port range  is   specified   as &lt;low port     number&gt;:&lt;high 
- port  number&gt;).  If  you don't want   to restrict client ports but   
- want to specify something    in the next column,   enter "-" in this column. 
- If     you wish to specify    a list of port number   or ranges, separate 
- the  list     elements with commas    (with no embedded white  space). Port 
- numbers  may be     either integers   or service names from /etc/services.</li>
-                            <li><b>ORIGINAL DEST</b> - This column may only 
- be  non-empty      if  the   ACTION is DNAT     or     REDIRECT.<br>
-                            <br>
-                            If DNAT or REDIRECT is the ACTION and the ORIGINAL
-   DEST   column    is  left  empty,     any connection request arriving
-at   the firewall   from    the  SOURCE  that matches     the rule will be
-forwarded    or redirected.     This  works  fine  for connection     requests
-arriving    from the internet     where  the firewall   has only a single
-    external    IP address. When the    firewall  has multiple   external
-IP addresses or       when the SOURCE is   other than  the internet,  there
-will usually be   a desire     for the rule   to only apply  to those connection
-  requests    directed to a     particular    IP address (see  Example 2
-below for   another   usage). That IP     address    (or a comma-separated
+                               <li><b>    SOURCE</b> <b>PORTS(S) </b>- May
+ be  used   to  restrict     the   rule to a particular     client port or
+ port  range   (a port range  is   specified   as &lt;low port     number&gt;:&lt;high
+   port  number&gt;).  If  you don't want   to restrict client ports but
+    want to specify something    in the next column,   enter "-" in this
+column.    If     you wish to specify    a list of port number   or ranges,
+separate    the  list     elements with commas    (with no embedded white
+ space). Port   numbers  may be     either integers   or service names from
+/etc/services.</li>
+                               <li><b>ORIGINAL DEST</b> - This column may 
+only   be  non-empty      if  the   ACTION is DNAT     or     REDIRECT.<br>
+                               <br>
+                               If DNAT or REDIRECT is the ACTION and the
+ORIGINAL     DEST   column    is  left  empty,     any connection request
+arriving at   the firewall   from    the  SOURCE  that matches     the rule
+will be forwarded    or redirected.     This  works  fine  for connection
+    requests arriving    from the internet     where  the firewall   has
+only a single     external    IP address. When the    firewall  has multiple
+  external IP addresses or       when the SOURCE is   other than  the internet,
+ there will usually be   a desire     for the rule   to only apply  to those
+connection   requests    directed to a     particular    IP address (see
+ Example 2 below for   another   usage). That IP     address    (or a comma-separated 
  list of such addresses)     is specified in the     ORIGINAL DEST column.<br>
-                            <br>
-                            The IP address may be optionally followed by
-":"   and   a      second    IP  address. This latter address, if present,
-is used  as   the   source      address   for packets forwarded to the server
-(This  is  called   "Source  NAT"  or     SNAT).<br>
+                               <br>
+                               The IP address may be optionally followed
+by  ":"   and   a      second    IP  address. This latter address, if present, 
+ is used  as   the   source      address   for packets forwarded to the server 
+ (This  is  called   "Source  NAT"  or     SNAT).<br>
                                                                         
-    <br>
+       <br>
                                                                         
-    <b><font color="#ff6633">Note:  </font>    When using SNAT, it is a good
-idea to qualify the source with an IP address     or subnet. Otherwise, it
-is likely that SNAT will occur on connections other     than those described
-in the rule. The reason for this is that SNAT occurs in     the Netfilter
-POSTROUTING hook where it is not possible to restrict the scope     of a
+       <b><font color="#ff6633">Note:  </font>    When using SNAT, it is
+a  good idea to qualify the source with an IP address     or subnet. Otherwise,
+ it is likely that SNAT will occur on connections other     than those described 
+ in the rule. The reason for this is that SNAT occurs in     the Netfilter 
+ POSTROUTING hook where it is not possible to restrict the scope     of a 
 rule by incoming interface.     <br>
-                            <br>
-                                  </b>Example: DNAT     loc<u>:192.168.1.0/24</u> 
-            loc:192.168.1.3        tcp    www        -    206.124.146.179:192.168.1.3<b><br>
-                                  <br>
-                                  </b>If SNAT is not used (no ":" and second
-  IP  address),      the         original source address is used. If you
-want   any  destination     address    to match     the rule but want to
-specify   SNAT,  simply use a  colon  followed    by the SNAT     address.</li>
-                                                  
+                               <br>
+                                     </b>Example: DNAT     loc<u>:192.168.1.0/24</u>
+              loc:192.168.1.3        tcp    www        -    206.124.146.179:192.168.1.3<b><br>
+                                     <br>
+                                     </b>If SNAT is not used (no ":" and
+second    IP  address),      the         original source address is used.
+If you want   any  destination     address    to match     the rule but want
+to specify   SNAT,  simply use a  colon  followed    by the SNAT     address.</li>
+                                                        
 </ul>
                                                                         
                                                                         
-                                                     
+                                                           
 <p><b>   <font face="Century Gothic, Arial, Helvetica">   <a
- name="PortForward"></a>   </font>Example 1. </b> You wish to forward all
-            ssh connection requests from the    internet to local system
+ name="PortForward"></a>   </font>Example 1. </b> You wish to forward all 
+             ssh connection requests from the    internet to local system 
 192.168.1.3.      </p>
                                                                         
-                            
-<blockquote>                                                 <font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                        
-            <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
-                                                                        
-                 </tr>
-                                <tr>
-                                  <td>DNAT</td>
-                                  <td>net</td>
-                                  <td>loc:192.168.1.3</td>
-                                  <td>tcp</td>
-                                  <td>ssh</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-          
-    </tbody>                                                            
-                                                                        
-                                                                        
-           
-  </table>
-                        </blockquote>
-                                                                        
-                               
-<p><b>   Example 2. </b> You want to redirect all local www connection requests
-            EXCEPT                                                  those
-to   your     own    http server                                        
-         (206.124.146.177)         to a Squid                           
-                      transparent       proxy  running on the firewall and
-listening   on port 3128. Squid    will     of course  require access to
-remote web servers.  This example shows yet                             
-                      another use for the ORIGINAL                      
-                                DEST column; here, connection           
-                                           requests  that were NOT      
-                                             <a href="#GettingStarted"> 
-                                               (notice the "!")</a> originally
-                                                    destined to 206.124.146.177
-    are                                                  redirected to local
-   port  3128.</p>
-                                                                        
                                   
-<blockquote>                                                   <font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
+<blockquote>                                                 <font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
+                                   <tbody>
                                                                         
-              <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
+               <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
                                                                         
-                   </tr>
-                                <tr>
-                                  <td>REDIRECT</td>
-                                  <td>loc</td>
-                                  <td>3128</td>
-                                  <td>tcp</td>
-                                  <td>www</td>
-                                  <td> -<br>
-                  </td>
-                                  <td>!206.124.146.177</td>
-                                </tr>
-                                <tr>
-                                  <td>ACCEPT</td>
-                                  <td>fw</td>
-                                  <td>net</td>
-                                  <td>tcp</td>
-                                  <td>www</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                    </tr>
+                                   <tr>
+                                     <td>DNAT</td>
+                                     <td>net</td>
+                                     <td>loc:192.168.1.3</td>
+                                     <td>tcp</td>
+                                     <td>ssh</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                
-    </tbody>                                                            
+                            
+    </tbody>                                                             
                                                                         
                                                                         
-                 
+                   
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
                                      
-<p><b>Example 3. </b> You want to run a web server at 155.186.235.222 in
-your  DMZ    and have it accessible remotely and locally. the DMZ is managed
-         by  Proxy ARP   or by classical sub-netting.</p>
+<p><b>   Example 2. </b> You want to redirect all local www connection requests 
+             EXCEPT                                                  those 
+ to   your     own    http server                                        
+         (206.124.146.177)         to a Squid                           
+                      transparent       proxy  running on the firewall and 
+ listening   on port 3128. Squid    will     of course  require access to 
+remote web servers.  This example shows yet                              
+                     another use for the ORIGINAL                       
+                               DEST column; here, connection            
+                                          requests  that were NOT       
+                                            <a href="#GettingStarted">  
+                                              (notice the "!")</a> originally 
+                                                    destined to 206.124.146.177 
+     are                                                  redirected to local 
+    port  3128.</p>
                                                                         
                                         
-<blockquote>                                                     <font
- face="Century Gothic, Arial, Helvetica">          </font><font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
+<blockquote>                                                   <font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
+                                   <tbody>
                                                                         
-                <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
+                 <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
                                                                         
-                     </tr>
-                                <tr>
-                                  <td>ACCEPT</td>
-                                  <td>net</td>
-                                  <td>dmz:155.186.235.222</td>
-                                  <td>tcp</td>
-                                  <td>www</td>
-                                  <td>-</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                        <tr>
-                                  <td>ACCEPT</td>
-                                  <td>loc</td>
-                                  <td>dmz:155.186.235.222</td>
-                                  <td>tcp</td>
-                                  <td>www</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                      </tr>
+                                   <tr>
+                                     <td>REDIRECT</td>
+                                     <td>loc</td>
+                                     <td>3128</td>
+                                     <td>tcp</td>
+                                     <td>www</td>
+                                     <td> -<br>
+                     </td>
+                                     <td>!206.124.146.177</td>
+                                   </tr>
+                                   <tr>
+                                     <td>ACCEPT</td>
+                                     <td>fw</td>
+                                     <td>net</td>
+                                     <td>tcp</td>
+                                     <td>www</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                      
-    </tbody>                                                            
+                                  
+    </tbody>                                                             
                                                                         
                                                                         
-                       
+                         
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
                                            
-<p><b>   Example 4. </b> You want to run wu-ftpd on 192.168.2.2 in your masqueraded
-                DMZ. Your internet interface address is 155.186.235.151 and
-  you    want     the  FTP   server to be accessible from the internet in
-addition      to the   local   192.168.1.0/24 and dmz 192.168.2.0/24    
-subnetworks.    Note  that  since the   server is in the 192.168.2.0/24 subnetwork,
+<p><b>Example 3. </b> You want to run a web server at 155.186.235.222 in your
+ DMZ    and have it accessible remotely and locally. the DMZ is managed 
+        by  Proxy ARP   or by classical sub-netting.</p>
+                                                                        
+                                              
+<blockquote>                                                     <font
+ face="Century Gothic, Arial, Helvetica">          </font><font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                        
+                   <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
+                                                                        
+                        </tr>
+                                   <tr>
+                                     <td>ACCEPT</td>
+                                     <td>net</td>
+                                     <td>dmz:155.186.235.222</td>
+                                     <td>tcp</td>
+                                     <td>www</td>
+                                     <td>-</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                           <tr>
+                                     <td>ACCEPT</td>
+                                     <td>loc</td>
+                                     <td>dmz:155.186.235.222</td>
+                                     <td>tcp</td>
+                                     <td>www</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                        
+    </tbody>                                                             
+                                                                        
+                                                                        
+                               
+  </table>
+                           </blockquote>
+                                                                        
+                                                 
+<p><b>   Example 4. </b> You want to run wu-ftpd on 192.168.2.2 in your masqueraded 
+                 DMZ. Your internet interface address is 155.186.235.151 and
+   you    want     the  FTP   server to be accessible from the internet in
+ addition      to the   local   192.168.1.0/24 and dmz 192.168.2.0/24   
+ subnetworks.    Note  that  since the   server is in the 192.168.2.0/24 subnetwork,
  we    can assume   that access  to the server from that subnet will not
 involve     the   firewall   (<a href="FAQ.htm#faq2">but see FAQ 2</a>).
 Note that  unless   you                                                 
@@ -1772,332 +1742,334 @@ Note that  unless   you
                                            cannot leave it blank in the 
                                                     second rule though because
                                                      then <u>all ftp connections</u>
-                                                      originating in the
+                                                       originating in the
 local                                                        subnet 192.168.1.0/24
-  would                                                      be sent to 192.168.2.2
-    <u>                                                     regardless of
-the    site that                                                      the
-user  was  trying to                                                    
- connect  to</u>.  That is                                              
-       clearly  not what you want                                       
-             <img border="0" src="images/SY00079.gif" width="20"
- height="20" align="top">
-                        .</p>
+   would                                                      be sent to
+192.168.2.2      <u>                                                    
+regardless of  the    site that                                         
+            the  user  was  trying to                                   
+                  connect  to</u>.  That is                             
+                        clearly  not what you want                      
+                              <img border="0" src="images/SY00079.gif"
+ width="20" height="20" align="top">
+                           .</p>
                                                                         
-                                              
+                                                    
 <blockquote>                                                       <font
  face="Century Gothic, Arial, Helvetica">          </font><font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
+                                   <tbody>
                                                                         
-                  <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
+                     <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
                                                                         
-                       </tr>
-                                <tr>
-                                  <td>DNAT</td>
-                                  <td>net</td>
-                                  <td>dmz:192.168.2.2</td>
-                                  <td>tcp</td>
-                                  <td>ftp</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                <tr>
-                                  <td>DNAT</td>
-                                  <td>loc:192.168.1.0/24</td>
-                                  <td>dmz:192.168.2.2</td>
-                                  <td>tcp</td>
-                                  <td>ftp</td>
-                                  <td>-</td>
-                                            <td>155.186.235.151</td>
-                                </tr>
+                          </tr>
+                                   <tr>
+                                     <td>DNAT</td>
+                                     <td>net</td>
+                                     <td>dmz:192.168.2.2</td>
+                                     <td>tcp</td>
+                                     <td>ftp</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                   <tr>
+                                     <td>DNAT</td>
+                                     <td>loc:192.168.1.0/24</td>
+                                     <td>dmz:192.168.2.2</td>
+                                     <td>tcp</td>
+                                     <td>ftp</td>
+                                     <td>-</td>
+                                               <td>155.186.235.151</td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                            
-    </tbody>                                                            
+                                              
+    </tbody>                                                             
                                                                         
                                                                         
-                             
+                                     
   </table>
-                        </blockquote>
-                                                                        
-                                                                        
-                                                                       
-<p>If you are running  wu-ftpd, you should restrict the range of passive
-  in your   /etc/ftpaccess  file. I only need a few simultaneous FTP sessions
-            so I use port   range 65500-65535.  In /etc/ftpaccess, this entry
-    is   appropriate:</p>
-                                                                        
-                                                                        
-                                                                         
-<blockquote>                                                            
-                                                                        
-                                                                        
-                                         
-  <p>   passive ports   0.0.0.0/0 65500 65534</p>
-                              </blockquote>
-                                                                        
-                                                                        
-                                                                        
-      
-<p>If you are running  pure-ftpd, you would include "-p   65500:65534" on
-            the pure-ftpd runline.</p>
-                                                                        
-                                                                        
-                                                                        
-      
-<p>The important point here is to ensure that the port range used for FTP
-              passive connections is unique and will not overlap with any
-usage      on   the     firewall system.</p>
-                                                                        
-                                                                        
-                                                                        
-      
-<p><b>Example 5. </b>You                                                
-         wish to allow unlimited                                        
-                 DMZ access to the host                                 
-                        with MAC address                                
-                         02:00:08:E3:FA:55.</p>
-                                                                        
-                                                                        
-                                                                        
-      
-<blockquote>                                                           <font
- face="Century Gothic, Arial, Helvetica">          </font>               
-                                                       
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                                                        
-          <tbody>
-                              <tr>
-                             <td><b>ACTION</b></td>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>   PROTO</b></td>
-                                  <td><b>DEST<br>
-                           PORT(S)</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>ORIGINAL<br>
-                                  DEST</b></td>
-                                                                        
-                 </tr>
-                                <tr>
-                                  <td>ACCEPT</td>
-                                  <td>loc:~02-00-08-E3-FA-55</td>
-                                  <td>dmz</td>
-                                  <td>all</td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-         
-    </tbody>                                                            
-           
-  </table>
-                          </blockquote>
-                                                                        
-                                                                        
-                                                              <b>Example
-6.</b>    You   wish   to allow access to the SMTP server in your DMZ from
-all zones.<br>
-                                 
-<blockquote>                                                   
-  <table cellpadding="2" cellspacing="0" border="1">
-                     <tbody>
-                       <tr>
-                         <td valign="top"><b>ACTION</b><br>
-                         </td>
-                         <td valign="top"><b>SOURCE<br>
-                         </b></td>
-                         <td valign="top"><b>DEST<br>
-                         </b></td>
-                         <td valign="top"><b>PROTO<br>
-                         </b></td>
-                         <td valign="top"><b>DEST<br>
-                 PORT(S)<br>
-                         </b></td>
-                         <td valign="top"><b>SOURCE<br>
-                 PORT(S)<br>
-                         </b></td>
-                         <td valign="top"><b>ORIGINAL<br>
-                 DEST<br>
-                         </b></td>
-                       </tr>
-                       <tr>
-                         <td valign="top">ACCEPT<br>
-                         </td>
-                         <td valign="top">all<br>
-                         </td>
-                         <td valign="top">dmz<br>
-                         </td>
-                         <td valign="top">tcp<br>
-                         </td>
-                         <td valign="top">25<br>
-                         </td>
-                         <td valign="top"><br>
-                         </td>
-                         <td valign="top"><br>
-                         </td>
-                       </tr>
-                                                                        
-                            
-    </tbody>                                                   
-  </table>
-                   <br>
-                 Note: When 'all' is used as a source or destination, intra-zone
-    traffic     is not affected. In this example, if there were two DMZ interfaces
-    then   the  above rule would NOT enable SMTP traffic between hosts on
-these    interfaces.<br>
-            </blockquote>
-            <b>Example 7 (For advanced users running Shorewall version 1.3.13 
-  or  later).   </b>From the internet, you with to forward tcp port 25 directed
-    to 192.0.2.178   and 192.0.2.179 to host 192.0.2.177 in your DMZ. You
-also    want to allow access  from the internet directly to tcp port 25 on
-192.0.2.177.    <br>
-                       
-<blockquote>                                    
-  <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>ACTION</b><br>
-                   </td>
-                   <td valign="top"><b>SOURCE<br>
-                   </b></td>
-                   <td valign="top"><b>DEST<br>
-                   </b></td>
-                   <td valign="top"><b>PROTO<br>
-                   </b></td>
-                   <td valign="top"><b>DEST<br>
-             PORT(S)<br>
-                   </b></td>
-                   <td valign="top"><b>SOURCE<br>
-             PORT(S)<br>
-                   </b></td>
-                   <td valign="top"><b>ORIGINAL<br>
-             DEST<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">DNAT-<br>
-                   </td>
-                   <td valign="top">net<br>
-                   </td>
-                   <td valign="top">dmz:192.0.2.177<br>
-                   </td>
-                   <td valign="top">tcp<br>
-                   </td>
-                   <td valign="top">25<br>
-                   </td>
-                   <td valign="top">0<br>
-                   </td>
-                   <td valign="top">192.0.2.178<br>
-                   </td>
-                 </tr>
-                 <tr>
-                   <td valign="top">DNAT-<br>
-                   </td>
-                   <td valign="top">net<br>
-                   </td>
-                   <td valign="top">dmz:192.0.2.177<br>
-                   </td>
-                   <td valign="top">tcp<br>
-                   </td>
-                   <td valign="top">25<br>
-                   </td>
-                   <td valign="top">0<br>
-                   </td>
-                   <td valign="top">192.0.2.179<br>
-                   </td>
-                 </tr>
-                 <tr>
-                   <td valign="top">ACCEPT<br>
-                   </td>
-                   <td valign="top">net<br>
-                   </td>
-                   <td valign="top">dmz:192.0.2.177<br>
-                   </td>
-                   <td valign="top">tcp<br>
-                   </td>
-                   <td valign="top">25<br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                 </tr>
-                                                                        
-  
-    </tbody>                                     
-  </table>
-            </blockquote>
-            Using "DNAT-" rather than "DNAT" avoids two extra copies of the 
- third    rule  from being generated.<br>
-                                 
-<p><a href="ports.htm">Look here for information on other services.</a> 
-                                                             </p>
+                           </blockquote>
                                                                         
                                                                         
                                                                         
     
-<h2><a name="Common">                                                   
-     </a>/etc/shorewall/common</h2>
+<p>If you are running  wu-ftpd, you should restrict the range of passive 
+ in your   /etc/ftpaccess  file. I only need a few simultaneous FTP sessions 
+             so I use port   range 65500-65535.  In /etc/ftpaccess, this entry
+     is   appropriate:</p>
                                                                         
                                                                         
                                                                         
       
-<p>Shorewall allows                                                     
-    definition of rules that                                            
-             apply between all zones.                                   
-                      By default, these rules                           
-                              are defined in the file                   
-                                      /etc/shorewall/common.def         
-                                                but may be modified to  
-                                                       suit individual  
-                                                       requirements. Rather
-                                                                     than
-modify                                                                /etc/shorewall/common.def,
-                                                                     you
-should       copy     that                                              
-           file   to                                                    
-     /etc/shorewall/common                                              
-                      and modify      that     file.</p>
+<blockquote>                                                             
+                                                                        
+                                                                        
+                                                 
+  <p>   passive ports   0.0.0.0/0 65500 65534</p>
+                                 </blockquote>
                                                                         
                                                                         
                                                                         
-      
-<p>The                                                          /etc/shorewall/common
-                                                                     file
-is   expected         to                                                
+            
+<p>If you are running  pure-ftpd, you would include "-p   65500:65534" on 
+             the pure-ftpd runline.</p>
+                                                                        
+                                                                        
+                                                                        
+            
+<p>The important point here is to ensure that the port range used for FTP 
+               passive connections is unique and will not overlap with any 
+ usage      on   the     firewall system.</p>
+                                                                        
+                                                                        
+                                                                        
+            
+<p><b>Example 5. </b>You                                                 
+        wish to allow unlimited                                         
+                DMZ access to the host                                  
+                       with MAC address                                 
+                        02:00:08:E3:FA:55.</p>
+                                                                        
+                                                                        
+                                                                        
+            
+<blockquote>                                                           <font
+ face="Century Gothic, Arial, Helvetica">          </font>              
+                                                                 
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                                                        
+             <tbody>
+                                 <tr>
+                                <td><b>ACTION</b></td>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>   PROTO</b></td>
+                                     <td><b>DEST<br>
+                              PORT(S)</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>ORIGINAL<br>
+                                     DEST</b></td>
+                                                                        
+                    </tr>
+                                   <tr>
+                                     <td>ACCEPT</td>
+                                     <td>loc:~02-00-08-E3-FA-55</td>
+                                     <td>dmz</td>
+                                     <td>all</td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                           
+    </tbody>                                                             
+                   
+  </table>
+                             </blockquote>
+                                                                        
+                                                                        
+                                                                 <b>Example 
+ 6.</b>    You   wish   to allow access to the SMTP server in your DMZ from 
+ all zones.<br>
+                                       
+<blockquote>                                                            
+  <table cellpadding="2" cellspacing="0" border="1">
+                        <tbody>
+                          <tr>
+                            <td valign="top"><b>ACTION</b><br>
+                            </td>
+                            <td valign="top"><b>SOURCE<br>
+                            </b></td>
+                            <td valign="top"><b>DEST<br>
+                            </b></td>
+                            <td valign="top"><b>PROTO<br>
+                            </b></td>
+                            <td valign="top"><b>DEST<br>
+                    PORT(S)<br>
+                            </b></td>
+                            <td valign="top"><b>SOURCE<br>
+                    PORT(S)<br>
+                            </b></td>
+                            <td valign="top"><b>ORIGINAL<br>
+                    DEST<br>
+                            </b></td>
+                          </tr>
+                          <tr>
+                            <td valign="top">ACCEPT<br>
+                            </td>
+                            <td valign="top">all<br>
+                            </td>
+                            <td valign="top">dmz<br>
+                            </td>
+                            <td valign="top">tcp<br>
+                            </td>
+                            <td valign="top">25<br>
+                            </td>
+                            <td valign="top"><br>
+                            </td>
+                            <td valign="top"><br>
+                            </td>
+                          </tr>
+                                                                        
+                                              
+    </tbody>                                                            
+  </table>
+                      <br>
+                    Note: When 'all' is used as a source or destination,
+intra-zone      traffic     is not affected. In this example, if there were
+two DMZ interfaces      then   the  above rule would NOT enable SMTP traffic
+between hosts on  these    interfaces.<br>
+               </blockquote>
+               <b>Example 7 (For advanced users running Shorewall version 
+1.3.13    or  later).   </b>From the internet, you with to forward tcp port 
+25 directed      to 192.0.2.178   and 192.0.2.179 to host 192.0.2.177 in your
+DMZ. You  also    want to allow access  from the internet directly to tcp
+port 25 on  192.0.2.177.    <br>
+                             
+<blockquote>                                             
+  <table cellpadding="2" cellspacing="0" border="1">
+                  <tbody>
+                    <tr>
+                      <td valign="top"><b>ACTION</b><br>
+                      </td>
+                      <td valign="top"><b>SOURCE<br>
+                      </b></td>
+                      <td valign="top"><b>DEST<br>
+                      </b></td>
+                      <td valign="top"><b>PROTO<br>
+                      </b></td>
+                      <td valign="top"><b>DEST<br>
+                PORT(S)<br>
+                      </b></td>
+                      <td valign="top"><b>SOURCE<br>
+                PORT(S)<br>
+                      </b></td>
+                      <td valign="top"><b>ORIGINAL<br>
+                DEST<br>
+                      </b></td>
+                    </tr>
+                    <tr>
+                      <td valign="top">DNAT-<br>
+                      </td>
+                      <td valign="top">net<br>
+                      </td>
+                      <td valign="top">dmz:192.0.2.177<br>
+                      </td>
+                      <td valign="top">tcp<br>
+                      </td>
+                      <td valign="top">25<br>
+                      </td>
+                      <td valign="top">0<br>
+                      </td>
+                      <td valign="top">192.0.2.178<br>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td valign="top">DNAT-<br>
+                      </td>
+                      <td valign="top">net<br>
+                      </td>
+                      <td valign="top">dmz:192.0.2.177<br>
+                      </td>
+                      <td valign="top">tcp<br>
+                      </td>
+                      <td valign="top">25<br>
+                      </td>
+                      <td valign="top">0<br>
+                      </td>
+                      <td valign="top">192.0.2.179<br>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td valign="top">ACCEPT<br>
+                      </td>
+                      <td valign="top">net<br>
+                      </td>
+                      <td valign="top">dmz:192.0.2.177<br>
+                      </td>
+                      <td valign="top">tcp<br>
+                      </td>
+                      <td valign="top">25<br>
+                      </td>
+                      <td valign="top"><br>
+                      </td>
+                      <td valign="top"><br>
+                      </td>
+                    </tr>
+                                                                        
+                    
+    </tbody>                                              
+  </table>
+               </blockquote>
+               Using "DNAT-" rather than "DNAT" avoids two extra copies of
+ the   third    rule  from being generated.<br>
+                                       
+<p><a href="ports.htm">Look here for information on other services.</a>  
+                                                            </p>
+                                                                        
+                                                                        
+                                                                        
+          
+<h2><a name="Common">                                                    
+    </a>/etc/shorewall/common</h2>
+                                                                        
+                                                                        
+                                                                        
+            
+<p>Shorewall allows                                                      
+   definition of rules that                                             
+            apply between all zones.                                    
+                     By default, these rules                            
+                             are defined in the file                    
+                                     /etc/shorewall/common.def          
+                                               but may be modified to   
+                                                      suit individual   
+                                                      requirements. Rather 
+                                                                      than 
+ modify                                                                /etc/shorewall/common.def, 
+                                                                      you 
+should       copy     that                                               
+          file   to                                                     
+    /etc/shorewall/common                                               
+                     and modify      that     file.</p>
+                                                                        
+                                                                        
+                                                                        
+            
+<p>The                                                          /etc/shorewall/common 
+                                                                      file 
+ is   expected         to                                                
          contain   iptables                                             
                  commands;   rather      than                           
                               running  iptables                         
                                    directly,  you should   run          
-                                               it indirectly   using the
-                                                         Shorewall   function
- 'run_iptables'.                                                        
+                                               it indirectly   using the 
+                                                        Shorewall   function 
+  'run_iptables'.                                                        
  That way, if iptables                                                  
        encounters an error,   the                                       
                   firewall will   be safely                             
@@ -2105,136 +2077,139 @@ is   expected         to
                                                                         
                                                                         
                                                                         
-      
-<h2><a name="Masq"></a>                                                 
-       /etc/shorewall/masq</h2>
+            
+<h2><a name="Masq"></a>                                                  
+      /etc/shorewall/masq</h2>
                                                                         
                                                                         
                                                                         
-      
-<p>The /etc/shorewall/masq  file is used to define classical IP   Masquerading
-            and Source Network Address Translation  (SNAT). There is one
-entry      in    the   file for each subnet that   you want to masquerade.
+            
+<p>The /etc/shorewall/masq  file is used to define classical IP   Masquerading 
+             and Source Network Address Translation  (SNAT). There is one 
+entry      in    the   file for each subnet that   you want to masquerade. 
 In order     to make    use  of this feature, you must have <a
  href="#NatEnabled">NAT      enabled</a>      .</p>
                                                                         
                                                                         
                                                                         
-      
+            
 <p> Columns are:</p>
-                                                  
+                                                        
 <ul>
-                            <li><b>   INTERFACE</b> - The interface that
-will   masquerade      the   subnet;   this is       normally your internet
-interface.   This interface      name can be  optionally        qualified
-by adding ":"   and a subnet or   host   IP. When this        qualification
- is added, only   packets addressed   to that  host or subnet  will     
- be masqueraded.  Beginning with Shorewall version 1.3.14, if you have set
-ADD_SNAT_ALIASES=Yes  in <a href="#Conf">/etc/shorewall/shorewall.conf</a>,
-you can cause Shorewall  to create an alias <i>label </i>of the form <i>interfacename:digit
-    </i>(e.g.,  eth0:0) by placing that label in this column. See example
-5 below. Alias labels created in this way allow the alias to be visible to
-the ipconfig utility.     <b>THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
-FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.</b></li>
-                            <li><b>   SUBNET</b> - The subnet that you want 
- to  have   masqueraded       through the     INTERFACE. This may be expressed
-   as a single  IP address,      a subnet or an     interface name. In the
- latter  instance,  the interface     must be configured and     started
-before  Shorewall  is started as Shorewall     will determine the subnet
-    based  on information   obtained from the 'ip'     utility. <b><font
- color="#ff0000">When using Shorewall 1.3.13 or earlier, when an interface 
- name is specified, Shorewall will only masquerade traffic from the first 
-subnetwork on the named interface; if the interface interfaces to more that 
-one subnetwork, you will need to add additional entries to this file for each
-of those other subnetworks. Beginning with Shorewall 1.3.14, shorewall will
-masquerade/SNAT traffic from any host that is routed through the named interface.</font></b><br>
-                            <br>
-                            The subnet may be optionally followed by "!'
-    and   a  comma-separated        list of addresses and/or subnets that 
-are  to be       excluded from masquerading.</li>
-                            <li><b>ADDRESS</b> - The source address to be 
-used       for   outgoing     packets. This column is optional and if left 
-blank,    the  current       primary     IP address of the interface in the 
-first  column   is used.  If you have     a static IP on that interface, listing
- it here  makes processing   of output        packets a little less expensive
- for the  firewall. If you specify an address in this column, it must be
-an  IP address  configured on the INTERFACE or you must have ADD_SNAT_ALIASES
-  enabled in     <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                                                  
+                               <li><b>   INTERFACE</b> - The interface that 
+ will   masquerade      the   subnet;   this is       normally your internet 
+ interface.   This interface      name can be  optionally        qualified 
+ by adding ":"   and a subnet or   host   IP. When this        qualification 
+  is added, only   packets addressed   to that  host or subnet  will     
+ be masqueraded.  Beginning with Shorewall version 1.3.14, if you have set 
+ ADD_SNAT_ALIASES=Yes  in <a href="#Conf">/etc/shorewall/shorewall.conf</a>, 
+ you can cause Shorewall  to create an alias <i>label </i>of the form <i>interfacename:digit 
+     </i>(e.g.,  eth0:0) by placing that label in this column. See example 
+ 5 below. Alias labels created in this way allow the alias to be visible to
+ the ipconfig utility.     <b>THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
+ FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.</b></li>
+                               <li><b>   SUBNET</b> - The subnet that you 
+want   to  have   masqueraded       through the     INTERFACE. This may be 
+expressed     as a single  IP address,      a subnet or an     interface name.
+In the   latter  instance,  the interface     must be configured and    
+started before  Shorewall  is started as Shorewall     will determine the
+subnet     based  on information   obtained from the 'ip'     utility.  
+  <b><font color="#ff0000">When using Shorewall 1.3.13 or earlier, when an
+interface   name is specified, Shorewall will only masquerade traffic from
+the first  subnetwork on the named interface; if the interface interfaces 
+to more that  one subnetwork, you will need to add additional entries to this
+file for each of those other subnetworks. Beginning with Shorewall 1.3.14, 
+shorewall will masquerade/SNAT traffic from any host that is routed through 
+the named interface.</font></b><br>
+                               <br>
+                               The subnet may be optionally followed by "!' 
+     and   a  comma-separated        list of addresses and/or subnets that
+  are  to be       excluded from masquerading.</li>
+                               <li><b>ADDRESS</b> - The source address to 
+be  used       for   outgoing     packets. This column is optional and if 
+left  blank,    the  current       primary     IP address of the interface 
+in the  first  column   is used.  If you have     a static IP on that interface,
+ listing  it here  makes processing   of output        packets a little less
+ expensive  for the  firewall. If you specify an address in this column,
+it  must be an  IP address  configured on the INTERFACE or you must have
+ADD_SNAT_ALIASES    enabled in     <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li>
+                                                        
 </ul>
                                                                         
                                                                         
-                 
-<p><b>   Example 1: </b> You have eth0 connected to a cable modem and eth1
-            connected  to   your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq
-            file would look   like:    </p>
-                                                                        
-                                                         
-<blockquote>                                                             
-                                                                     
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                        
-                      <tr>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   SUBNET</b></td>
-                                  <td><b>ADDRESS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>eth0</td>
-                                  <td>192.168.9.0/24</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                        
-    </tbody>                                                            
-                                                                        
-                                                                        
-                                         
-  </table>
-                        </blockquote>
-                                                                        
-                                                               
-<p><b>   Example 2:</b> You have a number of IPSEC tunnels through ipsec0
-              and you  want to masquerade traffic from your 192.168.9.0/24
- subnet       to   the   remote  subnet 10.1.0.0/16 only.</p>
+                       
+<p><b>   Example 1: </b> You have eth0 connected to a cable modem and eth1 
+             connected  to   your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq 
+             file would look   like:    </p>
                                                                         
                                                                
 <blockquote>                                                            
-                                                                       
+                                                                        
+     
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
+                                   <tbody>
                                                                         
-                        <tr>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   SUBNET</b></td>
-                                  <td><b>ADDRESS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>ipsec0:10.1.0.0/16</td>
-                                  <td>192.168.9.0/24</td>
-                                  <td> <br>
-                  </td>
-                                </tr>
+                         <tr>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   SUBNET</b></td>
+                                     <td><b>ADDRESS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>eth0</td>
+                                     <td>192.168.9.0/24</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                                              
-    </tbody>                                                            
+                                                          
+    </tbody>                                                             
                                                                         
                                                                         
-                                               
+                                                 
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
-                                                                   
-<p><b>   Example 3:</b> You have a DSL line connected on eth0 and a local
-            network                                                     
+                                                                     
+<p><b>   Example 2:</b> You have a number of IPSEC tunnels through ipsec0 
+               and you  want to masquerade traffic from your 192.168.9.0/24 
+  subnet       to   the   remote  subnet 10.1.0.0/16 only.</p>
+                                                                        
+                                                                     
+<blockquote>                                                             
+                                                                        
+     
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                        
+                           <tr>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   SUBNET</b></td>
+                                     <td><b>ADDRESS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>ipsec0:10.1.0.0/16</td>
+                                     <td>192.168.9.0/24</td>
+                                     <td> <br>
+                     </td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                
+    </tbody>                                                             
+                                                                        
+                                                                        
+                                                       
+  </table>
+                           </blockquote>
+                                                                        
+                                                                         
+<p><b>   Example 3:</b> You have a DSL line connected on eth0 and a local 
+             network                                                     
      (192.168.10.0/24)                                                  
                connected  to   eth1.  You                               
                            want   all local-&gt;net                     
@@ -2242,313 +2217,313 @@ an  IP address  configured on the INTERFACE or you must have ADD_SNAT_ALIASES
                                             source address              
                                               206.124.146.176.</p>
                                                                         
-      
-<blockquote>                                                             
-             
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                                                                        
-                    <tbody>
-                              <tr>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   SUBNET</b></td>
-                                  <td><b>ADDRESS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>eth0</td>
-                                  <td>192.168.10.0/24</td>
-                                  <td>206.124.146.176</td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                       
-    </tbody>                                                            
-           
-  </table>
-                          </blockquote>
-                                                                        
-                                                                     
-<p><b>Example 4: </b>                                                   
-         Same as example 3                                              
-               except that you wish                                     
-                        to exclude                                      
-                       192.168.10.44 and                                
-                             192.168.10.45 from                         
-                                    the SNAT rule.</p>
-                                                                        
-                                                                        
-                                                                        
-                
+            
 <blockquote>                                                            
-                                                                        
- 
+                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
                                                                         
-                    <tbody>
-                              <tr>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   SUBNET</b></td>
-                                  <td><b>ADDRESS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>eth0</td>
-                                  <td>192.168.10.0/24!192.168.10.44,192.168.10.45</td>
-                                  <td>206.124.146.176</td>
-                                </tr>
+                       <tbody>
+                                 <tr>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   SUBNET</b></td>
+                                     <td><b>ADDRESS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>eth0</td>
+                                     <td>192.168.10.0/24</td>
+                                     <td>206.124.146.176</td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                                       
-    </tbody>                                                            
-           
+                                                         
+    </tbody>                                                             
+                   
   </table>
-                          </blockquote>
+                             </blockquote>
                                                                         
-                                                                   <b>Example
- 5 (Shorewall version &gt;= 1.3.14): </b>You have a second IP address (206.124.146.177)
- assigned to you and wish to use it for SNAT of the subnet 192.168.12.0/24.
- You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes
- in <a href="#Conf">/etc/shorewall/shorewall.conf</a>.<br>
-   
+                                                                        
+  
+<p><b>Example 4: </b>                                                    
+        Same as example 3                                               
+              except that you wish                                      
+                       to exclude                                       
+                      192.168.10.44 and                                 
+                            192.168.10.45 from                          
+                                   the SNAT rule.</p>
+                                                                        
+                                                                        
+                                                                        
+                      
 <blockquote>                                                             
-             
+                                                                        
+         
   <table border="1" cellpadding="2" style="border-collapse: collapse;">
                                                                         
-                    <tbody>
-                              <tr>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   SUBNET</b></td>
-                                  <td><b>ADDRESS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>eth0:0</td>
-                                  <td>192.168.12.0/24</td>
-                                  <td>206.124.146.177</td>
-                                </tr>
+                       <tbody>
+                                 <tr>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   SUBNET</b></td>
+                                     <td><b>ADDRESS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>eth0</td>
+                                     <td>192.168.10.0/24!192.168.10.44,192.168.10.45</td>
+                                     <td>206.124.146.176</td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                                       
-    </tbody>                                                            
-           
+                                                         
+    </tbody>                                                             
+                   
   </table>
-                          </blockquote>
-   
-<h2><font color="#660066"><b><a name="ProxyArp"></a>                    
-                                          </b></font>/etc/shorewall/proxyarp</h2>
+                             </blockquote>
+                                                                        
+                                                                      <b>Example 
+  5 (Shorewall version &gt;= 1.3.14): </b>You have a second IP address (206.124.146.177) 
+  assigned to you and wish to use it for SNAT of the subnet 192.168.12.0/24. 
+  You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes 
+  in <a href="#Conf">/etc/shorewall/shorewall.conf</a>.<br>
+         
+<blockquote>                                                            
+                       
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                                                        
+                       <tbody>
+                                 <tr>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   SUBNET</b></td>
+                                     <td><b>ADDRESS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>eth0:0</td>
+                                     <td>192.168.12.0/24</td>
+                                     <td>206.124.146.177</td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
-                
-<p>If you want to                                                       
-      use proxy ARP on an                                               
-              entire sub-network,                                       
-                      I suggest that you                                
-                             look at                                    
-                        <a
- href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">               
-                                             http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>.
                                                                         
+                                                         
+    </tbody>                                                             
+                   
+  </table>
+                             </blockquote>
+         
+<h2><font color="#660066"><b><a name="ProxyArp"></a>                     
+                                         </b></font>/etc/shorewall/proxyarp</h2>
+                                                                        
+                                                                        
+                                                                        
+                      
+<p>If you want to                                                        
+     use proxy ARP on an                                                
+             entire sub-network,                                        
+                     I suggest that you                                 
+                            look at                                     
+                       <a
+ href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">                
+                                            http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. 
+                                                                         
 If   you    decide      to use                                          
                    the    technique                                     
                          described  in  that                            
                                  HOWTO,   you can set                   
                                           the proxy_arp flag            
                                                  for an interface       
-                                                      (/proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp)
-                                                                      by
-including          the <b>                                              
-              proxyarp</b>         option                               
-                              in   the   interface's                    
-                                         record in                      
-                                      <a href="#Interfaces">            
-                                                /etc/shorewall/interfaces</a>.
-                                                             When using Proxy
-ARP                                                                sub-netting,
-   you do                                                             <u>NOT</u>
-   include                                                              any
-  entries in                                                            
- /etc/shorewall/proxyarp.            </p>
-                                                                        
-                                                                        
-                                                                        
-                
-<p>The /etc/shorewall/proxyarp  file is used to define <a
- href="ProxyARP.htm">Proxy ARP</a>. The file is                         
-                                    typically used for                  
-                                           enabling Proxy ARP           
-                                                  on a small set of     
-                                                        systems since you
-                                                             need one entry
-            in                                                          
-   this     file     for each                                           
-                  system    using proxy                                 
-                            ARP. Columns are:</p>
-                                                  
-<ul>
-                            <li><b>   ADDRESS</b> - address of the system.</li>
-                            <li><b>   INTERFACE</b> - the interface that
-connects     to  the   system.     If the interface  is      obvious from
-the subnetting,      you may   enter "-"    in this column.</li>
-                            <li><b>   EXTERNAL</b> - the external interface 
- that   you   want   to  honor   ARP requests       for the ADDRESS specified 
- in  the first   column.</li>
-                            <li><b>HAVEROUTE</b> - If                   
-                                             you already have           
-                                                     a route through    
-                                                            INTERFACE to
-                                                                ADDRESS,
-this                                                                   column 
-should                                                                   
- contain                                                                
-  "Yes"                                                                 or
-                                                                "yes".  
-                                                              If you want 
-                                                                Shorewall 
-to add                                                                 the 
-route,      the                                                          
-        column    should                                                
-                    contain                                             
-                     "No"                                               
-                 or                                                     
-            "no".</li>
-                                                  
-</ul>
-                                                  
-<p><font color="#cc6666"><b>Note: After you have made a change to the   /etc/shorewall/proxyarp
-            file, you may need to flush the ARP cache of all   routers on
-the    LAN    segment    connected to the interface specified in the EXTERNAL
-   column   of the change/added    entry(s). If you are having problems communicating
-         between an individual    host (A) on that segment and a system whose
-    entry    has   changed, you may   need to flush the ARP cache on host
-A  as  well.</b></font></p>
-                                                                        
-                                                                        
-                                
-<p><font color="#cc6666"><b>ISPs typically have ARP configured with long
-TTL   (hours!) so if your ISPs router has a stale cache entry (as seen using
-"tcpdump   -nei &lt;external interface&gt; host &lt;IP addr&gt;"), it may
-take a long while to time   out. I personally have had to contact my ISP
-and ask them to delete a stale   entry in order to restore a system to working
-order after changing my proxy ARP   settings. </b></font></p>
-                                                                        
-                                                                        
-                                                                        
-                  
-<p><b>Example:                                                          
-   </b> You have  public IP addresses 155.182.235.0/28. You configure   your
-            firewall as follows:</p>
-                                                  
-<ul>
-                            <li>eth0 - 155.186.235.1 (internet connection)</li>
-                            <li>eth1 - 192.168.9.0/24 (masqueraded local
-systems)</li>
-                            <li>eth2 - 192.168.10.1 (interface to your DMZ)</li>
-                                                  
-</ul>
-                                                                        
-                                                                        
-                   
-<p>   In your DMZ, you want to install a Web/FTP server with public address
-              155.186.235.4. On the Web server, you subnet just like the
-firewall's           eth0   and   you configure 155.186.235.1 as the default
-gateway.  In   your       /etc/shorewall/proxyarp   file, you will have:</p>
-                                                                        
-                                                                     
-<blockquote>                                                            
-                                                                        
- 
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
-                                                                        
-                          <tr>
-                                  <td><b>   ADDRESS</b></td>
-                                  <td><b>   INTERFACE</b></td>
-                                  <td><b>   EXTERNAL</b></td>
-                                  <td><b>HAVEROUTE</b></td>
-                                </tr>
-                                <tr>
-                                  <td>155.186.235.4</td>
-                                  <td>eth2</td>
-                                  <td>eth0</td>
-                                  <td>No</td>
-                                </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                    
-    </tbody>                                                            
-                                                                        
-                                                                        
-                                                     
-  </table>
-                        </blockquote>
-                                                                        
-              
-<p>   Note: You may want to configure the servers in your DMZ with a   subnet
-             that is smaller than the subnet of your internet interface.
-See    the      Proxy    ARP Subnet Mini HOWTO (<a
- href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>)
-            for details. In this case you will want to place   "Yes" in the
-  HAVEROUTE          column.</p>
-                                                                        
-              
-<p>To learn how I use Proxy ARP  in my DMZ, see <a href="myfiles.htm">my
-configuration files</a>.</p>
-                                                                        
-              
-<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and 
-FreeS/Wan on the same system unless you are prepared to suffer the  consequences.
-            If you start or restart Shorewall with an IPSEC tunnel active,
-  the    proxied      IP addresses are mistakenly assigned to the IPSEC tunnel
-  device     (ipsecX)      rather than to the interface that you specify
-in   the INTERFACE    column   of   /etc/shorewall/proxyarp. I haven't had
-the   time to debug this   problem   so  I  can't say if it is a bug in the
-Kernel   or in FreeS/Wan.   </p>
-                                                  
-<p>You <b>might</b> be able to work around this problem using the following
-            (I  haven't tried it):</p>
-                                                  
-<p>In /etc/shorewall/init, include:</p>
-                                                  
-<p>     qt service ipsec stop</p>
-                                                  
-<p>In /etc/shorewall/start, include:</p>
-                                                  
-<p>    qt service ipsec start</p>
-                                                                        
-                                                                        
-  
-<h2><font color="#660066"><b><a name="NAT"></a>                         
-                                       </b></font>/etc/shorewall/nat</h2>
+                                                      (/proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp) 
+                                                                       by 
+including          the <b>                                               
+             proxyarp</b>         option                                
+                             in   the   interface's                     
+                                        record in                       
+                                     <a href="#Interfaces">             
+                                               /etc/shorewall/interfaces</a>. 
+                                                             When using Proxy 
+ ARP                                                                sub-netting, 
+    you do                                                             <u>NOT</u> 
+    include                                                              any
+   entries in                                                           
+  /etc/shorewall/proxyarp.            </p>
                                                                         
                                                                         
                                                                         
                       
-<p>The /etc/shorewall/nat  file is used to define static NAT. There is one
-              entry in the file for each  static NAT relationship that you
- wish     to   define.   In   order to make use of  this feature, you must
- have <a href="#NatEnabled">NAT   enabled</a>   .</p>
+<p>The /etc/shorewall/proxyarp  file is used to define <a
+ href="ProxyARP.htm">Proxy ARP</a>. The file is                          
+                                   typically used for                   
+                                          enabling Proxy ARP            
+                                                 on a small set of      
+                                                       systems since you 
+                                                            need one entry 
+             in                                                          
+   this     file     for each                                           
+                  system    using proxy                                 
+                            ARP. Columns are:</p>
+                                                        
+<ul>
+                               <li><b>   ADDRESS</b> - address of the system.</li>
+                               <li><b>   INTERFACE</b> - the interface that 
+ connects     to  the   system.     If the interface  is      obvious from 
+ the subnetting,      you may   enter "-"    in this column.</li>
+                               <li><b>   EXTERNAL</b> - the external interface
+   that   you   want   to  honor   ARP requests       for the ADDRESS specified
+   in  the first   column.</li>
+                               <li><b>HAVEROUTE</b> - If                
+                                                you already have        
+                                                        a route through 
+                                                               INTERFACE
+to                                                                  ADDRESS, 
+this                                                                   column
+  should                                                                
+    contain                                                             
+     "Yes"                                                              
+  or                                                                 "yes".
+                                                                 If you want
+                                                                  Shorewall
+  to add                                                                
+the   route,      the                                                   
+               column    should                                         
+                           contain                                      
+                            "No"                                        
+                        or                                              
+                   "no".</li>
+                                                        
+</ul>
+                                                        
+<p><font color="#cc6666"><b>Note: After you have made a change to the   /etc/shorewall/proxyarp 
+             file, you may need to flush the ARP cache of all   routers on 
+ the    LAN    segment    connected to the interface specified in the EXTERNAL 
+    column   of the change/added    entry(s). If you are having problems communicating
+          between an individual    host (A) on that segment and a system
+whose      entry    has   changed, you may   need to flush the ARP cache
+on host  A  as  well.</b></font></p>
+                                                                        
+                                                                        
+                                      
+<p><font color="#cc6666"><b>ISPs typically have ARP configured with long TTL
+  (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump
+  -nei &lt;external interface&gt; host &lt;IP addr&gt;"), it may take a long
+while to time   out. I personally have had to contact my ISP and ask them
+to delete a stale   entry in order to restore a system to working order after
+changing my proxy ARP   settings. </b></font></p>
                                                                         
                                                                         
                                                                         
                         
+<p><b>Example:                                                           
+  </b> You have  public IP addresses 155.182.235.0/28. You configure   your 
+             firewall as follows:</p>
+                                                        
+<ul>
+                               <li>eth0 - 155.186.235.1 (internet connection)</li>
+                               <li>eth1 - 192.168.9.0/24 (masqueraded local 
+ systems)</li>
+                               <li>eth2 - 192.168.10.1 (interface to your 
+DMZ)</li>
+                                                        
+</ul>
+                                                                        
+                                                                        
+                         
+<p>   In your DMZ, you want to install a Web/FTP server with public address 
+               155.186.235.4. On the Web server, you subnet just like the 
+firewall's           eth0   and   you configure 155.186.235.1 as the default 
+gateway.  In   your       /etc/shorewall/proxyarp   file, you will have:</p>
+                                                                        
+                                                                        
+  
+<blockquote>                                                             
+                                                                        
+         
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+                                   <tbody>
+                                                                        
+                             <tr>
+                                     <td><b>   ADDRESS</b></td>
+                                     <td><b>   INTERFACE</b></td>
+                                     <td><b>   EXTERNAL</b></td>
+                                     <td><b>HAVEROUTE</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>155.186.235.4</td>
+                                     <td>eth2</td>
+                                     <td>eth0</td>
+                                     <td>No</td>
+                                   </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                      
+    </tbody>                                                             
+                                                                        
+                                                                        
+                                                             
+  </table>
+                           </blockquote>
+                                                                        
+                    
+<p>   Note: You may want to configure the servers in your DMZ with a   subnet 
+              that is smaller than the subnet of your internet interface. 
+See    the      Proxy    ARP Subnet Mini HOWTO (<a
+ href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>) 
+             for details. In this case you will want to place   "Yes" in the
+   HAVEROUTE          column.</p>
+                                                                        
+                                                                        
+                                        
+<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
+ FreeS/Wan on the same system unless you are prepared to suffer the  consequences. 
+             If you start or restart Shorewall with an IPSEC tunnel active, 
+   the    proxied      IP addresses are mistakenly assigned to the IPSEC tunnel
+   device     (ipsecX)      rather than to the interface that you specify
+in   the INTERFACE    column   of   /etc/shorewall/proxyarp. I haven't had
+the   time to debug this   problem   so  I  can't say if it is a bug in the
+Kernel   or in FreeS/Wan.   </p>
+                                                        
+<p>You <b>might</b> be able to work around this problem using the following 
+             (I  haven't tried it):</p>
+                                                        
+<p>In /etc/shorewall/init, include:</p>
+                                                        
+<p>     qt service ipsec stop</p>
+                                                        
+<p>In /etc/shorewall/start, include:</p>
+                                                        
+<p>    qt service ipsec start</p>
+                                                                        
+                                                                        
+        
+<h2><font color="#660066"><b><a name="NAT"></a>                          
+                                      </b></font>/etc/shorewall/nat</h2>
+                                                                        
+                                                                        
+                                                                        
+                            
+<p>The /etc/shorewall/nat  file is used to define static NAT. There is one 
+               entry in the file for each  static NAT relationship that you 
+  wish     to   define.   In   order to make use of  this feature, you must 
+  have <a href="#NatEnabled">NAT   enabled</a>   .</p>
+                                                                        
+                                                                        
+                                                                        
+                              
 <p>                                                               <font
- color="#ff0000">                                                       
-       <b>IMPORTANT: If                                                 
-              all you want to do                                        
-                       is forward ports                                 
-                              to servers behind                         
-                                      your firewall, you                
-                                               do NOT want to use       
-                                                        static NAT. Port
-                                                               forwarding
-can be                                                                accomplished
-            with                                                        
+ color="#ff0000">                                                        
+      <b>IMPORTANT: If                                                  
+             all you want to do                                         
+                      is forward ports                                  
+                             to servers behind                          
+                                     your firewall, you                 
+                                              do NOT want to use        
+                                                       static NAT. Port 
+                                                              forwarding can
+be                                                                accomplished 
+             with                                                        
        simple      entries in                                           
                     the                                                 
              <a href="#Rules">                                          
@@ -2562,39 +2537,39 @@ can be                                                                accomplish
                                                 to static NAT           
                                                     because the         
                                                       internal systems  
-                                                             are accessed
-using                                                                   
-the same   IP                                                           
-      address   internally                                              
-                         and  externally.</b></font></p>
+                                                             are accessed 
+using                                                                    the
+same   IP                                                               
+  address   internally                                                  
+                     and  externally.</b></font></p>
                                                                         
                                                                         
                                                                         
-                        
+                              
 <p>Columns in an entry are:</p>
-                                                  
+                                                        
 <ul>
-                            <li><b>   EXTERNAL</b> - External IP address
--      <u>This     should    NOT   be  the primary IP     address of the
+                               <li><b>   EXTERNAL</b> - External IP address 
+ -      <u>This     should    NOT   be  the primary IP     address of the 
 interface  named in   the next  column.</u></li>
-                            <li><b>   INTERFACE</b> - Interface that you
-want   the   EXTERNAL     IP  address  to appear       on. Beginning with
-Shorewall  version 1.3.14, if you have set ADD_IP_ALIASES=Yes in <a
- href="#Conf">/etc/shorewall/shorewall.conf</a>,   you can specify an alias
-label of the form <i>interfacename:digit </i>(e.g.,  eth0:0) and Shorewall
-will create the alias with that label. Alias labels  created in this way
-allow the alias to be visible to the ipconfig utility.      <b>THAT IS THE
-ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE
+                               <li><b>   INTERFACE</b> - Interface that you 
+ want   the   EXTERNAL     IP  address  to appear       on. Beginning with 
+ Shorewall  version 1.3.14, if you have set ADD_IP_ALIASES=Yes in <a
+ href="#Conf">/etc/shorewall/shorewall.conf</a>,   you can specify an alias 
+ label of the form <i>interfacename:digit </i>(e.g.,  eth0:0) and Shorewall 
+ will create the alias with that label. Alias labels  created in this way 
+allow the alias to be visible to the ipconfig utility.      <b>THAT IS THE 
+ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE 
 IN YOUR SHOREWALL CONFIGURATION.</b> </li>
-                            <li><b>   INTERNAL </b> - Internal IP address.</li>
-                            <li><b>ALL                                  
-                                    INTERFACES</b>                      
-                                                - If Yes                
-                                                      or yes (or        
-                                                              left      
-                                                                empty), 
-                                                                     NAT
-will                                                                    
+                               <li><b>   INTERNAL </b> - Internal IP address.</li>
+                               <li><b>ALL                               
+                                       INTERFACES</b>                   
+                                                   - If Yes             
+                                                         or yes (or     
+                                                                 left   
+                                                                   empty),
+                                                                       NAT 
+ will                                                                    
     be                                                                  
      effective                                                          
                   from     all                                          
@@ -2604,478 +2579,365 @@ will
                                                        will be          
                                                             effective   
                                                                    only 
-                                                                     through
-                                                                      the
-                                                                      interface
-                                                                      named
-in                                                                      
+                                                                     through 
+                                                                       the 
+                                                                       interface 
+                                                                       named 
+ in                                                                      
  the                                                                    
    INTERFACE                                                            
-              column.           <b>    Note:</b>     If two or more NATed
-systems are connected  to   the   same firewall     interface     and you
-want them to be able to  communicate      using their EXTERNAL IP     addresses,
- then you will want  to specify  the        <b>multi</b> option in the  
-  <a href="#Interfaces">/etc/shorewall/interface</a>      entry for that
-interface.</li>
-                            <li><b>LOCAL</b> - If Yes or yes and the ALL
-INTERFACES      column    contains    Yes     or yes, NAT will be effective
-from the firewall     system.        <b>Note:       </b>For this     to work,
-you must be running     kernel  2.4.19  or later  and iptables 1.2.6a or
-    later and you must   have  enabled       <b>CONFIG_IP_NF_NAT_LOCAL</b>
-    in your     kernel.</li>
-                                                  
+              column.</li>
+                               <li><b>LOCAL</b> - If Yes or yes and the ALL 
+ INTERFACES      column    contains    Yes     or yes, NAT will be effective 
+ from the firewall     system.        <b>Note:       </b>For this     to work,
+ you must be running     kernel  2.4.19  or later  and iptables 1.2.6a or
+    later and you must   have  enabled       <b>CONFIG_IP_NF_NAT_LOCAL</b> 
+     in your     kernel.</li>
+                                                        
 </ul>
                                                                         
-                                      
-<p><b><a href="NAT.htm">   Look here for additional information and an example.</a> 
-                                                                         
-  </b></p>
+                                            
+<p><b><a href="NAT.htm">   Look here for additional information and an example.</a>
+                                                                        
+     </b></p>
                                                                         
                                                                         
-   
-<h2><font color="#660066"><a name="Tunnels"></a>                        
-                                      </font>/etc/shorewall/tunnels</h2>
+         
+<h2><font color="#660066"><a name="Tunnels"></a>                         
+                                     </font>/etc/shorewall/tunnels</h2>
                                                                         
-                                                                         
-<p>   The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, 
-<a href="http://openvpn.sourceforge.net/">OpenVPN</a>          and PPTP tunnels 
- with   end-points on your firewall. To use ipsec,    you    must   install 
-version  1.9, 1.91 or the   current <a
- href="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</a>      development
-snapshot. </p>
                                                                         
-                                                                         
-<p>   Note: For kernels 2.4.4 and above, you will need to use version 1.91
-            or  a development   snapshot as patching with version 1.9 results
-    in   kernel     compilation  errors.</p>
+      
+<p>   The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP,
+  <a href="http://openvpn.sourceforge.net/">OpenVPN</a>          and PPTP
+tunnels   with   end-points on your firewall. To use ipsec,    you    must
+  install  version  1.9, 1.91 or the   current <a
+ href="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</a>      development snapshot.
+</p>
                                                                         
-                                                                         
-<p><b><a href="IPSEC.htm">   Instructions for setting up IPSEC tunnels may
-            be found   here,</a></b> <b><a href="IPIP.htm">instructions for
-  IPIP     and   GRE   tunnels are here</a></b>, <b><a
- href="OPENVPN.html">instructions for OpenVPN tunnels are here</a></b>, and
-<b><a href="PPTP.htm">instructions       for PPTP tunnels are here</a>.</b></p>
-                                       
+                                                                        
+      
+<p>   Note: For kernels 2.4.4 and above, you will need to use version 1.91 
+             or  a development   snapshot as patching with version 1.9 results 
+     in   kernel     compilation  errors.</p>
+                                                                        
+                                                                        
+      
+<p><b><a href="IPSEC.htm">   Instructions for setting up IPSEC tunnels may 
+             be found   here,</a></b> <b><a href="IPIP.htm">instructions for
+   IPIP     and   GRE   tunnels are here</a></b>, <b><a
+ href="OPENVPN.html">instructions for OpenVPN tunnels are here</a></b>, and 
+ <b><a href="PPTP.htm">instructions       for PPTP tunnels are here</a>.</b></p>
+                                             
 <h2><a name="Conf"></a>/etc/shorewall/shorewall.conf</h2>
                                                                         
-                                                                         
+                                                                        
+      
 <p>   This file is used to set the following firewall parameters:</p>
-                                                  
+                                                        
 <ul>
-                            <li><b>OLD_PING_HANDLING - </b>Added at version 
- 1.3.14.<br>
-    If this option is set to 'Yes' then the old and confusing ICMP echo-request
-  (Ping) handling is enabled. This includes the 'noping' and 'filterping'
-interface  options and the FORWARDPING option below. If this option is set
-to "No" then  ping requests are handled using rules and policies just like
-any other connection  request. For upward compatibility with only configurations,
-if this option  is omitted OLD_PING_HANDLING=Yes is assumed. New Shorewall
-users should leave  this option set to "No".<br>
-        <br>
-    For a complete description of how ping handling works under Shorewall,
- see      <a href="ping.html">ping.html</a>.<br>
-        <br>
-      </li>
-      <li><b>CLEAR_TC</b> - Added at version 1.3.13<br>
-      If this option is set to 'No' then Shorewall won't clear the current
- traffic  control rules during [re]start. This setting is intended for use
- by people  that prefer to configure traffic shaping when the network interfaces
- come  up rather than when the firewall is started. If that is what you want
- to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart 
-  file. That way, your traffic shaping rules can still use the 'fwmark' classifier 
-  based on packet marking defined in /etc/shorewall/tcrules. If not specified, 
-  CLEAR_TC=Yes is assumed.<br>
-       </li>
-       <li><b>MARK_IN_FORWARD_CHAIN </b>- Added at version  1.3.12<br>
-             If your kernel has a FORWARD chain in the mangle table, you
-may   set   MARK_IN_FORWARD_CHAIN=Yes   to cause the marking specified in
-the     <a href="traffic_shaping.htm#tcrules">tcrules file</a> to occur in
-that  chain      rather than in the PREROUTING chain. This permits you to
-mark inbound  traffic    based on its destination address when SNAT or Masquerading
-are  in use. To   determine if your kernel has a FORWARD chain in the mangle 
- table,  use the   "/sbin/shorewall show mangle" command; if a FORWARD chain 
- is displayed   then   your kernel will support this option. If this option 
- is not specified   or  if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") 
- then  MARK_IN_FORWARD_CHAIN=No   is assumed.<br>
-               </li>
-               <li><b>RFC1918_LOG_LEVEL - </b>Added at version 1.3.12<br>
-              This parameter determines the level at which packets logged 
-under    the       <a href="Documentation.htm#rfc1918">'norfc1918'  mechanism 
-    </a>    are logged.  The value must be a valid <a
- href="shorewall_logging.html">syslog    level</a>  and if no level is given, 
- then info is assumed. Prior to Shorewall    version  1.3.12, these packets 
- are always logged at the info level.</li>
-               <li><b>TCP_FLAGS_DISPOSITION - </b>Added in Version 1.3.11<br>
-             Determines the disposition of TCP packets that fail the checks 
- enabled      by  the <a href="#Interfaces%5C">tcpflags</a> interface option 
- and must    have   a value of ACCEPT (accept the packet), REJECT (send an 
- RST response)    or DROP   (ignore the packet). If not set or if set to the
- empty value (e.g.,    TCP_FLAGS_DISPOSITION="")   then TCP_FLAGS_DISPOSITION=DROP 
- is assumed.</li>
-                   <li><b>TCP_FLAGS_LOG_LEVEL - </b>Added in Version 1.3.11<br>
-                 Determines the <a href="shorewall_logging.html">syslog 
-level</a>      for  logging packets that fail the checks  enabled by the
-    <a href="#Interfaces">tcpflags</a> interface option.The value  must be
- a valid        syslogd log level. If you don't want to log these packets,
-   set to   the    empty value (e.g., TCP_FLAGS_LOG_LEVEL="").<br>
-                   </li>
-                   <li><b>MACLIST_DISPOSITION </b>- Added in Version 1.3.10<br>
-                    Determines the disposition of connections requests that 
- fail       <a href="MAC_Validation.html">MAC Verification</a> and must have 
- the  value ACCEPT (accept the connection request anyway), REJECT (reject 
-the connection   request) or DROP (ignore the connection request). If not 
-set or if set to   the empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT
-    is assumed.</li>
-                      <li><b>MACLIST_LOG_LEVEL </b>- Added in Version 1.3.10<br>
+                                      <li><b>CLEAR_TC</b> - Added at version
+ 1.3.13<br>
+         If this option is set to 'No' then Shorewall won't clear the current 
+  traffic  control rules during [re]start. This setting is intended for use 
+  by people  that prefer to configure traffic shaping when the network interfaces 
+  come  up rather than when the firewall is started. If that is what you want
+  to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
+    file. That way, your traffic shaping rules can still use the 'fwmark'
+classifier    based on packet marking defined in /etc/shorewall/tcrules.
+If not specified,    CLEAR_TC=Yes is assumed.<br>
+          </li>
+          <li><b>MARK_IN_FORWARD_CHAIN </b>- Added at version  1.3.12<br>
+                If your kernel has a FORWARD chain in the mangle table, you 
+ may   set   MARK_IN_FORWARD_CHAIN=Yes   to cause the marking specified in 
+ the     <a href="traffic_shaping.htm#tcrules">tcrules file</a> to occur in
+ that  chain      rather than in the PREROUTING chain. This permits you to
+ mark inbound  traffic    based on its destination address when SNAT or Masquerading
+ are  in use. To   determine if your kernel has a FORWARD chain in the mangle
+  table,  use the   "/sbin/shorewall show mangle" command; if a FORWARD chain
+  is displayed   then   your kernel will support this option. If this option
+  is not specified   or  if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="")
+  then  MARK_IN_FORWARD_CHAIN=No   is assumed.<br>
+                  </li>
+                  <li><b>RFC1918_LOG_LEVEL - </b>Added at version 1.3.12<br>
+                 This parameter determines the level at which packets logged
+  under    the       <a href="Documentation.htm#rfc1918">'norfc1918'  mechanism
+      </a>    are logged.  The value must be a valid <a
+ href="shorewall_logging.html">syslog    level</a>  and if no level is given,
+   then info is assumed. Prior to Shorewall    version  1.3.12, these packets
+   are always logged at the info level.</li>
+                  <li><b>TCP_FLAGS_DISPOSITION - </b>Added in Version 1.3.11<br>
+                Determines the disposition of TCP packets that fail the checks
+   enabled      by  the <a href="#Interfaces%5C">tcpflags</a> interface option
+   and must    have   a value of ACCEPT (accept the packet), REJECT (send
+an   RST response)    or DROP   (ignore the packet). If not set or if set
+to the  empty value (e.g.,    TCP_FLAGS_DISPOSITION="")   then TCP_FLAGS_DISPOSITION=DROP
+   is assumed.</li>
+                      <li><b>TCP_FLAGS_LOG_LEVEL - </b>Added in Version 1.3.11<br>
                     Determines the <a href="shorewall_logging.html">syslog
-  level</a>     for logging connection requests that  fail      <a
- href="MAC_Validation.html">MAC Verification</a>. The value must  be  a valid
-       syslogd log level. If you don't want to log these connection requests,
-     set  to the empty value (e.g., MACLIST_LOG_LEVEL="").<br>
+  level</a>      for  logging packets that fail the checks  enabled by the 
+     <a href="#Interfaces">tcpflags</a> interface option.The value  must be
+  a valid        syslogd log level. If you don't want to log these packets, 
+    set to   the    empty value (e.g., TCP_FLAGS_LOG_LEVEL="").<br>
                       </li>
-                      <li><b>NEWNOTSYN </b>- Added in Version 1.3.8<br>
-                       When set to "Yes" or "yes", Shorewall will filter
-TCP   packets     that   are   not  part of an established connention and
-that  are not SYN    packets   (SYN  flag on - ACK flag off). If set to "No",
-Shorewall   will  silently   drop   such  packets.  If not set or set to
-the empty value   (e.g.,  "NEWNOTSYN="),     NEWNOTSYN=No  is  assumed.<br>
-                           <br>
-                       If you have a HA setup with failover to another firewall,
-    you   should    have   NEWNOTSYN=Yes on both firewalls. You should also
-  select   NEWNOTSYN=Yes    if  you have asymmetric routing.<br>
+                      <li><b>MACLIST_DISPOSITION </b>- Added in Version 1.3.10<br>
+                       Determines the disposition of connections requests 
+that   fail       <a href="MAC_Validation.html">MAC Verification</a> and must
+have   the  value ACCEPT (accept the connection request anyway), REJECT (reject
+ the connection   request) or DROP (ignore the connection request). If not
+ set or if set to   the empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT
+     is assumed.</li>
+                         <li><b>MACLIST_LOG_LEVEL </b>- Added in Version
+1.3.10<br>
+                       Determines the <a href="shorewall_logging.html">syslog 
+   level</a>     for logging connection requests that  fail      <a
+ href="MAC_Validation.html">MAC Verification</a>. The value must  be  a valid 
+        syslogd log level. If you don't want to log these connection requests, 
+      set  to the empty value (e.g., MACLIST_LOG_LEVEL="").<br>
                          </li>
-                         <li><b>FORWARDPING</b> - Added in Version 1.3.7
--      <b>This  option is deprecated and is not available when OLD_PING_HANDLING=No
- (see above).</b><br>
-                            When set to "Yes" or "yes", ICMP echo-request 
-(ping)    packets     from   interfaces      that specify "filterping" are 
-ACCEPTed    by the firewall.     When  set to "No"  or     "no", such ping 
-requests  are  silently dropped   unless   they are handled  by an     explicit 
-entry  in  the <a href="#Rules">rules  file</a>. If not specified,  "No" 
-   is assumed. </li>
+                         <li><b>NEWNOTSYN </b>- Added in Version 1.3.8<br>
+                          When set to "Yes" or "yes", Shorewall will filter 
+ TCP   packets     that   are   not  part of an established connention and 
+ that  are not SYN    packets   (SYN  flag on - ACK flag off). If set to "No",
+ Shorewall   will  silently   drop   such  packets.  If not set or set to
+the empty value   (e.g.,  "NEWNOTSYN="),     NEWNOTSYN=No  is  assumed.<br>
+                              <br>
+                          If you have a HA setup with failover to another 
+firewall,      you   should    have   NEWNOTSYN=Yes on both firewalls. You 
+should also    select   NEWNOTSYN=Yes    if  you have asymmetric routing.<br>
+                            </li>
                             <li><b>LOGNEWNOTSYN</b> - Added in Version 1.3.6<br>
-                            Beginning with version 1.3.6, Shorewall drops 
-non-SYN     TCP   packets     that  are     not part of an existing connection. 
-If  you   would   like to  log   these  packets,     set LOGNEWNOTSYN to the
-        <a href="shorewall_logging.html">syslog  level</a> at which you want
-   the packets  logged.     Example: LOGNEWNOTSYN=ULOG|<br>
-                            <br>
-                            <b>Note: </b>Packets logged under this option 
-are   usually     the   result    of     broken remote IP stacks rather than 
-the   result of   any sort   of attempt    to     breach your firewall.<br>
-                          </li>
-                            <li><b>MERGE_HOSTS </b>- Added in Version 1.3.5<br>
-                            Prior to 1.3.5, when the <a href="#Hosts">/etc/shorewall/hosts</a>
-           file      included an entry for a zone then the entire zone had
- to   be   defined    in  the     /etc/shorewall/hosts file and any associations
-    between   the zone   and      interfaces in the <a
- href="#Interfaces">/etc/shorewall/interfaces</a>             file     were
-ignored. This behavior is preserved if MERGE_HOSTS=No       or   if   MERGE_HOSTS
-    is not set or is set to the empty value.<br>
-                            <br>
-                            Beginning with version 1.3.5, if MERGE_HOSTS=Yes, 
-  then   zone   assignments     in     the /etc/shorewall/hosts file are ADDED
-  to  those in  the     /etc/shorewall/interfaces     file. <br>
-                            <br>
-                            Example:<br>
-                            <br>
-                            Interfaces File:<br>
-                                                                        
-                                                                        
-    <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber2">
-                              <tbody>
-                                <tr>
-                                <td><u><b>ZONE</b></u></td>
-                                <td><u><b>HOSTS</b></u></td>
-                                <td><u><b>BROADCAST</b></u></td>
-                                <td><u><b>OPTIONS</b></u></td>
-                              </tr>
-                              <tr>
-                                <td>loc</td>
-                                <td>eth1</td>
-                                <td>-</td>
-                                <td>dhcp</td>
-                              </tr>
-                              <tr>
-                                <td>-</td>
-                                <td>ppp+</td>
-                                <td> <br>
-                    </td>
-                                <td> <br>
-                    </td>
-                              </tr>
-                                                                        
-                                                                        
-                                                  
-      </tbody>                                                          
-                                                             
-    </table>
-                                                                        
-                                                                        
-  
-    <p><br>
-                            Hosts File:<br>
-                          </p>
-                                                                        
-                                                                        
-  
-    <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber3">
-                              <tbody>
-                                <tr>
-                                <td><u><b>ZONE</b></u></td>
-                                <td><u><b>HOSTS</b></u></td>
-                              </tr>
-                              <tr>
-                                <td>loc</td>
-                                <td>ppp+:192.168.12.0/24</td>
-                              </tr>
-                                                                        
-                                                                        
-                                                  
-      </tbody>                                                          
-                                                             
-    </table>
-                                                                        
-                                                                        
-  
-    <p><font face="Courier"><br>
-                            </font>With MERGE_HOSTS=No, the<b> loc</b> zone 
- consists     of  only   ppp+:192.168.12.0/24;       with MERGE_HOSTS=Yes, 
- it includes    eth1:0.0.0.0/0     and ppp+:192.168.12.0/24.<br>
-                              </p>
-                          </li>
-                          <li><b>DETECT_DNAT_ADDRS</b> - Added in Version 
-1.3.4<br>
-                        If set to "Yes" or "yes", Shorewall will detect the 
- IP  address(es)       of  the  interface(es) to the source zone and will 
-include  this (these)     address(es)     in DNAT rules as the original destination
-   IP address. If   set to "No" or   "no",  Shorewall will not detect this
- (these)  address(es)    and any destination   IP  address will match the
-DNAT rule.  If not specified    or empty, "DETECT_DNAT_ADDRS=Yes"     is
-assumed.<br>
-                          </li>
-                          <li><b>MULTIPORT</b> - Added in Version 1.3.2<br>
-                            If set to "Yes" or "yes", Shorewall will use
-the   Netfilter      multiport          facility. In order to use this facility,
-  your kernel    must  have multiport          support (CONFIG_IP_NF_MATCH_MULTIPORT).
-  When    this  support is used,   Shorewall       will generate a single
-rule  from    each record in the /etc/shorewall/rules      file     that
+                               Beginning with version 1.3.6, Shorewall drops
+  non-SYN     TCP   packets     that  are     not part of an existing connection.
+  If  you   would   like to  log   these  packets,     set LOGNEWNOTSYN to
+ the         <a href="shorewall_logging.html">syslog  level</a> at which
+you  want    the packets  logged.     Example: LOGNEWNOTSYN=ULOG|<br>
+                               <br>
+                               <b>Note: </b>Packets logged under this option
+  are   usually     the   result    of     broken remote IP stacks rather
+than  the   result of   any sort   of attempt    to     breach your firewall.</li>
+                                                          <li><b>DETECT_DNAT_ADDRS</b>
+ - Added in Version  1.3.4<br>
+  If set to "Yes" or "yes", Shorewall will detect the   IP  address(es) 
+     of  the  interface(es) to the source zone and will  include  this (these)
+     address(es)     in DNAT rules as the original destination    IP address.
+ If   set to "No" or   "no",  Shorewall will not detect this  (these)  address(es)
+    and any destination   IP  address will match the DNAT rule.  If not specified
+    or empty, "DETECT_DNAT_ADDRS=Yes"     is assumed.<br>
+                             </li>
+                             <li><b></b><b>MULTIPORT</b> - Added in Version
+ 1.3.2<br>
+                               If set to "Yes" or "yes", Shorewall will use 
+ the   Netfilter      multiport          facility. In order to use this facility, 
+   your kernel    must  have multiport          support (CONFIG_IP_NF_MATCH_MULTIPORT). 
+   When    this  support is used,   Shorewall       will generate a single 
+ rule  from    each record in the /etc/shorewall/rules      file     that 
 meets these criteria:<br>
                                                                         
                                                                         
+                 
     <ul>
-                              <li>No port range(s) specified</li>
-                              <li>Specifies 15 or fewer ports</li>
+                                 <li>No port range(s) specified</li>
+                                 <li>Specifies 15 or fewer ports</li>
                                                                         
                                                                         
-  
+                    
     </ul>
                                                                         
                                                                         
-  
-    <p>Rules not meeting those criteria will continue to generate an individual
-                rule for each listed port or port range.    </p>
-                          </li>
-                          <li><b>NAT_BEFORE_RULES</b><br>
-                            If set to "No" or "no", port forwarding rules 
-can   override     the   contents    of     the <a href="#NAT">/etc/shorewall/nat</a> 
-  file.    If set   to "Yes" or   "yes",     port forwarding rules cannot 
-override   static   NAT.   If not set or  set to an     empty value, "Yes" 
-is assumed.</li>
-                            <li><b>FW<br>
+                    
+    <p>Rules not meeting those criteria will continue to generate an individual 
+                 rule for each listed port or port range.    </p>
+                             </li>
+                             <li><b>NAT_BEFORE_RULES</b><br>
+                               If set to "No" or "no", port forwarding rules
+  can   override     the   contents    of     the <a href="#NAT">/etc/shorewall/nat</a>
+    file.    If set   to "Yes" or   "yes",     port forwarding rules cannot
+  override   static   NAT.   If not set or  set to an     empty value, "Yes"
+  is assumed.</li>
+                               <li><b>FW<br>
                                                                         
-                      </b>This                                          
-                           parameter                                    
-                                 specifies    the                       
-                                           name    of the               
-                                                   firewall zone.       
-                                                           If not set or
-                                                                  if set
-to  an                                                                  
- empty   string,                                                        
-              the value                                                 
-                     "fw"                                               
-                    is assumed.</li>
-                            <li><b>SUBSYSLOCK</b><br>
-                                  This parameter should be set to the name
- of  a  file   that   the   firewall          should create if it starts
-successfully     and   remove   when   it stops.  Creating        and removing
-this file   allows   Shorewall   to work   with your  distribution's    
-   initscripts.   For RedHat,  this  should be  set to /var/lock/subsys/shorewall.
-         For Debian, the value  is /var/state/shorewall   and in LEAF it
-is                                                                   /var/run/shorwall.
-                                                                       Example:
-        SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
-                            <li><b>   STATEDIR</b><br>
-                                  This parameter specifies the name of a
-directory      where    Shorewall      stores        state information. If
-the directory      doesn't   exist when Shorewall     starts,        it will
-create the directory.     Example:   STATEDIR=/tmp/shorewall.<br>
-                            <br>
-                            <b>NOTE:</b> If you change the STATEDIR variable
-  while    the   firewall     is     running, create the new directory if
-necessary    then copy  the contents      of the     old directory to the
-new directory.        </li>
-                            <li><b>   ALLOWRELATED</b><br>
-                                  This parameter must be assigned the value 
- "Yes"          ("yes")     or  "No" ("no") and specifies whether       Shorewall 
-  allows     connection   requests   that are related to an already      
-allowed  connection.     If you   say "No"  ("no"), you can       still override
-this  setting by   including   "related" rules in        /etc/shorewall/rules 
-("related"   given   as the protocol).   If you specify     ALLOWRELATED=No, 
-you will  need to  include rules in        <a
- href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>    to 
-   handle common ICMP packet types.</li>
-                            <li><b>   MODULESDIR</b><br>
-                                  This parameter specifies the directory
-where    your   kernel    netfilter     modules       may be found. If you
-leave  the  variable   empty,    Shorewall  will   supply the       value
-"/lib/modules/`uname    -r`/kernel/net/ipv4/netfilter.</li>
-                            <li><b>   LOGRATE </b> and <b> LOGBURST</b><br>
-                                  These parameters set the match rate and 
-initial     burst    size   for   logged     packets. Please see the iptables 
-man page    for a  description    of   the behavior     of these parameters 
-(the iptables    option  --limit is   set  by LOGRATE and     --limit-burst 
-is set by LOGBURST).    If  both parameters    are  set       empty, no rate-limiting 
-will occur.<br>
-                            <br>
-                            Example:<br>
-                             LOGRATE=10/minute<br>
-                             LOGBURST=5<br>
-                          </li>
-                            <li><b>LOGFILE</b><br>
+                         </b>This                                       
+                              parameter                                 
+                                    specifies    the                    
+                                              name    of the            
+                                                      firewall zone.    
+                                                              If not set
+or                                                                    if
+set to  an                                                              
+     empty   string,                                                    
+                  the value                                             
+                         "fw"                                           
+                        is assumed.</li>
+                               <li><b>SUBSYSLOCK</b><br>
+                                     This parameter should be set to the
+name   of  a  file   that   the   firewall          should create if it starts 
+successfully     and   remove   when   it stops.  Creating        and removing 
+this file   allows   Shorewall   to work   with your  distribution's     
+  initscripts.   For RedHat,  this  should be  set to /var/lock/subsys/shorewall. 
+         For Debian, the value  is /var/state/shorewall   and in LEAF it is
+                                                                  /var/run/shorwall. 
+                                                                        Example: 
+         SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
+                               <li><b>   STATEDIR</b><br>
+                                     This parameter specifies the name of 
+a  directory      where    Shorewall      stores        state information. 
+If  the directory      doesn't   exist when Shorewall     starts,        it
+will  create the directory.     Example:   STATEDIR=/tmp/shorewall.<br>
+                               <br>
+                               <b>NOTE:</b> If you change the STATEDIR variable 
+   while    the   firewall     is     running, create the new directory if 
+ necessary    then copy  the contents      of the     old directory to the 
+ new directory.        </li>
+                               <li><b>MODULESDIR</b><br>
+                                     This parameter specifies the directory 
+ where    your   kernel    netfilter     modules       may be found. If you 
+ leave  the  variable   empty,    Shorewall  will   supply the       value 
+ "/lib/modules/`uname    -r`/kernel/net/ipv4/netfilter.</li>
+                               <li><b>   LOGRATE </b> and <b> LOGBURST</b><br>
+                                     These parameters set the match rate
+and   initial     burst    size   for   logged     packets. Please see the
+iptables   man page    for a  description    of   the behavior     of these
+parameters   (the iptables    option  --limit is   set  by LOGRATE and  
+  --limit-burst   is set by LOGBURST).    If  both parameters    are  set
+      empty, no rate-limiting  will occur.<br>
+                               <br>
+                               Example:<br>
+                                LOGRATE=10/minute<br>
+                                LOGBURST=5<br>
+                             </li>
+                               <li><b>LOGFILE</b><br>
                                                                         
-                  This   parameter                                      
-                             tells the                                  
-                                 /sbin/shorewall                        
-                                           program where                
-                                                  to look for           
-                                                       Shorewall        
-                                                          messages when 
-                                                                 processing 
- the                                                                     "show
-                                                                   log",
-                                                                  "monitor", 
-                                                                      "status" 
-                                                                       and 
-                                                                   "hits" 
-                                                                  commands. 
-   If                                                                    not
-   assigned                                                             
-        or if  assigned                                                 
-                    an empty                                            
-                         value,                                         
-                           /var/log/messages                            
-                                         is assumed.</li>
-                            <li><b>NAT_ENABLED</b><br>
-                                  This parameter determines whether Shorewall 
-  supports     NAT   operations. NAT            operations include:<br>
-                                  <br>
-                                      Static NAT<br>
-                                      Port Forwarding<br>
-                                      Port Redirection<br>
-                                      Masquerading<br>
-                                  <br>
-                                  If the parameter has no value or has a
-value    of  "Yes"    or        "yes"  then NAT is enabled. If the parameter
-has  a  value  of       "no"    or  "No" then  NAT is disabled.<br>
-                                       </li>
-                            <li><b>    MANGLE_ENABLED</b><br>
-                                  This parameter determines if packet mangling
-   is  enabled.     If  the   parameter        has no value or has a value
- of  "Yes"  or "yes"    than        packet mangling  is enabled. If the parameter
-   has  a value of   "no"       or "No" then packet  mangling is disabled.
- If  packet  mangling  is       disabled,   the /etc/shorewall/tos  file
-is  ignored.<br>
-                                       </li>
-                            <li><b>   IP_FORWARDING</b><br>
-                                  This parameter determines whether Shorewall 
-  enables     or  disables     IPV4        Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
-        Possible   values   are:<br>
-                                  <br>
-                                      On or on - packet forwarding will be
- enabled.<br>
-                                      Off or off - packet forwarding will 
-be  disabled.<br>
-                                      Keep or keep - Shorewall will neither 
- enable    nor         disable    packet forwarding.<br>
-                                  <br>
-                                  If this variable is not set or is given 
-an  empty    value    (IP_FORWARD="")             then IP_FORWARD=On is assumed.<br>
-                                   </li>
-                            <li><b>ADD_IP_ALIASES</b><br>
-                                 This parameter determines whether Shorewall
-  automatically        adds   the                                       
-                                  <i>external         </i>address(es) in
-    <a href="#NAT">/etc/shorewall/nat</a>           . If the variable   
-   is set to "Yes" or "yes" then Shorewall automatically                adds
-these aliases. If it is set to "No" or "no", you       must     add   these
-aliases yourself using your distribution's network       configuration  
+                     This   parameter                                   
+                                tells the                               
+                                    /sbin/shorewall                     
+                                              program where             
+                                                     to look for        
+                                                          Shorewall     
+                                                             messages when
+                                                                   processing
+   the                                                                  
+  "show                                                                 
+  log",                                                                 
+ "monitor",                                                             
+          "status"                                                      
+                  and                                                   
+                 "hits"                                                 
+                  commands.     If                                      
+                             not    assigned                            
+                                         or if  assigned                
+                                                     an empty           
+                                                          value,        
+                                                            /var/log/messages
+                                                                     is assumed.</li>
+                               <li><b>NAT_ENABLED</b><br>
+                                     This parameter determines whether Shorewall
+    supports     NAT   operations. NAT            operations include:<br>
+                                     <br>
+                                         Static NAT<br>
+                                         Port Forwarding<br>
+                                         Port Redirection<br>
+                                         Masquerading<br>
+                                     <br>
+                                     If the parameter has no value or has 
+a  value    of  "Yes"    or        "yes"  then NAT is enabled. If the parameter 
+ has  a  value  of       "no"    or  "No" then  NAT is disabled.<br>
+                                          </li>
+                               <li><b>    MANGLE_ENABLED</b><br>
+                                     This parameter determines if packet
+mangling     is  enabled.     If  the   parameter        has no value or
+has a value   of  "Yes"  or "yes"    than        packet mangling  is enabled.
+If the parameter     has  a value of   "no"       or "No" then packet  mangling 
+is disabled.   If  packet  mangling  is       disabled,   the /etc/shorewall/tos 
+ file is  ignored.<br>
+                                          </li>
+                               <li><b>   IP_FORWARDING</b><br>
+                                     This parameter determines whether Shorewall
+    enables     or  disables     IPV4        Packet Forwarding (/proc/sys/net/ipv4/ip_forward). 
+         Possible   values   are:<br>
+                                     <br>
+                                         On or on - packet forwarding will
+ be  enabled.<br>
+                                         Off or off - packet forwarding will
+  be  disabled.<br>
+                                         Keep or keep - Shorewall will neither
+   enable    nor         disable    packet forwarding.<br>
+                                     <br>
+                                     If this variable is not set or is given
+  an  empty    value    (IP_FORWARD="")             then IP_FORWARD=On is
+assumed.<br>
+                                      </li>
+                               <li><b>ADD_IP_ALIASES</b><br>
+                                    This parameter determines whether Shorewall 
+   automatically        adds   the                                       
+                                  <i>external         </i>address(es) in 
+   <a href="#NAT">/etc/shorewall/nat</a>           . If the variable    
+  is set to "Yes" or "yes" then Shorewall automatically                adds 
+ these aliases. If it is set to "No" or "no", you       must     add   these 
+ aliases yourself using your distribution's network       configuration  
      tools.<br>
-                                 <br>
-                                 If this variable is not set or is given
-an  empty    value    (ADD_IP_ALIASES="")             then ADD_IP_ALIASES=Yes 
- is assumed.</li>
-                            <li><b>ADD_SNAT_ALIASES</b><br>
-                            This parameter determines whether Shorewall automatically 
-      adds   the   SNAT      <i>    ADDRESS </i>in <a href="#Masq">/etc/shorewall/masq</a>.
-          If the  variable is     set to "Yes" or "yes" then Shorewall automatically
-          adds these  addresses. If     it is set to "No" or "no", you must
-  add    these    addresses  yourself using your     distribution's network
-  configuration      tools.<br>
-                                 <br>
-                                 If this variable is not set or is given
-an  empty    value    (ADD_SNAT_ALIASES="")             then ADD_SNAT_ALIASES=No 
- is assumed.<br>
-                            </li>
-                            <li><b>LOGUNCLEAN</b><br>
+                                    <br>
+                                    If this variable is not set or is given 
+ an  empty    value    (ADD_IP_ALIASES="")             then ADD_IP_ALIASES=Yes
+   is assumed.</li>
+                               <li><b>ADD_SNAT_ALIASES</b><br>
+                               This parameter determines whether Shorewall
+ automatically        adds   the   SNAT      <i>    ADDRESS </i>in <a
+ href="#Masq">/etc/shorewall/masq</a>.           If the  variable is    
+set to "Yes" or "yes" then Shorewall automatically           adds these 
+addresses. If     it is set to "No" or "no", you must   add    these    addresses
+ yourself using your     distribution's network   configuration      tools.<br>
+                                    <br>
+                                    If this variable is not set or is given 
+ an  empty    value    (ADD_SNAT_ALIASES="")             then ADD_SNAT_ALIASES=No
+   is assumed.<br>
+                               </li>
+                               <li><b>LOGUNCLEAN</b><br>
                                                                         
-                  This   parameter                                      
-                             determines the                             
-                                     logging level                      
-                                            of                          
-                                         mangled/invalid                
-                                                   packets              
-                                                     controlled by      
-                                                            the '<a
- href="#Unclean">dropunclean                                            
-                          and logunclean</a>'                           
-                                            interface                   
-                                                    options.      If    
-                                                              LOGUNCLEAN
-    is                                                                  
-empty                                                                   
-   (LOGUNCLEAN=)                                                        
-              then  packets                                             
-                       selected   by                                    
-                              'dropclean'   are                         
-                                         dropped                        
-                                             silently                   
-                                                  ('logunclean'         
-                                                             packets    are
-                                                                  logged
-   under                                                                
-  the  'info' log                                                       
-           level).                                                      
-            Otherwise,                                                  
-                 these packets                                          
-                         are logged  at                                 
-                                 the specified                          
-                                        level                           
-                                       (Example:                        
-                                          LOGUNCLEAN=debug).</li>
-                            <li><b>BLACKLIST_DISPOSITION</b><br>
+                     This   parameter                                   
+                                determines the                          
+                                        logging level                   
+                                               of                       
+                                            mangled/invalid             
+                                                      packets           
+                                                        controlled by   
+                                                               the '<a
+ href="#Unclean">dropunclean                                             
+                         and logunclean</a>'                            
+                                           interface                    
+                                                   options.      If     
+                                                             LOGUNCLEAN 
+   is                                                                   empty
+                                                                      (LOGUNCLEAN=)
+                                                                      then
+ packets                                                                
+    selected   by                                                       
+           'dropclean'   are                                            
+                      dropped                                           
+                          silently                                      
+                               ('logunclean'                            
+                                          packets    are                
+                                                  logged    under       
+                                                           the  'info' log
+                                                                  level).
+                                                                  Otherwise,
+                                                                   these
+packets                                                                 
+  are logged  at                                                        
+          the specified                                                 
+                 level                                                  
+                (Example:                                               
+                   LOGUNCLEAN=debug).</li>
+                               <li><b>BLACKLIST_DISPOSITION</b><br>
                                                                         
-                  This   parameter                                      
-                             determines the                             
-                                     disposition of                     
-                                             packets from               
-                                                   blacklisted          
-                                                         hosts. It may  
-                                                                have the
-value                                                                   
+                     This   parameter                                   
+                                determines the                          
+                                        disposition of                  
+                                                packets from            
+                                                      blacklisted       
+                                                            hosts. It may 
+                                                                  have the 
+ value                                                                   
   DROP if   the                                                         
            packets    are   to                                          
                          be  dropped  or                                
@@ -3085,631 +2947,626 @@ value
                                                        with an ICMP     
                                                              port       
                                                            unreachable  
-                                                                reply or
-a TCP                                                                   RST
-(tcp                                                                   only).
-If you                                                                  
+                                                                reply or a
+TCP                                                                   RST 
+ (tcp                                                                   only). 
+ If you                                                                  
 do not assign                                                           
         a value  or if                                                  
                 you  assign  an                                         
                          empty  value                                   
                                then  DROP is                            
                                       assumed.</li>
-                            <li><b>BLACKLIST_LOGLEVEL</b><br>
+                               <li><b>BLACKLIST_LOGLEVEL</b><br>
                                                                         
-                  This   paremter                                       
-                            determines if                               
-                                   packets from                         
-                                         blacklisted                    
-                                               hosts are                
-                                                   logged and it        
-                                                          determines the
-                                                                  syslog
-level                                                                   
-  that they    are                                                      
-              to  be logged                                             
-                        at. Its    value                                
-                                   is a <a href="shorewall_logging.html">syslog
- level</a>                                                              
-        (Example:                                                       
-                BLACKLIST_LOGLEVEL=debug).                              
-                                           If   you    do not           
-                                                       assign a value   
-                                                               or if you
-                                                                  assign
-an                                                                   empty
-value                                                                   then
-packets                                                                 
-   from                                                                 
- blacklisted                                                            
-         hosts  are  not                                                
-                  logged.</li>
-                            <li><b>CLAMPMSS</b><br>
+                     This   paremter                                    
+                               determines if                            
+                                      packets from                      
+                                            blacklisted                 
+                                                  hosts are             
+                                                      logged and it     
+                                                             determines the 
+                                                                   syslog 
+level                                                                    
+ that they    are                                                       
+             to  be logged                                              
+                       at. Its    value                                 
+                                  is a <a href="shorewall_logging.html">syslog 
+ level</a>                                                               
+       (Example:                                                        
+               BLACKLIST_LOGLEVEL=debug).                               
+                                          If   you    do not            
+                                                      assign a value    
+                                                              or if you 
+                                                                 assign an
+                                                                  empty value
+                                                                  then packets
+                                                                    from
+                                                                  blacklisted
+                                                                     hosts
+ are  not                                                               
+   logged.</li>
+                               <li><b>CLAMPMSS</b><br>
                                                                         
-                  This   parameter                                      
-                             enables the                                
-                                  TCP Clamp MSS                         
-                                         to PMTU                        
-                                          feature of                    
-                                              Netfilter and             
-                                                     is usually         
-                                                         required when  
-                                                                your internet 
-                                                                    connection 
-    is                                                                   
-through      PPPoE                                                      
-              or PPTP.   If                                             
-                     set  to                                            
-                      "Yes"                                             
-                      or                                                
-                  "yes",                                                
-                  the feature    is                                     
-                              enabled.      If                          
-                                        left     blank or               
-                                                    set to              
-                                                    "No"                
-                                                  or                    
-                                              "no",                     
-                                                the feature    is       
-                                                           not   enabled. 
-                                                                   Note: This
-                                                                   option 
-                                                                  requires 
-                                                                    CONFIG_IP_NF_TARGET_TCPMSS 
-                                                                         
-   <a href="kernel.htm">in                                              
-                    your kernel</a>.</li>
-                            <li><b>ROUTE_FILTER</b><br>
-                            If this parameter is given the value "Yes" or 
-"yes"    then   route    filtering        (anti-spoofing) is     enabled on
-all network   interfaces.     The default    value is "no".</li>
-                                                     
+                     This   parameter                                   
+                                enables the                             
+                                     TCP Clamp MSS                      
+                                            to PMTU                     
+                                             feature of                 
+                                                 Netfilter and          
+                                                        is usually      
+                                                            required when 
+                                                                  your internet
+                                                                      connection
+      is                                                                
+   through      PPPoE                                                   
+                 or PPTP.   If                                          
+                        set  to                                         
+                         "Yes"                                          
+                         or                                             
+                     "yes",                                             
+                     the feature    is                                  
+                                 enabled.      If                       
+                                           left     blank or            
+                                                       set to           
+                                                       "No"             
+                                                     or                 
+                                                 "no",                  
+                                                   the feature    is    
+                                                              not   enabled.
+                                                                     Note:
+ This                                                                   
+option                                                                  
+  requires                                                              
+        CONFIG_IP_NF_TARGET_TCPMSS                                      
+                                         <a href="kernel.htm">in        
+                                                          your kernel</a>.</li>
+                               <li><b>ROUTE_FILTER</b><br>
+                               If this parameter is given the value "Yes" 
+or  "yes"    then   route    filtering        (anti-spoofing) is     enabled
+ on all network   interfaces.     The default    value is "no".</li>
+                                                           
 </ul>
                                                                         
                                                                         
                                                                         
-                       
-<h2><a name="modules"></a>                                              
-                /etc/shorewall/modules Configuration</h2>
+                             
+<h2><a name="modules"></a>                                               
+               /etc/shorewall/modules Configuration</h2>
                                                                         
                                                                         
                                                                         
-                        
-<p>The file  /etc/shorewall/modules contains commands for loading the kernel
-              modules  required by Shorewall-defined firewall rules. Shorewall
-     will     source    this  file during start/restart provided that it
-exists      and that    the directory     specified by the MODULESDIR parameter
-exists      (see <a href="#Conf">/etc/shorewall/shorewall.conf</a>      
-above).</p>
+                              
+<p>The file  /etc/shorewall/modules contains commands for loading the kernel 
+               modules  required by Shorewall-defined firewall rules. Shorewall 
+      will     source    this  file during start/restart provided that it 
+exists      and that    the directory     specified by the MODULESDIR parameter 
+exists      (see <a href="#Conf">/etc/shorewall/shorewall.conf</a>       above).</p>
                                                                         
                                                                         
                                                                         
-                        
-<p>The file  that is   released with Shorewall calls the Shorewall function
-            "loadmodule"  for the set of modules that I load.</p>
+                              
+<p>The file  that is   released with Shorewall calls the Shorewall function 
+             "loadmodule"  for the set of modules that I load.</p>
                                                                         
                                                                         
                                                                         
-                        
+                              
 <p>The <i>loadmodule</i>    function is called as follows:</p>
                                                                         
                                                                         
                                                                         
-                        
-<blockquote>                                                            
-                                                                        
-                                                                        
-                                                                    
-  <p>loadmodule                                                         
-        <i>&lt;modulename&gt;                                           
-                      </i>[ <i>   &lt;module parameters&gt; </i>]</p>
-                              </blockquote>
-                                                                        
-                                                                        
-                                                                        
                               
+<blockquote>                                                             
+                                                                        
+                                                                        
+                                                                        
+   
+  <p>loadmodule                                                          
+       <i>&lt;modulename&gt;                                            
+                     </i>[ <i>   &lt;module parameters&gt; </i>]</p>
+                                 </blockquote>
+                                                                        
+                                                                        
+                                                                        
+                                    
 <p>where</p>
                                                                         
                                                                         
                                                                         
-                              
-<blockquote>                                                            
+                                    
+<blockquote>                                                             
                                                                         
                                                                         
                                                                         
+       
   <p><i>&lt;modulename&gt;                </i></p>
                                                                         
                                                                         
                                                                         
                                                                         
-           
-  <blockquote>                                                          
-                                                                        
-                                                                        
-                                                                        
-                                                           
-    <p>is  the name of the modules without the trailing ".o" (example   
-   ip_conntrack).</p>
-                                </blockquote>
+                       
+  <blockquote>                                                           
                                                                         
                                                                         
                                                                         
                                                                         
-                  
+    <p>is  the name of the modules without the trailing ".o" (example    
+  ip_conntrack).</p>
+                                   </blockquote>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                              
   <p><i>   &lt;module parameters&gt;</i></p>
                                                                         
                                                                         
                                                                         
                                                                         
-                  
-  <blockquote>                                                          
+                              
+  <blockquote>                                                           
                                                                         
                                                                         
                                                                         
-                                                                 
+                                                                        
+      
     <p>   Optional parameters to the insmod utility.</p>
-                                </blockquote>
-                              </blockquote>
+                                   </blockquote>
+                                 </blockquote>
                                                                         
                                                                         
                                                                         
-                                               
-<p>   The function determines if the module named by <i>&lt;modulename&gt;
-            </i>   is   already loaded and if not then the function determines
-     if   the    ".o"    file corresponding to the module exists in the <i>moduledirectory</i>;
-            if so,   then the following command is executed:</p>
+                                                     
+<p>   The function determines if the module named by <i>&lt;modulename&gt; 
+             </i>   is   already loaded and if not then the function determines 
+      if   the    ".o"    file corresponding to the module exists in the <i>moduledirectory</i>;
+             if so,   then the following command is executed:</p>
                                                                         
                                                                         
                                                                         
-                                               
-<blockquote>                                                            
+                                                     
+<blockquote>                                                             
                                                                         
                                                                         
                                                                         
-                   
-  <p>   insmod <i>moduledirectory</i>/<i>&lt;modulename&gt;</i>.o <i>&lt;module
-                 parameters&gt;</i></p>
-                              </blockquote>
-                                                                        
-                                                                        
-                                                                        
-                                                      
-<p>   If the file doesn't exist, the function determines of the ".o.gz" 
- file  corresponding to the module exists in the <i>moduledirectory</i>.
-If it   does, the function assumes that the running configuration supports
-compressed     modules and execute the following command:</p>
-                                                                        
-                                                                        
-                                                                        
-                                                      
-<blockquote>                                                            
-                                                                        
-                                                                        
-                                                                        
-                         
-  <p>   insmod <i>moduledirectory/&lt;modulename&gt;.</i>o.gz &lt;<i>module
-                parameters&gt;</i></p>
-                              </blockquote>
-                                                                        
-                                                                        
-                                                                        
-                                                          
-<h2><a name="TOS"></a>                                                  
-                        /etc/shorewall/tos Configuration</h2>
+                           
+  <p>   insmod <i>moduledirectory</i>/<i>&lt;modulename&gt;</i>.o <i>&lt;module 
+                  parameters&gt;</i></p>
+                                 </blockquote>
                                                                         
                                                                         
                                                                         
                                                             
-<p>   The /etc/shorewall/tos file allows you to set the Type of Service field
-             in    packet headers based on packet source, packet destination,
-    protocol,         source    port and destination port. In order for this
-   file to be processed        by   Shorewall, you must have <a
+<p>   If the file doesn't exist, the function determines of the ".o.gz"  
+file  corresponding to the module exists in the <i>moduledirectory</i>. If
+it   does, the function assumes that the running configuration supports compressed
+    modules and execute the following command:</p>
+                                                                        
+                                                                        
+                                                                        
+                                                            
+<blockquote>                                                             
+                                                                        
+                                                                        
+                                                                        
+                                 
+  <p>   insmod <i>moduledirectory/&lt;modulename&gt;.</i>o.gz &lt;<i>module 
+                 parameters&gt;</i></p>
+                                 </blockquote>
+                                                                        
+                                                                        
+                                                                        
+                                                                
+<h2><a name="TOS"></a>                                                   
+                       /etc/shorewall/tos Configuration</h2>
+                                                                        
+                                                                        
+                                                                        
+                                                                  
+<p>   The /etc/shorewall/tos file allows you to set the Type of Service field 
+              in    packet headers based on packet source, packet destination, 
+     protocol,         source    port and destination port. In order for this
+    file to be processed        by   Shorewall, you must have <a
  href="#MangleEnabled">mangle support    enabled</a>     .</p>
                                                                         
                                                                         
                                                                         
-                                                            
+                                                                  
 <p>   Entries in the file have the following columns:</p>
                                                                         
-                                                           
+                                                                 
 <ul>
-                            <li><b>   SOURCE</b> -- The source zone. May
-be  qualified      by  following     the zone name       with a colon (":") 
-and  either an   IP   address,  an IP  subnet,   a MAC address     in <a
- href="#MAC">Shorewall     Format</a>  or the        name   of an interface. 
- This column may also  contain   the <a href="#FW">name of               
-                                                   the firewall</a>     
-                                                               zone to  
-     indicate  packets originating   on the firewall itself or "all" to 
-     indicate any  source.</li>
-                            <li><b>   DEST</b> -- The destination zone. May 
- be  qualified      by  following   the zone       name with a colon (":") 
- and  either an IP   address   or an IP        subnet.  Because packets are 
- marked  prior to routing,   you   may not specify         the  name of an 
- interface.  This column may  also contain         "all"   to indicate  any 
- destination.</li>
-                            <li><b>   PROTOCOL</b> -- The name of a protocol
-  in  /etc/protocols        or  the protocol's       number.</li>
-                            <li><b>   SOURCE PORT(S)</b> -- The source port 
- or  a  port   range.    For   all ports, place        a hyphen ("-") in this
- column.</li>
-                            <li><b>   DEST PORT(S)</b>  -- The destination
- port   or  a  port   range.    To indicate       all ports, place a hyphen
- ("-")   in this  column.</li>
-                            <li><b>   TOS</b> -- The type of service. Must
- be  one   of  the   following:</li>
-                                                  
+                               <li><b>   SOURCE</b> -- The source zone. May 
+ be  qualified      by  following     the zone name       with a colon (":")
+  and  either an   IP   address,  an IP  subnet,   a MAC address     in <a
+ href="#MAC">Shorewall     Format</a>  or the        name   of an interface.
+   This column may also  contain   the <a href="#FW">name of            
+                                                      the firewall</a>  
+                                                                  zone to
+       indicate  packets originating   on the firewall itself or "all" to
+      indicate any  source.</li>
+                               <li><b>   DEST</b> -- The destination zone.
+ May   be  qualified      by  following   the zone       name with a colon
+ (":")   and  either an IP   address   or an IP        subnet.  Because packets
+ are   marked  prior to routing,   you   may not specify         the  name
+ of an   interface.  This column may  also contain         "all"   to indicate
+  any   destination.</li>
+                               <li><b>   PROTOCOL</b> -- The name of a protocol 
+   in  /etc/protocols        or  the protocol's       number.</li>
+                               <li><b>   SOURCE PORT(S)</b> -- The source 
+port   or  a  port   range.    For   all ports, place        a hyphen ("-") 
+in this  column.</li>
+                               <li><b>   DEST PORT(S)</b>  -- The destination 
+  port   or  a  port   range.    To indicate       all ports, place a hyphen 
+  ("-")   in this  column.</li>
+                               <li><b>   TOS</b> -- The type of service.
+Must   be  one   of  the   following:</li>
+                                                        
 </ul>
                                                                         
                                                                         
-                                                  
-<blockquote>                                                            
-                                                                        
-                                                                        
-     
-  <blockquote>                                                          
-                                                                        
-                                                                        
-                                                             
-    <p>   Minimize-Delay (16)<br>
-                                  Maximize-Throughput (8)<br>
-                                  Maximize-Reliability (4)<br>
-                                  Minimize-Cost (2)<br>
-                                  Normal-Service (0)</p>
-                           </blockquote>
-                          </blockquote>
-                                                                        
-                                                                        
-                                               
-<p>   The /etc/shorewall/tos file that is included with Shorewall contains
-            the    following entries.</p>
-                                                                        
-                                                                        
-                                                  
+                                                        
 <blockquote>                                                             
+                                                                        
+                                                                        
              
+  <blockquote>                                                           
+                                                                        
+                                                                        
+                                                                        
+  
+    <p>   Minimize-Delay (16)<br>
+                                     Maximize-Throughput (8)<br>
+                                     Maximize-Reliability (4)<br>
+                                     Minimize-Cost (2)<br>
+                                     Normal-Service (0)</p>
+                              </blockquote>
+                             </blockquote>
+                                                                        
+                                                                        
+                                                     
+<p>   The /etc/shorewall/tos file that is included with Shorewall contains 
+             the    following entries.</p>
+                                                                        
+                                                                        
+                                                        
+<blockquote>                                                            
+                       
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-                                <tbody>
+                                   <tbody>
                                                                         
-                                      <tr>
-                                  <td><b>SOURCE</b></td>
-                                  <td><b>DEST</b></td>
-                                  <td><b>PROTOCOL</b></td>
-                                  <td><b>SOURCE<br>
-                                  PORT(S)</b></td>
-                                  <td><b>DEST  PORT(S)</b></td>
-                                  <td><b>TOS</b></td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>tcp</td>
-                                  <td>-</td>
-                                  <td>ssh</td>
-                                  <td>16</td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>tcp</td>
-                                  <td>ssh</td>
-                                  <td>-</td>
-                                  <td>16</td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>tcp</td>
-                                  <td>-</td>
-                                  <td>ftp</td>
-                                  <td>16</td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>tcp</td>
-                                  <td>ftp</td>
-                                  <td>-</td>
-                                  <td>16</td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>tcp</td>
-                                  <td>-</td>
-                                  <td>ftp-data</td>
-                                  <td>8</td>
-                                </tr>
-                                <tr>
-                                  <td>all</td>
-                                  <td>all</td>
-                                  <td>tcp</td>
-                                  <td>ftp-data</td>
-                                  <td>-</td>
-                                  <td>8</td>
-                                </tr>
+                                         <tr>
+                                     <td><b>SOURCE</b></td>
+                                     <td><b>DEST</b></td>
+                                     <td><b>PROTOCOL</b></td>
+                                     <td><b>SOURCE<br>
+                                     PORT(S)</b></td>
+                                     <td><b>DEST  PORT(S)</b></td>
+                                     <td><b>TOS</b></td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>tcp</td>
+                                     <td>-</td>
+                                     <td>ssh</td>
+                                     <td>16</td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>tcp</td>
+                                     <td>ssh</td>
+                                     <td>-</td>
+                                     <td>16</td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>tcp</td>
+                                     <td>-</td>
+                                     <td>ftp</td>
+                                     <td>16</td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>tcp</td>
+                                     <td>ftp</td>
+                                     <td>-</td>
+                                     <td>16</td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>tcp</td>
+                                     <td>-</td>
+                                     <td>ftp-data</td>
+                                     <td>8</td>
+                                   </tr>
+                                   <tr>
+                                     <td>all</td>
+                                     <td>all</td>
+                                     <td>tcp</td>
+                                     <td>ftp-data</td>
+                                     <td>-</td>
+                                     <td>8</td>
+                                   </tr>
                                                                         
                                                                         
                                                                         
                                                                         
                                                                         
-                                  
-    </tbody>                                                            
+                                                    
+    </tbody>                                                             
                                                                         
                                                                         
                                                                         
-                                     
+                                             
   </table>
-                        </blockquote>
+                           </blockquote>
                                                                         
                                                                         
-                                                        
-<p><b>WARNING: </b>Users have reported that odd routing problems result from
-            adding the ESP and AH protocols to the /etc/shorewall/tos file.
-   </p>
+                                                              
+<p><b>WARNING: </b>Users have reported that odd routing problems result from 
+             adding the ESP and AH protocols to the /etc/shorewall/tos file. 
+    </p>
                                                                         
                                                                         
-                                                        
+                                                              
 <h2><a name="Blacklist"></a>/etc/shorewall/blacklist</h2>
                                                                         
                                                                         
-                                                        
-<p>Each                                                                 
-               line                                                     
-                           in                                           
-                                     /etc/shorewall/blacklist           
-                                                                     contains 
-                                                                         
-                  an                                                    
-                            IP                                          
-                                      address, a MAC address in <a
- href="#MAC">Shorewall      Format</a>                                   
-                                             or                         
-                                                       subnet           
-                                                                     address. 
-                                                                         
-           Example:</p>
+                                                              
+<p>Each                                                                  
+              line                                                      
+                          in                                            
+                                    /etc/shorewall/blacklist            
+                                                                    contains
                                                                         
-                                                  
+                     an                                                 
+                               IP                                       
+                                         address, a MAC address in <a
+ href="#MAC">Shorewall      Format</a>                                  
+                                              or                        
+                                                        subnet          
+                                                                      address.
+                                                                        
+              Example:</p>
+                                                                        
+                                                        
 <pre>      130.252.100.69<br>      206.124.146.0/24</pre>
                                                                         
                                                                         
-                                                        
-<p>Packets                                                              
-                  <u><b>from</b></u>                                    
-                                            hosts                       
-                                                         listed         
-                                                                       in 
-                                                                         
-                  the                                                   
-                             blacklist                                  
-                                              file                      
-                                                          will          
-                                                                      be 
+                                                              
+<p>Packets                                                               
+                 <u><b>from</b></u>                                     
+                                           hosts                        
+                                                        listed          
+                                                                      in
                                                                         
-      disposed                                                          
-                          of                                            
-                                    according                           
-                                                     to                 
-                                                               the      
+                     the                                                
+                                blacklist                               
+                                                 file                   
+                                                             will       
                                                                         
- value                                                                  
-                  assigned                                              
-                                      to                                
-                                                the <a href="#Conf">BLACKLIST_DISPOSITION</a> 
-                                                                         
-             and   <a href="#Conf">BLACKLIST_LOGLEVEL </a>variables     
+be                                                                      
+           disposed                                                     
+                               of                                       
+                                         according                      
+                                                          to            
+                                                                    the 
                                                                         
-  in                                                                    
-             /etc/shorewall/shorewall.conf.                             
-                                                       Only             
-                                                                   packets 
-                                                                         
-       arriving                                                         
-                       on                                               
-                                 interfaces                             
-                                                   that                 
-                                                               have     
+      value                                                             
+                       assigned                                         
+                                           to                           
+                                                     the <a href="#Conf">BLACKLIST_DISPOSITION</a>
                                                                         
-  the                                                                   
-                '<a href="#Interfaces">blacklist</a>'                   
-                                                                 option 
+                and   <a href="#Conf">BLACKLIST_LOGLEVEL </a>variables  
                                                                         
-      in                                                                
-                 /etc/shorewall/interfaces                              
-                                                  are                   
-                                                             checked    
+     in                                                                 
+                /etc/shorewall/shorewall.conf.                          
+                                                          Only          
+                                                                      packets
                                                                         
-   against                                                              
-                  the                                                   
-                             blacklist. The black list is  designed to prevent 
-  listed     hosts/subnets from accessing services on <u><b>your</b></u> 
-  network.<br>
-                       </p>
-                                             
+          arriving                                                      
+                          on                                            
+                                    interfaces                          
+                                                      that              
+                                                                  have  
+                                                                        
+     the                                                                
+                   '<a href="#Interfaces">blacklist</a>'                
+                                                                    option
+                                                                        
+       in                                                               
+                  /etc/shorewall/interfaces                             
+                                                   are                  
+                                                              checked   
+                                                                        
+    against                                                             
+                   the                                                  
+                              blacklist. The black list is  designed to prevent
+    listed     hosts/subnets from accessing services on <u><b>your</b></u>
+    network.<br>
+                          </p>
+                                                   
 <p>Beginning with Shorewall 1.3.8, the blacklist file has three columns:<br>
-                       </p>
-                                             
+                          </p>
+                                                   
 <ul>
-                         <li><b>ADDRESS/SUBNET - </b>As described above.</li>
-                         <li><b>PROTOCOL</b> - Optional. If specified, only 
- packets     specifying      this protocol will be blocked.</li>
-                         <li><b>PORTS - </b>Optional; may only be given if
- PROTOCOL     is  tcp,   udp   or icmp. Expressed as a comma-separated list
- of port numbers     or service   names  (from /etc/services). If present,
- only packets destined     for the specified     protocol and one of the
-listed  ports are blocked.   When  the PROTOCOL is  icmp,   the PORTS column
-contains  a comma-separated     list  of ICMP type numbers  or  names (see
+                            <li><b>ADDRESS/SUBNET - </b>As described above.</li>
+                            <li><b>PROTOCOL</b> - Optional. If specified, 
+only   packets     specifying      this protocol will be blocked.</li>
+                            <li><b>PORTS - </b>Optional; may only be given
+ if  PROTOCOL     is  tcp,   udp   or icmp. Expressed as a comma-separated
+ list  of port numbers     or service   names  (from /etc/services). If present, 
+  only packets destined     for the specified     protocol and one of the 
+listed  ports are blocked.   When  the PROTOCOL is  icmp,   the PORTS column 
+contains  a comma-separated     list  of ICMP type numbers  or  names (see 
 "iptables  -h icmp").<br>
-                         </li>
-                                             
+                            </li>
+                                                   
 </ul>
                                                                         
                                                                         
-                                                        
-<p>Shorewall also has a <a href="blacklisting_support.htm">dynamic blacklist
-            capability.</a></p>
+                                                              
+<p>Shorewall also has a <a href="blacklisting_support.htm">dynamic blacklist 
+             capability.</a></p>
                                                                         
                                                                         
-                                                        
-<p><font color="#cc6666"><b>IMPORTANT: The Shorewall blacklist file is <u>NOT</u>
-            designed to police your users' web browsing -- to do that, I
+                                                              
+<p><font color="#cc6666"><b>IMPORTANT: The Shorewall blacklist file is <u>NOT</u> 
+             designed to police your users' web browsing -- to do that, I 
 suggest        that     you install and configure Squid (<a
  href="http://www.squid-cache.org">http://www.squid-cache.org</a>).     </b></font></p>
                                                                         
                                                                         
                                                                         
                                                                         
-     
+           
 <h2><a name="rfc1918"></a>/etc/shorewall/rfc1918 (Added in Version 1.3.1)</h2>
                                                                         
                                                                         
                                                                         
                                                                         
-     
-<p>This file lists the subnets affected by the <a href="#Interfaces"><i>norfc1918</i>
-            interface option</a>. Columns in the file are:</p>
+           
+<p>This file lists the subnets affected by the <a href="#Interfaces"><i>norfc1918</i> 
+             interface option</a>. Columns in the file are:</p>
                                                                         
                                                                         
                                                                         
                                                                         
-     
+           
 <ul>
                                                                         
-                                  <li><b>SUBNET</b> - The subnet using VLSM 
- notation     (e.g.,    192.168.0.0/16).</li>
+                                     <li><b>SUBNET</b> - The subnet using 
+VLSM   notation     (e.g.,    192.168.0.0/16).</li>
                                                                         
-                                  <li><b>TARGET<i> </i></b>- What to do with
-  packets     to/from     the   SUBNET:                                 
+                                     <li><b>TARGET<i> </i></b>- What to do
+ with   packets     to/from     the   SUBNET:                           
                                                                         
-             
+                                  
     <ul>
                                                                         
-                                    <li><b>RETURN</b> - Process the packet
- normally     thru   the   rules   and policies.</li>
+                                       <li><b>RETURN</b> - Process the packet 
+  normally     thru   the   rules   and policies.</li>
                                                                         
-                                    <li><b>DROP</b> - Silently drop the packet.</li>
+                                       <li><b>DROP</b> - Silently drop the
+ packet.</li>
                                                                         
-                                    <li><b>logdrop</b> - Log then drop the
- packet    --  see  the <a href="#Conf">RFC1918_LOG_LEVEL</a> parameter above.</li>
+                                       <li><b>logdrop</b> - Log then drop 
+the   packet    --  see  the <a href="#Conf">RFC1918_LOG_LEVEL</a> parameter 
+above.</li>
                                                                         
                                                                         
                                                                         
-        
+                          
     </ul>
                                                                         
-                                  </li>
-                                                  
+                                     </li>
+                                                        
 </ul>
                                                                         
                                                                         
                                                                         
                                                                         
-     
-<h2><a name="Routestopped"></a>/etc/shorewall/routestopped (Added in Version 
-          1.3.4)</h2>
+           
+<h2><a name="Routestopped"></a>/etc/shorewall/routestopped (Added in Version
+            1.3.4)</h2>
                                                                         
                                                                         
                                                                         
                                                                         
-     
-<p>This file defines the hosts that are accessible from the firewall when
-            the firewall is stopped.  Columns in the file are:</p>
+           
+<p>This file defines the hosts that are accessible from the firewall when 
+             the firewall is stopped.  Columns in the file are:</p>
                                                                         
                                                                         
                                                                         
                                                                         
-     
+           
 <ul>
                                                                         
-                                  <li><b>INTERFACE </b>- The firewall interface 
-   through     which    the  host(s) comminicate with the firewall.</li>
+                                     <li><b>INTERFACE </b>- The firewall
+interface      through     which    the  host(s) comminicate with the firewall.</li>
                                                                         
-                                  <li><b>HOST(S) </b>- (Optional) - A comma-separated 
-      list   of  IP/Subnet  addresses. If not supplied or supplied as "-" 
-then     0.0.0.0/0    is  assumed.</li>
-                                                  
+                                     <li><b>HOST(S) </b>- (Optional) - A
+comma-separated         list   of  IP/Subnet  addresses. If not supplied
+or supplied as "-"   then     0.0.0.0/0    is  assumed.</li>
+                                                        
 </ul>
                                                                         
                                                                         
                                                                         
                                                                         
-     
-<p>Example: When your firewall is stopped, you want firewall accessibility
-            from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces
-         through   eth1 and your local hosts through eth2.</p>
+           
+<p>Example: When your firewall is stopped, you want firewall accessibility 
+             from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces
+          through   eth1 and your local hosts through eth2.</p>
                                                                         
                                                                         
                                                                         
                                                                         
-     
-<blockquote>                                                            
+           
+<blockquote>                                                             
                                                                         
-                     
+                             
   <table border="2" style="border-collapse: collapse;" id="AutoNumber1"
  cellpadding="2">
                                                                         
-                                    <tbody>
-                              <tr>
+                                       <tbody>
+                                 <tr>
                                                                         
-                                      <td><u><b>INTERFACE</b></u></td>
+                                         <td><u><b>INTERFACE</b></u></td>
                                                                         
-                                      <td><u><b>HOST(S)</b></u></td>
+                                         <td><u><b>HOST(S)</b></u></td>
                                                                         
-                                    </tr>
+                                       </tr>
                                                                         
-                                    <tr>
+                                       <tr>
                                                                         
-                                      <td>eth2</td>
+                                         <td>eth2</td>
                                                                         
-                                      <td>192.168.1.0/24</td>
+                                         <td>192.168.1.0/24</td>
                                                                         
-                                    </tr>
+                                       </tr>
                                                                         
-                                    <tr>
+                                       <tr>
                                                                         
-                                      <td>eth1</td>
+                                         <td>eth1</td>
                                                                         
-                                      <td>-</td>
+                                         <td>-</td>
                                                                         
-                                    </tr>
+                                       </tr>
+                                                                        
+                                                                        
+                                                                        
+                          
+    </tbody>                                                             
+                   
+  </table>
+                             </blockquote>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+             
+<h2><a name="Maclist"></a>/etc/shorewall/maclist (Added in Version 1.3.10)</h2>
+                       This file is described in the <a
+ href="MAC_Validation.html">MAC   Validation     Documentation</a>.<br>
+                       <br>
+                                             
+<p><font size="-1">   Updated 2/18/2003 - <a href="support.htm">Tom  Eastep</a>
+                 </font></p>
                                                                         
                                                                         
                                                                         
         
-    </tbody>                                                            
-           
-  </table>
-                          </blockquote>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-       
-<h2><a name="Maclist"></a>/etc/shorewall/maclist (Added in Version 1.3.10)</h2>
-                    This file is described in the <a
- href="MAC_Validation.html">MAC   Validation     Documentation</a>.<br>
-                    <br>
-                                       
-<p><font size="-1">   Updated 3/4/2003 - <a href="support.htm">Tom  Eastep</a> 
-               </font></p>
-                                                                        
-                                                                        
-                                                                        
-  
 <p><a href="copyright.htm"><font size="2">Copyright</font>           © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-            <br>
-            </p>
-            <br>
-            <br>
-         <br>
-        <br>
-       <br>
-      <br>
-     <br>
-    <br>
-   <br>
+  </p>
   <br>
  <br>
 </body>
diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm
index 401f1db4d..0f88673a9 100644
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@@ -2,1256 +2,1283 @@
 <html>
 <head>
                                                                         
-                                                                         
- 
+                                                                        
+              
   <meta http-equiv="Content-Language" content="en-us">
                                                                         
-                                                                         
- 
+                                                                        
+              
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
                                                                         
-                                                                         
- 
+                                                                        
+              
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                         
-                                                                         
- 
+                                                                        
+              
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Shorewall FAQ</title>
                                                                         
                                                                         
                                                                         
-                                         
+                                                              
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
                                                                         
-   
+         
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber4"
  bgcolor="#400169" height="90">
-                                        <tbody>
-                                         <tr>
-                                          <td width="100%">             
+                                           <tbody>
+                                            <tr>
+                                             <td width="100%">          
                                                                         
                                                                         
                                                                         
-                              
+                                                      
       <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
-                                          </td>
-                                        </tr>
+                                             </td>
+                                           </tr>
                                                                         
-                                                                         
- 
-  </tbody>                                     
+                                                                        
+              
+  </tbody>                                        
 </table>
                                                                         
-   
-<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
-                   port</b> 7777 to my my personal PC with IP address 192.168.1.5.
-         I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
+         
+<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b> 
+                    port</b> 7777 to my my personal PC with IP address 192.168.1.5. 
+          I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
                                                                         
-  
-<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
-                   but it doesn't work.<br>
-                            </a></p>
+        
+<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
+                     but it doesn't work.<br>
+                               </a></p>
                                                                         
-  
-<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
-              port forwarding</a></p>
-                                                       
-<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
-                  to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 
-      in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com 
-            but    <b>internal  clients can't</b>.</a></p>
+        
+<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with 
+               port forwarding</a></p>
+                                                             
+<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
+                    to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
+        in   my   local      network. <b>External clients can browse</b>
+http://www.mydomain.com               but    <b>internal  clients can't</b>.</a></p>
                                                                         
-  
-<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
-                   subnet and I use <b>static NAT</b> to assign non-RFC1918 
-  addresses          to   hosts   in  Z. Hosts in Z cannot communicate with 
-  each other  using      their    external    (non-RFC1918 addresses) so they
-  <b>can't access each     other using   their DNS   names.</b></a></p>
+        
+<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
+                     subnet and I use <b>static NAT</b> to assign non-RFC1918
+    addresses          to   hosts   in  Z. Hosts in Z cannot communicate
+with     each other  using      their    external    (non-RFC1918 addresses)
+so  they   <b>can't access each     other using   their DNS   names.</b></a></p>
                                                                         
-   
-<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b> 
-   or <b>MSN                Instant Messenger </b>with  Shorewall. What do 
- I  do?</a></p>
+         
+<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
+     or <b>MSN                Instant Messenger </b>with  Shorewall. What
+do   I  do?</a></p>
                                                                         
-  
-<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
-                  to  check my firewall and it shows <b>some ports as 'closed' 
-     rather       than     'blocked'.</b>  Why?</a></p>
+        
+<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
+                    to  check my firewall and it shows <b>some ports as 'closed'
+       rather       than     'blocked'.</b>  Why?</a></p>
                                                                         
-  
-<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
-                   of my firewall and it showed 100s of ports as open!!!!</a></p>
+        
+<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
+                     of my firewall and it showed 100s of ports as open!!!!</a></p>
                                                                         
-  
-<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now 
-                  I <b> can't ping</b> through the firewall</a></p>
+        
+<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
+                    I <b> can't ping</b> through the firewall</a></p>
                                                                         
-   
-<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
-                   written and  how do I <b>change the destination</b>?</a></p>
+         
+<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
+                     written and  how do I <b>change the destination</b>?</a></p>
                                                                         
-                                                                   
-<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
-                   that work with Shorewall?</a></p>
-           
+                                                                         
+<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
+                     that work with Shorewall?</a></p>
+                 
 <p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
- href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
-   requests. Can i exclude these error messages for this port temporarily
-from   logging in Shorewall?</a><br>
-      </p>
-           
-<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
-   of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>. 
-   They get dropped, but what the heck are they?</a><br>
-      </p>
-           
-<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
-in Shorewall log messages <b>so long</b>? I thought MAC addresses were only
-6 bytes in length.</a><b><br>
-</b></p>
-<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 
-'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
-                   work?</a></p>
+ href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect 
+    requests. Can i exclude these error messages for this port temporarily 
+ from   logging in Shorewall?</a><br>
+         </p>
+                 
+<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow 
+    of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.  
+    They get dropped, but what the heck are they?</a><br>
+         </p>
+                 
+<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b> 
+ in Shorewall log messages <b>so long</b>? I thought MAC addresses were only 
+ 6 bytes in length.</a><b><br>
+   </b></p>
+     
+<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
+ 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
+                     work?</a></p>
                                                                         
-   
-<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
-                  on RedHat</b> I get messages about insmod failing -- what's 
-     wrong?</a></p>
+         
+<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
+                    on RedHat</b> I get messages about insmod failing --
+what's        wrong?</a></p>
                                                                         
-   
-<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
-                  my  interfaces </b>properly?</a></p>
+         
+<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
+                    my  interfaces </b>properly?</a></p>
                                                                         
-          
-<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does 
-                  it  work with?</a></p>
+                
+<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
+                    it  work with?</a></p>
                                                                         
-   
-<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
-support?</a></p>
+         
+<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
+ support?</a></p>
                                                                         
-   
+         
 <p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
                                                                         
-   
+         
 <p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
                                                                         
-  
-<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
-                  and it has an internel  web server that allows me to configure/monitor 
-               it   but as expected if I enable <b> rfc1918 blocking</b> for
-   my   eth0     interface,       it also blocks the <b>cable modems  web
-server</b></a>.</p>
+        
+<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
+                    and it has an internel  web server that allows me to
+configure/monitor                  it   but as expected if I enable <b> rfc1918
+blocking</b>  for    my   eth0     interface,       it also blocks the <b>cable
+modems  web server</b></a>.</p>
                                                                         
-  
-<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
-                  IP  addresses, my ISP's DHCP server has an RFC 1918 address. 
-     If   I  enable       RFC 1918  filtering on my external interface, <b>my 
-    DHCP  client  cannot    renew   its lease</b>.</a></p>
+        
+<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
+                    IP  addresses, my ISP's DHCP server has an RFC 1918 address.
+       If   I  enable       RFC 1918  filtering on my external interface,
+<b>my      DHCP  client  cannot    renew   its lease</b>.</a></p>
                                                                         
-   
-<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
-                  out to  the net</b></a></p>
+         
+<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
+                    out to  the net</b></a></p>
                                                                         
-   
-<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
-                   all over my console</b> making it unusable!<br>
-                                 </a></p>
-                                              <b>17</b>. <a
- href="#faq17">How   do  I  find   out   <b>why    this traffic   is</b>
-getting  <b>logged?</b></a><br>
-                             <br>
-                             <b>18.</b> <a href="#faq18">Is there any way 
-to  use   <b>aliased      ip  addresses</b>    with Shorewall, and maintain
- separate    rulesets for    different   IPs?</a><br>
-                         <br>
-                         <b>19. </b><a href="#faq19">I have added <b>entries
-  to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do
-  anything</b>.  Why?</a><br>
-                        <br>
-                        <b>20. </b><a href="#faq20">I have just set  up 
-a   server.      <b>Do  I have to change Shorewall to allow access to my
-server    from   the  internet?<br>
-              <br>
-              </b></a><b>21. </b><a href="#faq21">I see these <b>strange
-log   entries      </b>occasionally;    what are they?<br>
-                      </a><br>
-              <b>22. </b><a href="#faq22">I have some <b>iptables commands
- </b>that     I  want to <b>run when Shorewall starts.</b> Which file do
+         
+<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
+                     all over my console</b> making it unusable!<br>
+                                    </a></p>
+                                                 <b>17</b>. <a
+ href="#faq17">How   do  I  find   out   <b>why    this traffic   is</b> getting
+ <b>logged?</b></a><br>
+                                <br>
+                                <b>18.</b> <a href="#faq18">Is there any
+way   to  use   <b>aliased      ip  addresses</b>    with Shorewall, and
+maintain   separate    rulesets for    different   IPs?</a><br>
+                            <br>
+                            <b>19. </b><a href="#faq19">I have added <b>entries 
+   to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do 
+   anything</b>.  Why?</a><br>
+                           <br>
+                           <b>20. </b><a href="#faq20">I have just set  up
+  a   server.      <b>Do  I have to change Shorewall to allow access to my 
+ server    from   the  internet?<br>
+                 <br>
+                 </b></a><b>21. </b><a href="#faq21">I see these <b>strange 
+ log   entries      </b>occasionally;    what are they?<br>
+                         </a><br>
+                 <b>22. </b><a href="#faq22">I have some <b>iptables commands 
+  </b>that     I  want to <b>run when Shorewall starts.</b> Which file do 
 I  put them in?</a><br>
+               <br>
+               <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b>
+    on  your   <b>web site</b>?</a><br>
             <br>
-            <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b> 
-  on  your   <b>web site</b>?</a><br>
-         <br>
-         <b>24. </b><a href="#faq24">How can I <b>allow conections</b> to 
-let's    say  the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
-<br>
-                           
-<hr>                                      
-<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
-                  my my personal PC with IP address 192.168.1.5. I've looked 
-   everywhere           and    can't find how to do it.</h4>
+            <b>24. </b><a href="#faq24">How can I <b>allow conections</b> 
+to  let's    say  the ssh port only<b> from specific IP Addresses</b> on the
+internet?</a><br>
+   <br>
+                                 
+<hr>                                         
+<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
+                    my my personal PC with IP address 192.168.1.5. I've looked
+     everywhere           and    can't find how to do it.</h4>
                                                                         
-  
+        
 <p align="left"><b>Answer: </b>The <a
  href="Documentation.htm#PortForward"> first example</a> in the <a
- href="Documentation.htm#Rules">rules file documentation</a> shows how to 
-                  do port forwarding under Shorewall. The format of a port-forwarding 
-            rule to a local system is as   follows:</p>
+ href="Documentation.htm#Rules">rules file documentation</a> shows how to
+                    do port forwarding under Shorewall. The format of a port-forwarding
+              rule to a local system is as   follows:</p>
                                                                         
-  
-<blockquote>                                                            
-                                                     
+        
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber1">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>ACTION</b></u></td>
-                                            <td><u><b>SOURCE</b></u></td>
-                                            <td><u><b>DESTINATION</b></u></td>
-                                            <td><u><b>PROTOCOL</b></u></td>
-                                            <td><u><b>PORT</b></u></td>
-                                            <td><u><b>SOURCE PORT</b></u></td>
-                                            <td><u><b>ORIG. DEST.</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>DNAT</td>
-                                            <td>net</td>
-                                            <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
-            port</i>&gt;]</td>
-                                            <td><i>&lt;protocol&gt;</i></td>
-                                            <td><i>&lt;port #&gt;</i></td>
-                                            <td> <br>
-                                          </td>
-                                            <td> <br>
-                                          </td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>ACTION</b></u></td>
+                                               <td><u><b>SOURCE</b></u></td>
+                                               <td><u><b>DESTINATION</b></u></td>
+                                               <td><u><b>PROTOCOL</b></u></td>
+                                               <td><u><b>PORT</b></u></td>
+                                               <td><u><b>SOURCE PORT</b></u></td>
+                                               <td><u><b>ORIG. DEST.</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>DNAT</td>
+                                               <td>net</td>
+                                               <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
+              port</i>&gt;]</td>
+                                               <td><i>&lt;protocol&gt;</i></td>
+                                               <td><i>&lt;port #&gt;</i></td>
+                                               <td> <br>
+                                             </td>
+                                               <td> <br>
+                                             </td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
+                                         </blockquote>
                                                                         
-  
-<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, 
-                  the rule is:</p>
+        
+<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5,
+                    the rule is:</p>
                                                                         
-  
-<blockquote>                                                            
-                                                     
+        
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber1">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>ACTION</b></u></td>
-                                            <td><u><b>SOURCE</b></u></td>
-                                            <td><u><b>DESTINATION</b></u></td>
-                                            <td><u><b>PROTOCOL</b></u></td>
-                                            <td><u><b>PORT</b></u></td>
-                                            <td><u><b>SOURCE PORT</b></u></td>
-                                            <td><u><b>ORIG. DEST.</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>DNAT</td>
-                                            <td>net</td>
-                                            <td>loc:192.168.1.5</td>
-                                            <td>udp</td>
-                                            <td>7777</td>
-                                            <td> <br>
-                                          </td>
-                                            <td> <br>
-                                          </td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>ACTION</b></u></td>
+                                               <td><u><b>SOURCE</b></u></td>
+                                               <td><u><b>DESTINATION</b></u></td>
+                                               <td><u><b>PROTOCOL</b></u></td>
+                                               <td><u><b>PORT</b></u></td>
+                                               <td><u><b>SOURCE PORT</b></u></td>
+                                               <td><u><b>ORIG. DEST.</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>DNAT</td>
+                                               <td>net</td>
+                                               <td>loc:192.168.1.5</td>
+                                               <td>udp</td>
+                                               <td>7777</td>
+                                               <td> <br>
+                                             </td>
+                                               <td> <br>
+                                             </td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
+                                         </blockquote>
                                                                         
-  
-<div align="left">                      <font face="Courier">     </font>If
-        you want to forward requests directed to a particular address ( <i>&lt;external
-        IP&gt;</i> ) on your firewall to an internal system:</div>
+        
+<div align="left">                      <font face="Courier">     </font>If 
+         you want to forward requests directed to a particular address ( <i>&lt;external
+         IP&gt;</i> ) on your firewall to an internal system:</div>
                                                                         
-  
-<blockquote>                                                            
-                                                     
+        
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber1">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>ACTION</b></u></td>
-                                            <td><u><b>SOURCE</b></u></td>
-                                            <td><u><b>DESTINATION</b></u></td>
-                                            <td><u><b>PROTOCOL</b></u></td>
-                                            <td><u><b>PORT</b></u></td>
-                                            <td><u><b>SOURCE PORT</b></u></td>
-                                            <td><u><b>ORIG. DEST.</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>DNAT</td>
-                                            <td>net</td>
-                                            <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
-            port</i>&gt;]</td>
-                                            <td><i>&lt;protocol&gt;</i></td>
-                                            <td><i>&lt;port #&gt;</i></td>
-                                            <td>-</td>
-                                            <td><i>&lt;external IP&gt;</i></td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>ACTION</b></u></td>
+                                               <td><u><b>SOURCE</b></u></td>
+                                               <td><u><b>DESTINATION</b></u></td>
+                                               <td><u><b>PROTOCOL</b></u></td>
+                                               <td><u><b>PORT</b></u></td>
+                                               <td><u><b>SOURCE PORT</b></u></td>
+                                               <td><u><b>ORIG. DEST.</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>DNAT</td>
+                                               <td>net</td>
+                                               <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
+              port</i>&gt;]</td>
+                                               <td><i>&lt;protocol&gt;</i></td>
+                                               <td><i>&lt;port #&gt;</i></td>
+                                               <td>-</td>
+                                               <td><i>&lt;external IP&gt;</i></td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
+                                         </blockquote>
                                                                         
-Finally,  if you need to forward a range of ports, in the PORT column specify
-the range  as <i>low-port</i>:<i>high-port</i>.<br>
-   
-<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
-                  but  it doesn't work</h4>
+   Finally,  if you need to forward a range of ports, in the PORT column
+specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
+         
+<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
+                    but  it doesn't work</h4>
                                                                         
-  
+        
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
                                                                         
-  
+        
 <ul>
-                                        <li>You are trying to test from inside
-   your   firewall     (no,   that    won't    work -- see <a
+                                           <li>You are trying to test from
+ inside    your   firewall     (no,   that    won't    work -- see <a
  href="#faq2">FAQ   #2</a>).</li>
-                                        <li>You have a more basic problem 
-with   your   local    system    such   as  an   incorrect default gateway 
-configured    (it  should    be set to   the IP   address    of your  firewall's 
-internal    interface).</li>
+                                           <li>You have a more basic problem
+  with   your   local    system    such   as  an   incorrect default gateway
+  configured    (it  should    be set to   the IP   address    of your  firewall's
+  internal    interface).</li>
                                                                         
-  
+        
 </ul>
                                                                         
-  
-<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
-              forwarding</h4>
-                            <b>Answer: </b>To further diagnose this problem:<br>
-                                                       
+        
+<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port 
+               forwarding</h4>
+                               <b>Answer: </b>To further diagnose this problem:<br>
+                                                             
 <ul>
-                              <li>As root, type "iptables -t nat -Z". This
- clears    the   NetFilter      counters   in the nat table.</li>
-                              <li>Try to connect to the redirected port from
-  an  external     host.</li>
-                              <li>As root type "shorewall show nat"</li>
-                              <li>Locate the appropriate DNAT rule. It will 
- be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat'
-  in the above   examples).</li>
-                              <li>Is the packet count in the first column 
-non-zero?      If  so,   the   connection    request is reaching the firewall 
-and is  being    redirected    to   the server.  In  this case, the problem 
-is usually   a  missing  or incorrect      default gateway   setting on the 
-server (the   server's  default  gateway  should    be the IP address   of 
-the firewall's   interface  to the  server).</li>
-                              <li>If the packet count is zero:</li>
+                                 <li>As root, type "iptables -t nat -Z".
+This   clears    the   NetFilter      counters   in the nat table.</li>
+                                 <li>Try to connect to the redirected port
+ from   an  external     host.</li>
+                                 <li>As root type "shorewall show nat"</li>
+                                 <li>Locate the appropriate DNAT rule. It 
+will   be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat'
+   in the above   examples).</li>
+                                 <li>Is the packet count in the first column
+  non-zero?      If  so,   the   connection    request is reaching the firewall
+  and is  being    redirected    to   the server.  In  this case, the problem
+  is usually   a  missing  or incorrect      default gateway   setting on
+the  server (the   server's  default  gateway  should    be the IP address
+  of  the firewall's   interface  to the  server).</li>
+                                 <li>If the packet count is zero:</li>
                                                                         
-                                      
+                                                  
   <ul>
-                                <li>the connection request is not reaching
- your   server    (possibly      it  is being blocked by your ISP); or</li>
-                                <li>you are trying to connect to a secondary
-  IP  address     on  your   firewall   and your rule is only redirecting
-the  primary  IP  address    (You  need to specify   the secondary IP address 
- in the "ORIG.   DEST." column    in  your DNAT rule);  or</li>
-                                <li>your DNAT rule doesn't match the connection 
-   request     in  some   other   way. In that case, you may have to use a
- packet  sniffer     such  as tcpdump  or  ethereal to further diagnose the
- problem.<br>
-                                </li>
+                                   <li>the connection request is not reaching 
+  your   server    (possibly      it  is being blocked by your ISP); or</li>
+                                   <li>you are trying to connect to a secondary 
+   IP  address     on  your   firewall   and your rule is only redirecting 
+ the  primary  IP  address    (You  need to specify   the secondary IP address
+   in the "ORIG.   DEST." column    in  your DNAT rule);  or</li>
+                                   <li>your DNAT rule doesn't match the connection
+     request     in  some   other   way. In that case, you may have to use
+ a  packet  sniffer     such  as tcpdump  or  ethereal to further diagnose
+ the  problem.<br>
+                                   </li>
                                                                         
-                                      
+                                                  
   </ul>
-                                                       
+                                                             
 </ul>
-                                                       
-<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
-                  (IP 130.151.100.69) to system 192.168.1.5 in my local network. 
-       External         clients  can browse http://www.mydomain.com but internal 
-       clients can't.</h4>
+                                                             
+<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
+                    (IP 130.151.100.69) to system 192.168.1.5 in my local
+network.         External         clients  can browse http://www.mydomain.com
+but internal         clients can't.</h4>
                                                                         
-  
+        
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
                                                                         
-  
+        
 <ul>
-                                        <li>Having an internet-accessible 
-server    in  your   local    network         is  like raising foxes in the 
-corner   of your  hen   house.  If  the server     is      compromised, there's
- nothing    between  that  server  and  your other   internal        systems.
- For the    cost of another  NIC and  a cross-over  cable,   you can   put
-      your   server in a DMZ such  that it is isolated  from your   local
-systems    -      assuming that the  Server can be located  near the Firewall,
-  of course     :-)</li>
-                                        <li>The accessibility problem is
-best   solved    using           <a href="shorewall_setup_guide.htm#DNS">Bind 
-Version       9 "views"</a>     (or using a separate DNS server for local 
-clients)  such   that www.mydomain.com     resolves to 130.141.100.69    
-externally  and 192.168.1.5   internally. That's    what I do here at   
- shorewall.net  for my local systems   that use static   NAT.</li>
+                                           <li>Having an internet-accessible
+  server    in  your   local    network         is  like raising foxes in
+the  corner   of your  hen   house.  If  the server     is      compromised,
+there's  nothing    between  that  server  and  your other   internal   
+    systems.  For the    cost of another  NIC and  a cross-over  cable, 
+ you can   put       your   server in a DMZ such  that it is isolated  from
+your   local systems    -      assuming that the  Server can be located 
+near the Firewall,   of course     :-)</li>
+                                           <li>The accessibility problem
+is  best   solved    using           <a
+ href="shorewall_setup_guide.htm#DNS">Bind  Version       9 "views"</a>  
+  (or using a separate DNS server for local  clients)  such   that www.mydomain.com 
+    resolves to 130.141.100.69     externally  and 192.168.1.5   internally. 
+That's    what I do here at     shorewall.net  for my local systems   that 
+use static   NAT.</li>
                                                                         
-  
+        
 </ul>
                                                                         
-  
-<p align="left">If you insist on an IP solution to the accessibility problem 
-                   rather than a DNS solution, then assuming that your external 
-      interface          is  eth0  and your internal interface is eth1  and 
-  that    eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, 
-  do   the following:</p>
                                                                         
-  
-<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
-                   for eth1 (No longer required as of Shorewall version 1.3.9).</p>
+                
+<p align="left">If you insist on an IP solution to the accessibility problem
+                     rather than a DNS solution, then assuming that your
+external         interface          is  eth0  and your internal interface
+is eth1  and    that    eth1 has IP   address      192.168.1.254  with subnet
+192.168.1.0/24, in /etc/shorewall/rules, add:</p>
                                                                         
-  
-<div align="left">                                      
-<p align="left">b) In /etc/shorewall/rules, add:</p>
-                                     </div>
+        
+<div align="left">                                                      
+                          </div>
                                                                         
-  
-<div align="left">                                      
-<blockquote>                                                            
-                                                     
+        
+<div align="left">                                         
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber1">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>ACTION</b></u></td>
-                                            <td><u><b>SOURCE</b></u></td>
-                                            <td><u><b>DESTINATION</b></u></td>
-                                            <td><u><b>PROTOCOL</b></u></td>
-                                            <td><u><b>PORT</b></u></td>
-                                            <td><u><b>SOURCE PORT</b></u></td>
-                                            <td><u><b>ORIG. DEST.</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>DNAT</td>
-                                            <td>loc:192.168.1.0/24</td>
-                                            <td>loc:192.168.1.5</td>
-                                            <td>tcp</td>
-                                            <td>www</td>
-                                            <td>-</td>
-                                            <td>130.151.100.69:192.168.1.254</td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>ACTION</b></u></td>
+                                               <td><u><b>SOURCE</b></u></td>
+                                               <td><u><b>DESTINATION</b></u></td>
+                                               <td><u><b>PROTOCOL</b></u></td>
+                                               <td><u><b>PORT</b></u></td>
+                                               <td><u><b>SOURCE PORT</b></u></td>
+                                               <td><u><b>ORIG. DEST.</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>DNAT</td>
+                                               <td>loc:192.168.1.0/24</td>
+                                               <td>loc:192.168.1.5</td>
+                                               <td>tcp</td>
+                                               <td>www</td>
+                                               <td>-</td>
+                                               <td>130.151.100.69:192.168.1.254</td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
-                                      </div>
+                                         </blockquote>
+                                         </div>
                                                                         
-                                         
-<div align="left">                                      
-<p align="left">That rule only works of course if you have a static external 
-                  IP  address. If you  have a dynamic IP address and are running
-       Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
-                                     </div>
+                                               
+<div align="left">                                         
+<p align="left">That rule only works of course if you have a static external
+                    IP  address. If you  have a dynamic IP address and are
+ running        Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
+                                        </div>
                                                                         
-  
-<div align="left">                                      
+        
+<div align="left">                                         
 <pre>     ETH0_IP=`find_interface_address eth0`</pre>
-                                      </div>
+                                         </div>
                                                                         
-  
-<div align="left">                                      
+        
+<div align="left">                                         
 <p align="left">and make your DNAT rule:</p>
-                                     </div>
+                                        </div>
                                                                         
-  
-<div align="left">                                      
-<blockquote>                                                            
-                                                     
+        
+<div align="left">                                         
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber1">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>ACTION</b></u></td>
-                                            <td><u><b>SOURCE</b></u></td>
-                                            <td><u><b>DESTINATION</b></u></td>
-                                            <td><u><b>PROTOCOL</b></u></td>
-                                            <td><u><b>PORT</b></u></td>
-                                            <td><u><b>SOURCE PORT</b></u></td>
-                                            <td><u><b>ORIG. DEST.</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>DNAT</td>
-                                            <td>loc:192.168.1.0/24</td>
-                                            <td>loc:192.168.1.5</td>
-                                            <td>tcp</td>
-                                            <td>www</td>
-                                            <td>-</td>
-                                            <td>$ETH0_IP:192.168.1.254</td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>ACTION</b></u></td>
+                                               <td><u><b>SOURCE</b></u></td>
+                                               <td><u><b>DESTINATION</b></u></td>
+                                               <td><u><b>PROTOCOL</b></u></td>
+                                               <td><u><b>PORT</b></u></td>
+                                               <td><u><b>SOURCE PORT</b></u></td>
+                                               <td><u><b>ORIG. DEST.</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>DNAT</td>
+                                               <td>loc:192.168.1.0/24</td>
+                                               <td>loc:192.168.1.5</td>
+                                               <td>tcp</td>
+                                               <td>www</td>
+                                               <td>-</td>
+                                               <td>$ETH0_IP:192.168.1.254</td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
-                                      </div>
+                                         </blockquote>
+                                         </div>
                                                                         
-  
-<div align="left">                                      
-<p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
-                   client to automatically restart Shorewall each time that 
-  you    get    a  new    IP   address.</p>
-                                     </div>
+        
+<div align="left">                                         
+<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
+                     client to automatically restart Shorewall each time
+that     you    get    a  new    IP   address.</p>
+                                        </div>
                                                                         
-  
-<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
-                  subnet and I use static NAT to assign non-RFC1918 addresses 
-    to   hosts      in   Z.  Hosts in Z cannot communicate with each other 
- using    their  external      (non-RFC1918     addresses) so they can't access
- each    other  using their    DNS  names.</h4>
+        
+<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
+                    subnet and I use static NAT to assign non-RFC1918 addresses
+      to   hosts      in   Z.  Hosts in Z cannot communicate with each other
+   using    their  external      (non-RFC1918     addresses) so they can't
+ access  each    other  using their    DNS  names.</h4>
                                                                         
-  
-<p align="left"><b>Answer: </b>This is another problem that is best solved 
-                  using Bind Version 9 "views". It allows both external and 
-  internal         clients       to access a NATed host using the host's DNS
-  name.</p>
+        
+<p align="left"><b>Answer: </b>This is another problem that is best solved
+                    using Bind Version 9 "views". It allows both external
+and    internal         clients       to access a NATed host using the host's
+ DNS   name.</p>
                                                                         
-  
-<p align="left">Another good way to approach this problem is to switch from
-                   static NAT to Proxy ARP. That way, the hosts in Z have
-non-RFC1918            addresses      and can be accessed externally and
+        
+<p align="left">Another good way to approach this problem is to switch from 
+                    static NAT to Proxy ARP. That way, the hosts in Z have 
+ non-RFC1918            addresses      and can be accessed externally and 
 internally using     the    same   address.  </p>
                                                                         
-  
-<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
-traffic through your firewall then:</p>
+        
+<p align="left">If you don't like those solutions and prefer routing all
+Z-&gt;Z traffic through your firewall then:</p>
                                                                         
-  
-<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
-              (If you are running a Shorewall version earlier than 1.3.9).<br>
-                                      b) Set the Z-&gt;Z policy to ACCEPT.<br>
-                                      c) Masquerade Z to itself.<br>
-                                      <br>
-                                      Example:</p>
+        
+<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
+                                         b) Masquerade Z to itself.<br>
+                                         <br>
+                                         Example:</p>
                                                                         
-  
+        
 <p align="left">Zone: dmz<br>
-                                      Interface: eth2<br>
-                                      Subnet: 192.168.2.0/24</p>
+                                         Interface: eth2<br>
+                                         Subnet: 192.168.2.0/24</p>
                                                                         
-  
+        
 <p align="left">In /etc/shorewall/interfaces:</p>
                                                                         
-  
-<blockquote>                                                            
-                                                     
+        
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber2">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>ZONE</b></u></td>
-                                            <td><u><b>INTERFACE</b></u></td>
-                                            <td><u><b>BROADCAST</b></u></td>
-                                            <td><u><b>OPTIONS</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>dmz</td>
-                                            <td>eth2</td>
-                                            <td>192.168.2.255</td>
-                                            <td>multi</td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>ZONE</b></u></td>
+                                               <td><u><b>INTERFACE</b></u></td>
+                                               <td><u><b>BROADCAST</b></u></td>
+                                               <td><u><b>OPTIONS</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>dmz</td>
+                                               <td>eth2</td>
+                                               <td>192.168.2.255</td>
+                                               <td><br>
+        </td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
+                                         </blockquote>
                                                                         
-  
+        
 <p align="left">In /etc/shorewall/policy:</p>
                                                                         
-  
-<blockquote>                                                            
-                                                     
+        
+<blockquote>                                                             
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
-                                          <tbody>
-                                           <tr>
-                                            <td><u><b>SOURCE </b></u></td>
-                                            <td><u><b>DESTINATION</b></u></td>
-                                            <td><u><b>POLICY</b></u></td>
-                                            <td><u><b>LIMIT:BURST</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td>dmz</td>
-                                            <td>dmz</td>
-                                            <td>ACCEPT</td>
-                                            <td> <br>
-                                          </td>
-                                          </tr>
+                                             <tbody>
+                                              <tr>
+                                               <td><u><b>SOURCE </b></u></td>
+                                               <td><u><b>DESTINATION</b></u></td>
+                                               <td><u><b>POLICY</b></u></td>
+                                               <td><u><b>LIMIT:BURST</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td>dmz</td>
+                                               <td>dmz</td>
+                                               <td>ACCEPT</td>
+                                               <td> <br>
+                                             </td>
+                                             </tr>
                                                                         
                                                                         
                                                                         
-     
-    </tbody>                                                             
-                                                 
+                       
+    </tbody>                                                            
+                                                           
   </table>
-                                      </blockquote>
+                                         </blockquote>
                                                                         
-                                                                   
+                                                                         
 <p align="left">In /etc/shorewall/masq:</p>
                                                                         
+        
+<blockquote>                                                             
+                                                             
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3" width="369">
+                                             <tbody>
+                                              <tr>
+                                               <td width="93"><u><b>INTERFACE 
+          </b></u></td>
+                                               <td width="31"><u><b>SUBNET</b></u></td>
+                                               <td width="120"><u><b>ADDRESS</b></u></td>
+                                             </tr>
+                                             <tr>
+                                               <td width="93">eth2</td>
+                                               <td width="31">192.168.2.0/24</td>
+                                               <td width="120"> <br>
+                                             </td>
+                                             </tr>
+                                                                        
+                                                                        
+                                                                        
+                       
+    </tbody>                                                            
+                                                           
+  </table>
+                                         </blockquote>
+                                                                        
+        
+<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant
+     Messenger                with Shorewall. What do I do?</h4>
+                                                                        
+        
+<p align="left"><b>Answer: </b>There is an <a
+ href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
+                    tracking/NAT module</a> that may help with Netmeeting.
+ Look    <a href="http://linux-igd.sourceforge.net">here</a> for a solution
+ for MSN   IM but be aware that there are significant security risks involved
+ with this  solution. Also check the Netfilter      mailing        list 
+archives    at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
+              </p>
+                                                                        
+           
+<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
+                    to    check my firewall and it shows some ports as 'closed'
+      rather       than     'blocked'.     Why?</h4>
+                                                                        
+           
+<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
+                    always    rejects connection requests on TCP port 113
+rather       than     dropping        them. This is    necessary to prevent
+outgoing     connection       problems to   services    that use the    'Auth'
+mechanism     for identifying       requesting  users.  Shorewall    also
+rejects TCP      ports 135, 137 and    139  as well as  UDP ports  137-139.
+  These are   ports that are    used  by  Windows  (Windows  <u>can</u> 
+be configured    to use the DCE cell locator       on port  135). Rejecting
+these  connection   requests   rather than dropping    them    cuts down
+slightly on the amount   of Windows  chatter on LAN segments    connected
+     to the Firewall. </p>
+                                                                        
+           
+<p align="left">If you are seeing port 80 being 'closed', that's probably
+                    your    ISP preventing you from running a web server
+in   violation          of   your     Service    Agreement.</p>
+                                                                        
+           
+<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
+                       firewall and it showed 100s of ports as open!!!!</h4>
+                                                                        
+           
+<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
+                    section about    UDP scans. If nmap gets <b>nothing</b>
+  back     from     your     firewall   then it reports    the port as open.
+  If you    want to   see  which    UDP ports are  really open,    temporarily
+   change    your net-&gt;all     policy    to REJECT, restart  Shorewall
+and   do    the   nmap UDP scan again.</p>
+                                                                        
+         
+<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
+                    can't ping through the firewall</h4>
+                                                                        
+        
+<p align="left"><b>Answer: </b>If you want your firewall to be totally open
+                    for "ping", </p>
+                                                                        
+        
+<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
+<br>
+                                         b) Be sure that the first command
+in the file is ". /etc/shorewall/common.def"<br>
+                                         c) Add the following to /etc/shorewall/common
+        </p>
+                                                                        
+        
+<blockquote>                                                            
+                                                           
+  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
+                    -j ACCEPT<br>
+                    </p>
+                  </blockquote>
+                  For a complete description of Shorewall 'ping' management,
+  see   <a href="ping.html">this page</a>.                              
+                                                       
+<h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
+                    and  how do I change the destination?</h4>
+                                                                        
+        
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
+syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
+facility (see "man openlog") and you get to choose the log level (again,
+see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
+ and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
+                   When you have changed /etc/syslog.conf, be sure to restart
+    syslogd        (on    a  RedHat system, "service syslog restart"). </p>
+                                                                        
+        
+<p align="left">By default, older versions of Shorewall ratelimited log messages
+                    through <a href="Documentation.htm#Conf">settings</a>
+in   /etc/shorewall/shorewall.conf                 -- If you want to log
+all messages,  set: </p>
+                                                                        
+        
+<div align="left">                                         
+<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
+ href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
+                                         </div>
+                                                                        
+        
+<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work 
+                    with Shorewall?</h4>
+                                                                        
+        
+<p align="left"><b>Answer: </b>Here are several links that may be helpful:
+                    </p>
+                                                                        
+        
+<blockquote>                                                            
+                                                           
+  <p align="left"><a
+ href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
+                                         <a
+ href="http://www.fireparse.com">http://www.fireparse.com</a><br>
+                                         <a
+ href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
+ href="http://www.logwatch.org"><br>
+                              http://www.logwatch.org</a><br>
+        <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
+                        </p>
+                      </blockquote>
+                      I personnaly use Logwatch. It emails me a report each 
+ day   from   my  various    systems with each report summarizing the logged 
+ activity   on  the  corresponding    system.                            
+                                                  
+<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 
+    are <b>flooding the logs</b> with their connect requests. Can i exclude 
+  these  error messages for this port temporarily from logging in Shorewall?</h4>
+         Temporarily add the following rule:<br>
+                 
+<pre>	DROP    net    fw    udp    10619</pre>
+                 
+<h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow 
+    of these DROP messages from port 53 to some high numbered port.  They 
+get    dropped, but what the heck are they?</h4>
+                 
+<pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
+         <b>Answer: </b>There are two possibilities:<br>
+                 
+<ol>
+           <li>They are late-arriving replies to DNS queries.</li>
+           <li>They are corrupted reply packets.</li>
+                 
+</ol>
+         You can distinguish the difference by setting the <b>logunclean</b>
+  option   (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) 
+  on   your external interface (eth0 in the above example). If they get logged 
+  twice,  they are corrupted. I solve this problem by using an /etc/shorewall/common 
+    file like this:<br>
+                 
+<blockquote>                           
+  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
+         </blockquote>
+         The above file is also include in all of my sample configurations
+ available    in the <a href="shorewall_quickstart_guide.htm">Quick Start
+Guides</a> and in the common.def file in Shorewall 1.4.0 and later.<br>
+                 
+<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in 
+ Shorewall log messages so long? I thought MAC addresses were only 6 bytes 
+ in length. What is labeled as the MAC address in a Shorewall log message 
+is actually the Ethernet frame header. In contains:<br>
+    </h4>
+     
+<ul>
+     <li>the destination MAC address (6 bytes)</li>
+     <li>the source MAC address (6 bytes)</li>
+     <li>the ethernet frame type (2 bytes)</li>
+     
+</ul>
+    Example:<br>
+    <br>
+    MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00<br>
+       
+<ul>
+     <li>Destination MAC address = 00:04:4c:dc:e2:28</li>
+     <li>Source MAC address = 00:b0:8e:cf:3c:4c</li>
+     <li>Ethernet Frame Type = 08:00 (IP Version 4)</li>
+     
+</ul>
+     
+<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall 
+                    stop', I can't connect to anything. Why doesn't that command
+       work?</h4>
+                                                                        
+        
+<p align="left">The 'stop' command is intended to place your firewall into
+                    a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
+        are    activated.         If you want to totally open up your firewall,
+      you  must    use the 'shorewall         clear' command. </p>
+                                                                        
+        
+<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
+        I get messages about insmod failing -- what's wrong?</h4>
+                                                                        
+        
+<p align="left"><b>Answer: </b>The output you will see looks something like
+                    this:</p>
+                                                                        
+        
+<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
+                                                                        
+        
+<p align="left">This is usually cured by the following sequence of commands:
+                    </p>
+                                                                        
+        
+<div align="left">                                         
+<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
+                                         </div>
+                                                                        
+        
+<div align="left">                                         
+<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
+                    for  problems concerning the version of iptables (v1.2.3)
+    shipped        with     RH7.2.</p>
+                                        </div>
+                                                                        
+        
+<h4 align="left">      </h4>
+                                                                        
+  
+<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces 
+                   properly?</h4>
+                                                                        
+           
+<p align="left">I just installed Shorewall and when I issue the start command,
+                       I see the following:</p>
+                                                                        
+         
+<div align="left">                                           
+<pre>     Processing /etc/shorewall/shorewall.conf ...<br>     Processing /etc/shorewall/params ...<br>     Starting Shorewall...<br>     Loading Modules...<br>     Initializing...<br>     Determining Zones...<br>     Zones: net loc<br>     Validating interfaces file...<br>     Validating hosts file...<br>     Determining Hosts in Zones...<br><b>     Net Zone: eth0:0.0.0.0/0<br>     Local Zone: eth1:0.0.0.0/0<br></b>     Deleting user chains...<br>     Creating input Chains...<br>     ...</pre>
+                                         </div>
+                                                                        
+        
+<div align="left">                                           
+<p align="left">Why can't Shorewall detect my interfaces properly?</p>
+                                        </div>
+                                                                        
+        
+<div align="left">                                           
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The
+Net    zone is defined as all hosts that are connected through eth0 and the
+local    zone is defined as all hosts connected through eth1</p>
+                                        </div>
+                                                                        
+            
+<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
+     with?</h4>
+                                                                        
+            
+<p align="left">Shorewall works with any GNU/Linux distribution that includes
+                         the <a href="shorewall_prerequisites.htm">proper
+prerequisites</a>.</p>
+                                                                        
+      
+<h4 align="left">11. What Features does it have?</h4>
+                                                                        
+            
+<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall
+                    Feature      List</a>.</p>
+                                                                        
+      
+<h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
+                                                                        
+            
+<p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin
+  1.060 and later versions. See <a href="http://www.webmin.com">http://www.webmin.com</a>
+  </p>
+                                                                        
+      
+<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
+                                                                        
+            
+<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
+                    (<a href="http://www.cityofshoreline.com">the      city
+  where      I  live</a>)          and "Fire<u>wall</u>". The full name of
+ the product      is actually "Shoreline Firewall" but "Shorewall" is must
+ more commonly   used.</p>
+                                                                        
+      
+<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
+                    and it has an  internal web server that allows me to
+configure/monitor                  it   but as expected if I  enable rfc1918
+blocking for my  eth0     interface          (the  internet one), it also
+blocks  the cable  modems    web server.</h4>
+                                                                        
+            
+<p align="left">Is there any way it can add a rule before the  rfc1918 blocking
+                    that will let all traffic to and from the 192.168.100.1
+  address         of   the    modem  in/out but still block all other rfc1918
+  addresses?</p>
+                                                                        
+            
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall
+earlier than      1.3.1, create /etc/shorewall/start and in it, place the
+following:</p>
+                                                                        
+      
+<div align="left">                                           
+<pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
+                                         </div>
+                                                                        
+        
+<div align="left">                                           
+<p align="left">If you are running version 1.3.1 or later, simply add the
+                       following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
+                                        </div>
+                                                                        
+        
+<div align="left">                                           
+<blockquote>                                                             
+                                                               
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+                                               <tbody>
+                                              <tr>
+                                                 <td><u><b>SUBNET </b></u></td>
+                                                 <td><u><b>TARGET</b></u></td>
+                                               </tr>
+                                               <tr>
+                                                 <td>192.168.100.1</td>
+                                                 <td>RETURN</td>
+                                               </tr>
+                                                                        
+                                                                        
+                                                                        
+                          
+    </tbody>                                                            
+                                                           
+  </table>
+                                           </blockquote>
+                                         </div>
+                                                                        
+          
+<div align="left">                                           
+<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
+                                      </p>
+                                                                        
+  
+<p align="left">Note: If you add a second IP address to your external firewall
+                   interface to correspond to the modem address, you must
+also     make     an   entry      in /etc/shorewall/rfc1918 for that address.
+For    example,    if you   configure      the address 192.168.100.2 on your
+firewall,    then   you would   add two entries      to /etc/shorewall/rfc1918:
+ <br>
+                                      </p>
+                                                                        
   
 <blockquote>                                                            
                                                      
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber3" width="369">
+  <table cellpadding="2" border="1" style="border-collapse: collapse;">
                                           <tbody>
-                                           <tr>
-                                            <td width="93"><u><b>INTERFACE
-         </b></u></td>
-                                            <td width="31"><u><b>SUBNET</b></u></td>
-                                            <td width="120"><u><b>ADDRESS</b></u></td>
-                                          </tr>
-                                          <tr>
-                                            <td width="93">eth2</td>
-                                            <td width="31">192.168.2.0/24</td>
-                                            <td width="120"> <br>
-                                          </td>
-                                          </tr>
-                                                                        
-                                                                        
-                                                                        
-     
-    </tbody>                                                             
-                                                 
-  </table>
-                                      </blockquote>
-                                                                        
-  
-<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant 
-   Messenger                with Shorewall. What do I do?</h4>
-                                                                        
-  
-<p align="left"><b>Answer: </b>There is an <a
- href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
-                  tracking/NAT module</a> that may help with Netmeeting. Look
-   <a href="http://linux-igd.sourceforge.net">here</a> for a solution for
-MSN   IM but be aware that there are significant security risks involved with
-this  solution. Also check the Netfilter      mailing        list  archives 
- at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.     
-         </p>
-                                                                        
-     
-<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
-                  to    check my firewall and it shows some ports as 'closed' 
-    rather       than     'blocked'.     Why?</h4>
-                                                                        
-     
-<p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-                  always    rejects connection requests on TCP port 113 rather 
-     than     dropping        them. This is    necessary to prevent outgoing 
-   connection       problems to   services    that use the    'Auth' mechanism 
-   for identifying       requesting  users.  Shorewall    also rejects TCP 
-    ports 135, 137 and    139  as well as  UDP ports  137-139.   These are 
- ports that are    used  by  Windows  (Windows  <u>can</u>  be configured 
-  to use the DCE cell locator       on port  135). Rejecting these  connection 
- requests   rather than dropping    them    cuts down slightly on the amount 
- of Windows  chatter on LAN segments    connected      to the Firewall. </p>
-                                                                        
-     
-<p align="left">If you are seeing port 80 being 'closed', that's probably 
-                  your    ISP preventing you from running a web server in 
-violation          of   your     Service    Agreement.</p>
-                                                                        
-     
-<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
-                     firewall and it showed 100s of ports as open!!!!</h4>
-                                                                        
-     
-<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
-                  section about    UDP scans. If nmap gets <b>nothing</b> 
-back     from     your     firewall   then it reports    the port as open. 
-If you    want to   see  which    UDP ports are  really open,    temporarily 
- change    your net-&gt;all     policy    to REJECT, restart  Shorewall and 
- do    the   nmap UDP scan again.</p>
-                                                                        
-   
-<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
-                  can't ping through the firewall</h4>
-                                                                        
-  
-<p align="left"><b>Answer: </b>If you want your firewall to be totally open 
-                  for "ping": </p>
-                                                                        
-  
-<p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
-                                      b) Copy /etc/shorewall/icmp.def to
-/etc/shorewall/icmpdef<br>
-                                      c) Add the following to /etc/shorewall/icmpdef: 
-      </p>
-                                                                        
-  
-<blockquote>                                                             
-                                                 
-  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
-                  -j ACCEPT<br>
-                 </p>
-               </blockquote>
-               For a complete description of Shorewall 'ping' management, 
-see   <a href="ping.html">this page</a>.                                 
-                                                 
-<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
-                   and  how do I change the destination?</h4>
-                                                                        
-  
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-(see "man openlog") and you get to choose the log level (again, see "man
-syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- href="Documentation.htm#Rules">rules</a>. The destination for messaged 
-logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
-                 When you have changed /etc/syslog.conf, be sure to restart 
-  syslogd        (on    a  RedHat system, "service syslog restart"). </p>
-                                                                        
-  
-<p align="left">By default, older versions of Shorewall ratelimited log messages 
-                  through <a href="Documentation.htm#Conf">settings</a> in 
- /etc/shorewall/shorewall.conf                 -- If you want to log all messages,
- set: </p>
-                                                                        
-  
-<div align="left">                                      
-<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
- href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
-                                      </div>
-                                                                        
-  
-<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
-                   with Shorewall?</h4>
-                                                                        
-  
-<p align="left"><b>Answer: </b>Here are several links that may be helpful: 
-                  </p>
-                                                                        
-  
-<blockquote>                                                             
-                                                 
-  <p align="left"><a
- href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
-                                      <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
-                                      <a
- href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
- href="http://www.logwatch.org"><br>
-                           http://www.logwatch.org</a><br>
-     <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
-                     </p>
-                   </blockquote>
-                   I personnaly use Logwatch. It emails me a report each
-day   from   my  various    systems with each report summarizing the logged
-activity   on  the  corresponding    system.                            
-                                               
-<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
-   are <b>flooding the logs</b> with their connect requests. Can i exclude
- these  error messages for this port temporarily from logging in Shorewall?</h4>
-      Temporarily add the following rule:<br>
-           
-<pre>	DROP    net    fw    udp    10619</pre>
-           
-<h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow
-   of these DROP messages from port 53 to some high numbered port.  They
-get    dropped, but what the heck are they?</h4>
-           
-<pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
-      <b>Answer: </b>There are two possibilities:<br>
-           
-<ol>
-        <li>They are late-arriving replies to DNS queries.</li>
-        <li>They are corrupted reply packets.</li>
-           
-</ol>
-      You can distinguish the difference by setting the <b>logunclean</b> 
-option   (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
- on   your external interface (eth0 in the above example). If they get logged
- twice,  they are corrupted. I solve this problem by using an /etc/shorewall/common
-   file like this:<br>
-           
-<blockquote>                  
-  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
-      </blockquote>
-      The above file is also include in all of my sample configurations available
-   in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
-           
-<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
-Shorewall log messages so long? I thought MAC addresses were only 6 bytes
-in length. What is labeled as the MAC address in a Shorewall log message
-is actually the Ethernet frame header. In contains:<br>
- </h4>
-<ul>
-  <li>the destination MAC address (6 bytes)</li>
-  <li>the source MAC address (6 bytes)</li>
-  <li>the ethernet frame type (2 bytes)</li>
-</ul>
- Example:<br>
- <br>
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00<br>
- 
-<ul>
-  <li>Destination MAC address = 00:04:4c:dc:e2:28</li>
-  <li>Source MAC address = 00:b0:8e:cf:3c:4c</li>
-  <li>Ethernet Frame Type = 08:00 (IP Version 4)</li>
-</ul>
-<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
-                   stop', I can't connect to anything. Why doesn't that command
-      work?</h4>
-                                                                        
-  
-<p align="left">The 'stop' command is intended to place your firewall into 
-                  a safe state whereby only those hosts listed in /etc/shorewall/routestopped' 
-      are    activated.         If you want to totally open up your firewall, 
-    you  must    use the 'shorewall         clear' command. </p>
-                                                                        
-  
-<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, 
-      I get messages about insmod failing -- what's wrong?</h4>
-                                                                        
-  
-<p align="left"><b>Answer: </b>The output you will see looks something like 
-                  this:</p>
-                                                                        
-  
-<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
-                                                                        
-  
-<p align="left">This is usually cured by the following sequence of commands: 
-                  </p>
-                                                                        
-  
-<div align="left">                                      
-<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
-                                      </div>
-                                                                        
-  
-<div align="left">                                      
-<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
-                  for  problems concerning the version of iptables (v1.2.3) 
-  shipped        with     RH7.2.</p>
-                                     </div>
-                                                                        
-  
-<h4 align="left">      </h4>
-                                                                     
-<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces
-                  properly?</h4>
-                                                                        
-     
-<p align="left">I just installed Shorewall and when I issue the start command, 
-                     I see the following:</p>
-                                                                        
-   
-<div align="left">                                        
-<pre>     Processing /etc/shorewall/shorewall.conf ...<br>     Processing /etc/shorewall/params ...<br>     Starting Shorewall...<br>     Loading Modules...<br>     Initializing...<br>     Determining Zones...<br>     Zones: net loc<br>     Validating interfaces file...<br>     Validating hosts file...<br>     Determining Hosts in Zones...<br><b>     Net Zone: eth0:0.0.0.0/0<br>     Local Zone: eth1:0.0.0.0/0<br></b>     Deleting user chains...<br>     Creating input Chains...<br>     ...</pre>
-                                      </div>
-                                                                        
-  
-<div align="left">                                        
-<p align="left">Why can't Shorewall detect my interfaces properly?</p>
-                                     </div>
-                                                                        
-  
-<div align="left">                                        
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
-   zone is defined as all hosts that are connected through eth0 and the local
-   zone is defined as all hosts connected through eth1</p>
-                                     </div>
-                                                                        
-      
-<h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
-    with?</h4>
-                                                                        
-      
-<p align="left">Shorewall works with any GNU/Linux distribution that includes 
-                       the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
-                                                                         
-<h4 align="left">11. What Features does it have?</h4>
-                                                                        
-      
-<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall 
-                  Feature      List</a>.</p>
-                                                                         
-<h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
-                                                                        
-      
-<p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin 
-1.060 and later versions. See <a href="http://www.webmin.com">http://www.webmin.com</a> 
-</p>
-                                                                         
-<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
-                                                                        
-      
-<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
-                  (<a href="http://www.cityofshoreline.com">the      city 
-where      I  live</a>)          and "Fire<u>wall</u>". The full name of the
-product      is actually "Shoreline Firewall" but "Shorewall" is must more
-commonly   used.</p>
-                                                                         
-<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
-                  and it has an  internal web server that allows me to configure/monitor 
-               it   but as expected if I  enable rfc1918 blocking for my eth0
-    interface          (the  internet one), it also blocks  the cable modems
-   web server.</h4>
-                                                                        
-      
-<p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
-                  that will let all traffic to and from the 192.168.100.1 
-address         of   the    modem  in/out but still block all other rfc1918 
-addresses?</p>
-                                                                        
-      
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
-than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
-                                                                         
-<div align="left">                                        
-<pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
-                                      </div>
-                                                                        
-  
-<div align="left">                                        
-<p align="left">If you are running version 1.3.1 or later, simply add the 
-                     following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
-                                     </div>
-                                                                        
-  
-<div align="left">                                        
-<blockquote>                                                            
-                                                       
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber3">
-                                            <tbody>
-                                           <tr>
-                                              <td><u><b>SUBNET </b></u></td>
-                                              <td><u><b>TARGET</b></u></td>
+                                            <tr>
+                                              <td valign="top"><u><b>SUBNET</b></u><br>
+                                              </td>
+                                              <td valign="top"><u><b>TARGET</b></u><br>
+                                              </td>
                                             </tr>
                                             <tr>
-                                              <td>192.168.100.1</td>
-                                              <td>RETURN</td>
+                                              <td valign="top">192.168.100.1<br>
+                                              </td>
+                                              <td valign="top">RETURN<br>
+                                              </td>
+                                            </tr>
+                                            <tr>
+                                              <td valign="top">192.168.100.2<br>
+                                              </td>
+                                              <td valign="top">RETURN<br>
+                                              </td>
                                             </tr>
                                                                         
                                                                         
                                                                         
         
-    </tbody>                                                             
-                                                 
+    </tbody>                                                            
+                                                     
   </table>
-                                        </blockquote>
-                                      </div>
+                                      </blockquote>
+                                        </div>
                                                                         
-    
-<div align="left">                                        
-<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
-                                   </p>
-                                                                     
-<p align="left">Note: If you add a second IP address to your external firewall 
-                 interface to correspond to the modem address, you must also 
-   make     an   entry      in /etc/shorewall/rfc1918 for that address. For 
-  example,    if you   configure      the address 192.168.100.2 on your firewall, 
-  then   you would   add two entries      to /etc/shorewall/rfc1918:  <br>
-                                   </p>
-                                                                     
-<blockquote>                                                             
-                                           
-  <table cellpadding="2" border="1" style="border-collapse: collapse;">
-                                       <tbody>
-                                         <tr>
-                                           <td valign="top"><u><b>SUBNET</b></u><br>
-                                           </td>
-                                           <td valign="top"><u><b>TARGET</b></u><br>
-                                           </td>
-                                         </tr>
-                                         <tr>
-                                           <td valign="top">192.168.100.1<br>
-                                           </td>
-                                           <td valign="top">RETURN<br>
-                                           </td>
-                                         </tr>
-                                         <tr>
-                                           <td valign="top">192.168.100.2<br>
-                                           </td>
-                                           <td valign="top">RETURN<br>
-                                           </td>
-                                         </tr>
+          
+<div align="left">                                           
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
+IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
+RFC 1918    filtering on my external interface, my DHCP client cannot renew
+its lease.</h4>
+                                         </div>
                                                                         
+          
+<div align="left">                                           
+<p align="left">The solution is the same as FAQ 14 above. Simply substitute
+                       the IP address of your ISPs DHCP server.</p>
+                                        </div>
                                                                         
-                                                               
-    </tbody>                                                             
-                                           
-  </table>
-                                   </blockquote>
-                                     </div>
+        
+<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to
+                    the  net</h4>
                                                                         
-    
-<div align="left">                                        
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
-   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-1918    filtering on my external interface, my DHCP client cannot renew its
-lease.</h4>
-                                      </div>
+         
+<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
+                    the net", I wonder  where the poster bought computers
+with     eyes     and    what     those computers will "see"  when things
+are working     properly.      That   aside,     the most common causes of
+this  problem    are:</p>
                                                                         
-    
-<div align="left">                                        
-<p align="left">The solution is the same as FAQ 14 above. Simply substitute 
-                     the IP address of your ISPs DHCP server.</p>
-                                     </div>
-                                                                        
-  
-<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to 
-                  the  net</h4>
-                                                                        
-   
-<p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
-                  the net", I wonder  where the poster bought computers with 
-   eyes     and    what     those computers will "see"  when things are working 
-   properly.      That   aside,     the most common causes of this  problem 
-  are:</p>
-                                                                        
-   
+         
 <ol>
-                                        <li>                            
+                                           <li>                         
                                                                         
                                                                         
-         
-    <p align="left">The default gateway on each local system isn't set to 
-                  the    IP address of the local firewall interface.</p>
-                                         </li>
-                                        <li>                            
+                           
+    <p align="left">The default gateway on each local system isn't set to
+                    the    IP address of the local firewall interface.</p>
+                                            </li>
+                                           <li>                         
                                                                         
                                                                         
-         
-    <p align="left">The entry for the local network in the /etc/shorewall/masq 
-                     file is wrong or missing.</p>
-                                         </li>
-                                        <li>                            
+                           
+    <p align="left">The entry for the local network in the /etc/shorewall/masq
+                       file is wrong or missing.</p>
+                                            </li>
+                                           <li>                         
                                                                         
                                                                         
-         
-    <p align="left">The DNS settings on the local systems are wrong or the 
-                     user is running a DNS server on the firewall and hasn't 
-   enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
-                                         </li>
+                           
+    <p align="left">The DNS settings on the local systems are wrong or the
+                       user is running a DNS server on the firewall and hasn't
+     enabled        UDP    and   TCP    port 53 from the firewall to the
+internet.</p>
+                                            </li>
                                                                         
-  
+        
 </ol>
                                                                         
-  
-<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages 
-                  all  over my console making it unusable!</h4>
+        
+<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
+                    all  over my console making it unusable!</h4>
                                                                         
-     
-<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
-                  to your startup    scripts or place it in /etc/shorewall/start. 
-        Under      RedHat,    the max log level    that is sent to the console 
-     is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
-                                 </p>
-                                                                 
-<h4><a name="faq17"></a>17. How do I find out why this traffic is getting 
-      logged?</h4>
-                                 <b>Answer: </b>Logging occurs out of a number
-   of  chains    (as   indicated      in  the log message) in Shorewall:<br>
-                                                                 
+           
+<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
+                    to your startup    scripts or place it in /etc/shorewall/start.
+          Under      RedHat,    the max log level    that is sent to the
+console        is   specified     in /etc/sysconfig/init    in the    LOGLEVEL
+variable.<br>
+                                    </p>
+                                                                       
+<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
+        logged?</h4>
+                                    <b>Answer: </b>Logging occurs out of
+a  number    of  chains    (as   indicated      in  the log message) in Shorewall:<br>
+                                                                       
 <ol>
-                                   <li><b>man1918 - </b>The destination address 
-   is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target
-    --  see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-                                   <li><b>rfc1918</b> - The source address
- is  listed    in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target 
-  -- see      <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-                                  <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
-       or      <b>all2all          </b>-  You have a<a
- href="Documentation.htm#Policy"> policy</a> that     specifies a  log level 
-        and this packet is being logged under that policy.     If you intend 
-    to   ACCEPT this traffic then you need a  <a
+                                      <li><b>man1918 - </b>The destination
+ address     is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop
+     </b>target     --  see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
+                                      <li><b>rfc1918</b> - The source address 
+  is  listed    in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target
+    -- see      <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
+                                     <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> 
+        or      <b>all2all          </b>-  You have a<a
+ href="Documentation.htm#Policy"> policy</a> that     specifies a  log level
+          and this packet is being logged under that policy.     If you intend
+      to   ACCEPT this traffic then you need a  <a
  href="Documentation.htm#Rules">rule</a>   to that effect.<br>
-                                  </li>
-                                   <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- 
- Either    you   have   a<a href="Documentation.htm#Policy"> policy</a> for 
-     <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b> that specifies 
- a log level and this     packet is being         logged under that policy 
- or this packet matches    a     <a href="Documentation.htm#Rules">rule</a> 
- that includes a log level.</li>
-                            <li><b>&lt;interface&gt;_mac</b> - The packet 
-is  being    logged    under    the      <b>maclist</b> <a
+                                     </li>
+                                      <li><b>&lt;zone1&gt;2&lt;zone2&gt;
+    </b>-    Either    you   have   a<a href="Documentation.htm#Policy">
+policy</a> for       <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b>
+that specifies   a log level and this     packet is being         logged
+under that policy   or this packet matches    a     <a
+ href="Documentation.htm#Rules">rule</a>   that includes a log level.</li>
+                               <li><b>&lt;interface&gt;_mac</b> - The packet
+  is  being    logged    under    the      <b>maclist</b> <a
  href="Documentation.htm#Interfaces">interface     option</a>.<br>
-                            </li>
-                                   <li><b>logpkt</b> - The packet is being
- logged    under    the       <b>logunclean</b>            <a
+                               </li>
+                                      <li><b>logpkt</b> - The packet is being 
+  logged    under    the       <b>logunclean</b>            <a
  href="Documentation.htm#Interfaces">interface   option</a>.</li>
-                                   <li><b>badpkt </b>- The packet is being
- logged    under    the       <b>dropunclean</b>            <a
- href="Documentation.htm#Interfaces">interface  option</a> as specified  
-    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-                                   <li><b>blacklst</b> - The packet is being
-  logged    because     the   source    IP  is blacklisted in the<a
+                                      <li><b>badpkt </b>- The packet is being 
+  logged    under    the       <b>dropunclean</b>            <a
+ href="Documentation.htm#Interfaces">interface  option</a> as specified 
+     in the <b>LOGUNCLEAN </b>setting in <a
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+                                      <li><b>blacklst</b> - The packet is 
+being    logged    because     the   source    IP  is blacklisted in the<a
  href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
-                                   <li><b>newnotsyn </b>- The packet is being 
-  logged    because     it  is  a  TCP   packet that is not part of any current 
-  connection    yet  it   is not a syn  packet.   Options affecting the logging 
-  of such  packets   include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN
-       </b>in         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                                  <li><b>INPUT</b> or <b>FORWARD</b> - The
- packet    has   a  source    IP  address    that isn't in any of your defined
- zones    ("shorewall    check"    and  look at the   printed zone definitions) 
- or   the chain is FORWARD   and   the destination  IP  isn't in any of your 
- defined    zones.</li>
-                         <li><b>logflags </b>- The packet is being logged 
-because     it  failed    the   checks implemented by the <b>tcpflags </b><a
+                                      <li><b>newnotsyn </b>- The packet is
+ being    logged    because     it  is  a  TCP   packet that is not part
+of  any current    connection    yet  it   is not a syn  packet.   Options
+affecting  the logging    of such  packets   include       <b>NEWNOTSYN 
+     </b>and        <b>LOGNEWNOTSYN        </b>in         <a
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+                                     <li><b>INPUT</b> or <b>FORWARD</b> - 
+The   packet    has   a  source    IP  address    that isn't in any of your 
+defined   zones    ("shorewall    check"    and  look at the   printed zone 
+definitions)   or   the chain is FORWARD   and   the destination  IP  isn't 
+in any of your   defined    zones.</li>
+                            <li><b>logflags </b>- The packet is being logged
+  because     it  failed    the   checks implemented by the <b>tcpflags </b><a
  href="Documentation.htm#Interfaces">interface option</a>.<br>
-                         </li>
-                                                                 
+                            </li>
+                                                                       
 </ol>
-                                                         
-<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
-              with Shorewall, and maintain separate rulesets for different 
- IPs?</h4>
-                             <b>Answer: </b>Yes. You simply use the IP address
-   in  your   rules    (or   if  you  use NAT, use the local IP address in
- your  rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated 
-   and will   disappear eventually.      Neither   iproute  (ip and tc) nor 
-  iptables supports   that notation so  neither    does   Shorewall.  <br>
-                             <br>
-                             <b>Example 1:</b><br>
-                             <br>
-                             /etc/shorewall/rules                       
-     
+                                                               
+<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
+                with Shorewall, and maintain separate rulesets for different
+   IPs?</h4>
+                                <b>Answer: </b>Yes. You simply use the IP 
+address     in  your   rules    (or   if  you  use NAT, use the local IP address
+in   your  rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0)
+is deprecated     and will   disappear eventually.      Neither   iproute
+ (ip and tc) nor    iptables supports   that notation so  neither    does
+  Shorewall.  <br>
+                                <br>
+                                <b>Example 1:</b><br>
+                                <br>
+                                /etc/shorewall/rules                    
+           
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
  class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
  class="moz-txt-citetags"></span></pre>
-                             <span class="moz-txt-citetags"></span><b>Example 
-  2  (NAT):</b><br>
-                             <br>
-                             <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
-                                                         
+                                <span class="moz-txt-citetags"></span><b>Example
+    2  (NAT):</b><br>
+                                <br>
+                                <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
+                                                               
 <pre wrap=""><span class="moz-txt-citetags"></span><span
  class="moz-txt-citetags"></span>     192.0.2.126	eth0	10.1.1.126</pre>
-                             /etc/shorewall/rules                       
-     
+                                /etc/shorewall/rules                    
+           
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
  class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
  class="moz-txt-citetags"></span><br></pre>
-                          <b>Example 3 (DNAT):<br>
-                          </b>                          
+                             <b>Example 3 (DNAT):<br>
+                             </b>                             
 <pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
+                                                       
+<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
+              but they don't seem to do anything. Why?</h4>
+                            You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
+              so the contents of the tcrules file are simply being ignored.<br>
+                                                     
+<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have 
+             to change Shorewall to allow access to my server from the internet?</b><br>
+                           </h4>
+                           Yes. Consult the <a
+ href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that you
+used during your initial setup for information about      how to set  up
+rules for your server.<br>
                                                  
-<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
-            but they don't seem to do anything. Why?</h4>
-                         You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf 
-            so the contents of the tcrules file are simply being ignored.<br>
-                                               
-<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
-            to change Shorewall to allow access to my server from the internet?</b><br>
-                        </h4>
-                        Yes. Consult the <a
- href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that
-you used during your initial setup for information about      how to set
- up rules for your server.<br>
-                                           
-<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
-           what are they?<br>
-                      </h4>
-                                              
-<blockquote>                                                            
-     
+<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; 
+            what are they?<br>
+                         </h4>
+                                                    
+<blockquote>                                                             
+             
   <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
-                      </blockquote>
-                      192.0.2.3 is external on my firewall... 172.16.0.0/24 
- is  my  internal     LAN<br>
-                      <br>
-                      <b>Answer: </b>While most people associate the Internet 
-  Control     Message     Protocol (ICMP) with 'ping', ICMP is a key piece 
- of  the internet.     ICMP   is  used to report problems back to the sender 
- of a packet; this   is  what  is happening  here. Unfortunately, where NAT 
- is involved (including     SNAT,  DNAT and Masquerade),  there are a lot 
-of broken implementations.    That is  what you are seeing with  these messages.<br>
-                      <br>
-                     Here is my interpretation of what is happening -- to 
-confirm     this   analysis,    one would have to have packet sniffers placed 
-a both    ends of   the connection.<br>
-                     <br>
-                     Host 172.16.1.10 behind NAT gateway 206.124.146.179
-sent   a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to
-send a  response   (the response   information  is in the brackets -- note
-source  port 53 which   marks this as  a DNS reply).  When the response was
-returned  to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10 
-and forwarded the packet  to  172.16.1.10  who no longer had  a connection 
-on UDP port 2857. This causes    a port unreachable  (type 3, code  3) to 
-be generated back to 192.0.2.3.   As this packet is sent  back through  206.124.146.179, 
-  that box correctly   changes the source address  in the packet  to 206.124.146.179 
-  but doesn't   reset the DST IP in the original   DNS response  similarly. 
-  When the ICMP   reaches your firewall (192.0.2.3),   your firewall  has 
-no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't 
-   appear to be related   to anything that was sent. The final   result is 
- that the packet gets logged   and dropped in the all2all chain. I  have also
- seen cases where the source   IP in the ICMP itself isn't set back  to the
- external IP of the remote NAT   gateway; that causes your firewall to  log
- and drop the packet out of the   rfc1918 chain because the source IP is
- reserved by RFC 1918.<br>
-                           
-<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
-       I want to <b>run when Shorewall starts.</b> Which file do I put them
-  in?</h4>
-                      You can place these commands in one of the <a
- href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
-Be sure that you look at the contents of the chain(s) that you will be modifying
-       with your commands to be sure that the commands will do what they
-are    intended.    Many iptables commands published in HOWTOs and other
-instructional    material    use the -A command which adds the rules to the
-end of the chain.    Most chains    that Shorewall constructs end with an
-unconditional DROP,   ACCEPT or REJECT    rule and any rules that you add
-after that will be ignored.   Check "man iptables"   and look at the -I (--insert)
-command.<br>
+                         </blockquote>
+                         192.0.2.3 is external on my firewall... 172.16.0.0/24
+   is  my  internal     LAN<br>
+                         <br>
+                         <b>Answer: </b>While most people associate the Internet
+    Control     Message     Protocol (ICMP) with 'ping', ICMP is a key piece
+   of  the internet.     ICMP   is  used to report problems back to the sender
+   of a packet; this   is  what  is happening  here. Unfortunately, where
+NAT   is involved (including     SNAT,  DNAT and Masquerade),  there are
+a lot  of broken implementations.    That is  what you are seeing with  these
+messages.<br>
+                         <br>
+                        Here is my interpretation of what is happening -- 
+to  confirm     this   analysis,    one would have to have packet sniffers 
+placed  a both    ends of   the connection.<br>
+                        <br>
+                        Host 172.16.1.10 behind NAT gateway 206.124.146.179 
+ sent   a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to 
+send a  response   (the response   information  is in the brackets -- note 
+source  port 53 which   marks this as  a DNS reply).  When the response was 
+returned  to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10
+  and forwarded the packet  to  172.16.1.10  who no longer had  a connection
+  on UDP port 2857. This causes    a port unreachable  (type 3, code  3)
+to   be generated back to 192.0.2.3.   As this packet is sent  back through
+ 206.124.146.179,    that box correctly   changes the source address  in
+the packet  to 206.124.146.179    but doesn't   reset the DST IP in the original
+  DNS response  similarly.    When the ICMP   reaches your firewall (192.0.2.3),
+  your firewall  has  no  record of having   sent a DNS reply to 172.16.1.10
+so   this ICMP doesn't     appear to be related   to anything that was sent.
+The final   result is   that the packet gets logged   and dropped in the
+all2all chain. I  have also  seen cases where the source   IP in the ICMP
+itself isn't set back  to the  external IP of the remote NAT   gateway; that
+causes your firewall to  log  and drop the packet out of the   rfc1918 chain
+because the source IP is  reserved by RFC 1918.<br>
+                                 
+<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
+        I want to <b>run when Shorewall starts.</b> Which file do I put them 
+   in?</h4>
+                         You can place these commands in one of the <a
+ href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
+sure that you look at the contents of the chain(s) that you will be modifying 
+        with your commands to be sure that the commands will do what they 
+are    intended.    Many iptables commands published in HOWTOs and other instructional
+   material    use the -A command which adds the rules to the end of the
+chain.    Most chains    that Shorewall constructs end with an unconditional
+DROP,   ACCEPT or REJECT    rule and any rules that you add after that will
+be ignored.   Check "man iptables"   and look at the -I (--insert) command.<br>
+                             
+<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your 
+       web site?</h4>
+               The Shorewall web site is almost font neutral (it doesn't
+explicitly       specify fonts except on a few pages) so the fonts you see
+are largely   the   default fonts configured  in your browser. If you don't
+like them then  reconfigure   your browser.<br>
+                       
+<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
+      the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
+            In the SOURCE column of the rule, follow "net" by a colon and 
+a  list   of  the host/subnet addresses as a comma-separated list.<br>
                        
-<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
-      web site?</h4>
-            The Shorewall web site is almost font neutral (it doesn't explicitly
-     specify fonts except on a few pages) so the fonts you see are largely
- the   default fonts configured  in your browser. If you don't like them
-then  reconfigure   your browser.<br>
-                 
-<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say 
-    the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
-         In the SOURCE column of the rule, follow "net" by a colon and a
-list   of  the host/subnet addresses as a comma-separated list.<br>
-                 
 <pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
-         Example:<br>
-                 
+            Example:<br>
+                       
 <pre>    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22<br></pre>
+     
 <h4></h4>
                                                                         
-     
+           
 <div align="left">     </div>
-                          <font size="2">Last updated 2/6/2003 - <a
- href="support.htm">Tom   Eastep</a></font>                              
-                      
-<p><a href="copyright.htm"><font size="2">Copyright</font>              
-© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-</p>
+                             <font size="2">Last updated 2/18/2003 - <a
+ href="support.htm">Tom   Eastep</a></font>                             
+                          
+<p><a href="copyright.htm"><font size="2">Copyright</font>               ©
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+   </p>
+   <br>
+  <br>
+ <br>
 </body>
 </html>
diff --git a/Shorewall-docs/MAC_Validation.html b/Shorewall-docs/MAC_Validation.html
index c4770f15b..76184b5cc 100644
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@@ -2,110 +2,109 @@
 <html>
 <head>
   <title>MAC Verification</title>
-                                         
+                                                
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-                       
+                           
   <meta name="author" content="Tom Eastep">
 </head>
   <body>
-           
+             
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber4"
  bgcolor="#400169" height="90">
-               <tbody>
-              <tr>
-                <td width="100%">                                       
-                                    
+                <tbody>
+               <tr>
+                 <td width="100%">                                      
+                                            
       <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
-       </h1>
-                <br>
-       </td>
-              </tr>
-                                          
-  </tbody>          
+        </h1>
+                 <br>
+        </td>
+               </tr>
+                                              
+  </tbody>           
 </table>
-      <br>
-      Beginning with Shorewall version 1.3.10, all traffic from an interface
-  or  from a subnet on an interface can be verified to originate from a defined
-   set of MAC addresses. Furthermore, each MAC address may be optionally
-associated    with one or more IP addresses. <br>
-  <br>
-  <b>You must have the iproute package (ip utility) installed to use MAC
-Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
+       <br>
+       Beginning with Shorewall version 1.3.10, all traffic from an interface 
+  or  from a subnet on an interface can be verified to originate from a defined 
+   set of MAC addresses. Furthermore, each MAC address may be optionally associated
+   with one or more IP addresses. <br>
+   <br>
+   <b>You must have the iproute package (ip utility) installed to use MAC 
+Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC 
 - module name ipt_mac.o).</b><br>
-  <br>
-  There are four components to this facility.<br>
-           
+   <br>
+   There are four components to this facility.<br>
+             
 <ol>
-        <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
-this option is specified, all traffic arriving on the interface is subjet
-to MAC verification.</li>
-        <li>The <b>maclist </b>option in <a
- href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option 
-is specified for a subnet, all traffic from that subnet  is subject to MAC 
+         <li>The <b>maclist</b> interface option in <a
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
+option is specified, all traffic arriving on the interface is subjet to MAC
 verification.</li>
-        <li>The /etc/shorewall/maclist file. This file is used to associate 
- MAC  addresses with interfaces and to optionally associate IP addresses with
- MAC  addresses.</li>
-        <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
-   in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
-The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
-determines   the disposition of connection requests that fail MAC verification.
-The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
-requests that fail verification  are to be logged. If set the the empty value
+         <li>The <b>maclist </b>option in <a
+ href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option
+ is specified for a subnet, all traffic from that subnet  is subject to MAC
+ verification.</li>
+         <li>The /etc/shorewall/maclist file. This file is used to associate
+  MAC  addresses with interfaces and to optionally associate IP addresses
+with  MAC  addresses.</li>
+         <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables 
+   in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> 
+The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and 
+determines   the disposition of connection requests that fail MAC verification. 
+The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection 
+requests that fail verification  are to be logged. If set the the empty value 
 (e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
-        </li>
-           
+         </li>
+             
 </ol>
-      The columns in /etc/shorewall/maclist are:<br>
-           
+       The columns in /etc/shorewall/maclist are:<br>
+             
 <ul>
-        <li>INTERFACE - The name of an ethernet interface on the Shorewall
+         <li>INTERFACE - The name of an ethernet interface on the Shorewall 
  system.</li>
-        <li>MAC - The MAC address of a device on the ethernet segment connected
-   by INTERFACE. It is not necessary to use the Shorewall MAC format in this
+         <li>MAC - The MAC address of a device on the ethernet segment connected 
+   by INTERFACE. It is not necessary to use the Shorewall MAC format in this 
    column although you may use that format if you so choose.</li>
-        <li>IP Address - An optional comma-separated list of IP addresses 
-for   the device whose MAC is listed in the MAC column.</li>
-           
+         <li>IP Address - An optional comma-separated list of IP addresses
+ for   the device whose MAC is listed in the MAC column.</li>
+             
 </ul>
-           
+             
 <h3>Example 1: Here are my files:</h3>
-      <b>/etc/shorewall/shorewall.conf:<br>
-      </b>      
+       <b>/etc/shorewall/shorewall.conf:<br>
+       </b>       
 <pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
-      <b>/etc/shorewall/interfaces:</b><br>
-           
-<pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,filterping,maclist<br>     dmz             eth1            192.168.2.255   filterping<br>     net             eth3            206.124.146.255 filterping,blacklist<br>     -               texas           192.168.9.255   filterping<br>     loc             ppp+            -               filterping<br></pre>
-      <b>/etc/shorewall/maclist:</b><br>
-           
+       <b>/etc/shorewall/interfaces:</b><br>
+             
+<pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,maclist<br>     dmz             eth1            192.168.2.255<br>     net             eth3            206.124.146.255 blacklist<br>     -               texas           192.168.9.255<br>     loc             ppp+<br></pre>
+       <b>/etc/shorewall/maclist:</b><br>
+             
 <pre>     #INTERFACE              MAC                     IP ADDRESSES (Optional)<br>     eth2                    00:A0:CC:63:66:89       192.168.1.3      #Wookie<br>     eth2                    00:10:B5:EC:FD:0B       192.168.1.4      #Tarry<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.5      #Ursa<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.128/26 #PPTP Clients to server on Ursa<br>     eth2                    00:06:25:aa:a8:0f       192.168.1.7      #Eastept1 (Wireless)<br>     eth2                    00:04:5A:0E:85:B9       192.168.1.250    #Wap<br></pre>
-      As shown above, I use MAC Verification on <a href="myfiles.htm">my
-local    zone</a>.<br>
-           
+       As shown above, I use MAC Verification on my local    zone.<br>
+             
 <h3>Example 2: Router in Local Zone</h3>
-      Suppose now that I add a second ethernet segment to my local zone and 
- gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and 
- IP address  192.168.1.253. Hosts in the second segment have IP addresses 
-in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
+       Suppose now that I add a second ethernet segment to my local zone
+and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15
+and   IP address  192.168.1.253. Hosts in the second segment have IP addresses
+ in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist 
    file:<br>
-           
+             
 <pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
-      This entry accomodates traffic from the router itself (192.168.1.253) 
- and  from the second LAN segment (192.168.2.0/24). Remember that all traffic
-  being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded
-  by the router so that traffic's MAC address will be that of the router
-(00:06:43:45:C6:15)    and not that of the host sending the traffic.    
- 
-<p><font size="2">   Updated 1/7/2002 - <a href="support.htm">Tom  Eastep</a> 
-      </font></p>
+       This entry accomodates traffic from the router itself (192.168.1.253)
+  and  from the second LAN segment (192.168.2.0/24). Remember that all traffic 
+  being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded 
+  by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
+   and not that of the host sending the traffic.       
+<p><font size="2">   Updated 2/18/2002 - <a href="support.htm">Tom  Eastep</a>
+       </font></p>
                                                                         
                                                                         
-                                                
-<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
+                                                  
+<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy; 
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-</p>
+ </p>
+ <br>
 </body>
 </html>
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm
index e27dd03e3..35e3ef5b0 100644
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@@ -3,2158 +3,2293 @@
 <head>
                                                                         
                                                                         
-                  
+                                          
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall News</title>
                                                                         
                                                                         
                                                                         
-                                                                     
+                                                                        
+                                      
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                         
                                                                         
-                  
+                                          
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
   <body>
                                                                         
-           
+                       
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
-                                            <tbody>
-                                             <tr>
-                                              <td width="100%">         
+                                                  <tbody>
+                                                   <tr>
+                                                    <td width="100%">   
                                                                         
                                                                         
                                                                         
-                                                              
+                                                                        
+                                     
       <h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
-                                              </td>
-                                            </tr>
+                                                    </td>
+                                                  </tr>
                                                                         
                                                                         
-                  
-  </tbody>                                         
+                                          
+  </tbody>                                               
 </table>
                                                                         
-            
-<p><b>2/8/2003 - Shoreawll 1.3.14</b></p>
+                        
+<p><b>3/14/2003 - Shorewall 1.4.0</b><b>                  </b></p>
+                                           Shorewall 1.4 represents the next
+ step in the evolution of Shorewall. The main thrust of the initial release
+ is simply to remove the cruft that has accumulated in Shorewall over time.
+ <br>
+   Function from 1.3 that has been omitted from this version include:<br>
+     
+<ol>
+    <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported. 
+Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+       <br>
+     </li>
+    <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in /etc/shorewall/interfaces
+ now generate an error.<br>
+       <br>
+     </li>
+    <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. 
+ OLD_PING_HANDLING=Yes will generate an error at startup as will specification 
+ of the 'noping' or 'filterping' interface options.<br>
+       <br>
+     </li>
+    <li>The 'routestopped' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts 
+ files is no longer supported and will generate an error at startup if specified.<br>
+       <br>
+     </li>
+    <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer 
+accepted.<br>
+       <br>
+     </li>
+    <li>The ALLOWRELATED variable in shorewall.conf is no longer supported. 
+ Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+     <br>
+   </li>
+   <li>The icmp.def file has been removed.<br>
+   </li>
+   
+</ol>
+   Changes for 1.4 include:<br>
+     
+<ol>
+    <li>The /etc/shorewall/shorewall.conf file has been completely reorganized
+ into logical sections.<br>
+       <br>
+     </li>
+    <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
+       <br>
+     </li>
+    <li>The firewall script and version file are now installed in /usr/share/shorewall.<br>
+       <br>
+     </li>
+    <li>Late arriving DNS replies are now silently dropped in the common
+chain  by default.<br>
+       <br>
+     </li>
+    <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4
+no  longer unconditionally accepts outbound ICMP packets. So if you want
+to 'ping'  from the firewall, you will need the appropriate rule or policy. 
+  </li>
+   
+</ol>
+   
+<p><b>2/8/2003 - Shoreawall 1.3.14</b></p>
+           
 <p>New features include</p>
+           
 <ol>
-  <li>An OLD_PING_HANDLING option has been added to shorewall.conf. When 
- set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
-         <br>
-     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
-policies   just like any other connection request. The FORWARDPING=Yes option 
-in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-will   all generate an error.<br>
-         <br>
-       </li>
-  <li>It is now possible to direct Shorewall to create a "label" such  as 
- "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes and  ADD_SNAT_ALIASES=Yes.
- This is done by specifying the label instead of just  the interface name:<br>
-      <br>
-        a) In the INTERFACE column of /etc/shorewall/masq<br>
-        b) In the INTERFACE column of /etc/shorewall/nat<br>
-      </li>
-  <li>Support for OpenVPN Tunnels.<br>
-    <br>
-  </li>
-  <li>Support for VLAN devices with names of the form $DEV.$VID (e.g., eth0.0)<br>
-    <br>
-  </li>
-  <li>When an interface name is entered in the SUBNET column of the /etc/shorewall/masq 
-  file, Shorewall previously masqueraded traffic from only the first subnet 
-  defined on that interface. It did not masquerade traffic from:<br>
-      <br>
-        a) The subnets associated with other addresses on the interface.<br>
-        b) Subnets accessed through local routers.<br>
-      <br>
-     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
- SUBNET  column, shorewall will use the firewall's routing table to construct 
- the masquerading/SNAT rules.<br>
-      <br>
-     Example 1 -- This is how it works in 1.3.14.<br>
-        <br>
-                             
-    <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-    <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
-                             
-    <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
-      <br>
-     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
- connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
-  entry, your /etc/shorewall/masq file will need changing. In most cases,
-you  will simply be able to remove redundant entries. In some cases though,
-you  might want to change from using the interface name to listing specific
-subnetworks  if the change described above will cause masquerading to occur
-on subnetworks  that you don't wish to masquerade.<br>
-      <br>
-     Example 2 -- Suppose that your current config is as follows:<br>
-        <br>
-                             
-    <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-    <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, the second entry in /etc/shorewall/masq is no longer
- required.<br>
-      <br>
-     Example 3 -- What if your current configuration is like this?<br>
-      <br>
-                             
-    <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-    <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, you would want to change the entry in  /etc/shorewall/masq 
-  to:<br>
-                             
-    <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-  </li>
-</ol>
-<p><br>
-<b>2/5/2003 - Shorewall Support included in Webmin 1.060</b></p>
- 
-<p>Webmin version 1.060 now has Shorewall support included as standard. See 
-<a href="http://www.webmin.com">http://www.webmin.com</a>.<br>
- <b><br>
- 2/4/2003 - Shorewall 1.3.14-RC1</b></p>
-   
-<p>Includes the Beta 2 content plus support for OpenVPN tunnels.</p>
-   
-<p><b>1/28/2003 - Shorewall 1.3.14-Beta2</b></p>
-       
-<p>Includes the Beta 1 content plus restores VLAN device names of the form
-  $dev.$vid (e.g., eth0.1)</p>
-       
-<p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><br>
-    </p>
-         
-<p>The Beta includes the following changes:<br>
-     </p>
-         
-<ol>
-       <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-When   set to Yes, Shorewall ping handling is as it has always been (see
+        <li>An OLD_PING_HANDLING option has been added to shorewall.conf. 
+When     set to Yes, Shorewall ping handling is as it has always been (see 
 http://www.shorewall.net/ping.html).<br>
-         <br>
-     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
-policies   just like any other connection request. The FORWARDPING=Yes option 
-in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-will   all generate an error.<br>
-         <br>
-       </li>
-       <li>It is now possible to direct Shorewall to create a "label" such
- as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
-and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
-of just  the interface name:<br>
-      <br>
-        a) In the INTERFACE column of /etc/shorewall/masq<br>
-        b) In the INTERFACE column of /etc/shorewall/nat<br>
-      </li>
-       <li>When an interface name is entered in the SUBNET column of the
-/etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
-only the first subnet   defined on that interface. It did not masquerade
+               <br>
+           When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules 
+ and   policies   just like any other connection request. The FORWARDPING=Yes 
+ option   in shorewall.conf   and the 'noping' and 'filterping' options in 
+ /etc/shorewall/interfaces   will   all generate an error.<br>
+               <br>
+             </li>
+        <li>It is now possible to direct Shorewall to create a "label" such 
+  as    "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+  and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
+ of just  the interface name:<br>
+            <br>
+              a) In the INTERFACE column of /etc/shorewall/masq<br>
+              b) In the INTERFACE column of /etc/shorewall/nat<br>
+            </li>
+        <li>Support for OpenVPN Tunnels.<br>
+          <br>
+        </li>
+        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
+  eth0.0)<br>
+        <br>
+      </li>
+      <li>In /etc/shorewall/tcrules, the MARK value may be optionally followed
+  by ":" and either 'F' or 'P' to designate that the marking will occur in
+ the FORWARD or PREROUTING chains respectively. If this additional specification
+  is omitted, the chain used to mark packets will be determined by the setting
+  of the MARK_IN_FORWARD_CHAIN option in <a
+ href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+          <br>
+        </li>
+        <li>When an interface name is entered in the SUBNET column of the 
+/etc/shorewall/masq      file, Shorewall previously masqueraded traffic from 
+only the first subnet      defined on that interface. It did not masquerade 
 traffic from:<br>
-      <br>
-        a) The subnets associated with other addresses on the interface.<br>
-        b) Subnets accessed through local routers.<br>
-      <br>
-     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
- SUBNET  column, shorewall will use the firewall's routing table to construct 
- the masquerading/SNAT rules.<br>
-      <br>
-     Example 1 -- This is how it works in 1.3.14.<br>
-        <br>
-                             
+            <br>
+              a) The subnets associated with other addresses on the interface.<br>
+              b) Subnets accessed through local routers.<br>
+            <br>
+           Beginning with Shorewall 1.3.14, if you enter an interface name
+ in  the   SUBNET  column, shorewall will use the firewall's routing table
+ to construct   the masquerading/SNAT rules.<br>
+            <br>
+           Example 1 -- This is how it works in 1.3.14.<br>
+              <br>
+                                                                 
     <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
+                                                                 
     <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
-                             
+                                                                 
     <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
-      <br>
-     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
- connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
-  entry, your /etc/shorewall/masq file will need changing. In most cases,
-you  will simply be able to remove redundant entries. In some cases though,
-you  might want to change from using the interface name to listing specific
-subnetworks  if the change described above will cause masquerading to occur
-on subnetworks  that you don't wish to masquerade.<br>
-      <br>
-     Example 2 -- Suppose that your current config is as follows:<br>
-        <br>
-                             
+            <br>
+           When upgrading to Shorewall 1.3.14, if you have multiple local 
+subnets     connected  to an interface that is specified in the SUBNET column 
+of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq file will need 
+changing.   In most cases, you  will simply be able to remove redundant entries. 
+In some  cases though, you  might want to change from using the interface 
+name to listing specific subnetworks  if the change described above will cause
+masquerading  to occur on subnetworks  that you don't wish to masquerade.<br>
+            <br>
+           Example 2 -- Suppose that your current config is as follows:<br>
+              <br>
+                                                                 
     <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
+                                                                 
     <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, the second entry in /etc/shorewall/masq is no longer
- required.<br>
-      <br>
-     Example 3 -- What if your current configuration is like this?<br>
-      <br>
-                             
+            <br>
+              In this case, the second entry in /etc/shorewall/masq is no 
+longer    required.<br>
+            <br>
+           Example 3 -- What if your current configuration is like this?<br>
+            <br>
+                                                                 
     <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
+                                                                 
     <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, you would want to change the entry in  /etc/shorewall/masq 
-  to:<br>
-                             
+            <br>
+              In this case, you would want to change the entry in  /etc/shorewall/masq 
+     to:<br>
+                                                                 
     <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-         <b> </b></li>
-         
+        </li>
+           
 </ol>
-         
+           
+<p><br>
+      <b>2/5/2003 - Shorewall Support included in Webmin 1.060</b></p>
+             
+<p>Webmin version 1.060 now has Shorewall support included as standard. See 
+   <a href="http://www.webmin.com">http://www.webmin.com</a>.<br>
+       <b><br>
+       2/4/2003 - Shorewall 1.3.14-RC1</b></p>
+               
+<p>Includes the Beta 2 content plus support for OpenVPN tunnels.</p>
+               
+<p><b>1/28/2003 - Shorewall 1.3.14-Beta2</b></p>
+                   
+<p>Includes the Beta 1 content plus restores VLAN device names of the form
+     $dev.$vid (e.g., eth0.1)</p>
+                   
+<p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><br>
+          </p>
+                     
+<p>The Beta includes the following changes:<br>
+           </p>
+                     
+<ol>
+             <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
+   When   set to Yes, Shorewall ping handling is as it has always been (see
+  http://www.shorewall.net/ping.html).<br>
+               <br>
+           When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules 
+ and   policies   just like any other connection request. The FORWARDPING=Yes 
+ option   in shorewall.conf   and the 'noping' and 'filterping' options in 
+ /etc/shorewall/interfaces   will   all generate an error.<br>
+               <br>
+             </li>
+             <li>It is now possible to direct Shorewall to create a "label" 
+ such   as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+  and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
+ of just  the interface name:<br>
+            <br>
+              a) In the INTERFACE column of /etc/shorewall/masq<br>
+              b) In the INTERFACE column of /etc/shorewall/nat<br>
+            </li>
+             <li>When an interface name is entered in the SUBNET column of
+ the   /etc/shorewall/masq   file, Shorewall previously masqueraded traffic
+ from   only the first subnet   defined on that interface. It did not masquerade
+  traffic from:<br>
+            <br>
+              a) The subnets associated with other addresses on the interface.<br>
+              b) Subnets accessed through local routers.<br>
+            <br>
+           Beginning with Shorewall 1.3.14, if you enter an interface name
+ in  the   SUBNET  column, shorewall will use the firewall's routing table
+ to construct   the masquerading/SNAT rules.<br>
+            <br>
+           Example 1 -- This is how it works in 1.3.14.<br>
+              <br>
+                                                                 
+    <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                                                                 
+    <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
+                                                                 
+    <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
+            <br>
+           When upgrading to Shorewall 1.3.14, if you have multiple local 
+subnets     connected  to an interface that is specified in the SUBNET column 
+of an   /etc/shorewall/masq   entry, your /etc/shorewall/masq file will need 
+changing.   In most cases, you  will simply be able to remove redundant entries. 
+In some  cases though, you  might want to change from using the interface 
+name to listing specific subnetworks  if the change described above will cause
+masquerading  to occur on subnetworks  that you don't wish to masquerade.<br>
+            <br>
+           Example 2 -- Suppose that your current config is as follows:<br>
+              <br>
+                                                                 
+    <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                                                                 
+    <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
+            <br>
+              In this case, the second entry in /etc/shorewall/masq is no 
+longer    required.<br>
+            <br>
+           Example 3 -- What if your current configuration is like this?<br>
+            <br>
+                                                                 
+    <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+                                                                 
+    <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
+            <br>
+              In this case, you would want to change the entry in  /etc/shorewall/masq 
+     to:<br>
+                                                                 
+    <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+               <b> </b></li>
+                     
+</ol>
+                     
 <p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b></p>
-                                                 
+                                                             
 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. 
-            the PDF may be downloaded from</p>
-                                              <a
+               the PDF may be downloaded from</p>
+                                                    <a
  href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
  target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                             <a
+                                   <a
  href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a> 
-        
-<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b></p>
                  
+<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b></p>
+                             
 <p>Thanks to the generosity of Alex Martin and <a
  href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net  and
 ftp.shorewall.net are now hosted on a system in Bellevue, Washington.  A
 big thanks to Alex for making this happen.<br>
-         </p>
-                 
+               </p>
+                             
 <p><b>1/13/2003 - Shorewall 1.3.13<br>
-         </b></p>
-                 
+               </b></p>
+                             
 <p>Just includes a few things that I had on the burner:<br>
-         </p>
-                 
+               </p>
+                             
 <ol>
-           <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules 
-    file. DNAT- is intended for advanced users who wish to minimize the number 
-    of rules that connection requests must traverse.<br>
-             <br>
-         A Shorewall DNAT rule actually generates two iptables rules: a header
-   rewriting  rule in the 'nat' table and an ACCEPT rule in the 'filter'
-table.    A DNAT-  rule only generates the first of these rules. This is
-handy when    you have  several DNAT rules that would generate the same ACCEPT
-rule.<br>
-             <br>
-            Here are three rules from my previous rules file:<br>
-             <br>
-                 DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
-                 DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
-                 ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
-             <br>
-            These three rules ended up generating _three_ copies of<br>
-             <br>
-                  ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
-             <br>
-            By writing the rules this way, I end up with only one copy of 
-the   ACCEPT   rule.<br>
-             <br>
-                 DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
-                 DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
-                 ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
-             <br>
-           </li>
-           <li>The 'shorewall check' command now prints out the applicable
- policy    between each pair of zones.<br>
-             <br>
-           </li>
-           <li>A new CLEAR_TC option has been added to shorewall.conf. If 
-this   option  is set to 'No' then Shorewall won't clear the current traffic 
-control   rules  during [re]start. This setting is intended for use by people 
-that  prefer to configure traffic shaping when the network interfaces come 
-up rather  than  when the firewall is started. If that is what you want to 
-do, set TC_ENABLED=Yes    and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
- file. That way,   your traffic shaping rules can still use the 'fwmark'
-classifier  based on   packet marking defined in /etc/shorewall/tcrules.<br>
-             <br>
-           </li>
-           <li>A new SHARED_DIR variable has been added that allows distribution
-    packagers to easily move the shared directory (default /usr/lib/shorewall).
-    Users should never have a need to change the value of this shorewall.conf
-    setting.<br>
-           </li>
-                 
+                 <li>A new 'DNAT-' action has been added for entries in the 
+ /etc/shorewall/rules       file. DNAT- is intended for advanced users who 
+ wish to minimize the number      of rules that connection requests must traverse.<br>
+                   <br>
+               A Shorewall DNAT rule actually generates two iptables rules: 
+ a  header    rewriting  rule in the 'nat' table and an ACCEPT rule in the 
+ 'filter'  table.    A DNAT-  rule only generates the first of these rules. 
+ This is handy when    you have  several DNAT rules that would generate the 
+ same ACCEPT rule.<br>
+                   <br>
+                  Here are three rules from my previous rules file:<br>
+                   <br>
+                       DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
+                       DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
+                       ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
+                   <br>
+                  These three rules ended up generating _three_ copies of<br>
+                   <br>
+                        ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
+                   <br>
+                  By writing the rules this way, I end up with only one copy
+  of  the   ACCEPT   rule.<br>
+                   <br>
+                       DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
+                       DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
+                       ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
+                   <br>
+                 </li>
+                 <li>The 'shorewall check' command now prints out the applicable
+    policy    between each pair of zones.<br>
+                   <br>
+                 </li>
+                 <li>A new CLEAR_TC option has been added to shorewall.conf.
+  If  this   option  is set to 'No' then Shorewall won't clear the current
+ traffic  control   rules  during [re]start. This setting is intended for
+use by people  that  prefer to configure traffic shaping when the network
+interfaces come  up rather  than  when the firewall is started. If that is
+what you want to  do, set TC_ENABLED=Yes    and CLEAR_TC=No and do not supply
+an /etc/shorewall/tcstart   file. That way,   your traffic shaping rules
+can still use the 'fwmark' classifier  based on   packet marking defined
+in /etc/shorewall/tcrules.<br>
+                   <br>
+                 </li>
+                 <li>A new SHARED_DIR variable has been added that allows 
+distribution       packagers to easily move the shared directory (default 
+/usr/lib/shorewall).       Users should never have a need to change the value 
+of this shorewall.conf       setting.<br>
+                 </li>
+                             
 </ol>
-                 
+                             
 <p><b>1/6/2003 - <big><big><big>BURNOUT</big></big></big></b><b>        
                                          </b></p>
-                     
+                                 
 <p><b>Until further notice, I will not be involved in either Shorewall Development
-     or Shorewall Support</b></p>
-                     
+        or Shorewall Support</b></p>
+                                 
 <p><b>-Tom Eastep</b><br>
-           </p>
-                     
+                 </p>
+                                 
 <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b></p>
-                                                 
+                                                             
 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. 
-            the PDF may be downloaded from</p>
-                                                 
+               the PDF may be downloaded from</p>
+                                                             
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
  target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                             <a
+                                   <a
  href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                         </p>
-                                                 
+                               </p>
+                                                             
 <p><b>12/27/2002 - Shorewall 1.3.12 Released</b></p>
-                       
+                                   
 <p>     Features include:<br>
-                     </p>
-                       
+                           </p>
+                                   
 <ol>
-              <li>"shorewall refresh" now reloads the traffic shaping rules 
- (tcrules       and tcstart).</li>
-              <li>"shorewall debug [re]start" now turns off debugging after 
- an  error     occurs. This places the point of the failure near the end of
- the  trace  rather   than up in the middle of it.</li>
-              <li>"shorewall [re]start" has been speeded up by more than
-40%   with    my   configuration. Your milage may vary.</li>
-              <li>A "shorewall show classifiers" command has been added which 
-  shows      the current packet classification filters. The output from this 
-  command    is   also added as a separate page in "shorewall monitor"</li>
-              <li>ULOG (must be all caps) is now accepted as a valid syslog 
- level     and   causes the subject packets to be logged using the ULOG target 
- rather     than   the LOG target. This allows you to run ulogd (available 
- from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-        and log all Shorewall messages <a href="shorewall_logging.html">to 
- a  separate  log file</a>.</li>
-              <li>If you are running a kernel that has a FORWARD chain in 
-the   mangle      table ("shorewall show mangle" will show you the chains 
-in the   mangle  table),     you can set MARK_IN_FORWARD_CHAIN=Yes in <a
- href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
-       input packets based on their destination even when you are using 
-Masquerading        or SNAT.</li>
-              <li>I have cluttered up the /etc/shorewall directory with empty 
-  'init',       'start', 'stop' and 'stopped' files. If you already have a
- file with  one    of these names, don't worry -- the upgrade process won't 
- overwrite  your  file.</li>
-              <li>I have added a new RFC1918_LOG_LEVEL variable to <a
- href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
-      the syslog level at which packets are logged as a result of entries
-in   the   /etc/shorewall/rfc1918 file. Previously, these packets were always
-  logged   at the 'info' level.<br>
-              </li>
-                       
+                    <li>"shorewall refresh" now reloads the traffic shaping 
+ rules    (tcrules       and tcstart).</li>
+                    <li>"shorewall debug [re]start" now turns off debugging 
+ after    an  error     occurs. This places the point of the failure near 
+the end  of  the  trace  rather   than up in the middle of it.</li>
+                    <li>"shorewall [re]start" has been speeded up by more 
+than   40%   with    my   configuration. Your milage may vary.</li>
+                    <li>A "shorewall show classifiers" command has been added 
+  which    shows      the current packet classification filters. The output 
+  from this    command    is   also added as a separate page in "shorewall 
+ monitor"</li>
+                    <li>ULOG (must be all caps) is now accepted as a valid
+ syslog    level     and   causes the subject packets to be logged using
+the  ULOG target   rather     than   the LOG target. This allows you to run
+ulogd  (available    from <a
+ href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+           and log all Shorewall messages <a
+ href="shorewall_logging.html">to    a  separate  log file</a>.</li>
+                    <li>If you are running a kernel that has a FORWARD chain
+  in  the   mangle      table ("shorewall show mangle" will show you the
+chains    in the   mangle  table),     you can set MARK_IN_FORWARD_CHAIN=Yes
+in     <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for 
+ marking          input packets based on their destination even when you are
+using  Masquerading        or SNAT.</li>
+                    <li>I have cluttered up the /etc/shorewall directory
+with   empty    'init',       'start', 'stop' and 'stopped' files. If you
+already   have a  file with  one    of these names, don't worry -- the upgrade
+process   won't   overwrite  your  file.</li>
+                    <li>I have added a new RFC1918_LOG_LEVEL variable to
+    <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
+         the syslog level at which packets are logged as a result of entries
+   in   the   /etc/shorewall/rfc1918 file. Previously, these packets were
+always     logged   at the 'info' level.<br>
+                    </li>
+                                   
 </ol>
-                       
+                                   
 <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3<br>
-             </b></p>
-             This version corrects a problem with Blacklist logging. In Beta
-  2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall
-would   fail  to start and "shorewall  refresh" would also fail.<br>
-                         
+                   </b></p>
+                   This version corrects a problem with Blacklist logging.
+ In  Beta   2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the
+ firewall   would   fail  to start and "shorewall  refresh" would also fail.<br>
+                                     
 <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b></p>
-                         
+                                     
 <p>The first public Beta version of Shorewall 1.3.12 is now available (Beta
-       1 was made available only to a limited audience).<br>
-            </p>
-                 Features include:<br>
-                                 
+          1 was made available only to a limited audience).<br>
+                  </p>
+                       Features include:<br>
+                                             
 <ol>
-                   <li>"shorewall refresh" now reloads the traffic shaping
- rules    (tcrules     and tcstart).</li>
-                   <li>"shorewall debug [re]start" now turns off debugging
- after    an  error    occurs. This places the point of the failure near
-the  end of   the  trace rather   than up in the middle of it.</li>
-                   <li>"shorewall [re]start" has been speeded up by more
-than   40%   with   my  configuration. Your milage may vary.</li>
-                   <li>A "shorewall show classifiers" command has been added
-  which    shows    the current packet classification filters. The output
-from  this   command  is  also added as a separate page in "shorewall monitor"</li>
-                   <li>ULOG (must be all caps) is now accepted as a valid 
-syslog    level    and  causes the subject packets to be logged using the 
-ULOG target    rather    than  the LOG target. This allows you to run ulogd 
-(available  from      <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-        and log all Shorewall messages <a href="shorewall_logging.html">to 
- a  separate  log file</a>.</li>
-                   <li>If you are running a kernel that has a FORWARD chain 
- in  the   mangle    table ("shorewall show mangle" will show you the chains
-  in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
-    This allows for  marking  input packets based on their destination even
-  when  you are using  Masquerading  or SNAT.</li>
-                   <li>I have cluttered up the /etc/shorewall directory with
-  empty    'init',    'start', 'stop' and 'stopped' files. If you already
-have  a file    with one   of these names, don't worry -- the upgrade process
-won't  overwrite    your file.</li>
-                                 
+                         <li>"shorewall refresh" now reloads the traffic
+shaping     rules    (tcrules     and tcstart).</li>
+                         <li>"shorewall debug [re]start" now turns off debugging
+    after    an  error    occurs. This places the point of the failure near
+  the  end of   the  trace rather   than up in the middle of it.</li>
+                         <li>"shorewall [re]start" has been speeded up by 
+more   than   40%   with   my  configuration. Your milage may vary.</li>
+                         <li>A "shorewall show classifiers" command has been
+  added    which    shows    the current packet classification filters. The
+  output  from  this   command  is  also added as a separate page in "shorewall
+  monitor"</li>
+                         <li>ULOG (must be all caps) is now accepted as a 
+valid    syslog    level    and  causes the subject packets to be logged using
+the    ULOG target    rather    than  the LOG target. This allows you to
+run ulogd    (available  from      <a
+ href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+           and log all Shorewall messages <a
+ href="shorewall_logging.html">to    a  separate  log file</a>.</li>
+                         <li>If you are running a kernel that has a FORWARD 
+ chain    in  the   mangle    table ("shorewall show mangle" will show you 
+ the chains    in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes 
+ in shorewall.conf.      This allows for  marking  input packets based on 
+their destination even    when  you are using  Masquerading  or SNAT.</li>
+                         <li>I have cluttered up the /etc/shorewall directory 
+  with   empty    'init',    'start', 'stop' and 'stopped' files. If you already
+  have  a file    with one   of these names, don't worry -- the upgrade process
+  won't  overwrite    your file.</li>
+                                             
 </ol>
-                 You may download the Beta from:<br>
-                                 
+                       You may download the Beta from:<br>
+                                             
 <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
-                   <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
- target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
-                 </blockquote>
-                                 
+                         <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
+                       </blockquote>
+                                             
 <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
  href="http://www.mandrakesoft.com"><img src="images/logo2.png"
  alt="Powered by Mandrake Linux" width="140" height="21" border="0">
-                    </a></b></p>
-                    Shorewall is at the center of MandrakeSoft's recently-announced 
-     <a
+                          </a></b></p>
+                          Shorewall is at the center of MandrakeSoft's recently-announced 
+        <a
  href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
-          Network Firewall (MNF)</a> product. Here is the <a
+             Network Firewall (MNF)</a> product. Here is the <a
  href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
-         release</a>.<br>
-                                       
+            release</a>.<br>
+                                                   
 <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b></p>
-                                         
+                                                     
 <p>Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. 
-          I have installed 9.0 on one of my systems and I am now in a position 
-     to   support  Shorewall users who run Mandrake 9.0.</p>
-                                         
+             I have installed 9.0 on one of my systems and I am now in a position
+        to   support  Shorewall users who run Mandrake 9.0.</p>
+                                                     
 <p><b>12/6/2002 - Debian 1.3.11a Packages Available<br>
-                                       </b></p>
+                                             </b></p>
                                                                         
-    
+                
 <p>Apt-get sources listed at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
-                                                         
+                                                                     
 <p><b>12/3/2002 - Shorewall 1.3.11a</b></p>
-                                             
+                                                         
 <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT with 
-           excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users 
-   who    don't    need rules of this type need not upgrade to 1.3.11.</p>
-                                             
+              excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 
+users      who    don't    need rules of this type need not upgrade to 1.3.11.</p>
+                                                         
 <p><b>11/24/2002 - Shorewall 1.3.11</b></p>
-                                               
+                                                           
 <p>In this version:</p>
-                                               
+                                                           
 <ul>
-                          <li>A 'tcpflags' option has been added to entries 
- in      <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
-   This option causes Shorewall to make a set of sanity check on TCP packet
-  header flags.</li>
-                          <li>It is now allowed to use 'all' in the SOURCE
- or  DEST   column    in  a      <a href="Documentation.htm#Rules">rule</a>. 
- When  used,   'all'  must  appear  by  itself (in may not be qualified) and
- it does not   enable  intra-zone  traffic.   For example, the rule <br>
-                            <br>
-                            ACCEPT loc all tcp 80<br>
-                            <br>
-                        does not enable http traffic from 'loc' to 'loc'.</li>
-                          <li>Shorewall's use of the 'echo' command is now
- compatible      with   bash   clones such as ash and dash.</li>
-                          <li>fw-&gt;fw policies now generate a startup error.
-   fw-&gt;fw      rules    generate  a warning and are ignored</li>
-                                               
+                                <li>A 'tcpflags' option has been added to 
+entries     in      <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+      This option causes Shorewall to make a set of sanity check on TCP packet
+     header flags.</li>
+                                <li>It is now allowed to use 'all' in the 
+SOURCE    or  DEST   column    in  a      <a
+ href="Documentation.htm#Rules">rule</a>.     When  used,   'all'  must  appear
+ by  itself (in may not be qualified)   and  it does not   enable  intra-zone
+ traffic.   For example, the rule     <br>
+                                  <br>
+                                  ACCEPT loc all tcp 80<br>
+                                  <br>
+                              does not enable http traffic from 'loc' to
+'loc'.</li>
+                                <li>Shorewall's use of the 'echo' command 
+is  now   compatible      with   bash   clones such as ash and dash.</li>
+                                <li>fw-&gt;fw policies now generate a startup 
+  error.    fw-&gt;fw      rules    generate  a warning and are ignored</li>
+                                                           
 </ul>
-                                               
+                                                           
 <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b></p>
-                                                 
+                                                             
 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. 
-            the PDF may be downloaded from</p>
-                                                 
+               the PDF may be downloaded from</p>
+                                                             
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
  target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
-                             <a
+                                   <a
  href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
-                         </p>
-                                                 
+                               </p>
+                                                             
 <p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>              
           </b></p>
                                                                         
-            
+                        
 <p>The main Shorewall 1.3 web site is now back at SourceForge at <a
  href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
-                               </p>
+                                     </p>
                                                                         
-          
+                      
 <p><b>11/09/2002 - Shorewall 1.3.10</b></p>
-                                                     
+                                                                 
 <p>In this version:</p>
-                                                     
+                                                                 
 <ul>
-                             <li>You may now <a href="IPSEC.htm#Dynamic">define 
-   the   contents      of  a  zone  dynamically</a> with the <a
- href="starting_and_stopping_shorewall.htm">"shorewall  add" and "shorewall
-              delete" commands</a>. These commands are expected to  be used
-  primarily          within            <a
+                                   <li>You may now <a
+ href="IPSEC.htm#Dynamic">define     the   contents      of  a  zone  dynamically</a> 
+  with the <a href="starting_and_stopping_shorewall.htm">"shorewall  add" 
+and  "shorewall               delete" commands</a>. These commands are expected 
+  to  be used   primarily          within            <a
  href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>          updown 
 scripts.</li>
-                             <li>Shorewall can now do<a
+                                   <li>Shorewall can now do<a
  href="MAC_Validation.html">  MAC   verification</a>         on ethernet segments.
 You can specify the set of   allowed MAC addresses      on   the segment
 and you can optionally tie each   MAC address to one or   more   IP  addresses.</li>
-                             <li>PPTP Servers and Clients running on the
-firewall     system    may    now   be  defined in the<a href="PPTP.htm">
-/etc/shorewall/tunnels</a>         file.</li>
-                             <li>A new 'ipsecnat' tunnel type is supported
- for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
- is   behind   a NAT   gateway</a>.</li>
-                             <li>The PATH used by Shorewall may now be specified
-    in      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                             <li>The main firewall script is now /usr/lib/shorewall/firewall. 
-           The   script  in /etc/init.d/shorewall is very small and uses /sbin/shorewall
-           to do the  real work. This change makes custom distributions such
-   as   for    Debian  and  for Gentoo easier to manage since it is /etc/init.d/shorewall
-          that tends  to have distribution-dependent code</li>
-                                                     
+                                   <li>PPTP Servers and Clients running on
+ the   firewall     system    may    now   be  defined in the<a
+ href="PPTP.htm">  /etc/shorewall/tunnels</a>         file.</li>
+                                   <li>A new 'ipsecnat' tunnel type is supported
+    for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint
+    is   behind   a NAT   gateway</a>.</li>
+                                   <li>The PATH used by Shorewall may now 
+be  specified      in      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+                                   <li>The main firewall script is now /usr/lib/shorewall/firewall. 
+              The   script  in /etc/init.d/shorewall is very small and uses 
+  /sbin/shorewall            to do the  real work. This change makes custom 
+  distributions such    as   for    Debian  and  for Gentoo easier to manage 
+  since it is /etc/init.d/shorewall           that tends  to have distribution-dependent 
+  code</li>
+                                                                 
 </ul>
-                                                     
+                                                                 
 <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><b>         </b><a
  href="http://www.gentoo.org"><br>
-                                   </a></p>
-                             Alexandru Hartmann reports that his Shorewall
- package     is  now   a  part   of  <a href="http://www.gentoo.org">the
-Gentoo  Linux    distribution</a>.      Thanks    Alex!<br>
-                                                               
-<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>         </b></p>
-                               In this version:<br>
+                                         </a></p>
+                                   Alexandru Hartmann reports that his Shorewall
+    package     is  now   a  part   of  <a href="http://www.gentoo.org">the
+  Gentoo  Linux    distribution</a>.      Thanks    Alex!<br>
                                                                         
-      
+  
+<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b>         </b></p>
+                                     In this version:<br>
+                                                                        
+                  
 <ul>
-                              <li>You may now <a
+                                    <li>You may now <a
  href="IPSEC.htm#Dynamic">define     the   contents      of  a  zone dynamically</a>
-with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
-"shorewall               delete" commands</a>. These commands are expected
-to be used  primarily          within             <a
+   with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
+and   "shorewall               delete" commands</a>. These commands are expected
+   to be used  primarily          within             <a
  href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>          updown  
 scripts.</li>
-                              <li>Shorewall can now do<a
+                                    <li>Shorewall can now do<a
  href="MAC_Validation.html">  MAC   verification</a>        on ethernet segments.
-     You can specify the set  of  allowed MAC addresses     on   the segment
-   and  you can optionally tie  each  MAC address to one or  more   IP  addresses.</li>
-                              <li>PPTP Servers and Clients running on the 
-firewall     system    may    now   be  defined in the<a href="PPTP.htm"> 
-/etc/shorewall/tunnels</a>         file.</li>
-                              <li>A new 'ipsecnat' tunnel type is supported 
- for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
- is   behind   a NAT   gateway</a>.</li>
-                              <li>The PATH used by Shorewall may now be specified 
-    in      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                              <li>The main firewall script is now /usr/lib/shorewall/firewall.
-            The   script in /etc/init.d/shorewall is very small and uses
-/sbin/shorewall             to  do the real work. This change makes custom
-distributions such     as   for    Debian   and for Gentoo easier to manage
-since it is /etc/init.d/shorewall            that tends   to have distribution-dependent 
-code.</li>
-                                                       
+        You can specify the set  of  allowed MAC addresses     on   the segment
+      and  you can optionally tie  each  MAC address to one or  more   IP
+ addresses.</li>
+                                    <li>PPTP Servers and Clients running
+on  the   firewall     system    may    now   be  defined in the<a
+ href="PPTP.htm">  /etc/shorewall/tunnels</a>         file.</li>
+                                    <li>A new 'ipsecnat' tunnel type is supported 
+    for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
+    is   behind   a NAT   gateway</a>.</li>
+                                    <li>The PATH used by Shorewall may now
+ be  specified      in      <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+                                    <li>The main firewall script is now /usr/lib/shorewall/firewall.
+               The   script in /etc/init.d/shorewall is very small and uses
+  /sbin/shorewall             to  do the real work. This change makes custom
+  distributions such     as   for    Debian   and for Gentoo easier to manage
+  since it is /etc/init.d/shorewall            that tends   to have distribution-dependent 
+   code.</li>
+                                                                   
 </ul>
-                              You may download the Beta from:<br>
-                                                                       
-<ul>
-                              <li><a
- href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
-                              <li><a
- href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a></li>
-                                                       
-</ul>
-                                                       
-<p><b>10/10/2002 -  Debian 1.3.9b Packages Available<br>
-                                       </b></p>
+                                    You may download the Beta from:<br>
                                                                         
-    
+          
+<ul>
+                                    <li><a
+ href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
+                                    <li><a
+ href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a></li>
+                                                                   
+</ul>
+                                                                   
+<p><b>10/10/2002 -  Debian 1.3.9b Packages Available<br>
+                                             </b></p>
+                                                                        
+                
 <p>Apt-get sources listed at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
-                                                         
+                                                                     
 <p><b>10/9/2002 - Shorewall 1.3.9b</b></p>
-                              This release rolls up fixes to the installer
- and   to  the   firewall     script.<br>
-                                                           
+                                    This release rolls up fixes to the installer
+    and   to  the   firewall     script.<br>
+                                                                       
 <p><b>10/6/2002 - Shorewall.net now running on RH8.0<br>
-                                </b><br>
-                                The firewall and server here at shorewall.net 
-  are   now   running     RedHat    release  8.0.<br>
-                                              <b><br>
-                               9/30/2002 - Shorewall 1.3.9a</b></p>
-                                Roles up the fix for broken tunnels.<br>
-                                                               
+                                      </b><br>
+                                      The firewall and server here at shorewall.net 
+     are   now   running     RedHat    release  8.0.<br>
+                                                    <b><br>
+                                     9/30/2002 - Shorewall 1.3.9a</b></p>
+                                      Roles up the fix for broken tunnels.<br>
+                                                                        
+  
 <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b></p>
-                                There is an updated firewall script at <a
+                                      There is an updated firewall script 
+at  <a
  href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
  target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-                -- copy that file to /usr/lib/shorewall/firewall.<br>
-                                                                 
+                   -- copy that file to /usr/lib/shorewall/firewall.<br>
+                                                                        
+    
 <p><b>9/28/2002 - Shorewall 1.3.9</b></p>
-                                                                         
+                                                                        
+            
 <p>In this version:<br>
-                                     </p>
-                                                                         
+                                           </p>
+                                                                        
+            
 <ul>
-                                       <li><a
+                                             <li><a
  href="configuration_file_basics.htm#dnsnames">DNS   Names</a>      are 
  now allowed in Shorewall config files (although I recommend   against  
    using  them).</li>
-                                       <li>The connection SOURCE may now
-be  qualified      by  both   interface      and   IP  address in a <a
- href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-                                       <li>Shorewall startup is now disabled
-  after    initial     installation       until    the file /etc/shorewall/startup_disabled
-     is   removed.  This avoids       nasty surprises  during reboot for
-users      who  install Shorewall  but don't      configure it.</li>
-                                    <li>The 'functions' and 'version' files 
- and   the   'firewall'      symbolic     link  have been  moved from /var/lib/shorewall 
-     to /usr/lib/shorewall       to   appease   the LFS police at Debian.<br>
-                                    </li>
-                                                                         
+                                             <li>The connection SOURCE may
+ now   be  qualified      by  both   interface      and   IP  address in
+a      <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+                                             <li>Shorewall startup is now 
+disabled     after    initial     installation       until    the file /etc/shorewall/startup_disabled
+        is   removed.  This avoids       nasty surprises  during reboot for
+  users      who  install Shorewall  but don't      configure it.</li>
+                                          <li>The 'functions' and 'version' 
+ files    and   the   'firewall'      symbolic     link  have been  moved 
+from /var/lib/shorewall        to /usr/lib/shorewall       to   appease  
+the LFS police at Debian.<br>
+                                          </li>
+                                                                        
+            
 </ul>
-                                                                         
+                                                                        
+            
 <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
-                    Restored</b><br>
-                                              </p>
-                                            <img
+                       Restored</b><br>
+                                                    </p>
+                                                  <img
  src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
  align="left">
-                                        A couple of recent configuration
-changes     at  www.shorewall.net          broke    the  Search facility:<br>
+                                              A couple of recent configuration
+   changes     at  www.shorewall.net          broke    the  Search facility:<br>
                                                                         
-                          
+                                      
 <blockquote>                                                            
-                                                           
+                                                                        
+   
   <ol>
-                                         <li>Mailing List Archive Search
-was   not   available.</li>
-                                         <li>The Site Search index was incomplete</li>
-                                         <li>Only one page of matches was 
-presented.</li>
+                                               <li>Mailing List Archive Search
+   was   not   available.</li>
+                                               <li>The Site Search index
+was   incomplete</li>
+                                               <li>Only one page of matches 
+ was   presented.</li>
                                                                         
                                                                         
- 
+                         
   </ol>
-                                            </blockquote>
-                                         Hopefully these problems are now 
-corrected.                                          
+                                                  </blockquote>
+                                               Hopefully these problems are 
+ now   corrected.                                                
 <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
-                   Restored<br>
-                                      </b></p>
-                                      A couple of recent configuration changes
-   at  www.shorewall.net          had   the   negative  effect of breaking
- the  Search  facility:<br>
+                      Restored<br>
+                                            </b></p>
+                                            A couple of recent configuration
+  changes     at  www.shorewall.net          had   the   negative  effect
+of  breaking   the  Search  facility:<br>
                                                                         
-  
+              
 <ol>
-                                        <li>Mailing List Archive Search was 
- not   available.</li>
-                                        <li>The Site Search index was incomplete</li>
-                                        <li>Only one page of matches was
-presented.</li>
+                                              <li>Mailing List Archive Search 
+  was   not   available.</li>
+                                              <li>The Site Search index was 
+ incomplete</li>
+                                              <li>Only one page of matches
+ was   presented.</li>
                                                                         
-  
+              
 </ol>
-                                      Hopefully these problems are now corrected.<br>
+                                            Hopefully these problems are
+now   corrected.<br>
                                                                         
-  
+              
 <p><b>9/18/2002 -  Debian 1.3.8 Packages Available<br>
-                                       </b></p>
+                                             </b></p>
                                                                         
-    
+                
 <p>Apt-get sources listed at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
                                                                         
-    
+                
 <p><b>9/16/2002 - Shorewall 1.3.8</b></p>
                                                                         
-        
+                    
 <p>In this version:<br>
-                                         </p>
-                                                                        
-        
-<ul>
-                                           <li>A <a
- href="Documentation.htm#Conf">NEWNOTSYN</a>        option    has   been
-  added  to shorewall.conf. This option determines      whether  Shorewall
-         accepts   TCP packets  which are not part of an   established  
- connection      and   that are   not 'SYN' packets  (SYN flag   on and ACK
-flag    off).</li>
-                                           <li>The need for the 'multi' option
-   to  communicate       between     zones    za  and  zb on the same interface 
-   is removed in  the    case where   the  chain   'za2zb'   and/or  'zb2za' 
-   exists. 'za2zb'  will   exist if:</li>
-                                                                        
-                                                                        
-                 
-  <ul>
-                                             <li>       There is a policy 
-for   za  to  zb;   or          </li>
-                                                <li>There is at least one 
-rule   for   za  to  zb.</li>
-                                                                        
-                                                                        
-             
-  </ul>
-                                                                        
-        
-</ul>
+                                               </p>
                                                                         
                     
 <ul>
-                                           <li>The /etc/shorewall/blacklist 
- file   now   contains     three    columns.     In  addition  to the SUBNET/ADDRESS
-    column,   there   are  optional    PROTOCOL   and  PORT  columns  to
-block     only certain   applications     from the   blacklisted   addresses.<br>
-                                           </li>
+                                                 <li>A <a
+ href="Documentation.htm#Conf">NEWNOTSYN</a>        option    has   been
+  added  to shorewall.conf. This option determines      whether  Shorewall
+            accepts   TCP packets  which are not part of an   established
+   connection      and   that are   not 'SYN' packets  (SYN flag   on and
+ACK  flag    off).</li>
+                                                 <li>The need for the 'multi' 
+  option    to  communicate       between     zones    za  and  zb on the 
+same  interface     is removed in  the    case where   the  chain   'za2zb' 
+  and/or   'zb2za'     exists. 'za2zb'  will   exist if:</li>
                                                                         
-        
+                                                                        
+                                         
+  <ul>
+                                                   <li>       There is a
+policy    for   za  to  zb;   or          </li>
+                                                      <li>There is at least 
+ one   rule   for   za  to  zb.</li>
+                                                                        
+                                                                        
+                                     
+  </ul>
+                                                                        
+                    
 </ul>
                                                                         
-        
+                                
+<ul>
+                                                 <li>The /etc/shorewall/blacklist 
+    file   now   contains     three    columns.     In  addition  to the SUBNET/ADDRESS
+      column,   there   are  optional    PROTOCOL   and  PORT  columns  to
+ block     only certain   applications     from the   blacklisted   addresses.<br>
+                                                 </li>
+                                                                        
+                    
+</ul>
+                                                                        
+                    
 <p><b>9/11/2002 - Debian 1.3.7c Packages Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Apt-get sources listed at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
                                                                         
-                                          
+                                                      
 <p>This is a role up of a fix for "DNAT" rules where the source zone is $FW 
-                      (fw).</p>
+                         (fw).</p>
                                                                         
-                                          
+                                                      
 <p><b>8/31/2002 - I'm not available</b></p>
                                                                         
-                                          
+                                                      
 <p>I'm currently on vacation  -- please respect my need for a couple of 
  weeks free of Shorewall problem reports.</p>
                                                                         
-                                          
+                                                      
 <p>-Tom</p>
                                                                         
-                                          
+                                                      
 <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
                                                                         
-                                          
+                                                      
 <p>This is a role up of the "shorewall refresh" bug fix and the change which 
-                      reverses the order of "dhcp" and "norfc1918" checking.</p>
+                         reverses the order of "dhcp" and "norfc1918" checking.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
                                                                         
-                                          
+                                                      
 <p><a target="_blank"
  href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
-                    is now available.</p>
+                       is now available.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/25/2002 - Shorewall Mirror in France</b></p>
                                                                         
-                                          
+                                                      
 <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored 
-                      at <a target="_top"
+                         at <a target="_top"
  href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Martignoni reports that the packages for version 1.3.7a  are available 
-                    at <a
+                       at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author 
-                    -- Shorewall 1.3.7a   released<img border="0"
+                       -- Shorewall 1.3.7a   released<img border="0"
  src="images/j0233056.gif" width="50" height="80" align="middle">
-                                         </b></p>
+                                               </b></p>
                                                                         
-                                          
+                                                      
 <p>1.3.7a corrects problems occurring in  rules file processing when starting 
-                    Shorewall   1.3.7.</p>
+                       Shorewall   1.3.7.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002</b></p>
                                                                         
-                                          
+                                                      
 <p>Features in this release include:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>The 'icmp.def' file is now 
- empty!    The   rules    in  that   file   were   required  in     ipchains 
- firewalls    but   are not   required   in   Shorewall.    Users   who have 
-      ALLOWRELATED=No      in <a href="Documentation.htm#Conf">shorewall.conf</a> 
-    should     see    the     <a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
-                                             <li>A 'FORWARDPING' option has 
- been   added    to      <a href="Documentation.htm#Conf">    shorewall.conf</a>.
-    The effect    of  setting             this variable to Yes is the same
- as       the effect    of  adding an   ACCEPT       rule   for ICMP echo-request
-    in    <a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
-      Users                  who have such a rule in icmpdef are encouraged
-  to  switch to   FORWARDPING=Yes.</li>
-                                             <li>The loopback CLASS A Network 
-  (127.0.0.0/8)        has   been   added    to  the   rfc1918     file.</li>
-                                             <li>Shorewall now works with 
-iptables     1.2.7</li>
-                                             <li>The documentation and web
- site   no  longer    uses   FrontPage      themes.</li>
+                                                   <li>The 'icmp.def' file
+ is  now   empty!    The   rules    in  that   file   were   required  in
+    ipchains   firewalls    but   are not   required   in   Shorewall.  
+ Users   who have        ALLOWRELATED=No      in <a
+ href="Documentation.htm#Conf">shorewall.conf</a>      should     see    the
+    <a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
+                                                   <li>A 'FORWARDPING' option 
+  has   been   added    to      <a href="Documentation.htm#Conf">    shorewall.conf</a>.
+       The effect    of  setting             this variable to Yes is the
+same     as       the effect    of  adding an   ACCEPT       rule   for ICMP
+echo-request        in    <a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
+         Users                  who have such a rule in icmpdef are encouraged
+     to  switch to   FORWARDPING=Yes.</li>
+                                                   <li>The loopback CLASS 
+A  Network     (127.0.0.0/8)        has   been   added    to  the   rfc1918 
+    file.</li>
+                                                   <li>Shorewall now works
+ with   iptables     1.2.7</li>
+                                                   <li>The documentation
+and   web   site   no  longer    uses   FrontPage      themes.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                          
+                                                      
 <p>I would like to thank John Distler for his valuable input regarding TCP 
-                    SYN   and ICMP treatment in Shorewall. That input has 
-led    to   marked       improvement      in   Shorewall in the last two releases.</p>
+                       SYN   and ICMP treatment in Shorewall. That input has
+   led    to   marked       improvement      in   Shorewall in the last two
+  releases.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/13/2002 - Documentation in the <a target="_top"
  href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
                                                                         
-                                          
+                                                      
 <p>The Shorewall-docs project now contains just the HTML and image files -
 the   Frontpage files have been removed.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top"
  href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
                                                                         
-                                          
+                                                      
 <p>This branch will only be updated after I release a new version of Shorewall 
-                      so you can always update from this branch to get the 
- latest       stable       tree.</p>
+                         so you can always update from this branch to get 
+the    latest       stable       tree.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
   to the <a href="errata.htm">Errata Page</a></b></p>
                                                                         
-                                          
+                                                      
 <p>Now there is one place to go to look for issues involved with upgrading 
-                    to   recent versions of Shorewall.</p>
+                       to   recent versions of Shorewall.</p>
                                                                         
-                                          
+                                                      
 <p><b>8/7/2002 - Shorewall 1.3.6</b></p>
                                                                         
-                                          
+                                                      
 <p>This is primarily a bug-fix rollup with a couple of new features:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>The latest <a
+                                                   <li>The latest <a
  href="shorewall_quickstart_guide.htm">QuickStart       Guides      </a> 
   including the <a href="shorewall_setup_guide.htm">Shorewall     Setup 
 Guide.</a></li>
-                                             <li>Shorewall will now DROP
-TCP   packets     that   are   not   part   of  or      related to an existing
- connection   and  that   are not  SYN   packets.    These    "New      not
- SYN" packets   may  be optionally   logged   by setting  the  LOGNEWNOTSYN
-     option     in     <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-                                             <li>The processing of "New not 
- SYN"   packets     may   be  extended     by  commands    in     the new 
-    <a href="shorewall_extension_scripts.htm">newnotsyn   extension    script</a>.</li>
+                                                   <li>Shorewall will now 
+DROP   TCP   packets     that   are   not   part   of  or      related to 
+an existing    connection   and  that   are not  SYN   packets.    These 
+  "New      not   SYN" packets   may  be optionally   logged   by setting 
+ the  LOGNEWNOTSYN        option     in     <a
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+                                                   <li>The processing of
+"New   not   SYN"   packets     may   be  extended     by  commands    in
+    the   new      <a href="shorewall_extension_scripts.htm">newnotsyn  
+extension     script</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>7/30/2002 - Shorewall 1.3.5b Released</b></p>
                                                                         
-                                          
+                                                      
 <p>This interim release:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Causes the firewall script 
- to  remove    the   lock   file   if  it  is  killed.</li>
-                                             <li>Once again allows lists
-in  the   second    column    of  the          <a
+                                                   <li>Causes the firewall
+ script    to  remove    the   lock   file   if  it  is  killed.</li>
+                                                   <li>Once again allows
+lists    in  the   second    column    of  the          <a
  href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>          file.</li>
-                                             <li>Includes the latest <a
- href="shorewall_quickstart_guide.htm">QuickStart       Guides</a>.</li>
+                                                   <li>Includes the latest
+     <a href="shorewall_quickstart_guide.htm">QuickStart       Guides</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>7/29/2002 - New Shorewall Setup Guide Available</b></p>
                                                                         
-                                          
+                                                      
 <p>The first draft of this guide is available at  <a
  href="http://www.shorewall.net/shorewall_setup_guide.htm">  http://www.shorewall.net/shorewall_setup_guide.htm</a>. 
-                    The guide is intended   for use by people who are setting 
-    up   Shorewall          to   manage multiple public IP   addresses and 
- by   people   who want  to   learn     more   about Shorewall than is   described
-    in the   single-address     guides.    Feedback   on the new guide is
-welcome.</p>
+                       The guide is intended   for use by people who are setting
+       up   Shorewall          to   manage multiple public IP   addresses 
+and    by   people   who want  to   learn     more   about Shorewall than 
+is   described     in the   single-address     guides.    Feedback   on the 
+new  guide is welcome.</p>
                                                                         
-                                          
+                                                      
 <p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Martignoni reports that the packages are version 1.3.5a and are 
-                    available at <a
+                       available at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>7/27/2002 - Shorewall 1.3.5a Released</b></p>
                                                                         
-                                          
+                                                      
 <p>This interim release restores correct handling of REDIRECT rules. </p>
                                                                         
-                                          
+                                                      
 <p><b>7/26/2002 - Shorewall 1.3.5 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>This will be the last Shorewall release for a while. I'm going to be 
  focusing on rewriting a lot of the documentation.</p>
                                                                         
-                                          
+                                                      
 <p><b> </b>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Empty and invalid source 
-and   destination       qualifiers      are   now   detected   in     the 
-rules   file. It is a  good    idea to use   the   'shorewall     check' command
-   before     you  issue   a 'shorewall restart'     command be  be   sure
- that you don't   have any       configuration problems     that will prevent
-   a successful  restart.</li>
-                                             <li>Added <b>MERGE_HOSTS</b> 
-variable     in      <a href="Documentation.htm#Conf">    shorewall.conf</a> 
-to provide     saner  behavior               of the /etc/shorewall/hosts 
-   file.</li>
-                                             <li>The time that the counters 
- were   last   reset    is  now   displayed      in  the      heading of the
- 'status'    and   'show'   commands.</li>
-                                             <li>A <b>proxyarp </b>option 
-has   been   added    for   entries     in         <a
+                                                   <li>Empty and invalid
+source    and   destination       qualifiers      are   now   detected  
+in     the    rules   file. It is a  good    idea to use   the   'shorewall
+    check'   command    before     you  issue   a 'shorewall restart'   
+ command be  be   sure  that you don't   have any       configuration problems
+    that  will prevent    a successful  restart.</li>
+                                                   <li>Added <b>MERGE_HOSTS</b> 
+   variable     in      <a href="Documentation.htm#Conf">    shorewall.conf</a> 
+   to provide     saner  behavior               of the /etc/shorewall/hosts 
+      file.</li>
+                                                   <li>The time that the
+counters     were   last   reset    is  now   displayed      in  the    
+ heading of   the  'status'    and   'show'   commands.</li>
+                                                   <li>A <b>proxyarp </b>option 
+   has   been   added    for   entries     in         <a
  href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.     
        This     option facilitates Proxy ARP sub-netting as described  in
   the    Proxy    ARP        subnetting mini-HOWTO (<a
  href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>). 
-                        Specifying the proxyarp option for an interface causes 
-     Shorewall          to   set      /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
-                                             <li>The Samples have been updated
-   to  reflect     the   new   capabilities       in  this     release. </li>
+                           Specifying the proxyarp option for an interface 
+ causes       Shorewall          to   set      /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
+                                                   <li>The Samples have been
+  updated     to  reflect     the   new   capabilities       in  this   
+ release.    </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>7/16/2002 - New Mirror in Argentina</b></p>
                                                                         
-                                          
+                                                      
 <p>Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in 
-                      Argentina. Thanks Buanzo!!!</p>
+                         Argentina. Thanks Buanzo!!!</p>
                                                                         
-                                          
+                                                      
 <p><b>7/16/2002 - Shorewall 1.3.4 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>A new <a
+                                                   <li>A new <a
  href="Documentation.htm#Routestopped">     /etc/shorewall/routestopped</a>
-                  file has been added. This file is  intended to     eventually
-      replace       the        <b>routestopped</b> option   in the     /etc/shorewall/interface
-             and /etc/shorewall/hosts    files.  This new file makes    
-remote       firewall       administration easier by  allowing   any IP or
-subnet  to   be      enabled     while   Shorewall is stopped.</li>
-                                             <li>An /etc/shorewall/stopped
-     <a href="Documentation.htm#Scripts">extension       script</a> has been
- added.                  This script is invoked after Shorewall has     
- stopped.</li>
-                                             <li>A <b>DETECT_DNAT_ADDRS </b>option
-     has   been   added    to         <a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. 
-              When  this          option is selected, DNAT rules only apply 
-  when     the    destination    address      is the     external interface's 
+                     file has been added. This file is  intended to     eventually
+         replace       the        <b>routestopped</b> option   in the   
+ /etc/shorewall/interface                and /etc/shorewall/hosts    files.
+ This new file makes     remote       firewall       administration easier
+by  allowing   any IP or subnet  to   be      enabled     while   Shorewall
+is stopped.</li>
+                                                   <li>An /etc/shorewall/stopped
+        <a href="Documentation.htm#Scripts">extension       script</a> has
+ been   added.                  This script is invoked after Shorewall has
+       stopped.</li>
+                                                   <li>A <b>DETECT_DNAT_ADDRS 
+      </b>option      has   been   added    to         <a
+ href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>.         
+      When  this          option is selected, DNAT rules only apply    when 
+      the    destination    address      is the     external interface's 
   primary     IP address.</li>
-                                             <li>The <a
+                                                   <li>The <a
  href="shorewall_quickstart_guide.htm">QuickStart       Guide</a>     has
-              been broken into three guides and has been almost     entirely
-    rewritten.</li>
-                                             <li>The Samples have been updated
-   to  reflect     the   new   capabilities       in  this     release. </li>
+                 been broken into three guides and has been almost     entirely
+       rewritten.</li>
+                                                   <li>The Samples have been
+  updated     to  reflect     the   new   capabilities       in  this   
+ release.    </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>7/8/2002 - Shorewall 1.3.3 Debian Package Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Marignoni reports that the packages are available at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>7/6/2002 - Shorewall 1.3.3 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Entries in /etc/shorewall/interface
-      that   use   the   wildcard     character    ("+")     now have the
-"multi"      option   assumed.</li>
-                                             <li>The 'rfc1918' chain in the 
- mangle    table    has   been   renamed     'man1918'     to     make log 
- messages   generated    from  that chain   distinguishable     from   those 
-      generated   by the    'rfc1918'   chain in   the filter table.</li>
-                                             <li>Interface names appearing
- in  the   hosts    file   are   now   validated      against  the     interfaces 
-  file.</li>
-                                             <li>The TARGET column in the 
-rfc1918     file   is  now   checked     for   correctness.</li>
-                                             <li>The chain structure in the 
- nat   table    has   been   changed     to  reduce    the     number of rules
- that  a packet    must   traverse   and to   correct  problems    with 
-   NAT_BEFORE_RULES=No</li>
-                                             <li>The "hits" command has been
-  enhanced.</li>
+                                                   <li>Entries in /etc/shorewall/interface
+         that   use   the   wildcard     character    ("+")     now have
+the    "multi"      option   assumed.</li>
+                                                   <li>The 'rfc1918' chain
+ in  the   mangle    table    has   been   renamed     'man1918'     to 
+   make  log   messages   generated    from  that chain   distinguishable
+    from    those        generated   by the    'rfc1918'   chain in   the
+filter table.</li>
+                                                   <li>Interface names appearing
+    in  the   hosts    file   are   now   validated      against  the   
+ interfaces     file.</li>
+                                                   <li>The TARGET column
+in  the   rfc1918     file   is  now   checked     for   correctness.</li>
+                                                   <li>The chain structure
+ in  the   nat   table    has   been   changed     to  reduce    the    
+number   of rules  that  a packet    must   traverse   and to   correct 
+problems     with     NAT_BEFORE_RULES=No</li>
+                                                   <li>The "hits" command 
+has   been   enhanced.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>6/25/2002 - Samples Updated for 1.3.2</b></p>
                                                                         
-                                          
+                                                      
 <p>The comments in the sample configuration files have been updated to reflect 
-                      new features introduced in Shorewall 1.3.2.</p>
+                         new features introduced in Shorewall 1.3.2.</p>
                                                                         
-                                          
+                                                      
 <p><b>6/25/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Marignoni reports that the package is available at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>6/19/2002 - Documentation Available in PDF Format</b></p>
                                                                         
-                                          
+                                                      
 <p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
  <a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
   PDF format.</p>
                                                                         
-                                          
+                                                      
 <p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>A <a
+                                                   <li>A <a
  href="Documentation.htm#Starting">logwatch      command</a>       has  
 been     added to /sbin/shorewall.</li>
-                                             <li>A <a
+                                                   <li>A <a
  href="blacklisting_support.htm">dynamic     blacklist      facility</a>
      has     been added.</li>
-                                             <li>Support for the <a
+                                                   <li>Support for the <a
  href="Documentation.htm#Conf">Netfilter      multiport        match function</a>
-            has been added.</li>
-                                             <li>The files <b>firewall, functions 
-        </b>and         <b>version</b>        have   been   moved     from 
- /etc/shorewall   to   /var/lib/shorewall.</li>
+               has been added.</li>
+                                                   <li>The files <b>firewall, 
+  functions          </b>and         <b>version</b>        have   been   moved
+      from   /etc/shorewall   to   /var/lib/shorewall.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>
                                                                         
-                                          
+                                                      
 <p>Last weekend, I installed the CVS Web package to provide brower-based access
   to the Shorewall CVS repository. Since then, I have had several instances
 where   my server was almost unusable due to the high load generated by website
 copying   tools like HTTrack and WebStripper. These mindless tools:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Ignore robot.txt files.</li>
-                                             <li>Recursively copy everything
-  that   they   find.</li>
-                                             <li>Should be classified as
-weapons     rather    than   tools.</li>
+                                                   <li>Ignore robot.txt files.</li>
+                                                   <li>Recursively copy everything
+     that   they   find.</li>
+                                                   <li>Should be classified 
+ as  weapons     rather    than   tools.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p>These tools/weapons are particularly damaging when combined with CVS Web 
-                      because they doggedly follow every link in the cgi-generated 
-         HTML     resulting      in   1000s of executions of the cvsweb.cgi 
-  script.       Yesterday,     I spend  several    hours   implementing measures 
-  to block      these tools  but   unfortunately,  these    measures   resulted 
-   in my  server    OOM-ing under   even  moderate load.</p>
+                         because they doggedly follow every link in the cgi-generated 
+            HTML     resulting      in   1000s of executions of the cvsweb.cgi 
+     script.       Yesterday,     I spend  several    hours   implementing 
+ measures    to block      these tools  but   unfortunately,  these    measures 
+   resulted     in my  server    OOM-ing under   even  moderate load.</p>
                                                                         
-                                          
+                                                      
 <p>Until I have the time to understand the cause of the OOM (or until I buy 
-                      more RAM if that is what is required), CVS Web access 
-  will     remain       Password        Protected. </p>
+                         more RAM if that is what is required), CVS Web access 
+     will     remain       Password        Protected. </p>
                                                                         
-                                          
+                                                      
 <p><b>6/5/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Marignoni reports that the package is available at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>6/2/2002 - Samples Corrected</b></p>
                                                                         
-                                          
+                                                      
 <p>The 1.3.0 samples configurations had several serious problems that prevented 
-                      DNS and SSH from working properly. These problems have 
-   been     corrected          in  the  <a
+                         DNS and SSH from working properly. These problems 
+ have     been     corrected          in  the  <a
  href="/pub/shorewall/samples-1.3.1">1.3.1    samples.</a></p>
                                                                         
-                                          
+                                                      
 <p><b>6/1/2002 - Shorewall 1.3.1 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>Hot on the heels of 1.3.0, this release:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Corrects a serious problem 
- with   "all       <i>&lt;zone&gt;</i>           CONTINUE"     policies. 
-   This   problem   is present in all versions     of   Shorewall   that 
- support   the     CONTINUE  policy. These previous    versions   optimized 
-   away  the "all2<i>&lt;zone&gt;</i>"        chain and    replaced it  with 
- the "all2all"   chain with the usual  result that a     policy of REJECT 
- was enforced rather   than the intended  CONTINUE policy.</li>
-                                             <li>Adds an <a
+                                                   <li>Corrects a serious 
+problem     with   "all       <i>&lt;zone&gt;</i>           CONTINUE"    
+policies.       This   problem   is present in all versions     of   Shorewall 
+  that     support   the     CONTINUE  policy. These previous    versions 
+  optimized       away  the "all2<i>&lt;zone&gt;</i>"        chain and   
+replaced it  with   the "all2all"   chain with the usual  result that a 
+   policy of REJECT   was enforced rather   than the intended  CONTINUE policy.</li>
+                                                   <li>Adds an <a
  href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>             
   file for defining the exact behavior of the<a
  href="Documentation.htm#Interfaces">     'norfc1918' interface option</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>5/29/2002 - Shorewall 1.3.0 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 
  includes:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>A 'filterping' interface 
-option    that   allows    ICMP   echo-request       (ping)      requests 
-addressed    to the   firewall   to be handled  by entries     in      /etc/shorewall/rules
-     and   /etc/shorewall/policy.</li>
+                                                   <li>A 'filterping' interface 
+   option    that   allows    ICMP   echo-request       (ping)      requests 
+   addressed    to the   firewall   to be handled  by entries     in     
+/etc/shorewall/rules       and   /etc/shorewall/policy.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>5/23/2002 - Shorewall 1.3 RC1 Available</b></p>
                                                                         
-                                          
+                                                      
 <p>In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) 
  incorporates the following:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Support for the /etc/shorewall/whitelist 
-        file   has   been   withdrawn.      If you     need whitelisting, 
-see        <a href="/1.3/whitelisting_under_shorewall.htm">these     instructions</a>.</li>
+                                                   <li>Support for the /etc/shorewall/whitelist 
+           file   has   been   withdrawn.      If you     need whitelisting, 
+   see        <a href="/1.3/whitelisting_under_shorewall.htm">these     instructions</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                          
+                                                      
 <p><b>5/19/2002 - Shorewall 1.3 Beta 2 Available</b></p>
                                                                         
-                                          
+                                                      
 <p>In addition to the changes in Beta 1, this release which carries the 
  designation 1.2.91 adds:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>The structure of the firewall
-   is  changed     markedly.      There    is  now   an INPUT     and a FORWARD 
-   chain for  each   interface;    this  reduces    the  number   of rules 
- that      a packet   must  traverse,   especially  in complicated     setups.</li>
-                                             <li><a
+                                                   <li>The structure of the 
+ firewall     is  changed     markedly.      There    is  now   an INPUT 
+   and a FORWARD     chain for  each   interface;    this  reduces    the 
+ number   of rules   that      a packet   must  traverse,   especially  in 
+ complicated     setups.</li>
+                                                   <li><a
  href="Documentation.htm#Exclude">Sub-zones      may   now   be  excluded 
-         from     DNAT and REDIRECT rules.</a></li>
-                                             <li>The names of the columns 
-in  a  number    of  the   configuration        files    have been     changed
-  to  be more   consistent    and self-explanatory        and the   documentation
-   has     been updated   accordingly.</li>
-                                             <li>The sample configurations
- have   been   updated     for   1.3.</li>
+            from     DNAT and REDIRECT rules.</a></li>
+                                                   <li>The names of the columns 
+   in  a  number    of  the   configuration        files    have been    
+changed    to  be more   consistent    and self-explanatory        and the 
+  documentation     has     been updated   accordingly.</li>
+                                                   <li>The sample configurations
+    have   been   updated     for   1.3.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                          
+                                                      
 <p><b>5/17/2002 - Shorewall 1.3 Beta 1 Available</b></p>
                                                                         
-                                          
+                                                      
 <p>Beta 1 carries the version designation 1.2.90 and implements the following 
-                      features:</p>
+                         features:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Simplified rule syntax which 
-  makes    the   intent    of  each   rule   clearer    and     hopefully 
-makes  Shorewall     easier to   learn.</li>
-                                             <li>Upward compatibility with
- 1.2   configuration        files    has   been   maintained    so     that
- current   users can migrate        to the  new  syntax   at  their convenience.</li>
-                                             <li><b><font
+                                                   <li>Simplified rule syntax 
+  which    makes    the   intent    of  each   rule   clearer    and     hopefully
+   makes  Shorewall     easier to   learn.</li>
+                                                   <li>Upward compatibility 
+ with   1.2   configuration        files    has   been   maintained    so 
+    that   current   users can migrate        to the  new  syntax   at  their 
+ convenience.</li>
+                                                   <li><b><font
  color="#cc6666">WARNING:       Compatibility        with   the   old   
    parameterized sample configurations      has NOT been     maintained.
    Users   still        running those configurations      should   migrate
- to the  new  sample   configurations        before upgrading     to  1.3
-Beta 1.</font></b></li>
+    to the  new  sample   configurations        before upgrading     to 
+1.3    Beta 1.</font></b></li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>5/4/2002 - Shorewall 1.2.13 is Available</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li><a
+                                                   <li><a
  href="Documentation.htm#Whitelist">White-listing</a>          is  supported.</li>
-                                             <li><a
+                                                   <li><a
  href="Documentation.htm#Policy">SYN-flood      protection          </a>is
-        added.</li>
-                                             <li>IP addresses added under 
-    <a href="Documentation.htm#Conf">ADD_IP_ALIASES         and ADD_SNAT_ALIASES</a> 
-                now inherit the VLSM and Broadcast Address   of  the     interface's
-           primary     IP address.</li>
-                                             <li>The order in which port
-forwarding      DNAT   and   Static    DNAT          <a
+           added.</li>
+                                                   <li>IP addresses added 
+under        <a href="Documentation.htm#Conf">ADD_IP_ALIASES         and ADD_SNAT_ALIASES</a>
+                   now inherit the VLSM and Broadcast Address   of  the 
+   interface's            primary     IP address.</li>
+                                                   <li>The order in which 
+port   forwarding      DNAT   and   Static    DNAT          <a
  href="Documentation.htm#Conf">can     now be   reversed</a>   so   that port
       forwarding    rules can override     the  contents of <a
  href="Documentation.htm#NAT">    /etc/shorewall/nat</a>.         </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>4/30/2002 - Shorewall Debian News</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the    <a
  href="http://packages.debian.org/testing/net/shorewall.html">Debian    
 Testing Branch</a> and the    <a
  href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
 Unstable Branch</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>4/20/2002 - Shorewall 1.2.12 is Available</b></p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>The 'try' command works
-again</li>
-                                             <li>There is now a single RPM
- that   also   works    with   SuSE.</li>
+                                                   <li>The 'try' command
+works    again</li>
+                                                   <li>There is now a single
+  RPM   that   also   works    with   SuSE.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>4/17/2002 - Shorewall Debian News</b></p>
                                                                         
-                                          
+                                                      
 <p>Lorenzo Marignoni reports that:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Shorewall 1.2.10 is in the 
-        <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
-       Testing Branch</a></li>
-                                             <li>Shorewall 1.2.11 is in the 
-        <a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
-       Unstable Branch</a></li>
+                                                   <li>Shorewall 1.2.10 is
+ in  the          <a
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian     
+  Testing Branch</a></li>
+                                                   <li>Shorewall 1.2.11 is
+ in  the          <a
+ href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
+   Unstable Branch</a></li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p>Thanks, Lorenzo!</p>
                                                                         
-                                          
+                                                      
 <p><b>4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE</b></p>
                                                                         
-                                          
+                                                      
 <p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there 
-                    is   now a Shorewall 1.2.11  <a
+                       is   now a Shorewall 1.2.11  <a
  href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">
-                      SuSE RPM</a> available. </p>
+                         SuSE RPM</a> available. </p>
                                                                         
-                                          
+                                                      
 <p><b>4/13/2002 - Shorewall 1.2.11 Available </b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>The 'try' command now accepts
-   an  optional     timeout.     If  the   timeout    is     given in the
-command,    the standard     configuration      will automatically     be
-    restarted    after the new    configuration has    been  running for
-that  length   of       time. This  prevents  a remote admin    from  being
-locked out of the   firewall   in     the case  where the new configuration
-    starts but prevents   access.</li>
-                                             <li>Kernel route filtering may 
- now   be  enabled     globally     using    the   new       ROUTE_FILTER 
-parameter   in     <a href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
-                                             <li>Individual IP source addresses 
-   and/or    subnets     may   now   be  excluded     from     masquerading/SNAT.</li>
-                                             <li>Simple "Yes/No" and "On/Off" 
-  values    are   now   case-insensitive         in      /etc/shorewall/shorewall.conf.</li>
+                                                   <li>The 'try' command
+now   accepts     an  optional     timeout.     If  the   timeout    is 
+   given   in the  command,    the standard     configuration      will automatically
+      be      restarted    after the new    configuration has    been  running
+  for that  length   of       time. This  prevents  a remote admin    from
+  being locked out of the   firewall   in     the case  where the new configuration
+      starts but prevents   access.</li>
+                                                   <li>Kernel route filtering 
+  may   now   be  enabled     globally     using    the   new       ROUTE_FILTER 
+   parameter   in     <a href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
+                                                   <li>Individual IP source 
+ addresses      and/or    subnets     may   now   be  excluded     from  
+  masquerading/SNAT.</li>
+                                                   <li>Simple "Yes/No" and
+ "On/Off"     values    are   now   case-insensitive         in      /etc/shorewall/shorewall.conf.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                          
+                                                      
 <p><b>4/13/2002 - Hamburg Mirror now has FTP </b></p>
                                                                         
-                                          
+                                                      
 <p>Stefan now has an FTP mirror at  <a target="_blank"
  href="ftp://germany.shorewall.net/pub/shorewall">  ftp://germany.shorewall.net/pub/shorewall</a>.  
-                    Thanks Stefan!</p>
+                       Thanks Stefan!</p>
                                                                         
-                                          
+                                                      
 <p><b>4/12/2002 - New Mirror in Hamburg</b></p>
                                                                         
-                                          
+                                                      
 <p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there 
-                    is   now a mirror of the Shorewall website at  <a
+                       is   now a mirror of the Shorewall website at  <a
  target="_top" href="http://germany.shorewall.net">  http://germany.shorewall.net</a>. 
-          </p>
+             </p>
                                                                         
-                                          
+                                                      
 <p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>
                                                                         
-                                          
+                                                      
 <p><a href="shorewall_quickstart_guide.htm">Version 1.1 of the QuickStart 
-                    Guide</a>   is now available. Thanks to those who have 
- read     version        1.0    and  offered their   suggestions. Corrections 
- have    also been  made     to the   sample  scripts.</p>
+                       Guide</a>   is now available. Thanks to those who have
+    read     version        1.0    and  offered their   suggestions. Corrections
+    have    also been  made     to the   sample  scripts.</p>
                                                                         
-                                          
+                                                      
 <p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
                                                                         
-                                          
+                                                      
 <p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart 
-                    Guide</a>   is now available. This Guide and its accompanying 
-        sample       configurations     are   expected to provide a replacement 
-      for  the recently       withdrawn parameterized       samples. </p>
+                       Guide</a>   is now available. This Guide and its accompanying 
+           sample       configurations     are   expected to provide a replacement 
+         for  the recently       withdrawn parameterized       samples. </p>
                                                                         
-                                          
+                                                      
 <p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
                                                                         
-                                          
+                                                      
 <p>Although the <a
  href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized 
-                      samples</a> have allowed people to get a firewall up 
- and    running        quickly,       they   have unfortunately set the wrong 
- level    of expectation        among those      who have used   them. I am
- therefore    withdrawing support        for the samples     and I am recommending
-   that   they not be used in   new    Shorewall installations.</p>
+                         samples</a> have allowed people to get a firewall 
+ up   and    running        quickly,       they   have unfortunately set the
+ wrong   level    of expectation        among those      who have used  
+them.  I am  therefore    withdrawing support        for the samples    
+and I am  recommending    that   they not be used in   new    Shorewall installations.</p>
                                                                         
-                                          
+                                                      
 <p><b>4/2/2002 - Updated Log Parser</b></p>
                                                                         
-                                          
+                                                      
 <p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated 
-                      version of his  <a href="pub/shorewall/parsefw/">CGI-based 
-       log    parser</a>         with corrected date   handling. </p>
+                         version of his  <a
+ href="pub/shorewall/parsefw/">CGI-based           log    parser</a>     
+   with corrected date   handling. </p>
                                                                         
-                                          
+                                                      
 <p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
                                                                         
-                                          
+                                                      
 <p>The quick search on the home page now excludes the mailing list archives. 
-                      The <a href="htdig/search.html">Extended Search</a> 
-allows       excluding          the     archives or restricting the search 
-to just   the    archives. An   archive      search   form   is also available 
-on the  <a href="http://lists.shorewall.net/mailing_list.htm">mailing    
- list information    page</a>.</p>
+                         The <a href="htdig/search.html">Extended Search</a> 
+   allows       excluding          the     archives or restricting the search 
+   to just   the    archives. An   archive      search   form   is also available 
+   on the  <a href="http://lists.shorewall.net/mailing_list.htm">mailing 
+    list information    page</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>The 1.2.10 Debian Package
- is   available      at      <a
+                                                   <li>The 1.2.10 Debian
+Package     is   available      at      <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
-                                             <li>Shorewall 1.2.9 is now in
- the          <a
+                                                   <li>Shorewall 1.2.9 is 
+now   in  the          <a
  href="http://packages.debian.org/unstable/net/shorewall.html">Debian   
     Unstable Distribution</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>3/25/2002 - Log Parser Available</b></p>
                                                                         
-                                          
+                                                      
 <p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided a  <a
  href="pub/shorewall/parsefw/">CGI-based log parser</a> for Shorewall. Thanks 
-                      John.</p>
+                         John.</p>
                                                                         
-                                          
+                                                      
 <p><b>3/20/2002 - Shorewall 1.2.10 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>A "shorewall try" command
- has   been   added    (syntax:     shorewall      try       <i>     &lt;configuration 
-    directory&gt;</i>).     This   command attempts     "shorewall  -c <i> 
-    &lt;configuration directory&gt;</i>        start" and if   that  results 
-   in the firewall     being stopped due  to   an   error, a "shorewall  
-start"     command  is executed. The     'try'  command      allows you to
-create   a new <a href="Documentation.htm#Configs">    configuration</a> 
-    and  attempt   to start    it; if there is an error that leaves     your
-   firewall   in the   stopped state,    it will automatically be restarted 
- using      the  default   configuration (in   /etc/shorewall).</li>
-                                             <li>A new variable ADD_SNAT_ALIASES
-    has   been   added    to         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.
-              If this           variable is set to "Yes", Shorewall will
-automatically              add IP addresses           listed in the third
-column of the     <a href="Documentation.htm#Masq">     /etc/shorewall/masq</a>
-file.</li>
-                                             <li>Copyright notices have been
-  added    to  the   documenation.</li>
+                                                   <li>A "shorewall try"
+command     has   been   added    (syntax:     shorewall      try       <i>
+    &lt;configuration        directory&gt;</i>).     This   command attempts
+    "shorewall  -c     <i>       &lt;configuration directory&gt;</i>    
+   start" and if   that  results      in the firewall     being stopped due
+ to   an   error, a "shorewall   start"     command  is executed. The   
+ 'try'  command      allows you to create   a new <a
+ href="Documentation.htm#Configs">    configuration</a>       and  attempt
+  to start    it; if there is an error that leaves     your    firewall 
+ in the   stopped state,    it will automatically be restarted     using
+     the  default   configuration (in   /etc/shorewall).</li>
+                                                   <li>A new variable ADD_SNAT_ALIASES
+       has   been   added    to         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.
+                 If this           variable is set to "Yes", Shorewall will
+  automatically              add IP addresses           listed in the third
+  column of the     <a href="Documentation.htm#Masq">     /etc/shorewall/masq</a>
+  file.</li>
+                                                   <li>Copyright notices
+have   been   added    to  the   documenation.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>3/11/2002 - Shorewall 1.2.9 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>Filtering by <a
+                                                   <li>Filtering by <a
  href="Documentation.htm#MAC">MAC   address</a>       has   been added. 
    MAC addresses may be used as the  source address   in:               
                                                                         
                                                                         
-                                             
+                                                                        
+  
     <ul>
-                                               <li>Filtering rules (<a
- href="Documentation.htm#Rules">/etc/shorewall/rules</a>)</li>
-                                               <li>Traffic Control Classification 
-    Rules    (<a href="traffic_shaping.htm#tcrules">/etc/shorewall/tcrules</a>)</li>
-                                               <li>TOS Rules (<a
+                                                     <li>Filtering rules
+(<a href="Documentation.htm#Rules">/etc/shorewall/rules</a>)</li>
+                                                     <li>Traffic Control
+Classification        Rules    (<a href="traffic_shaping.htm#tcrules">/etc/shorewall/tcrules</a>)</li>
+                                                     <li>TOS Rules (<a
  href="Documentation.htm#TOS">/etc/shorewall/tos</a>)</li>
-                                               <li>Blacklist (<a
+                                                     <li>Blacklist (<a
  href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a>)</li>
                                                                         
                                                                         
                                                                         
-                               
+                                                                   
     </ul>
-                                             </li>
-                                             <li>Several bugs have been fixed</li>
-                                             <li>The 1.2.9 Debian Package 
-is  also   available      at      <a
+                                                   </li>
+                                                   <li>Several bugs have
+been   fixed</li>
+                                                   <li>The 1.2.9 Debian Package 
+   is  also   available      at      <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                          
+                                                      
 <p><b>3/1/2002 - 1.2.8 Debian Package is Available</b></p>
                                                                         
-                                          
+                                                      
 <p>See <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
                                                                         
-                                         
+                                                     
 <p><b>2/25/2002 - New Two-interface Sample</b></p>
                                                                         
-          
+                      
 <p>I've enhanced the two interface sample to allow access from the firewall 
-                    to  servers in the local zone - <a
+                       to  servers in the local zone - <a
  href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">
-                     http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz</a></p>
+                        http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz</a></p>
                                                                         
-            
+                        
 <p><b>2/23/2002 - Shorewall 1.2.8 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects 
  problems associated with the lock file used to prevent multiple state-changing 
-                      operations from occuring simultaneously. My apologies 
-  for    any    inconvenience          my   carelessness may have caused.</p>
+                         operations from occuring simultaneously. My apologies 
+     for    any    inconvenience          my   carelessness may have caused.</p>
                                                                         
-                                          
+                                                      
 <p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>UPnP probes (UDP destination 
-  port   1900)    are   now   silently     dropped     in the    <i>common</i> 
-  chain</li>
-                                             <li>RFC 1918 checking in the 
-mangle    table    has   been   streamlined       to  no  longer     require 
-packet    marking.    RFC 1918  checking   in the filter      table   has 
-been     changed to  require  half  as many rules  as previously.</li>
-                                             <li>A 'shorewall check' command
-  has   been   added    that   does   a  cursory     validation      of the
-  zones,   interfaces,   hosts,   rules   and   policy  files.</li>
+                                                   <li>UPnP probes (UDP destination 
+     port   1900)    are   now   silently     dropped     in the    <i>common</i> 
+     chain</li>
+                                                   <li>RFC 1918 checking
+in  the   mangle    table    has   been   streamlined       to  no  longer
+    require   packet    marking.    RFC 1918  checking   in the filter  
+   table   has   been     changed to  require  half  as many rules  as previously.</li>
+                                                   <li>A 'shorewall check'
+ command     has   been   added    that   does   a  cursory     validation
+      of the    zones,   interfaces,   hosts,   rules   and   policy  files.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                          
+                                                      
 <p><b>2/18/2002 - 1.2.6 Debian Package is Available</b></p>
                                                                         
-                                          
+                                                      
 <p>See <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
                                                                         
-                                          
+                                                      
 <p><b>2/8/2002 - Shorewall 1.2.6 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                          
+                                                      
 <ul>
-                                             <li>$-variables may now be used
-  anywhere     in  the   configuration        files    except     /etc/shorewall/zones.</li>
-                                             <li>The interfaces and hosts 
-files    now   have   their    contents     validated      before     any 
-changes   are made   to the  existing    Netfilter    configuration.     The
-appearance        of   a zone name that isn't   defined  in  /etc/shorewall/zones 
-    causes  "shorewall        start" and "shorewall   restart"  to abort without
- changing     the Shorewall    state.     Unknown options  in either file
-cause a warning   to  be issued.</li>
-                                             <li>A problem occurring when 
-BLACKLIST_LOGLEVEL          was   not   set   has   been       corrected.</li>
+                                                   <li>$-variables may now
+ be  used   anywhere     in  the   configuration        files    except 
+   /etc/shorewall/zones.</li>
+                                                   <li>The interfaces and 
+hosts    files    now   have   their    contents     validated      before 
+    any    changes   are made   to the  existing    Netfilter    configuration. 
+    The appearance        of   a zone name that isn't   defined  in  /etc/shorewall/zones 
+       causes  "shorewall        start" and "shorewall   restart"  to abort 
+  without  changing     the Shorewall    state.     Unknown options  in either 
+  file cause a warning   to  be issued.</li>
+                                                   <li>A problem occurring
+ when   BLACKLIST_LOGLEVEL          was   not   set   has   been       corrected.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>2/4/2002 - Shorewall 1.2.5 Debian Package Available</b></p>
                                                                         
-                                          
+                                                      
 <p>see <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
                                                                         
-                                          
+                                                      
 <p><b>2/1/2002 - Shorewall 1.2.5 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>Due to installation problems with Shorewall 1.2.4, I have released Shorewall
-                      1.2.5. Sorry for the rapid-fire development.</p>
+                         1.2.5. Sorry for the rapid-fire development.</p>
                                                                         
-                                          
+                                                      
 <p>In version 1.2.5:</p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li>The installation problems 
-have   been   corrected.</li>
-                                            <li><a
+                                                  <li>The installation problems 
+   have   been   corrected.</li>
+                                                  <li><a
  href="Documentation.htm#Masq">SNAT</a>      is  now   supported.</li>
-                                            <li>A "shorewall version" command 
-  has   been   added</li>
-                                            <li>The default value of the
-STATEDIR     variable     in      /etc/shorewall/shorewall.conf         has
-been changed     to /var/lib/shorewall         in     order to conform to
-the    GNU/Linux        File Hierarchy Standard,       Version  2.2.</li>
+                                                  <li>A "shorewall version" 
+ command     has   been   added</li>
+                                                  <li>The default value of
+ the   STATEDIR     variable     in      /etc/shorewall/shorewall.conf  
+      has  been changed     to /var/lib/shorewall         in     order to
+conform to  the    GNU/Linux        File Hierarchy Standard,       Version
+ 2.2.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li>The "fw" zone <a
+                                                  <li>The "fw" zone <a
  href="Documentation.htm#FW">may   now   be  given    a      different name</a>.</li>
-                                            <li>You may now place end-of-line 
-  comments     (preceded      by  '#')   in  any   of  the     configuration 
-  files</li>
-                                            <li>There is now protection against 
-   against     two   state    changing     operations         occuring concurrently. 
-   This    is implemented     using the   'lockfile'  utility    if     it 
- is  available    (lockfile is  part   of procmail);   otherwise,  a less 
-  robust      technique    is used.  The lockfile   is created   in the STATEDIR 
-  defined    in     /etc/shorewall/shorewall.conf       and has the  name 
-"lock".</li>
-                                            <li>"shorewall start" no longer 
- fails    if  "detect"     is      specified      in      <a
+                                                  <li>You may now place end-of-line 
+     comments     (preceded      by  '#')   in  any   of  the     configuration 
+     files</li>
+                                                  <li>There is now protection 
+  against     against     two   state    changing     operations         occuring
+  concurrently.     This    is implemented     using the   'lockfile'  utility
+     if     it   is  available    (lockfile is  part   of procmail);   otherwise,
+   a less    robust      technique    is used.  The lockfile   is created
+  in the STATEDIR    defined    in     /etc/shorewall/shorewall.conf    
+  and has the  name  "lock".</li>
+                                                  <li>"shorewall start" no
+ longer    fails    if  "detect"     is      specified      in      <a
  href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>       
       for an interface with subnet mask 255.255.255.255.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>1/27/2002 - Shorewall 1.2.3 Debian Package Available </b>-- see <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
                                                                         
-                                         
+                                                     
 <p><b>1/20/2002 - Corrected firewall script available </b></p>
                                                                         
-                                         
+                                                     
 <p>Corrects a problem with BLACKLIST_LOGLEVEL. See <a href="errata.htm">the
-                     errata</a> for details.</p>
+                        errata</a> for details.</p>
                                                                         
-                                          
+                                                      
 <p><b>1/19/2002 - Shorewall 1.2.3 Released</b></p>
                                                                         
-                                         
+                                                     
 <p>This is a minor feature and bugfix release. The single new feature is:</p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li>Support for TCP MSS Clamp 
-to  PMTU   --  This   support     is  usually     required   when     the 
-internet   connection    is  via PPPoE    or PPTP  and may    be enabled 
-using the      <a href="Documentation.htm#ClampMSS">CLAMPMSS</a>       option 
-in  /etc/shorewall/shorewall.conf.</li>
+                                                  <li>Support for TCP MSS 
+Clamp    to  PMTU   --  This   support     is  usually     required   when 
+    the    internet   connection    is  via PPPoE    or PPTP  and may    be
+enabled    using the      <a href="Documentation.htm#ClampMSS">CLAMPMSS</a> 
+      option   in  /etc/shorewall/shorewall.conf.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-          
+                      
 <p>The following problems were corrected:</p>
                                                                         
-          
+                      
 <ul>
-                                            <li>The "shorewall status" command
-   no  longer    hangs.</li>
-                                            <li>The "shorewall monitor" command 
-   now   displays     the   icmpdef     chain</li>
-                                            <li>The CLIENT PORT(S) column 
-in  tcrules     is  no  longer    ignored</li>
+                                                  <li>The "shorewall status"
+  command     no  longer    hangs.</li>
+                                                  <li>The "shorewall monitor" 
+  command     now   displays     the   icmpdef     chain</li>
+                                                  <li>The CLIENT PORT(S)
+column    in  tcrules     is  no  longer    ignored</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-          
+                      
 <p><b>1/18/2002 - Shorewall 1.2.2 packaged with new </b><a
  href="http://leaf.sourceforge.net">LEAF</a><b> release</b></p>
                                                                         
-                                         
+                                                     
 <p>Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
-                     that includes Shorewall 1.2.2. See <a
+                        that includes Shorewall 1.2.2. See <a
  href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a>
-                     for details.</p>
+                        for details.</p>
                                                                         
-                                         
+                                                     
 <p><b>1/11/2002 - Debian Package (.deb) Now Available - </b>Thanks to <a
  href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni</a>, a 1.2.2 
-                    Shorewall Debian package is now available. There is a 
-link     to   Lorenzo's          site  from the <a href="download.htm">Shorewall 
-   download     page</a>.</p>
+                       Shorewall Debian package is now available. There is 
+ a  link     to   Lorenzo's          site  from the <a
+ href="download.htm">Shorewall     download     page</a>.</p>
                                                                         
-                                         
+                                                     
 <p><b>1/9/2002 - Updated 1.2.2 /sbin/shorewall available - </b><a
  href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version </a>restores 
-                    the "shorewall status" command to health.</p>
+                       the "shorewall status" command to health.</p>
                                                                         
-                                          
+                                                      
 <p><b>1/8/2002 - Shorewall 1.2.2 Released</b></p>
                                                                         
-                                         
+                                                     
 <p>In version 1.2.2</p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li>Support for IP blacklisting 
- has   been   added                                                      
+                                                  <li>Support for IP blacklisting 
+    has   been   added                                                   
                                                                         
                                                                         
-          
+                                           
     <ul>
-                                              <li>You specify whether you 
-want   packets     from   blacklisted       hosts    dropped   or        
-rejected   using the            <a
+                                                    <li>You specify whether 
+ you   want   packets     from   blacklisted       hosts    dropped   or 
+       rejected   using the            <a
  href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION            
   </a>setting            in /etc/shorewall/shorewall.conf</li>
-                                              <li>You specify whether you 
-want   packets     from   blacklisted       hosts    logged   and        
-at what   syslog level    using   the <a
+                                                    <li>You specify whether 
+ you   want   packets     from   blacklisted       hosts    logged   and 
+       at what   syslog level    using   the <a
  href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>              
 setting            in /etc/shorewall/shorewall.conf</li>
-                                              <li>You list the IP addresses/subnets 
-     that   you   wish   to  blacklist      in          <a
+                                                    <li>You list the IP addresses/subnets 
+        that   you   wish   to  blacklist      in          <a
  href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
-                                              <li>You specify the interfaces
-  you   want   checked     against     the   blacklist             using
-the   new  "<a href="Documentation.htm#BLInterface">blacklist</a>"      
-      option  in             /etc/shorewall/interfaces.</li>
-                                              <li>The black list is refreshed 
-  from   /etc/shorewall/blacklist             by  the           "shorewall 
- refresh"   command.</li>
+                                                    <li>You specify the interfaces
+     you   want   checked     against     the   blacklist             using
+  the   new  "<a href="Documentation.htm#BLInterface">blacklist</a>"    
+        option  in             /etc/shorewall/interfaces.</li>
+                                                    <li>The black list is 
+refreshed      from   /etc/shorewall/blacklist             by  the       
+   "shorewall     refresh"   command.</li>
                                                                         
                                                                         
                                                                         
-                             
+                                                                 
     </ul>
-                                            </li>
-                                            <li>Use of TCP RST replies has
- been   expanded                                                        
+                                                  </li>
+                                                  <li>Use of TCP RST replies
+  has   been   expanded                                                 
                                                                         
                                                                         
-          
+                                               
     <ul>
-                                              <li>TCP connection requests 
-rejected     because     of  a  REJECT    policy    are   now         replied 
-with a  TCP  RST packet.</li>
-                                              <li>TCP connection requests 
-rejected     because     of  a  protocol=all       rule   in         /etc/shorewall/rules
-     are now    replied   with a TCP RST   packet.</li>
+                                                    <li>TCP connection requests 
+   rejected     because     of  a  REJECT    policy    are   now         replied
+   with a  TCP  RST packet.</li>
+                                                    <li>TCP connection requests 
+   rejected     because     of  a  protocol=all       rule   in         /etc/shorewall/rules
+        are now    replied   with a TCP RST   packet.</li>
                                                                         
                                                                         
                                                                         
-                             
+                                                                 
     </ul>
-                                            </li>
-                                            <li>A <a
+                                                  </li>
+                                                  <li>A <a
  href="Documentation.htm#Logfile">LOGFILE</a>       specification       
 has  been     added to /etc/shorewall/shorewall.conf.       LOGFILE is used
    to   tell the     /sbin/shorewall program where to   look    for Shorewall
-      messages.</li>
+         messages.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>1/5/2002 - New Parameterized Samples (<a
  href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.2.0/"
  target="_blank">version 1.2.0</a>) released. </b>These are minor updates 
-                    to the previously-released samples. There are two new 
-rules      added:</p>
+                       to the previously-released samples. There are two new
+   rules      added:</p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li>Unless you have explicitly
- enabled     Auth   connections       (tcp   port   113)   to your     firewall,
- these     connections   will be  REJECTED     rather   than   DROPPED. 
- This     speeds  up connection   establishment    to   some servers.</li>
-                                            <li>Orphan DNS replies are now
- silently     dropped.</li>
+                                                  <li>Unless you have explicitly
+    enabled     Auth   connections       (tcp   port   113)   to your   
+ firewall,    these     connections   will be  REJECTED     rather   than
+  DROPPED.   This     speeds  up connection   establishment    to   some
+servers.</li>
+                                                  <li>Orphan DNS replies
+are   now   silently     dropped.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-          
+                      
 <p>See the README file for upgrade instructions.</p>
                                                                         
-            
+                        
 <p><b>1/1/2002 - <u><font color="#ff6633">Shorewall Mailing List Moving</font></u></b></p>
                                                                         
-                                          
+                                                      
 <p>The Shorewall mailing list hosted at <a href="http://sourceforge.net"> 
-                    Sourceforge</a> is moving to Shorewall.net.  If you are 
-  a  current        subscriber        to the list at Sourceforge, please <a
- href="shorewall_mailing_list_migration.htm">see  these instructions</a>. 
-                    If you would like to subscribe to the new list, visit 
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
+                       Sourceforge</a> is moving to Shorewall.net.  If you 
+ are    a  current        subscriber        to the list at Sourceforge, please 
+  <a href="shorewall_mailing_list_migration.htm">see  these instructions</a>. 
+                       If you would like to subscribe to the new list, visit 
+   <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>12/31/2001 - Shorewall 1.2.1 Released</b></p>
                                                                         
-                                          
+                                                      
 <p>In version 1.2.1:</p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li><a
+                                                  <li><a
  href="Documentation.htm#LogUncleanOption">Logging     of  Mangled/Invalid 
-                  Packets</a> is added. </li>
-                                            <li>The <a href="IPIP.htm">tunnel 
-  script</a>      has   been   corrected.</li>
-                                            <li>'shorewall show tc' now correctly 
-    handles     tunnels.</li>
+                     Packets</a> is added. </li>
+                                                  <li>The <a
+ href="IPIP.htm">tunnel     script</a>      has   been   corrected.</li>
+                                                  <li>'shorewall show tc' 
+now   correctly      handles     tunnels.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist  releasing
 1.2 on 12/21/2001</b></p>
                                                                         
-                                          
+                                                      
 <p>Version 1.2 contains the following new features:</p>
                                                                         
-                                         
+                                                     
 <ul>
-                                            <li>Support for <a
+                                                  <li>Support for <a
  href="traffic_shaping.htm">Traffic     Control/Shaping</a></li>
-                                            <li>Support for <a
+                                                  <li>Support for <a
  href="Documentation.htm#Unclean">Filtering      of      Mangled/Invalid
 Packets</a></li>
-                                            <li>Support for <a
+                                                  <li>Support for <a
  href="IPIP.htm">GRE   Tunnels</a></li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p>For the next month or so, I will continue to provide corrections to version
-                      1.1.18 as necessary so that current version 1.1.x users
-    will     not    be   forced    into a  quick upgrade to 1.2.0 just to
-have    access    to bug   fixes.</p>
+                         1.1.18 as necessary so that current version 1.1.x
+ users      will     not    be   forced    into a  quick upgrade to 1.2.0
+just to  have    access    to bug   fixes.</p>
                                                                         
-           
+                       
 <p>For those of you who have installed one of the Beta RPMS, you will need 
-                    to  use the "--oldpackage" option when upgrading to 1.2.0:</p>
+                       to  use the "--oldpackage" option when upgrading to 
+ 1.2.0:</p>
                                                                         
-           
+                       
 <blockquote>                                                            
-                                                                 
-  <p>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</p>
-                                           </blockquote>
                                                                         
-                                         
+         
+  <p>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</p>
+                                                 </blockquote>
+                                                                        
+                                                     
 <p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
-                     Cowles</a>, there is now a Shorewall mirror in Texas.
- </b>This         web    site     is  mirrored at <a
+                        Cowles</a>, there is now a Shorewall mirror in Texas.
+    </b>This         web    site     is  mirrored at <a
  href="http://www.infohiiway.com/shorewall" target="_top">http://www.infohiiway.com/shorewall</a>
-            and the ftp site is at <a
+               and the ftp site is at <a
  href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
                                                                         
-                                               
+                                                           
 <p><b>11/30/2001 - A new set of the parameterized <a
  href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample      
 Configurations</a> has been released</b>. In this version:</p>
                                                                         
-                                    
+                                                
 <ul>
-                                            <li>Ping is now allowed between 
- the   zones.</li>
-                                            <li>In the three-interface configuration, 
-      it  is  now   possible     to  configure    the     internet services 
-  that    are  to  be available   to  servers    in the DMZ. </li>
+                                                  <li>Ping is now allowed 
+between     the   zones.</li>
+                                                  <li>In the three-interface
+  configuration,        it  is  now   possible     to  configure    the 
+   internet services    that    are  to  be available   to  servers    in
+the  DMZ. </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                 
+                             
 <p><b>11/20/2001 - The current version of Shorewall is 1.1.18. </b></p>
                                                                         
-                                          
+                                                      
 <p>In this version:</p>
                                                                         
-                                    
+                                                
 <ul>
-                                            <li>The spelling of ADD_IP_ALIASES
-   has   been   corrected      in  the   shorewall.conf          file</li>
-                                            <li>The logic for deleting user-defined 
-     chains    has   been   simplified      so  that it     avoids a bug in
-  the   LRP version    of   the 'cut'   utility.</li>
-                                            <li>The /var/lib/lrpkg/shorwall.conf
-    file   has   been   corrected      to  properly        display the NAT
- entry   in  that file.</li>
+                                                  <li>The spelling of ADD_IP_ALIASES
+      has   been   corrected      in  the   shorewall.conf          file</li>
+                                                  <li>The logic for deleting
+  user-defined       chains    has   been   simplified      so  that it 
+   avoids a bug in   the   LRP version    of   the 'cut'   utility.</li>
+                                                  <li>The /var/lib/lrpkg/shorwall.conf
+       file   has   been   corrected      to  properly        display the
+NAT    entry   in  that file.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                               
+                                                           
 <p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj
-                           Ontkanin</a>, there is now a Shorewall mirror
-in   the    Slovak       Republic</b>.       The website is now mirrored
-at <a href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall</a>
-                           and the FTP site is mirrored at <a
+                              Ontkanin</a>, there is now a Shorewall mirror
+  in   the    Slovak       Republic</b>.       The website is now mirrored
+ at <a href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall</a>
+                              and the FTP site is mirrored at <a
  href="ftp://ftp.nrg.sk/mirror/shorewall">ftp://ftp.nrg.sk/mirror/shorewall</a>.</p>
                                                                         
-                                          
+                                                      
 <p><b>11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.</b>
-                         There are three sample configurations:</p>
+                            There are three sample configurations:</p>
                                                                         
-                                    
+                                                
 <ul>
-                                            <li>One Interface -- for a standalone 
-    system.</li>
-                                            <li>Two Interfaces -- A masquerading
-    firewall.</li>
-                                            <li>Three Interfaces -- A masquerading
-     firewall     with   DMZ.</li>
+                                                  <li>One Interface -- for
+ a  standalone      system.</li>
+                                                  <li>Two Interfaces -- A 
+masquerading       firewall.</li>
+                                                  <li>Three Interfaces -- 
+A  masquerading       firewall     with   DMZ.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                                            
+                                                        
 <p>Samples may be downloaded from <a
  href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17">    ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17</a>
-                        .   See the README file for instructions.</p>
+                           .   See the README file for instructions.</p>
                                                                         
-                                                   
+                                                               
 <p><b>11/1/2001 - The current version of Shorewall is 1.1.17</b>.  I intend
-                             this to be the last of the 1.1 Shorewall releases.</p>
+                                this to be the last of the 1.1 Shorewall
+releases.</p>
                                                                         
-                                                   
+                                                               
 <p> In this version:</p>
                                                                         
-                                    
+                                                
 <ul>
-                                            <li>The handling of <a
+                                                  <li>The handling of <a
  href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>                   has
-             been corrected. </li>
+                been corrected. </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                 
+                             
 <p><b>10/22/2001 - The current version of Shorewall is 1.1.16</b>. In this
-                     version:</p>
+                        version:</p>
                                                                         
-             
+                         
 <ul>
-                                            <li>A new "shorewall show connections"
-     command     has   been   added.</li>
-                                            <li>In the "shorewall monitor"
- output,     the   currently      tracked           connections  are now
-shown  on a  separate     page.</li>
-                                            <li>Prior to this release, Shorewall
-    unconditionally         added    the   external    IP     adddress(es)
- specified   in /etc/shorewall/nat.         Beginning     with version  
-        1.1.16,   a new parameter (<a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)
-             may be set              to "no" (or "No") to inhibit this behavior.
-          This   allows    IP   aliases       created using your distribution's
-    network       configuration          tools    to   be used in static
+                                                  <li>A new "shorewall show 
+ connections"       command     has   been   added.</li>
+                                                  <li>In the "shorewall monitor"
+    output,     the   currently      tracked           connections  are now
+  shown  on a  separate     page.</li>
+                                                  <li>Prior to this release,
+  Shorewall      unconditionally         added    the   external    IP  
+  adddress(es)   specified   in /etc/shorewall/nat.         Beginning   
+ with version           1.1.16,   a new parameter (<a
+ href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)               may be
+ set              to "no" (or "No") to inhibit this behavior.           
+This    allows    IP   aliases       created using your distribution's  
+   network        configuration          tools    to   be used in static
 NAT. </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-                 
+                             
 <p><b>10/15/2001 - The current version of Shorewall is 1.1.15.</b> In this
-                     version:</p>
+                        version:</p>
                                                                         
-             
+                         
 <ul>
-                                            <li>Support for nested zones
-has   been   improved.      See       <a href="Documentation.htm#Nested">
- the  documentation</a>    for        details</li>
-                                            <li>Shorewall now correctly checks
-   the   alternate      configuration        directory    for     the 'zones'
-   file.</li>
+                                                  <li>Support for nested
+zones    has   been   improved.      See       <a
+ href="Documentation.htm#Nested">   the  documentation</a>    for       
+details</li>
+                                                  <li>Shorewall now correctly 
+  checks    the   alternate      configuration        directory    for   
+ the 'zones'    file.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>10/4/2001 - The current version of Shorewall is 1.1.14.</b> In this 
-                    version</p>
+                       version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Shorewall now supports alternate
-    configuration        directories.       When   an      alternate directory
-    is specified when     starting  or restarting       Shorewall       
-(e.g.,     "shorewall -c /etc/testconf     restart"),  Shorewall      will
-first     look for configuration files  in   the alternate  directory   then
-  in      /etc/shorewall.    To create  an  alternate configuration  simply:<br>
-                                              1. Create a New Directory<br>
-                                              2. Copy to that directory any 
- of  your   configuration        files    that   you   want to     change.<br>
-                                              3. Modify the copied files
-as  needed.<br>
-                                              4. Restart Shorewall specifying 
-  the   new   directory.</li>
-                                            <li>The rules for allowing/disallowing
-     icmp   echo-requests        (pings)     are   now     moved after rules
-   created   when processing  the    rules  file.   This  allows   you to
-    add rules   that selectively  allow/deny    ping  based   on source 
-or   destination      address.</li>
-                                            <li>Rules that specify multiple 
- client    ip  addresses      or  subnets     no  longer   cause     startup 
- failures.</li>
-                                            <li>Zone names in the policy
-file   are   now   validated      against     the   zones    file.</li>
-                                            <li>If you have <a
+                                                  <li>Shorewall now supports
+  alternate      configuration        directories.       When   an      alternate
+  directory      is specified when     starting  or restarting       Shorewall
+         (e.g.,     "shorewall -c /etc/testconf     restart"),  Shorewall
+     will first     look for configuration files  in   the alternate  directory
+    then   in      /etc/shorewall.    To create  an  alternate configuration
+   simply:<br>
+                                                    1. Create a New Directory<br>
+                                                    2. Copy to that directory 
+  any   of  your   configuration        files    that   you   want to    
+change.<br>
+                                                    3. Modify the copied
+files    as  needed.<br>
+                                                    4. Restart Shorewall
+specifying      the   new   directory.</li>
+                                                  <li>The rules for allowing/disallowing
+        icmp   echo-requests        (pings)     are   now     moved after
+rules      created   when processing  the    rules  file.   This  allows
+  you to       add rules   that selectively  allow/deny    ping  based  
+on source  or   destination      address.</li>
+                                                  <li>Rules that specify
+multiple     client    ip  addresses      or  subnets     no  longer   cause
+    startup     failures.</li>
+                                                  <li>Zone names in the policy
+   file   are   now   validated      against     the   zones    file.</li>
+                                                  <li>If you have <a
  href="Documentation.htm#MangleEnabled">packet     mangling</a>        support
-              enabled, the "<a href="Documentation.htm#Interfaces">norfc1918</a>"
-               interface option     now logs and drops any incoming packets
-  on   the    interface           that have     an RFC 1918 destination address.</li>
+                 enabled, the "<a href="Documentation.htm#Interfaces">norfc1918</a>"
+                  interface option     now logs and drops any incoming packets
+     on   the    interface           that have     an RFC 1918 destination
+ address.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>9/12/2001 - The current version of Shorewall is 1.1.13</b>. In this 
-                    version</p>
+                       version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Shell variables can now be
- used   to  parameterize       Shorewall      rules.</li>
-                                            <li>The second column in the
-hosts    file   may   now   contain     a  comma-separated           list.<br>
-                                              <br>
-                                              Example:<br>
-                                                  sea        eth0:130.252.100.0/24,206.191.149.0/24</li>
-                                            <li>Handling of multi-zone interfaces 
-    has   been   improved.      See   the       <a
+                                                  <li>Shell variables can 
+now   be  used   to  parameterize       Shorewall      rules.</li>
+                                                  <li>The second column in
+ the   hosts    file   may   now   contain     a  comma-separated       
+   list.<br>
+                                                    <br>
+                                                    Example:<br>
+                                                        sea        eth0:130.252.100.0/24,206.191.149.0/24</li>
+                                                  <li>Handling of multi-zone
+  interfaces      has   been   improved.      See   the       <a
  href="Documentation.htm#Interfaces">documentation       for the   /etc/shorewall/interfaces 
-          file</a>.</li>
+             file</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>8/28/2001 - The current version of Shorewall is 1.1.12</b>. In this 
-                    version</p>
+                       version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Several columns in the rules
-  file   may   now   contain     comma-separated         lists.</li>
-                                            <li>Shorewall is now more rigorous
-   in  parsing     the   options     in      /etc/shorewall/interfaces.</li>
-                                            <li>Complementation using "!" 
-is  now   supported      in  rules.</li>
+                                                  <li>Several columns in
+the   rules    file   may   now   contain     comma-separated         lists.</li>
+                                                  <li>Shorewall is now more 
+ rigorous     in  parsing     the   options     in      /etc/shorewall/interfaces.</li>
+                                                  <li>Complementation using 
+ "!"   is  now   supported      in  rules.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>7/28/2001 - The current version of Shorewall is 1.1.11</b>. In this 
-                    version</p>
+                       version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>A "shorewall refresh" command 
-  has   been   added    to  allow    for       refreshing   the rules associated 
-   with the   broadcast    address  on   a dynamic         interface.   This 
-   command should   be used   in place of "shorewall       restart"  when 
-the    internet interface's   IP  address changes.</li>
-                                            <li>The /etc/shorewall/start
-file   (if   any)   is  now   processed      after    all      temporary
-rules have  been   deleted.     This  change prevents      the accidental
-         removal  of  rules added     during  the processing of   that  file.</li>
-                                            <li>The "dhcp" interface option 
- is  now   applicable      to  firewall         interfaces   used by a DHCP 
- server  running  on the   firewall.</li>
-                                            <li>The RPM can now be built
-from   the   .tgz   file   using    "rpm   -tb" </li>
+                                                  <li>A "shorewall refresh" 
+ command     has   been   added    to  allow    for       refreshing   the 
+ rules associated      with the   broadcast    address  on   a dynamic   
+     interface.   This     command should   be used   in place of "shorewall 
+       restart"  when  the    internet interface's   IP  address changes.</li>
+                                                  <li>The /etc/shorewall/start
+   file   (if   any)   is  now   processed      after    all      temporary
+  rules have  been   deleted.     This  change prevents      the accidental
+           removal  of  rules added     during  the processing of   that
+ file.</li>
+                                                  <li>The "dhcp" interface
+ option    is  now   applicable      to  firewall         interfaces   used
+ by a DHCP    server  running  on the   firewall.</li>
+                                                  <li>The RPM can now be
+built    from   the   .tgz   file   using    "rpm   -tb" </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Shorewall now enables Ipv4
- Packet    Forwarding      by  default.     Packet    forwarding      may
-be disabled    by specifying     IP_FORWARD=Off    in       /etc/shorewall/shorewall.conf. 
-        If you don't     want Shorewall  to  enable   or     disable packet 
-  forwarding,    add  IP_FORWARDING=Keep     to your      /etc/shorewall/shorewall.conf
-     file.</li>
-                                            <li>The "shorewall hits" command
-  no  longer    lists    extraneous      service         names in its last
- report.</li>
-                                            <li>Erroneous instructions in 
-the   comments     at  the   head   of  the   firewall     script     have 
-been   corrected.</li>
+                                                  <li>Shorewall now enables 
+ Ipv4   Packet    Forwarding      by  default.     Packet    forwarding  
+   may  be disabled    by specifying     IP_FORWARD=Off    in       /etc/shorewall/shorewall.conf. 
+           If you don't     want Shorewall  to  enable   or     disable packet 
+     forwarding,    add  IP_FORWARDING=Keep     to your      /etc/shorewall/shorewall.conf
+        file.</li>
+                                                  <li>The "shorewall hits"
+ command     no  longer    lists    extraneous      service         names
+in its last    report.</li>
+                                                  <li>Erroneous instructions
+  in  the   comments     at  the   head   of  the   firewall     script 
+   have  been   corrected.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>The "tunnels" file <u>really</u>
-    is  in  the   RPM   now.</li>
-                                            <li>SNAT can now be applied to
- port-forwarded        connections.</li>
-                                            <li>A bug which would cause firewall
-    start    failures     in  some   dhcp   configurations        has been
- fixed.</li>
-                                            <li>The firewall script now issues
-   a  message     if  you   have   the   name   of  an      interface in
-the    second  column    in an  entry   in /etc/shorewall/masq         and
-that       interface  is  not   up.</li>
-                                            <li>You can now configure Shorewall 
-   so  that   it<a href="Documentation.htm#NatEnabled"> doesn't require the 
-  NAT and/or      mangle netfilter modules</a>.</li>
-                                            <li>Thanks to Alex  Polishchuk, 
- the   "hits"    command         from   seawall     is  now in shorewall.</li>
-                                            <li>Support for <a
+                                                  <li>The "tunnels" file
+    <u>really</u>        is  in  the   RPM   now.</li>
+                                                  <li>SNAT can now be applied 
+  to  port-forwarded        connections.</li>
+                                                  <li>A bug which would cause 
+  firewall     start    failures     in  some   dhcp   configurations    
+   has been  fixed.</li>
+                                                  <li>The firewall script 
+now   issues    a  message     if  you   have   the   name   of  an      interface
+  in the    second  column    in an  entry   in /etc/shorewall/masq     
+   and that       interface  is  not   up.</li>
+                                                  <li>You can now configure 
+ Shorewall      so  that   it<a href="Documentation.htm#NatEnabled"> doesn't 
+ require the    NAT and/or      mangle netfilter modules</a>.</li>
+                                                  <li>Thanks to Alex  Polishchuk, 
+    the   "hits"    command         from   seawall     is  now in shorewall.</li>
+                                                  <li>Support for <a
  href="IPIP.htm">IPIP    tunnels</a>       has   been   added.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>A typo in the sample rules
- file   has   been   corrected.</li>
-                                            <li>It is now possible to restrict
-   masquerading       by<a href="Documentation.htm#Masq">     destination
-host   or subnet.</a></li>
-                                            <li>It is now possible to have
- static        <a href="NAT.htm#LocalPackets">NAT  rules     applied to packets
- originating                   on the firewall itself</a>.</li>
+                                                  <li>A typo in the sample
+ rules    file   has   been   corrected.</li>
+                                                  <li>It is now possible
+to  restrict     masquerading       by<a href="Documentation.htm#Masq"> 
+   destination   host   or subnet.</a></li>
+                                                  <li>It is now possible
+to  have   static        <a href="NAT.htm#LocalPackets">NAT  rules     applied 
+ to packets   originating                   on the firewall itself</a>.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>The TOS rules are now deleted 
-  when   the   firewall     is  stopped.</li>
-                                            <li>The .rpm will now install 
-regardless      of  which    version     of  iptables     is       installed.</li>
-                                            <li>The .rpm will now install 
-without     iproute2     being    installed.</li>
-                                            <li>The documentation has been
- cleaned     up.</li>
-                                            <li>The sample configuration
-files    included     in  Shorewall      have   been   formatted        
-to 80 columns    for ease     of editing on a  VGA   console.</li>
+                                                  <li>The TOS rules are now 
+ deleted     when   the   firewall     is  stopped.</li>
+                                                  <li>The .rpm will now install 
+   regardless      of  which    version     of  iptables     is       installed.</li>
+                                                  <li>The .rpm will now install 
+   without     iproute2     being    installed.</li>
+                                                  <li>The documentation has 
+ been   cleaned     up.</li>
+                                                  <li>The sample configuration
+   files    included     in  Shorewall      have   been   formatted     
+   to 80 columns    for ease     of editing on a  VGA   console.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li><a
+                                                  <li><a
  href="Documentation.htm#lograte">You   may   now   rate-limit      the 
  packet  log.</a></li>
-                                            <li>  Previous      versions
-    of       Shorewall have an implementation of Static NAT which      violates 
-  the           principle      of least surprise.  NAT only occurs for   packets
-     arriving      at  (DNAT) or      send from (SNAT) the interface named
-   in the   INTERFACE     column  of     /etc/shorewall/nat. Beginning with
-  version   1.1.6,   NAT    effective  regardless      of which interface
- packets  come from  or are    destined to. To get     compatibility  with
- prior versions,     I have  added     a new "ALL <a
+                                                  <li>  Previous      versions
+       of       Shorewall have an implementation of Static NAT which    
+ violates     the           principle      of least surprise.  NAT only occurs
+for   packets      arriving      at  (DNAT) or      send from (SNAT) the
+interface  named    in the   INTERFACE     column  of     /etc/shorewall/nat.
+Beginning  with   version   1.1.6,   NAT    effective  regardless      of
+which interface    packets  come from  or are    destined to. To get    
+compatibility  with    prior versions,     I have  added     a new "ALL <a
  href="NAT.htm#AllInterFaces">"ALL     INTERFACES"      column    to  /etc/shorewall/nat</a>.
-     By placing     "no" or "No" in   the new column,      the NAT behavior
- of     prior   versions may be retained. </li>
-                                            <li>The treatment of <a
+        By placing     "no" or "No" in   the new column,      the NAT behavior
+    of     prior   versions may be retained. </li>
+                                                  <li>The treatment of <a
  href="IPSEC.htm#RoadWarrior">IPSEC    Tunnels     where  the remote     gateway
 is a standalone system has been    improved</a>.     Previously,  it was
     necessary to include an additional    rule allowing    UDP port 500 traffic
@@ -2162,221 +2297,219 @@ to     pass through the tunnel. Shorewall    will now  create   this rule
 automatically     when you place the name of   the remote  peer's  zone in
 a new GATEWAY ZONE     column in /etc/shorewall/tunnels. </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li><a
+                                                  <li><a
  href="Documentation.htm#modules">You   may   now   pass   parameters   
   when  loading     netfilter modules and   you  can specify   the  modules
-     to   load.</a></li>
-                                            <li>Compressed modules are now
- loaded.     This   requires     that   you   modutils     support     loading
- compressed     modules.</li>
-                                            <li><a
+        to   load.</a></li>
+                                                  <li>Compressed modules
+are   now   loaded.     This   requires     that   you   modutils     support
+    loading   compressed     modules.</li>
+                                                  <li><a
  href="Documentation.htm#TOS">You   may   now   set   the   Type   of  Service
-      (TOS)     field in packets.</a></li>
-                                            <li>Corrected rules generated 
-for   port   redirection       (again).</li>
+         (TOS)     field in packets.</a></li>
+                                                  <li>Corrected rules generated 
+   for   port   redirection       (again).</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li> <a
+                                                  <li> <a
  href="Documentation.htm#Conf">Accepting      RELATED     connections   
    is  now       optional.</a></li>
-                                            <li>Corrected problem where if
- "shorewall      start"    aborted     early          (due to kernel configuration
- errors     for example),    superfluous     'sed'    error         messages
- were reported.</li>
-                                            <li>Corrected rules generated 
-for   port   redirection.</li>
-                                            <li>The order in which iptables 
- kernel    modules     are   loaded    has   been         corrected (Thanks 
- to Mark   Pavlidis). </li>
+                                                  <li>Corrected problem where 
+  if  "shorewall      start"    aborted     early          (due to kernel 
+configuration   errors     for example),    superfluous     'sed'    error 
+        messages   were reported.</li>
+                                                  <li>Corrected rules generated 
+   for   port   redirection.</li>
+                                                  <li>The order in which
+iptables     kernel    modules     are   loaded    has   been         corrected
+(Thanks     to Mark   Pavlidis). </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-           
+                       
 <p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version</p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Correct message issued when 
- Proxy    ARP   address     added    (Thanks     to  Jason    Kirtland).</li>
-                                            <li>/tmp/shorewallpolicy-$$ is
- now   removed     if  there    is  an  error    while      starting the
-firewall.</li>
-                                            <li>/etc/shorewall/icmp.def and 
- /etc/shorewall/common.def              are   now   used     to define the 
- icmpdef and common chains unless       overridden       by the     presence 
-   of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
-                                            <li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf
-             has   been     corrected.   An extra space after "/etc/shorwall/policy"
-           has  been     removed    and "/etc/shorwall/rules"   has been
-added.</li>
-                                            <li>When a sub-shell encounters 
- a  fatal    error    and   has   stopped     the     firewall,  it now kills 
-  the main    shell so   that  the main   shell will      not    continue.</li>
-                                            <li>A problem has been corrected
-  where    a  sub-shell      stopped     the   firewall      and main shell
-  continued    resulting  in  a  perplexing   error   message         referring
-  to "common.so"    resulted.</li>
-                                            <li>Previously, placing "-" in
- the   PORT(S)     column    in    /etc/shorewall/rules        resulted in
- an error   message    during start.    This    has been corrected.</li>
-                                            <li>The first line of "install.sh"
-   has   been   corrected      --  I  had     inadvertently   deleted the
-initial    "#".</li>
+                                                  <li>Correct message issued
+  when   Proxy    ARP   address     added    (Thanks     to  Jason    Kirtland).</li>
+                                                  <li>/tmp/shorewallpolicy-$$ 
+  is  now   removed     if  there    is  an  error    while      starting 
+the  firewall.</li>
+                                                  <li>/etc/shorewall/icmp.def 
+  and   /etc/shorewall/common.def              are   now   used     to define 
+  the   icmpdef and common chains unless       overridden       by the   
+ presence     of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
+                                                  <li>In the .lrp, the file 
+ /var/lib/lrpkg/shorwall.conf               has   been     corrected.   An 
+ extra space after "/etc/shorwall/policy"             has  been     removed 
+    and "/etc/shorwall/rules"   has been added.</li>
+                                                  <li>When a sub-shell encounters 
+    a  fatal    error    and   has   stopped     the     firewall,  it now 
+ kills    the main    shell so   that  the main   shell will      not    continue.</li>
+                                                  <li>A problem has been
+corrected      where    a  sub-shell      stopped     the   firewall    
+ and main shell      continued    resulting  in  a  perplexing   error  
+message         referring      to "common.so"    resulted.</li>
+                                                  <li>Previously, placing 
+"-"   in  the   PORT(S)     column    in    /etc/shorewall/rules        resulted 
+  in  an error   message    during start.    This    has been corrected.</li>
+                                                  <li>The first line of "install.sh"
+      has   been   corrected      --  I  had     inadvertently   deleted
+the    initial    "#".</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
                                                                         
-          
+                      
 <ul>
-                                            <li>Port redirection now works
- again.</li>
-                                            <li>The icmpdef and common chains 
-      <a href="Documentation.htm#Icmpdef">may        now be user-defined</a>.</li>
-                                            <li>The firewall no longer fails
-  to  start    if  "routefilter"        is        specified  for an interface 
-  that  isn't    started.  A warning  message      is   now         issued 
-  in this  case.</li>
-                                            <li>The LRP Version is renamed
- "shorwall"      for   8,3   MSDOS    file         system  compatibility.</li>
-                                            <li>A couple of LRP-specific
-problems     were   corrected.</li>
+                                                  <li>Port redirection now
+ works    again.</li>
+                                                  <li>The icmpdef and common
+  chains        <a href="Documentation.htm#Icmpdef">may        now be user-defined</a>.</li>
+                                                  <li>The firewall no longer
+  fails    to  start    if  "routefilter"        is        specified  for
+an  interface    that  isn't    started.  A warning  message      is   now
+        issued    in this  case.</li>
+                                                  <li>The LRP Version is
+renamed     "shorwall"      for   8,3   MSDOS    file         system  compatibility.</li>
+                                                  <li>A couple of LRP-specific
+   problems     were   corrected.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>4/8/2001 - Shorewall is now affiliated with the <a
  href="http://leaf.sourceforge.net">Leaf       Project</a> </b> <a
  href="http://leaf.sourceforge.net">   <img border="0"
  src="images/leaflogo.gif" width="49" height="36">
-                                         </a></p>
+                                               </a></p>
                                                                         
-            
+                        
 <p><b>4/5/2001 - The current version of Shorewall is 1.1.1. In this version:</b></p>
                                                                         
-           
+                       
 <ul>
-                                            <li>The common chain is traversed 
-  from   INPUT,    OUTPUT    and   FORWARD     before          logging occurs</li>
-                                            <li>The source has been cleaned 
- up  dramatically</li>
-                                            <li>DHCP DISCOVER packets with
- RFC1918     source    addresses      no  longer          generate log messages.
- Linux     DHCP clients    generate   such   packets  and    it's       
- annoying   to  see them logged. </li>
+                                                  <li>The common chain is 
+traversed      from   INPUT,    OUTPUT    and   FORWARD     before       
+  logging occurs</li>
+                                                  <li>The source has been 
+cleaned     up  dramatically</li>
+                                                  <li>DHCP DISCOVER packets 
+ with   RFC1918     source    addresses      no  longer          generate 
+log messages.   Linux     DHCP clients    generate   such   packets  and 
+  it's         annoying   to  see them logged. </li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>3/25/2001 - The current version of Shorewall is 1.1.0. In this version:</b></p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Log messages now indicate 
-the   packet    disposition.</li>
-                                            <li>Error messages have been
-improved.</li>
-                                            <li>The ability to define zones 
- consisting      of  an  enumerated      set   of  hosts         and/or subnetworks 
- has   been   added.</li>
-                                            <li>The zone-to-zone chain matrix 
-  is  now   sparse    so  that   only   those    chains         that contain 
-  meaningful    rules  are  defined.</li>
-                                            <li>240.0.0.0/4 and 169.254.0.0/16
-   have   been   added    to  the   source          subnetworks whose packets
-   are dropped   under the        <i>norfc1918</i>     interface        
-   option.</li>
-                                            <li>Exits are now provided for
- executing      an  user-defined       script    when   a        chain is
-defined, when    the  firewall  is initialized,       when   the firewall
-   is       started,     when the firewall  is stopped   and    when the
- firewall is  cleared.</li>
-                                            <li>The Linux kernel's route
-filtering      facility     can   now   be  specified            selectively
-on network     interfaces.</li>
+                                                  <li>Log messages now indicate 
+   the   packet    disposition.</li>
+                                                  <li>Error messages have 
+been   improved.</li>
+                                                  <li>The ability to define 
+ zones    consisting      of  an  enumerated      set   of  hosts        
+and/or subnetworks   has   been   added.</li>
+                                                  <li>The zone-to-zone chain
+  matrix    is  now   sparse    so  that   only   those    chains       
+ that  contain    meaningful    rules  are  defined.</li>
+                                                  <li>240.0.0.0/4 and 169.254.0.0/16
+      have   been   added    to  the   source          subnetworks whose
+packets       are dropped   under the        <i>norfc1918</i>     interface
+           option.</li>
+                                                  <li>Exits are now provided
+  for   executing      an  user-defined       script    when   a        chain
+  is  defined, when    the  firewall  is initialized,       when   the firewall
+      is       started,     when the firewall  is stopped   and    when the
+   firewall is  cleared.</li>
+                                                  <li>The Linux kernel's
+route    filtering      facility     can   now   be  specified          
+ selectively    on network     interfaces.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>3/19/2001 - The current version of Shorewall is 1.0.4. This version:</b></p>
                                                                         
-           
+                       
 <ul>
-                                            <li>Allows user-defined zones.
- Shorewall      now   has   only   one   pre-defined            zone (fw)
-with the remaining      zones   being   defined   in  the new configuration
-            file /etc/shorewall/zones.         The /etc/shorewall/zones 
-   file released     in this       version    provides     behavior that
-is compatible     with Shorewall     1.0.3. </li>
-                                            <li>Adds the ability to specify 
- logging     in  entries     in  the         /etc/shorewall/rules    file.</li>
-                                            <li>Correct handling of the icmp-def
-    chain    so  that   only   ICMP   packets     are        sent through
-the    chain.</li>
-                                            <li>Compresses the output of
-"shorewall      monitor"     if  awk   is        installed.   Allows the
-command to work     if awk isn't    installed   (although           it's
-not   pretty).</li>
+                                                  <li>Allows user-defined 
+zones.    Shorewall      now   has   only   one   pre-defined            zone
+(fw)   with the remaining      zones   being   defined   in  the new configuration
+              file /etc/shorewall/zones.         The /etc/shorewall/zones
+     file released     in this       version    provides     behavior that
+ is compatible     with Shorewall     1.0.3. </li>
+                                                  <li>Adds the ability to 
+specify     logging     in  entries     in  the         /etc/shorewall/rules 
+   file.</li>
+                                                  <li>Correct handling of 
+the   icmp-def     chain    so  that   only   ICMP   packets     are     
+  sent   through the    chain.</li>
+                                                  <li>Compresses the output 
+ of  "shorewall      monitor"     if  awk   is        installed.   Allows 
+the command to work     if awk isn't    installed   (although           it's
+  not   pretty).</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
-                       release with no new features.</b></p>
+                          release with no new features.</b></p>
                                                                         
-           
+                       
 <ul>
-                                            <li>The PATH variable in the
-firewall     script    now   includes     /usr/local/bin             and
-/usr/local/sbin.</li>
-                                            <li>DMZ-related chains are now
- correctly      deleted     if  the   DMZ   is  deleted.</li>
-                                            <li>The interface OPTIONS for 
-"gw"   interfaces      are   no  longer          ignored.</li>
+                                                  <li>The PATH variable in
+ the   firewall     script    now   includes     /usr/local/bin         
+   and  /usr/local/sbin.</li>
+                                                  <li>DMZ-related chains
+are   now   correctly      deleted     if  the   DMZ   is  deleted.</li>
+                                                  <li>The interface OPTIONS 
+ for   "gw"   interfaces      are   no  longer          ignored.</li>
                                                                         
-          
+                      
 </ul>
                                                                         
-            
+                        
 <p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
-                       additional "gw" (gateway) zone for tunnels and it
-supports         IPSEC        tunnels    with end-points on the firewall.
-There is also     a  .lrp available        now.</b></p>
+                          additional "gw" (gateway) zone for tunnels and
+it   supports         IPSEC        tunnels    with end-points on the firewall.
+  There is also     a  .lrp available        now.</b></p>
                                                                         
-               
-<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a> 
-                    </font></p>
+                           
+<p><font size="2">Updated 2/13/2003 - <a href="support.htm">Tom Eastep</a> 
+                       </font></p>
                                                                         
-               
+                           
 <p><a href="copyright.htm"><font size="2">     Copyright</font> © <font
  size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
-       </p>
-       <br>
-      <br>
-     <br>
-    <br>
+   </p>
    <br>
   <br>
  <br>
diff --git a/Shorewall-docs/Shorewall_Squid_Usage.html b/Shorewall-docs/Shorewall_Squid_Usage.html
index a310704f3..814a48dcd 100644
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@@ -2,368 +2,332 @@
 <html>
 <head>
   <title>Shorewall Squid Usage</title>
-                                  
+                                         
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-                   
+                       
   <meta name="author" content="Tom Eastep">
 </head>
   <body>
-         
+           
 <table cellpadding="0" cellspacing="0" border="0" width="100%"
  bgcolor="#400169">
-   <tbody>
-     <tr>
-       <td valign="middle" width="33%" bgcolor="#400169"><a
+    <tbody>
+      <tr>
+        <td valign="middle" width="33%" bgcolor="#400169"><a
  href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
  alt="" width="88" height="31" hspace="4">
-       </a><br>
-       </td>
-       <td valign="middle" height="90" align="center" width="34%"><font
+        </a><br>
+        </td>
+        <td valign="middle" height="90" align="center" width="34%"><font
  color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
-       </td>
-       <td valign="middle" height="90" width="33%" align="right"><a
+        </td>
+        <td valign="middle" height="90" width="33%" align="right"><a
  href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
  alt="" width="100" height="31" hspace="4">
-       </a><br>
-       </td>
-     </tr>
-   
-  </tbody> 
+        </a><br>
+        </td>
+      </tr>
+       
+  </tbody>  
 </table>
- <br>
-    This page covers Shorewall configuration to use with <a
- href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent 
-  Proxy</b></u>.&nbsp;<br>
-   <a href="#DMZ"></a><br>
-     <img border="0" src="images/j0213519.gif" width="60" height="60"
+  <br>
+     This page covers Shorewall configuration to use with <a
+ href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
+   Proxy</b></u>.&nbsp;<br>
+    <a href="#DMZ"></a><br>
+      <img border="0" src="images/j0213519.gif" width="60" height="60"
  alt="Caution" align="middle">
-   &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
-   <br>
-   <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-   &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run 
-as  a transparent proxy  as described at <a
+    &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
+    <br>
+    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
+    &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
+ as  a transparent proxy  as described at <a
  href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
-   <b><br>
-   </b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-   &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start 
- and /etc/shorewall/init -- if you don't have those files, siimply create 
-them.<br>
-   <br>
-   <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in 
-the  local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts 
- file entries. That is because the packets being routed to the Squid server 
- still have their original destination IP addresses.<br>
-   <br>
-   <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    </b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed 
- on your firewall.<br>
-   <br>
-   <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid 
-server.<br>
-   <br>
-   <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf 
- file<br>
-   <br>
-   &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
- </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
-   <br>
-   Three different configurations are covered:<br>
-          
+    <b><br>
+    </b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
+    &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
+  and /etc/shorewall/init -- if you don't have those files, siimply create
+ them.<br>
+    <br>
+    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
+     </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
+ the  local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
+  file entries. That is because the packets being routed to the Squid server
+  still have their original destination IP addresses.<br>
+    <br>
+    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
+     </b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed
+  on your firewall.<br>
+    <br>
+    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
+     </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
+ server.<br>
+    <br>
+    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
+     </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
+/etc/shorewall/conf   file<br>
+    <br>
+    &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
+  </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
+    <br>
+    Three different configurations are covered:<br>
+            
 <ol>
-     <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
- Firewall.</a></li>
-     <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
+      <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
+the  Firewall.</a></li>
+      <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the 
 local  network</a></li>
-     <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
-     
+      <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
+       
 </ol>
-        
+          
 <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
-      You want to redirect all local www connection requests          EXCEPT
-                                                   those to your     own
-   http server                                                  (206.124.146.177)
-           to a Squid                                                  transparent
-         proxy  running on the firewall and listening on port 3128. Squid
+       You want to redirect all local www connection requests          EXCEPT 
+                                                   those to your     own 
+  http server                                                  (206.124.146.177) 
+           to a Squid                                                  transparent 
+         proxy  running on the firewall and listening on port 3128. Squid 
    will     of course  require access to remote web servers.<br>
-     <br>
-     In /etc/shorewall/rules:<br>
-     <br>
+      <br>
+      In /etc/shorewall/rules:<br>
+      <br>
+           
+<blockquote>                  
+  <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                <tbody>
+                                                                        
+              <tr>
+                             <td><b>ACTION</b></td>
+                                  <td><b>SOURCE</b></td>
+                                  <td><b>DEST</b></td>
+                                  <td><b>   PROTO</b></td>
+                                  <td><b>DEST<br>
+                           PORT(S)</b></td>
+                                  <td><b>SOURCE<br>
+                                  PORT(S)</b></td>
+                                  <td><b>ORIGINAL<br>
+                                  DEST</b></td>
+                                                                        
+                   </tr>
+                                <tr>
+                                  <td>REDIRECT</td>
+                                  <td>loc</td>
+                                  <td>3128</td>
+                                  <td>tcp</td>
+                                  <td>www</td>
+                                  <td> -<br>
+                  </td>
+                                  <td>!206.124.146.177</td>
+                                </tr>
+                                <tr>
+                                  <td>ACCEPT</td>
+                                  <td>fw</td>
+                                  <td>net</td>
+                                  <td>tcp</td>
+                                  <td>www</td>
+                                  <td> <br>
+                  </td>
+                                  <td> <br>
+                  </td>
+                                </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                
+    </tbody>                                                            
+                                                                        
+                                                                        
+                 
+  </table>
+                        <br>
+      </blockquote>
+           
+<h2><a name="Local"></a>Squid Running in the local network</h2>
+       You want to redirect all local www connection requests  to a Squid 
+                                                 transparent       proxy 
+running   in your local zone at 192.168.1.3 and listening on port  3128.
+ Your local  interface is eth1. There may also be a web server running on
+192.168.1.3. It is assumed that web access is already enabled from the local
+zone to the internet.<br>
+              
+<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with 
+   other aspects of your gateway including but not limited to traffic shaping 
+   and route redirection. For that reason, <b>I don't recommend it</b>.<br>
+        </p>
+               
+<ul>
+        <li>On your firewall system, issue the following command<br>
+       </li>
+           
+</ul>
+             
+<blockquote>                     
+  <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
+       </blockquote>
+             
+<ul>
+        <li>In /etc/shorewall/init, put:<br>
+         </li>
+           
+</ul>
+              
+<blockquote>                     
+  <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br>	ip rule add fwmark 202 table www.out<br>	ip route add default via 192.168.1.3 dev eth1 table www.out<br>	ip route flush cache<br>	echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
+       </blockquote>
+             
+<ul>
+        <li>In /etc/shorewall/rules:<br>
+       <br>
+                           
+    <table border="1" cellpadding="2" style="border-collapse: collapse;">
+                                <tbody>
+                                                                        
+              <tr>
+                             <td><b>ACTION</b></td>
+                                  <td><b>SOURCE</b></td>
+                                  <td><b>DEST</b></td>
+                                  <td><b>   PROTO</b></td>
+                                  <td><b>DEST<br>
+                           PORT(S)</b></td>
+                                  <td><b>SOURCE<br>
+                                  PORT(S)</b></td>
+                                  <td><b>ORIGINAL<br>
+                                  DEST</b></td>
+                                                                        
+                   </tr>
+                                <tr>
+                                  <td>ACCEPT<br>
+             </td>
+                                  <td>loc</td>
+                                  <td>loc<br>
+             </td>
+                                  <td>tcp</td>
+                                  <td>www</td>
+                                  <td> <br>
+                  </td>
+                                  <td><br>
+             </td>
+                                </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                   
+      </tbody>                                                           
+                                                                        
+                                                                        
+                        
+    </table>
+       <br>
+     </li>
+     <li>Alternativfely, you can have the following policy:<br>
+       <br>
+                 
+    <table cellpadding="2" cellspacing="0" border="1">
+         <tbody>
+           <tr>
+             <td valign="top"><b>SOURCE<br>
+             </b></td>
+             <td valign="top"><b>DESTINATION<br>
+             </b></td>
+             <td valign="top"><b>POLICY<br>
+             </b></td>
+             <td valign="top"><b>LOG LEVEL<br>
+             </b></td>
+             <td valign="top"><b>BURST PARAMETERS<br>
+             </b></td>
+           </tr>
+           <tr>
+             <td valign="top">loc<br>
+             </td>
+             <td valign="top">loc<br>
+             </td>
+             <td valign="top">ACCEPT<br>
+             </td>
+             <td valign="top"><br>
+             </td>
+             <td valign="top"><br>
+             </td>
+           </tr>
+                       
+      </tbody>               
+    </table>
+       <br>
+     </li>
+     <li>In /etc/shorewall/start add:<br>
+       </li>
+         
+</ul>
          
 <blockquote>               
-  <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                               <tbody>
-                                                                        
-             <tr>
-                            <td><b>ACTION</b></td>
-                                 <td><b>SOURCE</b></td>
-                                 <td><b>DEST</b></td>
-                                 <td><b>   PROTO</b></td>
-                                 <td><b>DEST<br>
-                          PORT(S)</b></td>
-                                 <td><b>SOURCE<br>
-                                 PORT(S)</b></td>
-                                 <td><b>ORIGINAL<br>
-                                 DEST</b></td>
-                                                                        
-                  </tr>
-                               <tr>
-                                 <td>REDIRECT</td>
-                                 <td>loc</td>
-                                 <td>3128</td>
-                                 <td>tcp</td>
-                                 <td>www</td>
-                                 <td> -<br>
-                 </td>
-                                 <td>!206.124.146.177</td>
-                               </tr>
-                               <tr>
-                                 <td>ACCEPT</td>
-                                 <td>fw</td>
-                                 <td>net</td>
-                                 <td>tcp</td>
-                                 <td>www</td>
-                                 <td> <br>
-                 </td>
-                                 <td> <br>
-                 </td>
-                               </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-          
-    </tbody>                                                             
-                                                                        
-                                                                        
-             
-  </table>
-                       <br>
+  <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
      </blockquote>
          
-<h2><a name="Local"></a>Squid Running in the local network</h2>
-      You want to redirect all local www connection requests  to a Squid
-                                                 transparent       proxy
- running   in your local zone at 192.168.1.3 and listening on port  3128. 
-Your local  interface is eth1. There may also be a web server running on 192.168.1.3.
-It is assumed that web access is already enabled from the local zone to the
-internet.<br>
-            
-<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
-   other aspects of your gateway including but not limited to traffic shaping
-   and route redirection. For that reason, <b>I don't recommend it</b>.<br>
-       </p>
-             
 <ul>
-       <li>On your firewall system, issue the following command<br>
-      </li>
-         
-</ul>
-           
-<blockquote>                  
-  <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
-      </blockquote>
-           
-<ul>
-       <li>In /etc/shorewall/init, put:<br>
-        </li>
-         
-</ul>
-            
-<blockquote>                  
-  <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br>	ip rule add fwmark 202 table www.out<br>	ip route add default via 192.168.1.3 dev eth1 table www.out<br>	ip route flush cache<br>	echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
-      </blockquote>
-           
-<ul>
-       <li>In /etc/shorewall/rules:<br>
-      <br>
-                     
-    <table border="1" cellpadding="2" style="border-collapse: collapse;">
-                               <tbody>
-                                                                        
-             <tr>
-                            <td><b>ACTION</b></td>
-                                 <td><b>SOURCE</b></td>
-                                 <td><b>DEST</b></td>
-                                 <td><b>   PROTO</b></td>
-                                 <td><b>DEST<br>
-                          PORT(S)</b></td>
-                                 <td><b>SOURCE<br>
-                                 PORT(S)</b></td>
-                                 <td><b>ORIGINAL<br>
-                                 DEST</b></td>
-                                                                        
-                  </tr>
-                               <tr>
-                                 <td>ACCEPT<br>
-            </td>
-                                 <td>loc</td>
-                                 <td>loc<br>
-            </td>
-                                 <td>tcp</td>
-                                 <td>www</td>
-                                 <td> <br>
-                 </td>
-                                 <td><br>
-            </td>
-                               </tr>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                           
-      </tbody>                                                          
-                                                                        
-                                                                        
-                    
-    </table>
-      <br>
-    </li>
-    <li>Alternativfely, you can have the following policy:<br>
-      <br>
-           
-    <table cellpadding="2" cellspacing="0" border="1">
-        <tbody>
-          <tr>
-            <td valign="top"><b>SOURCE<br>
-            </b></td>
-            <td valign="top"><b>DESTINATION<br>
-            </b></td>
-            <td valign="top"><b>POLICY<br>
-            </b></td>
-            <td valign="top"><b>LOG LEVEL<br>
-            </b></td>
-            <td valign="top"><b>BURST PARAMETERS<br>
-            </b></td>
-          </tr>
-          <tr>
-            <td valign="top">loc<br>
-            </td>
-            <td valign="top">loc<br>
-            </td>
-            <td valign="top">ACCEPT<br>
-            </td>
-            <td valign="top"><br>
-            </td>
-            <td valign="top"><br>
-            </td>
-          </tr>
-               
-      </tbody>          
-    </table>
-      <br>
-    </li>
-    <li>In /etc/shorewall/start add:<br>
-      </li>
-       
-</ul>
-       
-<blockquote>            
-  <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
-    </blockquote>
-       
-<ul>
-      <li>On 192.168.1.3, arrange for the following command to be executed
+       <li>On 192.168.1.3, arrange for the following command to be executed 
  after   networking has come up<br>
-                                            
+                                                  
     <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
-        </li>
-           
+         </li>
+             
 </ul>
-         
-<blockquote>  If you are running RedHat on the server, you can simply execute
-  the following  commands after you have typed the iptables command above:<br>
-      </blockquote>
            
-<blockquote>                  
+<blockquote>  If you are running RedHat on the server, you can simply execute 
+  the following  commands after you have typed the iptables command above:<br>
+       </blockquote>
+             
+<blockquote>                     
   <blockquote>          </blockquote>
-               
+                   
   <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
  color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
-        </blockquote>
-       
+         </blockquote>
+         
 <blockquote>  </blockquote>
-           
+             
 <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
-     You have a single Linux system in your DMZ with IP address 192.0.2.177.
-  You want to run both a web server and Squid on that system. Your DMZ interface
+      You have a single Linux system in your DMZ with IP address 192.0.2.177. 
+  You want to run both a web server and Squid on that system. Your DMZ interface 
   is eth1 and your local interface is eth2.<br>
-         
+           
 <ul>
-       <li>On your firewall system, issue the following command<br>
-      </li>
-            
+        <li>On your firewall system, issue the following command<br>
+       </li>
+              
 </ul>
-         
-<blockquote>                  
+           
+<blockquote>                     
   <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
-      </blockquote>
-            
+       </blockquote>
+              
 <ul>
-       <li>In /etc/shorewall/init, put:<br>
-        </li>
+        <li>In /etc/shorewall/init, put:<br>
+         </li>
+           
+</ul>
+               
+<blockquote>                     
+  <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br>	ip rule add fwmark 202 table www.out<br>	ip route add default via 192.0.2.177 dev eth1 table www.out<br>	ip route flush cache<br>fi</b></font><br></pre>
+       </blockquote>
+              
+<ul>
+        <li>&nbsp;Do<b> one </b>of the following:<br>
+     <br>
+ A) In /etc/shorewall/start add<br>
+       </li>
          
 </ul>
-             
-<blockquote>                  
-  <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br>	ip rule add fwmark 202 table www.out<br>	ip route add default via 192.0.2.177 dev eth1 table www.out<br>	ip route flush cache<br>fi</b></font><br></pre>
-      </blockquote>
-            
-<ul>
-       <li>&nbsp;Do<b> one </b>of the following:<br>
-    <br>
-A) In /etc/shorewall/start add<br>
-      </li>
-       
-</ul>
-       
-<blockquote>            
+         
+<blockquote>               
   <pre><b><font color="#009900">	iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
-</blockquote>
-             
-<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
+ </blockquote>
+               
+<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf 
 and add the following entry in /etc/shorewall/tcrules:<br>
-</blockquote>
-<blockquote>
-  <blockquote>
-    <table cellpadding="2" border="1" cellspacing="0">
-      <tbody>
-        <tr>
-          <td valign="top">MARK<br>
-          </td>
-          <td valign="top">SOURCE<br>
-          </td>
-          <td valign="top">DESTINATION<br>
-          </td>
-          <td valign="top">PROTOCOL<br>
-          </td>
-          <td valign="top">PORT<br>
-          </td>
-          <td valign="top">CLIENT PORT<br>
-          </td>
-        </tr>
-        <tr>
-          <td valign="top">202<br>
-          </td>
-          <td valign="top">eth2<br>
-          </td>
-          <td valign="top">0.0.0.0/0<br>
-          </td>
-          <td valign="top">tcp<br>
-          </td>
-          <td valign="top">80<br>
-          </td>
-          <td valign="top">-<br>
-          </td>
-        </tr>
-      </tbody>
-    </table>
-  </blockquote>
-C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
-</blockquote>
+ </blockquote>
+ 
 <blockquote>   
   <blockquote>     
     <table cellpadding="2" border="1" cellspacing="0">
@@ -383,7 +347,7 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
            </td>
          </tr>
          <tr>
-           <td valign="top">202:P<br>
+           <td valign="top">202<br>
            </td>
            <td valign="top">eth2<br>
            </td>
@@ -400,90 +364,130 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
       </tbody>     
     </table>
    </blockquote>
-  <br>
-</blockquote>
+ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
+ </blockquote>
+ 
+<blockquote>      
+  <blockquote>          
+    <table cellpadding="2" border="1" cellspacing="0">
+        <tbody>
+          <tr>
+            <td valign="top">MARK<br>
+            </td>
+            <td valign="top">SOURCE<br>
+            </td>
+            <td valign="top">DESTINATION<br>
+            </td>
+            <td valign="top">PROTOCOL<br>
+            </td>
+            <td valign="top">PORT<br>
+            </td>
+            <td valign="top">CLIENT PORT<br>
+            </td>
+          </tr>
+          <tr>
+            <td valign="top">202:P<br>
+            </td>
+            <td valign="top">eth2<br>
+            </td>
+            <td valign="top">0.0.0.0/0<br>
+            </td>
+            <td valign="top">tcp<br>
+            </td>
+            <td valign="top">80<br>
+            </td>
+            <td valign="top">-<br>
+            </td>
+          </tr>
+               
+      </tbody>          
+    </table>
+    </blockquote>
+   <br>
+ </blockquote>
+ 
 <ul>
-       <li>In /etc/shorewall/rules, you will need:</li>
-         
-</ul>
-         
-<blockquote>               
-  <table cellpadding="2" border="1" cellspacing="0">
-         <tbody>
-           <tr>
-             <td valign="top">ACTION<br>
-             </td>
-             <td valign="top">SOURCE<br>
-             </td>
-             <td valign="top">DEST<br>
-             </td>
-             <td valign="top">PROTO<br>
-             </td>
-             <td valign="top">DEST<br>
-     PORT(S)<br>
-             </td>
-             <td valign="top">CLIENT<br>
-     PORT(2)<br>
-             </td>
-             <td valign="top">ORIGINAL<br>
-     DEST<br>
-             </td>
-           </tr>
-           <tr>
-             <td valign="top">ACCEPT<br>
-             </td>
-             <td valign="top">dmz<br>
-             </td>
-             <td valign="top">net<br>
-             </td>
-             <td valign="top">tcp<br>
-             </td>
-             <td valign="top">80<br>
-             </td>
-             <td valign="top"><br>
-             </td>
-             <td valign="top"><br>
-             </td>
-           </tr>
-                             
-    </tbody>               
-  </table>
-       <br>
-     </blockquote>
-         
-<ul>
-       <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
-  command to be executed after  networking has come up<br>
-                                            
-    <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
-        </li>
+        <li>In /etc/shorewall/rules, you will need:</li>
            
 </ul>
-         
-<blockquote>  If you are running RedHat on the server, you can simply execute
-  the following  commands after you have typed the iptables command above:<br>
-      </blockquote>
-            
+           
 <blockquote>                  
+  <table cellpadding="2" border="1" cellspacing="0">
+          <tbody>
+            <tr>
+              <td valign="top">ACTION<br>
+              </td>
+              <td valign="top">SOURCE<br>
+              </td>
+              <td valign="top">DEST<br>
+              </td>
+              <td valign="top">PROTO<br>
+              </td>
+              <td valign="top">DEST<br>
+      PORT(S)<br>
+              </td>
+              <td valign="top">CLIENT<br>
+      PORT(2)<br>
+              </td>
+              <td valign="top">ORIGINAL<br>
+      DEST<br>
+              </td>
+            </tr>
+            <tr>
+              <td valign="top">ACCEPT<br>
+              </td>
+              <td valign="top">dmz<br>
+              </td>
+              <td valign="top">net<br>
+              </td>
+              <td valign="top">tcp<br>
+              </td>
+              <td valign="top">80<br>
+              </td>
+              <td valign="top"><br>
+              </td>
+              <td valign="top"><br>
+              </td>
+            </tr>
+                                   
+    </tbody>                  
+  </table>
+        <br>
+      </blockquote>
+           
+<ul>
+        <li>On 192.0.2.177 (your Web/Squid server), arrange for the following 
+  command to be executed after  networking has come up<br>
+                                                  
+    <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
+         </li>
+             
+</ul>
+           
+<blockquote>  If you are running RedHat on the server, you can simply execute 
+  the following  commands after you have typed the iptables command above:<br>
+       </blockquote>
+              
+<blockquote>                     
   <blockquote>          </blockquote>
-               
+                   
   <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
  color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
-        </blockquote>
-       
+         </blockquote>
+         
 <blockquote>  </blockquote>
-            
-<p><font size="-1">   Updated 1/23/2003 - <a
- href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a>  
-          </font></p>
+              
+<p><font size="-1">   Updated 1/23/2003 - <a href="support.htm">Tom  Eastep</a>
+            </font></p>
                                                                         
                                                                         
-                                                                    <a
+                                                                     <a
  href="copyright.htm"><font size="2">Copyright</font>           &copy; <font
  size="2">2003 Thomas M. Eastep.</font></a><br>
-           <br>
-       <br>
-     <br>
+            <br>
+        <br>
+      <br>
+   <br>
   <br>
  <br>
 </body>
diff --git a/Shorewall-docs/configuration_file_basics.htm b/Shorewall-docs/configuration_file_basics.htm
index 2e6379b18..2ee3e74f0 100644
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@@ -1,343 +1,344 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                                             
+                                                                 
   <meta http-equiv="Content-Language" content="en-us">
-                                                             
+                                                                 
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                                             
+                                                                 
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                                                             
+                                                                 
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Configuration File Basics</title>
 </head>
   <body>
-                                
+                                  
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
-                  <tbody>
-                   <tr>
-                    <td width="100%">                                   
+                   <tbody>
+                    <tr>
+                     <td width="100%">                                  
+                                                                        
+         
+      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
+                     </td>
+                   </tr>
+                                                                 
+  </tbody>                
+</table>
+                                       
+<p><b><font color="#ff0000">Warning: </font>If you copy or edit your    
+   configuration files on a system running Microsoft Windows, you <u>must</u>
+               run them through <a
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">       dos2unix</a>
+        before you use them with Shorewall.</b></p>
+                                                          
+<h2><a name="Files"></a>Files</h2>
+                                                          
+<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
+                                                          
+<ul>
+                         <li>/etc/shorewall/shorewall.conf - used to set
+several     firewall             parameters.</li>
+                         <li>/etc/shorewall/params - use this file to set 
+shell    variables     that you will     expand in other files.</li>
+                         <li>/etc/shorewall/zones - partition the firewall's
+  view   of  the   world         into <i>zones.</i></li>
+                         <li>/etc/shorewall/policy - establishes firewall 
+high-level      policy.</li>
+                         <li>/etc/shorewall/interfaces - describes the interfaces 
+    on  the          firewall system.</li>
+                         <li>/etc/shorewall/hosts - allows defining zones 
+in  terms    of  individual           hosts and subnetworks.</li>
+                         <li>/etc/shorewall/masq - directs the firewall where 
+  to  use   many-to-one            (dynamic) Network Address Translation (a.k.a.
+   Masquerading)   and  Source          Network Address Translation (SNAT).</li>
+                         <li>/etc/shorewall/modules - directs the firewall
+ to  load   kernel    modules.</li>
+                         <li>/etc/shorewall/rules - defines rules that are
+ exceptions      to  the         overall policies established in /etc/shorewall/policy.</li>
+                         <li>/etc/shorewall/nat - defines static NAT rules.</li>
+                         <li>/etc/shorewall/proxyarp - defines use of Proxy 
+ ARP.</li>
+                         <li>/etc/shorewall/routestopped (Shorewall 1.3.4 
+and   later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
+                         <li>/etc/shorewall/tcrules - defines marking of
+packets     for   later   use by     traffic control/shaping or policy routing.</li>
+                         <li>/etc/shorewall/tos - defines rules for setting 
+ the   TOS   field   in packet         headers.</li>
+                         <li>/etc/shorewall/tunnels - defines IPSEC, GRE
+and   IPIP   tunnels    with end-points on         the firewall system.</li>
+                         <li>/etc/shorewall/blacklist - lists blacklisted 
+IP/subnet/MAC        addresses.</li>
+      <li>/etc/shorewall/init - commands that you wish to execute at the
+beginning   of a "shorewall start" or "shorewall restart".</li>
+      <li>/etc/shorewall/start - commands that you wish to execute at the 
+completion  of a "shorewall start" or "shorewall restart"</li>
+      <li>/etc/shorewall/stop - commands that you wish to execute at the
+beginning   of a "shorewall stop".</li>
+      <li>/etc/shorewall/stopped - commands that you wish to execute at the 
+ completion of a "shorewall stop".<br>
+      </li>
+                                 
+</ul>
+                                       
+<h2><a name="Comments"></a>Comments</h2>
+                                                          
+<p>You may place comments in configuration files by making the first non-whitespace 
+              character a pound sign ("#"). You may also place comments at 
+ the    end  of any line, again by       delimiting the comment from the rest
+ of   the line  with a pound sign.</p>
+                                                          
+<p>Examples:</p>
+                                                          
+<pre># This is a comment</pre>
+                               
+<pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
+                                 
+<h2><a name="Continuation"></a>Line Continuation</h2>
+                                                          
+<p>You may continue lines in the configuration files using the usual backslash
+        ("\") followed        immediately by a new line character.</p>
+                                                          
+<p>Example:</p>
+                                                          
+<pre>ACCEPT	net	fw	tcp \<br>smtp,www,pop3,imap  #Services running on the firewall</pre>
+                                 
+<h2><a name="dnsnames"></a>Using DNS Names</h2>
+                                  
+<p align="left">     </p>
+                               
+<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> 
+        using DNS names in Shorewall configuration files. If you use DNS names
+     and   you are called out of bed at 2:00AM because Shorewall won't start
+   as  a result  of DNS problems then don't say that you were not forewarned. 
+   <br>
+                 </b></p>
+                                 
+<p align="left"><b>    -Tom<br>
+                 </b></p>
+                                 
+<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
+        configuration files may be specified as either IP addresses or DNS
+   Names.<br>
+                 <br>
+                DNS names in iptables rules  aren't nearly as useful as they
+  first    appear.    When a DNS name appears in a rule,  the iptables utility
+  resolves    the name    to one or more IP addresses and inserts  those
+addresses   into    the rule.  So  changes in the DNS-&gt;IP address relationship
+ that   occur   after the firewall    has started have absolutely no effect
+on the    firewall's   ruleset.    </p>
+                               
+<p align="left">     If your firewall rules include DNS names then:</p>
+                                    
+<ul>
+                  <li>If your /etc/resolv.conf is wrong then your firewall
+ won't        start.</li>
+                  <li>If your /etc/nsswitch.conf is wrong then your firewall
+  won't        start.</li>
+                  <li>If your Name Server(s) is(are) down then your firewall
+  won't        start.</li>
+                  <li>If your startup scripts try to start your firewall
+before    starting     your DNS server then your firewall won't start.<br>
+                 </li>
+                  <li>Factors totally outside your control (your ISP's router 
+  is      down   for example), can prevent your firewall from starting.</li>
+                 <li>You must bring up your network interfaces prior to starting
+    your   firewall.<br>
+                 </li>
+                               
+</ul>
+                                 
+<p align="left"> Each DNS name much be fully qualified and include a minumum
+        of two periods (although one may be trailing). This restriction is
+ imposed       by Shorewall to insure backward compatibility with existing
+ configuration       files.<br>
+                 <br>
+                 Examples of valid DNS names:<br>
+                 </p>
+                               
+<ul>
+                  <li>mail.shorewall.net</li>
+                  <li>shorewall.net. (note the trailing period).</li>
+                               
+</ul>
+                 Examples of invalid DNS names:<br>
+                                 
+<ul>
+                  <li>mail (not fully qualified)</li>
+                  <li>shorewall.net (only one period)</li>
+                               
+</ul>
+                 DNS names may not be used as:<br>
+                                 
+<ul>
+                  <li>The server address in a DNAT rule (/etc/shorewall/rules 
+  file)</li>
+                  <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
+                  <li>In the /etc/shorewall/nat file.</li>
+                               
+</ul>
+                 These restrictions are not imposed by Shorewall simply for 
+ your inconvenience but are rather limitations of iptables.<br>
+                               
+<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
+                                               
+<p>Where specifying an IP address, a subnet or an interface, you can    
+   precede the item with "!" to specify the complement of the item. For 
+      example, !192.168.1.4 means "any host but 192.168.1.4". There must
+be no white space following the "!".</p>
+                                               
+<h2><a name="Lists"></a>Comma-separated Lists</h2>
+                                               
+<p>Comma-separated lists are allowed in a number of contexts within the  
+     configuration files. A comma separated list:</p>
+                                               
+<ul>
+                         <li>Must not have any embedded white space.<br>
+                         Valid: routefilter,dhcp,norfc1918<br>
+                         Invalid: routefilter,     dhcp,              norfc1818</li>
+                         <li>If you use line continuation to break a comma-separated
+      list,   the          continuation line(s) must begin in column 1 (or
+ there     would  be embedded          white space)</li>
+                         <li>Entries in a comma-separated list may appear 
+in  any   order.</li>
+                                 
+</ul>
+                                               
+<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
+                                               
+<p>Unless otherwise specified, when giving a port number you can use    
+   either an integer or a service name from /etc/services. </p>
+                                               
+<h2><a name="Ranges"></a>Port Ranges</h2>
+                                               
+<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
+               port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
+       if you want to forward the range of tcp ports 4000 through 4100 to
+local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+              </p>
+                           
+<pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
+ If you omit the low port number, a value of zero is assumed; if you omit 
+the high port number, a value of 65535 is assumed.<br>
+                                               
+<h2><a name="Variables"></a>Using Shell Variables</h2>
+                                               
+<p>You may use the /etc/shorewall/params     file to set shell variables
+  that you can then use in some of the other    configuration files.</p>
+                                                           
+<p>It is suggested that variable names begin with an upper case letter<font
+ size="1">      </font>to distinguish them from variables used internally
+        within the  Shorewall    programs</p>
+                                                           
+<p>Example:</p>
+                                                           
+<blockquote>                                                            
+                   
+  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
+                      </blockquote>
+                                                                 
+<p><br>
+                      Example (/etc/shorewall/interfaces record):</p>
+                                           <font
+ face="Century Gothic, Arial, Helvetica">                               
+     
+<blockquote>                                                            
+                         
+  <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
+                      </blockquote>
+                                                        </font>         
+                                                                
+<p>The result will be the same as if the record had been written</p>
+                                               <font
+ face="Century Gothic, Arial, Helvetica">                               
+       
+<blockquote>                                                            
+                               
+  <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
+                      </blockquote>
+                                                            </font>     
                                                                         
  
-      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
-                    </td>
-                  </tr>
-                                                             
-  </tbody>               
-</table>
-                                     
-<p><b><font color="#ff0000">Warning: </font>If you copy or edit your     
-  configuration files on a system running Microsoft Windows, you <u>must</u> 
-              run them through <a
- href="http://www.megaloman.com/%7Ehany/software/hd2u/">       dos2unix</a> 
-       before you use them with Shorewall.</b></p>
-                                                        
-<h2><a name="Files"></a>Files</h2>
-                                                        
-<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
-                                                        
-<ul>
-                        <li>/etc/shorewall/shorewall.conf - used to set several 
-   firewall             parameters.</li>
-                        <li>/etc/shorewall/params - use this file to set
-shell    variables     that you will     expand in other files.</li>
-                        <li>/etc/shorewall/zones - partition the firewall's 
- view   of  the   world         into <i>zones.</i></li>
-                        <li>/etc/shorewall/policy - establishes firewall
-high-level      policy.</li>
-                        <li>/etc/shorewall/interfaces - describes the interfaces
-    on  the          firewall system.</li>
-                        <li>/etc/shorewall/hosts - allows defining zones
-in  terms    of  individual           hosts and subnetworks.</li>
-                        <li>/etc/shorewall/masq - directs the firewall where
-  to  use   many-to-one            (dynamic) Network Address Translation
-(a.k.a.    Masquerading)   and  Source          Network Address Translation
-(SNAT).</li>
-                        <li>/etc/shorewall/modules - directs the firewall 
-to  load   kernel    modules.</li>
-                        <li>/etc/shorewall/rules - defines rules that are 
-exceptions      to  the         overall policies established in /etc/shorewall/policy.</li>
-                        <li>/etc/shorewall/nat - defines static NAT rules.</li>
-                        <li>/etc/shorewall/proxyarp - defines use of Proxy
- ARP.</li>
-                        <li>/etc/shorewall/routestopped (Shorewall 1.3.4
-and   later)    -  defines  hosts    accessible when Shorewall is stopped.</li>
-                        <li>/etc/shorewall/tcrules - defines marking of packets 
-   for   later   use by     traffic control/shaping or policy routing.</li>
-                        <li>/etc/shorewall/tos - defines rules for setting
- the   TOS   field   in packet         headers.</li>
-                        <li>/etc/shorewall/tunnels - defines IPSEC, GRE and 
- IPIP   tunnels    with end-points on         the firewall system.</li>
-                        <li>/etc/shorewall/blacklist - lists blacklisted
-IP/subnet/MAC        addresses.</li>
-     <li>/etc/shorewall/init - commands that you wish to execute at the beginning 
- of a "shorewall start" or "shorewall restart".</li>
-     <li>/etc/shorewall/start - commands that you wish to execute at the
-completion  of a "shorewall start" or "shorewall restart"</li>
-     <li>/etc/shorewall/stop - commands that you wish to execute at the beginning 
- of a "shorewall stop".</li>
-     <li>/etc/shorewall/stopped - commands that you wish to execute at the
- completion of a "shorewall stop".<br>
-     </li>
-                               
-</ul>
-                                     
-<h2><a name="Comments"></a>Comments</h2>
-                                                        
-<p>You may place comments in configuration files by making the first non-whitespace
-              character a pound sign ("#"). You may also place comments at
- the    end  of any line, again by       delimiting the comment from the
-rest  of   the line  with a pound sign.</p>
-                                                        
-<p>Examples:</p>
-                                                        
-<pre># This is a comment</pre>
-                             
-<pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
-                               
-<h2><a name="Continuation"></a>Line Continuation</h2>
-                                                        
-<p>You may continue lines in the configuration files using the usual backslash 
-       ("\") followed        immediately by a new line character.</p>
-                                                        
-<p>Example:</p>
-                                                        
-<pre>ACCEPT	net	fw	tcp \<br>smtp,www,pop3,imap  #Services running on the firewall</pre>
-                               
-<h2><a name="dnsnames"></a>Using DNS Names</h2>
-                                
-<p align="left">     </p>
-                             
-<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
-        using DNS names in Shorewall configuration files. If you use DNS
-names      and   you are called out of bed at 2:00AM because Shorewall won't
-start    as  a result  of DNS problems then don't say that you were not forewarned.
-   <br>
-                </b></p>
-                               
-<p align="left"><b>    -Tom<br>
-                </b></p>
-                               
-<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall 
-       configuration files may be specified as either IP addresses or DNS 
-  Names.<br>
-                <br>
-               DNS names in iptables rules  aren't nearly as useful as they 
- first    appear.    When a DNS name appears in a rule,  the iptables utility 
- resolves    the name    to one or more IP addresses and inserts  those addresses 
- into    the rule.  So  changes in the DNS-&gt;IP address relationship  that 
- occur   after the firewall    has started have absolutely no effect on the 
-  firewall's   ruleset.    </p>
-                             
-<p align="left">     If your firewall rules include DNS names then:</p>
-                                  
-<ul>
-                 <li>If your /etc/resolv.conf is wrong then your firewall 
-won't        start.</li>
-                 <li>If your /etc/nsswitch.conf is wrong then your firewall 
- won't        start.</li>
-                 <li>If your Name Server(s) is(are) down then your firewall 
- won't        start.</li>
-                 <li>If your startup scripts try to start your firewall before
-   starting     your DNS server then your firewall won't start.<br>
-                </li>
-                 <li>Factors totally outside your control (your ISP's router
-  is      down   for example), can prevent your firewall from starting.</li>
-                <li>You must bring up your network interfaces prior to starting 
-   your   firewall.<br>
-                </li>
-                             
-</ul>
-                               
-<p align="left"> Each DNS name much be fully qualified and include a minumum 
-       of two periods (although one may be trailing). This restriction is 
-imposed       by Shorewall to insure backward compatibility with existing 
-configuration       files.<br>
-                <br>
-                Examples of valid DNS names:<br>
-                </p>
-                             
-<ul>
-                 <li>mail.shorewall.net</li>
-                 <li>shorewall.net. (note the trailing period).</li>
-                             
-</ul>
-                Examples of invalid DNS names:<br>
-                               
-<ul>
-                 <li>mail (not fully qualified)</li>
-                 <li>shorewall.net (only one period)</li>
-                             
-</ul>
-                DNS names may not be used as:<br>
-                               
-<ul>
-                 <li>The server address in a DNAT rule (/etc/shorewall/rules
-  file)</li>
-                 <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
-                 <li>In the /etc/shorewall/nat file.</li>
-                             
-</ul>
-                These restrictions are not imposed by Shorewall simply for
- your inconvenience but are rather limitations of iptables.<br>
-                             
-<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
-                                             
-<p>Where specifying an IP address, a subnet or an interface, you can     
-  precede the item with "!" to specify the complement of the item. For  
-     example, !192.168.1.4 means "any host but 192.168.1.4". There must be
-no white space following the "!".</p>
-                                             
-<h2><a name="Lists"></a>Comma-separated Lists</h2>
-                                             
-<p>Comma-separated lists are allowed in a number of contexts within the 
-      configuration files. A comma separated list:</p>
-                                             
-<ul>
-                        <li>Must not have any embedded white space.<br>
-                        Valid: routestopped,dhcp,norfc1918<br>
-                        Invalid: routestopped,     dhcp,              norfc1818</li>
-                        <li>If you use line continuation to break a comma-separated 
-     list,   the          continuation line(s) must begin in column 1 (or 
-there     would  be embedded          white space)</li>
-                        <li>Entries in a comma-separated list may appear
-in  any   order.</li>
-                               
-</ul>
-                                             
-<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
-                                             
-<p>Unless otherwise specified, when giving a port number you can use     
-  either an integer or a service name from /etc/services. </p>
-                                             
-<h2><a name="Ranges"></a>Port Ranges</h2>
-                                             
-<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
-              port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, 
-      if you want to forward the range of tcp ports 4000 through 4100 to local
-     host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
-             </p>
-                         
-<pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
-If you omit the low port number, a value of zero is assumed; if you omit
-the high port number, a value of 65535 is assumed.<br>
-                                             
-<h2><a name="Variables"></a>Using Shell Variables</h2>
-                                             
-<p>You may use the /etc/shorewall/params     file to set shell variables 
- that you can then use in some of the other    configuration files.</p>
-                                                         
-<p>It is suggested that variable names begin with an upper case letter<font
- size="1">      </font>to distinguish them from variables used internally 
-       within the  Shorewall    programs</p>
-                                                         
-<p>Example:</p>
-                                                         
-<blockquote>                                                             
-               
-  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
-                     </blockquote>
-                                                               
-<p><br>
-                     Example (/etc/shorewall/interfaces record):</p>
-                                          <font
- face="Century Gothic, Arial, Helvetica">                                
-   
-<blockquote>                                                             
-                     
-  <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
-                     </blockquote>
-                                                       </font>          
-                                                              
-<p>The result will be the same as if the record had been written</p>
-                                              <font
- face="Century Gothic, Arial, Helvetica">                                
-     
-<blockquote>                                                             
-                           
-  <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
-                     </blockquote>
-                                                           </font>      
-                                                                        
-<p>Variables may be used anywhere in the              other configuration 
-       files.</p>
-                                                                     
+<p>Variables may be used anywhere in the              other configuration
+        files.</p>
+                                                                       
 <h2><a name="MAC"></a>Using MAC Addresses</h2>
-                                             
-<p>Media Access Control (MAC)        addresses can be used to specify packet 
-       source in several of the        configuration files. To use this feature, 
-       your kernel must have MAC        Address Match support (CONFIG_IP_NF_MATCH_MAC) 
-       included.</p>
-                                     
-<p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
-  unique MAC address.<br>
-                      <br>
-                      In GNU/Linux, MAC addresses are usually written as
+                                               
+<p>Media Access Control (MAC)        addresses can be used to specify packet
+        source in several of the        configuration files. To use this
+feature,         your kernel must have MAC        Address Match support (CONFIG_IP_NF_MATCH_MAC)
+        included.</p>
+                                       
+<p>MAC addresses are 48 bits wide and each Ethernet Controller has a    
+   unique MAC address.<br>
+                       <br>
+                       In GNU/Linux, MAC addresses are usually written as 
 a  series    of  6  hex numbers        separated by colons. Example:<br>
-                      <br>
-                     [root@gateway root]# ifconfig eth0<br>
-                     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
-                     inet addr:206.124.146.176 Bcast:206.124.146.255    
-   Mask:255.255.255.0<br>
-                     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
-                     RX packets:2398102 errors:0 dropped:0 overruns:0   
-    frame:0<br>
-                     TX packets:3044698 errors:0 dropped:0 overruns:0   
-    carrier:0<br>
-                     collisions:30394 txqueuelen:100<br>
-                     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221  
-     (1582.8     Mb)<br>
-                     Interrupt:11 Base address:0x1800<br>
-                      <br>
-                      Because Shorewall uses colons as a separator for address
-   fields,     Shorewall requires        MAC addresses to be written in another
-   way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
-consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
+                       <br>
+                      [root@gateway root]# ifconfig eth0<br>
+                      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
+                      inet addr:206.124.146.176 Bcast:206.124.146.255   
+    Mask:255.255.255.0<br>
+                      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
+                      RX packets:2398102 errors:0 dropped:0 overruns:0  
+     frame:0<br>
+                      TX packets:3044698 errors:0 dropped:0 overruns:0  
+     carrier:0<br>
+                      collisions:30394 txqueuelen:100<br>
+                      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 
+      (1582.8     Mb)<br>
+                      Interrupt:11 Base address:0x1800<br>
+                       <br>
+                       Because Shorewall uses colons as a separator for address 
+   fields,     Shorewall requires        MAC addresses to be written in another 
+   way. In   Shorewall, MAC addresses        begin with a tilde ("~") and 
+consist   of 6  hex numbers separated by        hyphens. In Shorewall, the 
 MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
-           </p>
-                     
-<p><b>Note: </b>It is not necessary to use the special Shorewall notation 
-     in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
-           </p>
-                                             
+            </p>
+                       
+<p><b>Note: </b>It is not necessary to use the special Shorewall notation
+      in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
+            </p>
+                                               
 <h2><a name="Levels"></a>Shorewall Configurations</h2>
-                                     
-<p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-       The <a href="starting_and_stopping_shorewall.htm">shorewall start and
-   restart</a>       commands allow you to specify an alternate configuration 
-   directory and    Shorewall will use the files in the alternate directory 
-  rather than the  corresponding  files in /etc/shorewall. The alternate directory
-   need not contain a complete  configuration; those files not in the alternate
-   directory  will be read from  /etc/shorewall.</p>
-                                     
-<p>  This facility permits you to easily create a test or temporary configuration 
-        by:</p>
-                                     
+                                       
+<p>  Shorewall allows you to have configuration  directories other than /etc/shorewall.
+        The <a href="starting_and_stopping_shorewall.htm">shorewall start
+and    restart</a>       commands allow you to specify an alternate configuration
+    directory and    Shorewall will use the files in the alternate directory
+   rather than the  corresponding  files in /etc/shorewall. The alternate
+directory    need not contain a complete  configuration; those files not
+in the alternate    directory  will be read from  /etc/shorewall.</p>
+                                       
+<p>  This facility permits you to easily create a test or temporary configuration
+         by:</p>
+                                       
 <ol>
-                        <li>  copying the files that need modification from 
- /etc/shorewall       to a separate      directory;</li>
-                        <li>  modify those files in the separate directory; 
- and</li>
-                        <li>  specifying the separate directory in a shorewall
-   start    or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig 
-      restart</b></i>  ).</li>
-                                     
+                         <li>  copying the files that need modification from
+  /etc/shorewall       to a separate      directory;</li>
+                         <li>  modify those files in the separate directory;
+  and</li>
+                         <li>  specifying the separate directory in a shorewall 
+   start    or  shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig
+       restart</b></i>  ).</li>
+                                       
 </ol>
                                                                         
                                                                         
                                                                         
-                                                                
-<p><font size="2">   Updated 2/7/2003 - <a href="support.htm">Tom  Eastep</a>
+                                                                  
+<p><font size="2">   Updated 2/7/2003 - <a href="support.htm">Tom  Eastep</a> 
            </font></p>
                                                                         
                                                                         
-                                                         
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-          © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-    </p>
+                                                           
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+           © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
+     </p>
+     <br>
     <br>
    <br>
   <br>
diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm
index 5a2a445dd..628748a58 100644
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@@ -2,657 +2,244 @@
 <html>
 <head>
                                                                         
-       
+               
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-  <title>Shorewall 1.3 Errata</title>
+  <title>Shorewall 1.4 Errata</title>
                                                                         
-                                                                     
+                                                                        
+          
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                         
-       
+               
   <meta name="ProgId" content="FrontPage.Editor.Document">
                                                                         
-               
+                       
   <meta name="Microsoft Theme" content="none">
+   
+  <meta name="author" content="Tom Eastep">
 </head>
   <body>
-                                      
+                                          
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#400169" height="90">
-                      <tbody>
-                      <tr>
-                        <td width="100%">                               
+                        <tbody>
+                        <tr>
+                          <td width="100%">                             
                                                                         
-                           
+                                           
       <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
-                        </td>
-                      </tr>
+                          </td>
+                        </tr>
                                                                         
- 
-  </tbody>                  
+         
+  </tbody>                    
 </table>
-                                                   
+                                                       
 <p align="center">       <b><u>IMPORTANT</u></b></p>
-                                                   
+                                                       
 <ol>
-                      <li>                                              
-                                                          
+                        <li>                                            
+                                                                      
     <p align="left">          <b><u>I</u>f you use a Windows system to download
-         a corrected     script, be sure to run the script through <u>  
-         <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
+          a corrected     script, be sure to run the script through <u> 
+          <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
  style="text-decoration: none;"> dos2unix</a></u>      after you have moved
-         it to your Linux system.</b></p>
-                                   </li>
-                      <li>                                              
-                                                          
+          it to your Linux system.</b></p>
+                                     </li>
+                        <li>                                            
+                                                                      
     <p align="left">          <b>If you are installing Shorewall for the
 first time and plan to use the        .tgz and install.sh script, you can
 untar the archive, replace the        'firewall' script in the untarred directory
-         with the one you downloaded        below, and then run install.sh.</b></p>
-                                   </li>
-                      <li>                                              
-                                                          
-    <p align="left">          <b>If you are running a Shorewall version earlier
-  than 1.3.11, when the instructions say to install a corrected        firewall
-  script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
-     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
-overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD
-/etc/shorewall/firewall               or /var/lib/shorewall/firewall  before
-you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall
- are symbolic links that point           to the 'shorewall' file used by
-your  system initialization scripts     to         start Shorewall during
-boot. It is  that file that must be overwritten              with the corrected
-script. Beginning with Shorewall 1.3.11, you may rename the existing file
-before copying in the new file.</b></p>
-              </li>
-              <li>                                                      
-     
+          with the one you downloaded        below, and then run install.sh.</b></p>
+                                     </li>
+                        <li>                                            
+                                                                      
+    <p align="left">          <b>When the instructions say to install a corrected 
+       firewall   script in        /usr/share/shorewall/firewall, you may 
+rename the existing file before copying in the new file.</b></p>
+                </li>
+                <li>                                                    
+                 
     <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
-      ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
-For    example,  do NOT install the 1.3.9a firewall script if you are running
- 1.3.7c.</font></b><br>
-                          </p>
-              </li>
-                       
+       ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
+ For    example,  do NOT install the 1.3.9a firewall script if you are running
+  1.3.7c.</font></b><br>
+                            </p>
+                </li>
+                           
 </ol>
-                                                   
+                                                       
 <ul>
-                      <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-                      <li>                            <b><a href="#V1.3">Problems 
-    in  Version    1.3</a></b></li>
-                      <li>                            <b><a
+                        <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
+   <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
+   </li>
+                        <li>                            <b><a
+ href="errata_3.html">Problems      in  Version    1.3</a></b></li>
+                        <li>                            <b><a
  href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
-                      <li>                            <b><font
+                        <li>                            <b><font
  color="#660066">       <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
-                      <li>                            <b><font
+                        <li>                            <b><font
  color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
-  on RH7.2</a></font></b></li>
-                      <li>                            <b><a
+   on RH7.2</a></font></b></li>
+                        <li>                            <b><a
  href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
 RedHat iptables</a></b></li>
-                      <li><b><a href="#SuSE">Problems installing/upgrading
- RPM   on  SuSE</a></b></li>
-                      <li><b><a href="#Multiport">Problems with iptables
-version     1.2.7    and       MULTIPORT=Yes</a></b></li>
-                <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and 
- NAT</a></b><br>
-                </li>
-                                      
+                        <li><b><a href="#SuSE">Problems installing/upgrading
+  RPM   on  SuSE</a></b></li>
+                        <li><b><a href="#Multiport">Problems with iptables
+ version     1.2.7    and       MULTIPORT=Yes</a></b></li>
+                  <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 
+and   NAT</a></b><br>
+                  </li>
+                                          
 </ul>
-                                      
-<hr>                                          
-<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
-                                                                        
-           
-<h3>Version 1.3.13</h3>
-     
-<ul>
-     <li>The 'shorewall add' command produces an error message referring
-to  'find_interfaces_by_maclist'.</li>
-    <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
-  <li>The 'shorewall add' command can fail with "iptables: Index of insertion
-too big".<br>
-  </li>
-     
-</ul>
-  All three problems are corrected by <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
-  firewall script</a> which may be installed in /usr/lib/shorewall as described
-  above.<br>
- 
-<ul>
-   <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) 
-are not supported in this version or in 1.3.12. If you need such support, 
-post on the users list and I can provide you with a patched version.<br>
-   </li>
- 
-</ul>
-        
-<h3>Version 1.3.12</h3>
-       
-<ul>
-      <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
- the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
-is  corrected  by <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
-  firewall script</a> which may be installed in /usr/lib/shorewall as described
-  above.</li>
-   <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
- are not supported in this version or in 1.3.13. If you need such support,
- post on the users list and I can provide you with a patched version.<br>
-    </li>
-       
-</ul>
-       
-<h3>Version 1.3.12 LRP</h3>
-         
-<ul>
-       <li>The .lrp was missing the /etc/shorewall/routestopped file -- a 
-new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
-       </li>
-         
-</ul>
-         
-<h3>Version 1.3.11a</h3>
-           
-<ul>
-        <li><a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
-   copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
-        </li>
-           
-</ul>
-           
-<h3>Version 1.3.11</h3>
-                 
-<ul>
-           <li>When installing/upgrading using the .rpm, you may receive
-the   following   warnings:<br>
-             <br>
-              user teastep does not exist - using root<br>
-              group teastep does not exist - using root<br>
-             <br>
-         These warnings are harmless and may be ignored. Users downloading
- the   .rpm  from shorewall.net or mirrors should no longer see these warnings
- as  the .rpm you will get from there has been corrected.</li>
-          <li>DNAT rules that exclude a source subzone (SOURCE column contains
-   !  followed by a sub-zone list) result in an error message and Shorewall
-  fails  to start.<br>
-            <br>
-        Install <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
-    corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. 
-   Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
-           <br>
-       This problem is corrected in version 1.3.11a.<br>
-          </li>
-                 
-</ul>
-                 
-<h3>Version 1.3.10</h3>
-                     
-<ul>
-             <li>If you experience problems connecting to a PPTP server running 
-   on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
-         <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
-     version of the firewall script</a> may help. Please report any cases
-where     installing this script in /usr/lib/shorewall/firewall solved your
-connection     problems. Beginning with version 1.3.10, it is safe to save
-the old version     of /usr/lib/shorewall/firewall before copying in the
-new one since /usr/lib/shorewall/firewall     is the real script now and
-not just a symbolic link to the real script.<br>
-             </li>
-                     
-</ul>
-                     
-<h3>Version 1.3.9a</h3>
-                       
-<ul>
-              <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No 
-    then  the following message appears during "shorewall [re]start":</li>
-                       
-</ul>
-                         
-<pre>          recalculate_interfacess: command not found<br></pre>
-                       
-<blockquote> The updated firewall script at  <a
- href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
- target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-      corrects this problem.Copy the script to /usr/lib/shorewall/firewall 
- as   described  above.<br>
-            </blockquote>
-                       
-<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
-      single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
-      to 'recalculate_interface'. <br>
-            </blockquote>
-                       
-<ul>
-              <li>The installer (install.sh) issues a misleading message
-"Common     functions   installed in /var/lib/shorewall/functions" whereas
-the file   is  installed  in /usr/lib/shorewall/functions. The installer
-also performs   incorrectly  when updating old configurations that had the
-file /etc/shorewall/functions.         <a
- href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
-      is an updated version that corrects these problems.<br>
-                </a></li>
-                       
-</ul>
-                         
-<h3>Version 1.3.9</h3>
-               <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall 
-  script    at  <a
- href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
- target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-      -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
-                <br>
-               Version 1.3.8                  
-<ul>
-                   <li> Use of shell variables in the LOG LEVEL or SYNPARMS 
- columns     of  the  policy file doesn't work.</li>
-                   <li>A DNAT rule with the same original and new IP addresses
-   but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
-     tcp   25 - 10.1.1.1")<br>
-                   </li>
-                                 
-</ul>
-                 Installing                               <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
-                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                        as described above corrects these
-problems.                         
-<h3>Version 1.3.7b</h3>
-                                                                    
-<p>DNAT rules where the source zone is 'fw' ($FW)                       
-        result in an error message. Installing                          
-    <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
-                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                        as described above corrects this
-problem.</p>
-                                                                    
-<h3>Version 1.3.7a</h3>
-                                                                    
-<p>"shorewall refresh" is not creating the proper                       
-        rule for FORWARDPING=Yes. Consequently, after                   
-            "shorewall refresh", the firewall will not forward          
-                     icmp echo-request (ping) packets. Installing       
-                       <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
-                           this corrected firewall script</a> in /var/lib/shorewall/firewall
-                                        as described above corrects this
-problem.</p>
-                                                                    
-<h3>Version &lt;= 1.3.7a</h3>
-                                                                    
-<p>If "norfc1918" and "dhcp" are both specified as                      
-         options on a given interface then RFC 1918                     
-          checking is occurring before DHCP checking. This              
-                 means that if a DHCP client broadcasts using an        
-                       RFC 1918 source address, then the firewall will  
-                             reject the broadcast (usually logging it). This
-                                        has two problems:</p>
-                                                                    
-<ol>
-                                                   <li>If the firewall is 
-running     a  DHCP   server,                                   the client 
-won't be   able   to obtain   an IP  address                             
-    lease  from that   server.</li>
-                                                   <li>With this order of 
-checking,      the   "dhcp"                                   option cannot 
-be used as   a  noise-reduction                                     measure 
-where there   are  both dynamic and    static                            
-     clients  on a LAN segment.</li>
-                                      
-</ol>
-                                                                        
-           
-<p>                               <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
-                           This version of the 1.3.7a firewall script </a> 
-                                       corrects the problem. It must be installed
-         in /var/lib/shorewall                                as described
- above.</p>
-                                                                    
-<h3>Version 1.3.7</h3>
-                                                                    
-<p>Version 1.3.7 dead on arrival -- please use                          
-     version 1.3.7a and check your version against                      
-         these md5sums -- if there's a difference, please               
-                download again.</p>
-                                                                    
-<pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
-                                      
-<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
-         and   compare the result with what you see above.</p>
-                                      
-<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
-         .7   version in each sequence from now on.</p>
-                                                                
-<h3 align="left">Version 1.3.6</h3>
-                                                                
-<ul>
-                               <li>                                     
-                                                                        
-       
-    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-         an error occurs when the firewall            script attempts to
-add    an   SNAT   alias.  </p>
-                    </li>
-                    <li>                                                
-                                                                     
-    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
-           cause errors during startup when Shorewall is run with iptables
-         1.2.7. </p>
-                    </li>
-                                   
-</ul>
-                                                                
-<p align="left">These problems are fixed in           <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
-       this correct firewall script</a> which must be installed in      
-     /var/lib/shorewall/ as described above. These problems are also    
-       corrected in version 1.3.7.</p>
-                                                                
-<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
-                                                                
-<p align="left">A line was inadvertently deleted from the "interfaces   
-        file" -- this line should be added back in if the version that you
-                    downloaded is missing it:</p>
-                                                                
-<p align="left">net    eth0    detect               routefilter,dhcp,norfc1918</p>
-                                                                
-<p align="left">If you downloaded two-interfaces-a.tgz then the above   
-        line should already be in the file.</p>
-                                                                
-<h3 align="left">Version 1.3.5-1.3.5b</h3>
-                                                                
-<p align="left">The new 'proxyarp' interface option doesn't work :-(    
-       This is fixed in           <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
-       this corrected firewall script</a> which must be installed in    
-       /var/lib/shorewall/ as described above.</p>
-                                                                
-<h3 align="left">Versions 1.3.4-1.3.5a</h3>
-                                                                
-<p align="left">Prior to version 1.3.4, host file entries such as the   
-        following were allowed:</p>
-                                                                
-<div align="left">                               
-<pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
-                    </div>
-                                      
-<div align="left">                      
-<p align="left">That capability was lost in version 1.3.4 so that it is only
-             possible to  include a single host specification on each line.
-  This         problem is corrected by    <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
-             modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
-             as instructed above.</p>
-                  </div>
-                                                       
-<div align="left">                      
-<p align="left">This problem is corrected in version 1.3.5b.</p>
-                  </div>
-                                                                
-<h3 align="left">Version 1.3.5</h3>
-                                                                
-<p align="left">REDIRECT rules are broken in this version. Install      
-    <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
-       this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
-                    as instructed above. This problem is corrected in version
-    1.3.5a.</p>
-                                                                
-<h3 align="left">Version 1.3.n, n &lt; 4</h3>
-                                                                
-<p align="left">The "shorewall start" and "shorewall restart" commands  
-         to not verify that the zones named in the /etc/shorewall/policy
-file            have been previously defined in the /etc/shorewall/zones
-file. The            "shorewall check" command does perform this verification
-so it's a            good idea to run that command after you have made configuration
-                    changes.</p>
-                                                                
-<h3 align="left">Version 1.3.n, n &lt; 3</h3>
-                                                                
-<p align="left">If you have upgraded from Shorewall 1.2 and after       
-    "Activating rules..." you see the message: "iptables: No            chains/target/match
-         by that name" then you probably have an entry in            /etc/shorewall/hosts
-         that specifies an interface that you didn't            include in
- /etc/shorewall/interfaces.        To correct this problem, you         
-  must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3
-and             later versions produce a clearer error    message    in this
-case.</p>
-                                                                
-<h3 align="left">Version 1.3.2</h3>
-                                                                
-<p align="left">Until approximately 2130 GMT on 17 June 2002, the       
-    download sites contained an incorrect version of the .lrp file. That
-           file can be identified by its size (56284 bytes). The correct
-version            has a size of 38126 bytes.</p>
-                                                                
-<ul>
-                               <li>The code to detect a duplicate interface 
- entry    in             /etc/shorewall/interfaces contained a typo that prevented
-   it from               working correctly. </li>
-                               <li>"NAT_BEFORE_RULES=No" was broken; it behaved 
-   just   like   "NAT_BEFORE_RULES=Yes".</li>
-                                      
-</ul>
-                                                                
-<p align="left">Both problems are corrected in           <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">   
-       this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
-         as described above.</p>
-                                                                
-<ul>
-                               <li>                                     
-                                                                        
-       
-    <p align="left">The IANA have just announced the allocation of subnet
-                    221.0.0.0/8. This           <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
-      updated rfc1918</a> file reflects that allocation.</p>
-                                                </li>
-                                      
-</ul>
-                                                                
-<h3 align="left">Version 1.3.1</h3>
-                                                                
-<ul>
-                               <li>TCP SYN packets may be double counted
-when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy
-(i.e.,    each              packet is sent through the limit chain twice).</li>
-                               <li>An unnecessary jump to the policy chain
- is  sometimes                 generated for a CONTINUE policy.</li>
-                               <li>When an option is given for more than
-one   interface      in               /etc/shorewall/interfaces then depending
- on the option,     Shorewall                may ignore all but the first
-appearence of the   option.  For example:<br>
-                               <br>
-                               net    eth0    dhcp<br>
-                               loc    eth1    dhcp<br>
-                               <br>
-                               Shorewall will ignore the 'dhcp' on eth1.</li>
-                               <li>Update 17 June 2002 - The bug described
- in  the   prior    bullet               affects the following options: dhcp, 
- dropunclean,   logunclean,                 norfc1918, routefilter, multi, 
- filterping and   noping. An additional                 bug has been found 
- that affects only   the 'routestopped' option.<br>
-                               <br>
-                               Users who downloaded the corrected script
-prior    to  1850   GMT   today              should download and install
-the corrected     script   again   to ensure              that this second
-problem is corrected.</li>
-                                      
-</ul>
-                                                                
-<p align="left">These problems are corrected in           <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">   
-       this firewall script</a> which should be installed in            /etc/shorewall/firewall
-         as described above.</p>
-                                                                
-<h3 align="left">Version 1.3.0</h3>
-                                                                
-<ul>
-                               <li>Folks who downloaded 1.3.0 from the links
-  on  the   download    page              before 23:40 GMT, 29 May 2002 may
-  have  downloaded   1.2.13    rather than              1.3.0. The "shorewall
-  version"  command   will tell    you which version              that you
- have installed.</li>
-                               <li>The documentation NAT.htm file uses non-existent 
-                wallpaper and bullet graphic files. The           <a
- href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
-      corrected version is here</a>.</li>
-                                      
-</ul>
-                                      
-<hr>                                          
-<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
-                                                                
-<p align="left">The upgrade issues have moved to           <a
- href="upgrade_issues.htm">a separate page</a>.</p>
-                                                       
+                                          
 <hr>                                            
-<h3 align="left"><a name="iptables"></a><font color="#660066">  Problem with
-         iptables version 1.2.3</font></h3>
-                                                   
-<blockquote>                                                             
-             
-  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
-                 prevent it from working with Shorewall. Regrettably,  RedHat 
-    released    this buggy iptables in RedHat   7.2. </p>
-                                                                        
-                     
-  <p align="left"> I have built a <a
- href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-          corrected 1.2.3 rpm which you can download here</a>  and I have 
-also     built            an <a
- href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently
-         running RedHat 7.1, you can install either of these RPMs       
-      <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
+<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
                                                                         
                
-  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
-         has   released an iptables-1.2.4 RPM of their own which you can
-download         from<font color="#ff6633">   <a
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
-           </font>I have installed this RPM   on my firewall and it works 
-fine.</p>
-                                                                        
-                     
-  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
-         the patches are available         for download. This <a
- href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
-             which corrects a problem with parsing of the --log-level specification
-         while         this <a
- href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
-                 corrects a problem in handling the  TOS target.</p>
-                                                                        
-                       
-  <p align="left">To install one of the above patches:</p>
-                                                                        
-       
-  <ul>
-                             <li>cd iptables-1.2.3/extensions</li>
-                             <li>patch -p0 &lt; <i>the-patch-file</i></li>
-                                                                        
-       
-  </ul>
-                              </blockquote>
-                                                                        
-       
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
-               and RedHat iptables</h3>
-                                      
-<blockquote>                                                          
-  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
-         may     experience the following:</p>
-                                                                        
-   
-  <blockquote>                                                           
-                                    
-    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
-                      </blockquote>
-                                                                        
-   
-  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
-  user-space debugging code was not updated to reflect recent changes in
-         the     Netfilter 'mangle' table. You can correct the problem by
-installing            <a
- href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
-            this iptables RPM</a>. If you are already running a 1.2.5 version 
-    of       iptables, you will need to specify the --oldpackage option to 
- rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
-                    </blockquote>
+<h3></h3>
+ None. 
+<hr width="100%" size="2">                                            
+<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
+                                                                    
+<p align="left">The upgrade issues have moved to           <a
+ href="upgrade_issues.htm">a separate page</a>.</p>
+                                                           
+<hr>                                              
+<h3 align="left"><a name="iptables"></a><font color="#660066">  Problem with
+          iptables version 1.2.3</font></h3>
+                                                       
+<blockquote>                                                             
+                   
+  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
+                  prevent it from working with Shorewall. Regrettably,  RedHat 
+     released    this buggy iptables in RedHat   7.2. </p>
                                                                         
                              
+  <p align="left"> I have built a <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
+           corrected 1.2.3 rpm which you can download here</a>  and I have 
+ also     built            an <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
+iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+          running RedHat 7.1, you can install either of these RPMs      
+       <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
+                                                                        
+                       
+  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
+          has   released an iptables-1.2.4 RPM of their own which you can
+download         from<font color="#ff6633">   <a
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
+            </font>I have installed this RPM   on my firewall and it works 
+ fine.</p>
+                                                                        
+                             
+  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
+          the patches are available         for download. This <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
+              which corrects a problem with parsing of the --log-level specification
+          while         this <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
+                  corrects a problem in handling the  TOS target.</p>
+                                                                        
+                               
+  <p align="left">To install one of the above patches:</p>
+                                                                        
+               
+  <ul>
+                               <li>cd iptables-1.2.3/extensions</li>
+                               <li>patch -p0 &lt; <i>the-patch-file</i></li>
+                                                                        
+               
+  </ul>
+                                </blockquote>
+                                                                        
+           
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
+               and RedHat iptables</h3>
+                                          
+<blockquote>                                                             
+ 
+  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
+          may     experience the following:</p>
+                                                                        
+           
+  <blockquote>                                                           
+                                              
+    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
+                        </blockquote>
+                                                                        
+           
+  <p>The RedHat iptables RPM is compiled with debugging enabled but the  
+  user-space debugging code was not updated to reflect recent changes in
+          the     Netfilter 'mangle' table. You can correct the problem by
+ installing            <a
+ href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
+             this iptables RPM</a>. If you are already running a 1.2.5 version 
+     of       iptables, you will need to specify the --oldpackage option to
+  rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+                      </blockquote>
+                                                                        
+                                 
 <h3><a name="SuSE"></a>Problems                                installing/upgrading
-         RPM on SuSE</h3>
-                                                                    
+          RPM on SuSE</h3>
+                                                                        
 <p>If you find that rpm complains about a conflict                      
          with kernel &lt;= 2.2 yet you have a 2.4 kernel                
                installed, simply use the "--nodeps" option to           
                     rpm.</p>
-                                                                    
+                                                                        
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
-                                                                    
+                                                                        
 <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
-                                                                    
+                                                                        
 <h3><a name="Multiport"></a><b>Problems with                            
    iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
-                                                                    
+                                                                        
 <p>The iptables 1.2.7 release of iptables has made                      
          an incompatible change to the syntax used to                   
             specify multiport match rules; as a consequence,            
                    if you install iptables 1.2.7 you must be running    
                            Shorewall 1.3.7a or later or:</p>
-                                                                    
+                                                                        
 <ul>
-                                                   <li>set MULTIPORT=No in
-                                  /etc/shorewall/shorewall.conf; or </li>
-                                                   <li>if you are running 
-Shorewall      1.3.6    you may                                  install 
-                               <a
+                                                     <li>set MULTIPORT=No 
+in                                   /etc/shorewall/shorewall.conf; or </li>
+                                                     <li>if you are running 
+ Shorewall      1.3.6    you may                                  install 
+                                <a
  href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                              this firewall script</a> in /var/lib/shorewall/firewall
-                                          as described above.</li>
-                           
+                                           as described above.</li>
+                               
 </ul>
-                           
+                               
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
-                 </h3>
-              /etc/shorewall/nat entries of the following form will result
- in  Shorewall     being unable to start:<br>
-              <br>
-                           
+                   </h3>
+                /etc/shorewall/nat entries of the following form will result
+  in  Shorewall     being unable to start:<br>
+                <br>
+                               
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-              Error message is:<br>
-                           
+                Error message is:<br>
+                               
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-              The solution is to put "no" in the LOCAL column. Kernel support 
-  for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it.
-  The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
+                The solution is to put "no" in the LOCAL column. Kernel support 
+   for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled 
+it.   The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-                                      
+                                          
 <p><font size="2">  Last updated 2/8/2003 -                             
  <a href="support.htm">Tom Eastep</a></font> </p>
-                                       
+                                           
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-         </p>
-         <br>
-        <br>
-       <br>
-      <br>
-     <br>
-    <br>
-   <br>
-  <br>
+ </p>
  <br>
 </body>
 </html>
diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm
index 8fd3276af..094d29e17 100644
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@@ -2,152 +2,152 @@
 <html>
 <head>
                                                                         
-       
+           
   <meta http-equiv="Content-Language" content="en-us">
                                                                         
-       
+           
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
                                                                         
-       
+           
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                         
-       
+           
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Shorewall Mailing Lists</title>
                                                                         
-                                                                     
+                                                                        
+   
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-           
+             
 <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
  style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
  border="0">
-                       <tbody>
-                        <tr>
-                         <td width="33%" valign="middle" align="left">  
+                        <tbody>
+                         <tr>
+                          <td width="33%" valign="middle" align="left"> 
                                                                         
-                                                                     
+                                                                        
+    
       <h1 align="center"><a
  href="http://www.centralcommand.com/linux_products.html"><img
  src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
  height="79" align="left">
-                    </a></h1>
+                     </a></h1>
                                                                         
                                                                         
-                                             <a
+                                              <a
  href="http://www.gnu.org/software/mailman/mailman.html">         <img
  border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
  height="35" alt="">
-                          </a>                                          
- 
+                           </a>                                         
+         
       <p align="right"><font color="#ffffff"><b>      </b></font>     </p>
-                          </td>
-            <td valign="middle" width="34%" align="center">             
-                            
+                           </td>
+             <td valign="middle" width="34%" align="center">            
+                                    
       <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
-            </td>
-            <td valign="middle" width="33%">                     <a
+             </td>
+             <td valign="middle" width="33%">                     <a
  href="http://www.postfix.org/">       <img
  src="images/small-picture.gif" align="right" border="0" width="115"
  height="45" alt="(Postfix Logo)">
-                          </a><br>
-                                 
+                           </a><br>
+                                         
       <div align="left"><a href="http://www.spamassassin.org"><img
  src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
  border="0">
-         </a> </div>
-         <br>
-                                               
+          </a> </div>
+          <br>
+                                                       
       <div align="right"><br>
-            <b><font color="#ffffff"><br>
-   Powered by Postfix    </font></b><br>
-            </div>
-            </td>
-                       </tr>
+             <b><font color="#ffffff"><br>
+    Powered by Postfix    </font></b><br>
+             </div>
+             </td>
+                        </tr>
                                                                         
-       
-  </tbody>                    
+           
+  </tbody>                     
 </table>
-                                          
-<h2 align="left">Not getting List Mail? -- <a
- href="mailing_list_problems.htm">Check Here</a></h2>
-                                          
-<p align="left">If you experience problems with any of these lists, please 
-          let <a href="mailto:teastep@shorewall.net">me</a> know</p>
-                                          
+                                                                        
+               
+<p align="left">If you experience problems with any of these lists, please
+           let <a href="mailto:teastep@shorewall.net">me</a> know</p>
+                                            
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
-                                          
-<p align="left">You can report such problems by sending mail to tom dot eastep
+                                            
+<p align="left">You can report such problems by sending mail to tom dot eastep 
            at hp dot com.</p>
-                                                
+                                                  
 <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
  href="http://osirusoft.com/"> </a></h2>
                                                                         
-     
-<p>Before subscribing please read my <a href="spam_filters.htm">policy  
-    about list traffic that bounces.</a> Also please note that the mail server
+       
+<p>Before subscribing please read my <a href="spam_filters.htm">policy   
+   about list traffic that bounces.</a> Also please note that the mail server 
                  at shorewall.net checks incoming mail:<br>
-                </p>
-                               
+                 </p>
+                                 
 <ol>
-                  <li>against <a href="http://spamassassin.org">Spamassassin</a>
+                   <li>against <a href="http://spamassassin.org">Spamassassin</a> 
     (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
-          </li>
-                  <li>to ensure that the sender address is fully qualified.</li>
-                  <li>to verify that the sender's domain has an A or MX record
-   in  DNS.</li>
-                  <li>to ensure that the host name in the HELO/EHLO command 
- is  a  valid    fully-qualified  DNS name that resolves.</li>
-                               
+           </li>
+                   <li>to ensure that the sender address is fully qualified.</li>
+                   <li>to verify that the sender's domain has an A or MX
+record    in  DNS.</li>
+                   <li>to ensure that the host name in the HELO/EHLO command
+  is  a  valid    fully-qualified  DNS name that resolves.</li>
+                                 
 </ol>
-                   
+                     
 <h2>Please post in plain text</h2>
-          A growing number of MTAs serving list subscribers are rejecting 
-all   HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net 
-  "for  continuous abuse" because it has been my policy to allow HTML in list
-  posts!!<br>
-          <br>
-          I think that blocking all HTML is a Draconian way to control spam 
-  and   that the ultimate losers here are not the spammers but the list subscribers
-     whose MTAs are bouncing all shorewall.net mail. As one list subscriber
-  wrote  to me privately "These e-mail admin's need to get a <i>(explitive
- deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
- Nevertheless,  to allow subscribers to receive list posts as must as possible,
- I have now  configured the list server at shorewall.net to strip all HTML
- from outgoing  posts. This means that HTML-only posts will be bounced by
+           A growing number of MTAs serving list subscribers are rejecting
+ all   HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net
+   "for  continuous abuse" because it has been my policy to allow HTML in
+list   posts!!<br>
+           <br>
+           I think that blocking all HTML is a Draconian way to control spam
+   and   that the ultimate losers here are not the spammers but the list
+subscribers      whose MTAs are bouncing all shorewall.net mail. As one list
+subscriber   wrote  to me privately "These e-mail admin's need to get a <i>(explitive 
+ deleted)</i>  life instead of trying to rid the planet of HTML based e-mail". 
+ Nevertheless,  to allow subscribers to receive list posts as must as possible, 
+ I have now  configured the list server at shorewall.net to strip all HTML 
+ from outgoing  posts. This means that HTML-only posts will be bounced by 
 the list server.<br>
-             
-<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
-       </p>
                
+<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
+        </p>
+                 
 <h2>Other Mail Delivery Problems</h2>
-        If you find that you are missing an occasional list post, your e-mail 
-  admin  may be blocking mail whose <i>Received:</i> headers contain the names
-  of certain ISPs. Again, I believe that such policies hurt more than they
- help but I'm not prepared to go so far as to start stripping <i>Received:</i>
+         If you find that you are missing an occasional list post, your e-mail
+   admin  may be blocking mail whose <i>Received:</i> headers contain the
+names   of certain ISPs. Again, I believe that such policies hurt more than
+they  help but I'm not prepared to go so far as to start stripping <i>Received:</i> 
    headers to circumvent those policies.<br>
-                   
+                     
 <h2 align="left">Mailing Lists Archive Search</h2>
-                                         
-<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
-                                                           
-  <p> <font size="-1"> Match:                                            
-             
+                                           
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
+                                                              
+  <p> <font size="-1"> Match:                                           
+                 
   <select name="method">
   <option value="and">All </option>
   <option value="or">Any </option>
   <option value="boolean">Boolean </option>
   </select>
-                    Format:                                             
-           
+                     Format:                                            
+               
   <select name="format">
   <option value="builtin-long">Long </option>
   <option value="builtin-short">Short </option>
   </select>
-                    Sort by:                                            
-             
+                     Sort by:                                           
+                 
   <select name="sort">
   <option value="score">Score </option>
   <option value="time">Time </option>
@@ -156,149 +156,151 @@ the list server.<br>
   <option value="revtime">Reverse Time </option>
   <option value="revtitle">Reverse Title </option>
   </select>
-                    </font> <input type="hidden" name="config"
+                     </font> <input type="hidden" name="config"
  value="htdig">    <input type="hidden" name="restrict"
  value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
  name="exclude" value=""> <br>
-                    Search: <input type="text" size="30" name="words"
+                     Search: <input type="text" size="30" name="words"
  value="">    <input type="submit" value="Search"> </p>
-                    </form>
+                     </form>
                                                                         
-<h2 align="left"><font color="#ff0000">Please do not try to download the entire
-Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-stand the traffic. If I catch you, you will be blacklisted.<br>
-             </font></h2>
-                         
+ 
+<h2 align="left"><font color="#ff0000">Please do not try to download the
+entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
+won't stand the traffic. If I catch you, you will be blacklisted.<br>
+              </font></h2>
+                           
 <h2 align="left">Shorewall CA Certificate</h2>
-                  If you want to trust X.509 certificates issued by Shoreline 
-  Firewall     (such   as the one used on my web site), you may <a
- href="Shorewall_CA_html.html">download and install my CA certificate</a>
-         in your browser. If you don't wish to trust my certificates then
-you    can    either use unencrypted access when subscribing to Shorewall
-mailing    lists    or you can use secure access (SSL) and accept the server's
+                   If you want to trust X.509 certificates issued by Shoreline
+   Firewall     (such   as the one used on my web site), you may <a
+ href="Shorewall_CA_html.html">download and install my CA certificate</a> 
+         in your browser. If you don't wish to trust my certificates then 
+you    can    either use unencrypted access when subscribing to Shorewall 
+mailing    lists    or you can use secure access (SSL) and accept the server's 
 certificate     when   prompted by your browser.<br>
-                                   
+                                     
 <h2 align="left">Shorewall Users Mailing List</h2>
-                                         
-<p align="left">The Shorewall Users Mailing list provides a way for users
-          to get answers to questions and to report problems. Information
-of   general       interest to the Shorewall user community is also posted
+                                           
+<p align="left">The Shorewall Users Mailing list provides a way for users 
+          to get answers to questions and to report problems. Information 
+of   general       interest to the Shorewall user community is also posted 
 to  this list.</p>
-                                         
-<p align="left"><b>Before posting a problem report to this list, please see
-          the <a href="http://www.shorewall.net/support.htm">problem reporting
+                                           
+<p align="left"><b>Before posting a problem report to this list, please see 
+          the <a href="http://www.shorewall.net/support.htm">problem reporting 
  guidelines</a>.</b></p>
-                                              
-<p align="left">To subscribe to the mailing list:<br>
-    </p>
-       
-<ul>
-      <li><b>Insecure: </b><a
- href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
-      <li><b>SSL:</b> <a
- href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
- target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
-       
-</ul>
-                                   
-<p align="left">To post to the list, post to <a
- href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
-                                         
-<p align="left">The list archives are at <a
- href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-                                         
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-list may be found at <a
- href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
-                                         
-<h2 align="left">Shorewall Announce Mailing List</h2>
-                                              
-<p align="left">This list is for announcements of general interest to the 
-          Shorewall community. To subscribe:<br>
-    </p>
-       
-<p align="left"></p>
-       
-<ul>
-      <li><b>Insecure:</b> <a
- href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
-      <li><b>SSL</b>: <a
- href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
- target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
-       
-</ul>
-       
-<p align="left"><br>
-                  The list archives are at <a
- href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
-                                         
-<h2 align="left">Shorewall Development Mailing List</h2>
-                                         
-<p align="left">The Shorewall Development Mailing list provides a forum for
-          the exchange of ideas about the future of Shorewall and for coordinating
-         ongoing Shorewall Development.</p>
-                                              
+                                                
 <p align="left">To subscribe to the mailing list:<br>
      </p>
-       
+         
 <ul>
-      <li><b>Insecure: </b><a
+       <li><b>Insecure: </b><a
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
+       <li><b>SSL:</b> <a
+ href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
+ target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
+         
+</ul>
+                                     
+<p align="left">To post to the list, post to <a
+ href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
+                                           
+<p align="left">The list archives are at <a
+ href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
+                                           
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+may be found at <a
+ href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
+                                           
+<h2 align="left">Shorewall Announce Mailing List</h2>
+                                                
+<p align="left">This list is for announcements of general interest to the
+           Shorewall community. To subscribe:<br>
+     </p>
+         
+<p align="left"></p>
+         
+<ul>
+       <li><b>Insecure:</b> <a
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
+       <li><b>SSL</b>: <a
+ href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
+ target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
+         
+</ul>
+         
+<p align="left"><br>
+                   The list archives are at <a
+ href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
+                                           
+<h2 align="left">Shorewall Development Mailing List</h2>
+                                           
+<p align="left">The Shorewall Development Mailing list provides a forum for 
+          the exchange of ideas about the future of Shorewall and for coordinating 
+         ongoing Shorewall Development.</p>
+                                                
+<p align="left">To subscribe to the mailing list:<br>
+      </p>
+         
+<ul>
+       <li><b>Insecure: </b><a
  href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
-      <li><b>SSL:</b> <a
+       <li><b>SSL:</b> <a
  href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
  target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
-       
+         
 </ul>
-       
+         
 <p align="left">              To post to the list, post to <a
  href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
-                                         
+                                           
 <p align="left">The list archives are at <a
  href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
-                                         
-<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
+                                           
+<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of 
           the  Mailing Lists</h2>
-                                         
-<p align="left">There seems to be near-universal confusion about unsubscribing
-           from Mailman-managed lists although Mailman 2.1 has attempted
-to   make  this less confusing. To unsubscribe:</p>
-                                         
+                                           
+<p align="left">There seems to be near-universal confusion about unsubscribing 
+           from Mailman-managed lists although Mailman 2.1 has attempted to
+  make  this less confusing. To unsubscribe:</p>
+                                           
 <ul>
-                       <li>                                             
-                                                       
-    <p align="left">Follow the same link above that you used to subscribe
+                        <li>                                            
+                                                             
+    <p align="left">Follow the same link above that you used to subscribe 
           to the  list.</p>
-                       </li>
-                       <li>                                             
-                                                       
-    <p align="left">Down at the bottom of that page is the following text:
-          " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
-    reminder,         or change your subscription options enter your subscription 
-            email address:". Enter your email  address   in the box and click
-     on the "<b>Unsubscribe</b> or edit options" button.</p>
-                       </li>
-                       <li>                                             
-                                                       
-    <p align="left">There will now be a box where you can enter your password
-          and  click on "Unsubscribe"; if you have forgotten your password,
-  there      is  another  button that will cause your password to be emailed
+                        </li>
+                        <li>                                            
+                                                             
+    <p align="left">Down at the bottom of that page is the following text: 
+          " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password 
+    reminder,         or change your subscription options enter your subscription
+             email address:". Enter your email  address   in the box and
+click      on the "<b>Unsubscribe</b> or edit options" button.</p>
+                        </li>
+                        <li>                                            
+                                                             
+    <p align="left">There will now be a box where you can enter your password 
+          and  click on "Unsubscribe"; if you have forgotten your password, 
+  there      is  another  button that will cause your password to be emailed 
   to you.</p>
-                       </li>
-                                         
+                        </li>
+                                           
 </ul>
-                                         
-<hr>                     
+                                           
+<hr>                      
 <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
-                                         
+                                           
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-                                         
-<p align="left"><font size="2">Last updated 2/3/2003 - <a
+                                           
+<p align="left"><font size="2">Last updated 2/18/2003 - <a
  href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-                                         
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
-<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
- </p>
+                                           
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+  </p>
+  <br>
  <br>
 </body>
 </html>
diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm
deleted file mode 100644
index e43a34778..000000000
--- a/Shorewall-docs/myfiles.htm
+++ /dev/null
@@ -1,190 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-<head>
-                                     
-  <meta http-equiv="Content-Type"
- content="text/html; charset=windows-1252">
-  <title>My Shorewall Configuration</title>
-                                                                 
-  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                     
-  <meta name="ProgId" content="FrontPage.Editor.Document">
-                                         
-  <meta name="Microsoft Theme" content="none">
-</head>
-  <body>
-                       
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#400169" height="90">
-                 <tbody>
-            <tr>
-                   <td width="100%">                                    
-                              
-      <h1 align="center"><font color="#ffffff">About My Network</font></h1>
-                   </td>
-                 </tr>
-                                       
-  </tbody>        
-</table>
-                                         
-<blockquote> </blockquote>
-                                            
-<h1>My Current Network </h1>
-                                           
-<blockquote>                                                    
-  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small> 
-use a combination of Static NAT and Proxy ARP, neither of which are relevant 
-to a simple configuration with a single public IP address.</small></b></big><big><b><small> 
-If you have just a single public IP address, most of what you see here won't 
-apply to your setup so beware of copying parts of this configuration and expecting
-them to work for you. What you copy may or may not work in your setup. </small></b></big><br>
-   </p>
-   
-  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). 
-    My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
-    is connected to eth0. I have a local network connected to eth2 (subnet
- 192.168.1.0/24)     and a DMZ connected to eth1 (192.168.2.0/24). </p>
-                                                           
-  <p> I use:<br>
-          </p>
-                               
-  <ul>
-            <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
-    and external address 206.124.146.178.</li>
-            <li>Proxy ARP for wookie (my Linux System). This system has two 
- IP  addresses:  192.168.1.3/24 and 206.124.146.179/24.</li>
-            <li>SNAT through the primary gateway address (206.124.146.176)
- for    my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
-                               
-  </ul>
-                                                           
-  <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
-                                                           
-  <p> Wookie  runs Samba and acts as the a WINS server.  Wookie is in its
-    own 'whitelist' zone  called 'me'.</p>
-                                                           
-  <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
-    It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
-software     and is managed by Proxy ARP. It connects to the  local network
-through  the   PopTop server running on my firewall. </p>
-                                                           
-  <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
-    Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
-server    (Pure-ftpd). The system   also runs fetchmail to fetch our email
-from our    old and current ISPs. That server is managed through Proxy ARP.</p>
-                                                           
-  <p> The firewall system itself runs a DHCP server that serves the local
-      network.</p>
-                                                           
-  <p> All administration and publishing is done using ssh/scp.</p>
-                                                           
-  <p> I run an SNMP server on my firewall to serve <a
- href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
-    in the DMZ.</p>
-                                                           
-  <p align="center">                           <img border="0"
- src="images/network.png" width="764" height="846">
-          </p>
-                                                           
-  <p> </p>
-                                                           
-  <p>The ethernet interface in the Server is configured                 
-         with IP address 206.124.146.177, netmask                       
-    255.255.255.0. The server's default gateway is                      
-     206.124.146.254 (Router at my ISP. This is the same                
-           default gateway used by the firewall itself). On the firewall, 
-                              Shorewall automatically adds a host route to 
-                           206.124.146.177 through eth1 (192.168.2.1) because
-    of                           the entry in /etc/shorewall/proxyarp (see
- below).</p>
-                                                           
-  <p>A similar setup is used on eth3 (192.168.3.1) which                
-           interfaces to my laptop (206.124.146.180).<br>
-     </p>
-           
-  <p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior 
- access.<br>
-     </p>
-                                                           
-  <p><font color="#ff0000" size="5"></font></p>
-   </blockquote>
-     
-<h3>Shorewall.conf</h3>
-                     
-<pre>	SUBSYSLOCK=/var/lock/subsys/shorewall<br>	STATEDIR=/var/state/shorewall<br><br>	LOGRATE=<br>	LOGBURST=<br><br>	ADD_IP_ALIASES="Yes"<br><br>	CLAMPMSS=Yes<br><br>	MULTIPORT=Yes</pre>
-                   
-<h3>Zones File:</h3>
-                   
-<pre><font face="Courier" size="2">	#ZONE 	DISPLAY 	COMMENTS<br>	net	Internet	Internet<br>	me	Eastep		My Workstation<br>	loc	Local		Local networks<br>	dmz	DMZ		Demilitarized zone<br>	tx	Texas		Peer Network in Dallas Texas<br>	#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
-                   
-<h3>Interfaces File: </h3>
-                                               
-<blockquote>                                                        
-  <p> This is set up so that I can start the firewall before bringing up
-my Ethernet  interfaces. </p>
-             </blockquote>
-                     
-<pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp,filterping,maclist<br>	dmz	eth1 		206.124.146.255	filterping<br>	net	eth3		206.124.146.255 filterping,blacklist<br>	-	texas 		-               filterping<br>	loc	ppp+		-		filterping<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-                   
-<h3>Hosts File: </h3>
-                     
-<pre><font face="Courier" size="2">	#ZONE 		HOST(S)			OPTIONS<br>	me		eth2:192.168.1.3,eth2:206.124.146.179<br>	tx 		texas:192.168.9.0/24<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
-                                                   
-<h3>Routestopped File:</h3>
-                     
-<pre><font face="Courier" size="2">	#INTERFACE	HOST(S)<br>	eth1		206.124.146.177<br>	eth2 		-<br>	eth3 		206.124.146.180</font></pre>
-                   
-<h3>Common File: </h3>
-                   
-<pre><font size="2" face="Courier">	. /etc/shorewall/common.def<br>	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
- 
-<h3>Policy File:</h3>
-                     
-<pre><font size="2" face="Courier">
-	#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
-	me	all	ACCEPT
-	tx	me	ACCEPT		#Give Texas access to my personal system
-	all	me	CONTINUE	#<font
- color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br>					</font>#<font
- color="#ff0000">	  this policy to work as expected!!!</font>	<br>	loc 	loc 	ACCEPT<br>	loc 	net	ACCEPT<br>	$FW	loc	ACCEPT<br>	$FW	tx	ACCEPT<br>	loc	tx	ACCEPT<br>	loc	fw	REJECT<br>	net	net	ACCEPT<br>	net	all	DROP	info		10/sec:40<br>	all	all	REJECT	info<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
-                   
-<h3>Masq File: </h3>
-                                                         
-<blockquote>                                                            
-     
-  <p> Although most of our internal systems use static NAT, my wife's system
-     (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
-  laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
-          </blockquote>
-                     
-<pre><font size="2" face="Courier">	#INTERFACE 	SUBNET		ADDRESS<br>	eth0 		192.168.1.0/24	206.124.146.176<br>        texas           206.124.146.179 192.168.1.254<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
-                   
-<h3>NAT File: </h3>
-                   
-<pre><font size="2" face="Courier">	#EXTERNAL	INTERFACE	INTERNAL	ALL	LOCAL<br>	206.124.146.178 eth0 		192.168.1.5 	No 	No<br>	206.124.146.179 eth0 		192.168.1.3 	No 	No<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
-                                                             
-<h3>Proxy ARP File:</h3>
-                   
-<pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROU</font><font
- face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br></font><pre><font
- face="Courier" size="2">	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre></pre>
-                                                             
-<h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
-   
-<pre><small>	#TYPE           ZONE    GATEWAY</small><small>	<br>	gre             net     $TEXAS</small><small><br>	#LAST LINE -- DO NOT REMOVE<br></small></pre>
-   
-<h3>Rules File (The shell variables                                     
-      are set in /etc/shorewall/params):</h3>
-                     
-<pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	ACCEPT		net		loc:192.168.1.5		tcp	1723<br>	ACCEPT		net		loc:192.168.1.5		gre<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-                                                                
-<p><font size="2"> Last updated 1/12/2003  - </font><font size="2">     
-                                       <a href="support.htm">Tom Eastep</a></font> 
-      </p>
-           <a href="copyright.htm"><font size="2">Copyright</font>      © 
-<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  <br>
- <br>
-</body>
-</html>
diff --git a/Shorewall-docs/ping.html b/Shorewall-docs/ping.html
index fdf4b1126..7a392c7bb 100644
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@@ -2,147 +2,184 @@
 <html>
 <head>
   <title>ICMP Echo-request (Ping)</title>
-             
+                           
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-       
+               
   <meta name="author" content="Tom Eastep">
 </head>
   <body>
-   
+       
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
-     <tbody>
-      <tr>
-       <td width="100%">                   
+       <tbody>
+        <tr>
+         <td width="100%">                                 
       <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
-       </td>
-     </tr>
-         
-  </tbody>  
+         </td>
+       </tr>
+                 
+  </tbody>    
 </table>
-  <br>
-  Shorewall 'Ping' management has evolved over time with the latest change 
-coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>) 
-was added to /etc/shorewall/shorewall.conf. The value of that option determines 
-the overall handling of ICMP echo requests (pings).<br>
- 
-<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
- In 1.3.14, Ping handling was put under control of the rules and policies 
-just like any other connection request. In order to accept ping requests from
-zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
-a rule in /etc/shoreall/rules of the form:<br>
- 
+    <br>
+    Shorewall 'Ping' management has evolved over time with the latest change 
+ coming in Shorewall version 1.4.0. <br>
+     
+<h2>Shorewall Versions &gt;= 1.4.0</h2>
+ In order to accept ping requests from zone z1 to zone z2 where the policy 
+for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the 
+form:<br>
+     
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
-  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
- </blockquote>
- Example: <br>
- <br>
- To permit ping from the local zone to the firewall:<br>
- 
+   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+   Example: <br>
+   <br>
+   To permit ping from the local zone to the firewall:<br>
+     
 <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
-icmp&nbsp;&nbsp;&nbsp; 8<br>
- </blockquote>
-     If you would like to accept 'ping' by default even when the relevant
-policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
-already exist and in that file place the following command:<br>
- 
-<blockquote>   
+ icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+       If you would like to accept 'ping' by default even when the relevant
+ policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
+ already exist and in that file place the following command:<br>
+     
+<blockquote>         
   <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
- </blockquote>
- With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
-you need a rule of the form:<br>
- 
+   </blockquote>
+   With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
+ you need a rule of the form:<br>
+     
 <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
-  </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
- </blockquote>
- Example:<br>
+   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+   Example:<br>
+   <br>
+   To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
  <br>
- To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
  
 <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
-icmp&nbsp;&nbsp;&nbsp; 8<br>
+ icmp&nbsp;&nbsp;&nbsp; 8<br>
  </blockquote>
  
-<blockquote>      </blockquote>
- 
-<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
- </h2>
- There are several aspects to the old Shorewall Ping management:<br>
-   
-<ol>
-    <li>The <b>noping</b> and <b>filterping </b>interface options in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
-    <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf"> 
-/etc/shorewall/shorewall.conf</a>.</li>
-    <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
-   
-</ol>
-  There are two cases to consider:<br>
-   
-<ol>
-    <li>Ping requests addressed to the firewall itself; and</li>
-    <li>Ping requests being forwarded to another system. Included here are
- all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
- routing.</li>
-   
-</ol>
-  These cases will be covered separately.<br>
-   
-<h3>Ping Requests Addressed to the Firewall Itself</h3>
-  For ping requests addressed to the firewall, the sequence is as follows:<br>
-   
-<ol>
-    <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
-the  interface that receives the ping request then the request will be responded
- to with an ICMP echo-reply.</li>
-    <li>If <b>noping</b> is specified for the interface that receives the 
-ping request then the request is ignored.</li>
-    <li>If <b>filterping </b>is specified for the interface then the request
- is passed to the rules/policy evaluation.</li>
-   
-</ol>
-   
-<h3>Ping Requests Forwarded by the Firewall</h3>
-  These requests are <b>always</b> passed to rules/policy evaluation.<br>
-   
-<h3>Rules Evaluation</h3>
-  Ping requests are ICMP type 8. So the general rule format is:<br>
-  <br>
-  &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; 
-Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
-  <br>
-  Example 1. Accept pings from the net to the dmz (pings are responded to 
-with an ICMP echo-reply):<br>
-  <br>
-  &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
- icmp&nbsp;&nbsp;&nbsp; 8<br>
-  <br>
-  Example 2. Drop pings from the net to the firewall<br>
-  <br>
-  &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
- icmp&nbsp;&nbsp;&nbsp; 8<br>
-   
-<h3>Policy Evaluation</h3>
-  If no applicable rule is found, then the policy for the source to the destination
- is applied.<br>
-   
-<ol>
-    <li>If the relevant policy is ACCEPT then the request is responded to 
-with an ICMP echo-reply.</li>
-    <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
- then the request is responded to with an ICMP echo-reply.</li>
-    <li>Otherwise, the relevant REJECT or DROP policy is used and the request
- is either rejected or simply ignored.</li>
-   
-</ol>
-   
-<p><font size="2">Updated 1/21/2003 - <a href="support.htm">Tom Eastep</a> 
-</font></p>
+<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
+   In 1.3.14, Ping handling was put under control of the rules and policies 
+ just like any other connection request. In order to accept ping requests 
+from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
+a rule in /etc/shoreall/rules of the form:<br>
      
+<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
+   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+   Example: <br>
+   <br>
+   To permit ping from the local zone to the firewall:<br>
+     
+<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
+ icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+       If you would like to accept 'ping' by default even when the relevant
+ policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
+ already exist and in that file place the following command:<br>
+     
+<blockquote>         
+  <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
+   </blockquote>
+   With that rule in place, if you want to ignore 'ping' from z1 to z2 then 
+ you need a rule of the form:<br>
+     
+<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; 
+   </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+   Example:<br>
+   <br>
+   To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
+     
+<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; 
+ icmp&nbsp;&nbsp;&nbsp; 8<br>
+   </blockquote>
+     
+<blockquote>      </blockquote>
+     
+<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
+   </h2>
+   There are several aspects to the old Shorewall Ping management:<br>
+       
+<ol>
+      <li>The <b>noping</b> and <b>filterping </b>interface options in <a
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+      <li>The <b>FORWARDPING</b> option in<a
+ href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf</a>.</li>
+      <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+       
+</ol>
+    There are two cases to consider:<br>
+       
+<ol>
+      <li>Ping requests addressed to the firewall itself; and</li>
+      <li>Ping requests being forwarded to another system. Included here
+are   all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
+and simple   routing.</li>
+       
+</ol>
+    These cases will be covered separately.<br>
+       
+<h3>Ping Requests Addressed to the Firewall Itself</h3>
+    For ping requests addressed to the firewall, the sequence is as follows:<br>
+       
+<ol>
+      <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
+ the  interface that receives the ping request then the request will be responded
+  to with an ICMP echo-reply.</li>
+      <li>If <b>noping</b> is specified for the interface that receives the 
+ ping request then the request is ignored.</li>
+      <li>If <b>filterping </b>is specified for the interface then the request
+  is passed to the rules/policy evaluation.</li>
+       
+</ol>
+       
+<h3>Ping Requests Forwarded by the Firewall</h3>
+    These requests are <b>always</b> passed to rules/policy evaluation.<br>
+       
+<h3>Rules Evaluation</h3>
+    Ping requests are ICMP type 8. So the general rule format is:<br>
+    <br>
+    &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; 
+ Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
+    <br>
+    Example 1. Accept pings from the net to the dmz (pings are responded
+to  with an ICMP echo-reply):<br>
+    <br>
+    &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
+  icmp&nbsp;&nbsp;&nbsp; 8<br>
+    <br>
+    Example 2. Drop pings from the net to the firewall<br>
+    <br>
+    &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
+  icmp&nbsp;&nbsp;&nbsp; 8<br>
+       
+<h3>Policy Evaluation</h3>
+    If no applicable rule is found, then the policy for the source to the 
+destination  is applied.<br>
+       
+<ol>
+      <li>If the relevant policy is ACCEPT then the request is responded
+to  with an ICMP echo-reply.</li>
+      <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
+  then the request is responded to with an ICMP echo-reply.</li>
+      <li>Otherwise, the relevant REJECT or DROP policy is used and the request
+  is either rejected or simply ignored.</li>
+       
+</ol>
+       
+<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a> 
+ </font></p>
+         
 <p><a href="copyright.htm"><font size="2">Copyright</font>  &copy; <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
+     <br>
+    <br>
    <br>
   <br>
  <br>
diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm
index 5e0a09cab..4f53c7d9f 100644
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@@ -6,31 +6,32 @@
                                                                         
                                                                         
                                                                         
-      
+                                      
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-  <title>Shoreline Firewall (Shorewall) 1.3</title>
+  <title>Shoreline Firewall (Shorewall) 1.4</title>
                                                                         
                                                                         
                                                                         
                                                                         
                                                                         
-         <base target="_self">
+                                         <base target="_self">      
+  <meta name="author" content="Tom Eastep">
 </head>
   <body>
                                                                         
                                                                         
                                                                         
-  
+                  
 <table border="0" cellpadding="0" cellspacing="4"
  style="border-collapse: collapse;" width="100%" id="AutoNumber3"
  bgcolor="#4b017c">
                                                                         
-                          <tbody>
+                                  <tbody>
                                                                         
-                       <tr>
+                               <tr>
                                                                         
-                                <td width="100%" height="90">           
+                                        <td width="100%" height="90">   
                                                                         
                                                                         
                                                                         
@@ -39,15 +40,16 @@
                                                                         
                                                                         
                                                                         
-                             
+                                                                        
+                    
       <h1 align="center"> <font size="4"><i>           <a
  href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
  alt="Shorwall Logo" height="70" width="85" align="left"
  src="images/washington.jpg" border="0">
                                                                         
-                           </a></i></font><font color="#ffffff">Shorewall 
-     1.3     -               <font size="4">"<i>iptables                 
- made  easy"</i></font></font></h1>
+                                   </a></i></font><font color="#ffffff">Shorewall 
+1.4     -               <font size="4">"<i>iptables                   made 
+  easy"</i></font></font></h1>
                                                                         
                                                                         
                                                                         
@@ -56,42 +58,44 @@
                                                                         
                                                                         
                                                                         
-                                                              
+                                                                        
+                                                     
       <div align="center"><a
- href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
- color="#ffffff">Shorewall 1.2 Site here</font></a><br>
+ href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
+ color="#ffffff">Shorewall 1.3 Site here</font></a><br>
                                                                         
-                    </div>
+                            </div>
                                                                         
-                    <br>
+                            <br>
                                                                         
-                                </td>
+                                        </td>
+                                                                        
+                                    </tr>
                                                                         
-                            </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                                                                  
-  </tbody>                                                              
                          
+  </tbody>                                                              
+                                 
 </table>
                                                                         
                                                                         
                                                                         
-   
+                   
 <div align="center">                                                     
-                                           
+                                                   
 <center>                                                                 
-                               
+                                       
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                         
-                            <tbody>
+                                    <tbody>
                                                                         
-                       <tr>
+                               <tr>
                                                                         
-                                  <td width="90%">                      
+                                          <td width="90%">              
                                                                         
                                                                         
                                                                         
@@ -100,7 +104,8 @@
                                                                         
                                                                         
                                                                         
-                                                      
+                                                                        
+                                             
       <h2 align="left">What is it?</h2>
                                                                         
                                                                         
@@ -112,7 +117,8 @@
                                                                         
                                                                         
                                                                         
-                   
+                                                                        
+          
       <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
 a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
 firewall        that can be used on a dedicated firewall system, a multi-function
@@ -127,28 +133,30 @@ firewall        that can be used on a dedicated firewall system, a multi-functio
                                                                         
                                                                         
                                                                         
-                  
+                                                                        
+         
       <p>This program is free software; you can redistribute it and/or modify
-                                            it        under the terms of
-      <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
-the GNU General Public License</a> as published by the Free Software    
-   Foundation.<br>
+                                                it        under the terms
+of         <a href="http://www.gnu.org/licenses/gpl.html">Version       
+2 of  the GNU General Public License</a> as published by the Free Software
+       Foundation.<br>
                                                                         
-                               <br>
+                                       <br>
                                                                         
-                          This   program     is  distributed       in  the
-   hope     that     it   will     be  useful,    but         WITHOUT  ANY 
-    WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY 
-              or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the
-   GNU General     Public  License           for  more details.<br>
+                                  This   program     is  distributed    
+  in   the     hope     that     it   will     be  useful,    but       
+ WITHOUT    ANY      WARRANTY;      without      even the   implied    warranty 
+     of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR 
+    PURPOSE.        See the    GNU General     Public  License          
+for   more details.<br>
                                                                         
-                               <br>
+                                       <br>
                                                                         
-                          You   should    have   received     a  copy   of
-  the     GNU     General         Public      License             along 
-with    this   program;       if  not,    write  to  the    Free Software
-       Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA
- 02139,       USA</p>
+                                  You   should    have   received     a 
+copy     of   the     GNU     General         Public      License       
+     along     with    this   program;       if  not,    write  to  the 
+  Free Software           Foundation,              Inc.,  675     Mass  Ave,
+ Cambridge,   MA    02139,       USA</p>
                                                                         
                                                                         
                                                                         
@@ -159,7 +167,8 @@ with    this   program;       if  not,    write  to  the    Free Software
                                                                         
                                                                         
                                                                         
-                  
+                                                                        
+         
       <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
                                                                         
                                                                         
@@ -171,28 +180,31 @@ with    this   program;       if  not,    write  to  the    Free Software
                                                                         
                                                                         
                                                                         
-                                     
+                                                                        
+                            
       <p> <a href="http://leaf.sourceforge.net" target="_top"><img
  border="0" src="images/leaflogo.gif" width="49" height="36">
                                                                         
-                           </a>Jacques              Nilo   and   Eric   Wolzak
-      have     a   LEAF  (router/firewall/gateway         on  a floppy, 
- CD    or compact     flash)  distribution        called              <i>Bering</i> 
-       that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
-       You    can  find    their    work at:                <a
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
-                                          </a></p>
-                                                                        
-                                                                        
-                                                                        
-                                                                    
+                                   </a>Jacques              Nilo   and  
+Eric     Wolzak       have     a   LEAF  (router/firewall/gateway       
+ on  a  floppy,    CD    or compact     flash)  distribution        called
+             <i>Bering</i>          that          features      Shorewall-1.3.14 
+  and    Kernel-2.4.20.          You    can  find    their    work at:   
+            <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+      </a></p>
       <p><b>Congratulations to Jacques and Eric on the recent release of
-Bering 1.0 Final!!! </b><br>
-                                     </p>
+Bering 1.1!!!</b><br>
+                                                  </p>
                                                                         
                                                                         
                                                                         
-                                                                    
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                     
       <h2>This is a mirror of the main Shorewall web site at SourceForge
 (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
                                                                         
@@ -207,7 +219,8 @@ Bering 1.0 Final!!! </b><br>
                                                                         
                                                                         
                                                                         
-                                                         
+                                                                        
+                                               
       <h2>News</h2>
                                                                         
                                                                         
@@ -219,7 +232,7 @@ Bering 1.0 Final!!! </b><br>
                                                                         
                                                                         
                                                                         
-     
+                                                                     
       <h2></h2>
                                                                         
                                                                         
@@ -228,116 +241,111 @@ Bering 1.0 Final!!! </b><br>
                                                                         
                                                                         
                                                                         
-                 
-      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-             </b></p>
- 
-      <p>New features include</p>
- 
-      <ol>
-        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-When   set to Yes, Shorewall ping handling is as it has always been (see
-http://www.shorewall.net/ping.html).<br>
-         <br>
-     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
-policies   just like any other connection request. The FORWARDPING=Yes option 
-in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-will   all generate an error.<br>
-         <br>
-       </li>
-        <li>It is now possible to direct Shorewall to create a "label" such
- as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
-and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
-of just  the interface name:<br>
-      <br>
-        a) In the INTERFACE column of /etc/shorewall/masq<br>
-        b) In the INTERFACE column of /etc/shorewall/nat<br>
-      </li>
-        <li>Support for OpenVPN Tunnels.<br>
-     <br>
- </li>
-        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
-eth0.0)<br>
-     <br>
-   </li>
-        <li>When an interface name is entered in the SUBNET column of the
-/etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
-only the first subnet   defined on that interface. It did not masquerade
-traffic from:<br>
-      <br>
-        a) The subnets associated with other addresses on the interface.<br>
-        b) Subnets accessed through local routers.<br>
-      <br>
-     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
- SUBNET  column, shorewall will use the firewall's routing table to construct 
- the masquerading/SNAT rules.<br>
-      <br>
-     Example 1 -- This is how it works in 1.3.14.<br>
-        <br>
-                             
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
-                             
-          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
-      <br>
-     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
- connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
-  entry, your /etc/shorewall/masq file will need changing. In most cases,
-you  will simply be able to remove redundant entries. In some cases though,
-you  might want to change from using the interface name to listing specific
-subnetworks  if the change described above will cause masquerading to occur
-on subnetworks  that you don't wish to masquerade.<br>
-      <br>
-     Example 2 -- Suppose that your current config is as follows:<br>
-        <br>
-                             
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, the second entry in /etc/shorewall/masq is no longer
- required.<br>
-      <br>
-     Example 3 -- What if your current configuration is like this?<br>
-      <br>
-                             
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, you would want to change the entry in  /etc/shorewall/masq 
-  to:<br>
-                             
-          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-        </li>
-      </ol>
- <br>
- 
-      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
-      </b><b><img border="0" src="images/new10.gif" width="28"
- height="12" alt="(New)">
-             </b></p>
-   Webmin version 1.060 now has Shorewall support included as standard. See
-       <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>   </b>
-             
-      <p><b></b></p>
-                                                               
-      <p><b></b></p>
+                                                                        
        
+      <p><b>3/14/2003 - Shorewall 1.4.0</b><b>       </b><b><img
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+                     </b></p>
+                                                                 
+      <p></p>
+   Shorewall 1.4 represents the next step in the evolution of Shorewall.
+The  main thrust of the initial release is simply to remove the cruft that
+has  accumulated in Shorewall over time. <br>
+   Function from 1.3 that has been omitted from this version include:<br>
+                       
+      <ol>
+           <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported. 
+ Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+             <br>
+           </li>
+           <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
+in  /etc/shorewall/interfaces now generate an error.<br>
+             <br>
+           </li>
+           <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. 
+ OLD_PING_HANDLING=Yes will generate an error at startup as will specification 
+ of the 'noping' or 'filterping' interface options.<br>
+             <br>
+           </li>
+           <li>The 'routestopped' option in the /etc/shorewall/interfaces 
+and  /etc/shorewall/hosts files is no longer supported and will generate an
+error  at startup if specified.<br>
+             <br>
+           </li>
+           <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no 
+longer  accepted.<br>
+             <br>
+           </li>
+           <li>The ALLOWRELATED variable in shorewall.conf is no longer supported. 
+ Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+           <br>
+         </li>
+         <li>The icmp.def file has been removed.<br>
+          <br>
+        </li>
+        <li value="8">The 'multi' interface option is no longer supported.
+ Shorewall will generate rules for sending packets back out the same interface
+that they arrived on in two cases:</li>
+      </ol>
+ 
+      <ul>
+        <li>There is an <u>explicit</u> policy for the source zone to or
+from the destination zone. An explicit policy names both zones and does not
+use the 'all' reserved word.</li>
+        <li>There are one or more rules for traffic for the source zone to
+or from the destination zone including rules that use the 'all' reserved
+word. Exception: if the source zone and destination zone are the same then
+the rule must be explicit - it must name the zone in both the SOURCE and
+DESTINATION columns.<br>
+   </li>
+      </ul>
+      <ol>
+                       
+      </ol>
+   Changes for 1.4 include:<br>
+                       
+      <ol>
+           <li>The /etc/shorewall/shorewall.conf file has been completely 
+reorganized  into logical sections.<br>
+             <br>
+           </li>
+           <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
+             <br>
+           </li>
+           <li>The firewall script and version file are now installed in
+/usr/share/shorewall.<br>
+             <br>
+           </li>
+           <li>Late arriving DNS replies are now silently dropped in the
+common  chain by default.<br>
+             <br>
+           </li>
+           <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
+1.4 no longer unconditionally accepts outbound ICMP packets. So if you want 
+ to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
+          <br>
+        </li>
+        <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> now
+support the 'maclist' option.<br>
+        </li>
+                       
+      </ol>
+                                                                        
+                                              
       <ul>
                                                                         
                                                                         
                                                                         
-                                                            
+                                                                        
+                                                   
       </ul>
                                                                         
                                                                         
                                                                         
                                                                         
                                                                         
-                                                   
+                                                                        
+                                          
       <p><b></b><a href="News.htm">More News</a></p>
                                                                         
                                                                         
@@ -349,40 +357,45 @@ on subnetworks  that you don't wish to masquerade.<br>
                                                                         
                                                                         
                                                                         
-                                     
+                                                                        
+                            
       <h2><a name="Donations"></a>Donations</h2>
                                                                         
-                                                                     </td>
                                                                         
-                                  <td width="88" bgcolor="#4b017c"
- valign="top" align="center">              <a
+          </td>
+                                                                        
+                                          <td width="88"
+ bgcolor="#4b017c" valign="top" align="center">              <a
  href="http://sourceforge.net">M</a></td>
                                                                         
-                              </tr>
+                                      </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                                                                   
+                                                                        
+                          
   </tbody>                                                              
-                         
+                                 
 </table>
                                                                         
-                        </center>
+                                </center>
                                                                         
-                      </div>
+                              </div>
                                                                         
                                                                         
-                                                                   
+                                                                        
+          
 <table border="0" cellpadding="5" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber2"
  bgcolor="#4b017c">
                                                                         
-                     <tbody>
+                             <tbody>
                                                                         
-                       <tr>
+                               <tr>
                                                                         
-                           <td width="100%" style="margin-top: 1px;">   
+                                   <td width="100%"
+ style="margin-top: 1px;">                                               
                                                                         
                                                                         
                                                                         
@@ -391,12 +404,12 @@ on subnetworks  that you don't wish to masquerade.<br>
                                                                         
                                                                         
                                                                         
-                                   
+                                                
       <p align="center"><a href="http://www.starlight.org">        <img
  border="4" src="images/newlog.gif" width="57" height="100" align="left"
  hspace="10">
                                                                         
-                             </a></p>
+                                     </a></p>
                                                                         
                                                                         
                                                                         
@@ -406,30 +419,33 @@ on subnetworks  that you don't wish to masquerade.<br>
                                                                         
                                                                         
                                                                         
-                                                    
+                                                                        
+                                           
       <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
-                                            to       <a
+                                                to       <a
  href="http://www.starlight.org"><font color="#ffffff">Starlight        
 Children's Foundation.</font></a> Thanks!</font></p>
                                                                         
-                           </td>
+                                   </td>
                                                                         
-                       </tr>
+                               </tr>
                                                                         
                                                                         
                                                                         
                                                                         
-                                                             
+                                                                        
+                   
   </tbody>                                                              
-                         
+                                 
 </table>
                                                                         
                                                                         
-                                                            
-<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font> 
+                                                                        
+   
+<p><font size="2">Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                                                          
-                                    <br>
+                                        <br>
 </p>
 </body>
 </html>
diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm
index f1b1ba204..93cc0f007 100644
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@@ -1,126 +1,125 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                                 
+                                                     
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>About the Shorewall Author</title>
                                                                         
-             
+                    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                                 
-  <meta name="ProgId" content="FrontPage.Editor.Document">
                                                      
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+                                                         
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-                                  
+                                    
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#400169" height="90">
-                    <tbody>
-               <tr>
-                      <td width="100%">                                 
-                                                      
+                     <tbody>
+                <tr>
+                       <td width="100%">                                
+                                                              
       <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
-                      </td>
-                    </tr>
-                                                   
-  </tbody>           
+                       </td>
+                     </tr>
+                                                       
+  </tbody>            
 </table>
-                                          
+                                            
 <p align="center">       <img border="3" src="images/TomNTarry.png"
  alt="Tom on the PCT - 1991" width="316" height="392">
-           </p>
-                                          
+            </p>
+                                            
 <p align="center">Tarry &amp; Tom -- August 2002<br>
-                  <br>
-       </p>
-                                   
+                   <br>
+        </p>
+                                     
 <ul>
-                <li>Born 1945 in <a
+                 <li>Born 1945 in <a
  href="http://www.experiencewashington.com">Washington     State</a> .</li>
-                <li>BA Mathematics from <a href="http://www.wsu.edu">Washington 
-   State    University</a>  1967</li>
-                <li>MA Mathematics from <a
+                 <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
+    State    University</a>  1967</li>
+                 <li>MA Mathematics from <a
  href="http://www.washington.edu">University      of Washington</a> 1969</li>
-                <li>Burroughs Corporation (now <a
+                 <li>Burroughs Corporation (now <a
  href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
-                <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
-       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
--  present</li>
-                <li>Married 1969 - no children.</li>
-                         
-</ul>
-                               
-<p>I am currently a member of the design team for the next-generation    
-  operating system from the NonStop Enterprise Division of HP. </p>
-                               
-<p>I became interested in Internet Security when I established a home office 
-     in 1999 and had DSL service installed in our       home. I investigated 
-   ipchains  and developed the scripts which are now collectively known as 
- <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
-     on what I learned from Seattle Firewall, I then       designed and wrote 
-    Shorewall. </p>
-                               
-<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, 
-      Washington</a>  where I live with my wife Tarry. </p>
-                               
-<p>Our current home network consists of: </p>
+                 <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> 
+       (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
+ present</li>
+                 <li>Married 1969 - no children.</li>
                            
-<ul>
-                <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB 
- IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Serves
-as a PPTP server for Road Warrior access. Dual boots <a
- href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
-                <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
-  NIC   -  My      personal Linux System which runs Samba configured as a 
-WINS  server.    This      system also has <a
- href="http://www.vmware.com/">VMware</a>  installed    and      can run both
-    <a href="http://www.debian.org">Debian  Woody</a> and         <a
- href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
-                <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  
-- Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), 
-DNS  server        (Bind 9).</li>
-                <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX 
-    (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.14  and a DHCP
-       server.</li>
-                <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
-My  wife's        personal system.</li>
-                <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
- EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main
- work system.</li>
-                         
 </ul>
-                         
-<p>For more about our network see <a href="myfiles.htm">my Shorewall   Configuration</a>.</p>
-                               
+                                 
+<p>I am currently a member of the design team for the next-generation   
+   operating system from the NonStop Enterprise Division of HP. </p>
+                                 
+<p>I became interested in Internet Security when I established a home office
+      in 1999 and had DSL service installed in our       home. I investigated
+    ipchains  and developed the scripts which are now collectively known
+as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>.
+Expanding       on what I learned from Seattle Firewall, I then       designed
+and wrote      Shorewall. </p>
+                                 
+<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
+       Washington</a>  where I live with my wife Tarry. </p>
+                                 
+<p>Our current home network consists of: </p>
+                             
+<ul>
+                 <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
+20GB   IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system.
+Serves as a PPTP server for Road Warrior access. Dual boots <a
+ href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
+                 <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
+   NIC   -  My      personal Linux System which runs Samba configured as
+a  WINS  server.    This      system also has <a
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run
+both     <a href="http://www.debian.org">Debian  Woody</a> and         <a
+ href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
+                 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
+ - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
+ DNS  server        (Bind 9).</li>
+                 <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3     
+LNE100TX      (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.4.0
+Alpha 2  and a DHCP        server.</li>
+                 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - 
+My  wife's        personal system.</li>
+                 <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard 
+ EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main 
+ work system.</li>
+                           
+</ul>
+                           
 <p>All of our        other systems are made by <a
  href="http://www.compaq.com">Compaq</a> (part        of the new <a
  href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
  href="http://www.netgear.com">Netgear</a>       FA310TXs.</p>
-                                 
+                                   
 <p><a href="http://www.redhat.com"><img border="0"
  src="images/poweredby.png" width="88" height="31">
-           </a><a href="http://www.compaq.com"><img border="0"
+            </a><a href="http://www.compaq.com"><img border="0"
  src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
-           </a><a href="http://www.pureftpd.org"><img border="0"
+            </a><a href="http://www.pureftpd.org"><img border="0"
  src="images/pure.jpg" width="88" height="31">
-           </a><font size="4"><a href="http://www.apache.org"><img
+            </a><font size="4"><a href="http://www.apache.org"><img
  border="0" src="images/apache_pb1.gif" hspace="2" width="170"
  height="20">
-    </a><a href="http://www.mandrakelinux.com"><img
+     </a><a href="http://www.mandrakelinux.com"><img
  src="images/medbutton.png" alt="Powered by Mandrake" width="90"
  height="32">
-   </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
+    </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
  width="125" height="40" hspace="4">
-             </font></p>
-                                     
-<p><font size="2">Last updated 1/24/2003 - </font><font size="2">       <a
+              </font></p>
+                                       
+<p><font size="2">Last updated 2/18/2003 - </font><font size="2">       <a
  href="support.htm">Tom Eastep</a></font>  </p>
-              <font face="Trebuchet MS"><a href="copyright.htm"><font
- size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas 
-M. Eastep.</font></a></font><br>
+               <font face="Trebuchet MS"><a href="copyright.htm"><font
+ size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas
+ M. Eastep.</font></a></font><br>
+  <br>
  <br>
 </body>
 </html>
diff --git a/Shorewall-docs/shorewall_extension_scripts.htm b/Shorewall-docs/shorewall_extension_scripts.htm
index 650be5874..73910506c 100644
--- a/Shorewall-docs/shorewall_extension_scripts.htm
+++ b/Shorewall-docs/shorewall_extension_scripts.htm
@@ -1,133 +1,126 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
- 
+     
   <meta http-equiv="Content-Language" content="en-us">
- 
+     
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
- 
+     
   <meta name="ProgId" content="FrontPage.Editor.Document">
- 
+     
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Extension Scripts</title>
 </head>
   <body>
                                                                         
-           
+             
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
                                                                         
-            <tbody>
-    <tr>
+             <tbody>
+     <tr>
                                                                         
-              <td width="100%">                                         
-                                             
+               <td width="100%">                                        
+                                                     
       <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
                                                                         
-              </td>
+               </td>
                                                                         
-            </tr>
+             </tr>
                                                                         
-          
-  </tbody>
+              
+  </tbody> 
 </table>
                                                                         
-                                                 
-<p>  Extension scripts are   user-provided  scripts that are invoked at various
-points during firewall   start, restart,  stop and clear. The scripts are
-placed in /etc/shorewall and   are processed  using the Bourne shell "source"
+                                                   
+<p>  Extension scripts are   user-provided  scripts that are invoked at various 
+points during firewall   start, restart,  stop and clear. The scripts are 
+placed in /etc/shorewall and   are processed  using the Bourne shell "source" 
 mechanism. The   following scripts can be  supplied:</p>
-  
+    
 <ul>
-    <li>init -- invoked early in "shorewall start" and       "shorewall restart"</li>
-    <li>start -- invoked after the firewall has been started or restarted.</li>
-    <li>stop -- invoked as a first step when the firewall is being stopped.</li>
-    <li>stopped -- invoked after the firewall has been stopped.</li>
-    <li>clear -- invoked after the firewall has been cleared.</li>
-    <li>refresh -- invoked while the firewall is being refreshed but before
+     <li>init -- invoked early in "shorewall start" and       "shorewall
+restart"</li>
+     <li>start -- invoked after the firewall has been started or restarted.</li>
+     <li>stop -- invoked as a first step when the firewall is being stopped.</li>
+     <li>stopped -- invoked after the firewall has been stopped.</li>
+     <li>clear -- invoked after the firewall has been cleared.</li>
+     <li>refresh -- invoked while the firewall is being refreshed but before 
 the     common and/or blacklst chains have been rebuilt.</li>
-    <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
+     <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' 
 chain     has been created but before any rules have been added to it.</li>
- 
+   
 </ul>
                                                                         
                                                                         
                                                                         
-                                    
-<p><u><b>If your version of Shorewall doesn't have the file that you want
+                                      
+<p><u><b>If your version of Shorewall doesn't have the file that you want 
 to use from the above list, you can simply create the file yourself.</b></u></p>
-<p>   You can also supply a script with the same name as any of the filter
-  chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules 
- file has been processed but before the   /etc/shorewall/policy file has been
- processed.</p>
+ 
+<p>   You can also supply a script with the same name as any of the filter 
+  chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules
+  file has been processed but before the   /etc/shorewall/policy file has
+been  processed.</p>
                                                                         
                                                                         
                                                                         
-                                    
-<p>The /etc/shorewall/common file receives special treatment. If this file
-is present, the rules that it       defines will totally replace the default
-rules in the common chain. These         default rules are contained in the
-file /etc/shorewall/common.def which        may be used as a starting point
+                                      
+<p>The /etc/shorewall/common file receives special treatment. If this file 
+is present, the rules that it       defines will totally replace the default 
+rules in the common chain. These         default rules are contained in the 
+file /etc/shorewall/common.def which        may be used as a starting point 
 for making your own customized file.</p>
                                                                         
                                                                         
                                                                         
-                                    
-<p>   Rather than running iptables directly, you should run it using the
-  function  run_iptables. Similarly, rather than running "ip" directly, 
- you should use run_ip. These functions accept the same arguments as the
-  underlying command but cause the firewall to be stopped if an error occurs
+                                      
+<p>   Rather than running iptables directly, you should run it using the 
+ function  run_iptables. Similarly, rather than running "ip" directly,  
+you should use run_ip. These functions accept the same arguments as the 
+ underlying command but cause the firewall to be stopped if an error occurs 
   during processing of the command.</p>
                                                                         
                                                                         
                                                                         
-                                   
-<p>   If you decide to create /etc/shorewall/common it is a good idea to
-use the    following technique</p>
+                                     
+<p>   If you decide to create /etc/shorewall/common it is a good idea to use
+the    following technique</p>
                                                                         
                                                                         
                                                                         
-                                   
+                                     
 <p>   /etc/shorewall/common:</p>
                                                                         
                                                                         
                                                                         
-                                   
-<blockquote>                                                            
-                        
+                                     
+<blockquote>                                                             
+                          
   <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
-  </blockquote>
-  
-<p>If you need to supercede a rule in the released common.def file, you can
-add   the superceding rule before the '.' command. Using this technique allows
-  you to add new rules while still getting the benefit of the latest common.def
+   </blockquote>
+    
+<p>If you need to supercede a rule in the released common.def file, you can 
+add   the superceding rule before the '.' command. Using this technique allows 
+  you to add new rules while still getting the benefit of the latest common.def 
   file.</p>
                                                                         
                                                                         
-                           
-<p>Remember that /etc/shorewall/common defines rules   that are only applied
-if the applicable policy is DROP or REJECT. These rules   are NOT applied
+                             
+<p>Remember that /etc/shorewall/common defines rules   that are only applied 
+if the applicable policy is DROP or REJECT. These rules   are NOT applied 
 if the policy is ACCEPT or CONTINUE.</p>
                                                                         
                                                                         
-                           
-<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will
-be   rejected by the firewall. It is recommended with this setting that you
-create   the file /etc/shorewall/icmpdef and in it place the following commands:</p>
-                                                                        
-                                                                        
-                                                                        
-                                   
-<pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
-                                                                        
-          
-<p align="left"><font size="2">Last updated 12/22/2002 - <a
+                             
+<p align="left"><font size="2">Last updated 2/18/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
-  
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
-M. Eastep</font></a></p>
-  <br>
+    
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
+Thomas M. Eastep</font></a></p>
+   <br>
+ <br>
 </body>
 </html>
diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm
index 5d90139ad..ea3043acd 100644
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@@ -1,299 +1,299 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                                                     
+                                                                        
   <meta http-equiv="Content-Language" content="en-us">
-                                                                     
+                                                                        
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                                                     
+                                                                        
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                                                                     
+                                                                        
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall QuickStart Guide</title>
                                                                         
-                                                
+                                                       
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-                                    
+                                      
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#400169" height="90">
-                    <tbody>
-                     <tr>
-                      <td width="100%">                                 
+                     <tbody>
+                      <tr>
+                       <td width="100%">                                
                                                                         
-                 
-      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides 
- (HOWTO's)<br>
-                  Version 3.1</font></h1>
-                      </td>
-                    </tr>
-                                                                     
-  </tbody>                 
+                         
+      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
+  (HOWTO's)<br>
+                   Version 3.1</font></h1>
+                       </td>
+                     </tr>
+                                                                        
+  </tbody>                  
 </table>
-                                    
-<p align="center">With thanks to Richard who reminded me once again that we
-must  all first walk before we can run.<br>
- The French Translations are courtesy of Patrice Vetsel<br>
- </p>
-                                    
+                                      
+<p align="center">With thanks to Richard who reminded me once again that
+we must  all first walk before we can run.<br>
+  The French Translations are courtesy of Patrice Vetsel<br>
+  </p>
+                                      
 <h2>The Guides</h2>
-                                   
-<p>These guides provide step-by-step instructions for configuring Shorewall 
-        in  common firewall setups.</p>
-                                   
+                                     
+<p>These guides provide step-by-step instructions for configuring Shorewall
+         in  common firewall setups.</p>
+                                     
 <p>The following guides are for <b>users who have a single public IP address</b>:</p>
-                                   
+                                     
 <ul>
-                    <li><a href="standalone.htm">Standalone</a> Linux System 
-(<a href="standalone_fr.html">Version Française</a>)</li>
-                    <li><a href="two-interface.htm">Two-interface</a> Linux 
- System    acting    as a    firewall/router for a small local network (<a
+                     <li><a href="standalone.htm">Standalone</a> Linux System
+ (<a href="standalone_fr.html">Version Française</a>)</li>
+                     <li><a href="two-interface.htm">Two-interface</a> Linux
+  System    acting    as a    firewall/router for a small local network (<a
  href="two-interface_fr.html">Version Française</a>)</li>
-                    <li><a href="three-interface.htm">Three-interface</a> 
-Linux    System    acting  as a    firewall/router for a small local network 
-and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
-                                   
+                     <li><a href="three-interface.htm">Three-interface</a>
+ Linux    System    acting  as a    firewall/router for a small local network
+ and  a  DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
+                                     
 </ul>
-                                   
-<p>The above guides are designed to get your first firewall up and running 
-         quickly in the three most common Shorewall configurations.</p>
-                                   
-<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines 
-         the steps necessary to set up a firewall where <b>there are multiple 
-    public    IP  addresses involved or if you want to learn more about Shorewall 
-    than   is  explained in the single-address guides above.</b></p>
-                                   
+                                     
+<p>The above guides are designed to get your first firewall up and running
+          quickly in the three most common Shorewall configurations.</p>
+                                     
+<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
+          the steps necessary to set up a firewall where <b>there are multiple
+     public    IP  addresses involved or if you want to learn more about
+Shorewall      than   is  explained in the single-address guides above.</b></p>
+                                     
 <ul>
-                    <li><a href="shorewall_setup_guide.htm#Introduction">1.0
-  Introduction</a></li>
-                    <li><a href="shorewall_setup_guide.htm#Concepts">2.0
+                     <li><a
+ href="shorewall_setup_guide.htm#Introduction">1.0   Introduction</a></li>
+                     <li><a href="shorewall_setup_guide.htm#Concepts">2.0 
 Shorewall      Concepts</a></li>
-                    <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
+                     <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 
  Network     Interfaces</a></li>
-                    <li><a href="shorewall_setup_guide.htm#Addressing">4.0
- Addressing,       Subnets  and Routing</a>                             
-                                                       
+                     <li><a href="shorewall_setup_guide.htm#Addressing">4.0 
+ Addressing,       Subnets  and Routing</a>                              
+                                                           
     <ul>
-                      <li><a href="shorewall_setup_guide.htm#Addresses">4.1 
- IP  Addresses</a></li>
-                                  <li><a
+                       <li><a href="shorewall_setup_guide.htm#Addresses">4.1
+  IP  Addresses</a></li>
+                                   <li><a
  href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
-                      <li><a href="shorewall_setup_guide.htm#Routing">4.3 
-Routing</a></li>
-                      <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address 
-  Resolution      Protocol</a></li>
+                       <li><a href="shorewall_setup_guide.htm#Routing">4.3
+ Routing</a></li>
+                       <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
+   Resolution      Protocol</a></li>
                                                                         
-                                
+                                      
     </ul>
                                                                         
-                                
+                                      
     <ul>
-                      <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 
-RFC   1918</a></li>
+                       <li><a href="shorewall_setup_guide.htm#RFC1918">4.5
+ RFC   1918</a></li>
                                                                         
-                                
+                                      
     </ul>
-                    </li>
-                    <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting 
-   up  your   Network</a>                                                
-                                    
+                     </li>
+                     <li><a href="shorewall_setup_guide.htm#Options">5.0
+Setting     up  your   Network</a>                                      
+                                                   
     <ul>
-                      <li><a href="shorewall_setup_guide.htm#Routed">5.1
+                       <li><a href="shorewall_setup_guide.htm#Routed">5.1 
 Routed</a></li>
                                                                         
-                                
+                                      
     </ul>
                                                                         
-                                
+                                      
     <ul>
-                      <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 
- Non-routed</a>                                                          
+                       <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
+  Non-routed</a>                                                        
                                                                         
-                            
+                                       
         <ul>
-                        <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
+                         <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 
  SNAT</a></li>
-                        <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
+                         <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 
  DNAT</a></li>
-                        <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
-   Proxy    ARP</a></li>
-                        <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 
-Static    NAT</a></li>
+                         <li><a
+ href="shorewall_setup_guide.htm#ProxyARP">5.2.3    Proxy    ARP</a></li>
+                         <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
+ Static    NAT</a></li>
                                                                         
                                                                         
-                             
+                                       
         </ul>
-                      </li>
-                      <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
-                      <li><a
+                       </li>
+                       <li><a href="shorewall_setup_guide.htm#Rules">5.3
+Rules</a></li>
+                       <li><a
  href="shorewall_setup_guide.htm#OddsAndEnds">5.4   Odds   and   Ends</a></li>
                                                                         
-                                
+                                      
     </ul>
-                    </li>
-                    <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
-                    <li><a
- href="shorewall_setup_guide.htm#StartingAndStopping">7.0   Starting    and
+                     </li>
+                     <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
+                     <li><a
+ href="shorewall_setup_guide.htm#StartingAndStopping">7.0   Starting    and 
       Stopping the Firewall</a></li>
-                                   
-</ul>
-                                   
-<h2><a name="Documentation"></a>Documentation Index</h2>
-                                   
-<p>The following documentation covers a variety of topics and <b>supplements 
-        the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> 
-  described      above</b>. Please review the appropriate guide before trying 
-  to use this    documentation directly.</p>
-                                   
-<ul>
-                    <li><a href="blacklisting_support.htm">Blacklisting</a> 
-                                                                         
-           
-    <ul>
-                      <li>Static Blacklisting using /etc/shorewall/blacklist</li>
-                      <li>Dynamic Blacklisting using /sbin/shorewall</li>
-                                                                        
-                                
-    </ul>
-                    </li>
-                    <li><a href="configuration_file_basics.htm">Common configuration
-      file   features</a>                                               
                                      
+</ul>
+                                     
+<h2><a name="Documentation"></a>Documentation Index</h2>
+                                     
+<p>The following documentation covers a variety of topics and <b>supplements
+         the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
+   described      above</b>. Please review the appropriate guide before trying
+   to use this    documentation directly.</p>
+                                     
+<ul>
+                     <li><a href="blacklisting_support.htm">Blacklisting</a>
+                                                                        
+                  
     <ul>
-                      <li><a
- href="configuration_file_basics.htm#Comments">Comments  in configuration 
-files</a></li>
-                      <li><a
+                       <li>Static Blacklisting using /etc/shorewall/blacklist</li>
+                       <li>Dynamic Blacklisting using /sbin/shorewall</li>
+                                                                        
+                                      
+    </ul>
+                     </li>
+                     <li><a href="configuration_file_basics.htm">Common configuration 
+      file   features</a>                                                
+                                         
+    <ul>
+                       <li><a
+ href="configuration_file_basics.htm#Comments">Comments  in configuration
+ files</a></li>
+                       <li><a
  href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
-                      <li><a href="configuration_file_basics.htm#Ports">Port
+                       <li><a href="configuration_file_basics.htm#Ports">Port 
   Numbers/Service Names</a></li>
-                      <li><a href="configuration_file_basics.htm#Ranges">Port
-  Ranges</a></li>
-                      <li><a
+                       <li><a
+ href="configuration_file_basics.htm#Ranges">Port   Ranges</a></li>
+                       <li><a
  href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
-                      <li><a
+                       <li><a
  href="configuration_file_basics.htm#dnsnames">Using  DNS Names</a><br>
-                 </li>
-                      <li><a
- href="configuration_file_basics.htm#Compliment">Complementing an IP address 
- or Subnet</a></li>
-                      <li><a
- href="configuration_file_basics.htm#Configs">Shorewall   Configurations
-(making a test configuration)</a></li>
-                      <li><a href="configuration_file_basics.htm#MAC">Using 
- MAC Addresses in Shorewall</a></li>
+                  </li>
+                       <li><a
+ href="configuration_file_basics.htm#Compliment">Complementing an IP address
+  or Subnet</a></li>
+                       <li><a
+ href="configuration_file_basics.htm#Configs">Shorewall   Configurations (making
+a test configuration)</a></li>
+                       <li><a href="configuration_file_basics.htm#MAC">Using
+  MAC Addresses in Shorewall</a></li>
                                                                         
-                                               
+                                                     
     </ul>
-                    </li>
-                    <li><a href="Documentation.htm">Configuration File Reference
-    Manual</a>                                                          
-                              
+                     </li>
+                     <li><a href="Documentation.htm">Configuration File Reference 
+    Manual</a>                                                           
+                                  
     <ul>
-                      <li>   <a href="Documentation.htm#Variables">params</a></li>
-                      <li><font color="#000099"><a
+                       <li>   <a href="Documentation.htm#Variables">params</a></li>
+                       <li><font color="#000099"><a
  href="Documentation.htm#Zones">zones</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#Interfaces">interfaces</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#Hosts">hosts</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#Policy">policy</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#Rules">rules</a></font></li>
-                      <li><a href="Documentation.htm#Common">common</a></li>
-                      <li><font color="#000099"><a
+                       <li><a href="Documentation.htm#Common">common</a></li>
+                       <li><font color="#000099"><a
  href="Documentation.htm#Masq">masq</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#NAT">nat</a></font></li>
-                      <li><font color="#000099"><a
+                       <li><font color="#000099"><a
  href="Documentation.htm#Tunnels">tunnels</a></font></li>
-                      <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
-                      <li><font color="#000099"><a
+                       <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
+                       <li><font color="#000099"><a
  href="Documentation.htm#Conf">shorewall.conf</a></font></li>
-                      <li><a href="Documentation.htm#modules">modules</a></li>
-                      <li><a href="Documentation.htm#TOS">tos</a> </li>
-                      <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
-                      <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
-                      <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
+                       <li><a href="Documentation.htm#modules">modules</a></li>
+                       <li><a href="Documentation.htm#TOS">tos</a> </li>
+                       <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
+                       <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
+                       <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
                                                                         
-                                
+                                      
     </ul>
-                    </li>
-                    <li><a href="dhcp.htm">DHCP</a></li>
-                    <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
-(How to extend Shorewall without modifying Shorewall  code)</li>
-                    <li><a href="fallback.htm">Fallback/Uninstall</a></li>
-                    <li><a href="shorewall_firewall_structure.htm">Firewall 
- Structure</a></li>
-                    <li><font color="#000099"><a href="kernel.htm">Kernel 
-Configuration</a></font></li>
-       <li><a href="shorewall_logging.html">Logging</a><br>
-       </li>
-                    <li><a href="MAC_Validation.html">MAC Verification</a><br>
-      </li>
-      <li><a href="myfiles.htm">My  Configuration Files</a> (How  I  personally
-      use Shorewall)</li>
-                    <li><a href="ping.html">'Ping' Management</a><br>
+                     </li>
+                     <li><a href="dhcp.htm">DHCP</a></li>
+                     <li><font color="#000099"><a
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
+to extend Shorewall without modifying Shorewall  code)</li>
+                     <li><a href="fallback.htm">Fallback/Uninstall</a></li>
+                     <li><a href="shorewall_firewall_structure.htm">Firewall
+  Structure</a></li>
+                     <li><font color="#000099"><a href="kernel.htm">Kernel
+ Configuration</a></font></li>
+        <li><a href="shorewall_logging.html">Logging</a><br>
         </li>
-        <li><a href="ports.htm">Port Information</a>                    
-                                                                
+                     <li><a href="MAC_Validation.html">MAC Verification</a><br>
+       </li>
+                            <li><a href="ping.html">'Ping' Management</a><br>
+         </li>
+         <li><a href="ports.htm">Port Information</a>                   
+                                                                      
     <ul>
-                      <li>Which applications use which ports</li>
-                      <li>Ports used by Trojans</li>
+                       <li>Which applications use which ports</li>
+                       <li>Ports used by Trojans</li>
                                                                         
-                                
+                                      
     </ul>
-                    </li>
-                    <li><a href="ProxyARP.htm">Proxy ARP</a></li>
-                    <li><a href="samba.htm">Samba</a></li>
-                    <li><font color="#000099"><a
+                     </li>
+                     <li><a href="ProxyARP.htm">Proxy ARP</a></li>
+                     <li><a href="samba.htm">Samba</a></li>
+                     <li><font color="#000099"><a
  href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
-                                       
+                                           
   <ul>
-              <li>Description of all /sbin/shorewall commands</li>
-              <li>How to safely test a Shorewall configuration change<br>
-              </li>
-                                       
+               <li>Description of all /sbin/shorewall commands</li>
+               <li>How to safely test a Shorewall configuration change<br>
+               </li>
+                                           
   </ul>
-                    <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
-    <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy 
-with Shorewall</a><br>
-    </li>
-                    <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
-                    <li>VPN                                             
-                                       
+                     <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
+     <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
+ with Shorewall</a><br>
+     </li>
+                     <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
+                     <li>VPN                                            
+                                             
     <ul>
-                      <li><a href="IPSEC.htm">IPSEC</a></li>
-                      <li><a href="IPIP.htm">GRE and IPIP</a></li>
-      <li><a href="OPENVPN.html">OpenVPN</a><br>
-      </li>
-                      <li><a href="PPTP.htm">PPTP</a></li>
-                      <li><a href="VPN.htm">IPSEC/PPTP</a> from a system
+                       <li><a href="IPSEC.htm">IPSEC</a></li>
+                       <li><a href="IPIP.htm">GRE and IPIP</a></li>
+       <li><a href="OPENVPN.html">OpenVPN</a><br>
+       </li>
+                       <li><a href="PPTP.htm">PPTP</a></li>
+                       <li><a href="VPN.htm">IPSEC/PPTP</a> from a system 
 behind    your   firewall   to a      remote network.</li>
                                                                         
-                                
+                                      
     </ul>
-                    </li>
-                    <li><a href="whitelisting_under_shorewall.htm">White
+                     </li>
+                     <li><a href="whitelisting_under_shorewall.htm">White 
 List   Creation</a></li>
-                                   
+                                     
 </ul>
-                                   
+                                     
 <p>If you use one of these guides and have a suggestion for improvement <a
  href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-                                   
+                                     
 <p><font size="2">Last modified 2/4/2003 - <a href="support.htm">Tom Eastep</a></font></p>
-                                    
-<p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M.
+                                      
+<p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M. 
  Eastep</font></a><br>
-    </p>
+     </p>
+     <br>
     <br>
    <br>
   <br>
diff --git a/Shorewall-docs/shorewall_setup_guide.htm b/Shorewall-docs/shorewall_setup_guide.htm
index 872073076..1e30cdea6 100644
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@@ -1,424 +1,207 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                 
+                         
   <meta http-equiv="Content-Language" content="en-us">
-                 
+                         
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                 
+                         
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                 
+                         
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Setup Guide</title>
-                              
+                                            
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-          
+              
 <h1 align="center">Shorewall Setup Guide</h1>
-         
+             
 <p><a href="#Introduction">1.0 Introduction</a><br>
-     <a href="#Concepts">2.0 Shorewall Concepts</a><br>
-     <a href="#Interfaces">3.0 Network Interfaces</a><br>
-     <a href="#Addressing">4.0 Addressing, Subnets and Routing</a></p>
-         
-<blockquote>             
+       <a href="#Concepts">2.0 Shorewall Concepts</a><br>
+       <a href="#Interfaces">3.0 Network Interfaces</a><br>
+       <a href="#Addressing">4.0 Addressing, Subnets and Routing</a></p>
+             
+<blockquote>                   
   <p><a href="#Addresses">4.1 IP Addresses</a><br>
-     <a href="#Subnets">4.2 Subnets</a><br>
-     <a href="#Routing">4.3 Routing</a><br>
-     <a href="#ARP">4.4 Address Resolution Protocol</a><br>
-     <a href="#RFC1918">4.5 RFC 1918</a></p>
-     </blockquote>
-         
-<p><a href="#Options">5.0 Setting up your Network</a></p>
-         
-<blockquote>             
-  <p><a href="#Routed">5.1 Routed</a><br>
-     <a href="#NonRouted">5.2 Non-routed</a></p>
-                   
-  <blockquote>                     
-    <p><a href="#SNAT">5.2.1 SNAT</a><br>
-     <a href="#DNAT">5.2.2 DNAT</a><br>
-     <a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
-     <a href="#NAT">5.2.4 Static NAT</a></p>
+       <a href="#Subnets">4.2 Subnets</a><br>
+       <a href="#Routing">4.3 Routing</a><br>
+       <a href="#ARP">4.4 Address Resolution Protocol</a><br>
+       <a href="#RFC1918">4.5 RFC 1918</a></p>
        </blockquote>
-                 
+             
+<p><a href="#Options">5.0 Setting up your Network</a></p>
+             
+<blockquote>                   
+  <p><a href="#Routed">5.1 Routed</a><br>
+       <a href="#NonRouted">5.2 Non-routed</a></p>
+                           
+  <blockquote>                               
+    <p><a href="#SNAT">5.2.1 SNAT</a><br>
+       <a href="#DNAT">5.2.2 DNAT</a><br>
+       <a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
+       <a href="#NAT">5.2.4 Static NAT</a></p>
+         </blockquote>
+                         
   <p><a href="#Rules">5.3 Rules</a><br>
-     <a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
-     </blockquote>
-         
+       <a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
+       </blockquote>
+             
 <p><a href="#DNS">6.0 DNS</a><br>
-     <a href="#StartingAndStopping">7.0 Starting and Stopping the Firewall</a></p>
-         
+       <a href="#StartingAndStopping">7.0 Starting and Stopping the Firewall</a></p>
+             
 <h2><a name="Introduction"></a>1.0 Introduction</h2>
-         
+             
 <p>This guide is intended for users who are setting up Shorewall in an  environment
-  where a set of public IP addresses must be managed or who want to  know
-more  about Shorewall than is contained in the  <a
+   where a set of public IP addresses must be managed or who want to  know
+ more  about Shorewall than is contained in the  <a
  href="shorewall_quickstart_guide.htm">single-address  guides</a>. Because
-  the  range of possible applications is so broad, the Guide will give you
- general  guidelines and will point you to other resources as necessary.</p>
-         
+   the  range of possible applications is so broad, the Guide will give you
+  general  guidelines and will point you to other resources as necessary.</p>
+             
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-         If you run LEAF Bering, your Shorewall configuration is NOT what 
-I  release -- I  suggest that you consider installing a stock Shorewall lrp 
-from the  shorewall.net site before you proceed.</p>
-         
+           If you run LEAF Bering, your Shorewall configuration is NOT what 
+ I  release -- I  suggest that you consider installing a stock Shorewall lrp
+ from the  shorewall.net site before you proceed.</p>
+             
 <p>This guide assumes that you have the iproute/iproute2 package installed
-  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-if  this  package is installed by the presence of an <b>ip</b> program on
-your  firewall  system. As root, you can use the 'which' command to check
-for this  program:</p>
-         
+   (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
+ if  this  package is installed by the presence of an <b>ip</b> program on
+ your  firewall  system. As root, you can use the 'which' command to check
+ for this  program:</p>
+             
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-       
+           
 <p>I recommend that you first read through the  guide to familiarize yourself
-  with what's involved then go back through it again  making your configuration
-  changes. Points at which configuration changes are  recommended are flagged
-  with <img border="0" src="images/BD21298_.gif" width="13" height="13">
-    .</p>
-         
+   with what's involved then go back through it again  making your configuration
+   changes. Points at which configuration changes are  recommended are flagged
+   with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+      .</p>
+             
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-         If you edit your configuration files on a Windows system, you must 
- save them as  Unix files if your editor supports that option or you must 
-run them through  dos2unix before trying to use them with Shorewall. Similarly, 
- if you copy a configuration file  from your Windows hard drive to a floppy 
- disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
-         
+           If you edit your configuration files on a Windows system, you
+must   save them as  Unix files if your editor supports that option or you
+must  run them through  dos2unix before trying to use them with Shorewall.
+Similarly,   if you copy a configuration file  from your Windows hard drive
+to a floppy   disk, you must run dos2unix against the  copy before using
+it with Shorewall.</p>
+             
 <ul>
-       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
-  of    dos2unix</a></li>
-       <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
- Version  of    dos2unix</a></li>
-         
+         <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
+   of    dos2unix</a></li>
+         <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
+  Version  of    dos2unix</a></li>
+             
 </ul>
-         
+             
 <h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
-         
+             
 <p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
 -- for most setups, you will only need to deal with a few of  these as described
 in this guide. Skeleton files are created during the <a
  href="Install.htm">Shorewall Installation Process</a>.</p>
-         
+             
 <p>As each file is introduced, I suggest that you  look through the actual
-  file on your system -- each file contains detailed  configuration instructions
-  and some contain default entries.</p>
-         
+   file on your system -- each file contains detailed  configuration instructions
+   and some contain default entries.</p>
+             
 <p>Shorewall views the network where it is running as being composed of a
-  set of  <i>zones.</i> In the default installation, the following zone names
-  are used:</p>
-         
+   set of  <i>zones.</i> In the default installation, the following zone
+names    are used:</p>
+             
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
  cellspacing="0" id="AutoNumber2">
-       <tbody>
-        <tr>
-         <td><u><b>Name</b></u></td>
-         <td><u><b>Description</b></u></td>
-       </tr>
-       <tr>
-         <td><b>net</b></td>
-         <td><b>The Internet</b></td>
-       </tr>
-       <tr>
-         <td><b>loc</b></td>
-         <td><b>Your Local Network</b></td>
-       </tr>
-       <tr>
-         <td><b>dmz</b></td>
-         <td><b>Demilitarized Zone</b></td>
-       </tr>
-                   
-  </tbody>    
+         <tbody>
+          <tr>
+           <td><u><b>Name</b></u></td>
+           <td><u><b>Description</b></u></td>
+         </tr>
+         <tr>
+           <td><b>net</b></td>
+           <td><b>The Internet</b></td>
+         </tr>
+         <tr>
+           <td><b>loc</b></td>
+           <td><b>Your Local Network</b></td>
+         </tr>
+         <tr>
+           <td><b>dmz</b></td>
+           <td><b>Demilitarized Zone</b></td>
+         </tr>
+                           
+  </tbody>      
 </table>
-         
+             
 <p>Zones are defined in the <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>
-  file.</p>
-         
+   file.</p>
+             
 <p>Shorewall also recognizes the firewall system as its own zone - by default,
-   the firewall itself is known as <b>fw</b> but that may be changed in the 
-  <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a> file.
-  In  this guide, the default name (<b>fw</b>) will be used.</p>
-         
+    the firewall itself is known as <b>fw</b> but that may be changed in
+the    <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a> 
+file.   In  this guide, the default name (<b>fw</b>) will be used.</p>
+             
 <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
-  to  zone names. Zones are entirely what YOU make of them. That means that
-  you should  not expect Shorewall to do something special "because this
+   to  zone names. Zones are entirely what YOU make of them. That means that
+   you should  not expect Shorewall to do something special "because this
 is   the internet zone"  or "because that is the DMZ".</p>
-         
+             
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-        Edit the  /etc/shorewall/zones file and make any changes necessary.</p>
-         
+          Edit the  /etc/shorewall/zones file and make any changes necessary.</p>
+             
 <p>Rules about what traffic to allow and what traffic to deny are expressed
-  in  terms of zones.</p>
-         
+   in  terms of zones.</p>
+             
 <ul>
-       <li>You express your default policy for connections from one zone
-to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
-     </a>file.</li>
-       <li>You define exceptions to those default policies in the   <a
+         <li>You express your default policy for connections from one zone
+ to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+      </a>file.</li>
+         <li>You define exceptions to those default policies in the   <a
  href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
-         
+             
 </ul>
-               
+                   
 <p>  Shorewall is built on top of the <a href="http://www.netfilter.org">Netfilter</a>
-  kernel facility. Netfilter   implements a   <a
+   kernel facility. Netfilter   implements a   <a
  href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
-  tracking function</a> that allows what is often referred to   as <i>stateful
-  inspection</i> of packets. This stateful property allows   firewall rules
-  to be defined in terms of <i>connections</i> rather than   in terms of
+   tracking function</a> that allows what is often referred to   as <i>stateful
+   inspection</i> of packets. This stateful property allows   firewall rules
+   to be defined in terms of <i>connections</i> rather than   in terms of
  packets.  With Shorewall, you:</p>
-               
+                   
 <ol>
-             <li>  Identify the source zone.</li>
-             <li>  Identify the destination zone.</li>
-             <li>  If the POLICY from the client's zone to the server's zone
-  is what you       want for this client/server pair, you need do nothing
-further.</li>
-             <li>  If the POLICY is not what you want, then you must add
-a  rule.  That rule       is expressed in terms of the client's zone and
+               <li>  Identify the source zone.</li>
+               <li>  Identify the destination zone.</li>
+               <li>  If the POLICY from the client's zone to the server's 
+zone   is what you       want for this client/server pair, you need do nothing
+ further.</li>
+               <li>  If the POLICY is not what you want, then you must add
+ a  rule.  That rule       is expressed in terms of the client's zone and
 the  server's  zone.</li>
-               
+                   
 </ol>
-               
+                   
 <p>  Just because connections of a particular type are allowed from zone
 A to the   firewall and are also allowed from the firewall to zone B <font
  color="#ff6633"><b><u>   DOES NOT mean that these connections are allowed
-  from zone A to zone  B</u></b></font>.   It rather means that you can have
-  a proxy running on the firewall that accepts   a connection from zone A
-and  then establishes its own separate connection from   the firewall to
-zone B.</p>
-         
+   from zone A to zone  B</u></b></font>.   It rather means that you can
+have    a proxy running on the firewall that accepts   a connection from
+zone A  and  then establishes its own separate connection from   the firewall
+to zone B.</p>
+             
 <p>For each connection request entering the firewall, the request is first
-   checked against the /etc/shorewall/rules file. If no rule in that file
-matches   the connection request then the first policy in /etc/shorewall/policy
-that   matches the request is applied. If that policy is REJECT or DROP 
+    checked against the /etc/shorewall/rules file. If no rule in that file
+ matches   the connection request then the first policy in /etc/shorewall/policy
+ that   matches the request is applied. If that policy is REJECT or DROP 
 the  request  is first checked against the rules in /etc/shorewall/common.def.</p>
-         
+             
 <p>The default /etc/shorewall/policy file  has the  following policies:</p>
-         
-<blockquote>               
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber3">
-         <tbody>
-          <tr>
-           <td><u><b>Source Zone</b></u></td>
-           <td><u><b>Destination Zone</b></u></td>
-           <td><u><b>Policy</b></u></td>
-           <td><u><b>Log Level</b></u></td>
-           <td><u><b>Limit:Burst</b></u></td>
-         </tr>
-         <tr>
-           <td>loc</td>
-           <td>net</td>
-           <td>ACCEPT</td>
-           <td> </td>
-           <td> </td>
-         </tr>
-         <tr>
-           <td>net</td>
-           <td>all</td>
-           <td>DROP</td>
-           <td>info</td>
-           <td> </td>
-         </tr>
-         <tr>
-           <td>all</td>
-           <td>all</td>
-           <td>REJECT</td>
-           <td>info</td>
-           <td> </td>
-         </tr>
-                           
-    </tbody>            
-  </table>
-     </blockquote>
-         
-<p>The above policy will:</p>
-         
-<ol>
-       <li>allow all connection requests from your local network to the internet</li>
-       <li>drop (ignore) all connection requests from the internet to your
- firewall     or local network and log a message at the <i>info</i> level
-(<a href="shorewall_logging.html">here</a> is a description of log levels).</li>
-       <li>reject all other connection requests and log a message at the
-    <i>info</i>      level. When a request is rejected, the firewall will
-return an RST (if   the    protocol is TCP) or an ICMP port-unreachable packet
-for other protocols.</li>
-         
-</ol>
-         
-<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-        At this point, edit your /etc/shorewall/policy and make any changes 
- that you  wish.</p>
-         
-<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
-         
-<p align="left">For the remainder of this guide, we'll refer to the following
-   diagram. While it may not look like your own network, it can be used to
-  illustrate the important aspects of Shorewall configuration.</p>
-         
-<p align="left">In this diagram:</p>
-         
-<ul>
-       <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
- to  isolate your  internet-accessible servers from your local systems so
-that  if one of those  servers is compromised, you still have the firewall
-between  the compromised  system and your local systems. </li>
-       <li>The Local Zone consists of systems Local 1, Local 2 and Local
-3.    </li>
-       <li>All systems from the ISP outward comprise the Internet Zone. </li>
-         
-</ul>
-         
-<p align="center"> <img border="0" src="images/dmz3.png" width="692"
- height="635">
-    </p>
-         
-<p align="left">The simplest way to define zones is to simply associate the
-  zone  name (previously defined in /etc/shorewall/zones) with a network
-interface.   This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-   file.</p>
-         
-<p align="left">The firewall illustrated above has three network interfaces.
-   Where Internet connectivity is through a cable or DSL "Modem", the <i>External
-   Interface</i> will be the Ethernet adapter that is connected to that "Modem"
-   (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
-  <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-  <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
-Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
-via a regular   modem, your External  Interface will also be <b>ppp0</b>.
-If you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
-         
-<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
- height="13">
-        If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then you 
- will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
-         
-<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
-   eth1 or eth2) and will be connected to a hub or switch. Your local computers
-   will be connected to the same switch (note: If you have only a single
-local   system,  you can connect the firewall directly to the computer using
-a <i>cross-over   </i> cable).</p>
-         
-<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
-  (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ
- computers will  be connected to the same switch (note: If you have only
-a  single DMZ system,  you can connect the firewall directly to the computer
- using a <i>cross-over </i> cable).</p>
-         
-<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
- width="60" height="60">
-    </b></u>Do not connect more than one interface  to the same hub or switch
-  (even for testing). It won't work the way that you  expect it to and you
- will end up confused and believing that Linux networking doesn't work at
-all.</p>
-         
-<p align="left">For the remainder of this Guide, we will assume that:</p>
-         
-<ul>
-       <li>                     
-    <p align="left">The external interface is <b>eth0</b>.</p>
-       </li>
-       <li>                     
-    <p align="left">The Local interface is <b>eth1</b>.</p>
-       </li>
-       <li>                     
-    <p align="left">The DMZ interface is <b>eth2</b>.</p>
-       </li>
-         
-</ul>
-         
-<p align="left">The Shorewall default configuration does not define the contents
-   of any zone. To define the above configuration using the  /etc/shorewall/interfaces
-  file, that file would might contain:</p>
-         
-<blockquote>               
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-         <tbody>
-          <tr>
-           <td><u><b>Zone</b></u></td>
-           <td><u><b>Interface</b></u></td>
-           <td><u><b>Broadcast</b></u></td>
-           <td><u><b>Options</b></u></td>
-         </tr>
-         <tr>
-           <td>net</td>
-           <td>eth0</td>
-           <td>detect</td>
-           <td>norfc1918</td>
-         </tr>
-         <tr>
-           <td>loc</td>
-           <td>eth1</td>
-           <td>detect</td>
-           <td> </td>
-         </tr>
-         <tr>
-           <td>dmz</td>
-           <td>eth2</td>
-           <td>detect</td>
-           <td> </td>
-         </tr>
-                           
-    </tbody>            
-  </table>
-     </blockquote>
-         
-<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
- height="13">
-         Edit the /etc/shorewall/interfaces file and define the network interfaces
-  on  your firewall and associate each interface with a zone. If you have
-a  zone that  is interfaced through more than one interface, simply include
- one entry for each  interface and repeat the zone name as many times as
-necessary.</p>
-         
-<p align="left">Example:</p>
-         
-<blockquote>               
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-         <tbody>
-          <tr>
-           <td><u><b>Zone</b></u></td>
-           <td><u><b>Interface</b></u></td>
-           <td><u><b>Broadcast</b></u></td>
-           <td><u><b>Options</b></u></td>
-         </tr>
-         <tr>
-           <td>net</td>
-           <td>eth0</td>
-           <td>detect</td>
-           <td>norfc1918</td>
-         </tr>
-         <tr>
-           <td>loc</td>
-           <td>eth1</td>
-           <td>detect</td>
-           <td> </td>
-         </tr>
-         <tr>
-           <td>loc</td>
-           <td>eth2</td>
-           <td>detect</td>
-           <td>dhcp</td>
-         </tr>
-                           
-    </tbody>            
-  </table>
-     </blockquote>
-         
-<div align="left">       
-<p align="left">When you have more than one interface to a zone, you will
-     usually want a policy that permits intra-zone traffic:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+             
+<blockquote>                     
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
            <tbody>
-          <tr>
+            <tr>
              <td><u><b>Source Zone</b></u></td>
              <td><u><b>Destination Zone</b></u></td>
              <td><u><b>Policy</b></u></td>
@@ -427,80 +210,301 @@ necessary.</p>
            </tr>
            <tr>
              <td>loc</td>
-             <td>loc</td>
+             <td>net</td>
              <td>ACCEPT</td>
              <td> </td>
              <td> </td>
            </tr>
-                             
-    </tbody>            
+           <tr>
+             <td>net</td>
+             <td>all</td>
+             <td>DROP</td>
+             <td>info</td>
+             <td> </td>
+           </tr>
+           <tr>
+             <td>all</td>
+             <td>all</td>
+             <td>REJECT</td>
+             <td>info</td>
+             <td> </td>
+           </tr>
+                                       
+    </tbody>                  
   </table>
        </blockquote>
-     </div>
-         
+             
+<p>The above policy will:</p>
+             
+<ol>
+         <li>allow all connection requests from your local network to the 
+internet</li>
+         <li>drop (ignore) all connection requests from the internet to your
+  firewall     or local network and log a message at the <i>info</i> level
+ (<a href="shorewall_logging.html">here</a> is a description of log levels).</li>
+         <li>reject all other connection requests and log a message at the
+     <i>info</i>      level. When a request is rejected, the firewall will
+ return an RST (if   the    protocol is TCP) or an ICMP port-unreachable
+packet  for other protocols.</li>
+             
+</ol>
+             
+<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
+          At this point, edit your /etc/shorewall/policy and make any changes 
+  that you  wish.</p>
+             
+<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
+             
+<p align="left">For the remainder of this guide, we'll refer to the following
+    diagram. While it may not look like your own network, it can be used
+to    illustrate the important aspects of Shorewall configuration.</p>
+             
+<p align="left">In this diagram:</p>
+             
+<ul>
+         <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
+  to  isolate your  internet-accessible servers from your local systems so
+ that  if one of those  servers is compromised, you still have the firewall
+ between  the compromised  system and your local systems. </li>
+         <li>The Local Zone consists of systems Local 1, Local 2 and Local
+ 3.    </li>
+         <li>All systems from the ISP outward comprise the Internet Zone. 
+  </li>
+             
+</ul>
+             
+<p align="center"> <img border="0" src="images/dmz3.png" width="692"
+ height="635">
+      </p>
+             
+<p align="left">The simplest way to define zones is to simply associate the
+   zone  name (previously defined in /etc/shorewall/zones) with a network
+interface.   This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+    file.</p>
+             
+<p align="left">The firewall illustrated above has three network interfaces.
+    Where Internet connectivity is through a cable or DSL "Modem", the <i>External
+    Interface</i> will be the Ethernet adapter that is connected to that
+"Modem"     (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
+   <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
+   <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
+Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
+via a regular   modem, your External  Interface will also be <b>ppp0</b>.
+If you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
+             
+<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
+ height="13">
+          If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then 
+you   will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> 
+/etc/shorewall/shorewall.conf.</a></p>
+             
+<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
+    eth1 or eth2) and will be connected to a hub or switch. Your local computers
+    will be connected to the same switch (note: If you have only a single
+local   system,  you can connect the firewall directly to the computer using
+a <i>cross-over   </i> cable).</p>
+             
+<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
+   (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ
+  computers will  be connected to the same switch (note: If you have only
+a  single DMZ system,  you can connect the firewall directly to the computer
+  using a <i>cross-over </i> cable).</p>
+             
+<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
+ width="60" height="60">
+      </b></u>Do not connect more than one interface  to the same hub or
+switch    (even for testing). It won't work the way that you  expect it to
+and you   will end up confused and believing that Linux networking doesn't
+work at  all.</p>
+             
+<p align="left">For the remainder of this Guide, we will assume that:</p>
+             
+<ul>
+         <li>                               
+    <p align="left">The external interface is <b>eth0</b>.</p>
+         </li>
+         <li>                               
+    <p align="left">The Local interface is <b>eth1</b>.</p>
+         </li>
+         <li>                               
+    <p align="left">The DMZ interface is <b>eth2</b>.</p>
+         </li>
+             
+</ul>
+             
+<p align="left">The Shorewall default configuration does not define the contents
+    of any zone. To define the above configuration using the  /etc/shorewall/interfaces
+   file, that file would might contain:</p>
+             
+<blockquote>                     
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+           <tbody>
+            <tr>
+             <td><u><b>Zone</b></u></td>
+             <td><u><b>Interface</b></u></td>
+             <td><u><b>Broadcast</b></u></td>
+             <td><u><b>Options</b></u></td>
+           </tr>
+           <tr>
+             <td>net</td>
+             <td>eth0</td>
+             <td>detect</td>
+             <td>norfc1918</td>
+           </tr>
+           <tr>
+             <td>loc</td>
+             <td>eth1</td>
+             <td>detect</td>
+             <td> </td>
+           </tr>
+           <tr>
+             <td>dmz</td>
+             <td>eth2</td>
+             <td>detect</td>
+             <td> </td>
+           </tr>
+                                       
+    </tbody>                  
+  </table>
+       </blockquote>
+             
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-         You may define more complicated zones using the <a
+           Edit the /etc/shorewall/interfaces file and define the network 
+interfaces   on  your firewall and associate each interface with a zone. If
+you have a  zone that  is interfaced through more than one interface, simply
+include  one entry for each  interface and repeat the zone name as many times
+as necessary.</p>
+             
+<p align="left">Example:</p>
+             
+<blockquote>                     
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+           <tbody>
+            <tr>
+             <td><u><b>Zone</b></u></td>
+             <td><u><b>Interface</b></u></td>
+             <td><u><b>Broadcast</b></u></td>
+             <td><u><b>Options</b></u></td>
+           </tr>
+           <tr>
+             <td>net</td>
+             <td>eth0</td>
+             <td>detect</td>
+             <td>norfc1918</td>
+           </tr>
+           <tr>
+             <td>loc</td>
+             <td>eth1</td>
+             <td>detect</td>
+             <td> </td>
+           </tr>
+           <tr>
+             <td>loc</td>
+             <td>eth2</td>
+             <td>detect</td>
+             <td>dhcp</td>
+           </tr>
+                                       
+    </tbody>                  
+  </table>
+       </blockquote>
+             
+<div align="left">         
+<p align="left">When you have more than one interface to a zone, you will
+      usually want a policy that permits intra-zone traffic:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+             <tbody>
+            <tr>
+               <td><u><b>Source Zone</b></u></td>
+               <td><u><b>Destination Zone</b></u></td>
+               <td><u><b>Policy</b></u></td>
+               <td><u><b>Log Level</b></u></td>
+               <td><u><b>Limit:Burst</b></u></td>
+             </tr>
+             <tr>
+               <td>loc</td>
+               <td>loc</td>
+               <td>ACCEPT</td>
+               <td> </td>
+               <td> </td>
+             </tr>
+                                         
+    </tbody>                  
+  </table>
+         </blockquote>
+       </div>
+             
+<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
+ height="13">
+           You may define more complicated zones using the <a
  href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file but in most
-   cases, that isn't necessary.</p>
-         
+    cases, that isn't necessary.</p>
+             
 <h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
-         
+             
 <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
-  IP addresses. You will configure your firewall's external interface to
+   IP addresses. You will configure your firewall's external interface to
 use    one of those addresses permanently and you will then have to decide
 how  you are  going to use the rest of your addresses. Before we tackle that
 question   though, some  background is in order.</p>
-         
+             
 <p align="left">If you are thoroughly familiar with IP addressing and routing,
-   you may <a href="#Options">go to the next section</a>.</p>
-         
+    you may <a href="#Options">go to the next section</a>.</p>
+             
 <p align="left">The following discussion barely scratches the surface of
 addressing and routing. If you are interested in learning more about  this
 subject, I highly recommend <i>"IP Fundamentals: What Everyone  Needs to
 Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
  1999, ISBN 0-13-975483-0.</p>
-         
+             
 <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
-         
+             
 <p align="left">IP version 4 (<i>IPv4) </i>addresses  are 32-bit numbers.
-  The notation w.x.y.z refers to an address where the high-order byte has
-value  "w", the next  byte has value "x", etc. If we take the address 192.0.2.14
-  and express it in  hexadecimal,  we get:</p>
-         
-<blockquote>               
+   The notation w.x.y.z refers to an address where the high-order byte has
+ value  "w", the next  byte has value "x", etc. If we take the address 192.0.2.14
+   and express it in  hexadecimal,  we get:</p>
+             
+<blockquote>                     
   <p align="left">C0.00.02.0E</p>
-     </blockquote>
-         
+       </blockquote>
+             
 <p align="left">or looking at it as a 32-bit integer</p>
-         
-<blockquote>               
+             
+<blockquote>                     
   <p align="left">C000020E</p>
-     </blockquote>
-           
+       </blockquote>
+               
 <h3 align="left"><a name="Subnets"></a>4.2 Subnets</h3>
-         
+             
 <p align="left">You will still hear the terms "Class A network", "Class B
-   network" and "Class C network". In the early days of IP,  networks only
- came  in three sizes (there were also Class D networks but they were used
- differently):</p>
-         
-<blockquote>               
+    network" and "Class C network". In the early days of IP,  networks only
+  came  in three sizes (there were also Class D networks but they were used
+  differently):</p>
+             
+<blockquote>                     
   <p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
-                   
+                           
   <p align="left">Class B -  netmask 255.255.0.0, size = 2 ** 16</p>
-                   
+                           
   <p align="left">Class C -  netmask 255.255.255.0, size = 256</p>
-     </blockquote>
-         
+       </blockquote>
+             
 <p align="left">The class of a network was uniquely determined by the value
-  of the high  order byte of its address so you could look at an IP address
-  and immediately  determine the associated <i>netmask</i>. The netmask is
- a number that when  logically ANDed with an address isolates the <i>network
-  number</i>; the  remainder of the address is the <i>host number</i>. For
- example, in the Class C  address 192.0.2.14, the network number is hex C00002
- and the host number is hex  0E.</p>
-         
+   of the high  order byte of its address so you could look at an IP address
+   and immediately  determine the associated <i>netmask</i>. The netmask
+is   a number that when  logically ANDed with an address isolates the <i>network
+   number</i>; the  remainder of the address is the <i>host number</i>. For
+  example, in the Class C  address 192.0.2.14, the network number is hex
+C00002   and the host number is hex  0E.</p>
+             
 <p align="left">As the internet grew, it became clear that such a gross  partitioning
 of the 32-bit address space was going to be very limiting (early  on, large
 corporations and universities were assigned their own class A  network!).
@@ -508,2000 +512,2008 @@ After some false starts, the current technique of <i>subnetting</i>  these
 networks into smaller <i>subnetworks</i> evolved; that technique is referred
 to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that
  you are likely to work with will understand CIDR and Class-based networking
-  is largely a  thing of the past.</p>
-         
+   is largely a  thing of the past.</p>
+             
 <p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is
-     a contiguous set of IP addresses such that:</p>
-         
+      a contiguous set of IP addresses such that:</p>
+             
 <ol>
-       <li>                       
+         <li>                                 
     <p align="left">The number of addresses in the set is a power of 2; and</p>
-       </li>
-       <li>                       
+         </li>
+         <li>                                 
     <p align="left">The first address in the set is a multiple of the set
-  size.</p>
-       </li>
-       <li>                       
+   size.</p>
+         </li>
+         <li>                                 
     <p align="left">The first address in the subnet is reserved and is referred
-  to as the <i>   subnet address.</i></p>
-       </li>
-       <li>                       
+   to as the <i>   subnet address.</i></p>
+         </li>
+         <li>                                 
     <p align="left">The last address in the subnet is reserved as the <i>subnet's
-  broadcast    address.</i></p>
-       </li>
-         
+   broadcast    address.</i></p>
+         </li>
+             
 </ol>
-           
+               
 <p align="left">As you can see by this definition, in each subnet of size
-  <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that can
-  be assigned to    hosts). The first and last address in the subnet are
-used   for the subnet    address and subnet broadcast address respectively.
+   <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that
+can    be assigned to    hosts). The first and last address in the subnet
+are used   for the subnet    address and subnet broadcast address respectively.
 Consequently,   small    subnetworks are more wasteful of IP addresses than
 are large ones.   </p>
-           
+               
 <p align="left">Since <b>n</b> is a power of two, we can easily calculate
-  the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more
+   the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more
 common   subnet sizes, the size and its natural logarithm are given in the
    following   table:</p>
-         
-<blockquote>               
+             
+<blockquote>                     
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber5">
-         <tbody>
-          <tr>
-           <td><u><b>n</b></u></td>
-           <td><u><b>log2 n</b></u></td>
-           <td><u><b>(32 - log2 n)</b></u></td>
-         </tr>
-         <tr>
-           <td>8</td>
-           <td>3</td>
-           <td>29</td>
-         </tr>
-         <tr>
-           <td>16</td>
-           <td>4</td>
-           <td>28</td>
-         </tr>
-         <tr>
-           <td>32</td>
-           <td>5</td>
-           <td>27</td>
-         </tr>
-         <tr>
-           <td>64</td>
-           <td>6</td>
-           <td>26</td>
-         </tr>
-         <tr>
-           <td>128</td>
-           <td>7</td>
-           <td>25</td>
-         </tr>
-         <tr>
-           <td>256</td>
-           <td>8</td>
-           <td>24</td>
-         </tr>
-         <tr>
-           <td>512</td>
-           <td>9</td>
-           <td>23</td>
-         </tr>
-         <tr>
-           <td>1024</td>
-           <td>10</td>
-           <td>22</td>
-         </tr>
-         <tr>
-           <td>2048</td>
-           <td>11</td>
-           <td>21</td>
-         </tr>
-         <tr>
-           <td>4096</td>
-           <td>12</td>
-           <td>20</td>
-         </tr>
-         <tr>
-           <td>8192</td>
-           <td>13</td>
-           <td>19</td>
-         </tr>
-         <tr>
-           <td>16384</td>
-           <td>14</td>
-           <td>18</td>
-         </tr>
-         <tr>
-           <td>32768</td>
-           <td>15</td>
-           <td>17</td>
-         </tr>
-         <tr>
-           <td>65536</td>
-           <td>16</td>
-           <td>16</td>
-         </tr>
-                           
-    </tbody>            
+           <tbody>
+            <tr>
+             <td><u><b>n</b></u></td>
+             <td><u><b>log2 n</b></u></td>
+             <td><u><b>(32 - log2 n)</b></u></td>
+           </tr>
+           <tr>
+             <td>8</td>
+             <td>3</td>
+             <td>29</td>
+           </tr>
+           <tr>
+             <td>16</td>
+             <td>4</td>
+             <td>28</td>
+           </tr>
+           <tr>
+             <td>32</td>
+             <td>5</td>
+             <td>27</td>
+           </tr>
+           <tr>
+             <td>64</td>
+             <td>6</td>
+             <td>26</td>
+           </tr>
+           <tr>
+             <td>128</td>
+             <td>7</td>
+             <td>25</td>
+           </tr>
+           <tr>
+             <td>256</td>
+             <td>8</td>
+             <td>24</td>
+           </tr>
+           <tr>
+             <td>512</td>
+             <td>9</td>
+             <td>23</td>
+           </tr>
+           <tr>
+             <td>1024</td>
+             <td>10</td>
+             <td>22</td>
+           </tr>
+           <tr>
+             <td>2048</td>
+             <td>11</td>
+             <td>21</td>
+           </tr>
+           <tr>
+             <td>4096</td>
+             <td>12</td>
+             <td>20</td>
+           </tr>
+           <tr>
+             <td>8192</td>
+             <td>13</td>
+             <td>19</td>
+           </tr>
+           <tr>
+             <td>16384</td>
+             <td>14</td>
+             <td>18</td>
+           </tr>
+           <tr>
+             <td>32768</td>
+             <td>15</td>
+             <td>17</td>
+           </tr>
+           <tr>
+             <td>65536</td>
+             <td>16</td>
+             <td>16</td>
+           </tr>
+                                       
+    </tbody>                  
   </table>
-     </blockquote>
-           
+       </blockquote>
+               
 <p align="left">You will notice that the above table also contains a column
-     for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
-  Mask</i> for a network of size <b>n</b>.    From the above table, we can
- derive the following one which is a little easier to use.</p>
-         
-<blockquote>               
+      for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
+   Mask</i> for a network of size <b>n</b>.    From the above table, we can
+  derive the following one which is a little easier to use.</p>
+             
+<blockquote>                     
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber5">
-         <tbody>
-          <tr>
-           <td><u><b>Size of Subnet</b></u></td>
-           <td><u><b>VLSM</b></u></td>
-           <td><u><b>Subnet Mask</b></u></td>
-         </tr>
-         <tr>
-           <td>8</td>
-           <td>/29</td>
-           <td>255.255.255.248</td>
-         </tr>
-         <tr>
-           <td>16</td>
-           <td>/28</td>
-           <td>255.255.255.240</td>
-         </tr>
-         <tr>
-           <td>32</td>
-           <td>/27</td>
-           <td>255.255.255.224</td>
-         </tr>
-         <tr>
-           <td>64</td>
-           <td>/26</td>
-           <td>255.255.255.192</td>
-         </tr>
-         <tr>
-           <td>128</td>
-           <td>/25</td>
-           <td>255.255.255.128</td>
-         </tr>
-         <tr>
-           <td>256</td>
-           <td>/24</td>
-           <td>255.255.255.0</td>
-         </tr>
-         <tr>
-           <td>512</td>
-           <td>/23</td>
-           <td>255.255.254.0</td>
-         </tr>
-         <tr>
-           <td>1024</td>
-           <td>/22</td>
-           <td>255.255.252.0</td>
-         </tr>
-         <tr>
-           <td>2048</td>
-           <td>/21</td>
-           <td>255.255.248.0</td>
-         </tr>
-         <tr>
-           <td>4096</td>
-           <td>/20</td>
-           <td>255.255.240.0</td>
-         </tr>
-         <tr>
-           <td>8192</td>
-           <td>/19</td>
-           <td>255.255.224.0</td>
-         </tr>
-         <tr>
-           <td>16384</td>
-           <td>/18</td>
-           <td>255.255.192.0</td>
-         </tr>
-         <tr>
-           <td>32768</td>
-           <td>/17</td>
-           <td>255.255.128.0</td>
-         </tr>
-         <tr>
-           <td>65536</td>
-           <td>/16</td>
-           <td>255.255.0.0</td>
-         </tr>
-         <tr>
-           <td>2 ** 24</td>
-           <td>/8</td>
-           <td>255.0.0.0</td>
-         </tr>
-                           
-    </tbody>            
+           <tbody>
+            <tr>
+             <td><u><b>Size of Subnet</b></u></td>
+             <td><u><b>VLSM</b></u></td>
+             <td><u><b>Subnet Mask</b></u></td>
+           </tr>
+           <tr>
+             <td>8</td>
+             <td>/29</td>
+             <td>255.255.255.248</td>
+           </tr>
+           <tr>
+             <td>16</td>
+             <td>/28</td>
+             <td>255.255.255.240</td>
+           </tr>
+           <tr>
+             <td>32</td>
+             <td>/27</td>
+             <td>255.255.255.224</td>
+           </tr>
+           <tr>
+             <td>64</td>
+             <td>/26</td>
+             <td>255.255.255.192</td>
+           </tr>
+           <tr>
+             <td>128</td>
+             <td>/25</td>
+             <td>255.255.255.128</td>
+           </tr>
+           <tr>
+             <td>256</td>
+             <td>/24</td>
+             <td>255.255.255.0</td>
+           </tr>
+           <tr>
+             <td>512</td>
+             <td>/23</td>
+             <td>255.255.254.0</td>
+           </tr>
+           <tr>
+             <td>1024</td>
+             <td>/22</td>
+             <td>255.255.252.0</td>
+           </tr>
+           <tr>
+             <td>2048</td>
+             <td>/21</td>
+             <td>255.255.248.0</td>
+           </tr>
+           <tr>
+             <td>4096</td>
+             <td>/20</td>
+             <td>255.255.240.0</td>
+           </tr>
+           <tr>
+             <td>8192</td>
+             <td>/19</td>
+             <td>255.255.224.0</td>
+           </tr>
+           <tr>
+             <td>16384</td>
+             <td>/18</td>
+             <td>255.255.192.0</td>
+           </tr>
+           <tr>
+             <td>32768</td>
+             <td>/17</td>
+             <td>255.255.128.0</td>
+           </tr>
+           <tr>
+             <td>65536</td>
+             <td>/16</td>
+             <td>255.255.0.0</td>
+           </tr>
+           <tr>
+             <td>2 ** 24</td>
+             <td>/8</td>
+             <td>255.0.0.0</td>
+           </tr>
+                                       
+    </tbody>                  
   </table>
-     </blockquote>
-           
+       </blockquote>
+               
 <p align="left">Notice that the VLSM is written with a slash ("/") -- you
-  will    often hear a subnet of size 64 referred to as a "slash 26" subnet
-  and one of    size 8 referred to as a "slash 29".</p>
-           
+   will    often hear a subnet of size 64 referred to as a "slash 26" subnet
+   and one of    size 8 referred to as a "slash 29".</p>
+               
 <p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
-  simply a 32-bit number with the first "VLSM"    bits set to one and the
-remaining  bits set to zero. For example, for a subnet    of size 64, the
-subnet mask  has 26 leading one bits:</p>
-         
-<blockquote>               
+   simply a 32-bit number with the first "VLSM"    bits set to one and the
+ remaining  bits set to zero. For example, for a subnet    of size 64, the
+ subnet mask  has 26 leading one bits:</p>
+             
+<blockquote>                     
   <p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
-  =    255.255.255.192</p>
-     </blockquote>
-           
+   =    255.255.255.192</p>
+       </blockquote>
+               
 <p align="left">The subnet mask has the property that if you logically AND
-  the    subnet mask with an address in the subnet, the result is the subnet
-  address.    Just as important, if you logically AND the subnet mask with
- an address    outside the subnet, the result is NOT the subnet address.
+   the    subnet mask with an address in the subnet, the result is the subnet
+   address.    Just as important, if you logically AND the subnet mask with
+  an address    outside the subnet, the result is NOT the subnet address.
 As  we will see    below, this property of subnet masks is very useful in
 routing.</p>
-           
+               
 <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
-     Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as
- "<b>a.b.c.d/v</b>"    using <i>CIDR</i> <i>Notation</i>.  </p>
-           
+      Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork
+as   "<b>a.b.c.d/v</b>"    using <i>CIDR</i> <i>Notation</i>.  </p>
+               
 <p align="left">Example:</p>
-         
-<blockquote>               
+             
+<blockquote>                     
   <table border="2" style="border-collapse: collapse;" id="AutoNumber1"
  cellpadding="2">
-           <tbody>
-          <tr>
-             <td><b>Subnet:</b></td>
-             <td>10.10.10.0 - 10.10.10.127</td>
-           </tr>
-           <tr>
-             <td><b>Subnet Size:</b></td>
-             <td>128</td>
-           </tr>
-           <tr>
-             <td><b>Subnet Address:</b></td>
-             <td>10.10.10.0</td>
-           </tr>
-           <tr>
-             <td><b>Broadcast Address:</b></td>
-             <td>10.10.10.127</td>
-           </tr>
-           <tr>
-             <td><b>CIDR Notation:</b></td>
-             <td>10.10.10.0/25</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><b>Subnet:</b></td>
+               <td>10.10.10.0 - 10.10.10.127</td>
+             </tr>
+             <tr>
+               <td><b>Subnet Size:</b></td>
+               <td>128</td>
+             </tr>
+             <tr>
+               <td><b>Subnet Address:</b></td>
+               <td>10.10.10.0</td>
+             </tr>
+             <tr>
+               <td><b>Broadcast Address:</b></td>
+               <td>10.10.10.127</td>
+             </tr>
+             <tr>
+               <td><b>CIDR Notation:</b></td>
+               <td>10.10.10.0/25</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-     </blockquote>
-         
+       </blockquote>
+             
 <p align="left">There are two degenerate subnets that need mentioning; namely,
-  the  subnet with one member and the subnet with 2 ** 32 members.</p>
-         
-<blockquote>               
+   the  subnet with one member and the subnet with 2 ** 32 members.</p>
+             
+<blockquote>                     
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber5">
-         <tbody>
-          <tr>
-           <td><u><b>Size of Subnetwork</b></u></td>
-           <td><u><b>VLSM Length</b></u></td>
-           <td><u><b>Subnet Mask</b></u></td>
-           <td><u><b>CIDR Notation</b></u></td>
-         </tr>
-         <tr>
-           <td>1</td>
-           <td>32</td>
-           <td>255.255.255.255</td>
-           <td>a.b.c.d/32</td>
-         </tr>
-         <tr>
-           <td>2 ** 32</td>
-           <td>0</td>
-           <td>0.0.0.0</td>
-           <td>0.0.0.0/0</td>
-         </tr>
-                           
-    </tbody>            
+           <tbody>
+            <tr>
+             <td><u><b>Size of Subnetwork</b></u></td>
+             <td><u><b>VLSM Length</b></u></td>
+             <td><u><b>Subnet Mask</b></u></td>
+             <td><u><b>CIDR Notation</b></u></td>
+           </tr>
+           <tr>
+             <td>1</td>
+             <td>32</td>
+             <td>255.255.255.255</td>
+             <td>a.b.c.d/32</td>
+           </tr>
+           <tr>
+             <td>2 ** 32</td>
+             <td>0</td>
+             <td>0.0.0.0</td>
+             <td>0.0.0.0/0</td>
+           </tr>
+                                       
+    </tbody>                  
   </table>
-     </blockquote>
-         
-<p align="left">So any address <b>a.b.c.d </b>may also be written <b> a.b.c.d/32</b>
-  and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
-         
-<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
-   used to describe the ip configuration of a network interface (the 'ip'
-utility   also uses this syntax). This simply means that the interface is
-configured  with  ip address <b>a.b.c.d</b> and with the netmask that corresponds
-to VLSM <b>/v</b>.</p>
-         
-<p align="left">Example: 192.0.2.65/29</p>
-         
-<p align="left">    The interface is configured with IP address  192.0.2.65
-  and netmask 255.255.255.248.</p>
-         
-<h3 align="left"><a name="Routing"></a>4.3 Routing</h3>
-         
-<p align="left">One of the purposes of subnetting is that it forms the basis
-   for routing. Here's the routing table on <a href="myfiles.htm">my firewall</a>:</p>
-         
-<div align="left">       
-<blockquote>                 
-  <pre>[root@gateway root]# netstat -nr<br>Kernel IP routing table<br>Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface<br>192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas<br>206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1<br>206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3<br>192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3<br>192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1<br>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2<br>206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0<br>192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas<br>127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo<br>0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0<br>[root@gateway root]#</pre>
        </blockquote>
-     </div>
-         
+             
+<p align="left">So any address <b>a.b.c.d </b>may also be written <b> a.b.c.d/32</b>
+   and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
+             
+<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
+    used to describe the ip configuration of a network interface (the 'ip'
+ utility   also uses this syntax). This simply means that the interface is
+ configured  with  ip address <b>a.b.c.d</b> and with the netmask that corresponds
+ to VLSM <b>/v</b>.</p>
+             
+<p align="left">Example: 192.0.2.65/29</p>
+             
+<p align="left">    The interface is configured with IP address  192.0.2.65
+   and netmask 255.255.255.248.</p>
+             
+<h3 align="left"><a name="Routing"></a>4.3 Routing</h3>
+             
+<p align="left">One of the purposes of subnetting is that it forms the basis
+    for routing. Here's the routing table on my firewall:</p>
+             
+<div align="left">         
+<blockquote>                       
+  <pre>[root@gateway root]# netstat -nr<br>Kernel IP routing table<br>Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface<br>192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas<br>206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1<br>206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3<br>192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3<br>192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1<br>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2<br>206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0<br>192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas<br>127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo<br>0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0<br>[root@gateway root]#</pre>
+         </blockquote>
+       </div>
+             
 <p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in
-  the  Dallas, Texas area.<br>
-     <br>
-     The first three routes are <i>host routes</i> since they indicate how
- to  get to  a single host. In the 'netstat' output this can be seen by the
- "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column.
- The remainder  are 'net' routes since they tell the  kernel how to route
-packets to a subnetwork.  The last route is the <i>default  route</i> and
-the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
-         
+   the  Dallas, Texas area.<br>
+       <br>
+       The first three routes are <i>host routes</i> since they indicate
+how   to  get to  a single host. In the 'netstat' output this can be seen
+by the   "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the
+Flags column.   The remainder  are 'net' routes since they tell the  kernel
+how to route  packets to a subnetwork.  The last route is the <i>default
+ route</i> and  the gateway mentioned in that route is called the <i>default
+ gateway</i>.</p>
+             
 <p align="left">When the kernel is trying to send a packet to IP address
 <b>A</b>,  it starts at the top of the routing table and:</p>
-         
+             
 <ul>
-       <li>                     
+         <li>                               
     <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
 in the  table entry.</p>
-       </li>
-       <li>                     
+         </li>
+         <li>                               
     <p align="left">The result is compared with the 'Destination' value in
-  the table  entry.</p>
-       </li>
-       <li>                     
+   the table  entry.</p>
+         </li>
+         <li>                               
     <p align="left">If the result and the 'Destination' value are the same,
-  then:</p>
-                           
+   then:</p>
+                                       
     <ul>
-         <li>                                     
+           <li>                                                       
         <p align="left">If the 'Gateway' column is non-zero, the packet is
-  sent to the  gateway over the interface named in the 'Iface' column.</p>
-         </li>
-         <li>                                     
+   sent to the  gateway over the interface named in the 'Iface' column.</p>
+           </li>
+           <li>                                                       
         <p align="left">Otherwise, the packet is sent directly to <b>A </b>over
-  the  interface named in the 'iface' column.</p>
-         </li>
-                           
+   the  interface named in the 'iface' column.</p>
+           </li>
+                                       
     </ul>
-       </li>
-       <li>                     
+         </li>
+         <li>                               
     <p align="left">Otherwise, the above steps are repeated on the next entry
-  in the  table.</p>
-       </li>
-         
+   in the  table.</p>
+         </li>
+             
 </ul>
-         
+             
 <p align="left">Since the default route matches any IP address (<b>A</b>
 land  0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
 table  entries are sent to the <i>default gateway</i> which is usually a
 router at your  ISP.</p>
-         
+             
 <p align="left">Lets take an example. Suppose that we want to route a packet
-  to  192.168.1.5. That address clearly doesn't match any of the host routes
-  in the  table but if we logically and that address with 255.255.255.0,
+   to  192.168.1.5. That address clearly doesn't match any of the host routes
+   in the  table but if we logically and that address with 255.255.255.0,
 the   result is  192.168.1.0 which matches this routing table entry:</p>
-         
-<div align="left">       
-<blockquote>                 
+             
+<div align="left">         
+<blockquote>                       
   <pre>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2</pre>
-       </blockquote>
-           
+         </blockquote>
+               
 <p>So to route a packet to 192.168.1.5, the packet is sent directly over
 eth2.</p>
-    </div>
-         
+      </div>
+             
 <p align="left">One more thing needs to be emphasized -- all outgoing packet
-  are  sent using the routing table and reply packets are not a special case.
-  There  seems to be a common mis-conception whereby people think that request
-  packets  are like salmon and contain a genetic code that is magically transferred
-  to  reply packets so that the replies follow the reverse route taken by
-the  request.  That isn't the case; the replies may take a totally different
-route  back to the  client than was taken by the requests -- they are totally
-independent.</p>
-         
+   are  sent using the routing table and reply packets are not a special
+case.    There  seems to be a common mis-conception whereby people think
+that request    packets  are like salmon and contain a genetic code that
+is magically transferred    to  reply packets so that the replies follow
+the reverse route taken by  the  request.  That isn't the case; the replies
+may take a totally different  route  back to the  client than was taken by
+the requests -- they are totally  independent.</p>
+             
 <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
-         
+             
 <p align="left">When sending packets over Ethernet, IP addresses aren't used.
-   Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
-   addresses. Each Ethernet device has it's own unique  MAC address which
-is   burned into a PROM on the device during manufacture. You can obtain
+    Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
+    addresses. Each Ethernet device has it's own unique  MAC address which
+ is   burned into a PROM on the device during manufacture. You can obtain
 the MAC of  an Ethernet device using the 'ip' utility:</p>
-         
-<blockquote>               
-  <div align="left">                 
+             
+<blockquote>                     
+  <div align="left">                       
   <pre>[root@gateway root]# ip addr show eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br>link/ether <u>02:00:08:e3:fa:55</u> brd ff:ff:ff:ff:ff:ff<br>inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br>inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0<br>inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0<br>[root@gateway root]#</pre>
-       </div>
-     </blockquote>
-         
-<div align="left">       
+         </div>
+       </blockquote>
+             
+<div align="left">         
 <p align="left">As you can see from the above output, the MAC is 6 bytes
 (48    bits) wide. A card's MAC is usually also printed on a label attached
 to the card    itself. </p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">Because IP uses IP addresses and Ethernet uses MAC addresses,
-     a mechanism is required to translate an IP address into a MAC address;
-  that is    the purpose of the <i>Address Resolution Protocol</i> (ARP).
-Here  is ARP in    action:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
-  <div align="left">                   
+      a mechanism is required to translate an IP address into a MAC address;
+   that is    the purpose of the <i>Address Resolution Protocol</i> (ARP).
+ Here  is ARP in    action:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
+  <div align="left">                         
   <pre>[root@gateway root]# tcpdump -nei eth2 arp<br>tcpdump: listening on eth2<br>09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254<br>09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0<br><br>2 packets received by filter<br>0 packets dropped by kernel<br>[root@gateway root]#<br></pre>
+           </div>
+         </blockquote>
+       </div>
+             
+<p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
+   to  know the MAC of the device with IP address 192.168.1.19. The system
+ having  that  IP address is responding that the MAC address of the device
+ with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
+             
+<p align="left">In order to avoid having to exchange ARP information each
+   time  that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
+   of  IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your
+system    (including  your Windows system) using the 'arp' command:</p>
+             
+<blockquote>                     
+  <div align="left">                       
+  <pre>[root@gateway root]# arp -na<br>? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1<br>? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2<br>? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2<br>? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0<br>? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</pre>
          </div>
        </blockquote>
-     </div>
-         
-<p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
-  to  know the MAC of the device with IP address 192.168.1.19. The system
-having  that  IP address is responding that the MAC address of the device
-with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
-         
-<p align="left">In order to avoid having to exchange ARP information each
-  time  that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
-  of  IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your system
-  (including  your Windows system) using the 'arp' command:</p>
-         
-<blockquote>               
-  <div align="left">                 
-  <pre>[root@gateway root]# arp -na<br>? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1<br>? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2<br>? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2<br>? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0<br>? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</pre>
-       </div>
-     </blockquote>
-         
+             
 <p align="left">The leading question marks are a result of my having specified
-   the 'n' option (Windows 'arp' doesn't allow that option) which causes
+    the 'n' option (Windows 'arp' doesn't allow that option) which causes
 the   'arp'  program to forego IP-&gt;DNS name translation. Had I not given
 that   option, the  question marks would have been replaced with the FQDN
 corresponding   to each IP  address. Notice that the last entry in the table
 records the  information we saw  using tcpdump above.</p>
-         
+             
 <h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
-         
+             
 <p align="left">IP addresses are allocated by the <i> <a
  href="http://www.iana.org">Internet Assigned Number Authority</a> </i>(IANA)
-   who delegates allocations on a geographic basis to <i>Regional Internet
-  Registries</i> (RIRs). For example, allocation for the Americas and for
- sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American
-   Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn delegate
-  to  national registries. Most of us don't deal with these registrars but
- rather get  our IP addresses from our ISP.</p>
-         
+    who delegates allocations on a geographic basis to <i>Regional Internet
+   Registries</i> (RIRs). For example, allocation for the Americas and for
+  sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American
+    Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn
+delegate    to  national registries. Most of us don't deal with these registrars
+but   rather get  our IP addresses from our ISP.</p>
+             
 <p align="left">It's a fact of life that most of us can't afford as many
 Public  IP addresses as we have devices to assign them to so we end up making
 use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
 ranges for this  purpose:</p>
-         
-<div align="left">       
+             
+<div align="left">         
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
-  to    as <i>non-routable</i> because the Internet backbone routers don't
- forward    packets which have an RFC-1918 destination address. This is understandable
-     given that anyone can select any of these addresses for their private
- use.</p>
-    </div>
-         
-<div align="left">       
+   to    as <i>non-routable</i> because the Internet backbone routers don't
+  forward    packets which have an RFC-1918 destination address. This is
+understandable       given that anyone can select any of these addresses
+for their private   use.</p>
+      </div>
+             
+<div align="left">         
 <p align="left">When selecting addresses from these ranges, there's a couple
-     of things to keep in mind:</p>
-    </div>
-         
-<div align="left">       
+      of things to keep in mind:</p>
+      </div>
+             
+<div align="left">         
 <ul>
-         <li>                    
+           <li>                              
     <p align="left">As the IPv4 address space becomes depleted, more and
 more      organizations (including ISPs) are beginning to use RFC 1918 addresses
-  in      their infrastructure.     </p>
-      </li>
-      <li>                    
+   in      their infrastructure.     </p>
+        </li>
+        <li>                              
     <p align="left">You don't want to use addresses that are being used by
-       your ISP or by another organization with whom you want to establish
- a VPN      relationship.    </p>
-      </li>
-       
+        your ISP or by another organization with whom you want to establish
+  a VPN      relationship.    </p>
+        </li>
+           
 </ul>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">So it's a good idea to check with your ISP to see if they
-  are    using (or are planning to use) private addresses before you decide
-  the    addresses that you are going to use.</p>
-    </div>
-         
-<div align="left">       
+   are    using (or are planning to use) private addresses before you decide
+   the    addresses that you are going to use.</p>
+      </div>
+             
+<div align="left">         
 <h2 align="left"><a name="Options"></a>5.0 Setting up your Network</h2>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">The choice of how to set up your network depends primarily
-  on    how many Public IP addresses you have vs. how many addressable entities
-  you    have in your network. Regardless of how many addresses you have,
-your  ISP will    handle that set of addresses in one of two ways:</p>
-    </div>
-         
-<div align="left">       
+   on    how many Public IP addresses you have vs. how many addressable entities
+   you    have in your network. Regardless of how many addresses you have,
+ your  ISP will    handle that set of addresses in one of two ways:</p>
+      </div>
+             
+<div align="left">         
 <ol>
-         <li>                       
+           <li>                                 
     <p align="left"><b>Routed - </b>Traffic to any of your addresses will
-  be    routed through a single <i>gateway address</i>. This will generally
-  only be    done if your ISP has assigned you a complete subnet (/29 or
+   be    routed through a single <i>gateway address</i>. This will generally
+   only be    done if your ISP has assigned you a complete subnet (/29 or
 larger).   In this    case, you will assign the gateway address as the IP
 address of   your    firewall/router's external interface.     </p>
-      </li>
-      <li>                       
+        </li>
+        <li>                                 
     <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
-  of your    addresses directly.   </p>
-      </li>
-       
+   of your    addresses directly.   </p>
+        </li>
+           
 </ol>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">In the subsections that follow, we'll look at each of these
-     separately.<br>
-  </p>
-   
+      separately.<br>
+    </p>
+       
 <p align="left">Before we begin, there is one thing for you to check:</p>
-   
+       
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13" alt="">
-       If you are using the Debian package, please check your shorewall.conf 
- file to ensure that the following are set correctly; if they are not, change 
- them appropriately:<br>
-    </p>
-   
+         If you are using the Debian package, please check your shorewall.conf 
+  file to ensure that the following are set correctly; if they are not, change 
+  them appropriately:<br>
+      </p>
+       
 <ul>
-    <li>NAT_ENABLED=Yes</li>
-    <li>IP_FORWARDING=On<br>
-     </li>
-   
+      <li>NAT_ENABLED=Yes</li>
+      <li>IP_FORWARDING=On<br>
+       </li>
+       
 </ul>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <h3 align="left"><a name="Routed"></a>5.1 Routed</h3>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">Let's assume that your ISP has assigned you the subnet  
  192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
-     192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
-is     192.0.2.65. Your ISP has also told you that you should use a netmask
-of     255.255.255.0 (so your /28 is part of a larger /24). With this many
-IP     addresses, you are able to subnet your /28 into two /29's and set
+      192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
+ is     192.0.2.65. Your ISP has also told you that you should use a netmask
+ of     255.255.255.0 (so your /28 is part of a larger /24). With this many
+ IP     addresses, you are able to subnet your /28 into two /29's and set
 up your     network as shown in the following diagram.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="center">   <img border="0" src="images/dmz4.png" width="726"
  height="635">
-    </p>
-    </div>
-         
-<div align="left">       
+      </p>
+      </div>
+             
+<div align="left">         
 <p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
 Local    network is 192.0.2.72/29. The default gateway for hosts in the DMZ
 would be    configured to 192.0.2.66 and the default gateway for hosts in
 the local    network would be 192.0.2.73.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">Notice that this arrangement is rather wasteful of public
-  IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
+   IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
 addresses,      192.0.2.71 and 192.0.2.79 for subnet broadcast addresses
 and 192.0.2.66   and    168.0.2.73 for internal addresses on the firewall/router.
 Nevertheless,   it    shows how subnetting can work and if we were dealing
 with a /24 rather   than a    /28 network, the use of 6 IP addresses out
 of 256 would be justified   because    of the simplicity of the setup.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">The astute reader may have noticed that the Firewall/Router's
-     external interface is actually part of the DMZ subnet (192.0.2.64/29).
-  What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
-routing  table on    DMZ 1 will look like this:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      external interface is actually part of the DMZ subnet (192.0.2.64/29).
+   What if    DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
+ routing  table on    DMZ 1 will look like this:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <pre>Kernel IP routing table<br>Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface<br>192.0.2.64 	0.0.0.0 	255.255.255.248 U     40  0         0 eth0<br>0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0</pre>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
-     request and no device on the DMZ Ethernet segment has that IP address.
-  Oddly    enough, the firewall will respond to the request with the MAC
+      request and no device on the DMZ Ethernet segment has that IP address.
+   Oddly    enough, the firewall will respond to the request with the MAC
 address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames
 addressed   to that    MAC address and the frames will be received (correctly)
 by the   firewall/router.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">It is this rather unexpected ARP behavior on the part of
 the    Linux Kernel that prompts the warning earlier in this guide regarding
 the    connecting of multiple firewall/router interfaces to the same hub
 or switch.    When an ARP request for one of the firewall/router's IP addresses
 is sent by    another system connected to the hub/switch, all    of the firewall's
-  interfaces that connect to the hub/switch can respond! It    is then a
+   interfaces that connect to the hub/switch can respond! It    is then a
 race   as to which "here-is" response reaches the sender first.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <h3 align="left"><a name="NonRouted"></a>5.2 Non-routed</h3>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">If you have the above situation but it is    non-routed,
 you can configure your network exactly as described above with one    additional
-  twist; simply specify the "proxyarp" option on all three firewall    interfaces
-  in the /etc/shorewall/interfaces file.</p>
-    </div>
-         
-<div align="left">       
+   twist; simply specify the "proxyarp" option on all three firewall    interfaces
+   in the /etc/shorewall/interfaces file.</p>
+      </div>
+             
+<div align="left">         
 <p align="left">Most of us don't have the luxury of having enough public
 IP    addresses to set up our networks as shown in the preceding example
 (even if    the setup is routed). </p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left"><b>For the remainder of this section, assume that  your ISP
-  has    assigned you IP addresses 192.0.2.176-180 and has told you to use
- netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
-    </div>
-         
-<div align="left">       
+   has    assigned you IP addresses 192.0.2.176-180 and has told you to use
+  netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
+      </div>
+             
+<div align="left">         
 <p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
-     and there aren't enough addresses for all of the network interfaces.
-There  are    four different techniques that can be used to work around this
-problem.</p>
-    </div>
-         
-<div align="left">       
+      and there aren't enough addresses for all of the network interfaces.
+ There  are    four different techniques that can be used to work around
+this  problem.</p>
+      </div>
+             
+<div align="left">         
 <ul>
-         <li>                       
+           <li>                                 
     <p align="left"><i>Source Network Address Translation </i>(SNAT).   
      </p>
-      </li>
-      <li>                       
+        </li>
+        <li>                                 
     <p align="left"><i>Destination Network Address Translation </i>(DNAT)
-  also    known as <i>Port Forwarding.</i>     </p>
-      </li>
-      <li>                       
+   also    known as <i>Port Forwarding.</i>     </p>
+        </li>
+        <li>                                 
     <p align="left"><i>Proxy ARP.</i>     </p>
-      </li>
-      <li>                       
+        </li>
+        <li>                                 
     <p align="left"><i>Network Address Translation</i> (NAT) also referred
-  to as   <i>Static NAT</i>.   </p>
-      </li>
-       
+   to as   <i>Static NAT</i>.   </p>
+        </li>
+           
 </ul>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">Often a combination of these techniques is used. Each of
 these    will be discussed in the sections that follow.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <h4 align="left"><a name="SNAT"></a> 5.2.1 SNAT</h4>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">With SNAT, an internal LAN segment is configured using RFC
-  1918    addresses. When a host <b>A </b>on this internal segment initiates
-  a    connection to host <b>B</b> on the internet, the firewall/router rewrites
-  the    IP header in the request to use one of your public IP addresses
-as   the source    address. When <b>B</b> responds and the response is received
-  by the firewall,    the firewall changes the destination address back to
- the RFC 1918 address of   <b>A</b> and forwards the response back to <b>A.</b></p>
-    </div>
-         
-<div align="left">       
+   1918    addresses. When a host <b>A </b>on this internal segment initiates
+   a    connection to host <b>B</b> on the internet, the firewall/router
+rewrites    the    IP header in the request to use one of your public IP
+addresses as   the source    address. When <b>B</b> responds and the response
+is received    by the firewall,    the firewall changes the destination address
+back to   the RFC 1918 address of   <b>A</b> and forwards the response back
+to <b>A.</b></p>
+      </div>
+             
+<div align="left">         
 <p align="left">Let's suppose that you decide to use SNAT on your local zone
-     and use public address 192.0.2.176 as both your firewall's external
+      and use public address 192.0.2.176 as both your firewall's external
 IP   address    and the source IP address of internet requests sent from
 that  zone.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <h2 align="center">   <img border="0" src="images/dmz5.png" width="745"
  height="635">
-    </h2>
-     </div>
-         
+      </h2>
+       </div>
+             
 <div align="left">   The local zone has been subnetted as 192.168.201.0/29
-  (netmask    255.255.255.248).</div>
-         
+   (netmask    255.255.255.248).</div>
+             
 <div align="left">    </div>
-         
+             
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
  width="13" height="13">
-        The systems in    the local zone would be configured with a default 
- gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
-         
+          The systems in    the local zone would be configured with a default 
+  gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
+             
 <div align="left">    </div>
-         
+             
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
  width="13" height="13">
-        SNAT is    configured in Shorewall using the <a
+          SNAT is    configured in Shorewall using the <a
  href="Documentation.htm#Masq">   /etc/shorewall/masq file</a>.</div>
-         
-<div align="left">       
-<blockquote>                 
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber6">
-           <tbody>
-          <tr>
-             <td width="33%"><u><b>INTERFACE</b></u></td>
-             <td width="33%"><u><b>SUBNET</b></u></td>
-             <td width="34%"><u><b>ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td width="33%">eth0</td>
-             <td width="33%">192.168.201.0/29</td>
-             <td width="34%">192.0.2.176</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td width="33%"><u><b>INTERFACE</b></u></td>
+               <td width="33%"><u><b>SUBNET</b></u></td>
+               <td width="34%"><u><b>ADDRESS</b></u></td>
+             </tr>
+             <tr>
+               <td width="33%">eth0</td>
+               <td width="33%">192.168.201.0/29</td>
+               <td width="34%">192.0.2.176</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">This example used the normal technique of assigning the same
-     public IP address for the firewall external interface and for SNAT.
+      public IP address for the firewall external interface and for SNAT.
 If   you    wanted to use a different IP address, you would either have to
 use   your    distributions network configuration tools to add that IP address
- to the    external interface or you could set ADD_SNAT_ALIASES=Yes in  
- /etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
-    </div>
-         
-<div align="left">       
+  to the    external interface or you could set ADD_SNAT_ALIASES=Yes in 
+  /etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
+      </div>
+             
+<div align="left">         
 <h4 align="left"><a name="DNAT"></a>5.2.2 DNAT</h4>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">When SNAT is used, it is impossible for hosts on the internet
-     to initiate a connection to one of the internal systems since those
+      to initiate a connection to one of the internal systems since those
 systems   do    not have a public IP address. DNAT provides a way to allow
 selected      connections from the internet.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-            Suppose that your daughter wants to run a web server on her system
-  "Local 3". You    could allow connections to the internet to her server
-by  adding the following    entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+              Suppose that your daughter wants to run a web server on her 
+system   "Local 3". You    could allow connections to the internet to her 
+server by  adding the following    entry in <a
+ href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL DESTINATION</b></u></td>
-           </tr>
-           <tr>
-             <td>DNAT</td>
-             <td>net</td>
-             <td>loc:192.168.201.4</td>
-             <td>tcp</td>
-             <td>www</td>
-             <td>-</td>
-             <td>192.0.2.176</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+               <td><u><b>SOURCE PORT</b></u></td>
+               <td><u><b>ORIGINAL DESTINATION</b></u></td>
+             </tr>
+             <tr>
+               <td>DNAT</td>
+               <td>net</td>
+               <td>loc:192.168.201.4</td>
+               <td>tcp</td>
+               <td>www</td>
+               <td>-</td>
+               <td>192.0.2.176</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">If one of your daughter's friends at address <b>A</b> wants
-  to    access your daughter's server, she can connect to <a
+   to    access your daughter's server, she can connect to <a
  href="http://192.0.2.176">   http://192.0.2.176</a> (the firewall's external
-  IP address) and the firewall    will rewrite the destination IP address
-to  192.168.201.4 (your daughter's system)    and forward the request. When
-your  daughter's server responds, the firewall will    rewrite the source
-address  back to 192.0.2.176 and send the response back to   <b>A.</b></p>
-    </div>
-         
-<div align="left">       
+   IP address) and the firewall    will rewrite the destination IP address
+ to  192.168.201.4 (your daughter's system)    and forward the request. When
+ your  daughter's server responds, the firewall will    rewrite the source
+ address  back to 192.0.2.176 and send the response back to   <b>A.</b></p>
+      </div>
+             
+<div align="left">         
 <p align="left">This example used the firewall's external IP address for
 DNAT.    You can use another of your public IP addresses but Shorewall will
 not add    that address to the firewall's external interface for you.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <h4 align="left"><a name="ProxyARP"></a>5.2.3 Proxy ARP</h4>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">The idea behind proxy ARP is that:</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <ul>
-         <li>                       
+           <li>                                 
     <p align="left">A host <b>H </b>behind your firewall is assigned one
 of your    public IP addresses (<b>A)</b> and is assigned the same netmask
     <b>(M) </b>as    the firewall's external interface.     </p>
-      </li>
-      <li>                       
+        </li>
+        <li>                                 
     <p align="left">The firewall responds to ARP "who has" requests for <b>A.</b> 
-      </p>
-      </li>
-      <li>                       
+       </p>
+        </li>
+        <li>                                 
     <p align="left">When <b>H</b> issues an ARP "who has" request for an
 address    in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
 will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
-      </li>
-       
+        </li>
+           
 </ul>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">Let suppose that we decide to use Proxy ARP on the DMZ in
-  our    example network.</p>
-    </div>
-         
-<div align="left">       
+   our    example network.</p>
+      </div>
+             
+<div align="left">         
 <p align="center">   <img border="0" src="images/dmz6.png" width="745"
  height="635">
-    </p>
-    </div>
-         
+      </p>
+      </div>
+             
 <div align="left">   Here, we've assigned the IP addresses 192.0.2.177 to
-  system DMZ 1 and    192.0.2.178 to DMZ 2. Notice that we've just assigned
-  an arbitrary RFC 1918 IP    address and subnet mask to the DMZ interface
- on the firewall. That address and    netmask isn't relevant - just be sure
- it doesn't overlap another subnet that    you've defined.</div>
-         
+   system DMZ 1 and    192.0.2.178 to DMZ 2. Notice that we've just assigned
+   an arbitrary RFC 1918 IP    address and subnet mask to the DMZ interface
+  on the firewall. That address and    netmask isn't relevant - just be sure
+  it doesn't overlap another subnet that    you've defined.</div>
+             
 <div align="left">    </div>
-         
+             
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
  width="13" height="13">
-        The Shorewall    configuration of Proxy ARP is done using the   <a
- href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div>
-         
-<div align="left">       
-<blockquote>                 
+          The Shorewall    configuration of Proxy ARP is done using the 
+ <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" id="AutoNumber8"
  style="border-collapse: collapse;">
-           <tbody>
-          <tr>
-             <td><u><b>ADDRESS</b></u></td>
-             <td><u><b>INTERFACE</b></u></td>
-             <td><u><b>EXTERNAL</b></u></td>
-             <td><u><b>HAVE ROUTE</b></u></td>
-           </tr>
-           <tr>
-             <td>192.0.2.177</td>
-             <td>eth2</td>
-             <td>eth0</td>
-             <td>No</td>
-           </tr>
-           <tr>
-             <td>192.0.2.178</td>
-             <td>eth2</td>
-             <td>eth0</td>
-             <td>No</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ADDRESS</b></u></td>
+               <td><u><b>INTERFACE</b></u></td>
+               <td><u><b>EXTERNAL</b></u></td>
+               <td><u><b>HAVE ROUTE</b></u></td>
+             </tr>
+             <tr>
+               <td>192.0.2.177</td>
+               <td>eth2</td>
+               <td>eth0</td>
+               <td>No</td>
+             </tr>
+             <tr>
+               <td>192.0.2.178</td>
+               <td>eth2</td>
+               <td>eth0</td>
+               <td>No</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">Because the HAVE ROUTE column contains No, Shorewall will
-  add    host routes thru eth2 to 192.0.2.177 and 192.0.2.178.<br>
-</p>
-<p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
-to have the IP addresses shown but should have the same default gateway as
-the firewall itself -- namely 192.0.2.254.<br>
-</p>
-    </div>
-         
-<div align="left">       
-<p align="left"></p>
- </div>
- 
-<div align="left"> 
-<div align="left">    
-<p align="left">A word of warning is in order here. ISPs typically configure 
-   their routers with a long ARP cache timeout. If you move a system from 
-   parallel to your firewall to behind your firewall with Proxy ARP, it will 
-   probably be HOURS before that system can communicate with the internet. 
-There are a couple of things that you can try:<br>
+   add    host routes thru eth2 to 192.0.2.177 and 192.0.2.178.<br>
   </p>
    
+<p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
+ to have the IP addresses shown but should have the same default gateway
+as  the firewall itself -- namely 192.0.2.254.<br>
+  </p>
+      </div>
+             
+<div align="left">         
+<p align="left"></p>
+   </div>
+     
+<div align="left">   
+<div align="left">      
+<p align="left">A word of warning is in order here. ISPs typically configure 
+    their routers with a long ARP cache timeout. If you move a system from 
+    parallel to your firewall to behind your firewall with Proxy ARP, it will
+    probably be HOURS before that system can communicate with the internet. 
+ There are a couple of things that you can try:<br>
+    </p>
+       
 <ol>
-   <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, 
-Vol 1</i> reveals that a <br>
-     <br>
- "gratuitous" ARP packet should cause the ISP's router to refresh their ARP 
-cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC 
-address for its own IP; in addition to ensuring that the IP address isn't 
-a duplicate,...<br>
-      <br>
-  "if the host sending the gratuitous ARP has just changed its hardware address...,
- this packet causes any other host...that has an entry in its cache for the
- old hardware address to update its ARP cache entry accordingly."<br>
-      <br>
-  Which is, of course, exactly what you want to do when you switch a host 
-from being exposed to the Internet to behind Shorewall using proxy ARP  (or 
-static NAT for that matter). Happily enough, recent versions of Redhat's iputils
-package include "arping", whose "-U" flag does just that:<br>
-      <br>
-      <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly proxied 
-IP&gt;</b></font><br>
-      <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
-      <br>
-  Stevens goes on to mention that not all systems respond correctly to gratuitous
- ARPs, but googling for "arping -U" seems to support the idea that it works
- most of the time.<br>
-      <br>
-    </li>
-   <li>You    can call your ISP and ask them to purge the stale ARP cache 
-entry but many    either can't or won't purge individual entries.</li>
- 
+     <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, 
+ Vol 1</i> reveals that a <br>
+       <br>
+   "gratuitous" ARP packet should cause the ISP's router to refresh their 
+ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the 
+MAC  address for its own IP; in addition to ensuring that the IP address isn't
+ a duplicate,...<br>
+        <br>
+    "if the host sending the gratuitous ARP has just changed its hardware 
+address...,  this packet causes any other host...that has an entry in its 
+cache for the  old hardware address to update its ARP cache entry accordingly."<br>
+        <br>
+    Which is, of course, exactly what you want to do when you switch a host 
+ from being exposed to the Internet to behind Shorewall using proxy ARP  (or
+ static NAT for that matter). Happily enough, recent versions of Redhat's 
+iputils package include "arping", whose "-U" flag does just that:<br>
+        <br>
+        <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly proxied 
+ IP&gt;</b></font><br>
+        <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
+        <br>
+    Stevens goes on to mention that not all systems respond correctly to
+gratuitous   ARPs, but googling for "arping -U" seems to support the idea
+that it works   most of the time.<br>
+        <br>
+      </li>
+     <li>You    can call your ISP and ask them to purge the stale ARP cache 
+ entry but many    either can't or won't purge individual entries.</li>
+     
 </ol>
-  You can determine if your    ISP's gateway ARP cache is stale using ping 
-and tcpdump. Suppose that we    suspect that the gateway router has a stale 
-ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
-   
-<div align="left">    
+    You can determine if your    ISP's gateway ARP cache is stale using ping 
+ and tcpdump. Suppose that we    suspect that the gateway router has a stale 
+ ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
+       
+<div align="left">      
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
-  </div>
-   
-<div align="left">    
+    </div>
+       
+<div align="left">      
 <p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we 
-will    assume is 130.252.100.254):</p>
- </div>
-   
-<div align="left">    
+ will    assume is 130.252.100.254):</p>
+   </div>
+       
+<div align="left">      
 <pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
-  </div>
-         </div>
-         
-<div align="left">       
+    </div>
+           </div>
+             
+<div align="left">         
 <p align="left">We can now observe the tcpdump output:</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 192.0.2.177 &gt; 192.0.2.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 192.0.2.254 &gt; 192.0.2.177 : icmp: echo reply</pre>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">Notice that the source MAC address in the echo request is
-     different from the destination MAC address in the echo reply!! In this
-  case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
-     was the MAC address of DMZ 1. In other words, the gateway's ARP cache
- still    associates 192.0.2.177 with the NIC in DMZ 1 rather than with the
- firewall's    eth0.</p>
-    </div>
-         
-<div align="left">       
+      different from the destination MAC address in the echo reply!! In this
+   case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
+      was the MAC address of DMZ 1. In other words, the gateway's ARP cache
+  still    associates 192.0.2.177 with the NIC in DMZ 1 rather than with
+the   firewall's    eth0.</p>
+      </div>
+             
+<div align="left">         
 <h4 align="left"><a name="NAT"></a>5.2.4 Static NAT</h4>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">With static NAT, you assign local systems RFC 1918 addresses
-     then establish a one-to-one mapping between those addresses and public
-  IP    addresses. For outgoing connections SNAT occurs and on incoming connections
-     DNAT occurs. Let's go back to our earlier example involving your daughter's
-  web    server running on system Local 3.</p>
-    </div>
-         
-<div align="left">       
+      then establish a one-to-one mapping between those addresses and public
+   IP    addresses. For outgoing connections SNAT (Source Network Address 
+Translation) occurs and on incoming connections      DNAT (Destination Network 
+Address Translation) occurs. Let's go back to our earlier example involving 
+your daughter's   web    server running on system Local 3.</p>
+      </div>
+             
+<div align="left">         
 <p align="center"><img border="0" src="images/dmz5.png" width="745"
  height="635">
-    </p>
-    </div>
-         
-<div align="left">       
+      </p>
+      </div>
+             
+<div align="left">         
 <p align="left">Recall that in this setup, the local network is using SNAT
-  and    is sharing the firewall external IP (192.0.2.176) for outbound connections.
-     This is done with the following entry in /etc/shorewall/masq:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+   and    is sharing the firewall external IP (192.0.2.176) for outbound
+connections.       This is done with the following entry in /etc/shorewall/masq:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber6">
-           <tbody>
-          <tr>
-             <td width="33%"><u><b>INTERFACE</b></u></td>
-             <td width="33%"><u><b>SUBNET</b></u></td>
-             <td width="34%"><u><b>ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td width="33%">eth0</td>
-             <td width="33%">192.168.201.0/29</td>
-             <td width="34%">192.0.2.176</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td width="33%"><u><b>INTERFACE</b></u></td>
+               <td width="33%"><u><b>SUBNET</b></u></td>
+               <td width="34%"><u><b>ADDRESS</b></u></td>
+             </tr>
+             <tr>
+               <td width="33%">eth0</td>
+               <td width="33%">192.168.201.0/29</td>
+               <td width="34%">192.0.2.176</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-           Suppose now that you have decided to give your daughter her own
- IP  address    (192.0.2.179) for both inbound and outbound connections.
+             Suppose now that you have decided to give your daughter her
+own   IP  address    (192.0.2.179) for both inbound and outbound connections.
 You  would  do that by    adding an entry in <a
  href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellspacing="0" cellpadding="2" id="AutoNumber9"
  style="border-collapse: collapse;">
-           <tbody>
-          <tr>
-             <td>EXTERNAL</td>
-             <td>INTERFACE</td>
-             <td>INTERNAL</td>
-             <td>ALL INTERFACES </td>
-             <td>LOCAL</td>
-           </tr>
-           <tr>
-             <td>192.0.2.179</td>
-             <td>eth0</td>
-             <td>192.168.201.4</td>
-             <td>No</td>
-             <td>No</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td>EXTERNAL</td>
+               <td>INTERFACE</td>
+               <td>INTERNAL</td>
+               <td>ALL INTERFACES </td>
+               <td>LOCAL</td>
+             </tr>
+             <tr>
+               <td>192.0.2.179</td>
+               <td>eth0</td>
+               <td>192.168.201.4</td>
+               <td>No</td>
+               <td>No</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">With this entry in place, you daughter has her own IP address
-     and the other two local systems share the firewall's IP address.</p>
-    </div>
-         
-<div align="left">       
+      and the other two local systems share the firewall's IP address.</p>
+      </div>
+             
+<div align="left">         
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-           Once the relationship between 192.0.2.179 and 192.168.201.4 is 
-established  by    the nat file entry above, it is no longer    appropriate 
-to use a DNAT  rule for you daughter's web server -- you would    rather just
-use an ACCEPT  rule:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+             Once the relationship between 192.0.2.179 and 192.168.201.4
+is  established  by    the nat file entry above, it is no longer    appropriate 
+ to use a DNAT  rule for you daughter's web server -- you would    rather 
+just use an ACCEPT  rule:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL DESTINATION</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>loc:192.168.201.4</td>
-             <td>tcp</td>
-             <td>www</td>
-             <td> </td>
-             <td> </td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+               <td><u><b>SOURCE PORT</b></u></td>
+               <td><u><b>ORIGINAL DESTINATION</b></u></td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>loc:192.168.201.4</td>
+               <td>tcp</td>
+               <td>www</td>
+               <td> </td>
+               <td> </td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <h3 align="left"><a name="Rules"></a>5.3 Rules</h3>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-           With the default policies, your local systems (Local 1-3) can
-access   any    servers on the internet and the DMZ can't access any other
-host (including   the    firewall). With the exception of <a
+             With the default policies, your local systems (Local 1-3) can
+ access   any    servers on the internet and the DMZ can't access any other
+ host (including   the    firewall). With the exception of <a
  href="#DNAT">DNAT rules</a> which   cause    address translation and allow
-the translated connection request  to pass    through the firewall, the way
-to allow connection requests through   your    firewall is to use ACCEPT
+ the translated connection request  to pass    through the firewall, the
+way  to allow connection requests through   your    firewall is to use ACCEPT
 rules.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left"><b>NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't
-     used in this section, they won't be shown</b></p>
-    </div>
-         
-<div align="left">       
+      used in this section, they won't be shown</b></p>
+      </div>
+             
+<div align="left">         
 <p align="left">You probably want to allow ping between your zones:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>loc</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz</td>
-             <td>loc</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>loc</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz</td>
+               <td>loc</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">Let's suppose that you run mail and pop3 servers on DMZ 2
-  and    a Web Server on DMZ 1. The rules that you would need are:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+   and    a Web Server on DMZ 1. The rules that you would need are:</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>COMMENTS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail from the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>pop3</td>
-             <td># Pop3 from the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail from the Local Network</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>pop3</td>
-             <td># Pop3 from the Local Network</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail from the Firewall</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz:192.0.2.178</td>
-             <td>net</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail to the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>http</td>
-             <td># WWW from the Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>https</td>
-             <td># Secure HTTP from the Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>https</td>
-             <td># Secure HTTP from the Local Net</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+               <td><u><b>COMMENTS</b></u></td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail from the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>pop3</td>
+               <td># Pop3 from the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail from the Local Network</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>pop3</td>
+               <td># Pop3 from the Local Network</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>fw</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail from the Firewall</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz:192.0.2.178</td>
+               <td>net</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail to the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>http</td>
+               <td># WWW from the Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>https</td>
+               <td># Secure HTTP from the Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>https</td>
+               <td># Secure HTTP from the Local Net</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">If you run a public DNS server on 192.0.2.177, you would
 need    to add the following rules:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>COMMENTS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.177</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS from the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS from the internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:192.0.2.177</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS from firewall</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS from firewall</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.177</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS from the local Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS from the local Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz:192.0.2.177</td>
-             <td>net</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS to the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz:192.0.2.177</td>
-             <td>net</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS to the Internet</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+               <td><u><b>COMMENTS</b></u></td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.177</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS from the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS from the internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>fw</td>
+               <td>dmz:192.0.2.177</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS from firewall</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>fw</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS from firewall</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.177</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS from the local Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS from the local Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz:192.0.2.177</td>
+               <td>net</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS to the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz:192.0.2.177</td>
+               <td>net</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS to the Internet</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">You probably want some way to communicate with your firewall
-     and DMZ systems from the local network -- I recommend SSH which through
-  its    scp utility can also do publishing and software update distribution.</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      and DMZ systems from the local network -- I recommend SSH which through
+   its    scp utility can also do publishing and software update distribution.</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>COMMENTS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz</td>
-             <td>tcp</td>
-             <td>ssh</td>
-             <td># SSH to the DMZ</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>ssh</td>
-             <td># SSH to the Firewall</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+               <td><u><b>COMMENTS</b></u></td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz</td>
+               <td>tcp</td>
+               <td>ssh</td>
+               <td># SSH to the DMZ</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>fw</td>
+               <td>tcp</td>
+               <td>ssh</td>
+               <td># SSH to the Firewall</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <h3 align="left"><a name="OddsAndEnds"></a>5.4 Odds and Ends</h3>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">The above discussion reflects my personal preference for
 using    Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
 I prefer    to use NAT only in cases where a system that is part of an RFC
 1918 subnet    needs to have it's own public IP. </p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-           If you haven't already, it would be a good idea to browse through 
-   <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just
-  to see    if there is anything there that might be of interest. You might
-  also want to    look at the other configuration files that you haven't
+             If you haven't already, it would be a good idea to browse through 
+    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just
+   to see    if there is anything there that might be of interest. You might
+   also want to    look at the other configuration files that you haven't
 touched   yet just to get    a feel for the other things that Shorewall can
 do.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">In case you haven't been keeping score, here's the final
 set    of configuration files for our sample network. Only those that were
 modified    from the original installation are shown.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">/etc/shorewall/interfaces (The "options" will be very   
 site-specific).</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" id="AutoNumber4">
-         <tbody>
-          <tr>
-           <td><u><b>Zone</b></u></td>
-           <td><u><b>Interface</b></u></td>
-           <td><u><b>Broadcast</b></u></td>
-           <td><u><b>Options</b></u></td>
-         </tr>
-         <tr>
-           <td>net</td>
-           <td>eth0</td>
-           <td>detect</td>
-           <td>norfc1918,routefilter </td>
-         </tr>
-         <tr>
-           <td>loc</td>
-           <td>eth1</td>
-           <td>detect</td>
-           <td> </td>
-         </tr>
-         <tr>
-           <td>dmz</td>
-           <td>eth2</td>
-           <td>detect</td>
-           <td> </td>
-         </tr>
-                           
-    </tbody>            
+           <tbody>
+            <tr>
+             <td><u><b>Zone</b></u></td>
+             <td><u><b>Interface</b></u></td>
+             <td><u><b>Broadcast</b></u></td>
+             <td><u><b>Options</b></u></td>
+           </tr>
+           <tr>
+             <td>net</td>
+             <td>eth0</td>
+             <td>detect</td>
+             <td>norfc1918,routefilter </td>
+           </tr>
+           <tr>
+             <td>loc</td>
+             <td>eth1</td>
+             <td>detect</td>
+             <td> </td>
+           </tr>
+           <tr>
+             <td>dmz</td>
+             <td>eth2</td>
+             <td>detect</td>
+             <td> </td>
+           </tr>
+                                       
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">The setup described here requires that your network interfaces
-     be brought up before Shorewall can start. This opens a short window
+      be brought up before Shorewall can start. This opens a short window
 during      which you have no firewall protection. If you replace 'detect'
 with the   actual    broadcast addresses in the entries above, you can bring
 up Shorewall   before    you bring up your network interfaces.</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" id="AutoNumber4">
-         <tbody>
-          <tr>
-           <td><u><b>Zone</b></u></td>
-           <td><u><b>Interface</b></u></td>
-           <td><u><b>Broadcast</b></u></td>
-           <td><u><b>Options</b></u></td>
-         </tr>
-         <tr>
-           <td>net</td>
-           <td>eth0</td>
-           <td>192.0.2.255</td>
-           <td>norfc1918,routefilter </td>
-         </tr>
-         <tr>
-           <td>loc</td>
-           <td>eth1</td>
-           <td>192.168.201.7</td>
-           <td> </td>
-         </tr>
-         <tr>
-           <td>dmz</td>
-           <td>eth2</td>
-           <td>192.168.202.7</td>
-           <td> </td>
-         </tr>
-                           
-    </tbody>            
+           <tbody>
+            <tr>
+             <td><u><b>Zone</b></u></td>
+             <td><u><b>Interface</b></u></td>
+             <td><u><b>Broadcast</b></u></td>
+             <td><u><b>Options</b></u></td>
+           </tr>
+           <tr>
+             <td>net</td>
+             <td>eth0</td>
+             <td>192.0.2.255</td>
+             <td>norfc1918,routefilter </td>
+           </tr>
+           <tr>
+             <td>loc</td>
+             <td>eth1</td>
+             <td>192.168.201.7</td>
+             <td> </td>
+           </tr>
+           <tr>
+             <td>dmz</td>
+             <td>eth2</td>
+             <td>192.168.202.7</td>
+             <td> </td>
+           </tr>
+                                       
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">/etc/shorewall/masq - Local subnet</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber6">
-           <tbody>
-          <tr>
-             <td width="33%"><u><b>INTERFACE</b></u></td>
-             <td width="33%"><u><b>SUBNET</b></u></td>
-             <td width="34%"><u><b>ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td width="33%">eth0</td>
-             <td width="33%">192.168.201.0/29</td>
-             <td width="34%">192.0.2.176</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td width="33%"><u><b>INTERFACE</b></u></td>
+               <td width="33%"><u><b>SUBNET</b></u></td>
+               <td width="34%"><u><b>ADDRESS</b></u></td>
+             </tr>
+             <tr>
+               <td width="33%">eth0</td>
+               <td width="33%">192.168.201.0/29</td>
+               <td width="34%">192.0.2.176</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">/etc/shorewall/proxyarp - DMZ</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" id="AutoNumber8"
  style="border-collapse: collapse;">
-           <tbody>
-          <tr>
-             <td><u><b>ADDRESS</b></u></td>
-             <td><u><b>INTERFACE</b></u></td>
-             <td><u><b>EXTERNAL</b></u></td>
-             <td><u><b>HAVE ROUTE</b></u></td>
-           </tr>
-           <tr>
-             <td>192.0.2.177</td>
-             <td>eth2</td>
-             <td>eth0</td>
-             <td>No</td>
-           </tr>
-           <tr>
-             <td>192.0.2.178</td>
-             <td>eth2</td>
-             <td>eth0</td>
-             <td>No</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ADDRESS</b></u></td>
+               <td><u><b>INTERFACE</b></u></td>
+               <td><u><b>EXTERNAL</b></u></td>
+               <td><u><b>HAVE ROUTE</b></u></td>
+             </tr>
+             <tr>
+               <td>192.0.2.177</td>
+               <td>eth2</td>
+               <td>eth0</td>
+               <td>No</td>
+             </tr>
+             <tr>
+               <td>192.0.2.178</td>
+               <td>eth2</td>
+               <td>eth0</td>
+               <td>No</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">/etc/shorewall/nat- Daughter's System</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" id="AutoNumber9"
  style="border-collapse: collapse;">
-           <tbody>
-          <tr>
-             <td>EXTERNAL</td>
-             <td>INTERFACE</td>
-             <td>INTERNAL</td>
-             <td>ALL INTERFACES </td>
-             <td>LOCAL</td>
-           </tr>
-           <tr>
-             <td>192.0.2.179</td>
-             <td>eth0</td>
-             <td>192.168.201.4</td>
-             <td>No</td>
-             <td>No</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td>EXTERNAL</td>
+               <td>INTERFACE</td>
+               <td>INTERNAL</td>
+               <td>ALL INTERFACES </td>
+               <td>LOCAL</td>
+             </tr>
+             <tr>
+               <td>192.0.2.179</td>
+               <td>eth0</td>
+               <td>192.168.201.4</td>
+               <td>No</td>
+               <td>No</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">/etc/shorewall/rules</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber7">
-           <tbody>
-          <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>COMMENTS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail from the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>pop3</td>
-             <td># Pop3 from the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail from the Local Network</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>pop3</td>
-             <td># Pop3 from the Local Network</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail from the Firewall</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz:192.0.2.178</td>
-             <td>net</td>
-             <td>tcp</td>
-             <td>smtp</td>
-             <td># Mail to the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>http</td>
-             <td># WWW from the Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>https</td>
-             <td># Secure HTTP from the Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.178</td>
-             <td>tcp</td>
-             <td>https</td>
-             <td># Secure HTTP from the Local Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.177</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS from the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS from the internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:192.0.2.177</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS from firewall</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS from firewall</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.177</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS from the local Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:192.0.2.177</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS from the local Net</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz:192.0.2.177</td>
-             <td>net</td>
-             <td>udp</td>
-             <td>domain</td>
-             <td># UDP DNS to the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz:192.0.2.177</td>
-             <td>net</td>
-             <td>tcp</td>
-             <td>domain</td>
-             <td># TCP DNS to the Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>dmz</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-             <td># Ping</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>loc</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-             <td>#  "</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz</td>
-             <td>loc</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-             <td># "</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz</td>
-             <td>icmp</td>
-             <td>echo-request</td>
-             <td># "</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz</td>
-             <td>tcp</td>
-             <td>ssh</td>
-             <td># SSH to the DMZ</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>ssh</td>
-             <td># SSH to the Firewall</td>
-           </tr>
-                             
-    </tbody>            
+             <tbody>
+            <tr>
+               <td><u><b>ACTION</b></u></td>
+               <td><u><b>SOURCE</b></u></td>
+               <td><u><b>DESTINATION</b></u></td>
+               <td><u><b>PROTOCOL</b></u></td>
+               <td><u><b>PORT</b></u></td>
+               <td><u><b>COMMENTS</b></u></td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail from the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>pop3</td>
+               <td># Pop3 from the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail from the Local Network</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>pop3</td>
+               <td># Pop3 from the Local Network</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>fw</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail from the Firewall</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz:192.0.2.178</td>
+               <td>net</td>
+               <td>tcp</td>
+               <td>smtp</td>
+               <td># Mail to the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>http</td>
+               <td># WWW from the Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>https</td>
+               <td># Secure HTTP from the Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.178</td>
+               <td>tcp</td>
+               <td>https</td>
+               <td># Secure HTTP from the Local Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.177</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS from the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS from the internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>fw</td>
+               <td>dmz:192.0.2.177</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS from firewall</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>fw</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS from firewall</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.177</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS from the local Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz:192.0.2.177</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS from the local Net</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz:192.0.2.177</td>
+               <td>net</td>
+               <td>udp</td>
+               <td>domain</td>
+               <td># UDP DNS to the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz:192.0.2.177</td>
+               <td>net</td>
+               <td>tcp</td>
+               <td>domain</td>
+               <td># TCP DNS to the Internet</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>dmz</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+               <td># Ping</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>net</td>
+               <td>loc</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+               <td>#  "</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>dmz</td>
+               <td>loc</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+               <td># "</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz</td>
+               <td>icmp</td>
+               <td>echo-request</td>
+               <td># "</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>dmz</td>
+               <td>tcp</td>
+               <td>ssh</td>
+               <td># SSH to the DMZ</td>
+             </tr>
+             <tr>
+               <td>ACCEPT</td>
+               <td>loc</td>
+               <td>fw</td>
+               <td>tcp</td>
+               <td>ssh</td>
+               <td># SSH to the Firewall</td>
+             </tr>
+                                         
+    </tbody>                  
   </table>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <h2 align="left"><a name="DNS"></a>6.0 DNS</h2>
-     </div>
-         
-<div align="left">       
+       </div>
+             
+<div align="left">         
 <p align="left">Given the collection of RFC 1918 and public addresses in
 this    setup, it only makes sense to have separate internal and external
 DNS servers.    You can  combine the two into a single BIND 9 server using
 <i>Views.   </i>   If you are not interested in Bind 9 views, you can   <a
  href="#StartingAndStopping">go to the next section</a>.</p>
-    </div>
-         
-<div align="left">       
+      </div>
+             
+<div align="left">         
 <p align="left">Suppose that your domain is foobar.net and you want the two
-     DMZ systems named www.foobar.net and mail.foobar.net and you want the
- three    local systems named "winken.foobar.net, blinken.foobar.net and
+      DMZ systems named www.foobar.net and mail.foobar.net and you want the
+  three    local systems named "winken.foobar.net, blinken.foobar.net and
 nod.foobar.net.      You want your firewall to be known as firewall.foobar.net
 externally and  it's    interface to the local network to be know as gateway.foobar.net
-and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
- on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
-    </div>
-         
-<div align="left">       
+ and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
+  on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
+      </div>
+             
+<div align="left">         
 <p align="left">The /etc/named.conf file would look like this:</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
-  <div align="left">                   
+      </div>
+             
+<div align="left">         
+<blockquote>                       
+  <div align="left">                         
   <pre>options {<br>	directory "/var/named";<br>	listen-on { 127.0.0.1 ; 192.0.2.177; };<br>};<br><br>logging {<br>	channel xfer-log {<br>		file "/var/log/named/bind-xfer.log";<br>		print-category yes;<br>		print-severity yes;<br>		print-time yes;<br>		severity info;<br>	};<br>	category xfer-in { xfer-log; };<br>	category xfer-out { xfer-log; };<br>	category notify { xfer-log; };<br>};</pre>
-         </div>
-                     
-  <div align="left">                   
+           </div>
+                             
+  <div align="left">                         
   <pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br>	#<br>	# These are the clients that see this view<br>	#<br>	match-clients { 192.168.201.0/29;<br>			192.168.202.0/29;<br>			127.0.0/24;<br>			192.0.2.176/32; <br>			192.0.2.178/32;<br>			192.0.2.179/32;<br>			192.0.2.180/32; };<br>	#<br>	# If this server can't complete the request, it should use outside<br>	# servers to do so<br>	#<br>	recursion yes;<br><br>	zone "." in {<br>		type hint;<br>		file "int/root.cache";<br>	};<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.foobar";<br>	};<br><br>	zone "0.0.127.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.127.0.0";	<br>	};<br><br>	zone "201.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.201";<br>	};<br><br>	zone "202.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.202";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.176";<br>	};<br> (or status NAT for that matter)<br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.206.124.146.179";<br>	};<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br>	match-clients { any; };<br>	#<br>	# If we can't answer the query, we tell the client so<br>	#<br>	recursion no;<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify yes;<br>		allow-update {none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "ext/db.foobar";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br> 		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.176";<br>	};<br><br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.179";<br>	};<br>};</pre>
-         </div>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+           </div>
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">Here are the files in /var/named (those not shown are usually
-     included in your bind disbribution).</p>
-       
+      included in your bind disbribution).</p>
+           
 <p align="left">db.192.0.2.176 - This is    the reverse zone for the firewall's
-  external interface</p>
-       
-<blockquote>                 
+   external interface</p>
+           
+<blockquote>                       
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32<br>; Filename: db.192.0.2.176<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.<br></pre>
-       </blockquote>
-     </div>
-         
-<div align="left">     
+         </blockquote>
+       </div>
+             
+<div align="left">       
 <div align="left">   db.192.0.2.177 - This is the reverse zone for the www/DNS
-  server    
-<blockquote>                 
+   server      
+<blockquote>                       
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32<br>; Filename: db.192.0.2.177<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.<br></pre>
-       </blockquote>
-     </div>
-     </div>
-         
-<div align="left">     
+         </blockquote>
+       </div>
+       </div>
+             
+<div align="left">       
 <div align="left">   db.192.0.2.178 - This is the reverse zone for the mail
-  server    
-<blockquote>                 
+   server      
+<blockquote>                       
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32<br>; Filename: db.192.0.2.178<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.<br></pre>
-       </blockquote>
-     </div>
-     </div>
-         
-<div align="left">     
+         </blockquote>
+       </div>
+       </div>
+             
+<div align="left">       
 <div align="left">   db.192.0.2.179 - This is the reverse zone for daughter's
-  web server's public    IP    
-<blockquote>                 
+   web server's public    IP      
+<blockquote>                       
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32<br>; Filename: db.192.0.2.179<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.<br></pre>
-       </blockquote>
-     </div>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+       </div>
+             
+<div align="left">         
 <p align="left">int/db.127.0.0 - The reverse zone for localhost</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8<br>; Filename: db.127.0.0<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>				2001092901 ; serial<br>				10800 ; refresh (3 hour)<br>				3600 ; retry (1 hour)<br>				604800 ; expire (7 days)<br>				86400 ) ; minimum (1 day)<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800		IN NS	ns1.foobar.net.<br><br>; ############################################################<br>; Iverse Address Arpa Records (PTR's)<br>; ############################################################<br>1	86400		IN PTR	localhost.foobar.net.</pre>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">int/db.192.168.201 - Reverse zone for the local net. This
-  is    only shown to internal clients</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+   is    only shown to internal clients</p>
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29<br>; Filename: db.192.168.201<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (<br>				2002032501 ; serial<br>				10800 ; refresh (3 hour)<br>				3600 ; retry (1 hour)<br>				604800 ; expire (7 days)<br>				86400 ) ; minimum (1 day)<br><br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800		IN NS	ns1.foobar.net.<br><br>; ############################################################<br>; Iverse Address Arpa Records (PTR's)<br>; ############################################################<br>1	86400		IN PTR 	gateway.foobar.net.<br>2	86400		IN PTR	winken.foobar.net.<br>3	86400		IN PTR	blinken.foobar.net.<br>4	86400		IN PTR	nod.foobar.net.</pre>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">int/db.192.168.202 - Reverse zone for the firewall's DMZ
    interface</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
-  <div align="left">                   
+      </div>
+             
+<div align="left">         
+<blockquote>                       
+  <div align="left">                         
   <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29<br>; Filename: db.192.168.202<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (<br>				2002032501 ; serial<br>				10800 ; refresh (3 hour)<br>				3600 ; retry (1 hour)<br>				604800 ; expire (7 days)<br>				86400 ) ; minimum (1 day)<br><br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@		604800	IN NS	ns1.foobar.net.<br><br>; ############################################################<br>; Iverse Address Arpa Records (PTR's)<br>; ############################################################<br>1 		86400 IN PTR	dmz.foobar.net.</pre>
-         </div>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+           </div>
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">int/db.foobar - Forward zone for use by internal clients.</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
+      </div>
+             
+<div align="left">         
+<blockquote>                       
   <pre>;##############################################################<br>; Start of Authority for foobar.net.<br>; Filename: db.foobar<br>;##############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2002071501 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ); minimum (1 day)<br>;############################################################<br>; foobar.net Nameserver Records (NS)<br>;############################################################<br>@ 		604800	IN NS	ns1.foobar.net.<br><br>;############################################################<br>; Foobar.net Office Records (ADDRESS)<br>;############################################################<br>localhost	86400 	IN A 	127.0.0.1<br><br>firewall	86400	IN A	192.0.2.176<br>www		86400	IN A	192.0.2.177<br>ns1 		86400	IN A 	192.0.2.177<br>www		86400	IN A	192.0.2.177<br><br>gateway		86400	IN A 	192.168.201.1<br>winken		86400	IN A 	192.168.201.2<br>blinken		86400	IN A	192.168.201.3<br>nod		86400	IN A	192.168.201.4</pre>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <p align="left">ext/db.foobar - Forward zone for external clients</p>
-    </div>
-         
-<div align="left">       
-<blockquote>                 
-  <div align="left">                   
+      </div>
+             
+<div align="left">         
+<blockquote>                       
+  <div align="left">                         
   <pre>;##############################################################<br>; Start of Authority for foobar.net.<br>; Filename: db.foobar<br>;##############################################################<br>@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2002052901 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ); minimum (1 day)<br>;############################################################<br>; Foobar.net Nameserver Records (NS)<br>;############################################################<br>@		86400	IN NS	ns1.foobar.net.<br>@		86400	IN NS	<i>&lt;secondary NS&gt;</i>.<br>;############################################################<br>; Foobar.net 	Foobar Wa Office Records (ADDRESS)<br>;############################################################<br>localhost	86400	IN A	127.0.0.1<br>;<br>; The firewall itself<br>;<br>firewall	86400	IN A	192.0.2.176<br>;<br>; The DMZ<br>;<br>ns1		86400	IN A	192.0.2.177<br>www		86400	IN A	192.0.2.177<br>mail		86400	IN A	192.0.2.178<br>;<br>; The Local Network<br>;<br>nod		86400	IN A	192.0.2.179<br><br>;############################################################<br>; Current Aliases for foobar.net (CNAME)<br>;############################################################<br><br>;############################################################<br>; foobar.net MX Records (MAIL EXCHANGER)<br>;############################################################<br>foobar.net.	86400	IN A	192.0.2.177<br>		86400 	IN MX 0 mail.foobar.net.<br>		86400	IN MX 1 <i>&lt;backup MX&gt;</i>.</pre>
-         </div>
-       </blockquote>
-     </div>
-         
-<div align="left">       
+           </div>
+         </blockquote>
+       </div>
+             
+<div align="left">         
 <h2 align="left"><a name="StartingAndStopping"></a>7.0 Starting and Stopping
-  Your Firewall</h2>
-     </div>
-         
-<div align="left">       
+   Your Firewall</h2>
+       </div>
+             
+<div align="left">         
 <p align="left">The <a href="Install.htm">installation procedure </a>   configures
-  your system to start Shorewall at system boot.</p>
-    </div>
-         
-<div align="left">       
+   your system to start Shorewall at system boot.</p>
+      </div>
+             
+<div align="left">         
 <p align="left">The firewall is started using the "shorewall start" command
-     and stopped using "shorewall stop". When the firewall is stopped, routing
-  is    enabled on those hosts that have an entry in   <a
+      and stopped using "shorewall stop". When the firewall is stopped, routing
+   is    enabled on those hosts that have an entry in   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
-     running firewall may be restarted using the "shorewall restart" command.
-  If    you want to totally remove any trace of Shorewall from your Netfilter
-     configuration, use "shorewall clear".</p>
-    </div>
-         
-<div align="left">       
+      running firewall may be restarted using the "shorewall restart" command.
+   If    you want to totally remove any trace of Shorewall from your Netfilter
+      configuration, use "shorewall clear".</p>
+      </div>
+             
+<div align="left">         
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-           Edit the /etc/shorewall/routestopped file and configure those
-systems   that you    want to be able to access the firewall when it is stopped.</p>
-    </div>
-         
-<div align="left">       
+             Edit the /etc/shorewall/routestopped file and configure those
+ systems   that you    want to be able to access the firewall when it is
+stopped.</p>
+      </div>
+             
+<div align="left">         
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-  the    internet, do not issue a "shorewall stop" command unless you have
- added an    entry for the IP address that you are connected from to   <a
+   the    internet, do not issue a "shorewall stop" command unless you have
+  added an    entry for the IP address that you are connected from to   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.  
  Also, I don't recommend using "shorewall restart"; it is better to create
-  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
-  and    test it using the <a href="Documentation.htm#Starting">"shorewall
- try" command</a>.</p>
-    </div>
-          
-<p align="left"><font size="2">Last updated 1/13/2003 - <a
+   an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
+   and    test it using the <a href="Documentation.htm#Starting">"shorewall
+  try" command</a>.</p>
+      </div>
+              
+<p align="left"><font size="2">Last updated 2/18/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
-          
+              
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
-Thomas  M. Eastep</font></a></p>
-          <br>
+ Thomas  M. Eastep</font></a></p>
+            <br>
+      <br>
+     <br>
     <br>
    <br>
   <br>
diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm
index f1733f3f1..877ae5862 100644
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@@ -6,31 +6,34 @@
                                                                         
                                                                         
                                                                         
-                                  
+                                                              
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-  <title>Shoreline Firewall (Shorewall) 1.3</title>
+  <title>Shoreline Firewall (Shorewall) 1.4</title>
                                                                         
                                                                         
                                                                         
                                                                         
                                                                         
-                                     <base target="_self">
+                                                                 <base
+ target="_self">      
+  <meta name="author" content="Tom Eastep">
 </head>
   <body>
                                                                         
                                                                         
                                                                         
-                
+                              
 <table border="0" cellpadding="0" cellspacing="4"
  style="border-collapse: collapse;" width="100%" id="AutoNumber3"
  bgcolor="#4b017c">
                                                                         
-                                 <tbody>
+                                        <tbody>
                                                                         
-                              <tr>
+                                     <tr>
                                                                         
-                                       <td width="100%" height="90">    
+                                              <td width="100%"
+ height="90">                                                            
                                                                         
                                                                         
                                                                         
@@ -40,16 +43,16 @@
                                                                         
                                                                         
                                                                         
-            
+     
       <h1 align="center"> <font size="4"><i>           <a
  href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
  alt="Shorwall Logo" height="70" width="85" align="left"
  src="images/washington.jpg" border="0">
                                                                         
-                                  </a></i></font><font color="#ffffff">Shorewall
-         1.3     -               <font size="4">"<i>iptables            
-      made  easy"</i></font></font><a href="http://www.sf.net">         
-        </a></h1>
+                                         </a></i></font><font
+ color="#ffffff">Shorewall 1.4     -               <font size="4">"<i>iptables 
+                   made  easy"</i></font></font><a
+ href="http://www.sf.net">                  </a></h1>
                                                                         
                                                                         
                                                                         
@@ -59,34 +62,36 @@
                                                                         
                                                                         
                                                                         
-                                             
-      <div align="center"><a href="/1.2/index.html" target="_top"><font
- color="#ffffff">Shorewall 1.2 Site here</font></a></div>
-                                                                        </td>
-                                                       </tr>
+                                                                        
+                            
+      <div align="center"><a href="/1.3/index.html" target="_top"><font
+ color="#ffffff">Shorewall 1.3 Site here</font></a></div>
+                                                                        
+            </td>
+                                                              </tr>
                                                                         
                                                                         
                                                                         
-                     
-  </tbody>                                                               
-                               
+                                                 
+  </tbody>                                                              
+                                       
 </table>
                                                                         
                                                                         
                                                                         
-                 
-<div align="center">                                                    
-                                                   
-<center>                                                                
-                                       
+                               
+<div align="center">                                                     
+                                                         
+<center>                                                                 
+                                             
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                         
-                                   <tbody>
+                                          <tbody>
                                                                         
-                              <tr>
+                                     <tr>
                                                                         
-                                         <td width="90%">               
+                                                <td width="90%">        
                                                                         
                                                                         
                                                                         
@@ -96,7 +101,8 @@
                                                                         
                                                                         
                                                                         
-                                     
+                                                                        
+                    
       <h2 align="left">What is it?</h2>
                                                                         
                                                                         
@@ -109,11 +115,12 @@
                                                                         
                                                                         
                                                                         
-  
-      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is 
-    a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based 
-    firewall        that can be used on a dedicated firewall system, a multi-function 
-           gateway/router/server or on a standalone GNU/Linux system.</p>
+                                                          
+      <p>The Shoreline Firewall, more commonly known as  "Shorewall",  is
+        a       <a href="http://www.netfilter.org">Netfilter</a> (iptables)
+  based      firewall        that can be used on a dedicated firewall system,
+  a multi-function             gateway/router/server or on a standalone GNU/Linux
+  system.</p>
                                                                         
                                                                         
                                                                         
@@ -125,29 +132,29 @@
                                                                         
                                                                         
                                                                         
- 
-      <p>This program is free software; you can redistribute it and/or modify 
-                                               it        under the terms of
-        <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
- the GNU General Public License</a> as published by the Free Software   
-    Foundation.<br>
+                                                         
+      <p>This program is free software; you can redistribute it and/or modify
+                                                   it        under the terms
+   of         <a href="http://www.gnu.org/licenses/gpl.html">Version    
+   2 of  the GNU General Public License</a> as published by the Free Software
+         Foundation.<br>
                                                                         
-                                      <br>
+                                             <br>
                                                                         
-                                 This   program     is  distributed     
- in   the     hope     that     it   will     be  useful,    but        
-WITHOUT    ANY      WARRANTY;      without      even the   implied    warranty
-     of MERCHANTABILITY                or  FITNESS    FOR   A PARTICULAR
-     PURPOSE.        See the    GNU General     Public  License         
- for   more details.<br>
+                                        This   program     is  distributed
+       in   the     hope     that     it   will     be  useful,    but  
+      WITHOUT    ANY      WARRANTY;      without      even the   implied
+   warranty       of MERCHANTABILITY                or  FITNESS    FOR  
+A  PARTICULAR       PURPOSE.        See the    GNU General     Public  License 
+           for   more details.<br>
                                                                         
-                                      <br>
+                                             <br>
                                                                         
-                                 You   should    have   received     a  copy
-    of   the     GNU     General         Public      License            
-along     with    this   program;       if  not,    write  to  the    Free
-Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge, 
- MA    02139,       USA</p>
+                                        You   should    have   received 
+   a   copy     of   the     GNU     General         Public      License
+            along     with    this   program;       if  not,    write  to 
+ the    Free Software           Foundation,              Inc.,  675     Mass
+  Ave,  Cambridge,   MA    02139,       USA</p>
                                                                         
                                                                         
                                                                         
@@ -159,7 +166,7 @@ Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge
                                                                         
                                                                         
                                                                         
- 
+                                                         
       <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
                                                                         
                                                                         
@@ -172,23 +179,25 @@ Software           Foundation,              Inc.,  675     Mass  Ave,  Cambridge
                                                                         
                                                                         
                                                                         
-                    
+                                                                        
+   
       <p> <a href="http://leaf.sourceforge.net" target="_top"><img
  border="0" src="images/leaflogo.gif" width="49" height="36">
                                                                         
-                                  </a>Jacques              Nilo   and   Eric
-    Wolzak       have     a   LEAF  (router/firewall/gateway         on 
-a  floppy,    CD    or compact     flash)  distribution        called   
-          <i>Bering</i>          that          features      Shorewall-1.3.10
-  and    Kernel-2.4.18.          You    can  find    their    work at:  
-             <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                                          <b>Congratulations to Jacques and 
- Eric   on  the   recent    release     of  Bering  1.0 Final!!! <br>
-                                          </b>                          
+                                         </a>Jacques              Nilo  
+and     Eric     Wolzak       have     a   LEAF  (router/firewall/gateway
+        on  a  floppy,    CD    or compact     flash)  distribution     
+  called                 <i>Bering</i>          that          features  
+   Shorewall-1.3.14      and    Kernel-2.4.20.          You    can  find
+   their    work at:                <a
+ href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
+                                                <b>                     
+                        </b>                                            
                                                                         
                                                                         
                                                                         
-     
+                                    <b>Congratulations to Jacques and Eric
+on the recent release of Bering 1.1!!!</b><br>
       <h2>News</h2>
                                                                         
                                                                         
@@ -203,100 +212,98 @@ a  floppy,    CD    or compact     flash)  distribution        called
                                                                         
                                                                         
                                                                         
-                  
-      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
+                                                                        
+ 
+      <p><b>3/14/2003 - Shorewall 1.4.0</b><b>       </b><b><img
  border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
-             </b></p>
-  
-      <p>New features include</p>
-  
+                     </b></p>
+                                            Shorewall 1.4 represents the
+next  step in the evolution of Shorewall. The main thrust of the initial
+release  is simply to remove the cruft that has accumulated in Shorewall
+over time.        <br>
+       <br>
+    Function from 1.3 that has been omitted from this version include:<br>
+                         
       <ol>
-        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
-When   set to Yes, Shorewall ping handling is as it has always been (see
-http://www.shorewall.net/ping.html).<br>
-         <br>
-     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
-policies   just like any other connection request. The FORWARDPING=Yes option 
-in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
-will   all generate an error.<br>
-         <br>
-       </li>
-        <li>It is now possible to direct Shorewall to create a "label" such
- as   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
-and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
-of just  the interface name:<br>
-      <br>
-        a) In the INTERFACE column of /etc/shorewall/masq<br>
-        b) In the INTERFACE column of /etc/shorewall/nat<br>
-      </li>
-        <li>Support for OpenVPN Tunnels.<br>
-     <br>
- </li>
-        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
-eth0.0)<br>
-     <br>
-   </li>
-        <li>When an interface name is entered in the SUBNET column of the
-/etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
-only the first subnet   defined on that interface. It did not masquerade
-traffic from:<br>
-      <br>
-        a) The subnets associated with other addresses on the interface.<br>
-        b) Subnets accessed through local routers.<br>
-      <br>
-     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
- SUBNET  column, shorewall will use the firewall's routing table to construct 
- the masquerading/SNAT rules.<br>
-      <br>
-     Example 1 -- This is how it works in 1.3.14.<br>
-        <br>
-                             
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
-                             
-          <pre>   [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
-      <br>
-     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
- connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
-  entry, your /etc/shorewall/masq file will need changing. In most cases,
-you  will simply be able to remove redundant entries. In some cases though,
-you  might want to change from using the interface name to listing specific
-subnetworks  if the change described above will cause masquerading to occur
-on subnetworks  that you don't wish to masquerade.<br>
-      <br>
-     Example 2 -- Suppose that your current config is as follows:<br>
-        <br>
-                             
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   eth0                    192.168.10.0/24         206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, the second entry in /etc/shorewall/masq is no longer
- required.<br>
-      <br>
-     Example 3 -- What if your current configuration is like this?<br>
-      <br>
-                             
-          <pre>   [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    eth2                    206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                             
-          <pre>   [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24  scope link<br>   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>   [root@gateway test]#</pre>
-      <br>
-        In this case, you would want to change the entry in  /etc/shorewall/masq 
-  to:<br>
-                             
-          <pre>   #INTERFACE              SUBNET                  ADDRESS<br>   eth0                    192.168.1.0/24          206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+           <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
+  Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
+        <br>
+      </li>
+           <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
+in  /etc/shorewall/interfaces now generate an error.<br>
+        <br>
+      </li>
+           <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
+  OLD_PING_HANDLING=Yes will generate an error at startup as will specification
+  of the 'noping' or 'filterping' interface options.<br>
+        <br>
+      </li>
+           <li>The 'routestopped' option in the /etc/shorewall/interfaces 
+and  /etc/shorewall/hosts files is no longer supported and will generate an
+error  at startup if specified.<br>
+        <br>
+      </li>
+           <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no 
+longer  accepted.<br>
+        <br>
+      </li>
+           <li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
+  Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
+           <br>
+         </li>
+         <li>The icmp.def file has been removed.<br>
+          <br>
         </li>
+        <li value="8">The 'multi' interface option is no longer supported.
+ Shorewall will generate rules for sending packets back out the same interface
+that they arrived on in two cases:</li>
       </ol>
  
-      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
-      </b><b><img border="0" src="images/new10.gif" width="28"
- height="12" alt="(New)">
-             </b></p>
-    Webmin version 1.060 now has Shorewall support included as standard.
-See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b> 
- </b>              
-      <p><b></b></p>
+      <ul>
+        <li>There is an <u>explicit</u> policy for the source zone to or
+from the destination zone. An explicit policy names both zones and does not
+use the 'all' reserved word.</li>
+        <li>There are one or more rules for traffic for the source zone to
+or from the destination zone including rules that use the 'all' reserved
+word. Exception: if the source zone and destination zone are the same then
+the rule must be explicit - it must name the zone in both the SOURCE and
+DESTINATION columns.</li>
+      </ul>
+      <ul>
+                       
+      </ul>
+    Changes for 1.4 include:<br>
+                         
+      <ol>
+           <li>The /etc/shorewall/shorewall.conf file has been completely 
+reorganized  into logical sections.<br>
+        <br>
+      </li>
+           <li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
+        <br>
+      </li>
+           <li>The firewall script and version file are now installed in
+/usr/share/shorewall.<br>
+        <br>
+      </li>
+           <li>Late arriving DNS replies are now silently dropped in the
+common  chain by default.<br>
+        <br>
+      </li>
+           <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall 
+1.4 no longer unconditionally accepts outbound ICMP packets. So if you want 
+ to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
+          <br>
+        </li>
+        <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> now
+support the 'maclist' option.<br>
+          <br>
+        </li>
+                       
+      </ol>
+                                                         
+      <p></p>
+    <b>    </b>                                                         
                                                                         
                                                                         
                                                                         
@@ -304,7 +311,8 @@ See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
                                                                         
                                                                         
                                                                         
-                                                  
+                                                                        
+              
       <ul>
                                                                         
                                                                         
@@ -312,7 +320,8 @@ See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
                                                                         
                                                                         
                                                                         
-                                                         
+                                                                        
+                                       
       </ul>
                                                                         
                                                                         
@@ -320,7 +329,8 @@ See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
                                                                         
                                                                         
                                                                         
-                                                                 
+                                                                        
+                                               
       <p><a href="News.htm">More News</a></p>
                                                                         
                                                                         
@@ -333,28 +343,32 @@ See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
                                                                         
                                                                         
                                                                         
-                    
+                                                                        
+   
       <h2> </h2>
                                                                         
                                                                         
                                                                         
                                                                         
-                                                                   
+                                                                        
+                                                  
       <h1 align="center"><a href="http://www.sf.net"><img align="left"
  alt="SourceForge Logo"
  src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
-                                                        </a></h1>
+                                                               </a></h1>
                                                                         
                                                                         
                                                                         
                                                                         
-                                                                   
+                                                                        
+                                                  
       <h4>       </h4>
                                                                         
                                                                         
                                                                         
                                                                         
-                                                           
+                                                                        
+                                          
       <h2>This site is hosted by the generous folks at <a
  href="http://www.sf.net">SourceForge.net</a>         </h2>
                                                                         
@@ -362,15 +376,78 @@ See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
                                                                         
                                                                         
                                                                         
-       
+                                                               
       <h2><a name="Donations"></a>Donations</h2>
                                                                         
                                                                         
-         </td>
+                </td>
                                                                         
-                                         <td width="88"
+                                                <td width="88"
  bgcolor="#4b017c" valign="top" align="center">              <br>
-                                                          </td>
+                                                                 </td>
+                                                                        
+                                            </tr>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                  
+  </tbody>                                                              
+                                       
+</table>
+                                                                        
+                                      </center>
+                                                                        
+                                    </div>
+                                                                        
+                                                                        
+                                                                        
+                      
+<table border="0" cellpadding="5" cellspacing="0"
+ style="border-collapse: collapse;" width="100%" id="AutoNumber2"
+ bgcolor="#4b017c">
+                                                                        
+                                   <tbody>
+                                                                        
+                                     <tr>
+                                                                        
+                                         <td width="100%"
+ style="margin-top: 1px;">                                               
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                 
+      <p align="center"><a href="http://www.starlight.org">        <img
+ border="4" src="images/newlog.gif" width="57" height="100" align="left"
+ hspace="10">
+                                                                        
+                                          </a></p>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                  
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+but if       you try it and find it useful, please consider making a donation
+                                                   to       <a
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
+Children's Foundation.</font></a> Thanks!</font></p>
+                                                                        
+                                         </td>
                                                                         
                                      </tr>
                                                                         
@@ -378,78 +455,17 @@ See        <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
                                                                         
                                                                         
                                                                         
-                      
-  </tbody>                                                               
-                               
+                                           
+  </tbody>                                                              
+                                       
 </table>
                                                                         
-                               </center>
-                                                                        
-                             </div>
-                                                                        
-                                                                        
-                                                                        
-        
-<table border="0" cellpadding="5" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber2"
- bgcolor="#4b017c">
-                                                                        
-                            <tbody>
-                                                                        
-                              <tr>
-                                                                        
-                                  <td width="100%"
- style="margin-top: 1px;">                                              
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                          
-      <p align="center"><a href="http://www.starlight.org">        <img
- border="4" src="images/newlog.gif" width="57" height="100" align="left"
- hspace="10">
-                                                                        
-                                   </a></p>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                   
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-if       you try it and find it useful, please consider making a donation 
-                                               to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
-Foundation.</font></a> Thanks!</font></p>
-                                                                        
-                                  </td>
-                                                                        
-                              </tr>
-                                                                        
-                                                                        
-                                                                        
                                                                         
                                                                         
                
-  </tbody>                                                               
-                               
-</table>
-                                                                        
-                                                                        
-                                                                        
- 
-<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
-                                                                        
-                                         <br>
+<p><font size="2">Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font> 
+                                                                         
+                                           <br>
 </p>
 </body>
 </html>
diff --git a/Shorewall-docs/spam_filters.htm b/Shorewall-docs/spam_filters.htm
index b44664292..11ba8eb3d 100644
--- a/Shorewall-docs/spam_filters.htm
+++ b/Shorewall-docs/spam_filters.htm
@@ -1,62 +1,69 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
- 
+     
   <meta http-equiv="Content-Language" content="en-us">
- 
+     
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
- 
+     
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
- 
+     
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>SPAM Filters</title>
 </head>
   <body>
-  
+    
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
-   <tbody>
-    <tr>
-     <td width="100%">     
+    <tbody>
+     <tr>
+      <td width="100%">            
       <h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
-     </td>
-   </tr>
- 
-  </tbody>
+      </td>
+    </tr>
+     
+  </tbody> 
 </table>
-  
+    
 <h1 align="center"><br>
- <a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img
+  <a href="http://ordb.org"> </a><a href="http://www.spamassassin.org"><img
  src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
  height="38">
-</a><img border="0" src="images/but3.png" hspace="3" width="88"
+ </a><img border="0" src="images/but3.png" hspace="3" width="88"
  height="31">
-</a></h1>
- 
-<p>Like all of you, I'm concerned about the increasing volume of Unsolicited 
-Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
-you who are installing SPAM filters on your mail servers. A couple of recent
-incidents involving mis-configured filters have prompted me to establish
-this page to spell out what I will do when these filters bounce list postings.</p>
- 
-<p>When your SPAM filter bounces/rejects list mail, I will:</p>
- 
+ </h1>
+   
+<p>Like all of you, I'm concerned about the increasing volume of Unsolicited
+ Commercial Email (UCE or SPAM). I am therefore sympathetic with those of 
+you who are installing SPAM filters on your mail servers. A couple of recent 
+incidents involving mis-configured filters have prompted me to establish this
+page to spell out what I will do when these filters bounce list postings.</p>
+   
+<p>When your SPAM filter bounces/rejects list mail <b>and I can identify
+who you are</b>, I will:</p>
+   
 <ol>
-   <li>immediately turn off delivery to you from all Shorewall lists to which
-you subscribe.</li>
-   <li><u>try</u> to send you an email from a source other than shorewall.net</li>
- 
+    <li>immediately turn off delivery to you from all Shorewall lists to
+which you subscribe.</li>
+    <li><u>try</u> to send you an email from a source other than shorewall.net</li>
+   
 </ol>
- 
-<p>When you have corrected the problem, please let me know and I will re-enable 
-delivery (or you can reenable delivery yourself).</p>
- 
+   
+<p>When you have corrected the problem, please let me know and I will re-enable
+ delivery (or you can reenable delivery yourself).<br>
+</p>
+<p>Note that many brain-dead spam filters inform the sender that a post was
+rejected as spam but fail to provide any clue about the original addressee!!!
+If I don't know who you are, I can't tell you about the problem...<br>
+</p>
+   
 <p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
-  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+    
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
  © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-  <br>
+   <br>
+ <br>
 </body>
 </html>
diff --git a/Shorewall-docs/starting_and_stopping_shorewall.htm b/Shorewall-docs/starting_and_stopping_shorewall.htm
index f055e0998..c3d8cf4e1 100644
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@@ -1,13 +1,13 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                             
+                                 
   <meta http-equiv="Content-Language" content="en-us">
-                             
+                                 
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                             
+                                 
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                             
+                                 
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Starting and Stopping Shorewall</title>
@@ -15,315 +15,316 @@
   <body>
                                                                         
                                                                         
-                                             
+                                               
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
                                                                         
-                 <tbody>
-           <tr>
+                  <tbody>
+            <tr>
                                                                         
-                   <td width="100%">                                    
+                    <td width="100%">                                   
                                                                         
-                       
-      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
-   the Firewall</font></h1>
+                               
+      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
+    the Firewall</font></h1>
                                                                         
-                   </td>
+                    </td>
                                                                         
-                 </tr>
+                  </tr>
                                                                         
-                                    
-  </tbody>       
+                                        
+  </tbody>        
 </table>
                                                                         
                                                                         
                                                                         
-                                            
-<p>   If you have a permanent internet connection such as DSL     or Cable, 
-   I  recommend that you start the firewall     automatically at boot. Once 
-  you  have installed      "firewall" in your init.d directory, simply type 
-      "chkconfig --add firewall". This will start the     firewall in run 
-levels   2-5 and stop it in run levels 1 and 6.     If you want to configure 
-your  firewall differently from this     default, you can use the "--level" 
-option  in     chkconfig (see "man chkconfig") or using your     favorite 
-graphical  run-level editor.</p>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-     
-<p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
-       </p>
-             
-<ol>
-         <li>Shorewall startup is disabled by default. Once you have configured 
-   your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. 
-   Note: Users of the .deb package must edit /etc/default/shorewall and set
-   'startup=1'.<br>
-         </li>
-         <li>If you use dialup, you may want to start the firewall     in 
-your   /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall
- restart"   in that script.</li>
-             
-</ol>
-             
-<p>                                                                      
-          </p>
-                                                                        
-                                                                        
-                                                                        
                                               
-<p>   You can manually start and stop Shoreline Firewall using     the "shorewall"
+<p>   If you have a permanent internet connection such as DSL     or Cable,
+    I  recommend that you start the firewall     automatically at boot. Once
+   you  have installed      "firewall" in your init.d directory, simply type
+       "chkconfig --add firewall". This will start the     firewall in run
+ levels   2-5 and stop it in run levels 1 and 6.     If you want to configure
+ your  firewall differently from this     default, you can use the "--level"
+ option  in     chkconfig (see "man chkconfig") or using your     favorite
+ graphical  run-level editor.</p>
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+                                                                        
+       
+<p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
+        </p>
+               
+<ol>
+          <li>Shorewall startup is disabled by default. Once you have configured
+    your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
+    Note: Users of the .deb package must edit /etc/default/shorewall and
+set    'startup=1'.<br>
+          </li>
+          <li>If you use dialup, you may want to start the firewall     in
+ your   /etc/ppp/ip-up.local   script. I recommend just placing     "shorewall 
+ restart"   in that script.</li>
+               
+</ol>
+               
+<p>                                                                     
+           </p>
+                                                                        
+                                                                        
+                                                                        
+                                                
+<p>   You can manually start and stop Shoreline Firewall using     the "shorewall" 
      shell program: </p>
                                                                         
-                
+                  
 <ul>
-           <li>shorewall start - starts the firewall</li>
-           <li>shorewall stop - stops the firewall</li>
-           <li>shorewall restart - stops the firewall (if it's          
-  running)   and  then starts it again</li>
-           <li>shorewall reset - reset the packet and byte counters     
-       in the  firewall</li>
-           <li>shorewall clear - remove all rules and chains            
-installed    by Shoreline  Firewall</li>
-           <li>shorewall refresh - refresh the rules involving the broadcast
+            <li>shorewall start - starts the firewall</li>
+            <li>shorewall stop - stops the firewall</li>
+            <li>shorewall restart - stops the firewall (if it's         
+   running)   and  then starts it again</li>
+            <li>shorewall reset - reset the packet and byte counters    
+        in the  firewall</li>
+            <li>shorewall clear - remove all rules and chains           
+ installed    by Shoreline  Firewall</li>
+            <li>shorewall refresh - refresh the rules involving the broadcast 
           addresses  of firewall interfaces and the black and white lists.</li>
-               
+                 
 </ul>
-   If you include the keyword <i>debug</i> as the first argument, then a
+    If you include the keyword <i>debug</i> as the first argument, then a 
 shell  trace of the command is produced as in:<br>
-     
+       
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
                                                                         
                                                                         
                                                                         
-                                              
-<p>The above command would trace the 'start' command and place the trace information
-in the file /tmp/trace<br>
-  </p>
-   
-<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
+                                                
+<p>The above command would trace the 'start' command and place the trace
+information in the file /tmp/trace<br>
+   </p>
+     
+<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the 
  bottom of this page.<br>
-  </p>
-   
+   </p>
+     
 <p>The "shorewall" program may also be used to monitor the     firewall.</p>
                                                                         
-                
+                  
 <ul>
-           <li>shorewall status - produce a verbose report about the firewall 
-            (iptables -L -n -v)</li>
-           <li>shorewall show <i>chain</i> - produce a verbose report about 
-     <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
-           <li>shorewall show nat - produce a verbose report about the nat
+            <li>shorewall status - produce a verbose report about the firewall
+             (iptables -L -n -v)</li>
+            <li>shorewall show <i>chain</i> - produce a verbose report about
+      <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
+            <li>shorewall show nat - produce a verbose report about the nat 
  table             (iptables -t nat -L -n -v)</li>
-           <li>shorewall show tos - produce a verbose report about the mangle 
-  table          (iptables -t mangle -L -n -v)</li>
-           <li>shorewall show log - display the last 20 packet log entries.</li>
-           <li>shorewall show connections - displays the IP connections currently 
-   being     tracked by the firewall.</li>
-           <li>shorewall                                                
-                                    show                                
-                                                    tc     - displays information 
-   about the traffic control/shaping configuration.</li>
-           <li>shorewall monitor [ delay ] - Continuously display the firewall
-             status, last 20 log entries and nat. When the log entry display 
-             changes, an audible alarm is sounded.</li>
-           <li>shorewall hits - Produces several reports about the Shorewall
+            <li>shorewall show tos - produce a verbose report about the mangle
+   table          (iptables -t mangle -L -n -v)</li>
+            <li>shorewall show log - display the last 20 packet log entries.</li>
+            <li>shorewall show connections - displays the IP connections
+currently     being     tracked by the firewall.</li>
+            <li>shorewall                                               
+                                     show                               
+                                                     tc     - displays information
+    about the traffic control/shaping configuration.</li>
+            <li>shorewall monitor [ delay ] - Continuously display the firewall 
+             status, last 20 log entries and nat. When the log entry display
+              changes, an audible alarm is sounded.</li>
+            <li>shorewall hits - Produces several reports about the Shorewall 
   packet  log          messages in the current /var/log/messages file.</li>
-           <li>shorewall version -  Displays the installed     version number.</li>
-           <li>shorewall check -  Performs a <u>cursory</u> validation  
-  of  the  zones, interfaces, hosts, rules and policy files.    <font
- size="4" color="#ff6666"><b>The "check" command does not parse and     validate 
- the   generated iptables commands so even though the "check" command    
-completes   successfully, the configuration may fail to start. See the  
-  recommended   way to make configuration changes described below. </b></font> 
-   </li>
-           <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
-  ]  -  Restart shorewall using the     specified configuration and if an
-error   occurs or if the<i> timeout </i>    option is given and the new configuration 
-   has been up for that many seconds     then shorewall is restarted using 
- the  standard configuration.</li>
-           <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
-   save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
-           <li>shorewall logwatch (added in version 1.3.2) - Monitors the 
-       <a href="#Conf">LOGFILE </a>and produces an audible alarm when new
+            <li>shorewall version -  Displays the installed     version number.</li>
+            <li>shorewall check -  Performs a <u>cursory</u> validation 
+   of  the  zones, interfaces, hosts, rules and policy files.    <font
+ size="4" color="#ff6666"><b>The "check" command does not parse and     validate
+  the   generated iptables commands so even though the "check" command  
+  completes   successfully, the configuration may fail to start. See the
+    recommended   way to make configuration changes described below. </b></font>
+    </li>
+            <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> 
+  ]  -  Restart shorewall using the     specified configuration and if an 
+error   occurs or if the<i> timeout </i>    option is given and the new configuration
+    has been up for that many seconds     then shorewall is restarted using
+  the  standard configuration.</li>
+            <li>shorewall deny, shorewall reject, shorewall accept and shorewall
+    save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
+            <li>shorewall logwatch (added in version 1.3.2) - Monitors the
+        <a href="#Conf">LOGFILE </a>and produces an audible alarm when new 
  Shorewall       messages are logged.</li>
-               
+                 
 </ul>
-     Finally, the "shorewall" program may be used to dynamically alter the
+      Finally, the "shorewall" program may be used to dynamically alter the 
  contents  of a zone.<br>
-         
+           
 <ul>
-       <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds
+        <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds 
  the  specified interface (and host if included) to the specified zone.</li>
-       <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
-Deletes   the specified interface (and host if included) from the specified
+        <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- 
+Deletes   the specified interface (and host if included) from the specified 
 zone.</li>
-         
+           
 </ul>
-         
+           
 <blockquote>Examples:<br>
-                   
-  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> 
- -- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
-       <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 vpn1</b></font> 
- -- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
-       </blockquote>
-     </blockquote>
+                       
+  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
+  -- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
+        <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
+  -- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
+        </blockquote>
+      </blockquote>
                                                                         
-                                                        
-<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
+                                                          
+<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and 
      <b>shorewall try </b>commands allow you to specify which <a
- href="configuration_file_basics.htm#Configs">   Shorewall configuration</a>
+ href="configuration_file_basics.htm#Configs">   Shorewall configuration</a> 
      to use:</p>
                                                                         
-                                                       
-<blockquote>                                                             
+                                                         
+<blockquote>                                                            
                                                                         
-       
+           
   <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
-         shorewall try <i>configuration-directory</i></p>
-         </blockquote>
+          shorewall try <i>configuration-directory</i></p>
+          </blockquote>
                                                                         
-                                                             
-<p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
-     is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
-      . If the file is present in the <i>configuration-directory</i>, that
+                                                               
+<p>  If a <i>configuration-directory</i> is specified, each time that Shorewall 
+     is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> 
+      . If the file is present in the <i>configuration-directory</i>, that 
  file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
                                                                         
                                                                         
                                                                         
-             
-<p>  When changing the configuration of a production firewall, I recommend 
-   the   following:</p>
+               
+<p>  When changing the configuration of a production firewall, I recommend
+    the   following:</p>
                                                                         
                                                                         
                                                                         
-             
+               
 <ul>
                                                                         
-                   <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
+                    <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
                                                                         
-                   <li><font color="#009900"><b>cd /etc/test</b></font></li>
+                    <li><font color="#009900"><b>cd /etc/test</b></font></li>
                                                                         
-                   <li>&lt;copy any files that you need to change from /etc/shorewall 
-   to . and change them here&gt;</li>
+                    <li>&lt;copy any files that you need to change from /etc/shorewall
+    to . and change them here&gt;</li>
                                                                         
-                   <li><font color="#009900"><b>shorewall -c . check</b></font></li>
+                    <li><font color="#009900"><b>shorewall -c . check</b></font></li>
                                                                         
-                   <li>&lt;correct any errors found by check and check again&gt;</li>
+                    <li>&lt;correct any errors found by check and check again&gt;</li>
                                                                         
-                   <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
-               
+                    <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
+                 
 </ul>
                                                                         
-                                                             
-<p>  If the configuration starts but doesn't work, just "shorewall restart" 
-   to   restore the old configuration. If the new configuration fails to start,
-   the   "try" command will automatically start the old one for you.</p>
+                                                               
+<p>  If the configuration starts but doesn't work, just "shorewall restart"
+    to   restore the old configuration. If the new configuration fails to
+start,    the   "try" command will automatically start the old one for you.</p>
                                                                         
                                                                         
                                                                         
-             
+               
 <p>  When the new configuration works then just </p>
                                                                         
                                                                         
                                                                         
-             
+               
 <ul>
                                                                         
-                   <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
+                    <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
                                                                         
-                   <li><font color="#009900"><b>cd</b></font></li>
+                    <li><font color="#009900"><b>cd</b></font></li>
                                                                         
-                   <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
-               
+                    <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
+                 
 </ul>
                                                                         
                                                                         
                                                                         
-             
+               
 <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
-</p>
-<div align="center"><img
- src="file:///J:/Shorewall-docs/images/State_Diagram.png"
+ </p>
+ 
+<div align="center"><img src="images/State_Diagram.png"
  alt="(State Diagram)" width="747" height="714" align="middle">
-<br>
-</div>
-     
+ <br>
+ </div>
+       
 <p>    <br>
-   </p>
-    You will note that the commands that result in state transitions use
-the  word "firewall" rather than "shorewall". That is because the actual
-transitions  are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
-on  Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
-  <br>
-   
+    </p>
+     You will note that the commands that result in state transitions use 
+the  word "firewall" rather than "shorewall". That is because the actual transitions
+ are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall on
+ Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
+   <br>
+     
 <table cellpadding="2" cellspacing="2" border="1">
-     <tbody>
-       <tr>
-         <td valign="top">shorewall start<br>
-         </td>
-         <td valign="top">firewall start<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">shorewall stop<br>
-         </td>
-         <td valign="top">firewall stop<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">shorewall restart<br>
-         </td>
-         <td valign="top">firewall restart<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">shorewall add<br>
-         </td>
-         <td valign="top">firewall add<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">shorewall delete<br>
-         </td>
-         <td valign="top">firewall delete<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">shorewall refresh<br>
-         </td>
-         <td valign="top">firewall refresh<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">shorewall try<br>
-         </td>
-         <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
-   If unsuccessful then firewall start (standard configuration)<br>
-   If timeout then firewall restart (standard configuration)<br>
-         </td>
-       </tr>
-           
-  </tbody>   
+      <tbody>
+        <tr>
+          <td valign="top">shorewall start<br>
+          </td>
+          <td valign="top">firewall start<br>
+          </td>
+        </tr>
+        <tr>
+          <td valign="top">shorewall stop<br>
+          </td>
+          <td valign="top">firewall stop<br>
+          </td>
+        </tr>
+        <tr>
+          <td valign="top">shorewall restart<br>
+          </td>
+          <td valign="top">firewall restart<br>
+          </td>
+        </tr>
+        <tr>
+          <td valign="top">shorewall add<br>
+          </td>
+          <td valign="top">firewall add<br>
+          </td>
+        </tr>
+        <tr>
+          <td valign="top">shorewall delete<br>
+          </td>
+          <td valign="top">firewall delete<br>
+          </td>
+        </tr>
+        <tr>
+          <td valign="top">shorewall refresh<br>
+          </td>
+          <td valign="top">firewall refresh<br>
+          </td>
+        </tr>
+        <tr>
+          <td valign="top">shorewall try<br>
+          </td>
+          <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
+    If unsuccessful then firewall start (standard configuration)<br>
+    If timeout then firewall restart (standard configuration)<br>
+          </td>
+        </tr>
+               
+  </tbody>    
 </table>
-  <br>
-   
-<p><font size="2">   Updated 1/29/2003 - <a href="support.htm">Tom  Eastep</a>
+   <br>
+     
+<p><font size="2">   Updated 2/10/2003 - <a href="support.htm">Tom  Eastep</a> 
        </font></p>
                                                                         
                                                                         
-                                         
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-      © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+                                           
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+       © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
                                                                         
                                                                         
-                                  <br>
+                                   <br>
+        <br>
        <br>
       <br>
      <br>
diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm
index 8e6c88b57..ba24f7016 100644
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@@ -2,128 +2,129 @@
 <html>
 <head>
                                                                         
-                                                               
+                                                                   
   <meta http-equiv="Content-Language" content="en-us">
                                                                         
-                                                               
+                                                                   
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
                                                                         
-                                                               
+                                                                   
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                         
-                                                               
+                                                                   
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Support</title>
                                                                         
                                                                         
                                                                         
-                    
+                           
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-                                                                      
+                                                                        
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#400169" height="90">
-                                     <tbody>
-                                      <tr>
-                                       <td width="100%">                
+                                      <tbody>
+                                       <tr>
+                                        <td width="100%">               
                                                                         
                                                                         
-                                                                         
-     
+                                                                        
+              
       <h1 align="center"><font color="#ffffff">Shorewall Support<img
  src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
-                        </font></h1>
-                                       </td>
-                                     </tr>
+                         </font></h1>
+                                        </td>
+                                      </tr>
                                                                         
-                                                               
-  </tbody>                                  
+                                                                   
+  </tbody>                                   
 </table>
-                                                                      
-<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions 
- emailed directly to me, I try to spend some time each day answering questions 
- on the Shorewall Users Mailing List.</font></big><span
+                                                                        
+<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
+  emailed directly to me, I try to spend some time each day answering questions
+  on the Shorewall Users Mailing List.</font></big><span
  style="font-weight: 400;"></span></big></b></p>
-                                            
+                                              
 <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
-                               
+                                 
 <h1>Before Reporting a Problem</h1>
-<i>"Well at least you tried to read the documentation, which is a lot more
+ <i>"Well at least you tried to read the documentation, which is a lot more 
 than some people on this list appear to do.</i>"<br>
-<br>
+ <br>
+ 
 <div align="center">- Wietse Venema - On the Postfix mailing list<br>
-</div>
-<br>
-                                        There are a number of sources for 
-problem     solution information. Please     try these before you post.  
-                   
+ </div>
+ <br>
+                                         There are a number of sources for
+ problem     solution information. Please     try these before you post.
+                      
 <h3>                                     </h3>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                  <li>More than half of the questions posted on the support 
- list   have answers directly accessible from the <a
+                   <li>More than half of the questions posted on the support
+  list   have answers directly accessible from the <a
  href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
-            <br>
-          </li>
-          <li>                                   The <a href="FAQ.htm">FAQ</a>
+             <br>
+           </li>
+           <li>                                   The <a href="FAQ.htm">FAQ</a> 
    has  solutions to  more than 20 common      problems.         </li>
-                               
+                                 
 </ul>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                  <li>                                   The <a
- href="troubleshoot.htm">Troubleshooting</a>  Information          contains 
-     a    number of tips to help you solve common problems.         </li>
-                               
+                   <li>                                   The <a
+ href="troubleshoot.htm">Troubleshooting</a>  Information          contains
+      a    number of tips to help you solve common problems.         </li>
+                                 
 </ul>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                  <li>                                   The <a
- href="errata.htm">   Errata</a> has links  to  download        updated 
-    components.         </li>
-                               
+                   <li>                                   The <a
+ href="errata.htm">   Errata</a> has links  to  download        updated  
+   components.         </li>
+                                 
 </ul>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                  <li>                                   The Mailing List 
-Archives     search facility can locate   posts    about         similar problems:
-        </li>
-                               
+                   <li>                                   The Mailing List
+ Archives     search facility can locate   posts    about         similar
+problems:         </li>
+                                 
 </ul>
-                               
+                                 
 <h2>                                     </h2>
-                                                               
+                                                                 
 <h2>Mailing List Archive Search</h2>
-                                                               
-<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> 
-                                                                         
-                   
-  <p> <font size="-1"> Match:                                            
-                                                 
+                                                                 
+<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
+                                                                        
+                        
+  <p> <font size="-1"> Match:                                           
+                                                     
   <select name="method">
   <option value="and">All </option>
   <option value="or">Any </option>
   <option value="boolean">Boolean </option>
   </select>
-                                Format:                                 
-                                                           
+                                 Format:                                
+                                                               
   <select name="format">
   <option value="builtin-long">Long </option>
   <option value="builtin-short">Short </option>
   </select>
-                                Sort by:                                
-                                                             
+                                 Sort by:                               
+                                                                 
   <select name="sort">
   <option value="score">Score </option>
   <option value="time">Time </option>
@@ -132,255 +133,257 @@ Archives     search facility can locate   posts    about         similar problem
   <option value="revtime">Reverse Time </option>
   <option value="revtitle">Reverse Title </option>
   </select>
-                                </font> <input type="hidden"
+                                 </font> <input type="hidden"
  name="config" value="htdig">    <input type="hidden" name="restrict"
  value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
  name="exclude" value=""> <br>
-                                Search: <input type="text" size="30"
+                                 Search: <input type="text" size="30"
  name="words" value="">    <input type="submit" value="Search"> </p>
-           </form>
-                                                               
+            </form>
+                                                                 
 <h2>Problem Reporting Guidelines </h2>
-               <i>"Let me see if I can translate your message into a real-world 
-   example.      It would be like saying that you have three rooms at home, 
-  and when you   walk  into one of the rooms, you detect this strange smell. 
-   Can anyone tell  you  what that strange smell is?<br>
-               <br>
-               Now, all of us could do some wonderful guessing as to the
-smell    and   even   what's causing it.  You would be absolutely amazed
-at the range   and   variety   of smells we could come up with.  Even more
-amazing is that   all   of the explanations   for the smells would be completely
-plausible."<br>
-               </i><br>
-                             
+                <i>"Let me see if I can translate your message into a real-world
+    example.      It would be like saying that you have three rooms at home,
+   and when you   walk  into one of the rooms, you detect this strange smell.
+    Can anyone tell  you  what that strange smell is?<br>
+                <br>
+                Now, all of us could do some wonderful guessing as to the 
+smell    and   even   what's causing it.  You would be absolutely amazed at
+the range   and   variety   of smells we could come up with.  Even more amazing
+is that   all   of the explanations   for the smells would be completely plausible."<br>
+                </i><br>
+                               
 <div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
-               </div>
-               <br>
+                </div>
+                <br>
                                                                         
+ 
 <h3>                     </h3>
-                                  
+                                    
 <ul>
-           <li>Please remember we only know what is posted in your message. 
-  Do  not  leave out any information that appears to be correct,  or was mentioned
-   in  a previous post. There have been countless  posts by people who were
-  sure  that some part of their  configuration was correct when it actually
-  contained  a small error.  We tend to be skeptics where detail is lacking.<br>
-             <br>
-           </li>
-           <li>Please keep in mind that you're asking for <strong>free</strong> 
-   technical  support. Any help we offer is an act of generosity, not an obligation.
-   Try  to make it easy for us to help you. Follow good, courteous practices
-   in writing  and formatting your e-mail. Provide details that we need if
- you  expect good  answers. <em>Exact quoting </em> of error messages, log
- entries,  command output, and other output is better than a paraphrase or
- summary.<br>
-             <br>
-           </li>
-           <li>                                   Please don't describe your
-  environment   and then  ask  us  to  send   you             custom configuration
-  files.   We're here  to answer   your  questions     but we           can't
-  do your   job for you.<br>
-             <br>
-                  </li>
-           <li>When reporting a problem, <strong>ALWAYS</strong> include
+            <li>Please remember we only know what is posted in your message.
+   Do  not  leave out any information that appears to be correct,  or was
+mentioned    in  a previous post. There have been countless  posts by people
+who were   sure  that some part of their  configuration was correct when
+it actually   contained  a small error.  We tend to be skeptics where detail
+is lacking.<br>
+              <br>
+            </li>
+            <li>Please keep in mind that you're asking for <strong>free</strong>
+    technical  support. Any help we offer is an act of generosity, not an
+obligation.    Try  to make it easy for us to help you. Follow good, courteous
+practices    in writing  and formatting your e-mail. Provide details that
+we need if  you  expect good  answers. <em>Exact quoting </em> of error messages,
+log  entries,  command output, and other output is better than a paraphrase
+or  summary.<br>
+              <br>
+            </li>
+            <li>                                   Please don't describe
+your   environment   and then  ask  us  to  send   you             custom
+configuration   files.   We're here  to answer   your  questions     but
+we           can't   do your   job for you.<br>
+              <br>
+                   </li>
+            <li>When reporting a problem, <strong>ALWAYS</strong> include 
 this   information:</li>
-                 
+                   
+</ul>
+                          
+<ul>
+                                       
+  <ul>
+              <li>the exact version of Shorewall you are running.<br>
+                <br>
+                <b><font color="#009900">shorewall version</font><br>
+           </b>    <br>
+              </li>
+                                       
+  </ul>
+                                       
+  <ul>
+              <li>the exact kernel version you are running<br>
+                <br>
+                <font color="#009900"><b>uname -a<br>
+                <br>
+                </b></font></li>
+                                       
+  </ul>
+                                       
+  <ul>
+              <li>the complete, exact output of<br>
+                <br>
+                <font color="#009900"><b>ip addr show<br>
+                <br>
+                </b></font></li>
+                                       
+  </ul>
+                                       
+  <ul>
+              <li>the complete, exact output of<br>
+                <br>
+                <font color="#009900"><b>ip route show<br>
+                <br>
+                </b></font></li>
+                                       
+  </ul>
+                                       
+  <ul>
+              <li>If your kernel is modularized, the exact output from<br>
+                <br>
+                <font color="#009900"><b>lsmod</b></font><br>
+                <br>
+              </li>
+              <li>the exact wording of any <code
+ style="color: green; font-weight: bold;">ping</code> failure responses<br>
+        <br>
+      </li>
+      <li>If you installed Shorewall using one of the QuickStart Guides,
+please  indicate which one. <br>
+        <br>
+      </li>
+      <li><b>If you are running Shorewall under Mandrake using the Mandrake
+ installation of Shorewall, please say so.</b><br>
+                <br>
+              </li>
+                                       
+  </ul>
+                   
 </ul>
                         
 <ul>
-                                   
-  <ul>
-             <li>the exact version of Shorewall you are running.<br>
-               <br>
-               <b><font color="#009900">shorewall version</font><br>
-          </b>    <br>
-             </li>
-                                   
-  </ul>
-                                   
-  <ul>
-             <li>the exact kernel version you are running<br>
-               <br>
-               <font color="#009900"><b>uname -a<br>
-               <br>
-               </b></font></li>
-                                   
-  </ul>
-                                   
-  <ul>
-             <li>the complete, exact output of<br>
-               <br>
-               <font color="#009900"><b>ip addr show<br>
-               <br>
-               </b></font></li>
-                                   
-  </ul>
-                                   
-  <ul>
-             <li>the complete, exact output of<br>
-               <br>
-               <font color="#009900"><b>ip route show<br>
-               <br>
-               </b></font></li>
-                                   
-  </ul>
-                                   
-  <ul>
-             <li>If your kernel is modularized, the exact output from<br>
-               <br>
-               <font color="#009900"><b>lsmod</b></font><br>
-               <br>
-             </li>
-             <li>the exact wording of any <code
- style="color: green; font-weight: bold;">ping</code> failure responses<br>
-       <br>
-     </li>
-     <li>If you installed Shorewall using one of the QuickStart Guides, please 
-indicate which one. <br>
-       <br>
-     </li>
-     <li><b>If you are running Shorewall under Mandrake using the Mandrake 
-installation of Shorewall, please say so.</b><br>
-               <br>
-             </li>
-                                   
-  </ul>
-                 
-</ul>
-                      
-<ul>
-           <li><b>NEVER </b>include the output of "<b><font
- color="#009900">iptables    -L</font></b>". Instead, if you are having connection
- problems of any kind, post the exact output of<br>
-             <br>
-             <b><font color="#009900">/sbin/shorewall status<br>
-             <br>
-             </font></b>Since that command generates a lot of output, we
-suggest     that you redirect the output to a file and attach the file to
+            <li><b>NEVER </b>include the output of "<b><font
+ color="#009900">iptables    -L</font></b>". Instead, <b>if you are having
+connection  problems of any kind</b>, post the exact output of<br>
+              <br>
+              <b><font color="#009900">/sbin/shorewall status<br>
+              <br>
+              </font></b>Since that command generates a lot of output, we 
+suggest     that you redirect the output to a file and attach the file to 
 your post<br>
-             <br>
-             <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
-             <br>
-           </li>
-           <li>As a general matter, please <strong>do not edit the diagnostic 
-  information</strong>   in an attempt to conceal your IP address, netmask, 
-  nameserver addresses,  domain name, etc. These aren't secrets, and concealing 
-  them often misleads  us (and 80% of the time, a hacker could derive them 
- anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
-                 
+              <br>
+              <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
+              <br>
+            </li>
+            <li>As a general matter, please <strong>do not edit the diagnostic
+   information</strong>   in an attempt to conceal your IP address, netmask,
+   nameserver addresses,  domain name, etc. These aren't secrets, and concealing
+   them often misleads  us (and 80% of the time, a hacker could derive them
+  anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
+                   
 </ul>
-                 
+                   
 <ul>
-                               
+                                 
 </ul>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                                        
+                                          
 </ul>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                  <li>                                   Do you see any "Shorewall" 
-    messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>") 
-          when   you exercise the function that is giving you problems? If 
- so,   include the message(s) in your post along with a copy of your /etc/shorewall/interfaces 
-    file.<br>
-             <br>
-           </li>
-           <li>Please include any of the Shorewall configuration  files 
-  (especially             the    /etc/shorewall/hosts file if you have modified
-  that   file)      that  you    think are    relevant. If you include /etc/shorewall/rules, 
-    please include /etc/shorewall/policy as well (rules are meaningless unless 
-    one also knows the policies).                      </li>
-                               
+                   <li>                                   Do you see any
+"Shorewall"      messages ("<b><font color="#009900">/sbin/shorewall show
+log</font></b>")            when   you exercise the function that is giving
+you problems? If   so,   include the message(s) in your post along with a
+copy of your /etc/shorewall/interfaces      file.<br>
+              <br>
+            </li>
+            <li>Please include any of the Shorewall configuration  files
+   (especially             the    /etc/shorewall/hosts file if you have modified 
+  that   file)      that  you    think are    relevant. If you include /etc/shorewall/rules,
+     please include /etc/shorewall/policy as well (rules are meaningless
+unless      one also knows the policies).                      </li>
+                                 
 </ul>
-                               
+                                 
 <h3>                     </h3>
-                               
+                                 
 <ul>
-                           
-</ul>
-                               
-<h3>                     </h3>
-                               
-<ul>
-                         <li>                         If an error occurs
-when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>", 
-   include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
-       section  for    instructions).         </li>
-                               
-</ul>
-                               
-<h3>                     </h3>
-                               
-<ul>
-                  <li>                                                  
                              
-    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of
-         your             network layout, etc. to the Mailing List  -- your
-   post      will  be rejected.</b></h3>
-           </li>
-                               
 </ul>
-         The author gratefully acknowleges that the above list was heavily
- plagiarized    from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
+                                 
+<h3>                     </h3>
+                                 
+<ul>
+                          <li>                         If an error occurs 
+when   you   try   to "<font color="#009900"><b>shorewall  start</b></font>",
+    include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
+        section  for    instructions).         </li>
+                                 
+</ul>
+                                 
+<h3>                     </h3>
+                                 
+<ul>
+                   <li>                                                 
+                                   
+    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
+         your             network layout, etc. to the Mailing List  -- your 
+   post      will  be rejected.</b></h3>
+            </li>
+                                 
+</ul>
+          The author gratefully acknowleges that the above list was heavily 
+ plagiarized    from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> 
  found  at  <a
  href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
-                                
+                                  
 <h2>Please post in plain text</h2>
-                         
-<blockquote>            </blockquote>
-           A growing number of MTAs serving list subscribers are rejecting
- all    HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net 
-    "for continuous abuse" because it has been my policy to allow HTML in 
-list    posts!!<br>
-             <br>
-              I think that blocking all HTML is a Draconian way to control
- spam    and  that the ultimate losers here are not the spammers but the
-list  subscribers      whose MTAs are bouncing all shorewall.net mail. As
-one list  subscriber   wrote  to me privately "These e-mail admin's need
-to get a <i>(expletive   deleted)</i>  life instead of trying to rid the
-planet of HTML based e-mail".   Nevertheless,  to allow subscribers to receive
-list posts as must as possible,   I have now   configured the list server
-at shorewall.net to strip all HTML   from outgoing  posts.<br>
-                                 
-<h2>Where to Send your Problem Report or to Ask for Help</h2>
-                                                                
-<blockquote>                                                
-  <h4>If you run Shorewall under Bering -- <span
- style="font-weight: 400;">please           post your question or problem
-        to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
- mailing       list</a>.</span></h4>
-              <b>If you run Shorewall under MandrakeSoft Multi Network Firewall 
-   (MNF)   and you have not purchased an MNF license from MandrakeSoft then 
-  you can  post non MNF-specific Shorewall questions to the </b><a
- href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
- list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
-                                                               
-  <p>Otherwise, please post your question or problem to the <a
- href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
- list.</a></p>
-                </blockquote>
-                                                                        
-                                                                        
-                                                                        
-                                                              
-<p>To Subscribe to the  mailing list go to <a
- href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> 
-                     .</p>
-                                                                        
                            
-<p align="left"><font size="2">Last Updated 2/4/2003 - Tom Eastep</font></p>
-                                                                      
+<blockquote>            </blockquote>
+            A growing number of MTAs serving list subscribers are rejecting 
+ all    HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net
+     "for continuous abuse" because it has been my policy to allow HTML in
+ list    posts!!<br>
+              <br>
+               I think that blocking all HTML is a Draconian way to control 
+ spam    and  that the ultimate losers here are not the spammers but the list
+ subscribers      whose MTAs are bouncing all shorewall.net mail. As one
+list  subscriber   wrote  to me privately "These e-mail admin's need to get
+a <i>(expletive   deleted)</i>  life instead of trying to rid the planet
+of HTML based e-mail".   Nevertheless,  to allow subscribers to receive list
+posts as must as possible,   I have now   configured the list server at shorewall.net
+to strip all HTML   from outgoing  posts.<br>
+                                   
+<h2>Where to Send your Problem Report or to Ask for Help</h2>
+                                                                  
+<blockquote>                                                   
+  <h4>If you run Shorewall under Bering -- <span
+ style="font-weight: 400;">please           post your question or problem 
+        to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users 
+ mailing       list</a>.</span></h4>
+               <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
+    (MNF)   and you have not purchased an MNF license from MandrakeSoft then
+   you can  post non MNF-specific Shorewall questions to the </b><a
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
+ list.</a>         <b>Do not expect to get free MNF support on the list.</b><br>
+                                                                   
+  <p>Otherwise, please post your question or problem to the <a
+ href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing 
+ list.</a></p>
+                 </blockquote>
+                                                                        
+                                                                        
+                                                                        
+                                                                
+<p>To Subscribe to the  mailing list go to <a
+ href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
+                      .</p>
+                                                                        
+                             
+<p align="left"><font size="2">Last Updated 2/9/2003 - Tom Eastep</font></p>
+                                                                        
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
  size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-       </p>
-       <br>
-       <br>
-     <br>
+        </p>
+        <br>
+        <br>
+      <br>
+   <br>
   <br>
  <br>
 </body>
diff --git a/Shorewall-docs/traffic_shaping.htm b/Shorewall-docs/traffic_shaping.htm
index d1888baa0..8b6828abd 100644
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@@ -1,324 +1,333 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                     
+                                                 
   <meta http-equiv="Content-Language" content="en-us">
-                                     
+                                                 
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-                                     
+                                                 
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                     
+                                                 
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Traffic Shaping</title>
 </head>
   <body>
-                    
+                          
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
-            <tbody>
-             <tr>
-              <td width="100%">                                         
-                          
+               <tbody>
+                <tr>
+                 <td width="100%">                                      
+                                                  
       <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
-              </td>
-            </tr>
-                                     
-  </tbody>         
+                 </td>
+               </tr>
+                                                 
+  </tbody>            
 </table>
-                   
-<p align="left">Beginning with version 1.2.0, Shorewall has limited support 
-    for traffic shaping/control. In order to use traffic shaping under Shorewall, 
-    it is essential that you get a copy of the <a
- href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, 
-    version 0.3.0 or later. You must also install the iproute (iproute2) package
-    to provide the "ip" and "tc" utilities.</p>
-                    
+                         
+<p align="left">Beginning with version 1.2.0, Shorewall has limited support
+      for traffic shaping/control. In order to use traffic shaping under
+Shorewall,       it is essential that you get a copy of the <a
+ href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
+      version 0.3.0 or later. You must also install the iproute (iproute2)
+ package     to provide the "ip" and "tc" utilities.</p>
+                          
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
-                    
+                          
 <ul>
-            <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. 
-Traffic     Shaping  also requires that you enable packet mangling.</li>
-  <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in Shorewall
-1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of
-this variable determines whether Shorewall clears the traffic shaping configuration
-during Shorewall [re]start and Shorewall stop. <br>
-  </li>
-            <li><b>/etc/shorewall/tcrules</b> - A file where you can specify 
-    firewall     marking of packets. The firewall mark value may be used to
-classify     packets  for traffic shaping/control.<br>
-            </li>
-            <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that 
-is     sourced     by Shorewall during "shorewall start" and which you can 
-    use to define     your traffic shaping disciplines and classes. I have 
-provided     a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> 
-that does     table-driven CBQ shaping but if you read the traffic shaping 
-sections of     the     HOWTO mentioned above, you can probably code your 
-own faster than     you can     learn how to use my sample. I personally use
-    <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see below). 
-HTB         support may eventually become an integral part of Shorewall since
- HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
-HTB is a standard     part of the kernel but iproute2 must be patched  in
-order  to     use it.<br>
-              <br>
-              In tcstart, when you want to run the 'tc' utility, use the
-run_tc    function      supplied by shorewall if you want tc errors to stop
-the firewall.<br>
-        <br>
-    You can generally use off-the-shelf traffic shaping scripts by simply 
-copying  them to /etc/shorewall/tcstart. I use <a
- href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
- that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
-modified  it according to the Wonder Shaper README). <b>WARNING: </b>If you
-use use Masquerading or SNAT (i.e., you only have one external IP address)
-then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
-script won't work. Traffic shaping occurs after SNAT has already been applied
-so when traffic shaping happens, all outbound traffic will have as a source 
- address the IP addresss of your firewall's external interface.<br>
-      </li>
-            <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that 
-is     sourced     by Shorewall when it is clearing traffic shaping. This 
-file is     normally     not required as Shorewall's method of clearing qdisc 
-and filter     definitions     is pretty general.</li>
-                   
+               <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
+  Traffic     Shaping  also requires that you enable packet mangling.</li>
+     <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in 
+Shorewall  1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the 
+setting of  this variable determines whether Shorewall clears the traffic 
+shaping configuration  during Shorewall [re]start and Shorewall stop. <br>
+     </li>
+               <li><b>/etc/shorewall/tcrules</b> - A file where you can specify
+      firewall     marking of packets. The firewall mark value may be used
+ to classify     packets  for traffic shaping/control.<br>
+               </li>
+               <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that
+  is     sourced     by Shorewall during "shorewall start" and which you
+can       use to define     your traffic shaping disciplines and classes.
+I have   provided     a <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>   that does
+    table-driven CBQ shaping but if you read the traffic shaping   sections
+of     the     HOWTO mentioned above, you can probably code your   own faster
+than     you can     learn how to use my sample. I personally  use     <a
+ href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below).
+ HTB         support may eventually become an integral part of Shorewall
+ since  HTB   is a     lot simpler and better-documented than CBQ. As of
+2.4.20,  HTB is a standard     part of the kernel but iproute2 must be patched
+ in  order  to     use it.<br>
+                 <br>
+                 In tcstart, when you want to run the 'tc' utility, use the 
+ run_tc    function      supplied by shorewall if you want tc errors to stop 
+ the firewall.<br>
+           <br>
+       You can generally use off-the-shelf traffic shaping scripts by simply
+  copying  them to /etc/shorewall/tcstart. I use <a
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) 
+  that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and 
+ modified  it according to the Wonder Shaper README). <b>WARNING: </b>If you
+ use use Masquerading or SNAT (i.e., you only have one external IP address) 
+ then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] 
+ script won't work. Traffic shaping occurs after SNAT has already been applied 
+ so when traffic shaping happens, all outbound traffic will have as a source
+   address the IP addresss of your firewall's external interface.<br>
+         </li>
+               <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that
+  is     sourced     by Shorewall when it is clearing traffic shaping. This
+  file is     normally     not required as Shorewall's method of clearing
+qdisc  and filter     definitions     is pretty general.</li>
+                         
 </ul>
-Shorewall allows you to start traffic shaping when Shorewall itself starts
-or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
-<br>
-To start traffic shaping when Shorewall starts:<br>
+   Shorewall allows you to start traffic shaping when Shorewall itself starts 
+ or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
+   <br>
+   To start traffic shaping when Shorewall starts:<br>
+     
 <ol>
-  <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
-  <li>Supply an /etc/shorewall/tcstart script to configure your traffic shaping
-rules.</li>
-  <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
-shaping. That is usually unnecessary.</li>
-  <li>If your tcstart script uses the 'fwmark' classifier, you can mark packets
-using entries in /etc/shorewall/tcrules.</li>
+     <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
+     <li>Supply an /etc/shorewall/tcstart script to configure your traffic
+ shaping rules.</li>
+     <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic 
+ shaping. That is usually unnecessary.</li>
+     <li>If your tcstart script uses the 'fwmark' classifier, you can mark
+ packets using entries in /etc/shorewall/tcrules.</li>
+     
 </ol>
-To start traffic shaping when you bring up your network interfaces, you will
-have to arrange for your traffic shaping configuration script to be run at
-that time. How you do that is distribution dependent and will not be covered
-here. You then should:<br>
+   To start traffic shaping when you bring up your network interfaces, you
+ will have to arrange for your traffic shaping configuration script to be
+run at that time. How you do that is distribution dependent and will not
+be covered here. You then should:<br>
+     
 <ol>
-  <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
-  <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
-  <li value="4">If your tcstart script uses the 'fwmark' classifier, you
-can mark packets using entries in /etc/shorewall/tcrules.</li>
+     <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
+     <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
+     <li value="4">If your tcstart script uses the 'fwmark' classifier, you 
+ can mark packets using entries in /etc/shorewall/tcrules.</li>
+     
 </ol>
-                   
+                         
 <h3 align="left">Kernel Configuration</h3>
-                   
+                         
 <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
-                   
+                         
 <p align="center"><img border="0" src="images/QoS.png" width="590"
  height="764">
-         </p>
-                   
+            </p>
+                         
 <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
-                   
-<p align="left">The fwmark classifier provides a convenient way to classify
-     packets for traffic shaping. The /etc/shorewall/tcrules file provides
- a  means  for specifying these marks in a tabular fashion.<br>
-  </p>
-   
-<p align="left">Normally, packet marking occurs in the PREROUTING chain before
- any address rewriting takes place. This makes it impossible to mark inbound
- packets based on their destination address when SNAT or Masquerading are
-being used. Beginning with Shorewall 1.3.12, you can cause packet marking
-to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
-<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
-  </p>
-                   
-<p align="left">Columns in the file are as follows:</p>
-                   
-<ul>
-            <li>MARK - Specifies the mark value is to be assigned in case 
-of      a match. This is an integer in the range 1-255.<br>
-              <br>
-              Example - 5<br>
-            </li>
-            <li>SOURCE - The source of the packet. If the packet originates 
-     on  the firewall, place "fw" in this column. Otherwise, this is a   
- comma-separated   list of interface names, IP addresses, MAC addresses in
-   <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
-              <br>
-              Examples<br>
-                  eth0<br>
-                  192.168.2.4,192.168.1.0/24<br>
-            </li>
-            <li>DEST -- Destination of the packet. Comma-separated list of
-     IP  addresses and/or subnets.<br>
-            </li>
-            <li>PROTO - Protocol - Must be the name of a protocol from  
-  /etc/protocol,    a number or "all"<br>
-            </li>
-            <li>PORT(S) - Destination Ports. A comma-separated list of Port 
-     names  (from /etc/services), port numbers or port ranges (e.g., 21:22);
-   if     the  protocol is "icmp", this column is interpreted as the    
-destination    icmp  type(s).<br>
-            </li>
-            <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
-     omitted,  any source port is acceptable. Specified as a comma-separate
-  list      of port names, port numbers or port ranges.</li>
-                   
-</ul>
-                   
-<p align="left">Example 1 - All packets arriving on eth1 should be marked 
-    with 1. All packets arriving on eth2 and eth3 should be marked with 2. 
- All packets   originating on the firewall itself should be marked with 3.</p>
-                   
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-            <tbody>
-             <tr>
-              <td><b>MARK</b></td>
-              <td><b>SOURCE</b></td>
-              <td><b>DEST</b></td>
-              <td><b>PROTO</b></td>
-              <td><b>PORT(S)</b></td>
-              <td><b>CLIENT PORT(S)</b></td>
-            </tr>
-            <tr>
-              <td>1</td>
-              <td>eth1</td>
-              <td>0.0.0.0/0</td>
-              <td>all</td>
-              <td> </td>
-              <td> </td>
-            </tr>
-            <tr>
-              <td>2</td>
-              <td>eth2</td>
-              <td>0.0.0.0/0</td>
-              <td>all</td>
-              <td> </td>
-              <td> </td>
-            </tr>
-            <tr>
-           <td valign="top">2<br>
-           </td>
-           <td valign="top">eth3<br>
-           </td>
-           <td valign="top">0.0.0.0/0<br>
-           </td>
-           <td valign="top">all<br>
-           </td>
-           <td valign="top"><br>
-           </td>
-           <td valign="top"><br>
-           </td>
-         </tr>
-         <tr>
-              <td>3</td>
-              <td>fw</td>
-              <td>0.0.0.0/0</td>
-              <td>all</td>
-              <td> </td>
-              <td> </td>
-            </tr>
-                                     
-  </tbody>         
-</table>
-                   
-<p align="left">Example 2 - All GRE (protocol 47) packets not originating 
-    on the firewall and destined for 155.186.235.151 should be marked with 
- 12.</p>
-                   
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-            <tbody>
-             <tr>
-              <td><b>MARK</b></td>
-              <td><b>SOURCE</b></td>
-              <td><b>DEST</b></td>
-              <td><b>PROTO</b></td>
-              <td><b>PORT(S)</b></td>
-              <td><b>CLIENT PORT(S)</b></td>
-            </tr>
-            <tr>
-              <td>12</td>
-              <td>0.0.0.0/0</td>
-              <td>155.186.235.151</td>
-              <td>47</td>
-              <td> </td>
-              <td> </td>
-            </tr>
-                                     
-  </tbody>         
-</table>
-                   
-<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 
-    and destined for 155.186.235.151 should be marked with 22.</p>
-                   
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-            <tbody>
-             <tr>
-              <td><b>MARK</b></td>
-              <td><b>SOURCE</b></td>
-              <td><b>DEST</b></td>
-              <td><b>PROTO</b></td>
-              <td><b>PORT(S)</b></td>
-              <td><b>CLIENT PORT(S)</b></td>
-            </tr>
-            <tr>
-              <td>22</td>
-              <td>192.168.1.0/24</td>
-              <td>155.186.235.151</td>
-              <td>tcp</td>
-              <td>22</td>
-              <td> </td>
-            </tr>
-                                     
-  </tbody>         
-</table>
-                   
-<h3>My Setup<br>
-    </h3>
-                   
-<p>While I am currently using the HTB version of <a
- href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
- wshaper.htb  to <b>/etc/shorewall/tcstart</b> and modified it as shown in 
-the Wondershaper README),  I have also run with the following set of hand-crafted 
-rules in my <b>/etc/shorewall/tcstart</b>  file:<br>
-    </p>
-       
-<blockquote>            
-  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
-                                   
-  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
-                                   
-  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
-                                   
-  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
-                                   
-  <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
-                                   
-  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
-                                   
-  <pre>echo "   Defined fwmark filters"<br></pre>
-                    </blockquote>
-         
-<p>My tcrules file that went with this tcstart file is shown in Example 1
-  above. You can look at my <a href="myfiles.htm">network   configuration</a>
-  to get an idea of why I wanted   these particular rules.<br>
+                         
+<p align="left">The fwmark classifier provides a convenient way to classify 
+      packets for traffic shaping. The /etc/shorewall/tcrules file provides 
+  a  means  for specifying these marks in a tabular fashion.<br>
      </p>
          
+<p align="left">Normally, packet marking occurs in the PREROUTING chain before 
+  any address rewriting takes place. This makes it impossible to mark inbound 
+  packets based on their destination address when SNAT or Masquerading are 
+ being used. Beginning with Shorewall 1.3.12, you can cause packet marking 
+ to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
+ <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+     </p>
+                         
+<p align="left">Columns in the file are as follows:</p>
+                         
+<ul>
+               <li>MARK - Specifies the mark value is to be assigned in case
+  of      a match. This is an integer in the range 1-255. Beginning with
+Shorewall  version 1.3.14, this value may be optionally followed by ":" and
+either 'F'  or 'P' to designate that the marking will occur in the FORWARD
+or PREROUTING  chains respectively. If this additional specification is omitted,
+the chain  used to mark packets will be determined by the setting of the
+MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+                 <br>
+                 Example - 5<br>
+               </li>
+               <li>SOURCE - The source of the packet. If the packet originates
+       on  the firewall, place "fw" in this column. Otherwise, this is a
+    comma-separated   list of interface names, IP addresses, MAC addresses
+in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
+                 <br>
+                 Examples<br>
+                     eth0<br>
+                     192.168.2.4,192.168.1.0/24<br>
+               </li>
+               <li>DEST -- Destination of the packet. Comma-separated list
+ of      IP  addresses and/or subnets.<br>
+               </li>
+               <li>PROTO - Protocol - Must be the name of a protocol from 
+    /etc/protocol,    a number or "all"<br>
+               </li>
+               <li>PORT(S) - Destination Ports. A comma-separated list of 
+Port       names  (from /etc/services), port numbers or port ranges (e.g., 
+21:22);     if     the  protocol is "icmp", this column is interpreted as 
+the     destination    icmp  type(s).<br>
+               </li>
+               <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
+ If      omitted,  any source port is acceptable. Specified as a comma-separate 
+   list      of port names, port numbers or port ranges.</li>
+                         
+</ul>
+                         
+<p align="left">Example 1 - All packets arriving on eth1 should be marked
+      with 1. All packets arriving on eth2 and eth3 should be marked with
+2.   All packets   originating on the firewall itself should be marked with
+3.</p>
+                         
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+               <tbody>
+                <tr>
+                 <td><b>MARK</b></td>
+                 <td><b>SOURCE</b></td>
+                 <td><b>DEST</b></td>
+                 <td><b>PROTO</b></td>
+                 <td><b>PORT(S)</b></td>
+                 <td><b>CLIENT PORT(S)</b></td>
+               </tr>
+               <tr>
+                 <td>1</td>
+                 <td>eth1</td>
+                 <td>0.0.0.0/0</td>
+                 <td>all</td>
+                 <td> </td>
+                 <td> </td>
+               </tr>
+               <tr>
+                 <td>2</td>
+                 <td>eth2</td>
+                 <td>0.0.0.0/0</td>
+                 <td>all</td>
+                 <td> </td>
+                 <td> </td>
+               </tr>
+               <tr>
+              <td valign="top">2<br>
+              </td>
+              <td valign="top">eth3<br>
+              </td>
+              <td valign="top">0.0.0.0/0<br>
+              </td>
+              <td valign="top">all<br>
+              </td>
+              <td valign="top"><br>
+              </td>
+              <td valign="top"><br>
+              </td>
+            </tr>
+            <tr>
+                 <td>3</td>
+                 <td>fw</td>
+                 <td>0.0.0.0/0</td>
+                 <td>all</td>
+                 <td> </td>
+                 <td> </td>
+               </tr>
+                                                 
+  </tbody>            
+</table>
+                         
+<p align="left">Example 2 - All GRE (protocol 47) packets not originating
+      on the firewall and destined for 155.186.235.151 should be marked with
+   12.</p>
+                         
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+               <tbody>
+                <tr>
+                 <td><b>MARK</b></td>
+                 <td><b>SOURCE</b></td>
+                 <td><b>DEST</b></td>
+                 <td><b>PROTO</b></td>
+                 <td><b>PORT(S)</b></td>
+                 <td><b>CLIENT PORT(S)</b></td>
+               </tr>
+               <tr>
+                 <td>12</td>
+                 <td>0.0.0.0/0</td>
+                 <td>155.186.235.151</td>
+                 <td>47</td>
+                 <td> </td>
+                 <td> </td>
+               </tr>
+                                                 
+  </tbody>            
+</table>
+                         
+<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
+      and destined for 155.186.235.151 should be marked with 22.</p>
+                         
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+               <tbody>
+                <tr>
+                 <td><b>MARK</b></td>
+                 <td><b>SOURCE</b></td>
+                 <td><b>DEST</b></td>
+                 <td><b>PROTO</b></td>
+                 <td><b>PORT(S)</b></td>
+                 <td><b>CLIENT PORT(S)</b></td>
+               </tr>
+               <tr>
+                 <td>22</td>
+                 <td>192.168.1.0/24</td>
+                 <td>155.186.235.151</td>
+                 <td>tcp</td>
+                 <td>22</td>
+                 <td> </td>
+               </tr>
+                                                 
+  </tbody>            
+</table>
+                         
+<h3>My Setup<br>
+       </h3>
+                         
+<p>While I am currently using the HTB version of <a
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied 
+  wshaper.htb  to <b>/etc/shorewall/tcstart</b> and modified it as shown in
+ the Wondershaper README),  I have also run with the following set of hand-crafted
+ rules in my <b>/etc/shorewall/tcstart</b>  file:<br>
+       </p>
+             
+<blockquote>                     
+  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
+                                               
+  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
+                                               
+  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
+                                               
+  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
+                                               
+  <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
+                                               
+  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
+                                               
+  <pre>echo "   Defined fwmark filters"<br></pre>
+                       </blockquote>
+               
+<p>My tcrules file that went with this tcstart file is shown in Example 1 
+   above.<br>
+        </p>
+               
 <ol>
-       <li>I wanted to allow up to 140kbits/second for traffic outbound from
-  my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
-can  use all available bandwidth if there is no traffic from the local systems 
-  or from my laptop or firewall).</li>
-       <li>My laptop and local systems could use up to 224kbits/second.</li>
-       <li>My firewall could use up to 20kbits/second.<br>
-       </li>
-         
+          <li>I wanted to allow up to 140kbits/second for traffic outbound
+ from   my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic 
+ can  use all available bandwidth if there is no traffic from the local systems
+    or from my laptop or firewall).</li>
+          <li>My laptop and local systems could use up to 224kbits/second.</li>
+          <li>My firewall could use up to 20kbits/second.<br>
+          </li>
+               
 </ol>
-                        
-<p><font size="2">Last Updated 12/31/2002 - <a href="support.htm">Tom Eastep</a></font></p>
-                    
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-  </p>
-  <br>
+                              
+<p><font size="2">Last Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+                          
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+       © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
+ </p>
  <br>
 </body>
 </html>
diff --git a/Shorewall-docs/troubleshoot.htm b/Shorewall-docs/troubleshoot.htm
index cc4d05907..a102f4090 100644
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@@ -1,237 +1,232 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                 
+                                     
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Troubleshooting</title>
-                                                          
+                                                                 
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                 
+                                     
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
   <body>
-                            
+                              
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" bordercolor="#111111" width="100%"
  id="AutoNumber1" bgcolor="#400169" height="90">
-                <tbody>
-           <tr>
-                  <td width="100%">                                     
-                      
+                 <tbody>
+            <tr>
+                   <td width="100%">                                    
+                              
       <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
  src="images/obrasinf.gif" alt="Beating head on table" width="90"
  height="90" align="middle">
-         </font></h1>
-                  </td>
-                </tr>
-                                   
-  </tbody>       
+          </font></h1>
+                   </td>
+                 </tr>
+                                       
+  </tbody>        
 </table>
-                               
+                                 
 <h3 align="left">Check the Errata</h3>
-                          
-<p align="left">Check the <a href="errata.htm">Shorewall Errata</a>  to be 
-   sure   that there isn't an update that you are missing for your version 
- of  the   firewall.</p>
-                          
+                            
+<p align="left">Check the <a href="errata.htm">Shorewall Errata</a>  to be
+    sure   that there isn't an update that you are missing for your version
+  of  the   firewall.</p>
+                            
 <h3 align="left">Check the FAQs</h3>
-                          
-<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common 
-   problems.</p>
-                                
+                            
+<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
+    problems.</p>
+                                  
 <h3 align="left">If the firewall fails to start</h3>
-             If you receive an error message when starting or restarting
-the   firewall  and you can't determine the cause, then do the following:
-         
+              If you receive an error message when starting or restarting 
+the   firewall  and you can't determine the cause, then do the following: 
+          
 <ul>
-            <li>Make a note of the error message that you see.<br>
-   </li>
-   <li>shorewall debug start 2&gt; /tmp/trace</li>
-            <li>Look at the /tmp/trace file and see if that helps you   
- determine    what the problem is. Be sure you find the place in the log
-where the error message you saw is generated -- in 99.9% of the cases, it
-will not be near the end of the log because after startup errors, Shorewall
+             <li>Make a note of the error message that you see.<br>
+    </li>
+    <li>shorewall debug start 2&gt; /tmp/trace</li>
+             <li>Look at the /tmp/trace file and see if that helps you  
+  determine    what the problem is. Be sure you find the place in the log 
+where the error message you saw is generated -- in 99.9% of the cases, it 
+will not be near the end of the log because after startup errors, Shorewall 
 goes through a "shorewall stop" phase which will also be traced.</li>
-            <li>If you still can't determine what's wrong then see the  
-      <a href="support.htm">support page</a>.</li>
-                 
+             <li>If you still can't determine what's wrong then see the 
+       <a href="support.htm">support page</a>.</li>
+                   
 </ul>
- Here's an example. During startup, a user sees the following:<br>
- 
-<blockquote>   
-  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
- </blockquote>
- A search through the trace for "No chain/target/match by that name" turned 
-up the following:  
-<blockquote>   
-  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
- </blockquote>
- The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with 
-tcp-reset". In this case, the user had compiled his own kernel and had forgotten 
-to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
-                
-<h3>Your network environment</h3>
-                 
-<p>Many times when people have problems with Shorewall, the problem is   
-actually an ill-conceived network setup. Here are several popular snafus: 
-  </p>
-                 
-<ul>
-            <li>Port           Forwarding where client and server are in
-the   same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
-            <li>Changing the IP address of a local system to be in the external 
-   subnet,      thinking that Shorewall will suddenly believe that the system 
-   is in the      'net' zone.</li>
-            <li>Multiple interfaces connected to the same HUB or Switch.
-Given    the way      that the Linux kernel respond to ARP "who-has" requests,
-this    type of setup      does NOT work the way that you expect it to.</li>
-                 
-</ul>
-                        
-<h3 align="left">If you are having connection problems:</h3>
-                          
-<p align="left">If the appropriate policy for the connection that you are 
-   trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
-    TO MAKE IT WORK. Such additional rules will NEVER make it work, they
-add    clutter to your rule set and they represent a big security hole in
-the event   that you forget to remove them later.</p>
-                          
-<p align="left">I also recommend against setting all of your policies to 
-      ACCEPT in an effort to make something work. That robs you of one of 
-   your        best diagnostic tools - the "Shorewall" messages that Netfilter 
-   will        generate when you try to connect in a way that isn't permitted 
-   by your        rule set.</p>
-                          
-<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
-  see Shorewall  messages, then  your problem is probably NOT a Shorewall
-problem.  If you DO see packet messages,  it may be an indication that you
-are missing  one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
-                        
-<p align="left">While you are troubleshooting, it is a good idea to clear
-          two variables in /etc/shorewall/shorewall.conf:</p>
-                        
-<p align="left">LOGRATE=""<br>
-              LOGBURST=""</p>
-                        
-<p align="left">This way, you will see all of the log messages being     
- generated (be sure to restart shorewall after clearing these variables).</p>
-                        
-<p align="left">Example:</p>
-             <font face="Century Gothic, Arial, Helvetica">             
+  Here's an example. During startup, a user sees the following:<br>
    
-<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:     
-  Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 
-   LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 
-LEN=47</font></p>
-                </font>                 
-<p align="left">Let's look at the important parts of this message:</p>
-                     
-<ul>
-            <li>all2all:REJECT - This packet was REJECTed out of the all2all
-  chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT
-policy   (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
-            <li>IN=eth2 - the packet entered the firewall via eth2</li>
-            <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
-            <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
-            <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
-            <li>PROTO=UDP - UDP Protocol</li>
-            <li>DPT=53 - DNS</li>
+<blockquote>      
+  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
+  </blockquote>
+  A search through the trace for "No chain/target/match by that name" turned
+ up the following:   
+<blockquote>      
+  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
+  </blockquote>
+  The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
+ tcp-reset". In this case, the user had compiled his own kernel and had forgotten
+ to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) 
                  
+<h3>Your network environment</h3>
+                   
+<p>Many times when people have problems with Shorewall, the problem is  
+ actually an ill-conceived network setup. Here are several popular snafus:
+   </p>
+                   
+<ul>
+             <li>Port           Forwarding where client and server are in 
+the   same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+             <li>Changing the IP address of a local system to be in the external
+    subnet,      thinking that Shorewall will suddenly believe that the system
+    is in the      'net' zone.</li>
+             <li>Multiple interfaces connected to the same HUB or Switch. 
+Given    the way      that the Linux kernel respond to ARP "who-has" requests, 
+this    type of setup      does NOT work the way that you expect it to.</li>
+                   
 </ul>
-                        
-<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and  192.168.1.3 
-   is in the "loc" zone. I was missing the rule:</p>
+                          
+<h3 align="left">If you are having connection problems:</h3>
+                            
+<p align="left">If the appropriate policy for the connection that you are
+    trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
+    TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
+   clutter to your rule set and they represent a big security hole in the
+event   that you forget to remove them later.</p>
+                            
+<p align="left">I also recommend against setting all of your policies to
+       ACCEPT in an effort to make something work. That robs you of one of
+    your        best diagnostic tools - the "Shorewall" messages that Netfilter
+    will        generate when you try to connect in a way that isn't permitted
+    by your        rule set.</p>
+                            
+<p align="left">Check your log ("/sbin/shorewall show log"). If you don't 
+  see Shorewall  messages, then  your problem is probably NOT a Shorewall 
+problem.  If you DO see packet messages,  it may be an indication that you 
+are missing  one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
+                          
+<p align="left">While you are troubleshooting, it is a good idea to clear 
+          two variables in /etc/shorewall/shorewall.conf:</p>
+                          
+<p align="left">LOGRATE=""<br>
+               LOGBURST=""</p>
+                          
+<p align="left">This way, you will see all of the log messages being    
+  generated (be sure to restart shorewall after clearing these variables).</p>
+                          
+<p align="left">Example:</p>
+              <font face="Century Gothic, Arial, Helvetica">            
+     
+<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
+   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
+    LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53
+ LEN=47</font></p>
+                 </font>                  
+<p align="left">Let's look at the important parts of this message:</p>
                        
+<ul>
+             <li>all2all:REJECT - This packet was REJECTed out of the all2all 
+  chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT policy
+  (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
+             <li>IN=eth2 - the packet entered the firewall via eth2</li>
+             <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
+             <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
+             <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
+             <li>PROTO=UDP - UDP Protocol</li>
+             <li>DPT=53 - DNS</li>
+                   
+</ul>
+                          
+<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and  192.168.1.3
+    is in the "loc" zone. I was missing the rule:</p>
+                         
 <p align="left">ACCEPT    dmz    loc    udp    53<br>
-      </p>
-           
-<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
+       </p>
+             
+<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information 
    about how to interpret the chain name appearing in a Shorewall log message.<br>
-      </p>
-                              
+       </p>
+                                
 <h3 align="left">'Ping' Problems?</h3>
-Either can't ping when you think you should be able to or are able to ping
+ Either can't ping when you think you should be able to or are able to ping 
 when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
  href="ping.html"> is described here</a>.<br>
+ 
 <h3 align="left">Other Gotchas</h3>
-                     
+                       
 <ul>
-            <li>Seeing rejected/dropped packets logged out of the INPUT or
- FORWARD        chains? This means that:                                
-  
+             <li>Seeing rejected/dropped packets logged out of the INPUT
+or  FORWARD        chains? This means that:                             
+          
     <ol>
-              <li>your zone definitions are screwed up and the host that
-is  sending   the        packets or the destination host isn't in any zone
-(using  an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
+               <li>your zone definitions are screwed up and the host that 
+is  sending   the        packets or the destination host isn't in any zone 
+(using  an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> 
 file are you?);         or</li>
-              <li>the source and destination hosts are both connected to
-the   same         interface and that interface doesn't have the 'multi'
-option   specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
-                                               
+               <li>the source and destination hosts are both connected to 
+the   same         interface and you don't have a policy or rule for the
+source zone to or from the destination zone.</li>
+                                                     
     </ol>
-            </li>
-            <li>Remember that Shorewall doesn't automatically allow ICMP
-    type  8 ("ping") requests to be sent between zones. If you want     pings
+             </li>
+             <li>Remember that Shorewall doesn't automatically allow ICMP 
+    type  8 ("ping") requests to be sent between zones. If you want     pings 
   to be  allowed between zones, you need a rule of the form:<br>
-             <br>
-                 ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;   
+              <br>
+                  ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
     icmp        echo-request<br>
-             <br>
-             The ramifications of this can be subtle. For example, if you 
-have   the      following in /etc/shorewall/nat:<br>
-             <br>
-                 10.1.1.2    eth0        130.252.100.18<br>
-             <br>
-             and you ping 130.252.100.18, unless you have allowed icmp type 
- 8  between  the     zone containing the system you are pinging from and the
- zone containing       10.1.1.2, the ping requests will be dropped. This is
- true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
-            <li>If you specify "routefilter" for an interface,     that interface 
-   must be up prior to starting the firewall.</li>
-            <li>Is your routing correct? For example, internal systems usually
-   need to      be configured with their default gateway set to the IP address
-   of their      nearest firewall interface. One often overlooked aspect
-of   routing is that      in order for two hosts to communicate, the routing
-between  them must be set      up <u>in both directions.</u> So when setting
-up routing   between <b>A</b>      and<b> B</b>, be sure to verify that the
+              <br>
+              The ramifications of this can be subtle. For example, if you
+ have   the      following in /etc/shorewall/nat:<br>
+              <br>
+                  10.1.1.2    eth0        130.252.100.18<br>
+              <br>
+              and you ping 130.252.100.18, unless you have allowed icmp type
+  8  between  the     zone containing the system you are pinging from and
+the  zone containing       10.1.1.2, the ping requests will be dropped. </li>
+             <li>If you specify "routefilter" for an interface,     that
+interface     must be up prior to starting the firewall.</li>
+             <li>Is your routing correct? For example, internal systems usually 
+   need to      be configured with their default gateway set to the IP address 
+   of their      nearest firewall interface. One often overlooked aspect of
+  routing is that      in order for two hosts to communicate, the routing 
+between  them must be set      up <u>in both directions.</u> So when setting 
+up routing   between <b>A</b>      and<b> B</b>, be sure to verify that the 
 route from       <b>B</b> back to <b>A</b>      is defined.</li>
-            <li>Some versions of LRP (EigerStein2Beta for example) have a 
-    shell  with broken variable expansion. <a
- href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected 
-   shell from the Shorewall Errata download site.</a>     </li>
-            <li>Do you have your kernel properly configured? <a
+             <li>Some versions of LRP (EigerStein2Beta for example) have
+a      shell  with broken variable expansion. <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
+    shell from the Shorewall Errata download site.</a>     </li>
+             <li>Do you have your kernel properly configured? <a
  href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-            <li>Some features require the "ip" program. That     program
-is  generally   included in the "iproute" package which should     be included 
- with your  distribution (though many distributions don't install     iproute 
- by     default). You may also download the latest source tarball from <a
- href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
+             <li>Some features require the "ip" program. That     program 
+is  generally   included in the "iproute" package which should     be included
+  with your  distribution (though many distributions don't install     iproute
+  by     default). You may also download the latest source tarball from <a
+ href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
     .</li>
-            <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts 
-   then the zone must be entirely   defined in /etc/shorewall/hosts unless 
- you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). 
-  For example, if a zone has two interfaces but   only one interface has an
-  entry in /etc/shorewall/hosts then hosts attached to   the other interface 
-  will     <u>not</u> be considered part of the zone.</li>
-            <li>Problems with NAT? Be sure that you let Shorewall add all 
-    external  addresses to be use with NAT unless you have set <a
+                          <li>Problems with NAT? Be sure that you let Shorewall
+add all      external  addresses to be use with NAT unless you have set <a
  href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
-                 
+                   
 </ul>
-                     
+                       
 <h3>Still Having Problems?</h3>
-                     
+                       
 <p>See the<a href="support.htm"> support page.<br>
-</a></p>
-               <font face="Century Gothic, Arial, Helvetica">           
-     
+ </a></p>
+                <font face="Century Gothic, Arial, Helvetica">          
+       
 <blockquote> </blockquote>
-                </font>                   
-<p><font size="2">Last updated 1/7/2003 - Tom Eastep</font>  </p>
-                  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-</p>
+                 </font>                    
+<p><font size="2">Last updated 2/18/2003 - Tom Eastep</font>  </p>
+                    
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ </p>
+ <br>
 </body>
 </html>
diff --git a/Shorewall-docs/two-interface.htm b/Shorewall-docs/two-interface.htm
index ef83fa92d..d6ebaeaff 100644
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@@ -1,713 +1,534 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                                     
+                                                             
   <meta http-equiv="Content-Language" content="en-us">
-                                                     
+                                                             
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                                     
+                                                             
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                                                     
+                                                             
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Two-Interface Firewall</title>
                                                                         
-                    
+                                  
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-                            
+                                
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber5"
  bgcolor="#400169" height="90">
-                <tbody>
-                 <tr>
-                  <td width="100%">                                     
-                                                          
+                  <tbody>
+                   <tr>
+                    <td width="100%">                                   
+                                                                        
+ 
       <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
-                  </td>
-                </tr>
-                                                     
-  </tbody>             
+                    </td>
+                  </tr>
+                                                             
+  </tbody>               
 </table>
-                           
+                               
 <p align="left">Setting up a Linux system as a firewall for a small network 
-      is a  fairly straight-forward task if you understand the basics and 
-follow      the  documentation.</p>
-                           
+       is a  fairly straight-forward task if you understand the basics and 
+ follow      the  documentation.</p>
+                               
 <p>This guide doesn't attempt to acquaint you with all of the features of 
-       Shorewall. It rather focuses on what is required to configure Shorewall 
-     in its  most common configuration:</p>
-                           
+        Shorewall. It rather focuses on what is required to configure Shorewall 
+      in its  most common configuration:</p>
+                               
 <ul>
-                <li>Linux system used as a firewall/router for a small local
-  network.</li>
-                <li>Single public IP address.</li>
-                <li>Internet connection through cable modem, DSL, ISDN, Frame 
-  Relay,    dial-up    ...</li>
-                           
+                  <li>Linux system used as a firewall/router for a small
+local    network.</li>
+                  <li>Single public IP address.</li>
+                  <li>Internet connection through cable modem, DSL, ISDN, 
+Frame    Relay,    dial-up    ...</li>
+                               
 </ul>
-                           
+                               
 <p align="left">Here is a schematic of a typical installation.</p>
-                           
+                               
 <p align="center"> <img border="0" src="images/basics.png" width="444"
  height="635">
-             </p>
-                           
+               </p>
+                               
 <p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily 
-   configure the above setup using the Mandrake "Internet Connection Sharing" 
-   applet. From the Mandrake Control Center, select "Network &amp; Internet" 
-   then "Connection Sharing". You should not need to refer to this guide.</b><br>
-       </p>
-             
+    configure the above setup using the Mandrake "Internet Connection Sharing" 
+    applet. From the Mandrake Control Center, select "Network &amp; Internet" 
+    then "Connection Sharing".<br>
+</b></p>
+<p><b>Note however, that the Shorewall configuration produced by Mandrake
+Internet Connection Sharing is strange and is apt to confuse you if you use
+the rest of this documentation (it has two local zones; "loc" and "masq"
+where "loc" is empty; this conflicts with this documentation which assumes
+a single local zone "loc"). We therefore recommend that once you have set
+up this sharing that you uninstall the Mandrake Shorewall RPM and install
+the one from the <a href="download.htm">download page</a> then follow the
+instructions in this Guide.</b><br>
+ </p>
+                  
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-      (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-    if  this  package is installed by the presence of an <b>ip</b> program 
- on   your  firewall  system. As root, you can use the 'which' command to 
-check   for this  program:</p>
-                           
+       (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can 
+tell     if  this  package is installed by the presence of an <b>ip</b> program 
+  on   your  firewall  system. As root, you can use the 'which' command to 
+ check   for this  program:</p>
+                               
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-                         
+                             
 <p>I recommend that you first read through the  guide to familiarize yourself 
-      with what's involved then go back through it again  making your configuration 
-      changes. Points at which configuration changes are  recommended are 
-flagged      with <img border="0" src="images/BD21298_.gif" width="13"
+       with what's involved then go back through it again  making your configuration 
+       changes. Points at which configuration changes are  recommended are 
+ flagged      with <img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-             . Configuration notes that are unique to LEAF/Bering are marked
-with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
+               . Configuration notes that are unique to LEAF/Bering are marked
+ with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
  height="36">
-</p>
-                           
+  </p>
+                               
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-                  If you edit your configuration files on a Windows system, 
- you   must   save them as  Unix files if your editor supports that option 
- or you   must  run them through  dos2unix before trying to use them. Similarly, 
- if   you copy  a configuration file  from your Windows hard drive to a floppy 
-  disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
-                           
+                    If you edit your configuration files on a Windows system, 
+  you   must   save them as  Unix files if your editor supports that option 
+  or you   must  run them through  dos2unix before trying to use them. Similarly, 
+  if   you copy  a configuration file  from your Windows hard drive to a floppy
+   disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+                               
 <ul>
-                <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
-  Version     of    dos2unix</a></li>
-                <li><a
+                  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows 
+   Version     of    dos2unix</a></li>
+                  <li><a
  href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version
  of    dos2unix</a></li>
-                           
+                               
 </ul>
-                           
+                               
 <h2 align="left">Shorewall Concepts</h2>
-                           
+                               
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
  alt="">
-          The configuration files for Shorewall are contained in the directory
-    /etc/shorewall -- for simple setups, you will only need to deal with
+            The configuration files for Shorewall are contained in the directory
+     /etc/shorewall -- for simple setups, you will only need to deal with
 a  few  of  these as described in this guide.  After you have <a
  href="Install.htm">installed Shorewall</a>,  <b>download the <a
  href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
-      un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
-       (these files will replace files with the same name).</b></p>
-                           
+       un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to 
+/etc/shorewall        (these files will replace files with the same name).</b></p>
+                               
 <p>As each file is introduced, I suggest that you  look through the actual 
-      file on your system -- each file contains detailed  configuration instructions 
-      and default entries.</p>
-                           
+       file on your system -- each file contains detailed  configuration instructions
+       and default entries.</p>
+                               
 <p>Shorewall views the network where it is running as being composed of a 
-      set of  <i>zones.</i> In the two-interface sample configuration, the 
- following     zone names are used:</p>
-                           
+       set of  <i>zones.</i> In the two-interface sample configuration, the 
+  following     zone names are used:</p>
+                               
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
  cellspacing="0" id="AutoNumber2">
-                <tbody>
-                 <tr>
-                  <td><u><b>Name</b></u></td>
-                  <td><u><b>Description</b></u></td>
-                </tr>
-                <tr>
-                  <td><b>net</b></td>
-                  <td><b>The Internet</b></td>
-                </tr>
-                <tr>
-                  <td><b>loc</b></td>
-                  <td><b>Your Local Network</b></td>
-                </tr>
-                                                       
-  </tbody>             
+                  <tbody>
+                   <tr>
+                    <td><u><b>Name</b></u></td>
+                    <td><u><b>Description</b></u></td>
+                  </tr>
+                  <tr>
+                    <td><b>net</b></td>
+                    <td><b>The Internet</b></td>
+                  </tr>
+                  <tr>
+                    <td><b>loc</b></td>
+                    <td><b>Your Local Network</b></td>
+                  </tr>
+                                                               
+  </tbody>               
 </table>
-                           
+                               
 <p>Zones are defined in the <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a> 
-      file.</p>
-                           
+       file.</p>
+                               
 <p>Shorewall also recognizes the firewall system as its own zone - by default, 
-       the firewall itself is known as <b>fw.</b></p>
-                           
+        the firewall itself is known as <b>fw.</b></p>
+                               
 <p>Rules about what traffic to allow and what traffic to deny are expressed 
-      in  terms of zones.</p>
-                           
+       in  terms of zones.</p>
+                               
 <ul>
-                <li>You express your default policy for connections from
-one   zone   to  another    zone in the<a
+                  <li>You express your default policy for connections from
+ one   zone   to  another    zone in the<a
  href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
-                <li>You define exceptions to those default policies in the
-       <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
-                           
+                  <li>You define exceptions to those default policies in
+the         <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+                               
 </ul>
-                           
+                               
 <p>For each connection request entering the firewall, the request is first 
-      checked against the  /etc/shorewall/rules file. If no rule in that file
-    matches  the connection  request then the first policy in /etc/shorewall/policy 
-    that  matches the    request is applied. If that policy is REJECT or DROP 
-    the request is first  checked against the rules in /etc/shorewall/common 
-   (the samples provide that  file for you).</p>
-                           
+       checked against the  /etc/shorewall/rules file. If no rule in that 
+file     matches  the connection  request then the first policy in /etc/shorewall/policy 
+     that  matches the    request is applied. If that policy is REJECT or 
+DROP      the request is first  checked against the rules in /etc/shorewall/common 
+    (the samples provide that  file for you).</p>
+                               
 <p>The /etc/shorewall/policy file included with the two-interface sample has
 the  following policies:</p>
-                           
-<blockquote>                                          
+                               
+<blockquote>                                                
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
-                  <tbody>
-                   <tr>
-                    <td><u><b>Source Zone</b></u></td>
-                    <td><u><b>Destination Zone</b></u></td>
-                    <td><u><b>Policy</b></u></td>
-                    <td><u><b>Log Level</b></u></td>
-                    <td><u><b>Limit:Burst</b></u></td>
-                  </tr>
-                  <tr>
-                    <td>loc</td>
-                    <td>net</td>
-                    <td>ACCEPT</td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
-                  <tr>
-                    <td>net</td>
-                    <td>all</td>
-                    <td>DROP</td>
-                    <td>info</td>
-                    <td> </td>
-                  </tr>
-                  <tr>
-                    <td>all</td>
-                    <td>all</td>
-                    <td>REJECT</td>
-                    <td>info</td>
-                    <td> </td>
-                  </tr>
+                    <tbody>
+                     <tr>
+                      <td><u><b>Source Zone</b></u></td>
+                      <td><u><b>Destination Zone</b></u></td>
+                      <td><u><b>Policy</b></u></td>
+                      <td><u><b>Log Level</b></u></td>
+                      <td><u><b>Limit:Burst</b></u></td>
+                    </tr>
+                    <tr>
+                      <td>loc</td>
+                      <td>net</td>
+                      <td>ACCEPT</td>
+                      <td> </td>
+                      <td> </td>
+                    </tr>
+                    <tr>
+                      <td>net</td>
+                      <td>all</td>
+                      <td>DROP</td>
+                      <td>info</td>
+                      <td> </td>
+                    </tr>
+                    <tr>
+                      <td>all</td>
+                      <td>all</td>
+                      <td>REJECT</td>
+                      <td>info</td>
+                      <td> </td>
+                    </tr>
                                                                         
-        
-    </tbody>                                       
+                    
+    </tbody>                                             
   </table>
-              </blockquote>
-                           
-<blockquote>                                        
+                </blockquote>
+                               
+<blockquote>                                              
   <p>In the two-interface sample, the line below is included but commented 
-      out. If  you want your firewall system to have full access to servers 
-  on   the internet,  uncomment that line.</p>
-                                                     
+       out. If  you want your firewall system to have full access to servers 
+   on   the internet,  uncomment that line.</p>
+                                                             
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
-                  <tbody>
-                   <tr>
-                    <td><u><b>Source Zone</b></u></td>
-                    <td><u><b>Destination Zone</b></u></td>
-                    <td><u><b>Policy</b></u></td>
-                    <td><u><b>Log Level</b></u></td>
-                    <td><u><b>Limit:Burst</b></u></td>
-                  </tr>
-                  <tr>
-                    <td>fw</td>
-                    <td>net</td>
-                    <td>ACCEPT</td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
+                    <tbody>
+                     <tr>
+                      <td><u><b>Source Zone</b></u></td>
+                      <td><u><b>Destination Zone</b></u></td>
+                      <td><u><b>Policy</b></u></td>
+                      <td><u><b>Log Level</b></u></td>
+                      <td><u><b>Limit:Burst</b></u></td>
+                    </tr>
+                    <tr>
+                      <td>fw</td>
+                      <td>net</td>
+                      <td>ACCEPT</td>
+                      <td> </td>
+                      <td> </td>
+                    </tr>
                                                                         
-        
-    </tbody>                                       
+                    
+    </tbody>                                             
   </table>
-              </blockquote>
-                           
+                </blockquote>
+                               
 <p>The above policy will:</p>
-                           
+                               
 <ol>
-                <li>allow all connection requests from your local network 
-to  the   internet</li>
-                <li>drop (ignore) all connection requests from the internet 
- to  your   firewall     or local network</li>
-                <li>optionally accept all connection requests from the firewall 
-   to  the     internet (if you uncomment the additional policy)</li>
-                <li>reject all other connection requests.</li>
-                           
+                  <li>allow all connection requests from your local network 
+ to  the   internet</li>
+                  <li>drop (ignore) all connection requests from the internet 
+  to  your   firewall     or local network</li>
+                  <li>optionally accept all connection requests from the
+firewall     to  the     internet (if you uncomment the additional policy)</li>
+                  <li>reject all other connection requests.</li>
+                               
 </ol>
-                           
+                               
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-                 At this point, edit your /etc/shorewall/policy and make
-any   changes     that you  wish.</p>
-                           
+                   At this point, edit your /etc/shorewall/policy and make
+ any   changes     that you  wish.</p>
+                               
 <h2 align="left">Network Interfaces</h2>
-                           
+                               
 <p align="center"> <img border="0" src="images/basics.png" width="444"
  height="635">
-             </p>
-                           
+               </p>
+                               
 <p align="left">The firewall has two network interfaces. Where Internet 
 connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
  will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
-       <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
-       over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
- <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External 
- Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect 
-via a regular modem,   your External  Interface will also be <b>ppp0</b>. 
-If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
-                           
+        <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
+        over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint 
+  <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External 
+  Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect 
+ via a regular modem,   your External  Interface will also be <b>ppp0</b>. 
+ If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
+                               
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-                 If your external interface is <b>ppp0</b>  or<b> ippp0</b> 
-  then   you   will want to  set CLAMPMSS=yes in <a
+                   If your external interface is <b>ppp0</b>  or<b> ippp0</b> 
+   then   you   will want to  set CLAMPMSS=yes in <a
  href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
-                           
+                               
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter 
-      (eth1  or eth0) and will be connected to a hub or switch. Your other 
- computers     will be  connected to the same hub/switch (note: If you have 
- only a single     internal system,  you can connect the firewall directly 
- to the computer   using  a <i>cross-over </i> cable).</p>
-                           
+       (eth1  or eth0) and will be connected to a hub or switch. Your other 
+  computers     will be  connected to the same hub/switch (note: If you have 
+  only a single     internal system,  you can connect the firewall directly 
+  to the computer   using  a <i>cross-over </i> cable).</p>
+                               
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
  width="60" height="60">
-             </b></u>Do not connect the internal and external interface 
-to  the   same   hub or switch (even for testing). It won't work the way
-that  you think  that   it will and you will end up confused and  believing
-that  Shorewall   doesn't   work at all.</p>
-                           
+               </b></u>Do not connect the internal and external interface 
+ to  the   same   hub or switch (even for testing). It won't work the way
+ that  you think  that   it will and you will end up confused and  believing
+ that  Shorewall   doesn't   work at all.</p>
+                               
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
  width="13" height="13">
-                 The Shorewall two-interface sample configuration assumes 
-that    the   external  interface is <b>eth0</b> and the internal interface 
-is <b>eth1</b>.     If your  configuration is different, you will have to 
-modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
- file    accordingly.  While you are there, you may wish to  review the list
- of options   that are  specified for the interfaces. Some hints:</p>
-                           
+                   The Shorewall two-interface sample configuration assumes 
+ that    the   external  interface is <b>eth0</b> and the internal interface 
+ is <b>eth1</b>.     If your  configuration is different, you will have to 
+ modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+  file    accordingly.  While you are there, you may wish to  review the
+list   of options   that are  specified for the interfaces. Some hints:</p>
+                               
 <ul>
-                <li>                                                    
-               
+                  <li>                                                  
+                           
     <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-      you can replace the    "detect" in the second column with "-".   </p>
-               </li>
-               <li>                                                     
-              
+       you can replace the    "detect" in the second column with "-".   </p>
+                 </li>
+                 <li>                                                   
+                          
     <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-      or if you have a static IP    address, you can remove "dhcp" from the 
-  option    list. </p>
-               </li>
-                         
+       or if you have a static IP    address, you can remove "dhcp" from the
+   option    list. </p>
+                 </li>
+                             
 </ul>
-                           
+                               
 <h2 align="left">IP Addresses</h2>
-                           
+                               
 <p align="left">Before going further, we should say a few words about Internet 
-       Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
-a  single    <i> Public</i> IP address. This address may be assigned via the<i>
- Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
+        Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you 
+ a  single    <i> Public</i> IP address. This address may be assigned via 
+the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing
  your  connection   when you dial in (standard modem) or establish your PPP
  connection.  In rare   cases, your ISP may assign you a<i> static</i> IP
 address; that  means that  you  configure your firewall's external interface 
- to use that  address permanently.<i>  </i>However your external address is
- assigned, it  will be shared by all of your systems when you access the 
-Internet. You will have to assign your  own addresses in your  internal network
+  to use that  address permanently.<i>  </i>However your external address 
+is  assigned, it  will be shared by all of your systems when you access the 
+ Internet. You will have to assign your  own addresses in your  internal network
 (the Internal  Interface on your firewall  plus your other  computers). RFC
 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
-                           
-<div align="left">                
+                               
+<div align="left">                  
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-              </div>
-                           
-<div align="left">                
+                </div>
+                               
+<div align="left">                  
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-                    Before starting Shorewall, you should look at the IP
-address     of  your  external    interface and if it is one of the above
-ranges, you    should  remove  the    'norfc1918' option from the external
-interface's   entry  in    /etc/shorewall/interfaces.</p>
-             </div>
-                           
-<div align="left">                
+                      Before starting Shorewall, you should look at the IP
+ address     of  your  external    interface and if it is one of the above
+ ranges, you    should  remove  the    'norfc1918' option from the external
+ interface's   entry  in    /etc/shorewall/interfaces.</p>
+               </div>
+                               
+<div align="left">                  
 <p align="left">You will want to assign your addresses from the same <i>
   sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet 
-         to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
-      will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
-    is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved
- as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet
- is  described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
- InterDomain Routing  </i>(CIDR)  notation</a> with consists of the subnet
- address followed    by "/24". The  "24" refers to the number of    consecutive
- leading "1" bits from the left  of the subnet mask. </p>
-             </div>
-                           
-<div align="left">                
+          to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a 
+subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address 
+x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is 
+reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, 
+a subnet  is  described  using <a
+ href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing 
+ </i>(CIDR)  notation</a> with consists of the subnet  address followed  
+ by "/24". The  "24" refers to the number of    consecutive  leading "1" bits
+from the left  of the subnet mask. </p>
+               </div>
+                               
+<div align="left">                  
 <p align="left">Example sub-network:</p>
-             </div>
-                           
-<div align="left">                
-<blockquote>                                            
+               </div>
+                               
+<div align="left">                  
+<blockquote>                                                  
   <table border="1" style="border-collapse: collapse;" id="AutoNumber1"
  cellpadding="2">
-                    <tbody>
-                   <tr>
-                      <td><b>Range:</b></td>
-                      <td>10.10.10.0 - 10.10.10.255</td>
-                    </tr>
-                    <tr>
-                      <td><b>Subnet Address:</b></td>
-                      <td>10.10.10.0</td>
-                    </tr>
-                    <tr>
-                      <td><b>Broadcast Address:</b></td>
-                      <td>10.10.10.255</td>
-                    </tr>
-                    <tr>
-                      <td><b>CIDR Notation:</b></td>
-                      <td>10.10.10.0/24</td>
-                    </tr>
+                      <tbody>
+                     <tr>
+                        <td><b>Range:</b></td>
+                        <td>10.10.10.0 - 10.10.10.255</td>
+                      </tr>
+                      <tr>
+                        <td><b>Subnet Address:</b></td>
+                        <td>10.10.10.0</td>
+                      </tr>
+                      <tr>
+                        <td><b>Broadcast Address:</b></td>
+                        <td>10.10.10.255</td>
+                      </tr>
+                      <tr>
+                        <td><b>CIDR Notation:</b></td>
+                        <td>10.10.10.0/24</td>
+                      </tr>
                                                                         
-          
-    </tbody>                                       
+                      
+    </tbody>                                             
   </table>
-                </blockquote>
-              </div>
-                           
-<div align="left">                
+                  </blockquote>
+                </div>
+                               
+<div align="left">                  
 <p align="left">It is conventional to assign the internal interface either 
-      the    first usable address in the subnet (10.10.10.1 in the above example)
-      or the    last usable address (10.10.10.254).</p>
-             </div>
-                           
-<div align="left">                
+       the    first usable address in the subnet (10.10.10.1 in the above 
+example)       or the    last usable address (10.10.10.254).</p>
+               </div>
+                               
+<div align="left">                  
 <p align="left">One of the purposes of subnetting is to allow all computers 
-      in the    subnet to understand which other computers can be communicated 
-     with directly.    To communicate with systems outside of the subnetwork, 
-    systems send packets    through a<i>  gateway</i>  (router).</p>
-             </div>
-                           
-<div align="left">                
+       in the    subnet to understand which other computers can be communicated 
+      with directly.    To communicate with systems outside of the subnetwork, 
+     systems send packets    through a<i>  gateway</i>  (router).</p>
+               </div>
+                               
+<div align="left">                  
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-                 Your local computers (computer    1 and computer 2 in the
- above    diagram)   should be configured with their<i>    default gateway</i>
- to  be  the IP address   of the firewall's internal    interface.<i>     
- </i>  </p>
-             </div>
-                           
+                   Your local computers (computer    1 and computer 2 in
+the   above    diagram)   should be configured with their<i>    default gateway</i>
+  to  be  the IP address   of the firewall's internal    interface.<i>     
+  </i>  </p>
+               </div>
+                               
 <p align="left">The foregoing short discussion barely scratches the surface 
-       regarding subnetting and routing. If you are interested in learning 
- more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
-      What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas 
-     A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
-                           
+        regarding subnetting and routing. If you are interested in learning 
+  more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
+       What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
+      A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
+                               
 <p align="left">The remainder of this quide will assume that you have configured 
-       your network as shown here:</p>
-                           
+        your network as shown here:</p>
+                               
 <p align="center"> <img border="0" src="images/basics1.png" width="444"
  height="635">
-             </p>
-                           
+               </p>
+                               
 <p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.<br>
-  </p>
-   
+    </p>
+       
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13" alt="">
-     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign 
-your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 
-subnet then you will need to select a DIFFERENT RFC 1918 subnet for your local
-network.</b><br>
-  </p>
-                           
+       <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign 
+ your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 
+ subnet then you will need to select a DIFFERENT RFC 1918 subnet for your 
+local network.</b><br>
+    </p>
+                               
 <h2 align="left">IP Masquerading (SNAT)</h2>
-                           
+                               
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
-      to as <i>non-routable</i> because the Internet backbone routers don't 
-  forward    packets  which have an RFC-1918 destination address. When one 
- of your local    systems  (let's assume computer 1) sends a connection request 
-  to an internet    host, the  firewall must perform <i>Network Address Translation 
-   </i>(NAT).    The firewall  rewrites the source address in the packet to
-  be the address    of the firewall's  external interface; in other words, 
- the firewall makes    it look as if the firewall  itself is initiating the 
- connection.  This is   necessary so that the  destination host will be able 
- to route return packets   back to the firewall  (remember that packets whose 
- destination address is   reserved by RFC 1918 can't  be routed across the 
- internet so the remote host  can't address its response to  computer 1). 
-When the firewall receives a return packet, it  rewrites the destination address
- back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
-                           
+       to as <i>non-routable</i> because the Internet backbone routers don't 
+   forward    packets  which have an RFC-1918 destination address. When one 
+  of your local    systems  (let's assume computer 1) sends a connection request
+   to an internet    host, the  firewall must perform <i>Network Address
+Translation     </i>(NAT).    The firewall  rewrites the source address in
+the packet to   be the address    of the firewall's  external interface; in
+other words,   the firewall makes    it look as if the firewall  itself is
+initiating the   connection.  This is   necessary so that the  destination 
+host will be able   to route return packets   back to the firewall  (remember 
+that packets whose   destination address is   reserved by RFC 1918 can't 
+be routed across the   internet so the remote host  can't address its response 
+to  computer 1).  When the firewall receives a return packet, it  rewrites 
+the destination address  back to 10.10.10.1  and  forwards the packet on to
+computer 1. </p>
+                               
 <p align="left">On Linux systems, the above process is often referred to as<i>
  IP Masquerading</i> but you will also see the term <i>Source Network Address
  Translation </i>(SNAT) used. Shorewall follows the convention used with
  Netfilter:</p>
-                           
+                               
 <ul>
-                <li>                                                    
-               
+                  <li>                                                  
+                           
     <p align="left"><i>Masquerade</i> describes the case where you let your 
-         firewall system automatically detect the external interface address. 
-          </p>
-               </li>
-               <li>                                                     
-              
+          firewall system automatically detect the external interface address. 
+           </p>
+                 </li>
+                 <li>                                                   
+                          
     <p align="left"><i>SNAT</i> refers to the case when you explicitly specify 
-      the    source address that you want outbound packets from your local 
- network     to use.    </p>
-               </li>
-                         
+       the    source address that you want outbound packets from your local 
+  network     to use.    </p>
+                 </li>
+                             
 </ul>
-                           
+                               
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with 
-       entries in the /etc/shorewall/masq file. You will normally use Masquerading 
-      if  your external IP is dynamic and SNAT if the IP is static.</p>
-                           
+        entries in the /etc/shorewall/masq file. You will normally use Masquerading 
+       if  your external IP is dynamic and SNAT if the IP is static.</p>
+                               
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-                 If your external firewall interface is <b>eth0</b>, you
-do  not    need   to modify the file provided with the sample. Otherwise,
-edit   /etc/shorewall/masq      and change the first column to the name of
-your  external  interface and    the  second column to the name of your internal 
- interface.</p>
-                           
+                   If your external firewall interface is <b>eth0</b>, you
+ do  not    need   to modify the file provided with the sample. Otherwise,
+ edit   /etc/shorewall/masq      and change the first column to the name
+of  your  external  interface and    the  second column to the name of your
+internal   interface.</p>
+                               
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-                 If your external IP is  static, you can enter it in the
-third    column    in the /etc/shorewall/masq entry if  you like although
-your firewall    will    work fine if you leave that column empty.  Entering
-your static  IP  in column    3 makes processing outgoing packets a little
- more efficient.<br>
-     <br>
-     <img border="0" src="images/BD21298_.gif" width="13" height="13"
+                   If your external IP is  static, you can enter it in the
+ third    column    in the /etc/shorewall/masq entry if  you like although
+ your firewall    will    work fine if you leave that column empty.  Entering
+ your static  IP  in column    3 makes processing outgoing packets a little
+  more efficient.<br>
+       <br>
+       <img border="0" src="images/BD21298_.gif" width="13" height="13"
  alt="">
-         If you are using the Debian package, please check your shorewall.conf 
-  file to ensure that the following are set correctly; if they are not, change 
-  them appropriately:<br>
-     </p>
-         
+           If you are using the Debian package, please check your shorewall.conf 
+   file to ensure that the following are set correctly; if they are not, change
+   them appropriately:<br>
+       </p>
+             
 <ul>
-       <li>NAT_ENABLED=Yes</li>
-       <li>IP_FORWARDING=On<br>
-       </li>
-         
+         <li>NAT_ENABLED=Yes</li>
+         <li>IP_FORWARDING=On<br>
+         </li>
+             
 </ul>
-                           
+                               
 <h2 align="left">Port Forwarding (DNAT)</h2>
-                           
+                               
 <p align="left">One of your goals may be to run one or more servers on your 
-       local computers. Because these computers have RFC-1918 addresses, it
-  is   not  possible for clients on the internet to connect directly to them.
-  It   is rather  necessary for those clients to address their connection 
-requests     to the firewall  who rewrites the destination address to the 
-address of   your   server and forwards  the packet to that server. When your
-server responds,     the firewall automatically  performs SNAT to rewrite 
-the source address   in  the response.</p>
-                           
+        local computers. Because these computers have RFC-1918 addresses, 
+it   is   not  possible for clients on the internet to connect directly to 
+them.   It   is rather  necessary for those clients to address their connection 
+ requests     to the firewall  who rewrites the destination address to the 
+ address of   your   server and forwards  the packet to that server. When 
+your server responds,     the firewall automatically  performs SNAT to rewrite 
+ the source address   in  the response.</p>
+                               
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-       Destination Network Address Translation</i> (DNAT). You configure
+        Destination Network Address Translation</i> (DNAT). You configure
 port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
-                           
+                               
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
-      is:</p>
-                           
-<blockquote>                                          
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-                  <tbody>
-                   <tr>
-                    <td><u><b>ACTION</b></u></td>
-                    <td><u><b>SOURCE</b></u></td>
-                    <td><u><b>DESTINATION</b></u></td>
-                    <td><u><b>PROTOCOL</b></u></td>
-                    <td><u><b>PORT</b></u></td>
-                    <td><u><b>SOURCE PORT</b></u></td>
-                    <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                  </tr>
-                  <tr>
-                    <td>DNAT</td>
-                    <td>net</td>
-                    <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
-     port&gt;</i>]</td>
-                    <td><i>&lt;protocol&gt;</i></td>
-                    <td><i>&lt;port&gt;</i></td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
-                                                                        
-        
-    </tbody>                                       
-  </table>
-              </blockquote>
-                           
-<p>Example - you run a Web Server on computer 2 and you want to forward incoming 
-       TCP port 80 to that system:</p>
-                           
-<blockquote>                                          
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-                  <tbody>
-                   <tr>
-                    <td><u><b>ACTION</b></u></td>
-                    <td><u><b>SOURCE</b></u></td>
-                    <td><u><b>DESTINATION</b></u></td>
-                    <td><u><b>PROTOCOL</b></u></td>
-                    <td><u><b>PORT</b></u></td>
-                    <td><u><b>SOURCE PORT</b></u></td>
-                    <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                  </tr>
-                  <tr>
-                    <td>DNAT</td>
-                    <td>net</td>
-                    <td>loc:10.10.10.2</td>
-                    <td>tcp</td>
-                    <td>80</td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
-                                                                        
-        
-    </tbody>                                       
-  </table>
-              </blockquote>
-                           
-<p>A couple of important points  to keep in mind:</p>
-                           
-<ul>
-                <li>You must test the above rule from a client outside of 
-your   local    network    (i.e., don't test from a browser running on computers
-   1 or 2  or  on the    firewall). If you want to be able to access your
-web   server  using  the IP    address of your external interface, see <a
- href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-                <li>Many ISPs block incoming connection requests to port
-80.   If  you   have     problems connecting to your web server, try the
-following   rule and  try     connecting to port 5000.</li>
-                           
-</ul>
-                           
-<blockquote>                                          
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-                  <tbody>
-                   <tr>
-                    <td><u><b>ACTION</b></u></td>
-                    <td><u><b>SOURCE</b></u></td>
-                    <td><u><b>DESTINATION</b></u></td>
-                    <td><u><b>PROTOCOL</b></u></td>
-                    <td><u><b>PORT</b></u></td>
-                    <td><u><b>SOURCE PORT</b></u></td>
-                    <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                  </tr>
-                  <tr>
-                    <td>DNAT</td>
-                    <td>net</td>
-                    <td>loc:10.10.10.2:80</td>
-                    <td>tcp</td>
-                    <td>5000</td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
-                                                                        
-        
-    </tbody>                                       
-  </table>
-              </blockquote>
-                           
-<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
-                 At this point, modify  /etc/shorewall/rules to add any DNAT
-  rules    that  you require.</p>
-                           
-<h2 align="left">Domain Name Server (DNS)</h2>
-                           
-<p align="left">Normally, when you connect to your ISP, as part of getting 
-      an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
-     will be  automatically configured (e.g., the /etc/resolv.conf file will 
-   be  written).  Alternatively, your ISP may have given you the IP address 
-  of a  pair of DNS <i> name servers</i> for you to manually configure as 
-your    primary  and secondary  name servers. Regardless of how DNS gets configured
-   on your  firewall, it is <u>your</u> responsibility to configure the resolver
-   in your   internal systems. You can take one of two approaches:</p>
-                           
-<ul>
-                <li>                                                    
-               
-    <p align="left">You can configure your internal systems to use your ISP's 
-      name    servers. If you ISP gave you the addresses of their servers 
-or   if   those    addresses are available on their web site, you can configure 
-   your   internal    systems to use those addresses. If that information 
-isn't   available,   look in    /etc/resolv.conf on your firewall system --
-the name  servers are  given in    "nameserver" records in that file.   </p>
-               </li>
-               <li>                                                     
-              
-    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
- height="13">
-                 You can configure a<i> Caching Name Server </i>on your 
-  firewall.<i>          </i>Red Hat has an RPM for a caching name server
-(the  RPM also    requires    the 'bind' RPM) and for Bering users, there
-is dnscache.lrp.  If you    take   this approach, you configure your internal
-systems to use  the firewall    itself as their primary (and only) name server.
-You use the  internal IP     address of the firewall (10.10.10.254 in the
-example above)  for the name       server address. To allow your local systems
-to talk to  your caching name      server, you must open port 53 (both UDP
-and TCP) from  the local network   to the    firewall; you do that by adding 
-the following  rules in /etc/shorewall/rules.       </p>
-               </li>
-                         
-</ul>
-                           
-<blockquote>                                          
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-                  <tbody>
-                   <tr>
-                    <td><u><b>ACTION</b></u></td>
-                    <td><u><b>SOURCE</b></u></td>
-                    <td><u><b>DESTINATION</b></u></td>
-                    <td><u><b>PROTOCOL</b></u></td>
-                    <td><u><b>PORT</b></u></td>
-                    <td><u><b>SOURCE PORT</b></u></td>
-                    <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                  </tr>
-                  <tr>
-                    <td>ACCEPT</td>
-                    <td>loc</td>
-                    <td>fw</td>
-                    <td>tcp</td>
-                    <td>53</td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
-                  <tr>
-                    <td>ACCEPT</td>
-                    <td>loc</td>
-                    <td>fw</td>
-                    <td>udp</td>
-                    <td>53</td>
-                    <td> </td>
-                    <td> </td>
-                  </tr>
-                                                                        
-        
-    </tbody>                                       
-  </table>
-              </blockquote>
-                           
-<div align="left">                
-<h2 align="left">Other Connections</h2>
-              </div>
-                           
-<div align="left">                
-<p align="left">The two-interface sample includes the following rules:</p>
-             </div>
-                           
-<div align="left">                
-<blockquote>                                            
+       is:</p>
+                               
+<blockquote>                                                
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
                     <tbody>
-                   <tr>
+                     <tr>
                       <td><u><b>ACTION</b></u></td>
                       <td><u><b>SOURCE</b></u></td>
                       <td><u><b>DESTINATION</b></u></td>
@@ -717,325 +538,507 @@ the following  rules in /etc/shorewall/rules.       </p>
                       <td><u><b>ORIGINAL ADDRESS</b></u></td>
                     </tr>
                     <tr>
-                      <td>ACCEPT</td>
-                      <td>fw</td>
+                      <td>DNAT</td>
                       <td>net</td>
-                      <td>tcp</td>
-                      <td>53</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>fw</td>
-                      <td>net</td>
-                      <td>udp</td>
-                      <td>53</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-                                                                        
-          
-    </tbody>                                       
-  </table>
-                </blockquote>
-              </div>
-                           
-<div align="left">                
-<p align="left">Those rules allow DNS access from your firewall and may be 
-         removed if you uncommented the line in /etc/shorewall/policy allowing 
-      all    connections from the firewall to the internet.</p>
-             </div>
-                           
-<div align="left">                
-<p align="left">The sample also includes:</p>
-             </div>
-                           
-<div align="left">                
-<blockquote>                                            
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-                    <tbody>
-                   <tr>
-                      <td><u><b>ACTION</b></u></td>
-                      <td><u><b>SOURCE</b></u></td>
-                      <td><u><b>DESTINATION</b></u></td>
-                      <td><u><b>PROTOCOL</b></u></td>
-                      <td><u><b>PORT</b></u></td>
-                      <td><u><b>SOURCE PORT</b></u></td>
-                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>loc</td>
-                      <td>fw</td>
-                      <td>tcp</td>
-                      <td>22</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-                                                                        
-          
-    </tbody>                                       
-  </table>
-                </blockquote>
-              </div>
-                           
-<div align="left">                
-<p align="left">That rule allows you to run an SSH server on your firewall 
-      and    connect to that server from your local systems.</p>
-             </div>
-                           
-<div align="left">                
-<p align="left">If you wish to enable other connections between your firewall 
-         and other systems, the general format is:</p>
-             </div>
-                           
-<div align="left">                
-<blockquote>                                            
-  <table border="1" cellpadding="2" style="border-collapse: collapse;"
- id="AutoNumber4">
-                    <tbody>
-                   <tr>
-                      <td><u><b>ACTION</b></u></td>
-                      <td><u><b>SOURCE</b></u></td>
-                      <td><u><b>DESTINATION</b></u></td>
-                      <td><u><b>PROTOCOL</b></u></td>
-                      <td><u><b>PORT</b></u></td>
-                      <td><u><b>SOURCE PORT</b></u></td>
-                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td><i>&lt;source zone&gt;</i></td>
-                      <td><i>&lt;destination zone&gt;</i></td>
+                      <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
+      port&gt;</i>]</td>
                       <td><i>&lt;protocol&gt;</i></td>
                       <td><i>&lt;port&gt;</i></td>
                       <td> </td>
                       <td> </td>
                     </tr>
                                                                         
-          
-    </tbody>                                       
+                    
+    </tbody>                                             
   </table>
                 </blockquote>
-              </div>
+                               
+<p>Example - you run a Web Server on computer 2 and you want to forward incoming 
+        TCP port 80 to that system:</p>
+                               
+<blockquote>                                                
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+                    <tbody>
+                     <tr>
+                      <td><u><b>ACTION</b></u></td>
+                      <td><u><b>SOURCE</b></u></td>
+                      <td><u><b>DESTINATION</b></u></td>
+                      <td><u><b>PROTOCOL</b></u></td>
+                      <td><u><b>PORT</b></u></td>
+                      <td><u><b>SOURCE PORT</b></u></td>
+                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                    </tr>
+                    <tr>
+                      <td>DNAT</td>
+                      <td>net</td>
+                      <td>loc:10.10.10.2</td>
+                      <td>tcp</td>
+                      <td>80</td>
+                      <td> </td>
+                      <td> </td>
+                    </tr>
+                                                                        
+                    
+    </tbody>                                             
+  </table>
+                </blockquote>
+                               
+<p>A couple of important points  to keep in mind:</p>
+                               
+<ul>
+                  <li>You must test the above rule from a client outside
+of  your   local    network    (i.e., don't test from a browser running on
+computers     1 or 2  or  on the    firewall). If you want to be able to
+access your  web   server  using  the IP    address of your external interface,
+see <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
+                  <li>Many ISPs block incoming connection requests to port
+ 80.   If  you   have     problems connecting to your web server, try the
+following   rule and  try     connecting to port 5000.</li>
+                               
+</ul>
+                               
+<blockquote>                                                
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+                    <tbody>
+                     <tr>
+                      <td><u><b>ACTION</b></u></td>
+                      <td><u><b>SOURCE</b></u></td>
+                      <td><u><b>DESTINATION</b></u></td>
+                      <td><u><b>PROTOCOL</b></u></td>
+                      <td><u><b>PORT</b></u></td>
+                      <td><u><b>SOURCE PORT</b></u></td>
+                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                    </tr>
+                    <tr>
+                      <td>DNAT</td>
+                      <td>net</td>
+                      <td>loc:10.10.10.2:80</td>
+                      <td>tcp</td>
+                      <td>5000</td>
+                      <td> </td>
+                      <td> </td>
+                    </tr>
+                                                                        
+                    
+    </tbody>                                             
+  </table>
+                </blockquote>
+                               
+<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
+                   At this point, modify  /etc/shorewall/rules to add any 
+DNAT   rules    that  you require.</p>
+                               
+<h2 align="left">Domain Name Server (DNS)</h2>
+                               
+<p align="left">Normally, when you connect to your ISP, as part of getting 
+       an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
+      will be  automatically configured (e.g., the /etc/resolv.conf file will
+    be  written).  Alternatively, your ISP may have given you the IP address
+   of a  pair of DNS <i> name servers</i> for you to manually configure as
+ your    primary  and secondary  name servers. Regardless of how DNS gets 
+configured    on your  firewall, it is <u>your</u> responsibility to configure 
+the resolver    in your   internal systems. You can take one of two approaches:</p>
+                               
+<ul>
+                  <li>                                                  
                            
-<div align="left">                
+    <p align="left">You can configure your internal systems to use your ISP's 
+       name    servers. If you ISP gave you the addresses of their servers 
+ or   if   those    addresses are available on their web site, you can configure 
+    your   internal    systems to use those addresses. If that information 
+ isn't   available,   look in    /etc/resolv.conf on your firewall system 
+-- the name  servers are  given in    "nameserver" records in that file. 
+ </p>
+                 </li>
+                 <li>                                                   
+                          
+    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
+ height="13">
+                   You can configure a<i> Caching Name Server </i>on your 
+   firewall.<i>          </i>Red Hat has an RPM for a caching name server
+ (the  RPM also    requires    the 'bind' RPM) and for Bering users, there
+ is dnscache.lrp.  If you    take   this approach, you configure your internal
+ systems to use  the firewall    itself as their primary (and only) name
+server.  You use the  internal IP     address of the firewall (10.10.10.254
+in the  example above)  for the name       server address. To allow your
+local systems  to talk to  your caching name      server, you must open port
+53 (both UDP  and TCP) from  the local network   to the    firewall; you
+do that by adding  the following  rules in /etc/shorewall/rules.       </p>
+                 </li>
+                             
+</ul>
+                               
+<blockquote>                                                
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+                    <tbody>
+                     <tr>
+                      <td><u><b>ACTION</b></u></td>
+                      <td><u><b>SOURCE</b></u></td>
+                      <td><u><b>DESTINATION</b></u></td>
+                      <td><u><b>PROTOCOL</b></u></td>
+                      <td><u><b>PORT</b></u></td>
+                      <td><u><b>SOURCE PORT</b></u></td>
+                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                    </tr>
+                    <tr>
+                      <td>ACCEPT</td>
+                      <td>loc</td>
+                      <td>fw</td>
+                      <td>tcp</td>
+                      <td>53</td>
+                      <td> </td>
+                      <td> </td>
+                    </tr>
+                    <tr>
+                      <td>ACCEPT</td>
+                      <td>loc</td>
+                      <td>fw</td>
+                      <td>udp</td>
+                      <td>53</td>
+                      <td> </td>
+                      <td> </td>
+                    </tr>
+                                                                        
+                    
+    </tbody>                                             
+  </table>
+                </blockquote>
+                               
+<div align="left">                  
+<h2 align="left">Other Connections</h2>
+                </div>
+                               
+<div align="left">                  
+<p align="left">The two-interface sample includes the following rules:</p>
+               </div>
+                               
+<div align="left">                  
+<blockquote>                                                  
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+                      <tbody>
+                     <tr>
+                        <td><u><b>ACTION</b></u></td>
+                        <td><u><b>SOURCE</b></u></td>
+                        <td><u><b>DESTINATION</b></u></td>
+                        <td><u><b>PROTOCOL</b></u></td>
+                        <td><u><b>PORT</b></u></td>
+                        <td><u><b>SOURCE PORT</b></u></td>
+                        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>fw</td>
+                        <td>net</td>
+                        <td>tcp</td>
+                        <td>53</td>
+                        <td> </td>
+                        <td> </td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>fw</td>
+                        <td>net</td>
+                        <td>udp</td>
+                        <td>53</td>
+                        <td> </td>
+                        <td> </td>
+                      </tr>
+                                                                        
+                      
+    </tbody>                                             
+  </table>
+                  </blockquote>
+                </div>
+                               
+<div align="left">                  
+<p align="left">Those rules allow DNS access from your firewall and may be 
+          removed if you uncommented the line in /etc/shorewall/policy allowing 
+       all    connections from the firewall to the internet.</p>
+               </div>
+                               
+<div align="left">                  
+<p align="left">The sample also includes:</p>
+               </div>
+                               
+<div align="left">                  
+<blockquote>                                                  
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+                      <tbody>
+                     <tr>
+                        <td><u><b>ACTION</b></u></td>
+                        <td><u><b>SOURCE</b></u></td>
+                        <td><u><b>DESTINATION</b></u></td>
+                        <td><u><b>PROTOCOL</b></u></td>
+                        <td><u><b>PORT</b></u></td>
+                        <td><u><b>SOURCE PORT</b></u></td>
+                        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>loc</td>
+                        <td>fw</td>
+                        <td>tcp</td>
+                        <td>22</td>
+                        <td> </td>
+                        <td> </td>
+                      </tr>
+                                                                        
+                      
+    </tbody>                                             
+  </table>
+                  </blockquote>
+                </div>
+                               
+<div align="left">                  
+<p align="left">That rule allows you to run an SSH server on your firewall 
+       and    connect to that server from your local systems.</p>
+               </div>
+                               
+<div align="left">                  
+<p align="left">If you wish to enable other connections between your firewall 
+          and other systems, the general format is:</p>
+               </div>
+                               
+<div align="left">                  
+<blockquote>                                                  
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+                      <tbody>
+                     <tr>
+                        <td><u><b>ACTION</b></u></td>
+                        <td><u><b>SOURCE</b></u></td>
+                        <td><u><b>DESTINATION</b></u></td>
+                        <td><u><b>PROTOCOL</b></u></td>
+                        <td><u><b>PORT</b></u></td>
+                        <td><u><b>SOURCE PORT</b></u></td>
+                        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td><i>&lt;source zone&gt;</i></td>
+                        <td><i>&lt;destination zone&gt;</i></td>
+                        <td><i>&lt;protocol&gt;</i></td>
+                        <td><i>&lt;port&gt;</i></td>
+                        <td> </td>
+                        <td> </td>
+                      </tr>
+                                                                        
+                      
+    </tbody>                                             
+  </table>
+                  </blockquote>
+                </div>
+                               
+<div align="left">                  
 <p align="left">Example - You want to run a Web Server on your firewall 
   system:</p>
-             </div>
-                           
-<div align="left">                
-<blockquote>                                            
+               </div>
+                               
+<div align="left">                  
+<blockquote>                                                  
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-                    <tbody>
-                   <tr>
-                      <td><u><b>ACTION</b></u></td>
-                      <td><u><b>SOURCE</b></u></td>
-                      <td><u><b>DESTINATION</b></u></td>
-                      <td><u><b>PROTOCOL</b></u></td>
-                      <td><u><b>PORT</b></u></td>
-                      <td><u><b>SOURCE PORT</b></u></td>
-                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>net</td>
-                      <td>fw</td>
-                      <td>tcp</td>
-                      <td>80</td>
-                      <td>#Allow web access</td>
-                      <td>from the internet</td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>loc</td>
-                      <td>fw</td>
-                      <td>tcp</td>
-                      <td>80</td>
-                      <td>#Allow web access</td>
-                      <td>from the local network</td>
-                    </tr>
+                      <tbody>
+                     <tr>
+                        <td><u><b>ACTION</b></u></td>
+                        <td><u><b>SOURCE</b></u></td>
+                        <td><u><b>DESTINATION</b></u></td>
+                        <td><u><b>PROTOCOL</b></u></td>
+                        <td><u><b>PORT</b></u></td>
+                        <td><u><b>SOURCE PORT</b></u></td>
+                        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>net</td>
+                        <td>fw</td>
+                        <td>tcp</td>
+                        <td>80</td>
+                        <td>#Allow web access</td>
+                        <td>from the internet</td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>loc</td>
+                        <td>fw</td>
+                        <td>tcp</td>
+                        <td>80</td>
+                        <td>#Allow web access</td>
+                        <td>from the local network</td>
+                      </tr>
                                                                         
-          
-    </tbody>                                       
+                      
+    </tbody>                                             
   </table>
-                </blockquote>
-              </div>
-                           
-<div align="left">                
+                  </blockquote>
+                </div>
+                               
+<div align="left">                  
 <p align="left">Those two rules would of course be in addition to the rules 
-         listed above under "You can configure a Caching Name Server on your 
-   firewall"</p>
-             </div>
-                           
-<div align="left">                
+          listed above under "You can configure a Caching Name Server on your
+    firewall"</p>
+               </div>
+                               
+<div align="left">                  
 <p align="left">If you don't know what port and protocol a particular    application
 uses, look <a href="ports.htm">here</a>.</p>
-             </div>
-                           
-<div align="left">                
+               </div>
+                               
+<div align="left">                  
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
-         the internet because it uses clear text (even for login!). If you 
- want     shell    access to your firewall from the internet, use SSH:</p>
-             </div>
-                           
-<div align="left">                
-<blockquote>                                            
+          the internet because it uses clear text (even for login!). If you 
+  want     shell    access to your firewall from the internet, use SSH:</p>
+               </div>
+                               
+<div align="left">                  
+<blockquote>                                                  
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-                    <tbody>
-                   <tr>
-                      <td><u><b>ACTION</b></u></td>
-                      <td><u><b>SOURCE</b></u></td>
-                      <td><u><b>DESTINATION</b></u></td>
-                      <td><u><b>PROTOCOL</b></u></td>
-                      <td><u><b>PORT</b></u></td>
-                      <td><u><b>SOURCE PORT</b></u></td>
-                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>net</td>
-                      <td>fw</td>
-                      <td>tcp</td>
-                      <td>22</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
+                      <tbody>
+                     <tr>
+                        <td><u><b>ACTION</b></u></td>
+                        <td><u><b>SOURCE</b></u></td>
+                        <td><u><b>DESTINATION</b></u></td>
+                        <td><u><b>PROTOCOL</b></u></td>
+                        <td><u><b>PORT</b></u></td>
+                        <td><u><b>SOURCE PORT</b></u></td>
+                        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>net</td>
+                        <td>fw</td>
+                        <td>tcp</td>
+                        <td>22</td>
+                        <td> </td>
+                        <td> </td>
+                      </tr>
                                                                         
-          
-    </tbody>                                       
+                      
+    </tbody>                                             
   </table>
-                </blockquote>
-              </div>
-                           
-<div align="left">                
+                  </blockquote>
+                </div>
+                               
+<div align="left">                  
 <p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
  width="49" height="36">
-    Bering users will want to add the following two rules to be compatible
-with Jacques's Shorewall configuration.</p>
-<div align="left">                
-<blockquote>                                            
+      Bering users will want to add the following two rules to be compatible
+ with Jacques's Shorewall configuration.</p>
+   
+<div align="left">                  
+<blockquote>                                                  
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-                    <tbody>
-                   <tr>
-                      <td><u><b>ACTION</b></u></td>
-                      <td><u><b>SOURCE</b></u></td>
-                      <td><u><b>DESTINATION</b></u></td>
-                      <td><u><b>PROTOCOL</b></u></td>
-                      <td><u><b>PORT</b></u></td>
-                      <td><u><b>SOURCE PORT</b></u></td>
-                      <td><u><b>ORIGINAL ADDRESS</b></u></td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>loc<br>
-        </td>
-                      <td>fw</td>
-                      <td>udp<br>
-        </td>
-                      <td>53<br>
-        </td>
-                      <td>#Allow DNS Cache to</td>
-                      <td>work<br>
-        </td>
-                    </tr>
-                    <tr>
-                      <td>ACCEPT</td>
-                      <td>loc</td>
-                      <td>fw</td>
-                      <td>tcp</td>
-                      <td>80</td>
-                      <td>#Allow weblet to work</td>
-                      <td><br>
-        </td>
-                    </tr>
+                      <tbody>
+                     <tr>
+                        <td><u><b>ACTION</b></u></td>
+                        <td><u><b>SOURCE</b></u></td>
+                        <td><u><b>DESTINATION</b></u></td>
+                        <td><u><b>PROTOCOL</b></u></td>
+                        <td><u><b>PORT</b></u></td>
+                        <td><u><b>SOURCE PORT</b></u></td>
+                        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>loc<br>
+          </td>
+                        <td>fw</td>
+                        <td>udp<br>
+          </td>
+                        <td>53<br>
+          </td>
+                        <td>#Allow DNS Cache to</td>
+                        <td>work<br>
+          </td>
+                      </tr>
+                      <tr>
+                        <td>ACCEPT</td>
+                        <td>loc</td>
+                        <td>fw</td>
+                        <td>tcp</td>
+                        <td>80</td>
+                        <td>#Allow weblet to work</td>
+                        <td><br>
+          </td>
+                      </tr>
                                                                         
-          
-    </tbody>                                       
+                      
+    </tbody>                                             
   </table>
-                </blockquote>
-              </div>
+                  </blockquote>
+                </div>
+   
 <p align="left"><br>
-<img border="0" src="images/BD21298_.gif" width="13" height="13">
-                 Now edit your    /etc/shorewall/rules file to add or delete
-  other    connections  as required.</p>
-             </div>
-                           
-<div align="left">                
+  <img border="0" src="images/BD21298_.gif" width="13" height="13">
+                   Now edit your    /etc/shorewall/rules file to add or delete
+   other    connections  as required.</p>
+               </div>
+                               
+<div align="left">                  
 <h2 align="left">Starting and Stopping Your Firewall</h2>
-              </div>
-                           
-<div align="left">                
+                </div>
+                               
+<div align="left">                  
 <p align="left">          <img border="0" src="images/BD21298_2.gif"
  width="13" height="13" alt="Arrow">
-                The <a href="Install.htm">installation procedure </a>   configures
-      your system to start Shorewall at system boot  but beginning with Shorewall
-     version 1.3.9 startup is disabled so that your system won't try to start
-    Shorewall before configuration is complete. Once you have completed configuration
-    of your firewall, you can enable Shorewall startup by removing the file
-  /etc/shorewall/startup_disabled.<br>
-             </p>
-                     
+                  The <a href="Install.htm">installation procedure </a> 
+ configures       your system to start Shorewall at system boot  but beginning 
+with Shorewall      version 1.3.9 startup is disabled so that your system 
+won't try to start     Shorewall before configuration is complete. Once you 
+have completed configuration     of your firewall, you can enable Shorewall 
+startup by removing the file   /etc/shorewall/startup_disabled.<br>
+               </p>
+                         
 <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
  color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
-     and set 'startup=1'.</font><br>
-            </p>
-              </div>
-                           
-<div align="left">                
+      and set 'startup=1'.</font><br>
+              </p>
+                </div>
+                               
+<div align="left">                  
 <p align="left">The firewall is started using the "shorewall start" command 
-         and stopped using "shorewall stop". When the firewall is stopped, 
- routing     is    enabled on those hosts that have an entry in   <a
+          and stopped using "shorewall stop". When the firewall is stopped, 
+  routing     is    enabled on those hosts that have an entry in   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
-         running firewall may be restarted using the "shorewall restart" command.
-      If    you want to totally remove any trace of Shorewall from your Netfilter
-         configuration, use "shorewall clear".</p>
-             </div>
-                           
-<div align="left">                
+          running firewall may be restarted using the "shorewall restart" 
+command.       If    you want to totally remove any trace of Shorewall from 
+your Netfilter          configuration, use "shorewall clear".</p>
+               </div>
+                               
+<div align="left">                  
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-                 The two-interface sample assumes that you want to enable 
-   routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
- If    your local network isn't connected to <b>eth1</b> or if you wish to
- enable       access to/from other hosts, change /etc/shorewall/routestopped
-  accordingly.</p>
-             </div>
-                           
-<div align="left">                
+                   The two-interface sample assumes that you want to enable 
+    routing     to/from <b>eth1 </b>(the local network) when Shorewall is 
+stopped.  If    your local network isn't connected to <b>eth1</b> or if you 
+wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped
+   accordingly.</p>
+               </div>
+                               
+<div align="left">                  
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
-      the    internet, do not issue a "shorewall stop" command unless you 
-have     added an    entry for the IP address that you are connected from 
-to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
-    Also, I don't recommend using "shorewall restart"; it is better to create 
-      an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> 
-      and    test it using the <a
+       the    internet, do not issue a "shorewall stop" command unless you 
+ have     added an    entry for the IP address that you are connected from 
+ to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+     Also, I don't recommend using "shorewall restart"; it is better to create 
+       an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
+       and    test it using the <a
  href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
-             </div>
-                           
-<p align="left"><font size="2">Last updated 1/21/2003 - <a
+               </div>
+                               
+<p align="left"><font size="2">Last updated 2/13/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
-                            
+                                
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003
- Thomas      M. Eastep</font></a></p>
-               <br>
-             <br>
-            <br>
-           <br>
-          <br>
-         <br>
-        <br>
-       <br>
-      <br>
-     <br>
-    <br>
-   <br>
-  <br>
+  Thomas      M. Eastep</font></a><br>
+ </p>
  <br>
 </body>
 </html>
diff --git a/Shorewall-docs/upgrade_issues.htm b/Shorewall-docs/upgrade_issues.htm
index 88f1cbcd7..ecc24f0cd 100755
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@@ -1,233 +1,294 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                 
+                                             
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Upgrade Issues</title>
-                                                          
+                                                                        
+      
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                 
+                                             
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                                         
+                                                     
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
-              
+                    
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#400169" height="90">
-          <tbody>
-          <tr>
-            <td width="100%">                                           
-    
+             <tbody>
+             <tr>
+               <td width="100%">                                        
+                            
       <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
-            </td>
-          </tr>
-                          
-  </tbody>      
+               </td>
+             </tr>
+                                      
+  </tbody>         
 </table>
-                                                        
+                                                              
 <p>For upgrade instructions see the                               <a
  href="Install.htm">Install/Upgrade page</a>.</p>
-                                            
-<h3>Version &gt;= 1.3.14</h3>
-<img src="images/BD21298_3.gif" alt="" width="13" height="13">
-     Beginning in version 1.3.14, Shorewall treats entries in <a
- href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change 
-involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) 
-<b>column</b>:<br>
+                                                  
+<h3> </h3>
+ 
+<h3>Version &gt;= 1.4.0</h3>
+  If you are upgrading from a version &lt; 1.4.0, then:<br>
+     
+<ul>
+    <li>The <b>noping </b>and <b>forwardping</b> interface options are no 
+longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. ICMP
+echo-request (ping) packets are treated just like any other connection request
+and are subject to rules and policies.</li>
+    <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in  /etc/shorewall/interfaces
+ now generate a Shorewall error at startup (they always have produced warnings
+ in iptables).</li>
+    <li>The MERGE_HOSTS variable has been removed from shorewall.conf. Shorewall 
+1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents are
+determined by BOTH the interfaces and hosts files when there are entries
+for the zone in both files.</li>
+    <li>The <b>routestopped</b> option in the interfaces and hosts file has
+ been eliminated; use entries in the routestopped file instead.</li>
+    <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer 
+ accepted; you must convert to using the new syntax.</li>
+    <li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
+ supported.  Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
+    <li value="6">Late-arriving DNS replies are not dropped by default; there
+ is no need for your own /etc/shorewall/common file simply to avoid logging
+ these packets.</li>
+    <li value="6">The 'firewall', 'functions' and 'version' file have been
+ moved to /usr/share/shorewall.</li>
+   <li value="6">The icmp.def file has been removed. If you include it from 
+/etc/shorewall/icmpdef, you will need to modify that file.</li>
+  <li value="8">The 'multi' interface option is no longer supported.  Shorewall 
+will generate rules for sending packets back out the same interface that they
+arrived on in two cases:</li>
+</ul>
  
 <ul>
-   <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface 
-(as shown by "ip addr show <i>interface</i>") and would masquerade traffic 
-from that subnet. Any other subnets that routed through eth1 needed their 
-own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li>
-   <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing 
-table to determine ALL subnets routed through the named interface. Traffic 
-originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
- 
+  <ul>
+    <li>There is an <u>explicit</u> policy for the source zone to or from
+the destination zone. An explicit policy names both zones and does not use
+the 'all' reserved word.</li>
+  </ul>
+  <ul>
+    <li>There are one or more rules for traffic for the source zone to or
+from the destination zone including rules that use the 'all' reserved word. 
+Exception: if the source zone and destination zone are the same then the rule
+must be explicit - it must name the zone in both the SOURCE and DESTINATION 
+columns.</li>
+  </ul>
 </ul>
- You will need to make a change to your configuration if:<br>
- 
-<ol>
-   <li>You have one or more entries in /etc/shorewall/masq with an interface 
-name in the SUBNET (second) column; and</li>
-   <li>That interface connects to more than one subnetwork.</li>
- 
-</ol>
- Two examples:<br>
- <br>
-  <b>Example 1</b> -- Suppose that your current config is as follows:<br>
-    <br>
- 
-<pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE              SUBNET                  ADDRESS<br>	eth0                    eth2                    206.124.146.176<br>	eth0                    192.168.10.0/24         206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>	[root@gateway test]#</pre>
- 
-<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer 
-required.<br>
- </blockquote>
- <b>Example 2</b>-- What if your current configuration is like this?<br>
- 
-<pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    eth2                    206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	<br>	[root@gateway test]#</pre>
- 
-<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq 
-to:<br>
- </blockquote>
- 
-<pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
- <img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.
-The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used
-to specify that the old (pre-1.3.14) ping handling is to be used (If the
-option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
-is assumed). I don't plan on supporting the old handling indefinitely so
-I urge current users to migrate to using the new handling as soon as possible.
-See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
-<h3>Version 1.3.10</h3>
-  If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
- 1.3.10, you will need to use the '--force' option:<br>
-  <br>
+<ul>
    
-<blockquote>      
-  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
-  </blockquote>
+</ul>
    
-<h3>Version &gt;= 1.3.9</h3>
-    The 'functions' file has moved to /usr/lib/shorewall/functions. If you
- have  an application that uses functions from that file, your application
- will need to be changed to reflect this change of location.<br>
+<h3>Version &gt;= 1.3.14</h3>
+   <img src="images/BD21298_3.gif" alt="" width="13" height="13">
+        Beginning in version 1.3.14, Shorewall treats entries in <a
+ href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
+  involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
+  <b>column</b>:<br>
+       
+<ul>
+      <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the 
+interface  (as shown by "ip addr show <i>interface</i>") and would masquerade 
+traffic  from that subnet. Any other subnets that routed through eth1 needed 
+their  own entry in /etc/shorewall/masq to be masqueraded or to have SNAT 
+applied.</li>
+      <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
+routing   table to determine ALL subnets routed through the named interface.
+Traffic   originating in ANY of those subnets is masqueraded or has SNAT
+applied.</li>
+       
+</ul>
+    You will need to make a change to your configuration if:<br>
        
-<h3>Version &gt;= 1.3.8</h3>
-                                            
-<p>If you have a pair of firewall systems configured for            failover
-   or if you have asymmetric routing, you will need to modify           
-                    your firewall setup slightly under Shorewall        
-                       versions &gt;= 1.3.8. Beginning with version 1.3.8,
-                               you must set NEWNOTSYN=Yes in your       
-                        /etc/shorewall/shorewall.conf file.</p>
-                                            
-<h3>Version &gt;= 1.3.7</h3>
-                                            
-<p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf
-   will need to include the                                following rules
- in  their /etc/shorewall/icmpdef                                file (creating
-   this file if necessary):</p>
-                                            
-<pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
-              
-<p>Users having an /etc/shorewall/icmpdef file may remove the ".   /etc/shorewall/icmp.def"
-   command from that file since the icmp.def file is now   empty.</p>
-              
-<h3><b><a name="Bering">Upgrading </a>Bering to                         
-      Shorewall &gt;= 1.3.3</b></h3>
-                                            
-<p>To properly upgrade with Shorewall version                           
-    1.3.3 and later:</p>
-                                            
 <ol>
-                                       <li>Be sure you have a backup -- you 
- will  need                                  to transcribe any Shorewall configuration
-                                   changes that you have made to the new
-                                 configuration.</li>
-                                       <li>Replace the shorwall.lrp package 
- provided  on                                  the Bering floppy with the 
-later one.  If you did                                  not obtain the later 
-version from Jacques's                                  site, see additional 
-instructions  below.</li>
-                                       <li>Edit the /var/lib/lrpkg/root.exclude.list
-                                    file and remove the /var/lib/shorewall
- entry  if                                  present. Then do not forget to
- backup  root.lrp !</li>
+      <li>You have one or more entries in /etc/shorewall/masq with an interface
+  name in the SUBNET (second) column; and</li>
+      <li>That interface connects to more than one subnetwork.</li>
+       
+</ol>
+    Two examples:<br>
+    <br>
+     <b>Example 1</b> -- Suppose that your current config is as follows:<br>
+       <br>
+       
+<pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE              SUBNET                  ADDRESS<br>	eth0                    eth2                    206.124.146.176<br>	eth0                    192.168.10.0/24         206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>	[root@gateway test]#</pre>
+       
+<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
+  required.<br>
+    </blockquote>
+    <b>Example 2</b>-- What if your current configuration is like this?<br>
+       
+<pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    eth2                    206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	<br>	[root@gateway test]#</pre>
+       
+<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
+  to:<br>
+    </blockquote>
+       
+<pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+    <img src="images/BD21298_3.gif" alt="" width="13" height="13">
+       Version 1.3.14 also introduced simplified ICMP echo-request (ping) 
+handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
+is used  to specify that the old (pre-1.3.14) ping handling is to be used 
+(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes 
+ is assumed). I don't plan on supporting the old handling indefinitely so 
+I urge current users to migrate to using the new handling as soon as possible. 
+ See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
+     
+<h3>Version 1.3.10</h3>
+     If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to 
+version   1.3.10, you will need to use the '--force' option:<br>
+     <br>
+         
+<blockquote>               
+  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
+     </blockquote>
+         
+<h3>Version &gt;= 1.3.9</h3>
+       The 'functions' file has moved to /usr/lib/shorewall/functions. If 
+you   have  an application that uses functions from that file, your application 
+  will need to be changed to reflect this change of location.<br>
+             
+<h3>Version &gt;= 1.3.8</h3>
+                                                  
+<p>If you have a pair of firewall systems configured for            failover 
+    or if you have asymmetric routing, you will need to modify           
+                    your firewall setup slightly under Shorewall        
+                       versions &gt;= 1.3.8. Beginning with version 1.3.8, 
+                                you must set NEWNOTSYN=Yes in your       
+                        /etc/shorewall/shorewall.conf file.</p>
+                                                  
+<h3>Version &gt;= 1.3.7</h3>
+                                                  
+<p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf 
+    will need to include the                                following rules 
+  in  their /etc/shorewall/icmpdef                                file (creating 
+    this file if necessary):</p>
+                                                  
+<pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
+                    
+<p>Users having an /etc/shorewall/icmpdef file may remove the ".   /etc/shorewall/icmp.def" 
+    command from that file since the icmp.def file is now   empty.</p>
+                    
+<h3><b><a name="Bering">Upgrading </a>Bering to                          
+     Shorewall &gt;= 1.3.3</b></h3>
+                                                  
+<p>To properly upgrade with Shorewall version                            
+   1.3.3 and later:</p>
+                                                  
+<ol>
+                                          <li>Be sure you have a backup --
+ you   will  need                                  to transcribe any Shorewall
+ configuration                                    changes that you have made
+ to the new                                  configuration.</li>
+                                          <li>Replace the shorwall.lrp package
+   provided  on                                  the Bering floppy with the
+  later one.  If you did                                  not obtain the
+later   version from Jacques's                                  site, see
+additional   instructions  below.</li>
+                                          <li>Edit the /var/lib/lrpkg/root.exclude.list 
+                                     file and remove the /var/lib/shorewall 
+  entry  if                                  present. Then do not forget to
+  backup  root.lrp !</li>
+                       
+</ol>
+                    
+<p>The .lrp that I release isn't set up for a two-interface firewall like 
+      Jacques's. You need to follow the <a href="two-interface.htm">instructions 
+    for   setting up a two-interface firewall</a> plus you also need to add 
+  the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
+                    
+<blockquote>                               
+  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
+           </blockquote>
+                                              
+<h3 align="left">Version  1.3.6 and 1.3.7</h3>
+                                              
+<p align="left">If you have a pair of firewall systems configured for    
+       failover or if you have asymmetric routing, you will need to modify 
+               your firewall setup slightly under Shorewall versions 1.3.6 
+ and   1.3.7</p>
+                                              
+<ol>
+                      <li>                                              
+                          
+    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
+               the following rule<br>
+                    <br>
+                    <font face="Courier">run_iptables -A newnotsyn -j RETURN
+  #  So  that the            connection tracking table can be rebuilt<br>
+                                                         # from non-SYN packets 
+   after  takeover.<br>
+           </font>  </p>
+           </li>
+           <li>                                                         
+               
+    <p align="left">Create /etc/shorewall/common (if you don't already   
+        have that file) and include the following:<br>
+                    <br>
+                    <font face="Courier">run_iptables -A common -p tcp --tcp-flags 
+               ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
+                                                                              
+             #tracking table. <br>
+                    . /etc/shorewall/common.def</font> </p>
+           </li>
                  
 </ol>
-              
-<p>The .lrp that I release isn't set up for a two-interface firewall like
-     Jacques's. You need to follow the <a href="two-interface.htm">instructions
-   for   setting up a two-interface firewall</a> plus you also need to add
- the  following   two Bering-specific rules to /etc/shorewall/rules:</p>
-              
-<blockquote>                      
-  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
-        </blockquote>
-                                        
-<h3 align="left">Version  1.3.6 and 1.3.7</h3>
-                                        
-<p align="left">If you have a pair of firewall systems configured for   
-        failover or if you have asymmetric routing, you will need to modify
-              your firewall setup slightly under Shorewall versions 1.3.6
-and   1.3.7</p>
-                                        
-<ol>
-                   <li>                                                 
-        
-    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
-              the following rule<br>
-                 <br>
-                 <font face="Courier">run_iptables -A newnotsyn -j RETURN 
-#  So  that the            connection tracking table can be rebuilt<br>
-                                                      # from non-SYN packets
-  after  takeover.<br>
-        </font>  </p>
-        </li>
-        <li>                                                          
-    <p align="left">Create /etc/shorewall/common (if you don't already  
-         have that file) and include the following:<br>
-                 <br>
-                 <font face="Courier">run_iptables -A common -p tcp --tcp-flags
-              ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
-                                                                          
-            #tracking table. <br>
-                 . /etc/shorewall/common.def</font> </p>
-        </li>
-           
-</ol>
-                                        
+                                              
 <h3 align="left">Versions &gt;= 1.3.5</h3>
-                                        
-<p align="left">Some forms of pre-1.3.0 rules file syntax are no        
-   longer supported. </p>
-                                        
+                                              
+<p align="left">Some forms of pre-1.3.0 rules file syntax are no         
+  longer supported. </p>
+                                              
 <p align="left">Example 1:</p>
-                                        
-<div align="left">                   
+                                              
+<div align="left">                      
 <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
-        </div>
-                                        
+           </div>
+                                              
 <p align="left">Must be replaced with:</p>
-                                        
-<div align="left">                   
+                                              
+<div align="left">                      
 <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
-        </div>
-              
-<div align="left">          
+           </div>
+                    
+<div align="left">             
 <p align="left">Example 2:</p>
-      </div>
-              
-<div align="left">          
+         </div>
+                    
+<div align="left">             
 <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
-        </div>
-              
-<div align="left">          
+           </div>
+                    
+<div align="left">             
 <p align="left">Must be replaced with:</p>
-      </div>
-              
-<div align="left">          
+         </div>
+                    
+<div align="left">             
 <pre>	REDIRECT	loc	3128	tcp	80</pre>
-        </div>
-                                        
+           </div>
+                                              
 <h3 align="left">Version &gt;= 1.3.2</h3>
-                                        
-<p align="left">The functions and versions files together with the      
-     'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
-              If you have applications that access these files, those applications
-              should be modified accordingly.</p>
-                               
-<p><font size="2">  Last updated 1/25/2003 -                             
- <a href="support.htm">Tom Eastep</a></font> </p>
-               
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-     © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-  </p>
+                                              
+<p align="left">The functions and versions files together with the       
+    'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
+               If you have applications that access these files, those applications 
+               should be modified accordingly.</p>
+                                     
+<p><font size="2">  Last updated 2/14/2003 -                            
+  <a href="support.htm">Tom Eastep</a></font> </p>
+                     
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+      © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
+     </p>
+     <br>
+    <br>
+   <br>
   <br>
  <br>
 </body>
diff --git a/Shorewall-docs/whitelisting_under_shorewall.htm b/Shorewall-docs/whitelisting_under_shorewall.htm
index c0a706c56..47518f19d 100644
--- a/Shorewall-docs/whitelisting_under_shorewall.htm
+++ b/Shorewall-docs/whitelisting_under_shorewall.htm
@@ -1,281 +1,326 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<meta name="ProgId" content="FrontPage.Editor.Document">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
-<title>Whitelisting under Shorewall</title>
+     
+  <meta http-equiv="Content-Language" content="en-us">
+     
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+     
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+     
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <title>Whitelisting under Shorewall</title>
 </head>
-
-<body>
-
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
-  <tr>
-    <td width="100%">
-    <h1 align="center"><font color="#FFFFFF">Whitelisting under Shorewall</font></h1>
-    </td>
-  </tr>
+  <body>
+    
+<table border="0" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+ id="AutoNumber1" bgcolor="#400169" height="90">
+    <tbody>
+     <tr>
+      <td width="100%">            
+      <h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
+      </td>
+    </tr>
+     
+  </tbody> 
 </table>
-<p align="left">For a brief time, the 1.2 version of Shorewall supported an 
-/etc/shorewall/whitelist file. This file was intended to contain a list of IP 
-addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was 
-implemented as a stop-gap measure until the facilities necessary for 
-implementing white lists using zones was in place. As of Version 1.3 RC1, those 
-facilities were available.</p>
-<p align="left">White lists are most often used to give special privileges to a 
-set&nbsp; of hosts within an organization. Let us suppose that we have the 
-following environment:</p>
+   
+<p align="left">For a brief time, the 1.2 version of Shorewall supported an
+ /etc/shorewall/whitelist file. This file was intended to contain a list of
+IP  addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist 
+file was  implemented as a stop-gap measure until the facilities necessary 
+for  implementing white lists using zones was in place. As of Version 1.3 
+RC1, those  facilities were available.</p>
+   
+<p align="left">White lists are most often used to give special privileges 
+to a  set  of hosts within an organization. Let us suppose that we have the 
+ following environment:</p>
+   
 <ul>
-  <li>A firewall with three interfaces -- one to the internet, one 
-  to a local network and one to a DMZ.</li>
-  <li>The local network uses SNAT to the internet and is comprised 
-  of the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 
-  local network, the technique described here in no way depends on that or on 
-  SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
-  <li>The network operations staff have workstations with IP 
-  addresses in the class C network 10.10.10.0/24</li>
-  <li>We want the network operations staff to have full access to 
-  all other hosts.</li>
-  <li>We want the network operations staff to bypass the transparent 
-  HTTP proxy running on our firewall.</li>
+    <li>A firewall with three interfaces -- one to the internet, one    to 
+a local network and one to a DMZ.</li>
+    <li>The local network uses SNAT to the internet and is comprised    of 
+the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 
+   local network, the technique described here in no way depends on that or
+on    SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
+    <li>The network operations staff have workstations with IP    addresses 
+in the class C network 10.10.10.0/24</li>
+    <li>We want the network operations staff to have full access to    all 
+other hosts.</li>
+    <li>We want the network operations staff to bypass the transparent  
+ HTTP proxy running on our firewall.</li>
+   
 </ul>
+   
 <p align="left">The basic approach will be that we will place the operations 
-staff's class C in its own zone called <b>ops</b>. Here are the appropriate 
-configuration files:</p>
+ staff's class C in its own zone called <b>ops</b>. Here are the appropriate 
+ configuration files:</p>
+   
 <h2 align="left">Zone File</h2>
-<blockquote>
+   
+<blockquote>      
   <table border="2">
-                        <tr>
-         <td><b>
-  ZONE</b></td>
-         <td><b>
-  DISPLAY</b></td>
-         <td><b>
-  COMMENTS</b></td>
-       </tr>
-            
+                          <tbody>
        <tr>
-         <td>net</td>
-         <td>Net</td>
-         <td>Internet</td>
-       </tr>
-       <tr>
-         <td>ops</td>
-         <td>Operations</td>
-         <td>Operations Staff's Class C</td>
-       </tr>
-       <tr>
-         <td>loc</td>
-         <td>Local</td>
-         <td>Local Class B</td>
-       </tr>
-       <tr>
-         <td>dmz</td>
-         <td>DMZ</td>
-         <td>Demilitarized  zone</td>
-       </tr>
-                                               
-                  </table>
-</blockquote>
-<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- since
-<b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
+           <td><b>   ZONE</b></td>
+           <td><b>   DISPLAY</b></td>
+           <td><b>   COMMENTS</b></td>
+         </tr>
+                      <tr>
+           <td>net</td>
+           <td>Net</td>
+           <td>Internet</td>
+         </tr>
+         <tr>
+           <td>ops</td>
+           <td>Operations</td>
+           <td>Operations Staff's Class C</td>
+         </tr>
+         <tr>
+           <td>loc</td>
+           <td>Local</td>
+           <td>Local Class B</td>
+         </tr>
+         <tr>
+           <td>dmz</td>
+           <td>DMZ</td>
+           <td>Demilitarized  zone</td>
+         </tr>
+                                                                        
+    </tbody>   
+  </table>
+  </blockquote>
+   
+<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- 
+since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
+   
 <h2>Interfaces File</h2>
-<blockquote>
+   
+<blockquote>      
   <table border="2">
-                          <tr>
-         <td><b>
-  ZONE</b></td>
-         <td><b>
-  INTERFACE</b></td>
-         <td><b>
-  BROADCAST</b></td>
-         <td><b>
-  OPTIONS</b></td>
-       </tr>
+                            <tbody>
        <tr>
-         <td>net</td>
-         <td>eth0</td>
-         <td>&lt;whatever&gt;</td>
-         <td>&lt;options&gt;</td>
-       </tr>
-       <tr>
-         <td>dmz</td>
-         <td>eth1</td>
-         <td>&lt;whatever&gt;</td>
-         <td>routestopped</td>
-       </tr>
-       <tr>
-         <td>-</td>
-         <td>eth2</td>
-         <td>10.10.255.255</td>
-         <td>&nbsp;</td>
-       </tr>
-                                                   
-                    </table>
-</blockquote>
-<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, we 
-don't specify a zone for it here.</p>
+           <td><b>   ZONE</b></td>
+           <td><b>   INTERFACE</b></td>
+           <td><b>   BROADCAST</b></td>
+           <td><b>   OPTIONS</b></td>
+         </tr>
+         <tr>
+           <td>net</td>
+           <td>eth0</td>
+           <td>&lt;whatever&gt;</td>
+           <td>&lt;options&gt;</td>
+         </tr>
+         <tr>
+           <td>dmz</td>
+           <td>eth1</td>
+           <td>&lt;whatever&gt;</td>
+           <td><br>
+         </td>
+         </tr>
+         <tr>
+           <td>-</td>
+           <td>eth2</td>
+           <td>10.10.255.255</td>
+           <td> </td>
+         </tr>
+                                                                        
+     
+    </tbody>   
+  </table>
+  </blockquote>
+   
+<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, 
+we  don't specify a zone for it here.</p>
+   
 <h2>Hosts File</h2>
-<blockquote>
+   
+<blockquote>   <font face="Century Gothic, Arial, Helvetica">            
+                                                                </font> 
+ 
   <table border="2">
-                                    <tr>
-         <td><b>
-  ZONE</b></td>
-         <td><b>
-  HOST(S)</b></td>
-         <td><b>
-  OPTIONS</b></td>
-       </tr>
+                                      <tbody>
        <tr>
-         <td>ops</td>
-         <td>eth2:10.10.10.0/24</td>
- <font face="Century Gothic, Arial, Helvetica">
-                                                   
-              
-         <td>routestopped</td>
-   </font>
-       </tr>
-       <tr>
-         <td>loc</td>
-         <td>eth2:0.0.0.0/0</td>
-         <td>&nbsp;</td>
-       </tr>
-                                                                       
-                              </table>
-</blockquote>
+           <td><b>   ZONE</b></td>
+           <td><b>   HOST(S)</b></td>
+           <td><b>   OPTIONS</b></td>
+         </tr>
+         <tr>
+           <td>ops</td>
+           <td>eth2:10.10.10.0/24</td>
+   <td><br>
+         </td>
+             </tr>
+         <tr>
+           <td>loc</td>
+           <td>eth2:0.0.0.0/0</td>
+           <td> </td>
+         </tr>
+                                                                        
+                                    
+    </tbody>   
+  </table>
+  </blockquote>
+   
 <p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is 
-stopped, only the hosts in the <b>ops</b> zone will be allowed to access the 
-firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 
-10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into 
-that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for 
-that special address.</p>
+stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
+ firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather
+than  10.10.0.0/16 so that the limited broadcast address (255.255.255.255) 
+falls into  that zone. If I used 10.10.0.0/16 then I would have to have a 
+separate entry for  that special address.</p>
+   
 <h2>Policy File</h2>
-<blockquote>
-  <table border="2">
-                                      <tr>
-         <td><b>SOURCE</b></td>
-         <td><b>DEST</b></td>
-         <td><b>
-  POLICY</b></td>
-         <td><b>
-  LOG LEVEL</b></td>
-         <td><b>LIMIT:BURST</b></td>
-       </tr>
-       <tr>
-         <td><font color="#0000FF">ops</font></td>
-         <td><font color="#0000FF">all</font></td>
-         <td><font color="#0000FF">ACCEPT</font></td>
-                                                   
-                  
-         <td>&nbsp;</td>
-                                                   
-                  
-         <td>&nbsp;</td>
-       </tr>
-       <tr>
-         <td><font color="#0000FF">all</font></td>
-         <td><font color="#0000FF">ops</font></td>
-         <td><font color="#0000FF">CONTINUE</font></td>
-                                                   
-                  
-         <td>&nbsp;</td>
-                                                   
-                  
-         <td>&nbsp;</td>
-       </tr>
-       <tr>
-         <td>loc</td>
-         <td>net</td>
-         <td>ACCEPT</td>
- <font face="Century Gothic, Arial, Helvetica">
-                                                   
-                  
-         <td>&nbsp;</td>
-                                                   
-                  
-         <td>&nbsp;</td>
-    </font>
-       </tr>
-       <tr>
-         <td>net</td>
-         <td>all</td>
-         <td>DROP</td>
-         <td>info</td>
-         <td>&nbsp;</td>
-       </tr>
-       <tr>
-         <td>all</td>
-         <td>all</td>
-         <td>REJECT</td>
-         <td>info</td>
-         <td>&nbsp;</td>
-       </tr>
-                                                                        
+   
+<blockquote>   <font face="Century Gothic, Arial, Helvetica">            
+                                                                    </font> 
   
-                                </table>
-</blockquote>
-<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy file.
-<font color="#FF0000"><b>WARNING: You must be running Shorewall 1.3.1 or later 
-for the above to work properly.</b></font></p>
+  <table border="2">
+                                        <tbody>
+       <tr>
+           <td><b>SOURCE</b></td>
+           <td><b>DEST</b></td>
+           <td><b>   POLICY</b></td>
+           <td><b>   LOG LEVEL</b></td>
+           <td><b>LIMIT:BURST</b></td>
+         </tr>
+         <tr>
+           <td><font color="#0000ff">ops</font></td>
+           <td><font color="#0000ff">all</font></td>
+           <td><font color="#0000ff">ACCEPT</font></td>
+                                                                        
+         <td> </td>
+                                                                        
+         <td> </td>
+         </tr>
+         <tr>
+           <td><font color="#0000ff">all</font></td>
+           <td><font color="#0000ff">ops</font></td>
+           <td><font color="#0000ff">CONTINUE</font></td>
+                                                                        
+         <td> </td>
+                                                                        
+         <td> </td>
+         </tr>
+         <tr>
+           <td>loc</td>
+           <td>net</td>
+           <td>ACCEPT</td>
+   <td> </td>
+                                                                        
+         <td> </td>
+              </tr>
+         <tr>
+           <td>net</td>
+           <td>all</td>
+           <td>DROP</td>
+           <td>info</td>
+           <td> </td>
+         </tr>
+         <tr>
+           <td>all</td>
+           <td>all</td>
+           <td>REJECT</td>
+           <td>info</td>
+           <td> </td>
+         </tr>
+                                                                        
+                                          
+    </tbody>   
+  </table>
+  </blockquote>
+   
+<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy 
+file.<font color="#ff0000"><b></b></font></p>
+   
 <h2>Rules File</h2>
+   
+<blockquote>   <font face="Century Gothic, Arial, Helvetica">          </font> 
+  
+  <table border="2">
+                                                    <tbody>
+       <tr>
+      <td><b>ACTION</b></td>
+           <td><b>SOURCE</b></td>
+           <td><b>DEST</b></td>
+           <td><b>   PROTO</b></td>
+           <td><b>DEST<br>
+    PORT(S)</b></td>
+           <td><b>SOURCE<br>
+           PORT(S)</b></td>
+           <td><b>ORIGINAL<br>
+           DEST</b></td>
+                                                         </tr>
+         <tr>
+           <td>REDIRECT</td>
+           <td>loc!ops</td>
+           <td>3128</td>
+           <td>tcp</td>
+           <td>http</td>
+           <td> </td>
+           <td> </td>
+         </tr>
+         <tr>
+           <td>...</td>
+           <td> </td>
+           <td> </td>
+           <td> </td>
+           <td> </td>
+           <td> </td>
+           <td> </td>
+         </tr>
+                                                                        
+                                                                        
+     
+    </tbody>   
+  </table>
+  </blockquote>
+   
+<p>This is the rule that transparently redirects web traffic to the transparent 
+ proxy running on the firewall. The SOURCE column explicitly excludes the 
+<b>ops</b>  zone from the rule.</p>
+<h2>Routestopped File</h2>
+ 
 <blockquote>
   <table border="2">
-                                                  <tr>
-    <font face="Century Gothic, Arial, Helvetica">
-         <td><b>ACTION</b></td>
-         <td><b>SOURCE</b></td>
-         <td><b>DEST</b></td>
-         <td><b>
-  PROTO</b></td>
-         <td><b>DEST<br>
-  PORT(S)</b></td>
-         <td><b>SOURCE<br>
-         PORT(S)</b></td>
-         <td><b>ORIGINAL<br>
-         DEST</b></td>
-    </font>
-                                                  </tr>
-       <tr>
-         <td>REDIRECT</td>
-         <td>loc!ops</td>
-         <td>3128</td>
-         <td>tcp</td>
-         <td>http</td>
-         <td>&nbsp;</td>
-         <td>&nbsp;</td>
-       </tr>
-       <tr>
-         <td>...</td>
-         <td>&nbsp;</td>
-         <td>&nbsp;</td>
-         <td>&nbsp;</td>
-         <td>&nbsp;</td>
-         <td>&nbsp;</td>
-         <td>&nbsp;</td>
-       </tr>
+    <tbody>
+      <tr>
+        <td><b>INTERFACE</b><br>
+        </td>
+          <td><b>   HOST(S)</b></td>
+                  </tr>
+        <tr>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+      <tr>
+          <td>eth2<br>
+        </td>
+          <td>10.10.10.0/24</td>
+              </tr>
                                                                         
-                          
-                                            </table>
+                                      
+    </tbody>
+  </table>
+ <br>
 </blockquote>
-<p>This is the rule that transparently redirects web traffic to the transparent 
-proxy running on the firewall. The SOURCE column explicitly excludes the <b>ops</b> 
-zone from the rule.</p>
                                                                         
                                                                         
-                       
-                                                                                  <p><font size="2">
-  Updated 5/31/2002 - <a href="support.htm">Tom 
-Eastep</a>
-   </font></p>
+                                                                        
+                                     
+<p><font size="2">   Updated 2/18/2003 - <a href="support.htm">Tom  Eastep</a>
+    </font></p>
                                                                         
                                                                         
-                       
-  <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-  © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
+                             
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+   © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
                                                                         
                                                                         
-                       
-  </body>
-
-</html>
\ No newline at end of file
+                            <br>
+ <br>
+</body>
+</html>