From c2ccd7fd3d4b5bbe126481548509da01d8661808 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Tue, 2 Dec 2003 23:51:46 +0000
Subject: [PATCH] Shorewall 1.4.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs/6to4.htm                       |  201 +-
 Shorewall-docs/Banner.html                    |   45 +
 Shorewall-docs/CorpNetwork.htm                |  404 ++-
 Shorewall-docs/Documentation.htm              |   58 +-
 Shorewall-docs/ECN.html                       |  133 +-
 Shorewall-docs/FAQ.htm                        |  313 +-
 Shorewall-docs/FTP.html                       |   63 +-
 Shorewall-docs/GenericTunnels.html            |   13 +-
 Shorewall-docs/GnuCopyright.htm               |  651 +++--
 Shorewall-docs/IPIP.htm                       |  299 +-
 Shorewall-docs/IPSEC.htm                      |   57 +-
 Shorewall-docs/Install.htm                    |  344 +--
 Shorewall-docs/MAC_Validation.html            |  186 +-
 Shorewall-docs/Multiple_Zones.html            |  551 ++++
 Shorewall-docs/NAT.htm                        |  196 +-
 Shorewall-docs/NetfilterOverview.html         |  104 +
 Shorewall-docs/News.htm                       |  303 +-
 Shorewall-docs/OPENVPN.html                   |  456 ++-
 Shorewall-docs/PPTP.htm                       |  378 ++-
 Shorewall-docs/ProxyARP.htm                   |  325 +--
 Shorewall-docs/SeattleInTheSpring.html        |   59 +-
 Shorewall-docs/Shorewall_CA_html.html         |  134 +-
 Shorewall-docs/Shorewall_CVS_Access.html      |   74 +-
 Shorewall-docs/Shorewall_Doesnt.html          |   37 +-
 Shorewall-docs/Shorewall_Squid_Usage.html     |  200 +-
 .../Shorewall_and_Aliased_Interfaces.html     | 1181 ++++----
 Shorewall-docs/Shorewall_and_Kazaa.html       |   32 +
 Shorewall-docs/Shorewall_index_frame.htm      |  156 +-
 Shorewall-docs/Shorewall_sfindex_frame.htm    |  144 +-
 Shorewall-docs/SourceforgeBanner.html         |   45 +
 Shorewall-docs/UserSets.html                  |  141 +
 Shorewall-docs/VPN.htm                        |  112 +-
 Shorewall-docs/blacklisting_support.htm       |  143 +-
 Shorewall-docs/configuration_file_basics.htm  |   31 +-
 Shorewall-docs/copyright.htm                  |   52 +-
 Shorewall-docs/dhcp.htm                       |  110 +-
 Shorewall-docs/download.htm                   |   47 +-
 Shorewall-docs/errata.htm                     |  156 +-
 Shorewall-docs/fallback.htm                   |   84 +-
 Shorewall-docs/gnu_mailman.htm                |  105 +-
 Shorewall-docs/images/Legend.png              |  Bin 1815 -> 1570 bytes
 Shorewall-docs/images/Logo.png                |  Bin 0 -> 3293 bytes
 Shorewall-docs/images/Logo1.gif               |  Bin 0 -> 10788 bytes
 Shorewall-docs/images/Logo2.gif               |  Bin 0 -> 10788 bytes
 Shorewall-docs/images/Logo3.png               |  Bin 0 -> 2275 bytes
 Shorewall-docs/images/MultiPPTP.png           |  Bin 0 -> 16164 bytes
 Shorewall-docs/images/MultiZone1.png          |  Bin 0 -> 11070 bytes
 Shorewall-docs/images/MultiZone1A.png         |  Bin 0 -> 13543 bytes
 Shorewall-docs/images/MultiZone1B.png         |  Bin 0 -> 13620 bytes
 Shorewall-docs/images/MultiZone2.png          |  Bin 0 -> 10370 bytes
 Shorewall-docs/images/Netfilter.png           |  Bin 25936 -> 26876 bytes
 Shorewall-docs/images/ProtectedBy.png         |  Bin 0 -> 4978 bytes
 Shorewall-docs/images/netfilterconf.png       |  Bin 0 -> 43376 bytes
 Shorewall-docs/images/staticnat.png           |  Bin 9725 -> 6422 bytes
 Shorewall-docs/images/staticnat.vsd           |  Bin 273392 -> 273392 bytes
 Shorewall-docs/index.htm                      |   33 +-
 Shorewall-docs/kernel.htm                     |   83 +-
 Shorewall-docs/mailing_list.htm               |   26 +-
 Shorewall-docs/myfiles.htm                    |   25 +-
 Shorewall-docs/ping.html                      |   13 +-
 Shorewall-docs/ports.htm                      |  266 +-
 Shorewall-docs/quotes.htm                     |  183 +-
 Shorewall-docs/samba.htm                      |  106 +-
 Shorewall-docs/seattlefirewall_index.htm      |  675 ++---
 Shorewall-docs/shoreline.htm                  |   16 +-
 .../shorewall_extension_scripts.htm           |  161 +-
 Shorewall-docs/shorewall_features.htm         |  161 +-
 .../shorewall_firewall_structure.htm          |  332 ---
 Shorewall-docs/shorewall_logging.html         |   46 +-
 Shorewall-docs/shorewall_mirrors.htm          |   21 +-
 Shorewall-docs/shorewall_prerequisites.htm    |  107 +-
 Shorewall-docs/shorewall_quickstart_guide.htm |   76 +-
 Shorewall-docs/shorewall_setup_guide.htm      |   45 +-
 Shorewall-docs/shorewall_setup_guide_fr.htm   | 2515 +++++++++++++++++
 Shorewall-docs/sourceforge_index.htm          |  602 ++--
 Shorewall-docs/standalone.htm                 |   27 +-
 Shorewall-docs/standalone_fr.html             |  769 +++--
 .../starting_and_stopping_shorewall.htm       |   21 +-
 Shorewall-docs/support.htm                    |   48 +-
 Shorewall-docs/three-interface.htm            |   33 +-
 Shorewall-docs/three-interface_fr.html        | 2064 +++++++-------
 Shorewall-docs/traffic_shaping.htm            |  619 ++--
 Shorewall-docs/troubleshoot.htm               |   23 +-
 Shorewall-docs/two-interface.htm              |   33 +-
 Shorewall-docs/two-interface_fr.html          | 2060 +++++++-------
 Shorewall-docs/upgrade_issues.htm             |  693 ++---
 Shorewall-docs/useful_links.html              |   66 +-
 .../whitelisting_under_shorewall.htm          |  502 ++--
 88 files changed, 11590 insertions(+), 8983 deletions(-)
 create mode 100755 Shorewall-docs/Banner.html
 create mode 100755 Shorewall-docs/Multiple_Zones.html
 create mode 100755 Shorewall-docs/NetfilterOverview.html
 create mode 100644 Shorewall-docs/Shorewall_and_Kazaa.html
 create mode 100755 Shorewall-docs/SourceforgeBanner.html
 create mode 100755 Shorewall-docs/UserSets.html
 create mode 100755 Shorewall-docs/images/Logo.png
 create mode 100644 Shorewall-docs/images/Logo1.gif
 create mode 100644 Shorewall-docs/images/Logo2.gif
 create mode 100755 Shorewall-docs/images/Logo3.png
 create mode 100755 Shorewall-docs/images/MultiPPTP.png
 create mode 100755 Shorewall-docs/images/MultiZone1.png
 create mode 100755 Shorewall-docs/images/MultiZone1A.png
 create mode 100755 Shorewall-docs/images/MultiZone1B.png
 create mode 100755 Shorewall-docs/images/MultiZone2.png
 create mode 100755 Shorewall-docs/images/ProtectedBy.png
 create mode 100644 Shorewall-docs/images/netfilterconf.png
 delete mode 100644 Shorewall-docs/shorewall_firewall_structure.htm
 create mode 100755 Shorewall-docs/shorewall_setup_guide_fr.htm

diff --git a/Shorewall-docs/6to4.htm b/Shorewall-docs/6to4.htm
index c7410c168..6ce05185e 100755
--- a/Shorewall-docs/6to4.htm
+++ b/Shorewall-docs/6to4.htm
@@ -1,144 +1,113 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-            
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>6to4 Tunnels</title>
-                     
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-            
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-      
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-      <tbody>
-       <tr>
-        <td width="100%">                     
-      <h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
-        </td>
-      </tr>
-            
-  </tbody>   
-</table>
-      
+<body>
+<h1 style="text-align: center;">6to4 Tunnels<br>
+</h1>
 <h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
-  </h3>
-   
-<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
- only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
-security  measures.</h3>
-      
-<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
- to another IPv6 network over an IPv4 infrastructure</p>
-      
-<p>More information on Linux and IPv6 can be found in the  <a
+</h3>
+<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
+Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
+provide any IPv6
+security measures.</h3>
+<p>6to4 tunneling with Shorewall can be used to connect your IPv6
+network to another IPv6 network over an IPv4 infrastructure</p>
+<p>More information on Linux and IPv6 can be found in the <a
  href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
-Details on how to setup a 6to4 tunnels are described in the section  <a
+Details on how to setup a 6to4 tunnels are described in the section <a
  href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
-  of 6to4 tunnels</a>.</p>
-      
+of 6to4 tunnels</a>.</p>
 <h2>Connecting two IPv6 Networks</h2>
-      
 <p>Suppose that we have the following situation:</p>
-      
 <p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
- width="745" height="427" alt="">
-   </p>
-      
-<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
- able to communicate with the systems in the 2002:488:999::/64 network. This
- is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
- utility for network interface  and routing configuration.</p>
-      
-<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
- /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
- is no need to declare a zone to  represent the remote IPv6 network. This
-remote network is not visible on IPv4 interfaces and to  iptables. All that
-is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
- Separate IPv6 interfaces and ip6tables rules need to be defined to handle
+ width="745" height="427" alt=""> </p>
+<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
+be able to communicate with the systems in the 2002:488:999::/64
+network. This is accomplished through use of the /etc/shorewall/tunnels
+file and the "ip" utility for network interface and routing
+configuration.</p>
+<p align="left">Unlike GRE and IPIP tunneling, the
+/etc/shorewall/policy, /etc/shorewall/interfaces and
+/etc/shorewall/zones files are not used. There is no need to declare a
+zone to represent the remote IPv6 network. This
+remote network is not visible on IPv4 interfaces and to iptables. All
+that
+is visible on the IPv4 level is an IPv4 stream which contains IPv6
+traffic. Separate IPv6 interfaces and ip6tables rules need to be
+defined to handle
 this traffic. </p>
-       
-<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
-      
-<blockquote>         
+<p align="left">In /etc/shorewall/tunnels on system A, we need the
+following:</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-        <tbody>
-         <tr>
-          <td><b>TYPE</b></td>
-          <td><b>ZONE</b></td>
-          <td><b>GATEWAY</b></td>
-          <td><b>GATEWAY ZONE</b></td>
-        </tr>
-        <tr>
-          <td>6to4</td>
-          <td>net</td>
-          <td>134.28.54.2</td>
-          <td> </td>
-        </tr>
-                  
-    </tbody>         
+    <tbody>
+      <tr>
+        <td><b>TYPE</b></td>
+        <td><b>ZONE</b></td>
+        <td><b>GATEWAY</b></td>
+        <td><b>GATEWAY ZONE</b></td>
+      </tr>
+      <tr>
+        <td>6to4</td>
+        <td>net</td>
+        <td>134.28.54.2</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-    </blockquote>
-      
-<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6 
-  encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
-      
+</blockquote>
+<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
+IPv6 encapsulation protocol (41) will be accepted to/from the remote
+gateway.</p>
 <p>Use the following commands to setup system A:</p>
-      
-<blockquote>         
+<blockquote>
   <p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
-     &gt;ip link set dev tun6to4 up<br>
-     &gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
-     &gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
-    </blockquote>
-      
+&gt;ip link set dev tun6to4 up<br>
+&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
+&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
+</blockquote>
 <p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
-      
-<blockquote>         
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-        <tbody>
-         <tr>
-          <td><b>TYPE</b></td>
-          <td><b>ZONE</b></td>
-          <td><b>GATEWAY</b></td>
-          <td><b>GATEWAY ZONE</b></td>
-        </tr>
-        <tr>
-          <td>6to4</td>
-          <td>net</td>
-          <td>206.191.148.9</td>
-          <td> </td>
-        </tr>
-                  
-    </tbody>         
+    <tbody>
+      <tr>
+        <td><b>TYPE</b></td>
+        <td><b>ZONE</b></td>
+        <td><b>GATEWAY</b></td>
+        <td><b>GATEWAY ZONE</b></td>
+      </tr>
+      <tr>
+        <td>6to4</td>
+        <td>net</td>
+        <td>206.191.148.9</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-    </blockquote>
-      
+</blockquote>
 <p>And use the following commands to setup system B:</p>
-      
-<blockquote>         
+<blockquote>
   <p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
-     &gt;ip link set dev tun6to4 up<br>
-     &gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
-     &gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
-    </blockquote>
-       
-<p>On both systems, restart Shorewall and issue the configuration commands
- as  listed above. The systems in both IPv6 subnetworks can now talk to each
- other using IPv6.</p>
-      
-<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a> 
- </font></p>
-      
-<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
+&gt;ip link set dev tun6to4 up<br>
+&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
+&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
+</blockquote>
+<p>On both systems, restart Shorewall and issue the configuration
+commands as listed above. The systems in both IPv6 subnetworks can now
+talk to each other using IPv6.</p>
+<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
+</font></p>
+<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
-     <br>
-   <br>
-  <br>
- <br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Banner.html b/Shorewall-docs/Banner.html
new file mode 100755
index 000000000..cd2fe8127
--- /dev/null
+++ b/Shorewall-docs/Banner.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="content-type"
+ content="text/html; charset=ISO-8859-1">
+  <title>Banner</title>
+  <meta name="author" content="Tom Eastep">
+  <base target="main">
+</head>
+<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
+ link="#000099" vlink="#990099" alink="#000099">
+<table cellpadding="0"
+ style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
+ id="AutoNumber3">
+  <tbody>
+    <tr>
+      <td style="text-align: center; width: 34%; vertical-align: top;">
+      <div align="center"> <img src="images/Logo1.png"
+ alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
+ align="middle" title=""> </div>
+      </td>
+      <td style="vertical-align: top;">
+      <form method="post"
+ action="http://lists.shorewall.net/cgi-bin/htsearch"
+ style="background-color: rgb(51, 102, 255);"> <strong><font
+ color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
+is unavailable Daily 0200-0330 GMT.</font><br>
+        <strong></strong>
+        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
+        <font face="Arial" size="-1"> <input type="text" name="words"
+ size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
+ type="hidden" name="format" value="long"> <input type="hidden"
+ name="method" value="and"> <input type="hidden" name="config"
+ value="htdig"> <input type="submit" value="Search"><b><font
+ color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
+ href="http://lists.shorewall.net/htdig/search.html"
+ style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
+        <font face="Arial"> <input type="hidden" name="exclude"
+ value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</body>
+</html>
diff --git a/Shorewall-docs/CorpNetwork.htm b/Shorewall-docs/CorpNetwork.htm
index 3c441c522..d6e05e68b 100644
--- a/Shorewall-docs/CorpNetwork.htm
+++ b/Shorewall-docs/CorpNetwork.htm
@@ -1,285 +1,229 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <html>
 <head>
- <!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
+<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
   <title>Corporate Shorewall Configuration</title>
-        
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-     
   <meta content="Microsoft FrontPage 5.0" name="GENERATOR">
-     
   <meta content="FrontPage.Editor.Document" name="ProgId">
-     
   <meta content="none" name="Microsoft Theme">
-     
   <meta content="Graeme Boyle" name="author">
 </head>
-  <body>
-   
+<body>
 <script><!--
 function PrivoxyWindowOpen(){return(null);}
-//--></script> 
- 
-<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
- cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
- border="0">
-    <tbody>
-    <tr>
-      <td width="100%">              
-      <h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
-       Servers</font></h1>
-       </td>
-     </tr>
-   
-  </tbody> 
-</table>
-   
+//--></script>
 <blockquote></blockquote>
-   
-<h1>Corporate Network</h1>
-   
+<h1 style="text-align: center;">Corporate Network</h1>
 <p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
  color="#ff0000"><b>:</b></font></big></p>
-   
-<blockquote>      
+<blockquote>
   <ul>
-      <li><b>This configuration is used on a corporate network that has a 
-Linux      (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5 
-     release,</b>      </li>
-     <li><b>Make sure you know what public IP addresses are currently being 
-used      and verify these </b><i>before</i><b> starting.</b>      </li>
-     <li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall 
-     configuration especially if you have split DNS.</b>      </li>
-     <li><b>System names and Internet IP addresses have been changed to protect 
-     the innocent.</b> </li>
-   
+    <li><b>This configuration is used on a corporate network that has a
+Linux (RedHat 8.0) server with three interfaces, running Shorewall
+1.4.5 release,</b> </li>
+    <li><b>Make sure you know what public IP addresses are currently
+being used and verify these </b><i>before</i><b> starting.</b> </li>
+    <li><b>Verify your DNS settings </b><i>before</i><b> starting any
+Shorewall configuration especially if you have split DNS.</b> </li>
+    <li><b>System names and Internet IP addresses have been changed to
+protect the innocent.</b> </li>
   </ul>
-       
-  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This    configuration
-uses a combination of Static NAT and Proxy ARP. This is    generally not
-relevant to a simple configuration with a single public IP    address.</small></b></big><big><b><small>
-If you have just a single public IP    address, most of what you see here
-won't apply to your setup so beware of    copying parts of this configuration
-and expecting them to work for you. What    you copy may or may not work
-in your    configuration.<br>
-   </small></b></big><br>
-   </p>
-       
-  <p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The   
-internet is connected to eth0. The local network is connected via eth1   
-(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have 
-an    IPSec tunnel connecting our offices in Germany to our offices in the 
-US. I    host two Microsoft Exchange servers for two different companies behind
-the    firewall hence, the two Exchange servers in the diagram below.</p>
-       
-  <p>Summary:<br>
-   </p>
-       
-  <ul>
-      <li>SNAT for all systems connected to the LAN - Internal addresses
-10.10.x.x      to external address 192.0.18.127.      </li>
-     <li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address 
-     10.10.1.8 and external address 192.0.18.70.      </li>
-     <li>Static NAT for <i>Sims</i> (Inventory Management server). Internal 
-     address 10.10.1.56 and external address 192.0.18.75.<br>
-      </li>
-     <li>Static NAT for <i>Project</i> (Project Web Server). Internal address 
-     10.10.1.55 and external address 192.0.18.84.      </li>
-     <li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address 
-     10.10.1.252 and external address 192.0.18.93.      </li>
-     <li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address 
-     10.10.1.230 and external address 192.0.18.97.      </li>
-     <li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address 
-     10.10.1.60 and external address 192.0.18.115. </li>
-   
-  </ul>
-       
-  <p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with 
-  RH8.0.</p>
-       
-  <p>The Firewall is also a proxy server running Privoxy 3.0.</p>
-       
-  <p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap, 
-   pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That 
-server    is managed through Proxy ARP.</p>
-       
-  <p>All administration and publishing is done using ssh/scp. I have X installed 
-   on the firewall and the system in the DMZ. X applications tunnel through 
-SSH    to Hummingbird Exceed running on a PC located in the LAN. Access to 
-the    firewall using SSH is restricted to systems in the LAN, DMZ or the 
-system Kaos    which is on the Internet and managed by me.</p>
-       
-  <p align="center"><img height="1000" alt="(Corporate Network Diagram)"
- src="images/CorpNetwork.gif" width="770" border="0">
+  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
+configuration
+uses a combination of One-to-one NAT and Proxy ARP. This is generally
+not
+relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
+If you have just a single public IP address, most of what you see here
+won't apply to your setup so beware of copying parts of this
+configuration
+and expecting them to work for you. What you copy may or may not work
+in your configuration.<br>
+  </small></b></big><br>
+  </p>
+  <p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
+internet is connected to eth0. The local network is connected via eth1
+(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
+have an IPSec tunnel connecting our offices in Germany to our offices
+in the US. I host two Microsoft Exchange servers for two different
+companies behind
+the firewall hence, the two Exchange servers in the diagram below.</p>
+  <p>Summary:<br>
   </p>
-       
-  <p></p>
-       
-  <p>The Ethernet 0 interface in the Server is configured with IP address 
-   192.0.18.68, netmask 255.255.255.192. The server's default gateway is 
-  192.0.18.65, the Router connected to my network and the ISP. This is the 
-   same default gateway used by the firewall itself. On the firewall, Shorewall 
-   automatically adds a host route to 192.0.18.80 through Ethernet 2    (192.168.21.1) 
-because of the entry in /etc/shorewall/proxyarp (see below). I    modified 
-the start, stop and init scripts to include the fixes suggested when    having 
-an IPSec tunnel.</p>
-       
-  <p><b>Some Mistakes I Made:</b></p>
-       
-  <p>Yes, believe it or not, I made some really basic mistakes when building 
-   this firewall. Firstly, I had the new firewall setup in parallel with the
-old    firewall so that there was no interruption of service to my users. 
-During my    out-bound testing, I set up systems on the LAN to utilize the 
-firewall which    worked fine. When testing my NAT connections, from the outside,
-these would    fail and I could not understand why. Eventually, I changed
-the default route    on the internal system I was trying to access, to point
-to the new firewall    and "bingo", everything worked as expected. This oversight
-delayed my    deployment by a couple of days not to mention level of frustration
-it    produced. </p>
-       
-  <p>Another problem that I encountered was in setting up the Proxyarp system 
-in    the DMZ. Initially I forgot to remove the entry for the eth2 from the 
-   /etc/shorewall/masq file. Once my file settings were correct, I started 
-   verifying that the ARP caches on the firewall, as well as the outside system
-   "kaos", were showing the correct Ethernet MAC address. However, in testing
-   remote access, I could access the system in the DMZ only from the firewall
-and    LAN but not from the Internet. The message I received was "connection
-denied"    on all protocols. What I did not realize was that a "helpful"
-administrator    that had turned on an old system and assigned the same address
-as the one I    was using for Proxyarp without notifying me. How did I work
-this out. I    shutdown the system in the DMZ, rebooted the router and flushed
-the ARP cache    on the firewall and kaos. Then, from kaos, I started pinging
-that IP address    and checked the updated ARP cache and lo-and-behold a
-different MAC address    showed up. High levels of frustration etc., etc.
-The administrator will    <i>not</i> be doing that again! :-)</p>
-       
-  <p><b>Lessons Learned:</b></p>
-       
   <ul>
-      <li>Read the documentation.      </li>
-     <li>Draw your network topology before starting.      </li>
-     <li>Understand what services you are going to allow in and out of the 
-     firewall, whether they are TCP or UDP packets and make a note of these 
-port      numbers.      </li>
-     <li>Try to get quiet time to build the firewall - you need to focus
-on the      job at hand.      </li>
-     <li>When asking for assistance, be honest and include as much detail 
-as      requested. Don't try and hide IP addresses etc., you will probably 
-screw up      the logs and make receiving assistance harder.      </li>
-     <li>Read the documentation. </li>
-   
+    <li>SNAT for all systems connected to the LAN - Internal addresses
+10.10.x.x to external address 192.0.18.127. </li>
+    <li>One-to-one NAT for <i>Polaris</i> (Exchange Server #2).
+Internal
+address 10.10.1.8 and external address 192.0.18.70. </li>
+    <li>One-to-one NAT for <i>Sims</i> (Inventory Management server).
+Internal address 10.10.1.56 and external address 192.0.18.75.<br>
+    </li>
+    <li>One-to-one NAT for <i>Project</i> (Project Web Server).
+Internal
+address 10.10.1.55 and external address 192.0.18.84. </li>
+    <li>One-to-one NAT for <i>Fortress</i> (Exchange Server). Internal
+address 10.10.1.252 and external address 192.0.18.93. </li>
+    <li>One-to-one NAT for <i>BBSRV</i> (Blackberry Server). Internal
+address 10.10.1.230 and external address 192.0.18.97. </li>
+    <li>One-to-one NAT for <i>Intweb</i> (Intranet Web Server).
+Internal
+address 10.10.1.60 and external address 192.0.18.115. </li>
+  </ul>
+  <p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
+with RH8.0.</p>
+  <p>The Firewall is also a proxy server running Privoxy 3.0.</p>
+  <p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
+imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
+1.1.0). That server is managed through Proxy ARP.</p>
+  <p>All administration and publishing is done using ssh/scp. I have X
+installed on the firewall and the system in the DMZ. X applications
+tunnel through SSH to Hummingbird Exceed running on a PC located in the
+LAN. Access to the firewall using SSH is restricted to systems in the
+LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
+  <p align="center"><img height="1000" alt="(Corporate Network Diagram)"
+ src="images/CorpNetwork.gif" width="770" border="0"> </p>
+  <p></p>
+  <p>The Ethernet 0 interface in the Server is configured with IP
+address 192.0.18.68, netmask 255.255.255.192. The server's default
+gateway is 192.0.18.65, the Router connected to my network and the ISP.
+This is the same default gateway used by the firewall itself. On the
+firewall, Shorewall automatically adds a host route to 192.0.18.80
+through Ethernet 2 (192.168.21.1) because of the entry in
+/etc/shorewall/proxyarp (see below). I modified the start, stop and
+init scripts to include the fixes suggested when having an IPSec tunnel.</p>
+  <p><b>Some Mistakes I Made:</b></p>
+  <p>Yes, believe it or not, I made some really basic mistakes when
+building this firewall. Firstly, I had the new firewall setup in
+parallel with the
+old firewall so that there was no interruption of service to my users.
+During my out-bound testing, I set up systems on the LAN to utilize the
+firewall which worked fine. When testing my NAT connections, from the
+outside,
+these would fail and I could not understand why. Eventually, I changed
+the default route on the internal system I was trying to access, to
+point
+to the new firewall and "bingo", everything worked as expected. This
+oversight
+delayed my deployment by a couple of days not to mention level of
+frustration
+it produced. </p>
+  <p>Another problem that I encountered was in setting up the Proxyarp
+system in the DMZ. Initially I forgot to remove the entry for the eth2
+from the /etc/shorewall/masq file. Once my file settings were correct,
+I started verifying that the ARP caches on the firewall, as well as the
+outside system "kaos", were showing the correct Ethernet MAC address.
+However, in testing remote access, I could access the system in the DMZ
+only from the firewall
+and LAN but not from the Internet. The message I received was
+"connection
+denied" on all protocols. What I did not realize was that a "helpful"
+administrator that had turned on an old system and assigned the same
+address
+as the one I was using for Proxyarp without notifying me. How did I
+work
+this out. I shutdown the system in the DMZ, rebooted the router and
+flushed
+the ARP cache on the firewall and kaos. Then, from kaos, I started
+pinging
+that IP address and checked the updated ARP cache and lo-and-behold a
+different MAC address showed up. High levels of frustration etc., etc.
+The administrator will <i>not</i> be doing that again! :-)</p>
+  <p><b>Lessons Learned:</b></p>
+  <ul>
+    <li>Read the documentation. </li>
+    <li>Draw your network topology before starting. </li>
+    <li>Understand what services you are going to allow in and out of
+the firewall, whether they are TCP or UDP packets and make a note of
+these port numbers. </li>
+    <li>Try to get quiet time to build the firewall - you need to focus
+on the job at hand. </li>
+    <li>When asking for assistance, be honest and include as much
+detail as requested. Don't try and hide IP addresses etc., you will
+probably screw up the logs and make receiving assistance harder. </li>
+    <li>Read the documentation. </li>
   </ul>
-       
   <p><b>Futures:</b></p>
-       
-  <p>This is by no means the final configuration. In the near future, I will 
-be    moving more systems from the LAN to the DMZ. I will also be watching 
-the logs    for port scan programs etc. but, this should be standard security 
-   maintenance.</p>
-       
-  <p>Here are copies of my files. I have removed most of the internal    documentation
-for the purpose of this space however, my system still has the    original
-files with all the comments and I highly recommend you do the    same.</p>
- </blockquote>
-   
+  <p>This is by no means the final configuration. In the near future, I
+will be moving more systems from the LAN to the DMZ. I will also be
+watching the logs for port scan programs etc. but, this should be
+standard security maintenance.</p>
+  <p>Here are copies of my files. I have removed most of the internal
+documentation
+for the purpose of this space however, my system still has the original
+files with all the comments and I highly recommend you do the same.</p>
+</blockquote>
 <h3>Shorewall.conf</h3>
-   
-<blockquote>   
+<blockquote>
   <pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Zones File</h3>
-   
-<blockquote>   
+<blockquote>
   <pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
  face="Courier" size="2"><br></font></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Interfaces File: </h3>
-   
-<blockquote>      
+<blockquote>
   <p>##############################################################################<br>
- #ZONE    INTERFACE BROADCAST OPTIONS<br>
- net eth0 62.123.106.127    routefilter,norfc1918,blacklist,tcpflags<br>
- loc eth1 detect    dhcp,routefilter<br>
- dmz eth2 detect<br>
- vpn1 ipsec0<br>
- #LAST LINE -- ADD YOUR    ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
- </blockquote>
-   
+#ZONE INTERFACE BROADCAST OPTIONS<br>
+net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
+loc eth1 detect dhcp,routefilter<br>
+dmz eth2 detect<br>
+vpn1 ipsec0<br>
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
+</blockquote>
 <h3>Routestopped File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
  face="Courier" size="2">	</font></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Policy File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Masq File: </h3>
-   
-<blockquote>   
+<blockquote>
   <pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
- </blockquote>
-   
+</blockquote>
 <h3>NAT File: </h3>
-   
-<blockquote>   
+<blockquote>
   <pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Proxy ARP File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE     	</font></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Tunnels File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
- </blockquote>
-   
+</blockquote>
 <h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
-   
-<blockquote>   
+<blockquote>
   <pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
- </blockquote>
-   
+</blockquote>
 <h3>Start File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
- </blockquote>
-   
+</blockquote>
 <h3>Stop File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
- </blockquote>
-   
+</blockquote>
 <h3>Init File:</h3>
-   
-<blockquote>   
+<blockquote>
   <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
- </blockquote>
-   
-<p><font size="2">Last updated 7/16/2003</font>  
+</blockquote>
+<p><font size="2">Last updated 11/13/2003</font>
 <script><!--
 function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
-//</script>
-  <br>
- </p>
-   
-<p><small><a href="GnuCopyright.htm">Copyright  2003 Thomas M. Eastep and
+//</script><br>
+</p>
+<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
+and
 Graeme Boyle</a></small><br>
- </p>
- <br>
- <br>
+</p>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm
index 5539401a4..07d3e3f14 100644
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
@@ -12,17 +12,8 @@
   <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Shorewall 1.4 Reference<br>
+</h1>
 <h2 align="center">This documentation is intended primarily for
 reference. Step-by-step instructions for configuring Shorewall in
 common setups may be found in the <a
@@ -66,7 +57,11 @@ field in packets is to be set.<br>
   <li><b><a href="#Scripts">common.def</a></b> -- a parameter file
 installed in in /etc/shorewall that defines firewall-wide rules that
 are applied before a DROP or REJECT policy is applied.</li>
-  <li><b> <a href="#Interfaces">interfaces</a> </b> -- a parameter
+  <li><span style="font-weight: bold;">init.sh </span>-- a shell
+script installed in /etc/init.d to automatically start Shorewall during
+boot.<br>
+    <b> </b></li>
+  <li><b><a href="#Interfaces">interfaces</a> </b> -- a parameter
 file installed in /etc/shorewall/ and used to describe the interfaces
 on the firewall system.</li>
   <li><a href="#Hosts"><b> hosts</b> </a>-- a parameter file installed
@@ -78,15 +73,12 @@ possibly also the IP address(es)) of devices.<br>
   </li>
   <li><b> <a href="#Masq">masq</a></b> - This file also describes IP
 masquerading under Shorewall and is installed in /etc/shorewall.</li>
-  <li><b><a href="shorewall_firewall_structure.htm">firewall</a></b> --
+  <li><b>firewall</b> --
 a shell program that reads the configuration files in /etc/shorewall
-and configures your firewall. This file is installed in your init.d
-directory (/etc/rc.d/init.d ) where it is renamed <i>shorewall.</i>
-/etc/shorewall/firewall (/var/lib/shorewall/firewall in versions
-1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 and later) is a
-symbolic link to this program.</li>
+and configures your firewall. This file is installed in
+/usr/share/shorewall.</li>
   <li><b> <a href="#NAT">nat</a></b> -- a parameter file in
-/etc/shorewall used to define <a href="#NAT"> static NAT</a> .</li>
+/etc/shorewall used to define <a href="#NAT">one-to-one NAT</a> .</li>
   <li><b> <a href="#ProxyArp">proxyarp</a></b> -- a parameter file in
 /etc/shorewall used to define <a href="#ProxyArp"> Proxy Arp</a> .</li>
   <li><b><a href="#rfc1918">rfc1918</a></b> -- a parameter file in
@@ -1190,6 +1182,13 @@ header-rewriting rule.<br>
       </li>
       <li>LOG - Log the packet -- requires
 a syslog level (see below).</li>
+      <li>QUEUE - Forward the packet to a user-space application. This
+facility is provided to allow interfacing to <a
+ href="http://p2pwall.sourceforge.net">ftwall</a> for <a
+ href="Shorewall_and_Kazaa.html">Kazaa filtering</a>. Note: When the
+protocol specified in the PROTO column is TCP ("tcp", "TCP" or "6"),
+Shorewall will only pass connection requests (SYN packets) to user
+space. This is for compatibility with ftwall.</li>
     </ul>
     <p>Beginning with Shorewall version 1.4.7, you may rate-limit the
 rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
@@ -2253,16 +2252,20 @@ following (I haven't tried it):</p>
 <p>In /etc/shorewall/start, include:</p>
 <p> qt service ipsec start</p>
 <h2><font color="#660066"><b><a name="NAT"></a> </b></font>/etc/shorewall/nat</h2>
-<p>The /etc/shorewall/nat file is used to define static NAT. There is
-one entry in the file for each static NAT relationship that you wish to
+<p>The /etc/shorewall/nat file is used to define one-to-one NAT. There
+is
+one entry in the file for each one-to-one NAT relationship that you
+wish to
 define. In order to make use of this feature, you must have <a
  href="#NatEnabled">NAT enabled</a> .</p>
 <p> <font color="#ff0000"> <b>IMPORTANT: If all you want to do is
 forward ports to servers behind your firewall, you do NOT want to use
-static NAT. Port forwarding can be accomplished with simple entries in
+one-to-one NAT. Port forwarding can be accomplished with simple entries
+in
 the <a href="#Rules"> rules file</a>. Also, in most cases <a
- href="#ProxyArp"> Proxy ARP</a> provides a superior solution to static
-NAT because the internal systems are accessed using the same IP address
+ href="#ProxyArp"> Proxy ARP</a> provides a superior solution to
+one-to-one NAT because the internal systems are accessed using the same
+IP address
 internally and externally.</b></font></p>
 <p>Columns in an entry are:</p>
 <ul>
@@ -2465,7 +2468,8 @@ individual rule for each listed port or port range. </p>
   <li><b>NAT_BEFORE_RULES</b><br>
 If set to "No" or "no", port forwarding rules can override the contents
 of the <a href="#NAT">/etc/shorewall/nat</a> file. If set to "Yes" or
-"yes", port forwarding rules cannot override static NAT. If not set or
+"yes", port forwarding rules cannot override one-to-one NAT. If not set
+or
 set to an empty value,
 "Yes" is assumed.</li>
   <li><b>FW<br>
@@ -2515,7 +2519,7 @@ this parameter is now automatically detected by Shorewall)<br>
 This parameter determines whether Shorewall supports NAT operations.
 NAT operations include:<br>
     <br>
-Static NAT<br>
+One-to-one NAT<br>
 Port Forwarding<br>
 Port Redirection<br>
 Masquerading<br>
@@ -2842,7 +2846,7 @@ Validation Documentation</a>.<br>
 <h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
 This file is described in the <a href="ECN.html">ECN Control
 Documentation</a>.<br>
-<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
+<p><font size="-1"> Updated 11/15/2003 - <a href="support.htm">Tom
 Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
diff --git a/Shorewall-docs/ECN.html b/Shorewall-docs/ECN.html
index e50fd131c..ba331c4cb 100644
--- a/Shorewall-docs/ECN.html
+++ b/Shorewall-docs/ECN.html
@@ -2,90 +2,75 @@
 <html>
 <head>
   <title>Shorewall and ECN</title>
-      
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-   
   <meta name="author" content="Tom Eastep">
 </head>
-  <body>
- 
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#3366ff" height="90">
-                                                        <tbody>
-                                                         <tr>
-                                                          <td
- width="100%">                   
-      <h1 align="center"><font color="#ffffff">ECN</font></h1>
-                                                          </td>
-                                                        </tr>
-          
-  </tbody>  
-</table>
- <br>
- Explicit Congestion Notification (ECN) is described in RFC 3168 and is a 
-proposed internet standard. Unfortunately, not all sites support ECN and when
-a TCP connection offering ECN is sent to sites that don't support it, the
+<body>
+<br>
+<h1 style="text-align: center;">ECN<br>
+</h1>
+Explicit Congestion Notification (ECN) is described in RFC 3168 and is
+a proposed internet standard. Unfortunately, not all sites support ECN
+and when
+a TCP connection offering ECN is sent to sites that don't support it,
+the
 result is often that the connection request is ignored.<br>
- <br>
- To allow ECN to be used, Shorewall allows you to enable ECN on your Linux 
-systems then disable it in your firewall when the destination matches a list 
-that you create (the /etc/shorewall/ecn file).<br>
- <br>
- You enable ECN by<br>
- <br>
- 
-<blockquote>   
+<br>
+To allow ECN to be used, Shorewall allows you to enable ECN on your
+Linux systems then disable it in your firewall when the destination
+matches a list that you create (the /etc/shorewall/ecn file).<br>
+<br>
+You enable ECN by<br>
+<br>
+<blockquote>
   <pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
- </blockquote>
- You must arrange for that command to be executed at system boot. Most distributions 
-have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
- <br>
- 
-<blockquote>   
+</blockquote>
+You must arrange for that command to be executed at system boot. Most
+distributions have a method for doing that -- on RedHat, you make an
+entry in /etc/sysctl.conf.<br>
+<br>
+<blockquote>
   <pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
- </blockquote>
- Entries in /etc/shorewall/ecn have two columns as follows:<br>
- <br>
- INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
- <br>
- HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or subnet) 
-of a system or group of systems accessed through the &nbsp;interface in the 
-first column. You may include a comma-separated list of such addresses in 
-this column. <br>
- <br>
- Example: Your external interface is eth0 and you want to disable ECN for 
-tcp connections to 192.0.2.0/24:<br>
- <br>
- In /etc/shorewall/ecn:<br>
- <br>
- 
-<blockquote>   
+</blockquote>
+Entries in /etc/shorewall/ecn have two columns as follows:<br>
+<br>
+INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
+<br>
+HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or
+subnet) of a system or group of systems accessed through the
+&nbsp;interface in the first column. You may include a comma-separated
+list of such addresses in this column. <br>
+<br>
+Example: Your external interface is eth0 and you want to disable ECN
+for tcp connections to 192.0.2.0/24:<br>
+<br>
+In /etc/shorewall/ecn:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-     <tbody>
-       <tr>
-         <td valign="top"><b>INTERFACE<br>
-         </b></td>
-         <td valign="top"><b>HOST(S)<br>
-         </b></td>
-       </tr>
-       <tr>
-         <td valign="top">eth0<br>
-         </td>
-         <td valign="top">192.0.2.0/24<br>
-         </td>
-       </tr>
-     
-    </tbody>   
+    <tbody>
+      <tr>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>HOST(S)<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">eth0<br>
+        </td>
+        <td valign="top">192.0.2.0/24<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-   <br>
- </blockquote>
- <font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom    Eastep</a></font>
-   
+  <br>
+</blockquote>
+<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
+Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  </p>
- <br>
+</p>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm
index 21f87bed1..053895cc6 100644
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@@ -10,20 +10,11 @@
   <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<h1>Looking for Step by Step Configuration Instructions? Check out the <a
- href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
+<h1 style="text-align: center;">Shorewall FAQs<br>
 </h1>
+<h2>Looking for Step by Step Configuration Instructions? Check out the <a
+ href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
+</h2>
 <h1>PORT FORWARDING<br>
 </h1>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b>
@@ -41,8 +32,8 @@ connection
 to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
 </p>
 <p align="left"><span style="font-weight: bold;">30.<a
- href="file:///vfat/Shorewall-docs/FAQ.htm#faq30"> </a></span><a
- href="#faq30">I'm confused about <span style="font-weight: bold;">when</span>
+ href="FAQ.htm#faq30"> </a></span><a href="FAQ.htm#faq30">I'm confused
+about <span style="font-weight: bold;">when</span>
 to use <span style="font-weight: bold;">DNAT</span> rules <span
  style="font-weight: bold;">and when</span> to use <span
  style="font-weight: bold;">ACCEPT</span> rules. </a> </p>
@@ -53,7 +44,7 @@ requests to www.mydomain.com (IP 130.151.100.69)
 to system 192.168.1.5 in my local network. <b>External clients can
 browse</b> http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq2a">I have a zone "Z" with an
-RFC1918 subnet and I use <b>static NAT</b> to
+RFC1918 subnet and I use <b>one-to-one NAT</b> to
 assign non-RFC1918 addresses to hosts in Z.
 Hosts in Z cannot communicate with each other using their external
 (non-RFC1918 addresses) so they <b>can't access
@@ -109,6 +100,11 @@ getting <b>logged?</b></a><br>
 <b><br>
 21. </b><a href="#faq21">I see these <b>strange log entries </b>occasionally;
 what are they?</a><br>
+<h1>ROUTING</h1>
+<span style="font-weight: bold;">32. </span><a href="#faq32">My
+firewall has <span style="font-weight: bold;">two connections to the
+internet from two different ISPs</span>. How do I set this up in
+Shorewall?</a><br>
 <h1>STARTING AND STOPPING<br>
 </h1>
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
@@ -140,6 +136,9 @@ your <b>web site</b>?</a><br>
 <b><br>
 25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
 I am <b>running</b>?</a><br>
+<br>
+<span style="font-weight: bold;">31. </span><a href="#faq31">Does
+Shorewall provide protection against...</a><br>
 <h1>RFC 1918<br>
 </h1>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable
@@ -173,7 +172,15 @@ only<b> from specific IP Addresses</b> on the internet?</a><br>
 options in nmap</b> on or behind the firewall, I get "<b>operation not
 permitted</b>". How can I use nmap with Shorewall?"</a><br>
 <br>
-<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my
+<b><span style="font-weight: bold;">26a.&nbsp; </span></b><a
+ href="#faq26a">When I try
+to use the <span style="font-weight: bold;">"-O" option of nmap</span>
+from the firewall system, I get "<span style="font-weight: bold;">operation
+not permitted". </span>How to I allow this option?</a><b><span
+ style="font-weight: bold;"><a href="#faq26a"> </a><br>
+<br>
+</span>27. </b><a href="#faq27">I am compiling a <b>new kernel</b>
+for my
 firewall<b>.</b> What should I look out for?</a><br>
 <br>
 <b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
@@ -282,8 +289,9 @@ three things:</p>
 <ul>
   <li>You are trying to test from inside your firewall (no, that won't
 work -- see <a href="#faq2">FAQ #2</a>).</li>
-  <li>You have a more basic problem with your local system such as an
-incorrect default gateway configured (it should be set to the IP
+  <li>You have a more basic problem with your local system (the one
+that you are trying to forward to) such as an
+incorrect default gateway (it should be set to the IP
 address of your firewall's internal interface).</li>
   <li>Your ISP is blocking that particular port inbound.<br>
   </li>
@@ -306,8 +314,9 @@ packet count in the first column non-zero? If so, the connection
 request is reaching the firewall and is being redirected to the server.
 In this case, the problem is
 usually a missing or incorrect default gateway setting
-on the server (the server's default gateway should be the
-IP address of the firewall's interface to the server).</li>
+on the local system (the system you are trying to forward to -- its
+default gateway should be the
+IP address of the firewall's interface to that system).</li>
   <li>If the
 packet count is zero:</li>
   <ul>
@@ -328,6 +337,7 @@ ethereal to further diagnose the problem.<br>
 want to connect to port 1022 on my firewall and have the firewall
 forward the connection to port 22 on local system 192.168.1.3. How do I
 do that?</h4>
+In /etc/shorewall/rules:<br>
 <div align="left">
 <blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -377,7 +387,7 @@ Firewall, of course :-)</li>
 using a separate DNS server for local clients) such that
 www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5
 internally. That's what I do here at shorewall.net for my local systems
-that use static NAT.</li>
+that use one-to-one NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility
 problem rather than a DNS solution, then assuming that your external
@@ -401,7 +411,7 @@ please upgrade to Shorewall 1.4.2 or later.<br>
   <li>In /etc/shorewall/interfaces:</li>
 </ul>
 <blockquote>
-  <table cellpadding="2" cellspacing="0" border="1">
+  <table cellpadding="2" border="1">
     <tbody>
       <tr>
         <td valign="top">ZONE<br>
@@ -507,7 +517,8 @@ DHCP/PPPoE client to automatically restart Shorewall each time that you
 get a new IP address.</p>
 </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an
-RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to
+RFC1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses
+to
 hosts in Z. Hosts in Z cannot communicate with each other using their
 external (non-RFC1918 addresses) so they can't access each other using
 their DNS names.</h4>
@@ -521,7 +532,7 @@ solved using Bind Version 9 "views". It allows
 both external and internal clients to access
 a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch
-from static NAT to Proxy ARP. That way, the
+from one-to-one NAT to Proxy ARP. That way, the
 hosts in Z have non-RFC1918 addresses and can
 be accessed externally and internally using the same address.</p>
 <p align="left">If you don't like those solutions and prefer routing
@@ -984,9 +995,44 @@ cause of packets being logged in the FORWARD chain.<br>
   </li>
   <li><b>logflags </b>- The packet is being logged because it failed
 the checks implemented by the <b>tcpflags </b><a
- href="Documentation.htm#Interfaces">interface option</a>.<br>
-  </li>
+ href="Documentation.htm#Interfaces">interface option</a>.</li>
 </ol>
+<p align="left">Here is an example:</p>
+<font face="Century Gothic, Arial, Helvetica">
+<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
+Shorewall:<span style="text-decoration: underline;">all2all:REJECT</span>:<span
+ style="text-decoration: underline;">IN=eth2</span> <span
+ style="text-decoration: underline;">OUT=eth1</span> <span
+ style="text-decoration: underline;">SRC=192.168.2.2</span>
+<span style="text-decoration: underline;">DST=192.168.1.3</span> LEN=67
+TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF <span
+ style="text-decoration: underline;">PROTO=UDP</span>
+SPT=1803 <span style="text-decoration: underline;">DPT=53</span> LEN=47</font></p>
+</font>
+<p align="left">Let's look at the important parts of this message:</p>
+<ul>
+  <li>all2all:REJECT - This packet was REJECTed out of the <span
+ style="font-weight: bold;">all2all</span> chain -- the packet
+was rejected under the "all"-&gt;"all"
+REJECT policy (number 3 above).</li>
+  <li>IN=eth2 - the packet entered the firewall via eth2. If you see
+"IN=" with no interface name, the packet originated on the firewall
+itself.<br>
+  </li>
+  <li>OUT=eth1 - if accepted, the packet would be sent on eth1. If you
+see "OUT=" with no interface name, the packet would be processed by the
+firewall itself.<br>
+  </li>
+  <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
+  <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
+  <li>PROTO=UDP - UDP Protocol</li>
+  <li>DPT=53 - The destination port is 53 (DNS)<br>
+  </li>
+</ul>
+<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
+192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
+&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
+loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip
 addresses</b> with Shorewall, and maintain separate rulesets for
 different IPs?</h4>
@@ -1079,13 +1125,22 @@ Shorewall</b> I am <b>running</b>?<br>
 At the shell prompt, type:<br>
 <br>
 <font color="#009900"><b> /sbin/shorewall
-version</b></font><br>
+version<br>
+</b></font>
 <h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
 options in nmap on or behind the firewall, I get "operation not
 permitted".
 How can I use nmap with Shorewall?"</h4>
 Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
 "NEWNOTSYN=Yes" then restart Shorewall.<br>
+<br>
+<h4><a name="faq26a"></a><b><span style="font-weight: bold;">26a.&nbsp;
+</span></b>When I try to use the <span style="font-weight: bold;">"-O"
+option of nmap</span> from the firewall system, I get "<span
+ style="font-weight: bold;">operation not permitted". </span>How to I
+allow this option?</h4>
+Add this command to your /etc/shorewall/start file:<br>
+<pre style="margin-left: 40px;"><tt>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</tt><br></pre>
 <h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
 What
 should I look out for?</a></h4>
@@ -1118,8 +1173,208 @@ to allow connections from the internet to your local network. In all
 other cases, you use ACCEPT unless you need to hijack connections as
 they go through your firewall and handle them on the firewall box
 itself; in that case, you use a REDIRECT rule.<br>
+<h4><a name="faq31"></a>31. Does Shorewall provide protection
+against....</h4>
+<ol>
+  <li>IP Spoofing: Sending packets over the WAN interface using an
+internal LAP IP address as the source address? <span
+ style="font-weight: bold;">Answer: </span>Yes.</li>
+  <li>Tear Drop: Sending packets that contain overlapping fragments? <span
+ style="font-weight: bold;">Answer: </span>This is the responsibility
+of the IP stack, not the Netfilter-based firewall since fragment
+reassembly occurs before the stateful packet filter ever touches each
+packet.</li>
+  <li>Smurf and Fraggle: Sending packets that use the WAN or LAN
+broadcast address as the source address? <span
+ style="font-weight: bold;">Answer: </span>Shorewall can be configured
+to do that using the <a href="blacklisting_support.htm">blacklisting</a>
+facility.</li>
+  <li>Land Attack: Sending packets that use the same address as the
+source and destination address? <span style="font-weight: bold;">Answer:
+    </span>Yes, if the <a href="Documentation.htm#Interfaces">routefilter
+interface option</a> is selected.</li>
+  <li>DOS:<br>
+&nbsp;&nbsp; - SYN Dos<br>
+&nbsp;&nbsp; - ICMP Dos<br>
+&nbsp;&nbsp; - Per-host Dos protection<br>
+    <span style="font-weight: bold;">Answer: </span>Shorewall has
+facilities for limiting SYN and ICMP packets. Netfilter as included in
+standard Linux kernels doesn't support per-remote-host limiting except
+by explicit rule that specifies the host IP address; that form of
+limiting is supported by Shorewall.</li>
+</ol>
+<h4><a name="faq32"></a><span style="font-weight: bold;">32. </span>My
+firewall has two connections to the internet from two different ISPs.
+How do I set this up in Shorewall?</h4>
+Setting this up in Shorewall is easy; setting up the routing is a bit
+harder.<br>
 <br>
-<font size="2">Last updated 10/04/2003 - <a href="support.htm">Tom
+Assuming that eth0 and eth1 are the interfaces to the two ISPs then:<br>
+<br>
+/etc/shorewall/interfaces:<br>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber2">
+    <tbody>
+      <tr>
+        <td><u><b>ZONE</b></u></td>
+        <td><u><b>INTERFACE</b></u></td>
+        <td><u><b>BROADCAST</b></u></td>
+        <td><u><b>OPTIONS</b></u></td>
+      </tr>
+      <tr>
+        <td>net<br>
+        </td>
+        <td>eth0</td>
+        <td>detect<br>
+        </td>
+        <td>...<br>
+        </td>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">net<br>
+        </td>
+        <td style="vertical-align: top;">eth1<br>
+        </td>
+        <td style="vertical-align: top;">detect<br>
+        </td>
+        <td style="vertical-align: top;">...<br>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+/etc/shorewall/policy:<br>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+    <tbody>
+      <tr>
+        <td><u><b>SOURCE </b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>POLICY</b></u></td>
+        <td><u><b>LIMIT:BURST</b></u></td>
+      </tr>
+      <tr>
+        <td>net<br>
+        </td>
+        <td>net<br>
+        </td>
+        <td>DROP<br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<hr style="width: 100%; height: 2px;">The following information
+regarding setting up routing for this
+configuration is reproduced from the <a href="http://www.lartc.org">LARTC
+HOWTO</a> and has not been verified by the author. If you have
+questions or problems with the instructions given below, please post to
+the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.<br>
+<hr style="width: 100%; height: 2px;">A common configuration is the
+following, in which there are two providers
+that connect a local network (or even a single machine) to the big
+Internet.
+<pre class="SCREEN">                                                                 ________<br>                                          +------------+        /<br>                                          |            |       |<br>                            +-------------+ Provider 1 +-------<br>        __                  |             |            |     /<br>    ___/  \_         +------+-------+     +------------+    |<br>  _/        \__      |     if1      |                      /<br> /             \     |              |                      |<br>| Local network -----+ Linux router |                      |     Internet<br> \_           __/    |              |                      |<br>   \__     __/       |     if2      |                      \<br>      \___/          +------+-------+     +------------+    |<br>                            |             |            |     \<br>                            +-------------+ Provider 2 +-------<br>                                          |            |       |<br>                                          +------------+        \________</pre>
+<p>There are usually two questions given this setup.</p>
+<div class="SECT2">
+<h2 class="SECT2">Split access</h2>
+<p> The first is how to route answers to packets coming in over a
+particular provider, say Provider 1, back out again over that same
+provider. </p>
+<p> Let us first set some symbolical names. Let <b class="COMMAND">$IF1</b>
+be the name of the first interface (if1 in the picture above) and <b
+ class="COMMAND">$IF2</b> the name of the second interface. Then let <b
+ class="COMMAND">$IP1</b> be the IP address associated with <b
+ class="COMMAND">$IF1</b> and <b class="COMMAND">$IP2</b> the IP
+address associated with <b class="COMMAND">$IF2</b>. Next, let <b
+ class="COMMAND">$P1</b> be the IP address of the gateway at Provider
+1, and <b class="COMMAND">$P2</b> the IP address of the gateway at
+provider 2. Finally, let <b class="COMMAND">$P1_NET</b> be the IP
+network <b class="COMMAND">$P1</b> is in, and <b class="COMMAND">$P2_NET</b>
+the IP network <b class="COMMAND">$P2</b> is in. </p>
+<p> One creates two additional routing tables, say <b class="COMMAND">T1</b>
+and <b class="COMMAND">T2</b>. These are added in
+/etc/iproute2/rt_tables. Then you set up routing in these tables as
+follows: </p>
+<p> </p>
+<pre class="SCREEN">	  ip route add $P1_NET dev $IF1 src $IP1 table T1<br>	  ip route add default via $P1 table T1<br>	  ip route add $P2_NET dev $IF2 src $IP2 table T2<br>	  ip route add default via $P2 table T2<br>	</pre>
+Nothing spectacular, just build a route to the gateway and build a
+default route via that gateway, as you would do in the case of a single
+upstream provider, but put the routes in a separate table per provider.
+Note that the network route suffices, as it tells you how to find any
+host in that network, which includes the gateway, as specified above.
+<p> Next you set up the main routing table. It is a good idea to route
+things to the direct neighbour through the interface connected to that
+neighbour. Note the `src' arguments, they make sure the right outgoing
+IP address is chosen. </p>
+<pre class="SCREEN">	    ip route add $P1_NET dev $IF1 src $IP1<br>	    ip route add $P2_NET dev $IF2 src $IP2<br>	  </pre>
+Then, your preference for default route:
+<pre class="SCREEN">	    ip route add default via $P1<br>	  </pre>
+Next, you set up the routing rules. These actually choose what routing
+table to route with. You want to make sure that you route out a given
+interface if you already have the corresponding source address:
+<pre class="SCREEN">	    ip rule add from $IP1 table T1<br>	    ip rule add from $IP2 table T2<br>	  </pre>
+This set of commands makes sure all answers to traffic coming in on a
+particular interface get answered from that interface.
+<p> </p>
+<div class="WARNING">
+<table class="WARNING" width="100%" border="0">
+  <tbody>
+    <tr>
+      <td width="25" align="center" valign="top"><img
+ src="images/BD21298_.gif" hspace="5" alt="Warning" title=""
+ style="width: 13px; height: 13px;"></td>
+      <td align="left" valign="top">
+      <p>Reader Rod Roark notes: 'If $P0_NET is the local network and
+$IF0 is its interface,
+the following additional entries are desirable: </p>
+      <pre class="SCREEN">ip route add $P0_NET     dev $IF0 table T1<br>ip route add $P2_NET     dev $IF2 table T1<br>ip route add 127.0.0.0/8 dev lo   table T1<br>ip route add $P0_NET     dev $IF0 table T2<br>ip route add $P1_NET     dev $IF1 table T2<br>ip route add 127.0.0.0/8 dev lo   table T2                                      </pre>
+'</td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<p> Now, this is just the very basic setup. It will work for all
+processes running on the router itself, and for the local network, if
+it is masqueraded. If it is not, then you either have IP space from
+both providers or you are going to want to masquerade to one of the two
+providers. In both cases you will want to add rules selecting which
+provider to route out from based on the IP address of the machine in
+the local network. </p>
+</div>
+<div class="SECT2">
+<h2 class="SECT2">Load balancing</h2>
+<p> The second question is how to balance traffic going out over the
+two providers. This is actually not hard if you already have set up
+split access as above. </p>
+<p> Instead of choosing one of the two providers as your default route,
+you now set up the default route to be a multipath route. In the
+default kernel this will balance routes over the two providers. It is
+done as follows (once more building on the example in the section on
+split-access): </p>
+<pre class="SCREEN">	    ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \<br>	    nexthop via $P2 dev $IF2 weight 1<br>	  </pre>
+This will balance the routes over both providers. The <b
+ class="COMMAND">weight</b> parameters can be tweaked to favor one
+provider over the other.
+<p> Note that balancing will not be perfect, as it is route based, and
+routes are cached. This means that routes to often-used sites will
+always be over the same provider. </p>
+<p> Furthermore, if you really want to do this, you probably also want
+to look at Julian Anastasov's patches at <a
+ href="http://www.ssi.bg/%7Eja/#routes" target="_top">http://www.ssi.bg/~ja/#routes
+</a>, Julian's route patch page. They will make things nicer to work
+with. </p>
+</div>
+<hr style="width: 100%; height: 2px;">End of information reproduced
+from the LARTC HOWTO. If you have
+questions or problems with the instructions given above, please post to
+the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.
+<hr style="width: 100%; height: 2px;"><font size="2">Last updated
+11/20/2003 - <a href="support.htm">Tom
 Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/FTP.html b/Shorewall-docs/FTP.html
index b9311431e..f1291a564 100644
--- a/Shorewall-docs/FTP.html
+++ b/Shorewall-docs/FTP.html
@@ -8,19 +8,37 @@
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
 <h2></h2>
 <blockquote> </blockquote>
+<h1 style="text-align: center;">Shorewall and FTP<br>
+</h1>
+<hr style="width: 100%; height: 2px;">
+<p><span style="font-weight: bold;">NOTICE: </span>If you are running
+Mandrake 9.1 or 9.2 and are having problems with FTP, you have three
+choices:</p>
+<ol>
+  <li>Edit /usr/share/shorewall/firewall and replace this line:<br>
+    <br>
+&nbsp;&nbsp; <tt>for suffix in o gz ko ; do<br>
+    </tt><br>
+with<br>
+    <br>
+&nbsp;&nbsp; <tt>for suffix in o gz ko <span
+ style="font-weight: bold;">o.gz </span>; do<br>
+    <br>
+    </tt>and at a root shell prompt:<br>
+    <br>
+    <tt>&nbsp;<span style="font-weight: bold; color: rgb(0, 153, 0);">shorewall
+restart</span><br style="font-weight: bold; color: rgb(0, 153, 0);">
+    <br>
+    </tt></li>
+  <li>Install the Mandrake "cooker" version of Shorewall.<br>
+    <br>
+  </li>
+  <li>Upgrade to Shorewall 1.4.7 or later.<br>
+  </li>
+</ol>
+<hr style="width: 100%; height: 2px;">
 <p>FTP transfers involve two TCP connections. The first <u>control</u>
 connection goes from the FTP client to port 21 on the FTP server. This
 connection is used for logon and to send commands and responses between
@@ -30,7 +48,8 @@ connection is dependent on the <u>mode</u>
 that the client is operating in:<br>
 </p>
 <ul>
-  <li>Passive Mode (default for web browsers) -- The client issues a
+  <li>Passive Mode (often the default for web browsers) -- The client
+issues a
 PASV command. Upon receipt of this command, the server listens on a
 dynamically-allocated port then sends a PASV reply to the client. The
 PASV reply gives the IP address
@@ -91,13 +110,17 @@ that the
 modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
 Shorewall automatically
 loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
-and you can determine if they are loaded using the 'lsmod' command:<br>
+and you can determine if they are loaded using the 'lsmod' command. The
+&lt;<span style="font-style: italic;">kernel-version</span>&gt; may be
+obtained by typing<br>
 </p>
+<pre>	<span style="color: rgb(0, 153, 0);"><span
+ style="font-weight: bold;">uname -r</span></span>
+
+Example:<br></pre>
 <blockquote>
-  <p>Example:<br>
-  </p>
   <blockquote>
-    <pre>[root@lists etc]# lsmod<br>Module                  Size  Used by    Not tainted<br>autofs                 12148   0  (autoclean) (unused)<br>ipt_TOS                 1560  12  (autoclean)<br>ipt_LOG                 4120   5  (autoclean)<br>ipt_REDIRECT            1304   1  (autoclean)<br>ipt_REJECT              3736   4  (autoclean)<br>ipt_state               1048  13  (autoclean)<br>ip_nat_irc              3152   0  (unused)<br><b>ip_nat_ftp              3888   0  (unused)</b><br>ip_conntrack_irc        3984   1<br><b>ip_conntrack_ftp        5008   1</b><br>ipt_multiport           1144   2  (autoclean)<br>ipt_conntrack           1592   0  (autoclean)<br>iptable_filter          2316   1  (autoclean)<br>iptable_mangle          2680   1  (autoclean)<br>iptable_nat            20568   3  (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack           26088   5  (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables              14488  12  [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip                  42464   0  (unused)<br>e100                   50596   1<br>keybdev                 2752   0  (unused)<br>mousedev                5236   0  (unused)<br>hid                    20868   0  (unused)<br>input                   5632   0  [keybdev mousedev hid]<br>usb-uhci               24684   0  (unused)<br>usbcore                73280   1  [hid usb-uhci]<br>ext3                   64704   2<br>jbd                    47860   2  [ext3]<br>[root@lists etc]#<br></pre>
+    <pre>[root@lists etc]# lsmod<br>Module                  Size  Used by    Not tainted<br>autofs                 12148   0  (autoclean) (unused)<br>ipt_TOS                 1560  12  (autoclean)<br>ipt_LOG                 4120   5  (autoclean)<br>ipt_REDIRECT            1304   1  (autoclean)<br>ipt_REJECT              3736   4  (autoclean)<br>ipt_state               1048  13  (autoclean)<br>ip_nat_irc              3152   0  (unused)<br><b>ip_nat_ftp              3888   0  (unused)</b><br>ip_conntrack_irc        3984   1<br><b>ip_conntrack_ftp        5008   1</b><br>ipt_multiport           1144   2  (autoclean)<br>ipt_conntrack           1592   0  (autoclean)<br>iptable_filter          2316   1  (autoclean)<br>iptable_mangle          2680   1  (autoclean)<br>iptable_nat            20568   3  (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack           26088   5  (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc<br>					      ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp<br>                                              ipt_conntrack iptable_nat]<br>ip_tables              14488  12  [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state<br>                                  ipt_multiport ipt_conntrack iptable_filter<br>                                  iptable_mangle iptable_nat]<br>tulip                  42464   0  (unused)<br>e100                   50596   1<br>keybdev                 2752   0  (unused)<br>mousedev                5236   0  (unused)<br>hid                    20868   0  (unused)<br>input                   5632   0  [keybdev mousedev hid]<br>usb-uhci               24684   0  (unused)<br>usbcore                73280   1  [hid usb-uhci]<br>ext3                   64704   2<br>jbd                    47860   2  [ext3]<br>[root@lists etc]#<br></pre>
   </blockquote>
 </blockquote>
 <blockquote> </blockquote>
@@ -105,6 +128,12 @@ and you can determine if they are loaded using the 'lsmod' command:<br>
 directory, you need to set the MODULESDIR variable in
 /etc/shorewall/shorewall.conf to point to that directory.<br>
 </p>
+<p>If your FTP helper modules are compressed and have the names <span
+ style="font-style: italic;">ip_nat_ftp.o.gz </span>and <span
+ style="font-style: italic;">ip_conntrack_ftp.o.gz</span> then you will
+need Shorewall 1.4.7 or later if you want Shorewall to load them for
+you.<br>
+</p>
 <p>Server configuration is covered in <a href="Documentation.htm#Rules">the
 /etc/shorewall/rules documentation</a>,<br>
 </p>
@@ -203,7 +232,7 @@ to the net.<br>
   <p> </p>
 </blockquote>
 <blockquote> </blockquote>
-<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 12/01/2003 - </font><font size="2"> <a
  href="support.htm">Tom Eastep</a></font> </p>
 <a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/GenericTunnels.html b/Shorewall-docs/GenericTunnels.html
index 6509a4249..6340f2f85 100644
--- a/Shorewall-docs/GenericTunnels.html
+++ b/Shorewall-docs/GenericTunnels.html
@@ -8,17 +8,8 @@
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Generic Tunnels<br>
+</h1>
 Shorewall includes built-in support for a wide range of VPN solutions.
 If you have need for a tunnel type that does not have explicit support,
 you can generally describe the tunneling software using "generic
diff --git a/Shorewall-docs/GnuCopyright.htm b/Shorewall-docs/GnuCopyright.htm
index ef2028032..cd238fe96 100644
--- a/Shorewall-docs/GnuCopyright.htm
+++ b/Shorewall-docs/GnuCopyright.htm
@@ -1,341 +1,420 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
- 
   <meta http-equiv="Content-Language" content="en-us">
- 
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
- 
   <meta name="ProgId" content="FrontPage.Editor.Document">
- 
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Copyright</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-   <tbody>
-    <tr>
-     <td width="100%">     
-      <h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
-     </td>
-   </tr>
- 
-  </tbody>
-</table>
- 
+<body>
+<h1 style="text-align: center;">GNU Free Documentation License<br>
+</h1>
 <p>Version 1.1, March 2000 </p>
- 
 <pre>Copyright (C) 2000  Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA  02111-1307  USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
- 
 <p><strong>0. PREAMBLE</strong> </p>
- 
-<p>The purpose of this License is to make a manual, textbook, or other written 
-document "free" in the sense of freedom: to assure everyone the effective 
-freedom to copy and redistribute it, with or without modifying it, either 
-commercially or noncommercially. Secondarily, this License preserves for
-the author and publisher a way to get credit for their work, while not being 
-considered responsible for modifications made by others. </p>
- 
-<p>This License is a kind of "copyleft", which means that derivative works
-of the document must themselves be free in the same sense. It complements
-the GNU General Public License, which is a copyleft license designed for
+<p>The purpose of this License is to make a manual, textbook, or other
+written document "free" in the sense of freedom: to assure everyone the
+effective freedom to copy and redistribute it, with or without
+modifying it, either commercially or noncommercially. Secondarily, this
+License preserves for
+the author and publisher a way to get credit for their work, while not
+being considered responsible for modifications made by others. </p>
+<p>This License is a kind of "copyleft", which means that derivative
+works
+of the document must themselves be free in the same sense. It
+complements
+the GNU General Public License, which is a copyleft license designed
+for
 free software. </p>
- 
-<p>We have designed this License in order to use it for manuals for free software,
-because free software needs free documentation: a free program should come
-with manuals providing the same freedoms that the software does. But this 
-License is not limited to software manuals; it can be used for any textual
-work, regardless of subject matter or whether it is published as a printed
-book. We recommend this License principally for works whose purpose is instruction
+<p>We have designed this License in order to use it for manuals for
+free software,
+because free software needs free documentation: a free program should
+come
+with manuals providing the same freedoms that the software does. But
+this License is not limited to software manuals; it can be used for any
+textual
+work, regardless of subject matter or whether it is published as a
+printed
+book. We recommend this License principally for works whose purpose is
+instruction
 or reference. </p>
- 
 <p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
- 
-<p>This License applies to any manual or other work that contains a notice 
-placed by the copyright holder saying it can be distributed under the terms
-of this License. The "Document", below, refers to any such manual or work.
+<p>This License applies to any manual or other work that contains a
+notice placed by the copyright holder saying it can be distributed
+under the terms
+of this License. The "Document", below, refers to any such manual or
+work.
 Any member of the public is a licensee, and is addressed as "you". </p>
- 
-<p>A "Modified Version" of the Document means any work containing the Document 
-or a portion of it, either copied verbatim, or with modifications and/or translated
+<p>A "Modified Version" of the Document means any work containing the
+Document or a portion of it, either copied verbatim, or with
+modifications and/or translated
 into another language. </p>
- 
-<p>A "Secondary Section" is a named appendix or a front-matter section of
-the Document that deals exclusively with the relationship of the publishers
-or authors of the Document to the Document's overall subject (or to related 
-matters) and contains nothing that could fall directly within that overall 
-subject. (For example, if the Document is in part a textbook of mathematics,
-a Secondary Section may not explain any mathematics.) The relationship could
-be a matter of historical connection with the subject or with related matters,
-or of legal, commercial, philosophical, ethical or political position regarding
+<p>A "Secondary Section" is a named appendix or a front-matter section
+of
+the Document that deals exclusively with the relationship of the
+publishers
+or authors of the Document to the Document's overall subject (or to
+related matters) and contains nothing that could fall directly within
+that overall subject. (For example, if the Document is in part a
+textbook of mathematics,
+a Secondary Section may not explain any mathematics.) The relationship
+could
+be a matter of historical connection with the subject or with related
+matters,
+or of legal, commercial, philosophical, ethical or political position
+regarding
 them. </p>
- 
-<p>The "Invariant Sections" are certain Secondary Sections whose titles are 
-designated, as being those of Invariant Sections, in the notice that says
+<p>The "Invariant Sections" are certain Secondary Sections whose titles
+are designated, as being those of Invariant Sections, in the notice
+that says
 that the Document is released under this License. </p>
- 
-<p>The "Cover Texts" are certain short passages of text that are listed,
-as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
+<p>The "Cover Texts" are certain short passages of text that are
+listed,
+as Front-Cover Texts or Back-Cover Texts, in the notice that says that
+the
 Document is released under this License. </p>
- 
-<p>A "Transparent" copy of the Document means a machine-readable copy, represented
-in a format whose specification is available to the general public, whose
-contents can be viewed and edited directly and straightforwardly with generic
-text editors or (for images composed of pixels) generic paint programs or
-(for drawings) some widely available drawing editor, and that is suitable
-for input to text formatters or for automatic translation to a variety of
-formats suitable for input to text formatters. A copy made in an otherwise
-Transparent file format whose markup has been designed to thwart or discourage
-subsequent modification by readers is not Transparent. A copy that is not
+<p>A "Transparent" copy of the Document means a machine-readable copy,
+represented
+in a format whose specification is available to the general public,
+whose
+contents can be viewed and edited directly and straightforwardly with
+generic
+text editors or (for images composed of pixels) generic paint programs
+or
+(for drawings) some widely available drawing editor, and that is
+suitable
+for input to text formatters or for automatic translation to a variety
+of
+formats suitable for input to text formatters. A copy made in an
+otherwise
+Transparent file format whose markup has been designed to thwart or
+discourage
+subsequent modification by readers is not Transparent. A copy that is
+not
 "Transparent" is called "Opaque". </p>
- 
-<p>Examples of suitable formats for Transparent copies include plain ASCII 
-without markup, Texinfo input format, LaTeX input format, SGML or XML using
-a publicly available DTD, and standard-conforming simple HTML designed for
-human modification. Opaque formats include PostScript, PDF, proprietary formats
-that can be read and edited only by proprietary word processors, SGML or
-XML for which the DTD and/or processing tools are not generally available,
-and the machine-generated HTML produced by some word processors for output
+<p>Examples of suitable formats for Transparent copies include plain
+ASCII without markup, Texinfo input format, LaTeX input format, SGML or
+XML using
+a publicly available DTD, and standard-conforming simple HTML designed
+for
+human modification. Opaque formats include PostScript, PDF, proprietary
+formats
+that can be read and edited only by proprietary word processors, SGML
+or
+XML for which the DTD and/or processing tools are not generally
+available,
+and the machine-generated HTML produced by some word processors for
+output
 purposes only. </p>
- 
-<p>The "Title Page" means, for a printed book, the title page itself, plus
-such following pages as are needed to hold, legibly, the material this License 
-requires to appear in the title page. For works in formats which do not have
-any title page as such, "Title Page" means the text near the most prominent 
-appearance of the work's title, preceding the beginning of the body of the
+<p>The "Title Page" means, for a printed book, the title page itself,
+plus
+such following pages as are needed to hold, legibly, the material this
+License requires to appear in the title page. For works in formats
+which do not have
+any title page as such, "Title Page" means the text near the most
+prominent appearance of the work's title, preceding the beginning of
+the body of the
 text. </p>
- 
 <p><strong>2. VERBATIM COPYING</strong> </p>
- 
-<p>You may copy and distribute the Document in any medium, either commercially 
-or noncommercially, provided that this License, the copyright notices, and
-the license notice saying this License applies to the Document are reproduced
-in all copies, and that you add no other conditions whatsoever to those of
-this License. You may not use technical measures to obstruct or control the
-reading or further copying of the copies you make or distribute. However,
-you may accept compensation in exchange for copies. If you distribute a large
-enough number of copies you must also follow the conditions in section 3.
+<p>You may copy and distribute the Document in any medium, either
+commercially or noncommercially, provided that this License, the
+copyright notices, and
+the license notice saying this License applies to the Document are
+reproduced
+in all copies, and that you add no other conditions whatsoever to those
+of
+this License. You may not use technical measures to obstruct or control
+the
+reading or further copying of the copies you make or distribute.
+However,
+you may accept compensation in exchange for copies. If you distribute a
+large
+enough number of copies you must also follow the conditions in section
+3.
 </p>
- 
-<p>You may also lend copies, under the same conditions stated above, and
+<p>You may also lend copies, under the same conditions stated above,
+and
 you may publicly display copies. </p>
- 
 <p><strong>3. COPYING IN QUANTITY</strong> </p>
- 
-<p>If you publish printed copies of the Document numbering more than 100,
-and the Document's license notice requires Cover Texts, you must enclose
-the copies in covers that carry, clearly and legibly, all these Cover Texts:
-Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
-Both covers must also clearly and legibly identify you as the publisher of
-these copies. The front cover must present the full title with all words
-of the title equally prominent and visible. You may add other material on
-the covers in addition. Copying with changes limited to the covers, as long
-as they preserve the title of the Document and satisfy these conditions,
+<p>If you publish printed copies of the Document numbering more than
+100,
+and the Document's license notice requires Cover Texts, you must
+enclose
+the copies in covers that carry, clearly and legibly, all these Cover
+Texts:
+Front-Cover Texts on the front cover, and Back-Cover Texts on the back
+cover.
+Both covers must also clearly and legibly identify you as the publisher
+of
+these copies. The front cover must present the full title with all
+words
+of the title equally prominent and visible. You may add other material
+on
+the covers in addition. Copying with changes limited to the covers, as
+long
+as they preserve the title of the Document and satisfy these
+conditions,
 can be treated as verbatim copying in other respects. </p>
- 
-<p>If the required texts for either cover are too voluminous to fit legibly,
-you should put the first ones listed (as many as fit reasonably) on the actual 
-cover, and continue the rest onto adjacent pages. </p>
- 
-<p>If you publish or distribute Opaque copies of the Document numbering more 
-than 100, you must either include a machine-readable Transparent copy along
-with each Opaque copy, or state in or with each Opaque copy a publicly-accessible 
-computer-network location containing a complete Transparent copy of the Document,
-free of added material, which the general network-using public has access
-to download anonymously at no charge using public-standard network protocols.
-If you use the latter option, you must take reasonably prudent steps, when
-you begin distribution of Opaque copies in quantity, to ensure that this Transparent
-copy will remain thus accessible at the stated location until at least one
-year after the last time you distribute an Opaque copy (directly or through
+<p>If the required texts for either cover are too voluminous to fit
+legibly,
+you should put the first ones listed (as many as fit reasonably) on the
+actual cover, and continue the rest onto adjacent pages. </p>
+<p>If you publish or distribute Opaque copies of the Document numbering
+more than 100, you must either include a machine-readable Transparent
+copy along
+with each Opaque copy, or state in or with each Opaque copy a
+publicly-accessible computer-network location containing a complete
+Transparent copy of the Document,
+free of added material, which the general network-using public has
+access
+to download anonymously at no charge using public-standard network
+protocols.
+If you use the latter option, you must take reasonably prudent steps,
+when
+you begin distribution of Opaque copies in quantity, to ensure that
+this Transparent
+copy will remain thus accessible at the stated location until at least
+one
+year after the last time you distribute an Opaque copy (directly or
+through
 your agents or retailers) of that edition to the public. </p>
- 
-<p>It is requested, but not required, that you contact the authors of the 
-Document well before redistributing any large number of copies, to give them
+<p>It is requested, but not required, that you contact the authors of
+the Document well before redistributing any large number of copies, to
+give them
 a chance to provide you with an updated version of the Document. </p>
- 
 <p><strong>4. MODIFICATIONS</strong> </p>
- 
-<p>You may copy and distribute a Modified Version of the Document under the 
-conditions of sections 2 and 3 above, provided that you release the Modified 
-Version under precisely this License, with the Modified Version filling the
-role of the Document, thus licensing distribution and modification of the
-Modified Version to whoever possesses a copy of it. In addition, you must
+<p>You may copy and distribute a Modified Version of the Document under
+the conditions of sections 2 and 3 above, provided that you release the
+Modified Version under precisely this License, with the Modified
+Version filling the
+role of the Document, thus licensing distribution and modification of
+the
+Modified Version to whoever possesses a copy of it. In addition, you
+must
 do these things in the Modified Version: </p>
- 
-<p> </p>
- 
+<p>&nbsp;</p>
 <ul>
-   <li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
-a   title distinct from that of the Document, and from those of previous
-versions   (which should, if there were any, be listed in the History section
-of the   Document). You may use the same title as a previous version if the
-original   publisher of that version gives permission. </li>
-   <li><strong>B.</strong> List on the Title Page, as authors, one or more 
-  persons or entities responsible for authorship of the modifications in
-the   Modified Version, together with at least five of the principal authors
-of the   Document (all of its principal authors, if it has less than five).
-  </li>
-   <li><strong>C.</strong> State on the Title page the name of the publisher
-of   the Modified Version, as the publisher. </li>
-   <li><strong>D.</strong> Preserve all the copyright notices of the Document. 
-  </li>
-   <li><strong>E.</strong> Add an appropriate copyright notice for your 
- modifications adjacent to the other copyright notices. </li>
-   <li><strong>F.</strong> Include, immediately after the copyright notices,
-a   license notice giving the public permission to use the Modified Version
-under   the terms of this License, in the form shown in the Addendum below.
-  </li>
-   <li><strong>G.</strong> Preserve in that license notice the full lists
-of   Invariant Sections and required Cover Texts given in the Document's
-license   notice. </li>
-   <li><strong>H.</strong> Include an unaltered copy of this License. </li>
-   <li><strong>I.</strong> Preserve the section entitled "History", and its 
-  title, and add to it an item stating at least the title, year, new authors, 
-  and publisher of the Modified Version as given on the Title Page. If there
-is   no section entitled "History" in the Document, create one stating the
-title,   year, authors, and publisher of the Document as given on its Title
-Page, then   add an item describing the Modified Version as stated in the
-previous   sentence. </li>
-   <li><strong>J.</strong> Preserve the network location, if any, given in
-the   Document for public access to a Transparent copy of the Document, and
-likewise   the network locations given in the Document for previous versions
-it was based   on. These may be placed in the "History" section. You may
-omit a network   location for a work that was published at least four years
-before the Document   itself, or if the original publisher of the version
-it refers to gives   permission. </li>
-   <li><strong>K.</strong> In any section entitled "Acknowledgements" or 
- "Dedications", preserve the section's title, and preserve in the section
-all   the substance and tone of each of the contributor acknowledgements
-and/or   dedications given therein. </li>
-   <li><strong>L.</strong> Preserve all the Invariant Sections of the Document, 
-  unaltered in their text and in their titles. Section numbers or the equivalent 
-  are not considered part of the section titles. </li>
-   <li><strong>M.</strong> Delete any section entitled "Endorsements". Such
-a   section may not be included in the Modified Version. </li>
-   <li><strong>N.</strong> Do not retitle any existing section as "Endorsements" 
-  or to conflict in title with any Invariant Section. </li>
- 
+  <li><strong>A.</strong> Use in the Title Page (and on the covers, if
+any)
+a title distinct from that of the Document, and from those of previous
+versions (which should, if there were any, be listed in the History
+section
+of the Document). You may use the same title as a previous version if
+the
+original publisher of that version gives permission. </li>
+  <li><strong>B.</strong> List on the Title Page, as authors, one or
+more persons or entities responsible for authorship of the
+modifications in
+the Modified Version, together with at least five of the principal
+authors
+of the Document (all of its principal authors, if it has less than
+five). </li>
+  <li><strong>C.</strong> State on the Title page the name of the
+publisher
+of the Modified Version, as the publisher. </li>
+  <li><strong>D.</strong> Preserve all the copyright notices of the
+Document. </li>
+  <li><strong>E.</strong> Add an appropriate copyright notice for your
+modifications adjacent to the other copyright notices. </li>
+  <li><strong>F.</strong> Include, immediately after the copyright
+notices,
+a license notice giving the public permission to use the Modified
+Version
+under the terms of this License, in the form shown in the Addendum
+below. </li>
+  <li><strong>G.</strong> Preserve in that license notice the full
+lists
+of Invariant Sections and required Cover Texts given in the Document's
+license notice. </li>
+  <li><strong>H.</strong> Include an unaltered copy of this License. </li>
+  <li><strong>I.</strong> Preserve the section entitled "History", and
+its title, and add to it an item stating at least the title, year, new
+authors, and publisher of the Modified Version as given on the Title
+Page. If there
+is no section entitled "History" in the Document, create one stating
+the
+title, year, authors, and publisher of the Document as given on its
+Title
+Page, then add an item describing the Modified Version as stated in the
+previous sentence. </li>
+  <li><strong>J.</strong> Preserve the network location, if any, given
+in
+the Document for public access to a Transparent copy of the Document,
+and
+likewise the network locations given in the Document for previous
+versions
+it was based on. These may be placed in the "History" section. You may
+omit a network location for a work that was published at least four
+years
+before the Document itself, or if the original publisher of the version
+it refers to gives permission. </li>
+  <li><strong>K.</strong> In any section entitled "Acknowledgements" or
+"Dedications", preserve the section's title, and preserve in the
+section
+all the substance and tone of each of the contributor acknowledgements
+and/or dedications given therein. </li>
+  <li><strong>L.</strong> Preserve all the Invariant Sections of the
+Document, unaltered in their text and in their titles. Section numbers
+or the equivalent are not considered part of the section titles. </li>
+  <li><strong>M.</strong> Delete any section entitled "Endorsements".
+Such
+a section may not be included in the Modified Version. </li>
+  <li><strong>N.</strong> Do not retitle any existing section as
+"Endorsements" or to conflict in title with any Invariant Section. </li>
 </ul>
- 
-<p>If the Modified Version includes new front-matter sections or appendices
-that qualify as Secondary Sections and contain no material copied from the
-Document, you may at your option designate some or all of these sections
-as invariant. To do this, add their titles to the list of Invariant Sections
-in the Modified Version's license notice. These titles must be distinct from
+<p>If the Modified Version includes new front-matter sections or
+appendices
+that qualify as Secondary Sections and contain no material copied from
+the
+Document, you may at your option designate some or all of these
+sections
+as invariant. To do this, add their titles to the list of Invariant
+Sections
+in the Modified Version's license notice. These titles must be distinct
+from
 any other section titles. </p>
- 
-<p>You may add a section entitled "Endorsements", provided it contains nothing 
-but endorsements of your Modified Version by various parties--for example, 
-statements of peer review or that the text has been approved by an organization 
-as the authoritative definition of a standard. </p>
- 
-<p>You may add a passage of up to five words as a Front-Cover Text, and a 
-passage of up to 25 words as a Back-Cover Text, to the end of the list of
-Cover Texts in the Modified Version. Only one passage of Front-Cover Text
-and one of Back-Cover Text may be added by (or through arrangements made
-by) any one entity. If the Document already includes a cover text for the
-same cover, previously added by you or by arrangement made by the same entity
-you are acting on behalf of, you may not add another; but you may replace
-the old one, on explicit permission from the previous publisher that added
+<p>You may add a section entitled "Endorsements", provided it contains
+nothing but endorsements of your Modified Version by various
+parties--for example, statements of peer review or that the text has
+been approved by an organization as the authoritative definition of a
+standard. </p>
+<p>You may add a passage of up to five words as a Front-Cover Text, and
+a passage of up to 25 words as a Back-Cover Text, to the end of the
+list of
+Cover Texts in the Modified Version. Only one passage of Front-Cover
+Text
+and one of Back-Cover Text may be added by (or through arrangements
+made
+by) any one entity. If the Document already includes a cover text for
+the
+same cover, previously added by you or by arrangement made by the same
+entity
+you are acting on behalf of, you may not add another; but you may
+replace
+the old one, on explicit permission from the previous publisher that
+added
 the old one. </p>
- 
-<p>The author(s) and publisher(s) of the Document do not by this License
-give permission to use their names for publicity for or to assert or imply 
-endorsement of any Modified Version. </p>
- 
+<p>The author(s) and publisher(s) of the Document do not by this
+License
+give permission to use their names for publicity for or to assert or
+imply endorsement of any Modified Version. </p>
 <p><strong>5. COMBINING DOCUMENTS</strong> </p>
- 
-<p>You may combine the Document with other documents released under this License,
-under the terms defined in section 4 above for modified versions, provided
-that you include in the combination all of the Invariant Sections of all
-of the original documents, unmodified, and list them all as Invariant Sections
+<p>You may combine the Document with other documents released under
+this License,
+under the terms defined in section 4 above for modified versions,
+provided
+that you include in the combination all of the Invariant Sections of
+all
+of the original documents, unmodified, and list them all as Invariant
+Sections
 of your combined work in its license notice. </p>
- 
-<p>The combined work need only contain one copy of this License, and multiple 
-identical Invariant Sections may be replaced with a single copy. If there
-are multiple Invariant Sections with the same name but different contents,
-make the title of each such section unique by adding at the end of it, in
-parentheses, the name of the original author or publisher of that section
-if known, or else a unique number. Make the same adjustment to the section
-titles in the list of Invariant Sections in the license notice of the combined
+<p>The combined work need only contain one copy of this License, and
+multiple identical Invariant Sections may be replaced with a single
+copy. If there
+are multiple Invariant Sections with the same name but different
+contents,
+make the title of each such section unique by adding at the end of it,
+in
+parentheses, the name of the original author or publisher of that
+section
+if known, or else a unique number. Make the same adjustment to the
+section
+titles in the list of Invariant Sections in the license notice of the
+combined
 work. </p>
- 
-<p>In the combination, you must combine any sections entitled "History" in
-the various original documents, forming one section entitled "History"; likewise 
-combine any sections entitled "Acknowledgements", and any sections entitled 
-"Dedications". You must delete all sections entitled "Endorsements." </p>
- 
+<p>In the combination, you must combine any sections entitled "History"
+in
+the various original documents, forming one section entitled "History";
+likewise combine any sections entitled "Acknowledgements", and any
+sections entitled "Dedications". You must delete all sections entitled
+"Endorsements." </p>
 <p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
- 
-<p>You may make a collection consisting of the Document and other documents 
-released under this License, and replace the individual copies of this License 
-in the various documents with a single copy that is included in the collection, 
-provided that you follow the rules of this License for verbatim copying of
+<p>You may make a collection consisting of the Document and other
+documents released under this License, and replace the individual
+copies of this License in the various documents with a single copy that
+is included in the collection, provided that you follow the rules of
+this License for verbatim copying of
 each of the documents in all other respects. </p>
- 
-<p>You may extract a single document from such a collection, and distribute
-it individually under this License, provided you insert a copy of this License
-into the extracted document, and follow this License in all other respects
+<p>You may extract a single document from such a collection, and
+distribute
+it individually under this License, provided you insert a copy of this
+License
+into the extracted document, and follow this License in all other
+respects
 regarding verbatim copying of that document. </p>
- 
 <p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
- 
-<p>A compilation of the Document or its derivatives with other separate and 
-independent documents or works, in or on a volume of a storage or distribution 
-medium, does not as a whole count as a Modified Version of the Document, provided
-no compilation copyright is claimed for the compilation. Such a compilation
-is called an "aggregate", and this License does not apply to the other self-contained
-works thus compiled with the Document, on account of their being thus compiled,
+<p>A compilation of the Document or its derivatives with other separate
+and independent documents or works, in or on a volume of a storage or
+distribution medium, does not as a whole count as a Modified Version of
+the Document, provided
+no compilation copyright is claimed for the compilation. Such a
+compilation
+is called an "aggregate", and this License does not apply to the other
+self-contained
+works thus compiled with the Document, on account of their being thus
+compiled,
 if they are not themselves derivative works of the Document. </p>
- 
-<p>If the Cover Text requirement of section 3 is applicable to these copies
-of the Document, then if the Document is less than one quarter of the entire 
-aggregate, the Document's Cover Texts may be placed on covers that surround
-only the Document within the aggregate. Otherwise they must appear on covers
+<p>If the Cover Text requirement of section 3 is applicable to these
+copies
+of the Document, then if the Document is less than one quarter of the
+entire aggregate, the Document's Cover Texts may be placed on covers
+that surround
+only the Document within the aggregate. Otherwise they must appear on
+covers
 around the whole aggregate. </p>
- 
 <p><strong>8. TRANSLATION</strong> </p>
- 
-<p>Translation is considered a kind of modification, so you may distribute 
-translations of the Document under the terms of section 4. Replacing Invariant 
-Sections with translations requires special permission from their copyright 
-holders, but you may include translations of some or all Invariant Sections
-in addition to the original versions of these Invariant Sections. You may
-include a translation of this License provided that you also include the
-original English version of this License. In case of a disagreement between
-the translation and the original English version of this License, the original
+<p>Translation is considered a kind of modification, so you may
+distribute translations of the Document under the terms of section 4.
+Replacing Invariant Sections with translations requires special
+permission from their copyright holders, but you may include
+translations of some or all Invariant Sections
+in addition to the original versions of these Invariant Sections. You
+may
+include a translation of this License provided that you also include
+the
+original English version of this License. In case of a disagreement
+between
+the translation and the original English version of this License, the
+original
 English version will prevail. </p>
- 
 <p><strong>9. TERMINATION</strong> </p>
- 
-<p>You may not copy, modify, sublicense, or distribute the Document except
-as expressly provided for under this License. Any other attempt to copy,
-modify, sublicense or distribute the Document is void, and will automatically
-terminate your rights under this License. However, parties who have received
-copies, or rights, from you under this License will not have their licenses
+<p>You may not copy, modify, sublicense, or distribute the Document
+except
+as expressly provided for under this License. Any other attempt to
+copy,
+modify, sublicense or distribute the Document is void, and will
+automatically
+terminate your rights under this License. However, parties who have
+received
+copies, or rights, from you under this License will not have their
+licenses
 terminated so long as such parties remain in full compliance. </p>
- 
 <p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
- 
-<p>The Free Software Foundation may publish new, revised versions of the
-GNU Free Documentation License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
+<p>The Free Software Foundation may publish new, revised versions of
+the
+GNU Free Documentation License from time to time. Such new versions
+will
+be similar in spirit to the present version, but may differ in detail
+to
 address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
- 
-<p>Each version of the License is given a distinguishing version number.
-If the Document specifies that a particular numbered version of this License
-"or any later version" applies to it, you have the option of following the
-terms and conditions either of that specified version or of any later version
-that has been published (not as a draft) by the Free Software Foundation.
-If the Document does not specify a version number of this License, you may
-choose any version ever published (not as a draft) by the Free Software Foundation.
+<p>Each version of the License is given a distinguishing version
+number.
+If the Document specifies that a particular numbered version of this
+License
+"or any later version" applies to it, you have the option of following
+the
+terms and conditions either of that specified version or of any later
+version
+that has been published (not as a draft) by the Free Software
+Foundation.
+If the Document does not specify a version number of this License, you
+may
+choose any version ever published (not as a draft) by the Free Software
+Foundation.
 </p>
- 
-<p align="left"> </p>
-  <br>
+<p align="left">&nbsp;</p>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/IPIP.htm b/Shorewall-docs/IPIP.htm
index 28370194a..74069fa5d 100644
--- a/Shorewall-docs/IPIP.htm
+++ b/Shorewall-docs/IPIP.htm
@@ -1,98 +1,71 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>GRE/IPIP Tunnels</title>
-       
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-    <tbody>
-     <tr>
-      <td width="100%">       
-      <h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
-      </td>
-    </tr>
-    
-  </tbody> 
-</table>
-  
-<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure 
-when used over the internet; use them at your own risk</h3>
-  
-<p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded 
-networks.</p>
-  
-<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux 
-Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall 
-also includes a tunnel script for automating tunnel configuration. If you 
-have installed the RPM, the tunnel script may be found in the Shorewall documentation 
-directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
-  
+<body>
+<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
+</h1>
+<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
+insecure when used over the internet; use them at your own risk</h3>
+<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
+masqueraded networks.</p>
+<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
+Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
+Shorewall also includes a tunnel script for automating tunnel
+configuration. If you have installed the RPM, the tunnel script may be
+found in the Shorewall documentation directory (usually
+/usr/share/doc/shorewall-&lt;version&gt;/).</p>
 <h2>Bridging two Masqueraded Networks</h2>
-  
 <p>Suppose that we have the following situation:</p>
-  
-<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
- height="427">
- </p>
-  
-<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able 
-to communicate with the systems in the 10.0.0.0/8 network. This is accomplished 
-through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy 
-file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
-  
-<p align="left">The 'tunnel' script is not installed in /etc/shorewall by 
-default -- If you install using the tarball, the script is included in the 
-tarball; if you install using the RPM, the file is in your Shorewall documentation 
-directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
-  
-<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type' 
-parameter to the type of tunnel that you want to create.</p>
-  
+<p align="center"> <img border="0" src="images/TwoNets1.png"
+ width="745" height="427"> </p>
+<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
+able to communicate with the systems in the 10.0.0.0/8 network. This is
+accomplished through use of the /etc/shorewall/tunnels file, the
+/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
+included with Shorewall.</p>
+<p align="left">The 'tunnel' script is not installed in /etc/shorewall
+by default -- If you install using the tarball, the script is included
+in the tarball; if you install using the RPM, the file is in your
+Shorewall documentation directory (normally
+/usr/share/doc/shorewall-&lt;version&gt;).</p>
+<p align="left">In the /etc/shorewall/tunnel script, set the
+'tunnel_type' parameter to the type of tunnel that you want to create.</p>
 <p align="left">Example:</p>
-  
-<blockquote>   
+<blockquote>
   <p align="left">tunnel_type=gre</p>
-  </blockquote>
-  
-<p align="left">On each firewall, you will need to declare a zone to represent 
- the remote subnet. We'll assume that this zone is called 'vpn' and declare 
-it in  /etc/shorewall/zones on both systems as follows.</p>
-  
-<blockquote>   
+</blockquote>
+<p align="left">On each firewall, you will need to declare a zone to
+represent the remote subnet. We'll assume that this zone is called
+'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-                 <tbody>
-       <tr>
-                <td><strong>ZONE</strong></td>
-                <td><strong>DISPLAY</strong></td>
-                <td><strong>COMMENTS</strong></td>
-            </tr>
-            <tr>
-                <td>vpn</td>
-                <td>VPN</td>
-                <td>Remote Subnet</td>
-            </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><strong>ZONE</strong></td>
+        <td><strong>DISPLAY</strong></td>
+        <td><strong>COMMENTS</strong></td>
+      </tr>
+      <tr>
+        <td>vpn</td>
+        <td>VPN</td>
+        <td>Remote Subnet</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
+</blockquote>
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
+zone.
 In /etc/shorewall/interfaces:</p>
-  
-<blockquote>   
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-      <tbody>
-       <tr>
+    <tbody>
+      <tr>
         <td><b>ZONE</b></td>
         <td><b>INTERFACE</b></td>
         <td><b>BROADCAST</b></td>
@@ -102,19 +75,17 @@ In /etc/shorewall/interfaces:</p>
         <td>vpn</td>
         <td>tosysb</td>
         <td>10.255.255.255</td>
-        <td> </td>
+        <td>&nbsp;</td>
       </tr>
-      
-    </tbody>   
+    </tbody>
   </table>
-  </blockquote>
-  
-<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
-  
-<blockquote>   
+</blockquote>
+<p align="left">In /etc/shorewall/tunnels on system A, we need the
+following:</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-      <tbody>
-       <tr>
+    <tbody>
+      <tr>
         <td><b>TYPE</b></td>
         <td><b>ZONE</b></td>
         <td><b>GATEWAY</b></td>
@@ -124,34 +95,29 @@ In /etc/shorewall/interfaces:</p>
         <td>ipip</td>
         <td>net</td>
         <td>134.28.54.2</td>
-        <td> </td>
+        <td>&nbsp;</td>
       </tr>
-      
-    </tbody>   
+    </tbody>
   </table>
-  </blockquote>
-  
-<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP 
- encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
-  
+</blockquote>
+<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
+IP encapsulation protocol (4) will be accepted to/from the remote
+gateway.</p>
 <p>In the tunnel script on system A:</p>
-  
-<blockquote>   
+<blockquote>
   <p>tunnel=tosysb<br>
-    myrealip=206.161.148.9 (for GRE tunnel only)<br>
-    myip=192.168.1.1<br>
-    hisip=10.0.0.1<br>
-    gateway=134.28.54.2<br>
-    subnet=10.0.0.0/8</p>
-  </blockquote>
-  
-<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b> 
+myrealip=206.161.148.9 (for GRE tunnel only)<br>
+myip=192.168.1.1<br>
+hisip=10.0.0.1<br>
+gateway=134.28.54.2<br>
+subnet=10.0.0.0/8</p>
+</blockquote>
+<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
 zone. In /etc/shorewall/interfaces:</p>
-  
-<blockquote>   
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-      <tbody>
-       <tr>
+    <tbody>
+      <tr>
         <td><b>ZONE</b></td>
         <td><b>INTERFACE</b></td>
         <td><b>BROADCAST</b></td>
@@ -161,19 +127,16 @@ zone. In /etc/shorewall/interfaces:</p>
         <td>vpn</td>
         <td>tosysa</td>
         <td>192.168.1.255</td>
-        <td> </td>
+        <td>&nbsp;</td>
       </tr>
-      
-    </tbody>   
+    </tbody>
   </table>
-  </blockquote>
-  
+</blockquote>
 <p>In /etc/shorewall/tunnels on system B, we have:</p>
-  
-<blockquote>   
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-      <tbody>
-       <tr>
+    <tbody>
+      <tr>
         <td><b>TYPE</b></td>
         <td><b>ZONE</b></td>
         <td><b>GATEWAY</b></td>
@@ -183,67 +146,59 @@ zone. In /etc/shorewall/interfaces:</p>
         <td>ipip</td>
         <td>net</td>
         <td>206.191.148.9</td>
-        <td> </td>
+        <td>&nbsp;</td>
       </tr>
-      
-    </tbody>   
+    </tbody>
   </table>
-  </blockquote>
-  
+</blockquote>
 <p>And in the tunnel script on system B:</p>
-  
-<blockquote>   
+<blockquote>
   <p>tunnel=tosysa<br>
-    myrealip=134.28.54.2 (for GRE tunnel only)<br>
-    myip=10.0.0.1<br>
-    hisip=192.168.1.1<br>
-    gateway=206.191.148.9<br>
-    subnet=192.168.1.0/24</p>
-  </blockquote>
-  
-<p>You can rename the modified tunnel scripts if you like; be sure that they 
-are secured so that root can execute them.  </p>
-  
-<p align="left"> You will need to allow traffic between the "vpn" zone and 
-       the "loc" zone on both systems -- if you simply want to admit all traffic
-       in both directions, you can use the policy file:</p>
-  
-<blockquote>   
+myrealip=134.28.54.2 (for GRE tunnel only)<br>
+myip=10.0.0.1<br>
+hisip=192.168.1.1<br>
+gateway=206.191.148.9<br>
+subnet=192.168.1.0/24</p>
+</blockquote>
+<p>You can rename the modified tunnel scripts if you like; be sure that
+they are secured so that root can execute them. </p>
+<p align="left"> You will need to allow traffic between the "vpn" zone
+and the "loc" zone on both systems -- if you simply want to admit all
+traffic in both directions, you can use the policy file:</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-                 <tbody>
-       <tr>
-                <td><strong>SOURCE</strong></td>
-                <td><strong>DEST</strong></td>
-                <td><strong>POLICY</strong></td>
-                <td><strong>LOG LEVEL</strong></td>
-            </tr>
-            <tr>
-                <td>loc</td>
-                <td>vpn</td>
-                <td>ACCEPT</td>
-            <td> </td>
-            </tr>
-                                <tr>
-                <td>vpn</td>
-                <td>loc</td>
-                <td>ACCEPT</td>
-            <td> </td>
-            </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><strong>SOURCE</strong></td>
+        <td><strong>DEST</strong></td>
+        <td><strong>POLICY</strong></td>
+        <td><strong>LOG LEVEL</strong></td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>vpn</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>vpn</td>
+        <td>loc</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-  </blockquote>
-  
-<p>On both systems, restart Shorewall and run the modified tunnel script with
-the "start" argument on each system. The systems in the two masqueraded subnetworks
+</blockquote>
+<p>On both systems, restart Shorewall and run the modified tunnel
+script with
+the "start" argument on each system. The systems in the two masqueraded
+subnetworks
 can now talk to each other</p>
-  
-<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
-  
-<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
-   <br>
- <br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/IPSEC.htm b/Shorewall-docs/IPSEC.htm
index 537282ba3..9d832e994 100644
--- a/Shorewall-docs/IPSEC.htm
+++ b/Shorewall-docs/IPSEC.htm
@@ -8,17 +8,8 @@
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">IPSEC Tunnels<br>
+</h1>
 <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
 There is an excellent guide to configuring IPSEC tunnels at<a
  href="http://www.geocities.com/jixen66/">
@@ -34,10 +25,40 @@ to debug this problem so I can't say if it is a bug in the Kernel or in
 FreeS/Wan.&nbsp;</p>
 <p>You <b>might</b> be able to work around this problem using the
 following (I haven't tried it):</p>
-<p>In /etc/shorewall/init, include:</p>
-<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
-<p>In /etc/shorewall/start, include:</p>
-<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
+<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
+<div style="margin-left: 40px;"></div>
+<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec
+stop</p>
+<div style="margin-left: 40px;"></div>
+<p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
+<div style="margin-left: 40px;"></div>
+<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp; qt service ipsec start<br>
+</p>
+<p>Also, the documentation below assumes that you have disabled
+opportunistic encryption feature in FreeS/Wan 2.0 using the following
+additional entries in ipsec.conf:<br>
+</p>
+<p style="margin-left: 40px;"><tt>conn block<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
+<br>
+conn private<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
+<br>
+conn private-or-clear<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
+<br>
+conn clear-or-private<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
+<br>
+conn clear<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
+<br>
+conn packetdefault<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
+</tt></p>
+For further information see <a
+ href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
+</tt>
 <h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
 <p>Suppose that we have the following sutuation:</p>
 <font color="#660066">
@@ -631,7 +652,7 @@ issue the command":<br>
 <blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
 </blockquote>
 and the 'down' part will:<br>
-<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
+<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
   <br>
 </blockquote>
 <h3>Limitations of Dynamic Zones</h3>
@@ -664,7 +685,7 @@ DESTINATION<br>
       <tr>
         <td valign="top">DNAT<br>
         </td>
-        <td valign="top">z:dyn<br>
+        <td valign="top">z!dyn<br>
         </td>
         <td valign="top">loc:192.168.1.3<br>
         </td>
@@ -682,7 +703,7 @@ DESTINATION<br>
 </blockquote>
 Dynamic changes to the zone <b>dyn</b> will have no effect on the
 above rule.
-<p><font size="2">Last updated 8/12//2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
  href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm
index 7c69068e7..d8daa5be8 100644
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@@ -1,221 +1,189 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Installation</title>
-                                   
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                    
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-          
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-             <tbody>
-              <tr>
-               <td width="100%">                                   
-      <h1 align="center"><font color="#ffffff">Shorewall Installation and 
-    Upgrade</font></h1>
-               </td>
-             </tr>
-                    
-  </tbody>     
-</table>
-          
+<body>
+<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
+</h1>
 <p align="center"><b>Before upgrading, be sure to review the <a
  href="upgrade_issues.htm">Upgrade Issues<br>
-    </a></b></p>
-       
-<div align="left"><b>Before attempting installation, I strongly urge you
-to read and print a copy of the       <a
- href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>    
-   for the configuration that most closely matches your own.</b><br>
-    </div>
-          
+</a></b></p>
+<div align="left"><b>Before attempting installation, I strongly urge
+you
+to read and print a copy of the <a
+ href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
+for the configuration that most closely matches your own.</b><br>
+</div>
 <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
-           <a href="#Install_Tarball">Install using tarball<br>
-        </a><a href="#LRP">Install the .lrp</a><br>
-           <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
-           <a href="#Upgrade_Tarball">Upgrade using tarball<br>
-        </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
-           <a href="#Config_Files">Configuring Shorewall</a><br>
-           <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
-          
+<a href="#Install_Tarball">Install using tarball<br>
+</a><a href="#LRP">Install the .lrp</a><br>
+<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
+<a href="#Upgrade_Tarball">Upgrade using tarball<br>
+</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
+<a href="#Config_Files">Configuring Shorewall</a><br>
+<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
 <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
-          
-<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a 
-    shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
-    1.2.4  either from the <a
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update 
-     site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
-     attempting to start Shorewall.</b></p>
-          
+<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
+a shell prompt, type "/sbin/iptables --version"), you must upgrade to
+version 1.2.4 either from the <a
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
+update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
+before attempting to start Shorewall.</b></p>
 <ul>
-             <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
-             <br>
-             <b>Note1: </b>Some SuSE  users have encountered a problem whereby 
-  rpm  reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel 
-  is installed.  If this    happens, simply use the --nodeps option to rpm 
- (rpm -ivh --nodeps  &lt;shorewall    rpm&gt;.<br>
-     <br>
-         <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent 
-  on the iproute package. Unfortunately, some distributions call this package 
-  iproute2 which will cause the installation of Shorewall to fail with the 
- diagnostic:<br>
-         <br>
-          error: failed dependencies:iproute is needed by  shorewall-1.4.x-1 
-     <br>
-         <br>
-     This may be worked around by using the --nodeps option of rpm (rpm -ivh
-  --nodeps &lt;shorewall rpm&gt;).<br>
-         <br>
-       </li>
-             <li>Edit the <a href="#Config_Files"> configuration files</a>
- to  match   your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
-     <u>NOT</u>    SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start"
-COMMAND.  SOME CONFIGURATION    IS REQUIRED BEFORE THE  FIREWALL WILL START.
-IF YOU  ISSUE A "start" COMMAND    AND THE FIREWALL FAILS TO  START, YOUR
-SYSTEM WILL NO LONGER ACCEPT ANY  NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE
-A "shorewall  clear" COMMAND TO  RESTORE NETWORK  CONNECTIVITY.</b></font></li>
-             <li>Start the firewall by typing "shorewall start"</li>
-          
+  <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
+    <br>
+    <b>Note1: </b>Some SuSE&nbsp; users have encountered a problem
+whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
+kernel is installed. If this happens, simply use the --nodeps option to
+rpm (rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
+    <br>
+    <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
+dependent on the iproute package. Unfortunately, some distributions
+call this package iproute2 which will cause the installation of
+Shorewall to fail with the diagnostic:<br>
+    <br>
+&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
+shorewall-1.4.x-1 <br>
+    <br>
+This may be worked around by using the --nodeps option of rpm (rpm -ivh
+--nodeps &lt;shorewall rpm&gt;).<br>
+    <br>
+  </li>
+  <li>Edit the <a href="#Config_Files"> configuration files</a> to
+match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
+SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
+COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
+IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
+SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
+ISSUE
+A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
+  <li>Start the firewall by typing "shorewall start"</li>
 </ul>
-          
-<p><a name="Install_Tarball"></a>To     install Shorewall using the tarball 
-    and install     script: </p>
-          
+<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
+and install script: </p>
 <ul>
-             <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
-             <li>cd to the shorewall directory (the version is encoded in 
-the               directory name as in "shorewall-1.1.10").</li>
-             <li>If you are using <a
+  <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
+  <li>cd to the shorewall directory (the version is encoded in the
+directory name as in "shorewall-1.1.10").</li>
+  <li>If you are using <a
  href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
- href="http://www.redhat.com">RedHat</a>,           <a
+ href="http://www.redhat.com">RedHat</a>, <a
  href="http://www.linux-mandrake.com">Mandrake</a>, <a
- href="http://www.corel.com">Corel</a>,           <a
- href="http://www.slackware.com/">Slackware</a> or           <a
- href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
-             <li>If you are using <a href="http://www.suse.com">SuSe</a>
-then   type       "./install.sh /etc/init.d"</li>
-             <li>If your distribution has directory             /etc/rc.d/init.d 
-   or  /etc/init.d then type             "./install.sh"</li>
-             <li>For other distributions, determine where your          
-  distribution    installs init scripts and type             "./install.sh
- &lt;init script   directory&gt;</li>
-             <li>Edit the <a href="#Config_Files"> configuration files</a>
- to  match   your configuration.</li>
-             <li>Start the firewall by typing "shorewall             start"</li>
-             <li>If the install script was unable to configure Shorewall
-to  be  started   automatically at boot,             see <a
- href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
-          
+ href="http://www.corel.com">Corel</a>, <a
+ href="http://www.slackware.com/">Slackware</a> or <a
+ href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
+  <li>If you are using <a href="http://www.suse.com">SuSe</a>
+then type "./install.sh /etc/init.d"</li>
+  <li>If your distribution has directory /etc/rc.d/init.d or
+/etc/init.d then type "./install.sh"</li>
+  <li>For other distributions, determine where your distribution
+installs init scripts and type "./install.sh &lt;init script
+directory&gt;</li>
+  <li>Edit the <a href="#Config_Files"> configuration files</a> to
+match your configuration.</li>
+  <li>Start the firewall by typing "shorewall start"</li>
+  <li>If the install script was unable to configure Shorewall
+to be started automatically at boot, see <a
+ href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
 </ul>
-          
-<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering 
-   disk, simply replace the "shorwall.lrp" file on the image with the file
-  that  you downloaded. See the <a href="two-interface.htm">two-interface
-QuickStart   Guide</a> for information about further steps required.</p>
-          
-<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed 
-    and are upgrading to a new version:</p>
-          
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
-and you  have entries in the /etc/shorewall/hosts file then please check 
-your  /etc/shorewall/interfaces file to be sure that it contains an entry 
-   for each  interface mentioned in the hosts file. Also, there are certain 
-  1.2 rule forms  that are no longer supported under 1.4 (you must use the
-  new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
-  details.</p>
-          
+<p><a name="LRP"></a>To install my version of Shorewall on a fresh
+Bering disk, simply replace the "shorwall.lrp" file on the image with
+the file that you downloaded. See the <a href="two-interface.htm">two-interface
+QuickStart Guide</a> for information about further steps required.</p>
+<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
+installed and are upgrading to a new version:</p>
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
+version or
+and you have entries in the /etc/shorewall/hosts file then please check
+your /etc/shorewall/interfaces file to be sure that it contains an
+entry for each interface mentioned in the hosts file. Also, there are
+certain 1.2 rule forms that are no longer supported under 1.4 (you must
+use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
+issues </a>for details.</p>
 <ul>
-             <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: 
-       </b>If  you     are installing version 1.2.0 and have one of the 1.2.0 
-   Beta RPMs installed,     you must use the "--oldpackage" option to rpm 
-(e.g.,   "rpm     -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").        
-                 
-    <p>   <b>Note1: </b>Some SuSE users have encountered a problem whereby 
-    rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel 
-   is installed. If this    happens, simply use the --nodeps option to rpm
-  (rpm   -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
-         <br>
-         <b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
-  on the iproute package. Unfortunately, some distributions call this package
-  iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
-        <br>
-           error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
-      <br>
-        <br>
-      This may be worked around by using the --nodeps option of rpm (rpm
--Uvh   --nodeps &lt;shorewall rpm&gt;). </p>
-            </li>
-            <li>See if there are any incompatibilities between your configuration 
-   and the    new Shorewall version (type "shorewall check") and correct as
-  necessary.</li>
-             <li>Restart the firewall (shorewall restart).</li>
-          
+  <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
+you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
+installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
+-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
+    <p> <b>Note1: </b>Some SuSE users have encountered a problem
+whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
+kernel is installed. If this happens, simply use the --nodeps option to
+rpm (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
+    <br>
+    <b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
+dependent on the iproute package. Unfortunately, some distributions
+call this package iproute2 which will cause the upgrade of Shorewall to
+fail with the diagnostic:<br>
+    <br>
+&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
+shorewall-1.4.0-1 <br>
+    <br>
+This may be worked around by using the --nodeps option of rpm (rpm
+-Uvh --nodeps &lt;shorewall rpm&gt;).&nbsp;</p>
+  </li>
+  <li>See if there are any incompatibilities between your configuration
+and the new Shorewall version (type "shorewall check") and correct as
+necessary.</li>
+  <li>Restart the firewall (shorewall restart).</li>
 </ul>
-          
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
+installed
 and are upgrading to a new version using the tarball:</p>
-          
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
-and you  have entries in the /etc/shorewall/hosts file then please check
-your  /etc/shorewall/interfaces file to be sure that it contains an entry
-for each  interface mentioned in the hosts file.  Also, there are certain
-1.2 rule  forms that are no longer supported under 1.4 (you must use the
-new 1.4 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a>
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
+version
+and you have entries in the /etc/shorewall/hosts file then please check
+your /etc/shorewall/interfaces file to be sure that it contains an
+entry
+for each interface mentioned in the hosts file.&nbsp; Also, there are
+certain
+1.2 rule forms that are no longer supported under 1.4 (you must use the
+new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
 for details. </p>
-          
 <ul>
-         <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
-             <li>cd to the shorewall directory (the version is encoded in 
-the               directory name as in "shorewall-3.0.1").</li>
-             <li>If you are using <a
+  <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
+  <li>cd to the shorewall directory (the version is encoded in the
+directory name as in "shorewall-3.0.1").</li>
+  <li>If you are using <a
  href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
- href="http://www.redhat.com">RedHat</a>,           <a
+ href="http://www.redhat.com">RedHat</a>, <a
  href="http://www.linux-mandrake.com">Mandrake</a>, <a
- href="http://www.corel.com">Corel</a>,           <a
- href="http://www.slackware.com/">Slackware</a> or           <a
- href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
-             <li>If you are using<a href="http://www.suse.com"> SuSe</a>
-then   type       "./install.sh /etc/init.d"</li>
-             <li>If your distribution has directory             /etc/rc.d/init.d 
-   or  /etc/init.d then type             "./install.sh"</li>
-             <li>For other distributions, determine where your          
-  distribution    installs init scripts and type             "./install.sh
- &lt;init script   directory&gt;</li>
-             <li>See if there are any incompatibilities between your configuration 
-   and the    new Shorewall version (type "shorewall check") and correct as
-  necessary.</li>
-             <li>Restart the firewall by typing "shorewall restart"</li>
-          
+ href="http://www.corel.com">Corel</a>, <a
+ href="http://www.slackware.com/">Slackware</a> or <a
+ href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
+  <li>If you are using<a href="http://www.suse.com"> SuSe</a>
+then type "./install.sh /etc/init.d"</li>
+  <li>If your distribution has directory /etc/rc.d/init.d or
+/etc/init.d then type "./install.sh"</li>
+  <li>For other distributions, determine where your distribution
+installs init scripts and type "./install.sh &lt;init script
+directory&gt;</li>
+  <li>See if there are any incompatibilities between your configuration
+and the new Shorewall version (type "shorewall check") and correct as
+necessary.</li>
+  <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-                 <a name="LRP_Upgrade"></a>If you already have a running
-Bering    installation and wish to upgrade to a later version of Shorewall:<br>
-        <br>
-            <b>UNDER CONSTRUCTION...</b><br>
-          
+<a name="LRP_Upgrade"></a>If you already have a running
+Bering installation and wish to upgrade to a later version of Shorewall:<br>
+<br>
+&nbsp;&nbsp;&nbsp; <b>UNDER CONSTRUCTION...</b><br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
-          
-<p>You will need to edit some or all of the configuration files to match your
- setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
-    QuickStart Guides</a> contain all of the information you need.</p>
-          
+<p>You will need to edit some or all of the configuration files to
+match your setup. In most cases, the <a
+ href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
+contain all of the information you need.</p>
 <ul>
-          
 </ul>
-          
-<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a> 
-    </font></p>
-          
-<p><a href="copyright.htm"><font size="2">Copyright</font>   © <font
+<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
+</font></p>
+<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  </p>
-  <br>
- <br>
+</p>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/MAC_Validation.html b/Shorewall-docs/MAC_Validation.html
index 4242b0e5a..55e1416e7 100644
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@@ -2,123 +2,103 @@
 <html>
 <head>
   <title>MAC Verification</title>
-                            
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-                
   <meta name="author" content="Tom Eastep">
 </head>
-  <body>
-        
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#3366ff" height="90">
-                     <tbody>
-                    <tr>
-                      <td width="100%">                             
-      <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
-             </h1>
-                      <br>
-             </td>
-                    </tr>
-                
-  </tbody>    
-</table>
-            <br>
-            All traffic from an interface    or  from a subnet on an interface
-  can be verified to originate from a defined     set of MAC addresses. Furthermore,
-  each MAC address may be optionally associated    with one or more IP addresses.
-  <br>
-        <br>
-        <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
-   - module name ipt_mac.o).</b><br>
-        <br>
-        There are four components to this facility.<br>
-        
+<body>
+<br>
+<h1 style="text-align: center;">MAC Verification<br>
+</h1>
+All traffic from an interface or from a subnet on an interface can be
+verified to originate from a defined set of MAC addresses. Furthermore,
+each MAC address may be optionally associated with one or more IP
+addresses. <br>
+<br>
+<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
+module name ipt_mac.o).</b><br>
+<br>
+There are four components to this facility.<br>
 <ol>
-              <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
-this option is specified, all traffic arriving on the interface is subjet
+  <li>The <b>maclist</b> interface option in <a
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+When
+this option is specified, all traffic arriving on the interface is
+subjet
 to MAC verification.</li>
-              <li>The <b>maclist </b>option in <a
- href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option
-   is specified for a subnet, all traffic from that subnet  is subject to
-MAC   verification.</li>
-              <li>The /etc/shorewall/maclist file. This file is used to associate
-    MAC  addresses with interfaces and to optionally associate IP addresses
-  with  MAC  addresses.</li>
-              <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL 
-    </b>variables      in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
-   The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
- and  determines   the disposition of connection requests that fail MAC verification.
-   The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
-   requests that fail verification  are to be logged. If set the the empty
- value  (e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are
- not logged.<br>
-              </li>
-        
+  <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
+When this option is specified for a subnet, all traffic from that
+subnet is subject to
+MAC verification.</li>
+  <li>The /etc/shorewall/maclist file. This file is used to associate
+MAC addresses with interfaces and to optionally associate IP addresses
+with MAC addresses.</li>
+  <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
+in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
+The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
+and determines the disposition of connection requests that fail MAC
+verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
+which connection requests that fail verification are to be logged. If
+set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
+connection requests are not logged.<br>
+  </li>
 </ol>
-            The columns in /etc/shorewall/maclist are:<br>
-        
+The columns in /etc/shorewall/maclist are:<br>
 <ul>
-              <li>INTERFACE - The name of an ethernet interface on the Shorewall
-    system.</li>
-              <li>MAC - The MAC address of a device on the ethernet segment 
- connected     by INTERFACE. It is not necessary to use the Shorewall MAC 
-format in this     column although you may use that format if you so choose.</li>
-              <li>IP Address - An optional comma-separated list of IP addresses
-   for   the device whose MAC is listed in the MAC column.</li>
-        
+  <li>INTERFACE - The name of an ethernet interface on the Shorewall
+system.</li>
+  <li>MAC - The MAC address of a device on the ethernet segment
+connected by INTERFACE. It is not necessary to use the Shorewall MAC
+format in this column although you may use that format if you so choose.</li>
+  <li>IP Address - An optional comma-separated list of IP addresses for
+the device whose MAC is listed in the MAC column.</li>
 </ul>
-        
-<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for 
-details about my setup):</h3>
-            <b>/etc/shorewall/shorewall.conf:<br>
-            </b>    
+<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
+for details about my setup):</h3>
+<b>/etc/shorewall/shorewall.conf:<br>
+</b>
 <pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
-            <b>/etc/shorewall/interfaces:</b><br>
-        
-<blockquote>         
+<b>/etc/shorewall/interfaces:</b><br>
+<blockquote>
   <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS<br>net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc     eth2            192.168.1.255   dhcp<br>dmz     eth1            192.168.2.255<br>WiFi    eth3            192.168.3.255   dhcp,maclist<br>-       texas           192.168.9.255</pre>
-   </blockquote>
-            <b>/etc/shorewall/maclist:</b><br>
-        
-<blockquote>         
+</blockquote>
+<b>/etc/shorewall/maclist:</b><br>
+<blockquote>
   <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)<br>eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop<br>eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11<br>eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11<br>eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</pre>
-   </blockquote>
-   As shown above, I use MAC Verification on my wireless zone.<br>
-  <br>
-  <b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like 
-a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
-MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
-own MAC address. Consequently, I list the IP addresses of both devices in
+</blockquote>
+As shown above, I use MAC Verification on my wireless zone.<br>
+<br>
+<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
+like a wireless router with DHCP relay. When forwarding DHCP traffic,
+it uses the
+MAC address of the host (TIPPER) but for other forwarded traffic it
+uses it's
+own MAC address. Consequently, I list the IP addresses of both devices
+in
 /etc/shorewall/maclist.<br>
-        
 <h3>Example 2: Router in Wireless Zone</h3>
-            Suppose now that I add a second wireless segment to my wireless 
- zone and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15
-  and   IP address  192.168.3.253. Hosts in the second segment have IP addresses
-   in the subnet  192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
-      file:<br>
-        
+Suppose now that I add a second wireless segment to my wireless zone
+and gateway that segment via a router with MAC address
+00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
+segment have IP addresses in the subnet 192.168.4.0/24. I would add the
+following entry to my /etc/shorewall/maclist file:<br>
 <pre>     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24<br></pre>
-            This entry accomodates traffic from the router itself (192.168.3.253)
-    and  from the second wireless segment (192.168.4.0/24). Remember that
-all traffic    being  sent to my firewall from the 192.168.4.0/24 segment
-will be forwarded    by the router so that traffic's MAC address will be
-that of the router (00:06:43:45:C6:15)    and not that of the host sending
-the traffic.     
-<p><font size="2">   Updated 6/30/2002 - <a href="support.htm">Tom  Eastep</a>
-         </font></p>
-          
-<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
-   <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-      </p>
-      <br>
-     <br>
-    <br>
-   <br>
-  <br>
- <br>
+This entry accomodates traffic from the router itself (192.168.3.253)
+and from the second wireless segment (192.168.4.0/24). Remember that
+all traffic being sent to my firewall from the 192.168.4.0/24 segment
+will be forwarded by the router so that traffic's MAC address will be
+that of the router (00:06:43:45:C6:15) and not that of the host sending
+the traffic.
+<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
+</font></p>
+<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+</p>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Multiple_Zones.html b/Shorewall-docs/Multiple_Zones.html
new file mode 100755
index 000000000..4f45281b1
--- /dev/null
+++ b/Shorewall-docs/Multiple_Zones.html
@@ -0,0 +1,551 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <title>Multiple Zones per Interface</title>
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta name="author" content="Tom Eastep">
+</head>
+<body>
+<h2></h2>
+<blockquote> </blockquote>
+<h1 style="text-align: center;">Multiple Zones per Interface<br>
+</h1>
+While most configurations can be handled with each of the firewall's
+network interfaces assigned to a single zone, there are cases where you
+will want to divide the hosts accessed through an interface between two
+or more zones.<br>
+<ol>
+  <li>The interface has multiple addresses on multiple subnetworks.
+This case is covered in the <a
+ href="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
+documentation</a>.</li>
+  <li>You are using some form of NAT and want to access a server by its
+external IP address from the same LAN segment. This is covered in <a
+ href="FAQ.htm#faq2">FAQs 2 and 2a</a>.<br>
+  </li>
+  <li>There are routers accessible through the interface and you want
+to treat the networks accessed through that router as a separate zone.</li>
+  <li>Some of the hosts accessed through an interface have
+significantly different firewalling requirements from the others so you
+want to assign them to a different zone.</li>
+</ol>
+The key points to keep in mind when setting up multiple zones per
+interface are:<br>
+<ul>
+  <li>Shorewall generates rules for zones in the order that the zone
+declarations appear in /etc/shorewall/zones.</li>
+  <li>The order of entries in /etc/shorewall/hosts is immaterial as far
+as the generated ruleset is concerned.</li>
+</ul>
+<span style="font-weight: bold;">These examples use the local zone but
+the same technique works for any zone. </span>Remember that Shorewall
+doesn't have any conceptual knowledge of "Internet", "Local", or "DMZ"
+so all zones except the firewall itself ($FW) are the same as far as
+Shorewall is concerned.&nbsp; Also, the examples use private (RFC 1918)
+addresses but public IP addresses can be used in exactly the same way.<br>
+<h2>Router in the Local Zone<br>
+</h2>
+Here is an example of a router in the local zone.&nbsp; Note that <span
+ style="font-weight: bold;">the box called "Router" could be a VPN
+server</span> or other such device; from the point of view of this
+discussion, it makes no difference.<br>
+<br>
+<div style="text-align: center;"><img src="images/MultiZone1.png"
+ title="" alt="(Firewall connected to Internal Router)"
+ style="width: 556px; height: 335px;"><br>
+</div>
+<blockquote>
+  <p> </p>
+</blockquote>
+<blockquote> </blockquote>
+<h3>Can You Use the Standard Configuration?<br>
+</h3>
+In many cases, the <a href="two-interface.htm">standard two-interface
+Shorewall setup</a> will work fine in this configuration.&nbsp; It will
+work if:<br>
+<ul>
+  <li>The firewall requirements to/from the internet are the same for
+192.168.1.0/24 and 192.168.2.0/24.</li>
+  <li>The hosts in 192.168.1.0/24 know that the route to 192.168.2.0/24
+is through the <span style="font-weight: bold;">router.</span></li>
+</ul>
+All you have to do on the firewall is add a route to 192.168.2.0/24
+through the <span style="font-weight: bold;">router</span> and restart
+Shorewall.<br>
+<h3>Will One Zone be Enough?</h3>
+If the firewalling requirements for the two local networks is the same
+but the hosts in 192.168.1.0/24 don't know how to route to
+192.168.2.0/24 then you need to configure the firewall slightly
+differently. This type of configuration is rather stupid from an IP
+networking point of view but it is sometimes necessary because you
+simply don't want to have to reconfigure all of the hosts in
+192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
+firewall:<br>
+<ul>
+  <li>Add a route to 192.168.2.0/24 through the <span
+ style="font-weight: bold;">Router.</span></li>
+  <li>Set the 'routeback' and 'newnotsyn' options for eth1 (the local
+firewall interface) in /etc/shorewall/interfaces.</li>
+  <li>Restart Shorewall.<br>
+  </li>
+</ul>
+<h3>I Need Separate Zones</h3>
+If you need to make 192.168.2.0/24 into it's own zone, you can do it
+one of two ways; Nested Zones or Parallel Zones.<br>
+<h4>Nested Zones:</h4>
+You can define one zone (called it 'loc') as being all hosts connectied
+to eth1 and a second zone 'loc1' (192.168.2.0/24) as a sub-zone.<br>
+<br>
+<div style="text-align: center;"><img src="images/MultiZone1A.png"
+ title="" alt="" style="width: 607px; height: 415px;"><br>
+</div>
+<br>
+The advantage of this approach is that the zone 'loc1' can use CONTINUE
+policies such that if a connection request doesn't match a 'loc1' rule,
+it will be matched against the 'loc' rules. For example, if your
+loc1-&gt;net policy is CONTINUE then if a connection request from loc1
+to the internet doesn't match any rules for loc1-&gt;net then it will
+be checked against the loc-&gt;net rules.<br>
+<br>
+/etc/shorewall/zones:<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">Local2<br>
+      </td>
+      <td style="vertical-align: top;">Hosts access through internal
+router<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">Local<br>
+      </td>
+      <td style="vertical-align: top;">All hosts accessed via eth1<br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+Note that the sub-zone (loc1) is defined first!<br>
+<br>
+</div>
+/etc/shorewall/interfaces<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellspacing="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">eth1<br>
+      </td>
+      <td style="vertical-align: top;">192.168.1.255<br>
+      </td>
+      <td style="vertical-align: top;">...<br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+</div>
+/etc/shorewall/hosts<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">HOSTS<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">eth1:192.168.2.0/24<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<br>
+If you don't need Shorewall to set up infrastructure to route traffic
+between 'loc' and 'loc1', add these two policies:<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">SOURCE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">DEST<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">POLICY<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">LOG<br>
+LEVEL<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">loc1</td>
+      <td style="vertical-align: top;">NONE<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">NONE<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+      <td style="vertical-align: top;"> <br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<h4>Parallel Zones:</h4>
+You define both zones in the /etc/shorewall/hosts file to create two
+disjoint zones.<br>
+<br>
+<div style="text-align: center;"><img src="images/MultiZone1B.png"
+ title="" alt="" style="width: 588px; height: 415px;"><br>
+</div>
+<br>
+/etc/shorewall/zones:<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">Local1<br>
+      </td>
+      <td style="vertical-align: top;">Hosts accessed Directly from
+Firewall<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc2<br>
+      </td>
+      <td style="vertical-align: top;">Local2<br>
+      </td>
+      <td style="vertical-align: top;">Hosts accessed via internal
+Router<br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+Here it doesn't matter which zone is defined first.<br>
+<br>
+</div>
+/etc/shorewall/interfaces<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellspacing="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">-<br>
+      </td>
+      <td style="vertical-align: top;">eth1<br>
+      </td>
+      <td style="vertical-align: top;">192.168.1.255<br>
+      </td>
+      <td style="vertical-align: top;">...<br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+</div>
+/etc/shorewall/hosts<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">HOSTS<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">eth1:192.168.1.0/24<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc2<br>
+      </td>
+      <td style="vertical-align: top;">eth1:192.168.2.0/24<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<br>
+If you don't need Shorewall to set up infrastructure to route traffic
+between 'loc' and 'loc1', add these two policies:<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">SOURCE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">DEST<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">POLICY<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">LOG<br>
+LEVEL<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">loc1</td>
+      <td style="vertical-align: top;">NONE<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">NONE<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+      <td style="vertical-align: top;"> <br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<h2>Some Hosts have Special Firewalling Requirements</h2>
+There are cases where a subset of the addresses associated with an
+interface need special handling.&nbsp; Here's an example.<br>
+<br>
+<div style="text-align: center;"><img src="images/MultiZone2.png"
+ title="" alt="" style="height: 252px; width: 631px;"><br>
+</div>
+<br>
+In this example, addresses 192.168.1.8 - 192.168.1.15 (192.168.1.8/29)
+are to be treated as their own zone (loc1).<br>
+<br>
+/etc/shorewall/zones:<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">Local2<br>
+      </td>
+      <td style="vertical-align: top;">192.168.1.8 - 192.168.1.15<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">Local<br>
+      </td>
+      <td style="vertical-align: top;">All hosts accessed via eth1<br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+Note that the sub-zone (loc1) is defined first!<br>
+<br>
+</div>
+/etc/shorewall/interfaces<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellspacing="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">eth1<br>
+      </td>
+      <td style="vertical-align: top;">192.168.1.255<br>
+      </td>
+      <td style="vertical-align: top;">...<br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+</div>
+/etc/shorewall/hosts<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">HOSTS<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">eth1:192.168.1.8/29<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<br>
+You probably don't want Shorewall to set up infrastructure to route
+traffic
+between 'loc' and 'loc1' so you should add these two policies:<br>
+<div style="margin-left: 40px;"><br>
+<table cellpadding="2" border="1" style="text-align: left;">
+  <tbody>
+    <tr>
+      <td style="vertical-align: top; font-weight: bold;">SOURCE<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">DEST<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">POLICY<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">LOG<br>
+LEVEL<br>
+      </td>
+      <td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">loc1</td>
+      <td style="vertical-align: top;">NONE<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+    <tr>
+      <td style="vertical-align: top;">loc1<br>
+      </td>
+      <td style="vertical-align: top;">loc<br>
+      </td>
+      <td style="vertical-align: top;">NONE<br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+      <td style="vertical-align: top;"><br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+&nbsp;<br>
+</div>
+<p><font size="2">Last updated 11/21/2003 - </font><font size="2"> <a
+ href="support.htm">Tom Eastep</a></font> </p>
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
+ size="2">2003 Thomas M. Eastep.</font></a><br>
+</body>
+</html>
diff --git a/Shorewall-docs/NAT.htm b/Shorewall-docs/NAT.htm
index dec289ba3..5c1492d65 100644
--- a/Shorewall-docs/NAT.htm
+++ b/Shorewall-docs/NAT.htm
@@ -1,119 +1,107 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall NAT</title>
-                            
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-                                
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-       <tbody>
-        <tr>
-         <td width="100%">                            
-      <h1 align="center"><font color="#ffffff">Static Nat</font></h1>
-         </td>
-       </tr>
-                
-  </tbody>    
-</table>
+<body>
 <br>
-                <br>
-                
-<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward  
-     ports to servers behind your firewall, you do NOT want to use static
-  NAT.      Port forwarding can be accomplished with simple entries in the
-    <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
-<blockquote>                </blockquote>
-<p>Static NAT is a way to make systems behind a     firewall and configured
-  with private IP addresses (those     reserved for private use in RFC1918)
-  appear to have public IP     addresses. Before you try to use this technique,
-  I strongly recommend that you read the <a
- href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
-<blockquote>                </blockquote>
-<p>The following figure represents a static NAT     environment.</p>
-<blockquote>                
-  <p align="center"><strong>     <img src="images/staticnat.png"
- width="435" height="397">
-      </strong></p>
-                
-  <blockquote>     </blockquote>
-                </blockquote>
-<p align="left">Static NAT can be used to make the systems with the  10.1.1.* 
- addresses appear to be on the upper (130.252.100.*) subnet. If we     assume 
- that the interface to the upper subnet is eth0, then the following     /etc/shorewall/NAT 
- file would make the lower left-hand system appear to have     IP address 
-130.252.100.18 and the right-hand one to have IP address     130.252.100.19.</p>
-                
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-           <tbody>
-          <tr>
-             <td><b>EXTERNAL</b></td>
-             <td><b>INTERFACE</b></td>
-             <td><b>INTERNAL</b></td>
-             <td><b>ALL INTERFACES</b></td>
-             <td><b>LOCAL</b></td>
-           </tr>
-           <tr>
-             <td>130.252.100.18</td>
-             <td>eth0</td>
-             <td>10.1.1.2</td>
-             <td>yes</td>
-             <td>yes</td>
-           </tr>
-           <tr>
-             <td>130.252.100.19</td>
-             <td>eth0</td>
-             <td>10.1.1.3</td>
-             <td>yes</td>
-             <td>yes</td>
-           </tr>
-                        
-  </tbody>            
-</table>
-                
-<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
-      example) is (are) not included in any specification in /etc/shorewall/masq
-      or /etc/shorewall/proxyarp.</p>
-                
-<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used 
- to specify whether access to the external IP from all firewall   interfaces 
- should undergo NAT (Yes or yes) or if only access from the    interface in
- the INTERFACE column should undergo NAT. If you leave this     column empty,
- "Yes" is assumed. The ALL INTERFACES column was     added in version 1.1.6.</p>
-                
-<p>Note 2: Shorewall will automatically add the external address to the  
-    specified interface unless you specify <a
- href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no"     (or "No") in
-  /etc/shorewall/shorewall.conf; If you do not set     ADD_IP_ALIASES or
-if   you set it to "Yes" or "yes" then you must NOT configure your own alias(es). 
-   <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
- external addresses to an interface that is configured with a single subnetwork
- -- if your external interface has addresses in more than one subnetwork,
-Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
-                
-<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"     column
-  determine whether packets originating on the firewall itself and     destined
-  for the EXTERNAL address are redirected to the internal ADDRESS. If   
- this  column contains "yes" or "Yes" (and the ALL     INTERFACES COLUMN
-also contains  "Yes" or "yes") then     such packets are redirected; otherwise,
-such packets  are not redirected. The     LOCAL column was added in version
-1.1.8.</p>
-             
+<h1 style="text-align: center;">One-to-one NAT<br>
+</h1>
+<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
+ports to servers behind your firewall, you do NOT want to use
+one-to-one NAT. Port forwarding can be accomplished with simple entries
+in the <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
 <blockquote> </blockquote>
-        
-<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
+<p>One-to-one NAT is a way to make systems behind a firewall and
+configured
+with private IP addresses (those reserved for private use in RFC 1918)
+appear to have public IP addresses. Before you try to use this
+technique, I strongly recommend that you read the <a
+ href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
+<blockquote> </blockquote>
+<p>The following figure represents a one-to-one NAT environment.</p>
+<blockquote>
+  <p align="center"><strong> <img src="images/staticnat.png"
+ style="width: 456px; height: 397px;" title="" alt=""> </strong></p>
+  <blockquote> </blockquote>
+</blockquote>
+<p align="left">One-to-one NAT can be used to make the systems with the
+10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
+we assume that the interface to the upper subnet is eth0, then the
+following /etc/shorewall/NAT file would make the lower left-hand system
+appear to have IP address 130.252.100.18 and the right-hand one to have
+IP address 130.252.100.19.</p>
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+  <tbody>
+    <tr>
+      <td><b>EXTERNAL</b></td>
+      <td><b>INTERFACE</b></td>
+      <td><b>INTERNAL</b></td>
+      <td><b>ALL INTERFACES</b></td>
+      <td><b>LOCAL</b></td>
+    </tr>
+    <tr>
+      <td>130.252.100.18</td>
+      <td>eth0</td>
+      <td>10.1.1.2</td>
+      <td>yes</td>
+      <td>yes</td>
+    </tr>
+    <tr>
+      <td>130.252.100.19</td>
+      <td>eth0</td>
+      <td>10.1.1.3</td>
+      <td>yes</td>
+      <td>yes</td>
+    </tr>
+  </tbody>
+</table>
+<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
+above example) is (are) not included in any specification in
+/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
+<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
+used to specify whether access to the external IP from all firewall
+interfaces should undergo NAT (Yes or yes) or if only access from the
+interface in the INTERFACE column should undergo NAT. If you leave this
+column empty, "Yes" is assumed.&nbsp;The ALL INTERFACES column was
+added in version 1.1.6. <span style="font-weight: bold;">Specifying
+"Yes" in this column will </span><span
+ style="text-decoration: underline; font-weight: bold;">not</span><span
+ style="font-weight: bold;"> allow systems on the lower LAN to access
+each other using their public IP addresses.</span> For example, the
+lower left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and
+expect to be connected to the lower right-hand system. <a
+ href="FAQ.htm#faq2a">See FAQ 2a</a>.<br>
+</p>
+<p>Note 2: Shorewall will automatically add the external address to the
+specified interface unless you specify <a
+ href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
+/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
+if you set it to "Yes" or "yes" then you must NOT configure your own
+alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
+can only add external addresses to an interface that is configured with
+a single subnetwork -- if your external interface has addresses in more
+than one subnetwork,
+Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
+<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
+column determine whether packets originating on the firewall itself and
+destined for the EXTERNAL address are redirected to the internal
+ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
+COLUMN
+also contains "Yes" or "yes") then such packets are redirected;
+otherwise,
+such packets are not redirected. The LOCAL column was added in version
+1.1.8.</p>
+<blockquote> </blockquote>
+<p><font size="2">Last updated 11/222003 - </font><font size="2"> <a
  href="support.htm">Tom Eastep</a></font> </p>
-     <a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  <br>
- <br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/NetfilterOverview.html b/Shorewall-docs/NetfilterOverview.html
new file mode 100755
index 000000000..6050d6bfa
--- /dev/null
+++ b/Shorewall-docs/NetfilterOverview.html
@@ -0,0 +1,104 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="Content-Language" content="en-us">
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Netfilter Overview</title>
+  <meta name="author" content="Tom Eastep">
+</head>
+<body>
+<p align="left"><font size="2"><big></big></font></p>
+<h1 style="text-align: center;">Netfilter Overview<br>
+</h1>
+Netfilter consists of three <span style="font-style: italic;">tables: </span><span
+ style="font-weight: bold;">Filter, Nat </span>and <span
+ style="font-weight: bold;">Mangle</span>. Each table has a number of
+build-in <span style="font-style: italic;">chains: </span><span
+ style="font-weight: bold;"><span style="font-weight: bold;">PREROUTING,
+INPUT, FORWARD, OUTPUT </span></span>and <span
+ style="font-weight: bold;">POSTROUTING.<br>
+<br>
+</span>Rules in the various tables are used as follows:<br>
+<ul>
+  <li><span style="font-weight: bold;">Filter: </span>Packet filtering
+(rejecting, dropping or accepting packets)</li>
+  <li><span style="font-weight: bold;">Nat: </span>Network Address
+Translation including DNAT, SNAT and Masquerading</li>
+  <li><span style="font-weight: bold;">Mangle:</span> General packet
+header modification such as setting the TOS value or marking packets
+for policy routing and traffic shaping.<br>
+  </li>
+</ul>
+The following diagram shows how packets traverse the various builtin
+chains within Netfilter. Note that not all table/chain combinations are
+used.<br>
+<br>
+<div style="text-align: center;"><img src="images/Netfilter.png"
+ title="" alt="(Netfilter Flow Diagram)"
+ style="width: 541px; height: 826px;"><br>
+<br>
+<div style="text-align: left;"><br>
+"Local Process" means a process running on the Shorewall system itself.<br>
+<br>
+In the above diagram are boxes similar to this:<br>
+<br>
+<img src="images/Legend.png" title="" alt="(Diagram Legend)"
+ style="width: 145px; height: 97px;"><br>
+<br>
+The above box gives the name of the built-in <span
+ style="font-style: italic;">chain </span>(<span
+ style="font-weight: bold;">INPUT</span>) along with the names of the <span
+ style="font-style: italic;">tables </span>(<span
+ style="font-weight: bold;">Mangle </span>and <span
+ style="font-weight: bold;">Filter</span>) that the chain exists in and
+in the order that the chains are traversed. The above sample indicates
+that packets go first through the <span style="font-weight: bold;">INPUT</span>
+chain of the <span style="font-weight: bold;">Mangle </span>table
+then
+through the <span style="font-weight: bold;">INPUT</span> chain of the
+<span style="font-weight: bold;">Filter </span>table. When a chain is
+enclosed in parentheses, Shorewall does not use the named chain (<span
+ style="font-weight: bold;">INPUT)</span> in that table <span
+ style="font-weight: bold;">(Mangle)</span>.<br>
+<br>
+<span style="font-weight: bold;">IMPORTANT: </span>Keep in mind that
+chains in the <span style="font-weight: bold;">Nat</span> table are <span
+ style="text-decoration: underline;">only traversed for new connection
+requests</span> (including those related to existing connections) while
+the chains in the other tables are traversed on every packet.<br>
+<br>
+The above diagram should help you understand the output of "shorewall
+status".<br>
+<br>
+Here are some excerpts from "shorewall status" on a server with one
+interface (eth0):<br>
+<br>
+<pre style="margin-left: 40px;">[root@lists html]# shorewall status<br> <br>Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003<br>                                                                                                                                                                                    <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br><br></pre>
+The first table shown is the <span style="font-weight: bold;">Filter </span>table.<br>
+<pre style="margin-left: 40px;">                                                                                                                                                                                    <br>Chain INPUT (policy DROP 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0<br> 785K   93M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID<br></pre>
+The following rule indicates that all traffic destined for the firewall
+that comes into the firewall on eth0 is passed to a chain called
+"eth0_in". That chain will be shown further down.<br>
+<pre style="margin-left: 40px;"> 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0<br>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'<br>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>                                                                                                                                                                                    <br>Chain FORWARD (policy DROP 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>    0     0 accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID<br>    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0<br>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'<br>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>                                                                                                                                                                                    <br>Chain OUTPUT (policy DROP 1 packets, 60 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> 679K  182M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0<br> 922K  618M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID<br> 922K  618M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0<br>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'<br>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br></pre>
+Here is the eth0_in chain:<br>
+<pre style="margin-left: 40px;">Chain eth0_in (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br> 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0<br> 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br></pre>
+The "dynamic" chain above is where dynamic blacklisting is done.<br>
+<br>
+Next comes the <span style="font-weight: bold;">Nat </span>table:<br>
+<pre style="margin-left: 40px;">NAT Table<br> <br>Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain net_dnat (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br>  638 32968 REDIRECT   tcp  --  *      *       0.0.0.0/0           !206.124.146.177    tcp dpt:80 redir ports 3128<br></pre>
+And finally, the <span style="font-weight: bold;">Mangle </span>table:&nbsp;<br>
+<pre style="margin-left: 40px;">Mangle Table<br> <br>Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>1464K  275M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br> <br>Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>1601K  800M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain outtos (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10<br> 315K  311M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10<br>  683 59143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10<br> 3667 5357K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08<br> <br>Chain pretos (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br> 271K   15M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10<br>  730 41538 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08<br> 2065  111K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08<br></pre>
+<pre style="margin-left: 40px;"></pre>
+</div>
+</div>
+<p align="left"><font size="2">Last updated 10/14/2003 - <a
+ href="support.htm">Tom Eastep</a></font></p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
+</body>
+</html>
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm
index 2497af2f7..090e316b3 100644
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@@ -8,17 +8,287 @@
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Shorewall News Archive<br>
+</h1>
+<p><b>11/07/2003 - Shorewall 1.4.8<br>
+<br>
+</b>Problems Corrected since version 1.4.7:<br>
+</p>
+<ol>
+  <li>Tuomo Soini has supplied a correction to a problem that occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.</li>
+  <li>Andres Zhoglo has supplied a correction that avoids trying to use
+the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+    <br>
+  </li>
+  <li>Previously, if the following error message was issued, Shorewall
+was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
+    <br>
+  </li>
+  <li>Handling of the LOGUNCLEAN option in shorewall.conf has been
+corrected.</li>
+  <li>In Shorewall 1.4.2, an optimization was added. This optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+  <li>When the MARK value in a tcrules entry is followed by ":F" or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.</li>
+  <li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
+option has been removed from shorewall.conf.</li>
+  <li>Previously, neither the 'routefilter' interface option nor the
+ROUTE_FILTER parameter were working properly. This has been corrected
+(thanks to Eric Bowles for his analysis and patch). The definition of
+the ROUTE_FILTER option has changed however. Previously,
+ROUTE_FILTER=Yes was documented as enabling route filtering on all
+interfaces (which didn't work). Beginning with this release, setting
+ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
+up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
+coexist with the use of the 'routefilter' option in the interfaces file.</li>
+  <li>If MAC verification was enabled on an interface with a /32
+address and a broadcast address then an error would occur during
+startup.</li>
+  <li>The NONE policy's intended use is to suppress the generating of
+rules that can't possibly be traversed. This means that a policy of
+NONE is inappropriate where the source or destination zone is $FW or
+"all". Shorewall now generates an error message if such a policy is
+given in /etc/shorewall/policy. Previously such a policy caused
+"shorewall start" to fail.</li>
+  <li>The 'routeback' option was broken for wildcard interfaces (e.g.,
+"tun+"). This has been corrected so that 'routeback' now works as
+expected in this case.<br>
+  </li>
+</ol>
+Migration Issues:<br>
+<ol>
+  <li>The definition of the ROUTE_FILTER option in shorewall.conf has
+changed as described in item 8) above.<br>
+  </li>
+</ol>
+New Features:<br>
+<ol>
+  <li>A new QUEUE action has been introduced for rules. QUEUE allows
+you to pass connection requests to a user-space filter such as ftwall
+(http://p2pwall.sourceforge.net). The ftwall program allows for
+effective filtering of p2p applications such as Kazaa. For example, to
+use ftwall to filter P2P clients in the 'loc' zone, you would add the
+following rules:<br>
+    <br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
+    <br>
+You would normally want to place those three rules BEFORE any ACCEPT
+rules for loc-&gt;net udp or tcp.<br>
+    <br>
+Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
+Shorewall will only pass connection requests (SYN packets) to user
+space. This is for compatibility with ftwall.</li>
+  <li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
+this option is set to "Yes", the blacklists (dynamic and static) are
+only consulted for new connection requests. When set to "No" (the
+default if the variable is not set), the blacklists are consulted on
+every packet.<br>
+    <br>
+Setting this option to "No" allows blacklisting to stop existing
+connections from a newly blacklisted host but is more expensive in
+terms of packet processing time. This is especially true if the
+blacklists contain a large number of entries.</li>
+  <li>Chain names used in the /etc/shorewall/accounting file may now
+begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
+</ol>
+<p><b>10/30/2003 - Shorewall 1.4.8 RC1<br>
+</b></p>
+Given the small number of new features and the relatively few lines of
+code that were changed, there will be no Beta for 1.4.8.<br>
+<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
+<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
+<br>
+</b>Problems Corrected since version 1.4.7:<br>
+</p>
+<ol>
+  <li>Tuomo Soini has supplied a correction to a problem that occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.</li>
+  <li>Andres Zhoglo has supplied a correction that avoids trying to use
+the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+    <br>
+  </li>
+  <li>Previously, if the following error message was issued, Shorewall
+was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
+    <br>
+  </li>
+  <li>Handling of the LOGUNCLEAN option in shorewall.conf has been
+corrected.</li>
+  <li>In Shorewall 1.4.2, an optimization was added. This optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+  <li>When the MARK value in a tcrules entry is followed by ":F" or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.</li>
+  <li>An incorrect comment concerning Debian's use of the SYBSYSLOCK
+option has been removed from shorewall.conf.</li>
+  <li>Previously, neither the 'routefilter' interface option nor the
+ROUTE_FILTER parameter were working properly. This has been corrected
+(thanks to Eric Bowles for his analysis and patch). The definition of
+the ROUTE_FILTER option has changed however. Previously,
+ROUTE_FILTER=Yes was documented as enabling route filtering on all
+interfaces (which didn't work). Beginning with this release, setting
+ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
+up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
+coexist with the use of the 'routefilter' option in the interfaces file.</li>
+</ol>
+Migration Issues:<br>
+<ol>
+  <li>The definition of the ROUTE_FILTER option in shorewall.conf has
+changed as described in item 8) above.<br>
+  </li>
+</ol>
+New Features:<br>
+<ol>
+  <li>A new QUEUE action has been introduced for rules. QUEUE allows
+you to pass connection requests to a user-space filter such as ftwall
+(http://p2pwall.sourceforge.net). The ftwall program allows for
+effective filtering of p2p applications such as Kazaa. For example, to
+use ftwall to filter P2P clients in the 'loc' zone, you would add the
+following rules:<br>
+    <br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
+    <br>
+You would normally want to place those three rules BEFORE any ACCEPT
+rules for loc-&gt;net udp or tcp.<br>
+    <br>
+Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
+Shorewall will only pass connection requests (SYN packets) to user
+space. This is for compatibility with ftwall.</li>
+  <li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
+this option is set to "Yes", the blacklists (dynamic and static) are
+only consulted for new connection requests. When set to "No" (the
+default if the variable is not set), the blacklists are consulted on
+every packet.<br>
+    <br>
+Setting this option to "No" allows blacklisting to stop existing
+connections from a newly blacklisted host but is more expensive in
+terms of packet processing time. This is especially true if the
+blacklists contain a large number of entries.</li>
+  <li>Chain names used in the /etc/shorewall/accounting file may now
+begin with a digit ([0-9]) and may contain embedded dashes ("-").<br>
+  </li>
+</ol>
+<b></b>
+<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
+awards </b><b><img
+ style="border: 0px solid ; width: 50px; height: 80px;"
+ src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
+1.4.7c released.</b></p>
+<ol>
+  <li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c
+script produces a ruleset that should work for everyone even if it is
+not quite optimal. My apologies for this ongoing mess.<br>
+  </li>
+</ol>
+<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
+This is a bugfx rollup of the 1.4.7a fixes plus:<br>
+<ol>
+  <li>The fix for problem 5 in 1.4.7a was wrong with the result that
+"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
+is corrected in this release.<br>
+  </li>
+</ol>
+<p><b>10/21/2003 - Shorewall 1.4.7a<br>
+</b></p>
+<p>This is a bugfix rollup of the following problem corrections:<br>
+</p>
+<ol>
+  <li>Tuomo Soini has supplied a correction to a problem that occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.<br>
+    <br>
+  </li>
+  <li>Andres Zhoglo has supplied a correction that avoids trying to use
+the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+    <br>
+  </li>
+  <li>Previously, if the following error message was issued, Shorewall
+was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through
+interface xxx<br>
+    <br>
+  </li>
+  <li>Handling of the LOGUNCLEAN option in shorewall.conf has been
+corrected.</li>
+  <li>In Shorewall 1.4.2, an optimization was added. This optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+  <li>When the MARK value in a tcrules entry is followed by ":F" or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.<br>
+  </li>
+</ol>
 <p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
 </b></p>
 <b>Problems Corrected since version 1.4.6 (Those in bold font were
@@ -290,7 +560,7 @@ where we started.<br>
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
   <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
- href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
+ href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.</li>
 </ol>
 <p><b>10/02/2003 - Shorewall 1.4.7 RC2</b><b><br>
@@ -555,7 +825,7 @@ where we started.<br>
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
   <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
- href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
+ href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.</li>
 </ol>
 <p><b>9/18/2003 - Shorewall 1.4.7 RC 1</b><b><br>
@@ -997,7 +1267,7 @@ where we started.<br>
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
   <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
- href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
+ href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.</li>
 </ol>
 <p><b>8/27/2003 - Shorewall Mirror in Australia</b></p>
@@ -1554,8 +1824,7 @@ ADDRESS column in /etc/shorewall/masq may now include a comma-separated
 list of addresses and/or address ranges. Netfilter will use all listed
 addresses/ranges in round-robin fashion. \</li>
   <li>An /etc/shorewall/accounting file has been added to allow for
-traffic accounting.&nbsp; See the <a
- href="file:///vfat/Shorewall-docs/Accounting.html">accounting
+traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
 documentation</a> for a description of this facility.</li>
   <li>Bridge interfaces (br[0-9]) may now be used in
 /etc/shorewall/maclist.</li>
@@ -4550,7 +4819,7 @@ deleted.</li>
 an additional "gw" (gateway) zone for tunnels and it supports IPSEC
 tunnels with end-points on the firewall. There is also a .lrp available
 now.</b></p>
-<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2">Updated 11/07/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
  size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/OPENVPN.html b/Shorewall-docs/OPENVPN.html
index 8a673f957..fdf39157b 100755
--- a/Shorewall-docs/OPENVPN.html
+++ b/Shorewall-docs/OPENVPN.html
@@ -1,284 +1,232 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>OpenVPN Tunnels</title>
-       
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-     <tbody>
-       <tr>
-       <td width="100%">       
-      <h1 align="center"><font color="#ffffff">OpenVPN Tunnels</font></h1>
-       </td>
-     </tr>
-    
-  </tbody> 
-</table>
-  
-<h3><br>
-   </h3>
-  
-<p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network) 
- daemon which can be used to securely link two or more private networks using 
- an encrypted tunnel over the internet. OpenVPN is an Open Source project 
-and is <a href="http://openvpn.sourceforge.net/license.html">licensed under 
-the GPL</a>. OpenVPN can be downloaded from <a
+<body>
+<h1 style="text-align: center;">OpenVPN Tunnels<br>
+</h1>
+<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
+Network) daemon which can be used to securely link two or more private
+networks using an encrypted tunnel over the internet. OpenVPN is an
+Open Source project and is <a
+ href="http://openvpn.sourceforge.net/license.html">licensed under the
+GPL</a>. OpenVPN can be downloaded from <a
  href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
-   </p>
-  
+</p>
 <p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
-   </p>
-  
+</p>
 <h2>Bridging two Masqueraded Networks</h2>
-  
 <p>Suppose that we have the following situation:</p>
-  
 <p align="center"><img border="0" src="images/TwoNets1.png" width="745"
- height="427">
-  </p>
-  
-<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able 
- to communicate with the systems in the 10.0.0.0/8 network. This is accomplished 
- through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy 
- file and OpenVPN.</p>
-  
-<p align="left">While it was possible to use the Shorewall start and stop 
- script to start and stop OpenVPN, I decided to use the init script of OpenVPN 
- to start and stop it.</p>
-  
-<p align="left">On each firewall, you will need to declare a zone to represent 
- the remote subnet. We'll assume that this zone is called 'vpn' and declare 
- it in  /etc/shorewall/zones on both systems as follows.</p>
-  
-<blockquote>   
+ height="427"> </p>
+<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
+able to communicate with the systems in the 10.0.0.0/8 network. This is
+accomplished through use of the /etc/shorewall/tunnels file and the
+/etc/shorewall/policy file and OpenVPN.</p>
+<p align="left">While it was possible to use the Shorewall start and
+stop script to start and stop OpenVPN, I decided to use the init script
+of OpenVPN to start and stop it.</p>
+<p align="left">On each firewall, you will need to declare a zone to
+represent the remote subnet. We'll assume that this zone is called
+'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-                  <tbody>
-         <tr>
-                 <td><strong>ZONE</strong></td>
-                 <td><strong>DISPLAY</strong></td>
-                 <td><strong>COMMENTS</strong></td>
-             </tr>
-             <tr>
-                 <td>vpn</td>
-                 <td>VPN</td>
-                 <td>Remote Subnet</td>
-             </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><strong>ZONE</strong></td>
+        <td><strong>DISPLAY</strong></td>
+        <td><strong>COMMENTS</strong></td>
+      </tr>
+      <tr>
+        <td>vpn</td>
+        <td>VPN</td>
+        <td>Remote Subnet</td>
+      </tr>
+    </tbody>
   </table>
-    </blockquote>
-  
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
+</blockquote>
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
+zone.
 In /etc/shorewall/interfaces:</p>
-  
-<blockquote>   
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-       <tbody>
-         <tr>
-         <td><b>ZONE</b></td>
-         <td><b>INTERFACE</b></td>
-         <td><b>BROADCAST</b></td>
-         <td><b>OPTIONS</b></td>
-       </tr>
-       <tr>
-         <td>vpn</td>
-         <td>tun0</td>
-         <td><br>
-           </td>
-         <td> </td>
-       </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>ZONE</b></td>
+        <td><b>INTERFACE</b></td>
+        <td><b>BROADCAST</b></td>
+        <td><b>OPTIONS</b></td>
+      </tr>
+      <tr>
+        <td>vpn</td>
+        <td>tun0</td>
+        <td><br>
+        </td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
-  
-<blockquote>   
+</blockquote>
+<p align="left">In /etc/shorewall/tunnels on system A, we need the
+following:</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-       <tbody>
-         <tr>
-         <td><b>TYPE</b></td>
-         <td><b>ZONE</b></td>
-         <td><b>GATEWAY</b></td>
-         <td><b>GATEWAY ZONE</b></td>
-       </tr>
-       <tr>
-         <td>openvpn</td>
-         <td>net</td>
-         <td>134.28.54.2</td>
-         <td> </td>
-       </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>TYPE</b></td>
+        <td><b>ZONE</b></td>
+        <td><b>GATEWAY</b></td>
+        <td><b>GATEWAY ZONE</b></td>
+      </tr>
+      <tr>
+        <td>openvpn</td>
+        <td>net</td>
+        <td>134.28.54.2</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN 
- traffic on the default port 5000/udp will be accepted to/from the remote 
-gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels 
- like this:<br>
-   </p>
-  
-<blockquote>   
+</blockquote>
+<p>This entry in /etc/shorewall/tunnels opens the firewall so that
+OpenVPN traffic on the default port 5000/udp will be accepted to/from
+the remote gateway. If you change the port used by OpenVPN to 7777, you
+can define&nbsp;/etc/shorewall/tunnels like this:<br>
+</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-       <tbody>
-         <tr>
-         <td><b>TYPE</b></td>
-         <td><b>ZONE</b></td>
-         <td><b>GATEWAY</b></td>
-         <td><b>GATEWAY ZONE</b></td>
-       </tr>
-       <tr>
-         <td>openvpn:7777</td>
-         <td>net</td>
-         <td>134.28.54.2</td>
-         <td> </td>
-       </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>TYPE</b></td>
+        <td><b>ZONE</b></td>
+        <td><b>GATEWAY</b></td>
+        <td><b>GATEWAY ZONE</b></td>
+      </tr>
+      <tr>
+        <td>openvpn:7777</td>
+        <td>net</td>
+        <td>134.28.54.2</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
+</blockquote>
 <p>This is the OpenVPN config on system A:</p>
-  
-<blockquote>   
+<blockquote>
   <p></p>
-   </blockquote>
-  
-<blockquote>   
+</blockquote>
+<blockquote>
   <p>dev tun<br>
-   local 206.162.148.9<br>
-   remote 134.28.54.2<br>
-   ifconfig 192.168.99.1 192.168.99.2<br>
-   up ./route-a.up<br>
-   tls-server<br>
-   dh dh1024.pem<br>
-   ca ca.crt<br>
-   cert my-a.crt<br>
-   key my-a.key<br>
-   comp-lzo<br>
-   verb 5<br>
-     </p>
-   </blockquote>
-  
-<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b> 
- zone. In /etc/shorewall/interfaces:</p>
-  
-<blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-       <tbody>
-         <tr>
-         <td><b>ZONE</b></td>
-         <td><b>INTERFACE</b></td>
-         <td><b>BROADCAST</b></td>
-         <td><b>OPTIONS</b></td>
-       </tr>
-       <tr>
-         <td>vpn</td>
-         <td>tun0</td>
-         <td>192.168.1.255</td>
-         <td> </td>
-       </tr>
-      
-    </tbody>   
-  </table>
-   </blockquote>
-  
-<p>In /etc/shorewall/tunnels on system B, we have:</p>
-  
-<blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-       <tbody>
-         <tr>
-         <td><b>TYPE</b></td>
-         <td><b>ZONE</b></td>
-         <td><b>GATEWAY</b></td>
-         <td><b>GATEWAY ZONE</b></td>
-       </tr>
-       <tr>
-         <td>openvpn</td>
-         <td>net</td>
-         <td>206.191.148.9</td>
-         <td> </td>
-       </tr>
-      
-    </tbody>   
-  </table>
-   </blockquote>
-  
-<p>And in the OpenVPN config on system B:</p>
-  
-<blockquote>   
-  <p>dev tun<br>
-   local 134.28.54.2<br>
-   remote 206.162.148.9<br>
-   ifconfig 192.168.99.2 192.168.99.1<br>
-   up ./route-b.up<br>
-   tls-client<br>
-   ca ca.crt<br>
-   cert my-b.crt<br>
-   key my-b.key<br>
-   comp-lzo<br>
-   verb 5<br>
-     </p>
-   </blockquote>
-  
-<p align="left">You will need to allow traffic between the "vpn" zone and 
-       the "loc" zone on both systems -- if you simply want to admit all traffic
-       in both directions, you can use the policy file:</p>
-  
-<blockquote>   
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-                  <tbody>
-         <tr>
-                 <td><strong>SOURCE</strong></td>
-                 <td><strong>DEST</strong></td>
-                 <td><strong>POLICY</strong></td>
-                 <td><strong>LOG LEVEL</strong></td>
-             </tr>
-             <tr>
-                 <td>loc</td>
-                 <td>vpn</td>
-                 <td>ACCEPT</td>
-             <td> </td>
-             </tr>
-                                 <tr>
-                 <td>vpn</td>
-                 <td>loc</td>
-                 <td>ACCEPT</td>
-             <td> </td>
-             </tr>
-      
-    </tbody>   
-  </table>
-   </blockquote>
-  
-<p>On both systems, restart Shorewall and start OpenVPN. The systems in the 
- two masqueraded subnetworks can now talk to each other.</p>
-  
-<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font> 
-<small>and Simon Mater</small><br>
+local 206.162.148.9<br>
+remote 134.28.54.2<br>
+ifconfig 192.168.99.1 192.168.99.2<br>
+up ./route-a.up<br>
+tls-server<br>
+dh dh1024.pem<br>
+ca ca.crt<br>
+cert my-a.crt<br>
+key my-a.key<br>
+comp-lzo<br>
+verb 5<br>
   </p>
-  
+</blockquote>
+<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
+zone. In /etc/shorewall/interfaces:</p>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><b>ZONE</b></td>
+        <td><b>INTERFACE</b></td>
+        <td><b>BROADCAST</b></td>
+        <td><b>OPTIONS</b></td>
+      </tr>
+      <tr>
+        <td>vpn</td>
+        <td>tun0</td>
+        <td>192.168.1.255</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p>In /etc/shorewall/tunnels on system B, we have:</p>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><b>TYPE</b></td>
+        <td><b>ZONE</b></td>
+        <td><b>GATEWAY</b></td>
+        <td><b>GATEWAY ZONE</b></td>
+      </tr>
+      <tr>
+        <td>openvpn</td>
+        <td>net</td>
+        <td>206.191.148.9</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p>And in the&nbsp;OpenVPN config on system B:</p>
+<blockquote>
+  <p>dev tun<br>
+local 134.28.54.2<br>
+remote 206.162.148.9<br>
+ifconfig 192.168.99.2 192.168.99.1<br>
+up ./route-b.up<br>
+tls-client<br>
+ca ca.crt<br>
+cert my-b.crt<br>
+key my-b.key<br>
+comp-lzo<br>
+verb 5<br>
+  </p>
+</blockquote>
+<p align="left">You will need to allow traffic between the "vpn" zone
+and the "loc" zone on both systems -- if you simply want to admit all
+traffic in both directions, you can use the policy file:</p>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><strong>SOURCE</strong></td>
+        <td><strong>DEST</strong></td>
+        <td><strong>POLICY</strong></td>
+        <td><strong>LOG LEVEL</strong></td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>vpn</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>vpn</td>
+        <td>loc</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p>On both systems, restart Shorewall and start OpenVPN. The systems in
+the two masqueraded subnetworks can now talk to each other.</p>
+<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
+<small>and Simon Mater</small><br>
+</p>
 <p><font size="2"> </font></p>
-  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
-  </font></a></font></p>
-   <br>
-   <br>
-  <br>
- <br>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
+</font></a></font></p>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/PPTP.htm b/Shorewall-docs/PPTP.htm
index aac549f73..9951bdb42 100644
--- a/Shorewall-docs/PPTP.htm
+++ b/Shorewall-docs/PPTP.htm
@@ -9,17 +9,8 @@
   <title>Shorewall PPTP</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">PPTP</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">PPTP<br>
+</h1>
 <h4>NOTE: I am no longer attempting to maintain MPPE patches for
 current
 Linux kernel's and pppd. I recommend that you refer to the following
@@ -263,9 +254,191 @@ status)<br>
 esac</font></p>
 </blockquote>
 <h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
-<p>I consider hosts connected to my PPTP server to be just like local
-systems.
-My key Shorewall entries are:</p>
+<h4><span style="text-decoration: underline;">Basic Setup</span><br>
+</h4>
+<p>Here' a basic setup that treats your remote users as if they were
+part of your <span style="font-weight: bold;">loc</span> zone. Note
+that if your primary internet connection uses ppp0, then be sure that <span
+ style="font-weight: bold;">loc</span> follows <span
+ style="font-weight: bold;">net</span> in /etc/shorewall/zones.<br>
+</p>
+<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
+</p>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><strong> TYPE</strong></td>
+        <td><strong> ZONE</strong></td>
+        <td><strong> GATEWAY</strong></td>
+        <td><strong> GATEWAY ZONE</strong></td>
+      </tr>
+      <tr>
+        <td>pptpserver<br>
+        </td>
+        <td>net</td>
+        <td>0.0.0.0/0<br>
+        </td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p><span style="font-weight: bold;">/etc/shorewall/interfaces:</span><br>
+</p>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><b>ZONE</b></td>
+        <td><b>INTERFACE</b></td>
+        <td><b>BROADCAST</b></td>
+        <td><b>OPTIONS</b></td>
+      </tr>
+      <tr>
+        <td>loc<br>
+        </td>
+        <td>ppp+</td>
+        <td>&nbsp;-</td>
+        <td><br>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<h4 style="text-decoration: underline;">Remote Users in a Separate Zone</h4>
+If you want to place your remote users in their own zone so that you
+can control connections between these users and the local network,
+follow this example. Note that if your primary internet connection uses
+ppp0 then be sure that <span style="font-weight: bold;">vpn</span>
+follows <span style="font-weight: bold;">net</span> in
+/etc/shorewall/zones as shown below.<br>
+<br>
+<span style="font-weight: bold;">/etc/shorewall/tunnels:<br>
+</span>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><strong> TYPE</strong></td>
+        <td><strong> ZONE</strong></td>
+        <td><strong> GATEWAY</strong></td>
+        <td><strong> GATEWAY ZONE</strong></td>
+      </tr>
+      <tr>
+        <td>pptpserver<br>
+        </td>
+        <td>net</td>
+        <td>0.0.0.0/0<br>
+        </td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<span style="font-weight: bold;">/etc/shorewall/zones:<br>
+</span>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><b>ZONE</b></td>
+        <td><b>DISPLAY</b></td>
+        <td><b>COMMENTS</b></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>Internet</td>
+        <td>The Internet</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>Local</td>
+        <td>Local Network <br>
+        </td>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">vpn</td>
+        <td style="vertical-align: top;">VPN<br>
+        </td>
+        <td style="vertical-align: top;">Remote Users<br>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<h4>/etc/shorewall/interfaces:</h4>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><b>ZONE</b></td>
+        <td><b>INTERFACE</b></td>
+        <td><b>BROADCAST</b></td>
+        <td><b>OPTIONS</b></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>eth0</td>
+        <td>206.124.146.255</td>
+        <td>norfc1918</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth2</td>
+        <td>192.168.10.255</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>vpn<br>
+        </td>
+        <td>ppp+</td>
+        <td>&nbsp;-</td>
+        <td><br>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+Your policies and rules may now be configured for traffic to/from the <span
+ style="font-weight: bold;">vpn</span> zone.<br>
+<h4><span style="text-decoration: underline;">Multiple Remote Networks</span><br>
+</h4>
+<p>Often there will be situations where you want multiple connections
+from remote networks with these networks having different firewalling
+requirements.<br>
+</p>
+<div style="text-align: center;"><img src="images/MultiPPTP.png"
+ title="" alt="" style="width: 846px; height: 544px;"><br>
+</div>
+<p>Here's how you configure this in Shorewall. Note that if your
+primary internet connection uses ppp0 then be sure that the <span
+ style="font-weight: bold;">vpn{1-3}</span> zones follows <span
+ style="font-weight: bold;">net</span> in /etc/shorewall/zones as shown
+below.<br>
+</p>
+<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
+</p>
+<blockquote>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><strong> TYPE</strong></td>
+        <td><strong> ZONE</strong></td>
+        <td><strong> GATEWAY</strong></td>
+        <td><strong> GATEWAY ZONE</strong></td>
+      </tr>
+      <tr>
+        <td>pptpserver<br>
+        </td>
+        <td>net</td>
+        <td>0.0.0.0/0<br>
+        </td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
 <h4>/etc/shorewall/zones:</h4>
 <blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
@@ -283,7 +456,31 @@ My key Shorewall entries are:</p>
       <tr>
         <td>loc</td>
         <td>Local</td>
-        <td>My Local Network including remote PPTP clients</td>
+        <td>Local Network <br>
+        </td>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">vpn1</td>
+        <td style="vertical-align: top;">Remote1<br>
+        </td>
+        <td style="vertical-align: top;">Remote Network 1<br>
+        </td>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">vpn2<br>
+        </td>
+        <td style="vertical-align: top;">Remote2<br>
+        </td>
+        <td style="vertical-align: top;">Remote Network 2<br>
+        </td>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">vpn3<br>
+        </td>
+        <td style="vertical-align: top;">Remote3<br>
+        </td>
+        <td style="vertical-align: top;">Remote Network 3<br>
+        </td>
       </tr>
     </tbody>
   </table>
@@ -307,13 +504,13 @@ My key Shorewall entries are:</p>
       <tr>
         <td>loc</td>
         <td>eth2</td>
-        <td>192.168.1.255</td>
+        <td>192.168.10.255</td>
         <td>&nbsp;</td>
       </tr>
       <tr>
         <td>-</td>
         <td>ppp+</td>
-        <td>&nbsp;</td>
+        <td>&nbsp;-</td>
         <td>&nbsp;</td>
       </tr>
     </tbody>
@@ -329,151 +526,32 @@ My key Shorewall entries are:</p>
         <td><b>OPTIONS</b></td>
       </tr>
       <tr>
-        <td>loc</td>
-        <td>eth2:192.168.1.0/24</td>
-        <td><br>
+        <td>vpn1<br>
         </td>
-      </tr>
-      <tr>
-        <td>loc</td>
         <td>ppp+:192.168.1.0/24</td>
         <td>&nbsp;</td>
       </tr>
-    </tbody>
-  </table>
-</blockquote>
-<h4>/etc/shorewall/policy:</h4>
-<blockquote>
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-    <tbody>
       <tr>
-        <td><b>SOURCE</b></td>
-        <td><b>DEST</b></td>
-        <td><b>POLICY</b></td>
-        <td><b>LOG LEVEL</b></td>
-      </tr>
-      <tr>
-        <td>loc</td>
-        <td>loc</td>
-        <td>ACCEPT</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<h4>/etc/shorewall/rules (For Shorewall versions up to and including
-1.3.9b):</h4>
-<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-    <tbody>
-      <tr>
-        <td><b>ACTION</b></td>
-        <td><b>SOURCE</b></td>
-        <td><b>DEST</b></td>
-        <td><b> PROTO</b></td>
-        <td><b>DEST<br>
-PORT(S)</b></td>
-        <td><b>SOURCE<br>
-PORT(S)</b></td>
-        <td><b>ORIGINAL<br>
-DEST</b></td>
-      </tr>
-      <tr>
-        <td>ACCEPT</td>
-        <td>net</td>
-        <td>fw</td>
-        <td>tcp</td>
-        <td>1723</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>ACCEPT</td>
-        <td>net</td>
-        <td>fw</td>
-        <td>47</td>
-        <td>-</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>ACCEPT</td>
-        <td>fw</td>
-        <td>net</td>
-        <td>47</td>
-        <td>-</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions
-1.3.10 and
-later)<br>
-</b></p>
-<blockquote>
-  <table cellpadding="2" border="2" style="border-collapse: collapse;">
-    <tbody>
-      <tr>
-        <td valign="top"><b>TYPE<br>
-        </b></td>
-        <td valign="top"><b>ZONE<br>
-        </b></td>
-        <td valign="top"><b>GATEWAY<br>
-        </b></td>
-        <td valign="top"><b>GATEWAY ZONE<br>
-        </b></td>
-      </tr>
-      <tr>
-        <td valign="top">pptpserver<br>
+        <td style="vertical-align: top;">vpn2<br>
         </td>
-        <td valign="top">net<br>
+        <td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
         </td>
-        <td valign="top">0.0.0.0/0<br>
+        <td style="vertical-align: top;"><br>
         </td>
-        <td valign="top"><br>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">vpn3<br>
+        </td>
+        <td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
+        </td>
+        <td style="vertical-align: top;"><br>
         </td>
       </tr>
     </tbody>
   </table>
 </blockquote>
-<p align="left"><br>
-Note: I have multiple ppp interfaces on my firewall. If you have a
-single
-ppp interface, you probably want:</p>
-<h4>/etc/shorewall/interfaces:</h4>
-<blockquote>
-  <table border="2" cellpadding="2" style="border-collapse: collapse;">
-    <tbody>
-      <tr>
-        <td><b>ZONE</b></td>
-        <td><b>INTERFACE</b></td>
-        <td><b>BROADCAST</b></td>
-        <td><b>OPTIONS</b></td>
-      </tr>
-      <tr>
-        <td>net</td>
-        <td>eth0</td>
-        <td>206.124.146.255</td>
-        <td>norfc1918</td>
-      </tr>
-      <tr>
-        <td>loc</td>
-        <td>eth2</td>
-        <td>192.168.1.255</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>loc</td>
-        <td>ppp0</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
+Your policies and rules can now be configured using separate zones
+(vpn1, vpn2, and vpn3) for the three remote network.<br>
 <h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
 Behind
 your Firewall</h2>
@@ -968,7 +1046,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
 That entry allows a PPTP tunnel to be established between your
 Shorewall system and the PPTP server in the modem.<br>
 </div>
-<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
+<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
diff --git a/Shorewall-docs/ProxyARP.htm b/Shorewall-docs/ProxyARP.htm
index 538a880b4..69828a93a 100644
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@@ -1,192 +1,165 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Proxy ARP</title>
-       
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
-    
   <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-           <tbody>
-        <tr>
-             <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
-             </td>
-           </tr>
-    
-  </tbody> 
-</table>
-  
-<p>Proxy ARP allows you to insert a firewall in front of a set of servers 
-      without changing their IP addresses and without having to re-subnet. 
- Before you try to use this technique, I strongly recommend that you read 
-the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
-  
-<p>The following figure represents a Proxy ARP     environment.</p>
-  
-<blockquote>   
-  <p align="center"><strong>     <img src="images/proxyarp.png"
- width="519" height="397">
-      </strong></p>
-    
-  <blockquote>     </blockquote>
-     </blockquote>
-  
-<p align="left">Proxy ARP can be used to make the systems with addresses 
-   130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) 
-      subnet.  Assuming that the upper firewall interface is eth0 and the 
-     lower interface is eth1, this is accomplished using the following entries 
- in      /etc/shorewall/proxyarp:</p>
-  
-<blockquote>   
+<body>
+<h1 style="text-align: center;">Proxy ARP<br>
+</h1>
+<p>Proxy ARP allows you to insert a firewall in front of a set of
+servers without changing their IP addresses and without having to
+re-subnet. Before you try to use this technique, I strongly recommend
+that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
+Guide.</a></p>
+<p>The following figure represents a Proxy ARP environment.</p>
+<blockquote>
+  <p align="center"><strong> <img src="images/proxyarp.png" width="519"
+ height="397"> </strong></p>
+  <blockquote> </blockquote>
+</blockquote>
+<p align="left">Proxy ARP can be used to make the systems with
+addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
+(130.252.100.*) subnet.&nbsp; Assuming that the upper firewall
+interface is eth0 and the lower interface is eth1, this is accomplished
+using the following entries in /etc/shorewall/proxyarp:</p>
+<blockquote>
   <table border="2" cellpadding="2" style="border-collapse: collapse;">
-           <tbody>
-          <tr>
-             <td><b>ADDRESS</b></td>
-             <td><b>INTERFACE</b></td>
-             <td><b>EXTERNAL</b></td>
-             <td><b>HAVEROUTE</b></td>
-           </tr>
-           <tr>
-             <td>130.252.100.18</td>
-             <td>eth1</td>
-             <td>eth0</td>
-             <td>no</td>
-           </tr>
-           <tr>
-             <td>130.252.100.19</td>
-             <td>eth1</td>
-             <td>eth0</td>
-             <td>no</td>
-           </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>ADDRESS</b></td>
+        <td><b>INTERFACE</b></td>
+        <td><b>EXTERNAL</b></td>
+        <td><b>HAVEROUTE</b></td>
+      </tr>
+      <tr>
+        <td>130.252.100.18</td>
+        <td>eth1</td>
+        <td>eth0</td>
+        <td>no</td>
+      </tr>
+      <tr>
+        <td>130.252.100.19</td>
+        <td>eth1</td>
+        <td>eth0</td>
+        <td>no</td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-  
-<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19  
-   in the above example) are not included in any specification in      /etc/shorewall/masq 
-or /etc/shorewall/nat.</p>
-  
-<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is 
-      irrelevant. </p>
-  
-<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their 
-      subnet mask and default gateway configured exactly the same way that 
- the      Firewall system's eth0 is configured.  In other words, they should 
-be configured just like they would be if they were parallel to the firewall 
-rather than behind it.<br>
-  </p>
-  
-<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es) 
-(130.252.100.18 and 130.252.100.19 in the above example)  to the external 
-interface (eth0 in this example) of the firewall.</b></font><br>
-                      </p>
- 
-<div align="left">            </div>
-  
-<div align="left"> 
-<p align="left">A word of warning is in order here. ISPs typically configure 
-    their routers with a long ARP cache timeout. If you move a system from 
-    parallel to your firewall to behind your firewall with Proxy ARP, it
-will     probably be HOURS before that system can communicate with the internet. 
- There are a couple of things that you can try:<br>
-    </p>
-  
+</blockquote>
+<p>Be sure that the internal systems (130.242.100.18 and
+130.252.100.19&nbsp; in the above example) are not included in any
+specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
+<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
+is irrelevant. </p>
+<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
+their subnet mask and default gateway configured exactly the same way
+that the Firewall system's eth0 is configured. In other words, they
+should be configured just like they would be if they were parallel to
+the firewall rather than behind it.<br>
+</p>
+<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
+address(es) (130.252.100.18 and 130.252.100.19 in the above
+example)&nbsp; to the external interface (eth0 in this example) of the
+firewall.</b></font><br>
+</p>
+<div align="left"> </div>
+<div align="left">
+<p align="left">A word of warning is in order here. ISPs typically
+configure their routers with a long ARP cache timeout. If you move a
+system from parallel to your firewall to behind your firewall with
+Proxy ARP, it
+will probably be HOURS before that system can communicate with the
+internet. There are a couple of things that you can try:<br>
+</p>
 <ol>
-      <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
-Illustrated,  Vol 1</i> reveals that a <br>
-        <br>
-    "gratuitous" ARP packet should cause the ISP's router to refresh their 
-ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the 
-MAC  address for its own IP; in addition to ensuring that the IP address
-isn't  a duplicate...<br>
-        <br>
-    "if the host sending the gratuitous ARP has just changed its hardware 
-address...,  this packet causes any other host...that has an entry in its 
-cache for the  old hardware address to update its ARP cache entry accordingly."<br>
-        <br>
-    Which is, of course, exactly what you want to do when you switch a host 
- from being exposed to the Internet to behind Shorewall using proxy ARP (or 
- static NAT for that matter). Happily enough, recent versions of Redhat's 
-iputils package include "arping", whose "-U" flag does just that:<br>
-        <br>
-        <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly 
-proxied  IP&gt;</i></b></font><br>
-        <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
-        <br>
-    Stevens goes on to mention that not all systems respond correctly to
-gratuitous  ARPs, but googling for "arping -U" seems to support the idea
-that it works  most of the time.<br>
-       <br>
-   To use arping with Proxy ARP in the above example, you would have to:<br>
-       <br>
-       <font color="#009900"><b>    shorewall clear<br>
-       </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 
-dev  eth0<br>
-       ip addr add 130.252.100.19 dev eth0</b></font><br>
-        <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
-       <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
-       <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
-       ip addr del 130.252.100.19 dev eth0<br>
-       shorewall start</font></b><br>
-       <br>
-     </li>
-      <li>You    can call your ISP and ask them to purge the stale ARP cache 
- entry but many    either can't or won't purge individual entries.</li>
-  
-</ol>
-    You can determine if your    ISP's gateway ARP cache is stale using ping 
- and tcpdump. Suppose that we    suspect that the gateway router has a stale 
- ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
-  
-<div align="left"> 
-<pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
-     </div>
-  
-<div align="left"> 
-<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we 
- will    assume is 130.252.100.254):</p>
-    </div>
-  
-<div align="left"> 
-<pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
-     </div>
-  
-<div align="left"> 
-<p align="left">We can now observe the tcpdump output:</p>
-    </div>
-  
-<div align="left"> 
-<pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
-     </div>
-  
-<div align="left"> 
-<p align="left">Notice that the source MAC address in the echo request is 
-    different from the destination MAC address in the echo reply!! In this 
- case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 
-    was the MAC address of the system on the lower left. In other words,
-the  gateway's ARP cache still    associates 130.252.100.19 with the NIC
-in that  system rather than with the firewall's    eth0.</p>
-    </div>
-  
-<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
- href="support.htm">Tom Eastep</a></font> </p>
-     <a href="copyright.htm"><font size="2">Copyright</font>  © <font
- size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+  <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
+Illustrated, Vol 1</i> reveals that a <br>
     <br>
-   <br>
-  <br>
- <br>
+"gratuitous" ARP packet should cause the ISP's router to refresh their
+ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
+the MAC address for its own IP; in addition to ensuring that the IP
+address
+isn't a duplicate...<br>
+    <br>
+"if the host sending the gratuitous ARP has just changed its hardware
+address..., this packet causes any other host...that has an entry in
+its cache for the old hardware address to update its ARP cache entry
+accordingly."<br>
+    <br>
+Which is, of course, exactly what you want to do when you switch a host
+from being exposed to the Internet to behind Shorewall using proxy ARP
+(or one-to-one NAT for that matter). Happily enough, recent versions of
+Redhat's iputils package include "arping", whose "-U" flag does just
+that:<br>
+    <br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I <i>&lt;net
+if&gt; &lt;newly proxied IP&gt;</i></b></font><br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
+66.58.99.83 # for example</b></font><br>
+    <br>
+Stevens goes on to mention that not all systems respond correctly to
+gratuitous ARPs, but googling for "arping -U" seems to support the idea
+that it works most of the time.<br>
+    <br>
+To use arping with Proxy ARP in the above example, you would have to:<br>
+    <br>
+    <font color="#009900"><b>&nbsp; &nbsp; shorewall clear<br>
+    </b></font>&nbsp; &nbsp; <font color="#009900"><b>ip addr add
+130.252.100.18 dev eth0<br>
+&nbsp; &nbsp; ip addr add 130.252.100.19 dev eth0</b></font><br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
+130.252.100.18</b></font><br>
+&nbsp; &nbsp; <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
+&nbsp; &nbsp; <b><font color="#009900">ip addr del 130.252.100.18 dev
+eth0<br>
+&nbsp; &nbsp; ip addr del 130.252.100.19 dev eth0<br>
+&nbsp; &nbsp; shorewall start</font></b><br>
+    <br>
+  </li>
+  <li>You can call your ISP and ask them to purge the stale ARP cache
+entry but many either can't or won't purge individual entries.</li>
+</ol>
+You can determine if your ISP's gateway ARP cache is stale using ping
+and tcpdump. Suppose that we suspect that the gateway router has a
+stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
+as follows:</div>
+<div align="left">
+<pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
+</div>
+<div align="left">
+<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
+we will assume is 130.252.100.254):</p>
+</div>
+<div align="left">
+<pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
+</div>
+<div align="left">
+<p align="left">We can now observe the tcpdump output:</p>
+</div>
+<div align="left">
+<pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
+</div>
+<div align="left">
+<p align="left">Notice that the source MAC address in the echo request
+is different from the destination MAC address in the echo reply!! In
+this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
+0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
+In other words,
+the gateway's ARP cache still associates 130.252.100.19 with the NIC
+in that system rather than with the firewall's eth0.</p>
+</div>
+<p><font size="2">Last updated 11/13/2003 - </font><font size="2"> <a
+ href="support.htm">Tom Eastep</a></font> </p>
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/SeattleInTheSpring.html b/Shorewall-docs/SeattleInTheSpring.html
index a3207f8b3..31c8c8231 100755
--- a/Shorewall-docs/SeattleInTheSpring.html
+++ b/Shorewall-docs/SeattleInTheSpring.html
@@ -1,53 +1,34 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Springtime in Seattle!!!</title>
-       
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-     <tbody>
-      <tr>
-       <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
-       </td>
-     </tr>
-    
-  </tbody> 
-</table>
-  
+<body>
+-+
 <h3><font color="#ff6633"></font></h3>
-  <img src="images/P1000048.jpg" alt="" width="640" height="480">
-  <br>
-  <br>
-  <b>March 6, 2003 - Nice day for a walk....</b><br>
-  <br>
-  <img src="images/P1000050.jpg" alt="" width="640" height="480">
- <br>
-  <br>
- <br>
- <img src="images/P1000049.jpg" alt="" width="480" height="640">
-  
-<p><b>The view from my office window -- think I'll go out and enjoy the deck 
-(Yes -- that is snow on the deck...)</b>.<br>
-  </p>
-  
-<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a> 
+<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
+</h1>
+<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
+<br>
+<b>March 6, 2003 - Nice day for a walk....</b><br>
+<br>
+<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
+<br>
+<br>
+<img src="images/P1000049.jpg" alt="" width="480" height="640">
+<p><b>The view from my office window -- think I'll go out and enjoy the
+deck (Yes -- that is snow on the deck...)</b>.<br>
+</p>
+<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
-  
-<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
-    <br>
-  <br>
- <br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Shorewall_CA_html.html b/Shorewall-docs/Shorewall_CA_html.html
index cd7d40ec9..c26ac9c80 100644
--- a/Shorewall-docs/Shorewall_CA_html.html
+++ b/Shorewall-docs/Shorewall_CA_html.html
@@ -2,93 +2,79 @@
 <html>
 <head>
   <title>Shorewall Certificate Authority</title>
-       
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-    
   <meta name="author" content="Tom Eastep">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-           <tbody>
-            <tr>
-             <td width="100%">        
-      <h1 align="center"><font color="#ffffff">Shorewall Certificate Authority 
- (CA) Certificate</font></h1>
-             </td>
-           </tr>
-    
-  </tbody> 
-</table>
-   <br>
-   Given that I develop and support Shorewall without asking for any renumeration, 
- I can hardly justify paying $200US+ a year to a Certificate Authority such 
- as Thawte (A Division of VeriSign) for an X.509 certificate to prove that 
- I am who I am. I have therefore established my own Certificate Authority 
-(CA) and sign my own X.509 certificates. I use these certificates on my list 
-server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>) 
+<body>
+<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
+Certificate<br>
+</h1>
+Given that I develop and support Shorewall without asking for any
+renumeration, I can hardly justify paying $200US+ a year to a
+Certificate Authority such as Thawte (A Division of VeriSign) for an
+X.509 certificate to prove that I am who I am. I have therefore
+established my own Certificate Authority (CA) and sign my own X.509
+certificates. I use these certificates on my list server (<a
+ href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
 which hosts parts of this web site.<br>
-   <br>
-   X.509 certificates are the basis for the Secure Socket Layer (SSL). As 
-part  of establishing an SSL session (URL https://...), your browser verifies 
-the  X.509 certificate supplied by the HTTPS server against the set of Certificate 
- Authority Certificates that were shipped with your browser. It is expected 
- that the server's certificate was issued by one of the authorities whose 
-identities are known to your browser. <br>
-   <br>
-   This mechanism, while supposedly guaranteeing that when you connect to 
-https://www.foo.bar  you are REALLY connecting to www.foo.bar, means that 
-the CAs literally have  a license to print money -- they are selling a string 
-of bits (an X.509 certificate)  for $200US+ per year!!!I <br>
-   <br>
-   I wish that I had decided to become a CA rather that designing and writing 
- Shorewall.<br>
-   <br>
-   What does this mean to you? It means that the X.509 certificate that my 
-server will present to your browser will not have been signed by one of the 
-authorities known to your browser. If you try to connect to my server using 
-SSL, your browser will frown and give you a dialog box asking if you want 
-to accept the sleezy X.509 certificate being presented by my server. <br>
-   <br>
-   There are two things that you can do:<br>
-  
+<br>
+X.509 certificates are the basis for the Secure Socket Layer (SSL). As
+part of establishing an SSL session (URL https://...), your browser
+verifies the X.509 certificate supplied by the HTTPS server against the
+set of Certificate Authority Certificates that were shipped with your
+browser. It is expected that the server's certificate was issued by one
+of the authorities whose identities are known to your browser. <br>
+<br>
+This mechanism, while supposedly guaranteeing that when you connect to
+https://www.foo.bar you are REALLY connecting to www.foo.bar, means
+that the CAs literally have a license to print money -- they are
+selling a string of bits (an X.509 certificate) for $200US+ per
+year!!!I <br>
+<br>
+I wish that I had decided to become a CA rather that designing and
+writing Shorewall.<br>
+<br>
+What does this mean to you? It means that the X.509 certificate that my
+server will present to your browser will not have been signed by one of
+the authorities known to your browser. If you try to connect to my
+server using SSL, your browser will frown and give you a dialog box
+asking if you want to accept the sleezy X.509 certificate being
+presented by my server. <br>
+<br>
+There are two things that you can do:<br>
 <ol>
-     <li>You can accept the mail.shorewall.net certificate when your browser 
- asks -- your acceptence of the certificate can be temporary (for that access 
- only) or perminent.</li>
-     <li>You can download and install <a href="ca.crt">my (self-signed) CA 
-certificate.</a> This will make my Certificate Authority known to your browser 
-so that it will accept any certificate signed by me. <br>
-     </li>
-  
+  <li>You can accept the mail.shorewall.net certificate when your
+browser asks -- your acceptence of the certificate can be temporary
+(for that access only) or perminent.</li>
+  <li>You can download and install <a href="ca.crt">my (self-signed)
+CA certificate.</a> This will make my Certificate Authority known to
+your browser so that it will accept any certificate signed by me. <br>
+  </li>
 </ol>
-   What are the risks?<br>
-  
+What are the risks?<br>
 <ol>
-     <li>If you install my CA certificate then you assume that I am trustworthy 
- and that Shorewall running on your firewall won't redirect HTTPS requests 
- intented to go to your bank's server to one of my systems that will present 
-your browser with a bogus certificate claiming that my server is that of
+  <li>If you install my CA certificate then you assume that I am
+trustworthy and that Shorewall running on your firewall won't redirect
+HTTPS requests intented to go to your bank's server to one of my
+systems that will present your browser with a bogus certificate
+claiming that my server is that of
 your bank.</li>
-     <li>If you only accept my server's certificate when prompted then the 
-most that you have to loose is that when you connect to https://mail.shorewall.net, 
- the server you are connecting to might not be mine.</li>
-  
+  <li>If you only accept my server's certificate when prompted then the
+most that you have to loose is that when you connect to
+https://mail.shorewall.net, the server you are connecting to might not
+be mine.</li>
 </ol>
-   I have my CA certificate loaded into all of my browsers but I certainly 
+I have my CA certificate loaded into all of my browsers but I certainly
 won't be offended if you decline to load it into yours... :-)<br>
-  
 <p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
-  
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
+ size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003
+Thomas M.
 Eastep.</font></a></font></p>
-    <br>
-   <br>
-  <br>
- <br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Shorewall_CVS_Access.html b/Shorewall-docs/Shorewall_CVS_Access.html
index e8fd279e7..e57b52b90 100644
--- a/Shorewall-docs/Shorewall_CVS_Access.html
+++ b/Shorewall-docs/Shorewall_CVS_Access.html
@@ -2,56 +2,38 @@
 <html>
 <head>
   <title>Shorewall CVS Access</title>
-       
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-    
   <meta name="author" content="Tom Eastep">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-          <tbody>
-          <tr>
-           <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Shorewall CVS Access</font> 
-    </h1>
-           <br>
-       </td>
-         </tr>
-    
-  </tbody> 
-</table>
-      <br>
-      Lots of people try to download the entire Shorewall website for off-line 
-  browsing, including the CVS portion. In addition to being an enormous volume 
-  of data (HTML versions of all versions of all Shorewall files), all of the
-  pages in Shorewall CVS access are cgi-generated which places a tremendous 
-  load on my little server. I have therefore resorted to making CVS access 
- password controlled. When you are asked to log in, enter "Shorewall" (NOTE 
- THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
-      <br>
-  
-<div align="center"> 
+<body>
+<br>
+<h1 style="text-align: center;">Shorewall CVS Access<br>
+</h1>
+Lots of people try to download the entire Shorewall website for
+off-line browsing, including the CVS portion. In addition to being an
+enormous volume of data (HTML versions of all versions of all Shorewall
+files), all of the pages in Shorewall CVS access are cgi-generated
+which places a tremendous load on my little server. I have therefore
+resorted to making CVS access password controlled. When you are asked
+to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
+the user name and the password.<br>
+<br>
+<div align="center">
 <h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
- target="_top">CVS Login</a>  &nbsp;<br>
-     </h3>
-      </div>
-  
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002 
-  - <a href="support.htm">Tom Eastep</a>        </font>                 
-         </p>
-  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- &copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-       <br>
-      <br>
-     <br>
-    <br>
-   <br>
-  <br>
- <br>
+ target="_top">CVS Login</a> &nbsp;<br>
+</h3>
+</div>
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
+1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Shorewall_Doesnt.html b/Shorewall-docs/Shorewall_Doesnt.html
index e96368499..5023a3942 100644
--- a/Shorewall-docs/Shorewall_Doesnt.html
+++ b/Shorewall-docs/Shorewall_Doesnt.html
@@ -9,20 +9,11 @@
 <body>
 <small> </small><small> </small><small> </small><small> </small><small>
 </small> <small> </small>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%"><small> </small>
-      <h1 align="center"><small><font color="#ffffff">Some things that
-Shorewall <b>Cannot</b> Do</font></small></h1>
-      <small> </small></td>
-    </tr>
-  </tbody>
-</table>
 <small><br>
-</small>Shorewall cannot:<br>
+</small>
+<h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
+</h1>
+Shorewall cannot:<br>
 <ul>
   <li>Be used to filter traffic through a Layer 2 Bridge</li>
   <li>Act as a "Personal Firewall" that allows internet access by
@@ -30,18 +21,28 @@ application.</li>
   <li>Be used with an Operating System other than Linux (version &gt;=
 2.4.0)<br>
   </li>
-  <li>Do content filtering -- better to use <a
- href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
+  <li>Do content filtering:</li>
+  <ul>
+    <li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
+for that.</li>
+    <li>Email -- Install something like <a
+ href="http://www.postfix.org">Postfix</a> on your firewall and
+integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
+and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
+    </li>
+  </ul>
 </ul>
 In addition:<br>
 <ul>
-  <li>Shorewall does not contain any support for Netfilter <span
- style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
+  <li>Shorewall does not contain any support for Netfilter <a
+ href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
+ style="font-style: italic;">Patch-O-Matic</span></a> features --
+Shorewall
 only supports features from released kernels.<br>
   </li>
 </ul>
 <br>
-<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
+<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
 Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/Shorewall_Squid_Usage.html b/Shorewall-docs/Shorewall_Squid_Usage.html
index 49b4ca3ea..e4046acad 100644
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@@ -7,19 +7,22 @@
   <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table cellpadding="0" cellspacing="0" border="0" width="100%"
- bgcolor="#3366ff">
+<table cellpadding="0" cellspacing="0" border="0"
+ style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
   <tbody>
     <tr>
-      <td valign="middle" width="33%" bgcolor="#3366ff"><a
+      <td valign="middle" width="33%" bgcolor="#3366ff"
+ style="background-color: rgb(255, 255, 255);"><a
  href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
  alt="" width="88" height="31" hspace="4"> </a><br>
       </td>
-      <td valign="middle" height="90" align="center" width="34%">
-      <h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
+      <td valign="middle" height="90" align="center" width="34%"
+ style="background-color: rgb(255, 255, 255);">
+      <h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
       <h1> </h1>
       </td>
-      <td valign="middle" height="90" width="33%" align="right"><a
+      <td valign="middle" height="90" width="33%" align="right"
+ style="background-color: rgb(255, 255, 255);"><a
  href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
  alt="" width="100" height="31" hspace="4"> </a><br>
       </td>
@@ -28,10 +31,14 @@
 </table>
 <br>
 This page covers Shorewall configuration to use with <a
- href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
-Proxy</b></u>. If you are running Shorewall 1.3, please see <a
- href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
+ href="http://www.squid-cache.org/">Squid </a>running as a <a
+ href="#Transparent">Transparent
+Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
 <br>
+If you are running Shorewall 1.3, please see <a
+ href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
+<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
+</h1>
 <img border="0" src="images/j0213519.gif" width="60" height="60"
  alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
 following general requirements:<br>
@@ -71,7 +78,7 @@ running on the Firewall.</a></li>
 local network</a></li>
   <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
 </ol>
-<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
+<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
 You want to redirect all local www connection requests
 EXCEPT those to your own http server (206.124.146.177) to a Squid
 transparent proxy running on the firewall
@@ -123,15 +130,49 @@ DEST</b></td>
 There may be a requirement to exclude additional destination
 hosts or networks from being redirected. For example, you might also
 want
-requests destined for 130.252.100.0/24 to not be routed to Squid. In
-that
-case, you must add a manual rule in /etc/shorewall/start:<br>
+requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
+<br>
+If you are running Shorewall version 1.4.5 or later, you may just add
+the additional hosts/networks to the ORIGINAL DEST column in your
+REDIRECT rule:<br>
+<br>
+<div style="margin-left: 40px;">
+<table border="1" cellpadding="2" style="border-collapse: collapse;">
+  <tbody>
+    <tr>
+      <td><b>ACTION</b></td>
+      <td><b>SOURCE</b></td>
+      <td><b>DEST</b></td>
+      <td><b> PROTO</b></td>
+      <td><b>DEST<br>
+PORT(S)</b></td>
+      <td><b>SOURCE<br>
+PORT(S)</b></td>
+      <td><b>ORIGINAL<br>
+DEST</b></td>
+    </tr>
+    <tr>
+      <td>REDIRECT</td>
+      <td>loc</td>
+      <td>3128</td>
+      <td>tcp</td>
+      <td>www</td>
+      <td> -<br>
+      </td>
+      <td>!206.124.146.177,130.252.100.0/24</td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<br>
+If you are running a Shorewall version earlier than 1.4.5, you must add
+a manual rule in /etc/shorewall/start:<br>
 <blockquote>
   <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
 </blockquote>
 &nbsp;To exclude additional hosts or networks, just add additional
 similar rules.<br>
-<h2><a name="Local"></a>Squid Running in the local network</h2>
+<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
 You want to redirect all local www connection requests to a Squid
 transparent proxy running in your local zone at 192.168.1.3 and
 listening
@@ -273,7 +314,8 @@ command above:<br>
  color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
 </blockquote>
 <blockquote> </blockquote>
-<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
+<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
+what I do)</h2>
 You have a single Linux system in your DMZ with IP address 192.0.2.177.
 You want to run both a web server and Squid on that system. Your DMZ
 interface is eth1 and your local interface is eth2.<br>
@@ -455,7 +497,133 @@ command above:<br>
  color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
 </blockquote>
 <blockquote> </blockquote>
-<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
+<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
+Assume that Squid is running in zone SZ and listening on port SP; all
+web sites that are to be accessed through Squid are in the 'net' zone.
+Then for each zone Z that needs access to the Squid server:<br>
+<br>
+<div style="margin-left: 40px;">
+<table cellpadding="2" border="1" cellspacing="0">
+  <tbody>
+    <tr>
+      <td valign="top">ACTION<br>
+      </td>
+      <td valign="top">SOURCE<br>
+      </td>
+      <td valign="top">DEST<br>
+      </td>
+      <td valign="top">PROTO<br>
+      </td>
+      <td valign="top">DEST<br>
+PORT(S)<br>
+      </td>
+      <td valign="top">CLIENT<br>
+PORT(2)<br>
+      </td>
+      <td valign="top">ORIGINAL<br>
+DEST<br>
+      </td>
+    </tr>
+    <tr>
+      <td valign="top">ACCEPT<br>
+      </td>
+      <td valign="top">Z<br>
+      </td>
+      <td valign="top">SZ<br>
+      </td>
+      <td valign="top">tcp<br>
+      </td>
+      <td valign="top">SP<br>
+      </td>
+      <td valign="top"><br>
+      </td>
+      <td valign="top"><br>
+      </td>
+    </tr>
+    <tr>
+      <td valign="top">ACCEPT<br>
+      </td>
+      <td valign="top">SZ<br>
+      </td>
+      <td valign="top">net<br>
+      </td>
+      <td valign="top">tcp<br>
+      </td>
+      <td valign="top">80<br>
+      </td>
+      <td valign="top"><br>
+      </td>
+      <td valign="top"><br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</div>
+<br>
+Example:<br>
+<br>
+<div style="margin-left: 40px;">Squid on the firewall listening on port
+8080 with access from the 'loc' zone:<br>
+<br>
+<table cellpadding="2" border="1" cellspacing="0">
+  <tbody>
+    <tr>
+      <td valign="top">ACTION<br>
+      </td>
+      <td valign="top">SOURCE<br>
+      </td>
+      <td valign="top">DEST<br>
+      </td>
+      <td valign="top">PROTO<br>
+      </td>
+      <td valign="top">DEST<br>
+PORT(S)<br>
+      </td>
+      <td valign="top">CLIENT<br>
+PORT(2)<br>
+      </td>
+      <td valign="top">ORIGINAL<br>
+DEST<br>
+      </td>
+    </tr>
+    <tr>
+      <td valign="top">ACCEPT<br>
+      </td>
+      <td valign="top">loc<br>
+      </td>
+      <td valign="top">$FW<br>
+      </td>
+      <td valign="top">tcp<br>
+      </td>
+      <td valign="top">8080<br>
+      </td>
+      <td valign="top"><br>
+      </td>
+      <td valign="top"><br>
+      </td>
+    </tr>
+    <tr>
+      <td valign="top">ACCEPT<br>
+      </td>
+      <td valign="top">$FW<br>
+      </td>
+      <td valign="top">net<br>
+      </td>
+      <td valign="top">tcp<br>
+      </td>
+      <td valign="top">80<br>
+      </td>
+      <td valign="top"><br>
+      </td>
+      <td valign="top"><br>
+      </td>
+    </tr>
+  </tbody>
+</table>
+<br>
+</div>
+<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
+Eastep</a>
 </font></p>
 <a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
  size="2">2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
index 0a0cd3529..4571a2295 100644
--- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
+++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
@@ -2,670 +2,635 @@
 <html>
 <head>
   <title>Shorewall and Aliased Interfaces</title>
-                                          
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-                        
   <meta name="author" content="Tom Eastep">
 </head>
-  <body>
-            
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-                             <tbody>
-                              <tr>
-                               <td width="100%">                        
-                   
-      <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
-                               </td>
-                             </tr>
-                         
-  </tbody>      
-</table>
-          <br>
-            
+<body>
+<h1 style="text-align: center;">Shorewall and Aliased Interfaces<br>
+</h1>
 <h2>Background</h2>
-          The traditional net-tools contain a program called <i>ifconfig</i>
-  which    is used to configure network devices. ifconfig introduced the
-concept   of   <i>aliased </i>or <i>virtual </i>interfaces. These virtual
-interfaces   have   names of the form <i>interface</i>:<i>integer </i>(e.g.,
-eth0:0) and  ifconfig   treats them more or less like real interfaces.<br>
-          <br>
-          Example:<br>
-            
+The traditional net-tools contain a program called <i>ifconfig</i>
+which is used to configure network devices. ifconfig introduced the
+concept of <i>aliased </i>or <i>virtual </i>interfaces. These
+virtual
+interfaces have names of the form <i>interface</i>:<i>integer </i>(e.g.,
+eth0:0) and ifconfig treats them more or less like real interfaces.<br>
+<br>
+Example:<br>
 <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55<br>          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0<br>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>          Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
-         The ifconfig utility is being gradually phased out in favor of the 
- <i>ip</i>    utility which is part of the <i>iproute </i>package. The ip 
-utility does   not use the concept of aliases or virtual interfaces but rather 
-treats additional    addresses on an interface as objects in their own right.
-The ip utility does provide for interaction   with ifconfig in that it allows
-addresses to be <i>labeled </i>where these labels take the form of ipconfig
+The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
+utility which is part of the <i>iproute </i>package. The ip utility
+does not use the concept of aliases or virtual interfaces but rather
+treats additional addresses on an interface as objects in their own
+right.
+The ip utility does provide for interaction with ifconfig in that it
+allows
+addresses to be <i>labeled </i>where these labels take the form of
+ipconfig
 virtual interfaces.<br>
-          <br>
-          Example:<br>
-          <br>
-            
+<br>
+Example:<br>
+<br>
 <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br>    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br>    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br>    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
-          Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
-  "eth0:0"  is a label for a particular address rather than a device name.<br>
-            
+Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
+"eth0:0" is a label for a particular address rather than a device name.<br>
 <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
-          The iptables program doesn't support virtual interfaces in either 
- it's   "-i"  or "-o" command options; as a consequence, Shorewall does not 
- allow   them to be used in the /etc/shorewall/interfaces file or anywhere
+The iptables program doesn't support virtual interfaces in either it's
+"-i" or "-o" command options; as a consequence, Shorewall does not
+allow them to be used in the /etc/shorewall/interfaces file or anywhere
 else except as described in the discussion below. <br>
 <br>
-            
 <h2>Adding Addresses to Interfaces</h2>
-Shorewall provides facilities for automatically adding addresses to interfaces
-as described in the following section. It is also easy to add them yourself
+Most distributions have a facility for adding additional addresses to
+interfaces. If you have already used your distribution's capability to
+add your required addresses, you can skip this section. <br>
+<br>
+Shorewall provides facilities for automatically adding addresses to
+interfaces
+as described in the following section. It is also easy to add them
+yourself
 using the <b>ip</b> utility. The above alias was added using:<br>
-<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd 206.124.146.255
+<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd
+206.124.146.255
 dev eth0 label eth0:0</font></b><br>
 </blockquote>
-You probably want to arrange to add these addresses when the device is started
-rather than placing commands like the above in one of the Shorewall extension
-scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:<br>
+You probably want to arrange to add these addresses when the device is
+started
+rather than placing commands like the above in one of the Shorewall
+extension
+scripts. For example, on RedHat systems, you can place the commands in
+/sbin/ifup-local:<br>
 <br>
 <blockquote>
   <pre>#!/bin/sh<br><br>case $1 in<br>    eth0)<br>	/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br>	;;<br>esac&nbsp;<br></pre>
 </blockquote>
-RedHat systems also allow adding such aliases from the network administration
-GUI (which works well if you have a graphical environment on your firewall).<br>
+RedHat systems also allow adding such aliases from the network
+administration
+GUI (which only works well if you have a graphical environment on your
+firewall).<br>
 <h2>So how do I handle more than one address on an interface?</h2>
-          The answer depends on what you are trying to do with the interfaces.
-   In the sub-sections   that follow, we'll take a look at common scenarios.<br>
-            
+The answer depends on what you are trying to do with the interfaces. In
+the sub-sections that follow, we'll take a look at common scenarios.<br>
 <h3>Separate Rules</h3>
-         If you need to make a rule for traffic to/from the firewall itself 
- that  only  applies to a particular IP address, simply qualify the $FW zone 
- with  the IP  address.<br>
-         <br>
-         Example (allow SSH from net to eth0:0 above):<br>
-         <br>
-            
-<blockquote>                  
+If you need to make a rule for traffic to/from the firewall itself that
+only applies to a particular IP address, simply qualify the $FW zone
+with the IP address.<br>
+<br>
+Example (allow SSH from net to eth0:0 above):<br>
+<br>
+<blockquote>
   <table cellpadding="2" border="1" cellspacing="0">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>ACTION<br>
-                  </b></td>
-                  <td valign="top"><b>SOURCE<br>
-                  </b></td>
-                  <td valign="top"><b>DESTINATION<br>
-                  </b></td>
-                  <td valign="top"><b>PROTOCOL<br>
-                  </b></td>
-                  <td valign="top"><b>PORT(S)<br>
-                  </b></td>
-                  <td valign="top"><b>SOURCE PORT(S)<br>
-                  </b></td>
-                  <td valign="top"><b>ORIGINAL DESTINATION<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">ACCEPT<br>
-                  </td>
-                  <td valign="top">net<br>
-                  </td>
-                  <td valign="top">$FW:206.124.146.178<br>
-                  </td>
-                  <td valign="top">tcp<br>
-                  </td>
-                  <td valign="top">22<br>
-                  </td>
-                  <td valign="top"><br>
-                 </td>
-                  <td valign="top"><br>
-                 </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ACTION<br>
+        </b></td>
+        <td valign="top"><b>SOURCE<br>
+        </b></td>
+        <td valign="top"><b>DESTINATION<br>
+        </b></td>
+        <td valign="top"><b>PROTOCOL<br>
+        </b></td>
+        <td valign="top"><b>PORT(S)<br>
+        </b></td>
+        <td valign="top"><b>SOURCE PORT(S)<br>
+        </b></td>
+        <td valign="top"><b>ORIGINAL DESTINATION<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">ACCEPT<br>
+        </td>
+        <td valign="top">net<br>
+        </td>
+        <td valign="top">$FW:206.124.146.178<br>
+        </td>
+        <td valign="top">tcp<br>
+        </td>
+        <td valign="top">22<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-           <br>
-         </blockquote>
-            
+  <br>
+</blockquote>
 <h3>DNAT</h3>
-          Suppose that I had set up eth0:0 as above and I wanted to port
-forward     from  that virtual interface to a web server running in my local
-zone at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
-   file:<br>
-          <br>
-            
-<blockquote>                  
+Suppose that I had set up eth0:0 as above and I wanted to port
+forward from that virtual interface to a web server running in my local
+zone at 192.168.1.3. That is accomplised by a single rule in the
+/etc/shorewall/rules file:<br>
+<br>
+<blockquote>
   <table cellpadding="2" border="1" cellspacing="0">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>ACTION<br>
-                  </b></td>
-                  <td valign="top"><b>SOURCE<br>
-                  </b></td>
-                  <td valign="top"><b>DESTINATION<br>
-                  </b></td>
-                  <td valign="top"><b>PROTOCOL<br>
-                  </b></td>
-                  <td valign="top"><b>PORT(S)<br>
-                  </b></td>
-                  <td valign="top"><b>SOURCE PORT(S)<br>
-                  </b></td>
-                  <td valign="top"><b>ORIGINAL DESTINATION<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">DNAT<br>
-                  </td>
-                  <td valign="top">net<br>
-                  </td>
-                  <td valign="top">loc:192.168.1.3<br>
-                  </td>
-                  <td valign="top">tcp<br>
-                  </td>
-                  <td valign="top">80<br>
-                  </td>
-                  <td valign="top">-<br>
-                  </td>
-                  <td valign="top">206.124.146.178<br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ACTION<br>
+        </b></td>
+        <td valign="top"><b>SOURCE<br>
+        </b></td>
+        <td valign="top"><b>DESTINATION<br>
+        </b></td>
+        <td valign="top"><b>PROTOCOL<br>
+        </b></td>
+        <td valign="top"><b>PORT(S)<br>
+        </b></td>
+        <td valign="top"><b>SOURCE PORT(S)<br>
+        </b></td>
+        <td valign="top"><b>ORIGINAL DESTINATION<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">DNAT<br>
+        </td>
+        <td valign="top">net<br>
+        </td>
+        <td valign="top">loc:192.168.1.3<br>
+        </td>
+        <td valign="top">tcp<br>
+        </td>
+        <td valign="top">80<br>
+        </td>
+        <td valign="top">-<br>
+        </td>
+        <td valign="top">206.124.146.178<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-            <br>
-          </blockquote>
-            
+  <br>
+</blockquote>
 <h3>SNAT</h3>
-          If you wanted to use eth0:0 as the IP address for outbound connections
-    from  your local zone (eth1), then in /etc/shorewall/masq:<br>
-          <br>
-            
-<blockquote>                  
+If you wanted to use eth0:0 as the IP address for outbound connections
+from your local zone (eth1), then in /etc/shorewall/masq:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>INTERFACE<br>
-                  </b></td>
-                  <td valign="top"><b>SUBNET<br>
-                  </b></td>
-                  <td valign="top"><b>ADDRESS<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">eth0<br>
-                  </td>
-                  <td valign="top">eth1<br>
-                  </td>
-                  <td valign="top">206.124.146.178<br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>SUBNET<br>
+        </b></td>
+        <td valign="top"><b>ADDRESS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">eth0<br>
+        </td>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top">206.124.146.178<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-            <br>
-          </blockquote>
-          Shorewall can create the alias (additional address) for you if
-you   set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
-with  Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
-interface)  so   that you can see the  created address using ifconfig. In
-addition to  setting   ADD_SNAT_ALIASES=Yes,  you specify the virtual interface
-name in  the INTERFACE   column as follows:<br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+Shorewall can create the alias (additional address) for you if
+you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
+Beginning
+with Shorewall 1.3.14, Shorewall can actually create the "label"
+(virtual
+interface) so that you can see the created address using ifconfig. In
+addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual
+interface
+name in the INTERFACE column as follows:<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>INTERFACE<br>
-                   </b></td>
-                   <td valign="top"><b>SUBNET<br>
-                   </b></td>
-                   <td valign="top"><b>ADDRESS<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">eth0:0<br>
-                   </td>
-                   <td valign="top">eth1<br>
-                   </td>
-                   <td valign="top">206.124.146.178<br>
-                   </td>
-                 </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>SUBNET<br>
+        </b></td>
+        <td valign="top"><b>ADDRESS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">eth0:0<br>
+        </td>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top">206.124.146.178<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-             </blockquote>
-   Shorewall can also set up SNAT to round-robin over a range of IP addresses. 
- Do do that, you specify a range of IP addresses in the ADDRESS column. If 
- you specify a label in the INTERFACE column, Shorewall will use that label 
- for the first address of the range and will increment the label by one for 
- each subsequent label.<br>
-   <br>
-     
-<blockquote>                  
+</blockquote>
+Shorewall can also set up SNAT to round-robin over a range of IP
+addresses. Do do that, you specify a range of IP addresses in the
+ADDRESS column. If you specify a label in the INTERFACE column,
+Shorewall will use that label for the first address of the range and
+will increment the label by one for each subsequent label.<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>INTERFACE<br>
-                   </b></td>
-                   <td valign="top"><b>SUBNET<br>
-                   </b></td>
-                   <td valign="top"><b>ADDRESS<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">eth0:0<br>
-                   </td>
-                   <td valign="top">eth1<br>
-                   </td>
-                   <td valign="top">206.124.146.178-206.124.146.180<br>
-                   </td>
-                 </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>SUBNET<br>
+        </b></td>
+        <td valign="top"><b>ADDRESS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">eth0:0<br>
+        </td>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top">206.124.146.178-206.124.146.180<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-             </blockquote>
-   The above would create three IP addresses:<br>
-   <br>
-   &nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
-   &nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
-   &nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
-                    
-<h3>STATIC NAT</h3>
-          If you wanted to use static NAT to link eth0:0 with local address 
- 192.168.1.3,    you would have the following in /etc/shorewall/nat:<br>
-          <br>
-            
-<blockquote>                  
+</blockquote>
+The above would create three IP addresses:<br>
+<br>
+&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
+&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
+&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
+<h3>One-to-one NAT</h3>
+If you wanted to use one-to-one NAT to link eth0:0 with local address
+192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>EXTERNAL<br>
-                  </b></td>
-                  <td valign="top"><b>INTERFACE<br>
-                  </b></td>
-                  <td valign="top"><b>INTERNAL<br>
-                  </b></td>
-                  <td valign="top"><b>ALL INTERFACES<br>
-                  </b></td>
-                  <td valign="top"><b>LOCAL<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">206.124.146.178<br>
-                  </td>
-                  <td valign="top">eth0<br>
-                  </td>
-                  <td valign="top">192.168.1.3<br>
-                  </td>
-                  <td valign="top">no<br>
-                  </td>
-                  <td valign="top">no<br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>EXTERNAL<br>
+        </b></td>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>INTERNAL<br>
+        </b></td>
+        <td valign="top"><b>ALL INTERFACES<br>
+        </b></td>
+        <td valign="top"><b>LOCAL<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">206.124.146.178<br>
+        </td>
+        <td valign="top">eth0<br>
+        </td>
+        <td valign="top">192.168.1.3<br>
+        </td>
+        <td valign="top">no<br>
+        </td>
+        <td valign="top">no<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-            <br>
-          </blockquote>
-          Shorewall can create the alias (additional address) for you if
-you   set   ADD_IP_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
-with   Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
-interface)  so   that you can see the  created address using ifconfig. In
-addition to  setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface
-name in the INTERFACE   column as follows:<br>
-          <br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+Shorewall can create the alias (additional address) for you if
+you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
+with Shorewall 1.3.14, Shorewall can actually create the "label"
+(virtual
+interface) so that you can see the created address using ifconfig. In
+addition to setting ADD_IP_ALIASES=Yes, you specify the virtual
+interface
+name in the INTERFACE column as follows:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>EXTERNAL<br>
-                   </b></td>
-                   <td valign="top"><b>INTERFACE<br>
-                   </b></td>
-                   <td valign="top"><b>INTERNAL<br>
-                   </b></td>
-                   <td valign="top"><b>ALL INTERFACES<br>
-                   </b></td>
-                   <td valign="top"><b>LOCAL<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">206.124.146.178<br>
-                   </td>
-                   <td valign="top">eth0:0<br>
-                   </td>
-                   <td valign="top">192.168.1.3<br>
-                   </td>
-                   <td valign="top">no<br>
-                   </td>
-                   <td valign="top">no<br>
-                   </td>
-                 </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>EXTERNAL<br>
+        </b></td>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>INTERNAL<br>
+        </b></td>
+        <td valign="top"><b>ALL INTERFACES<br>
+        </b></td>
+        <td valign="top"><b>LOCAL<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">206.124.146.178<br>
+        </td>
+        <td valign="top">eth0:0<br>
+        </td>
+        <td valign="top">192.168.1.3<br>
+        </td>
+        <td valign="top">no<br>
+        </td>
+        <td valign="top">no<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-             <br>
-         </blockquote>
-         In either case, to create rules that pertain only to this NAT pair,
-  you   simply qualify the local zone with the internal IP address.<br>
-         <br>
-         Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
-   192.168.1.3.<br>
-         <br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+In either case, to create rules that pertain only to this NAT pair, you
+simply qualify the local zone with the internal IP address.<br>
+<br>
+Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
+192.168.1.3.<br>
+<br>
+<blockquote>
   <table cellpadding="2" border="1" cellspacing="0">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>ACTION<br>
-                  </b></td>
-                  <td valign="top"><b>SOURCE<br>
-                  </b></td>
-                  <td valign="top"><b>DESTINATION<br>
-                  </b></td>
-                  <td valign="top"><b>PROTOCOL<br>
-                  </b></td>
-                  <td valign="top"><b>PORT(S)<br>
-                  </b></td>
-                  <td valign="top"><b>SOURCE PORT(S)<br>
-                  </b></td>
-                  <td valign="top"><b>ORIGINAL DESTINATION<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">ACCEPT<br>
-                  </td>
-                  <td valign="top">net<br>
-                  </td>
-                  <td valign="top">loc:192.168.1.3<br>
-                  </td>
-                  <td valign="top">tcp<br>
-                  </td>
-                  <td valign="top">22<br>
-                  </td>
-                  <td valign="top"><br>
-                 </td>
-                  <td valign="top"><br>
-                 </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ACTION<br>
+        </b></td>
+        <td valign="top"><b>SOURCE<br>
+        </b></td>
+        <td valign="top"><b>DESTINATION<br>
+        </b></td>
+        <td valign="top"><b>PROTOCOL<br>
+        </b></td>
+        <td valign="top"><b>PORT(S)<br>
+        </b></td>
+        <td valign="top"><b>SOURCE PORT(S)<br>
+        </b></td>
+        <td valign="top"><b>ORIGINAL DESTINATION<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">ACCEPT<br>
+        </td>
+        <td valign="top">net<br>
+        </td>
+        <td valign="top">loc:192.168.1.3<br>
+        </td>
+        <td valign="top">tcp<br>
+        </td>
+        <td valign="top">22<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-           <br>
-         </blockquote>
-            
+  <br>
+</blockquote>
 <h3>MULTIPLE SUBNETS</h3>
-          Sometimes multiple IP addresses are used because there are multiple 
-  subnetworks   configured on a LAN segment. This technique does not provide 
-  for any security   between the subnetworks if the users of the systems have
-  administrative privileges  because in that case, the users can simply manipulate
-  their system's routing  table to bypass your firewall/router. Nevertheless,
-  there are cases where  you simply want to consider the LAN segment itself
-  as a zone and allow your  firewall/router to route between the two subnetworks.<br>
-          <br>
-          Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
-  and   192.168.20.0/24.  The primary IP address of eth1 is 192.168.1.254
-and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
-  the two   subnetworks.<br>
-            
+Sometimes multiple IP addresses are used because there are multiple
+subnetworks configured on a LAN segment. This technique does not
+provide for any security between the subnetworks if the users of the
+systems have administrative privileges because in that case, the users
+can simply manipulate their system's routing table to bypass your
+firewall/router. Nevertheless, there are cases where you simply want to
+consider the LAN segment itself as a zone and allow your
+firewall/router to route between the two subnetworks.<br>
+<br>
+Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
+192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
+and eth1:0 is 192.168.20.254. You want to simply route all requests
+between the two subnetworks.<br>
 <h4>If you are running Shorewall 1.4.1 or Later</h4>
-      In /etc/shorewall/interfaces:<br>
-           
-<blockquote>                  
+In /etc/shorewall/interfaces:<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                <tr>
-                  <td valign="top"><b>ZONE<br>
-                  </b></td>
-                  <td valign="top"><b>INTERFACE<br>
-                  </b></td>
-                  <td valign="top"><b>BROADCAST<br>
-                  </b></td>
-                  <td valign="top"><b>OPTIONS<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">-<br>
-                  </td>
-                  <td valign="top">eth1<br>
-                  </td>
-                  <td valign="top">192.168.1.255,192.168.20.255<br>
-                  </td>
-                  <td valign="top"><br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ZONE<br>
+        </b></td>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>BROADCAST<br>
+        </b></td>
+        <td valign="top"><b>OPTIONS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">-<br>
+        </td>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top">192.168.1.255,192.168.20.255<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-        <br>
-      </blockquote>
-          In /etc/shorewall/hosts:<br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+In /etc/shorewall/hosts:<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>ZONE<br>
-                   </b></td>
-                   <td valign="top"><b>HOSTS<br>
-                   </b></td>
-                   <td valign="top"><b>OPTIONS<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">loc<br>
-                   </td>
-                   <td valign="top">eth1:192.168.1.0/24<br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                 </tr>
-                 <tr>
-                   <td valign="top">loc<br>
-                   </td>
-                   <td valign="top">eth1:192.168.20.0/24<br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                 </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ZONE<br>
+        </b></td>
+        <td valign="top"><b>HOSTS<br>
+        </b></td>
+        <td valign="top"><b>OPTIONS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">eth1:192.168.1.0/24<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+      <tr>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">eth1:192.168.20.0/24<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-        <br>
-      </blockquote>
-      Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
-   1.4.1 and later releases default to allowing intra-zone traffic.<br>
-           
+  <br>
+</blockquote>
+Note that you do NOT need any entry in /etc/shorewall/policy as
+Shorewall 1.4.1 and later releases default to allowing intra-zone
+traffic.<br>
 <h4>If you are running Shorewall 1.4.0 or earlier<br>
-      </h4>
-      In /etc/shorewall/interfaces:<br>
-          <br>
-            
-<blockquote>                  
+</h4>
+In /etc/shorewall/interfaces:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>ZONE<br>
-                  </b></td>
-                  <td valign="top"><b>INTERFACE<br>
-                  </b></td>
-                  <td valign="top"><b>BROADCAST<br>
-                  </b></td>
-                  <td valign="top"><b>OPTIONS<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">loc<br>
-                  </td>
-                  <td valign="top">eth1<br>
-                  </td>
-                  <td valign="top">192.168.1.255,192.168.20.255<br>
-                  </td>
-                  <td valign="top">Note 1:<br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ZONE<br>
+        </b></td>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>BROADCAST<br>
+        </b></td>
+        <td valign="top"><b>OPTIONS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top">192.168.1.255,192.168.20.255<br>
+        </td>
+        <td valign="top">Note 1:<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-            <br>
-          </blockquote>
-          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
-must   specify   the <b>multi</b> option.<br>
-          <br>
-          In /etc/shorewall/policy:<br>
-          <br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+Note 1: If you are running Shorewall 1.3.10 or earlier then you must
+specify the <b>multi</b> option.<br>
+<br>
+In /etc/shorewall/policy:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>SOURCE<br>
-                  </b></td>
-                  <td valign="top"><b>DESTINATION<br>
-                  </b></td>
-                  <td valign="top"><b>POLICY<br>
-                  </b></td>
-                  <td valign="top"><b>LOG LEVEL<br>
-                  </b></td>
-                  <td valign="top"><b>BURST:LIMIT<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">loc<br>
-                  </td>
-                  <td valign="top">loc<br>
-                  </td>
-                  <td valign="top">ACCEPT<br>
-                  </td>
-                  <td valign="top"><br>
-                  </td>
-                  <td valign="top"><br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>SOURCE<br>
+        </b></td>
+        <td valign="top"><b>DESTINATION<br>
+        </b></td>
+        <td valign="top"><b>POLICY<br>
+        </b></td>
+        <td valign="top"><b>LOG LEVEL<br>
+        </b></td>
+        <td valign="top"><b>BURST:LIMIT<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">ACCEPT<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-            <br>
-          </blockquote>
-          Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
- 192.168.20.0/24.     The primary IP address of eth1 is 192.168.1.254 and
-eth1:0 is 192.168.20.254.     You want to make these subnetworks into separate
-zones and control the  access  between them (the users of the systems do
-not have administrative  privileges).<br>
-          <br>
-          In /etc/shorewall/zones:<br>
-          <br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
+192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
+eth1:0 is 192.168.20.254. You want to make these subnetworks into
+separate
+zones and control the access between them (the users of the systems do
+not have administrative privileges).<br>
+<br>
+In /etc/shorewall/zones:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-              <tbody>
-                <tr>
-                  <td valign="top"><b>ZONE<br>
-                  </b></td>
-                  <td valign="top"><b>DISPLAY<br>
-                  </b></td>
-                  <td valign="top"><b>DESCRIPTION<br>
-                  </b></td>
-                </tr>
-                <tr>
-                  <td valign="top">loc<br>
-                  </td>
-                  <td valign="top">Local<br>
-                  </td>
-                  <td valign="top">Local Zone 1<br>
-                  </td>
-                </tr>
-                <tr>
-                  <td valign="top">loc2<br>
-                  </td>
-                  <td valign="top">Local2<br>
-                  </td>
-                  <td valign="top">Local Zone 2<br>
-                  </td>
-                </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ZONE<br>
+        </b></td>
+        <td valign="top"><b>DISPLAY<br>
+        </b></td>
+        <td valign="top"><b>DESCRIPTION<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">Local<br>
+        </td>
+        <td valign="top">Local Zone 1<br>
+        </td>
+      </tr>
+      <tr>
+        <td valign="top">loc2<br>
+        </td>
+        <td valign="top">Local2<br>
+        </td>
+        <td valign="top">Local Zone 2<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-            <br>
-          </blockquote>
-          In /etc/shorewall/interfaces:<br>
-          <br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+In /etc/shorewall/interfaces:<br>
+<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>ZONE<br>
-                   </b></td>
-                   <td valign="top"><b>INTERFACE<br>
-                   </b></td>
-                   <td valign="top"><b>BROADCAST<br>
-                   </b></td>
-                   <td valign="top"><b>OPTIONS<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">-<br>
-                   </td>
-                   <td valign="top">eth1<br>
-                   </td>
-                   <td valign="top">192.168.1.255,192.168.20.255<br>
-                   </td>
-                   <td valign="top">Note 1:<br>
-                   </td>
-                 </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ZONE<br>
+        </b></td>
+        <td valign="top"><b>INTERFACE<br>
+        </b></td>
+        <td valign="top"><b>BROADCAST<br>
+        </b></td>
+        <td valign="top"><b>OPTIONS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">-<br>
+        </td>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top">192.168.1.255,192.168.20.255<br>
+        </td>
+        <td valign="top">Note 1:<br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-           <br>
-          </blockquote>
-          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
-must   specify   the <b>multi</b> option.<br>
-          <br>
-          In /etc/shorewall/hosts:<br>
-            
-<blockquote>                  
+  <br>
+</blockquote>
+Note 1: If you are running Shorewall 1.3.10 or earlier then you must
+specify the <b>multi</b> option.<br>
+<br>
+In /etc/shorewall/hosts:<br>
+<blockquote>
   <table cellpadding="2" cellspacing="0" border="1">
-               <tbody>
-                 <tr>
-                   <td valign="top"><b>ZONE<br>
-                   </b></td>
-                   <td valign="top"><b>HOSTS<br>
-                   </b></td>
-                   <td valign="top"><b>OPTIONS<br>
-                   </b></td>
-                 </tr>
-                 <tr>
-                   <td valign="top">loc<br>
-                   </td>
-                   <td valign="top">eth1:192.168.1.0/24<br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                 </tr>
-                 <tr>
-                   <td valign="top">loc2<br>
-                   </td>
-                   <td valign="top">eth1:192.168.20.0/24<br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                 </tr>
-                                    
-    </tbody>                  
+    <tbody>
+      <tr>
+        <td valign="top"><b>ZONE<br>
+        </b></td>
+        <td valign="top"><b>HOSTS<br>
+        </b></td>
+        <td valign="top"><b>OPTIONS<br>
+        </b></td>
+      </tr>
+      <tr>
+        <td valign="top">loc<br>
+        </td>
+        <td valign="top">eth1:192.168.1.0/24<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+      <tr>
+        <td valign="top">loc2<br>
+        </td>
+        <td valign="top">eth1:192.168.20.0/24<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-           <br>
-          </blockquote>
-          In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
-   that   you want to permit.<br>
-          <br>
-            
-<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
+  <br>
+</blockquote>
+In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
+that you want to permit.<br>
+<br>
+<p align="left"><font size="2">Last Updated 11/13/2003 A - <a
  href="support.htm">Tom Eastep</a></font></p>
-            
-<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
-     <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
- </p>
- <br>
+<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+</p>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/Shorewall_and_Kazaa.html b/Shorewall-docs/Shorewall_and_Kazaa.html
new file mode 100644
index 000000000..a4b9fe8ad
--- /dev/null
+++ b/Shorewall-docs/Shorewall_and_Kazaa.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="content-type"
+ content="text/html; charset=ISO-8859-1">
+  <title>Shorewall and Kazaa</title>
+  <meta name="author" content="Tom Eastep">
+</head>
+<body>
+<h1 style="text-align: center;">Kazaa Filtering</h1>
+<br>
+Beginning with Shorewall version 1.4.8, Shorewall can interface to <span
+ style="font-weight: bold;">ftwall</span>. ftwall is part of the
+p2pwall project and is a user-space filter for applications based on
+the "Fast Track" peer to peer protocol. Applications using this
+protocol include Kazaa, KazaaLite, iMash and Grokster.<br>
+<br>
+To filter traffic from your 'loc' zone with ftwall, you insert the
+following rules <span style="text-decoration: underline;"><span
+ style="font-weight: bold;">near the top</span></span> of your
+/etc/shorewall/rules file (before and ACCEPT rules whose source is the
+'loc' zone).<br>
+<pre style="margin-left: 40px;">QUEUE   loc	     net	tcp<br>QUEUE   loc	     net	udp<br>QUEUE   loc	     fw		udp<br></pre>
+Now simply configure ftwall as described in the ftwall documentation
+and restart Shorewall.<br>
+<p align="left"><font size="2">Last updated 10/22/2003 - <a
+ href="support.htm">Tom Eastep</a></font></p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+&copy; <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
+<br>
+</body>
+</html>
diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm
index 87a4f6357..2a0b114f3 100644
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@@ -1,138 +1,66 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                                                        
-               
   <meta http-equiv="Content-Language" content="en-us">
-                                                                        
-               
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-                                                                        
-               
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                                                        
-               
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Shorewall Index</title>
-                                                                        
-                                                                        
-              <base target="main">                                      
-                            
+  <base target="main">
   <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
-                                            
+<body>
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#3366ff" height="90">
-                                                            <tbody>
-                                                             <tr>
-                                                              <td
- width="100%" height="90" align="center">                     
-      <div align="center">                                               
-                                                                        
-                  </div>
-         <a href="http://www.shorewall.net" target="_top"><img
- border="0" src="images/ProtectedBy.png" width="200" height="42"
- hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
-                                                                        
-                 </a><br>
-                                                             <br>
-         </td>
-                                                            </tr>
-                                                            <tr>
-                                                              <td
- width="100%" bgcolor="#ffffff">                                         
-                                                                        
-                                                                        
-                                                                        
-                                                                   
+  <tbody>
+    <tr>
+      <td width="100%" bgcolor="#ffffff">
       <ul>
-                                                                <li> <a
- href="seattlefirewall_index.htm">Home</a></li>
-                                                                        <li>
-            <a href="shorewall_features.htm">Features</a></li>
-               <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
-               </li>
-                                                                <li> <a
- href="shorewall_prerequisites.htm">Requirements</a></li>
-                                                                <li> <a
- href="download.htm">Download</a><br>
-                                                        </li>
-                                                        <li> <a
- href="Install.htm">Installation/Upgrade/</a><br>
-                                                          <a
- href="Install.htm">Configuration</a><br>
-                                                        </li>
-                                                        <li> <a
- href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
-                                                         </li>
-                                                                        
-               <li>             <b><a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
-                                                                        
-                                             <li> <a href="FAQ.htm">FAQs</a></li>
-                                                                 <li><a
- href="useful_links.html">Useful     Links</a><br>
-                                                                 </li>
-                                                                <li> <a
- href="troubleshoot.htm">Things to try if it doesn't work</a></li>
-                                                                <li> <a
- href="errata.htm">Errata</a></li>
-                                                                <li> <a
- href="upgrade_issues.htm">Upgrade     Issues</a></li>
-                                                                <li> <a
- href="support.htm">Getting   help or Answers to Questions</a></li>
-                           <li><a href="http://lists.shorewall.net">Mailing 
- Lists</a><a href="http://lists.shorewall.net"> </a><br>
-                           </li>
-                                                                        
-     <li><a href="shorewall_mirrors.htm">Mirrors</a>                     
-                                                                        
-                                                                        
-                                                                        
-       
+        <li> <a href="seattlefirewall_index.htm">Home</a></li>
+        <li> <a href="shorewall_features.htm">Features</a></li>
+        <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
+        </li>
+        <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
+        <li> <a href="download.htm">Download</a><br>
+        </li>
+        <li> <a href="Install.htm">Installation/Upgrade/</a><br>
+          <a href="Install.htm">Configuration</a><br>
+        </li>
+        <li> <a href="shorewall_quickstart_guide.htm">QuickStart
+Guides (HOWTOs)</a><br>
+        </li>
+        <li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
+        <li> <a href="FAQ.htm">FAQs</a></li>
+        <li><a href="useful_links.html">Useful Links</a><br>
+        </li>
+        <li> <a href="troubleshoot.htm">Things to try if it doesn't
+work</a></li>
+        <li> <a href="errata.htm">Errata</a></li>
+        <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
+        <li> <a href="support.htm">Getting help or Answers to Questions</a></li>
+        <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
+ href="http://lists.shorewall.net"> </a><br>
+        </li>
+        <li><a href="shorewall_mirrors.htm">Mirrors</a>
           <ul>
-                                                                        
-                                                                        
-                                                                        
-                                                                        
-                                          
           </ul>
-                                                                </li>
-                                                                        
-                                                                        
-                                                                        
-                <li>   <a href="News.htm">News    Archive</a></li>
-                                                                <li> <a
- href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                                                                <li> <a
- href="quotes.htm">Quotes     from   Users</a></li>
-                                                        
+        </li>
+        <li> <a href="News.htm">News Archive</a></li>
+        <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
+        <li> <a href="quotes.htm">Quotes from Users</a></li>
         <ul>
-                                                                        
-                                              
         </ul>
-                                                                <li> <a
- href="shoreline.htm">About    the   Author</a></li>
-                                                                <li> <a
- href="seattlefirewall_index.htm#Donations">Donations</a></li>
-                                                                        
-                                                                        
-                                 
+        <li> <a href="shoreline.htm">About the Author</a></li>
+        <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
       </ul>
-                                                              </td>
-                                                            </tr>
-                                                                        
-               
-  </tbody>                      
+      </td>
+    </tr>
+  </tbody>
 </table>
-                                            
-<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001-2003 Thomas M. Eastep.</font></a><br>
-  </p>
-  <br>
- <br>
+</p>
 </body>
 </html>
diff --git a/Shorewall-docs/Shorewall_sfindex_frame.htm b/Shorewall-docs/Shorewall_sfindex_frame.htm
index 49bf2dd7e..491f2666b 100644
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@@ -1,120 +1,68 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                                                        
   <meta http-equiv="Content-Language" content="en-us">
-                                                                        
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-                                                                        
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                                                        
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Shorewall Index</title>
-                                                                        
-                                                                     <base
- target="main">                                                       
+  <base target="main">
   <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
-                                    
+<body>
 <table border="0" cellpadding="0" cellspacing="0"
  style="border-collapse: collapse;" width="100%" id="AutoNumber1"
  bgcolor="#3366ff" height="90">
-                                                        <tbody>
-                                                         <tr>
-                                                          <td
- width="100%" height="90">                                               
-                                                                        
-           
-      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
-                                                          </td>
-                                                        </tr>
-                                                        <tr>
-                                                          <td
- width="100%" bgcolor="#ffffff">                                         
-                                                                        
-                                                                        
-                                                                        
-                                                                         
-                                                                        
-                                                                        
-                                                                        
-                                                 
+  <tbody>
+    <tr>
+      <td width="100%" bgcolor="#ffffff">
       <ul>
-                                                            <li> <a
- href="seattlefirewall_index.htm">Home</a></li>
-                                                                    <li>
-          <a href="shorewall_features.htm">Features</a></li>
-            <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
-     </li>
-                                                            <li> <a
- href="shorewall_prerequisites.htm">Requirements</a></li>
-                                                            <li> <a
- href="download.htm">Download</a><br>
-                                                    </li>
-                                                    <li> <a
- href="Install.htm">Installation/Upgrade/</a><br>
-                                                      <a
- href="Install.htm">Configuration</a><br>
-                                                    </li>
-                                                    <li> <a
- href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
-                                                     </li>
-                                                                        
-           <li>             <b><a
- href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
-                                                                        
-                                        <li> <a href="FAQ.htm">FAQs</a></li>
-                                                             <li><a
- href="useful_links.html">Useful     Links</a><br>
-                                                             </li>
-                                                            <li> <a
- href="troubleshoot.htm">Things to try if it doesn't work</a></li>
-                                                            <li> <a
- href="errata.htm">Errata</a></li>
-                                                            <li> <a
- href="upgrade_issues.htm">Upgrade     Issues</a></li>
-                                                            <li> <a
- href="support.htm">Getting   help or Answers to Questions</a>           
-       </li>
-                                                 <li><a
- href="http://lists.shorewall.net">Mailing Lists</a></li>
-                                                                        
-                                                                        
-                                                <li><a
- href="shorewall_mirrors.htm">Mirrors</a></li>
-                                                                        
-                                                                        
-                                                                        
-                                                                <li><a
- href="News.htm">News    Archive</a></li>
-                                                            <li> <a
- href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
-                          
+        <li> <a href="seattlefirewall_index.htm">Home</a></li>
+        <li> <a href="shorewall_features.htm">Features</a></li>
+        <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
+        </li>
+        <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
+        <li> <a href="download.htm">Download</a><br>
+        </li>
+        <li> <a href="Install.htm">Installation/Upgrade/</a><br>
+          <a href="Install.htm">Configuration</a><br>
+        </li>
+        <li> <a href="shorewall_quickstart_guide.htm">QuickStart
+Guides (HOWTOs)</a><br>
+        </li>
+        <li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
+        <li> <a href="FAQ.htm">FAQs</a></li>
+        <li><a href="useful_links.html">Useful Links</a><br>
+        </li>
+        <li> <a href="troubleshoot.htm">Things to try if it doesn't
+work</a></li>
+        <li> <a href="errata.htm">Errata</a></li>
+        <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
+        <li> <a href="support.htm">Getting help or Answers to Questions</a></li>
+        <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
+ href="http://lists.shorewall.net"> </a><br>
+        </li>
+        <li><a href="shorewall_mirrors.htm">Mirrors</a>
+          <ul>
+          </ul>
+        </li>
+        <li> <a href="News.htm">News Archive</a></li>
+        <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
+        <li> <a href="quotes.htm">Quotes from Users</a></li>
         <ul>
-                                                                        
-                
         </ul>
-                                                            <li> <a
- href="quotes.htm">Quotes     from   Users</a></li>
-                                                            <li> <a
- href="shoreline.htm">About    the   Author</a></li>
-                                                            <li> <a
- href="seattlefirewall_index.htm#Donations">Donations</a></li>
-                                                                        
-                                                                        
- 
+        <li> <a href="shoreline.htm">About the Author</a></li>
+        <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
       </ul>
-                                                          </td>
-                                                        </tr>
-                                                                        
-  </tbody>                  
+      </td>
+    </tr>
+  </tbody>
 </table>
-                                    
-<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001-2003 Thomas M. Eastep.</font></a><br>
- </p>
- <br>
+</p>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/SourceforgeBanner.html b/Shorewall-docs/SourceforgeBanner.html
new file mode 100755
index 000000000..cd2fe8127
--- /dev/null
+++ b/Shorewall-docs/SourceforgeBanner.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="content-type"
+ content="text/html; charset=ISO-8859-1">
+  <title>Banner</title>
+  <meta name="author" content="Tom Eastep">
+  <base target="main">
+</head>
+<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
+ link="#000099" vlink="#990099" alink="#000099">
+<table cellpadding="0"
+ style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
+ id="AutoNumber3">
+  <tbody>
+    <tr>
+      <td style="text-align: center; width: 34%; vertical-align: top;">
+      <div align="center"> <img src="images/Logo1.png"
+ alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
+ align="middle" title=""> </div>
+      </td>
+      <td style="vertical-align: top;">
+      <form method="post"
+ action="http://lists.shorewall.net/cgi-bin/htsearch"
+ style="background-color: rgb(51, 102, 255);"> <strong><font
+ color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
+is unavailable Daily 0200-0330 GMT.</font><br>
+        <strong></strong>
+        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
+        <font face="Arial" size="-1"> <input type="text" name="words"
+ size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
+ type="hidden" name="format" value="long"> <input type="hidden"
+ name="method" value="and"> <input type="hidden" name="config"
+ value="htdig"> <input type="submit" value="Search"><b><font
+ color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
+ href="http://lists.shorewall.net/htdig/search.html"
+ style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
+        <font face="Arial"> <input type="hidden" name="exclude"
+ value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
+      </td>
+    </tr>
+  </tbody>
+</table>
+</body>
+</html>
diff --git a/Shorewall-docs/UserSets.html b/Shorewall-docs/UserSets.html
new file mode 100755
index 000000000..33b457072
--- /dev/null
+++ b/Shorewall-docs/UserSets.html
@@ -0,0 +1,141 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="Content-Language" content="en-us">
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Controlling Traffic by UID/GID</title>
+  <meta name="author" content="Tom Eastep">
+</head>
+<body>
+<table border="0" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+ id="AutoNumber1" bgcolor="#3366ff" height="90">
+  <tbody>
+    <tr>
+      <td width="100%">
+      <h1 align="center"><font color="#ffffff">Controlling Output
+Traffic by UID/GID<br>
+      </font></h1>
+      </td>
+    </tr>
+  </tbody>
+</table>
+This capability was added in Shorewall release
+1.4.7.<br>
+<br>
+Netfilter provides the capability to filter packets generated on the
+firewall system by User Id and/or Group Id. Shorewall provides two
+separate but related ways to use this Netfilter capability:<br>
+<ol>
+  <li>Shorewall allows you to
+define collections of users called "<a href="#UserSet">User Sets</a>"
+and then to restrict
+certain rules in /etc/shorewall/rules to a given User Set.</li>
+  <li>Shorewall also allows you to restrict a given <a href="#Rule">rule
+    </a>to a particular user and/or group.<br>
+  </li>
+</ol>
+Since only packets created by programs running on the Shorewall box
+itself, only rules whose SOURCE is the firewall ($FW) may be restricted
+using either of the facilities.<br>
+<h2><a name="UserSet"></a>User Sets<br>
+</h2>
+Given the way that this facility is implemented in Shorewall, it is not
+possible to control logging of individual rules using a User Set and
+logging is rather specified on the User Set itself.<br>
+<br>
+User Sets are defined in the /etc/shorewall/usersets file. Columns in
+that file include:<br>
+<br>
+<div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The name of a User Set. Must be a legal
+shell
+identifier of no more than six (6) characters in length.<br>
+REJECT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
+Log level for connections rejected for this User Set.<br>
+ACCEPT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; Log
+level for connections accepted for this User Set.<br>
+DROP &nbsp;&nbsp; &nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
+&nbsp;&nbsp; Log level for connections dropped for this User Set.<br>
+</div>
+<br>
+In the REJECT and ACCEPT columns, if you don't want to specify a value
+in the column but you want to specify a value in a following column,
+you may enter "-".<br>
+<br>
+Users and/or groups are added to User Sets using the
+/etc/shorewall/users file. Columns in that file are:<br>
+<br>
+<div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
+&nbsp;&nbsp; &nbsp;&nbsp; The name of a User Set defined in
+/etc/shorewall/usersets.<br>
+USER&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
+&nbsp;&nbsp; The name of a user defined on the system or a user number.<br>
+GROUP&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
+The name of a group defined on the system or a number.<br>
+</div>
+<p align="left">Only one of the USER and GROUP
+column needs to be non-empty. If you wish to specify a GROUP but not a
+USER, enter "-" in the user column.<br>
+</p>
+<p align="left">If both USER and GROUP are
+specified then only programs running under that USER:GROUP pair will
+match rules specifying the User Set named in the USERSET column.<br>
+</p>
+<p align="left">Once a user set has been defined, its name may be
+placed in the USER SET column of the /etc/shorewall/rules file. <span
+ style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
+</span></span>When
+the name of a user set is given in the USER SET column, you may not
+include a log level in the ACTION column; logging of such rules is
+governed solely by the user set's definition in the
+/etc/shorewall/userset file.
+</p>
+<p align="left">Example: You want members of the
+'admin' group and 'root' to be able to use ssh on the firewall to
+connect to local systems. You want to log all connections accepted for
+these users using syslog at the 'info' level.<br>
+</p>
+<div style="margin-left: 40px;"></div>
+<p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
+<div style="margin-left: 40px;"></div>
+<pre style="margin-left: 80px;">#USERSET	REJECT	ACCEPT	DROP<br>admins		-	info<br></pre>
+<div style="margin-left: 40px;"></div>
+<p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
+</p>
+<div style="margin-left: 40px;"></div>
+<pre style="margin-left: 80px;">#USERSET	USER		GROUP<br>admins		-		admin<br>admins		root<br></pre>
+<div style="margin-left: 40px;">/etc/shorewall/rules<br>
+</div>
+<pre style="margin-left: 80px;">#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER<br>#						PORT(S)	DESTINATION		SET<br><br>ACCEPT	$FW	loc		tcp	22	-	-		-	admins<br></pre>
+<h2><a name="Rule"></a>Restricting a rule to a particular user and/or
+group<br>
+</h2>
+In cases where you may want to restrict a rule to a particular user
+and/or group, the USER SET column in the rules file may be specified as:<br>
+<br>
+<div style="margin-left: 40px;">[ &lt;<span style="font-style: italic;">user
+name or number</span>&gt; ] : [ &lt;<span style="font-style: italic;">group
+name or number</span>&gt; ]<br>
+<div style="text-align: left;"><br>
+</div>
+</div>
+When a user and/or group name is given in the USER SET column, it is OK
+to specify a log level in the ACTION column. <br>
+<br>
+Example: You want user <span style="font-style: italic;">mail </span>to
+be able to send email from the firewall to the local net zone<br>
+<br>
+<div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
+the ":" in the USER SET column entry).<br>
+<pre>#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER<br>#						PORT(S)	DESTINATION		SET<br><br>ACCEPT	$FW	loc		tcp	25	-	-		-	mail:</pre>
+</div>
+<p align="left"><font size="2">Last updated 9/19/2003 - <a
+ href="support.htm">Tom Eastep</a></font></p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
+</body>
+</html>
diff --git a/Shorewall-docs/VPN.htm b/Shorewall-docs/VPN.htm
index 334005fb6..4ee6b5aea 100755
--- a/Shorewall-docs/VPN.htm
+++ b/Shorewall-docs/VPN.htm
@@ -1,78 +1,59 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>VPN</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-    <tbody>
-     <tr>
-      <td width="100%">       
-      <h1 align="center"><font color="#ffffff">VPN</font></h1>
-      </td>
-    </tr>
-    
-  </tbody> 
-</table>
-  
-<p>It is often the case that a system behind the firewall needs to be able 
-to  access a remote network through Virtual Private Networking (VPN). The 
-two most  common means for doing this are IPSEC and PPTP. The basic setup 
-is shown in the  following diagram:</p>
-  
+<body>
+<h1 style="text-align: center;">VPN<br>
+</h1>
+<p>It is often the case that a system behind the firewall needs to be
+able to access a remote network through Virtual Private Networking
+(VPN). The two most common means for doing this are IPSEC and PPTP. The
+basic setup is shown in the following diagram:</p>
 <p align="center"><img border="0" src="images/VPN.png" width="568"
- height="796">
- </p>
-  
-<p align="left">A system with an RFC 1918 address needs to access a remote 
- network through a remote gateway. For this example, we will assume that the
- local system has IP address 192.168.1.12 and that the remote gateway has
-IP  address 192.0.2.224.</p>
-  
-<p align="left">If PPTP is being used, there are no firewall requirements 
-beyond  the default loc-&gt;net ACCEPT policy. There is one restriction however: 
-Only one  local system at a time can be connected to a single remote gateway 
-unless you  patch your kernel from the 'Patch-o-matic' patches available at
+ height="796"> </p>
+<p align="left">A system with an RFC 1918 address needs to access a
+remote network through a remote gateway. For this example, we will
+assume that the local system has IP address 192.168.1.12 and that the
+remote gateway has
+IP address 192.0.2.224.</p>
+<p align="left">If PPTP is being used, there are no firewall
+requirements beyond the default loc-&gt;net ACCEPT policy. There is one
+restriction however: Only one local system at a time can be connected
+to a single remote gateway unless you patch your kernel from the
+'Patch-o-matic' patches available at
 <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
-  
-<p align="left">If IPSEC is being used then only one system may connect to 
-the remote gateway and there are firewall configuration  requirements as follows:</p>
-  
-<blockquote>   
+<p align="left">If IPSEC is being used then only one system may connect
+to the remote gateway and there are firewall configuration requirements
+as follows:</p>
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  bordercolor="#111111" id="AutoNumber2" height="98">
-      <tbody>
-       <tr>
+    <tbody>
+      <tr>
         <td height="38"><u><b>ACTION</b></u></td>
         <td height="38"><u><b>SOURCE</b></u></td>
         <td height="38"><u><b>DESTINATION</b></u></td>
         <td height="38"><u><b>PROTOCOL</b></u></td>
         <td height="38"><u><b>PORT</b></u></td>
         <td height="38"><u><b>CLIENT<br>
-        PORT</b></u></td>
+PORT</b></u></td>
         <td height="38"><u><b>ORIGINAL<br>
-        DEST</b></u></td>
+DEST</b></u></td>
       </tr>
       <tr>
         <td height="19">DNAT</td>
         <td height="19">net:192.0.2.224</td>
         <td height="19">loc:192.168.1.12</td>
         <td height="19">50</td>
-        <td height="19"> </td>
-        <td height="19"> </td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
+        <td height="19">&nbsp;</td>
+        <td height="19">&nbsp;</td>
       </tr>
       <tr>
         <td height="19">DNAT</td>
@@ -80,27 +61,24 @@ the remote gateway and there are firewall configuration  requirements as follows
         <td height="19">loc:192.168.1.12</td>
         <td height="19">udp</td>
         <td height="19">500</td>
-        <td height="19"> </td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
+        <td height="19">&nbsp;</td>
       </tr>
-      
-    </tbody>   
+    </tbody>
   </table>
-  </blockquote>
-  
-<p>If you want to be able to give access to all of your local systems to the
- remote network, you should consider running a VPN client on your firewall. 
-As  starting points, see <a
- href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a> 
-or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
-  
-<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
- 
-<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> 
+</blockquote>
+<p>If you want to be able to give access to all of your local systems
+to the remote network, you should consider running a VPN client on your
+firewall. As starting points, see <a
+ href="Documentation.htm#Tunnels">
+http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
+ href="PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
+<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
+Eastep</a></font></p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
- 
-<p> </p>
-   <br>
- <br>
+<p>&nbsp;</p>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/blacklisting_support.htm b/Shorewall-docs/blacklisting_support.htm
index e8e955e64..f21c88ed9 100644
--- a/Shorewall-docs/blacklisting_support.htm
+++ b/Shorewall-docs/blacklisting_support.htm
@@ -1,102 +1,91 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-        
   <meta http-equiv="Content-Language" content="en-us">
-        
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-        
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-        
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Blacklisting Support</title>
 </head>
-  <body>
-    
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-       <tbody>
-        <tr>
-         <td width="100%">              
-      <h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
-         </td>
-       </tr>
-        
-  </tbody>  
-</table>
-    
-<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
-    
+<body>
+<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
+</h1>
+<p>Shorewall supports two different forms of blacklisting; static and
+dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
+option in /etc/shorewall/shorewall.conf controls the degree of
+blacklist filtering:<br>
+</p>
+<ol>
+  <li>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
+against the blacklist. New blacklist entries can be used to terminate
+existing connections. Versions of Shorewall prior to 1.4.8 behave in
+this manner.<br>
+  </li>
+  <li>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
+connection requests. Blacklists may not be used to terminate existing
+connections.</li>
+</ol>
+Only the source address is checked against the blacklists.<br>
 <h2>Static Blacklisting</h2>
-    
-<p>Shorewall static blacklisting support has the following configuration
+<p>Shorewall static blacklisting support has the following
+configuration
 parameters:</p>
-    
 <ul>
-       <li>You specify whether you want packets from blacklisted hosts dropped
-  or     rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
-      setting in /etc/shorewall/shorewall.conf</li>
-       <li>You specify whether you want packets from blacklisted hosts logged
-  and at     what syslog level using the <a
- href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>     setting in
-  /etc/shorewall/shorewall.conf</li>
-       <li>You list the IP addresses/subnets that you wish to blacklist in
-     <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
-Beginning   with Shorewall version 1.3.8, you may also specify PROTOCOL and
-Port numbers/Service   names in the blacklist file.<br>
-      </li>
-       <li>You specify the interfaces whose incoming packets you want checked
-  against     the blacklist using the "<a
- href="Documentation.htm#Interfaces">blacklist</a>"     option in /etc/shorewall/interfaces.</li>
-       <li>The black list is refreshed from /etc/shorewall/blacklist by the
- "<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
-    
+  <li>You specify whether you want packets from blacklisted hosts
+dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
+setting in /etc/shorewall/shorewall.conf</li>
+  <li>You specify whether you want packets from blacklisted hosts
+logged and at what syslog level using the <a
+ href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
+/etc/shorewall/shorewall.conf</li>
+  <li>You list the IP addresses/subnets that you wish to blacklist in <a
+ href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
+Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
+and
+Port numbers/Service names in the blacklist file.<br>
+  </li>
+  <li>You specify the interfaces whose incoming packets you want
+checked against the blacklist using the "<a
+ href="Documentation.htm#Interfaces">blacklist</a>" option in
+/etc/shorewall/interfaces.</li>
+  <li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
+ href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
 </ul>
-    
 <h2>Dynamic Blacklisting</h2>
-    
-<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
-   doesn't use any configuration parameters but is rather controlled using
-  /sbin/shorewall commands:</p>
-    
+<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
+blacklisting doesn't use any configuration parameters but is rather
+controlled using /sbin/shorewall commands:</p>
 <ul>
-       <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
-listed   IP    addresses to be silently dropped by the firewall.</li>
-       <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
- listed  IP    addresses to be rejected by the firewall.</li>
-       <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
-  from hosts    previously blacklisted by a <i>drop</i> or <i>reject</i>
+  <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
+listed IP addresses to be silently dropped by the firewall.</li>
+  <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
+listed IP addresses to be rejected by the firewall.</li>
+  <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
+packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
 command.</li>
-       <li>save - save the dynamic blacklisting configuration so that it
-will   be    automatically restored the next time that the firewall is restarted.</li>
-       <li>show dynamic - displays the dynamic blacklisting configuration.</li>
-    
+  <li>save - save the dynamic blacklisting configuration so that it
+will be automatically restored the next time that the firewall is
+restarted.</li>
+  <li>show dynamic - displays the dynamic blacklisting configuration.</li>
 </ul>
-  Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
-in  /etc/shorewall/interfaces.<br>
-    
+Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
+in /etc/shorewall/interfaces.<br>
 <p>Example 1:</p>
-    
 <pre>     <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
-    
-<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
-    
+<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
+192.0.2.125</p>
 <p>Example 2:</p>
-    
 <pre>     <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
-    
-<p>    Reenables access from 192.0.2.125.</p>
-    
-<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
-    
+<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
+<p><font size="2">Last updated 11/14/2003 - <a href="support.htm">Tom
+Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-   © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
-      <br>
-    <br>
-   <br>
-  <br>
- <br>
+© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/configuration_file_basics.htm b/Shorewall-docs/configuration_file_basics.htm
index d75361d8d..f7aeb5895 100644
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@@ -9,17 +9,8 @@
   <title>Configuration File Basics</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Configuration Files<br>
+</h1>
 <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
 configuration files on a system running Microsoft Windows, you <u>must</u>
 run them through <a
@@ -46,7 +37,7 @@ and Source Network Address Translation (SNAT).</li>
 modules.</li>
   <li>/etc/shorewall/rules - defines rules that are exceptions to the
 overall policies established in /etc/shorewall/policy.</li>
-  <li>/etc/shorewall/nat - defines static NAT
+  <li>/etc/shorewall/nat - defines one-to-one NAT
 rules.</li>
   <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
   <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
@@ -254,18 +245,21 @@ that you can then use in some of the other configuration files.</p>
 <p>It is suggested that variable names begin with an upper case letter<font
  size="1"> </font>to distinguish them from variables used internally
 within the Shorewall programs</p>
-<p>Example:</p>
+<p>Example:<br>
+</p>
+<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/params<br>
+</p>
 <blockquote>
-  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
+  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
 </blockquote>
-<p><br>
-Example (/etc/shorewall/interfaces record):</p>
+<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/interfaces record:</p>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote>
   <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
 </blockquote>
 </font>
-<p>The result will be the same as if the record had been written</p>
+<p>&nbsp;&nbsp;&nbsp; The result will be the same as if the record had
+been written</p>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote>
   <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
@@ -331,7 +325,8 @@ The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
 allows you to attempt to restart using an alternate configuration and
 if an
 error occurs to automatically restart the standard configuration.<br>
-<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2"> Updated 11/20/2003 - <a href="support.htm">Tom
+Eastep</a>
 </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
diff --git a/Shorewall-docs/copyright.htm b/Shorewall-docs/copyright.htm
index b18869cfe..05fccb49b 100644
--- a/Shorewall-docs/copyright.htm
+++ b/Shorewall-docs/copyright.htm
@@ -1,46 +1,30 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Copyright</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-    <tbody>
-     <tr>
-      <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Copyright</font></h1>
-      </td>
-    </tr>
-    
-  </tbody> 
-</table>
-  
-<p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001, 
-2003  Thomas M Eastep<br>
-   </p>
-  
-<blockquote>   
-  <p align="left">Permission is granted to copy, distribute and/or modify 
-this    document under the terms of the GNU Free Documentation License, Version 
-1.1 or    any later version published by the Free Software Foundation; with 
-no Invariant    Sections, with no Front-Cover, and with no Back-Cover Texts. 
-A copy of the    license is included in the section entitled "<a
- href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
-   </p>
-  </blockquote>
-   <br>
- <br>
+<body>
+<h1 style="text-align: center;">Copyright<br>
+</h1>
+<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp;
+2000, 2001, 2003 Thomas M Eastep<br>
+&nbsp;</p>
+<blockquote>
+  <p align="left">Permission is granted to copy, distribute and/or
+modify this document under the terms of the GNU Free Documentation
+License, Version 1.1 or any later version published by the Free
+Software Foundation; with no Invariant Sections, with no Front-Cover,
+and with no Back-Cover Texts. A copy of the license is included in the
+section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
+License</a>".<br>
+&nbsp;</p>
+</blockquote>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/dhcp.htm b/Shorewall-docs/dhcp.htm
index 14816e07f..84954d805 100644
--- a/Shorewall-docs/dhcp.htm
+++ b/Shorewall-docs/dhcp.htm
@@ -1,85 +1,65 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>DHCP</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-    <tbody>
-     <tr>
-      <td width="100%">       
-      <h1 align="center"><font color="#ffffff">DHCP</font></h1>
-      </td>
-    </tr>
-    
-  </tbody> 
-</table>
-  
+<body>
+<h1 style="text-align: center;">DHCP<br>
+</h1>
 <h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
-  
 <ul>
-    <li>     
-    <p align="left">Specify the "dhcp" option on each interface to be  served
-by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-    file. This will generate rules that will allow DHCP to and from your firewall
-system.   </p>
-   </li>
-   <li>     
-    <p align="left">When starting "dhcpd", you need to list those     interfaces 
-on the run line. On a RedHat system, this is done by modifying     /etc/sysconfig/dhcpd. 
-    </p>
-   </li>
- 
+  <li>
+    <p align="left">Specify the "dhcp" option on each interface to be
+served
+by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+file. This will generate rules that will allow DHCP to and from your
+firewall
+system. </p>
+  </li>
+  <li>
+    <p align="left">When starting "dhcpd", you need to list those
+interfaces on the run line. On a RedHat system, this is done by
+modifying /etc/sysconfig/dhcpd. </p>
+  </li>
 </ul>
-  
 <h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
-  
 <ul>
-    <li>     
-    <p align="left">Specify the "dhcp" option for this interface in     the 
-    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-  file. This will generate rules that will allow DHCP to and from your firewall 
-system.      </p>
-   </li>
-   <li>     
-    <p align="left">If you know that the dynamic address is always going to
-be     in the same subnet, you can specify the subnet address in the interface's 
-    entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
-    file.   </p>
-   </li>
-   <li>     
-    <p align="left">If you don't know the subnet address in advance, you should
-    specify "detect" for the interface's subnet address in the <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>     file 
-and start Shorewall after the interface has started.   </p>
-   </li>
-   <li>     
-    <p align="left">In the event that the subnet address might change while 
-    Shorewall is started, you need to arrange for a "shorewall     refresh" 
-command to be executed when a new dynamic IP address gets     assigned to 
-the interface. Check your DHCP client's documentation. </p>
-   </li>
- 
+  <li>
+    <p align="left">Specify the "dhcp" option for this interface in the
+    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+file.&nbsp;This will generate rules that will allow DHCP to and from
+your firewall system. </p>
+  </li>
+  <li>
+    <p align="left">If you know that the dynamic address is always
+going to
+be in the same subnet, you can specify the subnet address in the
+interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+file. </p>
+  </li>
+  <li>
+    <p align="left">If you don't know the subnet address in advance,
+you should specify "detect" for the interface's subnet address in the <a
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
+and start Shorewall after the interface has started. </p>
+  </li>
+  <li>
+    <p align="left">In the event that the subnet address might change
+while Shorewall is started, you need to arrange for a "shorewall
+refresh" command to be executed when a new dynamic IP address gets
+assigned to the interface. Check your DHCP client's documentation. </p>
+  </li>
 </ul>
-  
 <p align="left"><font size="2">Last updated 11/03/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
-  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-   <br>
- <br>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/download.htm b/Shorewall-docs/download.htm
index 425321a66..d1c9f4e37 100644
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@@ -9,17 +9,8 @@
   <title>Download</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Shorewall Download<br>
+</h1>
 <p><b>I strongly urge you to read and print a copy of the <a
  href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
 for the configuration that most closely matches your own.<br>
@@ -86,20 +77,20 @@ removing the file /etc/shorewall/startup_disabled.</b></font></p>
         <td><b>HTTP</b></td>
         <td><b>FTP</b></td>
       </tr>
-      <tr>
-        <td>SourceForge<br>
-        </td>
-        <td>sf.net</td>
-        <td><a
- href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
-        <td>N/A</td>
-      </tr>
       <tr>
         <td>Slovak Republic</td>
         <td>Shorewall.net</td>
         <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
         <td> <a target="_blank"
  href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
+      </tr>
+      <tr>
+        <td style="vertical-align: top;">Washington State, USA</td>
+        <td style="vertical-align: top;">Shorewall.net</td>
+        <td style="vertical-align: top;"><a
+ href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
+        <td style="vertical-align: top;"><a
+ href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
       </tr>
       <tr>
         <td>Texas, USA</td>
@@ -144,7 +135,8 @@ Unavailable)</a></td>
         <td valign="top"><a
  href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
         </td>
-        <td valign="top">N/A<br>
+        <td valign="top"><a href="ftp://ftp.syachile.cl/pub/shorewall"
+ target="_top">Browse</a><br>
         </td>
       </tr>
       <tr>
@@ -159,11 +151,14 @@ Unavailable)</a></td>
         </td>
       </tr>
       <tr>
-        <td>Washington State, USA</td>
-        <td>Shorewall.net</td>
-        <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
-        <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
- target="_blank">Browse</a></td>
+        <td>Sourceforge - California, USA (Incomplete)<br>
+        </td>
+        <td>Sourceforge.net<br>
+        </td>
+        <td><a href="http://sourceforge.net/projects/shorewall">Browse<br>
+        </a></td>
+        <td>N/A<br>
+        </td>
       </tr>
     </tbody>
   </table>
@@ -187,7 +182,7 @@ These snapshots have undergone initial testing and will have been
 installed and run at shorewall.net.<br>
   </p>
 </blockquote>
-<p align="left"><font size="2">Last Updated 9/25/2003 - <a
+<p align="left"><font size="2">Last Updated 11/14/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm
index 247361e6f..5d14cceca 100644
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@@ -10,43 +10,36 @@
   <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
-Issues</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<p align="center"> <b><u>IMPORTANT</u></b></p>
+<p align="center"> </p>
+<h1 style="text-align: center;">Shorewall Errata<br>
+</h1>
+<p align="center"><b><u>IMPORTANT</u></b></p>
 <ol>
   <li>
     <p align="left"> <b><u>I</u>f you use a Windows system to download
 a corrected script, be sure to run the script through <u> <a
  href="http://www.megaloman.com/%7Ehany/software/hd2u/"
  style="text-decoration: none;"> dos2unix</a></u> after you have moved
-it to your Linux system.</b></p>
+it
+to your Linux system.</b></p>
   </li>
   <li>
     <p align="left"> <b>If you are installing Shorewall for the first
-time and plan to use the .tgz and install.sh script, you can untar
-the archive, replace the 'firewall' script in the untarred directory
-with the one you downloaded below, and then run install.sh.</b></p>
+time and plan to use the .tgz and install.sh script, you can untar the
+archive, replace the 'firewall' script in the untarred directory with
+the one you downloaded below, and then run install.sh.</b></p>
   </li>
   <li>
     <p align="left"> <b>When the instructions say to install a
-corrected firewall script in /usr/share/shorewall/firewall,
-you may rename the existing file before copying in the new file.</b></p>
+corrected firewall script in /usr/share/shorewall/firewall, you may
+rename the existing file before copying in the new file.</b></p>
   </li>
   <li>
     <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
 COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
-BELOW. For example, do NOT install the 1.3.9a firewall script
-if you are running 1.3.7c.</font></b><br>
+BELOW. For example, do NOT install the 1.3.9a firewall script if you
+are
+running 1.3.7c.</font></b><br>
     </p>
   </li>
 </ol>
@@ -61,8 +54,7 @@ Version 1.1</a></font></b></li>
   <li> <b><font color="#660066"><a href="#iptables"> Problem with
 iptables version 1.2.3 on RH7.2</a></font></b></li>
   <li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
-RedHat
-iptables</a></b></li>
+RedHat iptables</a></b></li>
   <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
   <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
 MULTIPORT=Yes</a></b></li>
@@ -75,12 +67,38 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
 <hr>
 <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
 <h3></h3>
+<h3>1.4.7</h3>
+<ul>
+  <li>Using some versions of 'ash' (such as from RH8) as the
+SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
+    <br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so: <br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.</li>
+  <li>When more than one ICMP type is listed in a rule and your kernel
+includes multiport match support,&nbsp; the firewall fails to
+start.&nbsp;</li>
+  <li>Regardless of the setting of LOGUNCLEAN, the value
+LOGUNCLEAN=info was used.</li>
+  <li>After the following error message, Shorewall was left in an
+inconsistent state:<br>
+    <br>
+Error: Unable to determine the routes through interface xxx<br>
+  </li>
+</ul>
+These problems have been corrected in this <a
+ href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
+script</a> which may be installed in /var/share/shorewall/firewall as
+described above.<br>
 <h3>1.4.6</h3>
 <ul>
   <li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
 would fail to start with the error "ERROR:&nbsp; Traffic Control
-requires Mangle";
-that problem has been corrected in <a
+requires
+Mangle"; that problem has been corrected in <a
  href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
 firewall script</a> which may be installed in
 /var/share/shorewall/firewall as described above. This problem is also
@@ -95,13 +113,10 @@ follows:<br>
 For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
 in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
 firewall script</a> which may be installed in
-/var/share/shorewall/firewall
-as described above. For all other versions, you will have to edit your
-'firewall'
-script (in versions 1.4.*, it is located in
-/usr/share/shorewall/firewall).
-Locate the function add_tcrule_() and in that function, replace this
-line:<br>
+/var/share/shorewall/firewall as described above. For all other
+versions, you will have to edit your 'firewall' script (in versions
+1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
+function add_tcrule_() and in that function, replace this line:<br>
     <br>
 &nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
 $source`&nbsp;</span><br>
@@ -116,13 +131,13 @@ Note that there must be a space before the ending quote!<br>
 </ul>
 <h3>1.4.4b</h3>
 <ul>
-  <li>Shorewall is ignoring records in /etc/shorewall/routestopped
-that have an empty second column (HOSTS). This problem may be corrected
-by installing <a
+  <li>Shorewall is ignoring records in /etc/shorewall/routestopped that
+have an empty second column (HOSTS). This problem may be corrected by
+installing <a
  href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
  target="_top">this firewall script</a> in
-/usr/share/shorewall/firewall as
-described above.</li>
+/usr/share/shorewall/firewall
+as described above.</li>
   <li>The INCLUDE directive doesn't work when placed in the
 /etc/shorewall/zones file. This problem may be corrected by installing <a
  href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@@ -138,8 +153,8 @@ though the log level for the console is set properly according to <a
 installing <a
  href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
  target="_top">this firewall script</a> in
-/usr/share/shorewall/firewall as
-described above.<br>
+/usr/share/shorewall/firewall
+as described above.<br>
   </li>
 </ul>
 <h3>1.4.4<br>
@@ -158,7 +173,8 @@ to allow integration of Shorewall with Fireparse
 of the integration problem. I have implimented a new LOGFORMAT variable
 which will replace LOGMARKER which has completely solved this problem
 and is currently in production with fireparse here at shorewall.net.
-The updated files may be found at <a
+The
+updated files may be found at <a
  href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
  target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
 See the 0README.txt file for details.<br>
@@ -171,8 +187,8 @@ directory created in /tmp is not being removed. This problem may be
 corrected by installing <a
  href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
  target="_top">this firewall script</a> in
-/usr/share/shorewall/firewall as
-described above. <br>
+/usr/share/shorewall/firewall
+as described above. <br>
   </li>
 </ul>
 <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
@@ -191,7 +207,8 @@ in /etc/shorewall/common.def.<br>
 produces the harmless additional message:<br>
     <br>
 &nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
-unary operator expected<br>
+unary operator
+expected<br>
     <br>
 You may correct the problem by installing <a
  href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
@@ -202,8 +219,8 @@ You may correct the problem by installing <a
 <h3>1.4.0</h3>
 <ul>
   <li>When running under certain shells Shorewall will attempt to
-create ECN rules even when /etc/shorewall/ecn is empty. You may
-either just remove /etc/shorewall/ecn or you can install <a
+create ECN rules even when /etc/shorewall/ecn is empty. You may either
+just remove /etc/shorewall/ecn or you can install <a
  href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
 correct script</a> in /usr/share/shorewall/firewall as described above.<br>
   </li>
@@ -222,17 +239,19 @@ released this buggy iptables in RedHat 7.2.&nbsp;</p>
   <p align="left"> I have built a <a
  href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
 corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
-also built an <a
+also
+built an <a
  href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
 iptables-1.2.4 rpm which you can download here</a>. If you are
-currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
-  </b>you upgrade to RedHat 7.2.</p>
+currently
+running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
+  </b>you
+upgrade to RedHat 7.2.</p>
   <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
-has released an iptables-1.2.4 RPM of their own which
-you can download from<font color="#ff6633"> <a
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
-  </font>I have installed this RPM on my firewall and
-it works fine.</p>
+has released an iptables-1.2.4 RPM of their own which you can download
+from<font color="#ff6633"> <a
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
+have installed this RPM on my firewall and it works fine.</p>
   <p align="left">If you would like to patch iptables 1.2.3 yourself,
 the patches are available for download. This <a
  href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
@@ -246,8 +265,8 @@ corrects a problem in handling the&nbsp; TOS target.</p>
     <li>patch -p0 &lt; <i>the-patch-file</i></li>
   </ul>
 </blockquote>
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
-RedHat iptables</h3>
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and RedHat
+iptables</h3>
 <blockquote>
   <p>Users who use RedHat iptables RPMs and who upgrade to kernel
 2.4.18/19 may experience the following:</p>
@@ -259,10 +278,9 @@ user-space debugging code was not updated to reflect recent changes in
 the Netfilter 'mangle' table. You can correct the problem by installing
   <a
  href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-this iptables RPM</a>. If you are already running a
-1.2.5 version of iptables, you will need to specify the
---oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
-iptables-1.2.5-1.i386.rpm").</p>
+this iptables RPM</a>. If you are already running a 1.2.5 version of
+iptables, you will need to specify the --oldpackage option to rpm
+(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
 </blockquote>
 <h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict with kernel &lt;=
@@ -275,7 +293,8 @@ MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made an incompatible
 change to the syntax used to specify multiport match rules; as a
 consequence, if you install iptables 1.2.7 you must be running
-Shorewall 1.3.7a or later or:</p>
+Shorewall
+1.3.7a or later or:</p>
 <ul>
   <li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
   <li>if you are running Shorewall 1.3.6 you may install <a
@@ -293,23 +312,22 @@ Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
 The solution is to put "no" in the LOCAL column. Kernel support for
 LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
-2.4.19 kernel contains corrected support
-under a new kernel configuraiton option; see <a
- href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+2.4.19 kernel contains corrected support under a new kernel
+configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
 <br>
 <h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
-and REJECT
-(also applies to 2.4.21-RC1)</b></h3>
+and
+REJECT (also applies to 2.4.21-RC1)</b></h3>
 Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
 tcp-reset" is broken. The symptom most commonly seen is that REJECT
 rules act just like DROP rules when dealing with TCP. A kernel patch
-and precompiled modules to fix this problem are available at <a
+and
+precompiled modules to fix this problem are available at <a
  href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
  target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
 <hr>
-<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
-Eastep</a></font>
-</p>
+<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
+Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
diff --git a/Shorewall-docs/fallback.htm b/Shorewall-docs/fallback.htm
index 1141bd0b6..88b2cd87d 100644
--- a/Shorewall-docs/fallback.htm
+++ b/Shorewall-docs/fallback.htm
@@ -1,77 +1,61 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
- 
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Fallback and Uninstall</title>
-  
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
- 
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-   <tbody>
-    <tr>
-     <td width="100%">  
-      <h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
-      </td>
-   </tr>
- 
-  </tbody>
-</table>
-  
+<body>
+<div style="text-align: left;">
+<h1 style="text-align: center;">Fallback and Uninstall<br>
+</h1>
+<h1><strong></strong></h1>
+<h1><strong></strong></h1>
+</div>
 <p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
 script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
 script</strong></a><strong>.</strong></p>
-  
-<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall 
-using the Fallback Script</h2>
-  
-<p>If you install Shorewall and discover that it doesn't work for you, you
+<h2><a name="fallback"></a>Falling Back to the Previous Version of
+Shorewall using the Fallback Script</h2>
+<p>If you install Shorewall and discover that it doesn't work for you,
+you
 can fall back to your previously installed version. To do that:</p>
-  
 <ul>
-   <li>cd to the distribution directory for the version         of Seattle
-Firewall <u>that you are         currently running </u>(NOT the version 
-       that you want to fall back to).</li>
-   <li>Type "./fallback.sh"</li>
- 
+  <li>cd to the distribution directory for the version of Seattle
+Firewall <u>that you are currently running </u>(NOT the version that
+you want to fall back to).</li>
+  <li>Type "./fallback.sh"</li>
 </ul>
-  
-<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
-/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
-and /etc/shorewall/masq with the version of these files from before the current
+<h3><strong><u>Warning:</u> The fallback script will replace
+/etc/shorewall/policy,
+/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
+/etc/shorewall/proxyarp
+and /etc/shorewall/masq with the version of these files from before the
+current
 version was installed. Any changes to any of these files will be lost.</strong></h3>
-  
-<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using 
-rpm</h2>
-  
-<p>If your previous version of Shorewall was installed using RPM, you may
-fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
-a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
+<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
+using rpm</h2>
+<p>If your previous version of Shorewall was installed using RPM, you
+may
+fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;"
+at
+a root shell prompt (Example: "rpm -Uvh --force
+/downloads/shorewall-3.1=0noarch.rpm"
 would fall back to the 3.1-0 version of Shorewall).</p>
-  
 <h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
-  
 <p>If you no longer wish to use Shorewall, you may remove it by:</p>
-  
 <ul>
-   <li>cd to the distribution directory for the version         of Shorewall
+  <li>cd to the distribution directory for the version of Shorewall
 that you have installed.</li>
-   <li>type "./uninstall.sh"</li>
- 
+  <li>type "./uninstall.sh"</li>
 </ul>
-  
-<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
-  
+<p>If you installed using an rpm, at a root shell prompt type "rpm -e
+shorewall".</p>
 <p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
  href="support.htm">Tom Eastep</a></font> </p>
- <a href="copyright.htm"><font size="2">Copyright</font> © <font
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
 </body>
 </html>
diff --git a/Shorewall-docs/gnu_mailman.htm b/Shorewall-docs/gnu_mailman.htm
index 74c55a49b..dd2d374ae 100644
--- a/Shorewall-docs/gnu_mailman.htm
+++ b/Shorewall-docs/gnu_mailman.htm
@@ -1,80 +1,57 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>GNU Mailman</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-      <tbody>
-       <tr>
-        <td width="100%">       
-      <h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy 
- Way</font></h1>
-        </td>
-      </tr>
-    
-  </tbody> 
-</table>
-  
-<h1 align="center"> </h1>
-  
-<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael 
-  Tokarev as a suggested addition to the Postfix FAQ.</h4>
-  
+<body>
+<h1 align="center">GNU Mailman/Postfix the Easy Way&nbsp;</h1>
+<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
+Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
 <p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
-    <br>
-    A: Mailman uses a setgid wrapper that is designed to be used in system-wide 
-  aliases file so that rest of mailman's mail handling processes will run 
-with  proper uid/gid. Postfix has an ability to run a command specified in 
-an alias as  owner of that alias, thus mailman's wrapper is not needed here. 
- The best method  to invoke mailman's mail handling via aliases is to use 
-separate alias file  especially for mailman, and made it owned by mailman 
-and group mailman. Like:<br>
-    <br>
-    alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
-    <br>
-    Make sure that /var/mailman/aliases.db is owned by mailman user (this 
-may  be  done by executing postalias as mailman userid).<br>
-    <br>
-    Next, instead of using mailman-suggested aliases entries with wrapper, 
-use the  following:<br>
-    <br>
-    instead of<br>
-    mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
-    mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
-    mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
-    ...<br>
-    <br>
-    use<br>
-    mailinglist: /var/mailman/scripts/post mailinglist<br>
-    mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
-    mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
-    ...</p>
-  
-<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something 
-very similar so that no workaround is necessary. See the README.POSTFIX file 
-included with Mailman-2.1. </h4>
-  
+<br>
+A: Mailman uses a setgid wrapper that is designed to be used in
+system-wide aliases file so that rest of mailman's mail handling
+processes will run with proper uid/gid. Postfix has an ability to run a
+command specified in an alias as owner of that alias, thus mailman's
+wrapper is not needed here. The best method to invoke mailman's mail
+handling via aliases is to use separate alias file especially for
+mailman, and made it owned by mailman and group mailman. Like:<br>
+<br>
+alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
+<br>
+Make sure that /var/mailman/aliases.db is owned by mailman user (this
+may be done by executing postalias as mailman userid).<br>
+<br>
+Next, instead of using mailman-suggested aliases entries with wrapper,
+use the following:<br>
+<br>
+instead of<br>
+mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
+mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
+mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
+...<br>
+<br>
+use<br>
+mailinglist: /var/mailman/scripts/post mailinglist<br>
+mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
+mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
+...</p>
+<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
+something very similar so that no workaround is necessary. See the
+README.POSTFIX file included with Mailman-2.1.&nbsp;</h4>
 <p align="left"><font size="2">Last updated 12/29/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
-  
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-     <br>
-   <br>
-  <br>
- <br>
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
+Eastep.</font></a></font></p>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/images/Legend.png b/Shorewall-docs/images/Legend.png
index 8ae90a1ec32b9ebf45e98246699504316a94e22b..e97521e00d7ea97589aae490f2450e64459ca668 100755
GIT binary patch
delta 1481
zcmaiydpr{e0LO)mmXBv1ix_iC=RL10&l;O3YU#}TF{2M|m5;L(My$rdkjIdB<;rL`
zghSqiA@j<~Ylsv>F=OWX_dfTzyYJuM&+m`l@0TlGCPfV+0!p3W_Sf*fYmZy5XdBCt
z8udynpWigvF#1h2Q5FKc3IT){_KS!WNFw9KUv41dMb_1MmDL6}eyu$RYx+DBYf_1(
z$9ZxK#x;-v{CDEwW>CnoHa?#}Gd8C9vgI_!ZSK>jPrJLj6mZo6oob)J<3$_yi}X#N
z#`eay6TOWUm@%M5rbnC(mVf+h2t(k)+R~*CaT?<8n+XpNtQ8Lgg08PqQ(l@IHLnvg
z@OCFOeEs}l@5H!sRXy}$RHUvu$Tr`i*|%n8DfEeNGvx3D0=n|P3Z+Yo4WY=8P1)pE
zxov$6&t3m^<*3L=g(Rhcw_Q?aXQrnKd=L=}xJCtvp<)Wr^BFr$NoCpT;86+l+1IJC
z3&(Ic+@)CK&qCo?EL6~Q;T|AxhyA!yM^Vb8b51;(p?<p%{84(tx#7f%?BWQm!;0EO
zmYY0>{y?ob5kf1rAx~;c7hpWQS<%UL#ifU}ZdIVJa0ULUCnp22)|g1EuV(v~iDR7M
zfpHYvZ(Dn6AKPa-!3)FeP^nWjL#u#7Wtjs^>YH5u<nC~evjrzaFN3nOP1{U=WGDRs
zuv45@1OaZ6k^}3dV3u%(a<@7g3&w~3;vpiV0#!b21`U}RU5>1MT12L!>eJI@=4zr1
z&$++CGj6?Mb{9060aDO5kBEVPuRV}Y%UeQ0io3U9#{JLiY$!`1fjO=TF-pY!$?r3^
zx3{~Jq(Exw>g!xC*T>s?#VYDPbJWkAW3@dzoH2+BS=BU?=!H}2Q~o8Vf2d2ZSd_1q
zQ=E*p0c;V`dba;OK%r<uMGDVqblFcLy}U+OJuQuXRyB0uVio!t8*}nN3bZw-=Bq`@
zx-%-70i)5+TBK%D`m-~yf-UaGgVSD&M-w9c#LJol69VF=2Z1?~RiaUwF8V$aA%=44
zxXs~FVoVH1RH<VMpGSPp8ED=N+9;^k!tP~)ljhJ1A14<#ckDtH9wSN*0-}5y5z27o
z6bWrdDV$=bD}3unb>hQaa&G+04Ts62VT*N5tj3_e7P5Ow9$4{SyDL&=`oJtXTtwwv
zmX*xauAg_4aWr;A*=csLzA#P3kE<mL(8HAAk{m-DLAE0giPbbsptY(%<cFzOZW_j9
zo|Okwj^h>7<NXab#G0rpXFat)b9;<s*}-`5Z50MZSk98Rpz)L8vIPB94a50Aa(ecc
zv_MBakTnEokAtm5K)+lkjm(1;Am-YK7Lp(MXqj-l(%f@^mVEhlYgH*UYq%Yf<kXT^
zdZN<G&xR<BFih1MEjv=!VN}vYLp|GV^AA8^h4L%Co-bvRhT41czv3%;@1pwm<fAY^
zXwFsY1j@{-?poA9iV%0Nl_kVY)z|H$u~yWSN+7Ypi00B+)e#DK!qvQHVYE$Y!d&yq
z#7ljHMkv!A1uV$tcBs|7c>!yC__;KyM<AC-6s*3_B-kzt@Vt*P9oLiR$|Dey(#Z6j
zWql?FNMEz*`-y&L&(Yusr8Oh2XTWj1J63P-%kpUJG{G7B!G<@%b`5*I2D&ZXk<Ep`
zWPi^{=M}AY6wRBu)51z{i)Lk!przvs^`Yy=3raR(MAChuk$C+<q3bdP0J9?<P7-l%
zV`fidp<Hi6?9JReE}Vwob1s6|TF{LT<sFDazk&MqJ~|e3Wo9o>HwbmaIPBtagM>WN
z1-2=Yl`l_nhG6HZrXYFdQ~10*8EvV3DY2_c_ez6!ppvxH2;~3u^Z)H{41C$!%O|Eh
fr=Cw>GMTp3lILp!PW@OR@*O9K%kb*+{`dX@(@ozq

delta 1728
zcmb`FSvZ@C0zj#XO!&~EjVeO5Xsn^sG^jKLnOa(9j4hPkb%P+SwM0=FGm46RiwYS!
zO^lJ+iWZsL{!+VI#)Q#WYKnAPS<2k+KHtZCp3c*GI&})AiUmXpgzkcM@JbBasqXPK
zx}yA`)A#CLV}IYvfqIw%CLQj4U-g&RXb5~ByL%ELZG=9FNEeT#Qn$7W0cJwOL>uQL
z+%MDHo+Y^6UN4;!<nHd?+}tb|3#)s%zP{e~`ZesAFB)@DSa)}KRZY!d7=(Dly_9iG
zTU)y?^0>#yD+0v|ZdRrNX1q;=<%Y)|_?l_B-`_J*w3i3g49#kOvrEhVTfDY*Zbl>$
z^?wnIQ*?j-aAbO66_WJv?@ynYg0-I|)#;r6%3*xP(8Tica-S7*0DWqX^~WKP7yKDa
zEqg2o4-bEDJUxi--QM1=7dSt{E+LeD*pSb`oY~x0cBa@)!bpEk-jW9EHw@w^l<{V%
z>{F|l^9x=}9}d5Gnt}+|eeeQ!vJn9jV)w#;9Nfqnimywj(}yzMli`sn30Zs|vQH?H
zRM|(dY@1I59@>)|;qm3_ckaj39d>~pt!P+nq1kM9pTfN#(JY%yQA#l6g$pMpv@O>`
zY)#Rw?vz@DhT=fw2M8*5C=7sl@8WYjks@`5iOlV^mH<tqf)L2!UEW=;g66=G=?_NZ
z4h7fkmyxI`0Rv0qUgcDN6MvaH!tdFR+p@HpG;$~wt4}{dPW(#_JV37#Wl;E8t)2A8
z?|LP<0!t@nGJ2|OqxRxvqh9`Z^3hyM22K6)N_iFWcq?h9BWrTIb=~mNYG|ImFWwk2
zaUj^sdHD_<kt8AVVwQ#FSm&NMZp@-iWr>Vl!NB|UJr&G3*-aN<YP<uXf;l@N6=#B~
zRAc9{<N@JL5Ng<}uv8|9_=A@MJKR+Li%cLtHhrX4Jk;T+<Yp43aHeo`o3fR70r@d_
zmQ5;S4Cq`8kBzB@twirWbO|FbK4~F=Z97N)X$A9tI_hpzNE3`{^)&=5W5aB7708P1
z7^~L@rv^s4nAZ<~2)RHWIH6Dd=J{6FSzh>EQBsj2p!H<#nL4=jQDC46qP?1l7G*P=
ze9y1Tk{Sc&0JEQ`#u;}gW&)2M_G^OoPjuWS3E=bjI2`W3j}8tFQmIrqA0M9<dU96J
zG$o3gwnd}S=G}Krthp}c?mhLgc@ftKx{D`EGJTuk($+J|>7N>m<yvp7OGacZ?04{f
zia^7Nuvi{QTPSTi3%V8ykf%Wj$27{OtoS0|$D~XcK?z!jGeh1QYxXx2O!acs3Eoet
zf;tKBeoBoPg_Q?q9<!cWPYKm;e@dE{jWn%XZ25JqCq?5-cXC@cSc_<niKW%Q7dnKT
zZ|#Jo22!(GZegAMUjg%U8vXM#mM=nYWZy&j?GCJ@WB&NUYOi0HVm@hY*eb3=zCFYI
zfw;n#Vu8YUm9_H@!Kmj`w+@Tc6VmndnX2C^Ja)VjT{=ru-u1WbLVQltvAB^4k+SR5
zRI-lIRORL`$&R9*y2b}Ho^sBQ1rP)Vj^CN9TvR<xS3c9V%}{MR0e?fYRJy_SIViem
zlZAYu8_-raE<Lf6*H7@fq91b35;Kl$uX+bk3NnTu_E%r;8(V)l7a$;Lf3Lg(vnZ*f
zM*v+c?U6{o_cS3HILm|2azsXBC)}tWhfo4a1M54?7{nj2?X<~*`T~~joOdy&!aBr%
znykE#r8<V?(1+2-tdq6e(F%nI-;->-U9@TvhVglX;N!o$X7Et$ArPI~xSo3w%3|P%
zYhw;Kx$^4@3ndMBo=0@dH9%Cm5z+vc;gMrdWUYMk6}!NOj-X4j8mLTPqTx_06HH^z
zRJ|=AWw(L%#BI$i>rkdr2%~gYKux^%T%W0C!KQ}>4mRC4VuxYo*|$^t$=3k#O-Omg
zQI<{MkGSv*^|@=6xk7o!CS|52bSmxD0Iu^?2`y5{=+0XZ&%~-v6sdDcERduB4sFu2
ziZiU{I*H2d`W}90x!l?uk@{kk2_A_2wF81?DM`qoa;Q%)4ZP~?WVf^%X3qXKo`Px0
znIB>}A+L~LIZeCU-_|Q~VM^rcU1dIX9JuijIrP2LxA!$rjYcgLb4etxocNo<UxoQD
zcZ`w-xGT8Pf>#M%2cAd#R@?Z}Rra$G???|-OEoCK#4d+Hfn^<Y*#Av!{#We)h)+ow
iwRe0-gvy$jm>kOJyotvfK#A9-{)3C78<veBWc&lKDp`#H

diff --git a/Shorewall-docs/images/Logo.png b/Shorewall-docs/images/Logo.png
new file mode 100755
index 0000000000000000000000000000000000000000..e8c518ca9340fa756c58d9cac667a0e6fe2e3c89
GIT binary patch
literal 3293
zcmbuB`8yPR7skIcW1Vp^vPbrPjqF=9NEmyPozz35tl4YE5@QP?TQahfr6>=w4i9A~
z#=b8p8nR3Xum9maKiv2I>*qSxxy~JDZh8}b84dt|8ye_Y0sy&)07VD8(9S5^#0w*u
z8(ZDb(>tY5C~zhWBl6bYzkkVO^8Eb#`uaKou8X{62S=#W(1|m%xzWQF&^i<@ZZ9t0
z=VB72Ts&bMmjkXUbn*&j@ryRf%6$}&SXS4Vfx%c%sO|A_Qbpy+4Z|EI)m<&^bwQCh
zMWw-(j-9x~O&iB8UcvIfkVYMYavSIWgq2?hhJ97@+V%B6k}&Sl)@yHSp5T+}5z|?;
zcAk!n@4;BKXBYogwqBA{to93CyK}eZiexZplB^ebvblA<zP@w8F?}7Wa$)EIOVeBD
z|L1_Kx3_u#K*Sm9p{;_a*K$3=KB%+c94pu{wyZ_0D&|sO$BgET#>X1Y&+oK+F}{TI
z#eS|HdvjDI?7HrzkewYpOTjw$wb?Z{>;680AVu~(j(#vt)ym-)DbVi+w0dq*&dybl
zA>KRt-!=p4m6%C<F_G<L>J*p-ADN7J?rIV1{q-JOtKsk3F1pphY^AvJJ#qsU0u<+I
zhGpfUjWTn4J!|e)RcQ#3RIVT>*Qti-w_5ub-TTU%s%9nYo;m9|XP!z-Scb?#fWv{E
zk38byYNE2+KU0|oVW-STw=G`YpOQI6LVG|ueFP^;u0bdaJP>hHzs`%w&H=ELf^#R3
zaVcle8@iLBL5o^*&uaGozX1Wuh*O~Ow$Y+WAX~KNXHP&DZEakz6$3J}E3u*lLHIJa
zu|1mEPuTjVnncltwZBwWYkmAU?y>D)IbhUJ3=%^m*PAOVKH2QvC3*N>&K!e$9u;lT
z;*k;E+2Ypg6ixLzQbK@S81&#x>LZT~5kdJV>8b_?*%M63?)rF0&a?1v<I*uo_iLvU
zJDq4{?j-%XDHMJ${gQWmR%~t^n1$dDv>GM*4nnJ}#}u!8GXrHL+dfR?IGm_jDy;ht
zM7TGx*S&3FdFWAH_!S2ILIYCIh^Nx)G1jUyPO?U7cfUZ0U8xhU{&`}@mGus}8E-5e
z3HKh6ls*tJz4k>_Nkrg1$x{80c3-U5u6Q&X1W!;6HO|wVO0fZ#)}UxjEfe(o0yoRC
zOK6Ren1JuYdzZX^3x6&O^<k+9F&Z6^%##pT&FdsB?-5~K3r`~$ykoQ&=wk}2NjWn-
z1f7?5D*h)$Cx;#Qqoo5NN#}yuO2*=cBigu<eht!<U~7GkCm!rL1KivDTeE#3QSN_f
zGxIjwA-E_>epXLTsc!^+K4{9%iI4JWQjqk!Ekht>Z}xjq+=rPT-<d-|xiuC46c@#E
zHuxPoD6<4PHVOB{g9o&s{O)taEBGk~CPF%#e?y_pLBqD{lO9>1vLXWmsa5ECI2M=e
z<;6%aXMM_IZVqb+rovgGawUvNP+Yg{#bI=#8>e*3v=))CSwYAU?)GSN#mZuIOIYXI
z{39jh2!~}TBeXaBf#UPd#!3)`4uF4M(FJ~^*S<g4lGou0cqb2r$A%1pz4H$B(?9G)
z?tW|HFdv>XV8#6miNhx$a$V=2gZ<c^6G2X8$K5}k$v_k1zAVCjXO|DojB0VIOuARS
z#4%ctbZQvAqGD`<ug1^&g?5ry*1Kx%a>O>_)E!?8ICks?@MXPlhnm+jHSwElPR|B=
zBtn~}y$K$d5*aX9NW}FxAJ_F-U*&>=F$6pxg^8Wq*9u!T(%>}FoPKdUbW)_EXP2bE
z^CdJ54M9Yi1uO2#p0PE@Xb&TSV%^mJ4tVBTF?i*5n;mmH#wwJqUkIZ-sL>ZTdTsNn
zI7*QH0iAM5Sy7ToE9Y)LKTueFG9VJEKJI{BI$@EDryFwP3)?F~h=woc4r&S6C{iLM
z5xt67`*T0CC2*dpw58?ncSWWkG&?^)Eo*!MHPvvHWoAJIQo@t?2(X`NId|dZh}@}z
z+wA(vixl7B@r~#c#bJ4$A^cdSEIlB)UE9JAx&`uBJHh$eW^FN_uXAp%2Kq(F0O{V2
zPsg%g{$2N1SNEh?Y9DyUZ42Aize@V63s`WmMXdioT;_w+jqGHpcJj`rpB$>wXbgG)
zn-vR?%!A{p;Rh%-DQNaiV$7_GL)yw!{F?CBR-2u05Og%)(nDia>vbXuitd|7TQ7A<
zamv<oEpQ8JhTb=q_Jm|rZ8OElK~m10vD{^61_L9_5MXGgmlD79=}s%T?f|w9!j<DC
ztA&D1l8OBAMRR2zZD2&G&z6%$67Nz9u;DQ9Sgc$-j@Je9ab=cPh||$BZHf6)9}n)7
z1X;xt8;N)g#1ijbU6eiACBuea9u@YCdn?Yb)Y1x-smll6P>ndT;<VCWML0uINPa<R
zyx@~oEEg^(@y&Mhu@f>3op*E+I>7z{@|4g+<bTH9&A#kFjbnCUkmP(a=6v=K2pjiy
zZG>s^R+tFB$q{&s<0_2|pdoNcSPL>v7?Upp6hNB88)%2e<BrSDo0)fh2#MRT$r1*o
z^Gcll^gf)WUNm`Y#(Sqtm)_q8j`MbEE~0u2=Py4y5s$`w8p`NSA?W9S6!jBU+<BWG
z00|7^>~~9`r|%F$vQcWFDVi4k_TWYFcA0be{=XmIBg)2`q;Kj}elL0IvX5h9_}!y@
zpSnc~f`^`&K*V3U!4Ehbo-T*`8{0DJYG-ZHBrpz3GW>$>JA!@Li}&JB+W<q#{k1w}
zuhbe_w)beiq?39;Z-N-&WX{rL>!&hr<i$<){>z0cI(D*rszCOksk@4g2^U=S&xczu
zx3S^AF*44V*@$Q*uR|Th@6_h<GDRDR*)a%)_HMhSWxQGHr^guHW{48z>f>dcm}IqJ
zUbt9a05z`0$uEf3pC~vmmkf1T(vVqAZ9eV+nmbK3!pV(iUfl558t(7EYzATS=!PsK
z>W^NaxDO(ox9T>2OKd)(jE@Qwrd5uH8vAXC$Nwk#H(`&Hub%}>MzP)g_0|Cc>)m)S
zUE(rP>N<yb<ZKp;wg>Td>``u;q+6SBZcvcGz;pZiP>*7Fwf*y^<P0c|IKl`2xy$*v
zJ%OuTbfu(Al=l}})sUn8_IAlFbl`aKq6YXdV+;j|v{flc;?4a0x~Yyxd~UT!pgKHx
zaub!L2>OGnl1m-4O&8woP8zS$EBHg~6rR1L0{clu?^U0LMNO~ueP%lht??p7j?WFg
zgL}vRAewj|9f#Hme{!$U4Vn?|NZwKex?Xfh!(XL8sIA2lD7FR@JwKe{R!8D0(F_Tv
z%5!;5Y6;Epl|a05{=>O?mP9P*;#MsmKw}%XuB{k?vTcmBW2;DUJccF+lEa=$ZPjIg
z-Mh6V=bg*fxRBHDNKzVj2*gLc+{ThJqizw(+{V|~wOrMsvgb@-DT()haOz0TOMv7U
zddapsaps4sb4p^bH|BGMv|kfKTpJ%mgBwAyIEABd>cFHb3H~p0_dqnd{65XU{BFX>
z#gfaXr_IFEwcq|Im4~LZNE)g9BC&v<2@_obX&att)I6^x4J1>Q=9aFWM%(F0kmgPO
zh5TY;#Qj7d-?oH6a6w)3AqN7h!*1=!6x_%@CX}QjulwfM?N9Yl2}vxu{ekr0BuBd^
za>m)?lerH`#0wrvRD;_#d|f*lrp#0pnC&|xvZIILgjaMkX%mQ{y~G<kQ%`tALZug-
z)V@6G*&~D@asBJK>!m{}yf&VRU3JRSLW+<2E~geKxlbL`3gltCpxg=Tn->*I9PcQ2
zS4zewm0+KmuEohLK+u5)X*+zM9ewvlb^bE17prQDEX~um*RyZbTUp8$5`S9O7;7RL
z)jMxq8&b`4IeDkAlOXM$(M=tZu;%CTzy(#M<~&T_>qV#bYJ+7)xj&A!o6no|!{5eH
z2GPI<%vOJgi9pYU$rZPJj$zZ%e70811kp6zXwCXFFzs!1+3?YJkm(ITOg?#q$|MxX
zbdkgmqe<t%R570(HyG+w-n_uY>k6GQJhjczl*O+8y}PN778!h-Y3>vtCzd7boo<*K
zfgny6Jg;9hdnZGOZ;VrnzLI&JOt&sUP?*XyxJHvYU_5(<?EiCTO$%>SuA<*+rrI4E
z)HyYj5VxJ$!hdT|S(j2c5p%rYcsM<K*tl9)icP!eK2+58EJZ)^yeWU#Fmbmk*1k<8
z%QyJA2sQ?_`;Tf(MT2fn7B1cwudu-VH>ic&yr<(lp|-!}Ki#7>GshI>A3(OxJz@Gm
oR;tx&TR1)ZGZLiG+IG(58TrO|S7XZiqTvI>8>V{IIxdm_1JA)K+yDRo

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/Logo1.gif b/Shorewall-docs/images/Logo1.gif
new file mode 100644
index 0000000000000000000000000000000000000000..5f44fb3f8b03e7eba58c0ffbe9c4f2476993cbb5
GIT binary patch
literal 10788
zcmdU!_dnH-`~RQA;W*ql_SUg?PPS0T-a7V7hmci9HtE=#W6wCqrq{7|9g?l22t`NA
zXoym2>GS^n8Q<%6{doOy-R_ScuE+H-HZ{`F^tcCl1Cs!t?DOx-@%K+3ULNibzIjDi
zn5v$g8(7`g?(59G*GWmd?cY?FU|^&rgq4+0RpAs7Ml!QH+g;76Z??JQhUVqfH1sLT
zkGM*34G;EEx@2Jza}%GIq<<~R+#>CQpSM$Ke#pQ??31<dnQ5Q08Ml<~%fwnMyN0X}
z-%5U+rmTLCoA_ksHss&mowU9k(zbJ>Vbdw-iSw0tJ~;^)!wZC@=dLbp{*`OlotvI_
zoBVy;9xTv2f-{<_+gGmyUUp2sWD$JD<?jDh`2V*>PPz0$y*<Lby)cn}VZInUUvG@D
zsU;qe2mV+84-&v|N(2&<l2cL>K?s83Ogcn19X&(`F{G81S5#KrsjeZ{*45u_Xl!b3
zX>Dt7&d8>8c6A}>>A_}t#PG=IFslxI$HR$7lT*_(vj9lX#C`wiaM{8W<kEep;lJ*U
zO$q|Z*hu#}8-eCzRV|%6_<VTu<!dU)$g9bVdbb0oLhPY$ZGo0EXRTlTlF7EmjSX0%
zp0*T<=tHAfyvqKsoIY1m6A%l29AVV)sRSfvE?uv0t+_K3uQpu+T6c(n)7#5;s<Y`y
z4bGfzFJ$ZPebVcm;t~9@7(KJh?~dc=UmBKgq6Cp&IdNNwm73lfWqdvDYu!4m(uCRP
zGP)_J^zxMJvWNRnam|qXM(hEYjAT%^|NA}M(}@qYDC<72;S4a|e7RzeUVgPcXmsw?
zCu5@A>nCuaUKAmu(ETPiRd|JOp!35EiVoj2n{()eX4E^+h|IBZy;kx?IU+6&dZOR-
z0Hr>%K6bRaSU=279#-3EDrPi({L$6FX>6>6Js78bd0(G4?7^FJGu*0cX?yNpIk7MN
zWyI*p&h>=X{ZN%S&!+vAVg_Br6UKr~c}>c$yA{d_`#PD^-C*O^@W#p=P2|VjlH0F?
zyJ+fp+V#{7Zh1VAepZ!0j{YZYmz2ahyNH8PJq}yB+AOwbQu%hew{8ntO?s-I=ROrB
zYcjdfa1Ja6G7T^@?fX)&q76Y%L~L>#$YI@FrP7&x_uVO%w`aI}UC+o)+$73-$y*+Y
zrQzuL1IfGeg2!vR2%;4w&%ACFIp&lkZ?Fk}N|D(q@imfdk?dZk_>e}0Oy??%W$b+F
z+*N5~447m>D-x59gBT@>2;*&%%zi8&C$E_xLWkBx%F15xtuJ$y(AcN=&=Yh~)9$k+
z)=A$V?z{dCOmQ<{^*T&IN>vddl+;}^)Y^J)XnbI;{A)wU{yh1iUi>!~F^c+mGTeDw
z5shP+mTZ&14ExDuHI&(KOU0l(aA38359QPNMk{TcNh}+9h&p#VL0dxXZJL2Ln|QKS
z{lS==WZbtB!OPIkongfXcg_zB1-*+<wimgn^reAWIXm;y_)E1vhe#DFkOVSyG<8lX
zhH5i`>Iw4t#oQQ-D#RpBdRVAlFrO(}bYhH?D2{8j5dC8kN}ZPvN6oz`LSp)6{)PSR
zeSwfCyg~euooip}cI%T5sw@}l5ILPx5<_@;Q*_6*Z+_@NDX#vH8KZo1!&KQd7TvA<
zW=Zaz*BIhh&TdNqQi7>GCqmlb$3vW!`J^XKqDFo^TD-VDei~$-(4M1JAc?pSqT!)b
zRg~Z5X>iDmi-rF8K?mt|;01{`^>TSTnlI{YTu0xj_HV(TsFE{xG<Vn%xN7YYZ;AE$
z&7Z%eQ>ssdnVu=rp{bu>G>Q5WIH~x91gN#gWaob%24FelygyT?TtP9uASkV+DWa%>
zz;mR&($jUq=XsA>Bk5Sj9)MLJBw5N5=!40W!{`qlYUGNIY7da9YR`c8q+p8o(Zl(M
zOG2vBTk_nC0CQDh;Fbsg?e#PM?zpb<;<ph>8zUtWqt9NWL}0}(>KXx0(A_f$5cd~D
zJuDuB9I2yx>;&Y#*8__%`}}cIi^Zt5Rg1DyG&-^g^)cHc@8(z$JzoPK?-HnOAzm*{
zC05|rlBm*#3sp_pmKvQmS<s?j@M)u}I*R2w!(M{4A>TkyQ3#q|+6*aH@Tjr9KtByj
zET-pVLf!wUR_bL?c*9TUbnB_ar$XHhqoi)@6mkekEP<h9t;y$ncX_&<cs>7G9s-Xk
zW$I*vIeEogHlIMR1P#vmrC2&Sk-;dN0x3=90pKGBs@JA{LLIii16@_H^!C{giIyk$
zw5-jl6or2gl{PU~OTq1$15fof#B(y(8-x3yLe;>v66iYoms{0lpW54#bu#Ws79O^s
zvvmmW)r`Kc%Y4&Aa*rgK%XI0LC<Q*vD(p)II69i98PO;pvZuwI#{(Pz+$Lr8h1_n1
z5*91tN#vi=+uf<Hr^CP(!weJws6RN?!8Kw$38*$FvB?Db<aZ#)z`nqot*PF}OC4Q!
zs*LL_-;p-1k*{n9e^H-kE=Xw77V_rwK6(U9u;u8{En>3G7F8l(kl|bj?ic)`cO&iM
zjUkCD=7LdiQ5>i`&Bt^Z+1Z)<4WWn`V;)aTn2m?8PV6V7y9s15%@?D^FQ+38RGtYT
z6QhEQ4OjsIr|8X2bbP=wbEDAzHb#`f#K)%S{N~aV_`NC2<*j;U(~E7QR45Cs*~Xi1
zeyQN;6+6UPxzD~B4g9R=S$S8T@$kIWTL+PIcl_v^qku~>?BImLfxM+DGWp9h*>T@{
zH-9q{PaCWpw4t!-@O!aZkTz4LeeZkA50W6aZ<{Nt)_>{Nb6_UrhXisOgg;IY`SEJu
zitCbN6CAk#e;g+(s0Z$-V8_3YX+SK>lBNE+r>|S~z|qHq+|hKiUHY{wRH{FZga^Ch
zL9YliaVZnA!~R>m=WfNL$5c|cRVkVZogskzf;)+7!#@{-g%e;aHx8{&k>$iz9O^Jy
z@6GcU9g3PaOPcH&UhNQ|N~chDVG&id46&aNd$;a)WP(;K<_T9B^)4G06#o%cEgoHd
zRdf5@<mNs9@4A6E4zl-gIYR<{UflmQ8u$i~jq}p?iS!0kAC2GZ3yPS1NRXn3J|&|V
z?!^?dem`H&Gegt(f<nQEcbhJ}i-vd?#Sv!L(i<PYe`@1NMXYNOIe%%u`U(L2hZo`|
z0S=OTR91I|ET$-zBKZ5H!kd$R)2U_sC*M++#W@bA3Q%kD?}=T-?K+>nC%s;7>($eE
zdgVQf7A$_!J9!y!lT;<vDNH-`8<1N=EQfS=lc?QnTLl}xIuQy;5b1=FJ9CVg{-C=r
zGV%!(p7$OW9QclqCn}%mFHvSbA&y(26ANqu5xB#II-cMlYuWQ>73U%!cIR3WH4&9(
zG{Bihs%M)&6SDRr2E51J4jaNn!Am=Gll=I^oQH$kjt18%^f8+pZl^``=bXTQB{wfj
z<mlfY{tLX0U4haq<qvVw-}M%^h!%$<0v}j(=U=1RSS)}grALzV+L*-Z1{y-QjrVOV
z_OTVLR($~_MBR>OA+FJf=}0waDw2ta)iUn*JYGfu`B(F{KqWVe@&V#;gkfGV2jhU^
zmF({T%Lw)0taR;fZ3-wzAsp!>3DS->`x|v=ag4Mp;Du_+{j8c3E;#YQ1M%8B{c-df
z=xBc#`slw#=hLgUfOxtKO{FnhS0ln2h3%z6b_lTrx<P;O{zglz%OYqtJeY6f%S?i0
zYykG)7@U~O(Y2c=5z)Q&;tEOp3%lmkWY}%T#Rvvbr-WMqQy1wDfye?WzwgEYsWHXR
zSm$a@$_gD$ycOgzkOF6X0eoAI0>>8fqcQT5dlD;4da?u}*H`#L2@z6-1ptUHJ;uT}
zt}_yEABlVRRq0d`|5!BzCi!bp!J`#0EZvWfS3-jZ6%@wE(O_{W9;viM7j=Ut;}_+7
zwY5kvk{G}gqQ|)iNRmVTT(ul&NYbDt#s7dV`tt3RnsCxmkr?>Z?k!rsf($wBs)pYl
z05TJ9v(<9&1JKJlNDa8n^$b*&u)Prl%D(kzlul(ZNgcd<gK5=JD3OmjifhUwxMPYN
zM}ZDkqQg$4h;?a&`f-!SoL1-jPA{n%FWaSG<;JMdqUUxkwS6$0G=Puc8dE;J?`!hA
zSgN!vIlez*_Gw1O#Kj27yw|(&RAjggUhkoS(hUs&MYIwo-IgXnz0EP_2+*JgxXNkE
z$(0(%8!o<=davJ>vYXl`W!LS=lCx|${2ca<Eb!*Zk;Fo=CUN2e@}oRn8%{hkd#JhQ
zSeX;lmH|?m0^PQec*~8)4;b$c<X&%-&MVVXdIz3&vVNr(-$fDDF5-A5uD8#dxA7v6
zX<MOy<F@*XboE*>gx|GSkrqwYvJy(Oc(8UGg(Qd7V$zSaOrN0tcrKx*kuwrTRX0tI
zRndL}upUQQLPmkN@hPORmZl|PB>Tox*%@EXg*8=0G2r0ElR{M-U-p2S5<&Vs9u%WN
zZy)k;SeryWDvD*efahbf*;i2t4io&6>y!aEh`KjTr(M94c(>1eQ%54oxs>elrDzaw
zmz1vt7dTo*C~Nl-0LI0t1x;03WgU<{c5*eS`%OijVX!bGovv8frc9X}0Gso|I5J?Z
zAKQfvP-*c+kRwd3QQE=8BYJ6t)N*oyMAc6~2wky5WYGX6%=jv`3M(j!m;-k18_mGy
zfub+c5N$VdTjsW5A&c-$!Ra6A=6n%j87b%Rpi+3%a|!&jHQV7;ZdFDO%#cb+DB<tS
zox;<vb&9|4=;_1ai&}DTERiXNk0U*{cu|GX#A4H&H$GmE3(pDbCkyIX9O+dkHzb*u
zkh2Lk2MLxuq@qLLimxWb@r)cdX}r2Fs7iEY^JvJtY2lb&B3uDp=C2D^s;dhtrT6nL
zIhQVc%oaQZU@MwpP_V?JR(UkO>Wio7OvH2=N}G_i{Y5t13EYn0icdJ}@`h{TSkA`N
zgt@{8@2^)F!>j)Yh~p$XWhQU+H&`~iehi6UO0-1a8i!M%Ywt-ySU8crPG<_Zks0xK
zQKa>|%XJ1OCLkTv3CEmo7pK6wjE<TvI*GD|fxD@EB|K_060Wsb=&<<g(`%=xiFY<h
z{0E|v#j|7qQp=U`3MJ}A7NQ0|w1J<Jq%cuD(GNFPn50W0SG_Df^Ys|l6i_WOoiXJ-
zL%w}6spdW&zAAFe1UDT=9$OPY4%?1(fy}-)g&ljdt;UIRVlqj9Y7sDA2NR{rS{)<i
zR=oE#EGB9@HqgoFuDfP~MR$f;JjO1f4cYc%T3i@Cb#0-e3X^R#@GbM+P9OLyvqTaL
zkNo)0d>a5A+=Bg8rOc#MiEXce0>L+wLVZYwYS$A}xC}RixEMd~cgn@6pLXgP%YsvE
zz>!RSYg6|-{o0iNMhZoE{zwksC-1oQYv%X=+plyS0-FX;eR`$Ak|YhzPJ5<gOKza&
z0UyLXlgz3KdnWgElY9EjnkXdCvH+4qI)BU>D?6b#qq&!?3)m-Fy3HxQTUD3S2m!FB
zZBZ&3d+4NK;OT7NIZ_L~--YseU;6hd)Gr-MZT*}c_X_zHONOp&q$RJ}R3^8f5274c
zshycjJtvt8XQ|2C1z@51U?*V^n&acar!p&<p{37fIzSIypfjDR%+{(u8`ASK3fn5H
zJ6^JuVoiH&y3UAM^HR8k<?8iqFKCG;4<jYz=DL)r7k7>CDF*OPXE~yV!bn&1UX$(9
z5|XBrb@tv@@{w+@2}F7S@1}J1Pz@WGt{Rs;9T}Gqq?E>LNsVhVWCaNs4E+P)XftR@
z!swFEknH!$Ger0&x%GgtdA12Z50w0AGr1W7_zS?V{l=iQJZ+VHWEB+{LTkMhW?WZM
znY&xNJ|fsJ_du_h6?b=sfGv`>)e{((`Uy+S^F?~Mgt<*c#7%`)f#!0A!DHsXnxJ?l
zzj%3*7Lm2pjs(;2n%(#0@v`!y-b=$W(kF@QwQ>3>OdIy*RT-K~6M%0lj2A2$s;pd^
zkamb8r-6zr7`^Hwa>4sYYS3i%e58eXbe^=N-9Dh-FlpYZrx2VXs(qFXdq41}#bn(4
z^dF0hlqpj+ili@SD%qd4%6j@<OH%@KIn)LFXosvof@BUstF6>eGU?5(6B`)j@)5PX
z*$02yOnA{l$}t_-*a23oU6$TG6*);h>g>eJigt_I9GmVV6Iqe|v+fB=)}dmWwR4LB
z1JmX))VP8RcutNPP$>K<@13WD->l|e+1mQBXp+3%#$H5i)uk|}{i0sv#?5V3DJWov
zP;z=4Mul$zA9rKf&nDD3kIyt{!$K6u<|As?QA{cJQA?bdsG(>_6^AMXP5E~2C-dao
zOGqLN{86#!Bf+iDH5yO_%99{sWP!m`m~j?t3}5lpaS$Bs5#kekLm#_TI;ax7041Dx
z>=^S(G*lFAw<Ul2EYa!NtYb4k@L8RG+%UqDJg#$C!12-Zxrd0P>BdcSOSba2CjCnt
zkWQxVsES6EiPKdFW}yU@Ph)4Oq_Gj`szU!R9#mUgzxQ|jKT8OO0olp26x2%z%G9Hj
z)SB8GJV5M0Wwq2N?^{9&I%1(`0Q*WNCgl#1uP=KOg{~uT!bY>tv?l<)yW~hFc_r$T
z<`Mq9FZw5LR_Bn*Mf~IsE_zHv<&w;0m&-QwpDG0i>z;pK%DhKuVm)_MA+<lq1sPBS
z3%z>>4=E7#TFf5`E)1kD@UhSQD12eT5Hix~xNu#^YNI`b{W?s(Avrvwozt~LG%?dO
zL7~^OPU+`zmjKH<ZH3o8Tej27E}Q)3^7^^F=_Ir+%J=$Y9a@VmV0;|I)(QX0aZ$tc
zW;rl121g(^SDvZQKiIGhu>@4{{wG_hbR-37A}l@7{u&6GjoAtpe@y<u&P}%8P1F1%
zm+zpP5g{*O^6QMk>8d*P2Ftd)`u9yN=e81;SMA=_>c8U3SUa9Y;Z0dv(Zy}=YcfF<
zmg3mAABX)|DEWccOTAb8EWlTB`R#aBKWsl-m3S#fM!egnv+5j@zj~1DE#;&yAvj>g
zOy-E++?3m_38|)r2{T<e+CV2x(~*HZ|4rwR*E?NTI;$5G+-;I`N8EGvwryZ-)uq$C
zZ{_@H6t*(3;KII&{6+Bh+nr&nODShsKN$*$qtms4_nHYfllOlqPNv6A+>2LF9jj8q
zz})9gLUY9mT0f{T5vg`NN>phH_XjWE19NY|!IRyoO;%O(;`DD&7JDv3*y(g9;RVk%
zw|K)y8=4^BG~Jt+SJj^!w}{TWy|p3chSmoe%(?q4eW@Bdn{DNqwuh(JTDIJIPpYU}
zk2_APxTGJbdH2Ozw19JAhst;p{oX^yDn0(-6si4>PfooMB%sIgW$+JnUaT$ugO}oG
zm{5RI>Ek15$uGm5h9`8!Dy9NZO>9Y3YWUmUgd+#VAZ5D$z%a$HuF@^vt52z!jbC$>
zK!$jGX6h{g{EtVE0pll!_xC{y)*Lz7u?`K^qI}~mQhu@d6!VYW>VfT<OP_{%B~Nzl
zZ;`6JOX5hHoyS=djlw@*B1rc@DopWM|DtW|l@C8(0hil97s-AMwue`~fHBZ-gWFPf
zGEa86p(4f{N!khN(u#-+tas(->W%O>TjLiGo;v8h%h$cL`QhEt*PMVW?~}>H>fu%&
zeu4M@{iXyR@{xUIKgfBC#(a(Y>@VB-*i%7+2;aYSVsH`sm44!!4-x^-ZciI04z{P;
z+uhG>u>hZprm3@O3#~IhVR~(U4PLLu5u7uyPoqQF){{E%W~SKMQ#129et)oSIKa<3
zHlL#^sg_6?K4g-&_|q&00790t=A&&iazcI1*Q3tPTDF68H`=p6-6Kr*<IT;(O*~5_
zT)TO|^6%=o%a<+j+aLoI_pAGUyrm)!vr{-uiaiOJ=tt;Td}vW@Nu&&Yws?8Z<XY#8
z{@mJei^SPNGlO>Qba!JYmmFf5)Y2MavfLr8#Xl<OJmb*-&6EtjGCVG&c%TeQM9~WG
zFOi=k-O4%>QjlyIWawA=19DnR(Vk9vRM3V&SK-;`=5sgdU<_}vO@kdVfuTbb83CtZ
zMf8V@Fq0{cAxT-hDQco$29QX!aioU=@?=bZwz$UW^j%$q$W908IVWwR#pY>UwN|b}
z$y<LO`i3#=Kx%Q%ij8NWgl-PM0=V^}kXvJ#sBe(|&UN$@)i%~5(SL1AI9_VhCZ~Tz
zN^KfDsJ@JFGVDQ)EeEYqnF5$gy_^)@@bTMG7pK{}SZB5}E{#85rmqO;voZf{IgYbX
zN(iky%TZObZk!Kx>a)B#(!*iv_Y#5Y4<{PUZ}fazAxk^~cyd4{!6+U`Rf7T|6{>LC
z(R--73s<(h9G!H08&uh{U@TS0ZBzB|A?gCjNYHwEA!<DO7FSO-L*ih+c^tb)MAfYm
zo$qXDxprWJRY1-8A^qMKWsI(pZQ9hF=TxttG*RIew`g+po_ej<1-C=9ETwadbAe(j
zsbKXbE^j+Bg_r1Q$KXWCyA7i$0K7^=k26ZgnO!Z~3ojOP(qnhN6YhHdrhh(8cukkt
zyTr*7<Sp9u%TeEPdRN?J^mZde^wl*J<6jwrdPWzX<7MpW2qcinIy1PSGH5(HtFFO`
zx|T?;V$4Daev;XWFUVm`W@SU0<#g~TL!vi^L|Q+E3CHj4+2%u~R8~!SYW-O{P6{=P
z&+F=D6Dmp8|7Lu&EpCGSl6)t8p>@a~<_r?-g!h|c#0@3AyvF6Z=>*Nkj%NmfAKp!r
z$Svl3PCc4*q1S?uDseycpPX_?ntx&C7!Vg1FLNi2F({CO^^o#NUxlhW=hATt9BF+8
z{T)DH_=HpBo9^U4Ii?Zi`eGPyh}Y|xjqPRQz-Fc1JAWcT)mH%m8$q9$+yM44JP7kh
z6UHE<ozBq~lQc1*k;}W_RW{S5dmnNhYZ9Y(Dz0tf&R^UVd$CiewfJ-Q1%gRMgo~~^
z2}-riCL(gqlrAq7ss9Q7k1^+L3{0K%e){;)_dog!JCG1O)256Cx6;kqqqddHI1|S$
zw~02-ZKn8U5hFp>gq6*hf46pCqzdf}P8Tw3z|3z6V_S=g1YH(}G~z=mj-r}DTC039
zJav?3-79kDpCt8EofAQ$mjtTxX4R9Jv#-JssEf3rwajeXL)g4$(p94-pfiJ$#pa3o
zR*oQhD?XV8aGvJJ!f)B2V6L*UJ@&c;Rwrzdz$>m|PsuT^dsw)sewz6LHht?`J1nH(
z_@#RK{_@&kD(S=XaTlDzg3|{VI?oieJyI&@R(>);torDeilnsUB{3Dw%X-lGn9(cG
zY%gs)mOYK};pk?DC}s~vh(t9JqR|Kbc|&i8OGKrT5xj3}>0KvvkE75G;>~v@6f<Vn
z=cy^5g8|8l(Wb0nyD6`oYmE3!#`WJ&6M5tQH*%~L1mwfyc5nEt@)^_!PV6Gq;pjX8
zIz87Cl9OWbj=^C~##rr>pKI8&?*nPmE}lx+<kbX~b8F^r%JVaJ^j5GL&gm>93SFB8
zh{7!<86=Naycl`Q5<m7hqJT`NV?vLOKwCzC!H^i;2u72~Gi=B(It-A2vLhuL4cR0W
z-{fVXM?FnvDS{Q^xU`ipPqR@ybX*Fa)3THcp7$^{blws<-0KvXzj%3pMPDOL;+)la
zDtwmKpjhsdPSVQ{6zjc<Q;;5<@nDNxc<aeyPFqSpz-05R>e`45*<C-IpFy>ItzKi&
zXP!$#@OZ7;Y<n#<>Gja{;#!^5{hu^e+mp2c@r&>vj(6Jro=W;2lRGUj=~UFNmg%~4
zQDBiU_bP#stkCXZj4@k`o`O@a2YMLe4D#aba&9)X;XcRU?_aQS-2Z7-Y(`sMTqma(
zpSQAP%3o;Nv1=;s{pkI*0&lFe;8!lwYVFtsKNXIM9b8uMFs031f1^_7_s1u|1B+jc
z$wcgDb1=pQICb5FS{8-m8Q=fR62|urUBA^938Dev#bWxm5+5&LCcT)Sbm)`*+a^BT
zwLCl<dH+~qOj6<l`0IV?eQb`5i~t^#eq21F!Yl8-Jm>zQ;khQgX8PG5Ode$=YA}Wf
z`io(~<qGn^rFQuQrobdvtY}pKdg1k&K^Xb@M;o1NLgoj#<tsL)z2^kE4~cUD@Vh!P
zLf(pw(Y^gO+w*RQi}YP_#)no>+-uW{dk2v<g6{lOB6a6cK+KP!&HJ(%1qEIpvP}L;
z?k^tUY{XY46WsbgD{<<~*Wl=ms<pzQrP0FY`A+kH5}%et{4YnOFvgT`UAeb1sZQUS
ze${-Cn@H}HDsf?*w@3`>@S4F1>t?s0Ecm<o7U>^<Yzkgv{PgB0!b_s7Jim&$DRB*9
z72nlXTMG+V@J;O+{^!n7;jNG+Tj08tS^SjgBZ1*Jf<4}YK3?IY*Dwvih3}4B6@;zQ
zG)4z~_7bCes|Dp^Uka`&v-k#Y;aK}8Z>aTj{E&U=U9o!F*Z*z;*>~q7j{%@67p*>$
zWSMCGB&t_Lp+6y99=i1Q`{s;Mmo1}kpn!Ne_lkiAC5R07-;a5-$osZ^0rk;!+vV}C
zjc^90_rV1Hk|JeF<n-{Tz$jwR!nOjo>Z#7P^V@rx4Ce+P8dG*zvw_|lOV~kImN(gA
z`~{*I+2NN$U?oQ!L(KbR)*_bAaRD69$~O-i6;D5p9t=#utUtTV7sJ!!-11t1ju%0}
zKxW%$koL(TA*JK!o21iN*ye2M=mGTm{vs$r{f+b?eTi(>Uf;eo+@UV~mF2u~2|u2B
zvl2B@lG?qS*mu6RB`}Ikf64EIk9vX$?HhZQ(b6fKNyv1=*;lQur(eo0YUkh<GLnA(
z9dtjVWmSQS`L93b(@36CyX%>c1CB4(Ro`PA4-cT+`y@C@DuM<w_Xu1Qo?|?F|DCn~
z_uE3?n!;s}L+0YaH&d-`Z2#u}AcWN)P(O(A>WrFy{-$Jk>$St@$T{WLX53+V-+OB!
zrt{<Y*Bh?0Fodwbh-KhKSsMk6HMt8+g~Y!LDF};m-;EPVvW`mgNl=ga@gp?7UpLcH
z)&mTuV~850gTxncv{FAo2VdRD8~Rf!yJOH9Qv7=N?T_j~2WiN`v|vRF{8im8X)@+)
z`i(u#STU2}>C|8#o#W4Lur?_IDV>u4CH54fMs!T|erO!IaxD@=ixfsHRX>j-?FOEk
z2(?>Dc(@x9QL05d1gFzN?--mB!$Gg5Zpfu;FO{Tr9Ge-Y#qaMjULYqQN(QmkC7F~3
zs?lKE6u%0|cwE!<5N=3*CwY1|_}U7r;o<Mz1TheZw#ZEDTH;xgc;{7<S}5W6w~+Nx
zP~;()6cxl-9IA{}N;dX>yGukP6RWvcrqgb6oYN`tO1n^+_CuYBjIgOwN>Uv#yaQy-
zeus1j3iZ3NV^mPdWcsnOn*QExvB|5(z8MQrF&YVWQT?&C>ABK%usVg<;G0<s<sD6X
zM>O4%KxS)4-Ry8m?TxxUP<9${I33XGg-##1{_BKAnFK7N0Y;+7#Hz>SUf!3zw0Yko
zI+;K%ieZyS42x8_onyH6H<A-i#()Dv<IVjy6{d>Mpkqkc-zx}y1gjCRGOrR@c=G^8
zCl212??~49w8)T?D=gH!Zl9><l969ly+z9OryU`V1d!?hMoK3qOBJvU2J{%_FQn(0
zzp!}A8+xHEM|U7c-m#ccjHfupa7P#HrDUjL{Hyjd6lF^PsF-|;x}h4KsqS~{^Kx95
z1{=?GJiVzI3tFzvBoozK3a+INJ&)taCt2qMHiI##ekqDkMZ2ZND_zAuQu7yz!v2-U
zoY5>P(!6!euOQ$wI>%gsc#S9I=6*#G7hvyH<dhzu7F{S<ROoJ!fcwev-$12Ie`rc%
z_VdWf%OzU;lyW-b)boHK1EyTwsl+HcQ^_Q$Toe4j6MARRP={Qyx14Xcn=X=(npO(=
z@<lW==Da8_xfYrG-+uL9&cfpT+}`M-!!qb=bD=sz>W}mU?VoyMrbQ3^D&0(EFHRI4
zQmg7#Z*CcvP_GpM&S5S^#jE?l>wXFX<;hvnS3NaLwy%|tcO-W+s>f5k8h%_I;z{}3
zQuo@vlsB@pv8+@jwB{=^^rLa=XVMkUsCq?%tW@WsbiW#+>dmgAs^oOCv}lf!!)?2L
z@^o|dovG~8yplVH%aMY7B{`jUEzTF7Stt3Z*BwP%ZsQA87_9UD<*#tQG6qrqZN@up
zKU^GB#zHG>GCu!rxqf^<uXHdAn-urEoNUcjY~~-m<X92fFL~Q3iS00Z#;3M<@y^|d
zhCkf5yaydIzu>dq8xSv$?!S^{{2OcD`*+UdCL0z8nAHr-2>#3n4*peYh|2k`S@ys8
zPLzLnXk^X22x&Sa(sB*B%`eE;7v$%a9b1NXQc21;&98B;U3d<!3|tpm1O-}Sgv?qR
z%RQtjTBttov0d)f_bp`9z5lq~6=`)nrZr9eVxN1PXBs2DR_<&%H+k#<W17`V&XpsL
zHrVddd*k1s&$KqKA5}9-?Y$Lv5sGhhS@FH|fjODA$xcwd%WX)mfT08uIizslyw*^G
z*H$=Ca)Dm__e6#xwj>JwsnzUe23+@#{LLR&k<5EPIzww#V(OfdlX1IDR@;<wgUE}_
ze<+j=jRXh$r!N66qKj4cIs;{LT#I_n0v$`44KGcaMSVJNd<o<Ka7RcWR2}FN{m?rS
z2^{%#DQ0#(s<`KN<n6Q5#jx*5Xp9>x(CpD@Gx!<W_`e(wr7S}4v$4|+pv#M;+Bsa?
zb~}A<q_i8CdKyW3E%08!N#3T(v{XrYV(^g2`apf7r}$zg!GU<?!=Np1pTvjTPN%-D
zvRQrp0eO5lKSdu{OZGg*J}Nx6RdX&&0PsTvi&8}Z4m`*#Th$fYX85BCB*kaA`te58
zT718A?0CDN(j7z0XItzmYx5KXBHG$KwHGUD=0?f9L+@G}_xy(tDgTq_DEfOJ=h2V=
zH#su;zaCfgR`4Kh1&Hg0N3+uO+S~=7^W^cNj9u;We7wXLEuOiKUciI+xuD0fcnm+d
zYd#w3J(@n@<t9+Nku|o*+xPZ--`&ct>*r+=#eGJ7eN*7r@$!(8#Cb+6)V-d|Z(RSL
zjoYULjH`!FhFyLQJ0@qr(xC&c$8gMVPwt8^Twh09(gWSq5io{u%AMu0!a4R^^-{X{
zgzU;7U-lzKzRJ3+K>ry0KnpaN&~|wY`kHm$)@$5i(t6}!l{Rghx2f^me3meQsyGQU
zhCPTnnG9}+6ws5Gk1}ZXc5L`ZzZ=qBi(GLfL2b{{b5Dk&4F{Xa{?^)8DgrE1+OKd6
zPCL)f>`Axo*th!2PR@yp!yc2r8%)dVhceBr>k7#r78&-t&ck9>k%L=6o60B-5QnFn
zn;hxqpx3`1WVcNt+NUoPCvrw6n3|!InDHndxa7}#RKsZHtC<&n3Tgugm*emvxH-@4
zK19syu|32`o(-3O<eRN|zZK4tpY3fI<_BbeU^r9Y)I`1Nf#R!$%Odj+-dk+Tk8%Hk
zfm=S)RrBi_k`^C(o@&h$1&&t!_H@i%;25o|8Cg(ae7yBhut)_OLNrx81cf?WJ4PM{
zUUS|!SwJ)h%M9TbA6;T3+A`{R3!$#{1}>od6vz@T>W2@ldY>@_1141y6{$@{SsqJr
zOUv(^SUWD8Za7&s!hbEE+IG}2P;w#rN20F+M6>$^FrdIk8*v&~{tPB`SfBX>+!AmX
z$3BZ;f?QG1D-2jOfV=d~fdQb?R1Hx13n3nHy{yDp`#JD^gZ%o3n{g2TvKM>gL;a2y
zv45eJtP!hT2R_wHImAn68)obl)~*CBtCt1CY>$=^s?a(HB%<8^=Q3&)ti`Dy-y-}J
z-Pf*QUGcpCek7csgKx-&uUvm<`t7nd4wA#0q9w*Z4JtC?*4Pmt)?>y)Le}heh_|~F
zA1UC`QXn4|?D1Or>b3E70Y0AKNS}CxPFuf|vsohmc(je42cY$~Q6Bj&hXuH;WBrRx
ZX{YmRw>H>%Vf5od@6nx2P9Y?q^?$yeMQZ>6

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/Logo2.gif b/Shorewall-docs/images/Logo2.gif
new file mode 100644
index 0000000000000000000000000000000000000000..80156030037b649961a89945316063890eec8e00
GIT binary patch
literal 10788
zcmdU!_dnH-`~RQA;W*ql_SUg?PPS0T-W;1qhmci9HtE=#V{Z<!>2>T~hh(Ot2t`NA
zXoym2>GS^n8Q;gxk6*6a{rcf?T@PbZBMnWDyP!8P1pxp4{rhtK{nLk+hx<csUQrgN
zYv$$$S2wo%yK?V#Q4(+aH`gZ^7-<P%WhGQqI7Nh!%&ac<S92O#Y^~kUyu6x*K1KNv
zR|&4+!5&K17A7$_@o7o=*OJUF(k}RUJD28%3{J*ASqq<?@hO{iOX;~xth2Ij%=+-H
z<kxA+>i4+GPxfxZ{sTQp>)RpiJ2x6Por9jZTzSMNCm~~afspjv^^%)^<yv;vrsthz
ze;>E|3p9`5j27zl)hmIQozkr>g0Eb<^S=@P|CPuomwu?XN0_%4Cekm=7h~`1jWIU0
z!~^oc|MdSL0Su=^ATcR9B{dO*AQ;Z1LuAv@Lv#>BT3LBTWmR=eExE3~;Z9>yb4zPm
zdq+z~Hl?e(8$nMGw$LL+M#n~2b?7@EOg@~No|&BkKzb(bdrwEo7M>uN?m><J^=xcX
z5J<)*y4TqVG$*TS>HNXx!=o=>Q$a>vO<vTy9XJ(Y4}EI~w4OO@^XivOwgYZ_&<6Fi
zwNOMK8q4BU_J8I4xrUm6Sn%TrqfSgGAUSjC`h4rmU6^>a=^D|x!wj6>UcS>^%};7^
z=6ri0TX*h}UiTJ{;*Z7XnPq-=9zXxmxO@{Oi2TZl+e)m|^wucj>+M+U(P5P)%srRU
zO*y5Pr(Bmk+=q&5hut?~55Qz3gSx}t@8O=#e5gfP_eUBo0OQS<D-P)8SL;JY=U#m>
zCd$2j0tf0v5kd;xZ*o(GSNI0IKD?ml@XfHfgkEStz4MI79G}o@BVUvw;^Lqu`px%I
z>Z9x9N2`ksBi!T>wT<RtM&rjHUHzNK$2-}BaoU&n^=Ts>yg4_+t-6=C=l_)x`@>&G
zjIHckPk225Rf+R#I$SAc&_z69EZCISr0lv|p`5X=lR4cDHg1h<tW;|vKkk;?ejVIR
zQ_s_Gpk{E(<AL<EsswWMKWY1<B-Xh_9E|F9+{)Evu{)E>x6`wATi9yKQ~f;msVG^K
z$&H3{WHFFwgqdmImx2{-34$VGQxiZA>*gwz&h)$QPPx1T!=3ATM)u++QQk}5@<=QV
zN6#Nf-lZ2jUeiSottffs^<&6!=OlT9P54ua%ub1~k!-7E&oae_G$v#^Uui63?^Ext
zN*iauBoo?@m~0%xC{aY1XqRO6V*xpN%>)rTv~E&X_KI&qnTv$RKE;Qgpo^MupDVFR
z`u<?w^>1K`n*poWVFFUBiU^^k?vSCjw!6a<gKOnq8$0(Okss*Af4d|`Q9n<HyN)ZO
zaV#^E?edplKiRCtGFxt`7?cMNtdZ}fe45y3qfIc0WdjdT=T0YSONhNqGthPuPqu0}
z7?+cb`&J@&8Tz?1qIkdh{D@G{y9i|mk()|i8kv=|Ge1qdRQq#?RG|V%AX8^^*R*1&
zHWR3xAg^D{jlrlwOwyzWh3W;5GDV9{jByghacvf&e@sHDkL1Hq^Dl~!nEu&+VSoEx
zAmj;e5Wi&SJC=If`sITv%f&iHPN$T_5T4!?-3jfRA39NrtN&xhD4*OoU3QH{cPqa|
zlDqdchB%(H+ggB>U@FgvkT&@70H<X><%yH1m7j<fFYbt+0of<D=V=v4BJP7|cqmmB
z<#%}o9CqVkq5pl*NqQZ4L84u~T;87Mi+UT^*?+42Tkt2U<V>~Z4qF0Oode=6v0=aE
z^S5+L&51D6Gi5q7^%IOHQC|Wl6@QQbweFbg@(;uSEQg%;X6uzJD8?5ArL{Cg6g3cd
zj?`Cry3Y7K?=c%B9qaggu<C;(OIZSaFqv`~{lP<xT(ME(0WwwX8StJIO!Gc`@Tk#R
zNL6}Eo_i5su1XBt5&@vS0mk2**HvEpHbQA*q(ox$*=v;utk^|eBj5?TXEp)i{$i+y
z#bc18^^}iYfZX>6U=e12bez;`F=k`cs_Yz%j%-GK%=XB;IbKB1*T~1a1ZrD|H%L>7
z6*#ses<h!kRkOCGM%PUiv?v&S+N7$EV!6(+mmqD(HyBhDf~J=?Ly8qVZ0ab`Ps0+6
z={cED_dcqXdKnbn@Y6ZndMfd$P`A@4smCUT9D)){U?^E@_Br2Eo^CJRz`vG<z++08
zx)@<jUa?D?PoP(V250?JES;UnV3civl&10^@DT$wXwyES4qM^D?kZS%`|O8A%M*NB
z)@D_T!oP@0+nB4R;CAhSr+Pc$IT`GW!TnI7YT()kbe;aoZEAB*9URCy8FwTL4_ndM
zIt2F`M&H+EzUd*kM-t3sy7Wqv0-qKY_N4+G9Zl1WXcQ3H+iK3^0geK0Q!@HOZnr`S
zi<R*t^3Uk)p47I}5#Wnq28sYQ931Q5nlPRORJ*g-R04hSJCI{=Utr$ORPUp8XE&ZI
z<2uK8q>XFhE1Sh%)F+w?5}LJzyg9v(9s-kWIeK)9m~68}l?WJQI9G!E1;6OqNV|Ar
zSfYx#U`$*T2dd8SF<nM>b>)6TC}PH$ClV9p;^C{4`w8i80$EItiqYbi(-8+M&xDYP
zQNhIqtbl-X^kx@2KH!<TQRsggqe@}o<I{A0^XUov-W2BYHodZ$#dc9Dlm*vr<IOj}
zRPgkP9pbFq=U$8jepd9Xyra%|c;4!*qsX~xKl+v^z&eH<oK!fFw=_j2e|aW5;d}Sy
zZ${#2qm`pJ6jl>{H&zSMW~y}PdvEzc66E%6cV*T3FWqJy%%uE~K+b^h$4MeTUM*a4
zU2=SqBRAlW(^LiZz#SFr^!G6hh(%elG(7k8b;}++`k0VAmTtC7zm|nc_2-fBV0Sv`
z6JaJUWg>Rie~b6tsd)I9O6svHMN^?O1aLrbCsA$W=R&Y>0&L~Rq4g=UoY;m#9Y*WD
zdH$kPQS)X=vwh>M9RgJ89I7rXqKcLw4)9^`)c=l5(2B)8;VPrvVZ(yrKf-Fnqsy;q
zZoiw_yzBp6H}J+m_C79WSfJmF`=3T5-ypK-k@P(xy#dun<M;Z4B4!^Fr0Ahf$tZ@q
zF~zLk&o}VQ(loxHQ1IcM<_qtlA>KuCgxR(9rpND}+ImtE>l#GPUmCE!0s#Nvg}6z8
zqvRfy)m<TrDe6)Y{C!H{&B=i2^s@ewZ>h`T9EZ~dsI~a_#O~q_oloDBUN5)z>1jN@
z@}5Nt7C-5mx(v8UsuJrJW*i3$$Za8(!@9dk)E>62f{kBY2n8gFbVkUXImXO<(A^gq
z{e%k7dk+f^en-d?mCp>6C^MfBC#=wk1$Kc5++jjJPjHZp?D?~b^N|mFaxICPh{`h>
z;Os-yvn`(qS^E)#-V<(zjp3r8^^V*WKRz+%!O*so!L<r~%qEB1X%YQ7XYgOi%?pz`
z`u9fu0<U9Npma<5L)^@Fy~Qn}#o?&H2NvB&uTkwR7Qm9yLrHpVOkzzV4WZl4`!*K)
z*a}vwxquR)ZpX6_*XYA^q*^i+$wb6z8FzdhFC&5ct7TiDlAA^O0P#4&FfW*caZvF}
z_IH3~lzMPhy6(3&1r($Zj&za)X-As_O**tVM%oqdLJj3!R_zHFoOu7fcwO~C9K8lQ
z+Fyn~`mfRX^r|f&p6)_(X$;rZh_EJM2dR)9LTrI<&|kd2(Gu&j2$~HK<{SAklVBNJ
zfIT<{C#G_A?dC~Dbf1H`LK6SNu6Yd^cH6mR1cRtk!YzU6i*$!TWPz05cjJK6nBr%w
z^K~X=g^nlQ3i238fiu1UzAZ<AV~hFG7<tJ(iIpWiSpt#kD}14Z2&uvX07RD_W8oXu
z6^VC<#6A0}bSjB|teOIo{57fI(Fz!r?#IU~p+SQR3S;DGu(&giR9fOCb%Q4p7v=l3
zwMa0M7{C;w$GHedl0*JnwH$3s(x4{A|9~#~^6iwGaMDtd82HuhE!u#B3_0zphTk3l
zG81mI)p76x(93#A4Y<wq3{;k|yAcJ-zV&F5PGvAj9lCRaY1L3Dk&iiwYuY5ZbDA4R
zfeu%q!%n1#^=XCraZ|>eR_FXqtyPVe?bEMvW7KHT^ShSXJ{V3Kz{hZnDIebVHThjE
zRa%xDKaer^G$Uj3VuWPg>)m)NGF%6*_rO5uh6aElS_zYGOOv3!mY8z{Xh;KG<+S7E
zN{!<U7vD?0J77oIP3@Pm@9|{GSvDMb4tqxyc=O~)Vxd@*IPpRGF&?iCXP((T)O<^<
z%n54C0I5xZZre({<;LR&jrRw0uQy5OmFX$H1J66#ywZ#BrU+{naXb^(+vm;Oc#+4n
ztx&*mTm414dYu@;@7k+Ki{@)t38h&)So@7alH+PI=|@_oPtbon*611Jtb|e3O;cl4
zwBI1C$5ED$QQ&QS3Ms6mX-OE#zA;sH!IyJkO;u40IC$}-P!-3QJ*cKckbaK`#c0sm
z2YehhCQ%QIVi_*r`Iv0?Rg{9m1i$1uXTXi3?#(l47w{zB?Q`GMk%)3GC5L<|8bsVB
z<*UI3PL>hM+WiE8aj|MaQ`Jsc2c(akS`F%XQ;}yFEX+u!D^|8CQzi$%=DaYD4A|($
zcB2DST741Z2vZxBb};dXURoiwoSYz0^%D?6SL_g3G(ZV6zDlja3d$npfSvnB3-Ecc
z=!-N&+l}0oxoud;B79SD=100YU&MGu$~io!6khdQ0{?8yZe*2Pm5~E8tWpw6_&Zx&
zc>1+o@mIB;J}kbdCHKY>nNs*T(qoGkRTxbyHqCkC<Mp`koUnefpq|B%UWIaFl8Fg9
zn_zp8V97%&I`pmhYC@dI$Z?a#tLuWQL{~PC#>|@*PU$7W72sw5`f#QC`mj=ZKkt%r
z>B7fs!NUNyqB#ZyODt-YN8_u$c#6(O%%q{T30d1;WW$}o?Fg>;gtM34a7`Y|*?O8V
zSNP!l^$KHn^&bLpoMh+B<gI~5%NEy<A@NIzmIz$aNGf#gJxK@)C$iV;OanJEBmORm
zw0*yHoq>r7NJn+SG3PtPDX=c1ljbFzL|MbY-Bi939yJ;X*VZC*SbX;BwbRtZ>P-^=
zfv9Bh99e+WdS#+QiF%QRsDTe{<fkMlOcqZLz)ck<>5|A*FH6sSJ;pT!RBKFEOnL9H
zZ+}dxxsQjhiX1b+O~;AH&IFLdc3>|-X5X8`j=kAd<3u?znIu592$-mciBe^4P7(7f
z-g_DrlXaaN=wx*F9kZdL>fu(8@r!6fw*8paON^encF<9U$u=7JmU(xlAN-YBB8i1Z
zfBa{@4S<er!TzdJW>Tue_SZmx;2TPzKBPmn?~N&3hMPk!89yFy&c&#ocIg<)g41lk
zkxWBdbI&{dx|D$?3Pt$QksQEJ-nlfOnLqGvztU+KY#uuG>5~Rak~BEG9GH?Vxq;sM
zd=T?&GOH%+ncUk$?j0~|rjR_#0!R|+{4r~+?1a9ImOipB;E-hLHm~$<Rb5Ua1i+fM
zN2zG+p_77vr*r-1NUijK7s?xa>EEkRzjP|K4{&<iE#y}$8NRZSmb_+LncR*(h;n45
zc4ad4o@6SVr6z9|fQ9BmU4$WMo{tBg%B*CDmOh{92tBw2o#{$two(1rn4XtW*j`!F
z`I5C1YuanueMZcNm%=41*Pw5AK}$S&1Su&u->po&xNCe@F@Sd_%Lz3cM!K5!n(UC4
zkTk8Vv-iG|k92!YAj<oHnbOrmHEcq<YC`sObV5duQW~ozHKECn6(nRZ{11eq&7dU-
zBWs^w+3%HSi11Hx+W}+CTr>U=Q1YkU<YolmF95&x8;8>Jv{mwvRa9UYt@T!zaa~1a
z{!ZQcsNjIyeZ68<+?^c)wn)}aPhdjoCoJ)ZFVed;%xyX%ZaTaQG?ya`9W(#c1jRG?
z#mk$uh^%e)B$$TR?71tCmz5{=S&zs_pCqo=#p$OoZ8(@$WoRx<0=}^@Ua)MqvT|us
z+A)rt1}d^(^lFmG1@9lKK~vd}A}!RT^Q0y1_W}LJDf2cxh2RuX?Xzsydx1YKrs5vW
z{IR%5nKo6UNcw`Nk^@<*tf%j_G$k;XLoZ<;?vNEokjx=ywUzowCcVXVas$I$KB|^C
zcmHp@2`_qBIi?dEJIIQ)&(gcAA}7g5otu1F(P2@SW7~6NA}ca*);%G~CR9wbZhkRf
zaK=1_8dq=u&&e?h3WY!At$r%_&FaxBJ3Aj1O_JB!*o&yG`V{80U(}1-xcSX01qJLd
zN=}c%sPIkT;~p&g*@Rk`iP=VNScn4Ienjm$i7CZCY>g8WH5Bcv;!vfaDc{chWS*LT
z2}y*3KPnb|B)Ijt#saE9c@jj7EHHQqGtPlc;VZs6j)G&oLVSX6=wp{khg5<WpoBAz
zonl^zhKi!?x8zTsB|1Nwb7}zyKC5$&8%J4^Cv*-AI6itl_YjdZ-MDFP$yWZ>WMHWi
z(#g~vQ_+YralY!vER?|VY5WY8G(HMlRT$XCgKCTGcmJ;cX9=M&AUj!>f_f=InSPj(
zT3dI62Z%kWtdaWUeM?9|M=bOV;84lLq}(a;^<`h8&~*e(*l6yV_9UQphaAZyuS9*)
zGRmL#MgPRj>Kt;ph@br7k{%OLxg>M>(q-F*Pn80Mb<e*qW!|GSv7S4sklG*Qf()pE
zh2Fh`hZP8Wt>zB|7Y0)o_}FKE6uz)v2pR2iTDY!bwb2p6ejO&?kQ|xS&gtGEnwV*t
zpwMesr}Xo=OMqo{d*OA@*6sAN%O=0MynZfkIt#6f^1VJ;ht^^X7$3*5b-}-KE~#Pq
zvK*NhgCh`|E6>y)-QTbau>@4{{wG_hbR-37A}l@F@frx3i`fbne@y<u&P{gMP1F1%
zm+z>X5g{*O^6QMk>8d*P2Ftd)`u9yN=e81;SKZ##n!n=8SbLsD;Z0dP(Zy}=YcfF<
zmg3mAA4mLHDEWccOTAb8EWlTB`5kywKkNWpm1vzKBi`fFRdo)@Uo%AZmU7mY5FE5(
zCUeAZZpv-ehSX5Qgqf}!ZJ-lp=*U2x|E5dG>z(c^T{Vjd?zYLfqwYC-+qST_>e6Z6
zw{re83R@XiaA99X{v!DM?aqjmb;_BxPlf{G=yYx1y=DT=<o#cYv*~d&_u|!4r>fL2
zF!%YB&|I;Cwht;yM5_Ic5>;Bl{r=1M!2DZq=wx?#lT{VHIP)8n#h%L$c0S!nc)@ec
zE#5HFmL|wIL-!`;Rm~@-EuzbAUtNf~q0K=CbM8J%f2zjLW_!7&-QnrA)-8A5lPc=g
z<Ia;RF6sMf-u>|wt>Apvp)%e?zweN-N{>G{MQZ=!lT$AQ3Fx(a8T^Bt7i-6V|E2gD
zCKTXY`uIp%^2<n<;R&6wim3op8(UJ98veE~;mA=jNSW?GFii2Qt90x4np0|K)7M-j
zkRjfInR-hA|Ks6f!1&4Gy?xMvHAjwitV4sfDBpOClwWK<#r$Kpx^H*J`qOZq<jKyx
zEmD<tNgPSD>o{w&N%#j$1nKTeg()8EU$l$8^5N$z;Bv?3BH53@4)DqsFb4W<a9gT6
z^JIq`Dq_r$q@9qgS41wsdRKm~-UxrQHF5FasiW?@eBJ8J5AT+~<^)`MpG+Q654Za8
z3%vL5HznwhkL)Y^LC#Y&=4;$%f7!0bo(dX7_@4EN!A0;_`iV<ENCZ54JZ+sh*q&~0
z_dK)10(>%>rY@$fw66SwnYH~jc)bBfaLK?vjSgX3PwK*(nPTfs&CKWd{lWH;06&}9
ze2%K5IwED{kV)R+Pm3G?2wBdVkG0dt2@N@4kGi_**bdI!=*R+fk1#!tH#ZMA@hp{a
z-R1$yzpLjiU$(?=gA7dEukQKrmWn*cPT@Ey_9R%-kJ7XF(4yFqNE!NU@$#O@buJhE
zxwYdKiF1W!1|8U$o~BSPIm9xlwJpSCxl>q+e@xJ2)}s-cEg5=ccw9>HKpB*Xq7~j-
zlb<8q%DNI#kZc%a=vVp!a$0NAo=$pH(1t;G;o0Zr^Ec{Y3~#b+qdhT!p;HtY0jFU_
z^hb&?Qz=d%Nm;xpYNB5Tkw~<0q=y3XWL$r)xYqgfU44YePABO(CvCFT_Gx{MR<2{o
zTYnz<#&PUmYH{z1t!JQwZVtZ!xb>otTVsZ(Z;<}Zb?g+?KHe%ZaBWLCUTVxXXJAE2
zZ3a7}zKn1->_v_*2dz?>0+>s^oE6^i@!L}uXV|(~XSXt}C!R0USA_K2nt!&Oz*#6I
zgjSyAs47`E&Ih~nS>7D!;jj&RiNN&-lTGF~dOxm^C7u90IUti@6c41TK>?8pRk-cw
zJ=C3rD_dSp&N{x0s%%*>mMY}7se1STb%A6gXfv}AH4%M_tG9+BacICij$I_8>eh+Q
zcQ&+K2QbMhpyu*`es7C1PFKk`V`|QGs#j2&sBnv0G`VI^z0T``+o4&O(mBTYK(Uon
zu*RCp+n!9}C3@O3I8*X&!)OWsuhP&HjM8ytSBv(-i^ZJv*j=i_UGLrW&&LU`=`wql
zI9r0eMZ11E>O0QwikpqzZiI-wx@KbhD`QB{=)!Zni~}8k1TxuV1{YKYO+;taH#$?-
z63JDJSqQ;TGF$NlIgH7yY-qEbPX1&_^v1AA+ov$$_`N;5e5jPlswq!xI7`P#p=R-U
zUEOR(CCU2VjE}a%O|o0dcfl9hhW%mAAi*wpza>W8P}0k5LY|vW(0u%Ob};zCokWS;
zV!r3pqp3^uS};;2?x+5fQw~Y<FRUDc;^N|E?xb-B1#+++QXc86P*r^{9k;-d)?YBt
z2?T~uI!C_gN&b^#8d0t<h7pH&y`I_HT{aGEQR=Jy69KBe3J}-``po18u!rG6m`9p0
z4k7Jzj<%Sji3v?y-UY9+nXK=A$a$<ujNYlZwuw7`aZ~KYPQBLR&)pXYCKVAbx|$>?
z)h?Te$T?HGyi}zAC-^_coU<`7b<X?g<A>k>=rim<Lhx+6G8WuQH}8nrRxaaAoUq&`
z+CI0P=9@!|2GtN&He>$X+If*Gv@<kQ$gBY~za@-sEh-XpSs2oY53D$fYKLfT^2PA<
zQJzho$eDkV)Khg%1dU!2sM4ELPh!r#3PYeS(w5dbyKxs``<_WxjhcYY3{Dn%MBKM>
z0@>T}$t-}&3_lir%LWB=m5uMQ*C((#W0M44aTR+?j&t3`!p#jc%onifTi-fhAq}T5
zH8b~?*A7!jAD&NK!YM2`f4D^FnSypeN(J4@PbP@f9Q{&}l$Nv>Q{lX<2ThC{z4FZV
z(za*W)0h~EZefUG_F#laR1+Z@ec+!r^k%q3R4N(4`?ikWbxQX*3e6ziaz{cjW0w69
zHRW?KAbBy`lr?NO<+V$#5x>cV{u^o{Z`}VZ$4Ws!K1}ZLhTkfmL5<?XE@B;z&J&>1
zbFCpcDHiV-9M@!w)js*ThCTZ}m^O3CQz@IgnxJxS&HPPye#Va83O2(forOf9YqtPV
zxWy!c<cW$Gqi<Q_#~()&km+<x=&=!K%jho{5~CZzXzF;D4H-s<0TNL5q(q}(+oa-~
zye#ynr|B$3utFS{wi4!PHmaA7OTlwSmU6-KE~b{wTOx;hog(uWFE6m@Yotk>w>nRS
z&(azd%bn9ndijB3eRpsQ(nGTzY_SV(J$cM&OX&xgY@StJTajV=>u2*bsP?bbYfbvi
zb7=@3uXWpPuZ3p4Ub;S9o3pzAlcpL6vNj-o5gx+v&N$pvN#A2~rzIwxirUvPU3V!8
zEE48kB~X$TIy{UqW{c6&aO(9y4`ZA`Uc7zI&Bk`z=NSCG3${-CKh28GXse6s<P_uc
zR+dcp3#~i$&Bc8my}wrAjg=Ps%4OPYoVwws!V$4U%L*Q*wE63ARLcDR_yl-h@vAYJ
zi2ZC1#<&3I?z>RyqL4h}`=43D_<`Z;x7s5?G$6cKO#fEm<K@ew7mubK`=$T3i;r|K
zkIY5hJC+!il=uMtdS7}En<FD5fCr@?7mup&%DXSmyMJhWu1T+%e)b2GM_Gv)j3I*l
zVpwpwf;?#5A)mk$m;{Rzjp<)6yk0v5BR~IWr;|;{{2;e{#rCxCoFMlhaXtWkS5HRB
zThTGPcf4kM-otQ_zB|tN&?<_1ZANkLAhK4_ou5ji?mP^L`7ykCPgbL#zzal{$zRF+
z#Uq@J_{wC0TmNSzPM!T49Nk&9Rye#gR`@*M`O%-mrzH{p>k%o8G38rV?ygL!(|4s`
zH6P+8lKZ7fF0nqcNDS%pn#Bq0X1Ag&_<Q;n=^uY=4qjyZ^yVkROQO3xzlymzaSdS=
z-`!qU2Mbv6P4621=gv{#t&k>L;JTGr{FLb<f#ElTJ>G*pUg4wH2o1r7?}=O$gssvv
z#)f?M5~KTS1m$913a%=%_y%v`SO=zVsP%UKkbUW0v3lA+@NN>>U;UBC08o{SRv%5W
zOf-KI)hD7bkPt2pS-<_hIcwBy$0!^qAYRVBVxU0@BEtjsV%{wBzU^2*eRSQv^!V0B
zI0MuBV1j;0kuoK6X5>>~6tQ<<TLD}3ROj0H?LAF~b3+e|DZ8xMK;Mle?2s$Vn`|-u
z0#S_Y$V(xxk|T~G=6y125zFVe0FGznn}<z`r=Q0T2B%@xpWWt*;c0Sid2K-Fi=bd2
zvwbW``{a<2(s}ev(s?{=bFOsk0Q!Az5tN|*M*5JxM0RMeZ{Hf}R2Tlra^ARvAJ4p5
zi5e|Q?b%K2KVR1x7)7VQ<oCfxJ;8+bjlIff>6FbRWTx@#t2WouFJ%|Cb8rh8Nx%ON
zxu4OpszAm3HxTn_G|#BR^~}dXr<d!h?=en?2T<-k5*#HJK?9k41+EFtGoHQoPFsNc
zZ6R<?;WEe}bMfGtsn#}jVDo<v!Ws^!AH;Zd#>_u|Q?k7E+VOMbyz*-^?l8UYeYFuY
z`EmT~jn`QiLfBu#GVr2oi~`1+-36vY;@^c7gvGh<#)%}^M5Xy8s7L+y5t=@ro9QI$
z0fy5tL=DkF;)^(1sh^;uuWsZG{b`lmap(*we!b`RNA;kCG~`fPup$Nis_vFF6>~QI
z#vW&^m`U(VYA}$_@n<(!n-qbRPRaigdx}vbI;DC)FpgZg7Kx!n3Zs>3p2v}P1J6x{
z+OH%$*bRv&)uJ7OGijmK24}=@&}*q1a_QPjC8?dqW`=3;`@4)6$jOJ2L9F#jCS`$Y
zG}tc1uR<~&*L*#M8<O8ip4kn)wgPK-_`5el3<RPbGSjAxc-AD|W!0n(O1S+kWW5v=
zc>pFw1#uRKDr1$BjlJLQ64A)S8ZMTZw3{5~bc(#vE|jMIP$wcIZ0nVhR0j>Kfvmaj
zkPbniVHb9a3M!dOKQ>m=-@7d~b=BB6V?ioLBf&muAhs?&SGpcnrw|)`GwYzdqZ#jr
z=35fTZ0)F<ozAI!QMU)nP6G~S0=m4=>4VpQov<jAfJHRGNc5Oo^_ber`?8nz$Tx{j
zCQyrF*z6I*A{B1$6t4Y^<jj*X=m^nxbN@|;sp2!}7*h843W6WPYQ(F|t3(#wJb=-e
zgE!_olJ!wqWXQ=C7HVFPPt<eC$S<qjB4zqBP7p@|Nc8|CrIVAT3fP7MdJXdz((}w;
zSiI#8y-=2;JD4NyR7@$xQ=DSBqYL&@GE_1CReKqVGNpf1Og=^3P>s%1_q+9ZIj&oS
zjb|pF-qef*E!S_7iE1eY*HVX{$8qG7Z1Mryp_o*^6ve2b-O}Qf?&2S*`3ps1|4L)d
zXqFUd-n!;j5O5luV=h6w#uIXLzaoeWaBwbiP7hFvE)*;(bT>)B{bc!Xuu^6qG$k_o
zd1U3~5-om8Ih}Fpc|ec>Q!ejZVicXJWRg^_34Y)StsXMeA(!ke=iBe5i)5sxl|sIJ
z5iN{4FN#a9MdtpuU-Or<uy{YWFS_Wk4EowqsLqi3BRxU;r{1_}(F4CqHxt>5lSPNr
zs`}NNTgD~SYej%d*rlT4)&1agKLvsE<Sgl{o|+}w*GkAclDio-6RBQ}Kduh*q<n6z
zf9+7p8(G>^R;m(O`xP1b(Kz)p=?Z65gQ7uJs!LJ2UoBDfW_M9laynUBG)Kwtw*5YN
zrX{<2I{P%Qq}p&fQjo7Cr|XWz`NA{nBp>zqqlnAxe4z?M_1?ey70y@2AR4~SddKaD
zi(|@IXobzj=l?A?Ozh{C4rO7J;(nKtZP<#<{G*qgDnbV&Z#yTk9cIt^)U_;D--&4a
z!+pzp$O-ccKKs29@dD}oD_O?BsrJ2p*KBUGVPSw-?cl87&y3*UU!{hqoZp&d|9kI5
z`Im=A);<y;&16Jct^v3C1^N1e{JgSb%ka)BN%^MvwJvoF&*7E9>tc(bKwFHES!+|d
zhg3x?)dxPd&%OG-m5jRkAGf<At-jZ^w%K3ob6?ABQ>52Q^`=X+#~v`QS+nF)Iof24
z?K!<W@g4e1Yv=k=HLKLoSAiFy_|}va-#s6glUbMS4CP<C4apTSlt3bf6b_u%8Y=MG
z3I|Fq(2M`B$VkMNMBzWR+TF~6>;93y`2#DGdGAGMXw6AXpHp%+?vTl9pLS^!d6D@K
zh0>vs;DG=1CBQ{=vFct|piGWyQSVuxb1Ad&rAdpZPuGnvVf-Jeg#<#?fo{<ceWQ`U
zkzcoBX7|I2yKYC`K0DnE`<{fRxbXtbUX6BxpP^0v>j6>9BJ@5RJ3RopyjZG(!?k_4
z%lAe~hjFQ=k)+oG?-iWnZJJDLm82&I4~eV~HZ*yPFLn_eiB~=h+41&Ee7Nm=>f0up
z)$bpW$A|M%^ntZx&tn{-!eiSs=d%O=KUA<NRRrL`gUqs3-LdV4Kbk>Oe1@wZZ$zEN
z_v&M(+Xa>G7-Bx#Vt-k?rx*~?-tMWrSW!DaM&=!U*VeS>Ka5EE-+GRrzxQ(<4GVCS
zBcuQ8bwzIl58+mTxE^>cD^0K6UGO<i9v{ls)jrS1OMKDdnd{gEJcyqUdK`<#@PoVN
zW0Brt>62b=0;L;S<9odQZ_oGNsqDUfUKUZ@Z`9vE4UQi#4=YKWXT(B1>$&{K4e!~w
zeM-Q%2KZ#;(ytMx<SbY^bkOw}j`{7$T@i-s?`%)Hue&-5#t=@qvpiNf$A7C@r;AU@
zt_<;IKUCzatj`MckHHVNLh}jjm&c*6S@-O`CM>3GMjupZ(<XSEo6bGT5++a;r$ENA
z`%x!T!5xqSdg}5~2F<~q4gc_WW4ddRE3PD{{aJeM$w;)}Pz%}LM*B)dfMrU@6>h;9
zmq)XE(rr5qZT_-T^CA<l$JFme)AEMlOmmz1LNbU&hW)Phu$WWi;1<xPGKvGlk!hD^
zC;EBl^{@Nc?K6munTy29oY6_97N{g<BFYCY`SU2Majf#y?2A7IbpeFSad;8jyk~Yl
zB4+N`0pcUih08zm&DOlv2ItAo^>qmI12RA`oGEZ>qF!}h@zug*kw^F6TWrgZbN_;Y
zTRt;YkJdFLEk5=>)tW5|9IO28>6E>|F;-tYx}d`Nc<ZBJkqR`7Xs&nw3U#`6jy?{&
z=CX0JfM^t!8OAL>v}PpQG3s~=p|14>E};Ar$P$;-4<A_dJ!1$4OsXa;Qk#piJeK5^
zmftzEc3w8!aJFoM|5`k?>#S#><U$S)MPCJoW)BEpK!K08;xw@Q8BFN3Ir9m)CEzZO
zeHOz6xuT#~7_fE_XZ_8Q0ie@V4N&<DAs%wQti;*)Ir4pj{02r^a1j5p7klIb{mvJ$
zf1#DEQL8>jK2_@+qV?IvS^I^xD*?;uWx+7p!)1gjw2lFZDEI$e8FdOa;#81t5q^s9
z?@+L*cs_7163)=UH)g|Eu0JsSc3B$-$>B}W5)+?>6d7@A?1&JXapPej8}@4A?ViMk
z3V5^>$cF`cz1F^ZZ9H9ok0&|OCtsn{)~j<iYXtz0_ObH-wBA0(Bj4?~0JnFpf6*!J
Ya(V664%;k@eO%}}s@~)jLIPU<2OT4xs{jB1

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/Logo3.png b/Shorewall-docs/images/Logo3.png
new file mode 100755
index 0000000000000000000000000000000000000000..ef7860115e61b8023c29c1b04441953673c3e002
GIT binary patch
literal 2275
zcmbuA`9Bkm1I8T*(`)V{_nF+P)xz{~3^@}+=<CWcM@&s^j@-?WW0+WLWXT;ReMm@C
zzV2z{9_Cmx)aDNL^*?-{*Xw!SKRiD@KRubwPBs8p02db*!1g-S<%D@BRu$kq$(#Sg
zVoyMJc7R#^Vzx!suFC75kF2Bx`g`B<2n-AM3B>huw&8Ymx5Mz?A0h(_c7A(?3~_$V
z7vti^6y@h88eLtyV7K2h7Mf8V%nbTg&8w_{jCYiNl3&XB<Mc>Ph*2=&ZhqU0gF_+=
z_B_xxJYjs&)jz={?p5+AJLu8#sN|%`j*d-czk#ETAV36UcRQwwVshs{VK1xwo)rfN
zKC(q4J9<B6Vv@%ex89GfP0!9|R8G2NVG5o<%c$;beEZ(c#ip*4o|;;FvSXi}=yn2g
zq>Gd5-~UrwhHmS<TwMHlwor2zYPzKa{qU`^2u9T0Gf?~#wCVM&==lbF*4|&(!{CDQ
zgn3%r=0A=jTCQRRn9_L%i%R~>bMH5_jvy%Ni>a#KpWwN#l|&E0sObVY&8f=YwaH|2
zWg=AnGQb_bCQa>LiJ_zEX0DMby~vgJKXo8*r8R_DF=nhW0+!c8{H!XlaZ0=ptm(>~
zE8reR9+!X^f2k>~nYw01CA9r}Qbu)2Y4dsK(9<BT`w}RMDJ@<ExJEKqrv^8dW_?va
z2OjL&4~PEgUg{oSh2Y!eL7&~}qIs-gnHzc>o`x-0%U%0quwF9)V2f_9BHBDe#>t-I
zW<mU=n<FBbCXr0TL80l5{~irfA1!uI#)D*+Ag*KRwGaAixWmm2!M$Ja1})CrCzyA8
z<cIB&fhbLpjo;M(2b@A*K-Qm6-iotqyBgyxN;GCG1C{)Qgy+y?Cf)#oO5OF!NT4`e
z!l60}?wn7vlZRJ5DyzF+MPb?djUkYJKW7Z6$h2G&$Y?%86p}p>?ObC~2cDXDTJ;Mt
zOa-Y;+2h4We_dxlCiRT0q$vBcITK@#%4oYi?%0=dx=&2Og|jb$mi2583vDbEk5|S&
zCfrW`uAv#hpSqt?yxy;gykY1$7AJQvQx#Q__wP{0r=XM=nM3i9PirKa{3^yu3e^;)
zt)drR>;^1HAr8!zCATM3ySJKJq*YxNTfBNm5%Y43rCKwN%**aM*5ehrAOk|kRJC^$
zAAUGa?M-Z})62I>rCEJT18YxSotdYtu4%Ku5ooLjR^-Zz!FFQ;tk#M+bcc?mu6&4w
z3Q72obi~e?_FH&pDmL7L)zeIsiAx9JjUA^3RSwGC)DEty4RDTc(toN+vAR&m%$4D)
zdAUu`dWGtL;<U%^dBvZ}a3~&~!{6p|9#927<a{b6Y?Fd^@Za`i8*39(Rc@BA<j2!b
zO-~HPiGl`n8fFcZyS77-M$8a11J(;$9g7(K>%xB6_PKYHz|Vm;@8dqBO*n6Z4*DM|
zGJ)KdT(<`;0imsUeh^ySW!tTH1dwWa?LM_n?@fKu1R2P{x~6YkT?fY2Td@mP2G!am
zg@(nAf_RCYh#YIFfZ2kpr0RF1zVAm^46YS^`pjkm+?GHVh1|>8a^@Klfh&A-sL{Pd
zMDju4n>ImmoFr_$9n0ANBIopCTyPeTL?)C3NL9KRd|f?Uw>$8nDxHZSn#_lpFPq#8
z#rJc|9s3_F^E5=tSkq`5uRSDD7m4rA2`LnFr?33gCm;?0M3+fdCyDOe@1f0J-V#~|
zAC}pa0Cw@5NnN1f^<TQ;U3r4a8?`v?od>W}^clzIk%lXg!pmiXU?N)MN|Tlc#r}9o
z|7rTUT)7_V1FMDpw{3I!*+p^9hVe1fU_PQtueaC;(G8hjK+dlC79#gdn$4*YR1`<S
z$@!hQ5LC;~+MV`@#3g^b>8=F_ccp=f1xV<69r>uVr#p?k%`7Hy=;uovTe_x-4xjeM
zP|=bPk{D!$RF$LDqF)QmPU8lQ^Ri7wy5aQCa0EqY#JjO76YA4|*XG6=IN+phgg1fU
z4uFz0wwCY|@WhSBxOY>5|7{G<I8au%*j(oa=mEdIhCT7{ndzCCMoSr9;OE!tKn1ns
zH%BVF#w_#J706`SWh_QlvL>N!0+WL9Y<_mR@)ce32u5ZR$3u>(N;&i}od^+1KzeU3
zD%U47ozJY8kK{!_w^xz{{h~7Y*O+ja5?EFU$BuxDogx|eu`J}}-IeOc2(gDoJ3)5V
ziHTXqJQ-(5({wYlwBFn>LWS3;tYCSXIYtQKjN8-2^1IvJVtkl_maD{AYPf`+?qQ2+
zUig|l^mudp{)c5dAB_FV`OdCeCd3@OaLBorh^9~XZGwvWLltsjyOW;)a?JS8g4A)@
zqKpe(3&ieXwsRB>hJhQ(XXo@`KtbcxpQF@90zN(vM*b-B5uU<q`a<2V>gK}dRCqrN
zTCSFt%o|uoTtJMJwDF_heXUc2p*M32)g{fzcr2qQK|(3^o06}}psoKt68olzv3<r`
z7&??>fuQiSp6=xdc{lJZs_ucF^@MQ&P5bWf@wy)fIm%O;M#$o3zYobjn!Q3*Tm+zL
zu(GP<3T;6Gclr<ID>2dN^?c1_u%P8VVX`4ia-t5fceY_a{cFaZ_@Pbq47h2V+B^C}
zC;#eAh(Un9rqRZQ@^9v(0dg<|5f^PvP$8=@&FU#e&^rPpVaJ*!iA(0{+uu+Q(4w#{
zjn$N7{n%y!0ZFJQkIjS%<E-z7$pS@OSz)jX{MBp7^Wvy@%wW|BS@^F){-0xU&L<x5
zBe6x@9~JVJm%d7nn2Sq{-PJ-u`)^)tWqm@Oz(7%<%nsy=olMhkBmSTal7WP%QR&AD
zn%t_lc()TqN19OKZ@iQcd<5e?y=q?}!zgV(kH`Cm4xu=iXhosoR-cBWA0>akq;jsw
zx6fHgs{$s%A9r;{R{z$YwXBJ0->xlVTyjlK_>$WgxhLMq-$mbI?677#h>Jg2JJY6$
fe-3@G{^jCpS-Ap~x$AWD^IW!8PSDpDekuP0hro$t

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/MultiPPTP.png b/Shorewall-docs/images/MultiPPTP.png
new file mode 100755
index 0000000000000000000000000000000000000000..899790d9d9c3af40b89ca7b44680b2c0bff60961
GIT binary patch
literal 16164
zcmeHuWmKC%+hz#RLf}w}6^d(cmtdvEHAv9nEmGXwi?y`4L$KoRu7v`{y;yN~hvMJE
zyWiPgyJz?Bp0k`BGMUU=_uTT#Oy;`hs|s8O@)`mHfgp0Sl4>9jDjWm?Q(>S2HNjVX
zY``0elbVb;sBD;Q2l#+y{!Zx~2viw~b!UtYe5U#+tEL13c`|@N{y`wn4N&F34Fb7v
zf<U`QAdpZJ2=vMx*`z80AcIsC)uo;=(9ke2Ft9N&aIvw8u`zIQaS3p7iGdd}F&P;d
zFEIfX6%{KPF&!NpFBKUp9UY8{jFFKMMn?q$Y8V+=Sy?$bIbpn<Fc?fkMC2{-di&NG
z#;N#LL{d`HRD@SnR@U?_%v4fDMMcF_QC34kLq|u)R6|2wU*A+;CruV+Y;0^{VPRuq
zldCUTry=R!;Naro(y1@&;o;G*uju3Blj~qSZmbv(5D*+3JZ_;89v(jIV%qOv5gi>p
z>|+xjAHV3MKOEqaoSfVl9z6WjCoL^4D=TX_I=C}AJ~uaaI5~VcEq*aMpscKHI5(}T
zs;a-NsIIPVxGZ<Ls;sH0sjaPTwJK}4sjjoLbGWUor>AGNt!lWZXLxvcZhZL9pFeYR
zbE|WI78e&+7w1-i|Er6eo12G+ho`5fmzS51kB@*E|Nr0rixwEbC_Dp!gcIc?->JJB
z9Hia*t;r|+seQGbn^@uxBBdErcsq(+Z171r(t_8=O}Yc#avt2aXfIO{^wI_li+Fg<
z5ZsER8;G#c=*zv5$?#gJ)NoPv-1XKtqKAq)(B;F49~K3KL;7Uw8I3aiotXDo`70b5
zJ}vFfG_q(1fO`o*@MA1SBPEn&6D4`#&)^QsHz4#9CJ?ej4pTw}1pE0s)1MFBKbDWl
z7y|-={sR$I<bmv~80fLzp)8|O`h))f2!C>ds2M@XWmJ`p6mUmhN*pH|x<9@*2%?Pu
z!E|ErLNY=2pI^L1u>ugR)H-pWgrfZ43Wc4l{&OHi!i@hpO}K9UmS7wuMMsv0xW@(V
zWqx28EHruemT@7iKxc9aL6+?AFlJZN=azCpC!8p^=?IN8-(o?qDf0<LYL}r6K?z{m
z4one?4PJ0<W(To7SeXq5Vb99$U<8UnI^mo{ESxyV4#ZjdXO>TloOsBNSZM=V*)_;_
z^!)R)(4N{(^vt)x;Ow7F`m9m2Dw!YAdjj#@cW2`5uX)K|!j~~|7HYxaYv;#mKHr4!
zql-#&mgQvVf-F=5dK|{(n%Mxnh&hZ2BzUb8Q-p7esiGvS<2NAswMPV1I1?v7Ao^n&
zxN8dX9Vef+p}fs1$R8Ze$oU4Sr;Pw-3qii)LXUG|PcSBez#o4B5Gza-g;^bp4giE;
zBo%~_6Am;*Ed$2_5CqU;^|T8NW5a-N_T$Ns`LQOtuKm;EevJ{Q7$3EO%Boa?fj@WU
z36M@Qf&w+87Fg@Q7a9VQXDS_K;I(chbY)k4^gl&}#9Z*@LZRE2on_#UJ(wc17lhiy
z>PC~Wfc*YD8Bj6gJ1O+oWJ<@VL_Q#T4K2Nh476p#%;^f~s$>^X3PG2SMBIodETgMr
zlB4%T;=5b+#@Z9A8G&H|P<KyVh$0H~crrmi=|LzKaE;R9h%TPdYXCgquf=X+G6sCv
zVmD%O_}*$QuEEhgOS&l`)Y#jtON`#OaYV=<gNv}~7P=OA^ty27#pegdkA1j5wNZSK
zNYfZPhh_CM=P%+Zo)H`{L3-q6TZ{Zv0Oa%RzdtxMB1<Crmf(}D4i9u}do@P)DPJEn
z==4|ipG-N9C#y*Blz{wiQb7ULkjbvE3#r$~_)9Kbac>%Y>reIE((|JC+*O<MD18c7
zxdIJ3rbL;ds_?BwPQV;_M|Us1=4qsHuWhMhZvw*7-HWHcq?oh1b5CP)eJ9}TW^(Q8
z-a6#|+R#Fs5Yw^p;s?EBr^&|6j_V=Ad^joH*DXSr%}&s=I#OF`ptiS%?BRI4_LqIV
z`oneBGC~r{!f!ACGd9|es-hD73|82N@#6!n=}TdlpF*SLoC*{*Frf#|Y7S=CuTu+>
z+lec~5bG&~{WK)twPuv}F|$+X$q^!H(p8?*oi#=WoVHK-#VE%g1%AePj-E4<CDtXl
z@|I9k{N0<F+FkQZJMdS9cj5vp=?%y%@OMmR_;F%wHGCnySqHJgU`8y$6vtS!3#kdi
zcjtD*LF3ox073KUm&*=EPu8gj<YA_wE+p{D++i7&IJo-pKe8Mc^~%DhoxDTtRj?%`
z6#6OC8PKILkgDY?I0R<X*dkY;s47DO)j(&JhZYtdG|_Ai^kX(S_bX$-oy0H-dVgl$
z{Fo$E$i*l8tfLX_SC5#bmG~r<-0-|Jg~{j(K3BBY8-dULFeVim@o;^y^$*tB^2inh
zwS7)wTpBL&!*uvW?jBwS%7ysoTe~=|%ZA>MS_{=7!04TDgZNcD2=aL|+d^{JLIWg%
z$0*>K7r)UJbqC2e(uFxv;5w8Ge@s7z;j<^oh@{u32Fj<u8g4uun1kO9l<{;@z%97F
z_*F5Cv;6D8b1)kTW|4*mqB4x6MuGgXAH08kMrW0_(eET)pBzOWy^61uy(jz@e)o$x
z$8ZDtF$-?*qv{*hsE1goE|{xVC&3lbkPiY~5RCQ|reFK^fR*nD6Ib#rV_;cr0^Yp`
zTjYxPz!RfvN9J9`02u#u%hu)Tvpk@*n=6bXsv6skDFRt=xlMX7SeZP0h>5IDe6xu$
z&TE8jxmKfrHDw_kn8HsnM)^(-!;nGpc$MLrPZvuAO(lOLGl?SH^u+$KEjd#pw*@7f
z())PQzXZXr^D4g-ivK&YrpKbsiT2Yq0xyw>u~6!`rGaU)5mJe-0!!hFCeP(NRS4@t
zu>DS|H#gf@AIMGVr#haDt3uT3;zOC^(4b77pVZvjW|)f0y3<);=-85qh@(xBaM?Hi
zek%{WN`FYX(Zd~M4YM91NS$q{0vC;;itsTXoqwPH^_6Iu8R@QxTTcGH(VfW^aq{`V
zR*3RjQzXJSWyF5nx)Y`p#Fl)rWxNK<UAFLKUs@-h{>3CCGpDrY?MAC(G4Nce76I$7
zDVC%fMXMouv&6|NHuR40bIZ}RP$Zif4TsIs9F*gvG;$dXlk;J<!x%e!A&f$jAFkl^
zfmR1aY)kY;e!%K1m$ZhCHk8@qa2uD$in(U)X}%iSB5hg2a(I8X`rfdza=n|R`)7Np
zsaGo@TR@CPi_}W@hUQ{*;)>(}i}KHc!Q;!M(q**t*XLz@$!)mM_i-=T3*k`H$;Hj`
z+&cVwrua_l*0N76U2+$=j&>nP6*HPe%g>zg7Zec6Phxzm$3cUJUnWvs(K$?$6N+-X
z)@TX!G02P?s<L{IjJ$#|5fv7HZt6>BFlAT`XDC=_VY9PiM;r!jT6dl15H#RIr+z9?
z*3>Vy*>-+o)sAeSN#yYM3y)38d<gTW-A}g2uaeP1SB^cser9(mj{M}Fuxnyvkdba<
z8&@tqBEX<ly!=t;A3XPM+g`g68-!J;yIJGZ_oXn8cO4(F>;zKqGfmVw^b<Ar)?mHV
zxTtF>rXbg?Wlqyk8A@l=J!(t#LeW|~<vZQ2@h<E8#lK)rUCYyDzNT5^8KW2nh`s5t
zt>cG>=N6E5Ef<n5$hc}O$C)y^zfLxHa}@4iN+cI?S@mCQVzg&I#TN-5sBLZ_U9Lfh
z-pxqiET_<_fnf36PL;%}!>gJ?z{VwB>bWv`!*UWkCi2n|Xy4a3-~MX3rd-h7a_PB@
zv(&P4RPwTg<l@3jDJWl}?<Zmp4ok-Z=WBUjruVEZ+ALw(dzSv|U7+x{F@IhrV2$oS
z5q*bs7@Afn>!Sq$<$vrC%rCohSe{0Q%kbceK>n5s%fGP~Vi$4W{Y@R}qqFQx^Vl&_
zLEfA?iJFgS3e2|^aU9h`heNAhh(PA5h2=!-h1i7McYo1`daEuwGh7`~gdl5Wy>0<)
zo|N`~%Y{CPWT%7y6ODgSl_f3@aK>?v!(lk-LdSh5hIp{F5s_nFqb*yposL3rr{l>s
z1kP1hM<Mf32O?e^W(e%YnA1@HGm|8PI|}Cr4G!nrF+aEn;r_S+Heuncp6TQ*Sa4dL
z&x)!j%Q>-oz($2WNG>2Y0pB0Wmdrqj0o!Q=xsOj+tY-Pg=ArsSm9iMfv0*!AV(#M_
zmYpm9v96neP@6&qQe4=Mxv2a2wB--#fY^6EcD5PV;<Vf6z#fmm<AE1dnZZ+uoz<SZ
z-|^UlZh9Sz3aw^+u59M1#L8>WJ!pSy!Z?%j85KIQ|4cbAOo>s%o_pB(*o1Y~ga!mX
zD|x28nW9AZ%)TgkOu0VwbtSIp9bg|J59DC_o}>h_k_Cjc+~9OCqMzTUMalQn!A{@Z
z;Xl>xC^UN(n4i)aF7(>ID7AIDu*{J*;yKdNoZY>MZQ&CwIR8cmD}C2WU_7Z~=kxb_
z&uY&?{CoNc%DrC_$Tk3UcVo2ccGhk9Vra-Mg6H;MrWoXcV4>BeEp^D2d@G#Nr`XNm
z*KRRjTIpeLpQ}ywu(QuhI7f?vZQDt+tYzhkV(UE2>FsUpzRewX5b})>yk{_yt;uQ9
z#{pvpf_5)b&482h2TKQSG8-Z-lrY9M)@>WKWs@X6!?L?<(geFV27YhME%EiFdSAci
zxS9^|)gR-m#8|8XcGt4U=8p?~3pD9sf75+=I_@v-`>+-a)83fJ385Xn2lnwXs4u1s
zN6`IRuHEm>&zh_0N1goHVic>g+KmHZeHU9=+KVkIgC8m(`ri6eh!gifE!iD&Nk0iN
z^q|G#GJCheFfxwEkcCNcVoO;4U(wWo55{s%s#NN1AbfOP19kV|(^r>Id-VS@KT;Tb
zmV)fZ2h;7$Z%8f`t#J%A8Zdavk97nx^F-0C41vhXzn%!cd?>%wP4?5?*7p~eI;st%
zF%lyL!QWq>mM9}q66(2MD4$=Dx9*Blik7O=s>}oNN#1SfY~|TMV{4VbapXMs%D5vo
zTJIhU8_9dR-aWk=JfqW}Xe;vRLOf3Gc%@p}5jUs)DXL36%Eu(y>^6%>mf9Cm;FO-p
zqLw+&-`x~}?2CqzZ!?7kjWO8Gu#3MGrMrKW&-9qX&E`V)N95KhPxJl3aO6T1Z|3#$
zk#(tqU>X~`LpReCLq4LMmhZG(@L@|4fV1Vdnp$lP%Xc;A4QwkwMa;^cUKB756D5)2
zR5!k&FOG#bS|zD!zp8Tqfhwn)=dT%bJ?uY0JFI8&a%|?<?S;ziU*Y?umlyvD;5{I$
zFhrm%J8L%Bip<-yOAVFC@IF2K)hVu%L$2m9tgbf0jt^|WydyXpGv9QNS<9XMCGM{t
z5oM(?FxjQyFN!tuNe1ftnGGgw$!AJ>1~+$XY!?5~46HOesm(IW&eHQZ17C1B7Le89
zOWgKCX}$VHFZB()?hKY@$iev&<0<6>6-i2r>8xS1DNM`GYP&-k0t=qZ?~*JhU!xLn
zpdsO5vtvn!^mH6E0iE;WuPI=7KKH|hO)JSt9oY`g<w7;Rsh6w&1XJl=$<NwkI}W?1
z605nESj^d{hPRiM9|g8+pgC(^l)D=N6JL?Ht_v;+KgwJ7$T-`9sWMBam;5ENXm~)z
z$t}ebd)c`Yb<wqb^Y^FcvxUNrVuzG4@{!Ot*ta737hN(@5F5Y}4uzg$FZ}1y>nN}2
zsO*K(Uy2s&<uX}%iDpR(lXO@Z7WKk5TQzS~rnA|MbL*}MdKYjQt%UKx;QX`~B1<F4
z`Pu!RlXkS8<`{uh`FcaKC74$AY-;_{$>CpVf;wvg*v98J*0Rro=Iw2JQu>hwnU|M=
zbBWgYL$)_nev)`cI0UJ;BH(<*$aT*#yCvDf&u{3CH~uhDCS)8+2s}rs<Mi+xB)YgJ
zY+O|zdeEfYy|_N9UJAU;bQbFDy4Sx-e;;n~KvcIIr4&q+@?a86*?u2Lx{QW2xP4EI
z{qfRuT7-P`{AdvjT|S58dsPd}@Lz0CSIo01hw|zRI)(EpGhtA0oDUDB8pkQ^Cq`Bu
zjzdzIGq5|D$p2u)@3z?%jpH+;l8q8Pe2h~n=S79@R4hKKZ3Q>S=WL_Fax6}6kI9$M
z<pZ)>zt?5^Oc;)xhd$!MQ1T_v4a%AfXL1m*{Z41K1uvzEkw;8>Fgz53ZP%5_UgTB&
z=_WhF4-7A-3`F>KVwc;?Ph4hz$_Mh=@6LA&;R|jN>dblUa<^p`n$^NYO&2m9(J2O}
zJH38yT$WJaU3P*e<lfjE=HnfmFH_#oi#<Gx7gfK+At3&+B00eKenIq}SScfBDf2+R
z+_{QRu*S|+J3Qd9XLM6#RyD=<ZYZDMVK;RTsi^F7@AlE+v8Pu!@TNOCvu^*GKBP%Y
z<(u&P^qfK|q;;dwnQM_l)rMnToneJ(sKe|1MTY66eUVh=(v}}PcK3G^Q1;Y0*0ldL
z%nP4*yXSe}BHfa=Gx8-*%sl1IeYNFMVU7mJ+cV<rT-p~dLZVYKGfl5_bHmt#QOovf
z>n6tcQWi7rk9T^P?o%vo9t<^ZBa#!-v26y>Q|l3IUrTvsIy(~5sHZQ+&%;aqTnk2u
zjoaR=gi`vQ;jf+FD?irEx%p49pi6(BFxvC9V3}Bsyb!-TZeH^KfNXo*NjwM_o^|}W
zd7v(4Y@Pd4v+%<JJf+Rsd}n7iAem!`gX+y({*__jtIzf~4{q(&mF6P}Sp0V8{V>r*
z*N%W(g*WY$Cfhm56Qb*4_cym0c<1}%2-|*`)KRKy-?IaO1r6VnJY})_Yvpz{xXhVr
zKkQ<ajl|{aS^J;xLc*h&u<zC_I}^%}_lX()`1V37%hER5B7@np78NpDCU^g0zYC~x
z{DSrrwxYits`nW52Cczm&R<^^kC7gHgSF8}tkChkgtM`ag5c!~)0&Y;Heriz_)CKn
zzVEYA74N?ilC+y436u_=8lZMqjEcTgx;)KzAN><%%3Is~78M4}eegQYF=me%FyC~o
z07pB`no`5RF6%!mE9dt|zEPKmW-MO+36TBGvCe?a?dyWZvepbiKOM66oBPjs%Iyz3
zw;2!B%XEl-E|%3=E5(NFmLWcO2<NQcso&<^u9hKBrtgJWJ<Zzm<66GqLkG+_pr`N-
z$q9GUG}ziYJebcs!x_ybuS+Q|evoUdy3%rE;eJ337vO?xXF8xG4VXBqPn%{%k>2I6
z<3~$zvhjZiBKcQ3ogPHVA2<B`KKPyzlKjorx(P#nU9cZd&`@>S_EQwuLgZlSJe?$k
zng2oR*;UlXfM*`KAr6ruM+YtN6o=E;4j0t-d@D_hLi!$M14p6|nkC2&|29vSo2E<s
z>7^XttU*Ylvmd;h&OS4v+G$Zw6DUkw0a%Ots%h6OJEEQ&UPj6gjh|;VqA(th&%hEg
z;B;?K*kpioS8tzhco(CxQ=8V@r`c<-ktCfjwQtW{`r8QkAAk!*1qCuRXhvBFq3Csn
zLimghKKxup)-UI4tV*BMQk`wwoTac%D!HR#8W_6sYe3Uv-N#cqGi!n{`j<>3hh5~O
z?akg6=>&0aS4Pd5k=f$_rMl>2?JySnZ}TfNm};`*^Lsi76MAGSuHI?2`3vY+br#>D
zAiPLHL^nG6DoUX0?HcLQ&{x))jnCop9?VnjcRB}an@TR~y2fz*zUDHxgy65zG<5e+
z7<~j(#@QdAulOHE$x030&=Nt~TzBjBx4Q-o3eG%^1s&L9c*NtiUr?U6lyn;UYw@pS
zhG8Z?e@(mGq)zFtu&eDkgxiaUA9NLr;RY7Q`6yY4lL|uV;=xf26N}CMy>U6A*T4N<
z$V1C;Pe+tAE+Osr@Bi7Ttl!Re+Sr{f9fldHzO3EeyDPB2Y4>8`mdE0K81lPY6MK-s
z>7CcNafrbaJSl51XegGR@fs_KyUszJ=9=@qO>CAvbDDZ*utN7yS)pw4K;u&UCisR{
z+zK|eKkGH<bDd>>bcOz0s~P35_us-Anl-We_|<d6=4(>FqjF&~J1rvil*}9<)GFLM
zm9a`xWCWwpmRwcn#NU%YR?}Ep<JI+{_<ZS`f1Q6AK!nLR!r@<*F81R!O`PlAN`x|z
zV_OHKz{6Jv#{WVd#KIe6UWLp%<9nhg(}n#D)!w8UD?eYj%B3KdJN_2AX(pvI?h5<w
zzA`Mj1=}+ya2bLM9u{$EF)8N6cF;d?{%P3vVWLml+xdY3rJNlW-Y`Ca>=t#QgVNvI
z)&b9e-%D?oJTJ%J9ks;dxib99IG${Ap3{vUn*~Fbc|pkiLB{F6UFlBVl)K2`kjTgS
zdYX@Z0X-ZKd1-BA3ac|kzjtQdnI3%s2QHd%D3RLS#GA)a8fKn+Yd>IRjW+83j`OUp
z6O>O2;ce>t8TJjy_rYA;TgueVPD<J%KzixZxMwt-z2ztyC2OmG%}=^?E*pzyc6@M|
zSD(%!^7>Y4#<VxGC-jYnyx5e!RU}aGNDRHfW+wV{9?8IlG`QraftA(6G5>`2r$^M+
zgdv2>$tD^Pgp5;sN{_D5U;E8fyW;P;kvwZAYZ#13TO`pXo~g>-%0TtieO(H&bsl)E
z27+Ss=(6~gxZ^E1wtp-I_m()M$*O!TLNvw1+4D(J-xn5OxQs~a!g%5A&G<$`M)jz*
zvZSY3fb@%bCC0RfX8C3qU!#?8H7DQ0?&bLR(*+hDlU9VXh4{{-$Ij%w?5FCtd?KG*
z9Rs8d0i=aB-sK)dHsU*+V|1HMsiV*fnL^%dQRQywIk^7|9R4tlhHUD!XgH#@c4lHX
zRg9Q;0Ef44uec))rM4OUh7isAFO^;_@@k9liJG`N2lQlIR)vZnNMJ6Jh@k_8*Xxoa
zHEc_Q9<?8_czsXYZeWYNJ>zobZ_*>O0o|S0aL!KavTP__@Kt#9)@aRS09!UJ(CHL%
zQ7X$E4D8P&o8-g}8-!RmcLi@AHtaMRSnS2$#gmBU7Yde!vnrG255>2J<A*!9Guof6
zjg&8DqNLO~TCc+RL}Jxhum(~2gzw`goEqMu^6qSmPdZpWyem(9!I1S{_UtD({7u<!
zPSujy3PdlHO$*5fF_u&gWZ1Y|>$~hk7ViB$%b%<34xTNwnIDQ7-ZLUEfgo^_k}gi!
zGq65|<x;X;RO~YQIy6WN%nYb$8Ds{y#`-3p<R@COlq3Hn-gQPnM(DK)S%w&&D?KB5
zh8(Xm=O<Yoj?Rp%=5M-mg9R|e-htugVHaNb-A#~N?+JOG_seK0-%m+lxjSdy7ftx1
zvV#p;9Zg^GCSRl5)3k<kP4p)4a}UesKTfR?l9>4}s(o7iCH^8PKhe$RLYy7xr_|ei
z|J)~CViAv8IuQj<Gkv!IQ??Ec7F+VM*lRMrB>I~G>8i6WKG_37=}*q|N2McY>90wa
z-g{scXyWl_wR~wBE9I)i<F0ty!8B5FTmS9D$;8^0ugS+#k60+(rTNlLG-J+c4RAn7
zUq+S=KS(pIX>t2k)*!W-&^)?&k^CKV;j~XsUuUcH)yDbR>d?We0vX2}gC&D{EnK9+
znegL*^$A}@mz$kAJ_nO`JF^qkk)tSP(~-EjAxzb#Wp{Pf<9{B!H(xyX90!ZY{E|iD
z!MzL(a$QHHm&;;ug{NC`u|A8kFAkY~JJy{$|HI&E;q7}H(}U&5fBP?&G57pK1V>yx
zv7i$H&IU8(f)n+l^||Gm#w&qdxvb>_LQ<J>N8q4-C0{}b$<O}E?Q9pzYOz|nB2Qp(
zTo#OOVa)Q4Pn7mLb8t)^Q8fiAG=+<))b<|PJL;GH+izUC-k$2=!?#osinoUpo_2fx
z`#Ms~d1Dl6=)wMq`oB;0@9&a#Jy5i+)<dfQbEqG=t8Vr1rPbyo?H6wWT(-Nn3*9lN
z$C>+oT3Y9RzFs6!<IrcL>qO|gA3kIsI-fGuk7%)+9}bGBubj;Lr;w?=$`|uq4IvLp
z1q&lL@wD|A&*Z*#@#TCG6Te~9OA==l^cIJEofwB9_G7+{ESTascu3Soqv81BvPA={
z`LuGqlfbO)Un)5Wrih&abUox7zJht<<xEl+r9o2y@nJ&0n3!HA(d`I!dDW?RB{4m!
zPr*U0s-&lZrjU(<ubBqL!rHnA*EQJ*onO>a<x<daRS<&M$t6<%6a5>KQJ#4PHQ!Ay
z0?v!gAev^*V8;ccHfm*snM#f~05Rh8a(%Msw7YP_jww-=bk`*6{FigKH^Z__mu48J
z5Mv`tXQTtb3%o*ykcO!hF4*=ZsY4~)nn#qW(A}+MNXztGc*2jgavaT$qL_c*$adRx
z5sLR0lquxPde;8dN!X3lpoyGyY}!5&^!Nr#JngIf3-xo@`M6d#tvEFtjL9#o<b;ac
zG~ULNt(5Q!aq4{6G(Ra*rFoBiu5{RyOJ)40mqtM11s+2IKyv(X&OYp4D7mJlJ&=JU
z$4{p3LI!a>Q`9{&7S7nzYl`r^v!{`T+)kI?0r*$ng4;%>-V{|knN_TE`LQyIHHvrp
zxkbe8BB)-?^M&)v@#cRv)0)lxHQ`gZ)!Jap2q$cG7CX;+$PWDYW&VWRknSVJEC@RM
z*T1<*qBk~Bg>fZrK`8`(O5=JtH1Kl}gu*Z;BO~hAR?=gG{rV8c-tn{J&ia8%rEcRH
zgqF=2RXt~U-UaI_S>rO!Di|L1OKm_~s5s6m67?_!a>skTJ=;V0ZP-EW4xf4Qjmq=r
z!y#aA;<=75<&5Y@(4M?yj{oeR{&$j2i}ldnkysEblp3zfZimN=m{jeN(?Iz)E*G|}
zuZ8BLBZ!g+zsCG&arhkN0;XcBIrT)KFsao*NEQ+z6N}4k^K^9>_65~~l?mW_)G99y
zJ7UH3-hE1DZ#>|Lye(t#8rPnQhpUqH$6n$>iw@<+yMwpOg2Xv;bR80Hky8Y2Fb5s8
zu5N4x8V1Lak#r3yQ{@1>mzJ!}f7cmg3`EtyGF7a?)UfWdzobj@Z(DIEsnlQKRdS6K
zd;PiLQi|I5mKiWJoKBXjEZ#R&(&?x7O-F2m&UKxOxJ_dU9}6MR>=xE))(tQ&`D}BY
zcow(T9hSNbOe2NK8zTDKYUmPUZ*yircbS<lHj;y}6b5!P2`yGxq_h!8S({V8-WRC0
zgYgPb@c=*ixeteoSARXmocm*%T#_?a(Jl(@dm&4yA`T)PNT-$hy^X;lF9jLqFQu3J
zxfU!gr92*ghG|x&Vb|lkkjDF$(iEagjhcLJE!QzJ4^1p->a@m6*n<)lS_71SdkLeK
zqBzKx33%XEDLoP!aeq5fQg)qL6b|J!m3J|<P1y&TOKjAyY8?87)dZ+>snfljm>%3H
z)oZN9IigSkzW7CYw-=O1?Uri`eLTZ2j`EG?xeFEgc_DSpw3#0YQGQ$}(cAl~DxgNH
zi$u!l3LiOog~wWImNbO#Ur%Q5PgJXl4hom<OZ7khO`Y(LUp(%<a`mW~ldb8dn`IVj
zC(uXjH8ozmk6SUk8q3MWpzZ5`+&`=rHc0lCVNkZ8O(X1YVnOafy5X86YM`ERW@N2I
zEnQKB9RZw_WNf?WfEW8YaG-OxW0RQnl8tY{VC|QZj&iuYEWO^t`m=c9En~>CGmiDL
z^ZPW-x@94U>pFw@YWADz0@r#CRQ*)bf`_QsuR*fnMciXSt;3u9S<bIR!1;(-Q$vqL
z#uuVXLW*MY`8=y`TNC;*f3pN|9>zO%6p387CKm!k+#?Uqp8+Re*UhK9hp@v*l2E^s
z8`y~&zGdk%gQ!R9Z0T#Rk)9Y4W#5HS0+HQwt=<HpoPDCi3e2g{o;6znc7bZ_ra$#8
z^|q$Is?)2xhJLwZ)cq}HOFqBrC%;G|Z(p(*GME1yh9CV^^vEoi&fjbikEAhaZLsw9
zJjmvUi#$d^(Z>`qDD?7NR4o4q3MW_wR1P{vp_8Sj$ozb+bcf|3qDxMO7@~-573Jam
zp?_OvEp>M~oIsB+ykvXRRvgo}phw298WA=08D>xE%1z>~c}Dg-a<gVROXQ<$+F~P#
zAHG{$uW+g4x(Agnzp3)a%In74!mkrOiI@`2nD4mJKj{pHrwM<?FMYqtgdn{LO=<m&
z$ajZGwGqiD{OzAS^Zz3hKR6l}^UZ1X18SOL`1bmbR|->cC<Y5dA{Do1kS3q2tk8;-
z>^z2+Xv)4Qr^<AwSgRAyiGr&@T~n46DL0l%!eJq%&nq%M2gm#PWje)UfPkGRtj_c1
z(A<;F8Qr)pMV@;H%m3Op!Q$Rt@~+}8O=eC_zBPVf@7ZMAp1JKR)Pp`eDLXlu+oZiB
z%A4=9<nw7EW1j{O>-oARsY8J`*ub}G-K^2Dzw-<I)E6|m#-4r+GfPT72Q~Z~(?j3F
z%xKI9?@>r$s1(`rae~!uqFXGAwUXWZ{bLB9r%Hju;4gNi`XV3QOPabRQm&d;@Y#u*
z0{YWyJh%r0>XzX=ph4;SdR4L3-}`+ky>9GrbOvD8N9N%^mfsUpc3n=5b-Co#LO+=}
zzUIU*SRL-ntVyk`H#=oOlPCIlQ<~HgSjzhf&(C7TUAun|Sz}HbEXV!P$G_EcgGMIg
zz2Z|0P&!*>X&IzRy^?%PAO!=ypgghoAgEfiQClljucgT}*O<Iaw}7ix+pi^v>8DP;
zPn2)%+Oiy1OUy$~0)3C&SK~0>_cg}7-6zQ{mjGspKN?T+USkFy88h!WCHlB&#g^#V
zP)uku7#+8ET!&Fr`Q=VOMVSfaQ8g1cKx|+{mf#*U@f_Ai$J}X=Mkqa=COx1k)bo|!
z;1tX*_iyK2eU-4QLKbYcsxsK}4AY~gR`nrY{j#CIh(OKkQ@2UXplCYvpKI0frmJg-
zR)JI-+a{#@eB+D^ew1h^>PRekS^r_ziiW9jN2ZzjFLHg$g-jv!xXz(}(5b4`1+JM{
zcb}FLi*UR-a*ZL?5|2r1;RBm@eWV2{<%<vOrO#n<E6rAvhn`ot&j#vCUI!$TETRv&
zSPWFA)SL3XPpijwG;}Myvi+fT<gyrF#Mcsl9zMJu%(U`Lw+chHIb3HlBREw~@r1?J
zsNkLIBH#BR=8R^O^&N3!&TVw_!KdjK9}>Fm)9>0RExtI3iSU|i1Evz*_JTlU@5JTM
zdG<kE9*4k^;)%MdWt<h?kEA>s_Z9T~AS;f)C~Ze?1cfY%IZm@bY*pO7A=GJ1?JFN2
zWBvAxP)S&>$wrv1P>JBwA7n$HOQf(#4*864C&g3?Y$hH1!hi6Uat$XaBZeYV6<VsP
z?0)3m2srV02m1VE;-l0YT5Pnq+Z}q|ZXjXf{v{~~W+m)VblnQbgIB%GweBgntfk9X
zzjSjDa^ty<zk+Z0XceX+z52ke`cqDmgz&-OoT&@OjhX?ox;U|3ITzOBka{)a0seXo
z*hVuSCcH|IO><#gn1@UT!g;>Jd2!m}bht6RuSC{Y;tqvV+BS1osOVL2oKQYLjJ1hl
zEn~!A3e!*IL2^f`+a|p0@xqKbLf=oFq?<o5u5ZgJO3bTe@$!joN^?#+XsVxYo7!i~
zQm)oC7+8!jiEV+{j}N%wr}rBR)ZYXpRpuw!23cwV<PFo6_$^;$#?@}Y4gK(hA{$dL
zmmZJ{X1mC?xO0K$eOF<})i{+cDS))~d|8GHd{eh=SaXA!<I?PAZR?UJBQnV8U7SYP
z3c*00S8rB&-YnM7-%ei|-0hBSALICV-UyD(M|Jd3S*6>)+G6p(5{Q%;@@WxXqCPpe
z%znp>Tl2)~#FlvIAeW`STOWQ#)QIY3uw?#l(o`A`tsn<@x<T&c`GaPB^r6kJsV)m$
z4$5-nwAOZy^65U~1ht^Uw*Vc+e3QuXh(WCUbADti>z}I|c`MEdo<6##s9)ZW<UbsM
zr`-JE*V=5buS6kFB%meJM1{lV=k<7bKkfLqaCYA;aC8ysF@y*sW_#iVF&=EVZVzoM
z|J}_m`RcG9E-te2VkK?;_VXfSB{E$7cec84kh+Xj<l%CDWJ9*B&SPajLG<l~-Q)Jc
zhZ7@yqjTqW?UvM`H>_=BN9ZNV6q0*^V1R<u+ctaEhK2XN0P-XR>&`haYx-t4oSVVE
zD6N!(XY!BbH-Ygl9fhtvyCYoXKA4hZNdO&X8&Z2_cF|NQ(E<n5;4}4W<KG)C_8^fY
zjRU?lb0s+{Qacm+!cPZ~T&;gQpBY>@lX|c&tFr_S)kBJ1NF-lBp}<3?W`0)<o8p>(
zdg4|EFWV01xpwui9YV4J8Y^1MJwpdF#_$pymTb<$@G9AgKbp9sPbAyiOqf2^5X2P%
zuxs4If{N_i3D(>%{bMaO#THX~-u~+YIB4wZrbS_N2*>ATR1FY}#EgvL6$ymDaJi$8
zwOMH~$JmS{O9sdd<nEUQy2n^K1_Z>)CA5EPgLM63=!}qkA~Tb(6@-*lsrG{a4WA{4
z_enkbpv28+KR$9f1R+}9E#~Ws>W~wg=W3KSEdCmT2A?Bo_o8feB|t+0y2%N2QJT*v
z>uDADg`mPybRzqtQpA;nhyl*>;q6*DPf8xHbqx?>ttH*-G@@w?6cCt&V8;aCYxsL{
zB@tZvaR<=;VR<%QXHJJ)FD7TBEI^W@z=huUFWkGRizgAlEMO=MuPnX<QI&w0y{3Ha
zuT;pNQ3D!{pP>AYj+xFtQIUOI71LM}Mg5YQ45j%tkiZ9UNU&y-Ue1vs1}1X&wj<H)
z_$6Z|K&A?@5V~GXU(%sT&KDM~@OlL$zD4mtR}o5^fHdFkdEtrwa27g3P0~Y?9wd0X
z<NUsS%W7ZGWK${j1q2Ci2Dx5kh*0E#LHV&^#*Wd2Jk&sz!3OHg0;MxC5Lj^8kUpuN
zwjhk8YPbI9i!#SJj7CKu`TVsoV>ds9vbg(q;j~j=v|w_VCvbJX{X@gvWZdU4^0TK}
zl3KtAGA3RvrMdJpN(Ly)=X2;4&5!Gq1uP)o@DFhA)J0xjFDkrT57d0CoE|m@3`Amw
zv$3F#hnmJ-=r|y89?bv+-I5uE#0ly;eBcws90QzObMy>Qh?O14+Bo<cx^T~NOfM<5
zQ}Z7+8Q4`pxd@%s<2CyCG>7W|Z%qHH<M1JNYegKze**qik-cd&8J8S(;0=fj48;N(
z1p6oHIcITD3wd5bDBYWU1H|423;_DX?Oc5Zz|ZJ@F#zV@e3D7Qt_6ZIK`NUcH`>s!
z7}Mfj7&*SwuE+w(Lsd@>e}*JgaJc}PtX@xc6?&ckP?FJ6NqQ!IsSI|{V7W|B)_zup
z27+6J^-0yWSe&~0BW^Yp)>}bfZGfT$jH*zE#*;)C{lW1iXGMO;x&n0n&~7Bz$YK{}
z?D&$nqM+lKgJ;{KHUWNKUKvpCJbXYr?>M|yCWR`pSM4dq*7I8+pG<teR0TrxV8(u9
z6~-S_BFVpcc}fY<)-dXP5>lLw_A#f!*`aft24tiku(KMpa9=8nj}0dRP(Gi{YZ(;*
z6w%x?9uc&>L-I*T?A4t#S`s5XNpJFtfYRbN?|&-Y?#$4V=$<OS^ZeW;aPVwYiaJrr
z#6-{gg711|*BNW%lu}K@*@%(86bGJQNvmk~L$ska<0Gp>`=sn|dkB*Bb_jf}6%~ln
zTfm4eOdtjpH&O|VJ^;$9#tx&+<3H7PZKSFjz5h>D8`}KD?yOgn@4EzvfM<kBYCFKl
zNuBAE%+T|K@EKnH+#=O95(iX#4DrF-gsKYxM*G|9fS!jCS`g)BXJF@aL1zdA#+K1k
zT<`FR_z4(j?l`Z{@FUGrr#>%F7O)~3U<AwVR0h9ji{*2`IXthyHCg_c@UiSPf?C_>
z&A0P?FzrIM4m7APUtZmTk)vw-tK}AY^gMq6xPG0L6Or42X5YE~gBjZ4p$qv=nZLCc
z&Q@vk9D>v`x_h!e=V%HzyBCoC{)}Gl_a|wOc~M7=+3Z*f;PJ_&8P-)dTF(Wv(K#nf
zDgw%|)<|Z;w;&+@Ily7<$yI_7>>Wl<OC&JA^rGYTq=U1206Wb)5onLA8Vv%LijH_r
z^<C<THe4%}N;85$faGKYATHXaFKNH%qxXCR&}T0Qv?o-IYMurZ{#OQf0P>yiDTwwN
zIrFnSWS^Yrd`MxO>92t<9rmQzE<I;nVF&CfYKHb@IGZ8g@t&e{TFyvGD?oKMs86bC
zHqzde5Ee4g%Co<A^=4)Y<4>l49+)9FHbO3qu&S<eJLfr&VEqkPHHf-<a(l`^_OHEg
z)*jvi`4hE_{Oo+L0A)YpM0_><16XFHDjf=+@^yOByBgYwfajDgEL<U6A7z>MlC0;x
zwg6;rscNlfxeuUKZgC!#OQAP)>~u}<l1?UnQMW;-&U{-8aSn(bhJc~u@wj>BK)ZBP
zj2IphKuDC+3yY(tL??5S&+FJa0OtB%i8(JIQ+-z_gi26C69j_@UPWD|1BvaP3DmN~
zQGk4jVbPq{{}oJ~!&AOAZ2+6F(6l%)qmdlSJWNNPXz*<SH8699Bw5KiDFgjQhluH{
zz5v6Z-h4g&7Xi#E$~@2dUO(wtsizQQW9F4sGN7gNisLn#`0t&Cqvp{)N%GWzm}H$k
zcG@MF-2A@V4OGd{uu%5WSBNjBDs8)2Js>v3X%Z3xgGWg@lb2g}I_>BZ$Dj(IR|>CR
z1$GTALe_7ZzG`o1u}Njt{9YN}>HV9Nn6q*?Bq6tJW*o*sA5qNsM%MhbdMBPx{5$6(
zbCnf;1Y%Z-9l28JY_LX0(F9qON9r;0erPwUW^O&CXkvC=9qbP4)w+o5i;98f#_pY%
zrxf|ccJz7t5LWS{SkCzwCLL9DOT6x}JgHtsA92L^Uc_&yyOBW1ds(63V=m$$)oXoy
zEQhjJjxbQSF2<0-ndX`+GU{<pSZ69u9!iJ?+Y!RFAJ^#TC5y+f?TF?-j1lD{82O&#
zF1yya7OKmhR=2``-r{ei(Lb`2+Rjn~`87$YFmjeKDAkZF)+Z9Y3DJ9LL)yfi=#fgr
z!wkiun31>Temud=|6!6Pe4NviFTTk@yObPSdEDnFkrDS})l)Uj-Jrz!nC<NA_<d3l
ztm3$%un?P;5*sbxcRcv5ht1|l^j5=S$^x&0h}#=Cedd?HMnnZLL}jRBg17tx)Pz)}
zSkD`u^;C)gIo%I*MSsfnM)Ys2hC;G=9lE!ftJRj(+0znq1`crZsqC&)O0<i-@LD-Z
zR1l+v@_l=bqv52v3eynqG<})Kh>LzO{uHyIaU3pGSr+l(s+-;3k{SAoWOl0n*CQCQ
zne`c8ko=mtk!_9OSfG>P2%-*2gE^BsPUTLv{)_#fT5n8c!yU0{KDO;C9=hdF{sH*S
z2}A#GaA~z~Mh<xnlai8%{5W(SgXd$ero9p);QCKe@~g|Wr>=*lENx^Ur_v5`qES>6
z#YX-LegMwTTQ{dP$(V0A@j&L#L4McIl4`tIlx|x7_q%CDFEZnZ1Y;ek{sKRLBg}9+
z&uU7wa%E<}snYVSfF=m%hcZrRYkEJ&weXQ9t9`$3{`qEQj#(2CQl0@Fnt>;rU#0pG
zMn?_y)col3Axmy0X_NMulEngPGhqD^Bg*wTim8j?H9GzNU58;`<x<+Ro(-78j-(9-
zQ>mUyjHPu^L*IMGJD2HVssmmbu)K^x2)-ZW*G?ad(%1k*1pDeD#vIbHPQyhX{K%Lb
zHz1$P3ys@}g@;x01rIp%KYRYCZ0*KzR*no1XRR4|p0ww=33H$mjB`_K4!-B>>N_)B
z%L(yls9;=^EG@v!9|uhvKVLPTFT|DP5_aq4hMTC_{~*GTZ~ltk8-$1G4%O{sQem|#
zz}&LWw#0i5xGlAtWWj&WbIT#7NkdgA{?0cPKOS9A?;wS$9Efu^yKHit+kIe%y(%f`
zlrPnna}(P{oAYTE4<_7~*r$*mua3VlqaxECTrHH+PdD#c>o6DMxF0TT31v`ImfKyN
z3jZPW;p`*+R7=I-#%l~HJ6VI1ul-RI&1o6mln#Ub%XbmsHEB5s^_QpfBR)%8$8D$b
zj~Y91e2pJ$RV#x_*a$tO<_mpyB&A9eUU4L=ACGc^1ds*L7^|QUV(XpS7ng`AzWku^
z6d#+ns}ISOJzty5G+KS^Zf3_w!_LC|9R3W1qADPi>mC|C7(FiDDUNoCUSM4*w^TFr
zzo!^C@A!IEkTj=aURBf)?Z!X?FA1Og{_iSkXU^S&QhZEMhJ2XRwij2K>@w5&$7>Sd
zS^{vH0?)oTzx+})fq}YEw1aUYCyC%o(*>cuKZw>uZ?&*da=0^xUct%CgmD0@qGVFJ
z3<bV=Kc21Yu%AU`T*xB_d7gkVcYE5unhvp*qvLJjDv)TbU<r5bVaj3%+H)|@?MWnq
z_VuO}xKPLL{ByIk996C1gUDcepnb7aa#op<Kz`vmtVj4*^k1JH#aMY{1ex^wybBAf
zi_M9*%jIm$5{}lzFNotiWRK%2!h@?VtZC=olBg4<K>rZrE0&oulECSOBE1KmlRNxg
z5T6$mqulBJarCA4a?+k^%gyz}4(k-b?kcTt<zmmud;9)8ZM&`g7^(Z-JBH@3)Dsoe
zx^Xl<eX&$C=u_kqh_ug9`F1~KUB34nsaLY`{Z*(Q+1OX3OGpx-Mn0-%?EQFyELrdL
zB0M{dJMQ|rcinPwZ*kNu1(Rd;G<L*ScvCe0+nmmHw$xX{BF6m|bBBTDeRB~PeD~d+
z+Qv5)BHq)tfyZ~$QbNYnIqAlsO@1aVZN#D{nwGFA^<ntvv1s_tL?kzVUu&NS_D!<c
zv(Xo5f8n7fIjs_2=rUHb5m<cLz*P{Z!?0tIwlB_WYHn;(6ZLvoOL;8d?kz5HiU<M%
zcieJf=^PxrH$P#7(0|`}&2qb6tFV6kDJp*cmx0tYg(l_e#CMRsE;?L)%YSH(bom$U
zj%|kqfrU@mmlr1vudOp*yyu`b#UzA%$B*<k`Fqk%p~SoL!1%g&P?@m~CgfLeLK2`Z
z9%QTjeRyIzX|p}tX`klhwf%Pq6jWrv@t0go0@G^MFI3cWD{(GtqXH`uo$G<OiWnMK
zFj)uj&gPT3g(f*xZA`d92%-&^8KpA>?M6ZOEb%9S|3ZtGQFsj*(L|>8FfnSXu*f!0
z{MHZ`5Tk}&pGEz{L@k3IuB|hieb`ri-@N4o_G0CV;U`DOcKCran<OOT@n+MqZ2>s-
zABrTplHFNXNMrxau!#k)aaDS+J&XA>(39&&oaWT;LEks;0zd1RD%TDZ$m%tEFWkRL
z)9XybkwiftP0Cu8hf-<>4cO!1ydT8Z;s(Xn%j&oyS%%NXWP|&|Lf#i_(Fj+%7I-Cv
zaJqMLPp{=1ab!k^f%C2Lcw(g`l0F`MBmR<2l`I6=UZXoZXv~wrxSnKR{qgYylqBH1
z@Po9%f;iu5(iKHPA%i8CvV(Zf50gn{2;>aYAe1T~mvwdVt>8aT+Jo7NKDr>1Fn|aq
z|2ukuDeiTvRjRBc!!7m>^|QoFf*oWP*u^2G%B;bS(Ow+5<Tw3)yyTbp27WCK^4R)k
z=GQtXo$z}!E~Mm}*W<atjFRo=>9)i!4UW6oJXGMyAQoh@he@@osfPdSCc3HLZ_Ckr
zmEwDoPnv(eoKjv3Ue_80EBz)ucuyp1`f|HDMIitcf-N1;1naJ<5lq#V6d8l)nNhdf
z%^mnV#8`;86nvd#w>cGb=kl2)DmfN{*48kcUJV8X&QpBgY>Wuv&v~na{8VlIQ!XqX
zW_Ycxc!Q&FxJlXPomJaTm=h*fLjBlp#l0RSO0_OxW5#hAm#ppD{}ToM*;7C7xe68g
z7^bzB(a2PJhqhXXjX+V}nbeLnvrDvfp?(i-231=E>@?hb`(V)hW$8i(3VO&>zf&5?
zOr}5P#oe!TvS?v!_tt*o8AN=hv7fH*Y#nT9bnoec5S1B8Nm=wN9Tu|bK{YYpSF69i
zSf7<v47AAZNH$AL)u7XkRc4V>x2)bXR?QppOCaB=*$-D6{u&Gm<5@;~MV<t7k;G#C
z#24~jR-xENL13iaCTGG<sW?5S19L!kudK=@46hb7V~*noXSK0zhlSB_(7HhwemKh*
z4(s1LRSqh_f_+SLNzF>O0rt0lM)K#3YPe<?<{woCe*=ki1Kviu8l4#oWgWpVDZL-Z
zzLHfRF8SbkLVZ{fLEo%twH8Ul6DkL&b5uFdU1E<0e^p^7w<O>_Cm{a*q)VEM?&A2s
zR+;dd$%l+tas650NSW*~(SPnETGxE5!AC6$pWe=&og8Yv!PiPM#xK~1^n^#L<O0IR
zgj{D)5-$A`52|BNi+vj=vnH@#9O1H9Eqn_%%2kPxewDH611)f#Pey?skD@TEkV0!~
z8|K_oab}-=-`d*9Mbxoe3N6_S<0M)-**s(_4Y>*1u;A-jm=T)&8z6GJe73C`3wQKE
rGO&@_Qb5Rn>#09E{<jxg10G)#7OP2h+-5)BV+YAe!6nPYjXwVulP6H*

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/MultiZone1.png b/Shorewall-docs/images/MultiZone1.png
new file mode 100755
index 0000000000000000000000000000000000000000..a2391cab9eda83fb10914c43780ae5a53dcac319
GIT binary patch
literal 11070
zcmdsdXH-*9(DzM9AO;SE-X#?2AYG7RK)}$uG(!`lgMiYJAiW2q1?fek2-1r*DN+Tb
zO7Fd+AWeDsKOdgY@8@Uk-LtcE=Fa|hcJ}POvo}&(^9h^*4gdgL1+AzH0AM5lfV5x)
zx01)qp)$7>$V2yu0#H80w0+xv*vf0j13+aw@wFxNwvBv_*3|$2UrqqPh5*3jtq8jX
z0I!7rV8;Rg9;N{R?aPcNom)c$fVR56(tkD}5Eu+ba(k1I0CWK2KVqVyLQqjr-Bxt}
z5z{S+(NQ6hNDdATF(gt3$;AC1NeXdu%Wxq1`T2!z3%?|w4G0Md$?$Uv2}#Nb35oqj
zl0vtaq$FSoh>2OsNJ`4c$cQP5$;eouP$)5VF-1j1G#ah0u8u|raNBdkf?(R(+CGY6
z1_lPk#>N;71{sMAFhFObB{7%)OG`@|8ykCj`x0%Gv5#?(jis}*v)gTP4k$5JFT^Oi
zxw+wOFt1;~whyxR@$u=$s0&pI1q1{Xx>=4|s{8n~mblpj1qFqMhW0ySA|oSng90)`
z14i92v9Ym*p+N}=39u7bN6_n`0B4dDlH}y%^4QRY0E}^mG3*kCI79S@`iL!v;qiE?
zORAyBfI>XJ1fP(ZnOTBQR$NfzIOE98%?)Y_x|NEZh!qwVhPH+d;bTimN^+}m7w|#q
z2kQN~`10~{%m&7C!?L3!SNlXevo&+5Fte(vs-)z`_{7-Y%%HBWZm7J_ZO3i0ywLf;
zd8n$qsi`SwCCKK?X0ocpXUFGTQ(f#rY-?-lP*WX#20v3*)zoy;(a{mP6FJn{nz@i!
zHCmOtk^Jr3x7dT&$&S{h(I)&3KKUTIzrTOxTgS?`rlFysZ<F69hx%9gJ6ac7M@L6D
zZUvK*qcgYc&CJZq<ih04%+12W!p6eP%F4=ZwXv~raBy&Pa&mTdc5`!c8#(_6=(BdS
z8vt-sswm3qdz<ZNMhC7we2SHQ%tON3<%9)5a1e>5Zo61$_jd)KB-}me&o3-gebT%d
z5$!1a3GDM6u<RCYOC#|tr<ri@IX9&Lp7V8^8^>&9=1k>UZ`=;L%}+X#eV}S+Ge1B7
zxk{CB;k2FgE7sE|hJ8`Zp2S<R%6)KzZQ%%*;+=@=)u+)_-<D87XIH#<QpDvWJj=|k
zu*wwsv_h@+T{MpYh|NP)pdG*&SG1NA1~rJ76sEhW8Eu;8KeIanD`GMwh+~O6eks*a
znOZob%1xmHHEInG)ae`n-LFf>n@GQOT2_zbjXmb68=ItQ;Y3cIy4U2TVa6x4e_WaP
z*?{!&$0=mLznFeTjGNVzQhxG#fbSlYIaX&U@l5}{b8oX*05eLk-`BsI?jE~{UVIML
zxPC6aEvh%+DKQ7p+EZtW;v3^q`f>u7T?QSHUah#=?wL}fn*fduQL1`vVXogP!*1v{
zKbE(nEIyPJ`9<T{Z<GcNkI>1dvzQy#Je(N*NLfs_*}UuU>QVCVA(nO@%FS}FCb?rd
zh?87>_=DG!H!>5apR?!LGBzZZn7CcDh8v>o!>zG{Vyd44NAFBNpUmU4nB0*Af~v~%
z@^UCNRCLxP{O$6|&T;R==>OJQPfI!UA63^~i~frn?xNy(kwb^68U?IBoY~DP{F#`m
zv*oQ--XetOv|K+Pe5Av{@h1{O)^d+*i9l>-o+(ILqXWx5BIG5qCf^prq4mJ~Q9i#O
zBs}<?%qi{jzG6T`FZ?%rVT>ka!#NK;zAs_`H|}Im^b*pRf4oFi4#)SxX&Ue4w|3G^
z>+w4(!c`ZB&!hDqdDaDxC>;_hC_FKOZ1&(g)ZbJKNOS&EAC3Fk8zkSOSW_93kY<ny
zj3r24<0Uzvy7xX5$#WhIOI8z5TNTANmG}rdPiTU0A^tzlJ}-~&*WG>c$&Yg2hNM0k
zVfZ;LW)IyB?MnN@T5dH$Jy9#qX%UlS)~gn`a5UluoOri)lb|jN05toL)%YFznvq3g
zSxZT*AqpZVC9@}Y5oKdv#qLZ=&jA8c-C1*C-OuT3D(4;YCc4LhJm=tc-Vq6oZY21^
z2}Nlh#2ZB_jmc9xmkX;z6aUOw1FU$e<~*C|<||m4z!@y<Ov05SfayI5!e9G`bLYhb
zkFt_^nj<cH<Kc<URb8vtQXwBH{Ab=8eL)1!6}3TPKmd{S1^;_k*RSAwE?1HTUm>|W
zZ)KgtVJNOt$6Ls<R?<4DZT0j}5T?bpEq+<Vkve-MMTfiNB22GXDj<76M`&w743o5z
z3^vZ7DWlt3f+$OQcdb%C&*gY8OvuWNd>{`0V{5dlxqbcoPjo}E%a65k$6#zi(3*=X
zAq5W|eL4F$Gr*@eizBo!N68V;(}q1Se)uR}yMpA=yu2m*D{CDR!uu}mC@73<*fmg=
zy2dgS<>lja59<c%q{QV%T|vYKUuQCxN1=LjrbNM}(3_Qv4e(phpn3zsU({sowB4VH
z3I>APO!LoHMpZ&P=g^L2Xgw`r^}Gp?pcTb~V+wb22DsJ4qzH<x_F7$iU&KKr&x#vZ
zRub`lsXE>y)vE}CJ<yCeRqmHUn55LBNP7(g27Es?O_r&XM|Y?dvN*{0f{MSvBdQ$1
zZ=Q%8`7Z1FZt+tRjIQ$BWxw#(ZlYRDDOj(0e?YBwKa&b)Y_CB}KPJ6At_hWE`is(K
zaVAC<ajD;HcCp-5r!V*0@BI}Nzd43_SbpGg2RSBUe)qsWk|<Rjkt`%PR1ZZQWEmas
zS}$(q8^}KLyXFuNP1g8oEddK8<M$GWZ>~mCrR5AOe^9SbAcO@Dmwq=+&O4X1<^2Sw
zQik+8rMBJ8zE7QKD(A$8l4R_V946PQZp!t~pe-P(cyuc}KMC@7m@IKYEr*$lWW>AT
z&Kip?Poi*ki1Lh&(WdL)G8w-1Tou%=c)c4)+QxHWUy2d0w*5I>DVnaeqGDm0qd`fI
zu7ir*M}H}u96Ol;%bcXv7rC2O1&l*I$F}}Q)02Sil70FR*&VVH0fj*SV=uV@DdZ&7
zgsPs%RmHbrylS@wpBxgy?ij(>l>0gQ<G*z+a~Z!gwl>V*sY>yT;(qxA{L>{vg{sJ7
z)@Ee>4_<x7hP*;|TY?zH8J5FV@3WQ6X0V7ulGbLdtoUTW1dkH>MY{0ezw%RE_TA*c
zy!|mR^JZ_Z3WkDrPN#8HQb++`qXX-Q_YmKEs=eB7GHEZwbc;^IufZ*5!$M9rP?q6^
zzua`JK6_T>B^(2#@8m|OH@}p;coA8)vI<>ckH`L=43Luc<47s@rflMLgio0C5&gd3
z2nksw7pRP&6vQe&Yki-9jlZ@>@D1F}c*@pwA!_^<*%5dtca+_6PP0o^haqtu9_DXz
zt#VPV_7<sZt{P7JO2J0%?{9`BOJP|1pg0w`cXA)VPn`R_jw=^W@hJMYf>FFVk!p+j
zO;o34?1=CLlex}pozP;-svG8f!8UI^`>VZm&U)foV$Z#&R#)$JS_%?j*S?}o(P~p9
zku_S2zKnbEhkpPc{C(8P*jJ>gOaFGGetyq=*B1EMHZd(O_5LrL;Ft8N8O?_(74M9N
zTLX5P>Dn5w081m-+GJgPi=CdMxP_{+|K^xxaJdPKlyiroeYKv6fGPr>sy?7PWa(sB
zEA0L`(Q40r+SFX9D9MLprluGsnnd0=XTv0N!8@FP+Pm+KYO_N8k*J)&K1SqRSSBYC
z2b8*sP0nZ8Jn&es>XADkdZ)Z+&0X^i=enPP*XQ0ntNfbC4|B8CuMPZ9{Qs>_6BADt
zNfB_Q`f-o6kV(o%r}$m@e9hZPFJDSNq_wy4Kl$SN{clkO8422`m$fYKU^X6v;~*KH
zDN9IyE1~&sNmTk*9cq=odL+)(1EpVM#WIu2lNC?4a=zvzgE~5=A)uhCi8)(8BFMY=
zLuB%L^F5TqR#T)Rx9^fp&tS&u3}foR2t*XOx8|bY=>lXjJHp3(u3xYX{s1ype!%W3
zOsVqo<-blKWX#KTYT}+^Kn!Pnu4tnND8T>|JfHUYp<8|UD+hAg>^<<xaV1lY4C=jd
zu7<3|Fcc$UnQi(LPNGk>FqFjMtRFll_dE2Q%_OZL-mPvmXsB!3YJ^bkD9O~jh*~Y(
zwF<$Qy$6VFKIgIXL2ge1XHIzT&!55tdDws2kO%@Vj)MUXtzQkGr?5*pjI!VFc28Mi
zMo8V62_c7^96iCwiI=R}YaTm#Q&ILMxR-E*bj@E%RWdL_&@+hjM|F)4%tbv&c2?U2
z42dQ?91a;<ZaIAyy}7x#6n|e4+kDO46}+@Y>brT29Py9`)6qyod>I=H1`0G8+t7R;
zHP*Ra9uEHDBelcv&@6VOJE2!CM%R!m!@zB%vEJ<(?wOl#QGsiIBY;{z=uC|jv9U3U
zXvwHf<&JS6z)G^ub(7|^Vws3m-z~l&-Xo*MUETWjiNY*leSh#cQieYd!Pjd|4|{>2
z`gvBl?{p_3tP$;o&BT_eYGloRgm3Tdl^yD_%^c|ZpUkpAZ^8+BJBlA3S{>CDM069~
zL2I@kVLV_yYBJd$Y1MEOf-f`h0$B@od7B@<N`4aZ7-s&)XaC#IK37pY?rV#_eolw`
zoU<NTw&h&IV`Hk&`OGO(j)}c?efB_hI=Fw|xQw&7XlB_`<1(FW`M2KU>Ayd1H&-bu
z?<#MoKooatWG1NL_Z!Q0y}Yw^O})-&Up<h-ILJ4zsUS1=7Nl!VfavSb5+odbL!V+D
zW+6{`h390q-v`2q0{;bshobyNBsA%v0*iYSHS4cFdmN7R6Y!rHp8a?hYMokbW)N(|
z>1b<BPgF~S7LuEWhA54kIBNu6q64UzBrr57-*kk{@oQ6zs0iyvAMj&rNz>M+$`v7n
zWtp*s@!ofEh3D2p2u}HdtNGFH!H;f0@A)|$U^yM(5&6(B>WjT%6&|0}?-;;Q+D>8B
z0O{5BuOfg&=d4@qBj|a;GXd5b221Zj#nq&8XP#so7Xa6u3UiYjdp=0{c%KgFqVK<4
zc}KfC`#Ly<?EQIWmc9KJt*`*{m3K@J`MM*<lwkrN-R%aGcdvtcwHe(754A0Lt`03H
z0X&tan%~GGc6W}tx$a-HI1&mBXED8UyMh?>h5^FsR3M#MUUhd8r<ZK)IV?=XThX6N
zdHs{&#wq%CgnvHYQxm!De<&>09)R^O7c%!h>3CH4V&vrWQ@5~GTCGU&-Xo@aNda`)
z(o_x{@b=N#r2eQ)v_1EdMQbO^(ha$yF;>d~?txDif7=&X?A-A}{Z}WCJtFM!ITRVV
z_vvOiTI&T(jekL-U)sFfF`4yK2VA}tG;#VcCO$4NSJJ3kP5(jz!v-(S4X9#9E%6il
z%ent^+UfB~OdOl6K(h|5WZh;s3mD0AX_N79)x71D+5fn2@NLQ;GMOtgi2w==91Y!+
zd1P`YA`yaHU8MradquJFA&^UrVGxki&mVhBIa|@4JfP8^*;kC=|ClS81vHa=N40K<
zG;gkG&BntiS=LA}u;7&E_Zz)lE^X)xaf5WCGV`N!?PGePbhl%Yl`GA4lJcbFKDK{V
zCVvy5t^;_IRe>Q-6t}*KAQx`^KWz?-e!S8ZKrHDT-RQeQ{eOCt&w#Xe**aOWuNfD?
z|Gdya!77tPKBJID0?n(3!pM)&I-dzau&7nSS7J)lVD|Zyi}R(A1WoyFGMWYQF)cBG
zo3hA;^&Q;Bt$9}br(o7X^TwDM0O?V_W`hDB_nF@mXTKe5>1A6CLWYC5cTeN|42nzI
zi~gMmZHUZFypfSBv0$Irx8mijLPzyb3z<fLT$Sfk)se@Nu+RS@BF~x`u=4GE#_wMd
zEl<Ovp7&l2J4j|Kw3?-$+KpE75N<u!YyRl2J|fau`=9+M>;dA))zz2N9T~*nF4tiF
zAwK3Mn+9MFXiX<YCU}UwdA&aM%owoBu`DOlF`#JB50>b?7BXVDC-E2~u;!8Tc|9Tm
zz0|77|18Ma@7-P(oG%}?33n=ZI+UAF|Mu>&Sg)~7L=)XP<2E9?Mk6QMQYu&66(&Zz
zI@p7Bq`K<h3=1NilX@fk+xG2?=K0REagPigu^0Z6NlZ3>R^J&C3G^7g%6eYWc=%>P
z6n0HVhkHI=q#qZqx=ObfM_8pw&HOjICd^0XfSVd93W`CPgfr3=*SJ2@p4;1~rU*$&
zcq+2w&_<ix{Ll{nn*rx4JSbq62v)!i4=51BNIY!gc}i~DtE!qGJVO509ihNj&CHJ<
zl(wFKJ;N0bYQRO`$>K!vGCk~F67rk*zi6=_S&#clgHw3Yt&L_q6qtj{&ypozcT`;N
znxNVzTs9>>GBaJ1aIw*1uQ6!<lbswJIEsyPR{{b{FJq6|D{Oe2RaKRtY~-zb!^0sb
z#cy{(U^lLuNh(f%DqMdrkV>|eNK92v+W{dq?^=DU?-KP}%fiP|wl6dK;=uz>aYQx~
zMa^|k{HzMasz_OozSGrK$j8+jXb=U0N~lY$>OlZr4-=Hj*!2N!qS;Fn^SncW)cy;d
z$;*y`9@cQrxSmE5g8l;#1!YY}8kw}1oew*<L4M$(Ru`|VHwqQt+9a4HC-d27b)dM{
z|N705<fypT^}momGmqbV(*JNsq6-zM=p=fT_s2XV%2$nd2g;)Xe-ykC%6r&dd~H%}
z65nrSoQdbO^U;vwc3`$)iD3z)RdCg6j|TBCKFV*X|6MJT5m`wffmR=J_w-l1oe)nt
zu*j^&@<j3PZWcf2+X)t{0V8W9naL0?9*xQqQ(}W#ZQ51vv~^8~J*OlRxUm+wA%d2+
zmen9R2tu6IIKPZh4Y3h(v9}z}>CjNtTx&>2UOz9GFzQc*BQN%z|2z}22u45!Y^U1*
z{%Ig_ST4-sj&ypDgybNG)a2}`$xvE+8PI3L()o&nlBpZ=R`)os-$mVF(%%}|Tb5J-
z@58;YkeZ0^H=RU&RZ3<?iEOe{;JCTmMc60m@Rv;XR9?P5#$?}9fIGw{Ls|b}z8hbF
zUDFB`TKvie>pjWqM+ZA$;|GDhY`Epli?*rm5U7Cb+xR`8?>*e|VM6rP*M^++*rNny
zq>mnJEu_MhQfo34DiHW2<=>c+M!pk#QX;~6xPOmkRb}{uLqICj?P@1y{cxIuh28;i
zRg#s>^F{38V6yxGOYeA_rVwqXS@4>}$M@f|8cW}%Ja`_6)U4XITC!@Kz8bYl@KmC@
zcnT44jf-~zHGbOYB%v>{f0gosPr&tm+`Rx(-Qo7gDk$~6>lxQrUg%DnAV2Vajr}=l
z&+_l`F7Ca_!#@b>nr0ojD#EV19ThXe{H;E{;fJb@@lz2w>)%fjq>yJC0clMnW6fAI
zEl0D5{)OxCUkS3vvrjWBon2~_QA*SGv6>FFaJb2W7z<(o@uoAO;**}Mg^%l_5WLxr
zth%DhmqMxubE6UW566A_Th*phNbAm+;-_}s<r!;7>8Z5mUGz8XPrIt|F9JS|YuKEx
zn8|S1NzI;Hm(ZwDBaAXSK0XR7l-Algoo~v`)V=*^9h{%EHz>)aelie0VV3TlGd;I{
zi}la_AI_N~$d}9X{PR8!8RYY;v!!giaiZ()p--7K0!?fE<OgJaSyp>+QttI7O}4u^
zYl;NezM@BzUwobp{Y?pUIJff-oLXAhW56M<a#hf^y7tYFVe1TGmHzxnwH`xH>aa(b
zW(ExJF8K!KZmj+_|4I->b}C;Jqy)qnv(8%%j51$*p*y(fr9-?|6HT5+$H81!kk`Kw
z#F2PX+K4VFUgU!(sF%!z`(ILxrFN_O6XBP#-wqo`=N$AG%H~C7w@X{;iw+m`uX!{|
zZQ!tQcFcyWa(B&5xBuZs{;8XsppNVZj;K)>rIzpEkk6p`r<l^A!CA_Zcdb(r<$}j;
z^%k@y5|QmXVS-(m@IKF&fe)WV`9m|`+=GNXpmxWskNKps67bzmmO_%)2By_mx|sd2
z7-jfF+;<mO_9VHKQE-=4UDZmx;wK#F@a@j3W#AgKZ>n`@%6<0$fN9-daNBN}MZlL+
z=OIWu89%$Jj5!~90eF%VShoEU=;@Um_0pR=2}4Ov>hVKkcxTYiMrAz3UsI5)DS2Ge
zsy>7TdK*i4qRmccsZU<{x|D`z(CX?Hd!SM@%aY91(37mk*S$L9)#iabiy__2ySpN`
zNfMBV@8ynabJ{#*g2^8RQ>1;0W}_5zv4XR8W$)Ik6KwUcWi27S-<$Z<jl}OZN#Szu
z;mZkyBRId+5g@$(27Z!kn>BH5DIEF0BXEGa88^{=$r^H}E~c#SZz6w&n;K9##i-Cu
zBk1^=yqTonGvP6yV=$XIn<!H`TgA^uX(})6GH_(e8-FC+*dmK96L$>v>X@AJCdejW
z>>We6&=N2ZI3d(@l?k*d*sn-i=`CE+C@$GM1CP?HSvBgEgMT`n56sDHpIFd%y6OJL
z^q<hDgy;vCHDS}x_Sig>$#bxb9fKW}LA8K&4$`?=07Ek8BD(C7zku{fc~zdpCFhSJ
znM95(s^<m<actYwu#s7JD$hK3*otb#+-5S_ssk<(OeJ+*IIwj!tgu6Hkp<h_LG!ul
z)~0$-Mg~Z%l|%;zK|G?-(FN{FJ|eEKw+&vk_oY~?+-W_Bfx2FMq<L9X@4$^%oX2n4
zZy2|%ezt_+V2Ce%3M##O5aYAxR|>Iof9aD93I<#0y1g+mpZZ3A)Y#A+_V?c79I!}3
zvUg94Od;PBcF8&GUOfJAx^7_C#E{(SXtL@|{~m#Ig2o^ep`75>uUvZIYDEG+YiIU}
z8GM^}!b*7O`X&dSuyQ||w|o4+0KH+BocEsT$Fo>nYL4%6f8J?WeB6Cg`HJ#tV5BQr
z_A3!rn6T2A`0h}*QNOinR#ZjbuS<`t2_ulz;&=oXjppO256$HivrXFqF8HLl!QuSX
z=jjMsDWxYC`#8i2vr#&u;_WKpSgc6-$8bXYnIm3JB$HV8B;i)a;{*0*{-{b>h^r}|
zMBq;9m&%l0{ZiTA6WLR?VJY#}*k_rdgb=fa=!B!anwlz>ph6A9KcdxR?rhn8mm<r>
z5C=I55ZGUcsEhE<leSXdG2V<WxaWsY6m)Ln+vzz#76h-0*}6!hS=44Mjvzb3V)=~k
zPj#fcXl=1eijkDjjs`2|%3F<@eNxv)sah?6_zCe>r#wj@M2^H6&aC<t9ZnH+YC6}e
zv<jXnRgY|u20#bHxF+5z3*$DF)A#riL&zLXg}X1=so^U%y=X&X8>8cf3Fq<M#PJcH
zP-$jQ#!xWT$X>~5$?pa?UVgnI8_{+4d+-%G@u|-%l|Pu{K0cs2%4*`Fdii5N9>Pd0
zn<T)p4el`e5=9}pv3hMCkLNOg-4CW|;J=$KSv=*Xt3cZ{%<V?J<29G4HT3L?U>X^2
z074VG+jvIK&-`nR8Z&ErR*v#z+n*%0P{biyBs3iiR1^yJbHs|4{{H>j)AT$?VMmUZ
zAq0O^#cfwVzx(=Orc1q_&mFCQ7D7y<_p|EXPdtg$Yf9K#LJN+QWoOHSf<aWTZx86)
z+$_^u%ntjQa0lA9Qnc@sh@CIQ0o(>x;J?i`lSKg?%S<@K3bR<{ir?Q{P74Ab7ofil
zlX>>{aFT$`T1=p5FG&k&+UoVufu%DL?yu{0_RZx_*MJLo1n!5o|LbxC7HY>u-_gS-
zP;m23b{3OAUSC(b;@hel6S6&=uG<=^pOT8g`tSG1(UA5|OzcjzU92u%z4r4%sQx}S
zzn~URYF#VM3~XB>eq@^1?{~F$M)2tR@^rVf)Ek9h0V7gI2Xgo!y{T`c3+}^zAYnN3
zi`To~-#?g|3j9UccJ_;wHZ`^FJpa)zwch6QMwW}-HgoefpI?TLuKv)_Bh$!ky{us4
za|c+XBV@wO{P{vh(#!G?d;OI~-NnUa!SB#D(Dq@#Vap$ve<$qk?hvlg@{6FD<RD1?
z!c=)<JF4gDoG}k*^68uk*ce0ZAq82$IFgY56AEL{$}uZo$<sp8-w(q{v22>?dFzVe
z_^Q>c33@AU-#94Owp$P*1r@SFjs!X*Q8e1kk?-W(ecp;&nLRrr60$s)Mh5<yic7fk
z3tXWqzBzw#%aXP2-?AsRAokZn4b6&$Iit9VXubOSw`8V3hiLA18?Ei{r>EXB4GnZL
zOzhM&QXSaq%`TAjWgsc?!OcE!LMYPEIk#Lm9VlK`UXePm=O-%6df7>XJsJ$h90Ugw
zquYg0=>QSB_0YI8`X3()a*K!rc1aEb6ZvCf!f8{V_bkF6HOnhW6)GIB5_k!6CXs<)
zQ`nFhWPa%bO62n8#CkWN51vH+z&?v5O5HdT&v^N3<J7zRnY!eyXTphKXTi;Hf@``@
z&kYuvo0;CaTJQaqkj#ApC52z5Zme54u}%nAT5VXdog=U^+NhjOpIGWU975{l=J`Wx
zI8;T$#<%aa)Y7z+-QmF6GWc!m_=Axz*dOE)`|(cXpA{pX?I-xdP<JJf2i%0S$h+Ks
zV#gb%=j?9hOA5^4OGQc03%}*TIIfw1o9#S<ko*{11seH*{e$pF*Oo@C72(SK#9Aer
z+|kFu5b<7ms?%i`kGnNxWhPegw;o1j&X9&==IeKtR`s8h*XT_@lKb;)UmyEhlZ-JL
zqr$tA$l%f^?z7G~4n|~wDqZ2f3@Mt)inufi8^*TcuFKCPwMyKY&6D9LZ+=-H$30%V
zewL#ILHZL^?Y1mXUDr==Kho9o{neNTMLv)>yxMB^)1URxFO!pn3D_6@4N6xAI>eFH
zgrxGM8tWZ#`aZtDn;#rC&Je*Ny{FyXzg8y~7TC9c485~zWWb<BT_U;uo189#gPpwD
zvQ$fB^=X@&D!o#b+cQqguIH2dpVS>I{j>}mt)X|7No#7rsznoPrF<a^#Un^E0$|ic
zWD$u06lQ*tu`g;wy2(P3F^poRD+fnI6rXDqg?z9=v*vn0VzMH=Igv!8f=XCG^mQLp
z@rfTyNCk}G{GJxTdhh~Fv!H2}@C?;k=WwsM76>UwmK<E&mk9ckgjIqZJ5*0H17K+)
zbt<SUSI#cFP5nUmd{I#aNc=c05tv96K{ESLt0e$!%?yC{bC>5Ii2uw~d>ioFLYkt6
z$hL|DP?>aLd^C_a(~CAJ400}o|14nGvt9$e^&)ui<Dc>evA3~~6!&F#m~0qnUyZ_-
zFc0n-Kd$O|Pd9Bxs}x|;{?hw~{Zzie%U@9`giwVy7oHvdC5>D{XMTZjzqYt@EuDyH
zDVR<df@Gwbcp-SGEsT;-rb03(MjL%LzBYNxkSj02zF1qaqnjHPyS%^UL?|8s$H3D#
z2|&Fwv40W7FF}ou^V1}Za`lRA@v4Lm^WFwMOtjb<RaWNZyk|+lz+u_xd?`j8tAoVb
z5lu?WaNOPh1bgpaYWHO!h~&}xUP9270jB2@FECwGF#T-N{qZACP*5IRYDyi96KBNL
zj~Npuz4mFYotm5|YDY#5F4}={8LV9{dY(m=|Al$701_a_!cgwt+WTk8F@q8+(qCKP
zC<?I|iA*+Nn$w=E!4QOgt33NbZ^scr6k7X^u6r%!E(kpY>A&=ZAj?d}Y}fCg+&Q%;
z>)8Rz`8+8;Eg(@esH&A21ly(gZtUZby$_GH6r4Sq^R_pMccz9Qoo3(p*jGC?v5~PV
zCUbTt-v@H-zr)uGF(MyzK9pKNy8t7a&IV<?GJsS*4xsOu;`^2yz`A;W`0oT1ITvkL
zO-+S$s{7m6_D}#Bo;1MpE%|<o{t$U2<&yg;6q#{5;M4yfU^Q4K>TL#OxxesWq2utN
zN6(#?jSBl<4E1V1Eq0{VcB63>!hPF4hd)Le=tz}mD2)X|q!W$|SV1uJlcjPAFycV5
z!!Y!AdG-Z=nHd3}_@^Gw+^(0-Xa5WT74NM9Wyb&T=YJob?S3-9UXXmiY~qu1oF*8E
zzGz`IuZ|E5V^`+)(K6MH?Pz(-M>g)YeG;Cu$bD|sN`XBh=+)TwX&GT48Z&;qjT$uM
zydabQ^^_d@lAyQjvU$8s%EkRQ&$=Bt#Sccf08+B;R@0*3kP(NF0aD`FvHL@Fp8unp
zbw)MO&07J5G2dNvgJ5fOfe=QKjHo#(hM|6Va+Y~-4MPYyGV?JAW{celm#%M6#l+Gf
ze%+=v=L?{n11zAWqsZBwTd1^}SrYRtL{I#>u=-KSs!H^`8x3!T?`Zr@eyWlbR`N^=
z&JHX?aVuXd^^&LA-BEEbC-Z+9U^ArgY`RoPmq0FHIh5>5r+RmC{RdyRkl_rHn%}S5
zNSH55cQ0m`5B`y&P)Ej<JGtN6U%OcB+ZK^8D!sf~-43A%!^<6K8GrFsA%X2!F&G6i
z5iqazPdAu%Wk)~P=4G~#abe;bLvlUIi(ZDnix{5z$W@V$JRi!#>}R^I15Wy5yH-)p
zyP~b%Qh<z>w#fbO^TKcg=o>%w4!zPtVpIcotwi?^&1aH^{xI^qP$?>a!y*_!dTUn$
zkYB3+g;bFT&B9-q9!+}70(SxxecI~LhAxIRfB#o8vEwU7AW=vYomOy$LD<J=`y3Iw
zzdW}%2;uc?i8Kxc<&XjpMzzo?%itmWWeB!ASD(s*BwGW!@{`GnYDD-klw5&0!jRFj
z-~_B%xt$(bFU_HO-y~>k<2IJe+K+ZBz1AM~m$$daX#JN<JH!tv1RsG_>n}J4Cp34L
ztdedf;$GJNQV27R-%XT`F-|`$`i&I<7x*pVl{3W0XbhiBe%Ah=wQ`jTQRcFt6^*B(
zz>qvZ?}Yo=_4F4FO99q$c)ks*hULyI>f!z=Ps4jF!M;CLi{wc)TRh1bLRb{aWLr3x
z6OR)Fk^39X1`y;mU`3|Jdn`>{Q}K9Yt)k&B{j$R*jPzNuY4G_ct{K`AyOS@K3RZ$)
z59I829$%?)I=`_D9zh3pHvcz(`@pjHmY6{vwWRYK5G+<qa!`%$<;*o0K^m&5ckh43
zjr~8S>=(VTT8OT>fFh}4zkE0DE=`@~4|wZGi$#cyO4yQPovMG|Ik??RN6@nwN<h{3
zQLY9r5KNxk*@FhuE1{OXv;ajyVr#w|Ly-Ubpl)2%oCde6GN3SRVf<psz+c=TWrF8g
zI+U#6LMJF8=F#qg4qVP?Vc6L?WggR=Au4_y{edV7-}{S_%|#tZEbQ7Yw^8->2~?st
zPWKO&GfENsey7r!1Z^s@%&k6Od;*-XCL&-*-AS_t(B;9P7<&TbbvJh+5TeO_y_Urm
z3QP#wjPqg3H2D3y=PAKFq>x^Hi61&BP#_NOPc-zSF5hZNz1@*RUW!smTiulUHj*Os
zCKV02=m?qBjP>@U`TfWcYV=Fy>a<`YoHQ+B7Q!*7cib1jyyZqRVLpha!H^W{OZLZI
zB{e1)qy}$ye15rB!N)#Psjh7<I(7eCnW`tuEms#nQ1j4~S>gin=spe@XNJH#$SDU5
zzOLL=LF!K}9Gwc?eK<l+&kmnPQf_(3K;Np3zT6B!wNLW$eizkw*~jqn6BrS<&SEP5
zgvBl~uQ!gcQIBd-h}scBT^aPMn<`dMSq_?SDGkXFiZxIQ&OY`kqI1H-P*#QQZiMxn
zLazf#*q`z{)egNI>$bpmnom8&zvt*zIMbAB*JOORLc?C#R6ekOVI<kisz}=@i~OmI
z?O}oJo{KbxBnZt_9=xU6v~4T5m&T^m#ni+a#+0BEWu)(w&_j^T1S0YQy|8~va%*>y
zagBE#;myofPnHKFhX@lt=-EEoyRZC8m}%fqorC67PQNeX9qMT|9L{F@6|rWKm1=sN
zXvqkMyI0V_K$1JZSt#l&UaWCG<&{|PDQ)mX6kT^$RL~+x*y^bWmCQr&c55u8=hbF%
zctU3%I(V5^S;^ql+CS`=vZh(@lJ#3Q3ywME3z}|=-jO?{iCb3Z>%r0KcTf!og0^G?
v_K1&B(BU>Er9g81Q~~IyaBBECeM5j-qaO^~VITePA4C-;O~rBri?{y|?EL)u

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/MultiZone1A.png b/Shorewall-docs/images/MultiZone1A.png
new file mode 100755
index 0000000000000000000000000000000000000000..b374f705daaa72fc4e35c0c687b0cd9675dbf350
GIT binary patch
literal 13543
zcmb`uXH-*P@F*IZKwu$Ny7XQ`Q$VWpE+7z!5Q<pnMVf>zNRi%q6KO&K1(cEydNUvh
zC`gyyLTCvDxcU9>dTYJ+*8TF<dgsg8XZD^wv&+ovnKL`V)I=A^1_S^AKz%(ea{z!C
z0ss(|QjicJR!+Ki2rnXkb6pKUBZ^~(@Im_WvGHR7pgENa??guU=62CDHwFOS3IYI;
z?*M>H0w{7D00@u*0CpV#fJb=%0JBd~hnX?}Kmsr|ve5po4^mP91%QHrf|Qz+nt}pA
zOATNIP}5RVFj9~*GSbr0QZrKj_hO`Fp``_I11MNnC^#rs7#RWl1cDqaER59L)GRD4
zgc5+CA0Q6kXJMq}=H}pF;o#t)=I7_&=Aag*W)x=R=H}+-<^U)FD8$9Z2?YWZa)bgm
zKR>@Pp_w=bKpntMs1O&YmXi|}7N%CF<|ech76vFQ3yTX&5ej+$fVvdF6h8q>t4<40
zSLcwEqgGbtmy-jS0{9j9rKF@Nj3@wldcq0{)LL2q8-SdgoRor;l(Lk9f&#$Q6yOAq
zQkRlbmy=RgS5{W0u(VWHS69$eP$o2XvZU~&05~}T0s!iI>Uw&5fG~iTsh*LM5vivq
zAQtdiOPM;1+LX{qK!A~@C20bwsii3(8DME?2?z@VWCN668`;>{nA+Q0+FO!llLGPq
zmQI!lMhf=!_JCplbv891HWpA0DArSOB2cLUC<Fuml9OFsT>;tIfEGZ4z3J=MuSp5z
zHo$Ao*PaBT#l@}xuAaWW063t{QVURC?n@|FRRIPGEChIldG^}tg@l9vPyj$<V@OyC
zU<v?eX$cDpYk6&7<?BQ-MFD7Qn{qM&%mb3c0-~a#P_CwcB|ubc6aWs7B`~uINJvNk
z3=RSg35+BIFaQ7w1vm$!r>CRBJf-HPvI)%0&H`=$s3_m1FnhrKe13ku<)|fKX{k3k
zwlO=sxVV_*k|nz;o8^`Tu(?@YUS3>PoS%PNMPTyqQ0`m~m7k2tPp_-117I*q`B8xL
z^Tx);s;b+ms{EFg7QpRoTU#5du?p2#hiYl;=;%PTwZP%<?D_1qmU2`_TW@bK3f|E&
z)iMw77#tj2gSYhd-p=>JM@L6HW;+H^gQ(Hbs?91C3e`K`J2f@6gc{vM4bD$Z&CbsD
zZuSmt4zA5k&Cky-{rB9it*vctZXO;UVlbHV^Yh!=+m~Ge>HvVWt-jV{i(rR?;=7Lg
zb0L#Ms!D=z$Ni=O4ME`m(!-pF<k0d8N22DgxL;c48E5m>;9~oq-S;5Rt7uVwU8nWl
zXE;1o5#TlVsQ*?yuOqhb=!~O$efG6hD3$0=evO{rVMo;h?-Z45XylZ^*{Blqs5^f#
ze-U@GgkNa?awIVO`sH$0i0tx{<%{m4?xSS>q}~w*;f+4<xq!+2#_c%#@5KlqkB!5Z
zq>#U9*T)IjP1!Hi_^|X)oNnt%5_`vUn{80aJG$OR3b=-_MT(a`dLUg&<2Mr$Oc6W!
zQ-Tt%K(9m5$%_S+n<{n)AenW0DV)Hh5FSQR-FANLnjQ<!e&UMQJB^L)98w4eCEq)H
zI%uqE4aZ`J9sDv>j$x*{f=*a-G(9%_v^L^#gA|A5SW!gg!emR{G7TN%r(Sk;xX6^6
z9AkDxUg^_xy@^TFRK|QWw;HIvIm2;l?!*KN)wp#MN)u}}z9swROFa(X)_14iO0NCV
zuy4+(mMc?ETzhp(<6UF`Fk&hze5VPvJEnA<U3!@PC{uq$EZZpXz7eW1H}9SOQbCI0
z@pHeofe(v~&hP7?ybfd^&_<6g9k<e&J!Z@3(K<IA9UZtC)|YsqN#9&UB`eD`W`hgx
z(y<Jbq&*!}ZLFf<m$fbaQd(-<3T(`I9ZLhGevw!(zk%OhL8eR0pY)kcD8b`C0(I%6
z3bxhEMOj|Yupa+d88&^cz^hO9dAcW0hqq61vbXwe4_IXSVT+g6l+~r9?brua($MM2
z$e+3HF`m;V#-6hDTbz)eb#`Pr{yJt)A2f}NSbfoDv$gK2^UzDAo-oo%Z%c~)WVfCB
zmw2-PX5QgB|BF5cyv`RGnWghc_7gBmra03hu#NS*`PDuT#PW%n=#O!3b{j~=l*k*O
z=x=Vran3G4@;ECKda@c$X$5mvNu20Qng(0LHwTj+v$-r$ZyIgnn}T2E%#S~meKvXF
zh}#9%uxB)t#&Yu`Dwf~!GRT@<F4BM&k6W2a+X8yWl8QGeG)UUe`xAj}@m!k%5GGwJ
zi^-z&Fb;E_yp=a}KS-NfL?LGSB6%uX13<_|I+Bwuxw-Vd^rxnxPwr)M3SNdh#=60<
zbxueh)9w9KezBYDX96p>Kuc<EsU-hL*G$RWXJiA4wpb%(=s~}yxSeH@d$$fzL-Ds{
z&xVIh9M!z}L6IJpglQAY#%ihY0&lrZaxhfbb2rC;JW`NgPcCd17EWwWg0tOorNx=}
zH6Q+IB&<Hf%P&~C<A?`B3m%B%uv)Lr<DvJ|CQGH$H*<D1<E|TJ_Pw02Bw?pH%X7JY
z@Y?yr=)OycU&m(QNLIt%CzVQNRYRWg&BnC?P=b-@nrRNHtj0ARSq&?81MP$@7nZ<U
z6-RKyH9Ir@;E#Gyk0C3d5zInA1`mipcHV|P=UXtceLu$SPx58`hjD7y(IRFBCKa;|
zWDs^^v&2~|P){%ZG{~!X)Xf=7!CU}5dVJ}@aw7jerJ=~;?!#!9T<exaSY16^&!`Bw
zX0Iz}`T3e#2b&kpPdi#oNNE~kg3j2Oc^tsFO#$*GF@8^D`JN1dmCi0+6&SM<A<on6
zDvNq7s`$X2Ak;a}Mx%WBc_D(5zbFD6D{~mDqF#^<e_D<Pokq&E@;$!u`pL^O%;%(Z
zZZGc7+Gw&2`zPP&yxr^_*nOuXpDyfg7CbH%!)9za!|H1b{QRVM8i|DXCdvT5A)LtE
zXS=O--YzE}F8=h^oi${ymD@M*VKab2^!7J@WJ*e&$dpXV&5%L7prI4}$|D??7yDB;
z4}W0@3vG`xxvyXS*YL~kd}R{ZAEWvcOA}1G{2=+}Qs&$)^gHFV5K*Ay_}A*7ckJ%I
z@Mm#?%2~RKMPop_BA9}j*WDq8^o7<V+KRi?Umrpai7)QEfqpTLlb~%<Y7^+PBfQHF
zUm2cQs{WH{F}TiqEqchg=EQHeJnb^|bgx4ujO3as*tP&RpwIT5-0J;Af>%%dM=|%}
z;%E??@M!UAIH_@{*B*M73#xV}xHy#({_6P;`^h5NFt<2xn*;@Xb6AzmUsIDm%0=T^
z+ve=Ec$b=@*6ccn8o1*?R`W*{P{3XLz0ZeM)nXS|>faJw5E%BRHd8+0y&BnzkKHZ4
z3E_$v{<mU@Cn#<@;Y4}FPSiek7f*`$rElUn_4DABuHno$$a+WGL|ov*DB@ZkY)r<_
zPy4(*qbw2-4js9W=^DXc&dO$*k10>#n~sGVAG;^x=w;KNiuJvc|DIsr^+)md7%c-y
zf3YUzUyAMo1LBXD53D@mB{W=~JJB4J_^0>)DZM5IL(4bnGpmt&>33d=&Zsz;;Mh{s
zo!R0`JoxDjY<RAk>g<TdwJY-SSc@`Ll$%>3&1$dNzGxPxrx|NK{;_)AM4aUO;t!Po
z<k<k+BDN=+ShinGMEVtI=yLBDX_O;HrjPZX#^;Y0IlK<}k$1w!>4JbFEtz#U=7_<4
z+C18~?`M)_`6y=lRK(zz0at}gA+i_o;LSLeZr?XfTuhR2e8Xhm_I+Nf6vkdK<6oJ5
z6XYg?*#XLTm*&wsWz5q7$|DnBphamZ^dLY+rMgU1X+jgz@qRG)x~KHOwIl86ZGA;h
zMUzWzi>sFF*bES2_O+^?ddm2k?zf@sqNw^n>NZF@gH)oeY%+u%_hzf7`Xn2q8j~+0
zFJ@zmzKm647Kg~DP2KG@;?}z4n+K3uneH;LfPZku*A;HKpE9dbWC1h1-!~QPJ?4V`
zg5YC`8C!csYWk>QUx-d()3<f+(Y77&=A<*u-0~vm)f#}=n{)SPZg-JH4_rH6f4%l5
zZM&LzsE<?1jyRI6{4k=`WVz|`xIo$=;(!@-XMB!>^&v6q&l**hL>pc@O78fys^f{e
z8ek=C(-E35RB#Qf3a<P<tk2ovfXN>JlAzKwU)9zl=^D=C(iQ%XdE(9w<`j1xj~)eH
z-biTye5016qhXWN@97|-8FrnN87a!EOqfvG5gDYI<ieepQ&9w1`65fASh+nFH}mJu
zfU?Jw<p+Om?R81&-iOLn_<OsrDnIEOe^{4aQV2cYK+tC0#;Wl9e0FrCu)VV&i$CNM
z7_JhoxvvoKe8R9jqZKdcSJ2DcNGg3p5qzWYD5_4=3@`TtH*dF}ow4)h&&WR{miNj5
z5_SCT;kP^wLz;?|wgL7QFg*V#U?cep2ywj?vu4<8Ro5cj>_AnQP$=6T@GU`6H#7MT
z_`xaSe5yDz+bCu2W6Peg<D}HHnxcZwzYm>1$qqER3iVlv*A;Y}gO`GF2UJnGi>xJ6
z^vnmWZQH{168lf=<mjV;z^xL8Sw`3wuw+*lkHW2Lu#YgzdIGGt*k2fxE35yBa5C?G
zkuvv33=zbmep_Nbj|A7RCpk^~<n|tKogM`H$R6Jd?#6dU=1xKau9m%<J=hNK@<`e(
zCXr{8dc-ob=pvbG#@Mbc_kmMg-}p!VonC*8>5k!iGjJbNj&Q@y?|E7<jzmF?pNQPO
zLwEO6kC-FeA*A>R0@JCwn`{zsAm8oFKTg)Hou~inzF;i(VQjL?%6apx%|p2L9+zV8
zY`6pjiC+w@tsS4oL^#Ec6s^nCIxJfqKVtWQW@j_cUV7o!?oNn>;~nPRoH-(nfm06J
z+M&hWw7>DRR^p$#nr4GW<{mCQ*P(qoeEa~qq(3@-@pc_3lOhUXUZQyzJ~2w=9+nIB
z{Ti0w(kLo)*%1+0>wY`P^e<EdY9D;%iUiLf=HT~-yP@n$(W&>Qp#QLg-h6W<XtH23
z<?!b-x}VSNcR*fqHIMjb5dZEb_4Knx#6JriXYMsbTP8p8>F8hLvG*x}0LN7iW3e6R
z_f0p1iq$cMTF}<JZ%WhEN-aZFJ1{Em+qM-$_S-e7+htA%RS_v*S0qR(r3r4j4Rgbn
zWEyd_8@-;m(2UBj_Ip)vuKh2R67FMU!m4)3g+9;V7;T$egXUl)yVRT5oKdcR0YY{k
z{VarHQTNi_LD(q_(`b8!w9d0B^e#e6!>KMS9(n5q_+qeuJ@>Y%IA6ZgB?ZyJadx(J
z6-IKo<xd$EC`>GGDu*MM2Nw<<#NQ5mmRz?V_zJCxYT$iTA(B(e0fyJ2V@VkDK$Z9u
z*Wc+C!j|%DDE$KWcR8>$_`MvIdQOh)E0rhG4=uGWlc0$_>k3s1CH;@G*9(CVphHit
zQ@F0q#9Y=ddZ;hjN)E(m<;iYwM~2yu-x-bil|`z?AdTfW77@K8QfSbuzhR0sKd$?6
zBy22T&fZe=WIzU2ku||@9=~S63!6!Int^PPgzL2*drq+on^SXedr&rqeTdpI7+L|?
zzS0lRaLyfljICR-%v^3}H+21^ZYcsCn96@gYQiEl3xvk{oyM1yNu>=t(ivJGBQWux
zHx}!{e?Iv+!X@#N=iQUMQeok`z;27TtUdzgz6LqVmOXA{aO`ive)2F~x(9c@#3#jp
zBJ1P7CTXzl&eaEaZ+ts|K0F~Qn5m10Q6b3p5EKp%aGWa(kBKa8&Jgtd&E912Z-0v?
zss0K(Jk2uU9$`j`Tb(kaTa(@gYqgjA*>*ge%-%tK9@-N}ld-k}A#PGe_N7lPxKUpP
zA>@T>uZQynuVdP>B!{>^i$1BnVFrfqtjEt7)X@WER}8DWQN)myP~@dX^7+*G-PKiL
z(S{mCAk80xavL#IqtF3*fe@0bi`N{b+)!8N5Je$m{De`&;yK@?MT)mW)HmkUF>VB3
zdR!o8@`V^i`@siqlU`x*2s&qaX`gS%q12JzcZX16Y$;ZnrL@)27){?Q{C4WiK%u+2
zVmO2Lf%JbniQT;8Thu0r-xOoNP};F4=dGAl2xn^q86%DA$1kk#IrE@5pfEhP>@@XO
zLUI{9_)_ia&%6Z<N2@NBbt}jNFrfE7>W97HiRNn==`245wbM)H)L%KBZ+B^I?mIR_
zEQbaBFvceukFpgke_|PsuRhOk1(KIu&SIw2Zts4>U)(-6ovQL%>Cy7Rae|g`rX6kl
z^a1b1?>5b*4(%0$u3UFqu*~$uVIMJK8*P5c1lXnbBCFwA5|B#^n*HD8Im^dun$vfc
zzt(Y0-MdrmPV*c3yrI-&PX61?WKs?r^)b`@DqorAEk?!;<%X@(-{6LlWi21$-<MpW
z`<ahWI~za#Q!9LMAb9zSL;DN!ND%0DP)wsY#jk3T|8Vm`l9h+6vHfaf5S8Zt4Ih2F
z$UT#P_xrlo(|UmCX)zBZcD(N)6h~iDBmR+BwL#_XytdeRYpuH}sqm|XspG1C?z&oz
zf}VFrI8LggFia_Lx$3e1BVOw>y21w%j300vmk#xwmg*5WnX8(0!waNVk?QeAxp(b`
zA<)<IsiK@OX!%4bE&?y8>=k-rLW31me$m>HSPHGmm2I|mV~)*m)PfgA-)*|@q^Ls1
z^;8=hzizm_p!|6!%ZGYuZ*6t<nhh>W_sdQ6z2N8F(D0%6(_DfNcdk2Z#0;;qwaJt`
zY^=JgX60ugvET-3e)Psz=SAA6fw~ry<eue$Aief?Qm(}9SAsdi&mA=+!A6Enssic5
z%+t;G6v~@;pC0^beGAdk2ibf*_>?*Cx0u(xa}3q3pRF-7KY^}IQntcx@=mgAS*5q#
z3(x^)I_|eixoDMDs;_hfw2!$Q&6sSnh{Y%-r`}b(dlqi$sMysH)FDy*qkETu3NwYk
z!@l7sZoz*dYYRr{9K(mk-`_W_Fqu%*nP4`vqcnu;NCXs8LSiqvofX4RQ$YbTsXaMS
z#83Hy%`{vSp98r}%9*6&%-*!0V}3vV^2I&G(^t7{+z^3}@Wo}`R(|eP3@tAheO$Qg
z6rh>42S#8gizgToOq6?u=ica6Os4C-`3Ia{OgPjCY;y5AwI)8by{G!ZpL5X)IQ{_^
ziWnz?yjqpcdIN-{eT+%;zT6X8ap$j<ApdIkon{-(mOqnYD}HuN`7ZBac8m<74|5co
z0ei{Ssn6Q7!^e1jek?Z&`O~}e^DL#I_YE(Vnl3q&9cS#}N$golwCwfS?=6KDD%xn`
zK~orFm|jd_Kl7%gIn}k;&2IYGGPNo&ye5%Ze*?SG!4%&?LLR_f2*t_<Ee0(wx0Gsr
z7!;_HBh?%RFI7)NHcvF`V^dzEkJ=fp^2l0xIQNDFnSqrn8Byjjspd4t+0w;N6WRNZ
zex6x+PsYojkGhL0>+vDZnKiActY2HYN$=;Dz`EX9>ENmn%4djE=+09`4~)|Je<Xuf
zb`laUU++Cyxe?vmqX<@c3r7{E5uJSK$(_9&4eYx$t;NKuI$dY$vyaPW<QT6t^I@yn
z2L~pwTCp$@$~A_B-;92QBS^+H{l7;&STn0x=5GPt+)&llWtyP_Y**HqqfW)kkAr{)
zR|@!#&0%uv%+8$&XW+KUV(oR^6=1kxaSbLrPx3iZb?vw&ztnXWZV8~qVg$ld=?{Ec
zt~-T?vq#GQUNJf(W$2PGX_NnR&8o~c6q0#G{XM-rU%P_AqBTeDnDRLXK{I|nQQGb>
z9+}%xZA|%ndebccp=2!8W7O&NUy0u6Dc5yS!P_YSjgV>yhgyw3aQ5=y(cDJ`51Lbp
z;9bQg{DG~?<NLpMU>z1Tdw7~ouZ$xR+$E-aH{O`5wCP_GPtE9Pt}(PX7w6eQz8fJ?
zy2-WoR8jmyN%$x;0~UKxcW-Cdm(9a^OTY%#@zXh-$F_8RmF?arIqS0rcaMxK5!C;i
zL$ACHShkXGwn)B`#QK3~sOm{8v^@Z?I=+YK`g&~%zv<!5?t6sjvxBGLGcTO8%ehnw
z>SRiBm#j&vd`q`unp}B@ig&<cW34<h*y~c3kA5s0LC}pCZD8Q!E^O-vuR!yf=9)S=
zM9zNBZIH7v?5iI_3KD+sj-5m26By&?Qnrg<=lT!r9{~-d?`|{^nM2?R(#^p5yY~v_
z*OOZn(hqG&mQsm*QMbQQO5+|*zS25+{<#Ksxu!Xx+>E*GyG;RtO3!j<_WAyBP3Hnw
z7BbK3+j5WioyLzGhmszuM%~*~K4IPYw6%@K<idnXo6v{Z*I>=UmDShVu@Z<rA_r<{
zgR(CuOtQe{zU@nxFZ-tx%{wz{r_(vX>DOVJdn=(kOJhbjP7}2As{6*+`N@hK@Qd<1
z`;m-SA9w2Psk7{CFde+>)EwXPCT0HY&ALbqo<=uV`q-5Zd@%Roh&Az)U4HGKisrqO
z1;1cU=o8s#R*X{7Dw7-}h?6EBR1n6`xs$3>`mfeSzjS$(7FLFnnRYMPgEbwhn|%nS
z{1yk=!>17YJ8J9*20){c3L2KODbed=xdK>+(ODb2rOWKEI8I1H^I-R{PAUn=s$ANA
z#8d`BP1O2+gp~Gu>JFa#AD~d+)JD*^9<i>QTn+=0oz?kQ&yl;>sqQ*Wn~0-3FxnF)
z9TFQi|IOC?V#~2yv+(y~UD2C+Lq?d<E-tk=nSO&-c|nqBMjYoM8dw0kA_OE)V_;L|
zlLuyptFwxE8Y=%C1tgDwvJlJ~e_yGeti>5V&f`Ss?;4XET>1XEd{K{i*QJ-J_oK><
zF=0gC1BdcWF%RJQ!f&_aFuBnqtYx*?mFP9m5IE)(@m%p4p{BN+?UvAV9ekTOT@#js
z76|RI9%aw`*TwV%Y?9_>y%_`@AnEG$<Z}HpJ!6jgiC!~OGY5XgDE+;1*lyJH<XXMa
z_>$84doP$-(Z53iqtt~IJB5a*ZDKT-o7<an|GKD+oKv6RX;S|iQfHPut^3y4bv#T|
zQfKNtBGe8UVqgAuZ_KLj6OPm2zZGjQ+%Meaf?(W4Nu8jnTdkJ(9~dR&zIrljMmtnm
z!ogj*{@g%+@UzuCD*s<l@O!WrT7Wqd&cbZV)6tllT4}t87aqiM-d~%chmM5mtDV!G
zYOd&bq6E83?$tdTkV5nscH!6Dd;2G3P7p8lGuT+~O|Ic}!~Sp`of(p0jsLub&LRv6
zVy0lSA+`VM$uUTlV;t+;Gt^c`1Zn9iR{r{ob@fOh)nB=W1Jbx%-#wryqUPE8IQ;#I
zMM}=5VNTGXlG4ymFZ4+8R&a)AF3+u;Uf7sj_qu0yOig9XF-kvTxzCQU4QqW*LE#g{
zH@$v;?R1>SVsy~1F;H(|4x-ccc2nJUyoLR@F9CZ;-GgJG+p!NYJMm>@clXO0QI`23
z+drY-^c&@^Ya6m2k;pB!LPJu(lTdw&ci-x@2AJC!mP=q}t-Xji(9yA*4ZQ2Gz}!=^
z&5d*4HqPmj4H5^5F=p6KyQ(<v*D|A_T(00&Nl3VOb;}I%Ig>IpB>Q^c%}qDxKPa@Z
znC4gKTr$@+vOWN}CX4I4Vx%#Yuxd>O|E=~z(?T|0;D=vgba9T6NJ>xq9^yLf%7O-&
zdqYXeMp@<)S7tD2Ki>#Xo2_P2Cz??6`-u1#8O90hCBC2>+g-@4o)hWV`e@JumH4|R
z`NkmNp(T__r9QHlGxV6W0lpvluS2H^+U=*r#B(TWb}~>%yrA}PK?5{bq~KYWja!pY
z%1{d1Wfc7pBJl&fa+6Zk6a2LL{^W*Tctb+$`k3ly%g{o8N2Xp=d1z2rm1<|z88dii
z5s6YZCs}K8PC6M#Hw|sKPs|vbwkraKJ2N_XH;htxHlV<YheyC5Tj`_zm}1t7gWQF;
zNX!}D{!qit;^osJ1p3Rurb|SkkL^&|P%6WP8QoeVJv$_70>|q1F3pzUzUvjnNc4Vd
zPLVb@_Y>4{VNGhTC^E2_p`KO6)F7VE*}Xfcwm+Qw!gb-|4`Ney+v_)HwaD3UHFWzm
zooH@m!cPjBO?@l2foi{B6fmbAl2-VG%9&MAlni2#>K;;5SD-JD_wdbyWP@*bAcWvF
zo`T)@=*C9Sd=CZ2^5y=9v)v94cZx_=L{_XM(G<OIQ?s+LWHFHkqQ8n(_cCJ;&dsM5
zuQf**<(*$Ea>WdAO5^!JLsJ9JI-`{EZFIDn<<Q<9<9cGtWieA@o2V&1)D#>K`WGXR
zHacq9DO1w|r4Ik+>_?~cvZrDak|hHY;zXfp;C71NwL@wP+`Nj_UV<Mei4pu%?NzGR
z0c*!3hEgU)2GvtCcu0=nz=nuETKg7#5z2XNR^_ss5Bx_3`k1MQyrc@XrhJx@zLdC;
z^YgChMYFYYqUQD4_xnNRPwT$0uGf!}NK|uJD@br|WW_L2qR@3)hAFE^a$9Tmh4}2i
zRr2V&2m5_IkcsoBgayfvh5y4)oJe`uaOLWOruGcY{TJ;WW6u1}&-PApi!@dnIEaB?
zS=6)DNemgGKm1>Dg%BinNGN~JapQR2o>qtzqM$g!?r`VQT|Q^n2#Gbz$rYe@`qAl^
zu(#f8g*)Ui=%a|10?n;uZ~6TFEw_(59J`?4=p_BP0Y-rs;~3^pR^sC-hZkWlVUf>f
zhilT8l(7!~G(|G?NS?Ofy<RYXwc51D2JiuC{^;DH=@tXo)rHNSXsY302B)saEMfMZ
zKaLjNF%GWYxQzDD+OV2~Z$IPxl}ru>Hh}CtBjiEVof}D%unbK&{KB2+Sm3C7XOsRy
zC^XrB<Xm^Vjb@4K!h6oQgxi0FncaZ~cew;}B?QHCz)H*q-Aw}~{?l!L^`%X$Ki2j$
z2$@{1rGRw0ijD~ZnBm+mwUFV#!HxAyD=I;Q_4ghxNIcklL=Epx_zy6PIiz4Ug2_gh
zJ!DnrArEGpHfA*2V1<A5ZT2G^9NN4ib<K;;Mu3p<V8vCcbtZ8LZL3LpGP@TIT>eka
zCsvnDU78ejl)`~gTk^ErictZ+cq1AV*k#Z;XFZfkO0dcq8`m4y@?%R*m(cnh6iR!(
z>fO~?_ZjfRSI!ErNHwdX(_uvj4ca-j-ohLWECB`QD2?r4qn^_vPF$4p_xFupGFt6*
zz!jCWvM7?`omRA`qccgd3!HeMo(Ebk1V(KgE2-t2ggk8fHADk+gqIOrIn^?dA#sW(
zIN&{4-0{HoQ|wWRCY*TC5Ivx#KdAC%aIWu3qdV1?Ij{Zro%v^w+px9yO23<{n0zib
zD-q0sw=VSh3wuYaz|tLth2y241NHkf%0<ncs*1mp3MX6V&#jqYxi_Cyk|1%P-)_dk
zs+GWCu>beg*4D9H5Dez+;o;#a0e^H8yuax(*6H!VzF75*|Hbhiu)p0TP`GI<w|wTA
zWP3-!jh1$3ch>D*H0<8`-oq}Itu`RU4h-8oVV@o;T+iIginq5@4wQPB@nZ|-(B0vR
zn#1K{+>t-j9#*q_KWKHi7P#Ii4c}_N`SNi~3?j_fvh(d%DD>@OVvGCUSmsDu8*(RE
zgU7p%5N5+({3ZUUi>LadyQ8!$z3Co$HQ%~l2!dnd`8jtF!uIpmGi&gL^2cf;Pn1s*
zme@bGy+@p{6|&E@wYPiXdV?w9wyCh?Xy=azTFCPC*|LZO0{*2W^khID@(B1W>|g+f
zoS3d&J&71ag1zB5-2rzwC|wsRq+ww00@irH=VmVI?NvPX^7__V3wp5sdH?X>p!)=+
zgt!?Jz<zJPfZSY2a&(7ZyCa@{Tr)%(qG$Y|Gbvon5vh341oo1pzdQb%{<7ZY*zY_X
zUi~<N3<)M9#7+yCq+YHMIb!S9vb+7`RE4HOZcM)b)7QiO$LG{6l3gBNHAg&7ol9Iv
z;#(>@eo#P0QhSenc=`7v7IM31%zk_G<7gKjO3}F1)ct8@-x;<RD!nFvU84ZKznN>3
z)VRynTkIZNzxTcMtiB(CxD(p6a=adteZ0<<JB&R}4IIH9Ke8}gV_?tq&*d3UWDC)q
z+xK0Y|3c`)EgU}RR7Al|WYB4Ve7^6nK-~WodLRl#=H|gvR3Nd*tz$S&s3bIIEZ~>8
zo9e|n3QZ4vpa#*o33Ix7RImUqL3FjHFI%1Fl0o!VJ)bR*v;-zDgv8)<<DV!@I*3KX
zd@!-=kh!$v&}wVz_t{K#c4W^*f=r>7GZ05cm?vb>7ExrkEXqC5YWI#(Zyo2^%be++
zs!P<1*rJendDCqPU7J6%-`9<@)p$W8(eabfXA-!el&DWS;3|C^k8>U(NDG|<&2?xe
z7JPhpC~0LoNT%GpSiBc_k{S;pC+vvc39u`k;!wp}SA*@6i~~P^T)A_}u`)*K5Dl|h
z8+(g?^<8z#<-c)J!oMDa{I56kLMd-cgt|B`A??P5=gE`G{-3!HZz-KG?Cd(u7%Z=b
zYY;v%VqcY29y|zUAN!d0;zsWSmm=@@PwX+y&a3NS$?ZFlME}vDO3C-njT27m?(V*L
zEZ^dh=HAE>*z@eud)7^kR!cI-57gY~Xy1+jh6N`et9bLPyl|mpbbIT)$J)h0uI!Gk
z7o6uD`?Oj}_VOMln=ak$8inL`BHy)ZPp-xvJ$&5K^!HtSr6T0}N#&CPZv~c!-BV{^
z9Zg>y6O-U6vu?cNzrE^)_QaG_c-ErE$pRC+L^KUIl>F?@2cCc7zZu`dbK{r&`|s^0
zYQjI;SI!BgoGu4-zFFrp9ehFv1&^e-RCae4XS|sUyVfl!aU9NZ4eEV&vlcH6!J6j<
zhY^oX(mnIKl`h*23AE-Y;=#Jn!M}R^-Krm*G7~1`b10e`{;H;c_m0n@X+`_|A1F{<
z52R0$>?dyBfaU08>C@eovUISI=K9jewHlh-M1j{#+-iZjm=c)qy&%NLImdS}R(-Uq
zP`Xdp5i>+~iWdD<O8MQlNAh2Yp+vSqRhbl>nVLe<o??AiNNUm~go9_786qSAaHsHa
zC3Ub-VkCmA2mR2ldUZQ$#80gAhUn%XLF=A!9901WG`0XnfjPRX+hb&+*H`wD_q`aD
z?usHFnR*{PiSR>(5>x`m>P8q|RaBdoP6YV8fg^?c?MihW!NZl+`_fR9D4quC0%=6}
zlIE$MH>>#pcZBzMNuHr^J6}-Pt@!f*h#o_GQVB^aDiATVf7Y*Y9oJ0Ru*~!XRtqS*
z5s<Ja=Ze;5W5Ra{za7uPf{fP>gm@MMchQRF2!*vCSR>Yj3n?1yji4oZ63!A%q<edw
zAdG$>^w<$0B-0#?Wq{%YEC}vs5$t}vZW%q<R=6NA<z8Y8XUgB;D<9Hi&UA;ECeq87
zcR11I6jv-S;HN#}H57}O#B-{M9`i<StQ#j>)O4|NeT=-p($gF*fW<IKA#+#$lO>Yy
zzybf;rFR@oT-RB=2u~_FHrtrxtsoW{!-(r9M=~Q?C^aXjv6oC)R+|CeH~byiYrcYy
zjuMXfbRF5y4^G1(7OpTQT&Hm3Uu&VNVDh|`ByV^M)NT3-69&2X532Uoia^LDz+QS1
z5)CRLn|&U}0DX|(Q}DSn8YakKof!Z|&pan~Z#e|Q3yd6%XYG;TOv=wA9b#BFnWzUg
zL1YkP!6w1IMi+Q^jD*AG{Wh#<z#cDrRNlt~_x9jO_BcS_xekuIKfn8*{&{d4^qR8g
z42~LR4hZ<)qm(BJKS$MuF<y>6seM=Ni3A5fA6YM^fCpz81Yh!FfvMslT?|O(RCCHF
zrKFJ6bb-_$UhJBg=;}`9ikNcCzhe_ph_Zozau_`{RyRj^DPbi^m(bCZXc&4pV@Qb(
zdMuocKGjDv-M7I63q^zOSJ9WK5>yeN;r$~m^gyLW@3heWnWzEWp%5lgdW)Rr%PB?h
zOIw!0U^hp}C)rvzw5b-BS6TyeVDIi*WB~?Q=$2|7e#1`x^o)G3K4K-tQ0E;byr2{Y
zg36qXJb_4TkK(@FeECs5=4muTWgd3+cUhL$2t9KO{h@~adpF{&|N3oD^j3Y-S(M=!
z+y7K7p6qfi&;P~uRxfVD&OW+dTM8>*)DYIMU^n#TQ3L^R1Qz`a5in7Ak51=$KnIK*
zR=o!Vdp9hfYi)zz317DM@=qJAJ@NSU<js0Cc4AIM3JLyl60j#MZ3sbBu0p#n&5+E?
z3NvRYtBCGEwTG#uZ|+QustP_b6=6g%>*)Rfx(trKVEe#T-VqhWc$wtA;(@!IT5lKa
zYpb-i{*2ufWcpH>0~Pp<6NQ#Zj*4R4{NN@ZYC?U(L>qXbqhVS@r`wJdp&h0y#{4a@
z$mvBzEcCPKFhBitEHdRWRnLbr@G25#OCs_gV))u`&P1aC8n^%?;pfkv)7B9I-VH&F
zI^<M)i+hVPe>`*p>-j?Aq4jCQj78h9x8xA?%s;5gBfr$%Ij~yo45ax)(DnPI{RWk|
z0I&O-uPz-*cK^jphgvGp0nW6?0W+VIPXsT;>@RjD2s`-X?C0rSF~aQEth!&Pe{)j&
zoi4t84LkI>ke+<G#RS)phLkNu!p^Wrn)Me(9@YQNJ4Zj5%b0y$S9bX|?O%y(n9Fa(
z5sIcnlJSl|6Z{iV$<H0)Z5ajX8P?G!VGdZx5AD1I?D12+T?bU@tq72wR*GLW{YOBg
z{ktbNQhAF*lL(tho641)Afc69uYZx!n5sB~x-818VR`R1XtGL3ri@r+(i7_)5RiIC
z^aFJ9wqOzhJ+W9&vV({3aQ&_PoD}jVhnPdhk)?jw>>}q*IRd-+BL`;K9)3w`#wPFi
zpa3>jCnmhlw`|e;8FH<6$!A>zTYM75T(3Fs2~mQxk-q&c?kIBobp}%ClA7r%UHWLr
z2fn)qIt~v)g%GyS6z46QL>cyy+|5dleR}Xy+V5Y*Q6Y@b2P%+4wPXLgH&dJKs(vLp
zVa-H+ETzGCs(?*1^b8&vwpVg;cgcUx-y#?{GB=SC@amFxFcnJj!kbH8K4QH@NLTjL
z)7VSUeb(~NdUZd+rD1<52nRFlpy8)gcYpu=O0IJ8_VBb8-dY{V^-mD%E0{47ER2<5
zY*<A`T?$~Vgk-Il&(r;je$VMnSH`-_5cgTz6ZEDtu{nCiqetpI7j;|lGLDXAa91Nj
zI<b9~kU#`veq5u(jRm#_vxoaf!{U;-e{s@6V{N;D2t_2gPn&j^hLGbZu@tvlv{Jvy
zOA$a$3Ms$m-REtBp7Ei3*Fh2uGfiq=l^4RgeWTD=Btn8~1{TnT1XcNrwEQq~MeNs_
zC-w&=oJ}&?G)NuI<aYcJze)OkB#SP9f%3b^e?2Eta|vj^f&XzlEdX5_(R#ZjUK3#j
zP0$1F(1PxuXxNKf?&WJ{=&?lUi=*O|`ac50LAPWO=veiiPy!o)l$gZ`g8X7$pDz(q
zjeRuq0`mVv4eAFkYs-E2_bqc*zpgs^@S<aDo8`vm6XD;f&E}Lkc$q32Hq_CPA__Vc
zG)}u~f3mGvl`l(@HLdF$E)0bN^|q72h6iCncjk$TaOY7Bx(oH{Md?yjBnP@r-UJXi
z9M}up;m=0E&l!X+=cRN0jW-5TTX#0*Cms0kS`rdHlVOHo2YH}=)Mi2;w(72kn7-4C
zlbUz9g4`AR{oMHp_3U<951`rh_6wy)BnDj3EmYSE(^c-DsN_wal0ux;>${K0#=%N0
z(afu051L%GbidIYRB3HbSdf&4riP<p;v`QzyCjg5UE_`a%DcAw$}k~P2-IJ5K`HRo
zUEhh)g2CLhe~#FIu^O0$ghu5Ce5DFg1SLmFsMJ~NBuWbyl{|*l-eZuLT@EJ%BgE8E
zd(9_RyP_U*gYmE`@_6*joT^mhVhw|N=Tb47sr9p79e+ykJ?#OgGtIJwj^#E8g)HAM
z@rOI4rP-z05O;l5UU4}%C@adL6`lG$)iqn%8$;}uGdjoOJFF*50%%-GG7s+p`=jPI
zsqF1Z^yau3s;Pu%uVWKPmbnUb_75_r-uLh+I9(~E#!&<Z>lY|at0KO>`RY!oL&m6$
zy?`=oMuYgTlV1G})|m<cC*E4FQn`y&Y)J))I;?b+L((HsfuE+v69O$hj#AF15iHy&
zGmT^!ay8$;$M7*xrF2|g2-V++&sn0EhRne|k{mVPLi#HjS)I6WgK-@}sIxg%biIjQ
zSy2zU=0=0@K$7_zOYod>V5cKR)0;brR?MA}(XtOCcYD9J+`S1Ug0n@IuLGtcvR}|v
zMT6WZG4?+xAry=rzvnvvuq0Y)?G5Kx&^wwb&x3x6(DHiDE644xMCQyX>jp2&D1FA$
zMm|4`L9sHNX#UTN2|;Z_wUFUrc#y5W{HKzYdg+O7%SM7pVbYi1R3(EXha5KeSrU?H
z^g5(32nJ)^-#fb=2)EUqO8))?33e$7t$${To)OLP8V>`)*-rl2ZPXE5iu5-whfmQn
zd0R`OU?ym5;zxG>(rDPA@`cs+x|MoM{>8j2f<D{)-abn302+9A2LD$7zesbQ#QMpJ
zy54W7hk13%&5|4Li&3WLW-S_(o!coekY<mzOXfaJI{TTt8h2iof}48b!IeE91ro?*
zr+@KtC{W+{=eBvqZPZ7Bq6LaS$)jz=lB?0vWRR~JUPdY)EL$2{(3iQ>QHTLs&FP(V
zV#VdOZJukfVYo^uRXK)g+j@eYVexte+a-dWWViv29emwxZtV`@#q^x_>Noc2mkN6e
zd9fAQZ(MdmdcY7@cg3vLh-Qris$jA2QHH@WAkQ6M%H@+VM-kt;pk;b|qMwL<3qLNI
zkkHN62RyJ;S)tk!dFCiKKAK`Y$}`;Gut7C0BB;O1R>+mc-OT>br`PT{5~IX-_M`7{
zz!zZXAnE_bdEMa;(wbsZd6~~mW_@#c6)PQ0cLRyvuzIio5UZYcBdGjcuY&Vn%3HYf
zZ&SzvANXeaV06nzj}8*iRPOJjP?6B0F4InzM8#Jc5oSppJWMK^RLF|OI*zFFX$TWR
zB5SMHsXPPX*O`CaA*gj)j~WnR5@xWo$}AmK27mWrD}&h?RUnDpslS*gn`hAhS<-k>
zY{k6*P0_bKxh=~om_k}vrXUC>*zIgi-Bs+-bDBLYTfLXR-fC#MD8T|aYKEEJ#m-v<
zOquO}XYl5{OGe4Z1|Jk11&T=uyU=DfTtaf=BO(}eU)2&~0k*$@wcACYmU@l?y>~rf
z%lTE!sssM-^GNoE=Y(pNa=^F_VWg6Z9xKUB$EH)vBaTwj>(F4uz8-o-JsW}@K*n8G
zNMd;#725nrq$;f!rJ0=1(XZ8uiR&;`CThK}%c@Z;w${k>iyvj5Olru<Aire(eXnqV
zyZwvsO;9-b_{_GV0MPNuBI(fL%s?aJ*eF*#bbz_4<G8DU;3;e<S`^$NBb?s}_JA7u
zM~UDrKszctk-3gN6GGfr%*jq-8=;y=tu%6FY@%9h{vMR_4jxJz4N@y@d}W6gU_qZy
zQo!;5{~!UeZ}0iB7FHX5{*^<xPC)q`gCV8H))9OOg2_E5W<J&Y|9*{Nbm%JeUBhWS
kR#dI5aUu@(?^bPn)W9$)$~l*C(+HriZKBnv;TZkD0Px`4SO5S3

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/MultiZone1B.png b/Shorewall-docs/images/MultiZone1B.png
new file mode 100755
index 0000000000000000000000000000000000000000..c46ddd7ba7941d80b74db4701d8a14188e819845
GIT binary patch
literal 13620
zcmch8XE>Z)5a`RUwmiBJCE8kTv7+}b$`U;YVFl59FNrP)qOTf+6+|yVl+~j~??ekB
zN{B9ryWex~{c(TY=l;3p$9eb6nKLuzyfbI!oOd=(Pxldo5dr`JL{mf6008ij0D$+7
z7=(l5T!kLu9(djckCcJxappZ-1N=fsM+pGxl1cxd2ykt-=Nbk&01yNNfUqb4xWR$K
zegJ?k0s!`{0YDlJ0Q4StZThkR00Q)oMrt?&01SY^V1SqyAj4I-nv9H?7>uiNPfB7+
zGBPkNnD)P#mXeYZU<Sx&$p8ihN=jxj1~OV&S}-#+00o$7X#qAi1_lOVC@}zqGUE`~
zC@I<4n3);Ca4<0r!puy|L(9g-24`kKFf$N~64UbV0I~ov0s+PK!kI<cm;ptA0S*^s
zV}n8^d3bopWXVLKY=EpRpaBr85{vTiz~OMHD3nZAmPeEaDk=)-0SE*_gNKbrQc_eD
zp#kR+6&0n_P$V`Z2K4kKB_#nAfKWsr6cuG<Wi=#4!FFI`V`DNDnWU<uBLWJz0*Z=?
zlB%l2mX-htrK+k5_yQWLs$?h>5C~{!Xt>J40Y^t56tGj21c!oE^^mxtp%Dl~1Fou)
zw64ZrPftBPJs=K18Y2N;Up?dh3J@4*r-uYWLxBvyRZqjr%uLVH(immzX^i_FYKh~O
z4*=28#wZjD*FaeUMSvxaV_X~#0F(kiVxpa$oh6QMHDG7w3uI&f^*AXUEA$lYT<ts^
z?SN*$^}pf^<mXqIA%RW+C@S*w^aM&vfdQNpzP^F~6<{0y>gz*sV$1<%Dd9kK^ArjR
zECG~Ll)xGQbaqBZM*}-JwsFyk(ZImKl&2+dgkzpK?rT>c?hBj(!1y?D0i>j)WZ-0&
zn*;8EwNOi7X(>B98(3Q#j|(l$&d$%zXSiVic6N%2ib`<;9372kCstHc0H>$OeWcxz
zU2|z^QPHX7jpTTK##(kbaB-n}p;}#CJzkn$UtbU0-P!Hit(B(KH#b|JS~fQ~kJneX
zwY4=jUvzeMZq^rVHkbDF^u+DQjdykq3=E793=9tsS8P_4?vz$<R&NfpjgOCau60gL
zO|6X&_pJ4dkKgT#53Eg%&&|zkPK}SRjjzp3ZO%<CEiJ9Bt!-{@?(FOw9UYyXo?cvB
z+}+(}PnFOBfN+_ns*+K_v%`Ffkf(#83sx4DiR}YgBFh#G;{__-Lk_l+1DT#^1=WTj
zuI)m<X^zq+NN)azyhPLIG>N}4h$?C58*P4Pbf!&D#DK*Rdx;u~Q~fn;Nrgb&sI6Mt
zy59Ld0h7J@(-_CSfhu-z{KE0k8fYyT+xz))O>TW{D_;TjZ&il*sPpFU%gfKVe+!JL
zqQ6lsXmZIJX;F7^@&=g<t=vWV53e`i!wRy;{`9CFr$2_E1MJH=tT%&#+GnNk(mw4Z
z{9J>eTM8by`|4u1tFAZOKH<Zv%Lbq3(;xz!J6n#b!s34JotW%`k!v|Z)xrG#e}}sC
zh)PKKWA3^8+q)h49A@nEZoQSIk{Fb*XhcB#K42wh*fk9X3z1{LJAT+5|MrS*O=@+T
zB`+m=*d5P~WGc6XQ>O=Uq<mRWUK?Qko;IWbh59bJVF&zAUy=wQJNVE+rQKWJ-m%is
z2!+^^wfElMk7P==7|^Zc<%HA3yd6{Q1=f6+;$Y=CTS2Rj>8IC!PLZmRF&A@mxy?fk
zwbY@Im+uX##q}B|!X8&Hg*n#7>kxftb1bKi^umC){2EmtG)g~OEc%7@;LvGZ7%lSS
z@ehpm^P(CdOH9sIJ`#ccm}bXB+TD33ZVdWYWy^wb+$%)(d!D&aQbi9FQyWE2tv6~t
z9IB5uk^()1C}gWVPEM`FRDR{r^Cmasouv8ZAe)=ZExpAx9j6Xq_)<7VbIZes_)AFf
zq?UY|-O)VTANof6wRP%9_pZ?Rp0)HhB|)HRVR;ho#!WY(jD;F@P#CplG%6rckk`|g
zcAzarqmbR1z0=d*9^U7csXK?-H&&hOPq5Y)Gya~g9Pt42teCEj0Thtb%k{e8{g3n4
zVEp~|ivAr*sVLt0w3$kYe1-+HADUw2sXs+r*=9ejqb4_NfBIQhj0e<+N^mFs04BP9
z^e{Tj>q>8j{;;R0_boX_(du}Dr|qHYC|Xx;4t30xy{LUPA^-PmN;QGlhJn5B<S1!Z
zLc`gs%vtt(_GpDSvuw`}9gRzcO?0h?qj^{WrlRjL-WjA-(_<UzwVoiKC&8_mzG%YI
ziYL@A7!ff_TNMk=>>X+8aT-bK*I=2FXw3^1{k9@ztSHTUar@@MO^A`@lq2XFCaV5;
z4ki7}*rkjsEGz(Ah~(U2jAz9BW-+F)C&E+b&OVc#;>s;&uD2bsjR?|dV$m@m=czXN
z7M4*d_jFzwiH$tSI8YmDq>8Rm3d|^r(G>5jv*noRR?!)=ghu5nsJ7-c@Mp(|5*`8X
z9hcuYIPwwl8s|-|+uKUqAY8Gc0=|Xki`ma?%r9+n#(83z%^w<ni-d5VI=QJrXv|kq
zxE>hSkr)aqS8dWVXeo)2sj)nzEq>p~<X9Y|$*}{W=9*rI;vc{LI2VRVdbUttXpzk~
z1U^sa_?)gMkYO9)Je!q6Wk&&Hf*bQKr{o|S=7FjXT_wzuiisW{qcwZZgsUy0;NUn3
zri?w6j*i%hg3;fc^+S-U4<=vKi1e#|bG8VcgtM|j-3{oTA{LeLCQBT|b0G(P@Cx-B
zw&yF4&CwrV%ZFNi*7b49rS+U6uv>^KZ$8ypnZ`eYm$Bt8-=Z}H1)_N@@)JE5$jzkU
z*FhyA<Y^qwT*hYX9X{97c-6xB2?U=0YnC1!QIn5#98D3CW?hZ@o;Nz9-e)T^p}F<P
z@~1o6faC>d!Jf91GaJ3PU&p8F3o+z)*;E|~%h!MeqDLL)BFOKZ7rAhmZcE#!+xr+E
zill;7Tk&fK400u9)ZW)~YU-YFrMs)P%)jXJnZY3~zRiVSPNet6J7>BOo+7ciO1dAK
z!(*GYLr4v8qME`z>Mq`t_8JNL^&MjVLZ)?-4=pKoRK^Xh8WpN(k0vudq*)z5LARt5
z=D`W}C3#mNo`2gmp^QCch>YNtdPC)VkAtMCD9+~bwMXo9vX{6?(EEgM`MZtEX(P`J
zSL$;hrjQsg(s%3Y>bBIfkY99-I$QvUGnn(abt~yeOHP|RLc3fpHI0SGY6<yA$1+-?
zovESmiB}`&yEa<4#8RJ3m+|`>_a~+mS5%lo-RexQC?%bPbQ-vs#ZPkW&L~GzOn;b&
zTkrKEpC60Umnnl}5f-A=-|ubrw@!(v6pG7*wYx5|{#6)S;5G=(*dF7w{qfmTlj19w
zR7U@OE`pk)=e~BOagMaq)fHu~wVo5SmLI0u-V5NBft&*5Byyt(;eQXlIZ+`yB)j`O
ziN7AIt-L9ev^3VZR7#a|(@Q#4J2&F>Xa8!K0rBA)vK9_F+x-2ZAWxdE{ymyr8XfRd
zawy=$X6SyMPlXsl$pjBP{hNoIesd=<ooU@cfN4W174WUSBvVadjfKllf?n1V4(gZR
zgfMa?sj#XLCQP@iiE1{9Sn6P=$awkClFORqntU%(9)5&k*tM&|9ZQ~5e!XH-Cv-@8
z_hrum!~PVw*%rn8Tqh<*lwi|GGk1yDg~FA;u%&8k|0XxHJ}-9u>R+3NTq$rFePoKa
zQJ6mf?|=1grhE?T^GkAQW;Q{L`X)gKDiur*rEPf~t~gA_B#*9mueCGM8u>!K0<qzY
zc)`h*;URLh6iI|9_*<DX`%3Ouf6uc%ZXaNqEhY5Y+qJ?&zr;-M`A^(m2g5kBw-4Gl
zn`Fzk(^8(<QnIg;`!Y+HjHkYjAmOh30W1W4ccIfb3I8a4Oop-Xg7avG>VNq<Hcf3I
zA;l(=Ad;f7TcA-QPt!UbSJJkoG1vh?<OlmFka>_zdx{>{hk}KSG<AfLh2y%BTm-)4
zMYJ*%c^-V|+8@gAh9ZcW^j?Gs5+O2PNJkFYz2022c&sihb1mm-xi(K@@nv^J<~oFL
zDX{pQoJ=K{#9I1t^_?RZlE=}XXnRUYmU$Ms$W;MJ;HxcDpU@)LW^Vmp-Q$igGZ+_=
zJ1`(QmDh|~(maEIAUDoraTV16`@7kSw`R(Fd9O1dfg+M|d99|?>*({Yc|%U+(xb9&
z&8QA=n}xgT7zzb?6|AY;YCdI{Kjy>e0;`>_`>0~P%eL`E$o6kfmY4v<1!M5RY}4)b
z_gXx^NNCbScGJURVePVK9jB|_Rl-=iejiUpUh$GtMPkR_-Y9fZ+EengVFs}%5>TXx
zH_Ml+Oylo?>C^{$v0k7zFv;28^sT`f7hkuce;4RpBSMqT1`-^x&_jy^6K@D|Fy%)1
zCG6v%hyKG->S<<;Y)~-qt2dC3Qk#<8se7WoB6ERJ-S_^OS^F$Gv8=+cWiECrPoGFk
z)-&YT!^4xDGn^H}Nu~~zVcLaCy2fz^`P4bDSqP-Mg6kkYlw=+uhKNN7H)1G;PSlG~
zhHxDtHw(`ecg2{J-l0B&O{M2@XvlZqO~|n!4*MW5(}V{T(n#^(ODYKoi&0YYTkf()
zNt@iKcDr%6BwcDbl1Ve$j#F<!suDY-#>s=0dj;mHb9hXh?jxfzn(3>?`o_k~<>J#T
z&8dj&)-V5=>A9`bC`wmHJ0)44aSh*o=a~?$sR@sp?!}uM@=}OS3%9rlX3R8)XUjWw
z2Fw!+?VQgd=v1nN#Xt6<&LQ)LlJ{%R{H;{H_L{zNd+p7X`+stfiAMA=ljpCAx>^y?
z3_kTRK~=QmE%tnQCQXFMzdgFN<MQ9vs%$pAiX3um)*2Bx+99aU(TQo6z=AKRPZ334
z-?b`b*H^mx4vV;gM_U65z6P)mF^3-t^!j`sK5EKdkuX2hNB!oz#4pOZ0*{BXR&5a@
zu~XI2Lml0pG$W@+R;YEx{%Ch4OZB{}{^L1f3BnN88%HiV{jI<oe_=vJq}qB`6WQ}5
z&bsY1)JM`SYYExuDLnhjTTN8IHVQhO!T-Z!#VtB6`TaFHSpRRS+iMtOCIG9=@)Jh3
zgCWADaiQ|_usTqaT)JUR2c-E@FeYx~mwTD5*@`2)#)PkKKhf-TLs9WnM6ua{qOSru
znTK^8)|OJQu(fj5Wcr;Zy&g8}-Ox1A<{SI>F0LY=IvVnk#0=1hjrr8njHusw(~}H2
z+HD#(gcvaokBa%f;*w(C>X7GKRvSv_6@*aUFdgCi(`j!;^e^Tz{C!=~WR{j<tg5Lp
zLJY#As8fN8*Y1oQq8~)>@4cV)K2c;NJCP9Pr34M7L%=qLfwl3|uPM_O!k^fpZE@4G
zR8*o$;3U9s%(-2ANUqDErJpj-bSv&ph$@xt_H2X*KUk=s1vT_*na0yUnfyZ?%&Ry3
z$i5Er5DC$~35#$6hWTot1O{r3;*@XS`etg)(pFl{Sd_=wJIR{HDu1;D{a~ej*j|^T
z5-$LGMXWAHvm)vjhBdOot-{+Zw%^Z~JL5Gl9<8Yv^#O{NCOKBt<_~_e@rYVtOiRWI
z4fJeYv-Sf*#q^TDL=|Do5zj6(<MJ>_a8~9^9p7r|ULS(|7d>k9dX&Axa0GvER8EG{
zISW!=EE@|Ge(Zv$PRbW=tDKgEQg*7gF!mmqTGQ2Oy@i-(>awG&+bgh88A!!4uXUyp
z-d{5jY_Dzk4;ggG9s?VGztPJSIwk{O#v$5*X#Z1Fg5uN^L0Zx8Jxrord$bXI!*o89
z)vzq1W!`Xx)K}$=cc`Vs=hEBHs;mp-g_B*gq;ZSAg3npjHsu5uS}@7{8m_b!8bZtx
z(NbQgt)40%X@{|u2z?i+fzkjzvPvmLXNt3;iT4*xO70k%6eLmcWN$g??8Bxf^thpy
z-Ce5I6;i#GPUN}EmA{CTv}DQUjlEZPPQ8*4(FD(i26}l*#+$8+3e@+;-BHf=;><ON
zJ|DN3#QrvQMUI5~cOAOE`s>=Z5U!x!sYPbk8;0+p8?lVn3I0qNLPpcCV6{8FRB#VX
zvN{&>((GpN?q1g2S(mNbOdV+9cokY`&7VKu;zp+=y1`xeXfkrFqjmSejbmuw$m6+=
z*)zz!bA=1vSrTa<$#MVPO{aAO)AgD3tTTk84bkh3)%viAcfqz!6&RnPhC0xVe@>UZ
z{$2KMm-%~=?mi_!h5h?Y<|#$)RupOCeu^>WYIp?6|0*duzW<A@aeRV~`*6{;$PYUg
zxtzD9iO{T<R-rwwJ3&=Z)_rY3{E01&)TEbDw06>0?B4x$dGJW^*`F`5l40e)XwOsy
z0h(Fz%vq_qtIg9f2@%a@&nKrf2%`;i^jRH<0b@cy+b$O<luAUAKRaP-JcZU2{JWdD
z+~xPkcoGlE#9mpVH#3hdksC&N_^#@U#=8sGDA&onSR*bk3fFx0Z{CK;NFHw<1nCT!
zkCl&$>RtgcV~yBCyHEDMYK@x6?wctgx`Vj#@t=%UEdp@V#1vDNg_~=}#+VHk#XoDK
z;TH16#uru$>U1Aa1{Ru43wRl?hR(wxQeN0P{u-bY(>Y8*MmJD2;bT0Q{YuswZKT<v
zr)yu33t6XeL|=S}#|yZxD0AN|fT=xtTaxOw2hnImU^pvamcXKS&1Xr$6L8!2IPE&v
zCx#J2VuaB<FZZpy(W!O^oOQm2+j?=qSv4_;CGJF!u*R6(WWvYvnv!+VfhrEKbvlsa
zf;Pdmkt*Lfi`bwC#b?6lJN;9kavLJ^`+970zlHIqy_5BNXXN5hIp%z1@cTXK`3?iw
zDcixxsY$cO=(nr+87K~QBT3!yo_pbZqZGnr_8Fl;JH>HD{$0?&b9V#ZA1N42<$bUr
z`Us{qy~;=&4|~_TrScAja7@HtoT_u#L~{Ui=EUy<1M+{{^*?`+g+{C)--xG~s~_@r
zD2daoZkUjQ!pfCWH5Y#<_hG42csw@EVl>zEfy0=Dr>T3Uk5!FrG<}D*XZz2ZN4fUi
z-957SH*#mJD}b8>4+sJ$f8Lu*|8kEd9)5Ldd6r5-)9~PdB`X7(IQd@jBnhSdDrh4v
zeDa4Py9|OV@t%5bTQ8Ln;Xkz3C(t|>jWlx<DxO}S{dT9RV?2PN3*ylFekXNs2D>ea
z=%39~yVy9CD0PtMAk%e}U4PB(dw`vn|CdlAdkuYgb(Pk2wLN$@yvq12(Tbs3j!_e{
z`=IsGie~8Se15Wb24Yu?z;hBb{sOW6Od36-SQOlW5H{!Wq3?;qr#5SzS($m?G@Hl2
z3;zkFk#c5uG*~!`D4o<#9{%Voo@OalmhInT&4SEXz$1WVbA{~<B`aLVEQ{(fc7-j^
zOk^y7yB_yn>pE`!)Z4p@f^dl;heDO!Kh%Fa%N#*sYjl|!wT>STp#k(-5MgF2h<q`Z
zl3S1G34ABs0v-^fSqtgfApT_Jk(q6nvvmb{UG|Jm9J}S#LddXoZt=6xDF1Rmf)hc)
zQ(Li?eiJlwHoLdC$Gzr1Shj)JDj<fSBWvEYrVxBeGz~mVGeU&Fe9Fg$_8JHdAtaoA
zqxG<Lvr(1%%rgLP;B80CoUkRbZbT7I!uncGb1-3@J*;8!3-P>a`65f`s_#(?p^-Fs
z!DcR%C<RaLUuVYh*1by}@#$<C2b1dskAX@lJ?}|hcs2xNs69E!h%65;HS%|JWFs}M
zx~bfJJOecxu`wjmeVV@dR%7^}l`u`-uP{&%&k&8pTk{Zm0lpUly3K|`TH{E+d<9cG
z;NSE6af1H^8j#7DA2z#6d#Y*{UA~V`1ZuZKEI!aDqHk-;H=vi9kS)Ys2suErJO8yM
z58v-nxRZApQZ=k=^`5GYzGVNYv!?6$eJ1R1@_9&+b{XORbD|s~+J%3{5O2tz?Kka_
zCw(>32pi)m)2dhVS^gwQvgG*>WWNaOKw}`tLeJTczC+uawSpZ0bMVwC*qiP*CHeC6
z$s<y;ieEX?r$UT<<o_*(965w5%_jWSxgTRDnQI|(*t*>P@a<|1|AoY9*pt5d9u=)7
zu4SUHSsZBfezm^yXjgR2Gk7%T%^EmIg;d`kEzU8N{cuIB6%C7ubZWV-?DMMpa75O!
zV-JSlL*y@Mf?0%&n0n7rUa$s|`|Ye1$$WAS%QSZQ*zKbv-wm{pcW)1e!{o6xKkiRF
zNUBU=`9Q&A-EGj@A+@01D)ATlW$=NbE_?hYA9DV|+fRPBXww*vU)_35^zbpI1Uv$y
z>BF$S%`8@pB)Rue_vgWU5~$(MEw27Qu+*Wh4PNA3wkau(b#E#alK!i#&uy^7NQc5~
z%Z{bL=*w>(UPdnYcYN0t%OpmUeQiGF%Jza&xSK<Gtou^gk@P~vmeOsf6l=3BYoFH^
zu0r46K%Dp=U~;DGH!E+Y$~|>!-vrcA>tW+dVTf{Q#E{|pWoza>iJ)pB6Zc$wS3GUl
zljfknxB6rfhK-ZFFg$`$Q!hG9a>ob+{l`i4@Zfo%^J82z^bNI6^Y%`_Tyxb0TKEQ<
zID4sM$KFasVd#sE)ZhrU4pw2<4~uv;n8fAJH7(T2ksVU8yU=#w2!hCens2SCzoD4Y
z89Gz-WmP535Xl`X8^;@vh$<rEv3?=MUffQcCUnlc<;wB5&eBye+$$Ep86HRtv)Y#$
z2(<cXJq4!y@&bFmVOtZ;_lBr|h%@gTf^xuzm^N(dpwTz+fr{k@D2Dq<uilcwR>z2I
zZEeO=B~YjD9QZD4eICws&+rt6$!R}`9`Y}aL-jGIG%^n1Kv;rIS%@K5+jy*>%?#<>
zy|jB6bvy#M+HGU>Lb5z3{6MVN=c%qxHX{LTNMg~q&lhQ{XCf>gF(J=?HmY{K_$kyJ
z3p7+(Of2ElxN~6Y_%IaR9LZ(xy?7Mkce8MpiNPbN{vnwqx9+Be8CH)vxhV_PsPiM8
z`Apa-!Re8}^~4qS1a<lt4cSUeC#;mh&D$9s$N=lg`(_t>rkYYSfJbmtw{3?b%5-R`
zGuqk8Agsgdu=|+|1hKFk8bKI0b4tl<jn0bYQe6!AcZ?Z*z8{_o4`jp)>$-&VKm6!#
zzgVSKuA~@V2@hm~EwJX-$%p^3sPncNt>SXrlA&!Gp{7C0yL!m_Q!0-#W$cpe8y4Wr
zV{0d#bma0Vyw$s~6|wp2W{|E^dAZ}{&tuIXGf~S5mtCiym0&QUI??62-(El+d4szH
zby2s;36*{_YPQ5HT3)vIly_}+6Tetr5pQGx@6!5VA(j$m=tRc%_6Kd~kXo?4m#Jm?
z{EMKAmgf`oSjS+iugC|Wru@f*!4Kg}qE4V@!+#=zcUwZ~GPH<9mS6nHTD4Bf<;aJI
z{_6Bv%tU_#N7L_VNMD7flx+PG8`J;Tea3lBP9V6f{XqsfV-d`i=4WKt`k9^Se$T^^
zIJ4ya@vu)}TzB1l$NJp<7OR9tdnhLYZTYC7=-<rtHepA<GcoRy-80mgA;i<VkF(vp
zo?28k-8>;RbT&O@M~;Hz7?kFhCiEdl0h^&@#7SVur+$1xh+*Y_RwChK=(~6>xHm<a
zLmHpS$i1`5E@sjCDf=X=(%R`h?usf-dy>{`a&<MVoDq4qma!0?DI>7VmCYwmAj!Bf
z<Al|o`t~Qb<&UAi4Ur!Ok~xS7{m3kbvOP4{t3fN~I&1Xbtcy`s`jKw-Vb!@ikGpZN
zr9J7+#y9)l=8Hy0O~YmH`x@_VAY{h@rJ_0{G&uGCK1Kxp8Yv{`z=~|QYj$Yr-zE)d
zR47hFc>2ZC3FgzSaa1QFPUwjG?=P(tYaF?92QMd2*++2dhPvffHw)9PR1vxSiSe^i
zmiv9iQtDpc^c1D@N+}`#+u8fQ(wsAq$A2q-<hq<ZGflJ7Bd^bzm;vqN#{UOS6A;ag
zGyJsgre<Y#=js0;r_l|y<9O>(s;L_yv!bXYGY~S@@bGtf7gj6HtwgT)08?S!n!LNt
z|Ff&i@`-77;IO>8Q)&XOZoBO_WJ+rFcDb9gKfiBfs-KX0x>uX=EPPDX^7mYh&x4C?
z(~8=5PRUiu`!kTY)RiS4jwG$p<1;)KCMD`S7M4a0LqGMy@?j4I{G><sbCXXuk03nw
zd-sg{3c|{h1`j7-bngi>v{J?>XD66KHF<xSHcIVv-Izm={aWIol?IDirOoR?f2?i|
zb<3vKhu0x6i5_9N7DkJA8#~wlf@b7xKlb|akUz;o1{V|NkoJMXUAP_)$CfT?G46E$
z|I(^$H#!upGi1<Oa>z#@341z>mawhW*Y!g)?(EforEieFTD)i7;)ZO%-9SCw+cq;^
ztC&Fn5|<Kz0D2Lk0c!WuI8rp<PvOs^LofMm!&~ws+rB950k88s7>@jsQ8`>+3cEbd
z_*lrx_!@o@8U*6QRCpcc9Zl8PpNnwPKY{PfFsCZukq8`@AR>4&BNVWPrLv^v<ZCpk
z<-&URpYrq3K}MRRn5^Jp5xmb-?MP>qs}zM<d59F@1U<Y5G?a+@8r(8Dx{*C?iEmo+
z>Sh28gNgTvamjh@ex!n<Es_MCbN}`ydjkL2;RkV=`55Dz=I7Oz)B3vl$?BcAIV0M&
zbn^U4jDwO_5BX8H8sE8o1(o3oq$0IOLH%1^+-jvU#&2}&M=GTr9;i8|`1BX9Juz#{
zd|1n{Em-a&hpf$uOjR=te+*D63yS@^58kwXPrqSIM(N$aOgfnb`ZPH|J98kuCRa~F
zW7}D>l)|BsMLt{h5FX1czP|Hu!Hwyb-?u*{YfkHNk|ob{mU38UHD+g{1oiHq$7oSg
zm3K93`Gf|-^_*j~7LOm)LAq~lQ=Uh<7|FXuh|CxcdOQ3^lL;m`b}2ADTIUH8eR7;5
zJ!e`^YG^;ig68`k@UEPzfl3<XQt6&dpp%v);c7kq*5;pzK)o#uW;FFF!k90&PGi~v
zn(IlU(!mfXF2;*wLa=^c)$irgzOcs6T!|!^6DaCz4F9n>6m>I7w-JQM5jJ(1604Q5
z7QW8NG~=^kYH|}{&s>QjDVdHN7fy|MX6eVq5}GF%ITh62pfr}h5~uD?>cf~A=9~F3
z%}DTh=1O$A!J=8xA;~!WN!A_HwXN-ApKz}#!pMev63vwCH^smFPOohp9*=5lk`$bA
zPH1JW#E|@L-s~}@uqE18k{}~iOU3y4vQS+|2T*=<Dl}Z8iG%J%<*Y*z6}8Qr2#}|Z
znO~}q2U&-*9f}Qi0-bI3P4Fg4nAKRS#7ks?nR(C(0Y!_1`qEv;0qGZ+7b*8!;k(TT
z==ou>dGGtJMdkYi77+_;AK<D4$j(x&ocw$pDD{x74Q)nUUEMnN8Lwo}MVoIiMCid$
z+R+1ICC-*AXk(7X=(w)WoT(No4dR*}gR~cq8LrF7un_#z*4Eki@^C47u{S@w+?Ze1
zF3Hz#FjafLS_xEHIWdF#D1PcCo;zkcZh|t`*nN%<Q|R@%bbq-aao1n-=X(hRCi&Xv
zi|*N>%paR-TiqEGH(0%dYy<uiOJ@j8ZMv_c`}ilC?NU~l-9!IZ$6xRM1iw1_bdI2d
zFjWdA5x9T8EbkQ|c`F)ZxK9}5ZVzJ&`tfhQucs+dxtk2umufl|7)PEEs)qPGdD%J7
zfJyv0UvoFa8uIfX?kXIVEPFonQ?KCH@+-%q#2+WV$(?7v!a>}+e>Sv*{;uDgCqlf@
z2yJ{=0#1N^VvLnisqR>~tun$Ae$RcSrLOgw=-Z7_xzF#NvEz{4*zdU#+NBD&<FA&N
zR@yzc9{;N~Es2P$g<79dv)sFdAo}a@<Z~t$kwNHxyZ2)D6#f*xLEX%~TCE4Cji!bT
zZGr>KrLpNl_E}k3s1xI-W9*<j0o>&mK1^s5RaYYrQ9k^?u!3;sqPlc>>-IQznL?~K
z=xDd|2qZ=nL{7^REEa2#x!y1eKcie`(vqHmc4vkSZI$$=e9|yB$*f<@$T)X4&fOzA
zbvk-_m&~yK>O#dPtn2Dq9NxcP)(R8vd6OrZ4cT0lxvlzqnIFq$POcVit8dGLh%U#*
zY*4;|cKI!YY`1uR5EoY}v|cFKkYr5}u^I;H6RYj4Z#QqLTf{z>*XGP}*?w`l>JspW
z$hX%oubtihkn!UNkT@owI*R-9VibN4({ppGg_keR<LatRvrZP9NLR1(sV#@4aKaOj
zq&ybLj2R#d*tmfJ6+WS%c6M}tGb}rvV8WIE=RAs{#%D_!VcRmfJo8Msm&f{)3;E@1
zqbKO_WNl@I=VLJqz|ZFB!2xL`c;vS+@ws)j$G2qB&5hl2#^wEdIu~Brpjm~eKZI67
zdqG3luA!Re-3r|Gp3ddYs2MflnhE9-7I{)-y2iN0`0*synj@S*w@%_wcWRg;Jy!K|
zjx%P*!IT<7g083zhavRqpw`p~eXNhaNSD7WxZi1fOH?zKf)(~iPeZZ0Ze~&RSu<}L
z;g9^xc-ywOS~@9n9=)*?3Z1b>FfM#paxd*M3833V4FR{6%7LB_`Cb#p6QI3F2gy|&
zwEfvAr$iS+Gu_^Tkv>~}?p50xPRs`9L($m_;c}sdBWKIJi}YLF9l@a3LHm1WW0Q;8
zJ&r>{9A|RcPF#jMB~if_egml^zNsW3=@lKVE-+y##<v%Kgv!azsut({c+xD~vg>Ew
z1FmD#QCf@{<qoxm5a!qKBuQUrrYEjtXM1_tT_4QMY!Tf+%Rlcb2Ef-!Af%caQ8`<g
z)Fv$aJBCAb8qf%3gYBvNaezXr?3OAPA7<jclkJx}z}`y!Dl%+n0|+|y!b`i{d9(b0
z6y1`~m?T4Z*{;G>s{IawomsbskiU9^%P}B&yES5n=ToWM5}1$)yASgbksVOO_5~<P
zIgzgx(`ZqB!!(!}ko;*6;$-)eyN9S_(q1!9MMd0lD}Sx8`vqV5_Qz!Z-pY_@Mr^Qd
zzoO{(tqn;7|MIGU(IA7Te<|)EPGW%1|GpqLp04%dH<TlO$h5F?W5EU_z3Ca7g@ob7
zijtK7Q4P9lN>8oDO9IoZOf$b^T`6dT(3p6e&h~G3!`qqZ*|V7`*grw6(fFvAF@8eA
zZ@U&CL;c~NaZ8gW8(T#Zbc<cL=U{CPf3Zw^aV}UQj5pfd|3O%=Pkr400WxX#%`)NZ
zvGh#EtdwB=pIkI6>lR1tVR6f5+a=HI@g9)63`qzRmBbs!(+G`R7~EggYDtBBqfU)W
z<K6ni^bl!hYZ=>nZNqG~5&mm291%m(p4nhffmV0pVb8wGSC<dU%yc&?P_BIG5%v7>
zl*z~7V<%>)!M!;@whT(cLc)~SUKUYf+X2KKbBgktCdmXyw?z1-LtI);KI5@361&|Y
zwbeX`4|6LU2xh^h<+zWx9G<9usj4OctyHCaZ(cP>eridBXcenpX~yN}_&He|n(p<o
z+FHr~dVa9nC-ATQEwXxQz4m0Z_xHgF{kOhOote#=ms;3uk50=D+25D*3t3s;M*oAl
zlcFu6yB)XiVP%{=)ip_BVVYR13)mujFIPcuhPmPXsh&zTwh=~xmhA%?sv&4Jq|`wJ
z3uUkt$H#}+tMD@7?2izg2+$!D67E5q_UsbqM-466@-jzvRx@HgSl{$<!|U1qHusap
zlnYWKT6=&7_0{mb!MoD1xJBB)GIqQ)|DE{T0^H=^aUA>TVYl;JH#^JlVMk?OWLRhs
zfiJ3Cj?2U1Zh232i7X==Em{cMdx3_6Hqdl#5-}RBlj4sP;s3xQK(1x;9|iMSZ@!Fg
zpH})m8BDOC*Zw3&Ib&tW5I@Uh5WW!7{|6#-y`tA6$Fo_%N9Dnl*Gvk2W&NZ_A<nA=
zk7pk##OZN&22S<*TvxH`SWIL&G#*v$xPu=FJoB*rcodOMp>U;>AE|`h=0$h5-W|N$
z>&%E~?%QgU7=5NrV=w0OPNJQy!|G95*pMMY?&9<9?tJHo#9S-xW;?p9u~-wk&4uo)
zzcYN?`={edKNex<4Tl;Qd3=))6(vEpgQursk8j0uI*CLW8Q_&t2|RQV!k`n0Mon@s
z@>#@Qfj$&HHz$9>6oO3;t$d3N`Tc$`-(Ku8<1g!#oNTbwqB|aj%c%ZG1lI_)W-IoK
z&HTO;PM2ZYpy?}xK)E?DXXl!E^!nJW#U+sLfGXDeAs)jU?I;3QM}+zq2;_i~4<h!;
z>w>pigO3T$+jFt1V1pK3B+Xc9CKb{%aT4cwDUlS(olj!+>Pn2!)T<lH{*o*C0#L#p
zP;{w-zmJV58MQOXGeNu0L^<&=PBe8F97^*IC=V{v_ohgagMVE$6uD=u?BoW~#+3HV
zs8$Deyd@Uu{ubwe>iCTCD0=%-a3LK@Puu3%6=l201cxB~b$KGzX&B%6w~IKKj^Ase
zu@0*ladIO;;5WBr5kjI#5bqT&y0v)|thE?E)qlm>Ra=hZ)Eqo5cQSyeVmfTpq!-+N
zD_gOM)CT=x<r70s@WZoB1fiGrn|!M3TnhsAK1g-qJv8z@W-*>wnKm@43?Z5ANp&no
z)JB<j15~ovka=qeH$=N|$0L$I-)L-(FW*=iI+I6)p8C)_NG>6cg^*wo(J5oJf=Dvk
zZkOSR{=`wY05}p)@fYO-;uoa!gl{<-$fn=e`|ILZ#Z6()&K#c4D|(~h#7rXyl6m0U
zl|yh@_@2nu_5$XctBd?LZxA8YddRlOG-j{YidH<$-vc-3)RGmNCUN&tTG=9YZ+ryj
z>v|e5)=~9&?;E>F-Fi!WMMxBAb}bx}50eyLvQBw_>x?~>O<hJfe%b*e3nKQu-*$$n
zPEWrpo%V9m#yDR(Hs<}Oqg8T$%PHC=@3Q|A3ie6&S!5!=hN!y=#~sp+n^pXHZ}{N$
zKq2@}#7A37al{fWe~ZrKV$YT=)1;XG^sepr@0nV0O}z6_*H{mMe~RI|3XZ(YkZB{<
zsO!YQ8;;2*{bF5LFjD%NZ(ng+f*AU2vvAS5@>AZc>oF7ano540r=KmPM4aeE_O9u3
zRU>G*l^;qmzkFpWXni^#(tJKoj9!xd^X~@d@w#>zs=Cy%Gjki4^I4?mKVt7(|BB&b
zn#sGmIxVo<HP<dbYp4)SzE^+GzvIJRjlFpKDlx3Qs`t1?h#qn6EWdo?3`V-LynGef
z8a8D0dvVT+)7t6huiKv^1jv6mUz`6i;u$`T{bptLe_<^X={V`Mo%)?rl@b#h;7yoj
zoXI>#@97<q#$~-3{8DyS1~07)lW;r^L0=WHK0e2#XO{16e#RwpcJ2-ucHsPgQ`^<i
z$FR8L>l346+?&Y}?3BT6|NjmB+>G_vtB`xr@+<83Sf&(GWy@iQ{`PZQQXzL5E`7L{
z@7_S{uY`^2>LTr50gl84JginR^nZnTYIcf9R_4s-HyMM%g~Gh*6H*0mF&T<6lM={k
zi=p4W4Nui{q%Jsn^5U)}>fPn#S0QpvSlf*;>*b}8V3PJjovflb&6S1kf-4U!!n_Bp
zj;IkQ5E9p8B$S4jQudA^eZ=y&vnk)0_UX}`9i;{_CXFGXntpC)GA%IfHS=k;@*1K-
zGHEHBnd7jEN@-RBYF(T!*!eRXJEIUn_ccIa&gGZS%LfnW>CgkQf+!ON&j)Mtv$v==
zY0ap6*TkP9YnXE^KKs<)%mv&PhsC*TI0V1Ir!gG{!(50^yip7K_N?*)AJ3BC9dN@a
ze|)AF6`!?R)J^TDL~A>%eh%MG4IAyR#zpl@i<|8Qt$0Z&hDVfNE~sQ}T9qL&<&|A`
z(Df()@0Pi-=*Sz%VUjqJ(=*NyQ~j#`CT724;BhqGxP(qRqUszZr1x5}dqf(7v}Ai<
z?WaRM4om4{|L*jvtKIe~=WE}53mN5mkqH5_5@fG%yHhUJ{@P?uqqvlO>s&Gqqsa)D
z+Srh`v>FRvXQY~%Fm-m6%T<5VOXRF3JWEiscWdiWTcK+X2bAW#y}6Ww3;Coj1g{SN
z!eG`jYL`{Jk{y4#*5w1gxP-oKJh2KiBAh%4uaEi}v^xARxf;hsha*nAqp9|VN~0X9
z_k<g(6_k;zbes!fipagRFvgju;Lun|K&BDh;N+v)1DQC%040I7sGRo&f}Q*ZJz&^{
z<dplmbzl89HKoc24g-glpI@k=$QLvUo7M%+PHLlm_AIM>k&Q@>>Gr@M1Z25cseXWw
zAtK7FGT!Kcx;XD^jXQ*FtF-R0aR6Zi;V=|$b9;i)Y*Xjrx%tFkT8UsgG^3DYB6A^<
zO+tn2ywWzUznxg@kz9>yxdVCHHS?#BF=6EbZ}eW_f`Fh8s%i~Xl!)xaw^w;VU@&q<
zg^MpIF)VDzC8}?ChLg>@_yM2(qzkUco)aox_5cr$=3Fl>-X7QUkcs_7>YSJu{UKJ%
zNR$Z=FKv-H?rZrYMXaivQE~Aiu4hzTBScpY7uW0;QPYj7D`IWMl{dZjaSZh-GCnx`
z7x6SuQNJ@x4*TDt)PknJ_pA9Db(i+5NvYE3@A~~-D3x?{6wg2Wn@0}wbt3ta#;IvA
zkC4JAXXpPxH<a`nzohj8*NmA;cSp<mf)}A0cIKJsXlFh-jQLt;n4{!Hj#VCOrp7=R
zyW@}T&CQf*!NNTP66&9C(wJq?A_g~NR9Ia!H6mN*MX<srGQ%w9O;u`&H`-9qBLb2V
z3MDrKrjw^*dh1af*XDSJ!6@Ndze+@+wiZ-^oTg@Hk8!^X9{XD`)zmTr+RNecU{IEQ
zvf0lpu+7ga#3BRKODlm}7N6!z?@Gih?HUL1`)fkR16w)?@ZhXqYQK%fenelS;&?Gw
znhMFEM?|J9{JA1q0BL4UgJ`0^*WmsMlE!Dp20lvqX~ei$WTn{^wef>nEQSh|HTfuk
zTFV3xH?u{l^`>~-6%~Vvb6ljCZ(HrqPJ8h1N>8q63kb+HH63MRXbB^23k+z|Si_?h
zqN)?;-OU!^B$228pFCbb(){)?B}9e?Jc=4G<NFy)ro*G8&6z6i8{%Hip3CuWCaOZ3
zL=Z&bWs}DTWZ721y71h<n~4Ug*2<ZrV#s=?c=6e=x5z`g{<Gz(9#M-i2$5!<QYf$a
zF>!qq@Zfy&pkh-Ui1?zV%boqPZ6w<EVgA=<lUj%&9cyYwu!cQpi_%a}(@?IHjn?=~
z)B~qf$ATZ9u06T*i^^xA)=vEV7%MkASgnr-WB0XSI}-GAqBlf=TJEoTrtKCJ=ffx`
zt3#qQCq&B4lcvfp4DPIg+-<0$<3Xi5<+`M;LzRO)REq?LYZSkX_C8<{tcQT#@u>On
zQYp~<LqoxlqbT#S1q(?M^wMzrUe<IswCs>W{$M0c1zJSU%N@(k#q6aNk(^7L+M~Ug
zqjHSpZ}~x7;hPbH%*i?6b~m_(m$nzu+=S19Oiw%X6T`VKGvU8DFS$n<2WkAzfLM6-
zzxv<|2%`e!o4}n1;`~Zf<);5LI`WhciZVDGSW2NjN8;?pR$8?f{}5+44v(~EL|AYZ
z_5YVhcI<A4;mdPF>ceB|^Cbj+DaES^mG6)56o$laIL53!$Nu}<lBSxjYPGU;#Qy*Q
C0Yd2j

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/MultiZone2.png b/Shorewall-docs/images/MultiZone2.png
new file mode 100755
index 0000000000000000000000000000000000000000..ec3b74cac552428994cb9b319e9bcc02c4765e63
GIT binary patch
literal 10370
zcmch7_cz?n_y03OvRO_@vP!gw-pfl(RuDl%FF};m1<_a5>NSWSM6~G9WA(CD7oA0P
zR$rY}R}%H({Xcxqcg~!-GjrxX?)~A;%$+%p2rZ4*V0thB0N^*u3OWElg1qTpfNtNk
ztQT<08*$5B=e0b5!ZL2%3`lKXs=ow)$~f{13$mLri<PpDIskZc0zlv=064pu3fu$$
zgfIYXn*+e}6ab)g{obf84FI<REw#6bHwyq#fRvOJL`n)!03Z;El!BDvMo@q#{#Ple
zC@4rFq#y{0ii(N?LP2-a(oujIK@bRp4njo-fdK3P1tSF`gbKt0qNAe&v4a41b}AMs
z5H|?I0%2sNV`O9mgaHsgh>o2O!VM9lgRro$08#*jFa;eqofzXyWdx*el-L>h838!}
zBn<-OsH9mKxw*M1q$$MM*#T*3KpCKrqo9+b<LBq6lB1$fpkNncm*!>{<L3vo0AXQa
zkQ#_enTlJATTDz0qz94~69crgq@<((3qV*-7z6`JOG}g5kcugYNhwIl$;pvAkxDB|
z0~Qv58-<jb6o3HirTC@Qq)8E^fES>wtPJ=8YHDgAKM)XlgQTUVrv@MpKn$R#rw91?
z0ZD+Np&@A!sh)*igqjo#1_LqxAT$)n0Fh>p0y#j2vXsRQcs>Bc#E|Bb+Su3tC;&)G
z0;+%vJq3Gv`w}fVpboHcvvG2AN`+~;IXM9>Kt4>t&CLzS$pN}=tRZ5YY!F@uFE1|u
z3wZf?^~2Os-Ryy?D!&^CCV}4;YQQXz>g5D106<GiXlQ7Oms@B=D6kGhL`0;92K{z}
z0fZa-F~AYf?`02QvA`)1A0LnPb4t4L<Ql*Rxh?p?fZ5s9)KqMQUq(hoRcaEjzMhkl
z(~+8#pP!FSjlrhI14l<CB_${n3Y(u%RaFICU-zR*>gwvSs1j@ys<E*VTUXW6(y~&O
z)6vm^ZE3`|w9K|Nc6WErcC=vo`xm-9uvqLYwtofNz3>}5IXO8y`FnPDc41**eSMuk
zARHYXot~avUtj+(8vp+m@OI5G0I(C^D7<{@X}XsYXU5*A*LI%Eu<8}gIjVh+UQ$-!
zk!|!n+VKfhI(3SrnB+Gj#Jh#jK0B6!7QMfyu<E~97$9oS9o}mAsu?hb9Lx$rH89|;
z<yp6jK%Kv@WA^ok!>NR=62f-o`^IgV9;}){D`D#l>q9i1DAjpuXmm}g!FP|ZP-W*y
zW7F;0i_X?BMMrr7oam_Ar}-QDkMvCce#UFSX<r;AV5GDPOLP{y@|Y4lXcI6$YCWY}
z%JG8CdtYiWUvL~{U8{$F9LPhv@E`M`ctLvs=D2-6bku7o`<@^>@{Plxr>|KbOnUaI
zJ@P49)hMcG^<0IpGJ5|FhP)5<+en&uQIenVZGB@yAn$5wV<R~?i*(6V@tIKee1j@6
zb*O1PSqH))?iuATCci+0P4PwlII*-5eJIF*bn1c40=6<q^xreHnBVFs^bvXdR*#Qq
zb$OVYwjSs#CH5v|<54ka)%+r627@nM4{W|P`Dj<#DO|9WMZeBn{Ye{-s}(}B^;4G>
z-;MwIR>fy3xvseW<r?cVR~u_<`s-$YKZJ=7x{-8S7y{!)JD3rEKesDA&R!`HZ`#(I
z1L*~<7QcP2Xj(94zj+!zi|-s)2F+^0r&@52!S_GH=m&r1iTlM*FHPh_c-#5xBF9t~
z%O>*0PW}}{*f75}g-~Yx&ppu>6mqT#Zg8V=2h;9sc}K@5BVoTRTwIwK9xVN2uHq))
zK=!Q*mhp%Vak4p`aI}y-it5UhRJ5q)MLSp#qOX|VX}f-4I<pTs3%4&}*x1AI82M__
zIft?I!Or1@Ga4WD+N%{$?a(Q|p^n~mWX};_N1yxI(tjAmzah*fLqlpfEP2lDXq}1Q
zEF{IVNMsp*<XBzw)Kou@ekxT%f`*nkepUJB+oHvr#OH5x`~zP7mL9ti#j?~E7bxl*
z+i+<3sx0SJh3&%_&q{wVdC;|5A+aKppv&Sqrb2&btXt%ZC0tVD!f*v2DHz-Uolj?w
z3U6!M{tuJ?+r+fbbY5m{86f?Lw^hk+2CqORv+)}qURc>x1R1;#(XaIe_J)TpiLL47
zhPqE-Y54=XpA-EcmSmN}H)>t@`|{jp;gxul(JmcoN^2r%6w6vV3vHU^&ejq9h-J!j
z`<~)r#)$klsK?;?uJLy=VeGYlTo$-sZ2fPDgmkH1W=jfz&DZp)iALO#b@0~9y-qrK
z{fjU2u5X>V82%B`DO6mnvTfIX6^DLU%M1dq7eL3TyWF_azPRGa>Z&pGdFp4DJ)$q>
zn5B0;XwpGa-0%Nj#k8U&h0s>MS~W)EW>U`n9fx*xskJW{1;^9Ki|%ifn*905$)`$?
zO53w8;L%O{@u6kYPI38Qi!n-~)Ov&Nr+ANFPelnnwpsgrmE;Vs3x$-!&rZiwaM6(*
z21=IzmH3)Hsj|@dD=p#v-S41z?0;i#hw9J)PtjI*!p9TdbQJ56hAo&_t7)s`MGEoy
zAnG4Zr<aJU6z_JM9MCLFtcE)7<0p=ym5h?B=j8<FGBRU~5}*Yh&#|KE$}m$77qWfN
zrNAxuZz?{woeB5Kf6z@P<0{4aMSP~P5QCxg2Z?PY?+8cy6Y)5anr}iMSf(Yjp{zk<
z!Z`d)2`l>8Stx6~X!{VD@Vp|ko|_m~AxNX4hfma?y?Nve?*cajGMm8(&|wLN`@-gp
z#=v0^ndidFOeqWc_(Sz$?B8&hsh37`;|e0;eUAa^&NFD;#tlLmrya(ODf8asU-vch
zjh<u2KG?BGF@-zDe^Qa)AA&De?5|idH%S}$`e0){1_R!MM&Of!84Vf2y-1lk1Zx=w
z+TpC>^|RMK^7fb*OKwYJ-na0n-9wkSx*E5WsGeZ|N=<qA6yB@5y?<pd<D_O`HmXa5
zaC>&wt6ORKi?F#db@4tfU6fOw#zk0p^Vzp16@p3nS`AcYa!;7SAgfM-INI1DrfUS>
z=${`7yk(Z-%{g5ZF=AYK59<GdKh@OW9f}j}?xRvmkSb1*;xQX|bbHr%($Qx7J1g2@
z@bdleTx@Dsgbmg3EsUcQe4_#nh$1T)IC{H<(&z4B5PcbADzt+*Y7fIf#ZQP8T2=dB
zgbyB<*j1fHvJvEj<0s`xSV=gv_Om)_(Fi-;Y-(uxfV-o7WO7JCg1vfA?asg#`yttK
zrz!XO7QNI;9|-DQ!9;VY>MO%-!yQuN@^HPyuAj(o^~ZeI^ql*W4UnQey2?i)rf#A9
z)Z{*|@_V0G39XPfvVnO{g!%tV&)up1(@s7R9C<vuATyh4FTaq~GO^Q;8d}#r92KkD
zaZd6j9y5mh%OUY=ARio-0T58!pvi|-AIUse*n|p(UTAJwOw+s2pB4nZ3Td19*#C~6
za*|ZM?s1@~%P6AGVyj8)=k3O?oJ;dn<A-GFYwSvdVC<>2h&T?h^5cN9(s=*9Xw|_`
z$n1=<UquDi=!XUq)<DIH^g6Zk5`WL6Ku@v;wh}E_3UZ&*$GCXW<Uq}$nvWS5Q29^9
zr=`JQHl)Z$W{W#^zIU{~SDx=8DJrf~g5i>~4GK$iPrbKUFF5=}nD{Rb5Nl`Kh{k7Z
zCBmH}r|PTsNor0WJOFJ<E3+pFJ^V3NpSw;7{P(X?#`Y=Ea%}5kI{~)XbAbzn7xHnG
zq@HB-6$tpeif216cH1m}3ZK&TV+(8SWV?eLFDiKX#B{tdy#9;kxUaUmfi=Aqq~l@S
zmrmx)+2sjDC*gS1{dFUvB7<qv<XFEa$n|b>6K(q{3ru$U3X3C|>1Q%rq)TNlZQn5x
z1wVN`2x|)K<-a%(s(N_G7dx%qymL%G>K;Cr|2yOp#-7ikCQd>F!g9LQEAl~yC$FG|
z%~Ws`!=bXT^BgR}ppG2Jbrs)sxy?mGh$Z*f|92tJ*I*0_USbIPM3Aw7e6YO-J3wac
zCjJMWZ&o6lT+K^)iD*jx0@B>Ff*J)9%V?Lphwui!1mqnmkh7y_Xt1Et>1{LEyLW%D
zde4#Uzg53axLHkEfk~I0BOGl+GD%LpNWCW1M2^uZia3eSKi$tQD)TY9xn#aZHvGX7
zA{r$b!w?TyA3e|HV#qJ`%$qBV5N;&ywRj*cmX&PrH~|Y~0(b_hA2-x~HFF1PZs_vT
z^?nV_tl`7_vHK1lG~-Vn1bw5=4Md~|hAp(taep63mT=wAkbiB#;{2+bvnnZ5{&i(d
zu;lYuk)@`XFsiosPYsO_%6&ncCtY)kadS~%E1*&qN9YPUml@SyBz|n42))*tSk|AF
z;<cEG(5~)W<z7*IsQB{rCrF9tt954##_pw)q+J0b1spI2&%4`2D7thu*rj1!Xg)kp
z`r+RtKp%*afs<jJr#9Z)O3LRE+Y@&DmFHEwdJ^jKj-iF)zoO6fZ&T`v==?U5SGcmJ
zre_jIwb#k2I~DrFca28hSq}HiTog7~)gK%@VP5z=SxzPQ>LV*Xy7d09r;_Pex4gSw
zp0@25Uu=lCJ1;NSJ1guCE8UF=<P&$TUkN}!ufoWeqZ56tn@8VI&;Pw+&PB}N%OT>1
z4tDQTkw~;FX40^3$4PYEkN$~AMVS6v6|8$;$;@o4B3*kqY15{$4OQ}^T~%hHWY!*}
zb$!AZ(!ey~5kEVVEZa4;vr^W2a!=+TbFI@E>iNjofh?t&GlK0M>o6IHvTZ3P0`~Qc
zK!zQf_S(^GWfLR#3RMdRQ|J6Auj%hDQnmk&-tv!=`kVm&h1|zg>L$j+Ny>PP=OBTK
z#JqQ=*4YnJE~DUNkgw!nVeuNiQNS+XA%U-Z*zu_Pi<T`#V<QClBsYEnJvS5K+7xUM
zaHFlh*kv~<B?==@cV0*kGI!_0H+AfAd%L|?Od+xip^vx$Zv6+#il5R*wFv&?FAV#c
z%(>9V>w+gJDL&!g?a+dQw649Y*apZaOh!PgL~MtHq}NWkjjdJveMPM+c^yxRWlOyC
zhOEU^#yB$bOfYOmi<DG|F|;R;X&aNlloG&&cBlNeb>&zwlup9>5W8i;EnT1;$$PrT
zj#OVAq({0bzok+)1A)umfa7ew=0*yJ;$uTGb&>O1!14A0o1Orj&nXkNd)FE9dwTu>
zomJJ60pRf!1KL0zpWSOBb{_H_QIF1Y-Z|p+LZ$a6>51RIPSojx44|W#nhJQN7nP=?
z0q`1@r`(qOlxg_gw`l$mzB{HufyrzOXF0C4$-jIAHJbR4Z~?iv!N)jiSD}*cPOnPV
zd8DsP+{2Z=Z9@y2GU0a`bkzuvDhX(Z;b!s2$i{hI{QD=xAD-PV;nH2`Uz6h~ek=xn
zBDAG-JjHOz4Jq)AlqstXRKfsz8ir7v);nghA@X?E@;wdzHd_odu)OG}9k2aBM}`47
zt~)&z=4U#5X~HR5TEh33qh3d^4*WRR(7o$*TA2Eej537x+)q)%koFOM$hf1Oc0|U|
zaysM3_JebMYFBZ)L$&3cw#U;GYebwu|HOG}?wOs0uHRd||BNSCO=-s+6VOqM4<~}T
zZBvqTuy1o9L85s92F`fYWRA&vZBoSU*_o}y7SjQ<GMMtI^9DnsyLR%_EAL3^wv<`J
zlQi+Agh5!k`aR(sn|JkGh1SZ&tFa$1`NA?X^qBW+lBSUK)1z<pdgrmN?H5p;nxaS%
zO7Ng0#C&jfG3VTIC0Q9dr}Ri>FEYX6#AVWapk)68`?$p!wQhgw?p!}EZfjO!ARi!j
zc$i;hP(!VJ>q_v-hVeN2QESF>yPkG%|C3J1Io3}W)4%$ez&ZHnJtd}wPU0Rv8Uod#
z5hKtad;iDI47Ok@-skr0WlEgmD(a!Gqzgl&x{vf_=@IfYgWMo*-Iq+V*|Y}foV&j2
zG`ib%<sPm--`4T;5O!5Vi-rqQK#k=B$Q~r)QgNXofy^Ri&dFA;{Nt9KiMMyh1+-kO
zzdMp4=4pIC++S(>UD3BfIgx+xr9ou*CZaY#*_mVkG`{4~dD)RkmzZhCJOO5XZQ0^P
zm3+AFzr0qiwe)M$)A#DjPc0yL?6dMheJr&Ia~bL@UtB+xthNF7gv}Xcmf2xfl;%XT
zr1a>4_86t-PU}A?!><>|!PnzTHPuefq*Nc%psD=wGoi*{%0n*J{+)l*#$0W?a|4^_
zJF@myne|t13tleZ!UG6(W=CHz5=><*v0cyHp4VhTeQx3l2Jw3F<UFR;dpE+i)pWz0
za&FP5IeqnK0M`!7p-aGwkZ12ano9qk)PIfm75arZ_JSd*8PX{?gXE4^=qT25+pW81
zUfZYJPp<SS8s@Hh_y4{1Y=d#<Sqo2Ee~WZ74Oit$el??6_X=0i<3ZTg^#mc~@kD9S
zV>Y2z4zh?IW-a`<8OGR@e$*eQy|@=}*;oGeHf4hq2vx;H>L9>?tdkV1`k5H=S7^gK
ztWD-q3{*hhvf$ty3HS0k5$6v-sjn>CSfu$3mDxW1lYySQuFza0X&~qDEzI#y_?mKB
zP~sqV=AtLsRimMd6Cpi#$5Rh44Bs4tFstGOaZQ=SP5VwCYnP{H!n8ck9fBKt)@c29
zFe43ogB>5U2K{QYxv4}#1L<0{2SQ1jhJITA2flyztwk`Ef<x(J4y)+<6$x!xn%U*f
z%h=Bp={(ZkT-_SHUJR>Azf3=SrK|6e2A32MA}iJ0J0vNbK#n5)!2+8YEjXW6*P8jq
z%?Dn$t_@rtDm{1~o1A1>OLF_0I6^h(GtC{{dh-Src0b9c9)Qc3IuUa{GF2b)7W^WV
ztEwq;iaIL?=eKQ;ipG3l!>O0;o4rG>IY$L<>6<jn1uWY7@-(@kL+-$W+>rR#Xh^Z}
zpUP-Ma$(|w#iTxqr3des4LJj<-P+zp*|Y_}p}K-!9i{)c7`}c?9+S!=9lu7DmN;W{
z+DbMXz%nUrA2GVt$Kv-;A;y(tEnN$QGr^`F$_+uuu~28+zul$Kex}?oQSNvsokuXq
zF>fC`rBzXp^7{{MVn4n#4E(`YLR2P67&_j8OM4vPf6UJKq0fgBe;ib-6C32P(x!(=
z20H?N=OP+}Q+V<pL6ekT*g{rFtNZze5PnjK!c3+WgRrpl^t^^+2~Vs4R-d0M?isWd
z6LVK%2j%$2Qsp?2p%nk<o_j8DVnz++r%^G`X<$I-xuaEi-75(b*$)imBO5qvg0u8R
zp^)$QZ$cxqW>?2?*IUW0g*{4AUaO4!HtU2a7cu@htH}|!v8(yeV=egkBXiq<a}4e2
za7Zq+HNf8`;IiY&-<gR{L2+{ci?!F6Md7rwJfg4-;^;hG9KoP-C3X%wD_6NZ+m;~^
zx}my%<)*Vxc6q*#<$dn6cvaHlM3*SJL0>>86>#uq-<99Rd&psd^sZ~IMfxk_?cT<u
zh)Z$^5B@#{FIBkBrS!DHlCx!o`LiHg^9nEfvHwP9mS(ubpcMF}dVTe;hz81lUEIV-
zd7G@>_ek~@SN9En^3#S&j^tp+q1E`QRpJmmaekwKY2et!Yv9-ws1L5Xt78&oWx?oC
z8V}w5eJkKO(%gLNPdsKGdVjUz?SCG(nN<EIONnQQQ1aGDMYhj_yR|F03IS^mLa#4d
zf_maTj@XBhvQfv{H~TkjgXn3|BlBc!ZOUKE%y9m_?fiw7Wk9hkMpC5dHF17znaER7
z_Z+!KzO#0W*`aj>bq)o%Cdv|@w&IwOJ~Gr-U?~~Z9y<|UHP-Iee0+b~+2}dDWnW7@
zDXLR^-TT3tG4<L~9Sh>}51+m{OvQ$G4lgtYFEMj*&(5jU(RqiM=J^OHUF+>;3B=>z
zfP;PJ3wK+WR$niY@fpY+QZF<Ev7Sv}dPb|^*mvZC9>~5aS0uF1%QSAI-e%pI7_o?m
z&J$Zh8JeRAbVA6hRc_V|u$RnY5udR2NYz3@ZNOAY$Cy}o&-ue$T(g%vL)zJ|yN0eS
zOtPzMghJVkDQpSJje_iwox|q~b;AaC<z@TKsnvgFGiV>@lZlVN=gPlYw#}m??0U$b
zU|Sy*J(A9H`9-ZDC}j=*vv{9Jdg$0&x>W*-^al1%6V+aoIiF#jm?4EN>How{S11DX
zoiO<^L;5u6Wg|tjVcuE*laA;2BX5~Y-u0xBX|%ClCq$$s%lDh&{2s<_<MbI9Qqv(F
zdHg&43<c@C3eA-LC(Qe~f2ZBYp|`vu|3C^)^gY8c+hz{*x6dE9Uhi@l7`U`zIkNR%
zTQ%UEnuBPi%4FbEbpv^ApF+THV#n*m1M?o{*4r!oM@jW92dP>A95@lQRV~NQ7(&;b
z!v7nEnfTm|XLoIM3u!s--C6F44aZC*2eh0l|7q?BgB9WSUYv_$ZO6J!wZw*wm_f`;
zDW7<l;L2Jq#^*BM3%FdEZlpP9wXTW(Ovv&-dsFd8hI|?2#6+I+0)%Q}*4X{q5P}D9
zv>S(O25i`7ls5WZU8JWdYM!fGlIq_>I_<mz!OUa0%EM`)riAI*=()2Q=PYtl*||NX
zd&rzY3eazXM+npi*`(BwcSB`VCPt`ncaE6@xi{Nx^)4(r#Pzg^*?%{81FQZ(v7c%G
zJ{x1%M1P4TQOezPSmHHKBS4z*5bD7YC2riLsi+H`Lxt(@${YOjdXeS-{e_9+1#e;>
z%!ht9Q6q=ERd}8FSGY>fOdjo^`f8w}L_$+2+dmT{vX+7;Zk`kWb_y2bBKGbb*1Z3W
zAjAH1WX!4^{K#c|Z1;~^rc#v`S+XPnj^}(onmff{*|&2T1+zpyqMxx<VjGW?59tOU
zYcn2u`&uQxBg|?pXPmh1b#Gois@S>7IGL}fIg&ATx}Lcc8GbS<os-fdt>l3)INCun
z)PRYKUZJ?UTEpwb%L-Ltq*K8GDW{_Y=QLaShN_GbkJ@VH$X_NIASYyVVLsp0;nM-%
zhs>$t{QXlAm8a+sF4yliuy{TbYXxQ5A?8RbtHe>Ua;`7&>I6?RuePU~pyilhZsF*d
zo%A&#X_sL8CDcxPS&)T|qoXvm>Z5aFQ)b&VM>=NgBFL50=xN1&{IkhUj9i%Wk-?pN
zv9Kz1h~R=7pVR~2q0S(!=Orkw7bF#`QpgYD!{6=s>1f<mK0Lkj#2tAnm?wWEjITB|
zg#PKu`Nd{m&h;ZJR@F3)YWLxAhPMt?isf);RCZ(jvQ{)dF2mh4j&7G7xoz+E_8_p4
zCHLL0@uTH3;!4UC8whjIfQjLIdJMt23th+`(e3nmXl^+s7^H7W)W5fF|5_TWYZ{jY
zVeW|vlhB}%k#9jQ{kpNR%{V_IJ(n0G|Js*FdW(Bg(z{7#v+1$Yg~G<Kr{z62nK@p=
zOsH-7jUz3lPeW4WwVP!0l5BE;Te+|M`}*m!FARGvjeN>QQ7PR`%-Tvcf<-$R+DwN(
z^0b5Q<H(ctCo43pcty<yFuj~N<>Rmk7qLK=FkOZtZ&FKJ*TRdJ>B%`rZ#P?s(6+9>
zk7twfB74`QUkDiwXDIKg5twVd4Dm~XUzat8J>C~lZOQ8+aQC`2;2Yz!mQ#-{mLe)6
zN7nYF%k4Kb_&t8&%Cwytnts|Vu7;kXuiX4zoS{#PVV^v}>G+|wp+;zhSxVDf)0Bek
z@g`Kfz<z%8xwHg<)T*a<UP~wkMc%J^u)^W%*5`=t6FfS5=sO!n^j_`~KR$pb$L@qU
zcorPqFByNs+`0NqSG@0XmblH~5MHZFj9n&g@}zBk>ae^*FmKaksLAfINB+3Q%!kaa
zv|4pmeo2tPgfUB}>>A|>(O{JMtWw`9i^d@YWTtmRUo|)XS*jMlJg`j8O;o}%R>^5|
z{o^1@Nq<YT!~W-wa|dxrE5mxPqvrH|xjdoB0sdG;n6Q$1QvHISXP1WX$*QMg-qOW|
z7A`px>Os+#YgCZD*>;zbKtvJ~C_$eSUj=f&t<0bOIAOrSIwJ?V=kD}fDirva2ztc?
zN{Q)n%`^z3V=7Vp@P(>-O))P7{b+}admnIpO2J)PW#5F#lPKm^U3$o;!}e)98^>rl
zw|iG8L$opTEaR*1liBT4%0d)#0W%ffE~7Z@K4td_mX)8jDOO=K1Rp;u1P^i=%Bs11
z+@xP48cn^p>vZ=lwKFS}i@FoRuTcJKIbWKu-{p#oCt%e!M}%^V0{7BNhww#kQ)bk|
zR3Wj58cwPlf}%d%M<Kv5IWH%o`j|f65`tBI-{kfhT++d;zZ3E}uaGqqN?k}W1tF*V
zel%<OEaL^k(6ri6sGgPCu3V}W7J$3Her~%&_vO^2E?6<`$#Y|&pq`g!f##|64I!_T
zdZ@6h3Ulmcx}55kpRI-Q4lK+Ve?-E~>#Bw2ojEL@K357ImDN#-2!BSmqYz$6<_k)!
zde*>(wG$$OY06Br)jeZ2MJgf`9xYVA6(-KpomF}IQh+18M@(}SkJyR#YvkD}A4F#F
zPqEAdLE$U!lS5&=k;%|_sGygjSi!1O;wOa`0ZJsLM9#*iOQ`u^E>_Gzc`LXT5~hk5
z;^9PY?vXfL0@^~G!oKRwk6s;p83OC(7R&veW0{G8j+Kfy2Pb33GO7I6)B>LwJRejl
zBaq;J{wZd}&F5KwH*IIsa_)C?9<sMtIdwC6Tz`S)Q4!SoUj3q#AfNc5u=w&vTqwqW
z{NstKV`ws_0bLV+Ki<pzQO%vZ$X}j0qK$SZZQr&)x7Ko=ba?y;<bkK0Tu)B+T9oV)
z+Mih37QdW~oNOIqPh34=EVcexOEE96TeT;w(k=fy)|0l5Du?q+I#gW0`gX3z`w;jV
zLgp@#Qjli}0*GFM4<EmDuonz|Phc5*P2y)Yef~P5;IVdp#-!fPo*q9NlMyuxPMbt=
zG0om7cMtKFqOY#Av6kbB^9pP_Oo7|;0@qbi%oaQEW%1~*6azAC#fTwYA*w#?Hp#$1
z_Mlj89^dyakq;b_Ts@z`zcupOC5`SWw0XU+R4oYB{*ZxpusY#~Rqa*yd+l|0Ro-FS
ziNZ(;a8Y$uXb7K7H&iFUmCTNJptX~a^h;=5((joKB>uVcX(|~f?)4*>cKy$yCu_av
zX#g$j@K>C;PudEt=*fhKldX;6D$;hm&d6mhJVS57NaA<uYeB8<RYBiNOB2n6Gt|~`
zbk`NHWj)jJux8RXHsXW1embq4&E7S50%m=WDrB^H+S<o@Qz7WP5w@buSg+)RAQ#$d
zn5$a4bnI5$Vx7Y)MvuEDw@z7}B;TqU{8_NiYtzT%Fg0dyeV=*%P%c|=;Z5B`HMzE(
zYM{f2%c`eL$&ou{K1`=<MKtjYyXYBuDs|h5!tJ?<cE~+YiHl*5Ws$9GxQ9e_g0}wn
zj2dSmRL6Go`@{6KbiMkeYPFZ}4diz<mk5@=-`1%2UxbxSe8IkSX&HKNt_2fkO4_0#
z&p@6~o!D`su#0CUHcL>0rMPiq&`CzgSyrS$Zs{j7nzrm{)}ml<ipXwQ{1;Hb2jGc$
zT~dfF-(%u~%I<6i4&*JguC1@&e}xu>B?ckj&w;%As?&S?OM182$Q5}?yS^KJ7oZs#
zEZNpa2WGt?+<c#ZTW>PXuM7)f`m|w70zPnW+;pdJfa*lr@KaZmekiC)@**vvH0S@y
zr?Y5(zuYX~n}q4(GO%r>`P~AEA^;l|uH762ttlv4WPTud`*Vow2a($@`56<d{Ot|8
zlHl*!HDlTsr!`uw6Z`L-a<RRRcvMQz=DOpZT+UDm&uTQqMI#8w_ZtfyMJ|0^M;{5q
z-mTl24UinB21zr1p7&mi!QHY)o4hASFb5W3c`N*v9(bIA(ZRcm4~|H-p?WWRClkjN
zDtDjZ{hplcR+Z+?({=5gU{JZYx`J1$XVX7;MO}S&eHR`(H(A$DrPa<0_tgiG+kJNN
zqm!A>g$MyU4gI|41yspAg}buUs5H1K(6c(*`=3BoOEO|7wXDLvvN<!I5sBa|RUvq$
z?Fq~7K2u-v^qltNloN+;&#05$%0zfNKmUf{K>7|<ZQRl*8z1vsE#AvaE#Ms21r{&6
zYwPf_^)_{w*RZ}>hCO~S#IlBqhZ#aIji1ERMd}-o19>r2^#b>7!~9;UBqlu7WFaxh
zQFG>Lk&b`}c&T-5I^!w&c#ORkj<j7~5AxbR?6$M@2x~U>keZqiHA1B{9-3R#uo+v@
zE^VMzKgQy*whrSSws#<*yN6?W-1A*ds3KvL6IUO>0FA8?QVK}@oHX1r0Gj~K!i|pg
zGRwZ?tjZ##rrJC;Mpofbh+&yNgKszvG|~9ayrL^o(>OLfw#}?loH}MrLb7LRp2KQl
zDtVAdPwO_Msk512^)$I{wYtn9&!eddMEF*w+S$QsQvrUALPXm<)TaumKl|_VfOW=y
zM!hsVS`aJaAg#VcTo>4E6lb5F+!ia-usi*Oq|~Hy#R~S34>J9-3$Kyqs8jj#>M^TV
z0>)$AS<S%jZS~f+Q+yj)`tiFHCY#-SrH7qCn(!$sE|nn!92A)@M)M<sbT6E*Ydig7
z)3MB6)qQ1>w%Pi{-z%Hx=%2~&>}!5qIs^-U#np-+9STkx@1zamSR&hQbJk~KOdBT;
zIr6V(YyC|EJ=B8K4b1l+6+wSc2;7c44XyLjy&)o45%`(A|4Y&Lb9wUU+jBx#k>LV+
z>C?_D?({Y$?<UY*Zru><RouuE?;E;?>(ovkQz%6eBLW&&BjQ9GE#g!UnZBE6vBPAx
zbi)8hgIblH+Ek=9g9oQiGM07ipb1X$cSrE3WYnIsGwU|F<SKg~jKSSjs$$wEWIj7O
zgICZ#UDgnNJ4@c3z9t6PZrFK9um25KD~jCg`W>9Pm-Zli?9zk}*&Ny8z^VtYXpPic
zB!&Roxpzd_k$Z#l1uZsjWDmh-;-Q8AC?x_sdT~g%nA77h^Sj1l*j$%e`J<ADwk|jP
zj$T-+$Ost9cV9p-j`)H3RrzmOwDgR_Cj&LVyK`aNtJP8L)>RY%BVE~;om=k0CqYk)
zkbe%t8K0@br~GmDY-QGVj%81jOzbIAHibR!e%fj~VF<B2JK&$E*?yS$sdn?e4V`7d
z#;imsI4}b*s6Q=2xZOXsG%zqZ(nIgey#`~Hv_)Qw7=P0R7w=n=Wq$U$btU)tFMr?7
zVoSXBwV-})e0uzupubbXCujnWBPVI~57P}5#vzd%7mpXbSH{@7&y9{UOJ`q>r6ADE
zHC^;U{q{7!k=`*nWI_=9FEjQ`uin9@z-=a|V)xhd9Jkg&<G4k<&-$9F`(W_7mZU`!
z_*8#k7S2JHkT7>zcCns-(U-Zzn;OHDadj?hlF7K*qb;sKvk4e{ogZH-8jniSltoY7
z?3VgH<9|aO$THs>usXaT+G(-hMG)<<Hl|6ay&;r1o$LF%_rdtG{Nd#SXjSLA`lEDJ
zg3-T|L?5UBm!>_on1(q@PWlkMmbcE`cr5bIuGQ4D->=YpdiX!e)f+_(1(dvb@c#iC
CKQ>|j

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/Netfilter.png b/Shorewall-docs/images/Netfilter.png
index 170752fb3bd8a676421c1b764d1534dd0ecfe266..c4d393d981d72add8a1be06527866ba2268ce080 100755
GIT binary patch
literal 26876
zcmeFZXH=74^C${2Qld+m6zN535b4r;?>)3oMXFK^MLL4gL4*LJ^ez~Rf*PvQ1f+LR
zP!I@BdN1A`fA9PL@40K;59ge_&WF4Hp9oK8&&-}Z&+Ms*HPBOs(ZdJ`2w<8TDn<kZ
z5GDeGOHw2d@Z|NkdvV|o;X@;JB?3%8;|ll(>a3`%NI+1NeC5pkGWeg>QNu`=fFO{I
zfFL}IfZzl?3da!;_zDsbtlAL}NM#Zb(0aYX8p;q5xCCjcD4GP=Y&6~a%A^_Cy!l7p
z(4kth@vhj=Z#61A*FiV-%M#B&DQL5aGe|s-&5wwfDoFWBuKo1V)vv<BF+`S%RCe94
zEHUA?ZA5fBlV_XTO{YaA1L~$>W967;`bH_w+>^%D73}Gw*VutSha>v($e*~R*0A%5
zu=CA77n^_12L7C_=!Y3CU+l{NdD|c`%tmsT<l6`D1<#8mPq_;(o)zcZ5TaTwXc3$-
zggjt(sV|jV|G{@G=g1IsaRqL7K>p7{^ulFg=z;o=p+a@xi`&gdN)wM&RVO+SwjulH
zhjWMC-FIf<;eGW9PpK&b4u5B3a`olUP3|}y{{DV?Fynbe<oQ)d5XaVc|GDoiVSiG|
zy4s@2eBt$XAigK@n9-k&TDRoSwjwdG?%0dwz<oEg6wh^tEakJ_f(D_vxRw6OE&-cb
zeOwRciazGFizO^gx~f8H;;EdzKy(86q$J^!Bwr?8>yn0d*@foSr?{TSf^h0$iI0r|
zA9t-u(J{ul6Ht^h7jj5!e|_pLM%uFKAx=wnJbtuj2L48YlGX;w^+bV{gonN)L;%Ly
zc2|xN<s{b@$jL)fS!fe73XRC7Ft9s5*qCWgcfKZ#6{fN)UWYyE)=hb9R4(^AqSb~p
zc(?D)bdrvSUH?%b{2|V?2Tq2ZiK(mn=lf<-7k|#7B}uMu%-4JbN0qgY>}pKesGTko
z`Oy`^`zq-ZpT{#@X(BK>3ud=7XiP}L#@cjs@!!chR9Z;|=&*)kbi&PU$1@uZh0X`=
z8&W}8pOOE7yt;P{*CYBs%*VUIBvRN{;Rin<gox@Y6#0VSjT+5mzx_NK&&;w<SyHTC
zS>ZGizMQqP9%+er@ItRK?aHl;;H`g9c|8vIV_wUr*-E2QK=fFQY4hGu-Q=JDSsB<~
zP6}}*bt#mu^1Jn(0#*FVv?(nLwN_KYMRJ|ouI4Sl@E=Y^gxb&7Ddz80v68P1seBa(
zARW-_Fk^*EiDL{^0lW{^5<2^Pt*Ye##-d3Sx4$-VN1oA{S*$7O5JSnc_)ZV#L#SnE
zv5#!%nfV6db~@iP9~A|n!ssnULnQ(vZ@!6GpE^rOyLk0}OiS?bu>AI$7l$UdPP9nV
ze3V3*&vtr6IQ4nFlxXUH1`~6qY0|v$U!DF%dPb?OfY9O@({7U;nyyqvi0;Y-Z2fTY
zP4(?~QV4e^n=kI+PB+kCM)E>Ud0&KHD0;49Or``XG<{X+y+rAsV%CR6ce2OH!dC8B
z?yUIbLXfV#(05Il+|_1Glxsa;8=K!gKJ0lfQ3dDwX%gcB3+otb3OPNHq2Y`%qae2G
zj=BzO@Y|p#Be=U=0Jl)tr^Hde4y=7|6Vg!0i&CvvGosb({dsa=h#V4bF8X3osne6G
zcNpo3R`3?**4FG*9@b>KRBli#bz?fu6D{=Sw^vofo-*m)1ocN#w`D`5x2xMPf#{GL
zy*1sm>4%Nx-q|!!7*WycfGKJs4wR~|Y}my&_Ixtev1qJ=P<2?L#Z3HePM0!sWBga{
zeMONEB>{h4(g?u3iuH5lbO)?Fg4GhQW*eN8J$Tl8V&By}h5Ve4DZ77*|ICDLuC9XB
z2&qJeKMP*iZT&X{Qe)Jn%cO`AZ>;2z0YaviOonV(S2ny&B2%QqDjj*0C+eyb*y&0%
z=6blL&|S&ms)Z08q*ifKY?x=i6%mU`GkBf$)G8mAM~w9mr57Kh*2k&)KZ4y|0LV%!
zp#Hl3iIIlo{sp@Sl8vznVPs8=&i=KNo%hb^j+8GU6;0B`_#VSJWrom{TIk{G_!<Z<
z0#nx6<}#^(INKc3?Y_|3ZLkV0gVV$g-aO?DeIT^&X!N4Sk}>4<&{W|&<F#FHxyBlp
zoxjm#eMs6>QLK?txe>i=U+*TYs_(=AVY0wV?`MK=AmljzAvk&iY524J-UoKoipCxX
z`Oayo?RODo#R^1;@>TE$FUi*3cpHZObnj1FzkX-atB9bdx42I<l3x9ke$>%8X|?As
zD%8#>g*~S5G+~4e;iB`Jb3D_$(-siA?p^Kl#{6YMl}!`Y<Hb4pDLBHC#`uQMc8p_a
zMbY&#%+-2Nru(blytlOGe{R@Q{D39isH`(5{Y;#-Ue%86eIa3U`A4>C{^184MS8zf
zU4Z`}x+6vJ_OmzJBU9ANGR1ILQI9-$4lY?B;EQpJN4rgJA$Gnl5WTYhC&IR1j46yk
zR^qL0YmTnU*V;9>z(_O2P_+YtWX7}TuUdiyaLzQo;-Ah4zHqrhI0bB%pD~%IljzMS
z$AcaDMizdv+j_E|o6gMVcXIqmO=F(W_|Hk9crFb!8k8s@NxNmR#cv?HIj?_2n`^02
z{nej77I{WA-;BGMGfGv%!PERTT#99Yxsxhwn6g1EdZ0>!T6Diud(lr3RTT7?iDtL^
z)7!%XZEL+FMvTDNQy(O$uGIePzNV};T<F>z{&$`aQT5qQ3P9>!I`yCJUQM7s)Un{S
zG~!ExPN^a-W)qXUn3J`>ux2j#Bw;D8HD_00tPw`tcReQ=MHZH-qL}|Vd+T*rp6~K+
z+L~A8y`<N|a<oNiZO7+B%+wJ(i;s@#;9Aepe+Uz|P;<$vaqH{uN!>o2*YVZLTd!fb
z6^L4Gtbk928`!goTVDRO`aD7z*d0@?HnUW%ymBIlF=@5y+bBjn9UFS)#LBL$ELOqi
z1Z1i-5M=~R(NwF`YJ)GLgq|dUyLHjx%hkUI>Bb!uw1P1V+DXOw%HW@8w{H-B3#<h8
zxC3f_!LPPYg*EDbZKM^v@t2AtiI;u)h!U{grds8+Gb>NZH)oqFOjyQ%IhKT2qa~GE
zj+l`*o>Uk){7(2wE{)>HbN+?BWfNQvk2RWdZAqhozfq)x@&UNdEFdsuT;R<pg9ltV
zEy;@4ye-E|FK6C+BHldjVI_!gg#MmuxgB;{d=WZ`_A#q7o&~-{!)9{@627lU03jv3
ze?CF>n>UI8?E}HDpXOck*S5SnUI#CcBT@KqiE!iAxR{1YV5MXp+%eWv_s{AW{Ds(|
zmTA864d{hZc<%Jedspxm+rCfDpi#1zm?A4%Yi-ZnhYAR;!itP-;DeB{$W<a(#1!og
zp*b>-3J~*~%xx+JxE>WR^xKtj%@!kdg-T(+*E8IN-#fPppFMoajC`S7<z{o9Rb&%X
z`lS7JozV^Gfr`TW2h(#^B%gAmnu2YI(2FlHh=O{iU9+D3Eu)=&QkTu*`feB1hs%sh
z{w&BB1J!P%!Xb}tVRPBJ%+S*4eLaOMe3aB1t?NyNVkgm<(Y!_vCfF0+iwb{ZKH++g
z?lhtZCdy}#1>7ukS_3aF)9FJ{PQ1_SdWXdFidB(hA2#ZSjBRg2Z5jjESX8g@$sB)J
ze^vnR-Kj)oVTh5`J4n>~{f+l?<CvTi)@ntFW$7r9_V-lYqOTRt$LSPMPO#T?y`u&3
z1#N-iN7HrgJ`OpuK_v`AuTG}h6hhum8sN+kQ8Gc_Lqqn4)OQT`m^Fjb_McusS|o2=
z)*9b0RLuaMo%J0DY$(S1BYW|XbCNd25pWtOv`uxJA}bVfnjW-#n0qZKln<w7wXKEC
zm3v#qg%_P0nHt}=IV~<>MlBlsD)*-aeq#fUJ3C52iJ-8Hk+qr~xKFAdu7BqvL=}&v
z<Rg*f3J5Hnnv_ry0aiGPwwz5c4t#*o#-0MdW=|+-ufP!KN#P~sx8pa%F_oGbwf_19
z$f+jMbqWG(ZI@x`z!*s$e9XYuP#P$lU+3d=lm-EE#mivD2w;59(SAstsYrl)L6}@=
z#TkzA@crd-$OTrsq~oIh$PbvY$N?u|3%C%BVWLz(_(|YUADIDj%<gV(PYJNYUkwJI
zF_Y%OWs~?qdhlQrB$a@I1%-g>do2Q_tM6SG1T7#f@H9m)fg>D~u%PNjlE4l=d{&*8
z1C&A%IGSA2047}PV5Jzq<UU-y{vCKzex8sZXgFrwdvxWY7}%uPsLALxKsmc6j}y;|
z6r%|?4Pg95vMmd}2T0#*<ybQV2&|YSr<+J2xE`*jv1$U^fSGjeV#ObT3+k&5(SR4G
zYf?yzIsvjA7?dowaEz$Pb<rYqKq9$ND_0nR=|CZHK*20Zd*}`LYsqwDdh9YF9dBPm
zwE%ct2uPua6oL<hUMU~Qz(SS<job7<exg!>qVBqYbQX#?=n#<l{<4*sFb^KY=zC(F
zNPsnhiBZ=n1F<;syJ+HBxkii@SOkb9m4eA4Zh!|jw!UCZ0Rl7iBtOr`;0$B!3sQOk
z6X}bZuH;96i_4LdY~Wy`BlR-YC=?K@H6<nY0EWJ+mtiX@K#mJ#!=+aN7*#}T96(6@
z(+E`o{+g*j_45Tsz2ZQ((k=lgNZ1rTRUnN}Pi8*fZev4k6En$Q964&*3@g~J0r)q`
ztQ(#wt>>qQ#XKwCrw1D}3|cQ)t092&<+AG^gCM|4Hh_5JH5}Z))3VeA>rVi;87U>X
zXwo8qEB#tdM<)IjfR59#anO6HQO0HG;u-rA$1cF@<YnkMyB&DqbgMaS=HI$L!~OTs
zDTgLmC)il$HoNZvlvytL$U?h|<zg#3J!^N0);4(Ph-A3&8o<JIl^uB`4`B&A+kWdj
zVB__Qwe?|^^(|`f6*a4|sw`v}eaCZlw8GO}EFW&gP@`K<i=6sZJ%lrc!h9FE7rJai
zB~Vs>b{4fWXn<qKJ=YwvwySp|x>;9WF62a1%PY_cWymKpT^=^q62|g}FXAGRzHrM+
z<Xg@=Xc#qTnay&XU%L5aa6QF}iU7S6A$;C+3-Sc(1EN4_|K9;N<HY9`4~n>1WCFa-
zPkaX!PV&NtvCnfFf%|?TMxuMTjqY!_OZ&Vhxqr=eEp82#y-WOFeOWnizA;M0w%jY%
zklxf%;wnyyjpunEP}8sZ>a$BEX=`!I4_I;*_wUG-4`elvasEux3-DpVMT;)DuwjN&
zSCqdzztHtn&01bxd6fNb;QEwuQ|&?o<}O8w-QVC$S<5A+^)c2VI!^`h%V_dr%Dby2
z0mn4s356G0W{66^fn0fgUry@$8r%@Nrd>lm0vH@ZdW&gJ0}MPXTg<5|UqJHrb#)2Y
ziY9SoC6#wn;X>Ycc)t$v(fLVTq5XlQ(K46bYA`n7;k^K0a_+w`OwWfi!MKpeE2Tcj
z6atr|@%-4CUrNj}{xjNNPT)2M+w;ft7jd#^b6xMCZ`Fh72$3j^7q4|X0oKRjVzgN>
z!Uw6DVMK&22%{d26Wc9(>lZj2|EFiM41raI)41NWTzMeCc|}(GZ8N32;6cT=rB5e4
zyo=IWG+|Emk%b=|!5h6^0EcL=#N~Zajo~~*$xjZc((0brXut2B@9Ubabb66;xR7XN
zl!404Y~~xHR&TSeldmAJ!Uf1PcvoZA0~WFs5#n;;qJJ`g>Nst=#PmwYtoUBJ?NJm>
zNtP}uIuU)TXl0gJ2kYJ|_iS%vtFa;`wEZDpXeVdC_6wtA^*Jp|6T4$BN9rdnpQ(+3
zM2!fAO-DHl%HaF-qvpCeEyqj4&JPFCa$Uafo0Jg!WU|=W8STP*T|?-scjfNB5F89!
zi%l_9{Fl*w2@EJO(!!H+4DpyfNle2AHTE%Pef(%<MFKnAZ$9|^GI$GcJ&=1U6uaQl
z?ompE5Txbw`)26r%-rhjE<;Gzp?}!KWX#a3Ye03GuC3-Y?48d2$(f6n*>!)hPCT<a
zX830Fuhlh)B=8oTw-Z}Wkm?79Nbng3k6Q~t)YR9X2cKcQV;KSr)nkm8xAiM<WZP_c
zgxUaZ5Y4#}TgwIBWG;ISV_<@)QN^Y+-wYdo0frqgW8=UMf~t2rPh&8matflJjKF3g
zZ#WAT*#P;}LQLWs|33NnYTs}-7x0*=g!qdC9yxo@c@TX+iQ$bLuxE;h4-x`;1jvs^
z<b&ay01nsl{6NJb74Vo^ol*{LDGWRO`u^`SB(5ikD2NQH3OJLUe6$dvf}m$%&AJ0b
z`WTb&md>b30bCV?e5y7{t*WTS-rFsWq376HJ(ly(v!j}RolZgS+gRZn(l;`I@cC7r
z`(&|t@ghGy+FknI;D0INBD)awaHjySOE=%l5P?|_I%`-vH%C6YIQ!U`_=3*lb0jgD
z($(4Kkf7y$raz}A`|cs*Y{id`cZ&NpLUZIovT}wVl^ROYl=5gfpP_gA<&Th6$5(mT
z!2Q+D&i*N#Bw?6Z_aw{N*JVCuM6>ULh9LU$b!e)OIm1nExpI+{brBje&Ule@SUgat
zF9}gv%lrO%9NDzM_j*QI3k*6xJEcc#>t$cn9{W$vWE#W%$OT_3&nQy8)~BHQ%E(rg
zKsVPISp%_nXOh*ED^H2*34WUP4BTmW!=VjTTZ#Kl(l;%FB-B4YP%UD2<%dJ8%UdWF
zZ-p?p6|GCj4^o$>T$xDueI--oCa&i$>MlQbI412a`yvrZ!Wdc=dmYQJ8tamIj^47=
zTZwbD-tkN`pE5=cwZx%6J~`p<$eObRnImPbFF<u_V>GHcAsJ)TAFs3By!gRMb)NX-
z97Qp^CY8=uI+XG{WnispU_gEl{XYoES_QF0@Vt~#FIMjB+$+CkAzaU^PwbxHvMeUQ
z-d(R~_Ylio>8IXUE&s5XTUrCBMMFWl1RRYek)o)lBp!x{D1G>Wwru|6mf>fTzw3B$
zJvQpiBcYxqh}Vfk7r_4r!jK@Rc5(ib{;11g#maAIEi=G9nMk)GtNnu=ThQURNp|q_
zu$J+Di4DWUDZ+N!kNkhKN0Tt?ck>R1`+)iJqwX^M5zx3ze)5&J^DB$$|6{|BzD}PG
z^*SqBl@KN$a^EK}o7|MoK+~X{w8tB#>I>j6nWX4L6IywY76(nK+kRDhzWkxjW~&^B
zqI=`w=)*By-%Ws5XcDeNy-#9ofT(1V8kWeEJAHEmGIkt!CE8%G0<w_N7M=)0Y(Z8=
z$Yv4DM3g^-uz7C#NlPt`)z}<=@sF#=93-*}njzGvL;1WL{f$V^;spQ1Av`E|*M2h*
zKfJqcMC@Iyoib<IgzLdPZTQn~V~t>h?MlVX(XY^Iog~beH-32;Tbjs;6;5RMs0Ivx
z+D~@xHK;%V{Ef2abTr1prMiB`1m)D=sNS0l9Jl_Lm$9Fn{>v=lZQFijVwN7>pG^G!
zy|uyHAM5^;vf}}~>zNOS<Oc6_Co<fTb6<MaFE)~%%iy!WI)>?d*)OUITt^>smr)al
z=WOH9?XT}2;{4xDyCzuffK0N!s<s?S8hCxQG*hlYs7SU>6R7f1oc`m?WdY}KZ)@;_
zFEEX3Ud1LP!9ZK=NTfmFu<kXu;v)+jS=sT?QQ$llzsS#HlLe>(8BI^pfbU_)PHqmI
z%UX8pxCdx}XZ6b<MgZVJUggN91FrOquJ}=MI#uxDNql<<IJXlz^}rz>fN3Zq-@+YW
z8ZXkGY5*o-eHMB^0z#C9vXNyspl)tu<z-BOvb3Y3wiI9mB~gar1sJ<2=7UJS0uH~1
ztB>Qo@OmkqcR^HOh3-|VM7(oQ%df8$*?JprLD!DI#H1NfSnFhPw}P-&4DV#$<8jeQ
z1`C+g(Q-}zERzIkhL4g+G79j)&O0gLcNJFvY1%do?tgilV$gr<D+^dC*O_7?ijQJY
zb}r*t;DOkR(ZO#(s^LzAEJOiuAhEjlksfT4-i^;K8i)md^Zs+6@*#VG;`>A$F+)TE
zX^|f(zTgT(ze!@;c#z(jEPoNOHvVQnj&YbeY;gPc_lA2jI&G}gtiZcg%)EX%LZ0eF
z*q`R>oU#w*nqf>N>rr64sSzbFO-a9qef+oA{dyY07umW9&}TU6_aUh?kTkE*nCPs2
z7+`S{3N>SUhUJ%lSFn~0;^U$>Nmn<f<p>+VqZt;>K*4{9lm>dOcz<0|$mjqcA2>3u
zsK!G>kA6mnoxTqX+FjC(Pb}0WHwWQMExjdd_D;lR^XczYeYr<Fzq(6vLr?nd%&jvJ
zHO<ii=4}^rJ=e$s_HaW$fzMcr8fk9TxV%vv&>k<(wq*7CcRb(;En*Lxy!hD`9hnre
zKZXeWm6K`ixu6@C1cX+7g@j+NwWi9m<@~@U_9Q)X(xH;K%pM$6Tcq-cxGHO6NVc1V
zP>n8(H!&N;nlDI_Jjh8Pr4F{G<P=nG0VkkVuqWHR_rMpj>}Xs1nwzWsq}AZlzvVQ;
zZ9sX-&Q*WzT|)eyV2(>r{6JObYVQ;o*o3^Ju0Ab?;4SdPqlPdqub$My2=N=_tk2uL
zciXo2Rz@hl+_r5t>D=Ybl@H6|GDv?{(BQwBZt_c1;C0b3kBA$hc#&GtNxV1eK;;nj
z$@DIq&+|BgCCRCmzbeG1N3y2M7%l!mpPvYcNW=)=P$sRR8xe`6ZR`Q*jQlt)J|=6Y
zLV>Se8e+B^`c{65%v+Ouyvr)^@?I*I9ex;Gq^w-<DHKE$>4lv-HwL&FNRqkDoFAPY
zyg_kR=op3;@w>i!sG3f?gzlUFtj(%Io5a;`mc|6`R7s=--+?d8(D=0d?y=B#GK;*x
zD<kcaqhgG(*uZY<DVciyPu&lKBk+RibmQ)VKGzq&RX+v{cql(ve>s7sBh#I$&HU7a
zMz@BleSO|+n!=`*PE5wk6LH3jlqnx7#m;{sfu-_(kg^RjOj{eaEgrSaP8Lb&P+h_F
zaenB0ci<8^Q>FZR$pP&#sGhOJA9*i|P&Mf4rw;6dt2R;297xrwX1S!9tCrJVN?0w~
zY}vabBeM*HU;?eMwI1thqjlf=<!Ve29>?Vo#i@3I=#I=D8JQFN<$8=@2dmc--<4Aq
zy4TzeH_(>F4o-<u)<-}17&5>8e6nI4S>a)zAv$)CQ8uo@ihE1-XRnArF%RD>%J-7D
zMx4{MCpw01@Mov#S?C!rzkdy<CwNhKEwM&Tbp)f<!LdwHJ2f@EhbURF7%rH1mBKKh
zmtH&&42`DQq`V7nzGq!^!B^N66yj9qZ73ubEi|=<Z1Ai#@wMg_zh>LU_eoVXnV<Cc
zQ0rkF*z#2Y(!(#7xMq?pxeuH}SC)Mo2CnDRU^M=8eid$|ql&At=d9l<D`;h)yQFH2
z=&*Mjj|s_M_2Cc_vZ}1At$x35de4}YLBb9B1Yu#_BJ64vWG&q67$5X!kBD=$mquFf
zW80P8Ek5Z+6UQR<>+5SBeKDRPhPaB%I}Qa~H*~KrpHtg@j}|c}cR3S|UAk|I5Y@1;
z)+|*@tl`%jL7Cf2U1gs3k{H%Bws5eK`}#a*I|_IFecS_%D#o6D?!V^Su~_!R`(<H4
zaO6W1#J8I)eAb+$cVZ*sM`FodQgB|KcD!$}(VXjJyT^u9mI7)1UBiSWPpwtYZ+a)s
z9~yMfnxA58{lHo3cyDK#TRSj!39j!VUM!CbelHw1ErYMf>VA{9Bnq|-FhLL@rdoep
z^IhEHix*ibUUfJ}mu9=Dy@q?cc5#w_L*4J$8CZ++JhFaLu`4$JsIzIdy~Y$7yRE&f
zJCK}zP~Opg756AukgXG%Q5VqrT<yEw(`1rU^IW3|?tR3!Q9*uNjBs5c2t4y~NSuZF
ztRd1c5biFz(1?k8rDD7OQ`MN*#?abQ(IZcmnKr(uN>)1?yMPuvUn883!i>g-WM}aT
zFi^ccAe$}`k_|(56WkrMA1=q>-oB~W;?s6EU95|@)7P-=Ztcg#wMdD6Ec;HoG*rRA
zl&B1gsT#h=I7WRqWGWGH`-KwFdv#!--6;lLm{zr<etEzBaiy(4KxaFr&p0&>O<<vn
zC7`>g3@We|r_K10+Ke8V`w$&By}!YWjNKJrD{-7)Hd{QX`1QdMNIbePM#!sTIPgA>
zqPBXaG-XcIJ8dC73d7ietB$2OUpEOYv$Swfb*8$|>YJP>*Is-qR8xq3-qiD1aNVAz
z4)dw6ryS(7A0n?e3o1XWwCV|P%NO`<NyOzG$!MJ!S+U-TVHD@+6ga_%JaCKJv95CT
zAG+zBATl(UNk|0MyP+Amd}pOf<p<B@*Qp2k9A%5HL(BUX(Ztd;s=*8EZS}>ErrKDP
z1vuh45-C)>>nVv9kQoSxGf$I1mrA`KMA6nC{kZEHv0u&KO5!)8;mdhn|26D)9YZR6
zVrMBgF}9%Unvf+)q9Lc1UGOf>l0D8vktraZwna~X`c!JnyQ{tV&&6rhUA<%Ya#d}n
zm80g5L9DgXUI*4E0DXM2Z-4rJa}BN}z69s=;1#>M)|21OWRn?<uo$<!A<7};QwGm*
z`(~$qeQ4<mwR7;Jlg1e@jl2@VujTHkSmDyP=tsT&JOWmp&c(iw+qJ-wo8_CWM1Kb9
z<M9_$cN<0$kxoH@e4l8*d8S6cOkkpPVFM<&qOlAljL&A9g3f;5jZU9HfXJb_Gj&#n
zbI@{q%|sq#;@P{3eRMqdOm;RvHnesmqI8BgLLA&*ow%_I#A!mT{W~k*h*<{|^~~+e
zKP{=M9ITzCajc@{3N;Ant*H`lbeN@~j@AuS)IL}}91=diJ3kqZ5sSayA`6QDT|DB}
z$M<<Sbu|yY-BP=MO0R3d*b+%SI1k1wbol)q9Y@w*DUmK;Vp#r}u9~ru?J7rP#iDP@
z$E4*yJK#B^r=@_%qI2==yzQ!G9r0$P@0M$@v1?~%vnW-EjkzaUV6#6eLz9-Kxg#^P
zWM9esc9ft7z6^L8>Y{T(vQ-|}X#2=g<lxm6<i}sQ8QYqUHHVStNqUw;<Io=*^;=d5
z)KU)`{^Za)W8J>OS3f4im1LNgD@0s;rkAc<sY=w!F3axWY5O%_ryoz?5mFM>!MURp
z53qA&*E4ivgndmAXF8@whue><ywuN*zWjjf^{L3nihrOy|MdbX5Ei4BME~i6vJjrZ
zXe@tNL=)A*&QagdYqZbC+%a*(R{RJqLhRwQ?w$uX^B23fCFQIi1JZVKeOjTcq9Gsa
z=D5@Pt8>&A*rsZ}e;bsm5xsWLtlYGVswaQGK6ozRI5JyxaUX8m=jP?g*g1YyR?_v^
zh~joh!i3sYfz~ZVl1=P`r@3o;P7U>N@o_!@G&Az!_2b+%*-`42Q;o3uhbz=&yRJ90
zBqpO$7#L2qD!dG4-=dQ~94D5yZ+7f3wc3^Jexq$;5^-$gmbixvuxgK*z0b*YZ&`YL
z17!co7Ojdx%AkD<&D^OsT_l2k7FBsl)ZJU)O#PreNSwWmE*>VLwZrwifD1jPMv@k)
zBDkzu;+-T%scpIIgKXsib$8M*C*gC_nkrxhn%B8QsDgO3Vlh`|yHY##m%a&kuygrw
zU84z+e;3@qbzoQt8@5w_k4j|3?p#7{S2Q>(jA#$gS~ju@HxU>kC4D&y;L#a3vBHnC
zELj&?KZLY6o*r1$g>aOFh4`y6deHB6*HlGd+S`j1w?7nZn!c)pN4{U}AELhV0bB^N
z7)HzHZMAQc8Ol<n(s6W!f`e!S);X-Ib?-7qruYW}(`Mq6ujm*MA&x8+*ZHWne!tx^
za+6wKm3Ai4fo&)#j*)nfm}cXOx|81eS{f!`XXp3Uvxp<or!n<pvnJV{pRS!#=MMeo
zpP)vM_~_`E6P?l~S?;&)$bRgaVQ9NB%{tE<3<#rk>SUe%h*E*?BZF5Yr+`Au#D@sw
zU?~^)%(B`r)RwN!-CGDL1_SKw6^MwVt*eENb*#umzLCD4P2e^YN=M=3PUzG2{I>zt
znz6)Khwkm`>7DIMSC_dQ93D!2(3mwZwI~vW34xTCHZHZ5y{5{|MX9E7&h=9uLvrk`
z$q`c3M-|Naa(W8>a#ygm5=O8_nTTQs+p$3Qflft{*tknMSD0^gwbQI~ss6j3&@Bw5
zNeH<$l2>cg2x}Vl%%q}%GeC`QDd$NdA02Jwhtelsf{c)yjmV#;h8Ep@5ntF~baB)r
zf6*p?)+Sp0%PqYXpIy%?7cYf_oO(^@b$#hO60Cv|tzl<fVK}B8OB3@gt@y*uq+7eA
zR#s*q(&Oc7p{E<~@!@LApVJooJgxL}QXE>(@z%qQy*@Dw?9Ni(%en^LV<xJ>0p3-0
z>cu*qqqiD&>Xv?TbHB6IW@#L&`=xOhQoKStrD;7Ju2Cr1`o`*gIz;%j8)cO)hykh8
z5IYGPh6)NcRgAQ^ENF}RZfdglZ`F^&Hdq5euatyKpQ{|PmP;zAWwFqrI0s^`J3;px
zo8sHsiIRtoZ%Mm7mOtvIe$Uf?G$eBh5B+X`5*~k!4!EZ}cOu&m8roqq#6G+@nc>%k
zCgd370yg{DUimLc9lMlF&=XNf9Qr4E&S8yvV?<<H$V1ZG!IQ}^!G@(0elZTAay}Ej
zynO5T;&xPf^F7EnEk6{eyb(?-hk{p)GV=zN^lLaxB-tkP_;_%6PuB239-3n|)w8b}
zyjr9*FwuZ(VRzO4ym~b`A^L!!?+NA?@ik<(2zy5W<e`HDc(p_l%qY%vlSjL^Qg`#I
zc1#!-U}2odCPa_oN%v+L$AQ?aRDJd(WOp(P_PMi4oF<g3t6g+OTf36QPws5b;mgx7
z0YTXX+f)=JWKkk>&Xo>Z;Mo*IX;@_vU9tkJsnRT|+0emhg`N$fWjKt!vI??sE%_^+
z3@!)UoXz@~`XFThw`Fs;<-2&Ofzk50O1v0HsKL$tQqQ(T;VY+F>lNfCVcmo1v&;hc
zBekMTbvr#B51T&sMXrN7nyFi9@t9xgq<{D00ZDaqc<XM{OyFSKEArhW7SR0gmnOeT
ztB}yg+gH$t2091Zy4X7wU@I&%f6uX(;#pbn$x5kh*!jMXsu^GGB!Y9W4-tv^6;1LN
zZ2|N;)d+*VFRrcNa+Nt<O%?Ue2X9=!2{`;c0W((C4Ams<Qz0P-Tlm$B`gj$@&O$Wi
z*NqehCdfutdrZh1k)0U<>i@`ZjN~076~{r{bhT%L9Y7QM4;rpPOPz$tiJnW%8}mcx
zv!i_cZq0KQr16N?k`L<L75<I502V>x;LzUu`s#i?T=73o*(0<&069~}U-uE<l)K3A
z?5iRn`;Gv1HEFBf9jM$ttQAN_Wa06SMf=ZC7r>9V|0<(58^j&YFw({DJ@OWiko;c>
zWpGs6;8|N#^PLeZ{131p#JwF4jM8|Il>84cjNF`$OKrU(;?p-jDsXE5?87Cp^(+&J
zPF&4r=8XbEFKKQ$H|%06dSP{};-s82EEFW3>WN>CAL@bAO_)S%j@LN+xf}5Q!S@{*
zUQja3cK!998B;mAFQgg<!uWzz=0MluOo+ynh<FM*1|Ut}n*7zW`P0KqvL&5t*P^gD
zxVXCqg~@VSLLs2-FHx}I2Kg6Cp5$1H)1J>a6-f!dXY*jG9+t?h>1cMsTrG#FeZ_n&
zyv+C#WKH?C^KOD2xLYhq-@fH*G3{+8$^%=`TCM$2xqkL|>cOEtUds3Vbza_o^nqVj
z5`KS0>jTJj^i2!F;A~!WfE&}#iK0{_lTNNZ7Or}Tb+A%L@OG^z$S42?+}vEG+!L(R
z-6t@0Z)+VI5qI}y3&+1~N6Vk(r=+)!H?f2s<%?JqN&AxUaFw`UfL03M*M;d)P>`be
zKFYX%`_Im8-MZ!Y+sz*emdSHvgAN`qKnaiaL8h+Uv1)XfB|<HS8%MT&IjHCZ)$ZaA
zh`gua!tuc_5iIwLO{)nkf{0Y~C^*PC4V;cw9$w4BTXR5eXIZ`BIVSjcF~hA3$nl)*
z+8=nB77I!y<YaHLH^XzTdB3|WnMGY|ajZqa-mCKd0Ip{`ikAg4!!BrxxK>)rn&&#0
zYX53zbXilMW%!0sYSGBm5;OI(voSk%S<AHN#fvSW=YdOJCd25piK>cx_JR{5*X>8y
zL&W~;ATf1PnY6Oo_wr6*P)|jeqhQ)nf3|eLFqNXXH1@fw3WQ`mt~D4r6h)J2^VKoy
zP_)<e+USeFNrC62m3p11<z1sIq{({p4RULDHByG7L3mVZ!J-~N{HWNl+pua{&{@HK
zEl&DIARYF(R!oDx3BpK<`g+G$KKvnnLL)gYxs@IJTrW`VX0}G8C@4+()1T{>O3#JC
zF;tuqjxmZPnk1%tlF_Obh)R1oeq<`~ZwQvM`di>RlLiU!K_t3K2uVy>tDj;txQ)8l
zm;Bw8`H1{nD(~2cdGU7%b37uESK}?_5%_dDhtCc4dPQ-kHil!$-hARrj4W@HLm5?X
zA-Kr+Zm<zVn3D1r!1+`jW|QgqU)v|kdLtso!n@CQM%i~^lX`H2a~Gy0A<Je$!6{`r
z3YrlFgsjyNH{bkLTdl&`vT(sgc^3)yB33bO%I%-bI<$Y1PclY;0ze*n=^3?t$N{sA
zGv6;q2big*Wu?H$M4W@~P>T&JWwU@|6lY>6djwy7TWGJoV5cTd{v4IEI{4CROkfCY
zx@{x@6<4=|A-CVrWZ6$iSlbS1>b}H^-4X2yIJ59!Cyfo;m(;p4q_z2Fq(Ho-nNs}M
z8{70LW#YjvX=)G-3O!SL<kUA`jYzgZst7cSQ#^JhvI%yjja8=5LP*KJ9K+*u#2G!C
zJaM2;U7S!;{U&W@lI$LL|3F^R(&BC;)3__77{NXE^V1SEJNGTpJ}q{k3Uqcjkf8MK
znlX%ePoFLoJ8kkEWHlzWt?127JEd$D3FsB2Z3<_4G>ILX7=r4rP?+1Bcg?k~(#i;N
z*<ev-NIX?$6+He<c{v0a-2d@aU_f@;!u}d&)@p8iX-{}!b_o3u+D#VG4Bi!7k9E8n
zVu|vmJoE%q>8`Kzc!q(3r}rz?t;4WChhZlpxhGfw91O}TnB7_xx({FK6@iAHui4rj
zpKpc@Y^vrQZ@is5Te@>*^J`E0*(-8f5<v^?ql;x>i}wRBWxT7wMX6w?4~>bW?)db9
zMLv=gIW>}?Xv_8tWVXRO3zr1lt}nEoosr|>@oD|9buK6;0mU8VyxadUTk!wRY##jK
zE&Bh}#X#5gtnOWKYM(bQ{<!nhw^N=<^5@{d!_|z@q<gQ9+g>=+M`Cp7cxx5%9PvFF
zDAl)(VPB2-3c#Ii%<a6|qflHB#AhLoXne{GdVCFvbx1riK;d5xv1i<!njKrF$w&FN
z#YAN!<ZQThPc6E_0O=zajI%vwecQig^(U`MdxT6_I^s%7%lvb+M8A4d=}qU7;{tq7
z1QR41Ujo9#ajoUfDL-25DK|IH_tv<oL{|i7BkIAF+s@k~hY+xgl}O69gy)hqdMA<A
z<i!&$lzc&whG|q1o}<)yM)uNIQuE<Y@-&DdvO#%4AP=6;NJG{e`%Y2nXVquU=i-wb
znqqBk`Bi&}Iqao;S-u|FFCWybDNaM%X0Uk(ec9gVI#i0a`UA%0TEe5R!R*gOU=w-o
zT%YLliv{a9FM0R%*Dwmd`KF8<x}jS0OTX;bkr^ysL@L)!jVG#IdG0AjBI6uwf*8gQ
zqFonM1xOU^u19qEs*YqOW&RFUm*cLUOUEQU4&vL+#{_hAWEws3BDL|>Y;(Fmq&a3}
zTyoJ%#ms#njuR~pd#j;tO>zMm?RjAkCUOm5RsYVKP??YJIdcw#pN;42ZcV)(6|yh6
zmUyQ}YKw}&+tDw3<wOTJ%Ga`1?3;!9KHE2ZV?_TPZ5}icjUubzREg!J?kV$Z@}qQZ
z|E@$`iR{qPU*l0kIX$*dxeQ^VB0&zlS`u4%F-&Psr#zBSdS5q3b$=qrU3O(9GMFMr
zyoQ*sMA0chRG<qMKfHRihYve{@ilk;+&F`9S}T>==HM`Y_1=R!5~_^Ia>w{lNW>d*
zb4>*M&gSX*2kD7yY;K{3m~v&KLw2V}<3#uLLQ8Y<M2g&IjrejMs)H$KDzK|zed_YO
zu@he+ZlH48#Sh<omqr?~L21r$ZHcMc==w3cloEoy6@3C%D;3RR9@&44>RMMoqzN}s
z*iv6uVhhx6i}l8j=9l`AIF+wn(^f;6i7CROTbD>GYaVP`^w)&AceYAP7Q>tW)Zc5r
z72whCTXW)9?A1S1V`YdCcZQeJCty$_X(%Wpp4=Q%E02t3uCLb;v|H9@=$v^3sJu4{
zQ_a04skg9v{Azgq7sq#xdXgxSCzZu;KjC>VGFp_w_|o(AWXx!hE|T0Ow{;$5f_isU
z9VWu%7zGqeu7s)HHXEYWjJacbT77oytQI}HDCQing&5CMe*x|=1!F9GW7fTma$MUP
z%y_rU{T5QP?ki^3&)SXX^q#|K+ZUwI*2!@R3hvnXaD#3sRCWa2Y8<uaz0+YPpP|H2
z+oAdA7yG-?7{lm4rn7r9QrG(@9%J4K!rl==HppEJ5YrKb>1Rp^(bCf!xyG|<_9MjJ
zf?XFx-hv?Jk<5(WmqxyNAF8mWGckz%?9F`x>IcRHB;^NN2B}-b%}eiHsHFpSdiP!f
z<Rs<aIEJaR5b0kMb11}Vaa>XqVI3p^n%*H|&$x1`?oeSab8{95r;o1l)6H8Vk#<Q=
zOo1|`sE#UugM4R$q@^Z)b<|?*SveEr4TZTf;@YA2@r%X}>bZZ49*HIFk8coT+0Azx
z=V{G`B__Y}e4Ag#cU>E?LdA9MwwE`^<~jrny}y0IvR851Tv@tf@|2};@sfN?K}NWk
zk}pVLu)A_MB~f}>ZEq^ACS;gHJKTarH=XSB;TeniKo*Iu^P9wPP1+k8Q3FgVFC$tg
zJ^2qD4=xr{j$gh>=WL9_@XxfzXFSDN2a~uEK(pAr6p`EGQvv9rFrkV%@*CLacMyNQ
zYw}5|2$*-Z@kJa<#MJ?=(5UykXCQEq_#3$3?*P8a8J5+!Im7v7p{p~!up{_OQCXBz
zYMWXiTQz-z6n384rD{N1e%`{Tg|Rm&o-z+!k+_?68CcihVh<9JWS~T~vQTF$9Y%in
zy#Kn=dX9%c(2KZ)kLh3}>#_e_BmVzqu95$(JLrFI@gwB%-iW^Ew-4JEBGF6U=hrPo
z`i|E@+yVLu*VeFkcgVwAQIIUE=@)sU&*#p6`vcz^H0mNmU7KB2j&Oy^_>8MwyiHS}
z*mr_%QbH1x`j6Ai7EkBLM%usR#l~_#@1M2n{lQr2I&t=Q#1L|q7YdQylBi;*$o%`{
z;RI07=!tHO{ZR!XLI?y9vjzUcBP$ThC1?;5l7L<y-uIxg`-+;Ejew8@fZYfA2od(n
zP*wuMGqeu_e%vR85-cRR(3&OsM=J;*<gK><z3jh5^8cZh^k_01oq;*RQ!neL!2Qld
zhKsY`-=!0X@R|qh2d<Fb=i}9iDiv;gt3aX<7$N|={0R7XnsT6@cLB_QrLFc<AgZdl
zflfmJe94RgK4#Wg*3bh^j6QS=(Vyt|H;P`t=2iWD>u_36v+=zID_m-L7-#UNd<~y*
z`eZRR<*VoqVxbji;5gdq{R5ad3VC3g6Zzsn>8~gPXuWct6%yYT04CJ3=woPa+u%qu
zOR`iP!8=33ua~Ef1l@9d+_}L8<m2;=_h@*^Q-AdFN3G+xV#zgFiurQu*~39rf6Z*D
ze(i+aj0+`r+agp+P-SqKTI+B=JAHl3Pa_g2>mYx`EUI{l#N3Tgr7f$8*@X^x^tlS2
z*kKPSKNDYp{Vptn5-hz(iYkUDs<*~G6$`pCC<ykV2ssCh;p}!QZ8YzYagPb0(>Di`
zF&^v?HPOnx-f%M@zblkD6@>V8LJs=+ykp=svJSFFFr%CvQV15<!)!=JNg?FsaSCME
z+K(i3L)FD!GkgFgB2o_<gg8A|H2$MQA@wiY9##l(COn#$%f@)7=_Bs1^^|Y`+LjG;
zE@V*FYLW=pnier0aXg*S6L3Dd6qBzpC@MUf(R~FVw}@kC{cHGl6|jZAI}TbvP+9EN
zn#dJ?Jj3PMk2}F45mFC*1U4a@0`}6i>uxmI6I-<`azz*qlCAwX{T~n=gjCXBkRCh;
zJzF&=azzdgl2Y;b9sqer;-QJaCgVXIdwxCn3vvT#!3*&_KiNO#@LulE&bV#cf7{vM
zb3E<so5k_8+7bAJGvlm=AuVo0>SHk98XrA`A%|M$8vOMiV_#o3kiegx6RC$XVmv;a
zX|)F=7#72DV45((qU*)&mNVh=JHPJAB9FJbSmcj?QFX7@7V5d;k&bgz6XI##D~ZNZ
zvU?x?Mry|oPcjX?DAmv9i(of7naJI@mj&ZxDsAI$L$#iQ6|93;OeHNLNV;aVFP1}H
z;Bg%svcEp@6q}Sj#+2C<*t=)SIVll9;1n*%zwC@re`NL1>R*d1yc-ugwv8C2E3k)K
z$aer3cXAg?gjr%Z(-^fRJH?Gu4-I+Hxyf)5_fADlD=ROlMM=~HHd3ks6p9nFvD!0D
zQ9Ve#qQWS}yZy{k!*CBFTqts&9jx}}B$D>vjSzf8g!!uEP&FDu7zYHK&N+y|R5B4-
zr8_<uj(KVd8uq|z7Ys>U)p|lQ8SJ;OZRcqovNQ@(7YUq$1)$a(p2#_-5m;cKcoo_Q
zq@zdSVu+CYbGGX|kRx<Yos@^(Z(~~Q{0UGgf(UWacV%$6YS3&;SXHzk$|WB0GSYCE
zk3EVrP2&<FiS;vucq}`kyGqczA?=y>@6hn1D?YhqViccUzkRt(NHThJunbdKbJ)!g
za|x3Zws+brj;dCFpd6`c%vNm$c#P|G+{TX!?p0lT(s5I8$8m3>%42(hH}sNuVCO*X
zk$n*7pz^Jg!{goMl{SIU7-8M&JbMa4D{?MX@N%tDxF8TT$xkJ(-ILsQj*U)JW_h<)
zusXk=BDW$!L)QZ1_w`Ow&?<yJr{Ny_NxZXP1ziHI`d6+oP*neo;aID|43@9c6rP3k
zuy%LOk;A&E&a1P2uP}W$IB#?#O~|uI2kLEiyEGl&TMg3TB$KZ*2%jk9-)nHF>4{Ha
z^L9@&n=ulm6fNzXvI}XHl%9Me_P4td)8JIMmBtY(?(Iv-G!)gKxs(t>UZ$4ki=>Dt
zK6vWn>s0Ml@S2m_Mm<G(-k<LDewWepE6I9N*GgLSen@0e^6zM;@x_st*TqM~{bK;Y
z*hbt_O@?9r9}Kzg*!1{(7M&h3B|W#W3_h~`v!wM!^DOP|-I@hT(j_v={}9x)y95p>
zeiK#^8=!|&X<ZuRxD93XqJYc{Qs-On(fd*KjPP+n#6fc<pwde@nSkM^hBfg2Hmsu}
zWB~nl<lzb&Q1L=|Q2bL0Lib;={2M^M%pq38=yR2}nDE3p$6+9j4f4rM%=%4wHE3lv
zJPL0l97#QN5C`Ni4v6@8j3yZ&iKwbw5O&yKG=aq2ID<Gbf&j`zK3Rl8G2%f!#dJgd
zf}~=H-T#725aB^e@Fr}J77x<*xEpBHJ2ksD?63tM#C?Kj;~$V}%-;3CAi;PLQ4PBp
z?65i>B$Ad$7no%(s>wzS>Mt)-!T2N|0NKUX?z_-YR1;OfvY><{U)csDF&=lo20W5B
zp3?#kFI9mXTRVgY5wC(-0=xhu7ULoG7v$$(kaPukZ0#F7$i3U7^h5yU<{%p5!Gi}W
z`3aI0<Syx8<f<0^7o>{#F9`SGOUyeKJiBvlc%1;QWHfd-0MBmk#HIU@1kfcaoB_fz
z3CR1UXKfm|?L_gnovR35y4&#)OF;AE$#G_g>#)<Kh2*g&za(%aHwSDxq}Ugd<1gku
zO7JbsO@WZ-6*YDd*8%T;Gc{VFUPJim41mDTw4*pZuly4#01|odMe)Ba)|~(Nq>ZqD
zvc?2Z*6<di2baM7AlwKTGvJeU&wv6MKAr%0j{bYue~Y9D+#>%cv?NvB>(9kG=yOGY
zDKYPbr}8a9ht~>$2>_OhFakfiHU7pbhr1YlktZTG2dRMH5>>i?wDi*RAAk0{#*7OQ
z9(J4rXA>;wysE>I=%I>;S^&S)p(_OZ;nx&uqL+ZjtKbg3-fxKFUeXD9z}-6X4D)vc
z&0S3==<nhp0d492I3BSgczN&Rx5HVNN0`C;B?kFfE4o-IS_=0AH6}|D+i7q=zSC?K
z&^GSZdWdzvkF4olDKY(v{#UJagWsEMH1+QBlq8)8-;cSp@XqyUmQa_zOuR4W#S01S
zOw!!B8j<U7x6L^JXf0}>7-O^gMBycrKKNP<uYtVwwOuakaGK#T9WW301dIYsYc_o7
z`@fRPgXs8`o{>`hma`r0^F$gMFm}=rPrF?ucWO|(=OvtLcmVvb=8#jfk0>y%ad5af
zw`P0Jba$eq*HYqN&CuhduZGZt4>L|H9_bjTbCsd!_r5M^@^fKDj0>8F(~eH|*V6K}
z4SovPuY0UWjy!a=^f;-~N|Kb64z2(t27H|dgx?i@GQdRxu#o%`+}&w|_rjTcFDPFo
zU98%28%Um13h!HRs$`gyT)>cqSzyvlLc4yZ5ac(&G$bA5JC#HsTzy%9aOjqgj(66G
z1K&syEma1kOxT5tG-n`JLag4@2xTx_-mTuGsi)wE>ABXje(prR8dgpJ%Zf}esuBUJ
ze!{-|Dm@z#ui-<L&vKP{#$Of|v7hE`UB1PDw7@$Od6yu|zMR>9vi{}0D`!hDEUDfN
z5R>bovt+bOR9wSF0t=G)clc1V%^g3HN99w(C{>GKs?9XHs<08Y)dV*a<AH>Q9qfD(
z>@~`22z?F1g9QdPVT}5iJTmAklbiEqRteLP<SX%oGX-wc!h_57U(nnk(ZMC4q)3<#
z=hNboa2w2+ppGsjN*uhAtDjw|_|@$PDD)H`3ModY8%pHTh5ggWeU0Sqf?f2(iJzm4
zhjZfu>N_J(Qa`1YY58`l7s)in9yUsW%9YMf$CWwMY`w#Z28U7fC2S++)efQvehs3=
z0o>E#FVSzyxEEoKc^d`rE1!#aNKgu_YgJd5Fd`RPT8^wl>KR1u3MyR%O;*cV<{z~L
z*Xu0Uxh22$s*z*Km(l;sXDxDk%$dIE+i{YvHuvu8qT1Cn-c$F8{jVo+BUfeEV5ao(
zcSDLJd(i?4c2v+>tT0ZMKd8umEQ_E?>KT{bd9tx_!E%TvpD|lG_pd6G?`2ayd2qh*
zA;H{aQknZ_mr)%`+|)zFn~$r%(qRUIa?RJ{M&4T>YaAqLcopLuzFVQ3sAz8{Mkx?O
zJ6Ged9vK~EdLRowHPG<!ti40wX1`8sxisb5g3GLTOM>fVMycUuF|Q88%ZD?uBVR^-
zhGXWd%$3#!Ry_HbOZ(yRMp_=<+dmcZxi&P}ar#Bd{)mir1i{?A-M?h><7^jRI?mh}
z5m1dBf4;C`zcLa!#cNpC?vNm7m3qy&<N4Gu`%iAj$dG0S2fcjeaB|X;C3ZMsMTK?{
zouii8tN;cjbKc7jkR!WiKw0vCEf4p9uRXm7o%E6KqYr!&2N^)fz!+hBzKZyo;Y@ON
zGSSk!ll<o>c_2qN{{8r_y~2+>Eyv(B^z58sDhH8vDCrkl`y3hN@N>IIGu+qG|HX`V
zb%6xk;exYZK0GK(2nUDm;Ai7FJvo<+K^l(qISV8N6kP_<A88UXUpX~GN%p{Oh9Y9g
zQWPtk!FtR#2%7aTBVV`=fr{DVU(pJ-_~lL*RqzWu|6UAAEP-=AXEgWDc#3R4Rvrp=
z^=`d)a0R2uYH@x_d0-TK5tLe6)~Htt)Q;XWov(e~_GIG7w73F(<cD>NZSV#F5XSl(
z!O`idM`M8@F&TwL@(xv^J}!HvC+>C`Vp{)66N6#jmAJ5xfUUPqj>NuOBR&1UbKkwg
z93i64XYOA7)M4^-d3EPptgoi-b`CSrf|2*KlHCYMN>E@6B+r)*vDP1baQ730AsHNt
zTR+jDO0!pG+Ag2F@|p9N)+3WtwXx;^2b7a{(RGptT`&X%YEezm29LWh<?bVt5I1kK
z$)B*+C?dEVxjCS$24Ic@l)Y$fpbfF?cRJ8+imJre+Arh=AcC*PPre%>Q~Y<%jvtc7
z%G?a8e$^hmf7L;$yZsZF0>>4o6c?y4@t9D-A@elJ&WysNH>cz#O=nZ9U`U%({p3%(
z@M-!VBGV_uWIL97;$i1OAa^ZU@L#!W?EK}J!2}WPJbI-w*%Vd0Eth<s87rJlx574f
zC&C1QA`1y%kgY!*rvC1xZFx2sfQw60Q<_&^&MpaY1uZ8;U>+Wy&kSNG2lIB@%+oK1
z=ZOVxawk1~f{7XqXsB#<vo#sjKyikN{insCvIwq(b6OI;#?_Sal3h{}ffW`)6<7Q$
z5+TpjwMzu8LmCD9_l|jfW^3I0_36uv&$h>!@U3#h<PW1Wo(3iSbe9km%U#`xZSw6<
z6qHxVltZ!kl7<zZBf#$z5gY$8#T@#tNbG9#a5+4|X&sJ0nW9>GAn|K)ETqZeUvz8Y
zaFMhd3%Ur(%)Q09!Yt&iZA&aW`L=MT3F6mchZR>bb~|vvjVZ@~;_oCf>!1**M-+>g
zDI+a@HKp31c4lrGhpGOVe);ySC;!Et{!AE{cgBywkx!BXB|Nh`S3;x*Zr=5{_e@Ju
z=Cf_AYKDX|qlfYYr7noZb->V4KK$Bp-ys`N2EKHfuJ*l8+d?c-kr=Oh;6A^^|7yVq
zT9ruRd+?h8L|M%B-uUAqc)V8$aNK{eL(PV%|BU9BbbU&yLTQG1gqe<(pF6Id`^{Uf
z9n60H!7)bNVqsLlzx|M3B-fZp`;k)MIO5;B@)YC3HM*N@lb|uDSRUk^{eu4%?W3_t
zKCu0oZu5FhiuwRtku-1iyR9Rgg_)WmbP_iSmMDT0IzC8!8zzyyF!O+=`HHPFVt%oO
zisaQmEhuly_Vm)kV64;S>y&|qQ;uoZW?L3D@}F%UtH+dm{UGMw*oB?PvO|7N>IbU1
zzWP4@%RlMk-Exg!YTd+A#U;@T!Q0s9%l}t<XZ{a$*Z=Xdn>=t~WT(VsOGL^pvNR#a
zG9gQ8h>|7B5}L@qGqy^$u^UT-K@uWl8Dq^Z%Zy#NtoNC^uIv8(0r%tn;rqCMn}>%v
z=i}pi&Ur7d*Ygwl?{ze7|Is5m_L%<MbdAnpnC!<4sr>MyJdg3Wmet)0blsor5Adgj
z40J{Mp~s7DF%xp^vqfd?FR=d<%(t%zxNAPH@X+L+J3$wHZd=w&Dx39aU1ML|>Pn2*
zEt#`rfW)>VRMC1A1{K+!W+dF#?}(n$L~Q8%PJKX)68IPgqU)m{bh+k<!`Y5^VIqN)
zW^suIsaZIdNY|7M@u}%sG4KX^{f<Rq7?1SU86@xX91pdS`RLJ#0`w`%l!&MZ=7qSA
z(~H|>=`8T6)*~JQ<fRKw=hfoP*dJ?%?6ZvN!?CbIggVaHj*Hg9_PHsj2VHI;$(uiH
zb#kM9(e|BX?jG=$l2h?LLGX<0&?wy@(J07qJ{Z}Y4t6fu8eZJ?<4*j3MsLagycBGv
z0SG|5;9N6X2O<-G-CS8R1ZY2-B>wweQHn!&-<!wdKbbpjQ;?imiJy}Ct|W7~6*H9?
zdAWTP2DALVI;ydriLY*Uu38$)n`d^9w?BCDrbfcOpb@m~Y7q)(92YCjF*d{?`RVoA
zcotoUplorg{iR~(vOD??2i~y42TCgW{!ra_Gt*aQ0)zBAUI0d#mL%OK49G=#59It4
zlR8*lg}%cS?{F1cFNEbhTy;v8e_(+);I<!N5l>VJmSG!Vmd3iYtJ?{JYaHRI6~Jp>
zKwPqRN1D{JF`~Yb+k0}fQ@R1cpxantr$0OZT?`zRF3jxz<QJh4Xj<aFd~LqCs&|@T
z9jfPcWUx#vwE(-xe$yJ%YJpKaZ3;XgR;SDShIrqpH@}l#j{}b_13nv<iT^H!Q)NLr
zI{Sko%Q`sW1d1$#N+Li-VN{jsXV`dtSiLls8HM@CF~)kG6y9=JY8NTtS1Y#5`DIwA
zLh1dM2oPVT%+$o+G7HUhdnW8FC1l0A?Bq~3&Enwxx%T}7E`A(5Ue4ocx-Y1fQ@bN`
z%$n1ro%_<vMh=#Kxu1Ve`>hXp;cZb>m3NVE7GUng@=^GLGej<5T#r)-hbOr7aL|!`
z??CKvN&UamrTgwN`>tE%$Ktwt6ic=D772LI{;g`Md@z`NzMHwHeiu!2AN&&PU&@Gp
zfo*Q@Tu=IOAa>KiaT7wpJVXy_393E2zhq`08(TXK>~-Vp|Fp3{cMJ5pMC~<Uze@&Q
zpx^a(W6U2j3i@4crrDt44|2#j&?X}bZ^>obwf}ctLv^d{>n2|j=%Gb594$7iWC?C&
zno;0Rci$}XFuI*@!CQIN#+r(&E@^b|M9;Sy<aKxTjlxr4KOO#R(ARqm4i6ikz5Jhd
z_CMpD9j5~ROxC7rf=R%@E71{;7gz%hUI<N@26%=UY2Qc=f*Ve-)zkY5{u8O35H7qR
z2-#W<F*iBEuL)D2pg`j-{t2`2w;`4U&=vR=DSW6ah$mg^bRZ~0@WHTJXOtFvG1@iz
zbR_T|bMbPdRtkfu^>7LGK47X9J)7tgfFlv5;EUA)B%z?xuo2+SsgPl>$Oe}J3l4xK
zxq*Rr&U^^|$N;{;;CYV>bwU;jYS&%{HrwH5sopjuxR{QOY+1SkGC<?%QVcNuG+oW@
z*aExV)-59=88Cuf(2Jl=;BqCp8WW8Gap^^<nvEtHFw8}i3<`o33To8ifKA$6I>P-f
zAZ8$WF2FTx*uV!iNtT_z4ZT@lBrVz?yJFxVH;b1<uBL&hd{~DBPq-tav-IB<f^4B6
zBPa6-n0YyZ`aBU_3Vtdbj{zeJX@{(ykqQ7|F(scF8R|4lYU^DgZ?SUHy0UI$Pj9&r
z&@wfU?c~h=IXih93-BQGA59$Z`@<6&*C&n-Cx+|JJqKAN;3m<;O3G?a0<I{f;m>*h
zqxm`W>j46#ASpreViR!A6v4pK-2UPGUF&*n1W?LvzUM*_Km#*B=uMb8xK6TmCPRbb
zS2bwrL>~rZ6VM_`iU)s`g8EQ7yLG$M-!AuM)|ieBg#Q-e|GK6T`}voWd=Iw<{SRE8
zZBLQq2#h;*ZZx3!QT=2&^#UrGiJ#=w<3V<IZ(o>VG!MbLONFRDodTKN%`~MNkHthR
z2B2U+;Wnn58Y>B3IQk-EsobMyZ;&amI39P)1-?bl>jj9|{+$Vb)pDu0XmHgL&-?A*
zUw)acLB|Yq*;c<fH#ohEt$<KOGViX`t^&B+@t0r?iXSu4s&e?!v{V%Kp{FcB&~aOG
z$HjvhoKrQoEH6b8SsPE0#eK1*RnpME+XJ8_cr3>ri#ir9YgPYv#iPnK#&A+I6v`jp
z8eP&bnVb&F4n@WZkILBuO$pU-Ut>ztIDOm9;K+9%7uUb_Fg8OA!QOZ)pSf70eGkfp
zCByST)J8_CDavivbn-tYLt$Y;_gj-9_?+tjC~sKkq`YKUXqk=t<F#IN$_a5Kf^cK5
z%Mm6tYW&WYVgun$`R4?(m0|7)FOWo*s{4h8nG&H?g$AchKndF%*_*?WjVu=e9=l$X
z_Pn(uCFnKGFa91aMI8HBr^Aepk}z1H!fJ&{nr>&4UaujPrvZ$%f!Re(_wo|~PC!-R
zyiw%ny?k^x<Aa#1Sb&<k+Ns?*b~*m&OAvRYM42~n>ovq8Y;g+kT6qN1tIY2gQ_KBE
ze)Zp2I*i&PWeJ1upXwwrj6kjQo91U?bhq8a6@d8kSto^^i#*7PzJ8q&OOY_rKwhW<
zs6<jwc(<JT7Io^%p*%eqLTCj`+bt$z4Gq-Pe3~}rY}waN863W*B9ja+a4rUdO@Ngu
zjJ`BFhXaa(M-`aDw%IS}>;WhjU{{e@G6h3G`z?-wOWtz+nz^Y!Q)ykFXGUaP#M|E6
ztI6Vh@=QHx9oz*A>2SV4!cENdqYE#0fol8+x&!KVuf;$&{uL}efmN*kwIARO({rBg
zJZosU-ycrhk)4+X;B-pax9@T<!00jF4i$2F&`;i5TUJI3VRqw2PdCXtSnFr%+K2+P
zb-*O%SN1k8#x0u$Vk<5^*&{0WK|LDJT=$p-bwur~I{+;FabL3C`T25fboeHtr5V-C
z#g`%n7y*uw<l8}W!SEsw*oU`*<_)e~U~MHF4{c}iM{08d_)S65^Hx)KdtO{76Cl5a
zXKDqI2{Le!_-wg^G5~db%|k-%H>=<hx%>&ofUD!Lm`51ia(X>jUm91Vzzd7<E4&vr
zBN~3B0>G{iBX4KjD-5mqmDs1X`+u-s4$_2tznaJrLH;9Q4s0ilc#7c2{XAiJ&9SY6
zLZYXXHBfndLgw3fvha6~4V-X>l(Oh>FwQ?k6lhH3w7n7P($UP!%hRWaOFuS*r3`Q%
z!jilaI*L=@bKc?4kuFODTZC?B-K&QSFb$1jp{wT^<Ou1@mxcPFTb~`JZ#k$E&^qjw
z_cLUf_>}0xf)}?<!`-2+nnWELbJV9$`o?%cmY4hx_&K8#v8$C99yCXg%<_U^GJFA;
zNefMTuTFu11KI)*;Y^>^5a088w3=veEI&5VrQzYIhdiXPZ1oqh3Y<}KKUY60hTeOG
z7wF1qesY&_*1mLKpdXNBU0J!<+H5<70)I1MnQ@jpn`($C@-TOubjHH(qm4fM&1wLJ
zIUmfX;o6TQwHUm>(4A9R3i;_xW-5;zRb5|e8?#rvZK5!vI**F@g{alC;Gi|!g+X^L
zzV@2=FhjT(+HH`U$DgIwJfc(@;v9pTuYXFvx2?1kd+Yos-&h!L(A-_M+gVB1yB1-%
z1-H3bibF;ZOd4@sa4WMEhIV?-<&Me7h_Bzs%I%11HMHcs)&$l7bb2j>*IL`71>^NV
z?S6zZy=scH7hUfBfl=fv?r!(z%C}xMAIm*=%u?xA-_6X{(-_DX_8U!?NJQ-#Cy0)5
z1B)tNXw#@zp+J0F^+4;Q-llX*@Mq5&q1$0B{w-qYEd+rNkxCkv)_H0ra0CklBtJ6L
z^^Pynwa4D{!dWiU4<9mrDnq1s`_XidhqdV&n%(XqL@k@FU3^<MC5!`{9Kr*}oKQt2
z2@J}=ajDw@=Nb17ig+Kelm%tbG?R8FL)8x-ycLvt^u}8?Io|6~H4VLP-qEXf@{!h*
zUumN-G0Tskx3mQ!3c06xi{8Q=69~u1Dm9c}S&+f8$dtdmaGn2*(lbBJ(E4pZLO(}Q
zyoEZx_;&kB{T&q=COa(y$+5~iRT|o_J6C8=d6zwJ?)Y)KN+iu16lQ<3gy)w})B0K=
zj4hR_l1Z?-%@%3#;L;-2fIo+3>Qt`HSmxKqS7^uXmcClA^EDs)7%Do5j?o2r6$`fR
zZ%G20zksb83r}2oa;>`2<0C#|{JYFy-d~n=E(bV}R7V@QOGq0d*V)814O0SI{2N%8
z)~JzPvzNU!BgO8N5=U2Q6%T5XjONFJvY4hNy1Z1W%jwK74*Y%^J>R+t^?<`Bp9*}U
z2im<rc)jew5t&j$g^H!xJw&V906bnE?8|O_+b@{w4E>r<?90v`w7LO0Zhe3IFBI(L
z&hjZxC3u-m5~}rB9H^S`vnWw<1Z`#r-LvDv9X$F);JKglmJVHXo@)g)XELrb?-Kvy
zvyiN!_zms`loKLo*pm9S^*}4#jABpEr=HzZQEtlkH)mTB!c<NW*7s$;as%vDTAaXo
z0zuR_S2<6Zsuhtj=qKr33#3n?)afQge_^o-Qdx|!VXxW&UHrslFWX{D@^NJ4JwX2p
z5DrL&Dyj520BR1%<)?h2e*KV#*<ffA!~_z9e;rW;#I5A)PIK=0!T}f(T-Hrh2c~4K
ziXYdr7w6N(S<_9vo_#lvnn9K0SZqv#@@0*Q&YYkg?CSKjO&;=bN1m-t9X@!kn2iyB
zOd63n85%Y~+A9B`tdZOY#HNh(-d;lIH_Yim`UUm%e1s;~PG?@UKj=lvZx+m%sOipi
z6*d*9=a#?uW9`Uq{E77AA@V6+XonEdRc!vSM=JbHiM^_(68329d&yE(t@t(zpn|Tz
zG#6{w&5kFv9T5fLch8j4Qn(qox8@{OmSQ|(r+$SIwaiXNy|537>}Ia{k!gE-X9ZTT
zsp1QUPX94SP0J4YKX%KRo99aXn5V%G7#Q#%EBC`PYmaiuZU1`AE}*54`#F!0PU7$b
zp1SwRIDYpkOos+Vlky<d^LxY4lRx+3SjS?BJ#ZmZ$t5j*OS1qHbvxmaG=0R~=0U7w
zy!CM_Q}BR|dnuzAYCXN3hVK5`@C#&2CXpP_^=k7wIKkc2Pk8mOUqzU<_@F*{oc~f%
zg}o2a3dUl@d6<XzPmbCCWbp)+TS;2W)1$WiDRDh$h1dDiWM!Te2(W!P9rl1=RgGLj
z$1vJElG~xBAOUZ;(n|FsH|+C3`k3F8VosLL{e#sc=hq|<(~w+p*vUz`56Cx`klDmP
z$^B6U5EK7zir@Uv|L%=S9H9b%*#1V-`qAP3h=&nB)i!W05AW<+<8}sBc}lDsR33(O
zP1HQjEk#`be4nEOuX6+T$cBxn9)yEoz}>ehzTOqvpS)?m03iR3o%=3%g5iWrH{*?p
z_o7LuPsLXA6KN$yD^%W!-f=5z1B=TY(;z(tk5<~BsPp=fhviZBPlg-4hg{E9LK=U8
zpZ*#ID<STJyrV1chvCvpYc#sofnA<J1Kpi$r1TBZFj>qdp-)|U$G-Ex{LK6%;{A>>
zYD0KrrtEX2V$ScN1MZGw${Kyd-&A;|?hk$H$!D~Txk_Ifa%Dx&55yCvac;NLsU<3$
zHat6f(LcQ2iS(eqWW8^SAZOq88InGUI|-LV*my}{XU&Pc6}1_&tS#kBLZ0e_)=BwH
zk}@jUM`0h}>`3EnWBRCpY20hwM=_}xw}W}QJG%l_^0r;>N3mn#^<(^e@*oa_1iqSU
zh7U=6DWM}$I{cQ&IpW&f`B+HMMk#!to(o5ZxDT+HfD|bqJUMLI*OL*(&~;7r%a5$4
z+XbzsC>dqF#u@lU2511Z=iQ8YY_Fb*Nw{VUX%_h^Ydufh(y(8$(U<cYg{H>5??shr
zFG@@L{I#moS;!gYm#013?nzy<^=MItZjO$GDCD^CV0626YU)=^9txiu<p6idmU6)C
zv2Ef`U7}VKTzajFadR;ydOE+a>ih7OAw$bDVT@~OoVjsAY6e%det52(eFxfSKKa(B
zP_x7V%hU7iRhQ>D%nQUR4cG6z2^zWW@X%f)G+@}{M)aBzO$=@1<{aIdiaJdB9btt`
zkxNT?Vo&Y9`K&PF%IA9<o=x;|PV6*DzfEJIygc%>F*h;6H<y1*oPd@c&NuHWiS=ak
zSaxMlV$rJ&P{)gYJB&jlL`C9raV+JjL90=c9l@<~J=smD=-~-2W^Ef?ZiiV8iO?FV
z!YopxWOBgP&{j?{u8to6g3QttSHra3r63xsgaox9(t2f`KewY)8CbIWM#0N63_9|M
zha2;*5IFS8gQI(Q>AAnY4<7HFYHwKFpmI9Nr@M$<VK(%nIkhLQJyve)iN_I6gz80v
zy!^2c2QTZ7DFtX#*rFie={}9*i$5hMNR0PvrOfuNRVT}JcsgH36wD@IU&CMOtg0D^
zDP^$E56Tyb#7bMH41O_MzIln5ARlRNU6#ksj=a<76^c<Q^ooim27D%%9hgj*>aF%b
zA5O+m(cq>n+_XVBd$C&iCU<>0HlhHTiXBqywZ63P;ww@p{%N|Oci*KqNFy#_4!tXG
z&nEqHNsI5%9>l}AVJRo@b#<fF@=c9|Bv}=b)n61eNdcED+zMQCg2L%8dYL*e(X#el
zhTeZzmIcdtemZ`3zR!KOw1epOaz74BDonhkc)hYwvG44x;jqiChpzrD5WePenm-{%
z#jv+Jm7NUU2pi#Z!~ZO*=y7B#m)k<v>Uv+Ogfgq*bIPu~E%cDI3A}?dSgX=L>$+))
zEOWNSexr9N^z3a~-=2ox{l=wl^6lB(#P`yVIg}!Z&AH==iB3P&>c+ya3ikP#spBI#
z9;wMz%iPFO6a~FspXzfc@HPX^KJG$zen_!tS}ESrM1@txG6UP31(iOdRi8%HXU<rk
z>2MTw$bc@%AB_r0vdC0qXNh-}dC~My6hz?oU}wgY=61#-y;a!Aesq&o&PBnC!O_Ll
zkQX*db>oixkyyf6J>^!q`&fA{==#h;K#BVez6^BZjG#XMH*A9R*H`S9L`=KFtmmP{
ziYDPJo9Ly3zGr@>s{1svdFm#$YL#+M0sOD3u-Uwv=fWclvtaQ!kt8+Vl^Xbyeor>f
z_p`xcs{L&O@@mVQN{ltZDPZGm66w<>ACG_4(7@|nPN0;*vAHePzWE1PDfAcS5QJoE
xHca5yRF1glORi)a{Dlq#Qa$D&O4Kp`Yb%mWzL-ipct6pJ>zex4u<AB1{sncaO}795

literal 25936
zcmeFZbx@RV|1b*ciqt3}Y0w}nAT1%?ODMU3ERCe1xF8`VNQcDI-3Tl#vb2<fbfbWR
z$kHO+=UTtd^Ze$VnKSR1Gw;0f&b+@r9O1g}`%~BF`t(KELv2-3Mp6O-0#bD~C0zmn
z$Sv^if*1l;w4xUzz<-1<bX64yFatMNz%Nicc`bPYf~pv@Q_IWXcV=rfT`d9vFHQmi
z{~!W_W3c3pBOq`SARt(^ARv%TCLo}DmX6iAPe5QZsIDZh?_svlEc=B<-K(YlAl{a`
z?1^Eup;1jE;}tdP^2(nC8qgp$ZDzKcVL@;G{hf0uf3T|s-Jp2OKxstHs=7!(B4HKw
zscjkx6;Io`y*b+>I=h_y?i^8sJz4!e?s+mcUz&+&%qn_!a_T30wmW(`x}Wl};^MgC
z;%xrnEbHPZOZIH#!Rj}^^JTxMm<SXxgaI;%L7t?w9;MxtWrBMxc9Xs}U}Z-Bm?8>z
zxiu&4`RC`a{xqRmNF8kW=C_8O{^doEE6{z_@56bjLgy8&=O&Y{m6a#EUe5a*fES;b
z{^{ReP^jU{vwQ=Ud3Bh*w!AuCisfzuuny+^%#&knD5h=%F!>(-I6pfv_mR0R^Q!n!
zRWoJrs5z?O>aw!q(RL4$+Y>eI-GjZg$%rxe9EvGc!UkUKjh*u3%`fk#x?b#)ASJlY
zhTZ&*chxtWFr>&E$M>-}g%m87q1Pq%Gg3B3+@r0!H}hb^AItO;7JmL&SQ>c2q0g!<
zn#P$eC49m^lC1Tz)@*qQ?Nw%1qFz`*qqgv|rY)a>7)m%>z|C2BiF1@B8#c-?0V8az
z=t)g=S8qFbq6Fc*DuWfGv?y2?LZwLgdU1Tyud#-N3p+^(dB+wd6JUkjm=!e5ROCMC
z6gq(K>5xMAwd8VH9V}y(>|t^UmAujforrL+F-o11pfpG3-zoly0vvqK^0)1-;(EoO
z?zuW>z4?uh{x${;Xr&nHPk*{H)g$|nbqGy4v}!x7$TRc6v_i)5H35_gf-SHPnIet=
zK;=pklwE9wH*^bni-{l<;!1M&+_BAp{mc+tFSF?$mD8o<+rI2gk7C3{<-b!9cD188
z{&Y?;ugM{Ze!NRcZp`;8D<Oe!k=*w?Kb<IlB*(+$k4dO`m!$hNe2%C6wWag|ASWJL
zJDl~TXG!e!-)C{s7JEi|)KF65$|+-lm5aD+Sm3j9wX(0Qvp2_!!z7sr0<0jUZ@8Ha
z(_c-J45NPqo6EW!^vIr9H9US&An!8Y(tLg-zFoXB+xQYK$KB(0yx0@7C^Udx+g|K(
zZ1oaE1SGIQgy@?!NUn20htO1TgHh9#S1C^{`Y8SOR?&V7kA%0XOm@*!ca}mQzdG5d
z=YrqX`5wya*s*do`c6Er$<|oiXBf8zFCmgUNB=JAfs#heRpjuOlke?;f#XpVG<4Az
zUg^+fo-88;7Ee?Gg?@p}@vP)o=fi?tcVn%0uo3^jVF8qFQeo`YZjId_(EIoY^(WVH
z@JF248(sGU>Tqw35E#=2*OUDX>y|DDqz*}sf{n%@46}K5a!^!tN4_>(d`f{c|KU`D
zMv?~sa|9joGwZt~IhW;$_~yOUueMq_FcV}FR?Xyi?dugc<-Wr>R=X-8ZfnWemn{a6
zuIY4M4!&#ZTyCg*1@x+oePD}0cP;kZ?9xgI6|Ms2S~@lmh+P;N`-HrD;+!#2imqMu
zc)uWKLV+C_YFn^H&_@o@jPEUUkwpZ_<Qp8gby-<lsMNftTb7Oqx$i-j@?bUa@iVRM
z^Lu=zjNjo|GCrx9^;3tDj0}=FyE;g&q`i*lq?*Q{7EJLIKHgJ(`uT!VW?iHLJzk#N
zq%L<c1d`)42FoOf(dSr+4;8S?C8^Aiox<C4vR8jat|Z#h&2ein#%DfH)pnba{-z_e
zrkXlJ<A%DdlQN9?pr&Dw3*$)ODfnSn48cWXZbk;Xp}MG#+mU9srg3ZG%P91B%;$#Z
z0z7-#s5zOCdz3hr`M&4wToF&4Ct{*y$A)Q?Y|ZjmiywZZ{)eDOdYJzvF5GclwL=oS
z;CJmQd>@fIKl`TzW5liyzn*m1&@~pLZrknn{CA0pUCc;y`C!k{?`|IdS#_HGBoBp#
zaBz|WxWlf<-PU_eB5Q!{Zf%kEY)mIa<+$Clm>Qe=QLq1*a=4)<y304Rj%&f;RyjNX
z#pq{(_$J0QHE!x&u#q}bD}iu$#CHYhU~f~$p!w({qvH^5n(IS^<ZxvmHaET}n)t=7
zZ+7Y39~7*0`Kr1*h0Y_fxw)Z%{Z3soHm|l9x;*>7nK|I#iq^f2A7JF&^2imXj;pJ1
zyOW9b!rNmsS1Q<V&)uda#0(`5m_(qNUu6%U!^;}eLl+GQTB>+<Z_`PCtgh1TpSy*!
zb<bZUvvE50aPN|cS%EW>uHnMDjswYV|Iuf^QI!N(^C&m7^*U=^OtN?DnOC`{?Mz*1
zM@?C?ejMIc>!Ku5Hl?D?@sp*7D)JxE98RN2vmfB#N*(vfdf39N<V$ywn@_K8U5OZv
zupaz+lA?MMwTx7tvC8S1t-rcw%bZHrt6vObNx4#AYhck*z;now7&okhfZs8I10Ry7
zYwKP9D+oiZzD}y)ro6m3-Qn?C*Tky6@ZvOFUtZ4-tN)ZvNfpaAWht1oe&5@rwR0(G
z@W-m|lRJ~>p?vF#nQx^M<eT-r9SSF6SM0tT6QK%n2zzXR)Etmuk4~a7LA4&(dfDNW
zrP)J|_3i8+)N2R+<?I_jzJFa=?RDcoYwibY2?{?whvRbo>SB8rhQQ?IrY~h*7&blo
zV#hQ!_N<zAt48ue+}**B3Z%~KT4>VrQMtg8progB?xbe}9oIWOh;7WQ{cxW3G7|Zj
zD2Vh@)d&x<VG{XGtgb?dF5~-DeTbGQ1-*v9RvO1oydm2g`E73_JppWL0Mz47H3dCZ
zm-wBo(3~TJL}XmfLY$C)P~kBS&Qc8j{DI{iG}Vz=Af4bx&_8QlpNYRuSZirf+~I8d
zV<-47YY6RXh}K<jLj1*|;7?YQPK(tYc&7_*p3=UndG`B<V!<)qEqtQ<{_YFqan}Lf
zDWIud*y-cZWk(Vu*)SBz7AfGJL4wgeRTJAE8As@6dZbWos)xVjCfQhmT!rNky~YMw
zN2f<SkLsTql*jb~`>qJxoNvABcUf!+*k@P6Iz6*S_l*!H-(n<ePo4lmLiprt^4cbM
z5CPg1f`dzx&Tuci)G)D`sDl;C5X*fRCfwkg5LHw1DwfEGDTWznT^#Q@rHCHD4RZ7t
zpyvv5RrbpHKLitiPfak|*yXJq<J9({IMn?9qa!5dwlt)h7`QiL`?{J>A8Z%uoC;)!
z*OUEy$yWw4q@;)hO4e|_?61a!oK(Yo3!?pvM8E6T+CgT{3W({GzS`gT>xwgU?mhI{
z$e^WiLTLI>Opy{gggyO^x>28Y`|gMi%9gT>jON{wo+h*_%lqqOgtN6P6I%D4Whbi<
zAXA7d-QAx^C9XJiUFK>Q^IH8XLijl>Q}0Jul`#<mGUc-MxB?1MVEd{$E$&9?yKg1V
zdC=M=T}y&DtsZ)PrfiXzFUr;K5?CS>2kvUb*<RhS-n=1k)2k!hxz<G7UiOsX@tBhA
z5SlaC62-R5UWp++;y>7&Jvl$wQcY4+Azlyhe~mOrnUrQ|z4$Pcod+WeC^spiMP}aj
zblv&YuaU(6Im~l^J>_ZVv(?gQLbRx+T#hx8^3S^4iQCa1+vW}hsW4BeK3BG23~$dq
zImg=Z_Kqo*a&+&-kB^tRqhwyBN3^w`ueD~DI<9V*UdDgdb!PY`j09OiaFlLvs2#Ov
z3T59|ewXUCJu@h}mknEHebC&<%#55?mR(^7(FwiuFM@!}Ac7+MSb#GG|CdLTZ_Gdm
zQMS|_YFxpTa){t<R#7Ms_<`sL>$VtiHtZ|Cs@L!xLR7(UK#s8nl^h~5Ut_uv#3Ji+
z(0yV8<n&_k=&~cwHOJzT;#)waq^#vN#K3M$f6pE%xJiiOPz~K;5eNVZLwMVG5>9|L
zUi&n>X+R-|Fcj1jaWw<_(sZAj6w=D<kFlVTVh50)4XwCJ15n^Nj*$b@DLL6JkH7=x
z=lUyp!35aXVR9Do;Jeq)xUmM{y;3&CMlpGSvQuCr%o5OI*`!7qAP;_!|De`H3f>g!
zjx`ejxE)Xy_7id70mq8&{w5GW<GlcBh#X>He08^h5ujpp<Z%okz>W+U4aJcHZpFll
zQQWEo$j_7u-o%=KL`{Fyi8}CLLejO?n+8BKAg7K>PXg@SeE<(^y9-1{-+2{4mb!_;
zn#K@dbz?+DMHK<+$9L>M(Siq$ZW<gXumEORDU99{V5^x;!=Iu7%GFOp7%d<cF~LZb
z6+PG!`n$S{78KwI3Vte=K=5YN^L)A}fSd6aeQF&$c%Y6=X!Zu|ZE9J>5DcNEqa}SX
zDg?-q;MDLLfT32Hw$>&P&`5ff2iXfY)ivnwHiR0GNc}z5tsFe4i@v#Gb{RmT=}=-@
z=J3aS>5Cs>{!IqKkrGuY0?1ddWbjY2`D4a_b?XPjr81B*Rx5)Cw5n(sTL3AU7)lGa
zhL<=g_YwHMR#K?ei5fuGB4^8>2edGBM~qS2Vfl?4&U2Ar8lmwU+FltgifhUbXqy4T
zaAK05nP&|+IoQ(B8Ce8zE}vL}n7joczyNv3?RtRERGt9`tdB5j^=<a%A($cq)ZS&&
zl7&&LA!*amy}wH~n*hF@KSlffRDYNHuL|FiQX)XM^D|doCv4;uhiPmVeEYY$o5=oM
zT4Pf85{Lxb7D-ofgX{P2A00RNZuuQ{Fqt?GM1kZ9yG@zzc>`>?vjxS<#|z5CKYe$z
zq`mj!7KsTnM}In&$N@PMr0}d#zQr_oA7IRUoJvWM#$Q9rtDAAXJRwmkOl(8L=$;rR
zzmub(jgwMDMLJA-HBh_7?_zE_L+GkcTIQ?cU5AA4yS=zveUDnz3*Xa2!E*!1*$q*Z
zA3wA|NIQ_6^S~cA572C^@1Au<&^_mrDIM8;#V&{V;LZc~f=8|}+zTp+bv--Y`&#ef
zZ8mY`th6wni|M|{v!z~|!NucjKPhZnCZ4==H#?Ep9)#pp98!%(R<gpc9EO3R2AICx
z&bTHTzC%UjQ}EG8#X;ZUN<l9<<w%HqW?V^Y$wvt`tnMJ~OH*oW^<w+H)#M3wq2X(Y
zo#&a>gVmZ}n=R}&M@b%R-Z~pP^{u3s#O3a?WE|)rV~NBYqs1%Y_fuHCi<1V`JQBLI
z#tGK+@{_(Or97uXl3agf6b<zG<|DYwr2tB-RY<lH0(IiDtTHl^wIE%@w2P?5TGhSy
z$%Epc2@AY~77F4r#faFpLQzZPDh;hX!|1c9qeAa*lQjM1snv@Qw|vZ*RKJZCaowt{
z*6yT?jt(@r^_JRgY2#~sbg(f(cbQXr^%dg`JcH$4Asah9+iKK37nUY=VJI1bsTHEC
zwWfvmAY%#aqbDeZoj(OGZyL>Seqa>TlX|;!ndWZh-5(WGdST-U`s@k_ZE?jOR6)%o
za5r6F?)(%XL|rDEz8*08T;QcB(tO*bKEr<$yWly$#-N)tM4!YEA;NQiw!gq8$Bt_P
zVYOdxZi^_XX&G^`3~POjaqewFj4+^VIW8#+_Ysqi)1Z0iSQ5XDo>^R>LyDli)jRkj
z?lF1SBqA9+Wsl2t%)}lfS;A3W!vctnL7q;S<lJClcl)k^U5F9a)$U_>%J^Hy$KdFE
zk>du3;&`wke=hLrgr`~OoC-Gh2hG(7n;9IW{d-kOnjBvP)n7j0ju_C$I$lO9{|;N$
zKaJE#PZBD4GEqNrjb>`z=G*)>I<ca#`)Spkbnz+AjTc;Xc`zvkTr=v0%iz}oG@Hsy
zw6@*%VRW-8iQNVl*46M-U*=vw^GbMnTy(unuB-pC)CB4_GUe;Soh<?&r<$qj;A!tr
zyCNc(itX&5NWsPd*iKh3=OMKFlb4EoiU={0WYkho)({Qq&D!^MaI$Nz5t1gy1FMhu
z;_x6rG#s2+(i<rz9KXNLpYKQ9Z5c9;4uqa>Zk=PsbMla1f!%Yq<6Q|OKHYrTx_H3)
z;M9b34Q9$o1B?|7v!1dvq_aIVaJ)v$QBnce2oW)50;D`b%ywvPog7;|@H}r^6}*Wf
zrR$jn_Q{S3!YIH6h)1T3X5MkS4vf!rF`+u(O5_nHb^W*M$dJ>+7F#)`I8to&6)Bgd
z7#w`@lF|;|mjXXTtGId@KqHeY__XtPWyhFF^dbc?!|e<h!D~SF<TTKLj762w7;vVC
zX!xURsO1m?GEfl<ZD5A6LPgR#6L-L--f^~Z1b*T*rq(e{%8?FRo!366h#00p*<N#>
z^I#fAcV7wpMG9<nHmrj;c#I4{qxFZ!F0(zOMIP;cb*V6I$gLk$ZDo@6EfdZY)chQQ
ziR{+yZUFSXh|N#uBu>{rV9Z;6K}aK)?N?;qk<f&LQwM+8Qptv$+`j1F^DV|Sd2B1p
zbt{qc{Adrn!a}q)-`eVP^8Ui-WWQWy?d?dD*B;!CUG_nijMgBoX|(uegx>W6;qzY4
zBBoQ!Bq})JEpQPwl(80CP@<J^PM`i7Ns;FdR`MVFk@+iHlD<}#C?k!d&KhIz*=L9d
ziR)tM3-01XaoDIR6zm*J6~qoiU^MO2NQ{Bcr==vBQ2HK;WnHSYP`fSTdrB`8GNv)Y
z8d8|Ys$EjS>R&imf-wr<HQ~`(dcZ`2vXxYXe*(U<I#jKa6B3B(dK&b2BMjqT<a@%Z
z8!M7XLx>qO56ez$Ar;ki&)C9+k9~Txrgm^S@-`L9Rzy-L5o}7YajffQXz*$;FOn1)
zo2w-9<s9z8*MsU3<UhIxFIz9c;LN*vzbW`6T4}lPVTCeSIBb9p87r|HQ3vd-hMR^{
zQ2G6i3p?-r=!+%Za=WDwJ&IEs|Fpa}xm?7A>;1n8XdoA+NAOvXq)3UW&_!EnmL6r>
zYY|%yA_iUJaGN#eN=YQ8VI!N_RMv-)_*?8Kj)+j`KgBU!1x4sYG3;Xz%}GP%!*+9r
zPd5){uA^)#*jk5uEA$cXqKMAnqGR3|V&wD=&ZTk-M|$2%)bI5KseqUev#LE{52(R~
z(|&E1oeG)nbFEDAdh*5d3WeWN)9FiHDQtCoz?{at!2;Nf!Oceji`(5YyJ2@DQ)I&b
z9}ECFMQ&w8A_CrEil524Fb$Td`3}JNaJ{Kzo^?-@5r$GIkyDBQd92WuH`n5Z*~*&H
zDRZ-VPwus48X8do<PYqB`B?EhjFBuV|G9wA{-f<-w3mvU)-tC*Cfyra>}LpeQ(1KI
zWKNx?*xu+E@~U-_%+Gd0zOZrv2){grV&jIAMKOk)=hSGyV=JHPkjC<yreccy*W|3!
z)nA{c8m=x_EVH(jdJUtIqzC&_-tNffB45_-_&VjA-&qm%wch4+;k<n>5nl@Y$q3>K
zhM<Vfa%%AiOzl+;2PSNFZo7$#-Y|ME`WBxohzca0(Bepwv@QcBz5GdE2ZVsHF=PJ+
znH#(TTCS0CJQoILQxDkuik9QmnL4L?sS^1w`fHb#gH4+}p6e}Y*`<QOQAC1Q#E}<Y
z&|abY^;Ke5%49=Ch0hb@OGdRn1Le3uOrCIkg<0S=LF=G6gwc3H8)OhC#3Sd0U~{#u
zU5k1I5`t=S1pG~#9Wa-{mH+diR{DSK^;dipXnk`<IS+Uvl`FxI`P2aoas0MhnE<sn
z^%NTc$~GoXJF66!_;)#lx$eNEZbV+@n`Q>?A}|o1<O)8#$<h+i1_gE;>S2R~fd}Pm
zs*MPcwHS8^41e+j-0b|x7a=}<4fI8R9iJF<$QSkP0Z^c%t0xQ~JPv*x>>LXobm<g4
zU;xZ=LjLzi<{p!PNOlGE81DTm!Ux5G$6qx&m<8AXpDM}MF9*m{fAG6#xy~W|bQXL0
z7V&xzU?V=DFwKDElW2p-w$(dWg?TGx2Er5Ab_7^nwtmo`#`zWtV)wM$j*^qWZCFrK
z7zN3#R(~(!eVwfEpIqY%x(=4g{Mc981%Pk`%<_ZfB>qPDOPy*B|IYnt)xP&I`JLAL
zozw$OtD6#^fd+H|JP|ns-+ibLe}pgr9WCX0kZIcNwRg0$d=f0bbpQf`=}C{#uaeN)
z(q5>I8Btkc?h0iMUK6L`oj5ngB3fd6-sfs|KGq@%(WR7jz5rQ-c2CR6rj)en15IbA
zMJ>OpKqV^4h`*?`RaI=YUYuKm9VaGFIhS!4TLSyg5vVw7sLUMYbIVCwu*!gxJL(ot
zEe4WkX9{9SkCk~31toQd$9pY6$o}C-V;4z!w9l>5%;c$sONy75fvZoCkru7Ul2c!g
zNS-?GNx4l9*2ou?9f_0MhNkEQ1$pgcf#RG+ib`ihwS539RntWNuV*+b;m8Kyw9$h-
zdxJfrMGrKXTY>9lcu)k2oyw_l#v|dIbIp%*V@E#}$HDWy6eH1zh@T15ylgYnv-hBg
z*z)40rFmbOUwk!9`@`Htoh{J@Gv8&Z=ut>fY_APDN2itM1NO{q9`B<+1w1?@wJ*@5
zSOK;z-tH~2qL9JR7c4*H0>oWX4OYX;zU{<bB@H7w0kOJqG^4QX{fsiU`<X@=OQ2pq
zf-VzMK8mf*e=<O0tdfiniy*rjK!Frb7JsDU&dl1rin7H_O$sV$ZBWNA^%%+eo_=@+
z=Sx{w#`ccgAH2jQ%k(Dr-oi)CiqMZH(Hs$CMYdSFr3L9KQkv=tGlbQB5uZLQ$pb?}
z$O(g>#<8JtFun2Z`yScQKi;VAe3h)#@GER0nuXt2Uu`JsU^M*Dx_)jl14^`X1&v}!
z-x)_|@<^YyUM)$DFsRmMLZ;TBQYne9ZwNx^*363dRy=&KxOLGu<my<_6qum|-ler%
zjLiT3oem@Zu<Ewb+f-FyJ?SoW(y5EAS}Gz+)PB8UKx@sj^BWhE@fG{=dSF{vDero#
zb#Z2>t-d2V94)%~>_<jvnYHT~*=U0#!no+I{kwi~uj?=CwZBJvOtLeD>*$MfJbhtO
zICv)s6A>tEB*}fNCcSW=!T=#cAf$SW(K;%;5E&J&I>2UAQ&YE6q1jWDuiQ0?GL_)z
z7e?Bh9@B17*}z&Jn^v6j<TZQy*ycUg5flv(oZdw?x>W1CnR1C;HSgeQS5}VUCE3*J
zISA*?c#PsFIrwCPYavdR`M@zuw(M#(cs+*}qju5#Wu%>+I=sS?<NfdA+_oF^mz4Do
z%B_MLKwI1zVw02kCJ@F`kM?<LN`gpl)?z-E@?y+WYRjeh8Ro0Hn*F>2sa9<xHj+&*
zKCYYFo@t1x@F=vmn0<>poS=Kt67I>yNt!jR^nAvAdwe#l{k7a;lDddXIW|}R&jMVM
z#xc@XJ+-idbky?qP;f`Ac4{xxj;pMOS2uO;^2<jx<wNMzKV(vCYvFx5WQ$^|%11=Y
z*_aRNGWs9j+AdU5bVbw$X_OqO8S5txH(Ih>&39Rlijw89r#teIzg*y}F5k3|<6b=M
zqBA<dR-@L}rZk`LCmWes-R==sA4Q}rPYBEgP8bx!R;0DQNtqD6GWP)82840X&tvRJ
zYwv=lR|(e0Z^?lxHFgzlI`f<adJmaaeF`$i8#0I=tFNLwGM`r<o|hRQtWHNfM|Z4?
zeH;Y^FL~YG(hL=Bx8<9w&ey4r|H1ZAW};|pPyLMMo+x==QmN)fcB|EcJ6?2Nw23bt
zA`<3$8T-Y{VJuw3blx7rW6_A~Nrn___AxzOR$ESkx<#8F9GVwi{)Ra)H(+cYhwpTE
zmYrq1chG!bZYxA!?3Rpr2Rn9N<7w(0F*fkrV4b2KK?qe+V;3rpIqB+7KHm30cQp-9
z`XBN<0X>oDOvpFXhjH9vGzb*le_bbxGBihwu*9TYHm7&*whljV&P>%WgMMNhx!m^K
zZkBqfy5R#fYqvc8yjxm-4C4a&A?Ytk1aCF&SMt=GbM!=wI3QQ<v30kV!`JF^R6l(z
z%u?|k?bL~WM1^&w$m`%#*{#t#YH+j-qscHhgo#?4_wb{IyE{Q=W}k<wqcX&22rGFH
z)`O}3J>aHu_>o+``YHEf)f?;wr<LS%(&`tM?wIOP?1+m>BytyN_ic=LsllvgGgp0p
z-Y&OQ@Dhsnrf?k5V8w`eSep*1KG#N;%EP|V+`+Y)tJmCl!w<WsL!M~tRENk0o2t;N
zGO~roJ>j_OkL9m;b~s;L>r$ruohZb#!JX^<P3#w=8i{h)+2ed{+<UHZqJx<z^;ng~
z(fC`)VT4a4t%9}wXIlFC``E-#R+EQPnM>0Z@h`f-Ir%17b<bsPjQzzIa|s`G*EdED
zh|iiU$uQj-{DNm^Z>?kBWquM7<opEzpVD<yn?SdG-n;wd+#qoeA=w`qz3bMc7j<Jj
zjCJN_!$RcU2U#y~977!$+Y+#bB``h7Z-b9o6ray|-7}ndERcC`-|Y*}7|+?mDbQIJ
zdn`7+>D-N}mX=PmhyqSzxI?R(l**oE-;KPqsaWde=C{U|G4mPUvX`EeYT$a`cgN2~
zatxWQuNldLf;VeVfvcu7ul}D6&?=}N4Ji7`9UunwryB=m2TmfxENh)WqF!d3Z@;Vy
zHHr42q<-W$#{E(qxbQgC3)`Mx*aiu=X-0%J*Nk+o7Te1E@1{>)&2v;HPEB@OS&7Yx
zFHDy-kk_`_4s&=f=B{nX7C$T7KX+nXc3ckblSd5P|1cN1)_=&MMS^sA;__5|F%2#(
zvX34Jp5sBzWl-LY=jVMDC0I2z!Q^vuci|In3TWCkZ~1=G9PgT28ZGc_b$zcwg~CT7
zA|$d8S4h`=T?;PYQnFPyy}y>jjt@S*A<O8|8kml+8<%F?FCc^$CGSp8Id56#_nJS=
z;1i}Qdzxhgl%Gzud(pIHNrOb;(_(=T*68PJ)Z9D|FYpWqW2MVK-{2xwNndtmNzqv_
z(%?+PwiDIO)1JC7r}X@h|7HY7Eu~*#yjC01N>#WOp}OoN(N&Xv2&2B@j9M?vgJs%|
zB@e8nyK(Awju!lqk)=p&`8Kmf4YxCzm+mZ+tWAT>aQzB_j{ZhCj{AN#oBwmhn?D=v
zVW9htcKc7V^>YDPLB3DEv%$ng6_*|!P2}%p#Qmta*+hj_4m(?YR4``eW3(_~SuB_?
zEsb>@U;+K#tbr)R%*y-#8UHYv`;r(C=)_V^*z`l;P!~7F8>ePvAIv90P=cBl-Os#@
z+&Jf`*X1WuJRWt1KE-fwx`USNcFWR9zw36lMA37r0Im6XFHOWNzX{K}B<heh6o1<g
zni^q6?&L_$7VM&7JcND`{n#AwvD0?bms-WkZkeu3lCk5scPRD-<%uM)t$n^D_o{lb
zJBQMT&;utPR^jR5)uo|fdy5u6rJIjh&J<3zj|~wab<@JW$LABE(;Ev%d>@_sVif;z
zQ2fxbj~c-WtTELvI;UndeFfAla}LZMCjHtuutHV@Dm^WdSgJJ`Bi#c>2WHz^3~KJ3
z)LC@ScCt|zW|wc?gRd=`7S1&yAw7p@<EHvf^6|Zt-FBWOs|QUpe>%~jAP-{WEVx|L
zDPw)Xu6}s9{aAWFx?rmul)s{T5<uL7+`hRy-%HLAnq{G8y_?7ymF-8|xr4AX=8(45
zpr7gSJx;W?sv_Y?^%;66l~~c4`mNc0i4HE=7+;{F*Rx>puB-PauTG<O_uA)}W<1K|
zmdv{Ox)sHSZmQpi3312ThJ?1xDTGNB9bzF8;j~ww-A#@&3STY^P4`f!P4tk|uw%-q
z`YApT-`xp6@w_w3V`Zf$DbDY5F<GT6``9$)=PIZo34}eNO6J%%Al15)*dZi5@zq1q
zxjQrZ4o{+h>Q9b75|D}fs*;BQd-X0SHezv!utII{kxQRom8Z94ZtchASk;84WnNrw
zrmA0>PnO`m0rguy&1X6D0$iMiFYc6-N+3NCf9Loz#$19d5}%IBp2hp-2a%mH2e`Bx
z{bIV<X6gyxK-556&X3n7$Xg_kN1znHm*+9(JU|$b13h1qJy+a%JDK}25|Jt$MoAcN
z9b*=A$I<I$%f<N#KKBIURr4XN96pQCU3k&TFF_ZQeo-~-pUv4uPbqbWM%L^sy|Eac
zUMHR3c8SqW{T(NIb>=WLR$bjcRmh^6b#{ISxqKb^?;yW<LCByl8kPhq4?jurV4f=Z
zcbJ(g5YZ8dWn?3d<J5GlS`Cj%pA}6?X^=3<yrQ^LF43>c_(lYD!#-al#m3nwg$qHB
ztLBWYtV%G&k1rxsU;WlAeHz>P$J*<7@;v-rjbsX&^*&-Dg(l+wrgC~3-kfXfYur<H
zcOx2hN#&gZs9*i*2*&(mh|NuI;}xum#u!~YwL-R@Ogxw=vimu2q@6zXC}fewV1mZa
zDIiSP_qWuXnZdW=OC(`FS~>N(prGelIfTB?rc2H)Ajs+d5W!32i<u)6Sn<yNCI?e(
z;*vF^&F##1`T7mSZBA99GS5$2d)?_~J^Ggd;?JcJJZ3BL0B$_yLk5-7(1Wn9SQ(xz
zu4P58pJknE<?9*wr3Y7I3sy$yj7V4ct19F_h`pr;+_V1WUI(hu(<w5mp}~9GUFLMx
z>XZLX%09XD?KPLPiWb+KUs{#v!*gAlL#cEsR<H`|P6-ZWQq<TuCRr56VCZ#f;>ggj
zBjj6|U5VRa^^XtpAN>^et;d}2#k}df248KO+$iVg=?PnWb@~yrb9I#ikNtfDz#hZ-
z7rO(ru(Pvpyh;D5mAOVNQn3L@BjK+!G&uz%ImH@&9g#8bi^`4~fV2BEgbevvn6*n2
zdXqZ-L`cuGE`nv>Ak8CwF9&vHDUbLQsV2xo7}h&pinuuJksUzT6vT!47(ixUi2|^p
zf5Co%%LxiLQyPZId@=d``VHlY3B~42xC-JA=<wntNeFQ@{`sMniJEP{uI+n8qZ*1s
z))xoQq~uOy8S>SPoSGD3Yu(fxMxP$$;I+*tQm#)>(8@f5^aM)=z%2f=A(oKxuFg;&
zzWd+T_-_Mlnf`LSL{dwQ2YhN@(Fi)){{sAu!k&dwWxcfbVMQa=e^z;@#1Q};qD$WF
zr2!!S^e_2i91msj?`{%TG>ZM_-FMW*3;?cykH;jE<v)94$6ATP6P!ZiK0BTZJK9#n
zOX#@_qz_M8hKv3rQux1K=BQM{zib?WnnmaR`{iMRfCek8&K5@cFK+h;|HFqEv1Uvd
z<%y#;`{XPsY6*8Z+wfw!dwFr8E8@6>!_OBqzpz)*CtNbx5|ZhwD#{=AygrNnG1~;9
z=6qBa6RI$F-s?l9#bn6!v)PyPVcK4}f+a;#W<KbEiiJI%is@iSMVk3mzgA(pRZX@t
zCuIbCP10R+Z9!?j^Cn6akxLL`$P!-c#>wn=Sh5?bm0wy7jM-&ye>P&#f?;zph5Td#
z@HbUO;hrQ3oq*f^zE{fy1^gOP1K~skEJ$^Hn=->(U~S{P3Qyr)v_lQwwWI=Wy8=EW
zNz!Gz0%NH{OAhEU9tX!aHR0F($i%{Q^e<Ew0NhKw!>XYN9l?KD82s2eDz?vcWu(B}
z&@l4gb>y7)7^B4b?+{s$k+>=B!D5W;(=W6u+P5I#VJoSAyEvVU)#8Gy0bo2tR8;k>
zuk}<zZ{z5At>P|DqSJ0Lv-zjEg53Ei7y(_Kg4H?4$gvGlJ6~I8@Xr50y|Y9Dk#*5o
zJlY>6BFz#uYtttUAR-YteC4eN4$bMaY`jMLw`GDDsYtak4uhZebL;{A&NG&)7cf6K
z6Y9Rt@h&(Xph<A>8LX?qm&RN9b6)U18N~ID1aUJ#)>s9Qh+{otiXjo)XMq9x)t&sJ
zYb)d>>LU)4dZldo=kJ7LZ}Y-GkNlZ$@sWBi&a={sh9SltQtJ4W)E+hs-~y%G4>plL
zhCRDS$9rqT(g1-VJ^aPV{u8^DQ0BB-V6=~w5bCaMfyLM>M5y2WCD`wsx+HRC^-JKD
zYYB3np@v-6*d5Q3H$kdgQOGPep?tL!Ma1s(Xjx34@=DW4@y}w!lVqXnI=8M2a%pm;
zI!EWMR56S@gEV|$bqLK(t71m%9Mi^&jnnp0Vb4$t6uE2G^o;RLt4M0z4~C)U5VsDM
zCsrpm;E_1XErU%6FePG!FTEr}k{CU0K6ht_A{nI9ZGs4(JQPL>h<xf2Ys#I*Iu@Es
zQX&&KDj3BRty5y}2QlR(=w46y4vC=|AEtTmF;6{H9x*oYJ+8Zb%#ulx+vpIMcLg0u
z;op`EeLPG<liM&5QYaO2EY&~3kQI|~OyL{$*sntUBr?wPGD~_U#k)|dTd;R|FzO`w
zfjn58;Y+qX#BRm4c$(A%*DGGCZgh1l3l<Rz1<#1fq5*3oI<eO0;YBju*D{4^{s;=b
zdB@IYNC%Ed6&7cH7yIeuFr_1^teEc*wpx>Cd1cW;Wr8ve75i?hpU*J~*PH9XeG^j3
zRvCoxFd^%&bl#mrpmawIpZ1gX3*PoiOjlD_F!zZbQK%h}`cqpxUQrQ5>baI=`+kdn
zF=a%}g8gF&JP%gdc-27w`d-O`1sSGgb!_3%@o|V`(B3feq0u`SoWWOp{$zXRyec<A
zkoG;=_0~!Idgl>C!dTO*mYNPpt?b>^e93Rq>DfDa?_uOZ&rk7VA>;x5)X5mw+2^65
zrrLF6ms$MeaMtE-Ig*y-!Rmq%{D?o}^Teb07#h$4W*RM;fUm(y-wUH`$2(LPSp=j4
zR<J_e@u@r%z_(q&+gnoN^)P%RvldwEaS$Ic#6lq6toT~E-o`Ct3jFOU#T4z|KBD6=
zu2=u{&ycqF;OHo0|8&urpC&F62ee+Cv|fy6o!6GHy`GaJfGm=nt|D5kTJFn#pKLwf
zdozEw`SR54XV|>VNxzG4$Ch$*EA%r-KtJVo(B!-@<y_nMjOV(V_%BkPSLTY-A1rbS
z<iNaB1#vLwA1G+4a=365=>d{R;+P;`|DleL@&BDVKxl*tqL7MR7W)2go3zkG1S^DQ
zK4Pil``eow&mBgWKtEp#c=ETqSwb6y(d1C`C3cR$cRe)g>`}Hn@_!U99)SdM2N&+!
z_odaQB&&Y?w7YWP(2iC0=CP;tS=>x}<P|@0;nbWgeLZ1)H=DZ`Ia(;&PPN#}kQ?|e
zk19gM>7<8O6ulP8G&c4*4CrJDE)za6Nb}MwO-wO0-(^oY-7q0=<=RIDgxG!gAyMK;
zP_ri=rJ0?Kap%nCEK&P%u1l$Pu&vRTI_ma;bev<WJ>-1+n$TKP%igt_Mv*h-8tM-e
z4uKkm3*t<B?(Cp0bDn@o$Tsa^e-}uOWO)ALU$l@9(P&M`wub!q_{O@bP(d-4K1e_f
zA*t8U*@4Zi5LsLcq*{xNlc>@@4m2gzIy**?THfUfcZDoRVLwWdXsvn+tfr<eLo;@J
zyh1S7qoqDGS5kwVmjT6*(6L}SC^y5L@f-1jO8v%qY<{X`-4NpV1|!8xUT&Ejzv?pb
zO?2(g^H$n8lyO1)ZRGUle7Sop0<mrD*jx#LUxM{~5Q)Xq8SV`Wmdv-(299Rqlsg+r
zles6Euh6BERuVR*Nype+VY8`+pSR1gIl_`zjw*M8Iu++tWHb8C;qPD$$Ramo2B}Rl
ztkBa}pDzbwP$wf1lB3wIPh^+&uJq(8AxwRP-dty>zGP7_EZK$AG5dLdIL0m%Tz$!A
zKwSS7#_#aq%LQEjWAno~wRp@tF+5-WEG@b<cfG2cx>9mw8=;a$$-q(xgOp(GtyTv4
z6dgQ#$?mr6ncMMA*N+KW7G90I*DLv(`o?o>cWK;lr{fzs#&jbCdr>8(5eavD^8{Z?
zq)y+6+lhVEN)ec_ZC+EvhD=fAcBUR1B(&_AsO3{$Co`xNOBfpse|)E^zThadeJx)V
zp+Zk#%nUk1Ik42xCQfM`6IOET<kY-V`=BDxt@1tKby7QTehQO*C`ig<o&Q|osZj!L
z;J7i;kS6mnTl;kv2TJ5~KTe`i{ZPMEA-P8mBOQI`GWtkaPLEuME2B(J3P$zwKRV@;
zSf0IZQ@~Qi`pw(*e8D`jk)?}u47O97eO)AY<4Rqb^!eI}$E}r}+li$pm2uP6Cd%_w
zc6ys@8Y}QJVp2yft|}ivZ+GKueMawRE6?$u^I&@25ls|RBmo=?7ITDaq@|Jy2-Y_A
zG3-~FNb2p;z1OH7XH`UkP&4HNTeg8B4SK%SaO_ytQqOd{+MYDpSEuLQ4X+k+q4VAk
z0c>>8_i&3aH}65$=#59hl5?Ly26|Rs$MUq@nhg^%UZ3$y`;!Wf#+=%c4j7ma7w^<K
zf<3C{LfLBMshcwkWB^55XiH)&v`D(lJQ3GyliRwjsl2{d-J08(c(Z65gD9#JKMHNG
z+icnG@C3&!iQ-u`OD;8i(g=+d!}AZoC3S_Z{H&8H%A7^LkT8N^t0|1a-?YI=zF=T_
z;`v+D>f@}v_r=sRA6}JxCWJMJz=gASrd8;Xt{>W-as7C3Am60h92G_Jhj3JyJWoFT
zQz(X49xcRDX$H|+2^VlItSb__<FO=q5tt{i^CGq;5`~S=(X)W=1;3X<8#+WDNPPJH
zak46MlMyS#cnc_^I;4ChoS6=z_%e9Wh`?dt=^Uojstab!C2Prl#f@VRkq<qd^bK|z
z`{9SacQ#R%Kaepmp0fE!t$v!%vJ=-!rO!<bS>qVW#)w?rp#!IIcJNTsxT;DFbgEqh
zaGmYz6^Ba}Kim(ay5Q3!#ND}xx~nzwuhN4rIK>Wk-+~5a3U5?E8-CEFDC9dGc43le
zZLE`q>;zV2?-DCs4D&VVIS<bYlEtkBkrnJ_gzV2Y$0hxUe6Rd>CPBd>9{PBaW-#b^
z{uWbM<Eph2OAm3+BaL+C-Y}$1AF0;8tDFug^w65tk(bQTE8*tIb;amU4#?Q=N8Bve
z<jQ{L!TM5&ITXRgDu@OS?stKvlU=y&GelHAaH5oecoN;<lX#GmUKw7nA86~QOtR2V
zxUKZyxDV-&r<{{F?r_t20X9-SNq&x>#$X1=x<=Mzo@AY@P^s%V+gi9wp$}JiXG`;Y
zZI6nwxB?eu?U%w5-q>fE=SmY)m+C_?(Aa1(+`NZ(xb(G*ZK{Z4XHl8t`UfmNA-Iu9
zFrvvD^LJ}&TA9A+ZZF^S^zr=xS9&UW9zO5HfojRxzZ<iA?@__aeeJ|T<72Z|lt|-`
zrrKp+?rx0cz%<D3*eX~wLkEgsbCOP%tFMe6xIx7diE4)|WDE18BQUqhR1iUhJGUV>
zY~P69LD@D>%JPM@Q9*e++oO+QaaS%Va$^oD=d|xBiZwCyT8b=1T`>eSkz329;Ccy+
z*x$5WCDu2p-&zZw*NJOk9O)x1Iz!V(MYmStY8Xnl5d-$6z^wn!6NNIeKU76DK{ob0
zS5)t7@T>n$twsOJ#^ev4GFW&$Ua|W;jBXmv{dY7CjzUd`RQXMf))P_?Tip3~Y$11o
zwYswOJuMQ}R0^)Fn3Mj^6PYWyAf-bzq@U!GCBMJ2;^60wphOU<Mi?MXX%vA;chUrz
zoaf){nPQ5X5Vf>x5Av;2kX;G0UWV?22Ddz-a7OC?uTKZFNAHw@jrv~^PQ*>3!3-sS
znq5UW<k$1F>n6he4bQ=7=rtx8=QV8hJrDqUKvJn^QnJV5z+_mxR^9SQfd-w3!)j00
zj0C@V%jx=bjr+_F$P~7T)U=7^EM7q8K$<uJElB+2=lD)~Yp%I*XeOKbrQ;JN`)g3<
zA)x@GMOPfWk4W(=GXWv74T#q~soTx}$_|X$w}RT(pZEWY^(g$oV9wJ^V5A<Vt3Uvu
zXfyx(mEfPv1F_s8Y)K4%eT$U?3Lu@Ln@Imjp9rAL{;mK0*?)_Kl=y$1mgI>&TOP=`
zkrfj`cNd(O{wy%m7c~svgA)RZwY@sx;6`W$F24sP=YpJg#1!IS#6Y5V8B7A;D<5u4
zU<6`{8n3EA<rkkYyBR+-?0&({1;yK&Ls*fD6n<qNg&abFV{{)3`F9N9YZV^UZ1{JC
z!Dz$dwhb_svA&MYZv1;NA5Eas?zy;&p)wB4GXoi1ihhE$cS6yk2K(pd=XmdfO;J&b
zyXGxp)B;+fVcmF|k~7-G+?K#iM01}#w1QF1PO4FMzV_>TRTS00V^P?rfXB*D1JVPD
z8Z=hfJ>r^)zN*CIN&cc>5r`eJfb!nr$+fJZ=YIpB^;1oyVnl8bYVi5n8`Vr+A`K*f
z7E=FfEhOB23e`~nC6>!JhNO+4yV)$1I#Qd-?dhRlge71D%yYAXmB+QnaB#_UhQ0C@
z(pVW9X>XL4L|6`19<x^h=c5BwrXqi7=ur5}1w!9v!%8FkDM_7v!?V?a1Wf<4lGgW%
z`wF1{ZQH7wZ2_e~t|h4%xd;hh_)Qzu&2}8WQez~5r@EZds2)=$2~iO#tBVNO2P-uc
zMpYPRX0YN+%T`DMDCUMZjidXO+Cqax-K2-;!G1^v)UEbD##3B)Ly!Y}q(x~|fN|!<
zgDKH?jTbI8N!bI07y}_2qu6lt=c|OowTc!#*y_*3^uv|z{3Iq2LSjw!N+IO*GdxpD
zdYn?g91;hJuJr!G%Z9Om$DRnt=1p5F%611&u%2d06X2T-Y6z~qD7S$dm_k16Pv=|C
zz#Ze2B^2BP41(mN_N}-n@LHG)oydXpDYrcyMz2j)+|7Y89s&(ee@ItHKpFyUqQKn%
zH(akPWn~Md$>+rIJS6(cwcE*V>G(0$Q9niP#8EVuG4<ISN5qYLs%DJfcb!+&;xe}S
zA@qyp36_fWIj9S1M2t+`8cr#Cki`?gs((D0wPz`T)cK**kyzsk4<>*nG7n)fymW-1
zqLbRWR06e!g?F(@|7^cgpkMSFQ*4%NsgW#W3ye7#r9Bdn7~y|wjHZFv6|TJ&o@Wyt
zHolD*qtCS@GnVZF?`Tlin;>YT@b5^lQZmFltI5u_`Z1k{*DA@tQ?sL66-1m#MvFAT
z{;)tcR(nS%D~D)Slx|9LZ@)EB)7eD`<q7X=yi&P14y4;J7bM#d-Xxb8u6%<b41Yra
z{lzha!SLQ9OiQwUGZGqX;IByo#E61Kt-{|BPodoRG%Q?<e144)6B3hi4CP|R!u&}&
z#?`!XEu+Yx{r&{dXi9q>1pb!z`m}KOIy0ei2R{;<-}*ZMNPCDgfY!}6$9@nL>GlM|
zuRhs!d?5fgQ4XpMqH+L!PM8XO8)O}3A0y`FaFY1mwd=Xc=Hfd}1@Y(`4d8hylyMx*
zu`lC!>3Q4uPK@vTWcbznPv!QN_B>E`jcgs{u*a9%_<N4$<2jYdP!-?E^J6rh@BJ<p
z0*%2#V_I3~3aD4H@<ofsHmlE6*EO9&lE)&vtQNu_^X~w0N#Mn`J}l7F&dYVqyZzP`
z7no?Kk8F||;qvK*EY=4U@JCarIV8x9EI=hs<yy|sZTEdoJ-RK~AYyEq_!CRZF;t8B
zasyAoS&T=y&2dX2xTyIxdbEzghhqt}j;^^rEMxU0jf^Y7c)q+sLHKA_DEk>etpd?n
z>unmY)V}$JVsw(Gh-V?`L%v<QuEK(rt>pUBhgetJ1?5l2JU&rVyThyyF);884%aww
zEd~Y=oSdsH!=Mbc^y~6JuHA7}J-uq(x?vP<^<!AQr+s&l<mMH<*T%kKy2_M<rS5_c
zDS_IP1<>GnO@{>>6pydIT8tO#R9D6{@m6%`2x&xIyI7kyC6Nfrii_lRH)U<#mH!Vy
zQIaw_utEFHmZFpoN+O7-u6z9iN;9BfaSO{T@<O>|K*7_rK&h?!IY<GSpP4~QhtUnW
zmdjnz#qO*YfzM*;fjJ6lb41y?3=6PYM47UHqBjLS+(HXmon=o?S()Rm=><&9EeLEB
zouSkb>R<Qb%@7q3(47GEO7HDlOQp78M!^*pf`CF|U|8PYB4vY2j4jDq1MQ%Mf>DDT
z(ZQ62H!M4CfWD=&g6XqqN0CTkBfUwYD6rB^X;g}FzRRcrbxyw=PX>sIY72L>wZ;=u
zj=WI|tR=mwMHjZZ08h;GUmE;?7<tIr1o{b{7*P+)A$CBFNWl17FA<&?m9)DIfEXf@
zGBd=)Z9FmG4dj7u2;jzB;k770Oqx|AUPi!}1Jmt*CngPX8E?!BDW*a(WrBEO!hgik
z0b&x{+)=hjJTd)dR3hZSP^($!fw5maF=4?P?*Dchb$^NRmL3uS#7G8|ufR|6AB~nL
zQUTP7B+d^Jj4=SU(~(#9lfTFJ#uz#=571kf#*0^+DC(&~Of3VR-oq}r9q^Gcv9lrK
zI_U}Mc#b!_M+1l6^6JPn(J~KM{=ZJG4D&_J^q3uC-3<YE=m5}QkV_u5EB{Rb2*HKU
zyP)#c#P?s(CME%drMd&*2_RsF{zm)(Vd>vmCHVCm-T=bVr7|@V@F9U8hYN^iK`#n#
zT)$WR_h<ht5(rSR{{>nSJ<|qeKV4qQ@S8PxfU#S@^WQ%%sa(P<B`8z?zmN6YDO^@x
z375r14%D};Dv(7zypbvE$1l0^d~Kp!Wky99ud}r(at8|;5_)!w4mL0>>rIe6Y6&*`
zo?-v?^gyuU1ie0>gW~$7>GPDUZS*ZBAK%AwQqlAV2XBHn|8E2Dj%Yrtr0;djNb2R$
z+u)#!LVi?>ER~5A!Q4RvY$9wv1L&$%Z{yd{8-TySTH)JyT4aR=f5HE(HpQY!GSD<T
zN7E8GXP)o#3I5&dU=Z24KN+83KI4aYbw{iJfd*u~wAjA6;II}n*nlxxeIu6!WqftD
ziu<9g#?>88>_~#n2tBa~n0%Lzmczm4{D)^j3t!IS0XW+=E4?6UZ#~<8bQVPm{NCYG
zU($Ak%*n&*-Dg5sI{Sd@X1@!w29&P3@_r1H?5g?MhRtN_j*0lcZmiCbfa#gQ7fC0j
zo|<}zoW&@{-7mk?c{#Dvdbuql35WX|UlVdP9{%9B#5u1>jJ|L%aXzkqM@vXZy@~)m
zA25S92@>a0_xm2dzk~K1B&QH(GxM-sD48dPDlPha)tu|0#BrI>o-v0~l78ViDN-jD
zTvn9Qc>gt!3jgOxfb&V?dZvK5I)H@aKKhxwAX3z&U#NbUlb^!_3?sY4cQxs$GpdU?
z4h?;WoJ+jW%EIrC(F0jB6^c=)sLZ#co`>I!?&iW)ZB~s!6TUuwh{!c&k@dMVkrtTG
z>Rt4kf$s(~g_2WQ-r^EedkrqR;kBuoG<wu8T*qmjb&WZdN7OS>Gi-#wZdZxP_@@D`
z$tU6*c~~_qgi<zsMZJ|EQ{gwNvKr~AulFEw@f5od?e-4!Xc$dus)Hf~e(4?T4~yi%
zq2L3!nuwNE?r4_S;wx1y)Z)|2tDn$ZJ|VBVSKuEAb6`Ah9&!7j<w=^5BFU&BhO7q}
zW!hifEmq*n3l0Po0<P$YXVCloGb>L@@u|E0_yxkxG5W;C$)D|L<)gYCT)#kakxh5s
zWkI?kdV&U~cW88cFQdNPNOB}p-%oCN5)Ha^s4n?7`%VXB)%Bxiw0rrc0d}>>e+}RR
zpvSO`hP9y9xDi}vdwT(4`5h-la<n9_!ej1k7T>6N@=P9&Y1yFaox%7@(n(EUuP|F*
zWK~PS@I5}o2FhE0z2_zt(p4=BBDWr>DWbbsjm@Xqmf&>Em81}3<jO8<qV!0kqn5wf
zEj8+*^PVd1;hmOy=#sZ%)PE4~o(?%rgVyAleez%rG*j%H9BY*mAC3!rDR1<cd~&(@
z0k3=4%GWZCQPs_e1ZL%`O+IXOI9Z&E0@$=*P|<cy>bj<Fe>HM?u(9E^Q(2W=TQjUg
zimE2}GP6zLtM}_`;WRL%0q-__2hCZBpCz){Ks6I78a0m7!h5QAdUF$~9^I?jDTdEH
zy=xSPw7cf9{3Ds+Ns{<fqyTW6H<+ItAEB+CuFc7Po91`=yuDw!>(IKMP;6o)sFGE#
zer8-{^S)N?Fsu!Q(%la2ep$F1nAebiac)E9lHqz2RpMKK!zawFm+c4rz_0ZGuG#(5
z1AF;jJ+S{ly{teD(Q>#DG4Fbl<v0GSLPmYa(>2B%d}T`j(t12zk$m?7#o=CspU;nj
z){8SRrMXbP_X<aG2>O9LV4TU)UDXkU9*xkS6#@@3ncI9Tn>MJg^!-!n^A|VLxfyw~
zO`Qxbiucp+(m*`%Exfq;xKZw*|F2EF{{aI_<k;K;z8)9L?iht*bf4F?7fs}T#RW&I
zrn{k5$B&$kU#^7Ef^j=GWiMjqG|(<3LWa%nk-F)yoqmlzcl&Wz|Lt(0=<-5H-d=ln
z+_|HTXTTEoF!(bT`9W>BK`CN+7=2!$Z=$_`SW~1y37t`TpTR;@UJoCMR#L?5zLcE3
zr>?zx@a$KeGs@O1Gl3|e4&2%cUJ3Ub^;i&@J#w(EZ}YN1ZdVYW)PFwhNRceNIgoaq
zTBzN-_1r2f%Fk5K?-uQgL}er`%66lMU?Zdrf3utrn@e)Me1J9mFmxbB6cyeV>w5UR
z7qrWcC*j|-2FdFcxvx3uDh>YZxs!L6rf+hr{Uw_yOB?((3F7!%=1Tlkb^>J80R>#Z
z>#zp=Rg>@__MfUuWeh$BWJvWi_M%m#XU?d_6NX_lgQf0us2I3H#!v{WAwOb9>OjAs
zdAbW0YcV*|RLVRJpIfJBW1?sU;Gn2LjU^Au$}t29o7C84SunZcrd%b|7l!I$aO>=C
zeQiyB>1Ag-9K$gJye6kWBj(O76%4{7dwURfDaLJSw>0z{?&;UH(M$n@=wDxs^WJ~*
z{!^FJ*SEeh?CGmKyU$SaTBcKMA<**;XZBjn<k4ak&G>l5Q<a3y_Qyf$Iuug`0n=_>
zWE43JT&RLpRqkK9wg>g8$_A<RWBk~nm8pmPxiF2XeiF$DN!ThGwz|__mlHan!90#O
z-gMfqR3kr~^1y``d<+?o(y|kZBzd@eG8eY_X|0jBbeP7I>;G!+zM`7ix;=mkqC#ZQ
zq)Cw)S|~~v6bL0i=tUwWfGAB71VV2IP?WAn=t%Dnig3_Sf*cS<O6aI`K?z_%nv}p@
zk?)LKUcUQq-|iWM2L>rH!p_QGbN=UVpUGtrP+jI6aBEoZ{nvYx316uHHpERd#;{dE
z-)Eu2a2Y9<C@9bH1Ebw-K!@NObSxfp*Nbz4v~cZ?Eh7~K$#F!iTxZ#BT6sMX9H>`Z
zMqEye*7s`N*#gz~v%|fs@+!i5_TtJfoZ95gF;Ekb6gz&aIL0bx%<2hVdMtcDz==b9
zfOsjQqzES6wYNC<afq$E)V%h`ocRHrkf8%qydWvDo6Y`GP~9~UaCD*HgG645gpPmJ
zVmYvM_#)t4Vekt^stU1q|KoId5+TJixHrI~l$G+q`K&jwyYO68&^-mUKjoE?<wEF;
ztcp)3<KU>%9fIOC{u++{=yjoaxU`_n-ki>U;0Sis3ESRvH7wXfylqgK#)UK?dV%L_
z38s767h8ervi;^~U->cOvD$XugW0mwb${~ni<&6^i)KU}T6%tP0MM7Wq+9N+lel?D
zl(tp)6-$122esfA?v9?DRVC?&ws29#S3`W$9Ml&%&l-Kx(5qJyi;Rbu8xWj+@@r$9
zbM8JlOKl4!rs8OS*7sbLe`+#SuINb<Q2_I83y@WmyUyL|5PRWurdrYu(prB|g^1rK
zdzdrmB@ZOLITeX!b~8e$s38-&hY3M}9z@1{7%!hwdG~#s9$PhJyL(fhGeXVR2IcfX
z1d?6=(|Q=a36{N98k-SpP>51nW63y5GqZKYlkJJ{bqVAFo4)b=Ped$9$cPTy&5nkB
z7#p}yym9j@DdmtTU0!}uoov6bRD5Buev>RBg@aYfj<FG(%&R2VeI;{$<gv7DZTlP;
zno3@kBFE`3IBM0TZ8A*?L_#q-as{7NWDv#Q^G6NK<%&w2iB+%VQ$1tU0v8hB?>h!o
z$TKL$$I@!=A+iEb8Q>Yb9=>)pzihOl82F{>$}{3yYx{1w#^macj8Ft+jq6~+FSNM!
z_zb%dzIUb*v6G?M3|3QJI}QTA7s;<8?YkT@-OOD>yM+&XyXu8hX|^@MJ0wtiF*Rv5
z>3#EuaqK1}Wt+1aU=5+PJ>kQ0NsPM*V`2wv`+THx{Kh$os#){3b`^ZT0ve3>Di3>E
z+k5Z0);Z`sKp7Uo&h;d%F-@L~B(kZW#NAx5FAJ0&20cn*!NnuVM`eK#NxNuQOfk2c
zl-&4<?m%<&Iw6U^gwV*n${?*6cE#cj`{AWoO9K_sL@})9J=D8y9C3eJW3H7(6D6-}
zixN@W;240fxi>iKi5|Rmn!Oz|ukoCqAjGm-H4x&^IbTO`Iu*B-lEihYulx-*m`afB
zJfn9nD<a;zZo|fq;EyS3VlKGKq%0E&UeR|UXZP`fI<d2)pUn)n^ldcV!3@XRoDYu3
zcEqi_va{(2m3l9OxSY{mNm!WeG*l`-mG3>y-vwp-^+unS+BZQ<!T4Yo3>!|B|2{}B
z?&HHG%e(G>gVZzJexMmB;cE&DTfB0>)*r%<|NaSb0;P$!bg8}(Fm6zIo*A*a4};#s
zKOz*i?_L`mqE_{ULR2zJyLNvf8Z1$%Fea0rOe(x=@Z1~PNFx@IiCCCu#+>BMPEfe3
z!m`ADCu|$vHXBoNS;}ZFLh2&&6T#}#VE8bn%m>|Fl2=qv#xNh%bGiJWeeFH-2pt7p
zJ2}2vJmY->w@sGgnt8fp(}N3<BXTYUattCdcB@)zmfxDogj#b&(U9g#JZmC&S+`C7
z-*F{0>dHH#FQ0d$D|wE($Rz48nHhcG-wA~31&+hGFuvR@PUQwYZLz+VXVdz0`SM!B
zY_(xlvR;}$VlJ1guZq{;)_)ZrV#7<lUpK0U4@0j$^&ItWE81c~XL^21JrOCz3}R^V
z1S7ixjvKQkA7$RAu@BW@+>GTvIqtRM+&*v3#KiWxqu0H1f{dG;NWO;O)>*?`&qNL1
z??XtJc{g72hZiT?`%mQt3R!QyeCqf(w&?FOd=LQhptA`G>t3(I^j;XUHCbSodCU8}
z*IH_=M_Jo#3prtoX+K9mlG#cOlQD0Lg}6!4S3K205})TSs7CX&@ICCKqc*7d7=rHF
zyAjX_VIKT^-(YA6Yn)|?vdjvV4-g3_t>$}__YJ^?*VGf`P90#qr@+Ef!_wh!`D(+v
zl{i*tluZHCp}?Dg53#oHgRcc-Wjc!064B?Ej3P28&zG3HuhkM9+2XGX(et9uQzc3=
zO<n{oQ+j+#d*<b5s<Bu$naAbUhuLZwEVZ%Qe>P5@=5WWnZuxV+4LNatkFmwj`qF=m
zALYPNhy;r)=ypO-w*L+HpCEJ*VJg6^0h5$6ioqrPfncZg05)ZV8rm$Le1P=Nvn%uJ
z8D^9!vyj9$%+p2T;EoiT2@76=;`Db>z=TRm5vW5P=dL{e*SV{IbIJx_i~kl#`yY|7
zx2wI0+)4+*p}^Px+wosuviB~UV-v__oF;Riz1o*1O1o@-&>4t-x7ekAJqA_+YT+M+
ziTOw1|2;Cg%m&&)AmD@y&tLziB=zsgZAzX~Od<@l9?=~RM_UeFMM9f}*3@{8L6d4f
z3%hb#-X^%C0}WSe`qab;;zwW5eI9`4sssRA>V3cI$j}j({dI)=zcHo$na=-*TKhkx
z*7EOne2+NVH^^fImBoX<z*n;R;q{bsd8X^CU>*J{q_=M?d~bDJN*oz{u%UkB8xJWl
zV!94;9}Oog<EE}sy%ah6enci%q7FfjH)O~1L>&j%``IJ1!mW-e1MIxTGzEJ2vSji#
z8+xo8@Vcn@KLUjUw1%TNHKnGQwqWqG1`PVx@SgwB6b>dt4p(XqA+FA3A$`VUq3^bO
z)8_{D!}a9ZP&H3bC3R?@dY|1z0H=CXcfW5#fn}zJX244WIgNM-ZH;6vgmH6r<+c0(
z6#^g}Otl7CObkyrMBGIO?e5Ome0ak-k{C&YNnSFb$kBKn40`#(D)2f$NMIVY>`${J
zeo|4k!F3-DB`&`V-dag_2oC}!KfoEZ_agwSDX%#PfJxvx9HR0V>H0vwmCJoHEh`dN
z9Vnlt9)Y`~<?|DSZrB2%OSR^BXcimv95Gs@za}rQ%=+Yl-nuSo$1aZRP7Cw51Bsqw
zgp!tqnNxQUCZe>Z(S@sNF9vjMxHYG5i6g4Z*Y~oF;{}MqRMUARX`?gW?`1oO60z17
ztt7M&wb-Cj4`5@u3Y4T1V5x78uxDKL3x3jG2#a?_7n)|aBs|0JLMOpK)KDWS-v1R7
zJ*dJi_iF!vZFom?{#IRT*=eMpDl%7oB7WDx5CC7AwdVG*aaN?*11oS#i)em-k4>Mh
z4T75*<Ok6u36O}l7H~_6`BE<0P!WFjCli_)9y!3x{Pf~lFZA+I7G%B_`J&=91>J<Z
zoR7%SIliexRfK&7Ru3MvNxK|-Q~&JXBBKHX<1AJmOxntU*v75Smx|Ex2!dZ1j60<m
z4GJGXaW<&thDue9RwZYF-M<h`G3-jB`WqDrakv6~ow`~N9+D&6VKifU5)OE+sweif
zN9LBz2%}LdDq2>i7rtKxK)ndUlClVx6lA=AJ}qahn5Va++lW1#n^(q6XdiX>{I4R|
zgZvff&D^>RcWy^%T%y_@VlC=)5ZAp1gNDSr3X=f??WN8KCOXuu)&LC+jA+;DW*4(y
zf0M5$ncG(Qzwn!!nf7Ibzmk%dLFSa!?X1gC^y9q>%c-v~nE)}-tG*ack(r%==7*+B
z_0cZL8Ucrrs^F&tYhekBFnu$V)$j2im<JD24LnZ%MxqnPPd8~^uWhfHV8s_^?o9HM
z-O%3iu6aP$yKQv<$PL}(3)iYV+t><VcN2NNTCxMKn4@3%EcL!};{-MC4M_TDr4G**
z(Y}5VbY}b_{gT*02|s6TMh?}ILtGtB&rI^dnW7t@%+R6akcu<?3i%kSB<jxuIMI6p
zYghi17408%et=t!9@QBxEH^7lyNNGM-9x^VG@vk7a<{F!&y#Cd-;q?80EIO^>o4Kw
zAIAN~Pp0}7&iElq@vKDVLSSzpfif8KSLzJ+xxIPirtvLYfO_ZJ>x%}FSKgRMG5@xb
z6T`p5z3Y(JuSHozHou9D+R{%0q0<v=58j#g{}7(ZY^kA|VReK)zPR}%099GE@!HQd
z7XCO++srJNrP%3nVXAD6(jHcNLoD4^!BehN&G6<e8NzO8LSJjP2cV0!YM^i_dd1QF
zEhXp}+t%ybL)Px!SCPW;*<{l!5U-%Y9^%`^1kv5zW-7x8R{8gwG=D5U(w+~4$K8^!
zfR_7L8TUBAE!h=5QWlYx0IwklMN?&<TJ!&$8(WJW0#zFcvfFiCl#~58dBp9ZCyDJi
zJqcmXil_5pnMeMuPxU^F_$_!KJw!`o)N`lLRN(j}o@bkuX<V?C7D&LQnpUR95WlYF
ztKxkwa*YqM-O*aH*RINu-G%`qdn8yalFZV-&kILJJCfNEe&+Cp&qF^?hA${5m-l(9
zlc}v~q#}=>1!2p%J3SI)&6m@pI#ibgTJTnzUOc=GU*<Mo6)t)?!t_X&!M`rVjtNe2
zR9LFZb1>NzrR#&%0DjqLVTpQUVfu#q9{OIJn8!n2zENkuZ{nQKy|Z_2dN*GGe3)?s
zDaz$<h^l5H3;BnFv`6~q8mfXz+rkI8+Lyq1&4`IY+G^ZY?ul^lT&mnhI(S%Td}>R9
zCe<j>aiO+PjkBlFkTe6_=@jV#zB^-Zbp6r1Qi^+FvbdW3>vvM~=BdA6Ru$ER!tEEs
zmd!4@_zmiH6q5eLv8TNXdmgP;AIv;d_j8M_|GWDmQa(;Q<DDAv7c}i$3zEcjn6L^f
zbuC!&Fv#Xz^E`VitmM}65b%w$!*zTf{=_oZuh*YGQlMAhw<4&Tu&y}l^VEB<PVT?T
z>03QouTGe-Veo|9lY{I;`zh-4ZQgto)9<Ng#=rjxIr%Rcd>8v34t(Q`C*)B5J=z;b
zyKK<y5BqRb(Q{)@I{juJ@s^#K-Q_D8=ix6g6EV{ayxy`ce3HxE)GRWCdDDe~;UzTU
z#|ZPY<~-g_Ahi3fPXYgDeVC)Cny0hD81u|Ad1H?$F`#7Ic=&?OLb%eWp#4UC(m4wp
zP^&=<t6A(>vkW}$KM$GYwr8-mrX9<fbph6`l#fq5Pmhew&Jwt5SAKrbXNBpQW#)EA
z5YAN}Mah2o$=z0nz!KkMzU@SBMSNSD3~HXAi&lQ_J7W?l8I_ixaQwH;xZ3@8pCzfl
zcbW{p7a|COK*3z$j{H>N5hZ^M(cv-;EN+#N9rvgY>~9Ik9h>zB?O{-&<;lo-nqOi2
ze;d)BGp)Pio!N=wC7hbtYo_%Hj#XIrEzrAt5gpN}eh3{Ts>4KmebVP88>JJ!QUXN1
z6%dhH9n&=ebuNACJ)@8|b}LoIc}sv70`grI!r1VeU{==uqsQv>d0M<IEvl`n*>l=l
zquM@flm={_1@h-2HEHL>MSovFAdAHU7nj}3e=p~RQjk{7N%VPSwSDk7-S1Bj9)S+E
zEauWkusyYsIUADn`-hvfVjlNEA2x0EVb*Di`#iQ8Y-sLMlels1PKhkY7?kBTo-su6
zsYBE{*(n!AsC0Q^eW%})+M>w{cuwtfZ*<KX^EZ&BFro9r5RCJQYG3Hq$8V3*eAmln
z+L#}g|2RD<9-V|UEI`TB7VFrbrK%6^s&KER!JHH|(NS+`MxBt`1Wi0Dr(8i+CX2>&
z)Wfj?BdLAid|RdI4(7uw<vq%$__gQz#w#t~+pBC~Shyn}O=C&MgFWjQFy2IgpEvE|
ztMhCtD~S~zBQ%Sp%k#Rt)lLJl1IxXVoOd`1IUcz~9nz^_(iHUhPg*y*dLTYihuUY$
zf9fctT&@D0ilad@0vqwuQV-=mdvwds3~_`R^F9{xT68R~FR9T#(&X8dA!Ly>BOQI!
zUK7b;_5<ykiS(T17{iBY5<zL<u~gcqwEW;0*(O^<>Y{68iU?hM^m(H|fs^;=<{**3
z@_xrlI=A|+^o}CkWX$Dd{EN`thH(+7D9vLIULK6IS*xp<-9*Yk@M_$+BWBqK-$4~g
vW+q-ulZkxD$hYD{^m}#HDp#CzbcU4?tH-BuGaX#><b=MCu{KWAG3q}6?S5^*

diff --git a/Shorewall-docs/images/ProtectedBy.png b/Shorewall-docs/images/ProtectedBy.png
new file mode 100755
index 0000000000000000000000000000000000000000..985a5de2716538f15077e5aba22a417df3a7bd6b
GIT binary patch
literal 4978
zcmV-&6OHVNP)<h*8VUda018P+L{b0%0j>Z509ptG0002jUqTZA003Z6OjJeK!=C{F
z04GhrF=F%;5)dw2=L!f1DpS!cS>7xtBqbXbGiLwFwv}XBN}-W=L_IV;EhVs@f|P}A
zg?MFDN<K73kGiUmG%!d}X}m5>u6JlxGd*<_AV`Rhus%IpU}1z%EzTkU020ngL_t(|
z+U=c*cAGj7K(Rw*Lj*z~h>>Ib|9|;rMmtO5^rfdM$(++Bw($}!Gn!S-o`2*YlI#n7
zhNrpwVEMYZp4R0D&6mVQY<>j^z|Kc2Ka{=<t{E&Z$5(c6k_&ym-~0afqj%Ytpmk0K
z?wJlja+RTQE^n7_4(#vaB3P$Lh}a4)lHu2a7Z}ZNqjrBC7t%T{<z)j`%4_VWrYXxZ
z&tJ!H0WA9h%7u8GTXEdL)oI<ewFF)l&+DX`#?s1*Hqo%Xx|n|-7b@3rE(=^*DItXF
zvg}6QBRsh;OJ*f+hU}NeNR*EK^#$eH?+M!%#dVzH5}-kOSqRXtvjKBt(GgXaxgdaO
z-G$e?^1dTI`vSO5kKk(HCumWrvut{quHe+qah=aTXgf~|g35DvMo|w2<gfnK1_!UN
z*9*So(+{pciOX^kN_IspD^Q+7h}_+Mq5yz!l?lkfgx`I1r^ssa!ney0uIGoB`H$lQ
z?P^peYw$T#UUB%*F;-R`Djh6T*Abb`aG6kU3RjigzB8_m=KmhYCCId~95}&E#FQ1<
zxb`wH(PPZ&Ja5`zxJ@smF@?FsMX}ruu7^;)N$hc46*&%Ng>*0sleH`W+92V-&f;PU
zVdQ|8<)Y?UU6kNU4il<ffBnI=gte0XqipTi_tT4!z8{b0aQtJqGR_An2l%DJn^K4d
zluHXy0V;*Yu-3W6!{A?jV8W6^tC?wVQRL7zM(g0eZ;mTLHB0}U`pJ6LAdTv32~xNB
z%lSjNoJhK<z%I(H24|yD90-Ee<qYm`mC`)ZWHbkvnMDq8wN~xWQv`L4aP{Z!hAXi0
zlw9)fcok9Rp_0*g&$zt&vMH#?amn0z9t><DLc{Z4Bd!B5L4HDKoC(xC461dP@m9by
z_`pH!h$CpC$EEck)$4S>T(AE^sV4gzT8>qk_#3Cd3hdF4&4u6KDc9Fm%Z0tZOw$$I
zyCtr+YwNn!!aItrA$JknLcoK#7_49w;48&|UWf#c5LD|5$bceBrK$lQM?(s$n#V<-
zNda<vt+KxD9#^P=%+s`2&kEB-GFuaVxyE2XWpI(YEO4o!AWzTUBzM7h_jr?V!E<#}
zfPU3k)n@ttL3PIw7c0Px1ha_@>#S`A*h_~C=n5GJy!wDw!0vH5SQb%a&s2Z~jvCK4
zq+=;Al*?A!mEtO_n`d#^3jn+dEi(m=<bW7)L7;|avl+4yG%qikHsAuA2|B3o4p!|R
zS3)aZd`6;0unx{qTbG*sF0LlVl{e8PAfq%0u55#@lmOcZAsgCH<#9pKR=^<&=LcN;
zcD{B!g@V=0SI`8DA*=%{W%h>D{|}c6xF8yn!@&6rm-cT}(VM}c-qiq`39P_?7KeP`
z-vZYPt-JED;DmJ9o1%XQ7sSMs%}a5E3+@m?ff_Z%7A{SkV3`ZJ;FiqF4&2P*>qlYP
z=g^w_;bT=AGf21^9=q>#+k%%TWAoU27#9Ul676hm9r?T%3_m6ccuW%(Q5sxQcOAZK
zHOD2$A<V!$cCf_l9@j?TbZ<PYM7e6MoK!kk$l-TzY0Pji%1{|xH7$cIA2Qu$-GO`u
zY1S@T=0!p244LAp4DeEL$-3<F)oak%A5pHO3bZJobzXaK6H(yegWU>|nED_t438B&
zyRABmeklp;_+gC&3M9kp1oa7X!t}(p1DA(BQM7g)Ff7Z_Aj<5^H>YNwp<Ij7{k>r<
zsU2pP!f~7mFO8_`RK2!v3Veo(D$8z3Qp{w1h2tkdS+css=%E5!7&uq3j)JET&LNsV
z72`s6%nMk&`0(YsiT^*YrE;B4aFP47Yx6#a7RY3)8#yKXWU_jBT&MB+`f3h?gYNe!
z4$hR6h^tW@x3mxl>XcPuQHmB<Nl?5JGa?W*XH^LbB!P;|(NXnT3W|<vhHD(Qfy|QA
zz671WzE1bP$AruIAH}uRX>mF=(b;9CHF?~6AuqXUhoMtm@z^;GxaI<<&B!#N=Vz2t
z>9*CS(X=7sjUrxLVJcZVa2SRu%+sSEU%+ot*C7d&sT?jRjd48BF7xKpU#G}O;8h1d
zy817ss{S{wHRZbGkty>_*UdiOn@5RQA==m)dR$SWcqwD=<oa5a1WthOB7k4jb<`A4
zfSu)B3U~u#WA&~DuARwzgd`Mp!<7sduk6=3X-x%SmnAOz@sHx#u!SQ#B(=cU7J?MP
zPUd*IlavXrMIZKC_}~f(LHJ?1)dUIV4`F@OT7e$cvQ}h4Tb>Ha<B~?T0ar_9=UF@P
z4sk7QVb9jeAO3(TTGvXK`fX;oR%&PGk03mbD4>ATG+nVaY6_^Rs;Urzu8y*5b;pN_
zOm>ys=+aAo{on#?7;rIk$-?60ajj0JMDkIHX4M==^Rpj`qM9aH221l{Ax68LW`D<b
z!F5=}<&EJbUfIfO1=pQy+Vwh)k1%_O-Xi-97|`p3zu;a{o{UjYHphj$z6GxF@aEce
zj64zM9`0gXiaG@pmLzYNQ-Wx;>r_7;w-j!1Z_11MqA;WiBV-U%G@P&eCEo(qCB-%K
z3?pBI9>&&<x>hkR5f`7a<V>gj)KhiZw0$&{?y%t_B{Ld1rNCBjA+P8|VDaVlU2&Zg
z^=XE=dSMJ~<pshhZ~<&s9dH$OQgViK-beE$rSJOSH+nHfFIE_o@VEkyXVOE{E!vMO
zxbigExO@*>OGiGQA0Zdn##YBQnGVZpvM6SK9hYO=_95c(S;$YZyu;1`+i1W$-+xuL
z;KsL?{%YNQ%j-4Lu6nqfc8_Z-tI@|fsKS?<R(ZXw;8KfnrgE@W8VM@@R&-%7$6C^0
zL+MgenH1*pKqRK`sFR@6j6rbra_!BE=sZX8|3UixxHnwu*6>uuxWo`TpB}@tEI!wb
zZ~IV-MuIBA73wvO?JG<UWF<Xbc-K_&VGzMl1u<G#R9)M4D&GsPEo%t8t}Kp(ySP<t
zd;pg}I@}bl?W0*~`)FcZp<V-U%X(h7wxNUa%T`>^#&)<&;+0W!JnjA21Fo&%NALXM
zOcqt9qR!6C_z*6s;X?16qP3=#AmsO{<;ne;N4WgO(XF%{2p2kdKy<5hw=hWT^2k3z
z8(!`Q*Lr#K)VpK><#F|_xv;*E@8ROgX5Cw_DmMAxVJcO%_V_l!#Y4@LsYPF-L*e>)
zm^Q84_5*ZOkzuK;BiSx+dG%W9n!e_?t%m9w?ZSRZM{FGzFHB9WXp~i_;t=;#bp*2!
z)es)FxH88qceNW{gL7fYc6K@A?k&x8;svTW%$2g*53Vg<QyG=DRK3ywWvt>luEwb*
ztoS_i2RL=<Y<;s3*3fndt`-!p9<1hMgQ8vo8>^Mp*RZQ=Ztl%PZH^y&hv_hIU*6dP
zt~YsI%iQ7u^;+dcj>jsldYQA={_2O*m-{Qhm5^D43stXCf*BM;L4KYqU3b>ku<l98
zV`rtH_coY^3LAio$5HG9*BgDI$75fVdC-Dxy^;5}7A9vR4g|WOKQ0AKmewer8R0_Z
zbGSIU{LYKWM9^_6HYdJ@QzRWc3T-rQFbXB+a!~uh^|ab_ZR-4mNh{FRuIu%o2DO6g
zWtp?DgDo7!A}UCmIIIe|y4Y{9J>7)XL=+;YSfD#3);0JY!XQ-i>LoVR6U|-V^1Rl8
z^)FH1lhTsEJ=EZE3fE;yzqXU)lq{ZDWGv}2-~pF#50UY^vk+2HK15TY-#UW?$O;e{
z7P&#l-0LfIG3*1^Vqj<v>}rXb&cb$hYpB8Dx+S<wU|ffw>k?NuU6L#Jxbmb)#OINi
zX~@8~r_MWrIkimrTgKDSv7=Af`g%9GRwle=CJ`Gb3Ubb{g<aQtbEqNUT22wwp{WX9
zG-OR!DXg==Qm5Q3UAL$;#QB7!_K^W<plmH;<7oi@df+<A*6#_|+Wh34*c3Wmkl3(3
z)ZmN%8@SAGLsBwhR{ONWC6jj4TjY8&b6081t8$KEr>$#9fLrVcpQbXbofcQS7hKUO
z`6e;5rIy$tRy>5O@paDE_;H!wsuNG+-cO9Vo?^qPF@Uwp5$ej_(!MHpMK8nbQ-mtL
zFI>s&|9NW}vzwq<Vk)tU^&_~f({W3KYn#Tc7r0CYv9f}lh(g)or;J@qA*^di&oK2<
z<woGCAvng>?g7_xvaiOLqX<^fPBa)D>xNXl-ovFlu4{~|O>lMdX79x~nRy0xu4dU-
z*N|Mv{z@B55UWPnPq-Ug%OL<qY#mtY+xwY@w6$gnSLK@sVq7-9a=5fFWNqWp)>TKO
z9Ov;U5WrPRI<0DA?cWEk%{_$zuq7`aJX2z*i)T<ifQ$VfTy_dGp;>LLDKnl%XNuNk
znuOT{uDL=byTChMW5488*kmGQ6WhodzK2V%;j(vs2$%IWNT0Ov?;BH`p&?!Cz3d9t
z#vV{lPsgk2bV44cx#eX_Dw0#Eh2_3>seV_x4!@yYgrhZ%VP*XL%DhhDHg@w#GR=2`
zYtjD<cf=V9I1_b^!}v*8P0!+?hBky=f4~^Zr6}v2NTW}U@i<Lpm#Uz?1`4mL@|h$5
zkK%e--vfS*ORqISMd#XgU3VYy45t`Z`v$JNpDyZYaI>Ubz40}SKIJCORl9iD*T4pi
zdy&q=<bM~}+8*%dbDwJ0e4t_3#v3B9-^5kB&WsdSowj->iAH**f*eE4mSC>Xgv>sB
z<@y(Qh3mA~1pfTaK*KT3Nq9u{hr(nL;VRRt#wM<Dp12bEU~`e=8Y-L3XS2?>o#0xV
zBL`f^)q#fFrgnV*SL1Vr2`;{ltF!Mr+DX~Cn~r=6jjycTp`x>yUb2PVA?|G339i!;
z*Xf*0cexI*Wbuk;m)%}YkGL9z%gB$>)&e$@C>FR(3I7;vL%<5HO6D^mwJ>cnW`(Vc
zWwd#J#p1;NZg8y(G^8E!a%l?3CfXUmnahW8xq4T!%}SNlyL7TXWk+3x{d1IElnl$d
zvZ;7Fv>P(FrwSQL#=^_*W9?cWXh;%7ZaOlyhIbL|K;)Xlng?(h`vxzin>?i1Yg^@-
z<1)SUw<_#TW!ro`%g$Df$;uAS)1dcLwrkkD{7!J4-x=Gmwey*8s2khw9&Zf5-o@pe
zem+)qJ2&QEpk3lJip_=Frq3SAgRdcNzad#!?mP;E%k<>iTe}F8x2$1YJ1qS`!w{6q
z?@Jj1Gx<optF*%>tq6N1+83x+a2Z{!{ITZHE-}(|<VCugGJfKgKBG%;><8C-0}9?6
zI&(ONxw>ecq&hsHUAbwaf#oM`L~2JI@)caRZ_2-!IaEYd7kjk3#f?8A-CMvrXqSNA
zK@w`i8Xn7dv_A~^4464IQ;=@5&OgW=!sTYgT8F@XLjyI*&vBJ@Y){%VZ;fN@H@fCv
zOQnvq5=WH6wYH0l{JZLf-C|ADxqcsQ?a!R;!jH;zhsSU^)9QG+@vUZ#i$-5u2CSmV
z^dW8lbq;A0yQezVO5S!<@v@Cldnll6%?rJ-cwQ(f9SWVVs+S@Zlg-4>`?$)+3bROD
zk_tD`P)Er_&BEx5A7PfR#gVh5Aty_MKVjPulUzP-0ET(sJ>c4!7b>>rg=DLBrMslJ
z=Alj~VjoVWA2@KWg%(#^`i^YBLs&fEmH3T*XTHJgbYz|uf8dVHrrJR@`GI*MYGYUR
z+k5ebUbDAxQ4e&r(h02M)cnoQzLbl}vM9IY8gdSid*SCK+PG7IV(6XV+ME}PrVbkQ
z=1$knK)r)&Hgd9L;BfgZ6LFLxE#kLPrcoyuD=L8D42J1Ru+w0Jz~}+LAA%LS(|6p}
z@P4`co46jH?-JEpym)zd1lI<EXl~WwI)N?5Z;vu3KK?F`TT(+A1}TM4CU*DRWi%b)
z*dAWB_3cIjXs6S!=dU7vY#(_$-{ns68@yz`+(*9O#D#m_CEupP#bJT#<om5~z_K%L
z2EXC1mgCim*<k}W*BejC7E)&8o8!s#o;-gc`Na9ImGP5!zN_8%qK0mzn6idz001<4
zg#B)9*ny~j&0U=Ja!0Y7M;`lrnqEvl;~g#7oBMpNZxZ&jLtJmn3terG8jiK8wONL2
zxXh*}NiJhlzyyaM<bDB_nMhyAR%!gkp&RW9_2|ieS3dSljQ=98l`j~Y^;!ECP#PEF
z>8vYU^0>{e@xyV4C{&OB7#StBRk5*hJFYovwcIT)oc;G%yerSo`@$8EpKNT~d7XTl
zwW6<r9|m0Ik=5#El4}a{wl4ho1TbHF1Nl$GmCg&TFtbX5tw=`t`~7(QxW#(<GzlO3
zU;D!HPn++Wf1Tk&OUXN@^}VB>m*;&qUl;!ean0sW{*-1!Z?yRlp7$-EJutLn_Ar7O
wiEpAWe+k#~+h273bEdx>u1#b=r}?wwKk@PbOEUE!f&c&j07*qoM6N<$f&q@(UjP6A

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/netfilterconf.png b/Shorewall-docs/images/netfilterconf.png
new file mode 100644
index 0000000000000000000000000000000000000000..6531ae265ec3e087c64fe98f8a249874f4bd1cf0
GIT binary patch
literal 43376
zcmbSyXH=6*)GkOb3#3SqDph(>flvkMRZ#)yN*4(wgx(PmY0^<bZz2#nAqiD_@0|eB
zLJhsQ8_qf3x_|DEZ{5XW5#E`3XJ*gd&))OworssZYNQWIad2=*HPn^$ad7VG;Nal#
z6W_x=xzD=v4*Lh+PEkh@2d5&I?CL!M_J6_;T58HTw|75T4TTBVCnPTF??5;>WYl-R
zxFe{5E9^recMTmCqERAZY966ljnp_C9CjQHWyLpMxZ4eZzicMKJVp=3Ufv^3d`|jS
z$>Dd@Xq~cn-S2ds-!YGbrwb0}SUcV(KjJreA;|lJ<CNT?mr=Ze_i2UidWB=3dkKDg
zGSPP8y?9MVX(#Y#OmCo6+!sbQ8y*gks27@+%ZB&keEPl`hzWUBVN6a-k@Mz`yHx|b
zAk1}JuKU1@W7%=3^DeRpIVg8Jm#c8~mooO(EvD%<!2g?-C=OvW4g(I};Rp8N8YI4)
zz})=2d8iLG;CK@qxO+i!yZxH<f_3x2U>0Ycl2F=qQ31?M`L{X9cCkNVct2?Yen7tv
zfZ%?t|G78Tj8&{_I9H7i`3t3wR$npt3%&kZW97*r<2D(G+(leYRkY(~esg`FeS6|>
z&~Y6Cy+-aNhh@uPr?<o*C+`V@A=$HyOZEcML(&$8RI22E+*Chy>Ys8dKaQN!5@}Kn
zEM$}NKWNjqkO^4Ww>o8(2^e&JRl|Mk%mP2`NJmL}Y&4maEzJ1)d!i?F?cY#KY`E9_
zkab(x+en9D=5+LZ_7-k7_`B0(!c8_3x!yrWM^UY%;d%>G4X3Q*u=$Nr-`L_t<by)q
zq$hEn2aRtRP^h$U-P?|gc>w~9{#L}uh64&wW#)PjM5;0nHoD6OyuOKkQut;;x)9cN
zzEj)?1M(D#WXg<b7V_p_nMhJ*2JEhac3+l0D4ZO;uJdRNFwX=|O8f6$$-MpL1PO^=
z<!X2q+3j+;I=Xr6yHY9>PPc-LffU^8rUUbdmkHqBhie0;o;TY`3d>uG3T}rrX_X;@
zCw4~*!8w9@l!Dc*CO*bQB(J2(fAjRH5hb24CcfF3x9VKrnm@gjkuv+j6Nkj^OtY{v
zw#gga43I-LoSu=4`<xv`qY`*^=K_|qoEt_>c-f@DzNc9t8xut%8yl|+Jt!a=D+5Ct
zTfL2uqp-|(={NoTPwe7HK{90vYZuri2ml7sO228#9<5Sv#S~OyK4r@JHo9LVpq+0P
z*=YeOdTjaw3kw13DEe9pnf1$Srv2B{@Y8zqpA!qA%lNJawExA?YU!y{L*>W((a5r^
z@q-51h`E4b>FdRI!<&P}BVQ5cB;7J+|Gfi&vTujSk!*;ocnHv<=}i6Vs6A5Q^h|3(
zj<_cJb-7q^_g=%+uJ=NF8d2GTjHkzL0qpXlfRYT{`nvGA5Xzy=MeHyadzE{5YrlIt
zYhn(~(=Yk5W1`7XNbreIwf&am6H2&Yx9`KLi_yxuQy8xsnTFRAdSI9*NEx#nE8FF~
zNB?tDX$8|z#u?|E`=tx@K5q2qsYkwdOjq0*3mw4Um>QmD_6?H!oEjcJAW09P?kd5y
zy!{3tUg<SaFnPUV@XgC;rI9Eu^ku*1ubKLqi}@weg_D-FcA08Flv)~Yjs2+INab%y
zgU=-R*<=ZU7bBVR9YT@zjR^wZn9W45&WPA#Z=p22yJp)2&I<vDYo#)Ja-N~5_w{5C
z7U`Q1$m^MOD`ytdmRz~H3M*S)7;~`JF2MirQby7o^^SRNZu)uvbF;VN;l>qwo<5gu
zMh$<vARz<z$^Di|X1Y7BE1wDZF-~UcWM3EhrR#yD$7-obc9M#&M=;pa?IXRthnt60
z%Jxd1LuopM8ZOk3z!_IuQPDa<`c2ANWzJ{C75=+Ii|s80;Cs0^6K`+E`|Ufv_d%xI
zyD1#G>!iXRiufy`c)c6ROs>n6z{}nv5$9&s+xE_lRF0CX4RwdnmPgmO<v^_xYu?kd
zPBz}bVhcFpxhXB+<Lz;#g69bf?}kC&PE%fSuBR?UD&S`O2d6Wtz<+9qQ%AhP^>Tm-
z*%^~*q-^qO+rZb(_t<SC(9YA<1$|P1j47e5Ky^Up$F)j7;>L|mN@#Jw97PQ2%FGS6
zS1zdGRn-ZOTy98rc%?~PLUGE26oHKoYc^n~L+J?9!{U@W(}?1l$ni~Le`3jA$H`b(
z;mOSnZtoLbkuF~POB<FeJKFcd<xPu|b+u^1R~kpz0&cx|nrTL<T{qnpH!Gt}$omp>
z@b;EYHjBCQKesFs1?~Qik20U5t)-JO9UN-Oy=+a}rhiQl&>J<j1BJs~3-7<N(A{m;
zY47E;=qBldF}At7eKd@Yb<=q7pn8cDF>b~L3Ht2fEt=OgjP^eGVG83g+~P#Ea(Jo+
z@|;RyH}cr+D8lUO3A{B$Kx4(ge`|YX{XxD$vx%Rw=lT->GC}6*k?93h`pneZNJwMt
zwC>6}o@~j%Wf=kvJ@887U{hc4JKsi%bcLUG`#+B05d0!5=$2!od*8frr-?&Lb7ZRc
z{%2ZUW!?Lmc#4%naLEOq1W!W&mA6uK!6%@|E{E?xde^$^j<o7bnSg^Mu}0^FkvY)S
z*@9ffI{4+_#2^HIabCJ*0Y8FUNH;y5S7B-)8@%nMG`&S>>D|r{Ao%QWX^^46!kY%i
z4mc4$GVm9YrEe^tf;%fNY?>#W(sSV<WTA(RqEey$=KJ!rYE+w%5E^BHaQT5q2<e{`
zfpqmX{@jUzQ1UAqDUAQ*(g^PkDffiZ-*p8=&<e3LWlC_OoW|`KXg2e_9b|E9!P;<>
zZZhe-EvRrVTSplN5xLohb2_si4{B2M=0Gdm7WFQeu?oW*x6{a`O7O0nn*7C<-l!y9
z#@W<FO5kcXrQfDXgx@x1yaSrw^;bTzgGmOv#Auc#u8NAZ;NRRSMyI<k;snkkFJJ0H
z;%5g^1a{u5uv@LT+59HvA+~TB`}oHULiSnn%HUg#a~^wmt*doU#GK;yRdDZv#%t%V
zqYI=%0g1{hU4d}k-bm(S<V|{7?Ct5K`30uGG*kY1tSqDHL<A;$-N(qX*_F=8c0FEb
zaW$bOa@D=GMamn)2Jl{*f<HNxKdwosZGwT&Q{D894Zf!+&rILNAs7W+%}C(wM%NM<
zVI8GSCiz8U%U@^OH)aija}N49AuU~}*}u|+Ha_rRUQDz3f9=0&v#pOkrOVV~t9MzK
zPi&{pp=dOzQAne^eWzk%METhgeq+-6K3_dV@C8zlBHsAjew?5cpOfYvR@F+8*Yzzk
z3S&7su(Bz~r0N6{Zh0IS|ML+xEJDd0oR^`_ws-xuvOSptuU?=ty^a(ws1IKUR{Od2
zkS+Lx$=k}fx^V|w<*(^o|2gLkxVeXN_;Z_Hw>ytAq-3piv&@S|rR61D7Dh&+{4al^
zGg;@%;Gg9DG$l>s%WnzrfTgmlyWK+Rl#Q>N3y*{lu-(8&VUW*H3{=+M%+CqKa=Gw$
z%Cn&CTjqJhHIv@i5!e@TD<th8hrF$UhmNk=x%nYLhueCXKxLRL>h=Rfel>PF?^(db
z^-k69d=q8Z<wzm$NJr{|PIudVzXpznZtqW4K;9CBUN^3}-^$>*7j{?Hcxkc?``cR_
zPE7+)f$v33%ADmY1KE07HVzy?ewqt8m+))n;Z<FQ+Q3(?(-%uB*bu>6hw$R_fu&Cw
z_6S7YA7{S$ytRM`IHtTZk!8J|S~gKY)~x&9x8}Rg^L5$Emms7>0z@hyXIqk`6Mh2n
zutOmHZ8AfZ*gxj;rq%^kZ{_&!JC?Bp9>C0fRtG(61J+uwP95R9-@n%$*m+x(aCD3Z
zuvt!8K;Eo4%O7?x7+slNtQK0FEvF>U2{pcKL;$-t)C=|IJ>zfsA@cz51&8sU86)&J
z8f=so^F{LhFCd<J3NC9gkojpj|KILDYhyo9cy<>b)}~>Z(<rkq2oQP#`_Ux5(RFKE
zCVun~iF6iMM+~@}bPnz|2CN??OZ%^HpO0@~`ojmz)%BcNj`Alm>s<uAE-w1RS@j3X
zoGrXgCma=|h~J{!Pmi505T}l1LYE_HJu62`m%{NJZVh8T`~I=Xx(a8HH&%P#?mo*)
z;j9ZcTCV1h`R}7?lEU)(;EPSgg)|Y1D>yH3(f#&q6Pd)CIHN&AChKuIw*VeiMimrn
zvSHsQO<sM5bPc;*_f2NJ6P$^V-zi(xxNkn&4)sO(Ti-t73TB6PxvuERo<x{_&mVYo
zPrxn8?fgLqf1F7cFNx+2=2fz9%uw>yz|9U966P6$YMnY^Sr^Cbukr<|+_pvdIyZs0
z2h2J*c2B6{yQ_}g&5SHB20|hSPS`?JU?YM`KSpJa-YVWjY^CiR>FrKZm;PHB@y|CK
z3pERm@YC-^E8WH@-B8ts4D_)D``D$h#=4yyZ43LyeqdWki=3!JI{zB=WR{k@jH!a<
zfi0-C3U_4#9Z&y>(iXs7=T~}Wb?1m9f1v=M%jikrtD_}V5$O5}#*uzLR}TiWpM_yV
zw9*|D8KQx?-+HjxKo=Ly1C4>{Q6`h!N9VL?rpu2$E<Rfw?UWsQ7L8|*s0}wF{|(D7
zqRDn2#hEk`ZhV^(^ZB#9G~G_rTU<z-^P-ZL{>b6)GC>@R*6)uQU8^B379%{<5lL}^
zteaPCx0$zITN9<+?rDM*UKAp-r}z9dFx$vcqBnu(lfpwP89Qk(&(qy@1^<ir&fEPB
z$G|K4%xl9zh@9`=&8E6N_`=Nv7^@aa-(rR~=mSr;L~goE2d_pZ!aURcHsLA2o5e1t
zksumgkKH-=d8pY*;JFOa;<m>IqfYq(5HQ%VNk-^gD=ilwVs>lIikb61^x8N&*}v2s
z0m)NBC^H*fFQvNCo30;VdJrji8i2c9I^WoHVG00Vs+NLDqfmh3AkrG&!!f+-Y}vC3
zKze)~l(lyRlla;Dn4v1IaH+6tLH3wpTv84te;89$%$w5y)D67a9w-g{26W2ww)=aO
z^ki4I3}OMe6uyZ0d?e?05o$PallZZnZ|ZwdC1JwfiR{UH{t@1Rr6&B%(J5s&(~%as
zw0|!op%(s_Ma1ezT&-oK&Qz|#?PCkr*ge&6F8eR&6WC8)i*5>E99<4x$)_6-K4P06
z5t6VZ`p_l=UkLP|dPL&3jFepWeoU5rIoot?;`8|M;I;I!=dVIux0Pn;)1gcKbmUpa
zs5^S)$7@~;Dv-5jV4>doS`Qd-<CzI?J$Sm~oN>cOCw+S0>8U4MJ_L~FPQRS+1g1-Y
zFRo%)W-m6L@aoNLNv6&DUH2CUdM$T2%1quAYHi;hFQ6vjyYo4{UygJ?Q(>G-*ZDp~
z>uQXDTwmQ;J{=N%83B<u(|$NUv&H97O8kWTH`vE0g66$&=Ex=W@ynrf>|KUPPoq{(
z0F6Si{3JZsA=^D7Z%|p<M>#wB`5Yb<Rq>DYk2)9HJy%~zt5%thdwpT;{s>A`Dn-Dw
zCBt~40<4J|a@<*UHoG1TJZwMtR({-4%7+ig167;$e0yhQ;mz(_0y1HnxxHxlds}<^
zF;MdKRyZSAN$7})m^bj~sacJQR|9yZ-ML<UP_UqVAVa@1eRsk12(i_*Z`G-HJH?2Q
zKVNDxx#-2U%XOaIV0$WB7#^??1f}V*vES77EL&%L%5d~XP6iwYTRN)yb=G*8{rckm
zo4nJ0NxIl;!SoS=6}(_mDZTxplLpP&1;5<R*B34+!VH4EBN!+B{gDm4;?napqzvzP
z3}d0?3usE8m3Y1DC1#m-Ls-7Sw&_ewFJYj@5Pt;z&$hS#N3UhbSmG^ONlc;E9_yiU
z7m4vu6LY^6l77QuvHT%Dm5r^$M16&CNZ9CgI0(uwj&+*eH(v3nkEn9C{z|QCe3+Wb
z_mubs`Tct2EHq^^9p<sondjp3TyUz{+6daVmhWm$62E#8hR)zfcPt~$1HC3b81Xch
z_KG=dp@*eKK<>MnUN;)obb;4jJ^CIV;Jj46Hq4tJS_=g}Kn>2`@<m8HU2+YZ>gq9f
zFiV-~YY<>$I(2s&xA2{=+p&AJO5kZ-di1)OTV13p{qZ07kgjM*o=d+9W>=7LiH&>x
zWz+rN&+v#880*MCzwTcTi4MK=+qjRFO+jaY&KLLm4P~kV8f#bZ!4HM0+k489x9hcP
zo7WMsvQr#{h!EU6UZlB;91<{@i+#Ith-g~mrO@fgiHAorrEdPEnn?ZbpDt}qxqrEf
zpkP(<@85=(Um1<nTA%{Xt|{64^y*(px!=2EHiB?PMO_KAKs0RZ&3OMj2sR*pjy4_+
zANc=kbuR^70L)8+vJXobrarqae12&6Yy*dm9G`JrA8mfIV1c;ZMX_nmCCpx*F6fE+
zkj9h?<Gp6^q&Euh(D_yI0&$;|T>D$FkF*+p{FR!Xi@6}~>8Y@@!_wt$;Mt#60RJ<t
zi-E<RNoTZd=*i$!huwPbmx#msSW};iK!2aqgM_hU(n>!};FW1PBxLsSDsjeLOmaTl
zODTW0nA6<kd3%0{R@mRyqaCVs$RQWG`b#E#@16NoF8yqqvISPOJYCH#Wz?Uu{m+X;
zMk&`FJTDZ7(H36v%vtbUo%BdBrgM-aFZRZeEr0p&G<^`DwjCR|y<c`UZ@6B3Y!?6t
z*az+}3{ZLi{m_KBQx~GEj*vTA>pU@eO-d+E^BI`xmcl>drlC;bGA;A^Snu|N{uV7V
z;=GEbJWl$X5a$QIBA%)Dva!_H)N{hk9kgkPx%Y7rrNx!Y$Wf1{#d-4t5$n|;o2(~>
zdFOmC#*7hm>vlQPu2tQTYs&nZeK<K%kj?)nxB8J|0_JE|FVlbW-AseVeIK9M35EHb
z%+b-++217N<7GlUg`RlTitvLl0p{RZL8m?13uE#XZMU<rU0IdZ{gF&TiG`;e)o*=f
zXXjO??8#It=TA--R24SVG7!x33-`l6Lo#w(H8i5>{BLh&9~*~rYWV``;Jh~*G?5D_
zO<P?Jox5_UP>_3%w{xRM!grVXcKefahabJ!F1po2+ES;KgH+DlG3BDd_E=T46eN@$
z0+6Lo98m_Yw8q|EEeGxgUbl~znO`3To;n!km6-6-UGOOw-`Gc<_iruuttJ`9r%q-x
zsM1}ioD5zc)=nP%Vm2Q8^;B0;>nb-^?)NDCt-{gJi+avSfb2p~i`x_MrqZR-g%Cow
zM=zv~VJbX;>~!YIq&i^z=tr5{i)AJ1gXx8{ZL-^0GG&(Q138lHFy%?5%(Hyno1La}
z*uurKGu0=ztcCXLi%5&xt=r48?wj+4tNNXhzJpTdz{tF<CC+f+2PH}k;LlLIjPr^o
zf!Fkb*ZsG9ItaRJxJWh25c9yj@R6{#8|-450*<U=<<E<FZ8TTz{h`2GbRGHF1YA#k
zU&BYC_jVuHP4~QsTK537q^4JYkZw3%f4CNLsat=vLxCY3E+WBkT7LX&gXmiNay8Qg
zBO#ay6{J`2iffDT6eSy$_SnACV?oeu8t5RD6pqvw%&(T|6^;cmbJ$?{HgO0GufZ^A
z(1w&Sp-0xX`*6~65^apfFUsqc7f-b<uCC}EZjXkLtcZp!zi;O&WwIJC2OB`yG21RT
zg@dEIk-w#M6!II8XHN6FH_L-BH{9}>qNV(HY9{G?k;s_)#t(t<PLoy1Vn1HZ!J4!2
z0}n>^gin4p?cr0MjoePR%s~m5?!aa2LssY@`jfnImHqBP(!w>V<S@VYuK%eq3_*7q
z`uGA86`=4lxoQ3u=~yxAb>XO|a6=Y5s-jg~0vxv+%xE|cHNlUs-jTdLcNPZDdY^Mk
z7ogs=1(}gU*3TBquE%EfeGNO^H)?`D&zEqOzPaZ_q?akJlbQKIdcuigCr?-g=AkQJ
zo+ynV_1`)+sqW6D<aFMd%b93D?z_HSw;Ue3XtGuvPU9tgxA>AeLkgZ1Cg%D0q?Akv
z2a6KSgg(PW#=kN3V07>8X7B2=vEbJW%6uLRQ)Yg~ph>sZR|=}tL<`YMnO0`E%Uc#_
z^cL!f)!*{_%@G1k;MKm_!J$fZ-(33J>&WWjEeC~^*88R9J+VOY^P@ufYrEUd%vT(U
zCkeu~2FG7(M+wZ`@?lh&=QXRmMeYxNVgjz(0vqZU;=wlAA(#4UMDB6y4-o~Kz1f#G
zN$HdHO}5}oHNEjZ98c^@32m}Yz`eu>ETx$)<+{{u;U8b-KFnl2Go&mnu?OG7ka4*g
zW+F8WN950YGpniAHBp!acaXP}Yw2zw>%~goWp{YM#Utd4{<r=&*@xA*Ih4)BOlC*E
zYj8WdNy<p%V-uC3_}2T|<{KRXGTr3Sd<!89<6ZHHs{@7W)rFhVg#uq~y3Dmk@MmEX
zHw1z6u5{q$SW#iX7GLFSkNDPYUhkx5ZvdaA=9<X9U{tdu#r$5u`1xmAa2Ob(gU#Jz
zY7Hy`|87<5UWW#rQLYy>QeM%sP0gG8B~KhQt&GwldX$TWN@FeR4hRsLOLOO-6JrjW
zJW8<o59xEM@Eo(7DI4lHGgE*X>)$*MTy{6d#s;ey5+E{lMskW7Rh|p=c>J|Y(<|Pm
z1$onU3*N~T4^`Zxhjn9wxq!FlOP*946nco7c;IQ>nFVIy2R2<$JZOr#nLn9j^<%0T
zN&7PBhZrZV*7Xr1kjk4aA)fDD2>1a+GcNt~CJ~;&g7_~>oF-m##rr>7p8vsVXfgKV
zJlr!=w<IAC3XTx94AiUdK!dLM8cZVmoTi<eoCWg=7X9rCX>;+^r34olgQ8FHK629X
zZ(4mN(zV+PBft)8Vfd8|;uOx}ELe+UV0kY7sNhTCwI54ej>N|L5<lwgSfjNv4i-@v
z2tTgRi3WWqAlHTjufRQN)X2QBc6S6~BlRNqALmbsb^fCaL|NDY*k~X)fFWq$xK$wM
zzbNA=gNuCT*6xqq(Z`IB|4GJJT81*XxW{BHR4C$Sy}1iTa2Qf0@D7lcRH-JrX0m>o
zx9D}|XKZqaGXT>S(OokRb}goaCnt0YoCvRzmx~I9RQ~B?%35Z^m>1sfh4AAY|B_DT
z=D1fsOh;Bn$zYako!dC1gK<TNz6YnLe?xPPwmPGRYQVs@ByJ598})=lLkV*3K@^nh
z%|*(yXY@}7UI;7Urao=2QqCDaW|Z_btKK8R&Z$rC?$N|uI=pIwn5`_V-y^BbGXHqq
zU6B~cxX~--`{C1~tKJ#5JFwjH-|l1cgYS-fiXIecO;|K6@pk%LlS11gOzsDfMfA8L
zXT{AT$r_XAd4J6bTDw~jUTQ`&D~DIsAO#~{Q9S;-)4S+|U%Rpvlvu(tm1?wU3&RCz
zui1yQV5QnE{#?QA0P6|*iR&p&K-E9j^PhBYLZ4At1K1ku<6|Lf)bG4zsw#acRC!PG
zk`ZD~4mBK!j+27jXKt$U;3{6RP%o}TvLaWHVU;i00;KmsnXpnFwGL8_3EFQ;B9<9~
zD^a}5=J&VP_y}J|@(JQNy2^Nb5Hx%P?8mjA5TF;bV~gib*TNSeDyi`A`t~qXSq*!1
z9OU-ik?Lkm()5bj@|A=tbety|^S>jt37_x)qmg6`0typLA4ZE3a!LY43wES9$!PR7
z+N1dI-5tBMbu(#N4cCVBnIF_2xANDp;>%61XC>U<2_SKKVVGJz4s~gVHiadtxF{P3
zo;QdNTdI!V^xk(?{RQ_zTQ^Xg{yY%~xrUhkv33ASegrI;+L4aix_+8KeJnLEc@_}E
zrf4q*5(8avd89xs7mR_c%5gJ}`Jqp+J7?+&YP{xh6VPnEh6ozfcqpyRX={<<{b(x*
z3;$EQZH`kgd4%}o_I|dlI>}f|*jWfkTg<EBGPgsX9b-+dM2Z;aC%SV%ed)ouZ<^=l
zGyDdxus76E(CfXqGI;D3?OxRYIDh~3FJcC){xW3X`e5jbsO3%t4rCJrED%bAFs?w4
z`2cX5@F$76K~f8T@qw^liL?Ru7%>F<TJpi?m<sbG^(;^lZA&&Q-c<AWGTA(~0iVHz
zZHRdt<`O(W5D{{BhS-Nu9nD+;WtP>OaSV6iI1ZsiP;eI-Buu*OSJoVMkMrMNLBRuz
zK?7i2zI*?f=4Y&>>e!3oU=iVNkhEP^hyUY?fc*hicJ_aVe3HVGLzSAnK>H|_|6Tre
zfR#OV!Yo5V7gVL84;Ayj166Htq$Lk<*#EmO9QEM1L;v@!SsmBO!XxNRaKGrk>%w6$
z65ab78`by1B%O&-ek3%Q0WXEsTa~#??({KRl^9@^N37#d?BatWdrKpdOguX^Y0>Xi
zIMOLrgeN@Y>+LC*36@+P2<jZe!JecsuuF8UETOFyu?GydmoEJmDetPFfAxv7I@?Ps
z8uI&iLjdhiVa6f-xDwQea<MhaCY@bk>n*etH_ENqt5`iOY254n7T|*lzU|z0GO1BB
z&J&#UR&9o8+;>Z9rLi6gTy!k(PbH@5D9l)|tzJ}E*IY{RM9pmK3<s{6daX!oadcMI
ztkn<FgGMg9xULn(ZXh1r<M=!&9K0RI=Ii7gfb!>HhM~wJ!6Bbx+WsuOn^6IW5431;
zAIX9=v(C8f)kQ=N^Ar7o(#H{u_?(Mo>cWqJ4M5M9tbc9TzT>&wC0r}k^y3$thJx1S
z8Z?xYqyyUf!gg205Df;imcK*}j9bk2bQ$T9T0LDY$W@Catw(422XMTU83p{dTYT%r
zL4Hs5JMMJ!Tc|7W`DXqpXxmB%xR4RGY`a_Zi)-8H*#|L3TR)jWj+v9cv3_-ji_v%<
zMWATKtYw}~K<VZG)B=bOY0vlc9Z^+5UcqA0<YE$J)4G#Py*@E#)2T~^24^rdqd{_1
zk>%s$L*hMw<Iqc1fLYN4u2ccc1iK9Vh_>%i^XCfF97ux!DYp9tR?cZR4E-e8=2#ly
zdHtI>Qu7j(do>Nk;JJ=I8|N<;DeQTx%5oVYa(ooG8fv%}jQo5FS3+a=x_93FRwgDA
zz5m{F|Ht3?`T2nX3SW!cj$>>NU*6}bk3xv-X{5Yl2lp}Y@*XZ;uITsrM+^jb@jwc^
zqjShb3G^+>*EdBy30o!bd;N{@+(2nM)?zD<=Y<aJ&^v}Owt(B#Ge6-@hHXnr7KWkA
zQs~Lot!A>1Q(Ra_nD%t$7x<7NsMcvdRj+*MtRbbr@4@>~h0L_E{<5S|kiI=HK|wsC
z-#trgsVO2Q7XEY}_oqyK(fXXAd2|))cCwa6FXk{`H;+SHrLcqA|M|!P67jm&zLAEc
zOU>GnUs{rb;E5*6t^en%{M;AgTQbEezWu)hNptiyhNGB8e~vPiX!yyi(S#Vf0N6v$
zQqkXTV&qs%IB7nHmYanOz09<p6eEZw{bdJI44-q8`otAyt)X8xUHZht&Eww7=fdnx
zo(>}@GfC*Hn+Fox-={H4C9aimc$>>yuc}6Sf&l7D>i3e~a|urW=u18@Qt#IPd1kWd
zwu+Xek;yc+t5_FDnNB1WCGc<e4Zl``B$$(A&h@~bGQq91(#ab0#pHhq(PaB_<0TBi
znKk9$?Yv^i77}sXp`7TYItDjOw=ga~E?eQEXikv;RHC~G?NZ~)M;lM?@~}3mO5SU&
zasqQGQpcKavuDZRW2lKbSi^$`t{A@!>|_QLtc<<EtcJK&%?fI`Oe!)7Wq!&I>@F>4
zq$aW;ky=`$X4oLk1Tv;p59}{x&~868i5KtNhIN(Z+dLX;h)o5&adOjGQ2+i_kHT6A
zDMRB`q*Lca$wwc&EgWSWHU?&uw+b1m6k8&Xqbk$lyxcNYW$d>tpRAialkR-2$zxzx
zCK*E$u{Pk~n0Wr%s&ZHta~4Iy^Nom0kLk&z9Og%)<&Kb5?KW_Ktg@~+-Ymqiy~HFg
z!xES?R}#tl&DR(QzU?IIv=Cy0vnQlx8d}EOuas}U`7L-K9K%0c^}C<TR{uzURoH~Y
z6C(E`W<NqWgOsNlGg9D!f*JIA{n#g&6u0fgxIzGfU6Af$@J<as=>Ui4L_1BpT<?Ro
zIbc_W*m6fpbLXQ~S%LFz@aF~-LYJo1cs+BJAlz6<+5*=}x)z_N!i2XhUxGiaILD^X
z^0X~lH<Sfb-kp&~9wr=DplO*-&i$xJo6EkvsxY3cx=nE{1fLTh<@WC3ENYl**~sf5
zeI+3aZ$+kKYi@vlZ6KD%d&2r!Z<=sAK^a4qs~w~BGtwclGFb_l1sW1cc|30>3r;be
zBJ>~?Xjsbqv~Qw?8>MUP0@`n*S(P<IK0{2KRYME$$Kr~RQYjkcUUOsC?lkc4ZdArI
zy<yelF_;>LW)Q@2X#9EjM`dTUw9Tg-{uj<zSGLv}WFB`k8~Ixkf)4l#7<iipo;0`n
zh3GYYz;`BG$4`EDH^9Mj>}}pIGog?WAFU@9(|Hq0N{tN}aR~VtQ;+-~#|b5Fy->ZW
z!e%8SOxikCJ%m<Y5<q~}VDaQ1MJ3fXr#)w*o~dMb(XJA{;HSEh*HoTVA>1j+ZBmT`
z8{X67%=u=zY)t9U#cqbNKO455(Q(0<DT9JNi4W}P>^W(&Vkd36L@vjCz-_G_7?Nb^
z!s^4I<t@|fJo)P1v8iFyL)EXy_eQjDDcHf+{VSS#NfbUqm#qNI*zZJ`v0$`G?~GmM
zIvOOd5>FqIA&rRGSv7pqn>vRgtf2e(RH(2n`fg5XU!}N`rVo=+Oyz1QGO=FV^Za(4
z?U(wF_eR_}M0CGo<ME)tzX)q!rUXlZ@YeUy!ViGS*8GHOc_Yz84I`y=19SB{U3wie
zEIM*xXGSk-{3IAGNI56vy5dc|pxTqu_qxE7HI&Wq1QN+MInten;*3ewdq+|cfq!cz
z#S3H{QRj)RjLcS8XNG!)KmlriOZ3{o!qK(w`nb}CESR^0zo3&H)D((-K^o>hX4h8J
zrg}Ph7SrU)B!JI>+TsQVaf`HTLT0Oqf0bP!-BWLuw3(mE@;wnFO<jbDSbnXddf(mt
zqZjxZEnDhunJgGYC6rJH)WB;F?Eh-7;OaCl|6xWD&*UNf+jS%R-z88T3yS$Q8w--M
z7vU#Ks?F7X`YGC)YGxeG)NGMez)eC8<fcCT$0x~oh8()d2<WEqu2jO*VE5uP-{~kB
zC4WmG<C7_~rh5Vw3N5Km>0Aes@z6Y#s=}{tR`Y5;#x5srlb*Rhf_F$|7-x{E{Co^!
z=AWpU)SM{>0maoFNGp+oubAcZr9XY<j(mNOqPe_Zex<}w6rU8Kt%TlOs>ORP8FK8*
zTooHJC2m`f^h&mf#$FtMd3nf?)(Ao#E3yu<mNekzsngRJl65~*)wj>=d1YnS^EQKo
z`pLQhy&devHQsS`2f|Iy`$QIJ5O|_%YbIpi3(jZ*_gaR@HXvBeD6D4k+l)h!HplaT
z^g9cz%|}&-#KsWBi80w|bKdb!Xv@*S{*OKZPuJ?)`_;<vJlUr6rkvou>4Y2(;9NTa
z#6@X%vyuxZuS|D^N9f76!OFu+%c3Z!u8AKz=*@vN;-vl5Zb<IpL{2p6nvJmS01($m
zD+XT<)yu^tMkcc8<w5@z>N_x?SeJAogxrYQpD}|7MGNcF$2*oJrMrzE@S=N!lPJJX
z-1PZs?_2!Rl3HnmzA_xk(Bmt`iTCGcX%o`-5<+j3k6H2@4ckBmU4;c}q8&ClZLLJt
zryk)kyyKwZqP0!zvTh;LsWBQk)cGvioPAjPX*pwA(2rn2fWSWbhFzVD){m#_dHUoO
z{$E(wSf^HjP{GFWu8Z6cbJz4oKSi|afbaa13aT7Jo?D5EF3{WYesc0UPj~ss4zjbf
zm7Wwpt&+*4*NX@ju9qWphdjO#Wj8<P#tUtb=8sEc>F{xlPJ;Dy2paSL26abe{vium
zpznQ?cCcQXS8Q|oK6MyREKW#ET=L?@Gb4_NJ+8bj(9^SeY4YsdZ}^BZhpC_Taoisi
zFWr5x{_b%nRLuNup6sQ`CC}S6QOmE|H=|FiQ^%yWD&0wc6RP)wkthGcJ<vrQoo?RW
zw02*&Os7lMJ+oM5r<oZXt}ceG%gXcunbmSO%6$;MS(_UJ9eG+d(wKY{KHjqmxp-ra
zH`4U%t`<x!#>8n@3xz|N0dx5@dpi~m<TYYkkCX|a<Qh*B4*S|^kuTMV;6VVS?u-Tp
z)6i0Na?i~1QF$luxdcK7?hchxG7CQM`0QfdVd2$+NbP12thY%vJ$Y88r-I%#UHPHr
z-i!O1?MGbqRBzGcz0nRtZt;6wZmvRz${KWxgE7B5`iHW>qWgJK6dwifR0*LpK0-@m
zp-$`kk-SKF;A`Ljubt=lAiz=AO&)+ud;Dnnco-Md0??g%a=Q7rGgdpo3m-O>{JE`)
zH)3h*m6|IMBK&8i#GfY{1P(8BQ$6VYLa0jN^Ds~8N-2ThbqX$1c5pu3AJZ${kd+Y0
zDoVU=7IAU$HE}{%8LgJTKnh%*`k56HC{hH~Rzj6So6>TgoBgS0s!FbqCFM$d{`-L`
zB=p@+0*hF4Y%GHq?M-jAidO3dXqGzxBzRu8J(EbAkl-oAKqS+C$$8ORzi-jJ3jO}^
zuRCuk%THr5Mh|f|Lamkfxe@yxg+V|SAsRRe6tOJ|??Z}RijuPGq-dG3O-nvn<8l|4
zJVtG#mfTyWh$kHVWR6&^3)`X(-FjK@$HRegzTci^|E#jgq>QO>WSz&&7oH)U2_25^
zR#E9GdN4|=PG#zQuf#vcG(UPr_|Q}<FQ>yhKR16MO!=mDF~Sgw&9OLo?=6*1O%9?2
zV|4;SaU8Q_&|$>0+BeCgL_rc_j>o0$JmH#|9dig489n+R)pQzA!}szlh$(C}+}2z5
zHxyHKZ&Opo0H5M$YixDnyVCJmX{h-U{7svaP>!$OFgjr<UQZ8-#U?qw=Vu{Z&Mri@
zQCW@jfQk?D?S02pe({Q(f?bVaO8K=|1;BGoZ_i2lL{~Z0X#I&~UWZn)<I%HLjeUZs
zXiK5(?VOS9Pr;$wBSk{GjukJ-o~=R5d}UK+&7y2RbeE1~-)|E5F0E3UD&9Hs=G9{t
z(w}P=%;;xXtlZe^?NAV|H|0#$?gjXfL;;`k!_)wn;WK=%7|??k_IK3H4rA(CW#dWp
zAflPXUtZFY6_@p&%$6+P%WGmZ({B*?WH{VDFXqaSU2>@vwe?5+YB{3Eo~*S0Cr2}f
ze19cx!%yySlsa=&32q2deZqw(1d!^4-pQi|88qn|g?M<au?~?5Fnc@Y&Fq7hR3EOn
zXA(Xj=F)7M!?*XNmFLYHX?K+w%LwCpx~fiep;MJBe4d%T)j!AvTswWJr6q+4oGQ24
z?SsPjh9@Pu@}1elWN>RADbDe&Je-XE-jkx8-+JL1^6kRX(s)5&=s^$dBw0nq=?7Sb
zb+$n*8lfe;MaTQIs;g-~rdHo9My~eRnp=fk+rn}8s}wECD3p>71Y*XP&@OHA9gZ29
zq`3c%A04mrrk1PA4BfRI|H|sK2AH{)Twd)f8Q-7sS+VzTU$|YP&5_(aH7-Bef@D-l
zw3xHwrPI1>yk11ni~~;Jq8ok8^d8Dq%;Euetb+h`H!z?PeFiDVR*I9RU|fDMa^(Zz
zqqiIzJ&z>YfPOpM(zH<;94GEo$c(TqU_#jMNtusH=5b=H_H$ZSmpHo}?qq@tPCEef
z`2^6h?-j3y@AK-qhEFa!S+m@odpuKEq}?eh^K0VdTgsqI!psWlR+-ajv?wLa*U}x(
z{rm)}5UjlFKjJnsFBB}+FLU}388veh?o9L1)3J{<y2eCHya(=pgY0c~2M?H~qaH40
z08dXk=JGzV!4rsS!s&~KS(bY86{rDA%eJxZf@fm{yU?_-vj&M8F6#ux*w^%@?wtr5
zPsugE=+SZbpG^q)`xa0m9^T4NT+grG8*I;U=C*f;y38;rQ@k;wVrF`46md&V2(YFS
z<_dg`gyxsLa2+%ia&lSwFfb_}dMRY1w1;?^db(P~8Jbu(>`=bk+$yW{1~1`z9*wT`
z!@UwqNq^?Hjri?{d|BAli#juxzcChYYnvw6eFz%<2;f!Z2z|CN!#Tccv@<bp8--92
z|4?1DjkXp&b5gJLB2hfi(Ht0c<IfoV5rQwy2NB$H?Eq8=>I~@@L$a#0+@`x;v|iO^
z^#96zxf+v15rz?F684&0SM{($WF&R;j9_h<&lCdufyJ8b4tKe3`*fPfUtaI2zDsF`
z9lKXyL1cD~0gbi4oB8#mPI>V`4*69<kaM)?{rw*@l+BdbAe+IFuNZ$~L~)W^<m9<F
z+G$~aJ|BBUZ@d^UmXVQJCB|k~pne-Y6TYyn%yihliDx|<1w&Pl(p-_4E9mbiiKW*u
zqNfwYcvPA2L!2ut6Q&&;{9}Weu9Hvuq2(P@B|unS0B*N_G(e7d!Iz~*b4Op@k<{XN
zLvV2g`+qs?VDCGw;q(mmKLRTeOOqv?D+>JExi1ZOeXhQfa{WK@tFM{()MVmZScOs6
z_`gS<SZex&s}sw;9A}hm;d8DtCk2@}AX(Mg{z-@*wFlYH=Bo)GC*=;-)d8n@kzYv(
z|6#SQuoE-+;(urRmq@#?#*v=<-?xemTqj!@HuT;8jg@+y5jY`+$cSOnzLP=_?&(`u
zT+<*?3OuG#(DF-pbAt;;Ud@1`b@!$l{pUvZA6p-X@1!N`HmilG1N;rgzJNBEiXO+?
zrz%FV2M<2Q3IMQt&<7%u^E!&lXC316*Q$idZtuu(X2-Jnk7<mi6&0`MQZHIY@W(v`
zrOMpoZJsCR#__(jCrwz+a|v+L7q}kxPnSpotUnVW+&iE9SbqlQK$m!2i7?TG|52~%
zA{BHdkeyT3YW6e44Ju<^@CI=Cs4jxUdBFS3-vJQFK(SvIOFZs2I{8y?G1SE-)7&ub
zG|G6TdTb*_tjQpO-lGNU6OEzq<!<~$<R&6?Zp@!o2Gk{Ag(T=Yy&~9?rs^CF_AKhP
z5m}tHbVCVgK?`w`Cz!opz8`2UHS&Q%h%(kw%f8R}x^ZuuimhPGx-yuRU7nt|T#G+c
z@4dvZx(npJ7)6K&UC({6K6W&Ut)B0zK=~i5@`UHPaK3p6Le->)b{Rh>x>DO)dH$lm
zo!nrPXJnt-K{$>;1a<tiZm~V#eR*K~V{u_Xrudmxj<}cHQ(>(d>h9*G7Nk|;a_|m$
zXv{_ywVg0h_mN_Jef+N|qEgE&I;>)rbgg=gkvR?&Ca2@^n3-BFC71|eS&($jX;jRI
zF{-(mMx4f>v7mf$U099(Inc<FSujpVCt2NNf0!sP2B^x=()^elTPU?OKCr7FS~h>i
zKX?9h;1q@Ni#uee_!3yI?8H+@z$d~%!Q{us%^>xafjd&(o(`^4v5q9fmTu66u4|?@
zE{J>YL?3@(5^(N~fG#jjagPvshPNUf2*wFw$$1CSH6kr*M{;AgT)wXE;2YAgb>buq
z@RX*VR1j_ot|`oP<c~<<!3Be#|3L%qg)f2daddQj%*#{awT^ce7$ZUpVE_B#@#5qs
zcC>2*K{D@6tthG-DS6y3b%z*u^Ri-+zyuZ<Nv@0K0oWB8SZS739Q2lqD1L|-i<@DY
z3xJ<Vm~*_^Kj(^cJNPi+@lMAyw?8S;K@OB`8<9$M0h=>322GpE#8RDtSvDV<C7XVN
zie(6A{Icou@|=9qq9HF^ylPQd9;-z>)@Adc!<?}htQBq!|IqE^?sN2O*+61iWN^CO
z&}3!mS<lS-gqd=H-PXI>sR?xtSc+q{6b+2|fkvmPOQb}_%g&YbaHij%5@GbU%o=u_
zMp{th)<*K0Pe*hzbFDhQ@8X{!)s38Yl?_k3Oz9@WUvTg4eeyGsfM8+ei(U{|Kp{sO
zqf`%6)~;bS^fU?C;k4CKUzg`2lrTn<T9D`w@?ii)!>H$?lNly*4WQIl%TcW>KX-#d
z^3P*X57`&&(@jG6(^N><Zo0x5(T9Wb3S`YVB-m;IX)&C1kZQt&O#=sSp>8-`fmUn@
z>#6qp7*_ulLQYYR2V*lZV|Q~Ayb129hrAy)>Q5rZ2pB9a6R_4_s%lZ@>Q-WizM*Sz
z925#1T0FN)A(BYxN^_c7VT}5hKC!{_omv4LOD&hb8)2_kaf?5#Dj8+$K%Z7besiSC
zrv=D7<6iBQ6Nsw{#ZNT#v0q80`~;9yCDA2|chrVV_k$@y!tXK|G+5Y!G0--|AFyvc
zcu6P!@n_uFG$LO7xQH1^fXI*t_)t+|(1`O9Ol3!J4o`~X+L)UW5NpN7;&=oWKtak-
zSzG^-F9&?-rp<y@k6}C}!mb0;y~A#$HBb5Iv8B^OozK=P$J_=8g6~pkcVmhhRJN@A
zW4oAESG%h_ik~!v8(oU?Ha^B-WiWbz-Bu(n7-kQJ96fSt;agoIIZ2O8O9XI?Kgl6`
ziN*Y1);NPOQ~f+oYQRMK!ADz;sMXX@wka%5RhV@GtmJL)VB_PQfTVU31<j8aEdmhZ
zU+xYQKq1p2tgjZ*t&S(*iYN+wZ3NSHEFmaL29=I1l4HjiVO5=Z%_eNMc4cg1=uhIM
zHI$T)-epdG+{n(cJC5eGy87+OI0Y1>m1}}*Cn3Yi?#Tz7Ng=zZMnV61lp5^ejTd}c
zVwofDZxfRYLMLxLWWraY$I@C85m=3rj<z-K^_i<ve7k31%sTLo1H;8`m_j2$_NbKZ
zh}-oBl+`yh1~9AEO6yfEJ)E(Vx(OmD<mtq52R`HSiHo<Il!Cv<XUDz}>%zK3gD!<q
z+P-JJ1wQP0w3M7ZBY8;Ev<}sp9~s^~SQnH|e+*q*F{pLiGfv|!-of1CZ?m=>)52S1
zk7!@3q{G<nOe`(+F@krZz6r#;&vXsA%G1QtC`lP>UBMA|In^vNEFcnqefX^TkExRd
z(<k6!mq4``5v_6vPp{bN1JRS9EzP;P4>SzG$Fr{v**p8vCPMRaXSHw=O=ut|Z#-e8
zapF!p1nL^nuoF!N7aZ&>ow4bw5h}R&21l?BtfQ2J+E|Es_4^{gH(qYNqrq(e;9I5X
z=%8OkyJ`*uK*i__lR?77+gQJP)Q@ulx@i?6tM{yX-aAOk)x?jnEv$#i*?*drOSLhT
zq-N!#;dqKMVwYh^rNAz{-DvM3wIm9oG@aem&GlU^hjvUD?qlG2uV&j^67}^){G)%=
z*jMnQXV{aB#zIgpH`qtuyA{Y>3*9E^LiGoPH{2)hs`T?gm^pU(H+O3Fjl&bKkg>%5
zS01t=)PO*KAec&THmoWInV`2fVnJ=8S>@q4tiF;;;g+E|k5x1U;YV<+0BYFB-6-e?
zB(cY4EbfwcvAeUgv%T$-wY5+ea9+`?7Hdw{;eRuozl@Dj%zTB%9L<qA?39knwU2U_
zu_`oaYyFCt!G7?06}WLAKM^g|)zF}or)k*a^VYrRqTB{OF_0u;Htn-ZcV2aPQanr9
zbo<^E)+a{z-`5{Y@UYSVGqh7Ue(&{X>3~>1hG|bqDeeW~6E;5=!bS+DLWspVM!b`R
z@&P5z`*)Go^E>z|cyR#G(PNvfTi{sSWmxZ>zL+44epYeXK)(UOCp1O>X?UXFnkrr9
z&oI?>537(^(>CeHZ-8`Hn14l@?Z%h&b1Mi!!CEmwK}s|QQg`pgxl8)NSD%(se?SvC
zXJ5<%rt5cvOj#UjJ9cMOW@^4te}Sa`q}E-^Xc^(kS{Yg9?u5H}EmA}1xF%Djs?xTY
z@hR`b*kOZ3twjrwpR%kz6<T!fwq!B)39EQNus6iJ9bu8{-mVYAdQEnVBlZkwV{C=1
zuk_W#7oWrrYc;9Fcy$X{4Lq3oil2-!t{wT<8z{7_ernzO*1<Vhk}AShapuUa*F738
zSOWnm{!?2ZO>U`xR+y_4RcaMnZ5dB)79Gn9%!YPLY)H~Mnyy)&6N!q7dfq`7)k@OS
zcP~)fV1~HJL4JDc`b$&U{Jx@n1^RozG~}Pe@#=tZX8#6<E*)aQN`P$}Yj%aWx)9Oy
z@Wdv89d=_9;n=Xtz{(6R`P)79pq|A1@0e2lR*i?_--A+=@kgrsByDyLZ5GHM1a@0O
z>NOC@B*MFKgqAqc=<kA&d@ydTyYVPkNdwUerc{uMO4`n?=eQwZN7beVw!{CzSKPnw
zHENB8uR?(Eb1ZD$G4d!;ob;_Poe^rTl22(m=WsGi3LHP(XEwVN8XtDyfYIPInopPe
zQ;;FNyZHQx9X9p6hBKoE7_|dqoam$67+SIfQJ7$<pHN5bkw~~qSwkvmH1^QRTd)Au
z?zZ~SaO0(C+ZhF|fsDW8x2~vx$DLL8qY!VJ|B1neXt27$T|q_4c^*-BEcQm)*}JMe
zqa<u*v?kK}qYd}foll!y&QLVIQ;nKlS12=UE`A|F_cNY>?KNqlmR3@%hanNisv-F|
zbB*56r#WLu!5b6G<avC2uQPipOtQ8%4w4VaLt-gE4`6t}8jnSv<DzClyZ#bl9f0*6
zdfx}Iw&NPSFpl9i3@u9d1m{v3m}e&d7v*d8>nHlcSL-@VA;tr6_VUnwDsT51LROJy
zXHul)jiVRHA6lYK;p|^jHkOy~>0uA0Ij9%AZ$&bZGGWCCSDd(nDAzYsE1>=N(F=Vu
zXmQnM62i51Y!85WTo_nAPOIP*{(SQjXD{`s6;jzYbt1xvP+UKG*h4kry53OZjh7gp
z$?++A8%9PQSSnz{)e?K^hKtn-hO`=!$WnymuqMwlO{{K&)cvO$WMNr%bxIr9b7cYv
zZqq<WqDywWE9CkWC#l+af!K5o3i~bJtE6|ND=tqZmFCtBtX=<LEx9?00SkwWq;y&T
z76m+a!m4%+Uz!(@=dQSGAL%082GK#-GJIFf1pa`vMBQ9CPYt<8Q@3S=DjUOZchEPX
za#B{(l@eDPZ2eJy%P|Xgl4pv0CM(sYT~M;tv`mjH2iMA?CYk3L6+_vM?ujW!1E?mO
z`W|(-aRgT))UY$f4NE2X-PaG+Tl;oX(_&UVBa}^6xb=@CEC5eN9;cDg6xo+Q`=!I-
zS<8i6Bk^YK0}<1N@sVhf2?)=aL{%EWU56^Qvr#dI&82F9B~+l#r&@xr#S$=U&Pwy4
zUcsg0wD*`|<ERVpz`Ht)rrLz@PB15%WP#(L_YAe5*T6tVw-^)ZZPCb+jo$Jf-qN~8
z)DR5+#s{lG)4u>Dw>2r9jxB{=TX=-cU{;_o%E%*_rDfqDOx7T}Yc>_@>_ZS;j-h<O
zD^l0j_Et+T<&*YnMRrZK$=J~jyswuWSOhaP4N%(=#M9-q=DKf!RwUpNrs_aXafu8P
zEYa&L9LF+b`nhNt&hfV#N5s%Ko9t(E5Ek_eU#z4yzBl)+zdwtsB{<P<{Hxb*QkmOh
z68=A>0DtS_znxGBgKPd!54PeYE7vSWR7F0KuRvj-ViaXIr(PUhKz6L9%{cd^Iee)P
z&(|oJ99;}a+QR5gTWW7IonrN(!>g~ZFzvB@;;M|eOAY&m;(O7Zq!A(hl*jt7gtKZu
z)m#PlbF@Ic)>cCIo)Jp&0H$WlR;&}pq8%#Y-oK-~LqgY;NqtOGff}M;OMPjJJuZ*D
zc?W2hO<@jSZ>ySB258CJ&OJ$q+)jE%cfq4m^D8oZXYh%<Gn3UX8C6AfaI3-6B(4mE
zI?4O5C>i12HGEZcf2&H?)=3%4{KMGS-_^i?z7K<dtHN^X?6}QLU%4oUL^|8(Zw;OM
zIK3|CPWk0#Ex;nxD9U&=_;<TCqqxBpx>)VN%*ImKfej>zsfzpnZ>3!XeLiygJLzT&
z_fb}iY1Ow4J8A;zX46L^<mgAunx+65X0i#w5Y#hj39_P*s)^ngOOu;#U269>3%W=X
z(w;KP03H~i%+nbh|5h`Gq8#7SMme-33Xyc%*i}OX@YIUR8yXtY(^;T<ci*51*ghD}
zoeUvRxZNJvAK^@a%F%DCJSoE*P~lfO0CPnFnj;5Yy7%=N_x4Kb=a#`lti}Tkwp;Z9
zG_MJo&xce0uiM9Zmj9R6-$uJdwa9}B_YCCZm0n7%VNnF#C+)3-ww3*vTW_zXu}LxF
z{=II`5+BRDa*!{|Cq|Gf(=cGhal{WS625MY*f9{A-fZbJkc@PuBE)D!p?au$X1D6&
zKsBdrE_E9^w{?E1L&omATz+%Fz~6*|+<5^mtix&Lxfb|4rv%GcPtjae%>$~YXNGzn
z_ml{FFoYX_9&=+Q3``UBPo#<Zk*3vxar&KMYhmW4bgya2E$S6ujH@(Bp!sQUrU?J~
z+{f)XjlR*8^bir}#+H#A{a|g3CFFeIH>qM{K=HWcgPQ+C+gpZJ)pc#4G`QhHN*biQ
z1!<(a1f)w^Vgs8NQM$WZ8tLv3q(hKyB&CrO6_w}Ah41ry?{}T+I{(h!9c!;S*O+76
z;~w`ITZ4ZwYWUEA(YtfHv>8QmFO{CaXX(>bOluRRrLOLj-k;3P;gPXuadtD`$24+;
z^i*l|`Wk8>l$TN{BLauVB26A&>`?LuN<C_Mv6rlW2*oB3n)IhrU?XaGjci#JrrR*v
zmQ5b7@;T`XmQZ}UwkFsy6Txd<!y?xD6r&y0pq`wUNObC5=f>B|5QuK3n7lJr8Xdra
z&~*7iRzUk8dusL`I9up3o}PzuY(8}cd+PGifvw!AIkVzih4!E1NS@*5CUZ~h7QxxW
zl&9N*XLrRS4j}CkQGJo&+X+HOWY$9L_2P*S^igBB`2`H&E8@7UX^M1<s9XkpE=o*=
z)e|9BBaN?!33eA%SUw!glJ@wq#15xmDlya^&pWZ#;64U*KXJ^4)_9QBYjN%w$M>%*
zs0w~Fk6=pgf)zdPR5GI~Qj=`KBi$Q=5cSH+hwygid)T+r{a*zS8kg8L+Z7N74_9)`
z(P#(6oz_PTIcUYDs5qW#{0Mr^tX~o`JEA%-6;3%p*S4Rxge^AwXq6lU7^C<>Lcxrj
zQ!A%O5o`XvyfZ#06@mo)AGroc+qZJ@d9=@5?;W5nnn&CqJ&ap2%NPl+$*zbN{+<{y
zxnoYJT<YL_eGz?$Gl>C_CyD%-WhsRG5??8z`^`<*#ww$VF8w`_?fw}SVmjx1?U2t^
zT}P|~%4YWH*(Gjza_5>_jkiRN2&NrUIO>bxNW>4pkFg*N>}TJD7o!eMe}3EWnJavp
zr%T^$x}T2wfr0kuqN8MB{z4(bYeC!Ma6_ar_JwPEJYok*RHr-z^NbQ4qKnMmdKaYf
zZm+HQE*Df5`w>S<K2H*IO;Dt99r~df%Y0a*g?5mFEH>1p_fn9nwL_$J(6nrGcf30B
zyr|DI)^bHsgDkdtsCYs4q;z**CT>qCP67=~eM!Y>d@2+#M1`SGiWP^mZ%)6WP#|HU
zZd+RtjRpXjn8;<{m+nN9?S6+W`Y#dM%Sh{Ig*>kYF&gt!OfW#Ry2)Vs)!tjnxhJD+
zQ@c5i*4?eP*6*%ylTc>5DesiSFrY0I4oc^k|5LSg#i06{v;?&vr0jl=U%%s13rv%R
zngU!!DJ-7aScu&zEGLl=_KZOt5B~8jsdW#jHUZ_X_#yzD_!vH|cm)v-g4CQ)lJ$qi
z7Z`KXw1aqAln}F2Vn$lj2tESIahwuE$|(JOS})t9reEK`NPFi@(d2l%*JKaHoF7O!
zcoe`rk6O&yb*adzGjL8lmZ;L{f2<u4bo9Usul^}dYp!dsu?K;+HtkSbda9sW$qL&z
zNFPxKmO}L4yP8Vv#&S*=xPBm6PG>@0oD`<hqh>Ru8<WUsiL4)$`b7jE_x_!&IY8g9
z;$qo8XgvNu=u82l_U+|ExB=<d>W%3>UkwwR3sMh*SRxi3KhmZmGREUn5Tz~leLkw`
z8hM?sp(P}J_(d$1Gi>c^X_m?Y<dp%qcUfV^OW%ZTuM;^gy;g@fo-dx!q`y)Zu`qss
z!d5LcNDNxYhekQ&iu+{01ncItrzdsOoxoKWNExKqGyIeNMflL&Yg_<U7i-E6lI#78
zQ2qCWG+Z>14)9P<A1@083IVM6(%QUa(sj^d%+wY=5P(a79zm0s<eoe=DEC`QR@>Wa
zEa;QLZ~>Zjgrav0h5L8n`wK#%_Vb02OH;T#=H^@A<Jri{sbjaglhSlQSy5x+e*c_A
z?wT*T4K?Rjp06pWOP4j}(HsGgQ!c^uC7{=Ir^&rs01O;S;+o%lnWKUm4X*DWK#BUp
zv^SAVH-S>kaZhv#Q<Hpo{HgrS2=)5hR6wZSJ;_FGU;ExvJ~#R5<W&Y~Yt^H&4(5J@
zuvT*Q1d~NnllFKZ??mE;s<{hVKxXZ8R<;eLZ0rY&vYSNU;@99di75}!V}<9ilQ>Fd
z`>#g@_$7GSWY4i8Y@gTJXs|M$&$<#wvso&ejagOWU0d;dD9>UUYRgiIhC85U&kn@A
zh~e_yG@i^bmJ_bNBPw7ZJvj(B&d_{XQoo{Km1F0^EH#Rw7%7W1+EpaLZ0Sei1&o98
z$G^t$DH^0%_RdoXcE<+f+O8i3j7z&cH_4pAwa1_G<_3$JjG_%2E9-Pcvfk-_&uhSz
zSR{diof(gUOs3O&PG#M_<7@9PJYhk6Kc=BaW!1|sf~o97v9+Q_${cXI*<PZ2wQ&xb
zfnh=N-@803ZTo|k9(9p~Y<2ciL;5qieB)iWm^M2o#av$LpzD|8OCUFKgjBeiX;2Cn
z-DX6rW>+j@a_#W*D5cAv!PU}<xX_6aCna;UWZr_t+t{*G6+4c;1IgHuCk-fCn1aI_
zl9dc9>xgp=CwdDuKuQDBkKFC!X`n&Y=j(AMA`mgAXF)}Em;|qOUdu$I{H>svzsA|P
zZ2K8QhIfC&zgw5p$7DPHT|72;QbNGag!GawXCLyZ;jWVUOAeD((le8$ivZ!SZE)gl
z{rfp>>iKa@+~iZ$bGEJAwfu^3eksKV;T4&{$CO7-;bO=GZE#D0DYrP{n7o6E>!zIY
zjZyWf-fnwHfZd&`H9`C%rS5dY=zWvKm5;x&@X$j4Nd)v|8{^At_q};(FQuKAOub76
zzV_Ko_4}F#O3bfcl-u`0m2Q+h&iNeX;5kil%pavfAa?OF&c-h{>}$I!rT=m@G6lUm
zu}MFK1?z^M4~YvnC$fa~6MV?M;ucWSYVpNQ^i2K1m1ykg;Kd17b#U)>>p`=xrV|u}
zPC}y<(l23!ozZNjQ9V!ir^Cp19VKpO(%M1CP3^6kLHI>AxCHmpD@3Si!;@B5(*a%8
z@Go7(ZwbEo&t@w6V>foke3dpOiPR)pL#;>z$qNs06HA`FBl$6YJ*u)U>+94tli%~h
z59+AstbPWd<5WUv@POT@NOjn}$t@kW-`Y>wi$N-n$WghsQcUlRcRZd7TstRq>7K;k
zBNTd<hSHn+Lr=lox(_2&8*z=yI-j}yj%}q$-P|=~x8~C;YjTS;B%gnNO-b$WwSSuZ
zLLH9|3z(%V@Q+5W&)UNEMEZTWz3r!_4-*%Yu(mSX#+En}TTAx?cnH5bTqZIea5;0V
z)>co!9AXSdIJ~JcZkG8>?i?EDYoN&{4Sxju*-+cEokmAmQ)&~#Fz1Xwwe?RH7>*sr
z8Kv!bSd+En*VpsSibPPFoyq5al<FW-o0H0@ckQmTu=rwG3C#`gElK{^cwiNzAY4S|
zTfs4w9narl<R14JzioT4ENbd#<XcL5ucwC;xDU$tDn%jnpsdwr>CufX8}CsHvV$lZ
z@Jj2;B&i&#WbqE>Okiv5+9Z@B+zs&#=_TJP>`2$+tsg<;`rw+0i^=xY-e@?<d~n@p
zlRnY%H-_!-XR2?)1Mq+i(V+f#1y|CsdRA;LxJ6u)yDCIpbMaDb;fZn2XFA)5Q>dO?
zq^#b>imhv857P4Jck(cz9<1-=t=1hgnFnJAWNI?(>igzT3;AZU#0ZzAH8{kJr6tM=
z$45NsXq&Lsoq}OJPJ+D1>Ngl8ds?MhecoBQRnCekRRj|z2jW6S++BI7bDD8F<q<+I
z<=yIOdwbEe`R2=~^Rv&k@WT}8t~Y;Zg=4RC&QQ5K-4X67kqy{2tE2ge?ro7<IDLR+
zA_C_VSnZ>{m1j%|)rdn^Bhj!?HaWS2VG9ltb`$r{LLZ=rnY?+R3-aCZfy&)%Y!p$_
zMST$RA%>NZu0@u(o!^f9Tu?7anUFgYRau`lKJ6<*4rvzWX-<&W7=vTtJ2G`a4(O0v
zLF7&^8@JI&;BK{9UpS?dG8k<zw76%{9<rBh(h-x#sk_KgaT?y**7$Vj!04=q4!fIx
znG#qIX(IBfbDLEb$voe;z8bs63Zv2(lZ^Eu0Y17W6#G5XpzoY@F%|L(Jhd5jf!3=7
zyN>-UQbVvO!f@TnvNY|B@;j;Q$0bc@GHSh?$lPC5Rtt<RYhhJZe8dEr3MKwq9Jv4~
z{_7CuA+Y9SqCo7S7Kr?v+}|M^&Db9aRSsC`9-X)yNQ(Y;RAWFUfHR-qW=Z;KfvwnX
zp_Ml|Pm_m-9~{hlGUwE|YWH)qTHhVr@OIvyGTTk!O<Up+BnEJ%QXu1uOq8pAFTk4{
z?um5Dlm}}zRt-ydt?JaXhxZNtQJMqkubXH5IL?4F4F+~#&$o{*7i(e}MmVfCE78p!
zdD2IR0<L6k?g_4yDkJ|=y9{<?b9yUp_@*rH_aEVT#hbK$NVO1b@*<z$=)d7;M>P#c
zx-A_Z^TZO(tfURUEAAIjuC?Gj3M-E{JX17tZB`P{SsBH@u^cJJl?S*Y9r@K8crPla
zOvG?R5##b;X-XvNThlh#1S~GnL7Oz^vMJ&Uw}bim(k~xjx$YY3CTH-u)r8w(-Gkk&
z@d0;iS6(9|xY^Mlv0#Zn`$iJhtIP@(Oe9ZmWsW<1X8U5A7z)F)h6ew%%ROVa;oJ*$
zk(k5ZnnFlFh{I$47;`}G#_J%w7uW;(W&tI0=O;r95{(40O}@;@qEDcl@dzn-GvLeG
z5fh@)K#g~RMZ>DG9%1{!W$zcBon_abAtE5g^<bp<$wDc6A>Q=Rz85-yE3l|xUf^9+
zY_3+WDGgA$-RLEHGssA7`jRa>*nO?6DE18RN0O(-#hRNF-x*ZNsGn-F46{rw0P&RC
z+*{V(y;08R{%GTam2+LGZXaZ(_0|Jhc}*-c^k2*=GvTO6QY|s|3(SAe9uw9lTJ7nP
z=LNpcx!>h`9pMT6mrBe&@a{yrs{dyz$f(pny&kL)B3B8mk={<Kxtq6#Fp{i_;H)T&
z<8Hzpj)ITl#=*#Xdzb)wzOpkFH(&jvF!DO!;hhPPgA|>}mNIct=jBcKKv#~|Yw_%2
zxvv<Fi|$P-`(^xLGx@4VdQ+O?wD(E%jlk)x$e&XwqIB>$@Ps{3vg}RLMk#7&DDud9
z=~Vg%cBh8`?sW~Jq$I0&MYSF}GJ!*`v=&`CTJSMKapr{u?I*|C>-xHS^?T_-z4)z7
zNJ`A30YvW}+h{#ybOg0!p4w_?+ei%z36t0Z=y)Qg&tB-I!5luaVNah-z&l5=4cGKy
z-I`h>`uCe*i3kUj#XGEqn^H9PY=;0HLPHcEK-LKo)**?f-SuvIRh5;El{03-C3dyM
z+pRo%!EDs|I2tYOV9&XL<rw2F0+gcf{4bXOmQ6s^?mk^qT-|$P${KGHkSq(6^bACn
zy4&PTaG(NVh6z<K+r}C_D7+<jXWNwoj=Rw{yeV=j+Btdw&l~^{#{y?sANf?=b7FXm
zReJPG8wGE>-^%+&78Iy5P-ESEI)uQ2j^G;vFj5<~@WuVEgre&H7gF}$wk&ZI7uyOQ
z8hK5kboqK&kv*&qxhA#_$Q?Gzc8^n$pcOg{BDqhHX?7iJxgieS?QEw%XD2Cs<Wa2o
zAf=UHWJ23<^ft)pq`iZpyx7(M++J{bAJh+fK0%4^r)c`SCl4rd2&F4FCpZj9zWR(Y
zf44j*kk>Umch<hyx=m0cdog<tV?F_SKl@SnNd5X}HVutt)mt<e<L;AYI~=O51D@o*
zZBi)o;SeVf;#58W&TG!4-EfP%BL~I(VdQUDD`n-hZ;9-_`n?^+R8!y=7V)5*FTmyn
zYn;fvNhFKHgw}@^4<z}-kTb&hbC`%>1A|4?fpzgYSw+scp{+`u5hEr9+34{~XlvqS
z?+6}4E?r*_1CZha!_%4RERl+a1x~LF^<Il)i1*GKW7k|v%aH&e@1F`&OITq;Pc<T>
z?*HF3FXt?d26*7{WUwZB#BSa3E8dic#vbn#^)M`r<bs+=heCvzb<P13GqE-39@9j(
zll>f$4?<!6=lvFr@leP(lC!oh1__K}Qymx=+e&ax$e(i#9O9u$-*p#29vq#bQ-t}b
zzC+cE3(==KwDZBdMk%Bv12M-gj0FyB&l$vvG43T)P4i%TkwsK=Q%z(cu2UmIm$aMF
zA|RkuNd_EU6-J|$G#gc>8t%_mvF(=vs+^B=7}QWA%{wAM2;#4@3N%JJ946At_K2C+
z$JXH7Gk@v=PN4ZbaO>HdGh<u=kT9U6<O8!CIu5$nw2qJ>8=_EP%yeUPYeZP#jOTN;
zEtlgAt@IOMkv5Y6+D*L1dV1Fbh=fA~EaAbhly)3WYX|SbB0W|x2DmgTc-5(g=DRi>
zob4b?PZlVw@+?7pFI&bAVP^fN#b8-flQhOx5L1BhyWP%ecH&|BO+^cCB$pq6>s(7x
z96YtBcW&`HCk2Gpa~`}BjI^WX9(6~L`-dTI(ZkbqMyMks>@RXRfa-m?W;>iuB9t`{
ziHbQnTI8l{_v=U-Xcibh@&2PE@2Y;hW1cf$hs;cTkQLN>E7F0j6!vjbN%H|)c`ytU
zI%)opS_OxWGbF-0{4N-Iq?DY>)_EVwEB+RysrjK5I6*hmhGL><;ckR3(>529i4&=|
z6S#NB3vjZ^d4Y?3`Hx4z<c2&-kS_64!^(piDX*3&tOnivRzt|A^vdm$uccQ{ov07~
zn*-K925Y^m>h-kAz5i4UPfBgSDCacP_Z&ms*Hm_69adj7+~Pp{D_qMPhfvOa?*0g!
z)=^&n;Sv8AKEp8u*nE50iyoYQ*tr{&i9Iy;?;dd%#2f7Xke4lfFOccn%<%-H(wUV_
z^$JTk<aD<L|A-A$2CAPO^+H6nYvn4%GZFqQ!ieDm4>Q|Yi<x_g40-QbvxWsQjy%{C
zAqIiS)}-)%gAQOqu%QgB=nAItainY}ziec!=fSi9DpMB>Qz?ThRN8aFOn;=wP)r!`
zmadk-id<zNEBew8S<#C|{|A31Z-<~%Rxw8U+t(^@p14YZ5)1M}<e>DM_1S#lbTDQK
zIrnomk_GtY1xOKv!zkM5gH{r?OJzip#Fi4DRL>lYmJ$Am{}|ugFlD$bWqQrkcf>Hz
zBL$d-fP1ncJUmiRNRo0zmuK%MBJM>C>iU$1TK4SIb>_w_8Uwg&k0kRQ-8YymW|yi&
z-FWQ5hjgQYeq;Mm<esS@mL9VJ6S+odM95YHZ+@|PWiW%E8;=l53o*@stgu+%=Rwtf
z?T87YGNbbI<v5qN{@Rh{Nf?K^mj(J7%+Dt!&B8-cc;e}%4N2h&o8oBIJ@Y&4BCM0h
zrI(;W1fkgRkiTB1m%?12=vzy)l;MDOQQBr*R{-^qP$DBWGvs-CKaBie^wQJ+AK!yx
z1ZU-T9}yS{8QqC2u6&;oxK};vSkz5k{;Z#pZNW66|K!<%;;_+HWfuM|<U+)uBoFWM
zBGWFEot7#xdz{mUP5I|#TYFiPjY~|7Z9_#`Oks+seT-LF-YQiU_=<l(F!E|xJp;p2
zbgzQhXXJvzFDdBxAKRFxi(6ZI?_+^y#}8O}xByp5N0@Th?Vu2I-OB@8@A+x!6kTqK
zFUAo$ps+)OLDC7Dx>)ms9+9d)k7+ua{a2a*)ztUSY8KS&)zx!w)zn7ZvVZE7vX^=q
zZOca)-VoywNYfn{>J~lH4UOE`{9rO^8n!}!3+Z4`c>w4_jbD|DTrF6YvI_?26|7JI
ztgwlC{Tt`RgVzhK-IRHJ;E78E?<dXQTLuW5H$^bteQaO@Dt9i*95JJCN{v@)>!*ET
zxkW_t6n(uAgf8k*Mh(5Ei(I}rxMK%AI(}bX9@M>l@J*U9FfhOXn5q#ht%A`|7{dr{
z?Z_GK$;&q((eJ2xNoIaWZa`)0Hmm+;3BgsXp{$G^@7!XRQU=>4^*Q90cm1~@FQp2+
zRCNO>JFQXyB~EN!Lr1(j9d_<H!#mi6XCFdQ!Sa%<k$$xeeENivwjX>K(Uv3L&E^pH
z71^+P52QtBJ`|qVth2HYUDM4kSk2^Nn&9e0K;-@|Te+y#e?}RAv><^!?h{f4ZPoke
zd>N^f^pv@!Syxiw{740szL_e(7^X)Vj0uyVK|q>m0w9Ptt=7*M5h_0UDr+UHH)8}x
z@)fd-yg`9!RxjqqLJWBhQQR1a+6zI27n#Q#m?5Xo=B|K&{+dU#mO96PgZb36@0{L-
zaci{ts1i@1ltPBj|CeT}<57+*9I1o`@$w+fd}3}osY_4MPsLFqn}!2?X8TU&^3Uj+
zOtH*%U9#EErh@SydRKO%o=F12omj#~CnD#MiDf)li_5)qBK8TKP;LGH<~Ci)gp?2N
zhFN)%4t;Yre*b%Mw@{%5{kiym)w~2kOrF+?w5p{ddl9z{j-(=)L)i|$(cY19gwHyn
zzQrp-=ipGUCQ{wtVe|3oa@$2QyV2J*y1S<RUz^{bL?5LJ4?@HrbSgZ6^q~c}ur)wn
z-yub-+hJ7_p~(l90>B{U7a0Lm4=zz1g&<7uin+NW#6`zD0^I#Q*Y0SlkXv7}Q|(~8
zuT;Xq@VAU1a9p%YGF&{hslZHi`wZJ;bwy?~>3}`nFk|PwxqgZ}?Nn{p1L?&8(qV?6
zv~VWAiPEXV+YPY|?C9Uzy-BDNB{Th7%VUG1<-$=D)=98t6owo{3nux1QBU<95xu`Q
zbu<b&tc2neUT<tv6_Zas$x3}qXOY}?9s!8#iUDhxXn2K=AzTf(Z^J_DTp7j##Df?<
zJVnSu%aZoI2IG{^)74(-F_Tvg2yu-=W)wc@_}|$)h%f&trV4Yl1Eteg`SFjD&G!Y7
z@$!+e6kx#2*dVK6*_sos=bF^pDQX8enK@F^P*`CT30k0CAH*ktaf}I+`Hvp784Fj7
ze+XLPwKz7ipeNlx1$R=y3u*28*##e_;QCEcPersVHoiRPRZu*R{w#o@GNa5y!<ZMV
zioAySZ(6da68vt=lUEmVA}~2w>F9Zje1{jCx(>7*xVxch(J8knH0;ll>18ET>GiA4
zk-=k=f%FJ4GP`6TtpqSt6ND8Ck+Z@y6NjkBB8Esv;3M7OiG30EY><jw(Xe@>g9Q5@
zY}~$j#HV(@#r@&_aZhG$nVyY2tJfbk@(_6jbkrnBy+DrJH8@h|kUfisf&*Cz1h2q!
z02PGd<f=wAzt;|)EBmJ${t<O`+?{omDLwfCpQUvDE7qZfWe&NvL9{q4)_zqKCLuzk
zOf6WqWWvD6I|f879s=*TyQ8)d{ZBicSI4?KNYPCHIoWVt$(M|~$TRHb^%sVFgO;l0
zC2x`ywpv;H(<ynxFgX5UieL5Ta=hl~Pu6Tg7@UP1!;=Ksd8?i-<etT6e_^XHdk$@i
zJP4h|04JXl-s9*HfU6OkMHC9MI1-t=yNvv+1&DI8&t8imi+hOqne=%8o_(ZD)zK<7
z4;^qBJTL%a=e%1P<22!{53PSYYH{`%Hex*%UC=^_;9heY#O37rfxAsl1h#}?7=Rz%
z{mxD%l#RpQez{oNTABqr6HAxDBOyO*Q;O_f1jIK(+3->7*yg-w#3~M{{0^NW0!yLg
zJFMF|f+|NGdQ5ruA=0t#5Wc~Gkb(=74|kSRI&GP?&;Kq+`5s3mD&Rx~e{^k)fIzI^
zJD2*xerS{YUAQW%5ju+eYeU3OIKUH9jSnace&OuwY-=0VYx3`Wfh$A2qsvJyDnK_M
zEW72K_8mtC{@B~Xm`+SU+;fd_BeU2*L!GhBTN0`H{9bqNN2kZ)N{4K@`?m@`xzft}
zMxO8!<Db(hRo~$WPeh&HxBof&^$?U~C@mqm4-#0Q2&i;s4Y3@mxLr!FK2lD@TUdOA
z7YrpKhrs?yB&4I`9^d{Jyx$u3biU1=cj(5S40tFdfRx=rnGMo@8I^pK$sW7!UXnA4
zCdmGWcRPBN21?QJmgCWIRH5|M-usH2d8pcTS_b9<xi@5<Jb>ysM`*+=R(TGxCVX?`
z06{)#pdVCKx+1<;sU3cw;-^k*lB`JHHN!uY{{0`T)Ndl)P-HCGC6y1A#mI^zn|SFp
zO@2eA1s(xNNih)qsUS5x`)_hq7VZ>k5LDNbIJ{+k-_ayxstBZMT9w$W3L#koA+`pH
zUxtFst-MuJ=x=2=W<bFO=}!8D4UQm4;uWed=W0KGt(@0d4R82ix2LF}CmcND9nAN$
zeeVCzJpTohs>Bs&WBJdWCtfra5+%e6zfE0RtM%(|j8KFqpWzEs2vR^LOisn^{{%F*
z1h=7awUd|agQ;sy<2%!DJ@!A*ZG`2w%j{r5nqPo>{8+|Zr-0pQ!rosrugWzY=Wgel
z$9>Y@H-(dTXY)}vLd(a7tPiHW`}o~-eiH41*3*nB)7^?WaV((-)|X$uAYyuD4M&PR
z@4chfmNe>cs0;z>(^{5RsEWx25O>%cgXe9W!X6_00_V(bt40s^_zXLmG#guak-4a_
zF_nHRa-D47U`HEQ3}{!V3RXIdhd7CR*vABS_yfYZKP-{Z{yx)B4*@v3Z9Nf3z!j!_
zx9%~xIC#YnB4J~Jx1*uVU-g<fi^A(wau~+%WT+b^9pZFtg%Y1tewB-PyJ7q~wjrn<
zTl+HzAcGA<;$vj&Mwlu(5k>4_-zwg*+u+%{feox0G_1h_iJWNm!{6Ur{0No9dMUy_
zp!W>U=0iM%wk6VcBQAyDt4f3`b6B|1tLUcT7iEO54-~W0PORyzTh_?5EcUb)6mRcQ
zJTAdz)$4Fi8-{z5yjq>HA&ED}ecSG+Xm3;&r5v3yGgu`~CL23QsLC=*hV7k*C488U
z{2LqNF+_1%<bAssLakYdvdXESSer<(;+)_N&(_I4k<v;F`6$3N#{c#(5!-dOC>55K
z`D*nTe&VW;W!U2;N5GcL!fK|~ShhA$M%Z??8hx*2qzufR5(UFQVsScuC~(95Tq>d|
z7dWXB*tG{86qZWk=4IoBLL3^Gl6EIW_#4m~hJw7P<F!;&sl;+w6imdV$1WTg%XcX;
zF*JC1)G!oxp#KYCuY3Mv&zS?(zf0ULofeRVwb?^9c3^k@Krsc|l@csBWTC!;Vul<P
zn>zY{K29<gnYb+{Cnq~-G2acF&6`&_)!a)iw|m%CI0f}dZBV=clV*$VVZ5khZ@WDs
zY;e2{-C@!L8YP81CTYC$jvIv4d$V6VI7=N_Yo^*v(L4Ug<p#P1F(pJQdcd|cid2f}
zntPYnJ-X<ewFPbh16Utvs_eYO1Ef@;LEDpe?shzn6c4Wi_x5$TD`9+J+B-ZK>?*L@
zmtq~KD%z@tL)ADg1`DPirHR<aF&AJx_T{Q<>SzMoWya0ncSeHIJF?3094w_|P?8Rj
z@JlmR3+C(Vi-@@VFPT!)e?vCLC_Nr@z;`n7Y;<!OZ!^^fke7}CL9*%lm5TBspQGA;
zG23$77Qx4rwkEe-6}{&54!PUo&Oe9OeP7>@E^u;I)B=A7`O#UjaI>!92{k{C0B0G}
zJnZOZtp&R^5bLuB!3Kqs?XQ-o#c6hVR6hzv@jTT5O;d-I@(uno3X7FoS171`JYYYt
z2ms5LW<_@B`)oOQPw4x{{6~?N>GL(?z@J9@1Z11=nSYfji^k0{dRk;Q4UPf(ix|-j
z;R)C3z}(h(5(XF?vZ7Dg-8-Q~^PQt?fVN_kE3!>FqW@fAa-gf!F61~2QlPHDPD?zL
z47X+n`pcv<#}4cmKF{j7tdN_?M^t-*Iydz}4AX0bJHj~4EZ5`3^K&D0*fJDJ=_yS|
z$MYG5Z4d4-Q2Gbdk>0JBb5OCyOw8u$CXG?XbPuY0H<f+tao{<1UD|IZwpX=Jkkd}n
zB%2|4*FmDFBBIMw-+#!(<!#a-#2n$MUsnsJun@EM4`i@EDodd6P~^aAsqtV3p40eD
z2~FbTvt(2xQBu<AfYxDr2ICfY(3+w1dyD(m)l?=HL8(j3W8bRXY0pW6z$Le}kz839
zRN@|zOm{6oN92?hJ<JHqaoT7FtgS{X#E@Zxz3@;#FCmWmm?URH;Vb|O>jk^I)o{#u
zHGb*El3%TU+Z)@temeZBo&?lNX!wVgl=yC*II|Cg+3-L+iM6R(qDQ}pZV5NS7)W!u
zQ0K37VfXH9j^US$Z}Aymmr~HelYJKJr@iI9A?wcjDsyiO%t>H;dK2Ro+c7~xE;b~r
z(A1n3R<fEIHQ6QdP&2EVOpIcviJ$O=AjsFvfnXnGx~-=e>T!O>GC>jb_a<GL46hJo
zdAzQKRBYg1dZhKej1O;^A4&1cgMaO4mnTUSuxBLffyzSN<cY!cgNEMr!bZPq{R3Ee
zAU(!&BLC;A7#NFlFwI<}5C=*m9IZ-rRBhi_w-0Wo!V`e-I|`OHd4RJRqb`TZ56OQu
zKn%R36wHHv^f$(Eq<TSsyoxa1X4pVMBPERosX8Ccl1XU+)xCc_sJz3y>vPEImTHB+
zh_b9*pi#H)5>Amn^8b@9V{%a@|K=fLfA6(`_b0~pMsG9CuN2ZA=>(<QKeJ+v8)T7T
z66HK!*nVfUc4|?1HESd?k)oPT$>3$mc;M(lQsqfu)epb}C4^)PWNI`|50f~arz@M&
ze2{#VvcN_+1ot``Ar_Te%QzlXy;&wou-HTeQ*t3_k2%1F=h?WQ^0j-UDc6Z3JMgxt
zZPD&TNo3(8Id+7*q^o7&glTNXM&krgd`ybFl37GX&!@%2^y3$VyJrmV+`V#U2UKyZ
zgBd3H5(01G)%Y<uqCXH=?J@eeS~cPTUUG&matU5+shSqQA~zUYR;B7K3^0g?!&;&o
zW<%0~+}Qu9m;@sW+QdE->?U2)EvsJ5jNce+lqV6pOP>)VZ}WHslQ?JF^z7LK(Q$bG
z)-{tX{dao~?W&sAw_1>wm~A!a!n3aLUl(f%pPgeh7i13r<l!JU3`YCvbX#Z9?Aj?=
zw6B?1qT&2%Jf_w_1CAdZJUOV)X-R0D3&X#GCq7eUM#OL?T;b11TPT_Pat_qz%h$E0
z`w%m_jifwm5v8EG{5r^h;GYw&7Ah-JS04TrNQDy(p<=1-Utg9@ux-xEn}-FC2cs<c
z)P99$_%bTWHGoNpa>Z-7#%)oe&Q59V&z*w%3s5};a@dkSAmi}cAbrp0DBET%9N!L)
zazx8Tf07{Zj?CLA)*(YNCYn>fOtmQQy^*)Z;DnrOzn+=~5$*9YNc`XeRw*@S%3<w&
z&JVYY!}AvUQ3w_|c|Gf|b}ZzPh(;UL0D^HDDVTX`<~mPgP>4NUVxz)oOVK~zyoLZ_
z%5@vnq&tQ(`h{pJXX;-46T{vf9vt8m`_7^{WOyWxDos9{Sk~ClDbKL`N1$QeCnO8U
zeGcBIN{rAnHy^|S;u=?8&b%P-e^U7lX^?V+Ye}}!mCS`icR`3t-3r3OieP(X>bq{+
zt}vfC=yIks56%r>VvF^+1@3{|)sJQSKH8Js43|$%tlNbnG^DrM)j07J<4tVJ*@V5@
zoQ2m3mM5&DW5!-(RnyweTEco<CAe}!5frwn(@Ptf?naKbGJ%rjc@M#_u$z7p*{wG@
z*tlk+*tLc2``?yuc<f3)u6h<F)pjlWVsYsNF78&KHUBh*IivCMUE6REIYd{DNk!X{
zR^gwnYz|&Z{zH79Jv(NS_@|(2p7yOu>SK{6&xNoUk;<5|225lIIG0?aVm2WuIfbYS
zC5*L<{oIO;K-&Gg^1GdlQ7x@x)wsO(V<X}6p;XyBQZ4vnQuaJF5RaZm*UfW2CR%^k
zlx;<vsDB*5+3VTjy%=^|%v7f0mAq{{2PY;m<?3ka_*+XAHb)WAOUUvIluyV|?#l2j
zCS-URZv!;%P`1Ax+vGA!u<$=H+v;$LzTXUJR{ldA$*w2~Sxf9Mo1C;D1F84a^+y9k
z&&d#=iy6-W)aE}fV;@>ENb047N14>|l^9fvtjAkr9`ZVQ666}xj8(g|qk?udPg_gN
z+qLxm&XQ$ZG$UZ@U!)NewLt+s5YrY-!j0BuEgfg~x#mp_Lm*pV+kEsa`eRd<ATsn<
zpDQuWuXc33qUp9LlA4Wr$ZbE%eC9;RqM}+uoJ-<EQ{z!9k8aA#E@n_vc-4^?O}ilS
z`vcK)j<DuwiC4ntioMF#FVX&BlZiT)S2U#{iM-*|u?a>cwHpUa3Hu@2LZEUOMql2;
zUE}X6=r6@jU`7NpCLN4=6i9|6jsV)|Kd?0^xg*J!Vk@IQx9@WFo^B0dw!fkfCY|x*
zFyffBe$yBjPzDujHJoJqnXUcj4LZ6z1{-Zl_wb7k_%~&P0>UD2$7yOo<yOj0o`8pk
z09DsP0fi4?c*X-pEc*FDy;6P?pDgt;Rzv0laHFu703DHz39!6RbW)Vo8|rNl{>NHY
zw=?*O?$sLG(IK)q{jzuf@c^yiYS<Qz-^G#!R1&mTKCP?teW+a3c+M7>+gYgGA4h}U
zv4C<PYUSyXw1m=>r=@9*K$jVF;3=BedB9EDDxuAT>sjVfE30k(0GeyLp9QLvsW=Lr
zw2im&tIKg2;STj%d&kL7Q5)cnb)MLB-=f`jG~r&ML%8j9gX1QNYtNU|_UfNIJ%vzM
z?FdL%i3=yOt8+0qURWid!l@(=`O{Zj`K;aG7IA%^;)M8Yo#v~j!rrMrjp-uH?+Ym+
z6J$d4i_6~@zKd+d<eKBvyp)BTqQYkut}Ofl!xAneE&5Tk`!=Fb9|;mfR1NlV`n0=O
zvtNJjXO(lYZ_lmfC9P#{xhH*CrWFh-ROa^3jnHqII=Owv%ZZ}2)_^z6va;<;ab3M=
z<hpRRHGLD$#!BAea_3sy?>IL!aLCX1Wp+l%ikon_7eu6B`!Iquv8`}4Ok7B(7d-)0
zR%qX?x`D|aeA$MLKhiImt{Kw2zpNsz)p?F+9w#)pCnmo*U?2*F_F@p+LUykj@u%DQ
znN^ZLkHJ;m&56x%<cTFh7y=Gj3~}0d6OB!pt!&TCQBc7TP=ZF1Ffv{}j2(h^>;-OB
zuvS1f?}Pl^cp;i@T@y!gJ=B8Sr>CbAN=z@QpX33z2yvBskV4`&gV(v*W{Jf2h{=(z
zsLuBh6m1B<Z<AeQ^|emq(HXr2!VUScFSvw`X3@-eczl7ItDv2YN~Sz2eslFq6?75T
z4-M%C%bviz+!Q}5WlURNDck<@K^htSf@&zpw-79JV3M<BzY|}O5wh%p#kcx`%Uc<#
z5ruV3yO^DB5vDy0+asmh`E-3pI+FZWB~_CW%DuBQJO?p&jH7C{um@f#HZ`Oaxq+Bf
z^Jm;4<MpN=5{qX<zVq_T#ElTW;8jUi4QI=S^(`yJuE}yeX$qCkUMt$woyaYU+IH{l
z1GNZA4X~$x^L7*8Lg;!E*c1phqfI3$Ype*uS<$%p2e!TT54K!m+KT>dvICu=e}i)8
z!ZJV67QbD=<W3@m)|QIXY6CLQnjBh_LH6Udvccy&odz%NI(=Cn!)d&{NoNUQ$Dxm;
zoV=eZ(stiESxH;5{O3J3-K{Uvro-v{O5djx*kZ|Y!S;aZsNGLmiu9b(5z#eE(`2l|
z3Ua=pw%nTJ$s<CE6R3mQKtAOkfDeI7x!1eu1=G)e1k5_L%yVK3oLjxy<x1IIJdG%(
zu_RgzY(#e0<XCtI8i`%!c`A7^M;J>}8z_*WeG>tVaeJDXmG3=;J#VfYr!`)sT4IkI
zlIl&USHY7U+*KNLm+6M)KgOi?Y1bYJwQ+FaEVLE#hCk8+neAUeRrP&c{73!%Yhoeo
zy>|@1W*9Ios^*OqR@BokWivQS=5YIkbXWie_&u8sNT)IxBa+BpMEE2{4gX|piKLR2
z-xCYA3)I#IzQkd4wf0XUg~$*7pIlV51#zcW?W`0;3&RgwwEJgtv-9e4O$;zpW(iz4
zvprQkJgM<d=!Z`2?CA#*P6=kHEKbT=8nW3*w8ILv`(qw49XOsL>Nqh`*8a9rS<oAJ
z9m|%v*P4hlE?TQoAE_E##juU=^^+PG#<Jp8+lGbE=)@v(VhF$eVAsBOVpl()ZX?>u
zl1B09z(G5?x9|ZD&Nzfd@3nCIiV|GCWD<0ETPBybn#W%fc)R<Aw%72TlBki!$MTb0
zm7Qs>HAWkPY~S589-TEgj`?(<g@FTQMXls$Y;@4;nH_Cswb;A#z@4IwvM84of}j{&
z-Qi~{uE`G+bORzdFu5LNjs(wrC{qkySyS8TUf<e&hq<Q4Cf}0Mz<jVJWO7zWu}$cB
zni8un0E&WtL+_&MKXP34QkvEhZSr2tpee#DhxY|1|B?`@zOh&}FJ=i4eTFx8j1TQ)
zt*i;i_ta{Pou12{p`rc(VH1*|n~V97n4M8pL@byY<dcRvxZ@9subnEHE|i)(&g3vk
zEf^{C_cG}T`E)ZjOaQ#;J2vHRN#K!rNSTDAmB+-m^RgHB&Z=7SlFb_1(i)lkRu}Bi
z^7A~R5HY8fk-lGkK=!U%As=Pj9w(|rtlyH_&VjDb0ACy}aPQf8^)C7zCL}Bd^+T&@
zl0ZH`hi3P~#4zrd29gWUZVpfCS}~*1s)V2N_`z@U-Uz>Fsmh76c+Te@MLG321`@;2
zoBnLCawqk^-v2szUU%y$g%(|z`%!r&id#XEV>e}tsR_9)GF!atDSHN5TDJ(62azqT
zk36W%VG~UFiF&f<cybqwJ&D|R%vG^V9P7l={s1ZDGLK8L$bZ_QlmDw78sop)p`%K?
ze-=Mbg|#$2H~+!9Y2zN#l}PzC(-c{iLC8COSW@SMUGv0|m&!9%-Ij@nz4diQt>Ox^
zE;f-A?0Pqcz0tI4$1bm^-%CEf=1#&s|HE_b28u^tbC5gBhA1R*tv2$%ldRY<1L?%|
zk2u3W;T2g~%L1{Zc!?m#`-BW)JFX%nO>oCI*BDfPDX44$^+!St7AddPXO4y*k2Iva
z2_~ND(zlJDkmtO_eR4LSt6&1luN`w`4Z#QQqz!71iAg3#5}u!)e!H=|Q`Pr^2$?&P
z*!2{T;;$~{#uDlCTO$O8!IBb2<MB6swut)c<d8nZT;J@R11%&=fuwEVGCY=Yv1zy2
z;zM7OPw*O8<8W&MISJUrzw&oDaWwo%Q=-NJMytO;HSXW4u>g=@>uqnQid}mqExcC8
zp?4lhjpdFXwVswZw4cO*Y5`DRI=DFAK74AGY9%uwp!z9V&2F+Zq^{`cDT0Ovk8Os(
zdL>Xh{Eb$u+FQe3{%@%y4-%cRORx*%0YbIz`2dx^wy0Drq~d`ZaRJPp$YXdpU(wn2
zc3f!?D-lcVgzz49!~q`W-7p~YmjERTcJU(9LB9h6Xe{t?UdD6;f2%O6aUhso4WfmE
zw~#>XKoqJI_gN$E4->)fu}ao|=3Nl9Kh#)W<RYfhj`c7r2+eUr9_byll6EqsZU4P#
zrd9Sxj4A{2Y+sFCnmGv9dL`e0n4!C>Tm5UhS}4(^A~uIiIKJK2;Ki!09+i`4eK`N2
z5L~t8PW<g30GiwYC-GL;=ac)4g~@z6e29r4M$qlmjLik%llG44>OMB1N{UYcy1M;W
z)9-&X-_A>`Eib)1OsEI*<cx!-O)Qvt+w^en%gmYdTf{`Tab|OQlLDXsq6;skoq*C~
z%6e7iBZ0R}6Md?MlnhyGsg`~vFI*4ib{UEvsLM&Op2F$Uk_@dP8?qW#N0*Y^UH@|d
z8nEkteYYL#PooYUs(AHCoH*nYNO3b*)|N|r^CP9TDUHH%xu_S?RSf^FDFf*fq(=uj
z%g${s@9Q-N61F7v)J|Q32^-C|VqFX6ryM49=DWu5aiJ%PjO%i~%?Ikk#lB-~nE?vi
z|6?J;4hHp+ZBd3k0?xvuDQhN*7qSm3Je}sfNK~bh2WNb^kn@D^+bFFXudkw*6uLk3
zy82I3!w3jb23q~>-WfGNx!l^@pO=#|sqmQ^+t7MwGL6khws=zW<dQ={8tpFn>g;yh
zDu>Y=bhRI(=%Esq5f&0ZImw8^3;wu9SiQx|S>CS|&nun2V;yC+Q1ux6DPENE%^}U~
znwnKi?`$*(#YQO6=H`8%9R2ODf8oJjc<=h>!ZIz6x{G*c7mQSiO`~peKWWpfxe$3U
zj@@E|(@HnXG28D8d-8ELy4rPX7MU6xx=)Td3(mxD3HOgDjl%x71M~lD@IrI0=lZAF
z49`c~0m|D?I_k0v82urkg90c5SS!d*Fps~)?g^i3D>K=C#e^Ln2$isZfe8(Avv<b;
z2~`*bZMSqK3GIvz3LGO|7(Y7DMs|mGGK<!glEouXTs_4z=wHz7^~X@beA9Y`zzCv8
z&WGt=0vpuT&d?#LDJW`^c3lnEnSN3*%i0l6W$=A<tQ>`v+i0j#pxVwaXd@jyFSqcf
z;F78q9Iiz%U{7PbadxDf`}i#p;{~`=y5;6=R<CPlzLGY|BNVEVv!imVn132sTGT}t
zdv7uEdSoE7`}(fz#oUien(-GudU)o4fKVR=xDxjD70Qs~;WO2Fdiz67v1Oc<&YSk4
z7ZZfH*rj~La4*4xu@oxTg_xMFV<yfPCj6^o0w1m-dB`Q4fXXoF@G24LPEXzDx8wX>
zWZxjCZ6)L76$AT}+ChXwk~zxjYwvO1I!NjNuaFBg^Xwa+a2i%sNj5wk`37*~u?&aX
z1iom^dpgHe>smSC5eno=zh(DQ^00)<cDXwhC^U|rlV$fAx54MN-Pf`S+jX{ONxw8j
zGVtI(b7Z;Drc^N=R2Ye;o>Td$Vsqp}ee~B*cZmw_H;UhsRhNc%qOugU%nF7OeoQ9(
zKlpLt&VtK20%oH1MBF9BQjotzRtmDrJ}rD8D8WLqH8`uKcY12kyhf-ZHJE59)D6>b
zW_~v+aJVu1G}}aZ;Kx5LUbmnJV90MBTS#+%Hd<EF%s-#X{+_hHWP}+PvMaJY8qp7m
zAE+z|_vBz`nz&e%I4)jPu)tf#azz_yb22QzJm64?@VLx12vi!aJX<TBcrURxE*3=+
z)#g!N@%r0U+p`wiFB48m$|(2Nc%+d~j_&d7p@cqrSksL|eC#~^gilZFU|VyMuh40}
z%Kjpu59@VXlNFlIb3aK}yQPzhR1Fq-cheUf79X%^MWXTid&p77+XSxkMZ+b%3&@kR
z_`yp9;F4V30h6@<^b~5Oi||Vf>1r~fRV(-ld#yB#yV7pEb^UQ>nIOtKe-Z4Q`8|9|
zwRti`>q9LoOKWKH3g#l`VINWbLpr(|+Meu=nahs__WE0SG2XB%bcd>R<@7(h=bE|P
zRopa7W#5tN6~<rJMb$8|a>hPst0gdRG4<+fe|Vfjlh(Pnvu1I5xUEa4!8%*^OCrOM
z02>$Y3@zO)cSKNvcHm7R26kvVpR(ghfi=!js>n#dV&B^2k%6$|7bdn1z83e7X*IMw
zZ;{-%%yqjhcSX;Be-1;W8~q;JzUganN|^Q!R_XR(Rd}e)<<rrEmNg~t6DwctaieTG
zQ-IJ4`JW5T&emrWBTaz|Dg+&=E6iqyZ&dAz>lo2-^dIKYzLuUEi}QFWJV>MV2fwf=
z`}0f7KligkvmSp%X&yS*PBHk9j-K+hlyg#S;g#w)oTTfT&@CBdJ_==iBkA<1L7av?
z+Kqe2SgHi(6X@Z`_Zz}~n^V}e*N@yU()y@e`+S^Y{pRFfEdX&5kDlEXz76BWm{F?L
z_58)BYWjJM`!SmropqVJ^)7L;K1$xwc{2XO3&9Nv%=S!UCM=1LQBz)dIuB2?u{}HW
z7P;b5Jn|Si+Qv@B4W6ZJ$V3FSr(mv^zQ;avcH0fwFaMp`O<gUWrvWap=N3?LbI!7m
z>Dk;xEo4#-lW4wN{#mE5WFREm?s#^7Mv~?k@Kv56HxcRW_N!5+7g6mNaq$x?)h|X;
z#4QY|uE%*_6Q~j_)%+eI6E1VA>kB9&aj@BB#B#~)=zn}dH+?-?HE7FT(xR7&E)M7W
zVr(ywCyRBGKV_@ho)Y4jnfgp(mQO{Z(wj?tO}XfLAR+C+1REAhK-$Irw{PG6{Q7Qj
zbMdhI_m0Bb&dyf}R#!hKzs7!*c>R6Aw(J?Uh@sZFMay`L#h`5+60x*7azIMb3#q}J
zR54Xr(Q{#qMQgwHTO9spDrbc2M@JoeDH4B{N<~TyrPlws{-bfb#r)9kd*K%MgxQ~q
ziu>=s)9$rV)QxLolD#GNJH}fK>giiey01M<-Jv@E4b9sRE-phSiG%`<j1M?66CHwC
z>{*w`y<bM|r88<aN93^8Zp3$4o@LSXT&8LVPq=p7<RJgD)f>WU%+brWW+V1%S9)kv
z*jT=`y>KlM_1=%G0#-35aFOx$hke9-T5tdPDh*TdlkVWL%iPx_$M94kPNkGAtIFV?
z8~MwRoZ+nzq?7Xg!rz<elm6IEKmWRxa;|G*`m@D+mh+UP>Vr%Nxl?Ha3|<!vb56JW
z%1Qe0NgR7HCD->{i*pKcX<SQP2fxVk{b4L*=$wAOcPqO3nQqreaQh3%sqK`3g;Cr?
zp8TwLhsMhqp3L=5mCv6%TYA~FtvjdReFf_pWsxj@Y(l1z9iJ6kKXD=CevPLS@!pE_
z<wK@FzorJwo-L96Vg6l0p%ER;4mJml^ysrQ%8kxv4_(jqUUqIZ@U&N(`L>EO(ToWa
z`aW^h#?)-i130`dEfq~IbPuFutB#o)_q;9-Q*!Yn5}WCIva@)1&~5@gPhM-36Z7(Q
z5r2mLM5bXR`RALGTvc#+at((qFJ=eNEFQVhfsJrWpngYveZr;S^Hwo_n|_^@7N0sF
zn71?yuyC&@o;&X?FSlvm!<4|k0A@cVoknIf?|!F*Oi*4_G1_t<B2_-POuz&`%$8mA
zTDhlKy6D6mQdzW9eg;GAQGZ%9W)eu&k+z11S{rq$GFQ;h0G}j?d+}%K=CtX%^7~@k
z?uts%6IZQRmL+4Sk^}=}7(<_Kc2y~-J<KSkO*mel{IOY9SmnD%l3zk|DjniDb5$ez
z9uaPQ-#hJid$5sF;*y`ms*Nbg{`kwB?|@0$C5eWtm+b9M?7m<6)nw87sO@FeW^eaF
z^OkD10h-Wc*JkE#;vDz%kk<hXZ~W9(8XG&y&(&bfw^X*GI3jRtwo&f7l+p6?McsFr
zoz+!=KR6gG1)17>a<KP9Zj1(A`XbueM}oR1tW>#6oX@j=-5Q5TLWesWEo5bzki~EQ
z`}a?+>`~)IOV4_g0{b=@D4tuN2~RMu5-~_^yhQt5*<}hdVhQadCW>&S?>TZ?#l&kR
z#G-JpLnA|@aiIkP2HQ!ObFN!e%S?1;L9X=oWkI!8pk6FG3SKJ=c|DBaSm#^f`0JWa
z(ZAil{3*x6dOgFSKqtS<z(Prb6d(>9hi{=hMV$n0%*v_k&lBfA=x0v!Z=aA)!gAll
zX<`Lb5N?QheeNB1E#=>hUb*p=4s#H|FuYEjf?dKb&aair(WW$$c+nN_S$No|j-I+j
z6dQIheR+8y>yLy+9f#z0+FaV4?{Jy&y2@!`*-Jb`XGYG=C*h^2I#&W4Up-@TRhJ>f
z7cEPVrb`&T1w(?zW&Q=P=s_zQGL{%8a&8MwsPRAWcT8rVeR}6y$d^pb29Avllh#JD
z7*jSle+727Tg9b2T-6eT)rufbxIL0s)q3o^(xzph`xc?aahp8TJ}Eu<X)!Xs@hkqL
z401s%;8Gm0z>&EsFa3gM=Uuz_YB<Gs&J3f4m8mo;yizA*bYYdTfkCN2X&3wI7~d@b
zCl!2U0rE26|0F(L_}nQTYW$?o^kmGzgz5>Y>_~Iob$CX9ECm|P84_eKPFp*?z+og&
ze8A=O;qYPiO;Hgyf^+)HyQyfk>duCy5mS5*Z_~%YrbP;Hzy}fP*E5f~Kbel-qKlR5
z$c*Bm+*E8;T);oBl$XBA^8t);iF(zKM&+})5MEvYN$}Dcz;Trg?h`|~u{zk%|2VWp
zZzCa^3;bj;1TDJ!Y>D1)de2;3hx^ET+65w^dD8U!()9FKR)p4$Cj<lA)T^uGOtN~t
z79`cps{PG%a;v)LWW?>|b-(3jo24iBVC+u%1+1xrp#Q<G0EbHk2_+OfNLc8J>&@as
zbYW&*EI%2@mDqJlqZ<olFPzYku_QOL!9o4*HxeDjr^pBI^IVQJ$WxPV#YKq!^ie5O
zM2s+gHK6RQs}FuI&h9aj-mL1kI!#YmNsZ4Pp`)drP^5l%HChL5a1Si6<0R^&s9vMl
zL^o$a^sSRa60C2^Zb8>o#Eh-L#V4I5I8}$sVNO_e`MsfBZ5G`2IST<jI1HR9o%b0@
z5q~&m@fW>B56c@5rguHA$F-&pE^<^Fv>bOS5AVfPMK@#{N!5ZiF*Eo0aNW9$O*DTL
zadY1~_8N(8N3VLd<Ufm;=is*Y_=&Rni<XfOT-XGhvXylu-zsv4Mcc_IJ6EQSkLce7
zEu$n6Rv@t3cG34Qu=6MM!kEDf!d#?DqxB5ik`F*lHz#JAW%YGOEq3I$+Iyd#SN3Ay
znI92sh<$JNO2SM~3OoNE5G&$~qeYe!cv3{PH#$vb$ru&)6*V$FwTsS%IRj&%>9L~0
zy9wP;K_>0VY2nv}BUs2-985jg*q@%AblmXi^NbR`KD|_K>K1XB8d|S<=04V7-QsE}
zkstlZr?@Ws9(`lv04_3CHh^lUzkS_JLvGL9O{-XfkkE2dz)J>RucO-Ui`@j5$!rsc
z5TJr%!~>iLV)LVn2pSF2zZk0g`?s7;r`NkloE2}%JBE|qSk&1wr)Y?vxf5rEG8z`0
zI!!%uujWYF#q(wZd(}Gh;(eCD<LhpZ(O;TZZ+F-(Mw2||E<N~<x&#A%080(QI=fl*
zYp^oE@~VzbiZ*&O9I989j?S$%A~c)-4!^V5F4Y(@;!BL_T*>iVUqfb%zl2l!VawGp
zwShRDDS?5qMBxA1V3zTUKfn0gc#SS&y>lJ)MJXZQNJvNam0a1ymBb+)6D;6I4Axq?
zalVZ}s9x8y#mLd|yDb9nbRUB|HXr^bc+dlX_r^uww_JPo@y^_Y`?0Yy#^-s?SweCn
zA6pRg%)^k-)Ybik1%H+PFtCkvYI*Wx-HMcZ%oJwatf^aN0JnY=Jb#ShK#PRT2y8e%
z{@PGrzIKvYXlHP>X|CZ_M$w!(cANE9cpTRo?^z!vZ*ZC&u+CnOiFS=6?>pwS)cEXn
zW^`6C_=b&S2AQP$UHU&KhO&qte8^(*lY*WD9Fiqt_Le<jM_5(#ka+lVj9tYx`T<O$
z@IH&G;dNwsjupA_!ZM9@zK9Xodb+B(%HBGK+AAzca~ZHmB%8VJ3hp5EUs)nG;~uj%
z$-WQ&|1z2lF%p{c^;c7GxaDhKV<x@9jAXd?x%Da6vq_fbRq5isL#k93jz`X&krS`v
zyrnnFpfI!o7sa`9wG%rePVg$+A5Xe9%B@U#Q?7iXTiU)98T<c~cIDwvzV9AQVYrYr
z%2Kj#MPwaC(I6uG*h)-xk$o>qNQ4=YF-ekriy^zRPNA~Il*lgonsv_ePQTxEzUPl~
zu5+E^&+)#`df%Vre%^ORJhGkza7r{-3_oq$PI|-RxW}ZD=Vn^C{fMkVm2<_dM@!AR
z*!wM@_(>J3olM@AWEwTMXf5M=@y<yP^%~(m_cWn0@JjvJiqv2j64yV6v5%mFF^Pc9
za*J@w7}<MO<rEL%XWc#zx7BSXoE%t4<AxQtpV7s^$JfpoiiVmd%%2iow8bo#ysPiI
zp{fO7&yz;ggPXDTu*5i}bh-YwNxD|9%<n71V%F#qKk3D@ulW_A0J;aMCMbY<G{e`e
z_Q$a}-VC4m*$=~$$-F)X$BHY<mIsZhyi!XnY+$AAKgHoHfKC_zq7tmJ`j+r;Prgj&
z&N;ZV$mQQ9aH5lvnJ>!6>$ZuzO9k;*>?`jzgWDhA0NW!W@F_=YwQ*+@)el!}3bS+5
zcNxCzfQy_^d7&^=9nh>+#=-_JOrn~pz4#{u{RA1)aIu2NtGW&4=Ibcaw~%Ir?KvR<
z3)bSlaj9y7qrFVe+T~$t)V!;MzrF0HBra$fu?j%U0St|rP;hgvowsOsn4ND-xz!Xq
zCWwkhY`IG@O7&uYv^(uY%4*DD+Rq3-?i1$(^YMhB;ig-M;G@-;Jnc7eJV1XCfkm_S
z{oNzJ|JMy?aqztZA1~6cAW|38S&swxPgyf1u7#_coQ-nzIi-R~#IcW|vkv#LVU{R#
zZE2W!!+X{p9<)WtOK(#{Ma{7QK<}elBh_*tr+Aoa)isdW$!mJJeTI|w&#xKVbix5u
ztRw-0vD8?czGU03+3q%(@UqFNkL-!YT*$Z8%3->Odo*fvTjxUUq+0yLi>BCfMYM0+
zdA@SKOhg6VnV@jiLjU&hvpz<76rrV<3F(}p)lSaKDTA-2zKpn`PgO@%Tey&Lm>+3#
zX}Z{gOLb-NFFQt8qlxdY*cjBPWIsP4Z}#kMSXG>W?X-`t@jZIVu6RoW{yI<$oA^p?
z-+|%T8;CMf@ow-IW2_>ahvG=*A919_1>S{0#}u&Xb$Bo9?vApB2yo}#G<$eGfw=o8
z<Gh7&F$kuZlpv4#4<PXP9ztVG{DLf`X6booA7dqoR2OeEP$^X?y1!;xeJ`0!BC{eT
z){@Dxru0n}4D1&bur7O2%YF~kF1&Sr(s8#UT?YjdUSzF5BCaGX!j}JjntDBdHIfP@
zeK~ynJ4qobPpB?Fg(>aZ8uF<xi%u6NSFT;h)1Zr%9WE7=+ovxJFL7~8s<?qGX7tc|
zot5j&D#--U?KBihTLm}GY>zQ)U5rXDVD`hx6z3tB()^6~lI3op!FzuAPFfI715rH^
z30I9ywCJ|c07^>&6N-H9<%R^5witMWnVQZD+J|4@1?L@FzL3`b?A73JH-L~_xEj8l
zy>Jy<0|k?S=P?NHxe5p?i@Q${JN42sFVAiUw9PIKtRZRf?&%KZFCEtI5B!VI!Y^F|
zCNR3qR}(~&X6i{E-7jmds2wv0u8HVaI*RZar-#Ta-r?=WHtJaKXz8}OP)50|@BQw(
z{nYu+4Y{zVW&g=#G6sOlimw4KqoXa<{-ArNPVgUGW(Hx=;)})F5#?Mt=a?#Al6kK$
z?V~ZBTY$*|OoFE7Li$hZv42_d*CdFWy|G9bHz}<)UsF~ofCRHu8c6?Rnk7xRfyv)0
z_(^B<IX`LMGYBYf*8Uwhe9<8Fht-#Rm2nIAawORRa~-dAtUc%oKmFE`%bWqo3jr{Q
z%PCq`Rbyp>GSAO5C^(XYApRNy{N;29;;$yr=HOh2ztDn^F6J#qKN%EGnEPxR>-e$L
zr7O!J?Fvq3=+uIS&~sYGN;?oESy<35p%|}Pp{Fd_n6P0mKZ`cj*(PwW=kx^XL_*3Z
z7iRmKSrk*fz(K3hb)lxD>T<V+Pql3Q`Sd_+PaCO21EB3k5G*ZA#tDr;`joXAhj3PE
z!Be8!&(&_f1x17(t#{kLt+@`nW&W!Yw=nB55YJ1);(r3{dCYM4CpdtfPa14=P+7qf
zd^X-`fIp|InqbKLnkm74BMG=Be<~m&r>GU4vO@aj(hFp`64#6TQR<qXCutUA6iFS$
zkK2}HVn34#TZKW>@p|uBrHr<#XT_Dxuw7nsm%!y05pEBvPx6ttb+^_SZFbC%tbzof
zBSCYK5biv=`ubYuwFFsvrhwYc?wj10azPsib);HQIxO@OY4zxPEA8E^(VJ`i*X>8*
zHty*rdX`ami!>>CZT^*h=_v*f$B_3UISy|XSQ}-$P`K$rP}^XAE@fg|@jm;^l<_5T
zgXJ8iTQ6CjqWRvL)M|WkW-JY?YD*p(Hf$3DE6ED;AC(1QgDV8)YUiVw%GY<^b4hU;
zYT4yN9$0S)I$v;6956JW4nKzuUcU29tz6H<qDpH#V`{78XmnqOwVf19pbrYz)u&k~
zA5z(l^huEeHN|=7O-WlVE%|R6SJD-K<q-K}og0H8;d>tRxYjewCu2Fw?Al?P)!lj5
zeL$8d9jiQ5s`M>NM}hf-V+)YCsz-oB@u*V`P)@)9ET|)uneetr0j>Vq=wyTNK)$2H
zq&99dm5zcg){VaWH@ZEBB@}&=ojfT_m8Er;0xnBgzW^d+CO`$mrv-U?ocu)=&T#dP
zTFm*kG3_^={LcYXbB22QJBQyQ)u-{;c`DvlAc6(XrBHdh3zwmNn3)ai?I6W`LhTL^
z5G4@2Sh+Oa0J#GU%sS9A4E`p|owH4s1<mntb3a)KOS@jyo2s||lq6t#u$98|{L#Jz
zLpQmxoq1UfwQ)TbSH~G6W<a4Rh~z@**(k?xleScNon%)EE~2_cov%ys8rz^nWiKFl
zt@U$3<jS$x_5AQtm!t2#-&Ipwk9UnbY;kdT=~=61iYxVf5!Zw{Yt%Lz#2E(UGr~|C
z!(k^jH-Y6FRxHd@WxBaX_lr|G#t1T#AbkPeJaWsZ(5#koPLxRd;2v~PuEI0FF%>Bv
z-Tj`%ty$cEMt6!+nwc#sxz$U<0Ok117@$t9MK1BTE3y?>i&MH_`Y?bxLdurA?%LKE
zZmW!{C+RQGUYO?aoerEaLL5eCWoPw$(@`eYazMo5$w!kp<H-Nnkyl3HyAuwTlJHGm
z-iIk6Ai&po+AM!2W9n)^<JQp;bAa-y3ScAL!g5ng*9A|BXv39`bC1Sn>q`|_-bQPk
zkh(BZ0C_N%SjMjbInwG$O=eM0;R6OL2lXB|9jP8WRd5UCH4v@@(;9o}O*4E~wL{25
zUKy&G29aKO$#uMXZ;Eo){_*`)^)ksm$@w|sY$ZhlSp*03-}vwr(m-eas|G?XBJKf^
z;s)$CO_oXCR)UIoWozn==*$hxH*yn7VuQ5h5ExlLMP*6VC460@cZh_DOYcOsi6oR&
z#sI|fMxJQ1OfVZH-r$f2L6ZhKhJ`_#$)5;q{5hYysuHUAFH_Nw*v3LcNpflmxBoOg
zzMUG@;VcLdbHpmh%cCC)w=IkTX`V?5)vK)EckD>aI;UaJzTk)w)_jR<_k>k{!ToGJ
z*11!tc^W2A#sOv3*~Jrm9ohG|4`f{@ZRJPn?^y(!f__-S!+{xI>N)GJD0)N;oC?h2
z1w@&<n^t%+p>oQc+zHA82eD;=96G8JIl!KB;++}yOq^G<u!#sPE#_6<-AdHzsKv|t
z@Gcz{6Hg#z{9Pe%IviP&+>;V4Rvn}rL^Kx0F{*#;zpdNX(I_2sQO5j>C1U3~tIk^c
zjbvD<Gkt_!cQZA(Qv=)y?AY?dHs0#{&aw3a&s^J_hWC6H1LafMc~G+dCbBHR{}lUP
z+^2pP6Sd2fIxiEgn>XkrB4*0eByOqg>)$1lCMMl;@Hu&#@uoc`g`qk|J9q+gVDP=P
zy3*u*Qh_>G$(Fd;GojjT)5m!8bb(vG^7@?5w?95=p@m3-59Z%Ag)4ZBNBrt){An9H
zT}W)dllSt|5nnGzvV~uYft0l3_;`E8^ZT>mHep@*w+)Rf?lb;=Jjbv_9e+&)zf06K
zNN{>cDpPnp#I56;{e0>>`~gHt{?JV03lB#<wnIZUQLwdK_{+o@t*t{u(Y9gKp;7xU
z2KIPc)Nn(!xbcb89+ICmX0Ub(U{KzyV*$jO?|uc*0G3uHK{)kRe5D=a&U&XY5pf0y
z2WcY?(k5qVq4nKX5cyiHB)O<U+<LaMEZIYvR9bR<@;Ho!<y#_EY41^2U4yrI3G+m|
z7Ui$g_&@dfJ&y+hWRV6fOK2mn9mcsD022nlw0tL-lC}yGH77<1+D_YRy^hQYK@!6%
zhh=D)7@?8pCm>f)3&Qe8tb;ydu9@R^$Hf*t{2xi>ct+B9pF5_!O%5_dxAM{JlA}vR
zW;HnmA>$gW$yiMjN0ZQJ*K|^JPv^#E$-p6E<A7pEA30PR<QSBz(EY2d;|*!w=CjxS
z!vb^Lnz-_`){X%7>^wa#Vs+bTD?XiMIupa<D}4GKmASMKyh#0xAi_D<x&tBaQs?b7
zJ~h8u+bJm_M|oyfY)@|O?e@Kxwm@#=#U>W0L+FNK?YD4rvy%F%MP5+@2E66Hy-P2|
z%Mc0H8<K#2?^*dix8lJInO^Vs(R&}zV)X?VUL7AbdjEJ2dHVqq=?d#*J1Xi?kAN7-
zoDzfJ#M48)HNOW!!LR*_WKyG$$;te#X?_h+bW9PtERdbQo-*?g83VpceJg~+H3qAS
z)x|V?Db121U_-o_5KjrN$;M@_tZ@QhyOF@qJV<zx@guasBhMh1=_tzn_q|)63)CLZ
z9URH9eeNj5jBEIeT8mYNSqecWQ(6ZM_;Z5hmNabN&_C@0EQ$(t3^*-#q}o{%|8DN&
zo#V-umXG^B<q=r94%CiAsmja!p76tw=Au*HKTXaLsf)di{2}ILbm`~yNeA|<`lQfw
zE6~Ous09<U#*b);R%R;?&t6GaU7b|Z^hEf~3d_oR>#K=iVq&#;QmPVDuSnCWQh^X8
z3G4f&BWZ&)jhD|4FWYeUHM)(5&;|4!gtKr%r~|>?*I9zcJ#jXn2}gWMzmo_9k*xdX
zqhVK2T$}VZ)~gD04c8Dpk7^xy#-AHt@U$R*ai^$&IKMhl?_X}LlN>Z77B#Hdnf)2-
zBou%~7SlLBEfQD}f(h6`2O}4R>+;SJ-|D8j9kwZbVy)J%lNgn=x{cNh-9a`|YfN+3
z^B$beeG=v)mfCN*wEf0E&|cdJ<L<C1h5H8TIMd%BpB5nye}ztlX?Vz+F3(Bfg8Z=F
zB2Sw7S--DJ>h2F5u<u%_ShTWg*y}b+&X}@5>3NoV8nXDjo;x-_=_|&J6wf8!)6pH6
ziYK`=dj1~PNlQDMwM!1|in%#YoDiqf3;`;s4r|7v8;3mV(iD~}OiR`sE$DYl0(vpY
z8m-0UJjy{6e96I_lA!r(H2a6&an))zZxsZ7wxEuS2MIgL_D8$hm=vzuE{%34dgs>f
zGoQ)0>wU|l8N*S2iiYKc7D(We^IbX3uQbC*Zw*Hjec#;wW#;bP5xe*qC&_!TLx=3e
zqFAqq`g|H;J(v3Gyqo85*MMEAEFmYX_cbbDnaAks*}wk&{d;eFd1@q$yfP)CzB@TJ
z#jwm{i6HO%*k79Pvkk^t$`iC>0%XwjRs&xu(%@~M{Lt_QH8}ldWcw#W78V*>R`bD`
z&6%diwcdu_f1DB4Cz}7ahlHHvXafFDE5_~F`gPWYkpMXThg+bmy#=Hv3BNkTJzE`r
z8P8%ZDt1A-BqItekSPE})YGDg&gED%;y|}o!i8rlL*&zzzhh~8`LExq_!O>+2h_R%
zu%^J3#9_AzuTQ}v$mZ|0Mt3Bi_jQd3)fCJd7iSSS?w|1p6|>lz4xp!t5CMhhAks$H
zpxm6D$BU21rO1n!#pSjhqwA3lXCTVsgZ3q)bWhDXvs>)6cR^B<s@cJTl7;!9hoE^5
zqQo7snO21f?>0Z0pLyVBeX1a*S6}4xfD=(HP~+gGoS+TX%twfjFO=UcEn9FU`*WJT
z<}jV_&Ykqop)w#5DuH6D8y9a79{!mdvxQs7PkfIxMON6(PjtVrHaQt0a#&P%C)fLt
zUv4$aH6R!BtLl$hxj#HKsT1P~`&U3m0M2x8Phxuz|J*oCIhtgzV*j%xs03;D@>2#Z
zxj}OEj9K>zbq9(P&!m6Hvn+r|Zhm*MM_i2IwLyYn1>hTN(@!eRH5Ij+UQEL?p7kMW
zmqu5`R18sd>B1>YD}4oeo<VXh@PJeD`8!vtNe{Zh4~Xi3p^fdw$!gBV)hCbjE|}$w
zs-5-uLMeU3Q7voMrV!M}2nzP^`F`k>e{A$$+bKZFbMF0;tc<Jpss<il7!*IvU0jop
zf1#At0Ms<0lMIgy;a=JlrUP8xQmw!f-fPPA{j(h=wn%cp;u>#0=9T_O)8=3pe=rDZ
zsnq^o-0qnddy+2@htm>)PV8hG^VVsOo1>zlt3+P8Y@E4XWExPSey2$1r?sS1o!pmq
zg%=xZj`j0JMFwh2v<uMDMywwn^Umxgh=_I{SL}+ExV@Q_%4QRU%S*E4wgqPj9mfGP
zUtVx(;qDW8#jXQSNT*o^7NH%|aTDn&f9qN8;M6C<{<<*bJmv&AG`*Om#0}5}Oz9MW
z9L2#qAiOCm@0s^MZc>~+!0v9X4h;?6t4fBn2XNJi&D7pKjUs#Ty^a2eX=6r;1DT*(
zsh|4qTKPY9{r|toj@U~G-d?R+J(~1)5%e|2rlzLO>J&YenmNVa9o!1n0>yZ$h+D7?
z``yjNFO0fBkRR5uyoy$T7lQ~qk98=67$jDyV9FqI|9AiTwswF`i&@n>8ce1gdb72T
zx78F82dV!R@FC9ErAK;UbJN547m>)^EA5xs*tD|{Jr%>R&c%{%c|skvn6o6gCJB%R
z)w5)1*4P+2v3+1`(?}<Q8FtLGo*g{jJyO}*$sbHUDYU=8u77nrm%*UXsBX}OzfReq
zde~{k>fEKVb0B}-_u<9MKUT|r*=R9bYiAH`>MLma&SR#At}a&kq$d%(DMfhF`|V30
zpO944w^Ch@JwF;qdI64aC-J$i0j9nOM*N*E`i^c-`<1obO}B<3uvKP3SH5<Pd;2-}
z)8a0hw=c@75uZu+aG1`^8+X*{k2@@mjWk$FGV6tJqYx|8uXPw=tTy{|5iN>4Ru06k
zBViYNmrCt0GE?|&4857tH4eG2PWN({*HaNos9MX(0>3vJ$U5c;4;L$|x*qUTFFcOf
zov&ufMl_$E;C}{Wbi_r!cNf4}7`utIo4nKg&g%@jxQ=kci#eau(q2#gT%L5A7<`SF
zar@$Zsm}K1-mAmzTV8KbWa_Hkfkg5V7P}s`W?^ZW)2Bq*?&jgNWG1>1+uyn}wq1{|
z9;unC{f5ZN#SYC(;*pNb&hhe*3~0t|&yd!diml{q#y=mC(%DldrH?q{CFset0^nGj
zxh%F&=WYX^u<uD_a(ibzS~R3NDW%@UhV6^AE#F7wib$ctd*(T|H-il8Zgow#EPGI!
z@h1Z9-a-00%n_CM&NOx3;<}oM?LcL1G+YU(JaNa~SlU0KpzZ5O47^sp3e|ElYyQ|!
z)-Y2rrGy5mNhVQ|2FBP&w`Cr7KOywoE1u#WIobYaXwwukWNoEoy}e6I;F{TJLZZ0}
zPlYU~&Splw#?*{Sz!_wxiO1anR~FfARJlYgEL4d27_guLTgoQ+O!eJ$@}&A7sI$g*
znG?ja-)FvTaYXqJG`@G|<B2gTQ+-<eL)9I_HljJ<g)E9}4hF{$N_cJwO08;483=G|
zbg6<#_l%%NT#6kvwZ0cMyPh^soPIDLFCgUsJ&J;GG<?-{gn|{?U?X@h<1#6w(Q|Qt
z9@w4M0Na4;j)NT2z99k*H32j|K2tWeC-pNVn7o%MBO{ZukpkHx08@Q}Wy6_!zbXld
z<zqSUz|PuZly;BM0}Q(K?bYAp9S2Rlf11KVx#h1Cy)OP2{-6W3Q%dxI;ZFd--#=~|
zZ2Y;lr{1Zn5cWZ$i4H(MWn6GjJuq#y7o&_TGYhQT1}gFr<)7x4!<7g$e1O`)AjUR8
zuX#Vu!2V7f4yMhqVh+p^XeJM&w8{bJ>Axc~1&dG|-eE*(Ls1P3Vvax;L786J1F$4V
zRk45Dm;;(pzv(I+<Rz&hIAHGhz0IyL^4bu2%LTsHm1z3mU&Fd&M@zFDwufNblp!yX
z4;D+8G#ByYp+sUbDRZxff4^gSzs2v)0r{}Q_72VX->m>DZ7hX9B)QildW4ogcyF34
zqAr!Qbg0zR^k<0t9Q+c?`g$&d1ubO)2G_^F;zKg>)lbE^kZmptpGQ!JOBI2EjW*%^
zM=Lfz2rp||AhV_@pL;rk+28bF{zZusJ0UPdop4ED6~HvIVTk?Fn2cV8d+gX|EhjgS
zu;6n~Wg6LU1%}%OVPpf|?93TuPpHHUmTu<En05xiI4<3LW<;Z(vL%=B;k>RXnkA99
zdo}~SI4HZUuYIW<<=A<CMxPKs_csa{BPNsVdmQY3{hcqDFsL1KjjFx^ya~eXEOlt9
z9qVy$BmniU8Zp=rcwIbx<~vY{T^L15KY&PC=+s{*rN7Ja{&{%dK~Cd8^zkaMIUuO-
zHdq`gQW~OyCBqK4%*b;?WHNI~PupTs=(fs$?O4FhobACzN7(L!I{9~4IalN1gjzni
zyTE|#8vVfdMkZxtsAz22{_vC6$sf;TR~GFbtgLm+*x1^V-)o2Mf2Iwyr0pUry<@$*
z<{{Mod57n31|$h5@gr|_lGd?JJD)rnH;X+EX4H3_0<6H(D+kb1q|l6{FTXg|9H+1J
z5ktE@G;^o_2mDXq$fw=qLfcSzB0riEdEu9mn`I6+kEElJ<X@)3Ry$z<?MB%8RC+X5
q+CysuC#YLdHmve^AH7KHA@7BX$;M38_^VXl4|!GpN{NQugZ}_O)LZ!g

literal 0
HcmV?d00001

diff --git a/Shorewall-docs/images/staticnat.png b/Shorewall-docs/images/staticnat.png
index a147089b7847c57f63d6068ec998eb9ef5be4419..bd566608ebaeb121fefc242822db989eccab27c0 100644
GIT binary patch
literal 6422
zcmeHL_fwPIwtf?OU_^R{myQU6p$P;CJ@g_)stOV5C`F`)rXolJQa+IK0Rd?drG5!T
z1%V(S(xnI@kuH(Y1Qf1k?tgG+&dj+pXV0wJ^E|WHer7*w&-!7d*;<>z1YrOGz|2ra
z_5c7O|A{Bebbpxg4GyM18zju$)Bt$#L3sTSpueqer4InFu&lpsGW@}yH_F}$0HS38
z0Fwd$$A2iy8UREn1Hi@&0MPmi0Ql|{k?arvKnK`bIvD>sz|YSQf}oU?l(Mq&l`B^e
z2m}&|M4?c&wzfBK-i(Ndh>MF$O-;?s%>~YYva+(u%F4#ZMiPnC)z#J4*Z1MWhuPWL
zg@uK)Ghk(9g+`+t92}he0sme9b>KhVfw$trj{$%u&CE#O;lAhh;&f6iDLZxDO3b>B
zb*|M9;fAH26?)_Y5IZhQ%QtV^^0>rnQg)up^Q~s|iuB8H%c<{h-+!cy490T+QpjMV
z#3u;G7<7};;Kt95#9)n){!Rzkfme&0*bVcB{P)7zHUX$pPY5(hzLvC*Ke_uZzcDVv
zFQ;75+$6H$-A0ST<~g*!GGy$k^+QVUZ}&&j%}S`&UMSAMLSJ;y&~M{w$onO69L2iA
zX|hnHiKx-P*)`jw<iS3<9Y{|Sc}!=#@F3VDdYDAtUp3>n6;g2$bXV@mwYs}-7ys%`
zIyBzNd0u*B$4+!R!bQ~o-mnF+jy;uF0d9KPK>kUdLnYBw)UKrz9ZMZPE151yuEPXY
zr-d(ZgWidOtjiY_qCL)6t1yg-F!fa&gl(8OL%OI2c#I}*evIQ7@{#281&wVh&0uM1
z4qVYXIuL?J;QG?&@psD0tfG9^<%VtZCiMmgnLUmk*e^9Bx#6oun${_;7Liq7<Rb?r
zsT%RG*o>l!7S*(21Xwm>ap;8NYnbjW%iG-XgT;{9#6XKspW*Tz38Ky0T>TP?by*i1
zHe+Jy!P^f7(T#5<+wTu%Uf2-R#%Yj3iMC#Yk}T-)-lar724_YW$3O~RTo|lKMC{^H
zSEKP!?2TV9n0doIw)r4sEc|6sU+mbJY@kuOSKOUR;eU60Ft!_o1#xS2Ldd@0g}v{Y
z!)5i=k(>Hslt!IHmB9d_p8em5mIw`8rDa6S#zPf)nsxGgo=k?TO;3Og*nR=6_*oX&
zM;8@xui3~s3}RZ)OGWL3IX)g=zk7q7P&cN~u_JB$CJN25-F@`4>)I0Qyn^qern$xS
zQekJJU+`YuT}~7v_Lu`jp6~(SYKh2ibZAig>N5y=f*zX7j!R6j3}OVYaxpvTA{ja1
zEdm%zE70}`5cszx6o@hSoen9q976`r>~IM|nUsd4U(U$e<Zf=HPvX+9IY3zz^tlNE
zo8J70k_KpDu%?#)&gI6>4o={R_`u~FKvqzW^<=^Pa_>=40Hkgz3pI_NN=LhI5e_eX
z59g`2xoy9R4ak3?C-6DbN(gNKPC{Fhae3oEbC3wTdr!9N!FJ}+nSz8u9i^Yqb#APq
zPBqajdUoN_ZinDTWO_Q12c&lFGY42bb0VKcY0r9@SpTeE8_qop2pCieQ8sEHwk7!>
z$8s9EtgJfF7t2nKcAw34jN7&^e_rqs(PM9{@m1k;a`$U(E<11Px*Wzg<Nqj<uzrt!
z>`4VlQLTn&iyprPf2X~(FKbZWKD^o?>DaNnsz2qUt+OwdbVWuwbHI&ZROaKXhWW$U
z<axEmu#dg}e7jRl9tzTIYi&<^v%9MA>X6BFU>MOk8yGgQs$udbt};-*@(odC(h%87
z65<Y-yKQaK*89~L+xA5c5_+d0t~Xi0_!D(<D$(aJz9znF0owUVTlY3LZA6i?boej)
zQB2=T5vPrM*sW!J2D(brOxyk7#ANeQ)vz2&5GR~GBiT#kUj6bid@AUgkVP=2Sqrfa
z<DtA@B~)}SFbD?m1dS_~<(}AVct$kne7|i9#w2H<pm<2l?6}X!#?{~3kNQr+*>&#K
zJq?`F6@F|jQv&z@ZY=|Pe-J0iVYW0pWpxz?hlS*5*1r$)s^UoeZ}4jyPh@heMt0zV
zyu)lEh3$XJsa`RIT42V>*B@j(&-Td?R`pAJo~;v@HaNP)s>rGZUz%Uf4SszPzidyc
z`Pj}izFQb)H8~<F`U54HQ5)ca-T#?_$Zku|v%(jI4|5%-d;XmxGxu3xXyd!?XUf5_
zXV;UrT%dP#;TsvG%y}J?EI`0;l3pDGPh7kFn4ZjEEAx^C$6|!FlS1~{swG-sEWzju
z2?+c_ElVI24ITC7X2D%{u)4toay=5QKw&b<{Grc)0^}aQF%-?_$n}YyOkdtF$N7Jh
zIF%zO{JIV$RPY{EfM)``BS#g`7$0HqDOt437Q@!y$C(Zk7#;jbg`)3UJ-tRxmTG*c
z#0~ZY6uy%{%4F%pmH`5u<5Ij3c-qzyD+BpQq0B30oEe(^x*YPsv}&3$#!@2YrvU`s
zQDvq8MRU&d@WF6PYF1tx|8FJ!SawE~vD5Y{(}Tgw%hN3B&=O0Ae5|-K9xF6E$i*T?
zx`sg;r|%EGJeB?7H#<_&`ZH!<E`g20nym|y=xKh<5Xx;BB&%?G8uQJ(zT>#-h5qH{
z5wFrkXB*loQdgV>*QJ|vr4u4^vn9+d-f((a#64k1GUf(tUdK$6iTuub#W8j@$~&JP
zrNnVnX8S=kTeimt#zAS`An<qA$6EayOay2u1%X#$qjCx7W)h1?_#2*4vcw?lR_O~W
zXRl=L9Ka5Cc1Y-dExSFj&Zt;(4jg{QGC|+MW>4wU8MC~gl`oXcUDfF=(ah*)dp9He
z4kJz-fyt<drmtfMbBlMnx1VI9ox7Tw_CNZ|Jk~l<rugU!c5%3lM_LAp;`P_)LUYC7
zXE3svstEBmwZ<f4bk%Kf=lO`mj3{}OD?;oZifK*I)mbzCGl)9L8ai+CP-O&}NwPk<
znl<v962q&`Ja%d<FN7Wm*eZs5iZC|8LgU2zf;jN0Zy6}S{o@+);ji`G>{h0+)0eN$
zKE9`!6yIhGz7jgI)9+R~c%s89#4w{YJnS6<&4xto=CrUhwH}jHcTQDImm^g^`H0x-
zIO=h`c*qi6a8s@yRL-8gbK?qyjP<&7J?%TK_lNJ?PthQCU*-PR)ymt|dfes9k}BF$
z?oUmdVxz%O9@^KJNt;zjm~@%nO6t>6s@&|MG5@$aiIG-(zp*|CmdO2i)kTN+3sygL
z!4$pgX|c$S+7TCPi^;k-FQ<xLjiq?%C44u?YUYDE{XGV&T^od}4r~?M(L>3RW%s3F
z1bm^Vr@(~tw8Tf(jdeq~6nS#3sqk?$j*U4~hgSc*YFjF*;QOwjGvB<0RZ*ypS_I!?
zP`y+HeIsZyT!>x(>MaRQOMNKZ*q}VUsSL$G{j|fG+ARk<Pm-M-XCh&sun8malHZi$
zT)vc{mlW>eRi9gvan`imqrUsq?dmtDoEC3OiGAML=cX)e?{&|nxVXhZXlc+nh-MmL
zSQ}f^_jQ2te`y^AEuulw<5=G}PDA$Rhu=*8!<#bZ0e32v-zH8^bx%88XUE3sI47FM
z_xHqFB$^(}=lLBMtTQ3tSDmPN5mm(tLOA{wp8)~U0%_he^I^=py`JlRdzwCs+Ny8=
zZVB-`75%+-siP>qK4>6T`}MR|+mt+gRQD(DGlJeRD|S=&AnDDqaxe>JP?}VrMtd$w
zG|6y-9tA(p>pI&T$3}R~bCSXIm4M!Vq;U{LXeU3Uv46y{Y%iJmP3>C5H$wlpAJ0Sw
zjfccnosh@=N2O;!WyPL^bOnx|$&+87<|=02;-MqoBHhYo1)B^T>kR;+W!qLL1bq*c
z=g17^ujhGO!VH}oXoNxVYxgwYV>e%k4l4w>O*F*~qOZwBXSf3wYMppqmkid*A0!W*
zjAeHy2GtjeSI~hoVs!@pIMDAngl9(1@$r(wT-d;NHlV;A5_4<y+IH{TS(?AEd9&ih
zLCM2!H-C^X8PcA=ln1c*N3*`ZgkDIbjIXElN>a7sbt)bC5*@P2`9|ZEf1*Q?`N+1U
zB5tc~O>*3jA~=-9eFZ3B67P5I_(6U<{Us~YU&d0Mi6)md0V@Owa5(SLFi;7;`?4w>
zSg-c!Mu&lZZ=yS?QRhM@QbieNCR}aAW9vd_jLF3*Keozc!AR}it9joF;tShgjk^|*
znLGks^#VLfu$FNpOOltbx4D}RbY>2E@g88o)j0vLjobWV4ZlG+!CeO+4qf8j5x{_3
z$o^IU0e2~1JuYJQ@)Sn?JX@BJ>I%WPp`&~NGJ<%28U}Vs530~1R|b09oq%;kml6R0
zZgXj&1&Rt8pbY`IsL-7kJjiH^yxWYJp{MDQ1Ypdq5upP7`z7iDG$zF2I4><FW0&dZ
zhZT0bp;CpqukB&luoB~T^x&v(`t;!Jz)a1qH0pAgIuxhGeTU&FrGfgbpZYVR2_!Ip
zdJIPo*{U;WwTs}DxbIxUi&JcrtYC^sjVd3q%YVSS`}8L8PT#Yn)4%+A+mloV{`OC7
zI3<0O+)00BK$v;+J2A*urA<LJrBp9LbX4nds5w3El5HNoAW5oHtoNQ5CFjrQM1~Hi
zRBW-K_$&~gqGA9%s`;r>2P_&Pv_)37OH%0kSK1y2IpJ*jIkxNMaIQ+d6#Rh<s9{rL
zRAr;F8~0vfVGju37`g6niAkD_emPFc81k$<!d6}v5Ei6#AME*yUI6>q&y;5d87TeO
z*Y}%xA~33U;XmHbNqvD*U`S458aZjX&c#X%;%HF!>$z^IBrDYI09Dmr7Qx(L8M1{}
z&5UZ<u8Lfgh7andlZdt!;ciSvPVTNUa%+02pJt|$s5Am!n_9@%mZ?&vBW3rJXYpFn
z(Q`g4T=cH0Oyq%IJ(jkfBj!b%M9aXT9Jx0b?;bFMzbSKhd8U8QZEqgN=xcQEX5uhW
zuiwc&ct*0Vo4l?GjG0ya;)0-0Gm89~an|r}rOe>&ZHj{-COrGXnGsN+C;43PPuH|O
zl7*6g320892aD0~^*E3#BjlO~z`E4c(=-5{U}CLCkCH8*+0f&TR6=XTky-;e2@;s0
z(yXg6$bY&-nZEA!(rWWebMdfJ^7z$LWceE~eXeI`b!53^hi75O>0IY8-Q?W3uxA|c
zpSf0e+!@C(0*PDex_V22ZgfP;H#P`yEpnR>Cu<~z!het^3!rl{BMVGFB!%y#G+<&$
zzhA{B0*Fwym%ElC=%HA(MS22^pC7OGMPOqzES8@P#p`$$u@jUuJjLkQ&W*9TwA*b~
z>;EQ_-(JT}#P#qXLXiU?UyK18ZbIL-*hiv=AD?!fnIK}$u)fVA30Y2V)<SW)nsV^Q
zp{dzAWa*OgboflXHa2$Gm>oDeN6C==^x_762K$(xH_xmo?GROljdhoc;dK3sSZW8`
zwPxsi_p-L*D6BR=<;gQdMPxK4cAMogk~ekIwCj3cZxW^j{1H8I+|5;viB<oNG1a}7
zF_n8*F{P9&jCEZk@JKZ4rc90Q^<2j5?33@t=VSR6M{X}=1&b2jaRKnz=VGlFuLY=&
zxWrRfE+3PnVe*fQ)-yuy2#bsw&W7O@gKXDTvGz1>v;p>4X!2u;+gcUrde_eB{RYT3
zh59C<n%|!;p4rcv#_h}2-ujC#4*kG3&mqllGm=T*uXu%}J@paB6I6d{TH9FtMSbhC
zh%vKr?4F;wK%%>rzoNX><D<oyBZ4#u8He{qvCf!gkDrcSH>d_^H>EFyqFCD+B@?;~
z!F48N{CU^?Chrg%=B_CimeLi@LLNbgqkVIUPcgBy7{cpG(_<{J9*f^w{jTHRu9)zj
zh(?%*E8jWNvEIG?6Cv)>SHEFnmskk2er^10BaZhUEQMF&)NnfT_4=!s>$aX+32yvj
z0Q_-6!b_tzWjqA!3GzK`UIRt=WXj0}AJ)9ELr{uri~xQdVLmW}DVp(k7qTeq`s~O1
z^Tr>-P3V%s+5Ft*tR+R-?FI&s@tl9|f*lv=rS7KNcFb?^{0ow)LJVYTfM}%=CPQNL
z@ClT1sD`zdK$>LjpO`>sCxxaLIKT?>aa;v(6gNyg+_bU?nzLKyJ1PEMCGxp|a2Z(z
zxJ<fl5ETaB8xR}nNzJzsR^P2Jl(_@6J2|vW$B0IlE|s7$?QynpuUdW>(<66>0E4(}
zQ``J8ZAuC_E0=Ka*;iF_jfM(6^3y3V=c$KZKMDm|v}-!vid=SbiU^wIRi#Fl&AyU-
ziJES-Gb^lZl$z&j7ex<yj_y6ywfiVUDLapY#hkwC5Nzrn^S8EgJm?iQ-#GU|IyUrU
zLIR1ET&x<WSy}Od>J+o67Q}8J@{o~OCwSrb?-pguMm99ad9oEDeC&ngyxTsj>u04G
z>9SXiKdX6AtqyaS#O-%Ax4+WtjMd48CQf-x6jjTL`rmE0o?|zS63&Clm;Ed^rfQNs
z9M5&E=I$}f5cAcgf*e9K{4cZ6uSv>&y@+CQvKBRyoR92!$&Xi;mBl$O=5{MOCKmjy
zzMpC)=4YW(_tgu>>8hsHaX@aZ9opmL*Jhx{rx4;Nj)f_n9jPnwO4v#;g699kq%?J^
zRk(v!>IoET-$#q7n(?=AW>M1GcgA*%S}1a*bX#66@%x9HlGgK$$Uh}ig6Zf8Fw<jk
zHr<guuJ}S5It4>uC`o)0cf;rWobAtd?p{F2w`i*1(_Ii_v_nB4{AHNbbv#i?ETnL}
zVN~_f{TeKsgSzn8jUU@F*nKWW$^*XcInWGHtYxw7_7C2Ppp1Qya09yRGft88@Ex}e
zC~oIsD(5dA0F^M@I0V7Dc<nTBBaZ{}Ze^Y^SqL<mmdxzd{cCb;W^8Tr!r(^I{{X~u
Bnic>6

literal 9725
zcmeHtXHZjJxNhi0Mk$JfA|M1rI-A~+A|0`SAUzOz@4YE1L=b5qG?l6}L6F`)A+!Xf
z_aY%kM|y|5`OcX$bMB9Of82j}PG&Nbti4xz%kw_Z+WYMz{fE@d)DQ@ST1!*yF$6;N
z9sItdBnDe<UQ%9NAo70v@ByT(k97t7Lu#+0rviagBwRbQCIkO-z%?K1K_Edq5J<#J
z2;>B8idcp~d_^FTRVxTY76pOa_Q<R^l!riIAzErGPXjDAvh>_$YAYjl{k(XIg6N1W
z+}q?R=c)HvqqFz#EmPZON8bMRm%5Qics_6#FklI=P<E3^`3C*);oe*I?LTt04$^-f
zsqgTwdTR}DpXZcYwlw3(h$xjI#EL|sT*6mBX#Y|*l2DLxK!_+wNkzDHh>2+<lr<qh
zCC^opK*sjP#l^wF!P3&wP@zG8f4|Dlv9U4MfU*fZKDWJFMs2DqvO7#EJebULF^i-2
zPV-(5JGmey*p)J}2E9!n5YB7HUb_n)tNd`-+}vd45Jki<<-L3JEa5{AOkZ)Ku#k7<
zY0!=91Ds^;tCZ@5%}^P$!jHno!<Y6KA`VpGTIU;}>LCksE%$E<#+sQC?&U0@25L}h
z3@->=MgX}+>Q6WjOKT@Dwlt2K%!-*D3BHha1p8r?=SvZ~qjrza9SsWzsM^6g4JX~E
z?3Bx%{#Y&Xubx#VE*funULU>6?l<=3$?6FwXitaUOwgO`(wQU`JU^iW`o8(4bCIr7
zHl`aoV_^1QO7kKu_?)|!${GlNUcaWet)@h;b7DNS`Pf)^B&j-^e~<VU`Q`AnaJH{T
z@uJL58V!U8wv@UL=1*s<C^h$amD=SvFGhSk>^3rbFDImO8@F!qROcCeB(f|7D!$Hf
zh~%;^yIBg&^t2<BO3VwWh~$Vb6|1?%3K!UFNbqU!X6k6yH9Y{6{eg0Owq{N@`A=Cg
z32@^3c{E|WPXbZ(LP#y9m7A2lABgoF)+?*r#of!1ja(J_)*!1tio9!POehth_E~yx
zEV@7YxjDCd(N7YQX}ck&M>$RxFcmQ>7p=nH{2{8?v1ws6D>W0n9RZz@sAjix^I6rL
z);auj&c*_z|F3CgoiK|=8iPo$mHY2z!hGVP9iEYmdx1Oor^wCF(ii7!8H+zv-JHAF
z-avUx8gv<m{YYoAMJZ{NI<dk7v5kxNfe)p!vSbONP1(LR2R=92&Gnr13aj&46z*>6
zu<U=aFzY;>*UCB`>#a!kb*Zn|>}3Wf1#jO~wW24U+XB9J?KOYu>2ow3`H~~cu%fiz
zAi8N|a(&>iL$3`}q5Z_N`!#02J9~cHrKw<)7#NTBTp5rI!`c>U4R(ujLL%>yhD}B$
z_UKeCj9Kc0vYy6tSLDWGlQ?K2Af!7~e{1}9Oa|zQX;H5rh)mcJmVubIi#Gzg`~P?2
zdEYL+GXeaZ$LAy-f*5dss;<KbAkKCOy=LBsAI1!=NMrkmiyBHRjNpS1i);u&pg;MI
z9hDWPQvPkKDg;=1^cj~zDuPehv)^C=`q0N=OYfkk-6PUm9Z3A5*KoQO#t@j=X%vC?
zPFTCRgLt#{QIQDyJV!=hlPdyxxc%9eiWpTvs&4a~z7?73^EQho0%`&+1t%`GcWB?X
z#?XD29nBQO-J9bGxx5G!*>7l&3w&b1t{4&!5b#&Ymwje>T3$&>SoHMl_`AmYv5k$=
zIo<2Y-!=*1t5Lm%If|jC23>1w#p1z1K|2}UKHQZDENULAvAikknwXV`lrg3FG!(oP
z{r!6z(w@qzQ6iERh&6h8x8hXo&CVAG9YtUA;qcXm_dhNQwBO#EZA!Y-2A-ufR^>Nx
zvA-o!mp$?F+K!%^o73@d{Gp~*bx#zQ?2buGyM3#o@eAC;DJjBDb5J?V;_`9bk8RvC
zd5O~Uo^hDe^FKAXBUA;hQRHhll?&QX-`#lhcz#iD`%Q4?Ez4Cl;|EUNsRHOISwq&v
zn+304Wb#sP9v1Jz#d25m0?80Jvt-D6BV|?IacrGtrw~7~=$<cIrNJ&sF>(swLU&+b
z3R*(gbi-$mrh9LfLPELi3D_dVovEXakC)9|9pznB`ojzQdyBojO4<u?t}}A{Btx9X
z*84^C)RPjAHcmze+8)qsCZnbnA9Z2Z)b`1?o^Pyo5mk9Q>-40O&KeuG-E^PH{Urnu
zT0hJNGL=Z0bp5I`PM*d!r>qh5PQeYC^Whd!yBmsSAK3qa0jsZM!hZ|aX^O(%dZ#g^
zlIo)e%$*z9=$q=6ZUlaxO~$O!`KJriCvtqg)pU!=%)ep2?HtElm<Nrfh8mlbkGO@n
zOm}>MRu@(2ns-)+!aKV&Y?pa)Mag?HXbYJ;BDqcj!Zgu>*L;gd^CB6~gX518G}<yv
z{$E)1!e~Qzm!+0rjv7t&+HJKy^wt=yy}@nqIFw<WVv432C%N1mB7vD%^V?=-4J)tw
z9-R;}23mk+H(^Xu`=Ku2tZ~_=+!^=NWf?U<BN%y&P8y+6*UNM3v!$+M3U{?dh`Sr1
zeo!F_->(rBS9j*hc-t&vMX(F|(E5YX{@N3^Z++@vf3G#AymObDx5d?lxmP_}mAxJf
zmD8W)R#if1lzu<!(aG^Ja=3UHq=FWp8j<sysksy4SQyM_Splv7>btbBGdVAsm4BKM
z1~&MfnQ512s-QgSn|$PPaKv!0Js-U~|6OLf*e&TxF8@nIsLXzmqEBH*xFhVIXi}Sm
zmq&827|-#MwbyO+;AD#`2VX{SDcu>>N&SyHr<&jto!AdQ@cG_0%cyNq`Rk<*IEIi5
z@kd`20-szH`f?HFN*zf0xVUQ`>V90<oSTN-?oGc3HG56hax>-HW>Q=^ZvRPWswRg0
zp6<m8&n>e7-kcZ7Qqen)?g}XUeh$lL^NE7WX$~%`V#V=`$*3?BFxv$TKBs`-+6%xI
z7>Tg8>TmkX!K^RuYek;JG0^X`W0|6G%VTDE70MGSA1{9mEA8d?B8vs#A^{-RD2T9K
zrbPx2VANhe;S>a>&_)OIC=i%b62Zt4$%UEQ6jE7f7-_7Lion;P%$^}A&-Rjd30|zU
zk>V+e8nMo003^@@eVOOQOYzY1y9O<F;GIHzlPMq|^;U3ypeDjP{7flwz5=UUUvRzq
zH1DJpvC=k1ooEIGD}PQXmK-=pEKGm+7HZ#j@yxpuX`EO%XGV+?O}n|#L)VHVJg4uD
zfgq}WYd`g~dQPGMqM3qy`B=ph-~e40h<OM7)9ot<bRahtqZ0G}U2G^gjiPtZ^g{@+
ziC15v2UkQD+y0F^0xGydFQ*5xGci-pWH0)Ey}|!Pav^+6WUMh2I}@EQB5?LVbYODJ
z<;7`E_=OBWv}BP3L6r1o-Z`W@!cRHRiB`q5$`GTrS(V~{fJ1CRhgAP%d;jP0P@YTc
zmJ<HhfLnnlI9LSKTWg?<6$I{hSfUH1l?F?hnmK4L6ZZcdsYUS5kJsUnsEP!6oV+$x
z+WVj!Er)1~l|Nqs0lqHJ!8jiDRp$pyNzhl+#-A%meljnoLlEmS!A<d5=!!8c4sgRt
z8<b6@^C4V#ZzH+?-TW$O!u|9iydp8mlU>*}jUxi8^N2eJ2D(ZsZQPL<m6$RhON1Q{
ziqT+YN3e<(!*NtVd`iC}A{u(yHH6J=M*{YjU+dtQ;;tcgAtEeFC)SSuMvs@kTU)S>
zO?tpqnZd|9ama!oTohEf;%@-)sF8}Lm(b20dv>rmgf2QR8QNgdzlV=Zi{hUxu1KXp
z5LlRcgBR#4nN+n(&IqV$Eqw|b)2MPk*wjC<=DR+OY(ltYd%`h+UNe2VqHwu7EAD?6
zYxrM2YDJy~4Ahf?rj5EQDgXw9PJO#RxZ4usC|G7k0r7<+5&RnyHfMd5XGzF`C<}J{
zVK(9p43Q~wYK&t8EY!2Zyumxo9#`>$(US_-;$|U64aD#pj)8s}efa;H2J5Zg$b-Q2
z4DPcihZiE&CA@c$V5Lu5^Fzc!r@G0wwEkV}3Ap9ZrM=n&2x7W3ZWIQZmj32jYb^+1
zItcSaLlCxhRr>SWQ^os+V$Buc)ry^N7Y<0|e?~gU!Z3FuKwI;EkA#qF)3zdE_vlH8
zX_?|6R~d(0S{w79vv?oT3MCf!2<%D!V2X?qI%TAmVbsB8MvCAw1Kr(5O_y(N=c4Ik
zB-8L^<S(HO+GD?>aV7g+>u*_KTkuKnyoNeIDoD^Jmhr;!35vpbJkWw*vX;Dyp<HBg
z?Z^(3NoV-_DIG}0fXl<siyeBT`Y@WQ2zP_ZpeaPV?+%cfr&W?fnhA|QPnxF=>Oktp
z>wMCWfB%yg^gXYZkN1$STi%gu9AUYildm&Rc_PnE=um-%5;%CD{~J?V8CO~Cf-LPM
z+xLhgpsB1e&b0=!&Muh6XWxXIu|dDwF=YFTz3bRLQ9Lw=HTb1+2<LjscOMlt)|4lv
zHW;pz->54Bb*=5C@{Z)^gQ`Vo1=|^9S*)(9@c1MK$@3+P>mDMLtAE74E{xZ6#m(wt
z$GlEh^N|RAKe=y&6OqY3H-gBRmh+RqYXM(H&o4Xnmu^VxvaLGFuz%&kN<WpIO4s$U
zUL*hElQh78V`wx^xC#u}l{@a-D9^@BNzq(50vXq46)Zc!5xBeEnK6viD|x+19tmyG
zF_9wC@9}Ix2smSEi`HY<NSZ*GH_DRW4_a(6SnXePky>tj(uc6aYAIZ8rJlH(Dar)I
ze$=bC8Wfa1)*8)n0UX}})+nfbm)CEZGWp`=!>S7_T*75bYCC|;IPL3hTFLw@2C1lw
zv|xh%4g#?!xc4~;9@j`YBaZJ0+dFCYHUS<>N`5Oqvk)U(gkT#tx>8KnI^YG+v>zF}
zTbxTwqcd-4FuD`t7eNiSFHzg{>oflKdyo1CNA?DzB{EFqy{#($>Y@`XD^72j1c7)g
zJ|MFITWec1Z*0n+i{vMSH1$wMzaWx{&Ed+&?(l+`L+1IuwSYBRFcC-LY?QrVF=x(a
zqtSzjUbFi3Qw0C<ZFP>(;}8wwAv;{{p19poc7uXxP%TKJ8x<+e<E_l&EBeCBx?|>$
zeS9Z<HQRAUyluFinz?n69RQ@%(4g<^4eQN+`vvMZ@Vg^(*6QSGyA=grp!Sx(X3s>q
z;;i3Ata1gEnu(RO{GCJ(1phcIb?86}oZkXhMyPPb9O>{i^CziKKXwhU#?_j*kW0XK
zYX0dFrZO7T1jpB$s6xjLwH262viMkI&L&5>;AA<qX<+K5S#4Dhh1j{=uWTbfZh_F+
zl=DjmPoqRxZc&HRI@E1`XWUGfqb`YQ17W9)!9~1@itvWv-RR>CYf*ScpkwIM@9BvY
zL8g|8`JJz!It*Dnv+`bQaYF*D;k>a>UfrN{J_8$#s^^HhJw`I%AhiO4k&A{7*Z{qy
z2g)LF*M*;Zf3T=sH6LNu1*H{f-DXsm5D5FXg_tkZltT~4cYFC>@X$SNyNLvZ{jVxa
zLVu_T@7JkN;ByB)4*rHq6i@3|BK_7nlgYUL;yf}|ZRM*v=+BOlDw%@FET&=PO{8mC
zD?0Zdq=e()<k(;RJ=`0{VDkd?&Uetb1y-SPZhaqwTHH^;-_Z>JASv3Y!=DTHPq@Sb
z;eS{KueW^N<$VJxL)^$tD_)x7`b2)|8K#VU+LscM>HN05j}fS38YI2$u-VFayd+B-
zvc-u?OlkvxMj%E4aI+{TH_-l*;pVP0lDQHf!o^F1u%&jP9e?4mF=*60f0o*5iw?hu
zSS$g7Dbf|#+(`p+$tKLXJWp4G3Gq-tuQ5m6vI051%;Rr|PWe&L-C`v_E9_Y3GMg1<
z00{933+}CwMPS)e;_cIPzd#d&Qi&3NB1w3vyOIx_^5db0XgBxMyUUbf5F)I!GQD1b
zhl}ud(fW=%8zS}HFp{U&2K^D`iGI43c~1hbZzawi3j*-{EHYm2ab&v0OeCT~=-n6S
zHK7<PRcj1YQnm!4X=z7qv1GL@D%#*&XWxolCh(1%eE8D_Y?1Z%+FuUWiA!Q+b{fM|
zJDo6Fry`bfYWM@&(b=<#P}XTJpZYzRvmvn1ey#(L<r2Z)bW{}SK3m16P4+~;q<Fek
z{1+SWLA&EEg;9t6Yb&sdHn|s2sQJymKNI__{5N0KW1%@;#LgKjZ8r(<Y*=3ZGwj^3
zxkk7)P%R*KCli$zh;F<>_-OISD2Yj;8<^LbtT*&+KW%}f#{W0EXj_ZnR)w`kj;FhB
z3pVqfw{G>nb$H>8s8`v?1_!{#3zZ}TQjB=i^*)B9jheZzV?vr`cv$H14k5($t}+K$
z-YP|8IsR_rAIgubWRo-BMX=sW$Lo^;@flMZ_AyWvJ({08U{N1cwF4ti%%fiJ0R*`7
z2_wo2))<Dr(p4Y`K93VW4*{8(2{jv-d~Do~C7d>3d6Zdpxxx@ve^XS&%(RHuL#uMA
zQs~Lep@x>0v_nFRjFnRO#o5V8{lw1kv5BdhWD<EdCxKNnLkApM=iAVVB5?yYAUOE+
z;ykz|IxQ{j2D@Tc#%9afOq>E?O~JsxAR{+9VrSBY@rL6rEwh;p1hDAMnf*>_i#Gf!
z@A+O+P$ai;<qX!GWMF(>`dG7Nzt&CT3nQ#R{Dl;L@O@>0UhWz=)7toux8#**{#tb(
zc}+ZUuH{X0L&LS<74pyO`Qp!|a?Mn9fLoifP~(_n1z%<hkZf7}%(C#O>k`jhHHcNT
z40(J)hJI2Gqxe{D8>0E^==X1xi@yntb&i<D_kOr6%zq$K;ZP{47k2qB266L7PpQV3
zvT)J4f7E~rdZ1j?dlMj6os<eRwNwEISIJWJr<ZouX!)tP?JC)dlw%mT^u~@`_VKW8
zYXLnYRnt4yoG`bLD9?W+7<HjQCAlnz2L`#&KCg&hsuo17Tj?>~paYmmctWU%?XmaH
zDH2wur>9HiSlf}X52OAx*m3_09_YCi;FMU@(0y{V#zlx<cA_x8rJX**@QzM0$99d)
zLX)Fo0o!po?!NB_c|UPI?6_g&65Fa4KrJ2GWoUT;pM9*<!_QHiF?NwOyDb-_84|D~
z>V+Mjne0H$<hx*qw#4xC9D%yLf3AfCJ9d3^AUFNI9HC4H_=y<AjMIQrSNA?sml)W*
zTBHjBjL7x<AA;WC8kSxHV>p2L&g)Sy$ej}la<;Axc|VbW;TO&QPD1TU22o^DBUr^N
zHuSFnKQdS}mO!G&_<sq|Z&y71HOSL>jiZstXwUa*@e0&fX}>U*Og4mz2p<g}s8viD
zQoxeX)4H-r39jKKb7v;V(+yhjzf3`PC^)$H^E!?5M|N-}IcC&ikDV|o^fCwHBKYxR
zR}Vi_MO&T-_my0_4HC-Ryb+t;l#i~?m-JM?4jj4<Ou$SwvVGg24Cb7;EI2SIE1#>j
zBjE(^UlUds6^5zJDiL@?owY5fFl<Gif}E9~q_BYtEOm5FtlpqRlqX71bp}VN)*R~h
z2a9C>FCx&6DjzUcY0IAz-A4{wN00jzzJgBSsJY-2F%llPz<q!UXhtOh?MWekPW?~a
zAqs*54eBo^Xnyo^1ZWiwEjTsZmEcgZkA_m{xik#@gWOn(Nvr_PRtrMtl>pl0P{!4g
zFzV_22fO`=f*{1nbpx)p%m!*BHlETgPEa9cwP<N1T+vCnq4s|jq5ybNAif7Qq1`-1
zLvW|F8!^Qg^=mdzl_h*A4#<@Ly&aoY-?b&P%O=Bp=li8T>%$v-BQx5W@uX{Ay(oSm
zsrn!;$oBP7l~CZqa2xg~ykqu4Q~Nk}PA)D~)*p_!W}uG^;5?fy<IgaZCukJduM8^9
zg;ifn&$r5zHSB)!$z1ca*%HrJH<qJ-`E8nhGUo(cLaW&;lG4li?3u?1v=J}YC6yTd
z6p>NefF<#cNzPPvzONfk0hne#o~jVVOXl{zU=_(-Uiy11+&S6^HLh#uAv^jlV1;q+
zm%|1KUY5)rq6cPv$oZKX89gIxioi$F8O?NHE>f*4q@TxbMX>T0fA#VYw!Q;-zDVl?
zcGLaOZlg#YdxS?N8E(4p;=1nWQJ=)uX*Ps>TA4}wW;ZhYeBT&%YFWCUf7e@z*0}F)
ze!?hjSuOoL$rD=r%7&=zXuVHixTCf57G~=&j0Z}W$Nfr|XG5>dg2i%Y71xNJCsa-(
zavx|aYO|%qIuZHTp4xi^aK!bb)uc46jUnxBkH7}nk>Qu;hcNT4jhnzG%unTX-YICT
zc{egRKIPf7I&gb!)E5IVgm|QqH*VQ-RW@b0!#Cu%7h$36SzMXknS&>;*wN&knO^^{
zJQo7Q7^-&ThUR<5eh-q!@Jllq{=E-w9NOD#$NTzUkJ5jMu2>wLhF$|UNmIu%(G^{I
z4jGl3)r@(Y_QpBcArIm8U8cvWt3s4_5+;OGy&ny`GbD%{ohSR(SB+BxXj?MCNKWU*
zO(Tly11s(RBwhu91r3=;X*E>Z!AZc^phsATC|2+mbK}jYJW4whKMu!9Hu(MhtzN2M
z_Z-SYh|~2rJvt~@1C$2giNHIKb9(7Yhe^2@^Z+;S&?u5eoQgVf6;$?AUf@6}A8Cu!
zAprV4C{CV(7eExqrE>hA3;$!1e}mx!z&EH08;*R!)7)^f*Q{n_IamJ3LY$RusJ4Ik
z+QPJ*P1dJVWm0G7*26DA9&X^;pqmjt30qWag;#Et_CN1hQaHQ6I?N%p7-0FV8J_AT
zc3{B1g}(l#CzT}aN8Ni89um^{t=6%wGLYXj-a5r(gzs0XSem<rR?9v=6AfZr<Gw1*
z-Z-Dx5K@Z@fv#{NOY$Z<F>1BJ+#PI3sxlRfY0<c7jMVJ&D~1;W_=+jf?%XpMYm7y{
zSbMD~Udz|d9fO-eErx15bXAX|*gUntaF&Su!@VR5ukI=Mj`m#XD|m8I4>b;}=!(3&
z-6W2_Ln!2qSH($3S=DE$3M1rACP)iEg=;gGyPQbozMz%Bp@#Vp>!bI%Xc~oqvUN<=
zlL@R126tEfSdMr1w&B?_N$?QYQ9+K3kCTQ1|32UCk^C&Ec~iQ{#Gb3hVXuACdI7Xw
z96Uyqw#6p;Icdm*1Gw72AfacHG97w5XIUM{j2FgHip~8+#~|53$wD2B&d~!Yv1=0e
z|LEu(WX9Rx_{<3t$vs4P8Y6{Yl0lWY<c-RhO*{hJ#QL3Duj{61K<$2^Dgx|=YM{W@
zyv5GOXG4A2r2(*(qMo$~NHH&Jxz}tz{`)0s!B$Q>hiTy+sjLLNH$`tw0)8>Or?u^R
zr*CBM-iH;hJK%XAVfT<1ShDmLa^-ft`27zFb;!ziC<S6Dbd6dB{-0AF9mhcp?w*H9
zBUshN%=><}lqNr!tL@<lD_Kz9s0{4t!DG@5Hj-s@{?zr4dr8a^pqP)RARRII>K#nM
zb9uWD7G9THyrS4|rs1j+QSA5vSaKNfANo)zS-fUWUEA*vY(&=-PTUOj?z1T?AW3o?
zM#_MPbxTr%r%E#@6)DnM^p8@ge~Oox-f6cLMFC43QW^wGH%w;bz}z7v^4nOc%tjsh
z&bApsA4cVoGcbyjF<o>*7q5KyBVM6RJFm!v2my9yTc|SK&j7)5!)|TCiut!hkpjeK
zdQ)i8Ka->GKWD3YDGs6E`>dEJXql#v_Nysp@aUd`-mTUy*(1v>*ri!umxZG2@hSHo
z53GZC4}(M;<PhquKbRufq*#rQeR9ru^upz?78d18JmBz%ICKPQ{#5e!++;VOqVuNS
zDc-Z6$}w?S;4PFwVJ_WBC^8kdtpCjaqKAs*^3%lrWleMv?Dx`d774iUA@mE>yPs(i
zr}B}|v;qT8I`pg#tN{3s^B<PIAPKgoUm~IV{)Wyi-b>Q3bUOypllp$9+aRHKe|9oD
zJ9a$iCXH}eAhn~tP3LgzBx_Pj>gDqH%=KImK8Wnj_%w{Xot5GftPr`0WlGj$LwOn-
z);w+7pst*dt|gndG~s1GzCO7-+_%pw#3jP>YbO*_i&+0$xw3vq!BZ;{2YuHs{m-Gw
z$Fx%<TUHBd`>c8N#mfNq;)Ex$hSxy>kS+hNA>8TD_*Q1-Yw`Y?-@)K{cR{a~6-EnJ
zn^&4yyn;JLF;XAJ(VJ5jOsU*((Krk_I-ayscyJOt)Xj^Oob#D`FyUfSsv@VldLRIw
zKc@pRhQC3m?bZBXe6c#&_nW&o<MUEt4H_cKGu?R)0w=R<NJ&TJ##2d9=+peSw<$p3
z2La!-h!i9qM!tA?#0oxO1`kLxh5ulgh-t?`f?h+pEknv7!VZdY%f56`QjTw6!E~cr
z@TOF@x;pD_&II6;whRGbVHan|-oMOd&-OO<cXmE7XqhgFC&gP>S{j@7q~*er#e3JK
z3WxF~QQI^M@vmCvNfkqakCPf38j{>wmQT0lTELIxLyzEKew?JJ7Aw{1-d@%4V|;BG
z`<*+I@N7pbJB^B9q^hm3`|6$~FHeg?9)X%qY9k{fW8YHygU*JrMS4qfp9tYOC5^H&
zwW^H4vnV&&$0f&-W;NNF{|qYM1t0qLX`h$<9y}JB-E)2KI0cx9i00}VNGvAkhV#B*
zB|IU(4$PSAMMg@%TUASs^f_bSz>;@v8D^_sDrlLqBN#=!Hc2INGacFjo1RL>KCdR9
ztU`@uo5l)dZFyas6qYh$#IF%>Me8;|&)IpM)+gTb#pz+o9aE{?H_y_`P@+e-cxN2X
z9eR@IX_vDiP@31$T9Mlw`-8qHl%a4HJe}O5s)TNW@bp1Y$^EIDUe-X*-k!Eh>!+BV
zaL$syk4H1|_Qnz|e9DKBAMRZK*hFOOdNQyQhtj>l-Q&$tB2%C?=1B>}xMpunzDj;#
zD(PyWm%V5<j&u_ziVv9VW=XuTmDG}%E6osvaKAPC`pn?-q6a1NA%`UV(W~}nwr2E8
zX8B-eW~0OQec730KLvo?M^eQ_(!*>AS5zaP*C%DC?LkSSdez~%X7s)}u2Ld5YQ*{1
zk>}^A@pAE8tSg}|ZvpXC&`r_y5v|ZCj$d+-t;o+EAD>T^=xC>ldUPO4gFb|S<JK7a
zX4u*7+2M+UB}NZ<^m(Fxa{gkDR93FH-yr8pv&@*{QOBahD_2x`Qn2^#kriE{`j+l^
zssK)Yb#L4@O5pMv44Q5lYpHRHrhn4j-)%cGY#c{^9y@v<tvCm3W-Xqgs{B&if5s=;
zbOD_6=z>!wtaP=H)>LVy57e)^g?j=IC|P-EmCXNS8;!csw#;i<m~<j^6)Os@&x`Bl
z*$zc=4xB^Jjr)-&i-lp9>gBF8OFQ&mK0dO%--{2a_21j}QeUxH*JD>SkftTpR&Mv{
zR)1a{R*Ef}JHMWq_;L85IN|YRI7Y<8{It3XqlHO6#52z}<-Tqg9+kSvxLd?V2vXUr
zUtypm4fF2o0$)+$2Oo^Y3V4FAgZ#I~OR^W{GuAxz>_gxSS`aODeYLU&R#E>8;z&aj

diff --git a/Shorewall-docs/images/staticnat.vsd b/Shorewall-docs/images/staticnat.vsd
index 3ce9724bdbfbed7b8d621fdc00d10c71ee7e5de9..5f73334dfa32985b21f19b4df159eb5988eb570c 100644
GIT binary patch
delta 12880
zcmeI2cUV(N+wf;nXz~zx$IvylB#6o?ngfDhBSb;hf&mq5Xec6UJz#GTv21kL-JoJw
zbvJ-0Sc5Ant|el}RS`i{;$squVB>uE0g?5&-fzEszklENT-Rh~elv5=oO|wj=A1Lp
z-?!A?x6Ds8GTss&tb6~<g>9)uYw)9O?~EwC`Pe&S`M(&fG21rU4c_+1&P{-(A{Ii(
z5`uI><j4?d<halYBSR;SM~KnMX*_0R#OUCl@uAx?ZEd!B+xM{x7|lQwTozCZLr8?M
zXj{B}4~Ag$v26Q@;9ka|m(yQ`TuvvRSfiPAmCx5suR6b^YHL(mW!+9Lg&s4SbRd3P
z-nZW5e(vS;bKaNJCqgiVQV+Bdn?W2fzdW6eZ<={jI-z`!W`^7!I-#B*o4utaz5MRm
zbb2&%?VHoD#=b~L$hKYf6G)#i6Kq7N-p{@CkMx)1BR@KHn^T@{4mDWNp3cvPu>hNt
zPB-hU6c#dacuPfjx=FhzYvljf2~r-Y55%-EdN8!|5E3A|lg|8R5c>PW%k3T0oDRnh
zsdxLbZW;wmI2K-aX)w8?UF8O78{plXz8ONHLvwn5qcx&?qqTL&(4n3!a7$Yp>--`h
zK4ff*=v!n%IeqN}j-VbrRXs1t{leL{?bGQFc_xIHloKlH?~DiwTB0q=(9<$)(Lxd$
z{lE0K-^?=Y(3rY*y={m32I6wM5j3Z-NXS1+DsRsVAio~+I0K;)6F10pboRQvGlZUg
z?yD5aXuZ!|giI7kJnX3O_QWU1e=b<~4+KN+|2=Jxv^qYI@b9eX|5qEGmgWNkqYdjd
z^hI0mow*$r$fnhS6hS;3rttR0_Z0mOVIzg>dTgQ)^umFP5Fb23@$(g6M>|>Z9UuIJ
zrMSVv7K+kdP~0{Rij%ytx#DRMHs2Q6-=w%tZ#>FGQ5TJ^yV&mjID+{f`o@mvznsXw
zTA%w%M?_m+_-E^*EsMT-0uQ+1+OBWfs>bN7zgXXzrsniL5KN40;kN%`ecvGKf2!{_
zbO*Gfby%Nbg#<ebTFCNr+S<zdbw_r8F$j7c>a?_*Q1->rB1PD-m=%DnS+t%kioFBz
zIjm^Q1?Alwf?35)L$L)zF>EXzR!k5$8+RnlgTEvn4F8hM3&oR}^lVrZn~%f^pPS{6
z#+TSE+K$_YNOlg9*5P+BEZT#^&vbZjPty($rWZ5%iUdx_v<LrV9sa!vrR}2Vl`q6h
zpelLZvGR3#Fs&#0>hxebp9DcLvip~X@9%83+nnN*aX1z$ZbV`0;@a_e7-*~n6e5Vm
zb3d#2(4<Zk7cZQGtv{=&Ear<Iw@5pa3P`ewW8-kJal1hm=g+3w){lYdSvD7Jo1T~x
z^YCD-I1vFXJn=L8ejc>DnTQ8s#ks4Pqp(|mL+Q%aibx&~Pzd@%@u3CS+JyXPyTyNJ
z=drx%`j2)VGjl;WB2mW@+PSNAD)&FOp1<9Byur)poyQg8&Yh>j3k8Vogx-1ReCN(X
zv(8Xll8#f%|98X5f(?gQ^S>KT=Z2Go!-|P@_>%SixE&$mXV?+kf5a(H|AQ9o?Bn={
zo@A548PA50=VgZmx}n(4v`KdqOS8_)et1WoF82ps8XFOt|J)jtK|tsjs)L7B`bn>~
z+p+dMaq_WncY7H;*T3j^w$y)qCa3Fu2LT>%N2Vugt<h6xl3Veo(AL`yxx1iP$RaxZ
z`HDSSXN}fFps#ocJt18!LhYPpf;&%z#rh{WiKU3D#{P=!HSnBNR*fA=F<JmE`l5wM
z2EVfQoI8p@K`07^Y=1fop^RakORPk6eBGbd9;fSwj=Z<HBTr3kk3CPNw8v-CGumUT
z=*{hMg5S;#&dKZGpML3x<4>A*6eus#v4VVx$MSMvyo(^Lg76r^RtWUd5JK;R=s=fk
zfncG)y|7E@Y)JmyO>~2D`UQaw^h*H!`q7#0<R-<Y&v8QpSqWwBSIDgHXzEjI6bSL1
z$FyGk+9!|}@SU+=dp@adH#!Ps^b1!LybRGV2mi$c!iyC`^j<XL=<n&Y!TjG02WGCz
zasuFmh_)ol;Eu_r6)?{S#r~Z&B6zy%y#6a|q_;YdSzP7MxYFB+9@lCJtswd)gwFg*
z#rar9V{ua)qy7&???((r1>cKl{^iF=@v4%Ml9QCBxH^kLDDodNx-0U%nMVKlQ&Y+K
zE+=UtU2C{vNF|8j`hu9wA0x$rHpc#(q{+olA;_yZB#L>JY4_+hJtzzh#t79WIpgnc
zAv9Cr{Vg*OzbL-)Ez`N1i3}xxtuoUUA0INqiv4CX3;)GjUCb+fk<1KnW9FUYDf-Eo
zdsrW-V?4!eIn$37MV9asrdycN<ZH@~hu?ucTzjL{-$PznJu8Yw;fwHAYlo2z1tT-9
zK5sKmgdf7Q<`S)bCR3d_gomRnoatf$_15ZLvv{dEIukV*f>D@O-@ICme#%4wFr=1S
zC_<|bEa2g)l0gWiY4sD(j!><ht<_sKHoa=_D1N+!Ins(*dxodr?Pd07hBUesOZPJG
znHs%5%fp|>D}-|9JjH>d%>I%*O6Q8(M#99vNTZOsR{v75new|a3ZXs5;H1GQ@kP_{
z@dSF$XIN<Us~cVMi&OKEy;dKL=7{iFl83ob2n`&~7%=li(`GqK(dSp@hy)hF!>n)6
zX>{}R{Wqyj@$j9|Xd^WIK;M1YLN`3EaWMLzpU!?=;EK~W$q?4++izX^=rj*+mZ8Wv
z#&Wpz#9~+cNQSh7%_A|~xVO$#jemzumlQwvmHE(;gegP?Gho?*n2C16Z(b=6OJ*XJ
z0_iZc8-D5Q0uUX<Oth{&k5D13U_IK&!Ox@;h!v!9yT#J59*76TOq2(|V}x$FTS7;x
zFtm@ZK)bddpxKHa_cEOnqF2m+6-(93Zk$-UluV<W(gNW-NBgxBh$p0&Xwzqs2SoT4
zxeJ7Tb?>UfhQ+A&S46N#@mn_2L!rIFoM=>bo`+4++b5P0o38j-&J;!;rTV(zA7Er(
z=GG+Ai9&N{ffZV`TOrKtxJ9TD<?$IY@PI0G)8e=DkahdywrTYXL1?dZbcCK>m|caO
zg|H&%CNp&AqYxf`6^;Hx8hU>FVt+LlLdgV#LbUppcI)mF<B1I)V^A=j$*g_ria!KT
z1ly)f`><BOeG(d;iN?h-!sdeQFGo8vkt<B@Cz##Wz1;BibTI4X#q~Ft)7e3JBYC(9
z-qapn`)o>4m!PlG#Rv^@MIC*8ybM;@vIORu_N02l)nQ9tHWH60LqnqfJU7MWd(3z@
zonc)M{G)0GeAChDhxcWyR;794+k=piRv&~Eocqkfb|GhYSmp%g1ieEI=_4@Nor)Xx
znJQOsU@$3J)t5rbRn5cGGGL)MQtW)d>~9-#iH8rU0MG*aGRuv5_^9IP1Lh37*MIP^
zv>r-2I;H}z@UW-i+e&61qcLlH;K~(>%$_Xg0R%$m^+_K78Ttr<^f=HJLjLD?cxDCy
zKkOvtzw>Y*kN}!&%VhbO5|D~2=i#0T<A=<->@y(LUUBXr)1_}HluU)Y@LEZK)u1KN
zBoAZ?z9MHX^6*f)iI80ef<_fLJ!Go>MSh=!&|YZJ;Z*)t;oU9!Kb`6@kguI;m;67S
zsualAPE`S<%c)p0H{9^K)n})IUY%I5_jWi{F*wx?Tj|vKZn*pY4u1-5_oszGJb-vY
z{jhd_Dg!bc2<=ZD#CCxjUI>Ktrw%d`NFET{pE^hp5RD?SjY%4fxyHl49_a8S_Q7^f
zny{Lh?S?a9IA1*JCC8aUk{pDt+jMx6R&So@rp5*ko2S)Be?S&G1Kie*1L+7kwmVdd
zK?R~U%iFza;ESd}MIFT)L55Icd6>ECFMGw9E4&X_Gn(EiP{(2!HP{Q+YG4l?LK}Ed
zu+9y0*R;FS2YRbm4Ho8pI1>e@GQb1;m!s+TGLgSY`)XMhPrBh0Sl(7@^-S0&TDAI~
zu=+lts^7EgwR#isMN@aJ{!WUs8uta0D$wf3e?V8X`aZBeKdJAHd|~V!jMpbzMK~}T
zp<nq7PfX>(HZTf&^3&n*Mn_>qv|Mo?p-p^-NUN`%s`12gGZT?kABjG}a<ICmFP^ya
z<65>SE(&tPO$VbQ+4Tknj0T(vHZ5$-LblsHST2e%%o;N>iNQjPDKk{ptXJQ-=7e-(
zLW%26c=Ko?8G}db^#+V)L9=dJy=O1ZG)@v{CFj|@8AE%?IsT@l99VG2f!Y|zO{@Q8
z0!oJO&aD(@j^Z_Zaxk95U>NiWDF`;pPN8P7a_}65gvmO{h62P=3}dq#6t*nZ>h?UF
z&buqlvRKQY+F&;8XgfCUsKzj2Z6FgFkEoZ8CN`{kL$5Zi0k*NMUl3}RzzXBRNL<Oo
z%};ux624K{D%h*PKTNC7$b1bfU&D{UH)Ot%G-@pmYvWKZ--z11j)ylLg>`Qa-{{eL
z9_}*^of~J|XCn_+jzhoo<TL6GIz9SiU}_Coy&dfJMp}iLG0T;F^7I3(DsMC<bO>?X
zn^x5$>e;)fw}yJdh!;(uW0-{=7)8b7dIQtYu$V)1!^Z3_#!o-Q0hvADs0AT!t)79R
z9D~7(t3H<EQe4-JFEU_Ox7M_7Pi901J$cnYL=!<ej53O+5Tcijr6N~5^#U^+66r<#
zY`uwRX8B{d)3{081l+=m#a4qaVy3ITP1}#JK|8`6mW`iLfty}*!L7v66|=Pr4bw6i
zH{v&pV$8C?h*@ckC^pNzu9@BT*1Cp)JlVcRp6s+zWXUVmgM=(G%f{03F1MfUtez%|
zS#$Vn`M8lIdu>9lw(=-vnN)pj#3OvP>_Z!CTF0_%J~ikYJbq&01RcV-!9&aV*lm+7
zg<_2(;uogNs#4~mHnWQu$2uU?mSt_`6j0@{*RDeHn%~B^6xi7IHyuvN7A%OLu~3#0
z<@rsjpV{KU@p=|Kx3I@tH1@Chctm(as5LFchvP`N8JG*baf!F7J3O5TEd{R{G<a1_
ztGAG4Y^lRxuNusP_S)Hplwut2Ibwv5eMlVk2&-Y+hoE|)M_4{2PJ4KS)d{V`k+*PI
zSUn`#Abvvw4IUPD8k!sd@D_lT#gI|n5Oao%Y8zl5LcArdhJ|TBM3&XC;a8rT>{xt}
z5m_e;R7B~pmC!@0KPZXAR<QLHNiNk3t-jIf&r42wSPcRHydm)xW?4O!>ZH~0J%W%9
zzY)fppZ2neZ!pvemvPW~<Jy+W&=NL`2bZ(nTA@6%GofeL&j$Q#RoA>v_?s2=vqgO_
znavC#J`f2v;%vtg#LiE<9>m7`5`=&Md)2Y2Zg=DDpTwIHlV3P9S5Id$_SzYnq-HTW
zi}1mxCRtWuf4uCIpMwAkP}}NXO>%m(Y?e6J8=T!dpA5jiGSU|@ckd1lJz^V6bvqH;
zZDkK4=q%AVlSp>GT##gtiinzk>{DbCQ<c`Yx+JYpgxMLzvydmOEv^@h^Vu&<_u6@d
zT8uGk#1XF==AUKh@Kv~xr(@;04yz<}%|#L>ipq$?Zw+q^w$`b_)c#t%t^3Z^HH<fg
zH->!1tnbnYIcuDJrhHrasy3mKhmnV^b&!MU_7B!qK~fFF$!oi1KFLUiOBw7kbo-fL
zU9z_>xiZ*o;`Y;?-DhsM8Hc&a+uQuCJghu43~Q_mMSi#(S!}3lz90WIeuQjTa<GA!
z{K8*Lej;mHch$63Z#iQ7DzPrMusgzSx6ByW%H7Blne(2Cdb8V%Jh2~7zaTd`1w9@}
zE>2D{N|LKcVP+%NVMe?;t8S5he7*3pa-1yJfw5ptpNqynW<GmYH{gZovjIIDalsr#
z>cp2a;z8V>(^=JVwbOs7kKb~vb=IR~9a^(f={RgbQ6YENv8)nS_fzha%WUgCHcf@T
zIk`HtDS3pCBJEYe)6=P?6yY&#iR)!|Z&TuAy5NE>Iq2f86};qpw&egaEL|D8;KIbm
zZNq|K4Qa%~g66Q|@CdI46-A*^{O9%O94)(q^9Sb<=Z#TA!5j-6`prsgoEF)58DEX<
zW=D8;FIdH454F5joN_z7w90-Hc{6zYF8g=t1YEqH+1I&(k>-6f_EVa-AeL1-oq>Kd
zP9u*9V$&=I$L=s=GO{d*Hc#gYqf-x@4?oCwt0&qlx2bL&zGcTeUSZU58>?@fy2Y$T
zZ*7LGVe#kfbM@*`*PEZX_u@}V$H|lKylhOkn=#=VqHNan3*!mwc+2M{!}o<zkGlOe
zgVz@6F4c{BK~(Cbf&<SE>}}PVHS?TrB`1kU$@H0lEwC(F3VIMr`d_aY*nk762x`>+
zTS=UBl-;tFVrElBZrfN;qN`QRvN4Q)DNDmQA3UI9CndgS+1-zJuWItE(y=#$TSQ~b
z@!6<!>~)0uip7|sa`eEPhWE^3r#v~p$=v4=v^*1?_HaqG8Grs_fb6X*;{ItL5}Dn7
zBlJ}VoT?1nGrwL~AbS_R@9F01fdt{Ds+wveemy3;=xh&)Aa0or_`_mIwADpBhZ}bI
z-8_!TLPC<}kVe_}BvUnGmJE17<tC=Qsqq$`Ts6xV-;2hdx@{t(iT8Qp_oBSYo<z{i
z8ryu5^*ecIS>DNT^PI81*2g4dUTj8A4cVw<tDNL0x=t7=l%JQg)w4EFm~<;DIhn|m
zZ<FuOs(?!w>{a8x<xH?sg;PcJR-aG))3^Gv%tCC&^>7Fgj9U`7ByQ|DG|({6Fr1Nv
zvoKroZOWu%<SB`_POwU7$g9Y!STnuNFtg3@a2%fu*)K$b%^|+z2_X{h3Q4y1I}max
zQ-~((j|U5@k$-83c}{t_=SYtQeghwd_~yV<{fm&~<RW>ZXoaX={!wnBMD9vIWr%Wu
za<+1ba<kIyW@7iDd70(cS|gk6@6GV~1(hjlbEA(ZJ=;DDXB@+BcgER8-kpW<T`Bu;
z?$`$_gU-iQ+LJ}zr4P8q$RbIyFJ`*+@wxH4e4p8^l3~;DXI1AYBpi{4$V|mOj4EC4
zSq@W0s-~+Js@CSs;`hgR&%SID<I{U49cP@l#%^P{I=xg4=6=wa-9>ql1a82o!E<Kd
zOuHDh?3jIJcVbYv-JJ@%&8w;`Gj^<c=}@RHQ{P%kZqC*hOj>6#fNgc`-Abm$?oz<V
zhju+KO?e#?efOfB=b-Y*1Gid_)J!Sgcop^LKQyed+p5Xg)`$H(M;??B$TEw0BMdz|
z3+Fh^<49&-5oDTP=r5t4&(E16*ZrH<_B}F@J^Z&FYX<B~xQJYTTYBV9^o9Q0I9CK8
zV81|2E@@}mBi@_aLWXlEbA|E;E4W*@d$~kHR{nt&YBWL2PkX)ME`C(Ty~lmYeQ*76
zhq2H76UdSOoidOg!T)#dP|1hkqDxkIsD$LZ>}dUgf0TcYk8bjx@tgQYqDC2;3>0n1
zM+!-_h$*#`ZW8?@Qi;xs&~4FkQH#h_OuC5sibZ0H7|jr;iPwpDiI0fSiZ$YDF=`YC
zRgJIWNry<sN~O|dDOx4nAw4KPDZMHc%y_s<Cq-CR-F&G+X7G{?kcG)6$<RF6a+zGV
zM|Mm$g>zq4r$MiEW+ayslEcYpau&ImL}?i!O>SBO_f+b%HRUVr?I2M#`3Lur(m@`m
z9wHwrm&#GHe3g8M{Gj}#{Hpx1TqkE?rOi(QZ{<K`xN@@cts1RRZc*-47AY?&A1LdU
zAAdrZ&s(a_sr*&z3rDMBRPH0uQk7n$R81FOP*v{xQ}ypWw9Ifx_)(?dx~u)vru+%&
zrrBzT2U%;2qR9_ykLz?6A;jjwx|xwJu=6Sl%=`#~TFsl5RO#6!TE8gDMvyW74S(Pt
zMc@3+2xdeZFKsv{EFQnx$~d5mp_+hCPIxr#@;JRZQe^vw`zh?B3AB7xcxVyh(4t|}
z%_jbCo?*|(upjpO#2L2LWw&dVCScp@i5iz3j)~NH`$Y0bKO!gtZHro|*{(UDDbf6)
zd8E0*L4R_rtJW26F!ZhZQ}=J(j4G5?wXSMc)sd>RRhp{ms>UkB);Z{Sx*@u;I;k#M
zw@Qb0=nm>m>aOaRlX4PMHWc!q22mraDb#$5q;jZzRK5w*+RSKNR)Mqcd#_ZN2GKJy
zl$7LL%sGV-BlD8bII|loa^>w|MIr+SeILFxS|RSq9qi=lK9U=1eJ$2TB*V-lHd+;C
zqD6at@cG0}pSnwRL>1sN)e31;)dyo_pY~^~9gb;zd`=_zgtd_(wM0FHJC-Z8T`DvG
z&Q7So_=91fk1@xIgL-pFvkeo-@kSe_&4=W#325Mn4bxO6bCNIS?B=?;t3uJu(DU4S
z@pEpA9V63T+H-P7;n2|N!Td2^8>Wq9E|Y9TnbB`<+Xz~2@0=*-@8SE`1-^N5-D8i-
zGlo~qlxO;<{083*6IcV^Bq(co1nli@8=$DM@D&9FAiuOv(wITRhop(fb)sFOBO;Tt
zB8_OQyX3iOo}s_aOpI0<-rVaW-a|D#m?B>J{_zL2UcA07*J@g7&nH?h_VGJnl-O<c
z%HeODqkSt{>?Aq&Gm)&UNAlZ|M{;g$4Qgd%9?5yh-#;z6yfSrK)cSs>bT9W_9h?{~
zCWuenKcP+iJP0Cog!!Hb(!QHrs=K|7(OTcckfwyKjI_v%*tBU$s#sP=P&(0;u$4JB
zEe4QeON8A|9xvycsZyeen5`KDi<+qjg0PHPSP`mq5G78;VJjIZsl+es$d;oHu%Sw}
z5Pg^YkwLT_u*OHZ=eVN?>m=1g)aIb&GTXS`mi<;|GQ+2n+!V$r&zKaGsGj4db5oe3
zJXwVcy$lkQz~;NU7=bWuNUh#`e$z9wA#>>L`hzTWWUL{M5iPN_h?STy7{Qh{!<!4H
z)&5qS%;>goPEzb-yu`i{5pBKv%mscWIp6ee-4%Cf_|g|8F89vGt#fM?**U0X6|$l4
zm`tSZzot96`W)X^xq4-7j;HtYz{Csr11ORHl*haRGj$?|qNXKV8GI`yV^o{t(X_(2
zv1T&%TO9swD#fAq`V`8Y6B)aUx~UAew<{c8_95Dw3$_`AB{@SmyPFD+cf8=1Zs#1}
ze12{+3vr-g78*iE5yYmdk^Od)ycjb}_XcXaySTSYDPgJfe`(tP4_C{F<GW>4NB83r
z+;QBQ+(nM&dk#=7upW=PB%epE)sH0z&+_s7m4REsf8ZtsHVZshOA>7Pc(H7g?43in
zLEwXKPA`%9dfk)_<4ba)cy7xu({0gW@1f}%`MdeQ@z04eZg~}+$Rdjmsz34RT@F>p
z{+#oTXtZd_OHpefcXHC|YW1^;OGI!q^Rp;llr6s_suOLQ#1h+!k#>zF$6q``{H=Jd
zc$qj`jB>?=;<-Q6L|2M=1rMj8@hD=CnRIv4=!?CjL#1MAoHRF8x<;yy{vvI9mVEx(
z3MwFkAbxK#O(k2F&5#tmB?!Tus>uP}MmZKW>qXY8Jd=+xz5Eyl4!Ftqveu?&?$x}4
zXnLvqWbtF}NzX8+K6|D_61N+UP5&|XntuV;XB>ge57<^D`&O6;d`1>l%W#O=h`jAN
z`n>x>-uJ~5$vNcG#l6?c!IDCM-%&W=`t`+G6^}_BneuB!Yp(zY`QlduYw@Tp)Vk*)
z!XQ24W8CAVS*U!Xe2#pn{EWt2DKC(tsJ4Pu&7X3Y$Ed9UHU*`Ra*%SQa*A^1<<fNJ
z)~dXUg1iID%<8AhxfdP|3T(bs`DadZF1n{oeeP2Ar26eP|L0Yqt}2sogWvuY1@5AQ
z6=@O@QZIjM4rwl$lyiLhDC4x2$je^qEIn0IZT=L$z7e@|SJ~4iz2NaLsdmS_XB(o;
z&Odkl<N2pumokjv;x!{u8O-V^PnNwp^C~NCMSkpp>K=lpqB(4N(T6%VyMdh+sb9}|
zw=}u#qT2~gLrPl#BaD$TrhbpGV$OcSu=^;4tQh-CQ9;r1nU9-ttntFCRnchupYIKG
zl}6Lq4am0JyA%30b^{i^>xK&|EuS=BsMAqqEqX^ihvUIURiQ$QYtKh<rgDxL7gRj6
zLr>ava4_d2r=a3v&TY<X%A|!egY&JWMd5=p1;1xV_Va~;e!^@^KeK1aR>)ZAq$7Ll
zhU&z+I9;l4jm}@8`{ns{|NK6+QL!a98Kt^gy4p8v%E8c^a(K(IOtzwG2Bn_$Wd~8?
zsdx&dQyZussb48IRYCE&L0mMR>%>{X8OqrU=ZC4BH5^pWc`dTwUguPC{KdH<J1#L-
zyh@Y}&%-iqCbxgCHRh1fclNmY?knMzb02c2-gR%{8u1<Zz4+BP_aEQhyMVeqC5#{z
z9FlMrJusaxkw1sOl%K^nQS$8?TMHR{301?FMDL4gJvKgp9g~3X^9I%OXTR;&dThi1
z96AtVV-a!^^%e~kiA8ZDwYWlDBSy{Q)1vF5NHRps6t5-89%6KuJVVBaW#R^M8fh;t
z77K#NG4g40N{rB(y(=B5{(^pf1N{04*@7&~L7Vfu8b|I4&YN1<Gk$;F#itd!A`Wfw
zlfREL+MJEB@O)+I50UNGYP_bkuyj`G?AF2qrTdh7tWa*Dzciowt#q!mj+-sbl|Cqx
z_9OY<?8@-ppGQnQ6ydWjH~h9`gpc<R@EP>Vfj9M!&r>?9Pgf80q5>(DEqlwqCVL{&
z%NV3B=}V&3^6%x}DbJG`<ko{~HI}0q^)1r4eD{85O&^Vm{ID7g&5zeqs5fZ7lNYI-
zG!>eUrSe<wXewS1-<Mh_>nmFj?@mTAgQ6a8wUOLczEXZrnyE^;Dxqq)Dq1y5wfM06
zh;!@nN+ksGG5eOg13{E#-xl?&-J2UwgLTh!Cp~N=8kN<jS#|GK$XwlBEl>xmqtprN
z@6;RBXt(;k#=NR~)gaAVb-x!=z+5yW6|ULW8u0uCRZit-&<LvXsTJnTr+heXG?CPC
zN-&=@uu75b%(`s%dJ_+;RKFu6Z$EFiBZbd?!xVE}SUh&^3LYjDJ6%`<*-=1`C~gBC
z5~X*+_A2<hrVT>3(G~bM{aWXOe+CKkw{rrC;CFYb8(w|^p?;8#L?Q573#6oYkSnW#
zO;)+!%!?gg`a@BFC=9H3!JB||gLDTO1LXU!$W$PEfH*>(u=Z99ft>tG&T1eRfN;LZ
z*$w2@SFMWbNf%rX2tKKO7IY0N;Y)vQRtv-u2>oB(j?O*;;eA!dR_lTTfOHM050J>O
zNC=SGKrFrtXsXtQ#EZVFv=Ay~e^qHSklkO^$pcaZ#QDpB%7EMeLMy#PXODnX0qMH2
zCLnKtbm_zVwF@TMmpjhiJMOFxAP*pL==)hvAdtR5x|&4+2?S#IrTau6lCSEl1`-RT
zOCP&|d<UfK?u&q|B>{Df`WhewkgieJ0{IO{SN9)*oCRX}Wr()_cEQ)bs?!I^BOqN<
z76POhNLOD|ff$v;!Btmh3jw*6|5fy6Abo*!sro38Fd+1Q7CLlx4af{2U7~A&ECfOy
zUv*5!M<AI%OurEGH!gT%IsBQg>pr{z{qU8bKp;oH5)=ib<SUX0<l<MNmjSr}q)TVp
zfjkD%)z?uV{{}*K%|{ua4_`HV1jG!Sx@#7jfOrDw(wRB<`!_(kI`ak+4x~%@fk5Jb
zbm?p=kmW#J!oR3-8K9kjy41KG$S**;hIkZ6G2QG-t7|}R(L|Bd#&j!=_hk*jwvVp!
z)OfT84$EK}8`YOl)*mfW<o93+UCRpH)wm2w;C}%@P;#a}x-|%S;-FUz@E6`5tmW+O
zaNf0Ak<pX&lj$;84evnRfr@SqnOsFEkF~^zb)AR(D-`O7%s$)PEfP&bVI+xDL4YEm
z7fVcD;p@KtICAZ;s4;Ed$qz-0gBIbx{QSK|%3bG{w>B@D;4cVMm*02BgW-P*^!eHj
zhZjxRTD|+L26MaL4%^wop<5Y+ZfNyCzR~J$(dSqpscuK`oJPHev9+@e&MbDu8yof4
zO@~>zoYU$B5%qo(ozY6DJOaUa?|Ra<F4eEn897>wpbwL%J4>ALo<ndBy<MvxhrC}j
z4frJnrCTF3^hJ|ozkObWRlQ;UeoIFi9@FaAiLQ8^uccgJ-2+<gu5-q9uxQ83rq9HL
za7OmZvMQnsq5h39uzyopeUtvBaV+v{GxfL)rUX-<oyK-&S;2AIvW0M{Xm%5!UXA+5
V5A^Z+n8)351g;q9182Y9{|9t|`hNfb

delta 12775
zcmeI2c~}$4w!o{p6F}e+c2Lj&0s=up0MSu2jev+-SY_0~fC7%n7*LUM85`V29W|nO
zGdgNOaT#?cf+*@Z1{V~!LEIM<6$B+-lduSG^gA6!8Nc_wd*`3`*L(ea)z$s$s#8^`
z&Z(;IYTX@6-5twA=|;v$vm$nH3pulCuF(qoY||Sf29G`b##sIj;@p@`YwU(ZaS%e5
z5Tp~LBEzInG2s&;!xLf=B7r%6;vr+>!ehpV#D$L!85bUl&h9|O$9!zIv617)j0lMh
zM?Z=;+1dx&b&Mtu1BV49!VuCStlE@n-;dCZKD^$3{0N_@Q5UlPAyAL3Q3{*n&%-5R
zpMS;^YgAurZ6LhJ!$uSLq;4ws(w#oezmR=S_kosrT*&TlzmVMnQn;cu*c4*pqm|ig
zeAL{vw5v>0<OQ+`_m1q2xb|$eHtX!$vNN_eW+P;4ki879vrPSL5ZdYQQhq7h@ocDn
zWmbV9Q2Q&hIgsB2Qhp6}f%}QsY_^XHBElj=pP#DCHZh2@MseAF;mQ?_g_sq_R)p0p
zLVk!X<m3HX5L(f<(oitV*>HHDdYdQb=Nk9>hetJ>A3`HU1?&{Dx$kONHQ1sysJfv?
zjM+NaqWqU#>NyPjnlRiy6XJdFjBO$pQn1He;3tF#jXZcJI}QaQHn1{XAecF}WqXC@
z`?Eby8L|4eMd^mJc8Zc{5dNR^cHG?ZXBYP$4SGX4zlMH4;zG6&h+&Ul$nU4GG~D~a
z{XDqGIS760;S6_Og>^Lyp(}rul>^UMou|x4CW;Ji?5J>e!$;{$*?(8K2>m_bPy>S|
z{+2dq1nT%-)&|>ZbEp(+X{>SGh4K(GMbCb&%;vJ{K#CA=9HDS`$G3?TLP2@sQHn4R
zJd)^-4L4;sJ@6wAwpJYW!Lis@Q5AxFZ;A>qDf1QJ(Ix~fR$L3g&IYnA0FNjCgHkbg
zJ=<e{HL)M>?=_g%s6S1NHAVI)0FEexI+~meN@dOHqlvNCV=uL3e+|LpuO{{dYRmqc
zN<GdNz<QHAROtH=ic?#0FTW#YmDy|suk{J_xBH7Zv4hP=bGi%9KABUL7(14624iau
zu@09x2IEVZ@Wy5J!*Cx02&<mpGK#|M4H)j=c^9V2YC`cEOceTeB`ONXlSo2E9F4?t
z2#CArp)vS8*W|NG(rhJJ4SoxiVx2T&;ZB1Fy?S&xDLYoN$G5-@oebBkN&YPj{$~YF
zM(p5bX6nb=*ID=%4PMA*wZtADos_-LfWT^W@E4yCfd7+OQv1v1#NZ^1cb46V#S%>D
zahZEOo^R0Ywuyi0_Up-i)$O^&F5N0zk};)tFU4VHccpkFtK~94OO1)jkg}q$Aum|5
zY$lE+7)G%n9aCkTSvUw2@=!%^I*uX61(yMxkBMu9!ell8hz;)G7l1is`(|Tn6Bs-H
z&J^&!F_n;}etQs&y2eEJE5rWXT=H+HlI1DAp+j8JVu(LZC0!ophuA{c2D0}brxKQZ
z3}wf%@f`F2pF!5a3_`8={~6@t46+VKlu_T~^Va|8M*o~0F#5avgy;19KQu(IKZ3V<
z(KVzOHW7N`<wNXHP;Zp<@!F&hN@Cf^!#=d@o_*dLVu#9;#wQ(mW{uc;%MmDvP4{t)
zzN*0*l|tysZ;ko|qa-#D%UU51Om~LWDhy$fsKe~A0XY7;O>_kwx;UYv`o^x+rAvG}
zti&0HUD{rCXv=1or0f#(G32NWFAyCBf$Wh%rUsSi9^niQ*90o@UhzvU7Ao@Va4`KN
zJYH)^gc!DdY+xtWSTqkMLzsc4Ar~|rg}~J6cHdKsP|omdNvI)q^N|?htMzGJTs^0Y
z4_R!8PhMDMh^>yS?}~fx=;8?n4Kc`4WY^<J?^RGB8<s)12w@`xwjv0<4PgWOYy$*S
z1@^&C{gdGGf2tq*GQ%#N*!KxGW(RoVvdCw+c{~koG+oEogi!yl9$TX@h)cezG`wW6
z%Y3%c|7l8N-)0c<H*^mBitw$mzv2E`UUp#3L+ETUidJ~jVORca->`2?Y~LW1+SNIb
z+OWoE-zWZR6|+20(!aAbg#NvyvC|k>S{Z*JaZ%8dRo8L|9iYQ&5I){#DsVE<vgt90
zDr-$9nl9yK7?HKLwTdUcq^n|RUvfiU#v+BFj*uuK9}sqmL++#zd)ma}%hQQS#Uo!J
zH-%&$g}~F0x(skg-?Fec@-k`n>;_vdhBYffz9YObeI21Rh5MIe5e%Fcza)E^nS`Pd
z=nF)Km1(AtZ~j4^eCAu$m`R59CTkje6$9jCA;*`g^HtoClm48wG_W2U$ap%AIWNF(
z%wTEyN~61t`f7BXE4~b_fVGt!Mp}?*s?p8+RUpRqp%)iwbSb2I>?Q$@v*?A93KrJ_
zjqc?v6kn5zn)M@4ghm&vY!~3|xyTPprTsb@uhFGH_Qkcw1|gKC(M>>`!!<gtMrYO1
z`l8vj?BND7(u#C$@>O{6Bm>B8R)R9=PV#mSBX^B2{t&AW$;nxYJqO8vSZBsUfIA~W
z?NHM=WUkS5{IHer|6?>lg~o=OrZ={R#v%<W5)u{~U5%AMgBxcddyQ@cn$eksn|v`p
z4xw8?V~CW-*0pjDQuzErj->N%2r%ah^c%YNrv`jg&wcUDF=!3se8;x`V4N?W(lP|S
z(@o`uo%O+4KgbZ)=nRdQ+P?6`Yh@@ZnfMM`pK{j+*T|4&h<Ox-rf)M9sPP#nbuly@
zqxg{;9n-8MHM+3pEopCC5vgzfX9_7S>+>tQ(ULBz5a7ep;JpQUIRdf6M=Oxn6olp&
z$Tm2Sy)3{LK(q$(J)9Re3UFyELj4S6FPz!q0T3&QvB6wx_V&Xsfw%&RKt*uA5+}f>
zX&-a#0)n^@0@D;uFG%mQL^Wx~o9-Sfz`0pn-X4zD!1G`r%YnGTbp-kW&TE0}0V4WD
zYJl7U!oFO0rSXNrjOQaH_(T>1@dsj%qbNT>_ENm~gG~5`?Q^IWICU4-b&@H>)NI8L
zIT<i<i~w(g3V-T;_&~t;r%wk%wdm@8jc&OF)Ex(6i!{3U4=52K^LPR7I57)Z8>~R1
zyTX9Be4&7#nFcf1!kWPs*T`_%{f+=@;?V<C#hO8Xoc@yb#U~~p6sFO&8{FXK3}3A8
zOhhAa3K?uC!0*BmzzJ9%*bjmyqVQZ4lT1XM(&$dw3a}y<Ik&M^umDF2aFq<oT*lh}
zf3pFsZ?@nuWgo7Q5nSr!0|9;yZ)Fd!{ArBNdZ<R_0)z%RqpoV4YX(DR7J_bBZyZiM
zTlBnzs$ulaFB1d<6)SF&sSX;QJNTS*=MsblYjmOg390W!FMMBd{tihgs5@k)-D0p>
znJW!q5n`X)g2@-K&s9!Z{l9#1W7(%?am-6!oR))-5uwPtO9t4P>wWPrDi&yTA^nL~
zp4Jy1R@}WyPP04M2E{hRqpo6^))rsvqlmgk`u6bM;)NeWg+dgky*Unw3@;9+zk8!E
z-U9`NfL+9ZBH>dUxP3b0?<O~)HphW{!RGTe<l~xySU&}GkDSR}{F4{%qnLf4<a_6X
zG{MrYIW`7`gR~luHuy7=uk*#>Y;vbf8#vZI*hGs#SWMZ=`=sh0^p17#wG9~A<$cf^
zYW-im4<4ZsAguS1i1j}9D3o{k5s5x}UnP)k?_<;41HyVAY4E=MJOO_DXRZij@IH9v
zTGs0Ysj;1YQ!c=syZ`EToDBl(4a5ynb-7d=kTF2I-L448Vj$ga*9znykZ!jNgL3bD
zl+)#QD?7<VBlC7&d}NPdv?WaUvi>GYILWLM;MK4;_~dcN?z%E)Vje<QZMr;8t6wX?
zwQoQm>u~4;47)d>gzbC4*d71$IO)09zWB~}2!`EnVB8H;JY>j`>GjNG0XAFqmwCs$
z)%P8~GlrdZP}i{gex@&eSp~E0P}b0ElC%QcZ-v3*-m%k881#-;Q!W}Ymxx$^Qv~>z
znYk#?#4zp#(@^(?&>LfrG1@HW*wZcg!QQyG|6qiQHM&^z-9?Qqf1?0D5}-CusHrPa
zbjt@ThsPuIi;!@`?-?rrjsZv9-x+J<3xkN`5|~-m2njJv2Rj6fcup<=T@(u2s?oLP
zBI(kVTsQ2joGQQ{_C|4=^n{Ow9p^b3oiPWdZAB>N^issdk<N-l%<-GJhTxz#j45hp
z)2T-~B&z3Chlf){lRoFd7z%?k>vVdI?51mUW*VKF4{r)DgSU1m@9CRiK5|}Qk8&Q2
z>vRlgia@<Jx(_Cet--J!>R@=w6!q|}0WVW*BRB^kiX=IEA<~l^B}91~P62lrK_DZ=
zI1-$29G8;^xR%Q)n!b{#VV<{`*l?QkKAjr<H6Og`XN1~fVf=6<%(n}0TY~@{6B_yc
z0$sjiKdUFB{0bPH#vDLspU_BJbKV!XB%=bM5#wIzi#Hua=(|FpQOZSM92kR6#Tb`f
z^2JXSO-7tRy7TcnL%ZiyYyWKb7%HlUdHUwHzDYl_u@%&|9mZXZ;!<&wo<#cQ1w1os
z%-vx8_+2uPhhKjKpL5+cIs%!+fu)((zAwk+xS=f(R}iqst?S6oBo@VoylAH4sSqu$
zMLClx@$;5)@d;-;wJB|bbm9TF?x(4zrepb2_!;~(+)g$nVXF#EI@{ZH{&emo=pm0|
z<8M^lTPMyq+xwU!=4yy4(lQg*2na349Qz8)$qEvnB$tLZZs%+3I$|qw;~Kefv&xaB
zcUhngBuF?mmX^2p18f_ndzo-%2v-Vm3(rbMzcjIOt>l>0z8Bz;9zGiGzPgTa9Gef#
zx@Om{+exfN7&p6Wi1#1Ney~MJ#^Y1x(b=*&vrwmL1(xC@ggVz*oAw+WR_nUcF8Zag
zQ)uaDV;jKq2$jvAojPq^tZa_k7jykh7Ys?&aqM6PGq%Dwu=f1{(E-suO^<R+CqrX&
zFnk*?J?7p6W($#}-;3rdyv(w$!(C)-sl^d5noUD?+Hvf|%JC?-kt03q!;-OU1ghiO
zhc$^@BMw3Qn=60@k@YBd(eQ{Sh&v%hui&Bz50Cf_vK#;q_8Nf2(9!M?@rI5@odfN|
z=+{=mBdS2eI;-KK@fRPPET|x&8bra0xbs?U<*L!`jZVf^gP~(fqnkulUublvqknTH
ztzaPdBidcG&g!95D@9M<x<c2!5~Z5|*4HMrSr2tt%v)t#-+nLr7#He;Q6=ZKRgvk*
z@RQu919w<8w7uUY`qgTOMH5}Hp45g>RN5cOwy{(@_2ZViNvWO`H90WgNz&Zjw^HpN
zrOq;?8heq;r;@}@yMe|gb4lKOy!WxmI;&<$ApYR*;D`NCXZZ48OavU8g}s{ey?VPH
zeKZgg+4IS5+eU?V9<WU^JDOy+v|l?FLbaq&na&rM6ldtgRNdh9^ofikq$=ylv8)y`
z=H{4`O-F7TopXipA#P)jopxS*!!5=N@c0+a-~7(e;+)I4k~2<T;IJ&Zp{+EUBvD*4
zeyxA4x3!)tnj5fGqqF^Sc^&ae|4M&|m~Q!P7A237r^q*DFY6Q;xpItLZLJ-8<O_()
z_%f~|LVEVirw<XCa41JO4a?tfa)dThn|W_U?}Yr{-1=}*@@-=HnfaamR<2gARRpre
z%5Z;Ni7Zw(wB1R4oN6*sHat^LW;O<D=nr&V$BHd=9UBhVzDRFKD(Qp9;7(HlTe%py
zA#-olV==eW$PN2@>(K0i%sCH(=mnW`j56f3N|b9Nz*?MY&S{t*nA#+|pfrh*6*$bE
z;ag$+Q|{9@4Fd}rdpsQ|z{N8Za}%D+D9gLa52ijzuAjQKDRsl)j_I~FnOgLt(sB6g
z(h~lb!wc6P<D76|oW8a$w8?2L@yyerA2LUJD6(FpJ?{K%ZaL*TWufzhelG6R@oc}d
zwC$jZ>q{u_%tPFPbVRl?eD>Ldhn;A6NI4eZ;UP0P$#`VnW);aW<@mwXXFLt}81E9V
zvWEA{sCb5j7X4}^F|Nvrx_~bynb}e9ygtP|?l8+MWpi$fD(|ed|KZw**e&*N9;(yu
zDzbmCY9i~k`?aJjcfTY~{Ztu&jOnZceo0xDe)A9CBy-kTQk`zSs%IFTxV!&u&TAdj
zX}Kv*b$$PJ@<_E&^9`)Nj!s-B>tEXpUBMB~+U4B0UxTecn7(tn(s9znoA4fSt1)K+
zb#D6Av#}I5alG#F+_TZBU&HRYAuCI@=zPQ2#(P?+-=3#?c6Mk@+bX<!UC*G!(Nj}`
z+cDanW9dgN47gey)Qr7?neoi->lwUkw7z{2gUR(wLFYJ7qO(=v;<1G5fH{lS?%ku}
zW~9I5*xjj)cd7NS)pA#lvWUkD%v+;$^f|zP!67)4RgSJdgnF&x&Uv(lm%9tOhJ2U%
zo2yg0P3-B4!LrvXH2x0#n}_MGS0YdK;1l=43%{vv5*5qhcRf}W2T>H=SM`;R<mK4)
zrOfaBDC)ZDz)J}hL#-<89R9GwZ)Rbh$-L++hb+e4i=JCGc46+oMkamEt2%el@nzFJ
z@$1|1*z5;7o_brvNZuCR^P)noS=QMeqR-Gb7Z)8LWu7<AGsl`f99@)?S4X!fxvHLW
z6cXPc63I`?x$5a_CrrGK<1#aI<(uTY*Hy!z91+sDF7V`tp4C08<2QPI2(+HM(bF`{
zCZ?Z5m|x7oWVA4OTuhKYNFNIO1?w<38htruVy0Vks&$%GT60l#QT2uuQ#<vY`uj0L
zI&8NHZSh-6haD9m(U!1GYyWe5!uI8&NxCB=L{CtlOL>@i-YB<7*V+C-_rpB%NHnN1
zEHkrIo-SS@Zjz(-ato!4(q9>-oS^(#xlnm%t+MyEKEsM~E3b4!wXU<jJ?&?7PFY_N
ze<TAv&7Tl`827#zV;6O6LNva$RLb2y?(Wi%)5-T}`%?FE;x6CVA|rZN;#BJ+GgG&C
za-P~PllA!L^e1_WXr9<rj7(Mh{r8-2TMk!6sivytsjjRnnl8k+aMyYoW0T(sCmuO^
zh1*Fu_k6Az!bk6_Om7uMr|}1$7&2oT&b9k8Q7t=suMah-((Y!p9a_7r)^hW*=ME+6
zbL#8#%C+nJ=!z#=4CGoJezTOUYPLH+_`Y4g^OIjD#wXmWa2r%PDQKg0WEGlRx#qG!
zcwfK5Zevy6CSNXkmM0Gh=9nhF5{3UhAv&+;&RM+Zi+;I1&IUwR%VAY?s)zILwJZA{
zNZ^M4x_Jc}xGSx~`PW4UZpNPt*u=Z&hu*=2LDGCX+kUC;{C0X2KWP$QBwxbcz~9NI
z($*bf_Oy?osBf}f8ZWt3bB=$T|D6BU`u=8Q>~ZI)qwrg0uyDNaU-iSH!`_98&*Ndy
zw9sjD$5tUaC_E*+CVVPv6&i_KWLz2ri&q~~M8}Issh#u(@pds%iBF4fh@Xku#XV?=
zlcc`{i6zmJX_73-_mVA=1Crk*s7mrg(jp0|jji>T4wa6RBB?Y}x=gxRx>tH!dRgi>
z4c*_Om15bGw)538eP7u?8H$iil+BWTCzHzxWrt;xdFYO;q3Wg9l;+bSI+Tv5(R6wN
zos}c5D#%LXpO`yk1*%*^-`@O$zQnIlI>>|7L*;0kTq@6$FOzSU@0A~yUzS@wlxyW!
zX|vtWT^Xbtr9_jIuhmPG8<abhrONZlyGqoge82s|X-m~9RiJ8B$ru$%RJlYhQt8A>
z)l|t@)xBNlf$CpHi}mM4?^RWN7q!3oS`Xm__19{LyX#h#((&)qE01U`!l<<+4Yesz
z6cwl}HuYyHYPt86jC*c<JH_+kZ2WR!UkQUQm70EWh9KgN7d4*}mBkLw_b?uOPBj4^
zpHLHXAx5Xpi4xmhI)Oc^f-Rqx?3+(`?VCS*YQh=w9D5?ie)t*7glV=<ZqzMG!?sTn
zs+=}6j_IfE`=$TnPmv)xo8p#M<yY;gI#zY53e{9y<UQb7*M48JTHn9+ffoHstJwXP
z<kKiqyG*-TyH|T$ds+J(EvFG?Y#0w_5EIEvX1-x)raX_?#h8%RrbaRAihFs^e%p6$
zv-qimVUFdYio6q;$UQGI&NbsiExj=um5TMee~#K1uaJ20hxBxI@r&e#TPN9wWtd!O
zqfwEVoL{)r;{!MQt1YSnDm0jO`pT+G^<;0N?8EN$YKOx}<Kgj}e8S2ou{v5kls}H|
zC$(K9`_@iWh4DLmkOwm6_2db7wCU;zu|}(>e8WSu=`U$PM^{f#nas$n$lJz8y<Jq{
z*TPTpn<UTp?RG>ivX^>IDj60YKSVgT@9HU$B(XSpO>X?F8#aFJH|QS|<U(DcFtFj(
zqpPlkPEU#QzIBtIJ{C56uAaaNdX=VB)(zg-$9Axy&H{Og2M_ko`XEgl6go6Z{Jq#^
zi}--}cX5??oJ;gG@hm+G(3(n?>R;XVl@v0qcPC5G(zg%at&*(jEU=m~*Xxm{FXA4#
zDM>e5zBKf8Tl~ztb~_qH=iSMbo$HtRI`Tl?^^GAN1w`(FJmKysnU(kEPKjHk9&qCM
z&dWp6<0b7B)#n5HVSp>;L?xLQj<+|no9kk4Q*5--GpsdjBas!Alk|Jml#C=!PDnP@
z8I-n>%u38j%8K4F-tNeD*XO3HIq_8D#+(m9rETLW$}(}Dsydu@5T_^Lh^0gw%J9!R
zu;HKsMma~LH&6>N<xrh_tg+WY{wY3XouNuVoemm)9@)va9I!l>95t0chj1C~mN+NQ
zD+aE~(Qcd)mwA2l(ZOxEw26MA<e~LC<o-?T)781dzHZvfQAZ`|lLr&=(UwWkCIm6U
z(kAp+TQNPQzCM#Mn>QmPY0@OTumw?_KK|x@{*RC4eG#xF`F!Z2#$!&m`KOY5cZlsA
z)Us-s#jrOdQU|Q)v;36MQ@LvS()v92XTj-b4-I6*y1)~zvx?Q}JcgN)X{ARq^Csc?
zJlEDG#w~S|u>XSKQE$Ft;xXpUVO)4rRMHlPR*tf_D+xXKF5a9E#u<X6^M>)ZwU!*2
z!b2InrM!IJ9v-_qg4K~J6XuXOPaig#qNyJu2W<0BG__=0n)6*G0;h7CvJ8CQBjA#=
zC2>F2>`D9pKE;pWr|{=HcA6I&M%~fp8TqW0x^Wccrml=#8oY7TR(^&h9o**Ux-iXF
zh!@CykiBt0qx60r*QOqmdG@^~8!n8_<HULQUQG6$zrcN1_8Q?fA^KH#N_@R<$<cLX
zd(|I=Jn>4H%#wEGeIXtrUie&0ca%)ZSpG!)GyyFXuNChQ9}=&Z-xN29H%vqviM>R#
zB04WnGE(xTWTpfymaL~G1(FiU%&m3t_axrM=>8NGJHF6Vx~+9gg+Mw?nj?`WOXo^g
zNEOnbrL9jhJ5PUEJs93C&a~I|n7epdbm?nY)A$um8f-S&v9xWBPOK_2d7tRxPwd(A
zxVKCwYklhS#Jf2D-O6?t5PvE-?iSHg=35v=-Do~M^{0aGt_0G>9x)U)-(%}io!OA-
z=Mh=*M25rEMs&^%w=t*ZdH=I4fu2DxS|C6x<*iS{&ulIkc=hUnb=42)$J#l+<oFDB
zkS};aaTYM6H+=t0OzEZklOFw^n}*91<TK=ci{vM(l=5OZit8-ys6r3qP7gbaVdz(S
zC<iGcm1we(PPve++*n&wU0k$Bnfru({N366gM!<x+(QrY+6rzf=RR|)ee~q@rod+|
zwc*aHQF{N~4Vf<Dz13L-(QviBEv&6{V&0Mb(Y3~~WbXUDrJG8|uJHbd`f<y-$IK%i
zipr?pJS*YpYSYutdR=<<Vaxf=IY!A<Bj*z2lQ=gH-QQlF%gJiUNSghmpWj}1r;wMv
zYv6L5xvp7JI^LT_nGF@ak5)C$>C;(E5IJL;3Psg3c4NQccfzX2{ajjHdL-pxYo56^
zo>v=>Ry|m4HB)IcHHO=a%-$T;b#j}r=nZ9ti|;*ZJKLaTOxtyiI>h6-a%;my7FV8)
z=FwmA4j7~2>Zf*(Iydt$?>Mix`hA|u4c<$poi~m5rKLs5-IK*9&*Vh!7WoYjt+(_?
zrcX1ijI}+r0_`xZM4PO=HdnhstI+=Z>}ud4-+C06bj+q)dtF=qipx0Y1<VMC*F>fj
zQ#WYt@1EQc2E{U|Og6Kc`HA_3Q8RQkgM|DLek{KyZwYT0Zzr!vjOOxI@S1op#TNXl
zyjotM1Qm$w_%kKT#Ooz*#WH>_pBqqM&5OTT=<K=c7{8LAbD#g!tyaE~&{60kd~$8~
z`y=^+;v17AC~CHNU-bODJtiawX9!&u3D*ggLc5lZ5<(cw)I|xS<9E>=hhx*YiD~$b
zcj2IV;p+h%her;?;XxQ<V{uQhKs-z=5hsh)5>zdzle9^G6JHfa(P0u&f>zS~B>U-;
zbfQEiX{M*p<@WM2NeDewK1I$*V6*hq&ZUk4egpgm`a28|`K_}Yw6>^kOJrfeh@!9V
zrS5L1cwD_@{62bvqrd!Z+}iaBi%#Dw-x`Hjdo^CsQBpp={OgXAJ>_VZve2raBv5*Y
z|D|-Mw1J<rURoe6kq!`ku_Y&PchN2?VZ6up1*2|Qj`wgUw(dq3_q=L)c$(2#eYm^_
z`7puEdf98?71<-1PDaqkmiDBV%l|3=R(YDvp*PZdky?%Ab+BwTuH3e}SCwxSa+2>?
z4?C1vRjpoK^{u>AeXVCzbyd0CBF4sca_l@NdESg^F7Q7py1&sT`i}C2@|_YE(<+hb
zP^c<iHC?q}zstx~MdjLPih951x(h{xm#?`Y_Nm`l5Ll;urbWkHZKA7GRv)G{yj7Wx
zQuk3KKlKQ8oH|YYt$K}moBC}PGOz7ZJE-cl+NUvr$*x+&pix!Ij=*On%sD2nY6NrZ
zG5WyFU|e~xs>U+K%nV*ot+`@VFU|$Kb6dUe5!D%l<c6JrQfZbK4pXE!alE->H+$ic
zij7X3Anw6`df{TlRiH!j9er>g6+$cFPt+TRJ>+_+H!cDR>=$kd!G1Gpg|EKL&LT7b
zuHl;~oWtPb>Zvl3GpCwMGv4_7imvbS;V6Jj&hx=}K+NE}ixgS=;BB9gQXqSQI6|5T
zL#``8)St<z0df%t?~|NXAa_5@Wo|?JU>zWbPlDWSe6aEPzh(;tVh^O}r!;XugrB8J
z2QnN;cZHS%neZ9e24pr6i%%6Qweg|x;?ELYfkgSAC8`Iq^RqPXft&!+>r;iCZGG@f
zAgt26bQTEY8IbOVjRo=^NVh&xfY4?ay0*r<)VLf_KOpSyb6tY+fdl~Q&UO&U2q1Q!
zia!S=;j=U~K+=G8>!TIO5+L2JH@EY_YiU5;wRQ)z9Y}YrgMpL+=`KDF$XOtkpQ@M+
z<i=-dmIHYTq`S+u0eJ_cyR1?m=9RF))LqyWKz%F!D!Lv>0FZ7~bL@TaI3VmVyIneS
z2QmXlx9DIX3xU9{_@7#g1M)o(_E(86y`})!PzgWXb+=<Npn}f?<pU}HOwd6fr#>U+
zfL#7e^i3c)fpqKaC6GEG-DPncd~gd8y1PG|0pW{(%@zp65=eJ1js@Zcq+4exK*XQr
zS`1`7kZ$GY1DOt_TW6&}mH}~Mhl4IP-UPG*P`4Ui0#O0!t|AA9o8Q@NpK`eaxmz~e
zlk+9E-PYl&#?e)<rv;<e=>Ej=0JK=KzaK~BGB(#sjo~#8!6sD5@czWXOfP(Q5OTv@
z*ag6rNHN@-GvBa%*dq>hyVgKTirrG&+{N4#ut5rJkb>{c*<y4Kk_@d@$nKN9Hn~_V
zF>Dl;{^$k&HcNdt5_-zG_FzHBK|EJ?#^+=yvDX6Knhzh?GY*7$x4*V&Y=xf==Bb8y
z<00^?0_-jckV9kZdX3KIMYFkG{I7QQ@MXJ(L4Rm;4}a3=t|QoiTD~bkfM>MmT#c=J
zX>_$$g1zyY7Twhz3x``d^|y-H?Vr#KJ%mraBayR4N9%$bi~R5PLXK7=QSY}JoiBs-
z??Wi>l|~nX+#6em{)`4>TO%~Au{B}0{dlYEP5QaJEgfyVMOGJm4q&;brCed%Poq1>
zz|ZV2Vc`B6az-H$d`iyrhAs4S2nDq0u0KGGMz?nUbK@lR!5@C)c;k&*E~;P~atfDY
j1v_E&42<$t*AVh~)xz$D!9Lv%fiaG+4)WOK%5nNHg4UNP

diff --git a/Shorewall-docs/index.htm b/Shorewall-docs/index.htm
index 6bf808fdb..831ef6161 100644
--- a/Shorewall-docs/index.htm
+++ b/Shorewall-docs/index.htm
@@ -1,22 +1,19 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
+Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd">
 <html>
-
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Shoreline Firewall</title>
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<meta name="ProgId" content="FrontPage.Editor.Document">
-</head>
-
-<frameset cols="242,*">
-  <frame name="contents" target="main" src="Shorewall_index_frame.htm">
-  <frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
-  <noframes>
-  <body>
-
-  <p>This page uses frames, but your browser doesn't support them.</p>
-
-  </body>
-  </noframes>
+<meta http-equiv="Content-Type" content="text/html;
+charset=iso-8859-1"></head>
+<frameset rows="110,*" cols="*" frameborder="yes"
+border="1"framespacing="0">  <frame
+src="Banner.html" name="topFrame"scrolling="NO"
+noresize >
+<frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
+<frame src="Shorewall_index_frame.htm" name="contents">    <frame src="seattlefirewall_index.htm"
+name="main">
 </frameset>
-
-</html>
\ No newline at end of file
+</frameset>
+<noframes><body><p>This page uses frames, but your browser doesn't
+support them.</p></body></noframes>
+</html>
diff --git a/Shorewall-docs/kernel.htm b/Shorewall-docs/kernel.htm
index 3f9060301..c9efc02ae 100644
--- a/Shorewall-docs/kernel.htm
+++ b/Shorewall-docs/kernel.htm
@@ -1,46 +1,28 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-     
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Kernel Configuration</title>
-         
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-     
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-   
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-    <tbody>
-     <tr>
-      <td width="100%">            
-      <h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
-      </td>
-    </tr>
-     
-  </tbody> 
-</table>
-   
-<p>For information regarding configuring and building GNU/Linux kernels, see
+<body>
+<h1 style="text-align: center;">Kernel Configuration<br>
+</h1>
+<p>For information regarding configuring and building GNU/Linux
+kernels, see
 <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
-   
 <p>Here's a screen shot of my Network Options Configuration:</p>
-   
-<blockquote>      
-  <p> <img border="0" src="images/netopts.jpg" width="609" height="842">
-   </p>
-  </blockquote>
-   
-<p>While not all of the options that I've selected are required, they should 
-be sufficient for most applications. Here's an excerpt from the corresponding 
-.config file (Note: If you are running a kernel older than 2.4.17, be sure 
-to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
-    
-<blockquote>   <font size="2">      
+<blockquote>
+  <p>&nbsp;<img border="0" src="images/netopts.jpg" width="609"
+ height="842"> </p>
+</blockquote>
+<p>While not all of the options that I've selected are required, they
+should be sufficient for most applications. Here's an excerpt from the
+corresponding .config file (Note: If you are running a kernel older
+than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
+<blockquote> <font size="2">
   <p>#<br>
 # Networking options<br>
 #<br>
@@ -70,33 +52,30 @@ CONFIG_NET_IPGRE=y<br>
 CONFIG_INET_ECN=y<br>
 CONFIG_SYN_COOKIES=y<br>
   </p>
-    </font> </blockquote>
-    
+  </font> </blockquote>
 <p>Here's a screen shot of my Netfilter configuration:</p>
-   
-<blockquote>     
+<blockquote>
   <p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
- width="589" height="849">
-  <br>
-   </p>
-  </blockquote>
-    
-<p>Note that I have built everything I need as modules. You can also build
-everything into your kernel but if you want to be able to deal with FTP running
-on a non-standard port then I recommend that you modularize FTP Protocol
+ width="589" height="849"> <br>
+  </p>
+</blockquote>
+<p>Note that I have built everything I need as modules. You can also
+build
+everything into your kernel but if you want to be able to deal with FTP
+running
+on a non-standard port then I recommend that you modularize FTP
+Protocol
 support.<br>
 </p>
 <p>Here's the corresponding part of my .config file:<br>
 </p>
-    
-<blockquote>              
-  <pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
-   </blockquote>
-    
+<blockquote>
+  <pre>#<br>#&nbsp;&nbsp; IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
+</blockquote>
 <p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
  href="support.htm">Tom Eastep</a></font> </p>
-  <a href="copyright.htm"><font size="2">Copyright</font> © <font
- size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
- <br>
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
+ size="2">2001-2003,&nbsp; Thomas M. Eastep.</font></a><br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm
index 63e719e5e..2cb7b84ea 100644
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@@ -15,7 +15,8 @@
  border="0">
   <tbody>
     <tr>
-      <td width="33%" valign="middle" align="left">
+      <td width="33%" valign="middle" align="left"
+ style="background-color: rgb(255, 255, 255);">
       <h1 align="center"><a
  href="http://www.centralcommand.com/linux_products.html"><img
  src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@@ -23,15 +24,18 @@
       <a href="http://www.gnu.org/software/mailman/mailman.html"> <img
  border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
  height="35" alt=""> </a>
-      <p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
+      <p align="right" style="background-color: rgb(255, 255, 255);"><font
+ color="#ffffff"><b>&nbsp; </b></font><a
  href="http://razor.sourceforge.net/"><img src="images/razor.gif"
  alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
       </p>
       </td>
-      <td valign="middle" width="34%" align="center">
-      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
+      <td valign="middle" width="34%" align="center"
+ style="color: rgb(51, 0, 51); background-color: rgb(255, 255, 255);">
+      <h1 align="center">Shorewall Mailing Lists</h1>
       </td>
-      <td valign="middle" width="33%"> <a
+      <td valign="middle" width="33%"
+ style="background-color: rgb(255, 255, 255);"> <a
  href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
  align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
       </a><br>
@@ -50,7 +54,7 @@
 <big><span style="color: rgb(255, 0, 0);"><span
  style="font-weight: bold;">If you are reporting a problem or asking a
 question, you are at the wrong place -- please see the <a
- href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
+ href="http://shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
 <br>
 If you experience problems with any of these lists,
 please let <a href="mailto:postmaster@shorewall.net">me</a>
@@ -148,7 +152,7 @@ of general interest to the Shorewall user community is also posted to
 this list.</p>
 <p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
 to this list, please see the <a
- href="http://www.shorewall.net/support.htm">problem
+ href="http://shorewall.net/support.htm">problem
 reporting guidelines</a>.<br>
 </b></big></p>
 <p align="left">To subscribe: <a
@@ -158,7 +162,9 @@ reporting guidelines</a>.<br>
 </ul>
 <p align="left"> To post to the list, post to <a
  href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
-<br>
+<span style="font-weight: bold;">IMPORTANT: </span>If you are not
+subscribed to the list, please say so -- otherwise, you will not be
+included in any replies.<br>
 </p>
 <p align="left">The list archives are at <a
  href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
@@ -230,8 +236,8 @@ to be emailed to you.</p>
 <h2 align="left">Frustrated by having to Rebuild Mailman to use it with
 Postfix?</h2>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 9/17/2003 - <a
- href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
+<p align="left"><font size="2">Last updated 10/27/2003 - <a
+ href="http://shorewall.net/support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
 ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm
index 73f72c770..1bbce51fe 100644
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@@ -9,18 +9,9 @@
   <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">About My Network</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
 <blockquote> </blockquote>
+<h1 style="text-align: center;">About My Network<br>
+</h1>
 <a href="http://www.redhat.com"><img
  style="border: 0px solid ; width: 88px; height: 31px;"
  src="images/poweredby.png" title="" alt="(RedHat Logo)"> </a><a
@@ -51,7 +42,7 @@
 <h1> </h1>
 <blockquote>
   <p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
-use a combination of Static NAT and Proxy ARP, neither of which are
+use a combination of One-to-one NAT and Proxy ARP, neither of which are
 relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
 If you have just a single public IP address, most of what you see here
 won't apply to your setup so beware of copying parts of this
@@ -70,9 +61,10 @@ and a Wireless network connected to eth3 (192.168.3.0/24).</p>
   <p> I use:<br>
   </p>
   <ul>
-    <li>Static NAT for Ursa (my XP System) - Internal address
+    <li>One-to-one NAT for Ursa (my XP System) - Internal address
 192.168.1.5 and external address 206.124.146.178.</li>
-    <li>Static NAT for EastepLaptop (My work system). Internal address
+    <li>One-to-one NAT for EastepLaptop (My work system). Internal
+address
 192.168.1.7 and external address 206.124.146.180.<br>
     </li>
     <li>SNAT through the primary gateway address
@@ -181,7 +173,8 @@ my Ethernet interfaces. </p>
 </blockquote>
 <h3>Masq File: </h3>
 <blockquote>
-  <p> Although most of our internal systems use static NAT, my wife's
+  <p> Although most of our internal systems use one-to-one NAT, my
+wife's
 system (192.168.1.4) uses IP Masquerading (actually SNAT) as does my
 personal system (192.168.1.3), our laptop (192.168.3.8) and
 visitors with laptops.<br>
@@ -244,7 +237,7 @@ file.<br>
 </div>
 <pre style="margin-left: 40px;">#!/bin/sh<br><br>case $1 in<br>	eth1)<br>		ip route add 206.124.146.177 dev eth1<br>		;;<br>esac<br></pre>
 <pre style="margin-left: 40px;"><span style="font-family: sans-serif;"></span></pre>
-<p><font size="2">Last updated 10/03/2003 - <a href="support.htm">Tom
+<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
 Eastep</a></font> </p>
 <a href="copyright.htm"><font size="2">Copyright</font> © <font
  size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
diff --git a/Shorewall-docs/ping.html b/Shorewall-docs/ping.html
index 1ea7ae6a8..c08c02b7b 100644
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@@ -7,18 +7,9 @@
   <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
 <br>
+<h1 style="text-align: center;">ICMP Echo-request (Ping)<br>
+</h1>
 Shorewall 'Ping' management has evolved over time with the latest
 change coming in Shorewall version 1.4.0. To find out which version of
 Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
diff --git a/Shorewall-docs/ports.htm b/Shorewall-docs/ports.htm
index 89d4c0b30..aa007d071 100644
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@@ -1,201 +1,147 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Port Information</title>
-                                                        
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
-                
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-               <tbody>
-                <tr>
-                 <td width="100%">                                      
-                 
-      <h1 align="center"><font color="#ffffff">Ports required for Various
-      Services/Applications</font></h1>
-                 </td>
-               </tr>
-                                
-  </tbody>        
-</table>
-                
+<body>
+<h1 style="text-align: center;">Ports Required for Various
+Services/Applications<br>
+</h1>
 <p>In addition to those applications described in <a
- href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
-      are some other services/applications that you may need to configure
-your     firewall to accommodate.</p>
-                
+ href="Documentation.htm">the /etc/shorewall/rules documentation</a>,
+here are some other services/applications that you may need to
+configure
+your firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
-                
-<blockquote>                        
+<blockquote>
   <p>UDP Port 123</p>
-             </blockquote>
-                
+</blockquote>
 <p>rdate</p>
-                
-<blockquote>                        
+<blockquote>
   <p>TCP Port 37</p>
-             </blockquote>
-                
+</blockquote>
 <p>UseNet (NNTP)</p>
-                
-<blockquote>                        
+<blockquote>
   <p>TCP Port 119</p>
-             </blockquote>
-                
+</blockquote>
 <p>DNS</p>
-                
-<blockquote>                        
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably
-want to   open TCP Port 53 as well.<br>
-               If you are configuring a server, only open TCP Port 53 if
-you   will   return  long   replies to queries or if you need to enable ZONE
-transfers. In     the  latter   case, be sure that your server is properly
+<blockquote>
+  <p>UDP Port 53. If you are configuring a DNS client, you will
+probably
+want to open TCP Port 53 as well.<br>
+If you are configuring a server, only open TCP Port 53 if
+you will return long replies to queries or if you need to enable ZONE
+transfers.&nbsp;In the latter case, be sure that your server is
+properly
 configured.</p>
-             </blockquote>
-                
-<p>ICQ   </p>
-                
-<blockquote>                        
-  <p>UDP Port 4000. You will also need to open a range of TCP ports which
-      you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
-             </blockquote>
-                
+</blockquote>
+<p>ICQ&nbsp;&nbsp;&nbsp;</p>
+<blockquote>
+  <p>UDP Port 4000. You will also need to open a range of TCP ports
+which you can specify to your ICQ client. By default, clients use
+4000-4100.</p>
+</blockquote>
 <p>PPTP</p>
-                
-<blockquote>                        
+<blockquote>
   <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
- href="PPTP.htm">Lots more   information here</a>).</p>
-             </blockquote>
-                
+ href="PPTP.htm">Lots more information here</a>).</p>
+</blockquote>
 <p>IPSEC</p>
-                
-<blockquote>                        
-  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
-      500.    These should be opened in both directions (Lots more information
-       <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
-             </blockquote>
-                
+<blockquote>
+  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP
+Port 500. These should be opened in both directions (Lots more
+information <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
+</blockquote>
 <p>SMTP (Email)</p>
-                
-<blockquote>                        
-  <p> TCP Port 25.</p>
-             </blockquote>
-                
+<blockquote>
+  <p>&nbsp;TCP Port 25.</p>
+</blockquote>
 <p>RealPlayer<br>
-     </p>
-         
-<blockquote>               
+</p>
+<blockquote>
   <p>UDP Port 6790 inbound<br>
-       </p>
-     </blockquote>
-         
-<p>POP3</p>
-                
-<blockquote>                        
-  <p>TCP Port 110 (Secure = TCP Port 995)<br>
-     </p>
-   </blockquote>
-     
-<p>IMAP<br>
-   </p>
-     
-<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
-   </blockquote>
-                          
-<p>TELNET</p>
-                
-<blockquote>                        
-  <p>TCP Port 23.</p>
-             </blockquote>
-                
-<p>SSH</p>
-                
-<blockquote>                        
-  <p>TCP Port 22.</p>
-             </blockquote>
-                
-<p>Auth (identd)</p>
-                
-<blockquote>                        
-  <p>TCP Port 113</p>
-             </blockquote>
-                
-<p>Web Access</p>
-                
-<blockquote>                        
-  <p>TCP Ports 80 and 443.</p>
-             </blockquote>
-                
-<p>FTP<br>
   </p>
-   
-<blockquote>      
-  <p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
+</blockquote>
+<p>POP3</p>
+<blockquote>
+  <p>TCP Port 110 (Secure = TCP Port 995)<br>
+  </p>
+</blockquote>
+<p>IMAP<br>
+</p>
+<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
+</blockquote>
+<p>TELNET</p>
+<blockquote>
+  <p>TCP Port 23.</p>
+</blockquote>
+<p>SSH</p>
+<blockquote>
+  <p>TCP Port 22.</p>
+</blockquote>
+<p>Auth (identd)</p>
+<blockquote>
+  <p>TCP Port 113</p>
+</blockquote>
+<p>Web Access</p>
+<blockquote>
+  <p>TCP Ports 80 and 443.</p>
+</blockquote>
+<p>FTP<br>
+</p>
+<blockquote>
+  <p>TCP port 21 plus <a href="FTP.html">look here for much more
+information</a>.<br>
   </p>
 </blockquote>
 <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
-                
 <blockquote> </blockquote>
-                
-<blockquote>                        
+<blockquote>
   <p>TCP Ports 137, 139 and 445.<br>
-               UDP Ports 137-139.<br>
-               <br>
-               Also, <a href="samba.htm">see this page</a>.</p>
-             </blockquote>
-                
+UDP Ports 137-139.<br>
+  <br>
+Also, <a href="samba.htm">see this page</a>.</p>
+</blockquote>
 <p>Traceroute</p>
-                
-<blockquote>                        
+<blockquote>
   <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
-   ICMP type 8 ('ping')<br>
-     </p>
-             </blockquote>
-                
+ICMP type 8 ('ping')<br>
+  </p>
+</blockquote>
 <p>NFS<br>
-         </p>
-                
-<blockquote>                        
-  <p>I personally use the following rules for opening access from zone z1
-    to a server with IP address a.b.c.d in zone z2:<br>
-           </p>
-                                
+</p>
+<blockquote>
+  <p>I personally use the following rules for opening access from zone
+z1 to a server with IP address a.b.c.d in zone z2:<br>
+  </p>
   <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	tcp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
-         </blockquote>
-                
-<blockquote>                        
-  <p>Note that my rules only cover NFS using UDP (the normal case). There
-    is lots of additional information at    <a
- href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
-             </blockquote>
-                
+</blockquote>
+<blockquote>
+  <p>Note that my rules only cover NFS using UDP (the normal case).
+There is lots of additional information at&nbsp; <a
+ href="http://nfs.sourceforge.net/nfs-howto/security.html">
+http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
+</blockquote>
 <p>VNC<br>
-      </p>
-           
-<blockquote>                  
+</p>
+<blockquote>
   <p>TCP port 5900 + &lt;display number&gt;</p>
-      </blockquote>
-           
-<p>Didn't find what you are looking for -- have you looked in your own /etc/services 
-   file? </p>
-                
-<p>Still looking? Try   <a
- href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
-                
+</blockquote>
+<p>Didn't find what you are looking for -- have you looked in your own
+/etc/services file? </p>
+<p>Still looking? Try <a
+ href="http://www.networkice.com/advice/Exploits/Ports">
+http://www.networkice.com/advice/Exploits/Ports</a></p>
 <p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
  href="support.htm">Tom Eastep</a></font> </p>
-             <a href="copyright.htm"><font size="2">Copyright</font>   ©
+<a href="copyright.htm"><font size="2">Copyright</font> ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-   <br>
-  <br>
- <br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/quotes.htm b/Shorewall-docs/quotes.htm
index ed51b4e6e..30821c7ef 100644
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@@ -1,153 +1,134 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-            
   <meta http-equiv="Content-Language" content="en-us">
-            
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-            
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-            
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Quotes from Shorewall Users</title>
 </head>
-  <body>
-      
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-        <tbody>
-         <tr>
-          <td width="100%">                     
-      <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
-          </td>
-        </tr>
-            
-  </tbody>   
-</table>
-    
+<body>
+<h1 style="text-align: center;">Quotes from Shorewall Users<br>
+</h1>
 <ul>
-  <li><font size="3">"I have fought with IPtables for untold hours. First
-I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield, 
-which also worked for 80%. Then I set out to write my own IPtables parser 
-in shell and awk, which was a lot of fun but never got me past the "hey, cool"
-stage. Then I discovered Shorewall. After about an hour, everything just
+  <li><font size="3">"I have fought with IPtables for untold hours.
+First
+I tried the SuSE firewall, which worked for 80% of what I needed. Then
+gShield, which also worked for 80%. Then I set out to write my own
+IPtables parser in shell and awk, which was a lot of fun but never got
+me past the "hey, cool"
+stage. Then I discovered Shorewall. After about an hour, everything
+just
 worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
     <br>
   </li>
-  <li>"The configuration is intuitive and flexible, and much easier than
-any  of the other iptables-based firewall programs out there. After sifting
-through  many other scripts, it is obvious that yours is the most well thought-out 
- and complete one available." -- BC, USA<br>
+  <li>"The configuration is intuitive and flexible, and much easier
+than
+any of the other iptables-based firewall programs out there. After
+sifting
+through many other scripts, it is obvious that yours is the most well
+thought-out and complete one available." -- BC, USA<br>
     <br>
   </li>
-  <li>"I just installed Shorewall after weeks of messing with       ipchains/iptables 
-  and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
+  <li>"I just installed Shorewall after weeks of messing with
+ipchains/iptables and I had it up and running in under 20 minutes!" --
+JL, Ohio<br>
     <br>
   </li>
-  <li>"My case was almost like [the one above]. Well. instead of 'weeks'
-it  was  'months' for me, and I think I needed two minutes more:<br>
+  <li>"My case was almost like [the one above]. Well. instead of
+'weeks'
+it was 'months' for me, and I think I needed two minutes more:<br>
   </li>
 </ul>
-           
 <ul>
-       
   <ul>
-    <li>One to see that I had no Internet access from the firewall itself.</li>
+    <li>One to see that I had no Internet access from the firewall
+itself.</li>
   </ul>
-       
   <ul>
-    <li>Other to see that this was the default configuration, and it was 
-enough  to uncomment a line in /etc/shorewall/policy.<br>
-       </li>
+    <li>Other to see that this was the default configuration, and it
+was enough to uncomment a line in /etc/shorewall/policy.<br>
+    </li>
   </ul>
-      
 </ul>
 <ul>
-  <li>     Minutes instead of months! Congratulations and thanks for such
-a simple  and well documented thing for something as huge as iptables." --
-JV, Spain.     </li>
+  <li> Minutes instead of months! Congratulations and thanks for such
+a simple and well documented thing for something as huge as iptables."
+--
+JV, Spain. </li>
 </ul>
 <ul>
-  <li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1    
-  without   any problems. Your documentation is great and I really appreciate
-your  network configuration info. That really helped me out alot.       THANKS!!!" 
-  -- MM.           </li>
+  <li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
+without any problems. Your documentation is great and I really
+appreciate
+your network configuration info. That really helped me out alot.
+THANKS!!!" -- MM. </li>
 </ul>
-      
 <ul>
-  <li>"[Shorewall is a] great, great project. I've used/tested may      
-firewall   scripts but this one is till now the best." -- B.R,       Netherlands
-        </li>
+  <li>"[Shorewall is a] great, great project. I've used/tested may
+firewall scripts but this one is till now the best." -- B.R,
+Netherlands </li>
 </ul>
-      
 <ul>
-  <li>"Never in my +12 year career as a sys admin have I witnessed      
-someone   so relentless in developing a secure, state of the art, safe and
-      useful   product as the Shorewall firewall package for no cost or obligation 
-  involved." -- Mario Kerecki, Toronto           </li>
+  <li>"Never in my +12 year career as a sys admin have I witnessed
+someone so relentless in developing a secure, state of the art, safe
+and useful product as the Shorewall firewall package for no cost or
+obligation involved." -- Mario Kerecki, Toronto </li>
 </ul>
-      
 <ul>
-  <li>"one time more to report, that your great shorewall in the latest 
-  release        1.2.9 is working fine for me with SuSE Linux 7.3! I now
-have 7 machines  up       and running with shorewall on several versions
-- starting with 1.2.2  up to       the new 1.2.9 and I never have encountered
+  <li>"one time more to report, that your great shorewall in the latest
+release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
+have 7 machines up and running with shorewall on several versions
+- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
 any problems!" -- SM, Germany</li>
 </ul>
-      
 <ul>
-  <li>"You have the best support of any other package I've ever       used." 
-  -- SE, US           </li>
+  <li>"You have the best support of any other package I've ever used."
+-- SE, US </li>
 </ul>
-      
 <ul>
-  <li>"Because our company has information which has been classified by the 
- national government as secret, our security doesn't stop by putting a fence 
-   around our company. Information security is a hot issue. We also make use
-  of  checkpoint firewalls, but not all of the internet servers are guarded 
-  by  checkpoint, some of them are running....Shorewall." -- Name withheld 
- by request,  Europe</li>
+  <li>"Because our company has information which has been classified by
+the national government as secret, our security doesn't stop by putting
+a fence around our company. Information security is a hot issue. We
+also make use of checkpoint firewalls, but not all of the internet
+servers are guarded by checkpoint, some of them are
+running....Shorewall." -- Name withheld by request, Europe</li>
 </ul>
-      
 <ul>
-  <li>"thanx for all your efforts you put into shorewall - this product stands 
-  out  against a lot of commercial stuff i´ve been working with in terms of
-   flexibillity, quality &amp; support" -- RM, Austria</li>
+  <li>"thanx for all your efforts you put into shorewall - this product
+stands out against a lot of commercial stuff i´ve been working with in
+terms of flexibillity, quality &amp; support" -- RM, Austria</li>
 </ul>
-      
 <ul>
-  <li>"I have never seen such a complete firewall package that is so easy
-to    configure. I searched the Debian package system for firewall scripts
-and    Shorewall won hands down." -- RG, Toronto</li>
+  <li>"I have never seen such a complete firewall package that is so
+easy
+to configure. I searched the Debian package system for firewall scripts
+and Shorewall won hands down." -- RG, Toronto</li>
 </ul>
-      
 <p></p>
 <ul>
-  <li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
-it   is a  wonderful piece of software. I've just sent out an email to about 
-30  people  recommending it. :-)<br>
+  <li>"My respects... I've just found and installed Shorewall 1.3.3-1
+and
+it is a wonderful piece of software. I've just sent out an email to
+about 30 people recommending it. :-)<br>
     <br>
-While I had previously taken the time (maybe 40 hours) to really understand 
-   ipchains, then spent at least an hour per server customizing and carefully 
-   scrutinizing firewall rules, I've got shorewall running on my home firewall, 
-   with rulesets and policies that I know make sense, in under 20 minutes." 
-  -- RP,  Guatamala<br>
+While I had previously taken the time (maybe 40 hours) to really
+understand ipchains, then spent at least an hour per server customizing
+and carefully scrutinizing firewall rules, I've got shorewall running
+on my home firewall, with rulesets and policies that I know make sense,
+in under 20 minutes." -- RP, Guatamala<br>
   </li>
 </ul>
-      
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003 
-  - <a href="support.htm">Tom Eastep</a>      </font>                    
-    </p>
-      
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-   © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-       <br>
-     <br>
-    <br>
-   <br>
-  <br>
- <br>
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
+7/1/2003 - <a href="support.htm">Tom Eastep</a> </font> </p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/samba.htm b/Shorewall-docs/samba.htm
index 42d6d2954..3f758fb17 100644
--- a/Shorewall-docs/samba.htm
+++ b/Shorewall-docs/samba.htm
@@ -9,17 +9,8 @@
   <title>Samba</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Samba</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Samba/SMB<br>
+</h1>
 <p>If you wish to run Samba on your firewall and access shares between
 the firewall and local hosts, you need the following rules:</p>
 <h4>/etc/shorewall/rules:</h4>
@@ -95,7 +86,98 @@ DEST</b></td>
     </tbody>
   </table>
 </blockquote>
-<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
+<p>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</p>
+<h4>/etc/shorewall/rules:</h4>
+<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><b>ACTION</b></td>
+        <td><b>SOURCE</b></td>
+        <td><b>DEST</b></td>
+        <td><b> PROTO</b></td>
+        <td><b>DEST<br>
+PORT(S)</b></td>
+        <td><b>SOURCE<br>
+PORT(S)</b></td>
+        <td><b>ORIGINAL<br>
+DEST</b></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>Z1<br>
+        </td>
+        <td>Z2<br>
+        </td>
+        <td>udp</td>
+        <td>137:139</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>Z1<br>
+        </td>
+        <td>Z2<br>
+        </td>
+        <td>tcp</td>
+        <td>137,139,445</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>Z1<br>
+        </td>
+        <td>Z2<br>
+        </td>
+        <td>udp</td>
+        <td>1024:</td>
+        <td>137</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>Z2<br>
+        </td>
+        <td>Z1<br>
+        </td>
+        <td>udp</td>
+        <td>137:139</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>Z2<br>
+        </td>
+        <td>Z1<br>
+        </td>
+        <td>tcp</td>
+        <td>137,139,445</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>Z2<br>
+        </td>
+        <td>Z1<br>
+        </td>
+        <td>udp</td>
+        <td>1024:</td>
+        <td>137</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<br>
+To make network browsing ("Network Neighborhood") work properly between
+Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I
+run Samba on my firewall to handle browsing between two zones connected
+to my firewall. Details are <a href="myfiles.htm">here</a>.<br>
+<p><font size="2">Last modified 10/22/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm
index 52c7053a4..b15df5a38 100644
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@@ -7,30 +7,38 @@
   <base target="_self">
 </head>
 <body>
-<table cellpadding="0" cellspacing="4"
- style="border-collapse: collapse;" width="100%" id="AutoNumber3"
- bgcolor="#3366ff">
-  <tbody>
-    <tr>
-      <td width="33%" height="90" valign="middle" align="center"><a
- href="http://www.cityofshoreline.com"> </a>
-      <div align="center"> <img src="images/Logo1.png"
- alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
-      </td>
-    </tr>
-  </tbody>
-</table>
 <div align="center">
 <div align="center"> </div>
 <center>
 <div align="center"> </div>
 <table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4">
+ style="border-collapse: collapse; width: 100%; height: 100%;"
+ id="AutoNumber4">
   <tbody>
     <tr>
       <td width="90%">
-      <h2>Introduction<br>
+      <h2>Site Problem</h2>
+The server that normally hosts www.shorewall.net and ftp.shorewall.net
+is currently down. Until it is back up, a small server with very
+limited bandwidth is being used temporarly. You will likely experience
+better response time from the <a
+ href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
+or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
+Sorry for the inconvenience.<br>
+      <br>
+      <h2>Introduction to Shorewall<br>
       </h2>
+      <h3>This is the Shorewall 1.4 Web Site</h3>
+The information on this site applies only to 1.4.x releases of
+Shorewall. For older versions:<br>
+      <ul>
+        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
+ target="_top">here.</a></li>
+        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
+ target="_top">here</a>.</li>
+      </ul>
+      <h3>Glossary<br>
+      </h3>
       <ul>
         <li><a href="http://www.netfilter.org">Netfilter</a> - the
 packet filter facility built into the 2.4 and later Linux kernels.</li>
@@ -40,12 +48,12 @@ and control that facility. Netfilter can be used in ipchains
 compatibility mode.<br>
         </li>
         <li>iptables - the utility program used to configure and
-control
-Netfilter. The term 'iptables' is often used to refer to the
-combination of iptables+Netfilter (with Netfilter not in
-ipchains compatibility mode).<br>
-        </li>
+control Netfilter. The term 'iptables' is often used to refer to the
+combination of iptables+Netfilter (with Netfilter not in ipchains
+compatibility mode).</li>
       </ul>
+      <h3>What is Shorewall?<br>
+      </h3>
 The Shoreline Firewall, more commonly known as "Shorewall", is
 high-level tool for configuring Netfilter. You describe your
 firewall/gateway requirements using entries in a set of configuration
@@ -57,367 +65,237 @@ system. Shorewall does not use Netfilter's ipchains compatibility mode
 and can thus take advantage of Netfilter's connection state tracking
 capabilities.<br>
       <br>
+Shorewall is <span style="text-decoration: underline;">not</span> a
+daemon. Once Shorewall has configured Netfilter, it's job is complete
+although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
+program can be used at any time to monitor the Netfilter firewall</a>.<br>
+      <h3>Getting Started with Shorewall</h3>
+New to Shorewall? Start by selecting the <a
+ href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
+closely match your environment and follow the step by step instructions.<br>
+      <h3>Looking for Information?</h3>
+The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
+Index</a> is a good place to start as is the Quick Search in the frame
+above.
+      <h3>License<br>
+      </h3>
 This program is free software; you can redistribute it and/or modify it
 under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
-2 of the GNU
-General Public License</a> as published by the Free Software Foundation.<br>
+2 of the GNU General Public License</a> as published by the Free
+Software Foundation.<br>
       <p> This program is distributed in the hope that it will be
 useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.<br>
+General
+Public License for more details.<br>
       <br>
 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
 675 Mass Ave, Cambridge, MA 02139, USA</p>
       <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
-Eastep</a></p>
-      <h2>This is the Shorewall 1.4 Web Site</h2>
-The information on this site applies only to 1.4.x releases of
-Shorewall. For older versions:<br>
-      <ul>
-        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
- target="_top">here.</a></li>
-        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
- target="_top">here</a>.<br>
-        </li>
-      </ul>
-      <h2>Getting Started with Shorewall</h2>
-New to Shorewall? Start by selecting the <a
- href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
-closely match your environment
-and follow the step by step instructions.<br>
-      <h2>Looking for Information?</h2>
-The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
-Index</a> is a good place to start as is the Quick Search to your
-right.
-      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
-If so, the documentation<b> </b>on
-this site will not apply directly to your setup. If you want
-to use the documentation that you find here, you will want to consider
-uninstalling what you have and installing a setup that matches the
-documentation on this site. See the <a href="two-interface.htm">Two-interface
-QuickStart Guide</a> for details.<br>
-      <h2>News</h2>
-      <p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
- style="border: 0px solid ; width: 28px; height: 12px;"
- src="images/new10.gif" alt="(New)" title=""><br>
-      </b></p>
-      <b>Problems Corrected since version 1.4.6 (Those in bold font
-were corrected since 1.4.7 RC2)</b><br>
-      <ol>
-        <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
-variable was being tested before it was set.</li>
-        <li>Corrected handling of MAC addresses in the SOURCE column of
-the tcrules file. Previously, these addresses resulted in an invalid
-iptables command.</li>
-        <li>The "shorewall stop" command is now disabled when
-/etc/shorewall/startup_disabled exists. This prevents people from
-shooting themselves in the foot prior to having configured Shorewall.</li>
-        <li>A change introduced in version 1.4.6 caused error messages
-during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
-were being added to a PPP interface; the addresses were successfully
-added in spite of the messages.<br>
-&nbsp;&nbsp;&nbsp; <br>
-The firewall script has been modified to eliminate the error messages</li>
-        <li>Interface-specific dynamic blacklisting chains are
-now displayed by "shorewall monitor" on the "Dynamic Chains" page
-(previously named "Dynamic Chain").</li>
-        <li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
-        <li>The 'shorewall reject' and
-'shorewall drop' commands now delete any existing rules for the subject
-IP address before adding a new DROP or REJECT rule. Previously, there
-could be many rules for the same IP address in the dynamic chain so
-that multiple 'allow' commands were required to re-enable traffic
-to/from the address.</li>
-        <li>When ADD_SNAT_ALIASES=Yes in
-shorewall.conf, the following entry in /etc/shorewall/masq resulted in
-a startup error:<br>
-&nbsp;<br>
-&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
-206.124.146.20-206.124.146.24<br>
-          <br>
-        </li>
-        <li>Shorewall previously choked over
-IPV6 addresses configured on interfaces in contexts where Shorewall
-needed to detect something about the interface (such as when "detect"
-appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
-        <li>Shorewall will now load
-module files that are formed from the module name by appending ".o.gz".</li>
-        <li>When Shorewall adds a route to a
-proxy ARP host and such a route already exists, two routes resulted
-previously. This has been corrected so that the existing route is
-replaced if it already exists.</li>
-        <li>The rfc1918 file has been
-updated to reflect recent allocations.</li>
-        <li>The documentation of the
-USER SET column in the rules file has been corrected.</li>
-        <li>If there is no policy
-defined for
-the zones specified in a rule, the firewall script previously
-encountered a shell syntax error:<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-Now, the absence of a policy generates an error message and the
-firewall is stopped:<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
-&lt;source&gt; to zone &lt;dest&gt;<br>
-          <br>
-        </li>
-        <li>Previously, if neither
-/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
-would fail to start and would not remove the lock file. Failure to
-remove the lock file resulted in the following during subsequent
-attempts to start:<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
-&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
-&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
-&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
-&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
-          <br>
-Shorewall now reports a fatal error if neither of these two files exist
-and correctly removes the lock fille.</li>
-        <li>The order of processing
-the
-various options has been changed such that blacklist entries now take
-precedence over the 'dhcp' interface setting.</li>
-        <li>The log message generated
-from the
-'logunclean' interface option has been changed to reflect a disposition
-of LOG rather than DROP.</li>
-        <li><span style="font-weight: bold;">When a user name and/or a
-group
-name was specified in the USER SET column and the destination zone was
-qualified with a IP address, the user and/or group name was not being
-used to qualify the rule.<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp; Example:<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
-          <br>
-          </span></li>
-        <li><span style="font-weight: bold;">The /etc/shorewall/masq
-file has had the spurious "/" character at the front removed.</span></li>
-      </ol>
-      <b>Migration Issues:</b><br>
-      <ol>
-        <li>Shorewall IP Traffic Accounting has changed since snapshot
-20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
-details.</li>
-        <li>The Uset Set capability introduced in SnapShot 20030821 has
-changed -- see the <a href="UserSets.html">User Set page</a> for
-details.</li>
-        <li>The per-interface Dynamic Blacklisting facility introduced
-in the first post-1.4.6 Snapshot has been removed. The facility had too
-many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
-        </li>
-      </ol>
-      <b>New Features:</b><br>
-      <ol>
-        <li>Thanks to Steve Herber, the 'help' command can now give
-command-specific help (e.g., shorewall help &lt;command&gt;).</li>
-        <li>A new option "ADMINISABSENTMINDED" has been added to
-/etc/shorewall/shorewall.conf. This option has a default value of "No"
-for existing users which causes Shorewall's 'stopped' state &nbsp;to
-continue as it has been; namely, in the stopped state only traffic
-to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
-          <br>
-With ADMINISABSENTMINDED=Yes (the default for new installs), in
-addition to traffic to/from the hosts listed in
-/etc/shorewall/routestopped, Shorewall will allow:<br>
-          <br>
-&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
-&nbsp;&nbsp; b) All traffic that is part of or related to an
-already-existing connection.<br>
-          <br>
-&nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
-entered through an ssh session will not kill the session.<br>
-          <br>
-&nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
-possible for people to shoot themselves in the foot.<br>
-          <br>
-&nbsp;Example:<br>
-          <br>
-&nbsp;/etc/shorewall/nat:<br>
-          <br>
-&nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
-eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
-          <br>
-&nbsp;/etc/shorewall/rules:<br>
-          <br>
-&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
-loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
-&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
-fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
-          <br>
-From a remote system, I ssh to 206.124.146.178 which establishes an SSH
-connection with local system 192.168.1.5. I then create a second SSH
-connection
-from that computer to the firewall and confidently type "shorewall
-stop".
-As part of its stop processing, Shorewall removes eth0:0 which kills my
-SSH
-connection to 192.168.1.5!!!</li>
-        <li>Given the wide range of VPN software, I can never hope to
-add specific support for all of it. I have therefore decided to add
-"generic" tunnel support.<br>
-&nbsp;<br>
-Generic tunnels work pretty much like any of the other tunnel types.
-You usually add a zone to represent the systems at the other end of the
-tunnel and you add the appropriate rules/policies to<br>
-implement your security policy regarding traffic to/from those systems.<br>
-&nbsp;<br>
-In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
-          <br>
-generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
-address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
-&nbsp;<br>
-where:<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
-used by the tunnel<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
-is 'udp' or 'tcp' then this is the destination port number used by the
-tunnel.<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
-the remote tunnel gateway<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
-address of the remote tunnel gateway.<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
-Optional. A comma-separated list of zone names. If specified, the
-remote gateway is to be considered part of these zones.</li>
-        <li>An 'arp_filter' option has been added to the
-/etc/shorewall/interfaces file. This option causes
-/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
-result that this interface will only answer ARP 'who-has' requests from
-hosts that are routed out through that interface. Setting this option
-facilitates testing of your firewall where multiple firewall interfaces
-are connected to the same HUB/Switch (all interfaces connected to the
-single HUB/Switch should have this option specified). Note that using
-such a configuration in a production environment is strongly
-recommended against.</li>
-        <li>The ADDRESS column in /etc/shorewall/masq may now include a
-comma-separated list of addresses and/or address ranges. Netfilter will
-use all listed addresses/ranges in round-robin fashion. \</li>
-        <li>An /etc/shorewall/accounting file has been added to allow
-for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
-documentation</a> for a description of this facility.</li>
-        <li>Bridge interfaces (br[0-9]) may now be used in
-/etc/shorewall/maclist.</li>
-        <li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
-/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
-rules, rate limiting occurs in the nat table DNAT rule; the
-corresponding ACCEPT rule in the filter table is not rate limited. If
-you want to limit the filter table rule, you will need o create two
-rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
-separately.<br>
-&nbsp;<br>
-          <span style="font-weight: bold;">Warning: </span>When rate
-limiting is specified on a rule with "all" in the SOURCE or DEST
-fields, the limit will apply to each pair of zones individually rather
-than as a single limit for all pairs of covered by the rule.<br>
-&nbsp;<br>
-To specify a rate limit, <br>
-          <br>
-a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
-&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
-&nbsp;<br>
-&nbsp;
-where<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
-&lt;interval&gt;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
-accepted within an &lt;interval&gt;. If not given, the default of 5 is
-assumed.<br>
-&nbsp;<br>
-There may be no white space between the ACTION and "&lt;" nor there may
-be any white space within the burst specification. If you want to
-specify logging of a rate-limited rule, the ":" and log level comes
-after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
-          <br>
-b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
-file. You may specify the rate limit there in the format:<br>
-          <br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
-&nbsp;<br>
-Let's take an example:<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
-tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
-&nbsp;&nbsp;&nbsp; <br>
-The first time this rule is reached, the packet will be accepted; in
-fact, since the burst is 4, the first four packets will be accepted.
-After this, it will be 500ms (1 second divided by the rate<br>
-of 2) before a packet will be accepted from this rule, regardless of
-how many packets reach it. Also, every 500ms which passes without
-matching a packet, one of the bursts will be regained; if no packets
-hit the rule for 2 second, the burst will be fully recharged; back
-where we started.<br>
-        </li>
-        <li>Multiple chains may now be displayed in one "shorewall
-show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
-        <li>Output rules (those with $FW as the SOURCE) may now be
-limited to a set of local users and/or groups. See <a
- href="UserSets.html">http://shorewall.net/UserSets.html</a>
-for details.<br>
-          <br>
-        </li>
-      </ol>
-      <p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
-      <p>Thanks to Dave Kempe and Solutions First (<a
- href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
-there is now a Shorewall Mirror in Australia:</p>
-      <p style="margin-left: 40px;"><a
- href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
- size="3"><br>
-      <a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
+Eastep</a><br>
       </p>
-      <p><b>8/26/2003 - French Version of the Shorewall Setup
-Guide&nbsp;</b></p>
-Thanks to Fabien <font size="3">Demassieux, there is now a <a
- href="shorewall_setup_guide_fr.htm">French translation of the
-Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
-      </font>
-      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b>&nbsp; <br>
-      </b></p>
-      <b>Problems Corrected since version 1.4.6:</b><br>
-      <ol>
-        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
-then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
-Control requires Mangle"; that problem has been corrected.</li>
-        <li>Corrected handling of MAC addresses in the SOURCE column of
-the
-tcrules file. Previously, these addresses resulted in an invalid
-iptables
-command.</li>
-        <li>The "shorewall stop" command is now disabled when
-/etc/shorewall/startup_disabled
-exists. This prevents people from shooting themselves in the foot prior
+      <h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
+If so, the documentation<b> </b>on this site will not apply directly
 to
-having configured Shorewall.</li>
-        <li>A change introduced in version 1.4.6 caused error messages
-during
-"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
-being
-added to a PPP interface; the addresses were successfully added in
-spite
-of the messages.<br>
-&nbsp;&nbsp; <br>
-The firewall script has been modified to eliminate the error messages.<br>
+your setup. If you want to use the documentation that you find here,
+you will want to consider uninstalling what you have and installing a
+setup that matches the documentation on this site. See the <a
+ href="two-interface.htm">Two-interface QuickStart Guide</a> for
+details.<br>
+      <h2>News</h2>
+      <p><b>11/07/2003 - Shorewall 1.4.8</b><b> <img
+ style="border: 0px solid ; width: 28px; height: 12px;"
+ src="images/new10.gif" alt="(New)" title=""></b><b><br>
+      <br>
+      </b>Problems Corrected since version 1.4.7:<br>
+      </p>
+      <ol>
+        <li>Tuomo Soini has supplied a correction to a problem that
+occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.</li>
+        <li>Andres Zhoglo has supplied a correction that avoids trying
+to use the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+          <br>
         </li>
+        <li>Previously, if the following error message was issued,
+Shorewall was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
+          <br>
+        </li>
+        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
+been corrected.</li>
+        <li>In Shorewall 1.4.2, an optimization was added. This
+optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+        <li>When the MARK value in a tcrules entry is followed by ":F"
+or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.</li>
+        <li>An incorrect comment concerning Debian's use of the
+SUBSYSLOCK option has been removed from shorewall.conf.</li>
+        <li>Previously, neither the 'routefilter' interface option nor
+the
+ROUTE_FILTER parameter were working properly. This has been corrected
+(thanks to Eric Bowles for his analysis and patch). The definition of
+the ROUTE_FILTER option has changed however. Previously,
+ROUTE_FILTER=Yes was documented as enabling route filtering on all
+interfaces (which didn't work). Beginning with this release, setting
+ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
+up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
+coexist with the use of the 'routefilter' option in the interfaces file.</li>
+        <li>If MAC verification was enabled on an interface with a /32
+address and
+a broadcast address then an error would occur during startup.</li>
+        <li>he NONE policy's intended use is to suppress the generating
+of
+rules that can't possibly be traversed. This means that a policy of
+NONE is inappropriate where the source or destination zone is $FW or
+"all". Shorewall now generates an error message if such a policy is
+given in /etc/shorewall/policy. Previously such a policy caused
+"shorewall start" to fail.</li>
+        <li>The 'routeback' option was broken for wildcard interfaces
+(e.g.,
+"tun+"). This has been corrected so that 'routeback' now works as
+expected in this case.<br>
+        </li>
+      </ol>
+Migration Issues:<br>
+      <ol>
+        <li>The definition of the ROUTE_FILTER option in shorewall.conf
+has changed as described in item 8) above.<br>
+        </li>
+      </ol>
+New Features:<br>
+      <ol>
+        <li>A new QUEUE action has been introduced for rules. QUEUE
+allows
+you to pass connection requests to a user-space filter such as ftwall
+(http://p2pwall.sourceforge.net). The ftwall program
+allows for effective filtering of p2p applications such as Kazaa. For
+example, to use ftwall to filter P2P clients in the 'loc' zone, you
+would add the following rules:<br>
+          <br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
+          <br>
+You would normally want to place those three rules BEFORE any ACCEPT
+rules for loc-&gt;net udp or tcp.<br>
+          <br>
+Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
+Shorewall will only pass connection requests (SYN packets) to user
+space. This is for compatibility with ftwall.</li>
+        <li>A BLACKLISTNEWNONLY option has been added to
+shorewall.conf. When this option is set to "Yes", the blacklists
+(dynamic and static) are only consulted for new connection requests.
+When set to "No" (the default if the variable is not set), the
+blacklists are consulted on every packet.<br>
+          <br>
+Setting this option to "No" allows blacklisting to stop existing
+connections from a newly blacklisted host but is more expensive in
+terms of packet processing time. This is especially true if the
+blacklists contain a large number of entries.</li>
+        <li>Chain names used in the /etc/shorewall/accounting file may
+now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
+      </ol>
+      <p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
+bag awards </b><b><img
+ style="border: 0px solid ; width: 50px; height: 80px;"
+ src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
+1.4.7c released.</b> </p>
+      <ol>
+        <li>The saga with "&lt;zone&gt;_frwd" chains continues. The
+1.4.7c
+script produces a ruleset that should work for everyone even if it is
+not
+quite optimal. My apologies for this ongoing mess.<br>
+        </li>
+      </ol>
+      <p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
+      <p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
+      </p>
+      <ol>
+        <li>The fix for problem 5 in 1.4.7a was wrong with the result
+that
+"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
+is corrected in this release.<br>
+        </li>
+      </ol>
+      <p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
+      <p>This is a bugfix rollup of the following problem corrections:<br>
+      </p>
+      <ol>
+        <li>Tuomo Soini has supplied a correction to a problem that
+occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.<br>
+          <br>
+        </li>
+        <li>Andres Zhoglo has supplied a correction that avoids trying
+to use the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+          <br>
+        </li>
+        <li>Previously, if the following error message was issued,
+Shorewall was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through
+interface xxx<br>
+          <br>
+        </li>
+        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
+been corrected.</li>
+        <li>In Shorewall 1.4.2, an optimization was added. This
+optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+        <li>When the MARK value in a tcrules entry is followed by ":F"
+or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.<br>
+        </li>
+      </ol>
+      <ol>
       </ol>
       <p><b></b></p>
       <ol>
@@ -432,56 +310,33 @@ You can find their work at: <a
  href="http://leaf.sourceforge.net/devel/jnilo">
 http://leaf.sourceforge.net/devel/jnilo<br>
       </a></p>
-      <b>Congratulations to Jacques
-and Eric on the recent release of Bering 1.2!!! </b><br>
-      <h2><a name="Donations"></a>Donations</h2>
-      </td>
-      <td width="88" bgcolor="#3366ff" valign="top" align="center">
-      <form method="post"
- action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
-        <font color="#ffffff"><b>Note: </b></font></strong><font
- color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
-        <strong></strong>
-        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-        <font face="Arial" size="-1"> <input type="text" name="words"
- size="15"></font><font size="-1"> </font> <font face="Arial"
- size="-1"> <input type="hidden" name="format" value="long"> <input
- type="hidden" name="method" value="and"> <input type="hidden"
- name="config" value="htdig"> <input type="submit" value="Search"></font>
-        </p>
-        <font face="Arial"> <input type="hidden" name="exclude"
- value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
-      <p><font color="#ffffff"><b><a
- href="http://lists.shorewall.net/htdig/search.html"><font
- color="#ffffff">Extended Search</font></a></b></font></p>
+      <b>Congratulations to Jacques and Eric on the recent release of
+Bering 1.2!!! <br>
       <br>
+      </b>
+      <div style="text-align: center;">
+      <div style="text-align: center;"><a
+ href="http://www.shorewall.net" target="_top"><img
+ src="images/ProtectedBy.png" title="" alt="(Protected by Shorewall)"
+ style="border: 0px solid ; width: 216px; height: 45px;"></a></div>
+      </div>
+      <h2><a name="Donations"></a>Donations</h2>
+      <p style="text-align: left;"><a href="http://www.starlight.org"> <img
+ style="border: 4px solid ; width: 57px; height: 100px;"
+ src="images/newlog.gif" align="left" hspace="10" alt="(Starlight Logo)"
+ title=""></a><br>
+      <big>Shorewall is free but if you try it and find it useful,
+please consider making a donation to <a href="http://www.starlight.org">Starlight
+Children's Foundation</a>. Thanks!</big><br>
+      <a href="http://www.starlight.org"> </a></p>
       </td>
     </tr>
   </tbody>
 </table>
 </center>
 </div>
-<table border="0" cellpadding="5" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber2"
- bgcolor="#3366ff">
-  <tbody>
-    <tr>
-      <td width="100%" style="margin-top: 1px;" valign="middle">
-      <p align="center"><a href="http://www.starlight.org"> <img
- border="4" src="images/newlog.gif" width="57" height="100" align="left"
- hspace="10" alt="(Starlight Logo)"> </a></p>
-      <p align="center"><font size="4" color="#ffffff"><br>
-      <font size="+2"> Shorewall is free but if you try it and find it
-useful, please consider making a donation to <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight
-Children's Foundation.</font></a> Thanks!</font></font></p>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 11/13/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
-<br>
 </body>
 </html>
diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm
index 8fc3fecbd..3e7f9bdb1 100644
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@@ -9,18 +9,10 @@
   <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<p align="center"> <img border="3" src="images/Tom.jpg"
+<p align="center"> </p>
+<h1 style="text-align: center;">Tom Eastep<br>
+</h1>
+<p align="center"><img border="3" src="images/Tom.jpg"
  alt="Aging Geek - June 2003" width="320" height="240"> </p>
 <p align="center">"The Aging Geek" -- June 2003<br>
 <br>
diff --git a/Shorewall-docs/shorewall_extension_scripts.htm b/Shorewall-docs/shorewall_extension_scripts.htm
index a18b8b96a..96fcbf33a 100644
--- a/Shorewall-docs/shorewall_extension_scripts.htm
+++ b/Shorewall-docs/shorewall_extension_scripts.htm
@@ -1,118 +1,89 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-            
   <meta http-equiv="Content-Language" content="en-us">
-            
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-            
   <meta name="ProgId" content="FrontPage.Editor.Document">
-            
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shorewall Extension Scripts</title>
 </head>
-  <body>
-       
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-                 <tbody>
-        <tr>
-                   <td width="100%">                      
-      <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
-                   </td>
-                 </tr>
-             
-  </tbody>   
-</table>
-       
-<p>  Extension scripts are   user-provided  scripts that are invoked at various 
- points during firewall   start, restart,  stop and clear. The scripts are 
- placed in /etc/shorewall and   are processed  using the Bourne shell "source" 
- mechanism.<br>
- </p>
- 
+<body>
+<h1 style="text-align: center;">Extension Scripts<br>
+</h1>
+<p>Extension scripts are user-provided scripts that are invoked at
+various points during firewall start, restart, stop and clear. The
+scripts are placed in /etc/shorewall and are processed using the Bourne
+shell "source" mechanism.<br>
+</p>
 <p><font color="#ff0000"><b>Caution: <br>
-  </b></font></p>
-   
+</b></font></p>
 <ol>
-   <li><font color="#ff0000"><b>Be sure that you actually need to use an
-extension  script to do what you want. Shorewall has a wide range of features
-that cover  most requirements.</b></font></li>
-   <li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON 
-THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
- SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
+  <li><font color="#ff0000"><b>Be sure that you actually need to use an
+extension script to do what you want. Shorewall has a wide range of
+features
+that cover most requirements.</b></font></li>
+  <li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND
+ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT
+BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT
+YOU ARE
 DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
- 
 </ol>
- 
-<p>The   following scripts can be  supplied:</p>
-      
+<p>The following scripts can be supplied:</p>
 <ul>
-        <li>init -- invoked early in "shorewall start" and       "shorewall 
- restart"</li>
-        <li>start -- invoked after the firewall has been started or restarted.</li>
-        <li>stop -- invoked as a first step when the firewall is being stopped.</li>
-        <li>stopped -- invoked after the firewall has been stopped.</li>
-        <li>clear -- invoked after the firewall has been cleared.</li>
-        <li>refresh -- invoked while the firewall is being refreshed but
-before  the     common and/or blacklst chains have been rebuilt.</li>
-        <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' 
- chain     has been created but before any rules have been added to it.</li>
-      
+  <li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
+  <li>start -- invoked after the firewall has been started or restarted.</li>
+  <li>stop -- invoked as a first step when the firewall is being
+stopped.</li>
+  <li>stopped -- invoked after the firewall has been stopped.</li>
+  <li>clear -- invoked after the firewall has been cleared.</li>
+  <li>refresh -- invoked while the firewall is being refreshed but
+before the common and/or blacklst chains have been rebuilt.</li>
+  <li>newnotsyn (added in version 1.3.6) -- invoked after the
+'newnotsyn' chain has been created but before any rules have been added
+to it.</li>
 </ul>
-         
-<p><u><b>If your version of Shorewall doesn't have the file that you want 
- to use from the above list, you can simply create the file yourself.</b></u></p>
-      
-<p>   You can also supply a script with the same name as any of the filter 
-   chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules 
-   file has been processed but before the   /etc/shorewall/policy file has 
- been  processed.</p>
-         
-<p>The /etc/shorewall/common file receives special treatment. If this file 
- is present, the rules that it       defines will totally replace the default 
- rules in the common chain. These         default rules are contained in the
- file /etc/shorewall/common.def which        may be used as a starting point
- for making your own customized file.</p>
-         
-<p>   Rather than running iptables directly, you should run it using the 
-function  run_iptables. Similarly, rather than running "ip" directly, you
- should use run_ip. These functions accept the same arguments as the  underlying
- command but cause the firewall to be stopped if an error occurs   during
+<p><u><b>If your version of Shorewall doesn't have the file that you
+want to use from the above list, you can simply create the file
+yourself.</b></u></p>
+<p> You can also supply a script with the same name as any of the
+filter chains in the firewall and the script will be invoked after the
+/etc/shorewall/rules file has been processed but before the
+/etc/shorewall/policy file has been processed.</p>
+<p>The /etc/shorewall/common file receives special treatment. If this
+file is present, the rules that it defines will totally replace the
+default rules in the common chain. These default rules are contained in
+the file /etc/shorewall/common.def which may be used as a starting
+point for making your own customized file.</p>
+<p> Rather than running iptables directly, you should run it using the
+function run_iptables. Similarly, rather than running "ip" directly,
+you should use run_ip. These functions accept the same arguments as the
+underlying command but cause the firewall to be stopped if an error
+occurs during
 processing of the command.</p>
-         
-<p>   If you decide to create /etc/shorewall/common it is a good idea to
-use the    following technique</p>
-         
-<p>   /etc/shorewall/common:</p>
-         
-<blockquote>          
+<p> If you decide to create /etc/shorewall/common it is a good idea to
+use the following technique</p>
+<p> /etc/shorewall/common:</p>
+<blockquote>
   <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
-      </blockquote>
-      
-<p>If you need to supercede a rule in the released common.def file, you can 
- add   the superceding rule before the '.' command. Using this technique allows
-   you to add new rules while still getting the benefit of the latest common.def
-   file.</p>
-        
-<p>Remember that /etc/shorewall/common defines rules   that are only applied 
- if the applicable policy is DROP or REJECT. These rules   are NOT applied 
- if the policy is ACCEPT or CONTINUE<br>
-  </p>
-   
+</blockquote>
+<p>If you need to supercede a rule in the released common.def file, you
+can add the superceding rule before the '.' command. Using this
+technique allows you to add new rules while still getting the benefit
+of the latest common.def file.</p>
+<p>Remember that /etc/shorewall/common defines rules that are only
+applied if the applicable policy is DROP or REJECT. These rules are NOT
+applied if the policy is ACCEPT or CONTINUE<br>
+</p>
 <p> </p>
-        
 <p align="left"><font size="2">Last updated 6/30/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
-      
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
- Thomas M. Eastep</font></a></p>
-      <br>
-    <br>
-   <br>
-  <br>
- <br>
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
+2003 Thomas M. Eastep</font></a></p>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/shorewall_features.htm b/Shorewall-docs/shorewall_features.htm
index c043b43f7..70b212d83 100644
--- a/Shorewall-docs/shorewall_features.htm
+++ b/Shorewall-docs/shorewall_features.htm
@@ -1,119 +1,98 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Shorewall Features</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-       <tbody>
-        <tr>
-         <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
-         </td>
-       </tr>
-    
-  </tbody> 
-</table>
-  
+<body>
+<h1 style="text-align: center;">Shorewall Features<br>
+</h1>
 <ul>
-       <li>Uses Netfilter's connection tracking facilities for stateful packet 
-    filtering.</li>
-       <li>Can be used in a <b> wide range of router/firewall/gateway applications</b>. 
-     
+  <li>Uses Netfilter's connection tracking facilities for stateful
+packet filtering.</li>
+  <li>Can be used in a <b> wide range of router/firewall/gateway
+applications</b>.
     <ul>
-         <li>Completely customizable using configuration files.</li>
-         <li>No limit on the number of network interfaces.</li>
-         <li>Allows you to partitions the network into <i><a
- href="Documentation.htm#Zones">zones</a></i>         and gives you complete 
- control over the connections permitted between         each pair of zones.</li>
-         <li>Multiple interfaces per zone and multiple zones per interface 
-        permitted.</li>
-         <li>Supports nested and overlapping zones.</li>
-      
+      <li>Completely customizable using configuration files.</li>
+      <li>No limit on the number of network interfaces.</li>
+      <li>Allows you to partitions the network into <i><a
+ href="Documentation.htm#Zones">zones</a></i> and gives you complete
+control over the connections permitted between each pair of
+zones.</li>
+      <li>Multiple interfaces per zone and multiple zones per interface
+permitted.</li>
+      <li>Supports nested and overlapping zones.</li>
     </ul>
-       </li>
-       <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a> 
-to  help    get your first firewall up and running quickly</li>
-   <li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
+  </li>
+  <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
+(HOWTOs)</a> to help get your first firewall up and running quickly</li>
+  <li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
  href="http://www.webmin.com">http://www.webmin.com</a>)<br>
-   </li>
-       <li>Extensive <b> <a
- href="shorewall_quickstart_guide.htm#Documentation">documentation</a>  
-    </b>   included in the .tgz and .rpm downloads.</li>
-       <li><b>Flexible address management/routing support</b> (and you can 
-use  all     types in the same firewall):     
+  </li>
+  <li>Extensive <b> <a
+ href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
+included in the .tgz and .rpm downloads.</li>
+  <li><b>Flexible address management/routing support</b> (and you can
+use all types in the same firewall):
     <ul>
-         <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
-         <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
-         <li><a href="Documentation.htm#NAT">     Static NAT</a>.</li>
-         <li><a href="Documentation.htm#ProxyArp">     Proxy ARP</a>.</li>
-         <li>Simple host/subnet Routing</li>
-      
+      <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
+      <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
+      <li><a href="Documentation.htm#NAT">One-to-one NAT</a>.</li>
+      <li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
+      <li>Simple host/subnet Routing</li>
     </ul>
-       </li>
-       <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
-individual       IP addresses and subnetworks is supported.</li>
-       <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: 
-     
+  </li>
+  <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
+individual IP addresses and subnetworks is supported.</li>
+  <li><b><a href="starting_and_stopping_shorewall.htm">Operational
+support</a></b>:
     <ul>
-         <li>Commands to start, stop and clear the firewall</li>
-         <li>Supports status             monitoring      with an audible
-alarm  when an             "interesting" packet is detected.</li>
-         <li>Wide variety of informational commands.</li>
-      
+      <li>Commands to start, stop and clear the firewall</li>
+      <li>Supports status monitoring with an audible
+alarm when an "interesting" packet is detected.</li>
+      <li>Wide variety of informational commands.</li>
     </ul>
-       </li>
-       <li><b>VPN Support</b>     
+  </li>
+  <li><b>VPN Support</b>
     <ul>
-         <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP     and 
+      <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,&nbsp; IPIP
+and
 OpenVPN Tunnels</a>.</li>
-         <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
-      
+      <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
     </ul>
-       </li>
-       <li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a> 
-      integration.</li>
-       <li>Wide support for different <b>GNU/Linux Distributions</b>.   
-  
+  </li>
+  <li>Support for <a href="traffic_shaping.htm"><b>Traffic
+Control/Shaping</b></a> integration.</li>
+  <li>Wide support for different <b>GNU/Linux Distributions</b>.
     <ul>
-         <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
- href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a> 
-          packages available.</li>
-         <li>Includes <a href="Install.htm"><b>automated install, upgrade, 
-fallback          and uninstall facilities</b></a> for users who can't use 
-or choose  not         to use the RPM or Debian packages.</li>
-         <li>Included as a standard part of<b> <a
- href="http://leaf.sourceforge.net/devel/jnilo">     LEAF/Bering</a> </b>(router/firewall 
- on a floppy, CD or compact flash).</li>
-      
+      <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
+ href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian"><b>Debian</b></a>
+packages available.</li>
+      <li>Includes <a href="Install.htm"><b>automated install,
+upgrade, fallback and uninstall facilities</b></a> for users
+who can't use or choose not to use the RPM or Debian packages.</li>
+      <li>Included as a standard part of<b> <a
+ href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
+on a floppy, CD or compact flash).</li>
     </ul>
-      </li>
-      <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) 
-Address      <b>Verification</b><br>
-        </a><br>
-       </li>
-  
+  </li>
+  <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
+Address <b>Verification</b></a></li>
+  <li><a href="Accounting.html">Traffic Accounting<br>
+    </a><br>
+  </li>
 </ul>
-  
-<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
-  
+<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
+Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
  size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
-   </p>
-   <br>
-  <br>
- <br>
+</p>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/shorewall_firewall_structure.htm b/Shorewall-docs/shorewall_firewall_structure.htm
deleted file mode 100644
index d738a23dc..000000000
--- a/Shorewall-docs/shorewall_firewall_structure.htm
+++ /dev/null
@@ -1,332 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-<head>
-                 
-  <meta http-equiv="Content-Language" content="en-us">
-                 
-  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                 
-  <meta name="ProgId" content="FrontPage.Editor.Document">
-                 
-  <meta http-equiv="Content-Type"
- content="text/html; charset=windows-1252">
-  <title>Shorewall Firewall Structure</title>
-</head>
-  <body>
-                
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-             <tbody>
-        <tr>
-               <td width="100%">                                       
-      <h1 align="center"><font color="#ffffff">Firewall Structure (Under
-Construction)</font></h1>
-               </td>
-             </tr>
-                       
-  </tbody>    
-</table>
-               
-<p>  Shorewall views the network in which it is running as a set of     
- <i> zones. </i>Shorewall itself defines exactly   one zone called "fw" which
-  refers to the firewall system itself . The   /etc/shorewall/zones file
-is   used to define additional zones and the example file   provided with
-Shorewall   defines the zones:</p>
-               
-<ol>
-             <li>  net -- the (untrusted) internet.</li>
-             <li>  dmz - systems that must be accessible from       the internet
-  and from the local network.  These systems cannot be trusted completely
-since  their servers may have been       compromised through a security exploit.</li>
-             <li>  loc - systems in your local network(s).       These systems
-  must be protected from the internet and from the DMZ and in       some
-cases,   from each other.</li>
-               
-</ol>
-          
-<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall
-zone</a>.  For ease of description in this documentation, it is assumed 
-that the firewall zone is named "fw".</p>
-          
-<p>It can't be stressed enough that  with the exception of the firewall zone,
-  Shorewall itself attaches no meaning to  zone names. Zone names are simply
-  labels used to refer to a collection of  network hosts.</p>
-          
-<p>While zones are normally disjoint (no two zones have a host in common), 
-   there are cases where nested or overlapping zone definitions are appropriate.</p>
-          
-<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose
-of this document, we will consider Netfilter to have three tables:</p>
-     
-<ol>
-     <li>Filter table -- this is the main table for packet filtering and
-can  be displayed with the command "shorewall show".</li>
-     <li>Nat table -- used for all forms of Network Address Translation (NAT); 
- SNAT, DNAT and MASQUERADE.</li>
-     <li>Mangle table -- used to modify fields in the packet header.<br>
-     </li>
-     
-</ol>
-     
-<p>Netfilter defines a number of inbuilt chains: PREROUTING, INPUT, OUTPUT, 
- FORWARD and POSTROUTING. Not all inbuilt chains are present in all tables 
- as shown in this table.<br>
-   </p>
-     
-<div align="center">   
-<table cellpadding="2" cellspacing="2" border="1">
-     <tbody>
-       <tr>
-         <td valign="top">CHAIN<br>
-         </td>
-         <td valign="top">Filter<br>
-         </td>
-         <td valign="top">Nat<br>
-         </td>
-         <td valign="top">Mangle<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">PREROUTING<br>
-         </td>
-         <td valign="top"><br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">INPUT<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-         <td valign="top"><br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">OUTPUT<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">FORWARD<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-         <td valign="top"><br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-       </tr>
-       <tr>
-         <td valign="top">POSTROUTING<br>
-         </td>
-         <td valign="top"><br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-         <td valign="top">X<br>
-         </td>
-       </tr>
-           
-  </tbody>   
-</table>
-   </div>
-     
-<p>Shorewall doesn't create rules in all of the builtin chains. In the large 
- diagram below are boxes such as  shown below.  This box represents in INPUT 
- chain and shows that packets first flow through the INPUT chain in the Mangle 
- table followed by the INPUT chain in the Filter table. The parentheses around 
- "Mangle" indicate that while the packets will flow through the INPUT chain 
- in the Mangle table, Shorewall does not create any rules in that chain.<br>
-   </p>
-     
-<div align="center"><img src="images/Legend.png" alt="(Box Legend)"
- width="145" height="97" align="middle">
-   <br>
-   </div>
-     
-<p></p>
-     
-<p>Here is a picture of how packets traverse the various chains and tables
-  in Netfilter. In that diagram, "Local Process" refers to a process running
-  on the Firewall itself (in the 'fw' zone).</p>
-       
-<div align="center"><img src="images/Netfilter.png"
- alt="Netfilter Flow Diagram" width="541" height="767">
-       </div>
-       
-<p><br>
-   <br>
-   In the text that follows, the paragraph numbers correspond to the box
-number  in the diagram above.<br>
-   </p>
-     
-<ol>
-     <li>Packets entering the firewall first pass through the <i>mangle </i>table's 
-   PREROUTING chain (you can see the mangle table by typing "shorewall show 
-   mangle"). If the packet entered through an interface that has the <b>norfc1918</b> 
-   option and if iptables/netfilter doesn't support the connection tracking 
-match extension, then the packet is sent down the <b>man1918</b> chain which 
-will  drop  the packet if its destination IP address is reserved (as specified
- in the  /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
- pretos</b>  chain to set its TOS field as specified in the /etc/shorewall/tos
- file.  Finally, if traffic control/shaping is being used, the packet is
-sent  through  the<b> tcpre</b> chain to be marked for later use in policy
-routing  or traffic  control.<br>
-       <br>
-   Next, if the packet isn't part of an established connection, it passes 
-  through the<i> nat</i> table's PREROUTING chain (you can see the nat table
-  by  typing "shorewall show nat"). If you are doing both static nat and
- port  forwarding, the order in which chains are traversed is dependent on
-the  setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is
-on then  packets will ender a chain called<b> <i>interface_</i>in</b> where
-    <i>interface</i>  is  the name of the interface on which the packet entered.
- Here it's destination  IP  is compared to each of the <i>EXTERNAL</i> IP
-addresses from /etc/shorewall/nat   that correspond to this interface; if
-there is a match, DNAT is applied  and the  packet header is modified to
-the IP in the <i>INTERNAL</i> column  of the nat  file record. If the destination
-address doesn't match any of the rules in the  <b><i>interface_</i>in</b>
-chain then the packet enters a chain  called <b><i>sourcezone</i>_dnat</b>
- where <i>sourcezone</i> is the source zone of the packet. There it is compared
- for a match against each of the DNAT records in the rules file that specify
-    <i>  sourcezone     </i>as the source  zone. If a match is found, the
-destination IP  address (and possibly the destination port) is modified based
-on the rule  matched. If NAT_BEFORE_RULES is off, then the order of traversal
-of the <b><i>  interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b>  is
-reversed.<br>
-       <br>
-     </li>
-     <li>Depending on whether the packet is destined for the firewall itself 
- or for another system, it follows either the left or the right path. Traffic 
- going to the firewall goes through chain called INPUT in the mangle table. 
- Shorewall doesn't add any rules to that chain.<br>
-     <br>
-   </li>
-   <li>Traffic that is to be forwarded to another host goes through the chains 
-called FORWARD in the mangle table. If MARK_IN_FORWARD=Yes in shorewall.conf, 
-all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are 
-processed in a chain called <br>
-     <br>
-   </li>
-   
-  <ol>
-                 
-  </ol>
-     <li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
-  table  (called 'filter'). If the traffic is destined for the  firewall
-itself,   the name of the interface chain is formed by appending "_in" to
- the interface   name. So traffic on eth0 destined for the firewall will
-enter a  chain called       <i>eth0_in</i>. The interface chain for traffic
-that will be routed to  another  system is formed by appending "_fwd" to
-the interface name. So traffic  from  eth1 that is going to be forwarded
-enters a chain called<i> eth1_fwd</i>.    Interfaces described with the wild-card
-character ("+") in  /etc/shorewall/interfaces,  share input chains. if <i>ppp+
-    </i>appears in  /etc/shorewall/interfaces then all PPP interfaces (ppp0,
-ppp1, ...) will share  the interface chains <i>ppp_in</i>  and <i>ppp_fwd</i>.
-In other words, "+" is  deleted from the name before forming the input chain
-names.<br>
-     <br>
- While the use of interfacechains may seem wasteful in simple environments,
-  in  complex setups it substantially reduces the number of rules that each
-  packet  must traverse.  </li>
-     
-</ol>
-                                         
-<p>  Traffic directed from a zone to the firewall itself is sent through
-a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from 
-  the   internet and addressed to the firewall is sent through a chain named 
-  net2fw.   Similarly, traffic originating in the firewall and being sent 
-to  a host in a   given zone is sent through a chain named fw2<i>&lt;zone 
-name&gt;.        </i>For   example, traffic originating in the firewall and 
-destined  for a host in the   local network is sent through a chain named 
-<i>fw2loc.</i>        <font face="Century Gothic, Arial, Helvetica">   </font></p>
-               
-<p>  Traffic being forwarded between two zones (or from one interface to
-a zone to another interface to that zone) is sent through a chain named <i> 
-  &lt;source   zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example, 
-  traffic   originating in a local system and destined for a remote web server 
-  is   sent through chain       <i>loc2net. </i>This chain is referred to 
-as the <i>canonical</i>    chain from &lt;source zone&gt; to &lt;destination 
-  zone&gt;. Any destination NAT will have occurred <u>before</u>   the packet 
-  traverses one of these chains so rules in /etc/shorewall/rules   should 
-be  expressed in terms of the destination system's real IP address as   opposed 
-  to its apparent external address. Similarly, source NAT will occur <u>after</u> 
-      the packet has traversed the appropriate forwarding chain so the rules 
-  again   will be expressed using the source system's real IP address.</p>
-               
-<p>  For each record in the /etc/shorewall/policy file, a chain is   created.
-  Policies in that file are expressed in terms of a source zone and   destination
-  zone where these zones may be a zone defined in   /etc/shorewall/zones,
-"fw"  or "all". Policies specifying   the pseudo-zone "all" matches all defined
-  zones and "fw".   These chains are referred to as <i>Policy Chains.</i> Notice
-  that for an   ordered pair of zones (za,zb), the canonical chain (za2zb)
- may also be the    policy chain for the pair or the policy chain may be
-a  different chain   (za2all, for example). Packets from one zone to another
- will traverse chains    as follows:</p>
-               
-<ol>
-             <li>  If the canonical chain exists, packets first traverse
-that   chain.</li>
-             <li>  If the canonical chain and policy chain are different
-and   the packet    does not match a rule in the canonical chain, it then
-is sent   to the      policy chain.</li>
-             <li>  If the canonical chain does not exist, packets are sent
- immediately    to the policy chain.</li>
-               
-</ol>
-               
-<p>  The canonical chain from zone za to zone zb will be created only if
-there are   exception rules defined in /etc/shorewall/rules for packets going
-from za to   zb.</p>
-               
-<p>  Shorewall is built on top of the Netfilter kernel facility. Netfilter 
-  implements connection tracking function that allow what is often referred 
-  to   as "statefull inspection" of packets. This statefull property allows 
-    firewall rules to be defined in terms of "connections" rather than   in
-  terms of "packets". With Shorewall, you:</p>
-               
-<ol>
-             <li>  Identify the client's zone.</li>
-             <li>  Identify the server's zone.</li>
-             <li>  If the POLICY from the client's zone to the server's zone
-  is what you     want for this client/server pair, you need do nothing further.</li>
-             <li>  If the POLICY is not what you want, then you must add
-a  rule.  That rule       is expressed in terms of the client's zone and
-the  server's  zone.</li>
-               
-</ol>
-               
-<p>  Just because connections of a particular type are allowed between zone
-  A   and the firewall and are also allowed between the firewall and zone
-B  <font color="#ff6633"><b><u>   DOES   NOT mean that these connections
-are  allowed between zone A and zone  B</u></b></font>.   It rather means
-that  you can have a proxy running on the firewall that accepts   a connection
- from zone A and then establishes its own separate connection from   the
-firewall   to zone B.</p>
-               
-<p>  If you adopt the default policy of ACCEPT from the local zone to the
-    internet zone and you are having problems connecting from a local client
-  to an   internet server, <font color="#ff6633"><b><u> adding a rule won't
-  help</u></b></font>     (see point 3 above).</p>
-         
-<p><font size="2">Last modified 5/22/2003 - <a href="support.htm">Tom Eastep</a></font></p>
-       
-<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
-  © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-    <br>
-    <br>
-   <br>
-  <br>
- <br>
-</body>
-</html>
diff --git a/Shorewall-docs/shorewall_logging.html b/Shorewall-docs/shorewall_logging.html
index 9e7d1bc1f..493933164 100644
--- a/Shorewall-docs/shorewall_logging.html
+++ b/Shorewall-docs/shorewall_logging.html
@@ -7,18 +7,37 @@
   <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Logging</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<br>
+<h1 style="text-align: center;">Logging</h1>
+<h2>How to Log Traffic through a Shorewall Firewall</h2>
+The disposition of packets entering a Shorewall firewall&nbsp; is
+determined by one of a number of Shorewall facilities. Only some of
+these facilities permit logging.<br>
+<ol>
+  <li>The packet is part of an established connection. The packet is
+accepted and cannot be logged.</li>
+  <li>The packet represents a connection request that is related to an
+established connection (such as a <a href="FTP.html">data connection
+associated with an FTP control connection</a>).&nbsp; These packets
+also cannot be logged.</li>
+  <li>The packet is rejected because of an option in <a
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> or <a
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+These packets can be logged by setting the appropriate logging-related
+option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+  <li>The packet matches a rule in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.
+By including a syslog level (see below) in the ACTION column of a rule
+(e.g., "ACCEPT<span
+ style="font-weight: bold; text-decoration: underline;">:info</span>
+net fw tcp 22"), the connection attempt will be logged at that level.</li>
+  <li>The packet doesn't match a rule so is handled by a policy defined
+in <a href="Documentation.htm#Policy">/etc/shorewall/policy</a>. These
+may be logged by specifying a syslog level in the LOG LEVEL column of
+the policy entry (e.g., "loc net ACCEPT <span
+ style="font-weight: bold; text-decoration: underline;">info</span>"<br>
+  </li>
+</ol>
+<h2>Where the Traffic is logged and how to Change the Destination<br>
+</h2>
 By default, Shorewall directs NetFilter to log using syslog (8). Syslog
 classifies log messages by a <i>facility</i> and a <i>priority</i>
 (using the notation <i>facility.priority</i>). <br>
@@ -149,7 +168,8 @@ and
 <a
  href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
 is a post describing configuring syslog-ng to work with Shorewall.<br>
-<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2"> Updated 10/30/2003 - <a href="support.htm">Tom
+Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
  size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
diff --git a/Shorewall-docs/shorewall_mirrors.htm b/Shorewall-docs/shorewall_mirrors.htm
index 55ca10c19..f7fef1d06 100644
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@@ -9,20 +9,12 @@
   <title>Shorewall Mirrors</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Shorewall Mirrors<br>
+</h1>
 <p align="left"><b>Remember that updates to the mirrors are often
 delayed for 6-12 hours after an update to the primary rsync site. For
-HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
+HTML content, the main web site (<a href="http://shorewall.sf.net"
+ target="_top">http://shorewall.sf.net</a>)
 is updated at the same time as the rsync site.</b></p>
 <p align="left">The main Shorewall Web Site is <a
  href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
@@ -67,6 +59,9 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
   <li> <a target="_blank"
  href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
 (Paris, France)</li>
+  <li><a href="ftp://ftp.syachile.cl/pub/shorewall" target="_top">ftp://ftp.syachile.cl/pub/shorewall
+    </a>(Santiago Chile)<br>
+  </li>
   <li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
 (Taipei, Taiwan)</li>
   <li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
@@ -78,7 +73,7 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
 </ul>
 Search results and the mailing list archives are always fetched from
 the site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 8/27/2003 - <a
+<p align="left"><font size="2">Last Updated 11/14/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
  size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
diff --git a/Shorewall-docs/shorewall_prerequisites.htm b/Shorewall-docs/shorewall_prerequisites.htm
index 09689ee34..171dd4006 100644
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@@ -1,86 +1,57 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                
   <meta http-equiv="Content-Language" content="en-us">
-                
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-                
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Shorewall Prerequisites</title>
 </head>
-  <body>
-        
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-           <tbody>
-            <tr>
-             <td width="100%">                            
-      <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
-             </td>
-           </tr>
-                
-  </tbody>    
-</table>
-          <br>
-      Shorewall Requires:<br>
-        
+<body>
+<h1 style="text-align: center;">Shorewall Requirements</h1>
+Shorewall Requires:<br>
 <ul>
-           <li>A kernel that supports netfilter. I've tested with 2.4.2 - 
-2.4.20.  With current releases of Shorewall, Traffic Shaping/Control requires 
-at least  2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
-       information.</a>       If you are looking for a firewall for use with
- 2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle
-Firewall   site</a>     .</li>
-           <li>iptables 1.2 or later  but beware version 1.2.3 -- see the 
-    <a href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: 
-   </b></font>The    buggy iptables version 1.2.3    is included in RedHat 
-7.2 and you should   upgrade to iptables 1.2.4 prior to    installing Shorewall. 
-Version 1.2.4   is available   <a
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
-      and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
-           <li>Iproute ("ip" utility). The iproute package  is     included 
- with most distributions but may not be installed by default.  The     official
-  download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
- target="_blank">   <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
-      </li>
-           <li>A Bourne shell or derivative such as bash or ash. This shell 
- must  have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
-       },        ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
-        } and       ${<i>variable</i>##<i>pattern</i>}.</li>
-    <li>Your shell must produce a sensible result when a number n (128 &lt;= 
-n &lt;= 255)  is left shifted by 24 bits. You can check this at a shell prompt 
-by:</li>
-           
+  <li>A kernel that supports netfilter. I've tested with 2.4.2 -
+2.4.23-rc2. With current releases of Shorewall, Traffic
+Shaping/Control
+requires at least 2.4.18.&nbsp; <a href="kernel.htm"> Check here for
+kernel configuration information.</a> If you are looking for a firewall
+for use with 2.2 kernels, <a href="http://seawall.sf.net"> see the
+Seattle
+Firewall site</a> .</li>
+  <li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
+ href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
+buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
+upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
+is available <a
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from
+RedHat</a> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
+  <li>Iproute ("ip" utility). The iproute package is included with most
+distributions but may not be installed by default. The official
+download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
+ target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
+  </li>
+  <li>A Bourne shell or derivative such as bash or ash. This shell must
+have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
+}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
+} and ${<i>variable</i>##<i>pattern</i>}.</li>
+  <li>Your shell must produce a sensible result when a number n (128
+&lt;= n &lt;= 255) is left shifted by 24 bits. You can check this at a
+shell prompt by:</li>
   <ul>
-       <li>echo $((128 &lt;&lt; 24))<br>
-      </li>
-       <li>The result must be either 2147483648 or -2147483648.<br>
-      </li>
-                     
+    <li>echo $((128 &lt;&lt; 24))<br>
+    </li>
+    <li>The result must be either 2147483648 or -2147483648.<br>
+    </li>
   </ul>
-           <li>The firewall monitoring display is greatly improved if you 
-have   awk        (gawk) installed.</li>
-        
+  <li>The firewall monitoring display is greatly improved if you have
+awk (gawk) installed.</li>
 </ul>
-        
-<p align="left"><font size="2">Last updated 7/8/2003 - <a
+<p align="left"><font size="2">Last updated 11/20/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
-        
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-          <br>
-        <br>
-       <br>
-      <br>
-     <br>
-    <br>
-   <br>
-  <br>
- <br>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
+Eastep.</font></a></font></p>
 </body>
 </html>
diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm
index 34042e47d..9e4dbff5c 100644
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@@ -10,22 +10,10 @@
   <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall QuickStart
-Guides (HOWTO's)<br>
-      </font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Shorewall QuickStart Guides (HOWTOs)<br>
+</h1>
 <p align="center">With thanks to Richard who reminded me once again
-that we
-must all first walk before we can run.<br>
+that we must all first walk before we can run.<br>
 The French Translations of the single-IP guides are courtesy of Patrice
 Vetsel<br>
 The French Translation of the Shorewall Setup Guide is courtesy of
@@ -51,15 +39,16 @@ acting as a firewall/router for a small local network and a DMZ. (<a
 running quickly in the three most common Shorewall configurations. If
 you want to learn more about Shorewall than is explained in the above
 simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
-Setup Guide</a> (See Index Below) is for you.</p>
+Setup
+Guide</a> (See Index Below) is for you.</p>
 </blockquote>
 <p>If you have <font color="#ff0000"><big><big><b>more than one public
 IP address</b></big></big></font>:<br>
 </p>
 <blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
 Guide</a> (See Index Below) outlines the steps necessary to set up a
-firewall where there are multiple public IP
-addresses involved or if you
+firewall where there are multiple public IP addresses involved or if
+you
 want to learn more about Shorewall than is explained in the
 single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
 Française</a>).</blockquote>
@@ -79,13 +68,11 @@ Interfaces (e.g., eth0:0)</a><br>
   <li><a href="blacklisting_support.htm">Blacklisting</a>
     <ul>
       <li>Static Blacklisting using /etc/shorewall/blacklist</li>
-      <li>Dynamic Blacklisting using
-/sbin/shorewall</li>
+      <li>Dynamic Blacklisting using /sbin/shorewall</li>
     </ul>
   </li>
   <li><a href="starting_and_stopping_shorewall.htm">Commands</a>
-(Description of
-all /sbin/shorewall commands)</li>
+(Description of all /sbin/shorewall commands)</li>
   <li><a href="configuration_file_basics.htm">Common configuration file
 features</a>&nbsp;</li>
   <ul>
@@ -143,13 +130,16 @@ in Shorewall</a> </li>
   <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
 Scripts</a></font> (How to extend Shorewall without modifying Shorewall
 code through the use of files in /etc/shorewall --
-/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
+/etc/shorewall/start,
+/etc/shorewall/stopped, etc.)</li>
   <li><a href="fallback.htm">Fallback/Uninstall</a></li>
   <li><a href="FAQ.htm">FAQs</a><br>
   </li>
   <li><a href="shorewall_features.htm">Features</a><br>
   </li>
-  <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
+  <li><a href="Multiple_Zones.html">Forwarding Traffic on the Same
+Interface</a><br>
+  </li>
   <li><a href="FTP.html">FTP and Shorewall</a><br>
   </li>
   <li><a href="support.htm">Getting help or answers to questions</a></li>
@@ -158,16 +148,25 @@ code through the use of files in /etc/shorewall --
     <li><a href="GSLUG.htm">HTML</a></li>
     <li><a href="GSLUG.ppt">PowerPoint</a></li>
   </ul>
-  <li><a href="Install.htm">Installation/Upgrade</a><br>
+  <li><a href="Install.htm">Installation/Upgrade</a></li>
+  <li><a href="IPSEC.htm">IPSEC</a></li>
+  <li><a href="Shorewall_and_Kazaa.html">Kazaa Filtering</a><br>
   </li>
   <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
   <li><a href="shorewall_logging.html">Logging</a><br>
   </li>
   <li><a href="MAC_Validation.html">MAC Verification</a></li>
-  <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
+  <li><a href="http://lists.shorewall.net">Mailing Lists</a></li>
+  <li><a href="Multiple_Zones.html">Multiple Zones Through One Interface</a><br>
+  </li>
+  <li><a href="NetfilterOverview.html">Netfilter Overview</a><br>
   </li>
   <li><a href="myfiles.htm">My Shorewall Configuration (How I
 personally use Shorewall)</a></li>
+  <li><font color="#000099"><a href="NAT.htm">One-to-one NAT (Formerly
+referred to as <span style="font-style: italic;">Static NAT</span>)<br>
+    </a></font></li>
+  <li><a href="OPENVPN.html">OpenVPN</a></li>
   <li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
   </li>
   <li><a href="ping.html">'Ping' Management</a><br>
@@ -178,8 +177,8 @@ personally use Shorewall)</a></li>
       <li>Ports used by Trojans</li>
     </ul>
   </li>
-  <li><a href="ProxyARP.htm">Proxy
-ARP</a></li>
+  <li><a href="PPTP.htm">PPTP</a></li>
+  <li><a href="ProxyARP.htm">Proxy ARP</a></li>
   <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
   </li>
   <li><a href="samba.htm">Samba</a></li>
@@ -197,8 +196,7 @@ Subnets and Routing</a>
       <ul>
         <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
 Addresses</a></li>
-        <li><a href="shorewall_setup_guide.htm#Subnets">4.2
-Subnets</a></li>
+        <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
         <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
         <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
 Resolution Protocol (ARP)</a></li>
@@ -219,7 +217,8 @@ Network</a>
             <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
             <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
 Proxy ARP</a></li>
-            <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
+            <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
+One-to-one NAT</a></li>
           </ul>
         </li>
         <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
@@ -235,14 +234,11 @@ Starting and Stopping the Firewall</a></li>
  href="starting_and_stopping_shorewall.htm">Starting/stopping the
 Firewall</a></font></li>
   <ul>
-    <li>Description of all /sbin/shorewall
-commands</li>
+    <li>Description of all /sbin/shorewall commands</li>
     <li>How to safely test a Shorewall configuration change<br>
     </li>
   </ul>
-  <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
-  <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
-with Shorewall</a></li>
+  <li><a href="Shorewall_Squid_Usage.html">Squid with Shorewall</a></li>
   <li><a href="Accounting.html">Traffic Accounting</a><br>
   </li>
   <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
@@ -255,14 +251,14 @@ doesn't work)</a></li>
   <li>VPN
     <ul>
       <li><a href="IPSEC.htm">IPSEC</a></li>
-      <li><a href="IPIP.htm">GRE and
-IPIP</a></li>
+      <li><a href="IPIP.htm">GRE and IPIP</a></li>
       <li><a href="OPENVPN.html">OpenVPN</a><br>
       </li>
       <li><a href="PPTP.htm">PPTP</a></li>
       <li><a href="6to4.htm">6t04</a><br>
       </li>
-      <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
+      <li><a href="VPN.htm">IPSEC/PPTP</a> passthrough from a system
+behind your
 firewall to a remote network.</li>
       <li><a href="GenericTunnels.html">Other VPN types</a>.<br>
       </li>
@@ -272,7 +268,7 @@ firewall to a remote network.</li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement
 <a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
+<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
 M. Eastep</font></a><br>
diff --git a/Shorewall-docs/shorewall_setup_guide.htm b/Shorewall-docs/shorewall_setup_guide.htm
index 3df10dd9e..d66583d76 100644
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@@ -10,18 +10,8 @@
   <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall Setup Guide</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<br>
+<h1 style="text-align: center;">Shorewall Setup Guide<br>
+</h1>
 <p><a href="#Introduction">1.0 Introduction</a><br>
 <a href="#Concepts">2.0 Shorewall Concepts</a><br>
 <a href="#Interfaces">3.0 Network Interfaces</a><br>
@@ -41,7 +31,7 @@
     <p><a href="#SNAT">5.2.1 SNAT</a><br>
     <a href="#DNAT">5.2.2 DNAT</a><br>
     <a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
-    <a href="#NAT">5.2.4 Static NAT</a></p>
+    <a href="#NAT">5.2.4 One-to-one NAT</a></p>
   </blockquote>
   <p><a href="#Rules">5.3 Rules</a><br>
   <a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
@@ -929,7 +919,15 @@ a VPN relationship. </p>
 <div align="left">
 <p align="left">So it's a good idea to check with your ISP to see if
 they are using (or are planning to use) private addresses before you
-decide the addresses that you are going to use.</p>
+decide the addresses that you are going to use.<br>
+</p>
+<p align="left"><span style="font-weight: bold;">NOTE: In this
+document, external "real" IP addresses are of the form 192.0.2.x.
+192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
+printed examples. These addresses are not to be confused with addresses
+in 192.168.0.0/16; as described above, these addresses are reserved by
+RFC 1918 for private use.</span><br>
+</p>
 </div>
 <div align="left">
 <h2 align="left"><a name="Options"></a>5.0 Setting up your Network</h2>
@@ -1077,7 +1075,7 @@ also known as <i>Port Forwarding.</i> </p>
   </li>
   <li>
     <p align="left"><i>Network Address Translation</i> (NAT) also
-referred to as <i>Static NAT</i>. </p>
+referred to as <i>One-to-one NAT</i>. </p>
   </li>
 </ul>
 </div>
@@ -1230,12 +1228,13 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask <b>(M)
     <p align="left">When <b>H</b> issues an ARP "who has" request for
 an address in the subnetwork defined by <b>A</b> and <b>M</b>, the
 firewall will
-respond (with the MAC if the firewall interface to <b>H</b>). </p>
+respond (with the MAC if the firewall interface) to <b>H</b>. </p>
   </li>
 </ul>
 </div>
 <div align="left">
-<p align="left">Let suppose that we decide to use Proxy ARP on the DMZ
+<p align="left">Let us suppose that we decide to use Proxy ARP on the
+DMZ
 in our example network.</p>
 </div>
 <div align="left">
@@ -1323,7 +1322,7 @@ accordingly."<br>
     <br>
 Which is, of course, exactly what you want to do when you switch a host
 from being exposed to the Internet to behind Shorewall using proxy ARP
-(or static NAT for that matter). Happily enough, recent versions
+(or one-to-one NAT for that matter). Happily enough, recent versions
 of Redhat's iputils package include "arping", whose "-U" flag does just
 that:<br>
     <br>
@@ -1371,10 +1370,10 @@ words, the gateway's ARP cache still associates 192.0.2.177 with
 the NIC in DMZ 1 rather than with the firewall's eth0.</p>
 </div>
 <div align="left">
-<h4 align="left"><a name="NAT"></a>5.2.4 Static NAT</h4>
+<h4 align="left"><a name="NAT"></a>5.2.4 One-to-one NAT</h4>
 </div>
 <div align="left">
-<p align="left">With static NAT, you assign local systems RFC 1918
+<p align="left">With one-to-one NAT, you assign local systems RFC 1918
 addresses then establish a one-to-one mapping between those addresses
 and
 public IP addresses. For outgoing connections SNAT (Source Network
@@ -1486,7 +1485,7 @@ daughter's web server -- you would rather just use an ACCEPT rule:</p>
 <p align="left">A word of warning is in order here. ISPs typically
 configure their routers with a long ARP cache timeout. If you move a
 system from parallel to your firewall to behind your firewall with
-static NAT, it will probably be HOURS before that system can
+one-to-one NAT, it will probably be HOURS before that system can
 communicate
 with the internet. There are a couple of things that you can try:<br>
 </p>
@@ -1506,7 +1505,7 @@ accordingly."<br>
     <br>
 Which is, of course, exactly what you want to do when you switch a host
 from being exposed to the Internet to behind Shorewall using proxy ARP
-(or static NAT for that matter). Happily enough, recent versions
+(or one-to-one NAT for that matter). Happily enough, recent versions
 of Redhat's iputils package include "arping", whose "-U" flag does just
 that:<br>
     <br>
@@ -2367,7 +2366,7 @@ create an <i><a href="Documentation.htm#Configs">alternate
 configuration</a></i> and test it using the <a
  href="Documentation.htm#Starting">"shorewall try" command</a>.</p>
 </div>
-<p align="left"><font size="2">Last updated 7/6/2003 - <a
+<p align="left"><font size="2">Last updated 11/18/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a><br>
diff --git a/Shorewall-docs/shorewall_setup_guide_fr.htm b/Shorewall-docs/shorewall_setup_guide_fr.htm
new file mode 100755
index 000000000..ec9e15533
--- /dev/null
+++ b/Shorewall-docs/shorewall_setup_guide_fr.htm
@@ -0,0 +1,2515 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+  <meta http-equiv="Content-Language" content="en-us">
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <title>Shorewall Setup Guide</title>
+</head>
+<body>
+<h1 style="text-align: center;">Guide de Configuration de Shorewall<br>
+</h1>
+Note du traducteur : <br>
+Je remercie <font size="2">l'équipe Shorewall,&nbsp; pour ce firewall
+formidable et l'aide personnelle que m'a donné </font><font size="2">Tom
+Eastep.</font><br>
+J'espère que cette traduction vous aidera à utiliser efficacement ce
+firewall.<br>
+Toutefois, si ce manuel comporte des lacunes, des incohérences ou afin
+d'améliorer sa compréhension, <br>
+n'hésitez pas à me contacter <a href="mailto:fd03x@wanadoo.fr">fabien
+demassieux</a>
+<p><a href="#Introduction">1.0 Introduction</a><br>
+<a href="#Concepts">2.0 Concepts de </a><a
+ href="shorewall_setup_guide.htm#Concepts">Shorewall</a><br>
+<a href="#Interfaces">3.0 Interfaces Réseaux</a><br>
+<a href="#Addressing">4.0 Adresses, Sous/Réseaux et Routage</a></p>
+<blockquote>
+  <p><a href="#Addresses">4.1 Adresses IP</a><br>
+  <a href="#Subnets">4.2 Sous-réseaux</a><br>
+  <a href="#Routing">4.3 Routage</a><br>
+  <a href="#ARP">4.4 Protocole de Résolution d'Adresses (ARP)</a><br>
+  <a href="#RFC1918">4.5 RFC 1918</a></p>
+</blockquote>
+<p><a href="#Options">5.0 Configurer votre Réseau</a></p>
+<blockquote>
+  <p><a href="#Routed">5.1 Routé</a><br>
+  <a href="#NonRouted">5.2 Non-routé</a></p>
+  <blockquote>
+    <p><a href="#SNAT">5.2.1 SNAT</a><br>
+    <a href="#DNAT">5.2.2 DNAT</a><br>
+    <a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
+    <a href="#NAT">5.2.4 One-to-one NAT</a></p>
+  </blockquote>
+  <p><a href="#Rules">5.3 Règles</a><br>
+  <a href="#OddsAndEnds">5.4 D'autres petites choses<br>
+  </a></p>
+</blockquote>
+<p><a href="#DNS">6.0 DNS</a><br>
+<a href="#StartingAndStopping">7.0 Démarrer et Arrêter le firewall</a></p>
+<h2><a name="Introduction"></a>1.0 Introduction</h2>
+<p>Ce guide est destiné aux utilisateurs qui configurent Shorewall dans
+un environnement ou un ensemble d'adresses IP publiques doivent être
+prises en compte ou à ceux qui souhaitent en savoir plus à propos de
+Shorewall que ce que contient le guide pour une utilisation <a
+ href="http://shorewall.net/standalone_fr.html">Simple Adresse</a>.
+Parce que le champ d'utilisation est si élevé, le guide vous donnera
+les
+indications générales à suivre et vous renseignera sur d'autres
+ressources si nécessaire.</p>
+<p><img style="border: 0px solid ; width: 60px; height: 60px;"
+ src="images/j0213519.gif" title="" alt=""> &nbsp;&nbsp;&nbsp; Si vous
+utilisez LEAF
+Bering, votre configuration Shorewall n'est PAS&nbsp; ce que je publie
+-- Je suggère de prendre en considération l'installation de Shorewall
+LPR disponible sur le site de shorewall.net avant de poursuivre.</p>
+<p>Shorewall nécessite que le package iproute/iproute2 soit installé
+(sur RedHat, le package s'appelle <i>iproute</i>)<i>. </i>Vous pouvez
+voir si le package est installé grâce au programme <b>ip</b> sur votre
+système firewall. En tant que root, vous pouvez utiliser la commande
+'which' pour vérifier que le programme est présent:</p>
+<pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
+<p>Je vous recommande de parcourir en premier le guide pour vous
+familiariser avec ce que cela implique puis de le reprendre afin de
+modifier votre configuration. Les Points de configuration à changer
+sont
+précédés du symbole <img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_.gif" title="" alt=""> .</p>
+<p><img style="border: 0px solid ; width: 60px; height: 60px;"
+ src="images/j0213519.gif" title="" alt=""> &nbsp;&nbsp;&nbsp; Si vous
+éditez vos fichiers
+de configuration sous un système d'exploitation Windows, vous devez
+sauvegarder ceux-ci en tant que fichiers formatés Unix si votre éditeur
+le permet ou utiliser la commande dos2unix avant de les utiliser avec
+Shorewall. Idem si vous transférez vos fichiers par l'intermédiaire du
+lecteur de disquette de Windows.</p>
+<ul>
+  <li><a href="http://www.simtel.net/pub/pd/51438.html">Version Windows
+de dos2unix</a></li>
+  <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Version
+Linux de dos2unix</a></li>
+</ul>
+<h2 align="left"><a name="Concepts"></a>2.0 Concepts de Shorewall <br>
+</h2>
+<p>Les fichiers de configuration de Shorewall se trouvent dans le
+répertoire /etc/shorewall -- pour la plus par des paramétrages, vous
+avez juste besoin de quelques-uns d'entre eux comme cela est décrit
+dans
+le&nbsp; manuel. Des squelettes de fichiers sont créés durant <a
+ href="Install.htm">La procédure d'installation de
+Shorewall</a>.</p>
+<p>Comme chaque fichier est abordé, je vous suggère de regarder celui
+de votre système -- chaque fichier contient des instructions détaillées
+de configuration et d'autres des entrées par défaut.</p>
+<p>Shorewall voit le réseau ou il opère comme composé d'un ensemble de <i>zones.</i>
+Dans la configuration par défaut, les zones suivantes sont utilisées:</p>
+<table border="0" style="border-collapse: collapse;" cellpadding="3"
+ cellspacing="0" id="AutoNumber2">
+  <tbody>
+    <tr>
+      <td><u><b>Nom</b></u></td>
+      <td><u><b>Description</b></u></td>
+    </tr>
+    <tr>
+      <td><b>net</b></td>
+      <td><b>L'Internet</b></td>
+    </tr>
+    <tr>
+      <td><b>loc</b></td>
+      <td><b>Votre réseau local<br>
+      </b></td>
+    </tr>
+    <tr>
+      <td><b>dmz</b></td>
+      <td><b>Zone Démilitarisée<br>
+      </b></td>
+    </tr>
+  </tbody>
+</table>
+<p>Les<span style="font-style: italic;"> Zones</span> sont définies
+dans
+le fichier <a href="Documentation.htm#Zones">
+/etc/shorewall/zones</a>.</p>
+<p>Shorewall reconnaît aussi le système firewall comme sa propre zone -
+par défaut, le firewall lui-même est connu sous le nom <b>fw</b>
+cela peut être modifié dans le fichier <a
+ href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
+. Dans ce guide, le nom par défaut (<b>fw</b>) sera utilisé.<br>
+</p>
+<p>Mise à par <b>fw</b>, Shorewall n'attache aucune importance au nom
+des zones. Les Zones sont entièrement ce que VOUS en faites. Cela veut
+dire que vous ne devez pas vous attendre à ce que Shorewall fasse
+quelque chose de spécial "car il s'agit de la zone Internet" ou "car
+c'est la zone DMZ".</p>
+<p><img style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_.gif" title="" alt=""> &nbsp;&nbsp;&nbsp; Editez
+le fichier
+/etc/shorewall/zones et faites tout changement qui s'impose.</p>
+<p>Les Règles qui concernent le trafic à autoriser ou à refuser sous
+exprimés en terme de Zones.</p>
+<ul>
+  <li>Vous désignez les Polices par défaut entre une zone et une autre
+dans le fichier<a href="Documentation.htm#Policy">
+/etc/shorewall/policy</a>.</li>
+  <li>Vous définissez les exceptions à ces Polices par défaut dans le
+fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+</ul>
+<p> Shorewall est construit sur les possibilités du noyau (kernel) <a
+ href="http://www.netfilter.org/">Netfilter</a>. Netfilter implémente
+une <a
+ href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">fonction
+de tracking</a> qui autorise ce qui est souvent désigné comme une&nbsp;<i>
+inspection déclarée </i>de paquets. Les propriétés de <span
+ style="font-style: italic;">déclaration</span> permettent au firewall
+d'être définie en terme de <i>connexions</i> plutôt qu'en terme de
+paquet. Avec Shorewall, vous:</p>
+<ol>
+  <li> Identifiez la zone source.</li>
+  <li> Identifiez la zone destination.</li>
+  <li> Si la POLICE de la zone client vers la zone destination est ce
+que
+vous souhaitez pour cette paire client/serveur, vous n'avez besoin de
+rien de plus.</li>
+  <li>Si la POLICE n'est pas ce que vous souhaitez, alors vous devez
+ajouter une règle. Cette règle est exprimé en terme de zone client et
+de zone serveur.</li>
+</ol>
+<p>Si les connexions d'un certain type sont autorisés de la zone A au
+firewall et sont aussi autorisés du firewall à la zone B cela&nbsp; <font
+ color="#ff6633"><b><u>NE VEUT PAS dire que ces connections sont
+autorisés de la zone A à la zone B</u></b></font>. Cela veut plutôt
+dire que vous avez un proxy qui tourne sur le firewall qui accepte les
+connections de la zone A et qui ensuite établit ces propres connections
+du firewall à&nbsp; la zone B.</p>
+<p>Pour chaque requête de connexion sur le firewall, la requête est
+d'abord évalué à travers le fichier /etc/shorewall/rules file. Si
+aucune
+règle dans ce fichier ne correspond, la connexion interroge ensuite la
+première police dans /etc/shorewall/policy qui correspond à la
+requête et l'applique. Si cette police est REJECT ou DROP, la
+requête est a nouveau évaluée à travers les règles du fichier
+/etc/shorewall/common.def.</p>
+<p>Le fichier de défaut /etc/shorewall/policy a les polices suivantes:</p>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+    <tbody>
+      <tr>
+        <td><u><b>Zone Source<br>
+        </b></u></td>
+        <td><u><b>Zone Destination<br>
+        </b></u></td>
+        <td><u><b>Police</b></u></td>
+        <td><u><b>Niveau de Log</b></u></td>
+        <td><u><b>Limit:Burst</b></u></td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>net</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>all</td>
+        <td>DROP</td>
+        <td>info</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>all</td>
+        <td>all</td>
+        <td>REJECT</td>
+        <td>info</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p>La police précédente:</p>
+<ol>
+  <li>Permet toutes les connexions de votre réseau local vers Internet,</li>
+  <li>Drop (ignore) toutes les connexions d'Internet vers le firewall
+ou votre réseau local et génère un message au niveau <i>info</i> (<a
+ href="shorewall_logging.html">ici</a> se trouve la
+description des niveaux de log).</li>
+  <li>Rejette toutes les autres connexions et génère un message au
+niveau <i>info</i>. Quant la requête est rejeté, le firewall retourne
+un RST (si le protocole est TCP) ou un ICMP port-unreachable paquet
+pour
+les autres protocoles.</li>
+</ol>
+<p><img style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_.gif" title="" alt=""> &nbsp;&nbsp;&nbsp;
+Maintenant, éditez votre
+/etc/shorewall/policy et apportez tous les changements que vous
+souhaitez.</p>
+<h2 align="left"><a name="Interfaces"></a>3.0 Interfaces Réseau</h2>
+<p align="left">Pour le reste de ce guide, nous utiliserons le schéma
+ci-dessous. Bien qu'il ne puisse correspondre à votre propre réseau, il
+peut être utilisé pour illustrer les aspects importants de la
+configuration de Shorewall.</p>
+<p align="left">Sur ce schéma:</p>
+<ul>
+  <li>La zone DMZ est composée des systèmes DMZ 1 et DMZ 2. Une DMZ est
+utilisée pour isoler vos serveurs accessibles depuis Internet de vos
+systèmes locaux. Ainsi si un de ces serveurs est compromis, vous avez
+encore votre firewall entre le système compromis et vos systèmes locaux.</li>
+  <li>La zone Local est composée des systèmes Local 1, Local 2 et Local
+3. </li>
+  <li>Tous les systèmes du FAI vers l'extérieur et qui <br>
+  </li>
+  <li>englobe la Zone Internet. </li>
+</ul>
+<p align="center"> <img
+ style="border: 0px solid ; width: 692px; height: 635px;"
+ src="images/dmz3.png" title="" alt=""> </p>
+<p align="left">La façon la plus simple pour définir les zones est
+d'associer le nom de la zone (définie précédemment dans&nbsp;
+/etc/shorewall/zones) avec une interface réseau. <br>
+C'est fait dans le fichier <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</p>
+<p align="left">Le firewall illustré ci-dessus à trois interfaces. Si
+la connexion se fait à travers un câble ou un "modem" DSL , l'<i>Interface</i><i>
+Externe</i> sera l'adaptateur qui est branché au "Modem" (e.g., <b>eth0</b>)&nbsp;<u>tant</u>
+que vous ne vous n'utilisez pas le <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
+over <u>E</u>thernet</i> (PPPoE) ou le <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
+dans ce cas l'Interface Externe sera de type ppp (e.g., <b>ppp0</b>).
+Si vous vous connectez à travers un modem classique, votre Interface
+Externe sera également <b>ppp0</b>. Si vous utilisez ISDN, votre
+Interface Externe sera <b>ippp0.</b></p>
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_1.gif" title="" alt="">
+&nbsp;&nbsp;&nbsp; Si votre Interface Externe est&nbsp; <b>ppp0</b> ou
+<b>ippp0</b>
+alors vous pouvez fixer CLAMPMSS=yes dans <a
+ href="Documentation.htm#Conf">
+/etc/shorewall/shorewall.conf.</a></p>
+<p align="left">Votre <i>Interface</i> <span
+ style="font-style: italic;">Locale</span> doit être un adaptateur
+Ethernet&nbsp; (eth0, eth1 or eth2) et doit être connecté à un hub ou
+un
+switch. Vos ordinateurs locaux doivent être&nbsp; connectés au même
+switch (note: Si vous avez une machine unique, vous pouvez connecter le
+firewall directement à l'ordinateur en utilisant un câble <span
+ style="font-style: italic;">croisé</span>).</p>
+<p align="left">Votre <i>Interface </i><i>DMZ&nbsp;</i> doit aussi
+être un adaptateur Ethernet (eth0, eth1 or eth2) et doit être connecté
+à un hub ou un switch. Vos ordinateurs DMZ doivent être&nbsp;
+connectés au même switch (note: Si vous avez une machine DMZ unique,
+vous pouvez connecter le firewall directement à l'ordinateur en
+utilisant un câble <span style="font-style: italic;">croisé</span>).</p>
+<p align="left"><u><b> <img
+ style="border: 0px solid ; width: 60px; height: 60px;"
+ src="images/j0213519.gif" title="" alt=""> </b></u>Ne
+pas connecter plus d'une interface au même hub ou switch (sauf pour
+tester). Cela ne fonctionne pas comme vous pourriez vous y attendre et
+vous terminerez confus en croyant que le réseau ne fonctionne pas
+entièrement.<br>
+</p>
+<p align="left">Pour le besoin de ce Guide, nous décidons que:</p>
+<ul>
+  <li>
+    <p align="left">L'interface externe est <b>eth0</b>.</p>
+  </li>
+  <li>
+    <p align="left">L'interface locale est <b>eth1</b>.</p>
+  </li>
+  <li>
+    <p align="left">L'interface DMZ est <b>eth2</b>.</p>
+  </li>
+</ul>
+<p align="left">La configuration par défaut de Shorewall ne définit pas
+le contenu de chaque zone. Pour définir la précédente configuration en
+utilisant le fichier <br>
+/etc/shorewall/interfaces file, ce fichier doit contenir:</p>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+    <tbody>
+      <tr>
+        <td><u><b>Zone</b></u></td>
+        <td><u><b>Interface</b></u></td>
+        <td><u><b>Broadcast</b></u></td>
+        <td><u><b>Options</b></u></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>eth0</td>
+        <td>detect</td>
+        <td>norfc1918</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth1</td>
+        <td>detect</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>dmz</td>
+        <td>eth2</td>
+        <td>detect</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">
+&nbsp;&nbsp;&nbsp; Editer le fichier /etc/shorewall/interfaces et
+définissez les interfaces du réseau sur votre firewall et associez
+chaque interface avec une zone. Si vous avez une zone qui est
+interfacée
+avec plus d'une interface, incluez simplement une entrée pour chaque
+interface et répéter le nom de&nbsp; zone autant de fois que nécessaire.</p>
+<p align="left">Exemple:</p>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+    <tbody>
+      <tr>
+        <td><u><b>Zone</b></u></td>
+        <td><u><b>Interface</b></u></td>
+        <td><u><b>Broadcast</b></u></td>
+        <td><u><b>Options</b></u></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>eth0</td>
+        <td>detect</td>
+        <td>norfc1918</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth1</td>
+        <td>detect</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth2</td>
+        <td>detect</td>
+        <td>dhcp</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<div align="left">
+<p align="left">Si vous avez plus d'une interface pour une zone, vous
+voudrez probablement une police qui permet le trafic intra-zone:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+    <tbody>
+      <tr>
+        <td><u><b>Source Zone</b></u></td>
+        <td><u><b>Destination Zone</b></u></td>
+        <td><u><b>Policy</b></u></td>
+        <td><u><b>Log Level</b></u></td>
+        <td><u><b>Limit:Burst</b></u></td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>loc</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">
+&nbsp;&nbsp;&nbsp; Vous pouvez définir des zones plus compliquées en
+utilisant le fichier <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
+mais dans la plus part des cas, ce n'est pas nécessaire.</p>
+<h2 align="left"><a name="Addressing"></a>4.0 Adressage, Sous-réseaux
+et Routage</h2>
+<p align="left">Normalement, votre FAI vous assigne des adresses<i>
+Publiques</i>. Vous pouvez configurer l'interface externe du firewall
+en utilisant l'une de ces adresses permanentes et vous pouvez décider
+comment utiliser le reste de vos adresses.</p>
+<p align="left">Si vous êtes déjà familier avec l'adressage IP et le
+routage, vous pouvez aller <a href="#Options">à la prochaine section</a>.</p>
+<p align="left">La discussion suivante aborde tout juste les concepts
+d'adressage et de routage. Si vous souhaitez approfondir vos
+connaissances sur ce sujet, je vous recommande vivement l'ouvrage&nbsp;
+<i>"IP
+Fundamentals: What Everyone Needs to Know about Addressing &amp;
+Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
+<h3 align="left"><a name="Addresses"></a>4.1 Adressage IP<br>
+</h3>
+<p align="left">L'adressage IP version 4 (<i>IPv4) </i>est codé sur
+32-bit. La notation w.x.y.z se réfère à une adresse dont le byte
+d'ordre
+supérieur est "w", le suivant à pour valeur "x", etc. Si nous prenons
+l'adresse 192.0.2.14 et l'exprimons en hexadécimal, nous obtenons:</p>
+<blockquote>
+  <p align="left">C0.00.02.0E</p>
+</blockquote>
+<p align="left">ou l'exprimons comme un entier de 32-bit</p>
+<blockquote>
+  <p align="left">C000020E</p>
+</blockquote>
+<h3 align="left"><a name="Subnets"></a>4.2 Sous -réseaux<br>
+</h3>
+<p align="left">Vous entendrez toujours les termes "réseaux de Class
+A", "réseaux de Class B" et "réseaux de Class C". Au début de
+l'existence de l'IP, les réseaux ne comportez que trois tailles (il y
+avait aussi le réseau de Class D mais il étaient utilisés différemment):</p>
+<blockquote>
+  <p align="left">Classe A - masque réseau 255.0.0.0, taille = 2 ** 24</p>
+  <p align="left">Classe B - masque réseau 255.255.0.0, taille = 2 ** 16</p>
+  <p align="left">Classe C - masque réseau 255.255.255.0, taille = 256</p>
+</blockquote>
+<p align="left">La taille d'un réseau était uniquement déterminé par la
+valeur du byte de l'ordre supérieur, ainsi vous pouviez regarder une
+adresse IP et déterminer immédiatement le <span
+ style="font-style: italic;">masque réseau</span>. Le masque réseau est
+un nombre qui se termine logiquement avec une adresse qui isole le <span
+ style="font-style: italic;">numéro de réseau</span>; le reste de
+l'adresse est le <i>numéro d'hôte</i>. Par exemple, dans la Classe C
+l'adresse 192.0.2.14, le numéro hexadécimal du réseau est C00002 et le
+numéro hexadécimal d'hôte est 0E.</p>
+<p align="left">Comme l'Internet se développait, il semblait clair que
+la classification en adressage 32-bit allait devenir très limité
+(rapidement, les grandes sociétés et les universités s'étaient assigné
+leur propre réseau de classe A!). Après quelques faux départs, la
+technique courante du <span style="font-style: italic;">sous-adressage
+</span>de
+ces réseaux en plus petits <span style="font-style: italic;">sous-réseaux</span>&nbsp;
+évolua; cette technique est consignée par le <i>Classless Inter Domain
+Routing</i> (CIDR). Aujourd'hui, tous les systèmes avec lesquels vous
+travaillerez&nbsp; comprennent probablement la notation CIDR. Le réseau
+basé sur les Classes est du domaine du passé .</p>
+<p align="left">Un sous-réseau (aussi appelé <i>subnetwork </i>et <i>subnet)</i>
+est un ensemble d'adresses IP tel que:</p>
+<ol>
+  <li>
+    <p align="left">Le nombre d'adresses dans le jeu est un multiple de
+2; et</p>
+  </li>
+  <li>
+    <p align="left">La première adresse dans le jeu est un multiple de
+la taille du jeu.</p>
+  </li>
+  <li>
+    <p align="left">La première adresse du sous-réseau est réservée et
+se réfère à l'<i>adresse du sous-réseau.</i></p>
+  </li>
+  <li>
+    <p align="left">La dernière adresse du sous-réseau est réservée
+comme <i>adresse broadcast du sous-réseau.</i></p>
+  </li>
+</ol>
+<p align="left">Comme vous pouvez voir dans cette définition, dans
+chacun des sous-réseau de taille <b>n</b> il y a (<b>n</b> - 2)
+adresses
+utilisables (adresses qui peuvent être assignées aux hôtes). La
+première
+et la dernière adresse du sous-réseau sont respectivement utilisées
+pour
+l'adresse du sous-réseau et de l'adresse broadcast du sous-réseau. En
+conséquence, les petits réseaux sont plus gaspilleur d'adresses IP que
+les grands.</p>
+<p align="left">Comme <b>n</b> est un multiple de deux, nous pouvons
+facilement calculer le <span style="font-style: italic;">Logarithme
+Naturel</span>&nbsp; (<b>log2</b>) de <b>n</b>. Pour les sous-réseaux
+les plus communs, la taille et son logarithme naturel sont donnés dans
+la table suivante:</p>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber5">
+    <tbody>
+      <tr>
+        <td><u><b>n</b></u></td>
+        <td><u><b>log2 n</b></u></td>
+        <td><u><b>(32 - log2 n)</b></u></td>
+      </tr>
+      <tr>
+        <td>8</td>
+        <td>3</td>
+        <td>29</td>
+      </tr>
+      <tr>
+        <td>16</td>
+        <td>4</td>
+        <td>28</td>
+      </tr>
+      <tr>
+        <td>32</td>
+        <td>5</td>
+        <td>27</td>
+      </tr>
+      <tr>
+        <td>64</td>
+        <td>6</td>
+        <td>26</td>
+      </tr>
+      <tr>
+        <td>128</td>
+        <td>7</td>
+        <td>25</td>
+      </tr>
+      <tr>
+        <td>256</td>
+        <td>8</td>
+        <td>24</td>
+      </tr>
+      <tr>
+        <td>512</td>
+        <td>9</td>
+        <td>23</td>
+      </tr>
+      <tr>
+        <td>1024</td>
+        <td>10</td>
+        <td>22</td>
+      </tr>
+      <tr>
+        <td>2048</td>
+        <td>11</td>
+        <td>21</td>
+      </tr>
+      <tr>
+        <td>4096</td>
+        <td>12</td>
+        <td>20</td>
+      </tr>
+      <tr>
+        <td>8192</td>
+        <td>13</td>
+        <td>19</td>
+      </tr>
+      <tr>
+        <td>16384</td>
+        <td>14</td>
+        <td>18</td>
+      </tr>
+      <tr>
+        <td>32768</td>
+        <td>15</td>
+        <td>17</td>
+      </tr>
+      <tr>
+        <td>65536</td>
+        <td>16</td>
+        <td>16</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p align="left">Vous pourrez voir que la table ci-dessus contient aussi
+une colonne (32 - log2 <b>n</b>). Ce nombre est la <span
+ style="font-style: italic;">Variable de Longueur&nbsp; du Masque de
+Sous-réseau </span>(VLSM <i>Variable Length Subnet Mask) </i>pour
+un réseau de taille <span style="font-weight: bold;">n</span>. De la
+table ci-dessus, nous pouvons dériver celle-ci, ce qui est plus facile
+à
+utiliser.</p>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber5">
+    <tbody>
+      <tr>
+        <td><u><b>Taille du sous-réseau<br>
+        </b></u></td>
+        <td><u><b>VLSM</b></u></td>
+        <td><u><b>Masque sous-réseau<br>
+        </b></u></td>
+      </tr>
+      <tr>
+        <td>8</td>
+        <td>/29</td>
+        <td>255.255.255.248</td>
+      </tr>
+      <tr>
+        <td>16</td>
+        <td>/28</td>
+        <td>255.255.255.240</td>
+      </tr>
+      <tr>
+        <td>32</td>
+        <td>/27</td>
+        <td>255.255.255.224</td>
+      </tr>
+      <tr>
+        <td>64</td>
+        <td>/26</td>
+        <td>255.255.255.192</td>
+      </tr>
+      <tr>
+        <td>128</td>
+        <td>/25</td>
+        <td>255.255.255.128</td>
+      </tr>
+      <tr>
+        <td>256</td>
+        <td>/24</td>
+        <td>255.255.255.0</td>
+      </tr>
+      <tr>
+        <td>512</td>
+        <td>/23</td>
+        <td>255.255.254.0</td>
+      </tr>
+      <tr>
+        <td>1024</td>
+        <td>/22</td>
+        <td>255.255.252.0</td>
+      </tr>
+      <tr>
+        <td>2048</td>
+        <td>/21</td>
+        <td>255.255.248.0</td>
+      </tr>
+      <tr>
+        <td>4096</td>
+        <td>/20</td>
+        <td>255.255.240.0</td>
+      </tr>
+      <tr>
+        <td>8192</td>
+        <td>/19</td>
+        <td>255.255.224.0</td>
+      </tr>
+      <tr>
+        <td>16384</td>
+        <td>/18</td>
+        <td>255.255.192.0</td>
+      </tr>
+      <tr>
+        <td>32768</td>
+        <td>/17</td>
+        <td>255.255.128.0</td>
+      </tr>
+      <tr>
+        <td>65536</td>
+        <td>/16</td>
+        <td>255.255.0.0</td>
+      </tr>
+      <tr>
+        <td>2 ** 24</td>
+        <td>/8</td>
+        <td>255.0.0.0</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p align="left">Notez que le VLSM est écrit avec un slash ("/") -- vous
+pouvez souvent entendre un sous-réseau de taille 64 qui fait référence
+à
+un sous-réseau "slash 26" et un de taille 8 faisant référence à un
+"slash 29".</p>
+<p align="left">Le masque de sous-réseau (aussi référencé par son <i>netmask)&nbsp;</i>est
+simplement un nombre de 32-bit avec le premier bit "VLSM" à un et
+les autres à zéro. Par exemple, pour un sous-réseau de taille 64, le
+masque de sous-réseau débute par 26 bits à un:</p>
+<blockquote>
+  <p align="left">11111111111111111111111111000000 = FFFFFFC0 =
+FF.FF.FF.C0 = 255.255.255.192</p>
+</blockquote>
+<p align="left">Le masque de sous-réseau a la propriété suivante: si
+vous terminez logiquement le masque de sous-réseau avec une adresse
+dans
+le sous-réseau, le résultat est l'adresse du sous-réseau. Attention, si
+vous terminez logiquement le masque de sous-réseau avec une adresse en
+dehors du sous-réseau, le résultat n'est PAS l'adresse du sous-réseau.
+Comme nous l'avons vu précédemment, la propriété du masque de
+sous-réseau est très importante dans le routage.</p>
+<p align="left">Pour un sous-réseau dont l'adresse est <b>a.b.c.d</b>
+et dont la VLSM est <b>/v</b>, nous notons le sous-réseau par "<b>a.b.c.d/v</b>"
+en utilisant la <span style="font-style: italic;">Notation</span> <i>CIDR</i>.&nbsp;</p>
+<p align="left">Exemple:</p>
+<blockquote>
+  <table border="2" style="border-collapse: collapse;" id="AutoNumber1"
+ cellpadding="2">
+    <tbody>
+      <tr>
+        <td><b>Sous-réseau:</b></td>
+        <td>10.10.10.0 - 10.10.10.127</td>
+      </tr>
+      <tr>
+        <td><b>Taille Sous-réseau</b><b>:</b></td>
+        <td>128</td>
+      </tr>
+      <tr>
+        <td><b>Adresse Sous-réseau</b><b>:</b></td>
+        <td>10.10.10.</td>
+      </tr>
+      <tr>
+        <td><b>Adresse Broadcast:</b></td>
+        <td>10.10.10.127</td>
+      </tr>
+      <tr>
+        <td><b>Notation </b><b>CIDR: <br>
+        </b></td>
+        <td>10.10.10.0/25</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p align="left">Il y a deux sous-réseaux dérivés qui doivent être
+mentionnés; A savoir, le sous-réseau avec un membre et le sous-réseau
+avec 2 ** 32 membres.</p>
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber5">
+    <tbody>
+      <tr>
+        <td><u><b>Taille du Sous-réseau<br>
+        </b></u></td>
+        <td><u><b>Longueur VLSM<br>
+        </b></u></td>
+        <td><u><b>Masque Sous-réseau</b></u></td>
+        <td><u><b>Notation CIDR</b></u></td>
+      </tr>
+      <tr>
+        <td>1</td>
+        <td>32</td>
+        <td>255.255.255.255</td>
+        <td>a.b.c.d/32</td>
+      </tr>
+      <tr>
+        <td>2 ** 32</td>
+        <td>0</td>
+        <td>0.0.0.0</td>
+        <td>0.0.0.0/0</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+<p align="left">Ainsi, chaque adresse <b>a.b.c.d </b>peut aussi être
+écrite <b>a.b.c.d/32</b> et l'ensemble des adresses possibles est
+écrit <b>0.0.0.0/0</b>.</p>
+<p align="left">Plus loin dans ce manuel, vous verrez la notation <b>a.b.c.d/v</b>
+utilisé pour décrire la configuration IP d'une interface réseau
+(l'utilitaire 'ip' utilise aussi cette syntaxe). cela veut simplement
+dire que l'interface est configuré avec une adresse ip <b>a.b.c.d</b>
+et
+avec le masque de réseau qui correspond à la variable VLSM <b>/v</b>.</p>
+<p align="left">Exemple: 192.0.2.65/29</p>
+<p align="left">&nbsp;&nbsp;&nbsp; L'interface est configuré avec
+l'adresse IP 192.0.2.65 et le masque de réseau 255.255.255.248.<br>
+</p>
+<p align="left">A partir de Shorewall version 1.4.6, /sbin/shorewall
+supporte la commande <b>ipcalc</b> qui calcule automatiquement
+l'information du [sous]-réseau.<br>
+</p>
+<p align="left">Exemple 1:<br>
+</p>
+<blockquote>
+  <pre><b><font color="#009900">ipcalc 10.10.10.0/25<br></font></b>   CIDR=10.10.10.0/25<br>   NETMASK=255.255.255.128<br>   NETWORK=10.10.10.0<br>   BROADCAST=10.10.10.127<br></pre>
+</blockquote>
+Exemple 2
+<blockquote>
+  <pre><b><font color="#009900">ipcalc 10.10.10.0 255.255.255.128</font></b><br>   CIDR=10.10.10.0/25<br>   NETMASK=255.255.255.128<br>   NETWORK=10.10.10.0<br>   BROADCAST=10.10.10.127<br></pre>
+</blockquote>
+<h3 align="left"><a name="Routing"></a>4.3 Routage</h3>
+<p align="left">L'un des buts des sous-réseaux est la base du routage.
+Ci-dessous se trouve la table de routage de mon firewall:</p>
+<div align="left">
+<blockquote>
+  <pre>[root@gateway root]# netstat -nr<br>Kernel IP routing table<br>Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface<br>192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas<br>206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1<br>206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3<br>192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3<br>192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1<br>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2<br>206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0<br>192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas<br>127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo<br>0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0<br>[root@gateway root]#</pre>
+</blockquote>
+</div>
+<p align="left">Le périphérique <i>texas</i> est le tunnel GRE vers un
+site peer à Dallas, la zone Texas.<br>
+<br>
+Les trois premières routes sont des <span style="font-style: italic;">routes
+hôte </span>puisqu'elles indiquent comment aller vers un hôte unique.
+Dans la sortie de 'netstat' cela peut-être vu par le "Genmask" (Masque
+sous-réseau) de 255.255.255.255 et le "H"&nbsp; dans la colonne
+"Flags".
+Les autres sont des routes 'net' car elles indiquent au noyau comment
+router des paquets à un sous-réseau. La dernière route est la <span
+ style="font-style: italic;">route par défaut</span> est la passerelle
+(gateway) mentionnée est appelé <i>passerelle par défaut (</i><i>default
+gateway</i>).</p>
+<p align="left">Quant le noyau essaye d'envoyer un paquet à une adresse
+IP A, il commence au début de la table de routage et :</p>
+<ul>
+  <li>
+    <p align="left">A est logiquement terminé avec la valeur du
+'Genmask' dans l'entrée de la table.</p>
+  </li>
+  <li>
+    <p align="left">Le résultat est comparé avec la valeur de la
+destination 'Destination' dans l'entrée de la table.</p>
+  </li>
+  <li>
+    <p align="left">Si le résultat et la valeur de la&nbsp;
+'Destination' sont identiques, alors:</p>
+    <ul>
+      <li>
+        <p align="left">Si la colonne 'Gateway' est n'est pas nulle, le
+paquet est envoyé au gateway à travers l'interface nommée dans la
+colonne 'Iface'.</p>
+      </li>
+      <li>
+        <p align="left">Sinon, le paquet est directement envoyé à A à
+travers l'interface nommée dans la colonne 'iface'.</p>
+      </li>
+    </ul>
+  </li>
+  <li>
+    <p align="left">Autrement, les étapes précédentes sont répétées sur
+l'entrée suivante de la table.</p>
+  </li>
+</ul>
+<p align="left">Puisque la route par défaut correspond à toutes les
+adresses IP (<b>A</b> donne 0.0.0.0 = 0.0.0.0), les paquets qui ne
+correspondent à aucune des autres entrées de la table de routage sont
+envoyés au <i>gateway</i> <span style="font-style: italic;">par défaut</span>
+qui généralement est un routeur vers le FAI.</p>
+<p align="left">Voici un exemple. Supposez que vous souhaitez router un
+paquet à 192.168.1.5. Cette adresse ne correspond à aucune route d'hôte
+dans la table mais si nous terminons logiquement cette adresse avec
+255.255.255.0, le résultat est 192.168.1.0 qui correspond à la l'entrée
+dans la table:</p>
+<div align="left">
+<blockquote>
+  <pre>192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2</pre>
+</blockquote>
+<p>Donc le paquet vers 192.168.1.5 est directement envoyé à travers
+eth2.</p>
+</div>
+<p align="left">Un des points qui doit être souligné -- tous les
+paquets sont envoyés en utilisant la table de routage et les réponses
+ne
+sont pas exclues de ce principe. Il semble y avoir&nbsp; une croyance
+de la part des ceux qui croient que les paquets réponses sont comme les
+saumons et contiennent un code génétique qui leur permet de suivre la
+route emprunté par les paquets envoyés. Ce n'est pas le cas; La réponse
+peut prendre un chemin totalement différent de celui de la requête du
+client -- les routes requête/réponse sont totalement indépendantes.</p>
+<h3 align="left"><a name="ARP"></a>4.4 Protocole de Résolution
+d'Adresse (ARP)</h3>
+<p align="left">Quant on envoie des paquets à travers Ethernet, les
+adresses IP ne sont pas utilisées. Bien que l'adressage Ethernet soit
+basé sur les adresses <i>Media Access Control</i> (MAC). Chaque
+périphérique Ethernet à sa propre adresse&nbsp; MAC qui est contenu
+dans
+une PROM lors de la fabrication. Vous pouvez obtenir l'adresse MAC
+grâce
+à l'utilitaire 'ip':</p>
+<blockquote>
+  <div align="left">
+  <pre>[root@gateway root]# ip addr show eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br>link/ether <u>02:00:08:e3:fa:55</u> brd ff:ff:ff:ff:ff:ff<br>inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br>inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0<br>inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0<br>[root@gateway root]#</pre>
+  </div>
+</blockquote>
+<div align="left">
+<p align="left">Comme vous pouvez le constater ci-dessus, l'adresse MAC
+codé sur 6 bytes (48 bits). Une carte MAC est généralement aussi
+imprimé sur la carte elle-même. </p>
+</div>
+<div align="left">
+<p align="left">Parce que IP utilise les adresses IP et Ethernet les
+adresses MAC, un mécanisme est nécessaire pour transcrire une adresse
+IP
+en adresse MAC; C'est ce dont est chargé le protocole de résolution
+d'adresse <i>Address Resolution Protocol</i> (ARP). Voici ARP en
+action:</p>
+</div>
+<div align="left">
+<blockquote>
+  <div align="left">
+  <pre>[root@gateway root]# tcpdump -nei eth2 arp<br>tcpdump: listening on eth2<br>09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254<br>09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0<br><br>2 paquets received by filter<br>0 paquets dropped by kernel<br>[root@gateway root]#<br></pre>
+  </div>
+</blockquote>
+</div>
+<p align="left">Dans cet échange , 192.168.1.254 (MAC 2:0:8:e3:4c:48)
+veut connaître l'adresse MAC du périphérique avec l'adresse IP
+192.168.1.19. Le système ayant cette adresse IP répond que l'adresse
+MAC
+du périphérique avec l'adresse IP 192.168.1.19 est 0:6:25:aa:8a:f0.</p>
+<p align="left">Afin de rendre disponible les informations d'échange
+ARP chaque fois qu'un paquet est envoyé, le système maintient un <span
+ style="font-style: italic;">cache</span> <i>ARP&nbsp; </i>des
+correspondances IP&lt;-&gt;MAC. Vous pouvez voir le cache ARP sur votre
+système (également sur les systèmes Windows) en utilisant la commande
+'arp':</p>
+<blockquote>
+  <div align="left">
+  <pre>[root@gateway root]# arp -na<br>? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1<br>? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2<br>? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2<br>? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0<br>? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</pre>
+  </div>
+</blockquote>
+<p align="left">Les détails de réponse sont le résultat de
+l'utilisation de l'option 'n' (Windows 'arp' n'accepte pas cette
+option)
+qui force le programme 'arp' à la translation de résolution de noms
+IP-&gt;DNS. Si je n'utilise pas cette option, la marque de question
+aurait été remplacé par le FQDN correspondant à chaque adresse IP.
+Notez
+que la dernière information dans la table d'enregistrement est celle
+que
+nous voyons en utilisant précédemment tcpdump.</p>
+<h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
+<p align="left">Les adresses IP sont alloués par l'autorité <i> <a
+ href="http://www.iana.org/">Internet Assigned Number Authority</a> </i>(IANA)
+qui délégue des allocations géographiques basés sur le <i>Regional
+Internet Registries</i> (RIRs). Par exemple, les allocations pour les
+Etats-Unis sont déléguées à <i><a href="http://www.arin.net/">American
+Registry for Internet Numbers</a> </i>(ARIN). Ces&nbsp; RIRs peuvent
+déléguer à des bureaux nationaux. La plus part d'entre nous ne traite
+pas avec autorités mais obtienne plutôt leur adresse IP par leur FAI.</p>
+<p align="left">Dans la réalité, généralement on ne peut se permettre
+autant d'adresses IP Publiques que de périphériques à assigner si bien
+que nous utiliseront des adresses IP <span style="font-style: italic;">Privées</span>.
+RFC 1918 réserve plusieurs plages d'adresse IP à cet usage:</p>
+<div align="left">
+<pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
+</div>
+<div align="left">
+<p align="left">Les adresses réservées par la RFC 1918 sont parfois
+appelées <i>non-routable</i> car le routeur passerelle Internet ne
+renvoit pas les paquets qui ont une adresse de destination RFC-1918.
+cela est compréhensible car tout le monde peut choisir ces adresses
+pour
+un usage privé.</p>
+</div>
+<div align="left">
+<p align="left">Quant on choisit des adresses de ces plages, il y a
+deux choses à garder en mémoire:</p>
+</div>
+<div align="left">
+<ul>
+  <li>
+    <p align="left">Comme l'espace des adresses IPv4 s'épuise, de plus
+en plus d'organisation (comprenant les FAI) commencent à utiliser les
+adresses RFC 1918 dans leur infrastructures. </p>
+  </li>
+  <li>
+    <p align="left">Vous ne voulez pas utiliser des adresses IP qui
+sont utilisés par votre FAI ou une autre organisation avec laquelle
+vous
+souhaiter établir une liaison VPN. </p>
+  </li>
+</ul>
+</div>
+<div align="left">
+<p align="left">C'est pourquoi c'est une bonne idée de vérifier avec
+votre FAI s'il n'utilise pas (ou ne prévoie pas d'utiliser) des
+adresses
+privées avant de décider les adresses que vous allez utiliser.</p>
+</div>
+<div align="left">
+<h2 align="left"><a name="Options"></a>5.0 Configurer votre Réseau<br>
+</h2>
+</div>
+<div align="left">
+<p align="left">Le choix de configuration de votre réseau dépend
+d'abord du nombre d'adresses Public IP dont vous avez besoin, c'est à
+dire du nombre d'entités adressables que vous avez sur votre réseau. En
+fonction du nombre d'adresses que vous avez, votre FAI peut servir ce
+jeu d'adresses de deux manières:<br>
+</p>
+</div>
+<div align="left">
+<ol>
+  <li>
+    <p align="left"><b>Routé - </b>Le trafic vers chacune de vos
+adresses sera routé à travers une unique <i>adresse passerelle</i>.
+Cela sera généralement fait si votre FAI vous assigne un sous-réseau
+complet (/29 ou plus). Dans ce cas, vous assignerez l'adresse
+passerelle comme adresse IP de l'interface externe de votre
+firewall/router. </p>
+  </li>
+  <li>
+    <p align="left"><b>Non-routé - </b>Votre FAI vous enverra
+directement le trafic de chaque adresse directement. </p>
+  </li>
+</ol>
+</div>
+<div align="left">
+<p align="left">Dans les paragraphes qui suivent, nous étudierons
+chaque cas séparément.<br>
+</p>
+<p align="left">Avant de commencer, il y a une chose que vous devez
+vérifier:</p>
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_.gif" alt="" title=""> &nbsp;&nbsp;&nbsp; Si vous
+utilisez le package Debian, vérifier
+svp votre fichier shorewall.conf afin de contrôler les paramètres
+suivants; si ce n'est pas juste, appliquer les&nbsp; changements
+nécessaires:<br>
+</p>
+<ul>
+  <li>NAT_ENABLED=Yes (Shorewall versions antérieures à 1.4.6)</li>
+  <li>IP_FORWARDING=On<br>
+  </li>
+</ul>
+</div>
+<div align="left">
+<h3 align="left"><a name="Routed"></a>5.1 Routage</h3>
+</div>
+<div align="left">
+<p align="left">Supposons que votre fournisseur d'accès FAI vous a
+assigné le sous-réseau 192.0.2.64/28 routé à travers 192.0.2.65. cela
+veut dire que vous avez les adresses IP&nbsp; 192.0.2.64 - 192.0.2.79
+et que l'adresse externe de votre firewall est 192.0.2.65. Votre FAI
+vous a aussi dit que vous pouvez utiliser le masque de réseau
+255.255.255.0 (ainsi votre /28 est une partie de /24). Avec ces
+adresses
+IP, vous pouvez scinder votre réseau /28 en deux /29 et configurer
+votre
+réseau comme l'indique le diagramme suivant.</p>
+</div>
+<div align="left">
+<p align="center"> <img
+ style="border: 0px solid ; width: 726px; height: 635px;"
+ src="images/dmz4.png" title="" alt=""> </p>
+</div>
+<div align="left">
+<p align="left">Ici, la zone démilitarisé DMZ comprend le sous-réseau
+192.0.2.64/29 et le réseau Local 192.0.2.72/29. La passerelle par
+défaut
+pour les hôtes dans la DMZ pourra être configuré à 192.0.2.66 et la
+passerelle par défaut pour les hôtes du réseau local pourra être
+192.0.2.73.</p>
+</div>
+<div align="left">
+<p align="left">Notez que cet arrangement est plus gourmand en adresses
+publiques puisqu'il utilise 192.0.2.64 et 192.0.2.72 pour les adresses
+du sous-réseau, 192.0.2.71 et 192.0.2.79 pour les adresses
+broadcast du réseau, de même que 192.0.2.66 et 168.0.2.73 pour les
+adresses internes que le firewall/routeur. Néanmoins, cela montre
+comment nous pouvons faire avec un réseau /24 plutôt qu'un /28,
+l'utilisation de 6 adresses IP parmi les 256 peut être justifié par la
+simplicité du paramétrage.</p>
+</div>
+<div align="left">
+<p align="left">Le lecteur astucieux aura remarqué que l'interface
+externe du firewall/Routeur est actuellement inclus dans le sous-réseau
+DMZ (192.0.2.64/29). Que se passe-t-il si DMZ 1 (192.0.2.67) essaye de
+communiquer avec 192.0.2.65? La table de routage sur DMZ 1 peut
+ressembler à cela:</p>
+</div>
+<div align="left">
+<blockquote>
+  <pre>Kernel IP routing table<br>Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface<br>192.0.2.64 	0.0.0.0 	255.255.255.248 U     40  0         0 eth0<br>0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0</pre>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Cela indique que DMZ 1 enverra une requête ARP "qui-a
+192.0.2.65" et aucune interface sur le segment Ethernet DMZ&nbsp; à
+cette adresse IP. Assez bizarrement, le firewall répondra à la
+requête avec l'adresse MAC de sa propre <u>Interface DMZ!!</u> DMZ 1
+peut alors envoyer des trames Ethernet frames adressées à cette
+adresse MAC et les trames seront reçues (correctement) par le
+firewall/routeur.</p>
+</div>
+<div align="left">
+<p align="left">C'est plutôt une possibilité inattendue d'ARP sur la
+partie du Noyau Linux qui pousse cet avertissement très tôt dans ce
+manuel à propos de la connexion de plusieurs interfaces
+firewall/routeur
+au même hub ou switch. Quant une requête ARP destiné à une des
+adresses firewall/routeur est envoyé par un autre système connecté au
+hub/switch, toutes les interfaces du firewall qui se connectent au
+hub/switch peuvent répondre! C'est alors une course à la réponse qui
+"est-là" qui atteindra en premier l'émetteur.</p>
+</div>
+<div align="left">
+<h3 align="left"><a name="NonRouted"></a>5.2 Non-routé</h3>
+</div>
+<div align="left">
+<p align="left">Avec la situation précédente mais non-routé, vous
+pouvez configurer votre réseau exactement comme décrit ci-dessus avec
+une condition supplémentaire; spécifiez simplement l'option "proxyarp"
+sur les trois interfaces du firewall dans le fichier
+/etc/shorewall/interfaces.</p>
+</div>
+<div align="left">
+<p align="left">La plus part d'entre nous n'a pas le luxe d'avoir assez
+d'adresses publiques IP pour configurer notre réseau comme montré dans
+le précédent exemple (même&nbsp; si la configuration est routé). </p>
+</div>
+<div align="left">
+<p align="left"><b>Pour le besoin de cette section, admettons que notre
+FAI nous a assigné les adresses IP 192.0.2.176-180 et nous a dit
+d'utiliser le masque de réseau 255.255.255.0 et la passerelle par
+défaut
+192.0.2.254.</b></p>
+</div>
+<div align="left">
+<p align="left">Clairement, ce jeu d'adresses ne comprend pas de
+sous-réseau et n'a pas suffisamment d'adresses pour toutes les
+interfaces de notre réseau. Il y a quatre possibilités qui peuvent être
+utilisées pour règler ce problème.</p>
+</div>
+<div align="left">
+<ul>
+  <li>
+    <p align="left">Translation d'Adresses Réseau Source <i>: Source
+Network Address Translation </i>(SNAT). </p>
+  </li>
+  <li>
+    <p align="left">Translation d'Adresses Réseau Destination <i>:
+Destination Network Address Translation </i>(DNAT) aussi nommé <i>Port
+Forwarding.</i> </p>
+  </li>
+  <li>
+    <p align="left"><i>Proxy ARP.</i> </p>
+  </li>
+  <li>
+    <p align="left">Translation d''Adresses Réseau : <i>Network
+Address Translation</i> (NAT) aussi appelé <i>One-to-one NAT</i>. </p>
+  </li>
+</ul>
+</div>
+<div align="left">
+<p align="left">Souvent une combinaison de ces techniques est utilisée.
+Chacune d'entre elle sera détaillée dans la section suivante.</p>
+</div>
+<div align="left">
+<h4 align="left"><a name="SNAT"></a>&nbsp;5.2.1 SNAT</h4>
+</div>
+<div align="left">
+<p align="left">Avec SNAT, un segment interne LAN est configuré en
+utilisant les adresses RFC 1918. Quant un hôte A sur ce segment interne
+initialise une connexion à l'hôte <b>B</b> sur Internet, le
+firewall/routeur réécrit les entêtes IP dans la requête pour utiliser
+une de vos adresses publiques IP en tant qu'adresse source. Quant B
+répond et que la réponse est reçu par le firewall, le firewall change
+l'adresse destination par celle RFC 1918 de <b>A</b> et renvoi la
+réponse à A<b>.</b></p>
+</div>
+<div align="left">
+<p align="left">Supposons que vous décidiez d'utiliser SNAT sur votre
+zone locale et utilisiez l'adresse publique 192.0.2.176 à la fois comme
+adresse externe du firewall et l'adresse source des requêtes Internet
+envoyées depuis cette zone.</p>
+</div>
+<div align="left">
+<h2 align="center"> <img
+ style="border: 0px solid ; width: 745px; height: 635px;"
+ src="images/dmz5.png" title="" alt=""> </h2>
+</div>
+<div align="left">La zone locale a été assigné au sous-réseau
+192.168.201.0/29 (netmask 255.255.255.248).</div>
+<div align="left"> &nbsp;</div>
+<div align="left"> <img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">
+&nbsp;&nbsp;&nbsp; Le système dans la zone locale pourra être configuré
+avec la passerelle par défaut 192.168.201.1 (L'adresse IP de
+l'interface local du firewall).</div>
+<div align="left"> &nbsp;</div>
+<div align="left"> <img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">
+&nbsp;&nbsp;&nbsp; SNAT est configuré dans Shorewall avec le
+fichier&nbsp; <a href="Documentation.htm#Masq">/etc/shorewall/masq</a>.</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber6">
+    <tbody>
+      <tr>
+        <td width="33%"><u><b>INTERFACE</b></u></td>
+        <td width="33%"><u><b>SOUS-RESEAU</b></u></td>
+        <td width="34%"><u><b>ADDRESSE</b></u></td>
+      </tr>
+      <tr>
+        <td width="33%">eth0</td>
+        <td width="33%">192.168.201.0/29</td>
+        <td width="34%">192.0.2.176</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Cet exemple utilise la technique normale pour assigner
+la même adresse publique IP pour l'interface externe du firewall et
+pour
+SNAT. Si vous souhaitez utiliser une adresse IP différente, vous pouvez
+soit utiliser les outils de configuration réseau de votre distribution
+pour ajouter cette adresse IP ou vous pouvez mettre la variable
+ADD_SNAT_ALIASES=Yes dans /etc/shorewall/shorewall.conf si bien que
+Shorewall ajoutera l'adresse pour vous.</p>
+</div>
+<div align="left">
+<h4 align="left"><a name="DNAT"></a>5.2.2 DNAT</h4>
+</div>
+<div align="left">
+<p align="left">Quant SNAT est utilisé, il est impossible pour les
+hôtes sur Internet d'initialiser une connexion avec un des systèmes
+puisque ces systèmes n'ont pas d'adresses publiques IP. DNAT fournit
+une
+méthode pour autoriser des connexions sélectionnés depuis Internet.</p>
+</div>
+<div align="left">
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">&nbsp;&nbsp;&nbsp;&nbsp;
+Supposons que votre fille souhaite héberger un
+server web sur son système "Local 3". Vous pouvez autoriser les
+connexions d'Internet à son serveur en ajoutant l'entrée suivante dans
+le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL DESTINATION</b></u></td>
+      </tr>
+      <tr>
+        <td>DNAT</td>
+        <td>net</td>
+        <td>loc:192.168.201.4</td>
+        <td>tcp</td>
+        <td>www</td>
+        <td>-</td>
+        <td>192.0.2.176</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Si une des amies de votre fille avec une adresse A veut
+accéder au serveur de votre fille, elle peut se connecter à l'adresse
+http://192.0.2.176 (l'adresse IP externe
+de votre firewall) et le firewall réécrira l'adresse IP à 192.168.201.4
+(le système de votre fille) et enverra la requête. Quant le serveur de
+votre fille répond, le firewall réécrira la source de réponse avec
+192.0.2.176 et retournera la réponse à <b>A.</b></p>
+</div>
+<div align="left">
+<p align="left">Cet exemple l'adresse externe IP du firewall pour DNAT.
+Vous pouvez utiliser une autre de vos adresses IP publiques, mais
+Shorewall n'ajoutera pas pour vous cette adresse à l'interface externe
+du firewall.</p>
+</div>
+<div align="left">
+<h4 align="left"><a name="ProxyARP"></a>5.2.3 Proxy ARP</h4>
+</div>
+<div align="left">
+<p align="left">Le principe du proxy ARP est:</p>
+</div>
+<div align="left">
+<ul>
+  <li>
+    <p align="left">Un hôte <b>H </b>derrière votre firewall est
+assigné à une de vos adresses publiques (<b>A)</b>, a le même masque de
+réseau <b>(M) </b>que l'interface externe du firewall. </p>
+  </li>
+  <li>
+    <p align="left">Le firewall répond à ARP "qui a" demandé <b>A.</b>
+    </p>
+  </li>
+  <li>
+    <p align="left">Quant <b>H</b> délivre une requête ARP "qui a"
+pour
+une adresse du sous -réseau définit par&nbsp; <b>A</b> et <b>M</b>,
+le
+firewall répondra (avec l'adresse MAC si le firewall s'interface à <b>H</b>).</p>
+  </li>
+</ul>
+</div>
+<div align="left">
+<p align="left">Supposons que nous décidons d'utiliser Proxy ARP sur
+DMZ de notre exemple réseau.</p>
+</div>
+<div align="left">
+<p align="center"> <img
+ style="border: 0px solid ; width: 745px; height: 635px;"
+ src="images/dmz6.png" title="" alt=""> </p>
+</div>
+<div align="left">Ici, nous avons assigné les adresses IP 192.0.2.177
+au système DMZ 1 et 192.0.2.178 à DMZ 2. Notez que nous avons juste
+assigné une adresse arbitraire RFC 1918 et un masque de sous-réseau à
+l'interface DMZ de notre firewall. Cette adresse et le masque ne sont
+pas pertinentes - vérifiez juste que celle-ci n'écrase pas un autre
+sous-réseau déjà définit.</div>
+<div align="left"> &nbsp;</div>
+<div align="left"> <img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">
+&nbsp;&nbsp;&nbsp; La configuration de Proxy ARP est faite dans le
+fichier <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a>.</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" id="AutoNumber8"
+ style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><u><b>ADDRESS</b></u></td>
+        <td><u><b>INTERFACE</b></u></td>
+        <td><u><b>EXTERNAL</b></u></td>
+        <td><u><b>HAVE ROUTE</b></u></td>
+      </tr>
+      <tr>
+        <td>192.0.2.177</td>
+        <td>eth2</td>
+        <td>eth0</td>
+        <td>No</td>
+      </tr>
+      <tr>
+        <td>192.0.2.178</td>
+        <td>eth2</td>
+        <td>eth0</td>
+        <td>No</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Parce que la&nbsp; variable HAVE ROUTE contient No,
+Shorewall ajoutera les routes d'hôte à travers eth2 à 192.0.2.177 et
+192.0.2.178.<br>
+</p>
+<p>Les interfaces ethernet de DMZ 1 et DMZ 2&nbsp; pourront être
+configurées pour avoir les adresses IP apparentes mais devront avoir la
+même passerelle par défaut que le firewall lui-même -- nommé
+192.0.2.254. En d'autres termes, elles pourront être configurées juste
+comme elles devraient être si elles étaient parallèles au firewall
+plutôt que derrière lui.<br>
+</p>
+<p><font color="#ff0000"><b>NOTE: Ne pas ajouter le(s) adresse(s) ARP
+(192.0.2.177 et 192.0.2.178 dans l'exemple ci-dessus)&nbsp; à
+l'interface externe (eth0 dans cet exemple) du firewall.</b></font><br>
+</p>
+<div align="left"> </div>
+</div>
+<div align="left"> </div>
+<div align="left">
+<div align="left">
+<p align="left">Un mot de mise en garde à sa place ici. Les FAIs
+configure(nt) typiquement leur routeur avec un timeout de cache ARP
+élevé. Si vous déplacer un système parallèle à votre firewall derrière
+le Proxy ARP du firewall, cela peut mettre des HEURES avant que le
+système puisse communiquer avec Internet. Il y a deux choses que vous
+pouvez essayer de faire:<br>
+</p>
+<ol>
+  <li>(Courtoisement de Bradey Honsinger) Une lecture de Stevens' <i>TCP/IP
+Illustrated, Vol 1</i> révèle qu'un paquet ARP <br>
+    <br>
+"gratuitous" peut entraîner le routeur de votre FAI à rafraîchir son
+cache(section 4.7). Une "gratuitous" ARP est simplement une requête
+d'un
+hôte demandant l'adresse MAC de sa propre adresse IP; éventuellement
+pour vérifier que l'adresse IP n'est pas dupliquée,...<br>
+    <br>
+si l'hôte envoyant la commande "gratuitous" ARP vient juste de changer
+son adresse IP..., ce paquet entraîne tous les autres hôtes...qui ont
+une entrée dans son cache pour l'ancienne adresse matériel de mettre à
+jour également ses caches ARP."<br>
+    <br>
+Ce qui est exactement, bien sûr, ce que vous souhaitez faire lorsque
+vous basculez un hôte vulnérable à Internet derrière Shorewall
+utilisant
+proxy ARP (ou one-to-one NAT). Heureusement, des packages récents
+(Redhat)
+iputils incluent "arping", avec l'option "-U" qui fait cela:<br>
+    <br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I &lt;net
+if&gt; &lt;newly proxied IP&gt;</b></font><br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
+66.58.99.83 # for example</b></font><br>
+    <br>
+Stevens continue en mentionnant que tous les systèmes répondent
+correctement au gratuitous ARPs,&nbsp; et&nbsp; "googling" pour "arping
+-U" semble aller dans ce sens.<br>
+    <br>
+  </li>
+  <li>Vous pouvez appeler votre FAI et dire de purger l'ancienne entrée
+du cache ARP mais la plupart ne veulent ou ne peuvent le faire.</li>
+</ol>
+Vous pouvez vérifier si le cache ARP de votre FAI est ancien en
+utilisant ping et tcpdump. Supposez que vous pensez que la
+passerelle&nbsp; routeur a une ancienne entrée ARP pour 192.0.2.177.
+Sur
+le firewall, lancez tcpdump de cette façon:</div>
+<div align="left">
+<pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
+</div>
+<div align="left">
+<p align="left">Maintenant depuis 192.0.2.177, utilisez ping vers la
+passerelle du FAI&nbsp; (que nous supposons être 192.0.2.254):</p>
+</div>
+<div align="left">
+<pre>	<b><font color="#009900">ping 192.0.2.254</font></b></pre>
+</div>
+</div>
+<div align="left">
+<p align="left">Nous pouvons maintenant observer le résultat de tcpdump:</p>
+</div>
+<div align="left">
+<pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 192.0.2.177 &gt; 192.0.2.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 192.0.2.254 &gt; 192.0.2.177 : icmp: echo reply</pre>
+</div>
+<div align="left">
+<p align="left">Notez que l'adresse source&nbsp; MAC dans la
+requête&nbsp; echo&nbsp; est différente de&nbsp; l'adresse de
+destination dans&nbsp; la réponse&nbsp; echo!! Dans le cas ou
+0:4:e2:20:20:33 était l'adresse MAC de l'interface NIC eth0 du firewall
+tandis que 0:c0:a8:50:b2:57 était l'adresse MAC de DMZ 1. En
+d'autre&nbsp; termes, le cache ARP de la passerelle associe encore
+192.0.2.177 avec la NIC de DMZ 1 plutôt qu'avec eth0 du firewall.</p>
+</div>
+<div align="left">
+<h4 align="left"><a name="NAT"></a>5.2.4 One-to-one NAT</h4>
+</div>
+<div align="left">
+<p align="left">Avec one-to-one NAT, vous assignez les adresses
+systèmes
+RFC 1918 puis établissez une à une l'assignation entre ces adresses et
+les adresses publiques. Pour les occurrences des connexions sortantes
+SNAT (Source Network Address Translation) et pour les occurrences
+des connexions entrantes DNAT (Destination Network Address
+Translation). Voyons avec l'exemple précédent du serveur web de votre
+fille tournant sur le système Local 3.</p>
+</div>
+<div align="left">
+<p align="center"><img
+ style="border: 0px solid ; width: 745px; height: 635px;"
+ src="images/dmz5.png" title="" alt=""> </p>
+</div>
+<div align="left">
+<p align="left">Rappel du paramétrage, le réseau local utilise SNAT et
+partage l'IP externe du firewall (192.0.2.176) pour les connexions
+sortantes. cela est obtenu avec l'entrée suivante dans le fichier
+/etc/shorewall/masq:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber6">
+    <tbody>
+      <tr>
+        <td width="33%"><u><b>INTERFACE</b></u></td>
+        <td width="33%"><u><b>SOUS-RESEAU</b></u></td>
+        <td width="34%"><u><b>ADDRESSE</b></u></td>
+      </tr>
+      <tr>
+        <td width="33%">eth0</td>
+        <td width="33%">192.168.201.0/29</td>
+        <td width="34%">192.0.2.176</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_1.gif" title="" alt="">&nbsp;&nbsp;&nbsp;
+Supposons maintenant que vous avez décidé d'allouer à
+votre fille sa propre adresse IP (192.0.2.179) pour l'ensemble des
+connexions entrantes et sortantes. Vous devrez faire cela en
+ajoutant une entrée dans le fichier <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellspacing="0" cellpadding="2" id="AutoNumber9"
+ style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td>EXTERNAL</td>
+        <td>INTERFACE</td>
+        <td>INTERNAL</td>
+        <td>ALL INTERFACES </td>
+        <td>LOCAL</td>
+      </tr>
+      <tr>
+        <td>192.0.2.179</td>
+        <td>eth0</td>
+        <td>192.168.201.4</td>
+        <td>No</td>
+        <td>No</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Avec cette entrée active, votre fille a sa propre
+adresse IP et les deux autres systèmes locaux partagent l'adresse IP du
+firewall.</p>
+</div>
+<div align="left">
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_1.gif" title="" alt="">&nbsp;&nbsp;&nbsp; Une fois
+que la relation entre 192.0.2.179
+et192.168.201.4 est établie par l'entrée ci-dessus, ce n'est pas
+nécessaire d'utiliser une règle DNAT pour le serveur web de votre fille
+-- vous devez simplement utiliser une règle ACCEPT:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL DESTINATION</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>loc:192.168.201.4</td>
+        <td>tcp</td>
+        <td>www</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<div align="left">
+<div align="left">
+<p align="left">Un mot de mise en garde à sa place ici. FAIs
+configure(nt) typiquement leur routeur avec un timeout de cache ARP
+élevé. Si vous déplacer un système parallèle à votre firewall derrière
+le Proxy ARP du firewall, cela peut mettre des HEURES avant que le
+système puisse communiquer avec Internet. Il y a deux choses que vous
+pouvez essayer de faire:<br>
+</p>
+<ol>
+  <li>(Courtoisement de Bradey Honsinger) Une lecture de Stevens' <i>TCP/IP
+Illustrated, Vol 1</i> révèle qu'un paquet ARP <br>
+    <br>
+"gratuitous" peut entraîner le routeur de votre FAI à rafraîchir son
+cache(section 4.7). Une "gratuitous" ARP est simplement une requête
+d'un
+hôte demandant l'adresse MAC de sa propre adresse IP; éventuellement
+pour vérifier que l'adresse IP n'est pas dupliquée,...<br>
+    <br>
+"si l'hôte envoyant la "gratuitous" ARP vient juste de changer son
+adresse IP..., ce paquet entraîne tous les autres hôtes...qui ont une
+entrée dans son cache pour l'ancienne adresse matériel de mettre à jour
+également ses caches ARP."<br>
+    <br>
+Ce qui est exactement, bien sûr, ce que vous souhaitez faire lorsque
+vous basculez un hôte vulnérable à Internet derrière Shorewall
+utilisant
+proxy ARP (ou one-to-one NAT). Heureusement, les versions récentes des
+packages Redhat's iputils incluent "arping", avec l'option "-U" qui
+fait
+cela:<br>
+    <br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I &lt;net
+if&gt; &lt;newly proxied IP&gt;</b></font><br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
+66.58.99.83 # for example</b></font><br>
+    <br>
+Stevens continue en mentionnant que tous les systèmes répondent
+correctement au gratuitous ARPs,&nbsp; et&nbsp; "googling" pour "arping
+-U" semble aller dans ce sens.<br>
+    <br>
+  </li>
+  <li>Vous pouvez appeler votre FAI et dire de purger l'ancienne entrée
+du cache ARP mais la plupart ne veulent ou ne peuvent le faire.</li>
+</ol>
+Vous pouvez vérifier si le cache ARP de votre FAI est ancien en
+utilisant ping et tcpdump. Supposez que vous pensez que la
+passerelle&nbsp; routeur a une ancienne entrée ARP pour 192.0.2.177.
+Sur
+le firewall, lancez tcpdump de cette façon:</div>
+<div align="left">
+<pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
+</div>
+<div align="left">
+<p align="left">Maintenant depuis 192.0.2.177, utilisez ping vers la
+passerelle du FAI&nbsp; (que nous supposons être 192.0.2.254):</p>
+</div>
+<div align="left">
+<pre>	<b><font color="#009900">ping 192.0.2.254</font></b></pre>
+</div>
+</div>
+<div align="left">
+<p align="left">Nous pouvons maintenant observer le résultat de tcpdump:</p>
+</div>
+<div align="left">
+<pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 192.0.2.177 &gt; 192.0.2.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 192.0.2.254 &gt; 192.0.2.177 : icmp: echo reply</pre>
+</div>
+<div align="left">
+<p align="left">Notez que l'adresse source&nbsp; MAC dans la
+requête&nbsp; echo&nbsp; est différente de&nbsp; l'adresse de
+destination dans&nbsp; la réponse&nbsp; echo!! Dans le cas ou
+0:4:e2:20:20:33 était l'adresse MAC de l'interface NIC eth0 du firewall
+tandis que 0:c0:a8:50:b2:57 était l'adresse MAC de DMZ 1. En
+d'autre&nbsp; termes, le cache ARP de la passerelle associe encore
+192.0.2.177 avec la NIC de DMZ 1 plutôt qu'avec eth0 du firewall.</p>
+</div>
+<h3 align="left"><a name="Rules"></a>5.3 Règles</h3>
+</div>
+<div align="left">
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_1.gif" title="" alt="">&nbsp;&nbsp;&nbsp; Avec les
+polices par défaut, vos systèmes locaux
+(Local 1-3) peuvent accéder à tous les serveurs sur Internet et la DMZ
+ne peut accéder à aucun autre hôte (incluant le firewall). Avec les
+exceptions des règles <a href="#DNAT">règles NAT</a> qui entraîne la
+translation d'adresses et permet aux requêtes de connexion translatées
+de passer&nbsp; à travers le firewall, la façon d'autoriser des
+requêtes
+à travers le firewall est d'utiliser des règles ACCEPT.<br>
+</p>
+</div>
+<div align="left">
+<p align="left"><b>NOTE: Puisque les colonnes SOURCE PORT et ORIG.
+DEST. ne sont pas utilisées dans cette section, elle ne sont pas
+affichées.</b></p>
+</div>
+<div align="left">
+<p align="left">Vous souhaiter certainement autoriser ping entre vos
+zones:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>loc</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz</td>
+        <td>loc</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">En supposant que vous avez des serveurs mail et pop3
+actifs sur DMZ 2 et un serveur Web sur DMZ 1. Les règles dont vous avez
+besoin sont:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>COMMENTS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail depuis Internet<br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>pop3</td>
+        <td># Pop3 depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail depuis le Réseau Local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>pop3</td>
+        <td># Pop3 depuis le Réseau Local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail depuis le firewall</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz:192.0.2.178</td>
+        <td>net</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mails vers Internet<br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>http</td>
+        <td># WWW depuis le Net<br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>https</td>
+        <td># HTTP sécurisé depuis le Net</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>https</td>
+        <td># HTTP sécurisé depuis le Réseau Local</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Si vous utilisez un serveur DNS publique sur
+192.0.2.177, vous devez ajouter les règles suivantes:</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>COMMENTS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.177</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:192.0.2.177</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS depuis le firewall</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS depuis le firewall</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.177</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS depuis le Réseau local<br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS depuis le Réseau local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz:192.0.2.177</td>
+        <td>net</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS vers Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz:192.0.2.177</td>
+        <td>net</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS vers Internet</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Vous souhaitez probablement communiquer entre votre
+firewall et les systèmes DMZ depuis le réseau local -- Je recommande
+SSH
+qui, grâce à son utilitaire scp&nbsp; peut aussi faire de la diffusion
+et de la mise à jour de logiciels.</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>COMMENTS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz</td>
+        <td>tcp</td>
+        <td>ssh</td>
+        <td># SSH vers la DMZ</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>ssh</td>
+        <td># SSH vers le firewall</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<h3 align="left"><a name="OddsAndEnds"></a>5.4 D'autres petites choses<br>
+</h3>
+</div>
+<div align="left">
+<p align="left">La discussion précédente reflète ma préférence
+personnelle pour l'utilisation de Proxy ARP associé à mes serveurs de
+la
+DMZ et SNAT/NAT pour mes systèmes locaux. Je préfère utiliser NAT
+seulement dans le cas ou un système qui fait partie d'un sous-réseau
+RFC
+1918 à besoin d'avoir sa propre adresse IP.&nbsp;</p>
+</div>
+<div align="left">
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">&nbsp;&nbsp;&nbsp; Si vous
+ne l'avez pas fait, ce peut-être une bonne
+idée de parcourir le fichier <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
+afin de voir si autre chose pourrait être intéressant. Vous pouvez
+aussi
+regarder aux autres fichiers de configuration que vous n'avez pas
+touché
+pour un aperçu des autres possibilités de Shorewall.</p>
+</div>
+<div align="left">
+<p align="left">Dans le cas ou vous n'auriez pas validé les étapes,
+ci-dessous se trouve un jeu final des fichiers de configuration pour
+notre réseau exemple. Uniquement ceux qui auraient étés modifiés de la
+configuration originale sont montrés.</p>
+</div>
+<div align="left">
+<p align="left">/etc/shorewall/interfaces (Les "options" seront
+spécifiques aux sites).</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" id="AutoNumber4">
+    <tbody>
+      <tr>
+        <td><u><b>Zone</b></u></td>
+        <td><u><b>Interface</b></u></td>
+        <td><u><b>Broadcast</b></u></td>
+        <td><u><b>Options</b></u></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>eth0</td>
+        <td>detect</td>
+        <td>norfc1918,routefilter </td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth1</td>
+        <td>detect</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>dmz</td>
+        <td>eth2</td>
+        <td>detect</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">La configuration décrit nécessite que votre réseau soit
+démarré avant que Shorewall&nbsp; puisse&nbsp; se lancer. Cela ouvre un
+lapse de temps durant lequel vous n'avez pas de protection firewall.<br>
+Si vous remplacez 'detect' par les valeurs des adresses broadcoast dans
+les entrées suivantes, vous pouvez activer Shorewall avant les
+interfaces réseau.<br>
+</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" id="AutoNumber4">
+    <tbody>
+      <tr>
+        <td><u><b>Zone</b></u></td>
+        <td><u><b>Interface</b></u></td>
+        <td><u><b>Broadcast</b></u></td>
+        <td><u><b>Options</b></u></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>eth0</td>
+        <td>192.0.2.255</td>
+        <td>norfc1918,routefilter </td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth1</td>
+        <td>192.168.201.7</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>dmz</td>
+        <td>eth2</td>
+        <td>192.168.202.7</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">/etc/shorewall/masq - Sous-réseau Local<br>
+</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber6">
+    <tbody>
+      <tr>
+        <td width="33%"><u><b>INTERFACE</b></u></td>
+        <td width="33%"><u><b>SOUS-RESEAU</b></u></td>
+        <td width="34%"><u><b>ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td width="33%">eth0</td>
+        <td width="33%">192.168.201.0/29</td>
+        <td width="34%">192.0.2.176</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">/etc/shorewall/proxyarp - DMZ</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" id="AutoNumber8"
+ style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td><u><b>ADDRESS</b></u></td>
+        <td><u><b>INTERFACE</b></u></td>
+        <td><u><b>EXTERNAL</b></u></td>
+        <td><u><b>HAVE ROUTE</b></u></td>
+      </tr>
+      <tr>
+        <td>192.0.2.177</td>
+        <td>eth2</td>
+        <td>eth0</td>
+        <td>No</td>
+      </tr>
+      <tr>
+        <td>192.0.2.178</td>
+        <td>eth2</td>
+        <td>eth0</td>
+        <td>No</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">/etc/shorewall/nat- Le système de ma fille<br>
+</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" id="AutoNumber9"
+ style="border-collapse: collapse;">
+    <tbody>
+      <tr>
+        <td>EXTERNAL</td>
+        <td>INTERFACE</td>
+        <td>INTERNAL</td>
+        <td>ALL INTERFACES </td>
+        <td>LOCAL</td>
+      </tr>
+      <tr>
+        <td>192.0.2.179</td>
+        <td>eth0</td>
+        <td>192.168.201.4</td>
+        <td>No</td>
+        <td>No</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">/etc/shorewall/rules</p>
+</div>
+<div align="left">
+<blockquote>
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber7">
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>COMMENTS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>pop3</td>
+        <td># Pop3 depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail depuis le Réseau Local<br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>pop3</td>
+        <td># Pop3 depuis le Réseau Local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail depuis le firewall</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz:192.0.2.178</td>
+        <td>net</td>
+        <td>tcp</td>
+        <td>smtp</td>
+        <td># Mail vers Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>http</td>
+        <td># WWW depuis le Net</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>https</td>
+        <td># HTTP sécurisé depuis le Net</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.178</td>
+        <td>tcp</td>
+        <td>https</td>
+        <td># HTTP sécurisé depuis le Réseau Local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.177</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:192.0.2.177</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS depuis le firewall</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS depuis le firewall</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.177</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS depuis le Réseau Local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:192.0.2.177</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS depuis le Réseau Local</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz:192.0.2.177</td>
+        <td>net</td>
+        <td>udp</td>
+        <td>domain</td>
+        <td># UDP DNS vers Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz:192.0.2.177</td>
+        <td>net</td>
+        <td>tcp</td>
+        <td>domain</td>
+        <td># TCP DNS vers Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>dmz</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+        <td># Ping</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>loc</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+        <td>#&nbsp; "</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz</td>
+        <td>loc</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+        <td># "</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz</td>
+        <td>icmp</td>
+        <td>echo-request</td>
+        <td># "</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz</td>
+        <td>tcp</td>
+        <td>ssh</td>
+        <td># SSH vers DMZ</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>ssh</td>
+        <td># SSH vers le firewall</td>
+      </tr>
+    </tbody>
+  </table>
+</blockquote>
+</div>
+<div align="left">
+<h2 align="left"><a name="DNS"></a>6.0 DNS</h2>
+</div>
+<div align="left">
+<p align="left">En donnant une collection d'adresses RFC 1918 et
+publiques dans la configuration, cela justifie d'avoir des serveurs DNS
+interne et externe. Vous pouvez combiner les deux dans un unique
+serveur BIND 9 utilisant les vues (<i>Views). </i>Si vous n'êtes pas
+intéressé par les vues BIND 9, vous pouvez <a
+ href="#StartingAndStopping">allez à la section suivante</a>.</p>
+</div>
+<div align="left">
+<p align="left">Supposons que votre domain est foobar.net et vous
+voulez que les deux systèmes DMZ s'appellent www.foobar.net et
+mail.foobar.net, les trois systèmes locaux&nbsp; "winken.foobar.net,
+blinken.foobar.net et nod.foobar.net. Vous voulez que le firewall soit
+connu à l'extérieur sous le nom firewall.foobar.net, son interface vers
+le réseau local gateway.foobar.net et son interface vers la DMZ
+dmz.foobar.net. Mettons le serveur DNS sur 192.0.2.177 qui sera aussi
+connu sous le nom ns1.foobar.net.</p>
+</div>
+<div align="left">
+<p align="left">Le fichier&nbsp; /etc/named.conf devrait ressembler à
+cela:</p>
+</div>
+<div align="left">
+<blockquote>
+  <div align="left">
+  <pre>options {<br>	directory "/var/named";<br>	listen-on { 127.0.0.1 ; 192.0.2.177; };<br>};<br><br>logging {<br>	channel xfer-log {<br>		file "/var/log/named/bind-xfer.log";<br>		print-category yes;<br>		print-severity yes;<br>		print-time yes;<br>		severity info;<br>	};<br>	category xfer-in { xfer-log; };<br>	category xfer-out { xfer-log; };<br>	category notify { xfer-log; };<br>};</pre>
+  </div>
+  <div align="left">
+  <pre>#<br># Ceci est la vue présente sur vos systèmes internes.<br>#<br><br>view "internal" {<br>	#<br>	# Les clients suivants peuvent voir le serveur<br>	#<br>	match-clients { 192.168.201.0/29;<br>			192.168.202.0/29;<br>			127.0.0.0/8;<br>			192.0.2.176/32; <br>			192.0.2.178/32;<br>			192.0.2.179/32;<br>			192.0.2.180/32; };<br>	#<br>	# Si le serveur ne peut répondre à la requête, il utilisera des serveurs externes<br>	# <br>	#<br>	recursion yes;<br><br>	zone "." in {<br>		type hint;<br>		file "int/root.cache";<br>	};<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.foobar";<br>	};<br><br>	zone "0.0.127.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.127.0.0";	<br>	};<br><br>	zone "201.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.201";<br>	};<br><br>	zone "202.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.202";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.176";<br>	};<br> (or status NAT for that matter)<br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.206.124.146.179";<br>	};<br><br>};<br>#<br># Ceci est la vue qui sera présente pour le monde extérieur<br>#<br>view "external" {<br>	match-clients { any; };<br>	#<br>	# Si nous pouvons répondre à la requéte, nous le disons<br>	#<br>	recursion no;<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify yes;<br>		allow-update {none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "ext/db.foobar";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br> 		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.176";<br>	};<br><br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.179";<br>	};<br>};</pre>
+  </div>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Voici les fichiers de /var/named (ceux qui ne sont pas
+présents font partis de votre distribution BIND).</p>
+<p align="left">db.192.0.2.176 - Zone inverse de l'interface externe du
+firewall</p>
+<blockquote>
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32<br>; Filename: db.192.0.2.176<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.<br></pre>
+</blockquote>
+</div>
+<div align="left">
+<div align="left"> db.192.0.2.177 - Zone inverse pour le serveur
+www/DNS
+server
+<blockquote>
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32<br>; Filename: db.192.0.2.177<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.<br></pre>
+</blockquote>
+</div>
+</div>
+<div align="left">
+<div align="left"> db.192.0.2.178 - Zone inverse du serveur mail
+<blockquote>
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32<br>; Filename: db.192.0.2.178<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.<br></pre>
+</blockquote>
+</div>
+</div>
+<div align="left">
+<div align="left"> db.192.0.2.179 - Zone inverse du serveur web
+publique
+de votre fille
+<blockquote>
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32<br>; Filename: db.192.0.2.179<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2001102303 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ) ; minimum (1 day)<br>;<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800	IN NS	ns1.foobar.net.<br>@	604800	IN NS	<i>&lt;name of secondary ns&gt;</i>.<br>;<br>; ############################################################<br>; Iverse Address Arpa Records (PTR's) <br>; ############################################################<br>179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.<br></pre>
+</blockquote>
+</div>
+</div>
+<div align="left">
+<p align="left">int/db.127.0.0 - Zone inverse pour localhost</p>
+</div>
+<div align="left">
+<blockquote>
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8<br>; Filename: db.127.0.0<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>				2001092901 ; serial<br>				10800 ; refresh (3 hour)<br>				3600 ; retry (1 hour)<br>				604800 ; expire (7 days)<br>				86400 ) ; minimum (1 day)<br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800		IN NS	ns1.foobar.net.<br><br>; ############################################################<br>; Iverse Address Arpa Records (PTR's)<br>; ############################################################<br>1	86400		IN PTR	localhost.foobar.net.</pre>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">int/db.192.168.201 - Zone inverse pour le réseau local.
+cela n'est montré qu'aux clients internes<br>
+</p>
+</div>
+<div align="left">
+<blockquote>
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29<br>; Filename: db.192.168.201<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (<br>				2002032501 ; serial<br>				10800 ; refresh (3 hour)<br>				3600 ; retry (1 hour)<br>				604800 ; expire (7 days)<br>				86400 ) ; minimum (1 day)<br><br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@	604800		IN NS	ns1.foobar.net.<br><br>; ############################################################<br>; Iverse Address Arpa Records (PTR's)<br>; ############################################################<br>1	86400		IN PTR 	gateway.foobar.net.<br>2	86400		IN PTR	winken.foobar.net.<br>3	86400		IN PTR	blinken.foobar.net.<br>4	86400		IN PTR	nod.foobar.net.</pre>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">int/db.192.168.202 - Zone inverse de l'interface DMZ du
+firewall</p>
+</div>
+<div align="left">
+<blockquote>
+  <div align="left">
+  <pre>; ############################################################<br>; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29<br>; Filename: db.192.168.202<br>; ############################################################<br>@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (<br>				2002032501 ; serial<br>				10800 ; refresh (3 hour)<br>				3600 ; retry (1 hour)<br>				604800 ; expire (7 days)<br>				86400 ) ; minimum (1 day)<br><br>; ############################################################<br>; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)<br>; ############################################################<br>@		604800	IN NS	ns1.foobar.net.<br><br>; ############################################################<br>; Iverse Address Arpa Records (PTR's)<br>; ############################################################<br>1 		86400 IN PTR	dmz.foobar.net.</pre>
+  </div>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">int/db.foobar - Forward zone pour l'utilisation des
+clients internes.</p>
+</div>
+<div align="left">
+<blockquote>
+  <pre>;##############################################################<br>; Start of Authority for foobar.net.<br>; Filename: db.foobar<br>;##############################################################<br>@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2002071501 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ); minimum (1 day)<br>;############################################################<br>; foobar.net Nameserver Records (NS)<br>;############################################################<br>@ 		604800	IN NS	ns1.foobar.net.<br><br>;############################################################<br>; Foobar.net Office Records (ADDRESS)<br>;############################################################<br>localhost	86400 	IN A 	127.0.0.1<br><br>firewall	86400	IN A	192.0.2.176<br>www		86400	IN A	192.0.2.177<br>ns1 		86400	IN A 	192.0.2.177<br>www		86400	IN A	192.0.2.177<br><br>gateway		86400	IN A 	192.168.201.1<br>winken		86400	IN A 	192.168.201.2<br>blinken		86400	IN A	192.168.201.3<br>nod		86400	IN A	192.168.201.4</pre>
+</blockquote>
+</div>
+<div align="left">
+<p align="left">ext/db.foobar - Forward zone pour les clients externes<br>
+</p>
+</div>
+<div align="left">
+<blockquote>
+  <div align="left">
+  <pre>;##############################################################<br>; Start of Authority for foobar.net.<br>; Filename: db.foobar<br>;##############################################################<br>@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (<br>			2002052901 ; serial<br>			10800 ; refresh (3 hour)<br>			3600 ; retry (1 hour)<br>			604800 ; expire (7 days)<br>			86400 ); minimum (1 day)<br>;############################################################<br>; Foobar.net Nameserver Records (NS)<br>;############################################################<br>@		86400	IN NS	ns1.foobar.net.<br>@		86400	IN NS	<i>&lt;secondary NS&gt;</i>.<br>;############################################################<br>; Foobar.net 	Foobar Wa Office Records (ADDRESS)<br>;############################################################<br>localhost	86400	IN A	127.0.0.1<br>;<br>; The firewall itself<br>;<br>firewall	86400	IN A	192.0.2.176<br>;<br>; The DMZ<br>;<br>ns1		86400	IN A	192.0.2.177<br>www		86400	IN A	192.0.2.177<br>mail		86400	IN A	192.0.2.178<br>;<br>; The Local Network<br>;<br>nod		86400	IN A	192.0.2.179<br><br>;############################################################<br>; Current Aliases for foobar.net (CNAME)<br>;############################################################<br><br>;############################################################<br>; foobar.net MX Records (MAIL EXCHANGER)<br>;############################################################<br>foobar.net.	86400	IN A	192.0.2.177<br>		86400 	IN MX 0 mail.foobar.net.<br>		86400	IN MX 1 <i>&lt;backup MX&gt;</i>.</pre>
+  </div>
+</blockquote>
+</div>
+<div align="left">
+<h2 align="left"><a name="StartingAndStopping"></a>7.0 Démarrer et
+Stopper le firewall</h2>
+</div>
+<div align="left">
+<p align="left">La <a href="Install.htm">procédure
+d'installation</a> configure votre système pour que Shorewall démarre
+au
+boot du système.</p>
+</div>
+<div align="left">
+<p align="left">Le firewall est démarré en utilisant la commande
+"shorewall start" et arrêté avec "shorewall stop". Quand le firewall
+est
+arrêté, le routage est actif sur les hôtes qui ont une entrée dans le
+fichier <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+Le firewall actif peut-être relancé grâce à la commande "shorewall
+restart". Si vous voulez retirer toute trace de Shorewall de votre
+configuration Netfilter, utilisez "shorewall clear".</p>
+</div>
+<div align="left">
+<p align="left"><img
+ style="border: 0px solid ; width: 13px; height: 13px;"
+ src="images/BD21298_2.gif" title="" alt="">&nbsp;&nbsp;&nbsp; Editez
+le fichier&nbsp; /etc/shorewall/routestopped
+file et ajouter les systèmes qui doivent pouvoir se connecter au
+firewall quant il est arrêté.</p>
+</div>
+<div align="left">
+<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
+firewall depuis Internet, ne pas exécutez la commande&nbsp; "shorewall
+stop" tant que vous n'avez pas une entrée active pour l'adresse IP de
+votre hôte dans le fichier <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+Egalement, je ne recommande pas d'utiliser "shorewall restart"; il est
+préférable d'utiliser une <i><a
+ href="starting_and_stopping_shorewall.htm">configuration
+alternative</a></i>&nbsp; et la tester avec la commande <a
+ href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
+</div>
+<p align="left"><font size="2">Last updated 11/13/2003 - Fabien
+Demassieux and <a href="support.htm">Tom Eastep</a></font></p>
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
+2003 Fabien Demassieux and Thomas M. Eastep</font></a><br>
+</p>
+<br>
+<br>
+</body>
+</html>
diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm
index 05cb287ed..b730008b1 100644
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@@ -7,18 +7,6 @@
   <base target="_self">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="4"
- style="border-collapse: collapse;" width="100%" id="AutoNumber3"
- bgcolor="#3366ff">
-  <tbody>
-    <tr>
-      <td width="33%" height="90" valign="middle" align="center"><a
- href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
- alt="(Shorewall Logo)" width="430" height="90"> <br>
-      </td>
-    </tr>
-  </tbody>
-</table>
 <div align="center">
 <center>
 <table border="0" cellpadding="0" cellspacing="0"
@@ -26,6 +14,15 @@
   <tbody>
     <tr>
       <td width="90%">
+      <h2>Site Problem</h2>
+The server that normally hosts www.shorewall.net and ftp.shorewall.net
+is currently down. Until it is back up, a small server with very
+limited bandwidth is being used temporarly. You will likely experience
+better response time from the <a
+ href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
+or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
+Sorry for the inconvenience.<br>
+      <br>
       <h2>Introduction<br>
       </h2>
       <ul>
@@ -37,14 +34,12 @@ and control that facility. Netfilter can be used in ipchains
 compatibility mode.<br>
         </li>
         <li>iptables - the utility program used to configure and
-control
-Netfilter. The term 'iptables' is often used to refer to the
-combination of iptables+Netfilter (with Netfilter not in
-ipchains compatibility mode).<br>
+control Netfilter. The term 'iptables' is often used to refer to the
+combination of iptables+Netfilter (with Netfilter not in ipchains
+compatibility mode).<br>
         </li>
       </ul>
-The
-Shoreline Firewall, more commonly known as "Shorewall", is
+The Shoreline Firewall, more commonly known as "Shorewall", is
 high-level tool for configuring Netfilter. You describe your
 firewall/gateway requirements using entries in a set of configuration
 files. Shorewall reads those configuration files and with the help of
@@ -56,14 +51,14 @@ and can thus take advantage of Netfilter's connection state tracking
 capabilities.
       <p>This program is free software; you can redistribute it and/or
 modify it under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
-GNU General Public License</a> as published by the Free Software
-Foundation.<br>
+ href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
+General Public License</a> as published by the Free Software Foundation.<br>
       <br>
 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.<br>
+General
+Public License for more details.<br>
       <br>
 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
@@ -81,356 +76,205 @@ Shorewall. For older versions:<br>
         </li>
       </ul>
       <h2>Getting Started with Shorewall</h2>
-New to Shorewall? Start by
-selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
-that most closely match your environment and
-follow the step by step instructions.<br>
+New to Shorewall? Start by selecting the <a
+ href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
+closely match your environment and follow the step by step instructions.<br>
       <h2>Looking for Information?</h2>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
-Index</a> is a good place to start as is the Quick Search to your
-right.
+Index</a> is a good place to start as is the Quick Search in the frame
+above.
       <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
 If so, the documentation<b> </b>on this site will not apply directly
-to your setup. If you want to
-use the documentation that you find here, you will want to consider
-uninstalling what you have and installing a setup that matches the
-documentation on this site. See the <a href="two-interface.htm">Two-interface
-QuickStart Guide</a> for
+to
+your setup. If you want to use the documentation that you find here,
+you will want to consider uninstalling what you have and installing a
+setup that matches the documentation on this site. See the <a
+ href="two-interface.htm">Two-interface QuickStart Guide</a> for
 details.
       <h2></h2>
       <h2><b>News</b></h2>
-      <b>10/06/2003 - Shorewall 1.4.7</b><b> <img
+      <p><b>11/01/2003 - Shorewall 1.4.8 RC2</b><b> <img
  style="border: 0px solid ; width: 28px; height: 12px;"
- src="images/new10.gif" alt="(New)" title=""></b><br>
-      <b><br>
-Problems Corrected since version 1.4.6 (Those in bold font
-were corrected since 1.4.7 RC2).</b><br>
-      <ol>
-        <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
-variable was being tested before it was set.</li>
-        <li>Corrected handling of MAC addresses in the SOURCE column of
-the tcrules file. Previously, these addresses resulted in an invalid
-iptables command.</li>
-        <li>The "shorewall stop" command is now disabled when
-/etc/shorewall/startup_disabled exists. This prevents people from
-shooting themselves in the foot prior to having configured Shorewall.</li>
-        <li>A change introduced in version 1.4.6 caused error messages
-during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
-were being added to a PPP interface; the addresses were successfully
-added in spite of the messages.<br>
-&nbsp;&nbsp;&nbsp; <br>
-The firewall script has been modified to eliminate the error messages</li>
-        <li>Interface-specific dynamic blacklisting chains are
-now displayed by "shorewall monitor" on the "Dynamic Chains" page
-(previously named "Dynamic Chain").</li>
-        <li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
-        <li value="7">The 'shorewall reject'
-and
-'shorewall drop' commands now delete any existing rules for the subject
-IP address before adding a new DROP or REJECT rule. Previously, there
-could be many rules for the same IP address in the dynamic chain so
-that multiple 'allow' commands were required to re-enable traffic
-to/from the address.</li>
-        <li>When ADD_SNAT_ALIASES=Yes in
-shorewall.conf, the following entry in /etc/shorewall/masq resulted in
-a startup error:<br>
-&nbsp;<br>
-&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
-206.124.146.20-206.124.146.24<br>
-          <br>
-        </li>
-        <li>Shorewall previously choked over
-IPV6
-addresses configured on interfaces in contexts where Shorewall needed
-to detect something about the interface (such as when "detect" appears
-in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
-        <li>Shorewall will now load
-module files that are formed from the module name by appending ".o.gz".</li>
-        <li>When Shorewall adds a route to a
-proxy
-ARP host and such a route already exists, two routes resulted
-previously. This has been corrected so that the existing route is
-replaced if it already exists.</li>
-        <li>The rfc1918 file has been
-updated to reflect recent allocations.</li>
-        <li>The documentation of the
-USER SET column in the rules file has been corrected.</li>
-        <li>If there is no policy
-defined for
-the zones specified in a rule, the firewall script previously
-encountered a shell syntax error:<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-Now, the absence of a policy generates an error message and the
-firewall is stopped:<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
-&lt;source&gt; to zone &lt;dest&gt;<br>
-          <br>
-        </li>
-        <li>Previously, if neither
-/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
-would fail to start and would not remove the lock file. Failure to
-remove the lock file resulted in the following during subsequent
-attempts to start:<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-          <br>
-&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
-&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
-&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
-&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
-&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
-          <br>
-Shorewall now reports a fatal error if neither of these two files exist
-and correctly removes the lock fille.</li>
-        <li>The order of processing
-the
-various options has been changed such that blacklist entries now take
-precedence over the 'dhcp' interface setting.</li>
-        <li>The log message generated
-from the
-'logunclean' interface option has been changed to reflect a disposition
-of LOG rather than DROP.</li>
-        <li><span style="font-weight: bold;">When a user name and/or a
-group
-name was specified in the USER SET column and the destination zone was
-qualified with a IP address, the user and/or group name was not being
-used to qualify the rule.<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp; Example:<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
-          <br>
-          </span></li>
-        <li><span style="font-weight: bold;">The /etc/shorewall/masq
-file has had the spurious "/" character at the front removed.</span></li>
-      </ol>
-      <b>Migration Issues:</b><br>
-      <ol>
-        <li>Shorewall IP Traffic Accounting has changed since snapshot
-20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
-details.</li>
-        <li>The Uset Set capability introduced in SnapShot 20030821 has
-changed -- see the <a href="UserSets.html">User Set page</a> for
-details.</li>
-        <li>The
-per-interface Dynamic Blacklisting facility introduced in the first
-post-1.4.6 Snapshot has been removed. The facility had too many
-idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
-        </li>
-      </ol>
-      <b></b><b>New Features:</b><br>
-      <ol>
-        <li>Shorewall now creates a dynamic blacklisting chain for each
-interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
-commands use the routing table to determine which of these chains is to
-be used for blacklisting the specified IP address(es).<br>
-          <br>
-Two new commands ('dropall' and 'rejectall') have been introduced that
-do what 'drop' and 'reject' used to do; namely, when an address is
-blacklisted using these new commands, it will be blacklisted on all of
-your firewall's interfaces.</li>
-        <li>Thanks to Steve Herber, the 'help' command can now give
-command-specific help (e.g., shorewall help &lt;command&gt;).</li>
-        <li>A new option "ADMINISABSENTMINDED" has been added to
-/etc/shorewall/shorewall.conf. This option has a default value of "No"
-for existing users which causes Shorewall's 'stopped' state &nbsp;to
-continue as it has been; namely, in the stopped state only traffic
-to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
-          <br>
-With ADMINISABSENTMINDED=Yes (the default for new installs), in
-addition to traffic to/from the hosts listed in
-/etc/shorewall/routestopped, Shorewall will allow:<br>
-          <br>
-&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
-&nbsp;&nbsp; b) All traffic that is part of or related to an
-already-existing connection.<br>
-          <br>
-&nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
-entered through an ssh session will not kill the session.<br>
-          <br>
-&nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
-possible for people to shoot themselves in the foot.<br>
-          <br>
-&nbsp;Example:<br>
-          <br>
-&nbsp;/etc/shorewall/nat:<br>
-          <br>
-&nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
-eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
-          <br>
-&nbsp;/etc/shorewall/rules:<br>
-          <br>
-&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
-loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
-&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
-fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
-          <br>
-From a remote system, I ssh to 206.124.146.178 which establishes an SSH
-connection with local system 192.168.1.5. I then create a second SSH
-connection
-from that computer to the firewall and confidently type "shorewall
-stop".
-As part of its stop processing, Shorewall removes eth0:0 which kills my
-SSH
-connection to 192.168.1.5!!!</li>
-        <li>Given the wide range of VPN software, I can never hope to
-add specific support for all of it. I have therefore decided to add
-"generic" tunnel support.<br>
-&nbsp;<br>
-Generic tunnels work pretty much like any of the other tunnel types.
-You usually add a zone to represent the systems at the other end of the
-tunnel and you add the appropriate rules/policies to<br>
-implement your security policy regarding traffic to/from those systems.<br>
-&nbsp;<br>
-In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
-          <br>
-generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
-address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
-&nbsp;<br>
-where:<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
-used by the tunnel<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
-is 'udp' or 'tcp' then this is the destination port number used by the
-tunnel.<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
-the remote tunnel gateway<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
-address of the remote tunnel gateway.<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
-Optional. A comma-separated list of zone names. If specified, the
-remote gateway is to be considered part of these zones.</li>
-        <li>An 'arp_filter' option has been added to the
-/etc/shorewall/interfaces file. This option causes
-/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
-result that this interface will only answer ARP 'who-has' requests from
-hosts that are routed out through that interface. Setting this option
-facilitates testing of your firewall where multiple firewall interfaces
-are connected to the same HUB/Switch (all interfaces connected to the
-single HUB/Switch should have this option specified). Note that using
-such a configuration in a production environment is strongly
-recommended against.</li>
-        <li>The ADDRESS column in /etc/shorewall/masq may now include a
-comma-separated list of addresses and/or address ranges. Netfilter will
-use all listed addresses/ranges in round-robin fashion. \</li>
-        <li>An /etc/shorewall/accounting file has been added to allow
-for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
-documentation</a> for a description of this facility.</li>
-        <li>Bridge interfaces (br[0-9]) may now be used in
-/etc/shorewall/maclist.</li>
-        <li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
-/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
-rules, rate limiting occurs in the nat table DNAT rule; the
-corresponding ACCEPT rule in the filter table is not rate limited. If
-you want to limit the filter table rule, you will need o create two
-rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
-separately.<br>
-&nbsp;<br>
-          <span style="font-weight: bold;">Warning: </span>When rate
-limiting is specified on a rule with "all" in the SOURCE or DEST
-fields, the limit will apply to each pair of zones individually rather
-than as a single limit for all pairs of covered by the rule.<br>
-&nbsp;<br>
-To specify a rate limit, <br>
-          <br>
-a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
-&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
-&nbsp;<br>
-&nbsp;
-where<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
-&lt;interval&gt;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
-accepted within an &lt;interval&gt;. If not given, the default of 5 is
-assumed.<br>
-&nbsp;<br>
-There may be no white space between the ACTION and "&lt;" nor there may
-be any white space within the burst specification. If you want to
-specify logging of a rate-limited rule, the ":" and log level comes
-after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
-          <br>
-b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
-file. You may specify the rate limit there in the format:<br>
-          <br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
-&nbsp;<br>
-Let's take an example:<br>
-&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
-tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
-&nbsp;&nbsp;&nbsp; <br>
-The first time this rule is reached, the packet will be accepted; in
-fact, since the burst is 4, the first four packets will be accepted.
-After this, it will be 500ms (1 second divided by the rate<br>
-of 2) before a packet will be accepted from this rule, regardless of
-how many packets reach it. Also, every 500ms which passes without
-matching a packet, one of the bursts will be regained; if no packets
-hit the rule for 2 second, the burst will be fully recharged; back
-where we started.<br>
-        </li>
-        <li>Multiple chains may now be displayed in one "shorewall
-show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
-        <li>Output rules (those with $FW as the SOURCE) may now be
-limited to a set of local users and/or groups. See <a
- href="UserSets.html">http://shorewall.net/UserSets.html</a> for
-details.</li>
-      </ol>
-      <p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
-      <p>Thanks to Dave Kempe and Solutions First (<a
- href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
-there is now a Shorewall Mirror in Australia:</p>
-      <div style="margin-left: 40px;"><a
- href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
-      <font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
-      <p><b>8/26/2003 - French Version of the Shorewall Setup
-Guide&nbsp;</b></p>
-Thanks to Fabien <font size="3">Demassieux, there is now a <a
- href="shorewall_setup_guide_fr.htm">French translation of the
-Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
-- Shorewall 1.4.7 Beta 2</b><b> <img
- style="border: 0px solid ; width: 28px; height: 12px;"
- src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
-      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
- style="border: 0px solid ; width: 28px; height: 12px;"
- src="images/new10.gif" alt="(New)" title=""> <br>
+ src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b><b>
       </b></p>
-      <b>Problems Corrected since version 1.4.6:</b><br>
+Given the small number of new features and the relatively few lines of
+code that were changed, there will be no Beta for 1.4.8.<br>
+      <p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
+      <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
+      <br>
+      </b>Problems Corrected since version 1.4.7:<br>
+      </p>
       <ol>
-        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
-then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
-Control requires Mangle"; that problem has been corrected.</li>
-        <li>Corrected handling of MAC addresses in the SOURCE column of
+        <li>Tuomo Soini has supplied a correction to a problem that
+occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.</li>
+        <li>Andres Zhoglo has supplied a correction that avoids trying
+to use the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+          <br>
+        </li>
+        <li>Previously, if the following error message was issued,
+Shorewall was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
+          <br>
+        </li>
+        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
+been corrected.</li>
+        <li>In Shorewall 1.4.2, an optimization was added. This
+optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+        <li>When the MARK value in a tcrules entry is followed by ":F"
+or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.</li>
+        <li>An incorrect comment concerning Debian's use of the
+SUBSYSLOCK option has been removed from shorewall.conf.</li>
+        <li>Previously, neither the 'routefilter' interface option nor
 the
-tcrules file. Previously, these addresses resulted in an invalid
-iptables
-command.</li>
-        <li>The "shorewall stop" command is now disabled when
-/etc/shorewall/startup_disabled
-exists. This prevents people from shooting themselves in the foot prior
-to
-having configured Shorewall.</li>
-        <li>A change introduced in version 1.4.6 caused error messages
-during
-"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
-being
-added to a PPP interface; the addresses were successfully added in
-spite
-of the messages.<br>
-&nbsp;&nbsp; <br>
-The firewall script has been modified to eliminate the error messages.</li>
+ROUTE_FILTER parameter were working properly. This has been corrected
+(thanks to Eric Bowles for his analysis and patch). The definition of
+the ROUTE_FILTER option has changed however. Previously,
+ROUTE_FILTER=Yes was documented as enabling route filtering on all
+interfaces (which didn't work). Beginning with this release, setting
+ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
+up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
+coexist with the use of the 'routefilter' option in the interfaces file.</li>
+        <li>If MAC verification was enabled on an interface with a /32
+address and
+a broadcast address then an error would occur during startup.</li>
+      </ol>
+Migration Issues:<br>
+      <ol>
+        <li>The definition of the ROUTE_FILTER option in shorewall.conf
+has changed as described in item 8) above.<br>
+        </li>
+      </ol>
+New Features:<br>
+      <ol>
+        <li>A new QUEUE action has been introduced for rules. QUEUE
+allows
+you to pass connection requests to a user-space filter such as ftwall
+(http://p2pwall.sourceforge.net). The ftwall program
+allows for effective filtering of p2p applications such as Kazaa. For
+example, to use ftwall to filter P2P clients in the 'loc' zone, you
+would add the following rules:<br>
+          <br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
+&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
+          <br>
+You would normally want to place those three rules BEFORE any ACCEPT
+rules for loc-&gt;net udp or tcp.<br>
+          <br>
+Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
+Shorewall will only pass connection requests (SYN packets) to user
+space. This is for compatibility with ftwall.</li>
+        <li>A
+BLACKLISTNEWNONLY option has been added to shorewall.conf. When this
+option is set to "Yes", the blacklists (dynamic and static) are only
+consulted for new connection requests. When set to "No" (the default if
+the variable is not set), the blacklists are consulted on every packet.<br>
+          <br>
+Setting this option to "No" allows blacklisting to stop existing
+connections from a newly blacklisted host but is more expensive in
+terms of packet processing time. This is especially true if the
+blacklists contain a large number of entries.</li>
+        <li>Chain names used in the /etc/shorewall/accounting file may
+now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
+      </ol>
+      <p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
+bag awards </b><b><img
+ style="border: 0px solid ; width: 50px; height: 80px;"
+ src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
+1.4.7c released.</b> </p>
+      <ol>
+        <li>The saga with "&lt;zone&gt;_frwd" chains continues. The
+1.4.7c script
+produces a ruleset that should work for everyone even if it is not
+quite optimal. My apologies for this ongoing mess.</li>
+      </ol>
+      <p><b>10/24/2003 - Shorewall 1.4.7b</b><b> <img
+ style="border: 0px solid ; width: 28px; height: 12px;"
+ src="images/new10.gif" alt="(New)" title=""></b></p>
+      <p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
+      </p>
+      <ol>
+        <li>The fix for problem 5 in 1.4.7a was wrong with the result
+that
+"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
+is corrected in this release.<br>
+        </li>
+      </ol>
+      <p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
+      <p>This is a bugfix rollup of the following problem corrections:<br>
+      </p>
+      <ol>
+        <li>Tuomo Soini has supplied a correction to a problem that
+occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:<br>
+&nbsp;<br>
+&nbsp;&nbsp; local: --limit: bad variable name<br>
+&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:<br>
+&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
+&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
+information.<br>
+          <br>
+        </li>
+        <li>Andres Zhoglo has supplied a correction that avoids trying
+to use the multiport match iptables facility on ICMP rules.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
+to fail:<br>
+&nbsp;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
+icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
+          <br>
+        </li>
+        <li>Previously, if the following error message was issued,
+Shorewall was left in an inconsistent state.<br>
+&nbsp;<br>
+&nbsp;&nbsp; Error: Unable to determine the routes through
+interface xxx<br>
+          <br>
+        </li>
+        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
+been corrected.</li>
+        <li>In Shorewall 1.4.2, an optimization was added. This
+optimization
+involved creating a chain named "&lt;zone&gt;_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.</li>
+        <li>When the MARK value in a tcrules entry is followed by ":F"
+or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.</li>
       </ol>
       <p><b><a href="News.htm">More News</a></b></p>
       <b> </b>
@@ -453,44 +297,22 @@ Bering 1.2!!! </b><br>
       <h4><b> </b></h4>
       <b> </b>
       <h2><b>This site is hosted by the generous folks at <a
- href="http://www.sf.net">SourceForge.net</a> </b></h2>
-      <b> </b>
+ href="http://www.sf.net">SourceForge.net</a></b></h2>
+      <br>
+      <br>
       <h2><b><a name="Donations"></a>Donations</b></h2>
       <b> </b></td>
-      <td width="88" bgcolor="#3366ff" valign="top" align="center">
-      <form method="post"
- action="http://lists.shorewall.net/cgi-bin/htsearch">
-        <p><strong><br>
-        <font color="#ffffff"><b>Note: </b></font></strong> <font
- color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
-&nbsp;</p>
-        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
-        <font face="Arial" size="-1"> <input type="text" name="words"
- size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
-        <input type="hidden" name="format" value="long"> <input
- type="hidden" name="method" value="and"> <input type="hidden"
- name="config" value="htdig"> <input type="submit" value="Search"></font>
-        </p>
-        <font face="Arial"> <input type="hidden" name="exclude"
- value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
-      <p><font color="#ffffff"><b> <a
- href="http://lists.shorewall.net/htdig/search.html"> <font
- color="#ffffff">Extended Search</font></a></b></font></p>
-      <a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
- target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
- color="#ffffff"><small><small><small></small></small></small></font></a><br>
-      </td>
     </tr>
   </tbody>
 </table>
 </center>
 </div>
 <table border="0" cellpadding="5" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber2"
- bgcolor="#3366ff">
+ style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
+ id="AutoNumber2">
   <tbody>
     <tr>
-      <td width="100%" style="margin-top: 1px;">
+      <td style="width: 100%; margin-top: 1px;">
       <p align="center"><a href="http://www.starlight.org"> <img
  border="4" src="images/newlog.gif" width="57" height="100" align="left"
  hspace="10"> </a></p>
@@ -503,7 +325,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
     </tr>
   </tbody>
 </table>
-<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 11/17/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
 </body>
diff --git a/Shorewall-docs/standalone.htm b/Shorewall-docs/standalone.htm
index 6a2ca5ec8..dbbc6cd5d 100644
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@@ -9,17 +9,8 @@
   <title>Standalone Firewall</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber6" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Standalone Firewall<br>
+</h1>
 <p align="left">Setting up Shorewall on a standalone Linux system is
 very easy if you understand the basics and follow the documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features
@@ -113,7 +104,9 @@ first checked against the /etc/shorewall/rules file. If no rule in that
 file matches the connection request then the first policy in
 /etc/shorewall/policy that matches the request is applied. If that
 policy is REJECT or DROP&nbsp; the request is first checked against the
-rules in /etc/shorewall/common (the samples provide that file for you).</p>
+rules in /etc/shorewall/common if that file exists; otherwise the rules
+in /etc/shorewall/common.def are checked.<br>
+</p>
 <p>The /etc/shorewall/policy file included with the one-interface
 sample
 has the following policies:</p>
@@ -365,9 +358,15 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 Also, I don't recommend using "shorewall restart"; it is better to
 create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
- href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
+</p>
+<h2>Additional Recommended Reading</h2>
+I highly recommend that you review the <a
+ href="configuration_file_basics.htm">Common Configuration File
+Features page</a> -- it contains helpful tips about Shorewall features
+than make administering your firewall easier.<br>
 </div>
-<p align="left"><font size="2">Last updated 2/08/2003 - <a
+<p align="left"><font size="2">Last updated 11/15/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a></p>
diff --git a/Shorewall-docs/standalone_fr.html b/Shorewall-docs/standalone_fr.html
index 4b21a122b..fa5380532 100755
--- a/Shorewall-docs/standalone_fr.html
+++ b/Shorewall-docs/standalone_fr.html
@@ -1,471 +1,426 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-           
   <meta http-equiv="Content-Language" content="en-us">
-           
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-           
   <meta name="ProgId" content="FrontPage.Editor.Document">
-           
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Standalone Firewall</title>
 </head>
-  <body>
-     
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber6" bgcolor="#3366ff" height="90">
-     <tbody>
-       <tr>
-         <td width="100%">                     
-      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
-         </td>
-       </tr>
-           
-  </tbody>   
-</table>
-     
-<h2 align="center">Version 2.0.1 Française</h2>
-     
+<body>
+<h1 style="text-align: center;">Standalone Firewall</h1>
 <p align="left"><small><i><u>Notes du traducteur</u> :<br>
-   Je ne prétends pas être un vrai traducteur dans le sens ou mon travail 
-n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une 
-traduction exacte du texte, mais plutôt à en faire une version française intelligible
-par tous (et par moi). Les termes techniques sont la plupart du temps conservés
-sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
-dans le reste des documentations ainsi que dans les fichiers de configuration.
+Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
+n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
+une traduction exacte du texte, mais plutôt à en faire une version
+française intelligible
+par tous (et par moi). Les termes techniques sont la plupart du temps
+conservés
+sous leur forme originale et mis entre parenthèses car vous pouvez les
+retrouver
+dans le reste des documentations ainsi que dans les fichiers de
+configuration.
 N?hésitez pas à me contacter afin d?améliorer ce document <a
- href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
-pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
+ href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
+JMM
+pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
+pour
 son formidable outil et sa disponibilité)</i><i>.</i></small></p>
-     
-<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
- pour un petit réseau est une chose assez simple, si vous comprenez les bases
- et suivez la documentation.</p>
-     
-<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
-se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
+<p align="left">Mettre en place un système Linux en tant que firewall
+(écluse) pour un petit réseau est une chose assez simple, si vous
+comprenez les bases et suivez la documentation.</p>
+<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
+Il
+se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
+son
 utilisation la plus courante :</p>
-     
 <ul>
-     <li>Un système Linux</li>
-     <li>Une seule adresse IP externe</li>
-     <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
- rtc...</li>
-     
+  <li>Un système Linux</li>
+  <li>Une seule adresse IP externe</li>
+  <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
+Relay, rtc...</li>
 </ul>
-     
-<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
-Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
- ip sur votre système de firewall. Sous root, utilisez la commande 'which'
- pour rechercher le programme :</p>
-     
+<p>Ce guide suppose que vous avez le paquet iproute/iproute2
+d'installé.
+Vous pouvez voir si le paquet est installé en vérifiant la présence du
+programme ip sur votre système de firewall. Sous root, utilisez la
+commande 'which' pour rechercher le programme :</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-     
-<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
- vous familiariser avec ce qu'il va se passer, et de revenir au début en
-effectuant  le changements dans votre configuration. Les points, où les changements
-dans  la configuration sont recommandées, sont signalés par une <img
- border="0" src="images/BD21298_.gif" width="13" height="13">
-   .</p>
-     
-<p><img border="0" src="images/j0213519.gif" width="60" height="60">
-   Si vous éditez vos fichiers de configuration sur un système Windows, vous 
- devez les sauver comme des fichiers Unix si votre éditeur supporte cette 
-option sinon vous devez les faire passer par dos2unix avant d'essayer de les
-utiliser. De la même manière, si vous copiez un fichier de configuration depuis
-votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
+<p>Je vous recommande dans un premier temps de parcourir tout le guide
+pour vous familiariser avec ce qu'il va se passer, et de revenir au
+début en
+effectuant le changements dans votre configuration. Les points, où les
+changements
+dans la configuration sont recommandées, sont signalés par une <img
+ border="0" src="images/BD21298_.gif" width="13" height="13"> .</p>
+<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
+vous éditez vos fichiers de configuration sur un système Windows, vous
+devez les sauver comme des fichiers Unix si votre éditeur supporte
+cette option sinon vous devez les faire passer par dos2unix avant
+d'essayer de les
+utiliser. De la même manière, si vous copiez un fichier de
+configuration depuis
+votre disque dur Windows vers une disquette, vous devez lancer dos2unix
+sur
 la copie avant de l'utiliser avec Shorewall.</p>
-     
 <ul>
-     <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
- of    dos2unix</a></li>
-     <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-Version  of    dos2unix</a></li>
-     
+  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
+of dos2unix</a></li>
+  <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
+Version of dos2unix</a></li>
 </ul>
-     
 <h2 align="left">Les Concepts de Shorewall</h2>
-     
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
- alt="">
-   Les fichiers de configuration pour Shorewall sont situés dans le répertoire
-  /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
- quelques un d'entre eux comme décris dans ce guide. Après avoir <a
- href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
- href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface  sample</a>, 
-un-tarez le  (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall 
- (Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall 
-installés lors de l'installation de Shorewall)</b>.</p>
-     
-<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
- physiquement présents sur votre système -- chacun des fichiers contient
-des  instructions de configuration détaillées et des entrées par défaut.</p>
-     
-<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
- <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
+ alt=""> Les fichiers de configuration pour Shorewall sont situés dans
+le répertoire /etc/shorewall -- pour de simples paramétrages, vous
+n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
+guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
+le <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
+sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
+fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
+déjà existant dans /etc/shorewall installés lors de l'installation de
+Shorewall)</b>.</p>
+<p>Parallèlement à la description, je vous suggère de jeter un oeil à
+ceux physiquement présents sur votre système -- chacun des fichiers
+contient
+des instructions de configuration détaillées et des entrées par défaut.</p>
+<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
+de <i>zones.</i> Dans les fichiers de configuration fournis pour une
+unique
 interface, une seule zone est définie :</p>
-     
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
  cellspacing="0" id="AutoNumber2">
-     <tbody>
-       <tr>
-         <td><u><b>Name</b></u></td>
-         <td><u><b>Description</b></u></td>
-       </tr>
-       <tr>
-         <td><b>net</b></td>
-         <td><b>The Internet</b></td>
-       </tr>
-           
-  </tbody>   
+  <tbody>
+    <tr>
+      <td><u><b>Name</b></u></td>
+      <td><u><b>Description</b></u></td>
+    </tr>
+    <tr>
+      <td><b>net</b></td>
+      <td><b>The Internet</b></td>
+    </tr>
+  </tbody>
 </table>
-     
 <p>Les zones de Shorewall sont définies dans <a
  href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
-     
-<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
-- par défaut,    le firewall lui-même est connu en tant que <b>fw</b>.</p>
-     
-<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
- en utilisant les termes de zones.</p>
-     
+<p>Shorewall reconnaît aussi le système de firewall comme sa propre
+zone
+- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
+<p>Les règles concernant le trafic à autoriser ou à interdire sont
+exprimées en utilisant les termes de zones.</p>
 <ul>
-     <li>Vous exprimez les politiques par défaut pour les connexions d'une 
-zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
-     </a>.</li>
-     <li>Vous définissez les exceptions à ces règles de politiques par défaut
- dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
-     
+  <li>Vous exprimez les politiques par défaut pour les connexions d'une
+zone à une autre dans le fichier<a href="Documentation.htm#Policy">
+/etc/shorewall/policy </a>.</li>
+  <li>Vous définissez les exceptions à ces règles de politiques par
+défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ul>
-     
-<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
- demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
- Si aucune des règles dans ce fichier ne correspondent, alors la première
-politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
-politique est REJECT ou DROP la requête est alors comparée par rapport aux
-règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
+<p>Pour chacune des demandes de connexion entrantes dans le firewall,
+les demandes sont en premier lieu comparées par rapport au fichier
+/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
+correspondent, alors la première
+politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
+cette
+politique est REJECT ou DROP la requête est alors comparée par rapport
+aux
+règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
+fournit
 ce fichier).</p>
-     
-<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
- a les politiques suivantes :</p>
-     
-<blockquote>         
+<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
+one-interface a les politiques suivantes :</p>
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
-       <tbody>
-         <tr>
-           <td><u><b>SOURCE ZONE</b></u></td>
-           <td><u><b>DESTINATION ZONE</b></u></td>
-           <td><u><b>POLICY</b></u></td>
-           <td><u><b>LOG LEVEL</b></u></td>
-           <td><u><b>LIMIT:BURST</b></u></td>
-         </tr>
-         <tr>
-           <td>fw</td>
-           <td>net</td>
-           <td>ACCEPT</td>
-           <td> <br>
-           </td>
-           <td> <br>
-           </td>
-         </tr>
-         <tr>
-           <td>net</td>
-           <td>all<br>
-           </td>
-           <td>DROP</td>
-           <td>info</td>
-           <td> <br>
-           </td>
-         </tr>
-         <tr>
-           <td>all</td>
-           <td>all</td>
-           <td>REJECT</td>
-           <td>info</td>
-           <td> <br>
-           </td>
-         </tr>
-                 
-    </tbody>         
+    <tbody>
+      <tr>
+        <td><u><b>SOURCE ZONE</b></u></td>
+        <td><u><b>DESTINATION ZONE</b></u></td>
+        <td><u><b>POLICY</b></u></td>
+        <td><u><b>LOG LEVEL</b></u></td>
+        <td><u><b>LIMIT:BURST</b></u></td>
+      </tr>
+      <tr>
+        <td>fw</td>
+        <td>net</td>
+        <td>ACCEPT</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>all<br>
+        </td>
+        <td>DROP</td>
+        <td>info</td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>all</td>
+        <td>all</td>
+        <td>REJECT</td>
+        <td>info</td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-     
+</blockquote>
 <pre>  </pre>
-   Ces politiques vont :   
+Ces politiques vont :
 <ol>
-     <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
-     <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet 
-vers votre  firewall</li>
-     <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
- de cette politique).</li>
-     
+  <li>permettre toutes demandes de connexion depuis le firewall vers
+l'Internet</li>
+  <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
+vers votre firewall</li>
+  <li>rejeter toutes les autres requêtes de connexion (Shorewall à
+besoin de cette politique).</li>
 </ol>
-     
-<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
- que vous désirez.</p>
-     
+<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
+changements que vous désirez.</p>
 <h2 align="left">Interface Externe</h2>
-     
-<p align="left">Le firewall possède une seule interface réseau. Lorsque la
- connexion Internet passe par un modem câble ou par un routeur ADSL (pas
-un  simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
- ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
- par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
- (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) 
- dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
- par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. 
- Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
- sera<b> ippp0.</b></p>
-     
+<p align="left">Le firewall possède une seule interface réseau. Lorsque
+la connexion Internet passe par un modem câble ou par un routeur ADSL
+(pas
+un simple modem), l'<i>External Interface</i> (interface externe) sera
+l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u>
+vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
+over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
+dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
+connectez par un simple modem (RTC), votre interface externe sera aussi
+<b>ppp0</b>. Si vous vous connectez en utilisant l'ISDN (numéris),
+votre interface externe sera<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
- height="13">
-   L'exemple de configuration de Shorewall pour une interface suppose que 
-votre interface externe est <b>eth0</b>.  Si votre configuration est différente,
- vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
-  Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
- spécifiées pour l'interface. Quelques astuces :</p>
-     
+ height="13"> L'exemple de configuration de Shorewall pour une
+interface suppose que votre interface externe est <b>eth0</b>. Si
+votre configuration est différente, vous devrez modifier le fichier
+d'exemple /etc/shorewall/interfaces en conséquence. Puisque vous y
+êtes, vous pourriez parcourir la liste d'options qui sont spécifiées
+pour l'interface. Quelques astuces :</p>
 <ul>
-     <li>               
-    <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>, 
- vous pouvez remplacer le    "detect" dans la seconde colonne par un "-".
-     </p>
-     </li>
-     <li>               
-    <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b> 
- ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
- de la liste d'option. </p>
-     </li>
-     
+  <li>
+    <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
+vous pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
+  </li>
+  <li>
+    <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
+ou bien si vous avez une adresse IP statique, vous pouvez enlever le
+"dhcp" de la liste d'option. </p>
+  </li>
 </ul>
-     
-<div align="left">   
+<div align="left">
 <h2 align="left">Adresse IP</h2>
-   </div>
-     
-<div align="left">   
-<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
+</div>
+<div align="left">
+<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
+privée
 (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
-     
-<div align="left">   
+<div align="left">
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-   </div>
-     
-<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i> 
- car les routeurs sur les backbones Internet ne font pas passer les paquets
- dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
- cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
- le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
- lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
-     
+</div>
+<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
+car les routeurs sur les backbones Internet ne font pas passer les
+paquets dont les adresses de destinations sont définies dans la RFC
+1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
+ces adresses et utilisent le <i>Network Address Translation </i>afin
+de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
+ou vers l'Internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
- width="13" height="13">
-   Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
- externe et si elle est comprise dans une des plages précédentes, vous devriez
- enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
-   </div>
-     
-<div align="left">   
+ width="13" height="13"> Avant de lancer Shorewall, vous devriez
+regarder l'adresse de votre interface externe et si elle est comprise
+dans une des plages précédentes, vous devriez enlever l'option
+'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
+</div>
+<div align="left">
 <h2 align="left">Permettre d'autres connexions</h2>
-   </div>
-     
-<div align="left">   
-<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
- vers votre   firewall, le format général est :</p>
-   </div>
-     
-<div align="left">   
-<blockquote>         
+</div>
+<div align="left">
+<p align="left">Si vous désirez autoriser d'autres connexions depuis
+l'Internet vers votre firewall, le format général est :</p>
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-       <tbody>
-         <tr>
-           <td><u><b>ACTION</b></u></td>
-           <td><u><b>SOURCE</b></u></td>
-           <td><u><b>DESTINATION</b></u></td>
-           <td><u><b>PROTOCOL</b></u></td>
-           <td><u><b>PORT</b></u></td>
-           <td><u><b>SOURCE PORT</b></u></td>
-           <td><u><b>ORIGINAL ADDRESS</b></u></td>
-         </tr>
-         <tr>
-           <td>ACCEPT</td>
-           <td>net</td>
-           <td>fw</td>
-           <td><i>&lt;protocol&gt;</i></td>
-           <td><i>&lt;port&gt;</i></td>
-           <td> <br>
-           </td>
-           <td> <br>
-           </td>
-         </tr>
-                 
-    </tbody>         
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td><i>&lt;protocol&gt;</i></td>
+        <td><i>&lt;port&gt;</i></td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-   </div>
-     
-<div align="left">   
-<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
+un
 serveur POP3 sur votre système de firewall :</p>
-   </div>
-     
-<div align="left">   
-<blockquote>         
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber5">
-       <tbody>
-         <tr>
-           <td><u><b>ACTION</b></u></td>
-           <td><u><b>SOURCE</b></u></td>
-           <td><u><b>DESTINATION</b></u></td>
-           <td><u><b>PROTOCOL</b></u></td>
-           <td><u><b>PORT</b></u></td>
-           <td><u><b>SOURCE PORT</b></u></td>
-           <td><u><b>ORIGINAL ADDRESS</b></u></td>
-         </tr>
-         <tr>
-           <td>ACCEPT</td>
-           <td>net</td>
-           <td>fw</td>
-           <td>tcp</td>
-           <td>80</td>
-           <td> <br>
-           </td>
-           <td> <br>
-           </td>
-         </tr>
-         <tr>
-           <td>ACCEPT</td>
-           <td>net</td>
-           <td>fw</td>
-           <td>tcp</td>
-           <td>110</td>
-           <td> <br>
-           </td>
-           <td> <br>
-           </td>
-         </tr>
-                 
-    </tbody>         
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>80</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>110</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-   </div>
-     
-<div align="left">   
-<p align="left">Si vous ne savez pas quel port ou protocole une application
- particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
-   </div>
-     
-<div align="left">   
-<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
- telnet depuis ou vers l'Internet car il utilise du texte en clair (même
-pour  le login et le mot de passe !). Si vous voulez avoir un accès au shell
-de  votre firewall depuis Internet, utilisez SSH :</p>
-   </div>
-     
-<div align="left">   
-<blockquote>         
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Si vous ne savez pas quel port ou protocole une
+application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
+</div>
+<div align="left">
+<p align="left"><b>Important: </b>Je ne vous recommande pas
+d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
+en clair (même
+pour le login et le mot de passe !). Si vous voulez avoir un accès au
+shell
+de votre firewall depuis Internet, utilisez SSH :</p>
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-       <tbody>
-         <tr>
-           <td><u><b>ACTION</b></u></td>
-           <td><u><b>SOURCE</b></u></td>
-           <td><u><b>DESTINATION</b></u></td>
-           <td><u><b>PROTOCOL</b></u></td>
-           <td><u><b>PORT</b></u></td>
-           <td><u><b>SOURCE PORT</b></u></td>
-           <td><u><b>ORIGINAL ADDRESS</b></u></td>
-         </tr>
-         <tr>
-           <td>ACCEPT</td>
-           <td>net</td>
-           <td>fw</td>
-           <td>tcp</td>
-           <td>22</td>
-           <td> <br>
-           </td>
-           <td> <br>
-           </td>
-         </tr>
-                 
-    </tbody>         
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>22</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-   </div>
-     
-<div align="left">   
+</blockquote>
+</div>
+<div align="left">
 <pre>     ACCEPT	net	fw	tcp	22</pre>
-   </div>
-     
-<div align="left">   
+</div>
+<div align="left">
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
- height="13">
-   A ce point, éditez    /etc/shorewall/rules pour rajouter les autres connexions
- désirées.</p>
-   </div>
-     
-<div align="left">   
+ height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter les
+autres connexions désirées.</p>
+</div>
+<div align="left">
 <h2 align="left">Lancer et Arrêter son Firewall</h2>
-   </div>
-     
-<div align="left">   
+</div>
+<div align="left">
 <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
- height="13" alt="Arrow">
-   La <a href="Install.htm">procédure d'installation </a> configure votre 
-système pour lancer Shorewall au boot du système, mais au début avec la version 
-1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
- avec que la configuration soit finie. Une fois que vous en aurez fini avec
- la configuration du firewall, vous pouvez permettre le lancement de Shorewall
- en supprimant le fichier /etc/shorewall/startup_disabled.<br>
-   </p>
-     
-<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
-des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
-   </p>
-   </div>
-     
-<div align="left">   
-<p align="left">Le firewall est activé en utilisant la commande "shorewall
- start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
-le  routage est autorisé sur les hôtes qui possèdent une entrée dans <a
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
- firewall qui tourne peut être relancé en utilisant la commande "shorewall
- restart".   Si vous voulez enlever toutes traces de Shorewall sur votre
-configuration  de Netfilter, utilisez "shorewall clear".</p>
-   </div>
-     
-<div align="left">   
-<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
-depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
-n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
-vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
-  De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
- il est plus intéressant de créer une <i><a
- href="configuration_file_basics.htm#Configs">configuration alternative</a></i> 
- et de la tester en utilisant la commande <a
- href="starting_and_stopping_shorewall.htm">"shorewall  try"</a>.</p>
-   </div>
-     
+ height="13" alt="Arrow"> La <a href="Install.htm">procédure
+d'installation </a> configure votre système pour lancer Shorewall au
+boot du système, mais au début avec la version 1.3.9 de Shorewall le
+lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
+configuration soit finie. Une fois que vous en aurez fini avec la
+configuration du firewall, vous pouvez permettre le lancement de
+Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
+</p>
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
+utilisateurs
+des paquets .deb doivent éditer /etc/default/shorewall et mettre
+'startup=1'.</font><br>
+</p>
+</div>
+<div align="left">
+<p align="left">Le firewall est activé en utilisant la commande
+"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
+est stoppé,
+le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
+ href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+Un firewall qui tourne peut être relancé en utilisant la commande
+"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
+sur votre
+configuration de Netfilter, utilisez "shorewall clear".</p>
+</div>
+<div align="left">
+<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
+firewall
+depuis Internet, n'essayez pas une commande "shorewall stop" tant que
+vous
+n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de
+laquelle
+vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+De la même manière, je ne vous recommande pas d'utiliser "shorewall
+restart"; il est plus intéressant de créer une <i><a
+ href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
+et de la tester en utilisant la commande <a
+ href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
+</div>
 <p align="left"><font size="2">Last updated 12/9/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
-     
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
- M. Eastep</font></a></p>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-  <br>
- <br>
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
+Thomas M. Eastep</font></a></p>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/starting_and_stopping_shorewall.htm b/Shorewall-docs/starting_and_stopping_shorewall.htm
index 061924369..cef5ea24c 100644
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@@ -9,19 +9,12 @@
   <title>Starting and Stopping Shorewall</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Starting/Stopping and
-Monitoring the Firewall</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<p> If you have a permanent internet connection such as DSL or Cable, I
+<div style="text-align: center;">
+<h1>Starting/Stopping and Monitoring the Firewall<br>
+</h1>
+</div>
+<p><br>
+If you have a permanent internet connection such as DSL or Cable, I
 recommend that you start the firewall automatically at boot. Once you
 have installed "firewall" in your init.d directory, simply type
 "chkconfig --add firewall". This will start the firewall in run levels
@@ -44,7 +37,7 @@ restart" in that script.</li>
 <p> </p>
 <p> You can manually start and stop Shoreline Firewall using the
 "shorewall" shell program. Please refer to the <a
- href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
+ href="starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
 State Diagram</a> is shown at the bottom of this page. </p>
 <ul>
   <li>shorewall start - starts the firewall</li>
diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm
index 78b4b75d7..76dd2c49c 100644
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@@ -7,19 +7,11 @@
   <title>Shorewall Support Guide</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
- src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
-      </font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
+Support Guide <font><font color="#ffffff"><img
+ src="images/obrasinf.gif" alt=""
+ style="width: 90px; height: 90px; color: rgb(51, 0, 51);"
+ align="middle" title=""></font></font></h1>
 <h2>Before Reporting a Problem or Asking a Question<br>
 </h2>
 There are a number of sources of Shorewall information. Please try
@@ -29,15 +21,15 @@ these before you post.
   </li>
   <li>More than half of the questions posted on the support list have
 answers directly accessible from the <a
- href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation
 Index</a><br>
   </li>
-  <li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
+  <li> The <a href="FAQ.htm">FAQ</a> has
 solutions to more than 20 common problems. </li>
-  <li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
+  <li> The <a href="troubleshoot.htm">Troubleshooting</a>
 Information contains a number of tips
 to help you solve common problems. </li>
-  <li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
+  <li> The <a href="errata.htm"> Errata</a>
 has links to download updated components. </li>
   <li> The Site and Mailing List Archives search facility can locate
 documents and posts about similar problems: </li>
@@ -98,6 +90,13 @@ error messages, log entries, command output, and other output is
 better than a paraphrase or summary.<br>
     <br>
   </li>
+  <li>Please don't describe your problem as "Computer A can't see
+Computer B". Of course it can't -- it hasn't any eyes! If ping from A
+to B fails, say so (and see below for information about reporting
+'ping' problems). If Computer B doesn't show up in "Network
+Neighborhood" then say so. <br>
+    <br>
+  </li>
   <li> Please don't describe your environment and then ask us to send
 you custom configuration files. We're here to answer your questions but
 we can't do your job for you.<br>
@@ -143,7 +142,11 @@ problem is that some type of connection to/from or through your
 firewall
 isn't working then please perform the following four steps:<br>
       <br>
-1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
+1. <b><font color="#009900"><span style="color: rgb(0, 0, 0);">If
+shorewall isn't running then </span></font></b><font color="#009900"
+ style="font-weight: bold; color: rgb(0, 153, 0);">/sbin/shorewall/start</font><b><font
+ color="#009900"><span style="color: rgb(0, 0, 0);">. Otherwise</span>
+/sbin/shorewall reset<span style="color: rgb(0, 0, 0);">.</span></font></b><br>
       <br>
 2. Try making the connection that is failing.<br>
       <br>
@@ -189,7 +192,7 @@ unless one also knows the policies).<br>
   </li>
   <li>If an error occurs when you try to "<font color="#009900"><b>shorewall
 start</b></font>", include a trace (See the <a
- href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
+ href="troubleshoot.htm">Troubleshooting</a>
 section for instructions).<br>
     <br>
   </li>
@@ -232,7 +235,10 @@ you can post non MNF-specific Shorewall questions to the </b><a
 mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
   <p>Otherwise, please post your question or problem to the <a
  href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
-mailing list.</a> </p>
+mailing list.</a><span style="font-weight: bold;"> IMPORTANT: </span>If
+you are not subscribed to the list, please say so -- otherwise, you
+will not be included in any replies.<br>
+  </p>
 </blockquote>
 <h2>Subscribing to the Users Mailing List<br>
 </h2>
@@ -245,7 +251,7 @@ mailing list.</a> </p>
 <p>For information on other Shorewall mailing lists, go to <a
  href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
 </p>
-<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 11/12/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
  size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
 Eastep.</font></a></font><br>
diff --git a/Shorewall-docs/three-interface.htm b/Shorewall-docs/three-interface.htm
index c8cd300d3..50b01becf 100644
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@@ -9,17 +9,8 @@
   <title>Three-Interface Firewall</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber5" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Three-Interface Firewall<br>
+</h1>
 <p align="left">Setting up a Linux system as a firewall for a small
 network with DMZ is a fairly straight-forward task if you understand
 the basics and follow the documentation.</p>
@@ -28,7 +19,11 @@ of Shorewall. It rather focuses on what is required to configure
 Shorewall in one of its more popular configurations:</p>
 <ul>
   <li>Linux system used as a firewall/router for a small local network.</li>
-  <li>Single public IP address.</li>
+  <li style="font-weight: bold;">Single public IP address. If you have
+more than one public IP address, this is not the guide you want -- see
+the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
+instead.<br>
+  </li>
   <li>DMZ connected to a separate ethernet interface.</li>
   <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
 ...</li>
@@ -128,7 +123,9 @@ file matches the connection request then the first policy in
 /etc/shorewall/policy that matches the request is applied. If that
 policy is REJECT
 or DROP&nbsp; the request is first checked against the rules in
-/etc/shorewall/common (the samples provide that file for you).</p>
+/etc/shorewall/common if that file exists; otherwise the file
+/etc/shorewall/common.def is checked<br>
+</p>
 <p>The /etc/shorewall/policy file included with the three-interface
 sample has the following policies:</p>
 <blockquote>
@@ -1064,9 +1061,15 @@ from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>
 Also, I don't recommend using "shorewall restart"; it is better to
 create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
- href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
+</p>
+<h2>Additional Recommended Reading</h2>
+I highly recommend that you review the <a
+ href="configuration_file_basics.htm">Common Configuration File
+Features page</a> -- it contains helpful tips about Shorewall features
+than make administering your firewall easier.
 </div>
-<p align="left"><font size="2">Last updated 8/8/2003 - <a
+<p align="left"><font size="2">Last updated 11/15/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a><br>
diff --git a/Shorewall-docs/three-interface_fr.html b/Shorewall-docs/three-interface_fr.html
index 4a0d35712..4165e7db7 100755
--- a/Shorewall-docs/three-interface_fr.html
+++ b/Shorewall-docs/three-interface_fr.html
@@ -1,1197 +1,1125 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                
   <meta http-equiv="Content-Language" content="en-us">
-                
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Three-Interface Firewall</title>
 </head>
-  <body>
-        
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber5" bgcolor="#3366ff" height="90">
-       <tbody>
-         <tr>
-           <td width="100%">                            
-      <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
-           </td>
-         </tr>
-                
-  </tbody>    
-</table>
-        
-<h2 align="center">Version 2.0.1 Française</h2>
-        
+<body>
+<h1 style="text-align: center;">&nbsp;Three-Interface Firewall</h1>
 <p align="left"><small><i><u>Notes du traducteur</u> :<br>
-     Je ne prétends pas être un vrai traducteur dans le sens ou mon travail 
- n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une 
- traduction exacte du texte, mais plutôt à en faire une version française 
-intelligible par tous (et par moi). Les termes techniques sont la plupart 
-du temps conservés sous leur forme originale et mis entre parenthèses car 
-vous pouvez les retrouver dans le reste des documentations ainsi que dans 
-les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer 
-ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> 
-(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à 
-Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
-        
+Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
+n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à
+une traduction exacte du texte, mais plutôt à en faire une version
+française intelligible par tous (et par moi). Les termes techniques
+sont la plupart du temps conservés sous leur forme originale et mis
+entre parenthèses car vous pouvez les retrouver dans le reste des
+documentations ainsi que dans les fichiers de configuration. N?hésitez
+pas à me contacter afin d?améliorer ce document <a
+ href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
+JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom
+EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
 <p align="left"><br>
-     Mettre en place un système linux en tant que firewall pour un petit
-réseau   contenant une DMZ est une chose assez simple à réaliser si vous
-comprenez   les bases et suivez cette documentation.</p>
-        
-<p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
-  de Shorewall. Il se focalise sur les besoins pour configurer Shorewall
-dans   une de ses utilisations les plus populaire :</p>
-        
+Mettre en place un système linux en tant que firewall pour un petit
+réseau contenant une DMZ est une chose assez simple à réaliser si vous
+comprenez les bases et suivez cette documentation.</p>
+<p>Ce guide ne prétend pas vous mettre au courant de toutes les
+possibilités de Shorewall. Il se focalise sur les besoins pour
+configurer Shorewall
+dans une de ses utilisations les plus populaire :</p>
 <ul>
-       <li>Un système Linux utilisé en tant que firewall/routeur pour un
-petit   réseau local.</li>
-       <li>Une seule adresse IP publique.</li>
-       <li>Une DMZ connectée sur une interface Ethernet séparée.</li>
-       <li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame
-Relay,   RTC,     ...</li>
-        
+  <li>Un système Linux utilisé en tant que firewall/routeur pour un
+petit réseau local.</li>
+  <li>Une seule adresse IP publique.</li>
+  <li>Une DMZ connectée sur une interface Ethernet séparée.</li>
+  <li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame
+Relay, RTC, ...</li>
 </ul>
-        
 <p align="left">Voici le schéma d'une installation typique.</p>
-        
 <p align="center"> <img border="0" src="images/dmz1.png" width="692"
- height="635">
-     </p>
-        
-<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
-Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
-  ip sur votre système de firewall. Sous root, utilisez la commande 'which'
-  pour rechercher le programme :</p>
-        
+ height="635"> </p>
+<p>Ce guide suppose que vous avez le paquet iproute/iproute2
+d'installé.
+Vous pouvez voir si le paquet est installé en vérifiant la présence du
+programme ip sur votre système de firewall. Sous root, utilisez la
+commande 'which' pour rechercher le programme :</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-        
-<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
-  vous familiariser avec ce qu'il va se passer, et de revenir au début en
-effectuant  le changements dans votre configuration. Les points où, les changements
-dans  la configuration sont recommandées, sont signalés par une <img
- border="0" src="images/BD21298_.gif" width="13" height="13">
-     </p>
-        
-<p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     Si vous éditez vos fichiers de configuration sur un système Windows, 
-vous  devez les sauver comme des fichiers Unix si votre éditeur offre cette 
-option  sinon vous devez les faire passer par dos2unix avant d'essayer de 
-les utiliser.  De la même manière, si vous copiez un fichier de configuration 
-depuis votre  disque dur Windows vers une disquette, vous devez lancer dos2unix 
-sur la copie avant de l'utiliser avec Shorewall.</p>
-        
+<p>Je vous recommande dans un premier temps de parcourir tout le guide
+pour vous familiariser avec ce qu'il va se passer, et de revenir au
+début en
+effectuant le changements dans votre configuration. Les points où, les
+changements
+dans la configuration sont recommandées, sont signalés par une <img
+ border="0" src="images/BD21298_.gif" width="13" height="13"> </p>
+<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
+vous éditez vos fichiers de configuration sur un système Windows, vous
+devez les sauver comme des fichiers Unix si votre éditeur offre cette
+option sinon vous devez les faire passer par dos2unix avant d'essayer
+de les utiliser. De la même manière, si vous copiez un fichier de
+configuration depuis votre disque dur Windows vers une disquette, vous
+devez lancer dos2unix sur la copie avant de l'utiliser avec Shorewall.</p>
 <ul>
-       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
- of    dos2unix</a></li>
-       <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
- Version  of    dos2unix</a></li>
-        
+  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
+of dos2unix</a></li>
+  <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
+Version of dos2unix</a></li>
 </ul>
-        
 <h2 align="left">Les Concepts de Shorewall</h2>
-        
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
- alt="">
-     Les fichiers de configuration pour Shorewall sont situés dans le répertoire
-   /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
-  quelques un d'entre eux comme décris dans ce guide. Après avoir <a
- href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
-  d'exemple <a href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
-  sample</a>, un-tarez la  (tar -zxvf three-interfaces.tgz) </b><b>et copiez
-  les fichiers vers /etc/shorewall  (Ils remplaceront les fichiers de même
- nom déjà existant dans /etc/shorewall installés lors de l'installation de
- Shorewall)</b>.</p>
-        
-<p>En même temps que chacun des fichiers est présenté, je vous suggère de
-  jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
-  des fichiers contient des instructions de configuration détaillées et des
-  entrées par défaut.</p>
-        
-<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
-  <i>zones.</i> Dans les fichiers de configuration fournis pour trois interfaces,
-  trois zones sont définies :</p>
-        
+ alt=""> Les fichiers de configuration pour Shorewall sont situés dans
+le répertoire /etc/shorewall -- pour de simples paramétrages, vous
+n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
+guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
+la configuration d'exemple <a
+ href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
+sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et
+copiez les fichiers vers /etc/shorewall (Ils remplaceront les fichiers
+de même nom déjà existant dans /etc/shorewall installés lors de
+l'installation de Shorewall)</b>.</p>
+<p>En même temps que chacun des fichiers est présenté, je vous suggère
+de jeter un oeil à ceux qui se trouvent réellement sur votre système --
+chacun des fichiers contient des instructions de configuration
+détaillées et des entrées par défaut.</p>
+<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
+de <i>zones.</i> Dans les fichiers de configuration fournis pour trois
+interfaces, trois zones sont définies :</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
  cellspacing="0" id="AutoNumber2">
-       <tbody>
-         <tr>
-           <td><u><b>Name</b></u></td>
-           <td><u><b>Description</b></u></td>
-         </tr>
-         <tr>
-           <td><b>net</b></td>
-           <td><b>The Internet</b></td>
-         </tr>
-         <tr>
-           <td><b>loc</b></td>
-           <td><b>Votre réseau local</b></td>
-         </tr>
-         <tr>
-           <td><b>dmz</b></td>
-           <td><b>Zone </b><b>Demilitarisée</b></td>
-         </tr>
-                
-  </tbody>    
+  <tbody>
+    <tr>
+      <td><u><b>Name</b></u></td>
+      <td><u><b>Description</b></u></td>
+    </tr>
+    <tr>
+      <td><b>net</b></td>
+      <td><b>The Internet</b></td>
+    </tr>
+    <tr>
+      <td><b>loc</b></td>
+      <td><b>Votre réseau local</b></td>
+    </tr>
+    <tr>
+      <td><b>dmz</b></td>
+      <td><b>Zone </b><b>Demilitarisée</b></td>
+    </tr>
+  </tbody>
 </table>
-        
 <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
-        
-<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
-- par défaut,    le firewall lui même est connu en tant que <b>fw</b>.</p>
-        
-<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
-  en utilisant les termes de zones.</p>
-        
+<p>Shorewall reconnaît aussi le système de firewall comme sa propre
+zone
+- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
+<p>Les règles concernant le trafic à autoriser ou à interdire sont
+exprimées en utilisant les termes de zones.</p>
 <ul>
-       <li>Vous exprimez les politiques par défaut pour les connexions d'une 
- zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
-      </a>.</li>
-       <li>Vous définissez les exceptions à ces règles de politiques par
-défaut   dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
-        
+  <li>Vous exprimez les politiques par défaut pour les connexions d'une
+zone à une autre dans le fichier<a href="Documentation.htm#Policy">
+/etc/shorewall/policy </a>.</li>
+  <li>Vous définissez les exceptions à ces règles de politiques par
+défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ul>
-        
-<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
-  demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
-  Si aucune des règles dans ce fichier ne correspondent, alors la première
- politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
-cette  politique est REJECT ou DROP la requête est alors comparée par rapport
-aux  règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
-fournit  ce fichier).</p>
-        
-<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
-  sample a les politiques suivantes :</p>
-        
-<blockquote>            
+<p>Pour chacune des demandes de connexion entrantes dans le firewall,
+les demandes sont en premier lieu comparées par rapport au fichier
+/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
+correspondent, alors la première politique dans /etc/shorewall/policy
+qui y correspond est appliquée. Si
+cette politique est REJECT ou DROP la requête est alors comparée par
+rapport
+aux règles contenues dans /etc/shorewall/common (l'archive d'exemple
+vous
+fournit ce fichier).</p>
+<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
+three-interface sample a les politiques suivantes :</p>
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
-         <tbody>
-           <tr>
-             <td><u><b>Source Zone</b></u></td>
-             <td><u><b>Destination Zone</b></u></td>
-             <td><u><b>Policy</b></u></td>
-             <td><u><b>Log Level</b></u></td>
-             <td><u><b>Limit:Burst</b></u></td>
-           </tr>
-           <tr>
-             <td>loc</td>
-             <td>net</td>
-             <td>ACCEPT</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>net</td>
-             <td>all</td>
-             <td>DROP</td>
-             <td>info</td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>all</td>
-             <td>all</td>
-             <td>REJECT</td>
-             <td>info</td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>Source Zone</b></u></td>
+        <td><u><b>Destination Zone</b></u></td>
+        <td><u><b>Policy</b></u></td>
+        <td><u><b>Log Level</b></u></td>
+        <td><u><b>Limit:Burst</b></u></td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>net</td>
+        <td>ACCEPT</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>all</td>
+        <td>DROP</td>
+        <td>info</td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>all</td>
+        <td>all</td>
+        <td>REJECT</td>
+        <td>info</td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
-<blockquote>            
-  <p>Dans l'archive three-interface, la ligne suivante est existante mais
-  elle est commentée. Si vous souhaitez que votre système de firewall puisse
-  avoir un accès complet aux serveurs sur Internet, décommentez la.</p>
-                
+</blockquote>
+<blockquote>
+  <p>Dans l'archive three-interface, la ligne suivante est existante
+mais elle est commentée. Si vous souhaitez que votre système de
+firewall puisse avoir un accès complet aux serveurs sur Internet,
+décommentez la.</p>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber3">
-         <tbody>
-           <tr>
-             <td><u><b>Source Zone</b></u></td>
-             <td><u><b>Destination Zone</b></u></td>
-             <td><u><b>Policy</b></u></td>
-             <td><u><b>Log Level</b></u></td>
-             <td><u><b>Limit:Burst</b></u></td>
-           </tr>
-           <tr>
-             <td>fw</td>
-             <td>net</td>
-             <td>ACCEPT</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>Source Zone</b></u></td>
+        <td><u><b>Destination Zone</b></u></td>
+        <td><u><b>Policy</b></u></td>
+        <td><u><b>Log Level</b></u></td>
+        <td><u><b>Limit:Burst</b></u></td>
+      </tr>
+      <tr>
+        <td>fw</td>
+        <td>net</td>
+        <td>ACCEPT</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
+</blockquote>
 <p>Les politiques précédentes vont :</p>
-        
 <ol>
-       <li>permettre toutes demandes de connexion depuis le firewall vers 
+  <li>permettre toutes demandes de connexion depuis le firewall vers
 l'Internet</li>
-       <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet 
- vers votre  firewall ou vers votre réseau local</li>
-       <li>Facultativement accepter toutes les demandes de connexion depuis 
- votre firewall et vers Internet (si vous decommentez la politique précédente)</li>
-       <li>reject (rejeter) toutes les autres demandes de connexion.</li>
-        
+  <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
+vers votre firewall ou vers votre réseau local</li>
+  <li>Facultativement accepter toutes les demandes de connexion depuis
+votre firewall et vers Internet (si vous decommentez la politique
+précédente)</li>
+  <li>reject (rejeter) toutes les autres demandes de connexion.</li>
 </ol>
-        
-<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-    A ce point, éditez votre /etc/shorewall/policy et faites y les changements
-  que vous désire</p>
-        
+<p><img border="0" src="images/BD21298_1.gif" width="13" height="13"> A
+ce point, éditez votre /etc/shorewall/policy et faites y les
+changements que vous désire</p>
 <h2 align="left">Les Interfaces Réseau</h2>
-        
 <p align="center"> <img border="0" src="images/dmz1.png" width="692"
- height="635">
-     </p>
-        
-<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
-  Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
- (non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
-  sur lequel est connecté le routeur (e.g., eth0)  à moins que vous ne vous
-  connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
-  Protocol (PPTP), dans ce cas l'interface extérieure sera une interface
-de   type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
- votre interface extérieure sera aussi ppp0. Si votre connexion passe par
+ height="635"> </p>
+<p align="left">Le firewall a trois interfaces de réseau. Lorsque la
+connexion Internet passe par le câble ou par un ROUTEUR (pas un simple
+modem) ADSL (non USB), l'interface vers l'extérieur (External
+Interface) sera l'adaptateur sur lequel est connecté le routeur (e.g.,
+eth0) à moins que vous ne vous connectiez par Point-to-PointProtocol
+overEthernet (PPPoE) ou par Point-to-PointTunneling Protocol (PPTP),
+dans ce cas l'interface extérieure sera une interface
+de type ppp (e.g., ppp0). Si vous vous connectez par un simple modem
+(RTC), votre interface extérieure sera aussi ppp0. Si votre connexion
+passe par
 Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
-        
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
- height="13">
-     Si votre interface vers l'extérieur est ppp0 ou ippp0 alors vous mettrez
-  CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
-        
-<p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
-  (eth0,       eth1 ou eth2) et sera connecté à un hub ou un switch. Vos
-ordinateurs   locaux seront connectés à ce même switch (note : si vous n'avez
-qu'un seul   ordinateur en local, vous pouvez le connecter directement au
-firewall par   un <i>câble croisé</i>).</p>
-        
-<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
-  (eth0,  eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
-  appartenant à la DMZ seront connectés à ce même switch (note : si  vous
-n'avez  qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
-au  firewall par un <i>câble croisé</i>).</p>
-        
+ height="13"> Si votre interface vers l'extérieur est ppp0 ou ippp0
+alors vous mettrez CLAMPMSS=yes dans <a href="Documentation.htm#Conf">
+/etc/shorewall/shorewall.conf.</a></p>
+<p align="left">Votre <i>Interface locale</i> sera un adaptateur
+Ethernet (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch.
+Vos
+ordinateurs locaux seront connectés à ce même switch (note : si vous
+n'avez
+qu'un seul ordinateur en local, vous pouvez le connecter directement au
+firewall par un <i>câble croisé</i>).</p>
+<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur
+Ethernet (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch.
+Vos ordinateurs appartenant à la DMZ seront connectés à ce même switch
+(note : si vous
+n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter
+directement
+au firewall par un <i>câble croisé</i>).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
- width="60" height="60">
-    </b></u> Ne connectez pas l'interface interne et externe sur le même
-hub   ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez
-pas que  ce soit shorewall qui ne marche pas.</p>
-        
+ width="60" height="60"> </b></u> Ne connectez pas l'interface interne
+et externe sur le même
+hub ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez
+pas que ce soit shorewall qui ne marche pas.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
- height="13">
-     L'exemple de configuration de Shorewall pour trois interfaces suppose
- que  l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
-</b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
-diffère,  vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
-en conséquence.  Tant que vous y êtes, vous pourriez parcourir la liste des
-options qui sont  spécifiées pour les interfaces. Quelques trucs :</p>
-        
+ height="13"> L'exemple de configuration de Shorewall pour trois
+interfaces suppose que l'interface externe est <b>eth0, </b>l'interface
+locale est <b>eth1
+</b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre
+configuration
+diffère, vous devrez modifier le fichier d'exemple
+/etc/shorewall/interfaces
+en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste
+des
+options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
 <ul>
-       <li>                    
-    <p align="left">Si votre interface externe est ppp0 ou ippp0, vous pouvez
-  remplacer le "detect" dans la seconde colonne par un "-". </p>
-       </li>
-       <li>                    
-    <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
-si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
+  <li>
+    <p align="left">Si votre interface externe est ppp0 ou ippp0, vous
+pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
+  </li>
+  <li>
+    <p align="left">Si votre interface externe est ppp0 ou ippp0 ou
+bien
+si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de
+la
 liste d'option. </p>
-       </li>
-        
+  </li>
 </ul>
-        
 <h2 align="left">Adresses IP</h2>
-        
-<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
-  sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
-  Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
-  Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
-  (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous
-connectez   (modem standard) ou établissez votre connexion PPP. Dans de rares
-cas , votre  provider peu vous assigner une adresse statique (staticIP address);
-cela signifie que vous configurez votre interface externe sur votre firewall
-afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
-externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
-à Internet. Vous devrez assigner vos propres adresses à votre réseau local
-(votre interface  interne sur le firewall  ainsi que les autres ordinateurs).
-La RFC 1918 réserve  plusieurs plages d'IP (Private IP address ranges) à
+<p align="left">Avant d'aller plus loin, nous devons dire quelques mots
+au sujet du Protocole d'adresse Internet (IP). Normalement, votre
+fournisseur Internet (ISP) vous assignera une seule adresse IP (single
+Public IP address). Cette adresse peut être assignée par le Dynamic
+Host Configuration Protocol (DHCP) ou lors de l'établissement de votre
+connexion lorsque vous vous
+connectez (modem standard) ou établissez votre connexion PPP. Dans de
+rares
+cas , votre provider peu vous assigner une adresse statique (staticIP
+address);
+cela signifie que vous configurez votre interface externe sur votre
+firewall
+afin d'utiliser cette adresse de manière permanente. Une fois votre
+adresse
+externe assignée, elle va être partagée par tout vos systèmes lors de
+l'accès
+à Internet. Vous devrez assigner vos propres adresses à votre réseau
+local
+(votre interface interne sur le firewall ainsi que les autres
+ordinateurs).
+La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
 cette fin :</p>
-        
-<div align="left">    
+<div align="left">
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-     </div>
-        
-<div align="left">    
+</div>
+<div align="left">
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
- height="13">
-     Avant de lancer Shorewall, vous devriez regarder l'adresse de votre
-interface   externe et si elle est comprise dans une des plages précédentes,
-vous devriez   enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
-     </div>
-        
-<div align="left">    
-<p align="left">Vous devrez assigner les adresses locales à un sous-réseau
-  (<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
-  sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
-  en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
-  une masque (<i>Subnet   Mask)</i> de 255.255.255.0.  L'adresse x.y.z.0
-est   réservée comme l'adresse du sous-réseau (<i>Subnet     Address)</i>
-et x.y.z.255    est réservée en tant qu'adresse de broadcast du sous-réseau
-(<i>Subnet Broadcast</i>  <i>Address)</i>. Sous Shorewall,  un sous-réseau
-est décrit/désigné en utilisant  la notation <a
- href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain  Routing</i>(CIDR)</a>
-qui consiste en l'adresse du sous-réseau suivie par  "/24". Le "24"  se réfère
-au nombre de bits "1" consécutifs dans la partie  gauche du masque de sous-réseau.
+ height="13"> Avant de lancer Shorewall, vous devriez regarder
+l'adresse de votre
+interface externe et si elle est comprise dans une des plages
+précédentes,
+vous devriez enlever l'option 'norfc1918' dans le fichier
+/etc/shorewall/interfaces.</p>
+</div>
+<div align="left">
+<p align="left">Vous devrez assigner les adresses locales à un
+sous-réseau (<i>sub-network </i>ou <i>subnet)</i> et les adresse pour
+la DMZ à un autre sous-réseau. Pour ce faire, nous pouvons considérer
+qu'un sous-réseau consiste en une plage d'adresse x.y.z.0 à x.y.z.255.
+Chacun des sous-réseaux possèdera une masque (<i>Subnet Mask)</i> de
+255.255.255.0. L'adresse x.y.z.0
+est réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i>
+et x.y.z.255 est réservée en tant qu'adresse de broadcast du
+sous-réseau
+(<i>Subnet Broadcast</i> <i>Address)</i>. Sous Shorewall, un
+sous-réseau
+est décrit/désigné en utilisant la notation <a
+ href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain
+Routing</i>(CIDR)</a>
+qui consiste en l'adresse du sous-réseau suivie par "/24". Le "24" se
+réfère
+au nombre de bits "1" consécutifs dans la partie gauche du masque de
+sous-réseau.
 </p>
-     </div>
-        
-<div align="left">    
+</div>
+<div align="left">
 <p align="left">Exemple de sous-réseau (subnet) :</p>
-     </div>
-        
-<div align="left">    
-<blockquote>            
+</div>
+<div align="left">
+<blockquote>
   <table border="1" style="border-collapse: collapse;" id="AutoNumber1"
  cellpadding="2">
-         <tbody>
-           <tr>
-             <td><b>Plage:</b></td>
-             <td>10.10.10.0 - 10.10.10.255</td>
-           </tr>
-           <tr>
-             <td><b>Subnet Address:</b></td>
-             <td>10.10.10.0</td>
-           </tr>
-           <tr>
-             <td><b>Broadcast Address:</b></td>
-             <td>10.10.10.255</td>
-           </tr>
-           <tr>
-             <td><b>CIDR Notation:</b></td>
-             <td>10.10.10.0/24</td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><b>Plage:</b></td>
+        <td>10.10.10.0 - 10.10.10.255</td>
+      </tr>
+      <tr>
+        <td><b>Subnet Address:</b></td>
+        <td>10.10.10.0</td>
+      </tr>
+      <tr>
+        <td><b>Broadcast Address:</b></td>
+        <td>10.10.10.255</td>
+      </tr>
+      <tr>
+        <td><b>CIDR Notation:</b></td>
+        <td>10.10.10.0/24</td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
-<p align="left">Il est de convention d'assigner à l'interface interne la
-première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
-précédent)      ou la dernière utilisable (10.10.10.254).</p>
-     </div>
-        
-<div align="left">    
-<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
-  ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
-ils  peuvent communiquer directement. Pour communiquer avec des systèmes
-en dehors  du sous-réseau, les ordinateurs envoient des paquets à travers
-le gateway  (routeur).</p>
-     </div>
-        
-<div align="left">    
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Il est de convention d'assigner à l'interface interne
+la
+première adresse utilisable dans le sous-réseau (10.10.10.1 dans
+l'exemple
+précédent) ou la dernière utilisable (10.10.10.254).</p>
+</div>
+<div align="left">
+<p align="left">L'un des buts d'un sous-réseau est de permettre à tous
+les ordinateurs dans le sous-réseau de savoir avec quels autres
+ordinateurs
+ils peuvent communiquer directement. Pour communiquer avec des systèmes
+en dehors du sous-réseau, les ordinateurs envoient des paquets à
+travers
+le gateway (routeur).</p>
+</div>
+<div align="left">
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
- height="13">
-     Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
-  avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
-  IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
-  être configurés avec leur passerelle par défaut (<i>default gateway)</i>
- pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
-     </div>
-        
-<p align="left">Cette courte description ne fait que survoler les concepts
-  de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
-l'adressage  IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
-   What  Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
-     A.  Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
-        
-<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
-  réseau comme montrer ci-dessous :</p>
-        
+ height="13"> Vos ordinateurs locaux (ordinateur local 1 et 2)
+devraient être configurés avec leur passerelle par défaut (<i>default
+gateway)</i>pointant sur l'adresse IP de l'interface interne du
+firewall, et les ordinateurs de la DMZ devraient être configurés avec
+leur passerelle par défaut (<i>default gateway)</i> pointant sur
+l'adresse IP de l'interface DMZ du firewall. </p>
+</div>
+<p align="left">Cette courte description ne fait que survoler les
+concepts de routage et de sous-réseau. Si vous vous voulez en apprendre
+plus sur
+l'adressage IP et le routage, je vous recommande chaudement <i>"IP
+Fundamentals: What Everyone Needs to Know about Addressing &amp;
+Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
+<p align="left">Pour rappel, ce guide supposera que vous avez configuré
+votre réseau comme montrer ci-dessous :</p>
 <p align="center"> <img border="0" src="images/dmz2.png" width="721"
- height="635">
-     </p>
-        
-<p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
-  de la DMZ sera 10.10.11.254       et le passerelle par défaut pour les
-ordinateurs   en local sera 10.10.10.254.</p>
-        
+ height="635"> </p>
+<p align="left">La passerelle par défaut (default gateway) pour les
+ordinateurs de la DMZ sera 10.10.11.254 et le passerelle par défaut
+pour les
+ordinateurs en local sera 10.10.10.254.</p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
-        
-<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
-  comme non-routables car les routeurs Internet (backbone) ne font pas circuler
-  les paquets qui ont une adresse de destination appartenant à la RFC-1918.
-  Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
- connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
- Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
- et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
- mots, le firewall fait croire que c'est lui même qui initie la connexion.
- Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
- les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
- de destination, une adresse réservée par la RFC 1918 ne pourront pas être
- routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
- à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
-  l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
-  1. </p>
-        
-<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
-l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
-Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
+<p align="left">Les adresses réservées par la RFC 1918 sont parfois
+désignées comme non-routables car les routeurs Internet (backbone) ne
+font pas circuler les paquets qui ont une adresse de destination
+appartenant à la RFC-1918. Lorsqu'un de vos systèmes en local
+(supposons l'ordinateur1) demande une connexion à un serveur par
+Internet, le firewall doit appliquer un NAT (Network Address
+Translation). Le firewall ré écrit l'adresse source dans le paquet, et
+l'a remplace par l'adresse de l'interface externe du firewall; en
+d'autres mots, le firewall fait croire que c'est lui même qui initie la
+connexion. Ceci est nécessaire afin que l'hôte de destination soit
+capable de renvoyer les paquets au firewall (souvenez vous que les
+paquets qui ont pour adresse de destination, une adresse réservée par
+la RFC 1918 ne pourront pas être routés à travers Internet, donc l'hôte
+Internet ne pourra adresser sa réponse à l'ordinateur 1). Lorsque le
+firewall reçoit le paquet de réponse, il remet l'adresse de destination
+à 10.10.10.1 et fait passer le paquet vers l'ordinateur 1. </p>
+<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé
+de
+l'IP Masquerading mais vous verrez aussi le terme de Source Network
+Address
+Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec
+Netfilter
 :</p>
-        
 <ul>
-       <li>                    
-    <p align="left">Masquerade désigne le cas ou vous laissez votre firewall
-  détecter automatiquement l'adresse de l'interface externe. </p>
-       </li>
-       <li>                    
-    <p align="left">SNAT désigne le cas où vous spécifiez explicitement l'adresse
-  source des paquets sortant de votre réseau local. </p>
-       </li>
-        
+  <li>
+    <p align="left">Masquerade désigne le cas ou vous laissez votre
+firewall détecter automatiquement l'adresse de l'interface externe. </p>
+  </li>
+  <li>
+    <p align="left">SNAT désigne le cas où vous spécifiez explicitement
+l'adresse source des paquets sortant de votre réseau local. </p>
+  </li>
 </ul>
-        
-<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configuré
-  avec des entrés dans le fichier /etc/shorewall/masq.</p>
-        
+<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont
+configuré avec des entrés dans le fichier /etc/shorewall/masq.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
- height="13">
-     Si votre interface externe est <b>eth0</b>, votre interface locale <b>eth1</b>
-  et votre interface pour la DMZ <b>eth2</b> vous n'avez pas besoin de modifier
-  le fichier fourni avec l'exemple. Dans le cas contraire, éditez    /etc/shorewall/masq
-    et changez le en conséquence.</p>
-        
+ height="13"> Si votre interface externe est <b>eth0</b>, votre
+interface locale <b>eth1</b> et votre interface pour la DMZ <b>eth2</b>
+vous n'avez pas besoin de modifier le fichier fourni avec l'exemple.
+Dans le cas contraire, éditez /etc/shorewall/masq et changez le en
+conséquence.</p>
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
- height="13">
-     Si votre IP externe est statique, vous pouvez la mettre dans la troisième
-  colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
-  firewall fonctionnera bien si vous laissez cette colonne vide. Le fait
-de   mettre votre IP statique dans la troisième colonne permet un traitement
-des  paquets sortant un peu plus efficace.<br>
-     </p>
-        
+ height="13"> Si votre IP externe est statique, vous pouvez la mettre
+dans la troisième colonne dans /etc/shorewall/masq si vous le désirez,
+de toutes façons votre firewall fonctionnera bien si vous laissez cette
+colonne vide. Le fait
+de mettre votre IP statique dans la troisième colonne permet un
+traitement
+des paquets sortant un peu plus efficace.<br>
+</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
- height="13" alt="">
-     Si vous utilisez les paquets Debian, vérifiez que votre fichier de configuration
-  shorewall.conf contient bien les valeurs suivantes, si elles n'y sont pas
-  faite les changements nécessaires :<br>
-     </p>
-        
+ height="13" alt=""> Si vous utilisez les paquets Debian, vérifiez que
+votre fichier de configuration shorewall.conf contient bien les valeurs
+suivantes, si elles n'y sont pas faite les changements nécessaires :<br>
+</p>
 <ul>
-       <li>NAT_ENABLED=Yes</li>
-       <li>IP_FORWARDING=On<br>
-       </li>
-        
+  <li>NAT_ENABLED=Yes</li>
+  <li>IP_FORWARDING=On<br>
+  </li>
 </ul>
-        
 <h2 align="left">Port Forwarding (DNAT)</h2>
-        
-<p align="left">Un de nos buts est de, peut être, faire tourner un ou plusieurs
-  serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
-  RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
-  directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
-  de connexion au firewall qui ré écrit l'adresse de destination de votre
-serveur,  et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
-le firewall  applique automatiquement un SNAT pour ré écrire l'adresse source
+<p align="left">Un de nos buts est de, peut être, faire tourner un ou
+plusieurs serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs
+on une adresse RFC-1918, il n'est pas possible pour les clients sur
+Internet de se connecter directement à eux. Il est nécessaire à ces
+clients d'adresser leurs demandes de connexion au firewall qui ré écrit
+l'adresse de destination de votre
+serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur
+répond,
+le firewall applique automatiquement un SNAT pour ré écrire l'adresse
+source
 dans la réponse.</p>
-        
-<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
-  Address Translation(DNAT). Vous configurez le port forwarding en utilisant
-  les règles DNAT dans le fichier /etc/shorewall/rules.</p>
-        
-<p>La forme générale d'une simple règle de port forwarding dans /etc/shorewall/rules
-  est :</p>
-        
-<blockquote>            
+<p align="left">Ce procédé est appelé Port Forwarding ou Destination
+Network Address Translation(DNAT). Vous configurez le port forwarding
+en utilisant les règles DNAT dans le fichier /etc/shorewall/rules.</p>
+<p>La forme générale d'une simple règle de port forwarding dans
+/etc/shorewall/rules est :</p>
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>DNAT</td>
-             <td>net</td>
-             <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
- port&gt;</i>]</td>
-             <td><i>&lt;protocol&gt;</i></td>
-             <td><i>&lt;port&gt;</i></td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>DNAT</td>
+        <td>net</td>
+        <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
+port&gt;</i>]</td>
+        <td><i>&lt;protocol&gt;</i></td>
+        <td><i>&lt;port&gt;</i></td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
-<p>Si vous ne spécifiez pas le <i>&lt;server port&gt;</i>, il est supposé
-  être le même que <i>&lt;port&gt;</i>.</p>
-        
-<p>Exemple - vous faites tourner un serveur Web dans votre DMZ (2) et vous
-  voulez faire passer les paquets entrant en TCP sur le port 80 à ce système
-  :</p>
-        
-<blockquote>            
+</blockquote>
+<p>Si vous ne spécifiez pas le <i>&lt;server port&gt;</i>, il est
+supposé être le même que <i>&lt;port&gt;</i>.</p>
+<p>Exemple - vous faites tourner un serveur Web dans votre DMZ (2) et
+vous voulez faire passer les paquets entrant en TCP sur le port 80 à ce
+système :</p>
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>DNAT</td>
-             <td>net</td>
-             <td>dmz:10.10.11.2</td>
-             <td>tcp</td>
-             <td>80</td>
-             <td># Fait suivre le port 80</td>
-             <td>depuis Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:10.10.11.2</td>
-             <td>tcp</td>
-             <td>80</td>
-             <td>#Permet les connexions </td>
-             <td>depuis le réseau local</td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>DNAT</td>
+        <td>net</td>
+        <td>dmz:10.10.11.2</td>
+        <td>tcp</td>
+        <td>80</td>
+        <td># Fait suivre le port 80</td>
+        <td>depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:10.10.11.2</td>
+        <td>tcp</td>
+        <td>80</td>
+        <td>#Permet les connexions </td>
+        <td>depuis le réseau local</td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
+</blockquote>
 <p>Deux points importants à garder en mémoire :</p>
-        
 <ul>
-       <li>Lorsque vous vous connectez à votre serveur à partir de votre
-réseau   local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
-       <li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
-  de connexion entrantes sur le port 80. Si vous avez des problèmes pour
-vous   connecter à votre serveur web, essayez la règle suivante et connectez
-vous   sur le port 5000 (c.a.d., connectez vous à <a
- href="http://w.x.y.z:5000">  http://w.x.y.z:5000</a> où w.x.y.z est votre
- IP externe).</li>
-        
+  <li>Lorsque vous vous connectez à votre serveur à partir de votre
+réseau local, vous devez utiliser l'adresse IP interne du serveur
+(10.10.11.2).</li>
+  <li>Quelques fournisseurs Internet (Provider/ISP) bloquent les
+requêtes de connexion entrantes sur le port 80. Si vous avez des
+problèmes pour
+vous connecter à votre serveur web, essayez la règle suivante et
+connectez
+vous sur le port 5000 (c.a.d., connectez vous à <a
+ href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est
+votre IP externe).</li>
 </ul>
-        
-<blockquote>            
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>DNAT</td>
-             <td>net</td>
-             <td>dmz:10.10.11.2:80</td>
-             <td>tcp</td>
-             <td>5000</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>DNAT</td>
+        <td>net</td>
+        <td>dmz:10.10.11.2:80</td>
+        <td>tcp</td>
+        <td>5000</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
-<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
-depuis le réseau local en utilisant votre adresse externe, et si vous avez
-une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
+</blockquote>
+<p>Si vous voulez avoir la possibilité de vous connecter à votre
+serveur
+depuis le réseau local en utilisant votre adresse externe, et si vous
+avez
+une adresse IP externe statique (fixe), vous pouvez remplacer la règle
+loc-&gt;dmz
 précédente par :</p>
-        
-<blockquote>            
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>DNAT</td>
-             <td>net</td>
-             <td>dmz:10.10.11.2:80</td>
-             <td>tcp</td>
-             <td>80</td>
-             <td>-</td>
-             <td><i>&lt;external IP&gt;</i></td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>DNAT</td>
+        <td>net</td>
+        <td>dmz:10.10.11.2:80</td>
+        <td>tcp</td>
+        <td>80</td>
+        <td>-</td>
+        <td><i>&lt;external IP&gt;</i></td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
-<p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
-  interface externe est en route avant de lancer Shorewall et vous devez
-suivre   les étapes suivantes (en supposant que votre interface externe est
-<b>eth0</b>)   :</p>
-        
+</blockquote>
+<p>Si vous avez une IP dynamique, alors vous devez vous assurer que
+votre interface externe est en route avant de lancer Shorewall et vous
+devez
+suivre les étapes suivantes (en supposant que votre interface externe
+est
+<b>eth0</b>) :</p>
 <ol>
-       <li>Insérez ce qui suit dans /etc/shorewall/params :<br>
-         <br>
-     ETH0_IP=`find_interface_address eth0`<br>
-       </li>
-       <li>Faites votre règle loc-&gt;dmz :</li>
-        
+  <li>Insérez ce qui suit dans /etc/shorewall/params :<br>
+    <br>
+ETH0_IP=`find_interface_address eth0`<br>
+  </li>
+  <li>Faites votre règle loc-&gt;dmz :</li>
 </ol>
-        
-<blockquote>            
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>DNAT</td>
-             <td>loc<br>
-             </td>
-             <td>dmz:10.10.11.2:80</td>
-             <td>tcp</td>
-             <td>80</td>
-             <td>-</td>
-             <td>$ETH0_IP</td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>DNAT</td>
+        <td>loc<br>
+        </td>
+        <td>dmz:10.10.11.2:80</td>
+        <td>tcp</td>
+        <td>80</td>
+        <td>-</td>
+        <td>$ETH0_IP</td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-        
-<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
+</blockquote>
+<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant
+votre
 adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
-        
-<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
-     A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
-        
+<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> A
+ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
-        
-<p align="left">Normalement, quand vous vous connectez à votre fournisseur
-  (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
- firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
-fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
-donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
-manuellement votre serveur de nom primaire et secondaire. La manière dont
-le DNS est configuré sur votre firewall est de votre responsabilité. Vous
+<p align="left">Normalement, quand vous vous connectez à votre
+fournisseur (ISP), une partie consiste à obtenir votre adresse IP,
+votre DNS pour le firewall (Domain Name Service) est configuré
+automatiquement (c.a.d., le
+fichier /etc/resolv.conf a été écrit). Il arrive que votre provider
+vous
+donne une paire d'adresse IP pour les DNS (name servers) afin que vous
+configuriez
+manuellement votre serveur de nom primaire et secondaire. La manière
+dont
+le DNS est configuré sur votre firewall est de votre responsabilité.
+Vous
 pouvez procéder d'une de ses deux façons :</p>
-        
 <ul>
-       <li>                    
-    <p align="left">Vous pouvez configurer votre système interne pour utiliser
-  les noms de serveurs de votre provider. Si votre fournisseur vous donne
-les  adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
-site  web, vous pouvez configurer votre système interne afin de les utiliser.
-Si  cette information n'est pas disponible, regardez dans /etc/resolv.conf
-sur  votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
-  "nameserver" dans ce fichier. </p>
-       </li>
-       <li>                    
+  <li>
+    <p align="left">Vous pouvez configurer votre système interne pour
+utiliser les noms de serveurs de votre provider. Si votre fournisseur
+vous donne
+les adresses de leurs serveurs ou si ces adresses sont disponibles sur
+leur
+site web, vous pouvez configurer votre système interne afin de les
+utiliser.
+Si cette information n'est pas disponible, regardez dans
+/etc/resolv.conf
+sur votre firewall -- les noms des serveurs sont donnés dans
+l'enregistrement "nameserver" dans ce fichier. </p>
+  </li>
+  <li>
     <p align="left"><img border="0" src="images/BD21298_2.gif"
- width="13" height="13">
-     Vous pouvez installer/configurer un cache dns (Caching Name Server)
-sur   votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre
-en cache   un serveur de nom (le RPM requis aussi le RPM 'bind') et pour
-les utilisateurs   de Bering, il y a dnscache.lrp. Si vous adoptez cette
-approche, vous configurez   votre système interne pour utiliser le firewall
-lui même comme étant le seul  serveur de nom primaire. Vous pouvez utiliser
-l'adresse IP interne du firewall  (10.10.10.254 dans l'exemple) pour l'adresse
-de serveur de nom si vous décidez  de faire tourner le serveur de nom sur
-votre firewall. Pour permettre à vos  systèmes locaux de discuter avec votre
-serveur cache de nom, vous devez ouvrir  le port 53 (UDP ET  TCP) sur le
-firewall vers le réseau local; vous ferez  ceci en ajoutant les règles suivantes
-dans /etc/shorewall/rules.     </p>
-       </li>
-        
+ width="13" height="13"> Vous pouvez installer/configurer un cache dns
+(Caching Name Server)
+sur votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre
+en cache un serveur de nom (le RPM requis aussi le RPM 'bind') et pour
+les utilisateurs de Bering, il y a dnscache.lrp. Si vous adoptez cette
+approche, vous configurez votre système interne pour utiliser le
+firewall
+lui même comme étant le seul serveur de nom primaire. Vous pouvez
+utiliser
+l'adresse IP interne du firewall (10.10.10.254 dans l'exemple) pour
+l'adresse
+de serveur de nom si vous décidez de faire tourner le serveur de nom
+sur
+votre firewall. Pour permettre à vos systèmes locaux de discuter avec
+votre
+serveur cache de nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP)
+sur le
+firewall vers le réseau local; vous ferez ceci en ajoutant les règles
+suivantes
+dans /etc/shorewall/rules. </p>
+  </li>
 </ul>
-        
-<blockquote>            
-  <p align="left">Si vous faites tourner le serveur de nom sur le firewall
-  :            
+<blockquote>
+  <p align="left">Si vous faites tourner le serveur de nom sur le
+firewall :
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>fw</td>
-             <td>udp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>dmz</td>
-             <td>fw</td>
-             <td>udp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>fw</td>
+        <td>udp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>dmz</td>
+        <td>fw</td>
+        <td>udp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-       </p>
-     </blockquote>
-        
-<div align="left">    
-<blockquote>            
+  </p>
+</blockquote>
+<div align="left">
+<blockquote>
   <p>Le serveur de nom tourne sur l'ordinateur 1 de la DMZ</p>
-                
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:10.10.11.1</td>
-             <td>tcp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz:10.10.11.1</td>
-             <td>udp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:10.10.10.1</td>
-             <td>tcp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>dmz:10.10.10.1</td>
-             <td>udp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:10.10.11.1</td>
+        <td>tcp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz:10.10.11.1</td>
+        <td>udp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:10.10.10.1</td>
+        <td>tcp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>dmz:10.10.10.1</td>
+        <td>udp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
+</blockquote>
+</div>
+<div align="left">
 <h2 align="left">Autres Connexions</h2>
-     </div>
-        
-<div align="left">    
-<p align="left">L'exemple pour trois interfaces contient les règles suivantes
-  :</p>
-     </div>
-        
-<div align="left">    
-<blockquote>            
+</div>
+<div align="left">
+<p align="left">L'exemple pour trois interfaces contient les règles
+suivantes :</p>
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>net</td>
-             <td>udp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>fw</td>
-             <td>net</td>
-             <td>tcp</td>
-             <td>53</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>net</td>
+        <td>udp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>fw</td>
+        <td>net</td>
+        <td>tcp</td>
+        <td>53</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
-<p align="left">Ces règles permettent l'accès DNS depuis votre firewall et
-  peuvent être enlevées si vous avez décommenté la ligne dans /etc/shorewall/policy
-  autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
-     </div>
-        
-<div align="left">    
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Ces règles permettent l'accès DNS depuis votre firewall
+et peuvent être enlevées si vous avez décommenté la ligne dans
+/etc/shorewall/policy autorisant toutes les connexions depuis votre
+firewall et vers Internet.</p>
+</div>
+<div align="left">
 <p align="left">L'exemple contient aussi :</p>
-     </div>
-        
-<div align="left">    
-<blockquote>            
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>22</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>loc</td>
-             <td>dmz</td>
-             <td>tcp</td>
-             <td>22</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>22</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>loc</td>
+        <td>dmz</td>
+        <td>tcp</td>
+        <td>22</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
-<p align="left">Cette règle permet de faire fonctionner une serveur SSH sur
-  le firewall et sur tous les systèmes de la DMZ et d'y autoriser la connexion
-  à partir de votre réseau local.</p>
-     </div>
-        
-<div align="left">    
-<p align="left">Si vous désirez permettre d'autres connexions entre vos systèmes,
-  la forme générale est :</p>
-     </div>
-        
-<div align="left">    
-<blockquote>            
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Cette règle permet de faire fonctionner une serveur SSH
+sur le firewall et sur tous les systèmes de la DMZ et d'y autoriser la
+connexion à partir de votre réseau local.</p>
+</div>
+<div align="left">
+<p align="left">Si vous désirez permettre d'autres connexions entre vos
+systèmes, la forme générale est :</p>
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td><i>&lt;source zone&gt;</i></td>
-             <td><i>&lt;destination zone&gt;</i></td>
-             <td><i>&lt;protocol&gt;</i></td>
-             <td><i>&lt;port&gt;</i></td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td><i>&lt;source zone&gt;</i></td>
+        <td><i>&lt;destination zone&gt;</i></td>
+        <td><i>&lt;protocol&gt;</i></td>
+        <td><i>&lt;port&gt;</i></td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
-<p align="left">Exemple - Vous voulez faire tourner un serveur DNS disponible
-  pour le publique sur votre firewall :</p>
-     </div>
-        
-<div align="left">    
-<blockquote>            
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Exemple - Vous voulez faire tourner un serveur DNS
+disponible pour le publique sur votre firewall :</p>
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>53</td>
-             <td>#permet les accès DNS</td>
-             <td>depuis Internet</td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>fw</td>
-             <td>udp<br>
-         </td>
-             <td>53</td>
-             <td>#permet les accès DNS</td>
-             <td>depuis Internet</td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>53</td>
+        <td>#permet les accès DNS</td>
+        <td>depuis Internet</td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td>udp<br>
+        </td>
+        <td>53</td>
+        <td>#permet les accès DNS</td>
+        <td>depuis Internet</td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
-<p align="left">Ces deux règles seront, bien sur, ajoutées aux règles décrites
-  dans "Vous pouvez installer/configurer un cache dns (Caching Name Server)
-  sur votre firewall ou dans la DMZ".</p>
-     </div>
-        
-<div align="left">    
-<p align="left">Si vous ne savez pas quel port ou protocole une application
-  particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
-     </div>
-        
-<div align="left">    
-<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
-  depuis ou vers l'Internet car il utilise du texte en clair (même pour le
- login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
- firewall depuis Internet, utilisez SSH :</p>
-     </div>
-        
-<div align="left">    
-<blockquote>            
+</blockquote>
+</div>
+<div align="left">
+<p align="left">Ces deux règles seront, bien sur, ajoutées aux règles
+décrites dans "Vous pouvez installer/configurer un cache dns (Caching
+Name Server) sur votre firewall ou dans la DMZ".</p>
+</div>
+<div align="left">
+<p align="left">Si vous ne savez pas quel port ou protocole une
+application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
+</div>
+<div align="left">
+<p align="left">Important: Je ne vous recommande pas d'autoriser le
+telnet depuis ou vers l'Internet car il utilise du texte en clair (même
+pour le login et le mot de passe !). Si vous voulez avoir un accès au
+shell de votre firewall depuis Internet, utilisez SSH :</p>
+</div>
+<div align="left">
+<blockquote>
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
  id="AutoNumber4">
-         <tbody>
-           <tr>
-             <td><u><b>ACTION</b></u></td>
-             <td><u><b>SOURCE</b></u></td>
-             <td><u><b>DESTINATION</b></u></td>
-             <td><u><b>PROTOCOL</b></u></td>
-             <td><u><b>PORT</b></u></td>
-             <td><u><b>SOURCE PORT</b></u></td>
-             <td><u><b>ORIGINAL ADDRESS</b></u></td>
-           </tr>
-           <tr>
-             <td>ACCEPT</td>
-             <td>net</td>
-             <td>fw</td>
-             <td>tcp</td>
-             <td>22</td>
-             <td> <br>
-             </td>
-             <td> <br>
-             </td>
-           </tr>
-                        
-    </tbody>            
+    <tbody>
+      <tr>
+        <td><u><b>ACTION</b></u></td>
+        <td><u><b>SOURCE</b></u></td>
+        <td><u><b>DESTINATION</b></u></td>
+        <td><u><b>PROTOCOL</b></u></td>
+        <td><u><b>PORT</b></u></td>
+        <td><u><b>SOURCE PORT</b></u></td>
+        <td><u><b>ORIGINAL ADDRESS</b></u></td>
+      </tr>
+      <tr>
+        <td>ACCEPT</td>
+        <td>net</td>
+        <td>fw</td>
+        <td>tcp</td>
+        <td>22</td>
+        <td> <br>
+        </td>
+        <td> <br>
+        </td>
+      </tr>
+    </tbody>
   </table>
-     </blockquote>
-     </div>
-        
-<div align="left">    
+</blockquote>
+</div>
+<div align="left">
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
- height="13">
-     Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres
-connexions   désirées.</p>
-     </div>
-        
-<div align="left">    
+ height="13"> Et maintenant, éditez /etc/shorewall/rules pour rajouter
+les autres
+connexions désirées.</p>
+</div>
+<div align="left">
 <h2 align="left">Lancer et Arrêter son Firewall</h2>
-     </div>
-        
-<div align="left">    
+</div>
+<div align="left">
 <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
- height="13" alt="Arrow">
-     La <a href="Install.htm">procédure d'installation</a> configure votre
- système  pour lancer Shorewall au boot du système, mais au début avec la
-version 1.3.9  de Shorewall le lancement est désactivé, n'essayer pas de
-lancer Shorewall  avec que la configuration soit finie. Une fois que vous
-en avez fini avec  la configuration du firewall, vous pouvez permettre le
-lancement de Shorewall  en supprimant le fichier /etc/shorewall/startup_disabled.<br>
-     </p>
-        
-<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
-  /etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br>
-     </p>
-     </div>
-        
-<div align="left">    
-<p align="left">Le firewall est activé en utilisant la commande "shorewall
-  start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
-le  routage est autorisé sur les hôtes qui possèdent une entrée dans <a
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
-  firewall qui tourne peut être relancé en utilisant la commande "shorewall
-  restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
-  de Netfilter, utilisez "shorewall clear".</p>
-     </div>
-        
-<div align="left">    
+ height="13" alt="Arrow"> La <a href="Install.htm">procédure
+d'installation</a> configure votre système pour lancer Shorewall au
+boot du système, mais au début avec la
+version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
+lancer Shorewall avec que la configuration soit finie. Une fois que
+vous
+en avez fini avec la configuration du firewall, vous pouvez permettre
+le
+lancement de Shorewall en supprimant le fichier
+/etc/shorewall/startup_disabled.<br>
+</p>
+<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent
+éditer /etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br>
+</p>
+</div>
+<div align="left">
+<p align="left">Le firewall est activé en utilisant la commande
+"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
+est stoppé,
+le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
+ href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+Un firewall qui tourne peut être relancé en utilisant la commande
+"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
+sur votre configuration de Netfilter, utilisez "shorewall clear".</p>
+</div>
+<div align="left">
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
- height="13">
-     L'exemple pour trois interfaces suppose que vous voulez permettre le 
-routage  depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) 
-  lorsque  Shorewall    est arrêté.    Si ces deux interfaces ne sont pas 
-connectées  à votre réseau local et votre DMZ, ou si vous voulez permettre 
-un ensemble  d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
-     </div>
-        
-<div align="left">    
-<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
-Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
-pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
+ height="13"> L'exemple pour trois interfaces suppose que vous voulez
+permettre le routage depuis/vers <b>eth1 </b>(votre réseau local) et<b>
+eth2</b>(DMZ) lorsque Shorewall est arrêté. Si ces deux interfaces ne
+sont pas connectées à votre réseau local et votre DMZ, ou si vous
+voulez permettre un ensemble d'hôtes différents, modifiez
+/etc/shorewall/routestopped en conséquence.</p>
+</div>
+<div align="left">
+<p align="left">ATTENTION: Si vous êtes connecté à votre firewall
+depuis
+Internet, n'essayez pas une commande "shorewall stop" tant que vous
+n'avez
+pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
+vous
 êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-  De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
-  il est plus intéressant de créer une <i><a
+De la même manière, je ne vous recommande pas d'utiliser "shorewall
+restart"; il est plus intéressant de créer une <i><a
  href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
- href="configuration_file_basics.htm#Configs">alternative</a></i>et de la
-  tester en utilisant la commande <a
- href="starting_and_stopping_shorewall.htm">"shorewall   try"</a>.</p>
-     </div>
-        
+ href="configuration_file_basics.htm#Configs">alternative</a></i>et de
+la tester en utilisant la commande <a
+ href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
+</div>
 <p align="left"><font size="2">Last updated 05/19/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
-        
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
-Thomas  M. Eastep</font></a><br>
- </p>
- <br>
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
+2003 Thomas M. Eastep</font></a><br>
+</p>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/traffic_shaping.htm b/Shorewall-docs/traffic_shaping.htm
index 4b127c911..40c2c9c5c 100644
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@@ -1,341 +1,306 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
   <title>Traffic Shaping</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-                    <tbody>
-                     <tr>
-                      <td width="100%">         
-      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
-                      </td>
-                    </tr>
-    
-  </tbody> 
-</table>
-  
-<p align="left">Shorewall has limited support       for traffic shaping/control. 
- In order to use traffic shaping under Shorewall,       it is essential that 
- you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing 
- and Shaping HOWTO</a>,       version 0.3.0 or later. It is also necessary 
-to be running Linux Kernel 2.4.18 or later.</p>
-  
-<p align="left">Shorewall traffic shaping support consists of the following:</p>
-  
+<body>
+<h1 style="text-align: center;">Traffic Shaping/Control<br>
+</h1>
+<p align="left">Shorewall has limited support for traffic
+shaping/control. In order to use traffic shaping under Shorewall, it is
+essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux
+Advanced Routing and Shaping HOWTO</a>, version 0.3.0 or later. It is
+also necessary to be running Linux Kernel 2.4.18 or later.</p>
+<p align="left">Shorewall traffic shaping support consists of the
+following:</p>
 <ul>
-                    <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. 
-    Traffic     Shaping  also requires that you enable packet mangling.</li>
-          <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added 
- in  Shorewall  1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), 
- the  setting of  this variable determines whether Shorewall clears the traffic 
-  shaping configuration  during Shorewall [re]start and Shorewall stop. <br>
-          </li>
-                    <li><b>/etc/shorewall/tcrules</b> - A file where you
-can  specify       firewall     marking of packets. The firewall mark value
-may  be used  to classify     packets  for traffic shaping/control.<br>
-                    </li>
-                    <li><b>/etc/shorewall/tcstart </b>- A user-supplied file 
- that   is     sourced     by Shorewall during "shorewall start" and which 
- you can       use to define     your traffic shaping disciplines and classes. 
-  I have   provided     a <a
- href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>   that does 
-   table-driven CBQ shaping but if you read the traffic shaping   sections 
-  of     the     HOWTO mentioned above, you can probably code your   own faster
-  than     you can     learn how to use my sample. I personally  use    
-    <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below). 
- HTB         support may eventually become an integral part of Shorewall 
-since  HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
- HTB is a standard     part of the kernel but iproute2 must be patched  in
- order  to     use it.<br>
-                      <br>
-                      In tcstart, when you want to run the 'tc' utility,
-use  the   run_tc    function      supplied by shorewall if you want tc errors 
- to stop   the firewall.<br>
-                <br>
-            You can generally use off-the-shelf traffic shaping scripts by 
-simply    copying  them to /etc/shorewall/tcstart. I use <a
- href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) 
-    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
-and    modified  it according to the Wonder Shaper README). <b>WARNING: </b>If 
- you  use use Masquerading or SNAT (i.e., you only have one external IP address) 
-   then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] 
-   script won't work. Traffic shaping occurs after SNAT has already been
-applied    so when traffic shaping happens, all outbound traffic will have
-as a source     address the IP addresss of your firewall's external interface.<br>
-              </li>
-                    <li><b>/etc/shorewall/tcclear</b> - A user-supplied file 
- that   is     sourced     by Shorewall when it is clearing traffic shaping. 
- This   file is     normally     not required as Shorewall's method of clearing 
-  qdisc  and filter     definitions     is pretty general.</li>
-  
-</ul>
-        Shorewall allows you to start traffic shaping when Shorewall itself 
- starts   or it allows you to bring up traffic shaping when you bring up your
- interfaces.<br>
-        <br>
-        To start traffic shaping when Shorewall starts:<br>
-  
-<ol>
-          <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
-          <li>Supply an /etc/shorewall/tcstart script to configure your traffic 
-   shaping rules.</li>
-          <li>Optionally supply an /etc/shorewall/tcclear script to stop
-traffic    shaping. That is usually unnecessary.</li>
-          <li>If your tcstart script uses the 'fwmark' classifier, you can 
-mark   packets using entries in /etc/shorewall/tcrules.</li>
-  
-</ol>
-        To start traffic shaping when you bring up your network interfaces, 
- you   will have to arrange for your traffic shaping configuration script 
-to be  run at that time. How you do that is distribution dependent and will 
-not be covered here. You then should:<br>
-  
-<ol>
-          <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
-          <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear 
- scripts.</li>
-          <li value="4">If your tcstart script uses the 'fwmark' classifier, 
- you   can mark packets using entries in /etc/shorewall/tcrules.</li>
-  
-</ol>
-  
-<h3 align="left">Kernel Configuration</h3>
-  
-<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
-  
-<p align="center"><img border="0" src="images/QoS.png" width="590"
- height="764">
-                 </p>
-  
-<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
-  
-<p align="left">The fwmark classifier provides a convenient way to classify 
-        packets for traffic shaping. The /etc/shorewall/tcrules file provides 
-    a  means  for specifying these marks in a tabular fashion.<br>
-          </p>
-  
-<p align="left">Normally, packet marking occurs in the PREROUTING chain before 
-    any address rewriting takes place. This makes it impossible to mark inbound 
-    packets based on their destination address when SNAT or Masquerading
-are    being used. Beginning with Shorewall 1.3.12, you can cause packet
-marking    to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
-option  in  <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
-          </p>
-  
-<p align="left">Columns in the file are as follows:</p>
-  
-<ul>
-                    <li>MARK - Specifies the mark value is to be assigned 
-in  case   of      a match. This is an integer in the range 1-255. Beginning 
-with Shorewall  version 1.3.14, this value may be optionally followed by
-":" and either 'F'  or 'P' to designate that the marking will occur in the
-FORWARD or PREROUTING  chains respectively. If this additional specification
-is omitted, the chain  used to mark packets will be determined by the setting
-of the MARK_IN_FORWARD_CHAIN  option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
-                      <br>
-                      Example - 5<br>
-                    </li>
-                    <li>SOURCE - The source of the packet. If the packet
-originates          on  the firewall, place "fw" in this column. Otherwise,
-this is a      comma-separated   list of interface names, IP addresses, MAC
-addresses   in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
-Subnets.<br>
-                      <br>
-                      Examples<br>
-                          eth0<br>
-                          192.168.2.4,192.168.1.0/24<br>
-                    </li>
-                    <li>DEST -- Destination of the packet. Comma-separated 
-list   of      IP  addresses and/or subnets.<br>
-                    </li>
-                    <li>PROTO - Protocol - Must be the name of a protocol 
-from       /etc/protocol,    a number or "all"<br>
-                    </li>
-                    <li>PORT(S) - Destination Ports. A comma-separated list 
- of  Port       names  (from /etc/services), port numbers or port ranges (e.g.,
-  21:22);     if     the  protocol is "icmp", this column is interpreted as
-  the     destination    icmp  type(s).<br>
-                    </li>
-                    <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. 
-   If      omitted,  any source port is acceptable. Specified as a comma-separate 
-     list      of port names, port numbers or port ranges.</li>
-  
-</ul>
-  
-<p align="left">Example 1 - All packets arriving on eth1 should be marked 
-        with 1. All packets arriving on eth2 and eth3 should be marked with 
-  2.   All packets   originating on the firewall itself should be marked with
-  3.</p>
-  
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-                    <tbody>
-                     <tr>
-                      <td><b>MARK</b></td>
-                      <td><b>SOURCE</b></td>
-                      <td><b>DEST</b></td>
-                      <td><b>PROTO</b></td>
-                      <td><b>PORT(S)</b></td>
-                      <td><b>CLIENT PORT(S)</b></td>
-                    </tr>
-                    <tr>
-                      <td>1</td>
-                      <td>eth1</td>
-                      <td>0.0.0.0/0</td>
-                      <td>all</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-                    <tr>
-                      <td>2</td>
-                      <td>eth2</td>
-                      <td>0.0.0.0/0</td>
-                      <td>all</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-                    <tr>
-                   <td valign="top">2<br>
-                   </td>
-                   <td valign="top">eth3<br>
-                   </td>
-                   <td valign="top">0.0.0.0/0<br>
-                   </td>
-                   <td valign="top">all<br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                   <td valign="top"><br>
-                   </td>
-                 </tr>
-                 <tr>
-                      <td>3</td>
-                      <td>fw</td>
-                      <td>0.0.0.0/0</td>
-                      <td>all</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-    
-  </tbody> 
-</table>
-  
-<p align="left">Example 2 - All GRE (protocol 47) packets not originating 
-        on the firewall and destined for 155.186.235.151 should be marked 
-with     12.</p>
-  
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-                    <tbody>
-                     <tr>
-                      <td><b>MARK</b></td>
-                      <td><b>SOURCE</b></td>
-                      <td><b>DEST</b></td>
-                      <td><b>PROTO</b></td>
-                      <td><b>PORT(S)</b></td>
-                      <td><b>CLIENT PORT(S)</b></td>
-                    </tr>
-                    <tr>
-                      <td>12</td>
-                      <td>0.0.0.0/0</td>
-                      <td>155.186.235.151</td>
-                      <td>47</td>
-                      <td> </td>
-                      <td> </td>
-                    </tr>
-    
-  </tbody> 
-</table>
-  
-<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 
-        and destined for 155.186.235.151 should be marked with 22.</p>
-  
-<table border="2" cellpadding="2" style="border-collapse: collapse;">
-                    <tbody>
-                     <tr>
-                      <td><b>MARK</b></td>
-                      <td><b>SOURCE</b></td>
-                      <td><b>DEST</b></td>
-                      <td><b>PROTO</b></td>
-                      <td><b>PORT(S)</b></td>
-                      <td><b>CLIENT PORT(S)</b></td>
-                    </tr>
-                    <tr>
-                      <td>22</td>
-                      <td>192.168.1.0/24</td>
-                      <td>155.186.235.151</td>
-                      <td>tcp</td>
-                      <td>22</td>
-                      <td> </td>
-                    </tr>
-    
-  </tbody> 
-</table>
-  
-<h3>My Setup<br>
-            </h3>
-  
-<p>While I am currently using the HTB version of <a
- href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied 
-    wshaper.htb  to <b>/etc/shorewall/tcstart</b> and modified it as shown 
- in  the Wondershaper README),  I have also run with the following set of 
-hand-crafted  rules in my <b>/etc/shorewall/tcstart</b>  file:<br>
-            </p>
-  
-<blockquote>   
-  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
-    
-  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
-    
-  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
-    
-  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
-    
-  <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
-    
-  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
-    
-  <pre>echo "   Defined fwmark filters"<br></pre>
-                            </blockquote>
-  
-<p>My tcrules file that went with this tcstart file is shown in Example 1 
-     above. You can look at <a href="myfiles.htm">my configuration</a> to 
-see why I wanted shaping of this type.<br>
-             </p>
-  
-<ol>
-               <li>I wanted to allow up to 140kbits/second for traffic outbound 
-   from   my DMZ (note that the ceiling is set to 384kbit so outbound DMZ 
-traffic   can  use all available bandwidth if there is no traffic from the 
-local systems     or from my laptop or firewall).</li>
-               <li>My laptop and local systems could use up to 224kbits/second.</li>
-               <li>My firewall could use up to 20kbits/second.</li>
-  
-</ol>
-   You see <a href="myfiles.htm">the rest of my Shorewall configuration</a> 
- to see how this fit in. <br>
-  
-<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
-  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-         © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-      </p>
-      <br>
-     <br>
+  <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
+Traffic Shaping also requires that you enable packet mangling.</li>
+  <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
+in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
+the setting of this variable determines whether Shorewall clears the
+traffic shaping configuration during Shorewall [re]start and Shorewall
+stop. <br>
+  </li>
+  <li><b>/etc/shorewall/tcrules</b> - A file where you
+can specify firewall marking of packets. The firewall mark value
+may be used to classify packets for traffic shaping/control.<br>
+  </li>
+  <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that is
+sourced by Shorewall during "shorewall start" and which you can use to
+define your traffic shaping disciplines and classes. I have provided a <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
+table-driven CBQ shaping but if you read the traffic shaping sections
+of the HOWTO mentioned above, you can probably code your own faster
+than you can learn how to use my sample. I personally use <a
+ href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
+support may eventually become an integral part of Shorewall since HTB
+is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
+standard part of the kernel but iproute2 must be patched in order to
+use it.<br>
     <br>
-   <br>
-  <br>
- <br>
+In tcstart, when you want to run the 'tc' utility,
+use the run_tc function supplied by shorewall if you want tc errors to
+stop the firewall.<br>
+    <br>
+You can generally use off-the-shelf traffic shaping scripts by simply
+copying them to /etc/shorewall/tcstart. I use <a
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB
+version) that way (i.e., I just copied wshaper.htb to
+/etc/shorewall/tcstart
+and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
+you use use Masquerading or SNAT (i.e., you only have one external IP
+address) then listing internal hosts in the NOPRIOHOSTSRC variable in
+the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
+has already been
+applied so when traffic shaping happens, all outbound traffic will have
+as a source address the IP addresss of your firewall's external
+interface.<br>
+  </li>
+  <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that is
+sourced by Shorewall when it is clearing traffic shaping. This file is
+normally not required as Shorewall's method of clearing qdisc and
+filter definitions is pretty general.</li>
+</ul>
+Shorewall allows you to start traffic shaping when Shorewall itself
+starts or it allows you to bring up traffic shaping when you bring up
+your interfaces.<br>
+<br>
+To start traffic shaping when Shorewall starts:<br>
+<ol>
+  <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
+  <li>Supply an /etc/shorewall/tcstart script to configure your traffic
+shaping rules.</li>
+  <li>Optionally supply an /etc/shorewall/tcclear script to stop
+traffic shaping. That is usually unnecessary.</li>
+  <li>If your tcstart script uses the 'fwmark' classifier, you can mark
+packets using entries in /etc/shorewall/tcrules.</li>
+</ol>
+To start traffic shaping when you bring up your network interfaces, you
+will have to arrange for your traffic shaping configuration script to
+be run at that time. How you do that is distribution dependent and will
+not be covered here. You then should:<br>
+<ol>
+  <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
+  <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
+scripts.</li>
+  <li value="4">If your tcstart script uses the 'fwmark' classifier,
+you can mark packets using entries in /etc/shorewall/tcrules.</li>
+</ol>
+<h3 align="left">Kernel Configuration</h3>
+<p align="left">This screen shot show how I've configured QoS in my
+Kernel:</p>
+<p align="center"><img border="0" src="images/QoS.png" width="590"
+ height="764"> </p>
+<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
+<p align="left">The fwmark classifier provides a convenient way to
+classify packets for traffic shaping. The /etc/shorewall/tcrules file
+provides a means for specifying these marks in a tabular fashion.<br>
+</p>
+<p align="left">Normally, packet marking occurs in the PREROUTING chain
+before any address rewriting takes place. This makes it impossible to
+mark inbound packets based on their destination address when SNAT or
+Masquerading
+are being used. Beginning with Shorewall 1.3.12, you can cause packet
+marking to occur in the FORWARD chain by using the
+MARK_IN_FORWARD_CHAIN
+option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+</p>
+<p align="left">Columns in the file are as follows:</p>
+<ul>
+  <li>MARK - Specifies the mark value is to be assigned in case of a
+match. This is an integer in the range 1-255. Beginning with Shorewall
+version 1.3.14, this value may be optionally followed by
+":" and either 'F' or 'P' to designate that the marking will occur in
+the
+FORWARD or PREROUTING chains respectively. If this additional
+specification
+is omitted, the chain used to mark packets will be determined by the
+setting
+of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
+    <br>
+Example - 5<br>
+  </li>
+  <li>SOURCE - The source of the packet. If the packet
+originates on the firewall, place "fw" in this column. Otherwise,
+this is a comma-separated list of interface names, IP addresses, MAC
+addresses in <a href="Documentation.htm#MAC">Shorewall Format</a>
+and/or
+Subnets.<br>
+    <br>
+Examples<br>
+&nbsp;&nbsp;&nbsp; eth0<br>
+&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
+  </li>
+  <li>DEST -- Destination of the packet. Comma-separated list of IP
+addresses and/or subnets.<br>
+  </li>
+  <li>PROTO - Protocol - Must be the name of a protocol from
+/etc/protocol, a number or "all"<br>
+  </li>
+  <li>PORT(S) - Destination Ports. A comma-separated list of Port names
+(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
+protocol is "icmp", this column is interpreted as the destination icmp
+type(s).<br>
+  </li>
+  <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
+omitted, any source port is acceptable. Specified as a comma-separate
+list of port names, port numbers or port ranges.</li>
+</ul>
+<p align="left">Example 1 - All packets arriving on eth1 should be
+marked with 1. All packets arriving on eth2 and eth3 should be marked
+with 2. All packets originating on the firewall itself should be marked
+with 3.</p>
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+  <tbody>
+    <tr>
+      <td><b>MARK</b></td>
+      <td><b>SOURCE</b></td>
+      <td><b>DEST</b></td>
+      <td><b>PROTO</b></td>
+      <td><b>PORT(S)</b></td>
+      <td><b>CLIENT PORT(S)</b></td>
+    </tr>
+    <tr>
+      <td>1</td>
+      <td>eth1</td>
+      <td>0.0.0.0/0</td>
+      <td>all</td>
+      <td>&nbsp;</td>
+      <td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td>2</td>
+      <td>eth2</td>
+      <td>0.0.0.0/0</td>
+      <td>all</td>
+      <td>&nbsp;</td>
+      <td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td valign="top">2<br>
+      </td>
+      <td valign="top">eth3<br>
+      </td>
+      <td valign="top">0.0.0.0/0<br>
+      </td>
+      <td valign="top">all<br>
+      </td>
+      <td valign="top"><br>
+      </td>
+      <td valign="top"><br>
+      </td>
+    </tr>
+    <tr>
+      <td>3</td>
+      <td>fw</td>
+      <td>0.0.0.0/0</td>
+      <td>all</td>
+      <td>&nbsp;</td>
+      <td>&nbsp;</td>
+    </tr>
+  </tbody>
+</table>
+<p align="left">Example 2 - All GRE (protocol 47) packets not
+originating on the firewall and destined for 155.186.235.151 should be
+marked with 12.</p>
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+  <tbody>
+    <tr>
+      <td><b>MARK</b></td>
+      <td><b>SOURCE</b></td>
+      <td><b>DEST</b></td>
+      <td><b>PROTO</b></td>
+      <td><b>PORT(S)</b></td>
+      <td><b>CLIENT PORT(S)</b></td>
+    </tr>
+    <tr>
+      <td>12</td>
+      <td>0.0.0.0/0</td>
+      <td>155.186.235.151</td>
+      <td>47</td>
+      <td>&nbsp;</td>
+      <td>&nbsp;</td>
+    </tr>
+  </tbody>
+</table>
+<p align="left">Example 3 - All SSH packets originating in
+192.168.1.0/24 and destined for 155.186.235.151 should be marked with
+22.</p>
+<table border="2" cellpadding="2" style="border-collapse: collapse;">
+  <tbody>
+    <tr>
+      <td><b>MARK</b></td>
+      <td><b>SOURCE</b></td>
+      <td><b>DEST</b></td>
+      <td><b>PROTO</b></td>
+      <td><b>PORT(S)</b></td>
+      <td><b>CLIENT PORT(S)</b></td>
+    </tr>
+    <tr>
+      <td>22</td>
+      <td>192.168.1.0/24</td>
+      <td>155.186.235.151</td>
+      <td>tcp</td>
+      <td>22</td>
+      <td>&nbsp;</td>
+    </tr>
+  </tbody>
+</table>
+<h3>My Current Setup<br>
+</h3>
+<p>I am currently using the HTB version of <a
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just
+copied wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as
+shown in the Wondershaper README).<span style="font-weight: bold;"> </span>WonderShaper
+DOES NOT USE THE
+/etc/shorewall/tcrules file. While I currently have entries in
+/etc/shorewall/tcrules, I do so for <a
+ href="Shorewall_Squid_Usage.html">policy routing for Squid</a> and not
+for Traffic Shaping.</p>
+<h3>My Old Setup<br>
+</h3>
+<p>I have also run with the following set of hand-crafted rules in my <b>/etc/shorewall/tcstart</b>
+file.<br>
+</p>
+<blockquote>
+  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "&nbsp;&nbsp; Added Top Level Class -- rate 384kbit"</pre>
+  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit&nbsp; ceil 384kbit burst 15k quantum 1500 prio 1</pre>
+  <pre>echo "&nbsp;&nbsp; Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
+  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
+  <pre>echo "&nbsp;&nbsp; Enabled PFIFO on Second Level Classes"</pre>
+  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
+  <pre>echo "&nbsp;&nbsp; Defined fwmark filters"<br></pre>
+</blockquote>
+<p>My tcrules file that went with this tcstart file is shown in Example
+1 above. When I was using these rules:<br>
+</p>
+<ol>
+  <li>I wanted to allow up to 140kbits/second for traffic outbound from
+my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
+traffic can use all available bandwidth if there is no traffic from the
+local systems or from my laptop or firewall).</li>
+  <li>My laptop (which at that time connected via eth3) and local
+systems (eth2) could use up to 224kbits/second.</li>
+  <li>My firewall could use up to 20kbits/second.</li>
+</ol>
+Once www.shorewall.net was moved off-site, I no longer needed these
+shaping rules and The Wonder Shaper does all that I now require.<br>
+<p><font size="2">Last Updated 10/21/2003 - <a href="support.htm">Tom
+Eastep</a></font></p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
+</p>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/troubleshoot.htm b/Shorewall-docs/troubleshoot.htm
index 9669a7ab9..b7afdf2b4 100644
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@@ -8,19 +8,10 @@
   <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
- src="images/obrasinf.gif" alt="Beating head on table" width="90"
- height="90" align="middle"> </font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
+Troubleshooting <img src="images/obrasinf.gif"
+ alt="Beating head on table" style="width: 90px; height: 90px;"
+ align="middle" title=""></h1>
 <h3 style="text-align: center;"><span style="font-style: italic;">"If
 you think you can you can; if you think you can't you're right.<br>
 If you don't believe that you can, why should someone else?" -- Gunnar
@@ -145,8 +136,8 @@ sending the packets or the destination host isn't in any zone (using an
         <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
 are you?); or</li>
       <li>the source and destination hosts are both connected to the
-same interface and you don't have a policy or rule for the
-source zone to or from the destination zone.</li>
+same interface and you haven't specified the 'routeback' option on that
+interface.</li>
     </ol>
   </li>
   <li>Remember that Shorewall doesn't automatically allow ICMP type 8
@@ -199,7 +190,7 @@ in /etc/shorewall/shorewall.conf.</li>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote> </blockquote>
 </font>
-<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
+<p><font size="2">Last updated 11/1/2003 - Tom Eastep</font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </p>
diff --git a/Shorewall-docs/two-interface.htm b/Shorewall-docs/two-interface.htm
index 2d849b165..e43e72d7b 100644
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@@ -10,18 +10,8 @@
   <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber5"
- bgcolor="#3366ff" height="90">
-  <tbody>
-    <tr>
-      <td width="100%">
-      <h1 align="center"><font color="#ffffff">Basic Two-Interface
-Firewall</font></h1>
-      </td>
-    </tr>
-  </tbody>
-</table>
+<h1 style="text-align: center;">Basic Two-Interface Firewall<br>
+</h1>
 <p align="left">Setting up a Linux system as a firewall for a small
 network is a fairly straight-forward task if you understand the basics
 and follow the documentation.</p>
@@ -30,7 +20,10 @@ of Shorewall. It rather focuses on what is required to configure
 Shorewall in its most common configuration:</p>
 <ul>
   <li>Linux system used as a firewall/router for a small local network.</li>
-  <li>Single public IP address.</li>
+  <li style="font-weight: bold;">Single public IP address. If you have
+more than one public IP address, this is not the guide you want -- see
+the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
+instead.</li>
   <li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
 dial-up ...</li>
 </ul>
@@ -140,8 +133,8 @@ that file matches the connection request then the first policy
 in /etc/shorewall/policy that matches the request is applied.
 If that policy is REJECT or DROP&nbsp; the request is first checked
 against
-the rules in /etc/shorewall/common (the samples provide that file
-for you).</p>
+the rules in /etc/shorewall/common if that file exists; otherwise the
+rules in /etc/shorewall/common.def are checked.</p>
 <p>The /etc/shorewall/policy file included with the two-interface
 sample
 has the following policies:</p>
@@ -946,9 +939,15 @@ have added an entry for the IP address that you are connected from to <a
 Also, I don't recommend using "shorewall restart"; it is better
 to create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
- href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
+</p>
+<h2>Additional Recommended Reading</h2>
+I highly recommend that you review the <a
+ href="configuration_file_basics.htm">Common Configuration File
+Features page</a> -- it contains helpful tips about Shorewall features
+than make administering your firewall easier.
 </div>
-<p align="left"><font size="2">Last updated 8/8/2003 - <a
+<p align="left"><font size="2">Last updated 11/15/2003 - <a
  href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a><br>
diff --git a/Shorewall-docs/two-interface_fr.html b/Shorewall-docs/two-interface_fr.html
index 5262afb6f..93f4ea84a 100755
--- a/Shorewall-docs/two-interface_fr.html
+++ b/Shorewall-docs/two-interface_fr.html
@@ -1,1381 +1,1339 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
 <html>
 <head>
-            
   <meta http-equiv="CONTENT-TYPE"
  content="text/html; charset=iso-8859-1">
   <title>Two-Interface Firewall</title>
-                     
   <meta name="GENERATOR" content="OpenOffice.org 1.0.1  (Linux)">
-            
   <meta name="CREATED" content="20030121;19181000">
-            
   <meta name="CHANGED" content="20030121;20290700">
-            
   <meta name="ProgId" content="FrontPage.Editor.Document">
-            
   <meta name="Microsoft Theme" content="none">
-            
   <meta http-equiv="Content-Language" content="en-us">
 </head>
-  <body lang="fr-FR">
-          
-<table width="100%" border="0" cellpadding="0" cellspacing="0"
- bgcolor="#3366ff">
-   	<tbody>
-       <tr>
-   		<td width="100%" height="90">                     
-      <h1 align="center"><font color="#ffffff">Basic Two-Interface 			Firewall</font></h1>
-   		</td>
-   	</tr>
-           
-  </tbody>   
-</table>
-     
-<h2 align="center">Version 2.0.1 Fran&ccedil;aise</h2>
-     
+<body lang="fr-FR">
+<h1 style="text-align: center;">Basic Two-Interface Firewall</h1>
 <p align="left"><br>
-   <small><i><u>Notes du traducteur</u> :<br>
-   Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou 
-mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne 
-me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t
-&agrave; en faire une version fran&ccedil;aise intelligible par tous (et
-par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
- sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
- les retrouver dans le reste des documentations ainsi que dans les fichiers
- de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
- ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> 
- (merci &agrave; JMM pour sa relecture et ses commentaires pertinents, ainsi
- qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i></small><i>.<br>
-   <br>
-   </i></p>
-     
-<p align="left">Mettre en place un syst&egrave;me Linux en tant que firewall
- pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
- les bases et suivez la documentation.</p>
-     
-<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
-se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
- son utilisation la plus courante :</p>
-     
+<small><i><u>Notes du traducteur</u> :<br>
+Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
+mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je
+ne me suis pas attach&eacute; &agrave; une traduction exacte du texte,
+mais plut&ocirc;t
+&agrave; en faire une version fran&ccedil;aise intelligible par tous
+(et
+par moi). Les termes techniques sont la plupart du temps
+conserv&eacute;s sous leur forme originale et mis entre
+parenth&egrave;ses car vous pouvez les retrouver dans le reste des
+documentations ainsi que dans les fichiers de configuration.
+N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer ce
+document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
+(merci &agrave; JMM pour sa relecture et ses commentaires pertinents,
+ainsi qu'&agrave; Tom EASTEP pour son formidable outil et sa
+disponibilit&eacute;)</i></small><i>.<br>
+<br>
+</i></p>
+<p align="left">Mettre en place un syst&egrave;me Linux en tant que
+firewall pour un petit r&eacute;seau est une chose assez simple, si
+vous comprenez les bases et suivez la documentation.</p>
+<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
+Il
+se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall,
+dans son utilisation la plus courante :</p>
 <ul>
-   	<li>               
-    <p style="margin-bottom: 0cm;">Un syst&egrave;me Linux utilis&eacute;
- 	en tant que firewall/routeur pour un petit r&eacute;seau local.  	</p>
-   	</li>
-     <li>               
-    <p style="margin-bottom: 0cm;">Une seule adresse IP publique.  	</p>
-   	</li>
-     <li>               
-    <p>Une connexion Internet par le biais d'un modem 	c&acirc;ble, ADSL,
- ISDN, "Frame Relay", RTC ...  	</p>
-     </li>
-     
+  <li>
+    <p style="margin-bottom: 0cm;">Un syst&egrave;me Linux
+utilis&eacute; en tant que firewall/routeur pour un petit r&eacute;seau
+local. </p>
+  </li>
+  <li>
+    <p style="margin-bottom: 0cm;">Une seule adresse IP publique. </p>
+  </li>
+  <li>
+    <p>Une connexion Internet par le biais d'un modem c&acirc;ble,
+ADSL, ISDN, "Frame Relay", RTC ... </p>
+  </li>
 </ul>
-     
 <p align="left">Voici un sch&eacute;ma d'une installation typique.</p>
-     
 <p align="center"><img src="images/basics.png" name="Image1"
- align="bottom" width="444" height="635" border="0">
-  </p>
-     
-<p><b>Si vous faites tourner Shorewall sous Mandrake 9.0 ou plus r&eacute;cent,
- vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
- l'applet Mandrake "Internet Connection Sharing". Depuis le "Mandrake Control
- Center", s&eacute;lectionnez "Network &amp; Internet" et "Connection Sharing".
- Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave;
-ce  guide.</b></p>
-     
-<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
- </i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
- la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall.
+ align="bottom" width="444" height="635" border="0"> </p>
+<p><b>Si vous faites tourner Shorewall sous Mandrake 9.0 ou plus
+r&eacute;cent, vous pouvez facilement r&eacute;aliser la configuration
+ci-dessus en utilisant l'applet Mandrake "Internet Connection Sharing".
+Depuis le "Mandrake Control Center", s&eacute;lectionnez "Network &amp;
+Internet" et "Connection Sharing". Vous ne devriez pas avoir besoin de
+vous r&eacute;f&eacute;rer &agrave;
+ce guide.</b></p>
+<p>Ce guide suppose que vous avez le paquet iproute/iproute2
+d'install&eacute;.<i> </i>Vous pouvez voir si le paquet est
+install&eacute; en v&eacute;rifiant la pr&eacute;sence du programme ip
+sur votre syst&egrave;me de firewall.
 Sous root, utilisez la commande 'which' pour rechercher le programme :</p>
-     
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-     
-<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
- vous familiariser avec ce qui va se passer, et de revenir au d&eacute;but
- en effectuant le changements dans votre configuration. Les points o&ugrave;,
- les changements dans la configuration sont recommand&eacute;es, sont signal&eacute;s
- par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
- width="13" height="13" border="0">
-  .</p>
-     
+<p>Je vous recommande dans un premier temps de parcourir tout le guide
+pour vous familiariser avec ce qui va se passer, et de revenir au
+d&eacute;but en effectuant le changements dans votre configuration. Les
+points o&ugrave;, les changements dans la configuration sont
+recommand&eacute;es, sont signal&eacute;s par une <img
+ src="images/BD21298_.gif" name="Image2" align="bottom" width="13"
+ height="13" border="0"> .</p>
 <p><img src="images/j0213519.gif" name="Image3" align="bottom"
- width="60" height="60" border="0">
-  &nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration
-sur  un syst&egrave;me Windows, vous devez les sauver comme des fichiers
-Unix si votre &eacute;diteur offre cette option sinon vous devez les faire
-passer  par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
- si vous copiez un fichier de configuration depuis votre disque dur Windows
- vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
- avec Shorewall.</p>
-     
+ width="60" height="60" border="0"> &nbsp;&nbsp;&nbsp; Si vous
+&eacute;ditez vos fichiers de configuration
+sur un syst&egrave;me Windows, vous devez les sauver comme des fichiers
+Unix si votre &eacute;diteur offre cette option sinon vous devez les
+faire
+passer par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me
+mani&egrave;re, si vous copiez un fichier de configuration depuis votre
+disque dur Windows vers une disquette, vous devez lancer dos2unix sur
+la copie avant de l'utiliser avec Shorewall.</p>
 <ul>
-   	<li>               
+  <li>
     <p style="margin-bottom: 0cm;"><a
- href="http://www.simtel.net/pub/pd/51438.html">Windows 	Version of dos2unix</a>
- 	</p>
-   	</li>
-     <li>               
-    <p><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 	Version
- of dos2unix</a> 	</p>
-     </li>
-     
+ href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
+dos2unix</a> </p>
+  </li>
+  <li>
+    <p><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
+Version of dos2unix</a> </p>
+  </li>
 </ul>
-     
 <h2 align="left">Les Concepts de Shorewall</h2>
-     
 <p><img src="images/BD21298_.gif" name="Image4" align="bottom"
- width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
- le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
- n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit 
- dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>,
+ width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp; Les fichiers de
+configuration pour Shorewall sont dans le r&eacute;pertoire
+/etc/shorewall -- pour de simples configurations, vous n'aurez
+seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
+dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
+Shorewall</a>,
 t&eacute;l&eacute; chargez<b> le <a
- href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface  sample</a>, 
-un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall 
-(ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
-     
-<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers,
- je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
- sur votre syst&egrave;me -- tous les fichiers contiennent des instructions
- de configuration d&eacute;taill&eacute;es et des valeurs par d&eacute;faut.</p>
-     
-<p>Shorewall voit le r&eacute;seau o&ugrave; il tourne, comme un ensemble
- de <i>zones.</i> Dans une configuration avec deux interfaces, les noms des
- zones suivantes sont utilis&eacute;s:</p>
-   <a name="AutoNumber2"></a>   
+ href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
+sample</a>, un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les
+fichiers vers /etc/shorewall (ces fichiers remplaceront les fichiers de
+m&ecirc;me nom).</b></p>
+<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des
+fichiers, je vous sugg&egrave;re de regarder le fichier qui se trouve
+r&eacute;ellement sur votre syst&egrave;me -- tous les fichiers
+contiennent des instructions de configuration d&eacute;taill&eacute;es
+et des valeurs par d&eacute;faut.</p>
+<p>Shorewall voit le r&eacute;seau o&ugrave; il tourne, comme un
+ensemble de <i>zones.</i> Dans une configuration avec deux interfaces,
+les noms des zones suivantes sont utilis&eacute;s:</p>
+<a name="AutoNumber2"></a>
 <table border="0" cellpadding="3" cellspacing="0">
-   	<tbody>
-       <tr>
-   		<td>                     
+  <tbody>
+    <tr>
+      <td>
       <p><u><b>Nom</b></u></p>
-   		</td>
-   		<td>                     
+      </td>
+      <td>
       <p><u><b>Description</b></u></p>
-   		</td>
-   	</tr>
-   	<tr>
-   		<td>                     
+      </td>
+    </tr>
+    <tr>
+      <td>
       <p><b>net</b></p>
-   		</td>
-   		<td>                     
+      </td>
+      <td>
       <p><b>Internet</b></p>
-   		</td>
-   	</tr>
-   	<tr>
-   		<td>                     
+      </td>
+    </tr>
+    <tr>
+      <td>
       <p><b>loc</b></p>
-   		</td>
-   		<td>                     
+      </td>
+      <td>
       <p><b>Votre r&eacute;seau local</b></p>
-   		</td>
-   	</tr>
-           
-  </tbody>   
+      </td>
+    </tr>
+  </tbody>
 </table>
-     
 <p>Les zones sont d&eacute;finies dans le fichier<a
  href="Documentation.htm#Zones">/etc/shorewall/zones</a> .</p>
-     
-<p>Shorewall reconna&icirc;t aussi le syst&egrave;me de firewall comme sa
- propre zone - par d&eacute;faut, le firewall est connu comme<b> fw.</b></p>
-     
-<p>Les r&egrave;gles &agrave; propos de quel trafic autoriser, et de quel
- trafic interdire sont exprim&eacute;es en terme de zones.</p>
-     
+<p>Shorewall reconna&icirc;t aussi le syst&egrave;me de firewall comme
+sa propre zone - par d&eacute;faut, le firewall est connu comme<b> fw.</b></p>
+<p>Les r&egrave;gles &agrave; propos de quel trafic autoriser, et de
+quel trafic interdire sont exprim&eacute;es en terme de zones.</p>
 <ul>
-   	<li>               
-    <p style="margin-bottom: 0cm;">Vous exprimez votre politique par 	d&eacute;faut
- pour les connexions d'une zone vers une autre zone 	dans le fichier<a
- href="Documentation.htm#Policy">	/etc/shorewall/policy </a>. 	</p>
-   	</li>
-     <li>               
-    <p>Vous d&eacute;finissez les exceptions &agrave; ces politiques 	pas
- d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules 
- 	</a>. 	</p>
-     </li>
-     
+  <li>
+    <p style="margin-bottom: 0cm;">Vous exprimez votre politique par
+d&eacute;faut pour les connexions d'une zone vers une autre zone dans
+le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>.
+    </p>
+  </li>
+  <li>
+    <p>Vous d&eacute;finissez les exceptions &agrave; ces politiques
+pas d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules
+    </a>. </p>
+  </li>
 </ul>
-     
-<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
- est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
- Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande
-de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
- qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou
-DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par
+<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la
+requ&ecirc;te est en premier lieu compar&eacute;e par rapport au
+fichier /etc/shorewall/rules. Si aucune r&egrave;gle dans ce fichier ne
+correspond &agrave; la demande
+de connexion alors la premi&egrave;re politique dans le fichier
+/etc/shorewall/policy qui y correspond sera appliqu&eacute;e. Si cette
+politique est REJECT ou
+DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e
+par
 rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p>
-     
-<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
- a les politiques suivantes:</p>
-   <a name="AutoNumber3"></a>   
+<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple
+(two-interface) a les politiques suivantes:</p>
+<a name="AutoNumber3"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>Source Zone</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Destination Zone</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Policy</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Log Level</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Limit:Burst</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>loc</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>all</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>DROP</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>info</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>all</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>all</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>REJECT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>info</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante
-est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall
-puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
- la ligne.</blockquote>
-   <a name="AutoNumber31"></a>   
+<blockquote>Dans le fichier d'exemple (two-interface), la ligne
+suivante
+est inclue mais elle est comment&eacute;e. Si vous voulez que votre
+firewall
+puisse avoir un acc&egrave;s complet aux serveurs sur Internet,
+d&eacute;commentez la ligne.</blockquote>
+<a name="AutoNumber31"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>Source Zone</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Destination Zone</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Policy</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Log Level</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>Limit:Burst</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
 <p>Ces politiques vont:</p>
-     
 <ol>
-   	<li>               
-    <p style="margin-bottom: 0cm;">permettre toutes les demandes de 	connexion
- depuis votre r&eacute;seau local vers l'Internet  	</p>
-   	</li>
-     <li>               
-    <p style="margin-bottom: 0cm;">drop (ou ignorer) toutes les 	demandes
- de connexion depuis l'Internet vers votre firewall ou 	votre r&eacute;seau
- local.  	</p>
-   	</li>
-     <li>               
-    <p style="margin-bottom: 0cm;">Facultativement&nbsp;accepter toutes les
- 	demandes de connexion de votre firewall vers l'Internet (si vous 	avez
-d&eacute;  comment&eacute; la politique additionnelle)  	</p>
-   	</li>
-     <li>               
-    <p>reject (rejeter) toutes les autres demandes de connexion.  	</p>
-     </li>
-     
+  <li>
+    <p style="margin-bottom: 0cm;">permettre toutes les demandes de
+connexion depuis votre r&eacute;seau local vers l'Internet </p>
+  </li>
+  <li>
+    <p style="margin-bottom: 0cm;">drop (ou ignorer) toutes les
+demandes de connexion depuis l'Internet vers votre firewall ou votre
+r&eacute;seau local. </p>
+  </li>
+  <li>
+    <p style="margin-bottom: 0cm;">Facultativement&nbsp;accepter toutes
+les demandes de connexion de votre firewall vers l'Internet (si vous
+avez
+d&eacute; comment&eacute; la politique additionnelle) </p>
+  </li>
+  <li>
+    <p>reject (rejeter) toutes les autres demandes de connexion. </p>
+  </li>
 </ol>
-     
 <p><img src="images/BD21298_.gif" name="Image5" align="bottom"
- width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; A ce point, &eacute;ditez votre fichier /etc/shorewall/policy
- et faite les changements que vous d&eacute;sirez.</p>
-     
+ width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp; A ce point,
+&eacute;ditez votre fichier /etc/shorewall/policy et faite les
+changements que vous d&eacute;sirez.</p>
 <h2 align="left">Network Interfaces</h2>
-     
 <p align="center"><img src="images/basics.png" name="Image6"
- align="bottom" width="444" height="635" border="0">
-  </p>
-     
-<p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la
- connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
- modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External
-Interface)</i>  sera l'adaptateur sur lequel est connect&eacute; le routeur
-(e.g., <b>eth0</b>)&nbsp;  <u>&agrave; moins que</u> vous ne vous connectiez
-par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol  over<u>E</u>thernet</i>
-(PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP), 
- dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
- (e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
- interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
- par Num&eacute;ris (ISDN), votre interface ext&eacute;rieure sera<b>ippp0.</b></p>
-     
+ align="bottom" width="444" height="635" border="0"> </p>
+<p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque
+la connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas
+un simple modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External
+Interface)</i> sera l'adaptateur sur lequel est connect&eacute; le
+routeur
+(e.g., <b>eth0</b>)&nbsp; <u>&agrave; moins que</u> vous ne vous
+connectiez
+par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol over<u>E</u>thernet</i>
+(PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
+dans ce cas l'interface ext&eacute;rieure sera une interface de type
+ppp (e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem
+(RTC), votre interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si
+votre connexion passe par Num&eacute;ris (ISDN), votre interface
+ext&eacute;rieure sera<b>ippp0.</b></p>
 <p align="left"><img src="images/BD21298_1.gif" name="Image7"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b>
- ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
- href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></p>
-     
-<p align="left">Votre <i>Internal Interface</i> (interface vers votre r&eacute;seau
- local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou eth0) et sera connect&eacute;e
- &agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;).
-Vos  autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
-     
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b> ou <b>ippp0</b>&nbsp;
+alors vous mettrez CLAMPMSS=yes dans <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></p>
+<p align="left">Votre <i>Internal Interface</i> (interface vers votre
+r&eacute;seau local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou
+eth0) et sera connect&eacute;e &agrave; un hub ou switch (ou un PC avec
+un c&acirc;ble crois&eacute;).
+Vos autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me
+hub/switch</p>
 <p align="left"><b><u><img src="images/j0213519.gif" name="Image8"
- align="bottom" width="60" height="60" border="0">
-  </u></b>Ne connectez pas l'interface interne et externe sur le m&ecirc;me
- hub ou switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez
- pas que ce soit shorewall qui ne marche pas.</p>
-     
+ align="bottom" width="60" height="60" border="0"> </u></b>Ne
+connectez pas l'interface interne et externe sur le m&ecirc;me hub ou
+switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez
+pas que ce soit shorewall qui ne marche pas.</p>
 <p align="left"><img src="images/BD21298_.gif" name="Image9"
- align="left" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
- suppose que votre interface externe est <b>eth0</b>et que l'interne est
-<b>eth1</b>.  Si votre configuration est diff&eacute;rente, vous devrez modifier
-le fichier  <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-en cons&eacute;quence.  Tant que vous y &ecirc;tes, vous pourriez parcourir
-la liste des options qui sont sp&eacute;cifi&eacute;es pour les interfaces.
+ align="left" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp; Le
+fichier de configuration d'exemple pour deux interfaces suppose que
+votre interface externe est <b>eth0</b>et que l'interne est
+<b>eth1</b>. Si votre configuration est diff&eacute;rente, vous devrez
+modifier
+le fichier <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+en cons&eacute;quence. Tant que vous y &ecirc;tes, vous pourriez
+parcourir
+la liste des options qui sont sp&eacute;cifi&eacute;es pour les
+interfaces.
 Quelques trucs:</p>
-     
 <ul>
-   	<li>               
-    <p align="left">Si votre interface vers l'ext&eacute;rieur est 	<b>ppp0</b> 
- ou <b>ippp0</b>, vous pouvez remplacer le "detect" 	dans la seconde colonne
- par un "-".  	</p>
-   	</li>
-     <li>               
-    <p align="left">Si votre interface vers l'ext&eacute;rieur 	est&nbsp;<b>ppp0</b>
- ou <b>ippp0</b> ou si vous avez une adresse IP 	statique, vous pouvez enlever
- "dhcp" dans la liste des 	options.  	</p>
-     </li>
-     
+  <li>
+    <p align="left">Si votre interface vers l'ext&eacute;rieur est <b>ppp0</b>
+ou <b>ippp0</b>, vous pouvez remplacer le "detect" dans la seconde
+colonne par un "-". </p>
+  </li>
+  <li>
+    <p align="left">Si votre interface vers l'ext&eacute;rieur est&nbsp;<b>ppp0</b>
+ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez
+enlever "dhcp" dans la liste des options. </p>
+  </li>
 </ul>
-     
 <h2 align="left">Adresses IP</h2>
-     
-<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
- sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
- Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP 
- address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i> 
- Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de
-votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
- votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
- une adresse statique<i> (static</i>IP address); cela signifie que vous devez
- configurer l'interface externe de votre firewall afin d'utiliser cette adresse
- de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
- va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s 
- &agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau
-local (votre interface interne sur le firewall &nbsp;ainsi que les autres
+<p align="left">Avant d'aller plus loin, nous devons dire quelques mots
+au sujet de Internet Protocol (IP) <i>addresses</i>. Normalement,
+votre fournisseur Internet (ISP) vous assignera une seule adresse IP
+(single <i>Public</i>IP address). Cette adresse peut &ecirc;tre
+assign&eacute;e par le Dynamic<i> Host Configuration Protocol</i>(DHCP)
+ou lors de l'&eacute;tablissement de
+votre connexion lorsque vous vous connectez (modem standard) ou
+&eacute;tablissez votre connexion PPP. Dans de rares cas , votre
+provider peut vous assigner une adresse statique<i> (static</i>IP
+address); cela signifie que vous devez configurer l'interface externe
+de votre firewall afin d'utiliser cette adresse de mani&egrave;re
+permanente. Votre adresse externe assign&eacute;e, elle va &ecirc;tre
+partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
+&agrave; Internet. Vous devrez assigner vos propres adresses dans votre
+r&eacute;seau
+local (votre interface interne sur le firewall &nbsp;ainsi que les
+autres
 ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP
 address ranges) &agrave; cette fin :</p>
-     
 <pre style="text-align: left;">     10.0.0.0    - 10.255.255.255an<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-     
 <p align="left"><img src="images/BD21298_.gif" name="Image10"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Avant de lancer Shorewall, vous devriez regarder l'adresse
- IP de votre interface externe, et si elle est dans les plages pr&eacute;c&eacute;dentes,
- vous devriez enlever l'option 'norfc1918' dans la ligne concernant l'interface
- externe dans le fichier /etc/shorewall/interfaces.</p>
-     
-<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
- (<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
- un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
- sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0.
-L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau
-(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse
-de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Avant de lancer Shorewall, vous devriez regarder l'adresse IP de votre
+interface externe, et si elle est dans les plages
+pr&eacute;c&eacute;dentes, vous devriez enlever l'option 'norfc1918'
+dans la ligne concernant l'interface externe dans le fichier
+/etc/shorewall/interfaces.</p>
+<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me
+sous-r&eacute;seau (<i>sub-network/subnet)</i>. Pour ce faire, nous
+pouvons consid&eacute;rer un sous-r&eacute;seau dans une plage
+d'adresses x.y.z.0 - x.y.z.255. Chaque sous-r&eacute;seau aura un
+masque (<i>Subnet Mask) </i>de 255.255.255.0.
+L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de
+sous-r&eacute;seau
+(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en
+tant qu'adresse
+de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall,
+un
 sous-r&eacute;seau est d&eacute;crit en utilisant <a
- href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
- Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
- par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
- bits marquant "1" dans la partie gauche du masque de sous-r&eacute;seau.</p>
-     
+ href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless
+InterDomain Routing </i>(CIDR)</a> qui consiste en l'adresse du
+sous-r&eacute;seau suivie par "/24". Le "24" se r&eacute;f&egrave;re au
+nombre cons&eacute;cutif de bits marquant "1" dans la partie gauche du
+masque de sous-r&eacute;seau.</p>
 <p align="left">Un exemple de sous-r&eacute;seau (sub-network) :</p>
-   <a name="AutoNumber1"></a>   
+<a name="AutoNumber1"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><b>Plage:</b></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>10.10.10.0 - 10.10.10.255</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p><b>Subnet Address:</b></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>10.10.10.0</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p><b>Broadcast Address:</b></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>10.10.10.255</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p><b>CIDR&nbsp;Notation:</b></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>10.10.10.0/24</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<p align="left">Il est de mise d'assigner l'interface interne (LAN) &agrave;
- la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1
-dans  l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable
- (10.10.10.254).</p>
-     
-<p align="left">L'un des buts d'un sous-r&eacute;seau est de permettre &agrave;
- tous les ordinateurs dans le sous-r&eacute;seau de savoir avec quels autres
- ordinateurs ils peuvent communiquer directement. Pour communiquer avec des
- syst&egrave;mes en dehors du sous-r&eacute;seau, les ordinateurs envoient
- des paquets &agrave; travers le gateway (routeur).</p>
-     
+<p align="left">Il est de mise d'assigner l'interface interne (LAN)
+&agrave; la premi&egrave;re adresse utilisable du sous-r&eacute;seau
+(10.10.10.1
+dans l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse
+utilisable (10.10.10.254).</p>
+<p align="left">L'un des buts d'un sous-r&eacute;seau est de permettre
+&agrave; tous les ordinateurs dans le sous-r&eacute;seau de savoir avec
+quels autres ordinateurs ils peuvent communiquer directement. Pour
+communiquer avec des syst&egrave;mes en dehors du sous-r&eacute;seau,
+les ordinateurs envoient des paquets &agrave; travers le gateway
+(routeur).</p>
 <p align="left"><img src="images/BD21298_1.gif" name="Image11"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur 
-2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle 
- par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Vos ordinateurs en local (ordinateur 1 et ordinateur 2 dans le
+diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
+par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
+l'interface
 interne du firewall.</p>
-     
-<p align="left">The foregoing short discussion barely scratches the surface
- regarding subnetting and routing. If you are interested in learning more
-about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
-What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
+<p align="left">The foregoing short discussion barely scratches the
+surface regarding subnetting and routing. If you are interested in
+learning more
+about IP addressing and routing, I highly recommend <i>"IP
+Fundamentals:
+What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
+A.
 Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
-     
-<p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
- votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
-     
+<p align="left">Le reste de ce guide assumera que vous avez
+configur&eacute; votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
 <p align="center"><img src="images/basics1.png" name="Image12"
- align="bottom" width="444" height="635" border="0">
-  </p>
-     
-<p align="left">La passerelle par d&eacute;faut pour les ordinateurs 1 et
- 2 devrait &ecirc;tre 10.10.10.254.</p>
-     
+ align="bottom" width="444" height="635" border="0"> </p>
+<p align="left">La passerelle par d&eacute;faut pour les ordinateurs 1
+et 2 devrait &ecirc;tre 10.10.10.254.</p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
-     
-<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
- parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
- Internet (backbone) ne font pas circuler les paquets qui ont une adresse
-de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
- en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
- par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
- Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
- remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
- le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion. 
- Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
- de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
- pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
- 1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet,
-donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave;
-l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse,
-il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet
+<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918
+sont parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car
+les routeurs Internet (backbone) ne font pas circuler les paquets qui
+ont une adresse
+de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos
+syst&egrave;mes en local (supposons l'ordinateur1) demande une
+connexion &agrave; un serveur par Internet, le firewall doit appliquer
+un NAT<i> (Network Address Translation)</i>. Le firewall r&eacute;
+&eacute;crit l'adresse source dans le paquet, et l'a remplace par
+l'adresse de l'interface externe du firewall; en d'autres mots, le
+firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
+Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit
+capable de renvoyer les paquets au firewall (souvenez vous que les
+paquets qui ont pour adresse de destination, une adresse
+r&eacute;serv&eacute;e par la RFC 1918 ne pourront pas &ecirc;tre
+rout&eacute;s &agrave; travers Internet,
+donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse
+&agrave;
+l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de
+r&eacute;ponse,
+il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le
+paquet
 vers l'ordinateur 1. </p>
-     
-<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
- souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi
-le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
- Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
-     
+<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute;
+est souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez
+aussi
+le terme de <i>Source Network Address Translation </i>(SNAT)
+utilis&eacute;. Shorewall suit la convention utilis&eacute;e avec
+Netfilter:</p>
 <ul>
-   	<li>               
-    <p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous 	laissez
- votre firewall d&eacute;tecter automatiquement l'adresse de 	l'interface
-externe.  	</p>
-   	</li>
-     <li>               
-    <p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous 	sp&eacute;cifiez
- explicitement l'adresse source des paquets sortant 	de votre r&eacute;seau
- local.  	</p>
-     </li>
-     
+  <li>
+    <p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous
+laissez votre firewall d&eacute;tecter automatiquement l'adresse de
+l'interface
+externe. </p>
+  </li>
+  <li>
+    <p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous
+sp&eacute;cifiez explicitement l'adresse source des paquets sortant de
+votre r&eacute;seau local. </p>
+  </li>
 </ul>
-     
-<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configur&eacute;
- avec des entr&eacute;s dans le fichier /etc/shorewall/masq. Vous utiliserez
- normalement le Masquerading si votre adresse IP externe est dynamique, et
- SNAT si elle est statique.</p>
-     
+<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont
+configur&eacute; avec des entr&eacute;s dans le fichier
+/etc/shorewall/masq. Vous utiliserez normalement le Masquerading si
+votre adresse IP externe est dynamique, et SNAT si elle est statique.</p>
 <p align="left"><img src="images/BD21298_.gif" name="Image13"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
- vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
- le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
- colonne par le nom de votre interface externe, et la seconde colonne par
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Si votre interface externe du firewall est <b>eth0</b>, vous n'avez
+pas besoin de modifier le fichier fourni avec l'exemple. Dans le cas
+contraire, &eacute;ditez /etc/shorewall/masq et changez la
+premi&egrave;re colonne par le nom de votre interface externe, et la
+seconde colonne par
 le nom de votre interface interne.</p>
-     
 <p align="left"><img src="images/BD21298_.gif" name="Image14"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
- dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
- de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez
-cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
- colonne permet un traitement des paquets sortant un peu plus efficace.<br>
-   <br>
-   <img src="images/BD21298_.gif" name="Image15" align="bottom"
- width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez 
-que votre fichier de configuration shorewall.conf contient bien les valeurs 
-suivantes, si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
-     
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Si votre IP externe est statique, vous pouvez la mettre dans la
+troisi&egrave;me colonne dans /etc/shorewall/masq si vous le
+d&eacute;sirez, de toutes fa&ccedil;ons votre firewall fonctionnera
+bien si vous laissez
+cette colonne vide. Le fait de mettre votre IP statique dans la
+troisi&egrave;me colonne permet un traitement des paquets sortant un
+peu plus efficace.<br>
+<br>
+<img src="images/BD21298_.gif" name="Image15" align="bottom" width="13"
+ height="13" border="0"> &nbsp;&nbsp;&nbsp; Si vous utilisez les
+paquets Debian, v&eacute;rifiez que votre fichier de configuration
+shorewall.conf contient bien les valeurs suivantes, si elles n'y sont
+pas faite les changements n&eacute;cessaires:</p>
 <ul>
-   	<li>               
-    <p style="margin-bottom: 0cm;">NAT_ENABLED=Yes  	</p>
-   	</li>
-     <li>               
+  <li>
+    <p style="margin-bottom: 0cm;">NAT_ENABLED=Yes </p>
+  </li>
+  <li>
     <p>IP_FORWARDING=On</p>
-     </li>
-     
+  </li>
 </ul>
-     
 <h2 align="left">Port Forwarding (DNAT)</h2>
-     
-<p align="left">Un de nos buts est de , peut &ecirc;tre, faire tourner un
- ou plusieurs serveurs sur nos ordinateurs locaux. Parce que ces ordinateurs
- on une adresse RFC-1918, il n' est pas possible pour les clients sur Internet
- de se connecter directement &agrave; eux. Il est n&eacute;cessaire &agrave;
- ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
- &eacute;crit l'adresse de destination de votre serveur, et fait passer le
- paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
- applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse
-source  dans la r&eacute;ponse.</p>
-     
-<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
- ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez
-le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
-     
-<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
- dans /etc/shorewall/rules est:</p>
-   <a name="AutoNumber4"></a>   
+<p align="left">Un de nos buts est de , peut &ecirc;tre, faire tourner
+un ou plusieurs serveurs sur nos ordinateurs locaux. Parce que ces
+ordinateurs on une adresse RFC-1918, il n' est pas possible pour les
+clients sur Internet de se connecter directement &agrave; eux. Il est
+n&eacute;cessaire &agrave; ces clients d'adresser leurs demandes de
+connexion au firewall qui r&eacute; &eacute;crit l'adresse de
+destination de votre serveur, et fait passer le paquet &agrave;
+celui-ci. Lorsque votre serveur r&eacute;pond, le firewall applique
+automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse
+source dans la r&eacute;ponse.</p>
+<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port
+Forwarding</i> ou <i>Destination Network Address Translation</i>(DNAT).
+Vous configurez
+le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier
+/etc/shorewall/rules.</p>
+<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port
+forwarding dans /etc/shorewall/rules est:</p>
+<a name="AutoNumber4"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>DNAT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
-          <p>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server 				port&gt;</i>]</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
+          <p>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
+port&gt;</i>]</p>
+          </td>
+          <td>
           <p><i>&lt;protocol&gt;</i></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><i>&lt;port&gt;</i></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<p>Exemple - vous faites tourner un serveur Web sur l'ordinateur 2 et vous
- voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrave;me
- :</p>
-   <a name="AutoNumber41"></a>   
+<p>Exemple - vous faites tourner un serveur Web sur l'ordinateur 2 et
+vous voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave;
+ce syst&egrave;me :</p>
+<a name="AutoNumber41"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>DNAT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>loc:10.10.10.2</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>80</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
 <p>Deux points importants &agrave; garder en m&eacute;moire :</p>
-     
 <ul>
-   	<li>               
-    <p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle 	pr&eacute;c&eacute;dente
- depuis un client &agrave; l'ext&eacute;rieur 	de votre r&eacute;seau local
- (c.a.d., ne pas tester depuis un 	navigateur tournant sur l'ordinateur 1
-ou 2 ou sur le firewall). Si 	vous voulez avoir la possibilit&eacute; d'acc&eacute;der
- &agrave; 	votre serveur web en utilisant l'adresse IP externe de votre 	firewall,
- regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. 	</p>
-   	</li>
-     <li>               
-    <p>Quelques fournisseurs Internet (Provider/ISP) bloquent les 	requ&ecirc;tes
- entrantes de connexion sur le port 80. Si vous avez 	des probl&egrave;mes
- &agrave; vous connecter &agrave; votre serveur 	web, essayez la r&egrave;gle
- suivante et connectez vous sur le port 	5000.  	</p>
-     </li>
-     
+  <li>
+    <p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle
+pr&eacute;c&eacute;dente depuis un client &agrave; l'ext&eacute;rieur
+de votre r&eacute;seau local (c.a.d., ne pas tester depuis un
+navigateur tournant sur l'ordinateur 1
+ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute;
+d'acc&eacute;der &agrave; votre serveur web en utilisant l'adresse IP
+externe de votre firewall, regardez <a href="FAQ.htm#faq2">Shorewall
+FAQ #2</a>. </p>
+  </li>
+  <li>
+    <p>Quelques fournisseurs Internet (Provider/ISP) bloquent les
+requ&ecirc;tes entrantes de connexion sur le port 80. Si vous avez des
+probl&egrave;mes &agrave; vous connecter &agrave; votre serveur web,
+essayez la r&egrave;gle suivante et connectez vous sur le port 5000. </p>
+  </li>
 </ul>
-   <a name="AutoNumber42"></a>   
+<a name="AutoNumber42"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>DNAT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>loc:10.10.10.2:80</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>5000</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
 <p><img src="images/BD21298_.gif" name="Image16" align="bottom"
- width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; A ce point, modifiez /etc/shorewall/rules pour ajouter
- les r&egrave;gles DNAT dont vous avez besoin.</p>
-     
+ width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp; A ce point,
+modifiez /etc/shorewall/rules pour ajouter les r&egrave;gles DNAT dont
+vous avez besoin.</p>
 <h2 align="left">Domain Name Server (DNS)</h2>
-     
-<p align="left">Normalement, quand vous vous connectez &agrave; votre fournisseur
- (ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS
-pour  le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement
- (c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute; &eacute;crit). Il
- arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
- (name servers)</i> afin que vous configuriez manuellement votre serveur
-de  nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
- sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez 
- proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
-     
+<p align="left">Normalement, quand vous vous connectez &agrave; votre
+fournisseur (ISP), une partie consiste &agrave; obtenir votre adresse
+IP, votre DNS
+pour le firewall (<i>Domain Name Service) </i>est configur&eacute;
+automatiquement (c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute;
+&eacute;crit). Il arrive que votre provider vous donne une paire
+d'adresse IP pour les DNS<i> (name servers)</i> afin que vous
+configuriez manuellement votre serveur
+de nom primaire et secondaire. La mani&egrave;re dont le DNS est
+configur&eacute; sur votre firewall est de <u>votre</u>
+responsabilit&eacute;. Vous pouvez proc&eacute;der d'une de ses deux
+fa&ccedil;ons :</p>
 <ul>
-   	<li>               
-    <p align="left">Vous pouvez configurer votre syst&egrave;me 	interne
-pour utiliser les noms de serveurs de votre provider. Si 	votre fournisseur
-vous donne les adresses de leurs serveurs ou si 	ces adresses sont disponibles
- sur leur site web, vous pouvez 	configurer votre syst&egrave;me interne
-afin  de les utiliser. Si 	cette information n' est pas disponible, regardez
-dans  	/etc/resolv.conf sur votre firewall -- les noms des serveurs sont
-	donn&eacute;s  dans l'enregistrement "nameserver" dans ce 	fichier.  	</p>
-   	</li>
-     <li>               
+  <li>
+    <p align="left">Vous pouvez configurer votre syst&egrave;me interne
+pour utiliser les noms de serveurs de votre provider. Si votre
+fournisseur
+vous donne les adresses de leurs serveurs ou si ces adresses sont
+disponibles sur leur site web, vous pouvez configurer votre
+syst&egrave;me interne
+afin de les utiliser. Si cette information n' est pas disponible,
+regardez
+dans /etc/resolv.conf sur votre firewall -- les noms des serveurs sont
+donn&eacute;s dans l'enregistrement "nameserver" dans ce fichier. </p>
+  </li>
+  <li>
     <p align="left"><img src="images/BD21298_.gif" name="Image17"
- align="bottom" width="13" height="13" border="0">
-  	&nbsp;&nbsp;&nbsp; Vous pouvez configurer un cache dns<i> (Caching 	Name
- Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour 	mettre en
-cache  un serveur de nom (le RPM requis aussi le RPM 	'bind') et pour les
-utilisateurs   de Bering, il y a 	dnscache.lrp. Si vous adoptez cette approche,
-vous configurez  votre 	syst&egrave;me interne pour utiliser le firewall
-lui m&ecirc;me 	comme  &eacute;tant le seul serveur de nom primaire. Vous
-pouvez 	utiliser l'adresse  IP interne du firewall (10.10.10.254 dans 	l'exemple)
-pour l'adresse de serveur  de nom. Pour permettre &agrave; 	vos syst&egrave;mes
-locaux de discuter avec  votre serveur cache de 	nom, vous devez ouvrir le
-port 53 (UDP ET&nbsp; TCP)  sur le firewall 	vers le r&eacute;seau local;
-vous ferez ceci en ajoutant  les r&egrave;gles 	suivantes dans /etc/shorewall/rules.
- 	</p>
-     </li>
-     
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Vous pouvez configurer un cache dns<i> (Caching Name Server) </i>sur
+votre firewall.<i> </i>Red Hat a un RPM pour mettre en
+cache un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les
+utilisateurs de Bering, il y a dnscache.lrp. Si vous adoptez cette
+approche,
+vous configurez votre syst&egrave;me interne pour utiliser le firewall
+lui m&ecirc;me comme &eacute;tant le seul serveur de nom primaire. Vous
+pouvez utiliser l'adresse IP interne du firewall (10.10.10.254 dans
+l'exemple)
+pour l'adresse de serveur de nom. Pour permettre &agrave; vos
+syst&egrave;mes
+locaux de discuter avec votre serveur cache de nom, vous devez ouvrir
+le
+port 53 (UDP ET&nbsp; TCP) sur le firewall vers le r&eacute;seau local;
+vous ferez ceci en ajoutant les r&egrave;gles suivantes dans
+/etc/shorewall/rules. </p>
+  </li>
 </ul>
-   <a name="AutoNumber43"></a>   
+<a name="AutoNumber43"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>loc</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>53</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>loc</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>udp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>53</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
 <h2 align="left">Autres Connexions</h2>
-     
-<p align="left">Les fichiers exemples inclus dans l'archive (two-interface)
- contiennent les r&egrave;gles suivantes :</p>
-   <a name="AutoNumber44"></a>   
+<p align="left">Les fichiers exemples inclus dans l'archive
+(two-interface) contiennent les r&egrave;gles suivantes :</p>
+<a name="AutoNumber44"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>53</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>udp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>53</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave;
-partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez
-d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant
+<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS
+&agrave;
+partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous
+avez
+d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy
+autorisant
 toutes les connexions depuis le firewall vers Internet.</p>
-     
 <p align="left">Les exemples contiennent aussi :</p>
-   <a name="AutoNumber45"></a>   
+<a name="AutoNumber45"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>loc</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>22</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
- serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre
+<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner
+un serveur SSH sur votre firewall et &agrave; vous y connecter depuis
+votre
 r&eacute;seau local.</p>
-     
-<p align="left">Si vous voulez permettre d'autres connexions entre votre
-firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est
+<p align="left">Si vous voulez permettre d'autres connexions entre
+votre
+firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale
+est
 :</p>
-   <a name="AutoNumber46"></a>   
+<a name="AutoNumber46"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><i>&lt;source zone&gt;</i></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><i>&lt;destination zone&gt;</i></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><i>&lt;protocol&gt;</i></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><i>&lt;port&gt;</i></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<p align="left">Exemple - Vous voulez faire tourner un serveur Web sur votre
- firewall :</p>
-   <a name="AutoNumber47"></a>   
+<p align="left">Exemple - Vous voulez faire tourner un serveur Web sur
+votre firewall :</p>
+<a name="AutoNumber47"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>80</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>#Permet l'acc&egrave;s Web</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>depuis Internet</p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>loc</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>80</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>#Permet l'acc&egrave;s Web</p>
-   			<br>
-             </td>
-   			<td>                                 
+          <br>
+          </td>
+          <td>
           <p>depuis Internet</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
-<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter
-aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
- configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
-     
-<p align="left">Si vous ne savez pas quel port et quel protocole une application
- particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
-     
-<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre
-le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
- pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
- sur votre firewall depuis Internet, utilisez SSH :</p>
-   <a name="AutoNumber48"></a>   
+<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent
+s'ajouter
+aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous
+pouvez configurer un cache dns<i> (Caching Name Server) </i>sur votre
+firewall"</p>
+<p align="left">Si vous ne savez pas quel port et quel protocole une
+application particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
+<p align="left"><b>Important: </b>Je ne vous recommande pas de
+permettre
+le telnet depuis ou vers Internet car il utilise du texte en clair
+(m&ecirc;me pour le login et le mot de passe!). Si vous voulez un
+acc&egrave;s au shell sur votre firewall depuis Internet, utilisez SSH :</p>
+<a name="AutoNumber48"></a>
 <dl>
-  <dd>               
+  <dd>
     <table border="1" cellpadding="2" cellspacing="2">
-   		<tbody>
-           <tr>
-   			<td>                                 
+      <tbody>
+        <tr>
+          <td>
           <p><u><b>ACTION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>DESTINATION</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PROTOCOL</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>SOURCE PORT</b></u></p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p><u><b>ORIGINAL ADDRESS</b></u></p>
-   			</td>
-   		</tr>
-   		<tr>
-   			<td>                                 
+          </td>
+        </tr>
+        <tr>
+          <td>
           <p>ACCEPT</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>net</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>fw</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>tcp</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>22</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   			<td>                                 
+          </td>
+          <td>
           <p>&nbsp;</p>
-   			</td>
-   		</tr>
-                        
-      </tbody>               
+          </td>
+        </tr>
+      </tbody>
     </table>
-     </dd>
+  </dd>
 </dl>
-     
 <p align="left"><img src="images/BD21298_.gif" name="Image18"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Maintenant &eacute;ditez votre fichier /etc/shorewall/rules
- pour ajouter ou supprimer les connexions voulues.</p>
-     
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Maintenant &eacute;ditez votre fichier /etc/shorewall/rules pour
+ajouter ou supprimer les connexions voulues.</p>
 <h2 align="left">Lancer et Arr&ecirc;ter votre Firewall</h2>
-     
 <p align="left"><img src="images/BD21298_2.gif" name="Image19"
  alt="Arrow" align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a> 
- configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
- mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
- est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie.
-Une  fois la configuration de votre firewall achev&eacute;e, vous pouvez
-permettre  le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
-     
-<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
-des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
-     
-<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
- start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
- le routage est permis sur les h&ocirc;tes qui sont dans le fichier<a
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
- firewall fonctionnant peut &ecirc;tre relanc&eacute; en utilisant la commande
- "shorewall restart". Si vous voulez enlever toutes les traces de Shorewall
- dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
-     
+&nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure
+d'installation</a> configure votre syst&egrave;me pour lancer Shorewall
+au boot du syst&egrave;me, mais pour les d&eacute;butants sous
+Shorewall version 1.3.9, le lancement est d&eacute;sactiv&eacute; tant
+que la configuration n' est pas finie.
+Une fois la configuration de votre firewall achev&eacute;e, vous pouvez
+permettre le lancement de Shorewall en enlevant le fichier
+/etc/shorewall/startup_disabled.</p>
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
+utilisateurs
+des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre
+'startup=1'.</font></p>
+<p align="left">Le firewall est lanc&eacute; en utilisant la commande
+"shorewall start" et stopp&eacute; avec "shorewall stop". Lorsque le
+firewall est stopp&eacute;, le routage est permis sur les h&ocirc;tes
+qui sont dans le fichier<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+Un firewall fonctionnant peut &ecirc;tre relanc&eacute; en utilisant la
+commande "shorewall restart". Si vous voulez enlever toutes les traces
+de Shorewall dans votre configuration de Netfilter, utilisez "shorewall
+clear".</p>
 <p align="left"><img src="images/BD21298_.gif" name="Image20"
- align="bottom" width="13" height="13" border="0">
-  &nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
- permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
-lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est
-pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s
-depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped
+ align="bottom" width="13" height="13" border="0"> &nbsp;&nbsp;&nbsp;
+Les exemples (two-interface) supposent que vous voulez permettre le
+routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
+lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n'
+est
+pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre
+l'acc&egrave;s
+depuis ou vers d'autres h&ocirc;tes, changez
+/etc/shorewall/routestopped
 en cons&eacute;quence.</p>
-     
-<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
- votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
- tant que vous n'avez pas ajout&eacute; une entr&eacute;e pour votre adresse
- IP depuis laquelle vous &ecirc;tes connect&eacute; dans<a
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De
- plus, je ne vous recommande pas d'utiliser "shorewall restart"; il est mieux
- de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configuration 
- alternative</i></a> et de l'essayer en utilisant la commande<a
+<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute;
+&agrave; votre firewall depuis Internet, n'essayez pas la commande
+"shorewall stop" tant que vous n'avez pas ajout&eacute; une
+entr&eacute;e pour votre adresse IP depuis laquelle vous &ecirc;tes
+connect&eacute; dans<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
+De plus, je ne vous recommande pas d'utiliser "shorewall restart"; il
+est mieux de cr&eacute;er une <a
+ href="configuration_file_basics.htm#Configs"><i>configuration
+alternative</i></a> et de l'essayer en utilisant la commande<a
  href="starting_and_stopping_shorewall.htm">"shorewall try".</a></p>
-     
 <p align="left"><font size="2">Last updated 12/20/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
-     
-<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
- M. Eastep</font></a></p>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-   <br>
-  <br>
- <br>
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
+Thomas M. Eastep</font></a></p>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/upgrade_issues.htm b/Shorewall-docs/upgrade_issues.htm
index 3d7fe7683..32cf343ff 100755
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@@ -1,471 +1,378 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-                                    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Upgrade Issues</title>
-                                                                
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                                    
   <meta name="ProgId" content="FrontPage.Editor.Document">
-                                     
   <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
-                  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
- bgcolor="#3366ff" height="90">
-                             <tbody>
-                             <tr>
-                               <td width="100%">                        
-                                       
-      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
-                               </td>
-                             </tr>
-                                    
-  </tbody>         
-</table>
-                   
-<p>For upgrade instructions see the                               <a
- href="Install.htm">Install/Upgrade page</a>.<br>
-             </p>
-                  
-<p>It is important that you read all of the sections on this page where the 
-      version number mentioned in the section title is later than what you 
- are    currently running.<br>
-       </p>
-             
-<p>  In the descriptions that follows, the term <b><i>group </i></b>refers 
-   to a particular  network or subnetwork (which may be 0.0.0.0/0 or it may 
-  be a host address)  accessed through a particular interface.<br>
-       </p>
-             
+<body>
+<h1 style="text-align: center;">Upgrade Issues<br>
+</h1>
+<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade
+page</a>.<br>
+</p>
+<p>It is important that you read all of the sections on this page where
+the version number mentioned in the section title is later than what
+you are currently running.<br>
+</p>
+<p> In the descriptions that follows, the term <b><i>group </i></b>refers
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
+be a host address) accessed through a particular interface.<br>
+</p>
 <p>Examples:<br>
-               <br>
-           eth0:0.0.0.0/0<br>
-              eth2:192.168.1.0/24<br>
-              eth3:192.0.2.123<br>
-      </p>
-           
-<p> You can use the "shorewall check" command to see the groups associated
-   with each of your zones.<br>
-             </p>
-                  
+&nbsp;&nbsp;&nbsp; <br>
+&nbsp;&nbsp;&nbsp; eth0:0.0.0.0/0<br>
+&nbsp;&nbsp;&nbsp; eth2:192.168.1.0/24<br>
+&nbsp;&nbsp;&nbsp; eth3:192.0.2.123<br>
+</p>
+<p> You can use the "shorewall check" command to see the groups
+associated with each of your zones.<br>
+</p>
 <h3> </h3>
-                  
+<h3>Version &gt;= 1.4.8</h3>
+<ul>
+  <li>The meaning of ROUTE_FILTER=Yes has changed. Previously this
+setting was documented as causing route filtering to occur on all
+network interfaces; this didn't work. Beginning with this release,
+ROUTE_FILTER=Yes causes route filtering to occur on all interfaces
+brought up while Shorewall is running. This means that it may be
+appropriate to set ROUTE_FILTER=Yes <span
+ style="text-decoration: underline;">and</span> use the routefilter
+option in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+entries.<br>
+  </li>
+</ul>
 <h3>Version &gt;= 1.4.6</h3>
- 
 <ul>
-   <li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed 
-from shorewall.conf. These capabilities are now automatically detected by 
-Shorewall.</li>
-   <li>An undocumented <i>feature</i> previously allowed entries in the host 
-file as follows:<br>
-     <br>
-     <i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
-     <br>
- This capability was never documented and has been removed in 1.4.6 to allow 
-entries of the following format:<br>
-     <br>
-     <i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
-   </li>
- 
-</ul>
-   
-<h3>Version &gt;= 1.4.4</h3>
-     If you are upgrading from 1.4.3 and have set the LOGMARKER variable
-in  <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then 
-you  must set the new LOGFORMAT variable appropriately and remove your setting 
-  of LOGMARKER<br>
+  <li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
+removed from shorewall.conf. These capabilities are now automatically
+detected by Shorewall.</li>
+  <li>An undocumented <i>feature</i> previously allowed entries in the
+host file as follows:<br>
     <br>
-     
+    <i>zone</i> &nbsp; &nbsp;eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
+    <br>
+This capability was never documented and has been removed in 1.4.6 to
+allow entries of the following format:<br>
+    <br>
+    <i>zone</i> &nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
+  </li>
+</ul>
+<h3>Version &gt;= 1.4.4</h3>
+If you are upgrading from 1.4.3 and have set the LOGMARKER variable
+in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>,
+then you must set the new LOGFORMAT variable appropriately and remove
+your setting of LOGMARKER<br>
+<br>
 <h3>Version 1.4.4<br>
-   </h3>
-   If you have zone names that are 5 characters long, you may experience
-problems   starting Shorewall because the --log-prefix in a logging rule
-is too long.  Upgrade to Version 1.4.4a to fix this problem..<br>
-         
+</h3>
+If you have zone names that are 5 characters long, you may experience
+problems starting Shorewall because the --log-prefix in a logging rule
+is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
 <h3>Version &gt;= 1.4.2</h3>
-       There are some cases where you may want to handle traffic from a particular 
-   group to itself. While I personally think that such a setups are ridiculous, 
-   there are two cases covered in this documentation where it can occur:<br>
-             
+There are some cases where you may want to handle traffic from a
+particular group to itself. While I personally think that such a setups
+are ridiculous, there are two cases covered in this documentation where
+it can occur:<br>
 <ol>
-         <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
-         <li><a href="Shorewall_Squid_Usage.html">When running Squid as a 
-transparent    proxy in your local zone.</a></li>
-             
+  <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
+  <li><a href="Shorewall_Squid_Usage.html">When running Squid as a
+transparent proxy in your local zone.</a></li>
 </ol>
-       If you have either of these cases, you will want to review the current 
-  documentation  and change your configuration accordingly.<br>
-             
+If you have either of these cases, you will want to review the current
+documentation and change your configuration accordingly.<br>
 <h3>Version &gt;= 1.4.1</h3>
-                  
 <ul>
-             <li>Beginning with Version 1.4.1, traffic between groups in
-the   same   zone is accepted by default.  Previously, traffic from a zone
-to itself  was  treated just like any other  traffic; any matching rules
-were applied  followed  by enforcement of the appropriate  policy. With 1.4.1
-and later  versions,  unless you have explicit rules for  traffic from Z
-to Z or you  have an explicit  Z to Z policy (where "Z" is some  zone) then
-traffic between  the groups in  zone Z will be accepted. If you do have one
-or more explicit  rules for Z to Z or if you have an explicit Z to Z policy
-then the behavior  is as it was in prior versions.</li>
-                  
+  <li>Beginning with Version 1.4.1, traffic between groups in
+the same zone is accepted by default. Previously, traffic from a zone
+to itself was treated just like any other traffic; any matching rules
+were applied followed by enforcement of the appropriate policy. With
+1.4.1
+and later versions, unless you have explicit rules for traffic from Z
+to Z or you have an explicit Z to Z policy (where "Z" is some zone)
+then
+traffic between the groups in zone Z will be accepted. If you do have
+one
+or more explicit rules for Z to Z or if you have an explicit Z to Z
+policy
+then the behavior is as it was in prior versions.</li>
 </ul>
-                  
-<blockquote>                           
+<blockquote>
   <ol>
-               <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
-   between   two interfaces to the same zone, that policy can be removed
-and    traffic between  the interfaces will traverse fewer rules than previously.</li>
-               <li>If you have a Z Z DROP or Z Z REJECT policy or you have
- Z-&gt;Z    rules then your configuration should not require any change.</li>
-              <li>If you are currently relying on a implicit policy (one
-that   has   "all" in either the SOURCE or DESTINATION column) to prevent
-traffic   between   two interfaces to a zone Z and you have no rules for
-Z-&gt;Z then   you should   add an explicit DROP or REJECT policy for Z to
+    <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
+between two interfaces to the same zone, that policy can be removed
+and traffic between the interfaces will traverse fewer rules than
+previously.</li>
+    <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
+rules then your configuration should not require any change.</li>
+    <li>If you are currently relying on a implicit policy (one
+that has "all" in either the SOURCE or DESTINATION column) to prevent
+traffic between two interfaces to a zone Z and you have no rules for
+Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
 Z.<br>
-              </li>
-                                    
+    </li>
   </ol>
-           </blockquote>
-                  
+</blockquote>
 <ul>
-        <li>    Sometimes, you want two separate zones on one interface but 
- you  don't want  Shorewall to set up any infrastructure to handle traffic 
- between  them. </li>
-           
+  <li> Sometimes, you want two separate zones on one interface but you
+don't want Shorewall to set up any infrastructure to handle traffic
+between them. </li>
 </ul>
-           
 <blockquote>Example:<br>
-                       
-  <blockquote>                                       
+  <blockquote>
     <pre>/etc/shorewall/zones<br><br>z1	Zone1	The first Zone<br>z2	Zone2	The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2	eth1	192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1	eth1:192.168.1.3<br></pre>
-           </blockquote>
-          Here, zone z1 is nested in zone z2 and the firewall is not going
- to  be  involved in any traffic between these two zones. Beginning with
-Shorewall     1.4.1, you can prevent Shorewall from setting up any infrastructure
-to  handle   traffic between z1 and z2 by using the new NONE policy:<br>
-                       
-  <blockquote>                                       
+  </blockquote>
+Here, zone z1 is nested in zone z2 and the firewall is not going to be
+involved in any traffic between these two zones. Beginning with
+Shorewall 1.4.1, you can prevent Shorewall from setting up any
+infrastructure
+to handle traffic between z1 and z2 by using the new NONE policy:<br>
+  <blockquote>
     <pre>/etc/shorewall/policy<br><pre>z1	z2	NONE<br>z2	z1	NONE</pre></pre>
-          </blockquote>
-          Note that NONE policies are generally used in pairs unless there
- is  asymetric   routing where only the traffic on one direction flows through 
-  the firewall   and you are using a NONE polciy in the other direction. </blockquote>
-                        
+  </blockquote>
+Note that NONE policies are generally used in pairs unless there is
+asymetric routing where only the traffic on one direction flows through
+the firewall and you are using a NONE polciy in the other
+direction.&nbsp;</blockquote>
 <h3>Version 1.4.1<br>
-      </h3>
-           
+</h3>
 <ul>
-             <li>In Version 1.4.1, Shorewall will never create rules  to
- deal   with traffic from a given group back to itself.  The <i>multi</i> 
- interface   option is no longer available so if you want to route traffic 
-between  two   subnetworks on the same interface then I recommend that you 
-upgrade to Version   1.4.2 and use the 'routeback' interface or host option. </li>
-                  
+  <li>In Version 1.4.1, Shorewall will never create rules to deal with
+traffic from a given group back to itself. The <i>multi</i> interface
+option is no longer available so if you want to route traffic between
+two subnetworks on the same interface then I recommend that you upgrade
+to Version 1.4.2 and use the 'routeback' interface or host option.&nbsp;</li>
 </ul>
-                  
 <h3>Version &gt;= 1.4.0</h3>
-               <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
-  iproute    package  ('ip' utility).</b><br>
-            <br>
-            <b>Note: </b>Unfortunately, some distributions call this package
-  iproute2    which will cause the upgrade of Shorewall to fail with the
+<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
+package ('ip' utility).</b><br>
+<br>
+<b>Note: </b>Unfortunately, some distributions call this package
+iproute2 which will cause the upgrade of Shorewall to fail with the
 diagnostic:<br>
-               <br>
-                  error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
-         <br>
-               <br>
-             This may be worked around by using the --nodeps option of rpm
- (rpm   -Uvh   --nodeps &lt;shorewall rpm&gt;).<br>
-               <br>
-               If you are upgrading from a version &lt; 1.4.0, then:<br>
-                  
+<br>
+&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
+shorewall-1.4.0-1 <br>
+<br>
+This may be worked around by using the --nodeps option of rpm (rpm -Uvh
+--nodeps &lt;shorewall rpm&gt;).<br>
+<br>
+If you are upgrading from a version &lt; 1.4.0, then:<br>
 <ul>
-                    <li>The <b>noping </b>and <b>forwardping</b> interface
- options    are   no  longer supported nor is the <b>FORWARDPING </b>option
- in shorewall.conf.       ICMP echo-request (ping) packets are treated just
- like any other connection       request and are subject to rules and policies.</li>
-                    <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
-    in   /etc/shorewall/interfaces   now generate a Shorewall error at startup 
-    (they   always have produced warnings   in iptables).</li>
-                    <li>The MERGE_HOSTS variable has been removed from shorewall.conf. 
-      Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
-    contents   are  determined by BOTH the interfaces and hosts files when
- there   are entries   for the zone in both files.</li>
-                    <li>The <b>routestopped</b> option in the interfaces
-and   hosts   file   has  been eliminated; use entries in the routestopped
-file   instead.</li>
-                    <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
-  is  no  longer     accepted; you must convert to using the new syntax.</li>
-                    <li value="6">The ALLOWRELATED variable in shorewall.conf 
-  is  no  longer    supported.  Shorewall 1.4 behavior is the same as 1.3 
-with  ALLOWRELATED=Yes.</li>
-                    <li value="6">Late-arriving DNS replies are now dropped 
- by  default;     there  is no need for your own /etc/shorewall/common file 
- simply  to avoid     logging  these packets.</li>
-                    <li value="6">The 'firewall', 'functions' and 'version' 
- file   have   been   moved to /usr/share/shorewall.</li>
-                   <li value="6">The icmp.def file has been removed. If you 
- include     it  from  /etc/shorewall/icmpdef, you will need to modify that 
- file.</li>
-                                    
+  <li>The <b>noping </b>and <b>forwardping</b> interface options are
+no longer supported nor is the <b>FORWARDPING </b>option in
+shorewall.conf. ICMP echo-request (ping) packets are treated just like
+any other connection request and are subject to rules and policies.</li>
+  <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
+/etc/shorewall/interfaces now generate a Shorewall error at startup
+(they always have produced warnings in iptables).</li>
+  <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
+Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
+contents are determined by BOTH the interfaces and hosts files when
+there are entries for the zone in both files.</li>
+  <li>The <b>routestopped</b> option in the interfaces
+and hosts file has been eliminated; use entries in the routestopped
+file instead.</li>
+  <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
+accepted; you must convert to using the new syntax.</li>
+  <li value="6">The ALLOWRELATED variable in shorewall.conf is no
+longer supported. Shorewall 1.4 behavior is the same as 1.3 with
+ALLOWRELATED=Yes.</li>
+  <li value="6">Late-arriving DNS replies are now dropped by default;
+there is no need for your own /etc/shorewall/common file simply to
+avoid logging these packets.</li>
+  <li value="6">The 'firewall', 'functions' and 'version' file have
+been moved to /usr/share/shorewall.</li>
+  <li value="6">The icmp.def file has been removed. If you include it
+from /etc/shorewall/icmpdef, you will need to modify that file.</li>
   <ul>
-                                    
   </ul>
-                <li>If you followed the advice in FAQ #2 and call find_interface_address 
-      in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
-                </li>
-                  
+  <li>If you followed the advice in FAQ #2 and call
+find_interface_address in /etc/shorewall/params, that code should be
+moved to /etc/shorewall/init.<br>
+  </li>
 </ul>
-                  
 <ul>
-                  
 </ul>
-                  
 <h3>Version 1.4.0</h3>
-                  
 <ul>
-             <li value="8">The 'multi' interface option is no longer supported. 
-    Shorewall     will generate rules for sending packets back out the same 
-  interface that    they arrived on in two cases:</li>
-                  
+  <li value="8">The 'multi' interface option is no longer supported.
+&nbsp;Shorewall will generate rules for sending packets back out the
+same interface that they arrived on in two cases:</li>
 </ul>
-                  
-<blockquote>                           
+<blockquote>
   <ul>
-               <li>There is an <u>explicit</u> policy for the source zone 
-to  or  from     the destination zone. An explicit policy names both zones 
-and  does  not  use   the 'all' reserved word.</li>
-                                    
+    <li>There is an <u>explicit</u> policy for the source zone to or
+from the destination zone. An explicit policy names both zones and does
+not use the 'all' reserved word.</li>
   </ul>
-                                    
   <ul>
-               <li>There are one or more rules for traffic for the source 
-zone   to   or  from the destination zone including rules that use the 'all' 
-reserved      word.  Exception: if the source zone and destination zone are 
-the same   then   the rule must be explicit - it must name the zone in both 
-the SOURCE   and  DESTINATION  columns.</li>
-                                    
+    <li>There are one or more rules for traffic for the source zone to
+or from the destination zone including rules that use the 'all'
+reserved word. Exception: if the source zone and destination zone are
+the same then the rule must be explicit - it must name the zone in both
+the SOURCE and DESTINATION columns.</li>
   </ul>
-           </blockquote>
-                  
+</blockquote>
 <h3>Version &gt;= 1.3.14</h3>
-                   <img src="images/BD21298_3.gif" alt="" width="13"
- height="13">
-                        Beginning in version 1.3.14, Shorewall treats entries 
-  in  <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. 
-  The  change      involves entries with an <b>interface name</b> in the <b>SUBNET</b>
-   (second)      <b>column</b>:<br>
-                  
+<img src="images/BD21298_3.gif" alt="" width="13" height="13">
+&nbsp;&nbsp; &nbsp; Beginning in version 1.3.14, Shorewall treats
+entries in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
+The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
+(second) <b>column</b>:<br>
 <ul>
-                      <li>Prior to 1.3.14, Shorewall would detect the FIRST 
- subnet    on  the   interface  (as shown by "ip addr show <i>interface</i>") 
- and would    masquerade   traffic  from that subnet. Any other subnets that 
- routed through    eth1 needed   their  own entry in /etc/shorewall/masq to
- be masqueraded   or  to have SNAT   applied.</li>
-                      <li>Beginning with Shorewall 1.3.14, Shorewall uses 
-the   firewall's      routing   table to determine ALL subnets routed through 
-the  named interface.      Traffic   originating in ANY of those subnets is
-masqueraded  or has SNAT     applied.</li>
-                  
+  <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
+interface (as shown by "ip addr show <i>interface</i>") and would
+masquerade traffic from that subnet. Any other subnets that routed
+through eth1 needed their own entry in /etc/shorewall/masq to be
+masqueraded or to have SNAT applied.</li>
+  <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
+routing table to determine ALL subnets routed through the named
+interface. Traffic originating in ANY of those subnets is
+masqueraded or has SNAT applied.</li>
 </ul>
-                    You will need to make a change to your configuration
+You will need to make a change to your configuration
 if:<br>
-                  
 <ol>
-                      <li>You have one or more entries in /etc/shorewall/masq 
-  with   an  interface    name in the SUBNET (second) column; and</li>
-                      <li>That interface connects to more than one subnetwork.</li>
-                  
+  <li>You have one or more entries in /etc/shorewall/masq with an
+interface name in the SUBNET (second) column; and</li>
+  <li>That interface connects to more than one subnetwork.</li>
 </ol>
-                    Two examples:<br>
-                    <br>
-                     <b>Example 1</b> -- Suppose that your current config 
-is  as  follows:<br>
-                       <br>
-                  
-<pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE              SUBNET                  ADDRESS<br>	eth0                    eth2                    206.124.146.176<br>	eth0                    192.168.10.0/24         206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>	[root@gateway test]#</pre>
-                  
-<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer 
-         required.<br>
-                    </blockquote>
-                    <b>Example 2</b>-- What if your current configuration 
-is  like   this?<br>
-                  
-<pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    eth2                    206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	<br>	[root@gateway test]#</pre>
-                  
-<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq 
-         to:<br>
-                    </blockquote>
-                  
-<pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                    <img src="images/BD21298_3.gif" alt="" width="13"
- height="13">
-                       Version 1.3.14 also introduced simplified ICMP echo-request 
-    (ping)    handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
-        is used  to specify that the old (pre-1.3.14) ping handling is to 
-be   used     (If the option is not set in your /etc/shorewall/shorewall.conf 
-  then OLD_PING_HANDLING=Yes      is assumed). I don't plan on supporting 
-the  old handling indefinitely  so   I urge current users to migrate to using 
- the new handling as soon as  possible.    See the <a href="ping.html">'Ping' 
- handling documentation</a>  for details.<br>
-                  
+Two examples:<br>
+<br>
+&nbsp;<b>Example 1</b> -- Suppose that your current config is as
+follows:<br>
+&nbsp;&nbsp; <br>
+<pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.10.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24&nbsp; scope link<br>	192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254<br>	[root@gateway test]#</pre>
+<blockquote>In this case, the second entry in /etc/shorewall/masq is no
+longer required.<br>
+</blockquote>
+<b>Example 2</b>-- What if your current configuration is like this?<br>
+<pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS	<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24&nbsp; scope link<br>	192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254	<br>	[root@gateway test]#</pre>
+<blockquote>In this case, you would want to change the entry in
+/etc/shorewall/masq to:<br>
+</blockquote>
+<pre>	#INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS	<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+<img src="images/BD21298_3.gif" alt="" width="13" height="13">
+&nbsp;&nbsp;&nbsp; Version 1.3.14 also introduced simplified ICMP
+echo-request (ping) handling. The option OLD_PING_HANDLING=Yes in
+/etc/shorewall/shorewall.conf is used to specify that the old
+(pre-1.3.14) ping handling is to be used (If the option is not set in
+your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes is
+assumed). I don't plan on supporting the old handling indefinitely so I
+urge current users to migrate to using the new handling as soon as
+possible. See the <a href="ping.html">'Ping' handling documentation</a>
+for details.<br>
 <h3>Version 1.3.10</h3>
-                     If you have installed the 1.3.10 Beta 1 RPM and are
-now   upgrading     to  version   1.3.10, you will need to use the '--force'
+If you have installed the 1.3.10 Beta 1 RPM and are
+now upgrading to version 1.3.10, you will need to use the '--force'
 option:<br>
-                     <br>
-                  
-<blockquote>                           
-  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
-                     </blockquote>
-                  
+<br>
+<blockquote>
+  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm&nbsp;</pre>
+</blockquote>
 <h3>Version &gt;= 1.3.9</h3>
-                       The 'functions' file has moved to /usr/lib/shorewall/functions. 
-      If  you   have  an application that uses functions from that file, your
-    application     will need to be changed to reflect this change of location.<br>
-                  
+The 'functions' file has moved to /usr/lib/shorewall/functions. If you
+have an application that uses functions from that file, your
+application will need to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.8</h3>
-                  
-<p>If you have a pair of firewall systems configured for            failover 
-            or if you have asymmetric routing, you will need to modify   
-                      your firewall setup slightly under Shorewall      
-                      versions &gt;= 1.3.8. Beginning with version 1.3.8, 
-                                    you must set NEWNOTSYN=Yes in your   
-                            /etc/shorewall/shorewall.conf file.</p>
-                  
+<p>If you have a pair of firewall systems configured for failover or if
+you have asymmetric routing, you will need to modify your firewall
+setup slightly under Shorewall versions &gt;= 1.3.8. Beginning with
+version 1.3.8, you must set NEWNOTSYN=Yes in your
+/etc/shorewall/shorewall.conf file.</p>
 <h3>Version &gt;= 1.3.7</h3>
-                  
-<p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf 
-            will need to include the                                following 
-    rules      in  their /etc/shorewall/icmpdef   file (creating       this 
-  file if necessary):</p>
-                  
+<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to
+include the following rules in their /etc/shorewall/icmpdef file
+(creating this file if necessary):</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
-                  
-<p>Users having an /etc/shorewall/icmpdef file may remove the ".   /etc/shorewall/icmp.def" 
-            command from that file since the icmp.def file is now   empty.</p>
-                  
-<h3><b><a name="Bering">Upgrading </a>Bering to       Shorewall &gt;= 1.3.3</b></h3>
-                  
-<p>To properly upgrade with Shorewall version     1.3.3 and later:</p>
-                  
+<p>Users having an /etc/shorewall/icmpdef file may remove the ".
+/etc/shorewall/icmp.def" command from that file since the icmp.def file
+is now empty.</p>
+<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
+<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
 <ol>
-                                                          <li>Be sure you 
-have   a  backup    --  you   will  need                                 
-to transcribe    any  Shorewall   configuration                         
-          changes    that  you have made   to the new                   
-              configuration.</li>
-                                                          <li>Replace the 
-shorwall.lrp       package     provided  on                              
-   the Bering  floppy     with the    later one.  If you did            
-                     not   obtain  the later   version from Jacques's   site,
- see additional    instructions   below.</li>
-                                                          <li>Edit the /var/lib/lrpkg/root.exclude.list 
-                                             file and remove the /var/lib/shorewall 
-          entry  if                                  present. Then do not 
-forget       to   backup  root.lrp !</li>
-                  
+  <li>Be sure you have a backup -- you will need to transcribe any
+Shorewall configuration changes that you have made to the new
+configuration.</li>
+  <li>Replace the shorwall.lrp package provided on the Bering floppy
+with the later one. If you did not obtain the later version from
+Jacques's site, see additional instructions below.</li>
+  <li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the
+/var/lib/shorewall entry if present. Then do not forget to backup
+root.lrp !</li>
 </ol>
-                  
-<p>The .lrp that I release isn't set up for a two-interface firewall like 
-              Jacques's. You need to follow the <a
- href="two-interface.htm">instructions           for   setting up a two-interface 
-  firewall</a> plus you also need  to   add    the  following   two Bering-specific 
-  rules to /etc/shorewall/rules:</p>
-                  
-<blockquote>                           
+<p>The .lrp that I release isn't set up for a two-interface firewall
+like Jacques's. You need to follow the <a href="two-interface.htm">instructions
+for setting up a two-interface firewall</a> plus you also need to add
+the following two Bering-specific rules to /etc/shorewall/rules:</p>
+<blockquote>
   <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
-                           </blockquote>
-                  
-<h3 align="left">Version  1.3.6 and 1.3.7</h3>
-                  
-<p align="left">If you have a pair of firewall systems configured for   
-     failover or if you have asymmetric routing, you will need to modify
-                   your firewall setup slightly under Shorewall versions
-1.3.6       and   1.3.7</p>
-                  
+</blockquote>
+<h3 align="left">Version 1.3.6 and 1.3.7</h3>
+<p align="left">If you have a pair of firewall systems configured for
+failover or if you have asymmetric routing, you will need to modify
+your firewall setup slightly under Shorewall versions
+1.3.6 and 1.3.7</p>
 <ol>
-                                      <li>                              
-               
-    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
-                       the following rule<br>
-                                    <br>
-                                    <font face="Courier">run_iptables -A
-newnotsyn     -j  RETURN    #  So  that the            connection tracking
-table can  be   rebuilt<br>
-                                                                        
-#  from   non-SYN     packets     after  takeover.<br>
-                           </font>  </p>
-                           </li>
-                           <li>                                          
-   
-    <p align="left">Create /etc/shorewall/common (if you don't already  
-       have that file) and include the following:<br>
-                                    <br>
-                                    <font face="Courier">run_iptables -A
-common    -p  tcp   --tcp-flags                 ACK,FIN,RST ACK -j ACCEPT
-#Accept  Acks  to rebuild   connection<br>
-                                                                                              
-                     #tracking table. <br>
-                                    . /etc/shorewall/common.def</font> </p>
-                           </li>
-                  
+  <li>
+    <p align="left">Create the file /etc/shorewall/newnotsyn and in it
+add the following rule<br>
+    <br>
+    <font face="Courier">run_iptables -A
+newnotsyn -j RETURN # So that the connection tracking
+table can be rebuilt<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+# from non-SYN packets after takeover.<br>
+&nbsp;</font> </p>
+  </li>
+  <li>
+    <p align="left">Create /etc/shorewall/common (if you don't already
+have that file) and include the following:<br>
+    <br>
+    <font face="Courier">run_iptables -A
+common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
+#Accept Acks to rebuild connection<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+#tracking table. <br>
+. /etc/shorewall/common.def</font> </p>
+  </li>
 </ol>
-                  
 <h3 align="left">Versions &gt;= 1.3.5</h3>
-                  
-<p align="left">Some forms of pre-1.3.0 rules file syntax are no    longer
-    supported. </p>
-                  
+<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
+supported. </p>
 <p align="left">Example 1:</p>
-                  
-<div align="left">         
+<div align="left">
 <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
-                           </div>
-                  
+</div>
 <p align="left">Must be replaced with:</p>
-                  
-<div align="left">         
+<div align="left">
 <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
-                           </div>
-                  
-<div align="left">         
+</div>
+<div align="left">
 <p align="left">Example 2:</p>
-                         </div>
-                  
-<div align="left">         
+</div>
+<div align="left">
 <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
-                           </div>
-                  
-<div align="left">         
+</div>
+<div align="left">
 <p align="left">Must be replaced with:</p>
-                         </div>
-                  
-<div align="left">         
+</div>
+<div align="left">
 <pre>	REDIRECT	loc	3128	tcp	80</pre>
-                           </div>
-                  
+</div>
 <h3 align="left">Version &gt;= 1.3.2</h3>
-                  
-<p align="left">The functions and versions files together with the      'firewall'
-    symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
-                  If you have applications that access these files, those
- applications                    should be modified accordingly.</p>
-                  
-<p><font size="2">  Last updated 6/29/2003 -   <a href="support.htm">Tom
+<p align="left">The functions and versions files together with the
+'firewall' symbolic link have moved from /etc/shorewall to
+/var/lib/shorewall. If you have applications that access these files,
+those applications should be modified accordingly.</p>
+<p><font size="2"> Last updated 10/30/2003 - <a href="support.htm">Tom
 Eastep</a></font> </p>
-                  
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-              © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-   </p>
-   <br>
-  <br>
- <br>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
+</p>
 </body>
 </html>
diff --git a/Shorewall-docs/useful_links.html b/Shorewall-docs/useful_links.html
index b55737d14..8a3357d3d 100644
--- a/Shorewall-docs/useful_links.html
+++ b/Shorewall-docs/useful_links.html
@@ -2,65 +2,39 @@
 <html>
 <head>
   <title>Useful Links</title>
-       
   <meta http-equiv="content-type"
  content="text/html; charset=ISO-8859-1">
-    
   <meta name="author" content="Tom Eastep">
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
- bgcolor="#3366ff" height="90">
-      <tbody>
-        <tr>
-          <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Useful Links</font><br>
-          </h1>
-         <br>
-          </td>
-       </tr>
-    
-  </tbody> 
-</table>
-    &nbsp;&nbsp; &nbsp;<br>
-  
+<body>
+<h1 style="text-align: center;">Useful Links &nbsp; &nbsp;</h1>
 <h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
  src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
- height="33" hspace="4" align="middle" border="0">
-   </a></h3>
-  
+ height="33" hspace="4" align="middle" border="0"> </a></h3>
 <h3>Linux Advanced Routing and Traffic Control Howto: <a
  href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
-  
 <h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
-  
 <h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
  src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
- align="middle" hspace="4" border="0">
-   </a></h3>
-  
+ align="middle" hspace="4" border="0"> </a></h3>
 <h3>Bering LEAF Distribution: <a
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></h3>
-  
+ href="http://leaf.sourceforge.net/devel/jnilo">
+http://leaf.sourceforge.net/devel/jnilo</a></h3>
 <h3>Debian apt-get sources for Shorewall: <a
- href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
+ href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian<img
  src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
- align="middle" hspace="4" border="0">
-  <img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
- align="middle" border="0">
-   </a><br>
-   </h3>
-   <br>
-   <font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font> 
- 
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
- &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-     <br>
-    <br>
-   <br>
-  <br>
- <br>
+ align="middle" hspace="4" border="0"> <img src="images/debian.jpg"
+ alt="Debian Logo" width="88" height="30" align="middle" border="0"> </a><br>
+</h3>
+<br>
+<font size="2">Last updated 11/20/2003 - <a href="support.htm">Tom
+Eastep</a></font>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
+<br>
+<br>
+<br>
 </body>
 </html>
diff --git a/Shorewall-docs/whitelisting_under_shorewall.htm b/Shorewall-docs/whitelisting_under_shorewall.htm
index 5dd7f367e..b23f190a7 100644
--- a/Shorewall-docs/whitelisting_under_shorewall.htm
+++ b/Shorewall-docs/whitelisting_under_shorewall.htm
@@ -1,309 +1,267 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-    
   <meta http-equiv="Content-Language" content="en-us">
-    
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-    
   <meta name="ProgId" content="FrontPage.Editor.Document">
-    
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Whitelisting under Shorewall</title>
 </head>
-  <body>
-  
-<table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
-     <tbody>
-      <tr>
-       <td width="100%">       
-      <h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
-       </td>
-     </tr>
-    
-  </tbody> 
-</table>
-  
-<p align="left">For a brief time, the 1.2 version of Shorewall supported
-an  /etc/shorewall/whitelist file. This file was intended to contain a list
-of IP  addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist 
-file was  implemented as a stop-gap measure until the facilities necessary 
-for  implementing white lists using zones was in place. As of Version 1.3 
-RC1, those  facilities were available.</p>
-  
-<p align="left">White lists are most often used to give special privileges 
-to a  set  of hosts within an organization. Let us suppose that we have the 
- following environment:</p>
-  
+<body>
+<h1 style="text-align: center;">Whitelisting under Shorewall<br>
+</h1>
+<p align="left">For a brief time, the 1.2 version of Shorewall
+supported
+an /etc/shorewall/whitelist file. This file was intended to contain a
+list
+of IP addresses of hosts whose POLICY to all zones was ACCEPT. The
+whitelist file was implemented as a stop-gap measure until the
+facilities necessary for implementing white lists using zones was in
+place. As of Version 1.3 RC1, those facilities were available.</p>
+<p align="left">White lists are most often used to give special
+privileges to a set&nbsp; of hosts within an organization. Let us
+suppose that we have the following environment:</p>
 <ul>
-     <li>A firewall with three interfaces -- one to the internet, one   
-to a local network and one to a DMZ.</li>
-     <li>The local network uses SNAT to the internet and is comprised   
-of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
-1918    local network, the technique described here in no way depends on
-that or on    SNAT. It may be used with Proxy ARP, Subnet Routing, Static
+  <li>A firewall with three interfaces -- one to the internet, one to a
+local network and one to a DMZ.</li>
+  <li>The local network uses SNAT to the internet and is comprised of
+the class B network 10.10.0.0/16 (Note: While this example uses an RFC
+1918 local network, the technique described here in no way depends on
+that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
 NAT, etc.).</li>
-     <li>The network operations staff have workstations with IP    addresses 
+  <li>The network operations staff have workstations with IP addresses
 in the class C network 10.10.10.0/24</li>
-     <li>We want the network operations staff to have full access to    all 
+  <li>We want the network operations staff to have full access to all
 other hosts.</li>
-     <li>We want the network operations staff to bypass the transparent 
+  <li>We want the network operations staff to bypass the transparent
 HTTP proxy running on our firewall.</li>
-  
 </ul>
-  
-<p align="left">The basic approach will be that we will place the operations 
- staff's class C in its own zone called <b>ops</b>. Here are the appropriate 
- configuration files:</p>
-  
+<p align="left">The basic approach will be that we will place the
+operations staff's class C in its own zone called <b>ops</b>. Here are
+the appropriate configuration files:</p>
 <h2 align="left">Zone File</h2>
-  
-<blockquote>   
+<blockquote>
   <table border="2">
-                           <tbody>
-        <tr>
-            <td><b>   ZONE</b></td>
-            <td><b>   DISPLAY</b></td>
-            <td><b>   COMMENTS</b></td>
-          </tr>
-                       <tr>
-            <td>net</td>
-            <td>Net</td>
-            <td>Internet</td>
-          </tr>
-          <tr>
-            <td>ops</td>
-            <td>Operations</td>
-            <td>Operations Staff's Class C</td>
-          </tr>
-          <tr>
-            <td>loc</td>
-            <td>Local</td>
-            <td>Local Class B</td>
-          </tr>
-          <tr>
-            <td>dmz</td>
-            <td>DMZ</td>
-            <td>Demilitarized  zone</td>
-          </tr>
-      
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b> ZONE</b></td>
+        <td><b> DISPLAY</b></td>
+        <td><b> COMMENTS</b></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>Net</td>
+        <td>Internet</td>
+      </tr>
+      <tr>
+        <td>ops</td>
+        <td>Operations</td>
+        <td>Operations Staff's Class C</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>Local</td>
+        <td>Local Class B</td>
+      </tr>
+      <tr>
+        <td>dmz</td>
+        <td>DMZ</td>
+        <td>Demilitarized zone</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- 
-since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
-  
+</blockquote>
+<p>The <b>ops </b>zone has been added to the standard 3-zone zones
+file -- since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u>
+<b>loc</b>.</p>
 <h2>Interfaces File</h2>
-  
-<blockquote>   
+<blockquote>
   <table border="2">
-                             <tbody>
-        <tr>
-            <td><b>   ZONE</b></td>
-            <td><b>   INTERFACE</b></td>
-            <td><b>   BROADCAST</b></td>
-            <td><b>   OPTIONS</b></td>
-          </tr>
-          <tr>
-            <td>net</td>
-            <td>eth0</td>
-            <td>&lt;whatever&gt;</td>
-            <td>&lt;options&gt;</td>
-          </tr>
-          <tr>
-            <td>dmz</td>
-            <td>eth1</td>
-            <td>&lt;whatever&gt;</td>
-            <td><br>
-          </td>
-          </tr>
-          <tr>
-            <td>-</td>
-            <td>eth2</td>
-            <td>10.10.255.255</td>
-            <td> </td>
-          </tr>
-       
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b> ZONE</b></td>
+        <td><b> INTERFACE</b></td>
+        <td><b> BROADCAST</b></td>
+        <td><b> OPTIONS</b></td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>eth0</td>
+        <td>&lt;whatever&gt;</td>
+        <td>&lt;options&gt;</td>
+      </tr>
+      <tr>
+        <td>dmz</td>
+        <td>eth1</td>
+        <td>&lt;whatever&gt;</td>
+        <td><br>
+        </td>
+      </tr>
+      <tr>
+        <td>-</td>
+        <td>eth2</td>
+        <td>10.10.255.255</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, 
-we  don't specify a zone for it here.</p>
-  
+</blockquote>
+<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
+we don't specify a zone for it here.</p>
 <h2>Hosts File</h2>
-  
-<blockquote>   <font face="Century Gothic, Arial, Helvetica">           
-                                                     </font>    
+<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
   <table border="2">
-                                       <tbody>
-        <tr>
-            <td><b>   ZONE</b></td>
-            <td><b>   HOST(S)</b></td>
-            <td><b>   OPTIONS</b></td>
-          </tr>
-          <tr>
-            <td>ops</td>
-            <td>eth2:10.10.10.0/24</td>
-    <td><br>
-          </td>
-              </tr>
-          <tr>
-            <td>loc</td>
-            <td>eth2:0.0.0.0/0</td>
-            <td> </td>
-          </tr>
-       
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b> ZONE</b></td>
+        <td><b> HOST(S)</b></td>
+        <td><b> OPTIONS</b></td>
+      </tr>
+      <tr>
+        <td>ops</td>
+        <td>eth2:10.10.10.0/24</td>
+        <td><br>
+        </td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>eth2:0.0.0.0/0</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
-only the hosts in the <b>ops</b> zone will be allowed to access the  firewall
-and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than  10.10.0.0/16
-so that the limited broadcast address (255.255.255.255) falls into  that
-zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
- that special address.</p>
-  
+</blockquote>
+<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall
+is stopped,
+only the hosts in the <b>ops</b> zone will be allowed to access the
+firewall
+and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
+10.10.0.0/16
+so that the limited broadcast address (255.255.255.255) falls into that
+zone. If I used 10.10.0.0/16 then I would have to have a separate entry
+for that special address.</p>
 <h2>Policy File</h2>
-  
-<blockquote>   <font face="Century Gothic, Arial, Helvetica">           
-                                                         </font>    
+<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
   <table border="2">
-                                         <tbody>
-        <tr>
-            <td><b>SOURCE</b></td>
-            <td><b>DEST</b></td>
-            <td><b>   POLICY</b></td>
-            <td><b>   LOG LEVEL</b></td>
-            <td><b>LIMIT:BURST</b></td>
-          </tr>
-          <tr>
-            <td><font color="#0000ff">ops</font></td>
-            <td><font color="#0000ff">all</font></td>
-            <td><font color="#0000ff">ACCEPT</font></td>
-           <td> </td>
-           <td> </td>
-          </tr>
-          <tr>
-            <td><font color="#0000ff">all</font></td>
-            <td><font color="#0000ff">ops</font></td>
-            <td><font color="#0000ff">CONTINUE</font></td>
-           <td> </td>
-           <td> </td>
-          </tr>
-          <tr>
-            <td>loc</td>
-            <td>net</td>
-            <td>ACCEPT</td>
-    <td> </td>
-           <td> </td>
-               </tr>
-          <tr>
-            <td>net</td>
-            <td>all</td>
-            <td>DROP</td>
-            <td>info</td>
-            <td> </td>
-          </tr>
-          <tr>
-            <td>all</td>
-            <td>all</td>
-            <td>REJECT</td>
-            <td>info</td>
-            <td> </td>
-          </tr>
-       
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>SOURCE</b></td>
+        <td><b>DEST</b></td>
+        <td><b> POLICY</b></td>
+        <td><b> LOG LEVEL</b></td>
+        <td><b>LIMIT:BURST</b></td>
+      </tr>
+      <tr>
+        <td><font color="#0000ff">ops</font></td>
+        <td><font color="#0000ff">all</font></td>
+        <td><font color="#0000ff">ACCEPT</font></td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td><font color="#0000ff">all</font></td>
+        <td><font color="#0000ff">ops</font></td>
+        <td><font color="#0000ff">CONTINUE</font></td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>loc</td>
+        <td>net</td>
+        <td>ACCEPT</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>net</td>
+        <td>all</td>
+        <td>DROP</td>
+        <td>info</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>all</td>
+        <td>all</td>
+        <td>REJECT</td>
+        <td>info</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy 
-file.<font color="#ff0000"><b></b></font></p>
-  
+</blockquote>
+<p>Two entries for <b>ops</b> have been added to the standard 3-zone
+policy file.<font color="#ff0000"><b></b></font></p>
 <h2>Rules File</h2>
-  
-<blockquote>   <font face="Century Gothic, Arial, Helvetica">          </font> 
-   
+<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
   <table border="2">
-                                                     <tbody>
-        <tr>
-       <td><b>ACTION</b></td>
-            <td><b>SOURCE</b></td>
-            <td><b>DEST</b></td>
-            <td><b>   PROTO</b></td>
-            <td><b>DEST<br>
-     PORT(S)</b></td>
-            <td><b>SOURCE<br>
-            PORT(S)</b></td>
-            <td><b>ORIGINAL<br>
-            DEST</b></td>
-                                                          </tr>
-          <tr>
-            <td>REDIRECT</td>
-            <td>loc!ops</td>
-            <td>3128</td>
-            <td>tcp</td>
-            <td>http</td>
-            <td> </td>
-            <td> </td>
-          </tr>
-          <tr>
-            <td>...</td>
-            <td> </td>
-            <td> </td>
-            <td> </td>
-            <td> </td>
-            <td> </td>
-            <td> </td>
-          </tr>
-        
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>ACTION</b></td>
+        <td><b>SOURCE</b></td>
+        <td><b>DEST</b></td>
+        <td><b> PROTO</b></td>
+        <td><b>DEST<br>
+PORT(S)</b></td>
+        <td><b>SOURCE<br>
+PORT(S)</b></td>
+        <td><b>ORIGINAL<br>
+DEST</b></td>
+      </tr>
+      <tr>
+        <td>REDIRECT</td>
+        <td>loc!ops</td>
+        <td>3128</td>
+        <td>tcp</td>
+        <td>http</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+      <tr>
+        <td>...</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+        <td>&nbsp;</td>
+      </tr>
+    </tbody>
   </table>
-   </blockquote>
-  
-<p>This is the rule that transparently redirects web traffic to the transparent 
- proxy running on the firewall. The SOURCE column explicitly excludes the 
-<b>ops</b>  zone from the rule.</p>
- 
+</blockquote>
+<p>This is the rule that transparently redirects web traffic to the
+transparent proxy running on the firewall. The SOURCE column explicitly
+excludes the <b>ops</b> zone from the rule.</p>
 <h2>Routestopped File</h2>
-  
-<blockquote>   
+<blockquote>
   <table border="2">
-     <tbody>
-       <tr>
-         <td><b>INTERFACE</b><br>
-         </td>
-           <td><b>   HOST(S)</b></td>
-                   </tr>
-         <tr>
-         <td valign="top">eth1<br>
-         </td>
-         <td valign="top"><br>
-         </td>
-       </tr>
-       <tr>
-           <td>eth2<br>
-         </td>
-           <td>10.10.10.0/24</td>
-               </tr>
-       
-    </tbody>   
+    <tbody>
+      <tr>
+        <td><b>INTERFACE</b><br>
+        </td>
+        <td><b> HOST(S)</b></td>
+      </tr>
+      <tr>
+        <td valign="top">eth1<br>
+        </td>
+        <td valign="top"><br>
+        </td>
+      </tr>
+      <tr>
+        <td>eth2<br>
+        </td>
+        <td>10.10.10.0/24</td>
+      </tr>
+    </tbody>
   </table>
   <br>
- </blockquote>
-     
-<p><font size="2">   Updated 2/18/2003 - <a href="support.htm">Tom  Eastep</a> 
-    </font></p>
-    
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-   © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
-                               <br>
-  <br>
- <br>
+</blockquote>
+<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
+</font></p>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
+<br>
+<br>
+<br>
 </body>
 </html>