Shorewall 1.3.7b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@221 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2002-08-26 22:17:49 +00:00 · 2002-08-26 22:17:49 +00:00 · 8dc5bd0ed8
commit 8dc5bd0ed8
parent 580cfb6c61
21 changed files with 348 additions and 151 deletions
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -533,7 +533,9 @@ problem are:</p>
 over my console making it unusable!</h4>
  <p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup 
-  scripts or place it in /etc/shorewall/start.</p>
+  scripts or place it in /etc/shorewall/start. Under RedHat, the max log level 
  that is sent to the console is specified in /etc/sysconfig/init in the 
  LOGLEVEL variable.</p>
  <h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my 
  interfaces properly?</h4>
@ -566,7 +568,7 @@ over my console making it unusable!</h4>
  zone is defined as all hosts connected through eth1.</div>
 <p align="left"><font size="2">Last updated 
-8/15/2002 - <a href="support.htm">Tom
+8/24/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
--- a/STABLE/documentation/IPIP.htm
+++ b/STABLE/documentation/IPIP.htm
@ -42,7 +42,25 @@ parameter to the type of tunnel that you want to create.</p>
 <blockquote>
 <p align="left">tunnel_type=gre</p>
 </blockquote>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>gw</b> zone. In
+<p align="left">On each firewall, you will need to declare a zone to represent 
 the remote subnet. We'll assume that this zone is called 'vpn' and declare it in 
 /etc/shorewall/zones on both systems as follows.</p>
 <blockquote>
    <table border="2" cellpadding="2" style="border-collapse: collapse">
               <tr>
              <td><strong>ZONE</strong></td>
              <td><strong>DISPLAY</strong></td>
              <td><strong>COMMENTS</strong></td>
          </tr>
          <tr>
              <td>vpn</td>
              <td>VPN</td>
              <td>Remote Subnet</td>
          </tr>
    </table>
 </blockquote>
 <p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone. In
 /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse">
@ -53,7 +71,7 @@ parameter to the type of tunnel that you want to create.</p>
      <td><b>OPTIONS</b></td>
    </tr>
    <tr>
-      <td>gw</td>
+      <td>vpn</td>
      <td>tosysb</td>
      <td>10.255.255.255</td>
      <td>&nbsp;</td>
@ -88,7 +106,7 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
  gateway=134.28.54.2<br>
  subnet=10.0.0.0/8</p>
 </blockquote>
-<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>gw</b>
+<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
 zone. In /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse">
@ -99,7 +117,7 @@ zone. In /etc/shorewall/interfaces:</p>
      <td><b>OPTIONS</b></td>
    </tr>
    <tr>
-      <td>gw</td>
+      <td>vpn</td>
      <td>tosysa</td>
      <td>192.168.1.255</td>
      <td>&nbsp;</td>
@ -135,7 +153,7 @@ zone. In /etc/shorewall/interfaces:</p>
 <p>You can rename the modified tunnel scripts if you like; be sure that they are
 secured so that root can execute them.  </p>
-      <p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and 
+      <p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and 
      the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic 
      in both directions, you can use the policy file:</p>
@ -150,13 +168,13 @@ secured so that root can execute them.  </p>
          </tr>
          <tr>
              <td>loc</td>
-              <td>gw</td>
+              <td>vpn</td>
              <td>ACCEPT</td>
          <td>&nbsp;</td>
          </tr>
          <tr>
-              <td>gw</td>
+              <td>vpn</td>
              <td>loc</td>
              <td>ACCEPT</td>
          <td>&nbsp;</td>
@ -168,7 +186,7 @@ secured so that root can execute them.  </p>
 run the modified tunnel script with the &quot;start&quot; argument on each
 system. The systems in the two masqueraded subnetworks can now talk to each
 other</p>
-<p><font size="2">Updated 5/18/2002 - <a href="support.htm">Tom
+<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
 Eastep</a> </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@ -17,6 +17,31 @@
  </tr>
 </table>
 <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
 <p>This is a role up of the &quot;shorewall refresh&quot; bug fix and the change which 
 reverses the order of &quot;dhcp&quot; and &quot;norfc1918&quot; checking.</p>
 <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
 <p><a href="ftp://france.shorewall.net/pub/mirrors/shorewall">
 ftp://france.shorewall.net/pub/mirrors/shorewall</a> is now available.</p>
 <p><b>8/25/2002 - Shorewall Mirror in France</b></p>
 <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored 
 at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
 <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
 <p>Lorenzo Martignoni reports that the packages for version 1.3.7a  are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
 <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author -- Shorewall 1.3.7a 
 released</b></p>
 <p>1.3.7a corrects problems occurring in  rules file processing when starting Shorewall 
 1.3.7.</p>
 <p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002</b></p>
 <p>Features in this release include:</p>
@ -1024,7 +1049,7 @@ version:</p>
  additional &quot;gw&quot; (gateway) zone for tunnels and it supports IPSEC
  tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>
-    <p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
+    <p><font size="2">Updated 8/26/2002 - <a href="support.htm">Tom
 Eastep</a> </font></p>
    <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
--- a/STABLE/documentation/Shorewall_index_frame.htm
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@ -55,6 +55,7 @@
        <li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
        <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
        <li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
        <li><a target="_top" href="http://france.shorewall.net">France</a></li>
      </ul>
      </li>
    </ul>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -66,7 +66,7 @@ AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED
 FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO 
 START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, 
 ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p>
-<p>Download Latest Version (<b>1.3.7</b>): <b>Remember that updates to the mirrors 
+<p>Download Latest Version (<b>1.3.7a</b>): <b>Remember that updates to the mirrors 
 occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>
  <table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
@ -118,8 +118,8 @@ occur 1-12 hours after an update to the primary site.</b></p>
      <a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
        <a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
        .tgz</a>&nbsp;<br>
-        <a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">Download
+        <a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">
-        .rpm</a></td>
+      Download .lrp</a></td>
    </tr>
    <tr>
      <td>Hamburg, Germany</td>
@ -154,6 +154,20 @@ occur 1-12 hours after an update to the primary site.</b></p>
        <a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
      Download .lrp</a></td>
    </tr>
    <tr>
      <td>Paris, France</td>
      <td>Shorewall.net</td>
      <td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
        <a href="http://france.shorewall.net/pub/LATEST.tgz">Download
        .tgz</a>&nbsp;<br>
        <a href="http://france.shorewall.net/pub/LATEST.lrp">Download
        .lrp</a></td>
      <td>
      <a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
        <a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
        .tgz</a>&nbsp;<br>
        <a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download .lrp</a></td>
    </tr>
  </table>
 </blockquote>
 <p>Browse Download Sites:</p>
@ -198,6 +212,13 @@ occur 1-12 hours after an update to the primary site.</b></p>
      <a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">
      Browse</a></td>
    </tr>
    <tr>
      <td>France</td>
      <td>Shorewall.net</td>
      <td><a href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
      <td>
      <a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
    </tr>
    <tr>
      <td>California, USA (Incomplete)</td>
      <td>Sourceforge.net</td>
@ -216,7 +237,7 @@ Shorewall component. There's no guarantee that what you find there will work at
 all.</p>
 </blockquote>
-<p align="left"><font size="2">Last Updated 8/22/2002 - <a href="support.htm">Tom
+<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -65,15 +65,15 @@ dos2unix</a></u>
 <ul>
   <li><b><a href="#Upgrade">Upgrade Issues</a></b></li>
   <li>
-            
+                
-          <b><font color="#660066">
+          <b><a href="#V1.3">Problems in Version 1.3</a></b></li>
 <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
   <li>
          <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
   <li>
-          <b><a href="#V1.3">Problems in Version 1.3</a></b></li>
+          <b><font color="#660066">
 <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
   <li>
          <b><font color="#660066"><a href="#iptables">
@ -88,112 +88,58 @@ dos2unix</a></u>
 </ul>
 <hr>
-          <h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
+          <h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
-                              <h3>Version &gt;= 1.3.7</h3>
+                              <h3>Version 1.3.7a</h3>
-                              <p>Users specifying ALLOWRELATED=No in 
+                              <p>&quot;shorewall refresh&quot; is not creating the proper 
-                              /etc/shorewall.conf will need to include the 
+                              rule for FORWARDPING=Yes. Consequently, after 
-                              following rules in their /etc/shorewall/icmpdef 
+                              &quot;shorewall refresh&quot;, the firewall will not forward 
-                              file (creating this file if necessary):</p>
+                              icmp echo-request (ping) packets. Installing
                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
                              this corrected firewall script</a> in /var/lib/shorewall/firewall 
                              as described above corrects this problem.</p>
-                              <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+                              <h3>Version &lt;= 1.3.7a</h3>
 	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
 <p>Users having an /etc/shorewall/icmpdef file may remove the &quot;. 
 /etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now 
 empty.</p>
 <h3><b><a name="Bering">Upgrading </a>Bering to 
                              Shorewall &gt;= 1.3.3</b></h3>
-                              <p>To properly upgrade with Shorewall version 
+                              <p>If &quot;norfc1918&quot; and &quot;dhcp&quot; are both specified as 
-                              1.3.3 and later:</p>
+                              options on a given interface then RFC 1918 
                              checking is occurring before DHCP checking. This 
                              means that if a DHCP client broadcasts using an 
                              RFC 1918 source address, then the firewall will 
                              reject the broadcast (usually logging it). This 
                              has two problems:</p>
                              <ol>
-                                <li>Be sure you have a backup -- you will need 
+                                <li>If the firewall is running a DHCP server, 
-                                to transcribe any Shorewall configuration 
+                                the client won't be able to obtain an IP address 
-                                changes that you have made to the new 
+                                lease from that server.</li>
-                                configuration.</li>
+                                <li>With this order of checking, the &quot;dhcp&quot; 
-                                <li>Replace the shorwall.lrp package provided on 
+                                option cannot be used as a noise-reduction 
-                                the Bering floppy with the later one. If you did 
+                                measure where there are both dynamic and static 
-                                not obtain the later version from Jacques's 
+                                clients on a LAN segment.</li>
                                site, see additional instructions below.</li>
                                <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                file and remove the /var/lib/shorewall entry if 
                                present. Then do not forget to backup root.lrp !</li>
 </ol>
 <p>The .lrp that I release isn't set up for a two-interface firewall like 
 Jacques's. You need to follow the <a href="two-interface.htm">instructions for 
 setting up a two-interface firewall</a> plus you also need to add the following 
 two Bering-specific rules to /etc/shorewall/rules:</p>
 <blockquote>
   <pre># Bering specific rules:
 # allow loc to fw udp/53 for dnscache to work
 # allow loc to fw tcp/80 for weblet to work
 #
 ACCEPT loc fw udp 53
 ACCEPT loc fw tcp 80</pre>
 </blockquote>
-          <h3 align="Left">Version &gt;= 1.3.6</h3>
+                              <p>
-                
+                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
-          <p align="Left">If you have a pair of firewall systems configured for 
+                              This version of the 1.3.7a firewall script </a>
-          failover, you will need to modify your firewall setup slightly under 
+                              corrects the problem. It must be installed in /var/lib/shorewall 
-          Shorewall versions &gt;= 1.3.6. </p>
+                              as described above.</p>
-                
+
-          <ol>
+                              <h3>Version 1.3.7</h3>
-            <li>
+
-                
+                              <p>Version 1.3.7 dead on arrival -- please use 
-          <p align="Left">Create the file /etc/shorewall/newnotsyn and in it add 
+                              version 1.3.7a and check your version against 
-          the following rule<br>
+                              these md5sums -- if there's a difference, please 
-          <br>
+                              download again.</p>
-          <font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the 
+
-          connection tracking table can be rebuilt<br>
+                              <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
+	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
-          # from non-SYN packets after takeover.<br>
+	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
-&nbsp;</font></li>
+ <p>In other words, type &quot;md5sum &lt;<i>whatever package you downloaded</i>&gt; and 
- <li>
+ compare the result with what you see above.</p>
-                
+ <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7 
-          <p align="Left">Create /etc/shorewall/common (if you don't already 
+ version in each sequence from now on.</p>
          have that file) and include the following:<br>
          <br>
          <font face="Courier">run_iptables -A common -p tcp --tcp-flags 
          ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
          #tracking table. <br>
          . /etc/shorewall/common.def</font></li>
 </ol>
          <h3 align="Left">Versions &gt;= 1.3.5</h3>
          <p align="Left">Some forms of pre-1.3.0 rules file syntax are no 
          longer supported. </p>
          <p align="Left">Example 1:</p>
          <div align="left">
            <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
 </div>
          <p align="Left">Must be replaced with:</p>
          <div align="left">
            <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
 </div>
 <div align="left">
   <p align="left">Example 2:</div>
 <div align="left">
   <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
 </div>
 <div align="left">
   <p align="left">Must be replaced with:</div>
 <div align="left">
   <pre>	REDIRECT	loc	3128	tcp	80</pre>
 </div>
          <h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
          <h3 align="Left">Version 1.3.6</h3>
@ -352,6 +298,120 @@ ACCEPT loc fw tcp 80</pre>
          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
          corrected version is here</a>.</li>
 </ul>
 <hr>
          <h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
                              <h3>Version &gt;= 1.3.7</h3>
                              <p>Users specifying ALLOWRELATED=No in 
                              /etc/shorewall.conf will need to include the 
                              following rules in their /etc/shorewall/icmpdef 
                              file (creating this file if necessary):</p>
                              <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
 	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
 <p>Users having an /etc/shorewall/icmpdef file may remove the &quot;. 
 /etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now 
 empty.</p>
 <h3><b><a name="Bering">Upgrading </a>Bering to 
                              Shorewall &gt;= 1.3.3</b></h3>
                              <p>To properly upgrade with Shorewall version 
                              1.3.3 and later:</p>
                              <ol>
                                <li>Be sure you have a backup -- you will need 
                                to transcribe any Shorewall configuration 
                                changes that you have made to the new 
                                configuration.</li>
                                <li>Replace the shorwall.lrp package provided on 
                                the Bering floppy with the later one. If you did 
                                not obtain the later version from Jacques's 
                                site, see additional instructions below.</li>
                                <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                file and remove the /var/lib/shorewall entry if 
                                present. Then do not forget to backup root.lrp !</li>
 </ol>
 <p>The .lrp that I release isn't set up for a two-interface firewall like 
 Jacques's. You need to follow the <a href="two-interface.htm">instructions for 
 setting up a two-interface firewall</a> plus you also need to add the following 
 two Bering-specific rules to /etc/shorewall/rules:</p>
 <blockquote>
   <pre># Bering specific rules:
 # allow loc to fw udp/53 for dnscache to work
 # allow loc to fw tcp/80 for weblet to work
 #
 ACCEPT loc fw udp 53
 ACCEPT loc fw tcp 80</pre>
 </blockquote>
          <h3 align="Left">Version &gt;= 1.3.6</h3>
          <p align="Left">If you have a pair of firewall systems configured for 
          failover, you will need to modify your firewall setup slightly under 
          Shorewall versions &gt;= 1.3.6. </p>
          <ol>
            <li>
          <p align="Left">Create the file /etc/shorewall/newnotsyn and in it add 
          the following rule<br>
          <br>
          <font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the 
          connection tracking table can be rebuilt<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
          # from non-SYN packets after takeover.<br>
 &nbsp;</font></li>
 <li>
          <p align="Left">Create /etc/shorewall/common (if you don't already 
          have that file) and include the following:<br>
          <br>
          <font face="Courier">run_iptables -A common -p tcp --tcp-flags 
          ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
          #tracking table. <br>
          . /etc/shorewall/common.def</font></li>
 </ol>
          <h3 align="Left">Versions &gt;= 1.3.5</h3>
          <p align="Left">Some forms of pre-1.3.0 rules file syntax are no 
          longer supported. </p>
          <p align="Left">Example 1:</p>
          <div align="left">
            <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
 </div>
          <p align="Left">Must be replaced with:</p>
          <div align="left">
            <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
 </div>
 <div align="left">
   <p align="left">Example 2:</div>
 <div align="left">
   <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
 </div>
 <div align="left">
   <p align="left">Must be replaced with:</div>
 <div align="left">
   <pre>	REDIRECT	loc	3128	tcp	80</pre>
 </div>
          <h3 align="Left">Version &gt;= 1.3.2</h3>
          <p align="Left">The functions and versions files together with the 
          'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
          If you have applications that access these files, those applications 
          should be modified accordingly.</p>
 <hr>
        <h3 align="Left"><a name="iptables"></a><font color="#660066">
@ -435,9 +495,9 @@ Aborted (core dumped)
                              installed, simply use the &quot;--nodeps&quot; option to 
                              rpm.</p>
-                              <p>Installing: rpm -ivh <i>&lt;shorewall rpm&gt;</i></p>
+                              <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
-                              <p>Upgrading: rpm -Uvh <i>&lt;shorewall rpm&gt;</i></p>
+                              <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
                              <h3><a name="Multiport"></a><b>Problems with 
                              iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
@ -445,7 +505,8 @@ Aborted (core dumped)
                              <p>The iptables 1.2.7 release of iptables has made 
                              an incompatible change to the syntax used to 
                              specify multiport match rules; as a consequence, 
-                              if you install iptables 1.2.7 you must</p>
+                              if you install iptables 1.2.7 you must be running 
                              Shorewall 1.3.7a or later or:</p>
                              <ul>
                                <li>set MULTIPORT=No in 
@ -457,7 +518,7 @@ Aborted (core dumped)
                                as described above.</li>
 </ul>
 <p><font size="2">
- Last updated 8/22/2002 -
+ Last updated 8/26/2002 -
                              <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
--- a/STABLE/documentation/images/proxyarp.png
+++ b/STABLE/documentation/images/proxyarp.png
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -6,16 +6,18 @@
 <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
 <meta name="ProgId" content="FrontPage.Editor.Document">
 <title>Shorewall Mailing Lists</title>
-<meta name="Microsoft Theme" content="boldstri 011">
+<meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
  <tr>
    <td width="100%">
    <h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
 <img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
    <p align="right"><font color="#FFFFFF"><b>Powered by Postfix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    </b></font>
    </td>
  </tr>
 </table>
--- a/STABLE/documentation/mailing_list_problems.htm
+++ b/STABLE/documentation/mailing_list_problems.htm
@ -26,6 +26,7 @@ to at least one address in each of the following domains:</h2>
    <pre>2020ca - delivery to this domain has been disabled (cause unknown)
 excite.com - delivery to this domain has been disabled (cause unknown)
 epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
 familie-fleischhacker.de - (connection timed out)
 gmx.net - delivery to this domain has been disabled (cause unknown)
 hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
 intercom.net - delivery to this domain has been disabled (cause unknown)
@ -33,6 +34,7 @@ initialcs.com - delivery to this domain has been disabled (cause unknown)
 intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
 khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
 kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
 littleblue.de - (connection timed out)
 opermail.net - delivery to this domain has been disabled (cause unknown)
 penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
 scip-online.de - delivery to this domain has been disabled (cause unknown)
@ -42,7 +44,7 @@ yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
  </div>
 </blockquote>
-<p align="left"><font size="2">Last updated 7/26/2002 19:39 GMT -
+<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
 <a href="support.htm">Tom
 Eastep</a></font></p>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -63,9 +63,38 @@
      <h2>News</h2>
- <p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
+ <p><b>8/26/2002 - Shorewall 1.3.7b
 <img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
 <p>This is a role up of the &quot;shorewall refresh&quot; bug fix and the change which 
 reverses the order of &quot;dhcp&quot; and &quot;norfc1918&quot; checking.</p>
 <p><b>8/26/2002 - French FTP Mirror is Operational
 <img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
 <p><a href="ftp://france.shorewall.net/pub/mirrors/shorewall">
 ftp://france.shorewall.net/pub/mirrors/shorewall</a> is now available.</p>
 <p><b>8/25/2002 - Shorewall Mirror in France
 <img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
 <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored 
 at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
 <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available
 <img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
 <p>Lorenzo Martignoni reports that the packages for version 1.3.7a  are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
 <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author 
 -- Shorewall 1.3.7a released
 <img border="0" src="images/j0233056.gif" width="50" height="80" align="middle"></b></p>
 <p>1.3.7a corrects problems occurring in  rules file processing when starting Shorewall 
 1.3.7.</p>
 <p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
 <p>Features in this release include:</p>
      <ul>
@ -150,7 +179,7 @@
 </table>
      <p><font size="2">Updated
-      8/22/2002 - <a href="support.htm">Tom Eastep</a>
+      8/26/2002 - <a href="support.htm">Tom Eastep</a>
     </font>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -73,17 +73,20 @@ Washington</a>
  <ul>
    <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX 
    (Tulip) NIC - My personal Windows system.</li>
-    <li>Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My 
+    <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My 
-    personal Linux System which runs Samba configured as a WINS server.</li>
+    personal Linux System which runs Samba configured as a WINS server. This 
    system also has <a href="http://www.vmware.com/">VMware</a> installed and 
    can run both <a href="http://www.debian.org">Debian</a> and
    <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
    <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
 - Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server 
    (Bind).</li>
-    <li>PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3 
+    <li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3 
    LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP  
  server.  Also  runs PoPToP for     road warrior access.</li>
    <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's     personal system.</li>
    <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and     EEPRO100
-in expansion base - My main work system.</li>
+in expansion base and LinkSys WAC11 - My main work system.</li>
  </ul>
  <p>For more about our network see <a href="myfiles.htm">my Shorewall
  Configuration</a>.</p>
--- a/STABLE/documentation/shorewall_features.htm
+++ b/STABLE/documentation/shorewall_features.htm
@ -50,7 +50,7 @@
  </li>
  <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
    IP addresses and subnetworks is supported.</li>
-  <li><a href="Documentation.htm#Starting"><b>Operational support</b></a>:
+  <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
  <ul>
    <li>Commands to start, stop and clear the firewall</li>
    <li>Supports status             monitoring
--- a/STABLE/documentation/shorewall_firewall_structure.htm
+++ b/STABLE/documentation/shorewall_firewall_structure.htm
@ -43,7 +43,11 @@ from the internet and from the DMZ and in       some cases, from each other.</li
 network hosts.</p>
 <p>While zones are normally disjoint (no two zones have a host in common), 
 there are cases where nested or overlapping zone definitions are appropriate.</p>
- <p>Packets entering the firewall first pass through the <i>mangle </i>table's 
+ <p>For a general picture of how packets traverse a Netfilter firewall, see
 <a href="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES">
 http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES.</a><br>
 <br>
 Packets entering the firewall first pass through the <i>mangle </i>table's 
 PREROUTING chain (you can see the mangle table by typing &quot;shorewall show 
 mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b> 
 option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop 
@ -55,10 +59,25 @@ from the internet and from the DMZ and in       some cases, from each other.</li
 control.</p>
 <p>Next, if the packet isn't part of an established connection, it passes 
 through the<i> nat</i> table's PREROUTING chain (you can see the nat table by 
- typing &quot;shorewall show nat&quot;). </p>
+ typing &quot;shorewall show nat&quot;). If you are doing both static nat and 
 port forwarding, the order in which chains are traversed is dependent on the 
 setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then 
 packets will ender a chain called <i>interface_</i>in where <i>interface</i> is 
 the name of the interface on which the packet entered. Here it's destination IP 
 is compared to each of the <i>EXTERNAL</i> IP addresses from /etc/shorewall/nat 
 that correspond to this interface; if there is a match, DNAT is applied and the 
 packet header is modified to the IP in the <i>INTERNAL</i> column of the nat 
 file record. If the destination address doesn't match any of the rules in the
 <i>interface_</i>in chain then the packet enters a chain called <i>sourcezone</i>_dnat 
 where <i>sourcezone</i> is the source zone of the packet. There it is compared 
 for a match against each of the DNAT records in the rules file that specify <i>
 sourcezone </i>as the source zone. If a match is found, the destination IP 
 address (and possibly the destination port) is modified based on the rule 
 matched. If NAT_BEFORE_RULES is off, then the order of traversal of the <i>
 interface_</i>in and <i>sourcezone</i>_dnat is reversed.</p>
      <p>
- Traffic entering the 
+ Traffic is next sent to an<i> input </i>chain in the mail Netfilter table 
- firewall is sent to an<i> input </i>chain. If the traffic is destined for the 
+ (called 'filter'). If the traffic is destined for the 
 firewall itself, the name of the input chain is formed by appending &quot;_in&quot; to 
 the interface name. So traffic on eth0 destined for the firewall will enter a 
 chain called <i>eth0_in</i>. The input chain for traffic that will be routed to 
@ -151,6 +170,6 @@ its own separate connection from   the firewall to zone B.</p>
 zone and you are having problems connecting from a local client to an   internet 
 server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font>
    (see point 3 above).</p>
-<p><font size="2">Last modified 7/26/2002 - <a href="support.htm">Tom
+<p><font size="2">Last modified 8/22/2002 - <a href="support.htm">Tom
 Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
 <font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
--- a/STABLE/documentation/shorewall_mirrors.htm
+++ b/STABLE/documentation/shorewall_mirrors.htm
@ -36,6 +36,8 @@ It is mirrored at:</p>
  <li><a target="_top" href="http://germany.shorewall.net">
  http://germany.shorewall.net</a> (Hamburg, Germany)</li>
  <li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li>
  <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a> 
  (Paris, France)</li>
 </ul>
 <p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
 and is located in Washington State, USA.&nbsp;
@ -50,8 +52,11 @@ It is mirrored at:</p>
  ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li>
  <li>
  <a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li>
  <li>
  <a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
  (Paris, France)</li>
 </ul>
-<p align="left"><font size="2">Last Updated 7/16/2002 - <a href="support.htm">Tom
+<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
--- a/STABLE/documentation/shorewall_prerequisites.htm
+++ b/STABLE/documentation/shorewall_prerequisites.htm
@ -18,7 +18,7 @@
  </tr>
 </table>
 <ul>
-  <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm">
+  <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm">
    Check here for kernel configuration       information.</a>
     If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
    see       the Seattle Firewall site</a>
@ -43,7 +43,7 @@
  <li>The firewall monitoring display is greatly improved if you have awk 
     (gawk) installed.</li>
 </ul>
-<p align="left"><font size="2">Last updated 8/4/2002 - <a href="support.htm">Tom
+<p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -19,20 +19,22 @@
  </tr>
 </table>
 <h3 align="left">Before Reporting a Problem</h3>
 <blockquote>
 <h3 align="left"> <span style="font-weight: 400"><i>
-&quot;It is easier to post a problem than to use your own brain&quot; -- </i>
+&quot;<font size="3">It is easier to post a problem than to use your own brain&quot;
 </font>-- </i>
 <font size="2">Weitse Venema (creator of Postfix)</font></span></h3>
-</blockquote>
+
 <p align="left"> <i>&quot;Any sane computer with tell you how it works -- you just 
 have to ask it the right questions&quot; </i>-- <font size="2">Tom Eastep</font></p>
 <h3 align="left">Before Reporting a Problem</h3>
 <p>There are a number of sources for problem solution information.</p>
 <ul>
  <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
  <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains a 
  number of tips to help you solve common problems.</li>
  <li>The <a href="errata.htm">   Errata</a> has links to download updated 
  components.</li>
  <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
  <li>The Mailing List Archives are a useful source of problem solving 
  information.</li>
 </ul>
@ -116,7 +118,7 @@ to respond promptly to mailing list posts.&nbsp;&nbsp; <a href="mailto:teastep@s
 <p>To Subscribe to the  mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
    .</p>
-<p align="left"><font size="2">Last Updated 8/17/2002 - Tom
+<p align="left"><font size="2">Last Updated 8/24`/2002 - Tom
 Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
--- a/STABLE/documentation/traffic_shaping.htm
+++ b/STABLE/documentation/traffic_shaping.htm
@ -55,6 +55,9 @@ utilities.</p>
    normally not required as Shorewall's method of clearing qdisc and filter
    definitions is pretty general.</li>
 </ul>
 <h3 align="left">Kernel Configuration</h3>
 <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
 <p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
 <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
 <p align="left">The fwmark classifier provides a convenient way to classify
 packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
@ -200,7 +203,7 @@ use to others.</p>
  configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br>
  </font></p>
 </blockquote>
-<p><font size="2">Last Updated 6/18/2002 - <a href="support.htm">Tom
+<p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.7
+VERSION=1.3.7b
 usage() # $1 = exit status
 {
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.7
+VERSION=1.3.7b
 usage() # $1 = exit status
 {
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.7
+%define version 1.3.7b
 %define release 1
 %define prefix /usr
@ -76,6 +76,10 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7b
 * Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7a
 * Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7
 * Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.7
+VERSION=1.3.7b
 usage() # $1 = exit status
 {