Move 2.2.0+ to STABLE2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1939 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-02-02 21:07:23 +00:00 · 2005-02-02 21:07:23 +00:00 · a32c5eb849
commit a32c5eb849
parent d356631782
74 changed files with 3940 additions and 1823 deletions
--- a/STABLE2/INSTALL
+++ b/STABLE2/INSTALL
@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
+Shoreline Firewall (Shorewall) Version 2.2
 -----         ----
 -----------------------------------------------------------------------------
--- a/STABLE2/accounting
+++ b/STABLE2/accounting
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Accounting File
+# Shorewall version 2.2 - Accounting File
 #
 # /etc/shorewall/accounting
 #
@ -47,9 +47,12 @@
 #			Format the same as the SOURCE column.
 #
 #	PROTOCOL	A protocol name (from /etc/protocols), a protocol
-#			number.
+#			number, or "ipp2p"
 #
-#	DEST PORT	Destination Port number
+#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p" then
 #			this column must contain an ipp2p option ("iptables -m 
 #			ipp2p --help") without the leading "--". If no option
 #			is given in this column, "ipp2p" is assumed.
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6
@ -61,13 +64,33 @@
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
 #	USER/GROUP	This column may only be non-empty if the CHAIN is
 #			OUTPUT.
 #			
 #			The column may contain:
 #
 #			   [!][<user name or number>][:<group name or number>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
 #			the effective <user> and/or <group> specified (or is
 #			NOT running under that id if "!" is given).
 #
 #			Examples:
 #
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #
 #	In all of the above columns except ACTION and CHAIN, the values "-",
 #	"any" and "all" may be used as wildcards
 #
 #	Please see http://shorewall.net/Accounting.html for examples and 
 #	additional information about how to use this file.
 #
-#ACTION	CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE
+#ACTION	CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE	USER/
-#							PORT		PORT
+#							PORT		PORT	GROUP
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/action.AllowAuth
+++ b/STABLE2/action.AllowAuth
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowAuth
+# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
 #
 #	This action accepts Auth (identd) traffic.
 #
--- a/STABLE2/action.AllowDNS
+++ b/STABLE2/action.AllowDNS
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowDNS
+# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
 #
 #	This action accepts DNS traffic.
 #
--- a/STABLE2/action.AllowFTP
+++ b/STABLE2/action.AllowFTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowFTP
+# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
 #
 #	This action accepts FTP traffic. See
 #	http://www.shorewall.net/FTP.html for additional considerations.
--- a/STABLE2/action.AllowICMPs
+++ b/STABLE2/action.AllowICMPs
@ -0,0 +1,11 @@
 #
 # Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
 #
 #	ACCEPT needed ICMP types
 #
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 #
 ACCEPT	-		-		icmp	fragmentation-needed
 ACCEPT	-		-		icmp	time-exceeded
--- a/STABLE2/action.AllowIMAP
+++ b/STABLE2/action.AllowIMAP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
+# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
 #
 #	This action accepts IMAP traffic (secure and insecure):
 #
--- a/STABLE2/action.AllowNNTP
+++ b/STABLE2/action.AllowNNTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
+# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
 #
 #	This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
 #
--- a/STABLE2/action.AllowNTP
+++ b/STABLE2/action.AllowNTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowNTP
+# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
 #
 #	This action accepts NTP traffic (ntpd).
 #
@ -7,4 +7,5 @@
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
 #                       	        	PORT    PORT(S)    DEST         LIMIT
 ACCEPT	 -	        -               udp	123
 ACCEPT	 -		-		udp	1024:	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/action.AllowPCA
+++ b/STABLE2/action.AllowPCA
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowPCA
+# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
 #
 #	This action accepts PCAnywere (tm)
 #
--- a/STABLE2/action.AllowPOP3
+++ b/STABLE2/action.AllowPOP3
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
+# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
 #
 #	This action accepts POP3 traffic (secure and insecure):
 #
--- a/STABLE2/action.AllowPing
+++ b/STABLE2/action.AllowPing
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowPing
+# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
 #
 #	This action accepts 'ping' requests.
 #
--- a/STABLE2/action.AllowRdate
+++ b/STABLE2/action.AllowRdate
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowRdate
+# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
 #
 #	This action accepts remote time retrieval (rdate).
 #
--- a/STABLE2/action.AllowSMB
+++ b/STABLE2/action.AllowSMB
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSMB
+# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
 #
 #	Allow Microsoft SMB traffic. You need to invoke this action in
 #	both directions.
--- a/STABLE2/action.AllowSMTP
+++ b/STABLE2/action.AllowSMTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
+# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
 #
 #	This action accepts SMTP (email) traffic.
 #
--- a/STABLE2/action.AllowSNMP
+++ b/STABLE2/action.AllowSNMP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
+# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
 #
 #	This action accepts SNMP traffic (including traps):
 #
--- a/STABLE2/action.AllowSSH
+++ b/STABLE2/action.AllowSSH
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSSH
+# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
 #
 #	This action accepts secure shell (SSH) traffic.
 #
--- a/STABLE2/action.AllowTelnet
+++ b/STABLE2/action.AllowTelnet
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
+# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
 #
 #	This action accepts Telnet traffic. For traffic over the
 #	internet, telnet is inappropriate; use SSH instead
--- a/STABLE2/action.AllowTrcrt
+++ b/STABLE2/action.AllowTrcrt
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
+# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
 #
 #	This action accepts Traceroute (for up to 30 hops):
 #
--- a/STABLE2/action.AllowVNC
+++ b/STABLE2/action.AllowVNC
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
 #
 #	This action accepts VNC traffic for VNC display's 0 - 9.
 #
--- a/STABLE2/action.AllowVNCL
+++ b/STABLE2/action.AllowVNCL
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
 #
 #	This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
 #
--- a/STABLE2/action.AllowWeb
+++ b/STABLE2/action.AllowWeb
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowWeb
+# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
 #
 #	This action accepts WWW traffic (secure and insecure):
 #
@ -7,5 +7,5 @@
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 ACCEPT	 -		-		tcp	80
-ACCEPT	 -		-		TCP	443
+ACCEPT	 -		-		tcp	443
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/action.Drop
+++ b/STABLE2/action.Drop
@ -1,16 +1,49 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.Drop
+# Shorewall 2.2 /usr/share/shorewall/action.Drop
 #
 #	The default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose of the action
 # is:
 #
 #	a) Avoid logging lots of useless cruft. 
 #	b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
 #	   Otherwise, you may experience problems establishing connections with
 #	   servers that use auth.
 #       c) Ensure that certain ICMP packets that are necessary for successful 
 #	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#TARGET  	SOURCE		DEST      	PROTO
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#
 # Reject 'auth'
 #
 RejectAuth
 #
 # Don't log broadcasts
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
 AllowICMPs	-		-		icmp
 #
 # Drop packets that in the INVALID state -- these are usually ICMP packets and just
 # confuse people when they appear in the log.
 #
 dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 DropSMB
 DropUPnP
-dropNotSyn
+#
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn	-		-		tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
 #
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/action.DropDNSrep
+++ b/STABLE2/action.DropDNSrep
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
+# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
 #
 #	This action silently drops DNS UDP replies
 #
--- a/STABLE2/action.DropPing
+++ b/STABLE2/action.DropPing
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropPing
+# Shorewall 2.2 /usr/share/shorewall/action.DropPing
 #
 #	This action silently drops 'ping' requests.
 #
--- a/STABLE2/action.DropSMB
+++ b/STABLE2/action.DropSMB
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropSMB
+# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
 #
 #	This action silently drops Microsoft SMB traffic
 #
--- a/STABLE2/action.DropUPnP
+++ b/STABLE2/action.DropUPnP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropUPnP
+# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
 #
 #	This action silently drops UPnP probes on UDP port 1900
 #
--- a/STABLE2/action.Reject
+++ b/STABLE2/action.Reject
@ -1,16 +1,46 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.Reject
+# Shorewall 2.2 /usr/share/shorewall/action.Reject
 #
 #	The default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose of the action
 # is:
 #
 #	a) Avoid logging lots of useless cruft. 
 #       b) Ensure that certain ICMP packets that are necessary for successful 
 #	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#TARGET  	SOURCE		DEST      	PROTO
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#
 # Don't log 'auth' REJECT
 #
 RejectAuth
 #
 # Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
 AllowICMPs	-		-		icmp
 #
 # Drop packets that in the INVALID state -- these are usually ICMP packets and just
 # confuse people when they appear in the log (these ICMPs cannot be rejected).
 #
 dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the lot.
 #
 RejectSMB
 DropUPnP
-dropNotSyn
+#
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn	-		-		tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
 #
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/action.RejectAuth
+++ b/STABLE2/action.RejectAuth
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.RejectAuth
+# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
 #
 #	This action silently rejects Auth (tcp 113) traffic
 #
--- a/STABLE2/action.RejectSMB
+++ b/STABLE2/action.RejectSMB
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.RejectSMB
+# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
 #
 #	This action silently rejects Microsoft SMB traffic
 #
--- a/STABLE2/action.template
+++ b/STABLE2/action.template
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.template
+# Shorewall 2.2 /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form 
 #	/etc/shorewall/action.<action-name> where <action> is an
@ -37,6 +37,10 @@
 #			ACCEPT:debugging). This causes the packet to be
 #			logged at the specified level.
 #
 #			The special log level 'none' does not result in logging
 #			but rather exempts the rule from being overridden by a
 #			non-forcing log level when the action is invoked.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
@ -61,6 +65,10 @@
 #
 #			155.186.235.0/24	Subnet 155.186.235.0/24
 #
 #			10.0.0.4-10.0.0.9	Range of IP addresses; your
 #						kernel and iptables must have
 #						iprange match support. 
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
@ -77,10 +85,6 @@
 #	DEST		Location of Server. Same as above with the exception that
 #			MAC addresses are not allowed.
 #
 #			Unlike in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #
@ -155,6 +159,6 @@
 #					#of the 'kids' group
 #
 ######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE		USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#                       	        	PORT		PORT(S)    LIMIT	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/actions
+++ b/STABLE2/actions
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/actions
+# Shorewall 2.2 /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules 
 #	(/etc/shorewall/rules). You define the iptables rules to
--- a/STABLE2/actions.std
+++ b/STABLE2/actions.std
@ -1,19 +1,17 @@
 #
-# Shorewall 2.0 /usr/share/shorewall/actions.std
+# Shorewall 2.2 /usr/share/shorewall/actions.std
 #
 #
 # Builtin Actions are:
 #
 #    allowBcast		#Silently Allow Broadcast/multicast
 #    dropBcast          #Silently Drop Broadcast/multicast
 #    dropNonSyn         #Silently Drop Non-syn TCP packets
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
 #    rLogNonSyn         #Log Non-syn TCP packets with disposition REJECT
 #    dropInvalid	#Silently Drop packets that are in the INVALID
 #                       #conntrack state.
-#    allowInvalid       #Accept packets that are in the INVALID conntrack
+#    allowInvalid	#Accept packets that are in the INVALID
-#                       #state
+#			#conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
@ -36,6 +34,7 @@ AllowSMB	#Allow MS Networking
 AllowAuth	#Allow Auth (identd)
 AllowSMTP	#Allow SMTP (Email)
 AllowPOP3	#Allow reading mail via POP3
 AllowICMPs	#Allows critical ICMP types
 AllowIMAP	#Allow reading mail via IMAP
 AllowTelnet	#Allow Telnet Access (not recommended for use over the
 		#Internet)
--- a/STABLE2/blacklist
+++ b/STABLE2/blacklist
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Blacklist File
+# Shorewall 2.2 -- Blacklist File
 #
 # /etc/shorewall/blacklist
 #
@ -7,7 +7,9 @@
 #
 # Columns are:
 #
-#	ADDRESS/SUBNET 	- Host address, subnetwork or MAC address
+#	ADDRESS/SUBNET 	- Host address, subnetwork, MAC address or IP address
 #			  range (if your kernel and iptables contain iprange
 #			  match support).
 #
 # 			  MAC addresses must be prefixed with "~" and use "-"
 #			  as a separator.
@ -21,10 +23,10 @@
 #			  is TCP (6) or UDP (17). A comma-separated list
 #			  of port numbers or service names from /etc/services.
 #
-# When a packet arrives on in interface that has the 'blacklist' option
+# When a packet arrives on an interface that has the 'blacklist' option
-# specified, its source IP address is checked against this file and disposed of
+# specified in /etc/shorewall/interfaces, its source IP address is checked
-# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
+# against this file and disposed of according to the BLACKLIST_DISPOSITION and
-# /etc/shorewall/shorewall.conf
+# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
 #
 # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
 # the protocol (and one of the ports if PORTS supplied) are blocked.
--- a/STABLE2/bogons
+++ b/STABLE2/bogons
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0-- Bogons File
+# Shorewall 2.2-- Bogons File
 #
 # /etc/shorewall/bogons
 #
@ -14,7 +14,9 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed)
+# 	SUBNET		The subnet (host addresses also allowed as are IP
 #			address ranges provided that your kernel and iptables
 #			include iprange match support).
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@ -1,121 +1,222 @@
-Changes in 2.0.4
+Changes in 2.2.1
-1) Fix DNAT logging with 'fw' as the source zone.
+1) Add examples to the zones and policy files.
-Change in 2.0.5
+2) Simon Matter's patch for umask.
-1) Eradicate more RESTOREBASE messages.
+Changes since 2.0.3
-2) Remove 'mangle' reference from shorewall.conf.
+1) Fix security vulnerability involving temporary files/directories.
-Change in 2.0.6
+2) Hack security fix so that it works under Slackware.
-1) Add PKTTYPE option.
+3) Correct mktempfile() for case where mktemp isn't installed.
-       shorewall.conf
+4) Implement 'dropInvalid' builtin action.
       firewall
-2) Sanitized some correct but confusing code in determine_hosts().
+5) Fix logging nat rules.
-   There was a loop:
+6) Fix COMMAND typos.
-	 for networks in $networks
+7) Add PKTTYPE option.
 	 ...
-   It now reads:
+8) Enhancements to /etc/shorewall/masq
-	 for network in $networks
+8) Allow overriding ADD_IP_ALIASES=Yes
 	 ... 
 9) Fix syntax error in setup_nat()
-3) Don't give shorewall.conf and zones execute permission.
+10) Port "shorewall status" changes from 2.0.7.
 4) Backport 'dropInvalid' from 2.1
-Changes in 2.0.7
+11) All config files are now empty.
-1) Include output of "ip rule ls" and "ip route ls" in "shorewall
+12) Port blacklisting fix from 2.0.7
   status".
-2) Consult PKTTYPE when generating 'REJECT' rules.
+13) Pass rule chain and display chain separately to log_rule_limit.
    Prep work for action logging.
-3) Enhance IP/Routing output in "shorewall status".
+14) Show the iptables/ip/tc command that failed when failure is fatal.
-4) Correct handling of multiple 'blacklist' interfaces.
+15) Implement STARTUP_ENABLED.
-5) Add "0.0.0.0 RETURN" to nobogons.
+16) Added DNAT ONLY column to /etc/shorewall/nat.
-Changes in 2.0.8
+17) Removed SNAT from ORIGINAL DESTINATION column.
-1) Removed dead code from process_actions2()
+18) Removed DNAT ONLY column.
-2) Corrected read command in process_actions2() (userspec)
+19) Added IPSEC column to /etc/shorewall/masq.
-Changes in 2.0.9
+20) No longer enforce source port 500 for ISAKMP.
-1) Corrected setup_tc1() handling of the PROTO column.
+21) Apply policy to interface/host options.
-2) Added warning about ADD_SNAT_ALIASES in the masq file.
+22) Fix policy and maclist.
-3) Added "brctl show" to the status command. 
+23) Implement additional IPSEC options for zones and masq entries.
-Changes in 2.0.10
+24) Deprecate the -c option in /sbin/shorewall.
-1) Corrected GATEWAY handling for 'pptpserver's
+25) Allow distinct input and output IPSEC parameters.
-2) Correct log rule number generation.
+26) Allow source port remapping in /etc/shorewall/masq.
-3) Add clarification to /etc/shorewall/tcrules.
+27) Include params file on 'restore'
-4) Apply part of Ian Allen's fix for down interface in the SUBNET
+28) Apply Richard Musil's patch.
   column of /etc/shorewall/masq.
-5) Add key /proc settings to "shorewall status" output.
+29) Correct parsing of PROTO column in setup_tc1().
-Changes in 2.0.11
+30) Verify Physdev match if BRIDGING=Yes
-1) Add note for Slackware users to INSTALL.
+31) Don't NAT tunnel traffic.
-2) Correct bogons file.
+32) Fix shorewall.spec to run chkconfig/insserv after initial install.
-3) Replace service names by port numbers in /etc/shorewall/tos.
+33) Add iprange support.
-4) Added NNTPS to action.AllowNNTP.
+34) Add CLASSIFY support.
-5) Fix install.sh
+35) Fix iprange support so that ranges in both source and destination
    work.
-Changes in 2.0.12
+36) Remove logunclean and dropunclean
-1) Correct typo in shorewall.conf.
+37) Fixed proxy arp flag setting for complex configurations.
-2) Fix "shorewall add" and "shorewall delete" with bridging.
+38) Added RETAIN_ALIASES option.
-3) Implement variable expansion in INCLUDE directives
+39) Relax OpenVPN source port restrictions.
-4) Split restore-base into two files.
+40) Implement DELAYBLACKLISTLOAD.
-5) Correct dynamic zone OUTPUT handling.
+41) Avoid double-setting proxy arp flags.
-Changes in 2.0.13
+42) Fix DELAYBLACKLISTLOAD=No.
-1) Correct typo in "shorewall add" code.
+43) Merge 'brctl show' change from 2.0.9.
-Changes in 2.0.14
+44) Implememt LOGTAGONLY.
-1)  Log drops due to policy rate limiting.
+45) Merge 'tcrules' clarification from 2.0.10.
-2)  Fix typo in interfaces file.
+46) Implement 'sourceroute' interface option.
-3)  Eliminate "bad variable" errors during stop/clear.
+47) Add 'AllowICMPs' action.
-4)  Fix typo in tunnels file.
+48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
    handled before traffic from non-IPSEC zones.
-Changes in 2.0.15
+49) Correct logmartians handling.
-1)  Increased port range for Traceroute.
+50) Add a clarification and fix a typo in the blacklist file.
-2)  Corrected port of rate-limit logging change.
+51) Allow setting a specify MSS value.
-Changes in 2.0.16
+52) Detect duplicate zone names.
-1)  Backport DROPINVALID from 2.2.0.
+53) Add mss=<number> option to the ipsec file.
 54) Added CONNMARK/ipp2p support.
 55) Added LOGALLNEW support.
 56) Fix typo in check_config()
 57) Allow outgoing NTP responses in action.AllowNTP.
 58) Clarification of the 'ipsec' hosts file option.
 59) Allow list in the SUBNET column of the rfc1918 file.
 60) Restore missing '#' in the rfc1918 file.
 61) Add note for Slackware users to INSTALL.
 62) Allow interface in DEST tcrules column.
 63) Remove 'ipt_unclean' from search expression in "log" commands.
 64) Remove nonsense from IPSEC description in masq file.
 65) Correct typo in rules file.
 66) Update bogons file.
 67) Add a rule for NNTPS to action.AllowNNTP
 68) Fix "shorewall add"
 69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
 70) Correct typo in shorewall.conf.
 71) Add the 'icmp_echo_ignore_all' file to the /proc display.
 72) Apply Tuomas Jormola's IPTABLES patch.
 73) Fixed some bugs in Tuomas's patch.
 74) Correct bug in "shorewall add"
 75) Correct bridge handling in "shorewall add" and "shorewall delete"
 76) Add "shorewall show zones"
 77) Remove dependency of "show zones" on dynamic zones.
 78) Implement variable expansion in INCLUDE directives
 79) More fixes for "shorewall delete" with bridging.
 80) Split restore-base into two files.
 81) Correct OUTPUT handling of dynamic zones.
 83) Add adapter statistics to the output of "shorewall status".
 84) Log drops due to policy rate limiting.
 85) Continue determining capabilities when fooX1234 already exists.
 86) Corrected typo in interfaces file.
 87) Add DROPINVALID option.
 88) Allow list of hosts in add and delete commands. Fix ipsec problem
    with "add" and "delete"
 89) Clarify add/delete syntax in /sbin/shorewall usage summary.
 90) Implement OpenVPN TCP support.
 91) Simplify the absurdly over-engineered code that restores the
    dynamic chain.
 92) Add OPENVPNPORT option.
 93) Remove OPENVPNPORT option and change default port to 1194.
 94) Avoid shell error during "shorewall stop/clear"
 95) Change encryption to blowfish in 'ipsecvpn' script.
 96) Correct rate limiting rule example.
 97) Fix <if>:: handling in setup_masq().
 98) Fix mis-leading typo in tunnels.
 99) Fix brain-dead ipsec option handling in setup_masq().
 100) Reconcile ipsec masq file implementation with the documentation.
 101) Add netfilter module display to status output.
 102) Add 'allowInvalid' builtin action.
 103) Expand range of Traceroute ports.
 102) Correct uninitialized variable in setup_ecn()
 103) Allow DHCP to be IPSEC-encrypted.
--- a/STABLE2/configpath
+++ b/STABLE2/configpath
@ -1,7 +1,7 @@
 #
-# Shorewall version 2.0 - Default Config Path 
+# Shorewall version 2.2 - Default Config Path 
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
--- a/STABLE2/ecn
+++ b/STABLE2/ecn
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - /etc/shorewall/ecn
+# Shorewall 2.2 - /etc/shorewall/ecn
 #
 #	Use this file to list the destinations for which you want to
 #	disable ECN.
@ -12,7 +12,9 @@
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
 #			  If left empty or supplied as "-",
-#			  0.0.0.0/0 is assumed.
+#			  0.0.0.0/0 is assumed. If your kernel and iptables
 #			  include iprange match support then IP address ranges
 #			  are also permitted.
 ##############################################################################
 #INTERFACE	HOST(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
-#     (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://seattlefirewall.dyndns.org
 #
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=2.0.16
+VERSION=2.2.0
 usage() # $1 = exit status
 {
@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
 restore_file /etc/shorewall/interfaces
 restore_file /etc/shorewall/ipsec
 restore_file /etc/shorewall/hosts
 restore_file /etc/shorewall/rules
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
--- a/STABLE2/functions
+++ b/STABLE2/functions
@ -1,6 +1,27 @@
 #!/bin/sh
 #
-# Shorewall 2.0 -- /usr/share/shorewall/functions
+# Shorewall 2.2 -- /usr/share/shorewall/functions
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
 #
 truncate() # $1 = length
 {
    cut -b -${1}
 }
 #
 # Split a colon-separated list into a space-separated list
 #
 split() {
    local ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 #
 # Search a list looking for a match -- returns zero if a match found
@ -229,7 +250,7 @@ find_zones() # $1 = name of the zone file
 	    \#*)
 		;;
            $FW)
-	        echo "Reserved zone name \"$zone\" in zones file ignored" >&2
+	        echo "   Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
 		;;
            *)
 		echo $zone
@ -255,12 +276,16 @@ determine_zones()
    multi_display=Multi-zone
    strip_file zones $zonefile
    zones=$(find_zones $TMP_DIR/zones)
-    zones=$(echo $zones) # Remove extra trash
+    newzones=
    for zone in $zones; do
 	dsply=$(find_display $zone $TMP_DIR/zones)
 	[ ${#zone} -gt 5 ] && echo "   Warning: Zone name longer than 5 characters: $zone" >&2
 	eval ${zone}_display=\$dsply
 	newzones="$newzones $zone"
    done
    zones=${newzones# }
 }
 #
@ -377,7 +402,7 @@ mktempfile() {
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
-		echo "   ERROR:Internal error in mktempfile"
+		echo "   ERROR:Internal error in mktempfile" >&2
 		;;
 	esac
    else
@ -393,7 +418,7 @@ mktempfile() {
 		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 		;;
 	    *)
-		echo "   ERROR:Internal error in mktempfile"
+		echo "   ERROR:Internal error in mktempfile" >&2
 		;;
 	esac
    fi
@ -417,10 +442,10 @@ mktempdir() {
 	    mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 	    ;;
 	*)
-	    echo "   ERROR:Internal error in mktempdir"
+	    echo "   ERROR:Internal error in mktempdir" >&2
 	    ;;
 	esac
-}		
+}	
 #
 # Read a file and handle "INCLUDE" directives
@ -531,13 +556,20 @@ encodeaddr() {
 ip_range() {
    local first last l x y z vlsm
-    case $1 in 
+    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
+	!*)
-	;;
+	    #
-    *)
+	    # Let iptables complain if it's a range
-	echo $1
+	    #
-	return
+	    echo $1
-	;;
+	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
@ -680,6 +712,9 @@ chain_base() #$1 = interface
 	    *-*)
 		c="${c%-*}_${c##*-}"
 		;;
 	    *%*)
 		c="${c%\%*}_${c##*%}"
 		;;
 	    *)
 		echo ${c:=common}
 		return
@ -699,11 +734,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
    case $1 in
 	*+)
-	    #
+	    test  "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
 	    # Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
 	    # variable expansion :-(
 	    #
 	    test  "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
 	    ;;
 	*)
 	    test "x$1" = "x$2"
@ -767,3 +798,11 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
 #
 find_interface_addresses() # $1 = interface
 {
    ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
 }
--- a/STABLE2/help
+++ b/STABLE2/help
@ -1,11 +1,11 @@
 #!/bin/sh
 #
-# Shorewall help subsystem - V2.0 - 2/14/2004
+# Shorewall help subsystem - V2.2
 #
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
-#     (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
 #                     Steve Herber (herber@thing.com)
 #
 #	This file should be placed in /usr/share/shorewall/help
@ -29,11 +29,18 @@
 case $1 in
 add)
-	echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
+	echo "add: add <interface>[:<host-list>] ... <zone>
-    Adds a host or subnet to a dynamic zone usually used with VPN's.
+    Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
-    shorewall add interface[:port][:host] zone - Adds the specified interface
+    shorewall add interface:host-list ... zone - Adds the specified interface
-    (and bridge port/host if included) to the specified zone.
+    (and host-list if included) to the specified zone.
    A host-list is a comma-separated list whose elements are:
        A host or network address
        The name of a bridge port
        The name of a bridge port followed by a colon (":") and a host or
        network address.
    Example:
@ -46,7 +53,9 @@ add)
 address|host)
        echo "<$1>: 
    May be either a host IP address such as 192.168.1.4 or a network address in
-    CIDR format like 192.168.1.0/24"
+    CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
    match support then IP address ranges of the form <low address>-<high address>
    are also permitted."
 	;;
 allow)
@ -60,7 +69,7 @@ allow)
 	;;
 check)
-	echo "check: check [ -c <configuration-directory> ]
+	echo "check: check [ <configuration-directory> ]
   Performs a cursory validation of the zones, interfaces, hosts,
   rules and policy files.  Use this if you are unsure of any edits
   you have made to the shorewall configuration.  See the try command
@ -93,11 +102,18 @@ debug)
 	;;
 delete)
-	echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
+	echo "delete: delete <interface>[:<host-list>] ... <zone>
-    Deletes a host or subnet from a dynamic zone usually used with VPN's.
+    Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
-    shorewall delete interface[:port][:host] zone - Deletes the specified
+    shorewall delete interface[:host-list] ... zone - Deletes the specified
-    interface (and bridge port/host if included) from the specified zone.
+    interfaces (and host list if included) from the specified zone.
    A host-list is a comma-separated list whose elements are:
        A host or network address
        The name of a bridge port
        The name of a bridge port followed by a colon (":") and a host or
        network address.
    Example:
@ -187,7 +203,7 @@ reset)
 	;;
 restart)
-	echo "restart: restart [ -q ] [ -c <configuration-directory> ]
+	echo "restart: [ -q ] restart [ <configuration-directory> ]
    Restart is the same as a shorewall stop && shorewall start.
    Existing connections are maintained.
    If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
@ -217,7 +233,7 @@ save)
 	;;
 show)
-	echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
+	echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
    shorewall [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)
@ -236,17 +252,20 @@ show)
    shorewall show tc - displays information about the traffic
 	control/shaping configuration.
    shorewall show zones - displays the contents of all zones.
    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
 	;;
 start)
-	echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
+	echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
    Start shorewall.  Existing connections through shorewall managed
    interfaces are untouched.  New connections will be allowed only
    if they are allowed by the firewall rules or policies.
    If \"-q\" is specified, less detail is displayed making it easier to spot warnings
    If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
-    in shorewall.conf will be restored if that saved configuration exists"
+    in shorewall.conf will be restored if that saved configuration exists. In that
    case, a <configuration-directory> may not be specified".
 	;;
 stop)
--- a/STABLE2/hosts
+++ b/STABLE2/hosts
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - /etc/shorewall/hosts
+# Shorewall 2.2 - /etc/shorewall/hosts
 #
 #	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
 #	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -28,12 +28,15 @@
 #			a) The IP address of a host
 #			b) A subnetwork in the form
 #			   <subnet-address>/<mask width>
-#			c) A physical port name; only allowed when the
+#			c) An IP address range of the form <low address>-<high
 #			   address>. Your kernel and iptables must have iprange
 #			   match support.
 #			d) A physical port name; only allowed when the
 #			   interface names a bridge created by the
 #			   brctl addbr command. This port must not
 #			   be defined in /etc/shorewall/interfaces and may
 #			   optionally followed by a colon (":") and a
-#			   host or network IP.
+#			   host or network IP or a range.
 #			   See http://www.shorewall.net/Bridge.html for details.
 #
 #		  Examples:
@ -43,6 +46,7 @@
 #			eth3:192.168.2.0/24,192.168.3.1
 #			br0:eth4
 #			br0:eth0:192.168.1.16/28
 #			eth4:192.168.1.44-192.168.1.49
 #
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
@ -124,5 +128,12 @@
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
 #			ipsec        - The zone is accessed via a
 #				       kernel 2.6 ipsec SA. Note that if the
 #				       zone named in the ZONE column is 
 #				       specified as an IPSEC zone in the
 #				       /etc/shorewall/ipsec file then you do NOT
 #				       need to specify the 'ipsec' option here.
 #
 #ZONE		HOST(S)				OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
--- a/STABLE2/init
+++ b/STABLE2/init
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/init
+# Shorewall 2.2 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
--- a/STABLE2/init.sh
+++ b/STABLE2/init.sh
@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
-#     (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
--- a/STABLE2/initdone
+++ b/STABLE2/initdone
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/initdone
+# Shorewall 2.2 -- /etc/shorewall/initdone
 #
 # Add commands below that you want to be executed during 
 # "shorewall start" or "shorewall restart" commands at the point where
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.16
+VERSION=2.2.0
 usage() # $1 = exit status
 {
@ -176,16 +176,16 @@ echo  "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
 #
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
-mkdir -p ${PREFIX}/etc/shorewall         && chmod 700 ${PREFIX}/etc/shorewall
+mkdir -p ${PREFIX}/etc/shorewall
-mkdir -p ${PREFIX}/usr/share/shorewall   && chmod 700 ${PREFIX}/usr/share/shorewall
+mkdir -p ${PREFIX}/usr/share/shorewall
-mkdir -p ${PREFIX}/var/lib/shorewall     && chmod 700 ${PREFIX}/var/lib/shorewall
+mkdir -p ${PREFIX}/var/lib/shorewall
 #
 # Install the config file
 #
 if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
   backup_file /etc/shorewall/shorewall.conf
 else
-   run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
+   run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
   echo
   echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
 fi
@ -195,7 +195,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/zones ]; then
    backup_file /etc/shorewall/zones
 else
-    run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones
+    run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
    echo
    echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
 fi
@ -247,6 +247,16 @@ else
    echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
 fi
 #
 # Install the ipsec file
 #
 if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
    backup_file /etc/shorewall/ipsec
 else
    run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
    echo
    echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
 fi
 #
 # Install the hosts file
 #
 if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
@ -539,53 +549,45 @@ fi
 #
 install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
-if [ -z "$PREFIX" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
-    if [ -n "$first_install" ]; then
+    if [ -n "$DEBIAN" ]; then
-	if [ -n "$DEBIAN" ]; then
+	run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
-	    run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
+	ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
-	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+	echo
-	    echo
+	echo "shorewall will start automatically at boot"
-	    echo "shorewall will start automatically at boot"
+	echo "Set startup=1 in /etc/default/shorewall to enable"
-	    echo "Set startup=1 in /etc/default/shorewall to enable"
+    else
-	else
+	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if insserv /etc/init.d/shorewall ; then
-		if insserv /etc/init.d/shorewall ; then
+		echo
-		    echo
+		echo "shorewall will start automatically at boot"
-		    echo "shorewall will start automatically at boot"
+		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
-		    echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+	    else
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add shorewall ; then
 		    echo
 		    echo "shorewall will start automatically in run levels as follows:"
 		    echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
 		    chkconfig --list shorewall
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add shorewall default; then
 		    echo
 		    echo "shorewall will start automatically at boot"
 		    echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
 		else
 		    cant_autostart
 		fi
 	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
-	    
+	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	    echo \
+	    if chkconfig --add shorewall ; then
-"########################################################################
+		echo
-#      REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL            #
+		echo "shorewall will start automatically in run levels as follows:"
-########################################################################" > /etc/shorewall/startup_disabled
+		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 		chkconfig --list shorewall
 	    else
 		cant_autostart
 	    fi
 	elif [ -x /sbin/rc-update ]; then
 	    if rc-update add shorewall default; then
 		echo
 		echo "shorewall will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 	    else
 		cant_autostart
 	    fi
 	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 	    cant_autostart
 	fi
-    elif [ -n "$DEBIAN" -a ! -f /etc/default/shorewall ]; then
+    fi
- 	run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
+fi
-    fi	
+
 fi	   
 #
 #  Report Success
 #
--- a/STABLE2/interfaces
+++ b/STABLE2/interfaces
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Interfaces File
+# Shorewall 2.2 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@ -75,12 +75,23 @@
 #				       option does not cover those ranges
 #				       reserved by RFC 1918 -- see above).
 #
 #				       I PERSONALLY RECOMMEND AGAINST USING
 #				       THE 'nobogons' OPTION.
 #
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
 #                                      option can also be enabled globally in
 #				       the /etc/shorewall/shorewall.conf file.
 #
-#	.	.	blacklist    - Check packets arriving on this interface
+#			logmartians  - turn on kernel martian logging (logging
 #				       of packets with impossible source
 #				       addresses. It is suggested that if you
 #				       set routefilter on an interface that
 #				       you also set logmartians. This option
 #				       may also be enabled globally in the
 #				       /etc/shorewall/shorewall.conf file.
 #
 #			blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
 #
--- a/STABLE2/ipsec
+++ b/STABLE2/ipsec
@ -0,0 +1,58 @@
 #
 # Shorewall 2.2 - /etc/shorewall/ipsec
 #
 #	This file defines the attributes of zones with respect to
 #	IPSEC. To use this file, you must be running a 2.6 kernel and
 #       both your kernel and iptables must include Policy Match Support.
 #
 #	The columns are:
 #
 #		ZONE	The name of a zone defined in /etc/shorewall/zones. The
 #			$FW zone may not be listed.
 #
 #		IPSEC   Yes --  Communication with all zone hosts is encrypted
 #		ONLY	No  --  Communication with some zone hosts is encrypted. 
 #				Encrypted hosts are designated using the 'ipsec'
 #				option in /etc/shorewall/hosts. 				
 #
 #		OPTIONS,        A comma-separated list of options as follows:
 #		IN OPTIONS,
 #		OUT OPTIONS	reqid=<number> where <number> is specified
 #				using setkey(8) using the 'unique:<number>
 #				option for the SPD level.
 #
 #				spi=<number> where <number> is the SPI of
 #				the SA used to encrypt/decrypt packets.
 #
 #				proto=ah|esp|ipcomp
 #
 #				mss=<number> (sets the MSS field in TCP packets) 
 #
 #				mode=transport|tunnel
 #
 #				tunnel-src=<address>[/<mask>] (only
 #				available with mode=tunnel)
 #
 #				tunnel-dst=<address>[/<mask>] (only
 #				available with mode=tunnel)
 #
 #				strict  Means that packets must match all rules.
 #
 #				next    Separates rules; can only be used with
 #                                       strict..
 #
 #			Example:
 #				mode=transport,reqid=44
 #
 #		The options in the OPTIONS column are applied to both incoming
 #		and outgoing traffic. The IN OPTIONS are applied to incoming
 #		traffic (in addition to OPTIONS) and the OUT OPTIONS are 
 #		applied to outgoing traffic.
 #
 #		If you wish to leave a column empty but need to make an entry
 #		in a following column, use "-".
 ###################################################################################
 #ZONE	IPSEC	OPTIONS			IN			OUT
 #	ONLY				OPTIONS			OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/ipsecvpn
+++ b/STABLE2/ipsecvpn
@ -0,0 +1,296 @@
 #!/bin/sh
 ################################################################################
 #
 #    ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
 #                IPSEC connection
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
 #     (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 RCDLINKS="2,S42 3,S42 6,K42"
 #### BEGIN INIT INFO
 # Provides:	  ipsecvpn
 # Required-Start: $shorewall
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
 # Description:	  starts and stops a tunnel-mode VPN connection
 ### END INIT INFO
 # chkconfig: 2345 26 89
 # description: IPSEC tunnel-mode connection
 #
 ################################################################################
 #
 # External Interface
 #
 INTERFACE=eth0
 #
 # Remote IPSEC Gateway
 #
 GATEWAY=1.2.3.4
 #
 # Networks behind the remote gateway (space-separated list)
 #
 NETWORKS="192.168.1.0/24"
 #
 # Directory where X.509 certificates are stored.
 #
 CERTS=/etc/certs
 #
 # Certificate to be used for this connection. The cert 
 # directory must contain:
 #
 #     ${CERT}.pem     - the certificate
 #     ${CERT}_key.pem - the certificates's key
 #
 CERT=roadwarrior
 #
 #     The setkey binary
 #
 SETKEY=/usr/sbin/setkey
 #
 #     The racoon binary
 #
 RACOON=/usr/sbin/racoon
 #
 # Message to stderr
 #
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
 }
 #
 # Fatal error -- stops the firewall after issuing the error message
 #
 fatal_error() # $* = Error Message
 {
    echo "   Error: $@" >&2
    exit 2
 }
 #
 # Find interface address--returns the first IP address assigned to the passed
 # device
 #
 find_first_interface_address() # $1 = interface
 {
    #
    # get the line of output containing the first IP address
    #
    addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
    #
    # If there wasn't one, bail out now
    #
    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
    #
    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
    # along with everything else on the line
    #
    echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
 }
 #
 # Create a Racoon configuration file using the variables above
 #
 make_racoon_conf() {
    echo "path certificate \"$CERTS\";"
    echo
    echo "listen"
    echo "{"
    echo "    isakmp $IPADDR;"
    echo "}"
    echo
    echo "remote $GATEWAY"
    echo "{"
    echo "    exchange_mode main;"
    echo "    certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
    echo "    verify_cert on;"
    echo "    my_identifier asn1dn ;"
    echo "    peers_identifier asn1dn ;"
    echo "    verify_identifier on ;"
    echo "    lifetime time 24 hour ;"
    echo "    proposal {"
    echo "        encryption_algorithm blowfish;"
    echo "        hash_algorithm sha1;"
    echo "        authentication_method rsasig ;"
    echo "        dh_group 2 ;"
    echo "    }"
    echo "}"
    echo
    for network in $NETWORKS; do
 	echo "sainfo address $IPADDR/32 any address $network any"
 	echo "{"
 	echo "    pfs_group 2;"
 	echo "    lifetime time 12 hour ;"
 	echo "    encryption_algorithm blowfish ;"
 	echo "    authentication_algorithm hmac_sha1, hmac_md5 ;"
 	echo "    compression_algorithm deflate ;"
 	echo "}"
 	echo
 	echo "sainfo address $network any address $IPADDR/32 any"
 	echo "{"
 	echo "    pfs_group 2;"
 	echo "    lifetime time 12 hour ;"
 	echo "    encryption_algorithm blowfish ;"
 	echo "    authentication_algorithm hmac_sha1, hmac_md5 ;"
 	echo "    compression_algorithm deflate ;"
 	echo "}"
    done
    echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
    echo "{"
    echo "    pfs_group 2;"
    echo "    lifetime time 12 hour ;"
    echo "    encryption_algorithm blowfish ;"
    echo "    authentication_algorithm hmac_sha1, hmac_md5 ;"
    echo "    compression_algorithm deflate ;"
    echo "}"
    echo
    echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
    echo "{"
    echo "    pfs_group 2;"
    echo "    lifetime time 12 hour ;"
    echo "    encryption_algorithm blowfish ;"
    echo "    authentication_algorithm hmac_sha1, hmac_md5 ;"
    echo "    compression_algorithm deflate ;"
    echo "}"
 }
 #
 # Make a setkey configuration file using the variables above
 #
 make_setkey_conf() 
 {
    echo "flush;"
    echo "spdflush;"
    echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out  ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
    echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in   ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
    for network in $NETWORKS; do
 	echo "spdadd $IPADDR/32 $network any -P out  ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
 	echo "spdadd $network $IPADDR/32 any -P in   ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
    done
 }
 #
 # Start the Tunnel
 #
 start() 
 {
    #
    # Get the first IP address configured on the device in INTERFACE
    #
    IPADDR=$(find_first_interface_address $INTERFACE)
    #
    # Create the name of the setkey temporary file
    #
    TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
    [ $? -eq 0 ] || fatal_error "Can't create temporary file name"
    #
    # Create the file
    #
    make_setkey_conf > $TEMPFILE
    #
    # Create the SPD
    #
    $SETKEY -f $TEMPFILE
    #
    # We can now remove the file
    #
    rm -f $TEMPFILE
    #
    # Create another name -- make this distict to aid debugging
    # (just comment out the 'rm' commands)
    #
    TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
    [ $? -eq 0 ] || fatal_error "Can't create temporary file name"
    #
    # Create the file
    #
    make_racoon_conf > $TEMPFILE
    #
    # Start Racoon Daemon
    #
    $RACOON -4 -f $TEMPFILE
    #
    # Once the Daemon is running, we can remove the file
    #
    rm -f $TEMPFILE
 }
 #
 # Stop the Tunnel
 #
 stop() 
 {
    #
    # Kill any racoon daemons
    #
    killall racoon
    #
    # Purge the SAD and SPD
    #
    setkey -F -FP
 }
 #
 # Display command syntax and abend
 #
 usage() 
 {
    error_message "usage: $(basename $0) [start|stop|restart]"
    exit 1
 }
 ################################################################################
 #                       C O D E    S T A R T S    H E R E
 ################################################################################
 [ $# -eq 1 ] || usage
 case $1 in
    start)
 	start
 	;;
    stop)
 	stop
 	;;
    restart)
 	stop
 	sleep 2
 	start
 	;;
    *)
 	usage
 	;;
 esac
--- a/STABLE2/maclist
+++ b/STABLE2/maclist
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - MAC list file
+# Shorewall 2.2 - MAC list file
 #
 # /etc/shorewall/maclist
 #
@ -15,7 +15,9 @@
 #
 #	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
 #			must match. This column can contain a comma-separated
-#			list of host and/or subnet addresses.
+#			list of host and/or subnet addresses. If your kernel
 #			and iptables have iprange match support then IP 
 #			address ranges are also allowed.
 ##############################################################################
 #INTERFACE	        MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE2/masq
+++ b/STABLE2/masq
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - Masquerade file
+# Shorewall 2.2 - Masquerade file
 #
 # /etc/shorewall/masq
 #
@ -20,6 +20,24 @@
 #		     This may be qualified by adding the character
 #                    ":" followed by a destination host or subnet.
 #
 #		     If you wish to inhibit the action of ADD_SNAT_ALIASES
 #		     for this entry then include the ":" but omit the digit:
 #
 #				eth0:
 #				eth2::192.0.2.32/27
 #
 #		     Normally Masq/SNAT rules are evaluated after those for
 #		     one-to-one NAT (/etc/shorewall/nat file). If you want
 #		     the rule to be applied before one-to-one NAT rules,
 #		     prefix the interface name with "+":
 #
 #			+eth0
 #			+eth0:192.0.2.32/27
 #			+eth0:2
 #
 #		     This feature should only be required if you need to 
 #		     insert rules in this file that preempt entries in
 #		     /etc/shorewall/nat.
 #
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
@ -42,13 +60,6 @@
 #				will automatically add this address to the
 #				INTERFACE named in the first column.
 #
 #				If you have set ADD_SNAT_ALIASES=Yes in
 #				/etc/shorewall/shorewall.conf then DO NOT
 #				PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
 #				ADDRESS IN THIS COLUMN -- If you do so, you
 #				will loose your default route when Shorewall
 #				starts.
 #
 #				You may also specify a range of up to 256
 #				IP addresses if you want the SNAT address to
 #				be assigned from that range in a round-robin
@ -59,9 +70,22 @@
 #
 #				Finally, you may also specify a comma-separated
 #				list of ranges and/or addresses in this column.
-#				
+#
 #				This column may not contain DNS Names.
 #
 #				Normally, Netfilter will attempt to retain
 #				the source port number. You may cause 
 #				netfilter to remap the source port by following
 #				an address or range (if any) by ":" and
 #				a port range with the format <low port>-
 #				<high port>. If this is done, you must 
 #				specify "tcp" or "udp" in the PROTO column.
 #				
 #				Examples:
 #
 #					192.0.2.4:5000-6000
 #					:4000-5000
 #
 #				If you want to leave this column empty
 #				but you need to specify the next column then
 #				place a hyphen ("-") here.
@ -82,6 +106,42 @@
 #				support and a maximum of 15 ports may be 
 #				listed.
 #				
 #	IPSEC -- (Optional)	If you specify a value other than "-" in this
 #				column, you must be running kernel 2.6 and 
 #				your kernel and iptables must include policy
 #				match support.
 #
 #				Comma-separated list of options from the following.
 #				Only packets that will be encrypted via an SA that
 #				matches these options will have their source address
 #				changed.
 #
 #					Yes or yes -- must be the only option listed
 #					and matches all outbound traffic that will be
 #					encrypted.
 #
 #					reqid=<number> where <number> is specified
 #					using setkey(8) using the 'unique:<number>
 #					option for the SPD level.
 #
 #					spi=<number> where <number> is the SPI of
 #					the SA.
 #
 #					proto=ah|esp|ipcomp 
 #
 #					mode=transport|tunnel
 #
 #					tunnel-src=<address>[/<mask>] (only
 #					available with mode=tunnel)
 #
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel) 
 #
 #					strict  Means that packets must match all
 #						rules.
 #
 #					next    Separates rules; can only be used
 #						with strict..
 #
 #	Example 1:
 #
@ -136,5 +196,5 @@
 #		THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
 #
 ###############################################################################
-#INTERFACE	        SUBNET		ADDRESS		PROTO	PORT(S)
+#INTERFACE	        SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE2/modules
+++ b/STABLE2/modules
@ -1,5 +1,5 @@
 ##############################################################################
-# Shorewall 2.0 /etc/shorewall/modules
+# Shorewall 2.2 /etc/shorewall/modules
 #
 # This file loads the modules needed by the firewall.
 #
--- a/STABLE2/nat
+++ b/STABLE2/nat
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0  -- Network Address Translation Table
+# Shorewall 2.2  -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
@ -16,6 +16,7 @@
 #	EXTERNAL	External IP Address - this should NOT be the primary
 #			IP address of the interface named in the next
 #			column and must not be a DNS Name.
 #
 #	INTERFACE	Interface that you want to EXTERNAL address to appear
 #                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
 #			follow the interface name with ":" and a digit to
@ -24,14 +25,21 @@
 #			see the alias with ifconfig. THAT IS THE ONLY THING
 #			THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
 #			ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
 #
 #			If you want to override ADD_IP_ALIASES=Yes for a
 #			particular entry, follow the interface name with
 #			":" and no digit (e.g., "eth0:").
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #
 #       ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.
 #                       If No or no (or left empty) then NAT will be effective
 #                       only through the interface named in the INTERFACE
 #                       column
 #
 #       LOCAL           If Yes or yes, NAT will be effective from the firewall
 #                       system
 ##############################################################################
-#EXTERNAL	INTERFACE	INTERNAL	ALL	 		LOCAL
+#EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
 #						INTERFACES
 #
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/STABLE2/netmap
+++ b/STABLE2/netmap
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0  -- Network Mapping Table
+# Shorewall 2.2  -- Network Mapping Table
 #
 # /etc/shorewall/netmap
 #
--- a/STABLE2/params
+++ b/STABLE2/params
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/params
+# Shorewall 2.2 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
--- a/STABLE2/policy
+++ b/STABLE2/policy
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Policy File
+# Shorewall 2.2 -- Policy File
 #
 # /etc/shorewall/policy
 #
@ -66,20 +66,24 @@
 #			and the size of an acceptable burst. If not specified,
 #			TCP connections are not limited.
 #
-#	As shipped, the default policies are:
+#	Example:
 #
 #	a) All connections from the local network to the internet are allowed
 #	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
 #
 #	#SOURCE		DEST		POLICY		LOG
 #	#						LEVEL
 #	loc		net		ACCEPT
 #	net		all		DROP		info
 #	#
 #	# THE FOLLOWING POLICY MUST BE LAST
 #	#	
 #	all		all		REJECT		info 
 #
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
 #						LEVEL
 loc		net		ACCEPT
 net		all		DROP		info
 #
 # THE FOLLOWING POLICY MUST BE LAST
 #	
 all		all		REJECT		info 
 #LAST LINE -- DO NOT REMOVE
--- a/STABLE2/proxyarp
+++ b/STABLE2/proxyarp
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0 -- Proxy ARP
+# Shorewall 2.2 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@ -1,235 +1,600 @@
-Shorewall 2.0.16
+Shorewall 2.2.1
 ----------------------------------------------------------------------
 Problems Corrected in version 2.0.4
 1)  A DNAT rule with 'fw' as the source that specified logging caused
    "shorewall start" to fail.
 ----------------------------------------------------------------------
 Problems Corrected in version 2.0.5
 1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during 
   "shorewll stop" in the case where DISABLE_IPV6=Yes in 
   shorewall.conf.
 2) An anachronistic reference to the mangle option was removed from
   shorewall.conf.
 ----------------------------------------------------------------------
 Problems Corrected in version 2.0.6
 1) Some users have reported the pkttype match option in iptables/
   Netfilter failing to match certain broadcast packets. The result 
   is that the firewall log shows a lot of broadcast packets.
   Other users have complained of the following message when 
   starting Shorewall:
 	    modprobe: cant locate module ipt_pkttype
   Users experiencing either of these problems can use PKTTYPE=No in
   shorewall.conf to cause Shorewall to use IP address filtering of 
   broadcasts rather than packet type.
 2) The shorewall.conf and zones file are no longer given execute
   permission by the installer script.
 3) ICMP packets that are in the INVALID state are now dropped by the
   Reject and Drop default actions. They do so using the new 
   'dropInvalid' builtin action.
 -----------------------------------------------------------------------
 Problems Corrected in version 2.0.7
 1) The PKTTYPE option introduced in version 2.0.6 is now used when
   generating rules to REJECT packets. Broadcast packets are silently
   dropped rather than being rejected with an ICMP (which is a protocol
   violation) and users whose kernels have broken packet type match
   support are likely to see messages reporting this violation.
   Setting PKTTYPE=No should cause these messages to cease. 
 2) Multiple interfaces with the 'blacklist' option no longer result in
   an error message at startup.
 3) The following has been added to /etc/shorewall/bogons:
       0.0.0.0	 RETURN
   This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
   broadcasts. 
 -----------------------------------------------------------------------
 New Features in version 2.0.7
 1) To improve supportability, the "shorewall status" command now
   includes IP and Route configuration information.
   Example:
   IP Configuration
   1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
      inet6 ::1/128 scope host
   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
      inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
      inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
   5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
      link/sit 0.0.0.0 brd 0.0.0.0
   6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
      inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
      link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
      inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
      inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   Routing Rules
   0:      from all lookup local	
   32765:  from all fwmark       ca lookup www.out
   32766:  from all lookup main
   32767:  from all lookup default
   Table local:
   broadcast 192.168.1.0 dev br0  proto kernel  scope link  src 192.168.1.3
   broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
   local 192.168.1.3 dev br0  proto kernel  scope host  src 192.168.1.3
   broadcast 192.168.1.255 dev br0  proto kernel  scope link  src 192.168.1.3
   broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
   local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
   local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
   Table www.out:
   default via 192.168.1.3 dev br0
   Table main:
   192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.3
   default via 192.168.1.254 dev br0
   Table default:
 -----------------------------------------------------------------------
 Problems Corrected in version 2.0.8
 1) User/group restricted rules now work in actions.
 -----------------------------------------------------------------------
-Problems Corrected in version 2.0.9
+Problems corrected in version 2.2.1
-1) Previously, an empty PROTO column or a value of "all" in that column
+1) The /etc/shorewall/policy file contained a misleading comment and
-   would cause errors when processing the /etc/shorewall/tcrules file.
+   both that file and the /etc/shorewall/zones file lacked examples.
-New Fewatures in version 2.0.9
+2) Shorewall previously used root's default umask which could cause
-
+   files in /var/lib/shorewall to be world-readable. Shorewall now uses
-1) The "shorewall status" command now includes the output of "brctl
+   umask 0177.
   show" if the bridge tools are installed.
 -----------------------------------------------------------------------
-Problems corrected in version 2.0.10
+Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
-1) The GATEWAY column was previously ignored in 'pptpserver' entries in
+1)  Shorewall configuration files except shorewall.conf are now empty
-   /etc/shorewall/tunnels.
+    (they contain only comments). If you wish to retain the defaults
    in any of the following files, you should copy these files before
    upgrading them then restore them after the upgrade:
-2) When log rule numbers are included in the LOGFORMAT, duplicate
+    /etc/shorewall/zones
-   rule numbers could previously be generated.
+    /etc/shorewall/policy
    /etc/shorewall/tos
-3) The /etc/shorewall/tcrules file now includes a note to the effect
+2)  The following builtin actions have been removed and have been
-   that rule evaluation continues after a match.
+    replaced by the new action logging implementation described in the
    new features below.
-4) The error message produced if Shorewall couldn't obtain the routes 
+	logNotSyn
-   through an interface named in the SUBNET column of
+	rLogNotSyn
-   /etc/shorewall/masq was less than helpful since it didn't include
+	dLogNotSyn
   the interface name.
 -----------------------------------------------------------------------
 New Features in 2.0.10
-The "shorewall status" command has been enhanced to include the values
+3)  If shorewall.conf is upgraded to the latest version, it needs to be
-of key /proc settings:
+    modified to set STARTUP_ENABLED=Yes
-Example from a two-interface firewall:
+4)  The Leaf/Bering version of Shorewall was previously named:
-/proc
+	shorwall-<version>.lrp
-   /proc/sys/net/ipv4/ip_forward = 1
+    Beginning with 2.2, that file will now be named:
-   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
+
-   /proc/sys/net/ipv4/conf/all/arp_filter = 0
+	shorewall-lrp-<version>.tgz
-   /proc/sys/net/ipv4/conf/all/rp_filter = 0
+
-   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
+    Simply rename that file to 'shorwall.lrp' when installing it on your
-   /proc/sys/net/ipv4/conf/default/arp_filter = 0
+    LEAF/Bering system.
-   /proc/sys/net/ipv4/conf/default/rp_filter = 0
+
-   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
+5)  The ORIGINAL DEST column of the /etc/shorewall/rules file may no
-   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
+    longer contain a second (SNAT) address. You must use an entry in
-   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
+    /etc/shorewall/masq instead.
-   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
+
-   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
+    Example from Shorewall FAQ #1:
-   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
+
-   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
+    Prior to Shorewall 2.2:
-   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
+
-   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
+	  /etc/shorewall/interfaces
 		loc	eth1	detect	routeback,...
 	  /etc/shorewall/rules
 		DNAT	loc	loc:192.168.1.12	tcp	80 \
 			-	130.252.100.69:192.168.1.254
    Shorewall 2.2 and Later:
 	  /etc/shorewall/interfaces
 		loc	eth1	detect	routeback,...
 	  /etc/shorewall/masq:
 		eth1	eth1	192.168.1.254	tcp	80	
 	  /etc/shorewall/rules:
 		DNAT	loc	loc:192.168.1.12	tcp	80 \
 			-	130.252.100.69
 6)  The 'logunclean' and 'dropunclean' options that were deprecated in
    Shorewall 2.0 have now been removed completely.
 7)  A new IPTABLES variable has been added to shorewall.conf. This
    variable names the iptables executable that Shorewall will use. The
    variable is set to "/sbin/iptables". If you use the new
    shorewall.conf, you may need to change this setting to maintain
    compabibility with your current setup (if you use your existing
    shorewall.conf that does not set IPTABLES then you should
    experience no change in behavior).
 8)  The default port for OpenVPN tunnels has been changed from 5000 to
    1194 to reflect the recent IANA allocation of that port for
    OpenVPN.
 -----------------------------------------------------------------------
-Problems corrected in 2.0.11
+New Features in Shorewall 2.2.0:
-1) The INSTALL file now include special instructions for Slackware
+1)  ICMP packets that are in the INVALID state are now dropped by the
-   users.
+    Reject and Drop default actions. They do so using the new 
    'dropInvalid' builtin action. An 'allowInvalid' builtin action is
    also provided which accepts packets in that state.
-2) The bogons file has been updated.
+2)  The /etc/shorewall/masq file INTERFACE column now allows additional
    options.
-3) Service names are replaced by port numbers in /etc/shorewall/tos.
+    Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT 
    rules defined in the /etc/shorewall/nat file. If you preceed the
    interface name with a plus sign ("+") then the rule will be
    evaluated before one-to-one NAT.
-4) A typo in the install.sh file that caused an error during a new
+    Examples:
 install has been corrected.
 -----------------------------------------------------------------------
 New Features in 2.0.11
-1) The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
+	+eth0
 	+eth1:192.0.2.32/27
-----------------------------------------------------------------------
+    Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
-Problems corrected in 2.0.12
+    entry by following the interface name by ":" but no digit. 
-1) A typo in shorewall.conf (NETNOTSYN) has been corrected.
+    Examples:
-2) The "shorewall add" and "shorewall delete" commands now work in a
+	eth0:
-   bridged environment. The syntax is:
+	eth1::192.0.2.32/27
 	+eth3:
-	   shorewall add <interface>[:<port>]:<address> <zone>
+3)  Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
-	   shorewall delete <interface>[:<port>]:<address> <zone>
+    you to override the setting of ADD_IP_ALIASES=Yes by following the
    interface name with ":" but no digit.
-   Examples:
+4)  All configuration files in the Shorewall distribution with the
    exception of shorewall.conf are now empty. In particular, the
    /etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos
    files now have no active entries. Hopefully this will stop the
    questions on the support and development lists regarding why the
    default entries are the way they are.
-	   shorewall add br0:eth2:192.168.1.3 OK
+5)  Previously, including a log level (and optionally a log tag) on a
-	   shorewall delete br0:eth2:192.168.1.3 OK
+    rule that specified a user-defined (or Shorewall-defined) action
    would log all traffic passed to the action. Beginning with this
    release, specifying a log level in a rule that specifies a user-
    or Shorewall-defined action will cause each rule in the action to
    be logged with the specified level (and tag).
-3) Previously, "shorewall save" created an out-of-sequence restore
+    The extent to which logging of action rules occurs is goverend by
-   script. The commands saved in the user's /etc/shorewall/start script
+    the following:
   were executed prior to the Netfilter configuration being
   restored. This has been corrected so that "shorewall save" now
   places those commands at the end of the script. 
-   To accomplish this change, the "restore base" file
+    a) When you invoke an action and specify a log level, only those
-   (/var/lib/shorewall/restore-base) has been split into two files:
+    rules in the action that have no log level will be changed to log
    at the level specified at the action invocation.
-   /var/lib/shorewall/restore-base -- commands to be executed before
+    Example:
   Netfilter the configuration is restored.
-   /var/lib/shorewall/restore-tail -- commands to be executed after the
+	/etc/shorewall/action.foo:
   Netfilter configuration is restored.
-4) Previously, traffic from the firewall to a dynamic zone member host
+		ACCEPT	-	-	tcp	22
-   did not need to match the interface specified when the host was
+		bar:info	
   added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
   zone Z then traffic out of any firewall interface to 1.2.3.4 will
   obey the fw->Z policies and rules. This has been corrected.
-----------------------------------------------------------------------
+	/etc/shorewall/rules:
 New Features in 2.0.12
-1)  Variable expansion may now be used with the INCLUDE directive.
+		foo:debug	fw	net
 	Logging in the invoked 'foo' action will be:
 		ACCEPT:debug	-	-	tcp	22
 		bar:info	
    b) If you follow the log level with "!" then logging will
    be at that level for all rules recursively invoked by the action
    Example:
 	/etc/shorewall/action.foo:
 		ACCEPT	-	-	tcp	22
 		bar:info	
 	/etc/shorewall/rules:
 		foo:debug!	fw	net
 	Logging in the invoke 'foo' action will be:
 		ACCEPT:debug	-	-	tcp	22
 		bar:debug!
    This change has an effect on extension scripts used with
    user-defined actions. If you define an action 'acton' and you have
    an /etc/shorewall/acton script then when that script is invoked,
    the following three variables will be set for use by the script:
 	$CHAIN = the name of the chain where your rules are to be
 	placed. When logging is used on an action invocation,
 	Shorewall creates a chain with a slightly different name from
 	the action itself.
 	$LEVEL = Log level. If empty, no logging was specified.
 	$TAG   = Log Tag.
    Example:
    /etc/shorewall/rules:
 	acton:info:test
    Your /etc/shorewall/acton file will be run with:
 	 $CHAIN="%acton1"
 	 $LEVEL="info"
 	 $TAG="test"
 6)  The /etc/shorewall/startup_disabled file is no longer created when 
    Shorewall is first installed. Rather, the variable STARTUP_ENABLED
    is set to 'No' in /etc/shorewall/shorewall.conf. In order to get 
    Shorewall to start, that variable's value must be set to
    'Yes'. This change accomplishes two things:
    a) It prevents Shorewall from being started prematurely by the
    user's initialization scripts.
    b) It causes /etc/shorewall/shorewall.conf to be modified so that
    it won't be replaced by upgrades using RPM.
 7)  Some additional support has been added for the 2.6 Kernel IPSEC
    implementation. To use this support, you must have installed the
    IPSEC policy match patch and the four IPSEC/Netfilter patches
    from Patch-0-Matic-ng. The policy match patch affects both your
    kernel and iptables.
    There are two ways to specify that IPSEC is to be used when
    communicating with a set of hosts; both methods involve the new
    /etc/shorewall/ipsec file:
    a) If encrypted communication is used with all hosts in a zone,
    then you can designate the zone as an "ipsec" zone by placing
    'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
 	#ZONE		IPSEC	OPTIONS ...
 	#		ONLY
 	vpn		Yes
    The hosts in the zone (if any) must be specified in
    /etc/shorewall/hosts but you do not need to specify the 'ipsec'
    option on the entries in that file (see below).
    Dynamic zones involving IPSEC must use that technique.
    Example:
    Under 2.4 Kernel FreeS/Wan:
 	  /etc/shorewall/zones:
 	  net	Net	The big bad Internet
 	  vpn	VPN	Remote Network
 	  /etc/shorewall/interfaces:
 	  net	eth0	...
 	  vpn	ipsec0	...
    Under 2.6 Kernel with this new support:
 	/etc/shorewall/zones:
 	net		Net	The big bad Internet
 	vpn		VPN	Remote Network
 	/etc/shorewall/interfaces:
 	net	eth0	...
 	/etc/shorewall/hosts:
 	vpn	eth0:0.0.0.0/0
 	/etc/shorewall/ipsec
 	vpn	Yes
    b) If only part of the hosts in a zone require encrypted
    communication, you may use of the new 'ipsec' option in
    /etc/shorewall/hosts to designate those hosts.
    Example:
    Under 2.4 Kernel FreeS/Wan:
 	  /etc/shorewall/zones:
 	  net	Net	The big bad Internet
 	  loc	Local	Extended local zone
 	  /etc/shorewall/interfaces:
 	  net	eth0	...
 	  loc	eth1	...
 	  loc	ipsec0	...
    Under 2.6 Kernel with this new support:
 	/etc/shorewall/zones:
 	net		Net	The big bad Internet
 	vpn      	VPN	Remote Network
 	/etc/shorewall/interfaces:
 	net	eth0	...
 	loc	eth1	...
 	/etc/shorewall/hosts:
 	vpn	eth0:0.0.0.0/0	ipsec,...
    Regardless of which technique you choose, you can specify
    additional SA options for the zone in the /etc/shorewall/ipsec
    entry.
    The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
    input-output, input and output characteristics of the security
    associations to be used to decrypt (input) or encrypt (output) traffic
    to/from the zone.
    The available options are:
 	reqid[!]=<number> where <number> is specified using setkey(8) using
 	the 'unique:<number>' option for the SPD level.
 	 spi[!]=<number> where <number> is the SPI of the SA. Since
 	 different SAs are used to encrypt and decrypt traffic, this
 	 option should only be listed in the IN OPTIONS and OUT OPTIONS
 	 columns.
 	 proto[!]=ah|esp|ipcomp
 	 mss=<number> (sets the MSS value in TCP SYN packets and is not
                       related to policy matching) 
 	 mode[!]=transport|tunnel
 	 tunnel-src[!]=<address>[/<mask>] (only available with mode=tunnel)
 	 tunnel-dst[!]=<address>[/<mask>] (only available with
 	 mode=tunnel). Because tunnel source and destination are
 	 dependent on the direction of the traffic, these options
 	 should only appear in the IN OPTIONS and OUT OPTIONS columns.
 	 strict  (if specified, packets must match all policies;
 	 policies are delimited by 'next').
 	 next    (only available with strict)
    Examples:
 	#ZONE	IPSEC	OPTIONS			IN		OUT...
 	#	ONLY				OPTIONS		OPTIONS
 	vpn	Yes	mode=tunnel,proto=esp	spi=1000	spi=1001
 	loc	No	reqid=44,mode=transport
    The /etc/shorewall/masq file has a new IPSEC column added. If you
    specify Yes or yes in that column then the unencrypted packets will
    have their source address changed. Otherwise, the unencrypted
    packets will not have their source addresses changed. This column
    may also contain a comma-separated list of the options specified
    above in which case only those packets that will be encrypted
    by an SA matching the given options will have their source address
    changed.
 8)  To improve interoperability, tunnels of type 'ipsec' no longer
    enforce the use of source port 500 for ISAKMP and OpenVPN 
    tunnels no longer enforce use of the specified port as both the
    source and destination ports.
 9)  A new 'allowBcast' builtin action has been added -- it silently
    allows broadcasts and multicasts.
 10) The -c option in /sbin/shorewall commands is now deprecated. The
    commands where -c was previously allowed now permit you to specify
    a configuration directory after the command:
      shorewall check   [ <configuration-directory> ]
      shorewall restart [ <configuration-directory> ]
      shorewall start   [ <configuration-directory> ]
 11) Normally, when SNAT or MASQUERADE is applied to a tcp or udp 
    connection, Netfilter attempts to retain the source port 
    number. If it has to change to port number to avoid 
    <source address>,<source port> conflicts, it tries to do so
    within port ranges ( < 512, 512-1023, and > 1023). You may
    now specify an explicit range of source ports to be used 
    by following the address or address range (if any) in the
    ADDRESS column with ":" and a port range in the format
    <low-port>-<high-port>. You must specify either "tcp" or
    "udp" in the PROTO column.
    Examples 1 -- MASQUERADE with tcp source ports 4000-5000:
    #INTERFACE SUBNET		  ADDRESS		PROTO
    eth0       192.168.1.0/24	  :4000-5000		tcp
    Example 2 -- SNAT with udp source ports 7000-8000:
    #INTERFACE SUBNET		  ADDRESS		PROTO
    eth0       10.0.0.0/8	  192.0.2.44:7000-8000	udp
 12) You may now account by user/group ID for outbound traffic from the
    firewall itself with entries in /etc/shorewall/accounting. Such
    accounting rules must be placed in the OUTPUT chain.
    See the comments at the top of /etc/shorewall/accounting for
    details.
 13) Shorewall now verifies that your kernel and iptables have physdev
    match support if BRIDGING=Yes in shorewall.conf.
 14) Beginning with this release, if your kernel and iptables have
    iprange match support (see the output from "shorewall check"), then
    with the exception of the /etc/shorewall/netmap file, anywhere that
    a network address may appear an IP address range of the form <low
    address>-<high address> may also appear.
 15) Support has been added for the iptables CLASSIFY target. That
    target allows you to classify packets for traffic shaping directly
    rather than indirectly through fwmark. Simply enter the
    <major>:<minor> classification in the first column of
    /etc/shorewall/tcrules:
    Example:
 	#MARK/      SOURCE       DEST      PROTO     PORT(S)
 	#CLASSIFY
 	1:30	    -		 eth0	   tcp	     25
    Note that when using this form of rule, it is acceptable to include
    the name of an interface in the DEST column.
    Marking using the CLASSIFY target always occurs in the POSTROUTING
    chain of the mangle table and is not affected by the setting of
    MARK_IN_FORWARD_CHAIN in shorewall.conf.
 16) During "shorewall start", IP addresses to be added as a consequence
    of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
    when /etc/shorewall/nat and /etc/shorewall/masq are processed then
    the are re-added later. This is done to help ensure that the
    addresses can be added with the specified labels but can have
    the undesirable side effect of causing routes to be quietly
    deleted. A new RETAIN_ALIASES option has been added to
    shorewall.conf; when this option is set to Yes, existing addresses
    will not be deleted. Regardless of the setting of RETAIN_ALIASES,
    addresses added during "shorewall start" are still deleted at a
    subsequent "shorewall stop" or "shorewall restart".
 17) Users with a large black list (from /etc/shorewall/blacklist) may 
    want to set the new DELAYBLACKLISTLOAD option in
    shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
    enable new connections before loading the blacklist rules. While
    this may allow connections from blacklisted hosts to slip by during
    construction of the blacklist, it can substantially reduce the time
    that all new connections are disabled during "shorewall [re]start".
 18) Using the default LOGFORMAT, chain names longer than 11 characters 
    (such as in user-defined actions) may result in log prefix
    truncation. A new shorewall.conf action  LOGTAGONLY has been added
    to deal with this problem. When LOGTAGONLY=Yes, logging rules that
    specify a log tag will substitute the tag for the chain name in the
    log prefix.
    Example -- file /etc/shorewall/action.thisisaverylogactionname:
    Rule:
 	DROP:info:ftp	0.0.0.0/0	0.0.0.0/0	tcp	    21
    Log prefix with LOGTAGONLY=No:
 	Shorewall:thisisaverylongacti
    Log prefix with LOGTAGONLY=Yes:
 	Shorewall:ftp:DROP
 19) Shorewall now resets the 'accept_source_route' flag for all
    interfaces. If you wish to accept source routing on an interface,
    you must specify the new 'sourceroute' interface option in
    /etc/shorewall/interfaces.
 20) The default Drop and Reject actions now invoke the new standard
    action 'AllowICMPs'. This new action accepts critical ICMP types:
 	Type 3 code 4 (fragmentation needed)
 	Type 11       (TTL exceeded)
 21) Explicit control over the kernel's Martian logging is now provided
    using the new 'logmartians' interface option. If you include
    'logmartians' in the interface option list then logging of Martian
    packets on will be enabled on the specified interface.
    If you wish to globally enable martian logging, you can set
    LOG_MARTIANS=Yes in shorewall.conf.
 22) You may now cause Shorewall to use the '--set-mss' option of the
    TCPMSS target. In other words, you can cause Shorewall to set the
    MSS field of SYN packets passing through the firewall to the value
    you specify. This feature extends the existing CLAMPMSS option in
    /etc/shorewall/shorewall.conf by allowing that option to have a
    numeric value as well as the values "Yes" and "No".
    Example:
 	CLAMPMSS=1400 
 23) Shorewall now includes support for the ipp2p match facility. This
    is a departure from my usual policy in that the ipp2p match
    facility is included in Patch-O-Matic-NG and is unlikely to ever be
    included in the kernel.org source tree. Questions about how to
    install the patch or how to build your kernel and/or iptables
    should not be posted on the Shorewall mailing lists.
    In the following files, the "PROTO" or "PROTOCOL" column may
    contain "ipp2p":
       /etc/shorewall/rules
       /etc/shorewall/tcrules
       /etc/shorewall/accounting
    When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
    PORT(S) or PORT(S) column may contain a recognized ipp2p option;
    for a list of the options and their meaning, at a root prompt:
 	iptables -m ipp2p --help
    You must not include the leading "--" on the option; Shorewall will
    supply those characters for you. If you do not include an option
    then "ipp2p" is assumed (Shorewall will generate "-m ipp2p
    --ipp2p").
 24) Shorewall now has support for the CONNMARK target from iptables.
    See the /etc/shorewall/tcrules file for details.
 25) A new debugging option LOGALLNEW has been added to
    shorewall.conf. When set to a log level, this option causes
    Shorewall to generaate a logging rule as the first rule in each
    builtin chain.
    - The table name is used as the chain name in the log prefix.
    - The chain name is used as the target in the log prefix.
    Example: Using the default LOGFORMAT, the log prefix for logging
    from the nat table's PREROUTING chain is:
 	 Shorewall:nat:PREROUTING
    IMPORTANT: There is no rate limiting on these logging rules so
    use LOGALLNEW at your own risk; it may cause high CPU and disk
    utilization and you may not be able to control your firewall after
    you enable this option.
    DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
    BE SENT TO ANOTHER SYSTEM.
 26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
    SUBNETS and it is now possible to specify a list of addresses in
    that column.
 27) The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS).
 28) For consistency, the CLIENT PORT(S) column in the tcrules file has
    been renamed SOURCE PORT(S).
 29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown
    in the output of "shorewall status".
 30) A new IPTABLES option has been added to shorewall.conf. IPTABLES
    can be used to designate the iptables executable to be used by
    Shorewall. If not specified, the iptables executable determined by
    the PATH setting is used.
 31) You can now use the "shorewall show zones" command to display the
    current contents of the zones. This is particularly useful if you
    use dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
    Example:
 	ursa:/etc/shorewall # shorewall show zones
 	Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004
 	loc
 	   eth0:192.168.1.0/24
 	   eth1:1.2.3.4
 	net	   
 	   eth0:0.0.0.0/0
 	WiFi
 	   eth1:0.0.0.0/0
 	sec
 	   eth1:0.0.0.0/0
 	ursa:/etc/shorewall #
 32) Variable expansion may now be used with the INCLUDE directive.
    Example:
@ -240,46 +605,18 @@ New Features in 2.0.12
        Any other config file:
 	    INCLUDE $FILE
 -----------------------------------------------------------------------
 Problems corrected in 2.0.13
-1) A typo in /usr/share/shorewall/firewall caused the following:
+33) The output of "shorewall status" now includes the results of "ip
    -stat link ls". This helps diagnose performance problems caused by
    link errors.
-   /usr/share/shorewall/firewall: line 1: match_destination_hosts: command 
+34) Previously, when rate-limiting was specified in
   not found
 -----------------------------------------------------------------------
 New Features in 2.0.14
 1)  Previously, when rate-limiting was specified in
    /etc/shorewall/policy (LIMIT:BURST column), any traffic which
    exceeded the specified rate was silently dropped. Now, if a log
    level is given in the entry (LEVEL column) then drops are logged at
    that level at a rate of 5/min with a burst of 5.
 -----------------------------------------------------------------------
 Problems corrected in 2.0.14
-1)  A typo in the /etc/shorewall/interfaces file has been fixed.
+35) Recent 2.6 kernels include code that evaluates TCP packets based on
 2)  "bad variable" error messages occurring during "shorewall stop" and
    "shorewall clear" have been eliminated.
 3)  A misleading typo in /etc/shorewall/tunnels has been corrected.
 -----------------------------------------------------------------------
 Problems corrected in 2.0.15
 1)  The range of ports opened by the AllowTrcrt action has been
    expanded to 33434:33524.
 2)  Code mis-ported from 2.2.0 caused the following error during
    "shorewall start" where SYN rate-limiting is present in
    /etc/shorewall/policy:
      Bad argument `DROP'
      Try `iptables -h' or 'iptables --help' for more information.
 -----------------------------------------------------------------------
 New Features in 2.0.16
 1)  Recent 2.6 kernels include code that evaluates TCP packets based on
    TCP Window analysis. This can cause packets that were previously
    classified as NEW or ESTABLISHED to be classified as INVALID.
@ -299,3 +636,52 @@ New Features in 2.0.16
    If not specified or if specified as empty (e.g., DROPINVALID="")
    then DROPINVALID=Yes is assumed.
 36) The "shorewall add" and "shorewall delete" commands now accept a
    list of hosts to add or delete.
    Examples:
    shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12
    shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12
    The above commands may also be written:
    shorewall add eth1:1.2.3.4,2.3.4.5 z12
    shorewall delete eth1:1.2.3.4,2.3.4.5 z12
 37) TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
    type. OpenVPN entries in /etc/shorewall/tunnels have this format:
    openvpn[:{tcp|udp}][:<port>]	<zone>		<gateway>
    Examples:
 	openvpn:tcp		net	1.2.3.4 # TCP tunnel on port 1194
 	openvpn:3344		net	1.2.3.4 # UDP on port 3344
 	openvpn:tcp:4455	net	1.2.3.4	# TCP on port 4455
 38) A new 'ipsecvpn' script is included in the tarball and in the
    RPM. The RPM installs the file in the Documentation directory
    (/usr/share/doc/packages/shorewall-2.2.0-0RC1).
    This script is intended for use on Roadwarrior laptops for
    establishing an IPSEC SA to/from remote networks. The script has
    some limitations:
    - Only one instance of the script may be used at a time.
    - Only the first SPD accessed will be instantiated at the remote
      gateway. So while the script creates SPDs to/from the remote
      gateway and each network listed in the NETWORKS setting at the
      front of the script, only one of these may be used at a time.
 39) The IANA has recently registered port 1194 for use by OpenVPN. In
    previous versions of Shorewall (and OpenVPN), the default port was
    5000 but has been changed to 1194 to conform to the new OpenVPN
    default.
 40) The output of "shorewall status" now lists the loaded netfilter
    kernel modules.
 41) The range of UDP ports opened by the AllowTrcrt action has been
    increased to 33434:33524.
--- a/STABLE2/rfc1918
+++ b/STABLE2/rfc1918
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0-- RFC1918 File
+# Shorewall 2.2 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
@ -12,14 +12,17 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed)
+# 	SUBNETS		A comma-separated list of subnet addresses
 #			(host addresses also allowed as are IP
 #			address ranges provided that your kernel and iptables
 #			have iprange match support). 
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet
 #			logdrop - log then drop
 #
 ###############################################################################
-#SUBNET			TARGET
+#SUBNETS		TARGET
 172.16.0.0/12		logdrop		# RFC 1918
 192.168.0.0/16		logdrop		# RFC 1918
 10.0.0.0/8		logdrop		# RFC 1918
--- a/STABLE2/routestopped
+++ b/STABLE2/routestopped
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #
@ -12,6 +12,10 @@
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
 #			  addresses. If your kernel and iptables include
 #			  iprange match support, IP address ranges are also
 #			  allowed.
 #
 #			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
 #	OPTIONS         - (Optional) A comma-separated list of
--- a/STABLE2/rules
+++ b/STABLE2/rules
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Rules File
+# Shorewall version 2.2 - Rules File
 #
 # /etc/shorewall/rules
 #
@ -72,6 +72,20 @@
 #			DNAT:debug). This causes the packet to be
 #			logged at the specified level.
 #
 #			If the ACTION names an action defined in
 #			/etc/shorewall/actions or in
 #			/usr/share/shorewall/actions.std then:
 #
 #			- If the log level is followed by "!' then all rules
 #			  in the action are logged at the log level.
 #
 #			- If the log level is not followed by "!" then only
 #			  those rules in the action that do not specify 
 #			  logging are logged at the specified level.
 #
 #			- The special log level 'none!' suppresses logging
 #			  by the action.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
@ -104,6 +118,10 @@
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
@ -115,6 +133,10 @@
 #			loc:~00-A0-C9-15-39-78  Host in the local zone with
 #                                               MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
 #						Hosts 192.0.2.11-192.0.2.17 in
 #						the net zone.
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
 #			interface name. For example, loc:eth1 specifies a
@ -145,7 +167,7 @@
 #				3. You may not specify both an interface and
 #				   an address.
 #
-#			Unlike in the SOURCE column, you may specify a range of
+#			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to addresses in the
@ -166,14 +188,20 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
-#			"all".
+#			a number, or "all". "ipp2p" requires ipp2p match
 #			support in your kernel and iptables.
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
 #			as an ipp2p option without the leading "--" (example "bit"
 #			for bit-torrent). If no port is given, "ipp2p" is
 #			assumed.
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
@ -195,8 +223,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ORIGINAL DEST in the next column, then
+#			specify an ORIGINAL DEST in the next column, then place
-#			place "-" in this column.
+#			"-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@ -223,14 +251,6 @@
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
 #			The address (list) may optionally be followed by
 #			a colon (":") and a second IP address. This causes
 #			Shorewall to use the second IP address as the source
 #			address in forwarded packets. See the Shorewall
 #			documentation for restrictions concerning this feature.
 #			If no source IP address is given, the original source
 #			address is not altered.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this colume:
 # 
@ -281,9 +301,9 @@
 #		 to local system 192.168.1.3 with a limit of 3 per second and
 #		 a maximum burst of 10
 #
-#	#ACTION 	SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
+#	#ACTION 	SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL	RATE
-#	#                                       	PORT    PORT(S) DEST
+#	#                                       	PORT    PORT(S) DEST		LIMIT
-#	DNAT<3/sec:10>	net	loc:192.168.1.3 tcp	http
+#	DNAT		net	loc:192.168.1.3 tcp	http	-	-		3/sec:10
 #
 #	Example: Redirect all locally-originating www connection requests to
 #		 port 3128 on the firewall (Squid running on the firewall
--- a/STABLE2/shorewall
+++ b/STABLE2/shorewall
@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
+#     Shorewall Packet Filtering Firewall Control Program - V2.2
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
-#     (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@ -33,7 +33,7 @@
 #
 #          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
 #          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
-#	   shorewall start			   Starts the firewall
+#	   shorewall start 			   Starts the firewall
 #	   shorewall restart			   Restarts the firewall
 #	   shorewall stop			   Stops the firewall
 #	   shorewall monitor [ refresh-interval ]  Repeatedly Displays firewall status
@ -134,6 +134,24 @@ showchain() # $1 = name of chain
    fi
 }
 #
 # The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
 #
 iptablesbug()
 {
    if qt which awk ; then
 	awk 'BEGIN           {sline=""; };\
             /^-j/           { print sline $0; next };\
             /-m policy.*-j/ { print $0; next };\
             /-m policy/     { sline=$0; next };\
                             {print ; sline="" }'
    else
 	echo "   Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
 	cat
    fi
 }
 #
 # Validate the value of RESTOREFILE
 #
@ -174,6 +192,19 @@ get_config() {
    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
    if [ -n "$IPTABLES" ]; then
 	if [ ! -e "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
 	    exit 2
 	fi
    else
 	IPTABLES=$(which iptables 2> /dev/null)
 	if [ -z "$IPTABLES" ] ; then
 	    echo "   ERROR: Can't find iptables executable" >&2
 	    exit 2
 	fi
    fi
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -e "$SHOREWALL_SHELL" ]; then
 	    echo "   ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
@ -205,7 +236,7 @@ display_chains()
 	TMPFILE=$(mktempfile)
 	[ -n "$TMPFILE" ] || { echo "   ERROR:Cannot create temporary file" >&2; exit 1; }
-	iptables -L $IPT_OPTIONS >> $TMPFILE
+	$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
 	clear
 	echo "$banner $(date)"
@ -288,7 +319,7 @@ display_chains()
 	qt rm -f $TMPFILE
    else
-	iptables -L -n -v
+	$IPTABLES -L -n -v
 	timed_read
    fi
    trap - 1 2 3 4 5 6 9
@ -315,10 +346,9 @@ packet_log() # $1 = number of messages
    [ -n "$realtail" ] && options="-n$1"
-    grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
+    grep "${LOGFORMAT}" $LOGFILE | \
 	 sed s/" kernel:"// | \
 	 sed s/" $host $LOGFORMAT"/" "/ | \
 	 sed s/" $host kernel: ipt_unclean: "/" "/ | \
 	 sed 's/MAC=.* SRC=/SRC=/' | \
 	 tail $options
 }
@ -388,9 +418,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 		   #		     an 'interesting' packet count changes
 {
    get_config
    host=$(echo $HOSTNAME | sed 's/\..*$//')
-    oldrejects=$(iptables -L -v -n | grep 'LOG')
+    oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
    if [ $1 -lt 0 ]; then
 	let "timeout=- $1"
@ -423,7 +452,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	show_reset
-	rejects=$(iptables -L -v -n | grep 'LOG')
+	rejects=$($IPTABLES -L -v -n | grep 'LOG')
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
@ -450,7 +479,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	echo
 	echo "NAT Status"
 	echo
-	iptables -t nat -L $IPT_OPTIONS
+	$IPTABLES -t nat -L $IPT_OPTIONS
 	timed_read
 	clear
@ -459,7 +488,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
 	echo
 	echo "TOS/MARK Status"
 	echo
-	iptables -t mangle -L $IPT_OPTIONS
+	$IPTABLES -t mangle -L $IPT_OPTIONS
 	timed_read
 	clear
@ -498,9 +527,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
    get_config
    host=$(echo $HOSTNAME | sed 's/\..*$//')
-    oldrejects=$(iptables -L -v -n | grep 'LOG')
+    oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
    if [ $1 -lt 0 ]; then
 	timeout=$((- $1))
@ -522,7 +550,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	show_reset
-	rejects=$(iptables -L -v -n | grep 'LOG')
+	rejects=$($IPTABLES -L -v -n | grep 'LOG')
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
@ -562,11 +590,11 @@ usage() # $1 = exit status
 {
    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
    echo "where <command> is one of:"
-    echo "   add <interface>[:<host>] <zone>"
+    echo "   add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
    echo "   allow <address> ..."
-    echo "   check"
+    echo "   check [ <directory> ]"
    echo "   clear"
-    echo "   delete <interface>[:<host>] <zone>"
+    echo "   delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
    echo "   drop <address> ..."
    echo "   forget [ <file name> ]"
    echo "   help [ <command > | host | address ]"
@ -578,15 +606,17 @@ usage() # $1 = exit status
    echo "   refresh"
    echo "   reject <address> ..."
    echo "   reset"
-    echo "   restart"
+    echo "   restart [ <directory> ]"
    echo "   restore [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
+    echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
-    echo "   start"
+    echo "   start [ <directory> ]"
    echo "   stop"
    echo "   status"
    echo "   try <directory> [ <timeout> ]"
    echo "   version"
    echo 
    echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
    exit $1
 }
@ -598,8 +628,11 @@ show_reset() {
 	echo "Counters reset $(cat $STATEDIR/restarted)" && \
 	echo
 }
-
+#
-show_proc() {
+# Display's the passed file name followed by "=" and the file's contents.
 #
 show_proc() # $1 = name of a file  
 {
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
@ -721,6 +754,8 @@ ensure_config_path
 export CONFIG_PATH
 get_config
 [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 if [ ! -f $FIREWALL ]; then
@ -765,8 +800,28 @@ esac
 case "$1" in
    start)
-	[ $# -ne 1 ] && usage 1
+	case $# in
-	get_config
+	    1)
 		;;
 	    2)
 		[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
 		if [ ! -d $2 ]; then
 		    if [ -e $2 ]; then
 			echo "$2 is not a directory" >&2 && exit 2
 		    else
 			echo "Directory $2 does not exist" >&2 && exit 2
 		    fi
 		fi
 		SHOREWALL_DIR=$2
 		export SHOREWALL_DIR
 		;;
 	    *)
 		usage 1
 		;;
 	esac
 	if [ -n "$FAST" ]; then
 	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
@ -783,15 +838,37 @@ case "$1" in
 	    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 	fi
 	;;
-    stop|restart|reset|clear|refresh|check)
+    stop|reset|clear|refresh)
 	[ $# -ne 1 ] && usage 1
-	get_config
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
 	;;
    check|restart)
 	case $# in
 	    1)
 		;;
 	    2)
 		[ -n "$SHOREWALL_DIR" ] && usage 2
 		if [ ! -d $2 ]; then
 		    if [ -e $2 ]; then
 			echo "$2 is not a directory" >&2 && exit 2
 		    else
 			echo "Directory $2 does not exist" >&2 && exit 2
 		    fi
 		fi
 		SHOREWALL_DIR=$2
 		export SHOREWALL_DIR
 		;;
 	    *)
 		usage 1
 		;;
 	esac
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
 	;;
    add|delete)
-	[ $# -ne 3 ] && usage 1
+	[ $# -lt 3 ] && usage 1
-	get_config
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
 	;;
    show|list)
    	[ -n "$debugging" ] && set -x
@ -807,18 +884,17 @@ case "$1" in
 	    echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
-	    iptables -t nat -L $IPT_OPTIONS
+	    $IPTABLES -t nat -L $IPT_OPTIONS
 	    ;;
 	tos|mangle)
 	    [ $# -gt 2 ] && usage 1
 	    echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
-	    iptables -t mangle -L $IPT_OPTIONS
+	    $IPTABLES -t mangle -L $IPT_OPTIONS
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 	    get_config
 	    echo "Shorewall-$version Log at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
@ -837,6 +913,24 @@ case "$1" in
 	    echo
 	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 2 ] && usage 1
 	    [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 	    if [ -f $STATEDIR/zones ]; then
 		echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
 		echo
 		while read zone hosts; do
 		    echo $zone
 		    for host in $hosts; do
 			echo "   $host"
 		    done
 		done < $STATEDIR/zones
 		echo
 	    else
 		echo "   ERROR: $STATEDIR/zones does not exist" >&2
 		exit 1
 	    fi
 	    ;;
 	*)
 	    shift
@ -845,10 +939,10 @@ case "$1" in
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    iptables -L $chain $IPT_OPTIONS
+		    $IPTABLES -L $chain $IPT_OPTIONS
 		done
 	    else
-		iptables -L $IPT_OPTIONS
+		$IPTABLES -L $IPT_OPTIONS
 	    fi
 	    ;;
 	esac
@ -866,29 +960,32 @@ case "$1" in
    status)
    	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] || usage 1
 	get_config
 	clear
 	echo "Shorewall-$version Status at $HOSTNAME - $(date)"
 	echo
 	show_reset
 	host=$(echo $HOSTNAME | sed 's/\..*$//')
-	iptables -L $IPT_OPTIONS
+	$IPTABLES -L $IPT_OPTIONS
 	echo
 	packet_log 20
 	echo
 	echo "NAT Table"
 	echo
-	iptables -t nat -L $IPT_OPTIONS
+	$IPTABLES -t nat -L $IPT_OPTIONS
 	echo
 	echo "Mangle Table"
 	echo
-	iptables -t mangle -L $IPT_OPTIONS
+	$IPTABLES -t mangle -L $IPT_OPTIONS
 	echo
 	cat /proc/net/ip_conntrack
 	echo
 	echo "IP Configuration"
 	echo
 	ip addr ls
 	echo
 	echo "IP Stats"
 	echo
 	ip -stat link ls
 	if qt which brctl; then
 	    echo
@ -902,9 +999,10 @@ case "$1" in
 	echo
 	show_proc /proc/sys/net/ipv4/ip_forward
 	show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
 	for directory in /proc/sys/net/ipv4/conf/*; do
-	    for file in proxy_arp arp_filter rp_filter; do
+	    for file in proxy_arp arp_filter rp_filter log_martians; do
 		show_proc $directory/$file
 	    done
 	done
@ -920,11 +1018,17 @@ case "$1" in
 	    echo
 	    ip route ls table $table
 	done
 	if qt which lsmod; then
 	    echo
 	    echo "Modules"
 	    echo
 	    lsmod | grep -E '^ip_|^ipt_'
 	fi
 	;;
    hits)
    	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] || usage 1
 	get_config
 	clear
 	echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
 	echo
@ -972,10 +1076,10 @@ case "$1" in
 	[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
 	[ $# -lt 2 -o $# -gt 3 ] && usage 1
 	if ! $0 $debugging -c $2 restart; then
-	    if ! iptables -L shorewall > /dev/null 2> /dev/null; then
+	    if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
 		$0 start
 	    fi
-	elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
+	elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
 	    $0 start
 	elif [ $# -eq 3 ]; then
 	    sleep $3
@ -998,9 +1102,9 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
-	    qt iptables -D dynamic -s $1 -j reject
+	    qt $IPTABLES -D dynamic -s $1 -j reject
-	    qt iptables -D dynamic -s $1 -j DROP
+	    qt $IPTABLES -D dynamic -s $1 -j DROP
-	    iptables -A dynamic -s $1 -j DROP || break 1
+	    $IPTABLES -A dynamic -s $1 -j DROP || break 1
 	    echo "$1 Dropped"
 	done
 	mutex_off
@ -1011,9 +1115,9 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
-	    qt iptables -D dynamic -s $1 -j reject
+	    qt $IPTABLES -D dynamic -s $1 -j reject
-	    qt iptables -D dynamic -s $1 -j DROP
+	    qt $IPTABLES -D dynamic -s $1 -j DROP
-	    iptables -A dynamic -s $1 -j reject || break 1
+	    $IPTABLES -A dynamic -s $1 -j reject || break 1
 	    echo "$1 Rejected"
 	done
 	mutex_off
@ -1024,7 +1128,7 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
-	    if	qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
+	    if	qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
 		echo "$1 Allowed"
 	    else
 		echo "$1 Not Dropped or Rejected"
@ -1035,8 +1139,6 @@ case "$1" in
    save)
    	[ -n "$debugging" ] && set -x
 	get_config
 	case $# in
 	1)
 	    ;;
@ -1053,7 +1155,7 @@ case "$1" in
 	mutex_on
-	if qt iptables -L shorewall -n; then
+	if qt $IPTABLES -L shorewall -n; then
 	    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 	    if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@ -1064,11 +1166,11 @@ case "$1" in
 			echo "   ERROR: Reserved file name: $RESTOREFILE"
 			;;
 		    *)
-			if iptables -L dynamic -n > /var/lib/shorewall/save; then
+			if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
 			    echo "   Dynamic Rules Saved"
 			    if [ -f /var/lib/shorewall/restore-base ]; then
 				cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
-				if iptables-save >> /var/lib/shorewall/restore-$$ ; then
+				if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
 				    echo __EOF__ >> /var/lib/shorewall/restore-$$
 				    [ -f /var/lib/shorewall/restore-tail ] && \
 					cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
@ -1094,7 +1196,6 @@ case "$1" in
 	mutex_off
 	;;
    forget)
 	get_config
 	case $# in
 	1)
 	    ;;
@ -1114,7 +1215,7 @@ case "$1" in
 	    rm -f $RESTOREPATH
 	    echo "    $RESTOREPATH removed"
 	elif [ -f $RESTOREPATH ]; then
-	    echo "   ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
+	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
 	fi
 	;;
    ipcalc)
@ -1153,7 +1254,6 @@ case "$1" in
 	esac
 	;;
    restore)
 	get_config
 	case $# in
 	1)
 	    ;;
--- a/STABLE2/shorewall.conf
+++ b/STABLE2/shorewall.conf
@ -1,5 +1,5 @@
 ##############################################################################
-#  /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -7,6 +7,14 @@
 #  This file should be placed in /etc/shorewall
 #
 #  (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #                      S T A R T U P   E N A B L E D
 ##############################################################################
 # Once you have configured Shorewall, you may change the setting of
 # this variable to 'Yes'
 STARTUP_ENABLED=No
 ##############################################################################
 #                              L O G G I N G
 ##############################################################################
@ -15,6 +23,11 @@
 # to syslog (8) the importance of a message and a number of parameters
 # in this file have log levels as their value.
 #
 # These levels are defined by syslog and are used to determine the destination
 # of the messages through entries in /etc/syslog.conf (5). The syslog
 # documentation refers to these as "priorities"; Netfilter calls them "levels"
 # and Shorewall also uses that term.  
 #
 # Valid levels are:
 #
 #	7	debug
@ -80,6 +93,18 @@ LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 #
 # LOG FORMAT Continued
 #
 # Using the default LOGFORMAT, chain names may not exceed 11 characters or 
 # truncation of the log prefix may occur. Longer chain names may be used with
 # log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is 
 # specified then the tag is included in the log prefix in place of the chain
 # name.
 #
 LOGTAGONLY=No
 #
 # LOG RATE LIMITING
 #
@ -110,6 +135,18 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGRATE=
 LOGBURST=
 #
 # LOG ALL NEW
 #
 # This option should only be used when you are trying to analyze a problem.
 # It causes all packets in the Netfilter NEW state to be logged as the 
 # first rule in each builtin chain. To use this option, set LOGALLNEW to 
 # the log level that you want these packets logged at (e.g.,
 # LOGALLNEW=debug).
 #
 LOGALLNEW=
 #
 # BLACKLIST LOG LEVEL
 #
@ -201,9 +238,29 @@ SMURF_LOG_LEVEL=info
 #
 BOGON_LOG_LEVEL=info
 #
 # MARTIAN LOGGING
 #
 # Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
 # that have impossible source IP addresses. This logging may be enabled 
 # on individual interfaces by using the 'logmartians' option in
 # /etc/shorewall/interfaces.
 #
 LOG_MARTIANS=No
 ################################################################################
 #       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
 ################################################################################
 #
 # IPTABLES
 #
 # Full path to iptables executable Shorewall uses to build the firewall. If 
 # not specified or if specified with an empty value (e.g., IPTABLES="") then
 # the iptables executable located via the PATH setting below is used.
 #
 IPTABLES=
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.
@ -320,13 +377,29 @@ ADD_IP_ALIASES=Yes
 #
 ADD_SNAT_ALIASES=No
 #
 # RETAIN EXISTING ALIASES/IP ADDRESSES
 #
 # Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
 # will first delete the address then re-add it. This is to ensure that the
 # address is added with the specified label. Unfortunately, this can cause
 # problems if it results in the deletion of the last IP address on an
 # interface because then all routes through the interface are automatically 
 # removed.
 #
 # You can cause Shorewall to retain existing addresses by setting
 # RETAIN_ALIASES=Yes. 
 #
 RETAIN_ALIASES=No
 #
 # ENABLE TRAFFIC SHAPING
 #
 # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
 # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
-# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
-
+# you must enable packet mangling above.
 #
 TC_ENABLED=No
 #
@ -392,6 +465,14 @@ MARK_IN_FORWARD_CHAIN=No
 #
 # If left blank, or set to "No" or "no", the option is not enabled.
 #
 # You may also set this option to a numeric value in which case Shorewall will
 # set up a rule to modify the MSS value in SYN packets to the value that
 # you specify.
 #
 # Example:
 #
 #	CLAMPMSS=1400
 #
 CLAMPMSS=No
 #
@ -550,6 +631,14 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes
 #
 # Users with a large blacklist find that "shorwall [re]start" takes a long
 # time and that new connections are disabled during that time. By setting
 # DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
 # before loading the blacklist.
 DELAYBLACKLISTLOAD=No
 # MODULE NAME SUFFIX
 #
 # When loading a module named in /etc/shorewall/modules, Shorewall normally
@ -608,16 +697,9 @@ DYNAMIC_ZONES=No
 # USE PKTTYPE MATCH 
 #
 # Some users have reported problems with the PKTTYPE match extension not being
-# able to match certain broadcast packets. 
+# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
-#
+# will use IP addresses to detect broadcasts rather than pkttype. If not given 
-# Other users have complained of the following message when 
+# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
 # starting Shorewall:
 #
 #	    modprobe: cant locate module ipt_pkttype
 #
 # If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
 # broadcasts rather than pkttype. If not given or if given as empty
 # (PKTTYPE="") then PKTTYPE=Yes is assumed.
 PKTTYPE=Yes
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.0.16
+%define version 2.2.0
 %define release 1
 %define prefix /usr
@ -41,12 +41,6 @@ rm -rf $RPM_BUILD_ROOT
 %post
 if [ $1 -eq 1 ]; then
    	echo \
 "########################################################################
 #      REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL            #
 ########################################################################" \
 	> /etc/shorewall/startup_disabled
 	if [ -x /sbin/insserv ]; then
 		/sbin/insserv /etc/rc.d/shorewall
 	elif [ -x /sbin/chkconfig ]; then
@ -76,6 +70,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
@ -106,6 +101,7 @@ fi
 %attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
 %attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
 %attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
 %attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
 %attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
 %attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
 %attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
@ -138,386 +134,37 @@ fi
 %attr(0600,root,root) /usr/share/shorewall/bogons
 %attr(0600,root,root) /usr/share/shorewall/configpath
-%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
+%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
 %changelog
-* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
+* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.16-1
+- Updated to 2.2.0-1
-* Wed Jan 12 2005 Tom Eastep tom@shorewall.net
+* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.15-1
+- Updated to 2.2.0-0RC5
-* Mon Jan 03 2005 Tom Eastep tom@shorewall.net
+* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.14-1
+- Updated to 2.2.0-0RC4
-* Thu Dec 02 2004 Tom Eastep tom@shorewall.net
+* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.13-1
+- Updated to 2.2.0-0RC3
-* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
+* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.12-1
+- Updated to 2.2.0-0RC2
-* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
+* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.11-1
+- Updated to 2.2.0-0RC1
-* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
+- Added ipsecvpn file
- Updated to 2.0.10-1
+* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
-* Thu Sep 23 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta8
- Updated to 2.0.9-1
+* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
-* Sun Aug 22 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta7
- Updated to 2.0.8-1
+* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
-* Tue Jul 20 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta6
- Updated to 2.0.7-1
+* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
-* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta5
- Updated to 2.0.6-1
+* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
-* Fri Jul 09 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta4
- Updated to 2.0.5-1
+* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
-* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta3
- Updated to 2.0.4-1
+* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
-* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta2
- Updated to 2.0.3c-1
+* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
-* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta1
 - Updated to 2.0.3b-1
 * Mon Jun 28 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.3a-1
 * Wed Jun 23 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.3-1
 * Sat Jun 19 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.2-0RC2
 * Tue Jun 15 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.2-0RC1
 * Mon Jun 14 2004 Tom Eastep tom@shorewall.net
 - Added %attr spec for /etc/init.d/shorewall
 * Sat May 15 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.2a-1
 * Thu May 13 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.2-1
 * Mon May 10 2004 Tom Eastep tom@shorewall.net
 - Add /etc/shorewall/initdone
 * Fri May 07 2004 Tom Eastep tom@shorewall.net
 - Shorewall 2.0.2-RC1
 * Tue May 04 2004 Tom Eastep tom@shorewall.net
 - Shorewall 2.0.2-Beta2
 * Tue Apr 13 2004 Tom Eastep tom@shorewall.net
 - Add /usr/share/shorewall/configpath
 * Mon Apr 05 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1-1
 * Thu Apr 02 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1 RC5
 * Thu Apr 01 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1 RC4
 * Sun Mar 28 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1 RC3
 * Thu Mar 25 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1 RC2
 * Wed Mar 24 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1 RC1
 * Fri Mar 19 2004 Tom Eastep tom@shorewall.net
 - Updated for 2.0.1 Beta 2
 * Thu Mar 18 2004 Tom Eastep tom@shorewall.net
 - Added netmap file
 * Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
 - Update for 2.0.1 Beta 1
 * Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
 - Add bogons file
 * Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
 - Update for 2.0.0 Final
 * Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
 - Update for RC2
 * Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
 - Update for RC1
 * Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
 - Moved rfc1918 to /usr/share/shorewall
 - Update for Beta 3
 * Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
 - Removed common.def
 - Unconditionally replace actions.std
 - Update for Beta 2
 * Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
 - Added action.AllowPCA
 * Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
 - Updates for Shorewall 2.0.0.
 * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
 - Remove Documentation from this RPM
 * Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
 - Updated for Beta 2
 * Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
 - Added User Defined Actions Files
 * Wed Dec 03 2003 Tom Eastep <tom@shorewall.net>
 - Added User Defined Actions Files
 * Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.8
 * Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.8-0RC2
 * Thu Oct 30 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.8-0RC1
 * Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.7-1
 - Removed conflict with 2.2 Kernels
 * Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.7-0RC2
 * Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.7-0RC1
 * Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.7-0Beta2
 * Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.7-0Beta1
 * Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
 - Added /etc/shorewall/users
 - Changed version to 1.4.6_20030823-1
 * Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030821-1
 - Added /etc/shorewall/usersets
 * Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030813-1
 * Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
 - Added /etc/shorewall/accounting
 * Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030809-1
 * Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030731-1
 * Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
 - Added /usr/share/shorewall/help
 - Changed version to 1.4.6_20030727-1
 * Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030726-1
 * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-1
 * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-0RC1
 * Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-0Beta2
 * Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-0Beta1
 * Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.5-1
 * Thu May 29 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.4b-1
 * Tue May 27 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.4a-1
 * Thu May 22 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.4-1
 * Mon May 19 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.3a-1
 * Sun May 18 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.3-1
 * Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.2-1
 * Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.1-1
 * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-1
 * Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0RC2
 * Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0RC1
 * Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.0-0Beta2
 * Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
 - Add ecn file
 * Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.4.0-0Beta1
 * Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.4.0Alpha1
 - Delete icmp.def
 - Move firewall and version to /usr/share/shorewall
 * Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0RC1
 * Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0Beta2
 * Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.14-0Beta1
 * Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.13
 * Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12
 * Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta3
 * Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta2
 * Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.12-0Beta1
 - Add init, start, stop and stopped files.
 * Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11a
 * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11
 * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.10
 * Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.10b1
 * Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
 - Added maclist file
 * Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.10
 - Replaced symlink with real file
 * Wed Oct 09 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.9b
 * Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.9a
 * Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.8
 * Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.8
 * Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7c
 * Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7b
 * Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7a
 * Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.7
 * Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.6
 * Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.5b
 * Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.4
 * Wed Jul 10 2002 Tom Eastep <tom@shorewall.net>
 - Added 'routestopped' configuration file.
 * Fri Jul 05 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.3
 * Sat Jun 15 2002 Tom Eastep <tom@shorewall.net>
 - Changed version and release for new convention
 - Moved version,firewall and functions to /var/lib/shorewall
 * Sun Jun 02 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.2
 * Fri May 31 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.1
 - Added the rfc1918 file
 * Wed May 29 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.0
 * Mon May 20 2002 Tom Eastep <tom@shorewall.net>
 - Removed whitelist file
 * Sat May 18 2002 Tom Eastep <tom@shorewall.net>
 - changed version to 91
 * Wed May 8 2002 Tom Eastep <tom@shorewall.net>
 - changed version to 90
 - removed 'provides' tag.
 * Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
 - changed version to 13
 - Added whitelist file.
 * Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
 - changed version to 12
 * Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
 - Merged Stefan's changes to create single RPM
 * Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
 - changed to SuSE Linux 7.3
 * Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 11
 * Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 10
 * Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 9
 * Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 8
 * Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 7
 * Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 6
 * Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 5
 * Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 4
 - Merged Ajay's change to allow build by non-root
 * Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 3
 * Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
 - changed Version to 2
 - Updated URL
 - Added blacklist file
 * Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
 - changed Version to 1
 * Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
 - changed Version to 0
 * Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
 - changed Version to Rc1
 * Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
 - changed Version to Beta2
 * Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
 - changed Version to 1.2
 - added tcrules file
 * Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
 - changed release to 17
 * Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
 - changed release to 16
 * Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - changed release to 15
 * Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - changed release to 14
 * Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - changed release to 13
 - added params file
 * Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 12
 * Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 11
 * Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
 - reorganized spec file
 - s/Copyright/License/
 - now will build fron rpm -tb
 * Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 10
 * Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 9
 - Added tunnel file
 - Readded tunnels file
 * Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 8
 * Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 7
 - Changed iptables dependency.
 * Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 6
 - Added tunnels file
 * Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 5
 - Added modules and tos files
 * Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 4
 - Added changelog.txt and releasenotes.txt
 * Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed release to 3
 * Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Added files common.def and icmpdef.def
 - Changed release to 2
 * Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
 - Changed the release to 1.
 * Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Changed the version to 1.1
 - Added hosts file
 * Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Changed the release to 4
 - Added Zones and Functions files
 * Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Change ipchains dependency to an iptables dependency and
  changed the release to 3
 * Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Add additional files.
 * Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
 - Change version to 1.0.2
 * Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Change version to 1.0.1
 * Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Changes for Shorewall
 * Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Change version to 4.1.0
 * Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Change version to 4.0.4
 * Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Change version to 4.0.2
 * Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
 - Changed version to 4.0
 * Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
 - Added dmzclients file
 * Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
 - Added ftpserver file
 * Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
 - Added "nat" and "proxyarp" files for 4.0
 * Mon May 20 2000 Tom Eastep <teastep@evergo.net>
 - added updown file
 * Sat May 20 2000 Simon Piette <spiette@generation.net>
 - Corrected the group - Networking/Utilities
 - Added "noreplace" attributes to config files, so current confis is not
  changed.
 - Added the version file.
 * Sat May 20 2000 Tom Eastep <teastep@evergo.net>
 - Converted Simon's patch to version 3.1
 * Sat May 20 2000 Simon Piette <spiette@generation.net>
 - 3.0.2 Initial RPM
  Patched the install script so it can take a PREFIX variable
--- a/STABLE2/start
+++ b/STABLE2/start
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/start
+# Shorewall 2.2 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
--- a/STABLE2/stop
+++ b/STABLE2/stop
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/stop
+# Shorewall 2.2 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
--- a/STABLE2/stopped
+++ b/STABLE2/stopped
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/stopped
+# Shorewall 2.2 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
--- a/STABLE2/tcrules
+++ b/STABLE2/tcrules
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Traffic Control Rules File
+# Shorewall version 2.2 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
@ -19,20 +19,65 @@
 # Columns are:
 #
 #
-#	MARK		The mark value which is an
+#	MARK/		a) A mark value which is a integer in the range 1-255
-#			integer in the range 1-255
+#       CLASSIFY
 #			   May optionally be followed by ":P" or ":F"
 #			   where ":P" indicates that marking should occur in
 #			   the PREROUTING chain and ":F" indicates that marking
 #			   should occur in the FORWARD chain. If neither
 #			   ":P" nor ":F" follow the mark value then the chain is
 #			   determined by the setting of MARK_IN_FORWARD_CHAIN in
 #			   /etc/shorewall/shorewall.conf.
 #
-#			May optionally be followed by ":P" or ":F"
+#			   If your kernel and iptables include CONNMARK support
-#			where ":P" indicates that marking should occur in
+#			   then you can also mark the connection rather than
-#			the PREROUTING chain and ":F" indicates that marking
+#			   the packet.
-#			should occur in the FORWARD chain. If neither
+#
-#			":P" nor ":F" follow the mark value then the chain is
+#			   The mark value may be optionally followed by "/" 
-#			determined by the setting of MARK_IN_FORWARD_CHAIN in
+#		           and a mask value (used to determine those bits of
-#			/etc/shorewall/shorewall.conf.
+#                          the connection mark to actually be set). The
 #                          mark and optional mask are then followed by one of:
 #
 #				C - Mark the connection in the chain determined
 #                                   by the setting of MARK_IN_FORWARD_CHAIN
 #
 #			        CF: Mark the conneciton in the FORWARD chain
 #
 #				CP: Mark the connection in the PREROUTING chain.
 #
 #			b) A classification of the form <major>:<minor> where
 #		    	   <major> and <minor> are integers. Corresponds to 
 #			   the 'class' specification in these traffic shaping
 #			   modules:
 #
 #				- atm
 #				- cbq
 #				- dsmark
 #				- pfifo_fast
 #				- htb
 #				- prio
 #
 #			   Classify always occurs in the POSTROUTING chain.
 #
 #			c) RESTORE[/mask] -- restore the packet's mark from the
 #			   connection's mark using the supplied mask if any.
 #			   Your kernel and iptables must  include CONNMARK support.
 #			   As in a) above, may be followed by ":P" or ":F
 #
 #			c) SAVE[/mask] -- save the packet's mark to the
 #			   connection's mark using the supplied mask if any.
 #			   Your kernel and iptables must  include CONNMARK support.
 #			   As in a) above, may be followed by ":P" or ":F
 #
 #			d) CONTINUE -- don't process any more marking rules in
 #			   the table. As in a) above, may be followed by ":P" or
 #			   ":F".
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
-#			and/or subnets. Use $FW if the packet originates on
+#			and/or subnets. If your kernel and iptables include
 #			iprange match support, IP address ranges are also
 #			allowed. Use $FW if the packet originates on
 #			the firewall in which case the MARK column may NOT
 #			specify either ":P" or ":F" (marking always occurs
 #			in the OUTPUT chain).
@ -43,22 +88,34 @@
 #			Example: ~00-A0-C9-15-39-78
 #
 #	DEST		Destination of the packet. Comma separated list of
-#			IP addresses and/or subnets.
+#			IP addresses and/or subnets. If your kernel and 
 #			iptables include iprange match support, IP address
 #			ranges are also allowed.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#                       If the MARK column specificies a classification of
-#			or "all".
+#                       the form <major>:<minor> then this column may also
 #                       contain an interface name.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
 #			a number, or "all". "ipp2p" requires ipp2p match
 #			support in your kernel and iptables.
 #
 #	PORT(S)		Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
 #			as an ipp2p option without the leading "--" (example "bit"
 #			for bit-torrent). If no PORT is given, "ipp2p" is
 #			assumed.
 #
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following field is supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
-#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#	SOURCE PORT(S)	(Optional) Source port(s). If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
@ -75,9 +132,21 @@
 #			   [<user name or number>]:[<group name or number>]
 #
 #			The colon is optionnal when specifying only a user.
-#			Examples : john: / john / :users / john:users	
+#			Examples : john: / john / :users / john:users
 #
 #	TEST		Defines a test on the existing packet or connection mark. 
 #			The rule will match only if the test returns true. Tests
 #			have the format [!]<value>[/<mask>][:C]
 #
 #			Where:
 #
 #				!	Inverts the test (not equal)
 #				<value> Value of the packet or connection mark.
 #				<mask>  A mask to be applied to the mark before
 #					testing 
 #				:C	Designates a connection mark. If omitted,
 #					the packet mark's value is tested.
 ##############################################################################
-#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER
+#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
 #								PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/STABLE2/tos
+++ b/STABLE2/tos
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- /etc/shorewall/tos
+# Shorewall 2.2 -- /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
@ -43,10 +43,4 @@
 #
 ##############################################################################
 #SOURCE DEST		PROTOCOL	SOURCE PORTS	DEST PORTS	TOS
 all	all		tcp		-		22		16
 all	all		tcp		22		-		16
 all	all		tcp		-		21		16
 all	all		tcp		21		-		16
 all	all		tcp		20		-		8
 all	all		tcp		-		20		8
 #LAST LINE -- Add your entries above -- DO NOT REMOVE
--- a/STABLE2/tunnel
+++ b/STABLE2/tunnel
@ -2,14 +2,14 @@
 RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-#   Script to create a gre or ipip tunnel -- Shorewall 2.0
+#   Script to create a gre or ipip tunnel -- Shorewall 2.2
 #
 #   Modified - Steve Cowles 5/9/2000
 #     Incorporated init {start|stop} syntax and iproute2 usage
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
-#     (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #   Modify the following variables to match your configuration
 #
--- a/STABLE2/tunnels
+++ b/STABLE2/tunnels
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - /etc/shorewall/tunnels
+# Shorewall 2.2 - /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
@ -34,7 +34,10 @@
 #
 #	GATEWAY	    --	The IP address of the remote tunnel gateway. If the
 #			remote getway has no fixed address (Road Warrior)
-#			then specify the gateway as 0.0.0.0/0.
+#			then specify the gateway as 0.0.0.0/0. May be 
 #			specified as a network address and if your kernel and
 #			iptables include iprange match support then IP address
 #			ranges are also allowed.
 #
 #	GATEWAY
 #	ZONES --	Optional. If the gateway system specified in the third
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
-#     (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.16
+VERSION=2.2.0
 usage() # $1 = exit status
 {
--- a/STABLE2/zones
+++ b/STABLE2/zones
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/zones
+# Shorewall 2.2 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
@ -11,9 +11,15 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
 #--------------------------------------------------------------------------------
 # Example zones:
 #
-#ZONE	DISPLAY		COMMENTS
+#    You have a three interface firewall with internet, local and DMZ interfaces.
-net	Net		Internet
+#
-loc	Local		Local networks
+#	#ZONE	DISPLAY		COMMENTS
-dmz	DMZ		Demilitarized zone
+#	net	Internet	The big bad Internet
 #	loc	Local		Local Network
 #	dmz	DMZ		Demilitarized zone.
 #
 #ZONE			DISPLAY		COMMENTS
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE